diff --git a/.sops.yaml b/.sops.yaml
index 77aa455..e69d45d 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -46,6 +46,14 @@ creation_rules:
       age:
       - *pyramid
 
+  - path_regex: secrets/nginx/acme.json
+    key_groups:
+    - pgp:
+      - *swarsel
+      age:
+      - *twothreetunnel
+      - *eagleland
+
   - path_regex: hosts/nixos/x86_64-linux/pyramid/secrets/[^/]+\.(yaml|json|env|ini|enc)$
     key_groups:
     - pgp:
diff --git a/SwarselSystems.org b/SwarselSystems.org
index f602e41..562651c 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -2858,37 +2858,36 @@ This is my main server that I run at home. It handles most tasks that require bi
 
     swarselmodules.server = {
       diskEncryption = lib.mkForce false;
-      wireguard = lib.mkDefault true;
-      nfs = lib.mkDefault true;
-      nginx = lib.mkDefault true;
-      kavita = lib.mkDefault true;
-      restic = lib.mkDefault true;
-      jellyfin = lib.mkDefault true;
-      navidrome = lib.mkDefault true;
-      spotifyd = lib.mkDefault true;
-      mpd = lib.mkDefault true;
-      postgresql = lib.mkDefault true;
-      matrix = lib.mkDefault true;
-      nextcloud = lib.mkDefault true;
-      immich = lib.mkDefault true;
-      paperless = lib.mkDefault true;
-      transmission = lib.mkDefault true;
-      syncthing = lib.mkDefault true;
-      grafana = lib.mkDefault true;
-      emacs = lib.mkDefault true;
-      freshrss = lib.mkDefault true;
-      jenkins = lib.mkDefault false;
-      kanidm = lib.mkDefault true;
-      firefly-iii = lib.mkDefault true;
-      koillection = lib.mkDefault true;
-      radicale = lib.mkDefault true;
-      atuin = lib.mkDefault true;
-      forgejo = lib.mkDefault true;
-      ankisync = lib.mkDefault true;
-      # snipeit = lib.mkDefault false;
-      homebox = lib.mkDefault true;
-      opkssh = lib.mkDefault true;
-      garage = lib.mkDefault false;
+      nginx = true; # for php stuff
+      acme = false; # cert handled by proxy
+      wireguard = true;
+
+      nfs = true;
+      kavita = true;
+      restic = true;
+      jellyfin = true;
+      navidrome = true;
+      spotifyd = true;
+      mpd = true;
+      postgresql = true;
+      matrix = true;
+      nextcloud = true;
+      immich = true;
+      paperless = true;
+      transmission = true;
+      syncthing = true;
+      grafana = true;
+      emacs = true;
+      freshrss = true;
+      kanidm = true;
+      firefly-iii = true;
+      koillection = true;
+      radicale = true;
+      atuin = true;
+      forgejo = true;
+      ankisync = true;
+      homebox = true;
+      opkssh = true;
     };
 
   }
@@ -3001,10 +3000,6 @@ This is my main server that I run at home. It handles most tasks that require bi
       server = true;
     };
 
-    swarselmodules.server = {
-      nginx = lib.mkForce false;
-    };
-
     microvm.vms =
       let
         mkMicrovm = guestName: {
@@ -3296,7 +3291,6 @@ This is my main server that I run at home. It handles most tasks that require bi
 
     swarselmodules = {
       server = {
-        nginx = lib.mkForce false; # we get this from the server profile
         wireguard = true;
       };
     };
@@ -3914,7 +3908,6 @@ This machine mainly acts as my proxy server to stand before my local machines.
     topology.self = {
       icon = "devices.cloud-server";
     };
-    swarselmodules.server.nginx = false;
 
     swarselsystems = {
       flakePath = "/root/.dotfiles";
@@ -3963,7 +3956,7 @@ This machine mainly acts as my proxy server to stand before my local machines.
       postgresql = true;
       attic = true;
       garage = true;
-      hydra = true;
+      hydra = false;
       dns-hostrecord = true;
     };
 
@@ -4144,8 +4137,6 @@ This machine mainly acts as my proxy server to stand before my local machines.
     topology.self = {
       icon = "devices.cloud-server";
     };
-    swarselmodules.server.nginx = false;
-
 
     swarselsystems = {
       flakePath = "/root/.dotfiles";
@@ -4168,7 +4159,6 @@ This machine mainly acts as my proxy server to stand before my local machines.
 
     swarselmodules.server = {
       nsd = true;
-      nginx = false;
       dns-hostrecord = true;
     };
   }
@@ -4370,7 +4360,6 @@ This machine mainly acts as my proxy server to stand before my local machines.
     };
 
     swarselmodules.server = {
-      nginx = false;
       bastion = true;
       dns-hostrecord = true;
       # ssh = false;
@@ -4578,7 +4567,7 @@ This machine mainly acts as my proxy server to stand before my local machines.
               "moonside"
               "winters"
               "belchsfactory"
-              # "eagleland"
+              "eagleland"
             ];
           };
         };
@@ -4590,8 +4579,8 @@ This machine mainly acts as my proxy server to stand before my local machines.
     };
 
     swarselmodules.server = {
-      nginx = true; # for now
-      oauth2-proxy = true; # for now
+      nginx = true;
+      oauth2-proxy = true;
       dns-hostrecord = true;
       wireguard = true;
     };
@@ -4756,6 +4745,7 @@ This machine mainly acts as my proxy server to stand before my local machines.
 :END:
 
 ***** Main Configuration
+
 :PROPERTIES:
 :CUSTOM_ID: h:96540b9c-1610-45f2-ba19-916051ab5e10
 :END:
@@ -4789,7 +4779,15 @@ This machine mainly acts as my proxy server to stand before my local machines.
       isBtrfs = true;
       isNixos = true;
       isLinux = true;
-      proxyHost = "eagleland";
+      proxyHost = "twothreetunnel"; # mail shall not be proxied through twothreetunnel
+      server = {
+        wireguard.interfaces = {
+          wgProxy = {
+            isClient = true;
+            serverName = "twothreetunnel";
+          };
+        };
+      };
     };
   } // lib.optionalAttrs (!minimal) {
 
@@ -4797,6 +4795,8 @@ This machine mainly acts as my proxy server to stand before my local machines.
       mailserver = true;
       dns-hostrecord = true;
       postgresql = true;
+      nginx = true;
+      wireguard = true;
     };
 
     swarselprofiles = {
@@ -6271,6 +6271,7 @@ A breakdown of the flags being set:
                      additions = final: _: import "${self}/pkgs/config" {
                        inherit self config lib;
                        pkgs = final;
+                       nixosConfig = config;
                        homeConfig = config.home-manager.users.${config.swarselsystems.mainUser};
                      };
                    in
@@ -8440,7 +8441,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in
   }
 #+end_src
 
-**** System Packages
+**** System Packages (Server Programs)
 :PROPERTIES:
 :CUSTOM_ID: h:6f2967d9-7e32-4605-bb5c-5e27770bec0f
 :END:
@@ -8462,6 +8463,9 @@ Here we just define some aliases for rebuilding the system, and we allow some in
         swarsel-deploy
         tmux
         busybox
+        attic-client
+        swarsel-gens
+        swarsel-switch
       ];
     };
   }
@@ -8530,16 +8534,64 @@ Here we just define some aliases for rebuilding the system, and we allow some in
   }
 #+end_src
 
+**** acme
+
+#+begin_src nix-ts :tangle modules/nixos/server/acme.nix
+    { self, pkgs, lib, config, globals, ... }:
+    let
+      inherit (config.repo.secrets.common) dnsProvider dnsBase dnsMail;
+
+      sopsFile = self + "/secrets/nginx/acme.json";
+    in
+    {
+      options.swarselmodules.server.acme = lib.mkEnableOption "enable acme on server";
+      config = lib.mkIf config.swarselmodules.server.acme {
+        environment.systemPackages = with pkgs; [
+          lego
+        ];
+
+        sops = {
+          secrets = {
+            acme-creds = { format = "json"; key = ""; group = "acme"; inherit sopsFile; mode = "0660"; };
+          };
+          templates."certs.secret".content = ''
+            ACME_DNS_API_BASE = ${dnsBase}
+            ACME_DNS_STORAGE_PATH=${config.sops.secrets.acme-creds.path}
+          '';
+        };
+
+        users.groups.acme.members = lib.mkIf config.swarselmodules.server.nginx [ "nginx" ];
+
+        security.acme = {
+          acceptTerms = true;
+          defaults = {
+            inherit dnsProvider;
+            email = dnsMail;
+            environmentFile = "${config.sops.templates."certs.secret".path}";
+            reloadServices = [ "nginx" ];
+            dnsPropagationCheck = true;
+          };
+          certs."${globals.domains.main}" = {
+            domain = "*.${globals.domains.main}";
+          };
+        };
+
+        environment.persistence."/persist" = lib.mkIf config.swarselsystems.isImpermanence {
+          directories = [{ directory = "/var/lib/acme"; }];
+        };
+
+      };
+    }
+#+end_src
+
 **** NGINX
 :PROPERTIES:
 :CUSTOM_ID: h:302468d2-106a-41c8-b2bc-9fdc40064a9c
 :END:
 
 #+begin_src nix-ts :tangle modules/nixos/server/nginx.nix
-  { pkgs, lib, config, globals, ... }:
+  { pkgs, lib, config, ... }:
   let
-    inherit (config.repo.secrets.common) dnsProvider dnsBase dnsMail;
-
     serviceUser = "nginx";
     serviceGroup = serviceUser;
 
@@ -8619,40 +8671,12 @@ Here we just define some aliases for rebuilding the system, and we allow some in
       };
     };
     config = lib.mkIf config.swarselmodules.server.nginx {
-      environment.systemPackages = with pkgs; [
-        lego
-      ];
 
-      sops = lib.mkIf (config.node.name == config.swarselsystems.proxyHost) {
-        secrets = {
-          acme-creds = { format = "json"; key = ""; group = "acme"; sopsFile = config.node.secretsDir + "/acme.json"; mode = "0660"; };
-        };
-        templates."certs.secret".content = ''
-          ACME_DNS_API_BASE = ${dnsBase}
-          ACME_DNS_STORAGE_PATH=${config.sops.secrets.acme-creds.path}
-        '';
-      };
-
-      users.groups.acme.members = [ "nginx" ];
-
-      security.acme = lib.mkIf (config.node.name == config.swarselsystems.proxyHost) {
-        acceptTerms = true;
-        defaults = {
-          inherit dnsProvider;
-          email = dnsMail;
-          environmentFile = "${config.sops.templates."certs.secret".path}";
-          reloadServices = [ "nginx" ];
-          dnsPropagationCheck = true;
-        };
-        certs."${globals.domains.main}" = {
-          domain = "*.${globals.domains.main}";
-        };
-      };
+      swarselmodules.server.acme = lib.mkDefault true;
 
       networking.firewall.allowedTCPPorts = [ 80 443 ];
 
       environment.persistence."/persist" = lib.mkIf config.swarselsystems.isImpermanence {
-        directories = [{ directory = "/var/lib/acme"; }];
         files = [ dhParamsPathBase ];
       };
 
@@ -14041,7 +14065,7 @@ or 2) use classic path addressing =aws s3 cp <local file> s3://<bucket>/<path to
     SOA = {
       nameServer = "soa";
       adminEmail = "admin@${globals.domains.main}"; # this option is not parsed as domain (we cannot just write "admin")
-      serial = 2025120506; # update this on changes for secondary dns
+      serial = 2025122204; # update this on changes for secondary dns
     };
 
     useOrigin = false;
@@ -14051,7 +14075,23 @@ or 2) use classic path addressing =aws s3 cp <local file> s3://<bucket>/<path to
       "srv"
     ] ++ globals.domains.externalDns;
 
-    CAA = letsEncrypt config.repo.secrets.common.dnsMail;
+    CAA = [
+      {
+        issuerCritical = false;
+        tag = "issue";
+        value = "letsencrypt.org";
+      }
+      {
+        issuerCritical = false;
+        tag = "issuewild";
+        value = "letsencrypt.org";
+      }
+      {
+        issuerCritical = false;
+        tag = "iodef";
+        value = "mailto:${config.repo.secrets.common.dnsMail}";
+      }
+    ];
 
     A = [ config.repo.secrets.local.dns.homepage-ip ];
 
@@ -14204,9 +14244,13 @@ or 2) use classic path addressing =aws s3 cp <local file> s3://<bucket>/<path to
   { lib, config, globals, dns, confLib, ... }:
   let
     inherit (config.swarselsystems) sopsFile;
-    inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 443; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceDomain serviceProxy proxyAddress4 proxyAddress6;
+    inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 443; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceAddress serviceDomain serviceProxy proxyAddress4 proxyAddress6;
     inherit (config.repo.secrets.local.mailserver) user1 alias1_1 alias1_2 alias1_3 alias1_4 user2 alias2_1 alias2_2 user3;
     baseDomain = globals.domains.main;
+
+    roundcubeDomain = config.repo.secrets.common.services.domains.roundcube;
+    endpointAddress4 = globals.hosts.${config.node.name}.wanAddress4 or null;
+    endpointAddress6 = globals.hosts.${config.node.name}.wanAddress6 or null;
   in
   {
     options = {
@@ -14215,12 +14259,20 @@ or 2) use classic path addressing =aws s3 cp <local file> s3://<bucket>/<path to
     config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
       nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+        "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host endpointAddress4 endpointAddress6;
+        "${globals.services.roundcube.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
       };
 
-      globals.services.${serviceName} = {
-        domain = serviceDomain;
-        inherit proxyAddress4 proxyAddress6;
+      globals.services = {
+        ${serviceName} = {
+          domain = serviceDomain;
+          proxyAddress4 = endpointAddress4;
+          proxyAddress6 = endpointAddress6;
+        };
+        roundcube = {
+          domain = roundcubeDomain;
+          inherit proxyAddress4 proxyAddress6;
+        };
       };
 
       sops.secrets = {
@@ -14286,7 +14338,7 @@ or 2) use classic path addressing =aws s3 cp <local file> s3://<bucket>/<path to
         enable = true;
         # this is the url of the vhost, not necessarily the same as the fqdn of
         # the mailserver
-        hostName = serviceDomain;
+        hostName = roundcubeDomain;
         extraConfig = ''
           $config['imap_host'] = "ssl://${config.mailserver.fqdn}";
           $config['smtp_host'] = "ssl://${config.mailserver.fqdn}";
@@ -14299,10 +14351,11 @@ or 2) use classic path addressing =aws s3 cp <local file> s3://<bucket>/<path to
       # the rest of the ports are managed by snm
       networking.firewall.allowedTCPPorts = [ 80 servicePort ];
 
-      nodes.${serviceProxy}.services.nginx = {
+      services.nginx = {
         virtualHosts = {
-          "${serviceDomain}" = {
-            enableACME = true;
+          "${roundcubeDomain}" = {
+            useACMEHost = globals.domains.main;
+            enableACME = false;
             forceSSL = true;
             acmeRoot = null;
             locations = {
@@ -14315,6 +14368,32 @@ or 2) use classic path addressing =aws s3 cp <local file> s3://<bucket>/<path to
         };
       };
 
+      nodes.${serviceProxy}.services.nginx = {
+        upstreams = {
+          ${serviceName} = {
+            servers = {
+              "${serviceAddress}:${builtins.toString servicePort}" = { };
+            };
+          };
+        };
+        virtualHosts = {
+          "${roundcubeDomain}" = {
+            useACMEHost = globals.domains.main;
+
+            forceSSL = true;
+            acmeRoot = null;
+            locations = {
+              "/" = {
+                proxyPass = "https://${serviceName}";
+                extraConfig = ''
+                  client_max_body_size    0;
+                '';
+              };
+            };
+          };
+        };
+      };
+
     };
   }
 #+end_src
@@ -15929,6 +16008,8 @@ This is just a separate container for derivations defined in [[#h:64a5cc16-6b16-
         endme
         git-replace
         prstatus
+        swarsel-gens
+        swarsel-switch
       ];
     };
   }
@@ -24652,12 +24733,12 @@ This script allows for quick git replace of a string.
 :END:
 
 #+begin_src nix-ts :tangle pkgs/config/default.nix
-  { self, homeConfig, lib, pkgs, ... }:
+  { self, homeConfig, lib, pkgs, nixosConfig ? null, ... }:
   let
     mkPackages = names: pkgs: builtins.listToAttrs (map
       (name: {
         inherit name;
-        value = pkgs.callPackage "${self}/pkgs/config/${name}" { inherit self name homeConfig; };
+        value = pkgs.callPackage "${self}/pkgs/config/${name}" { inherit self name homeConfig nixosConfig; };
       })
       names);
     packageNames = lib.swarselsystems.readNix "pkgs/config";
@@ -24687,6 +24768,42 @@ This script allows for quick git replace of a string.
   }
 
 
+#+end_src
+
+**** swarsel-gens
+
+This script quickly lists all nix generatinos on the system
+
+#+begin_src nix-ts :tangle pkgs/config/swarsel-gens/default.nix
+  { name, writeShellApplication, nixosConfig, ... }:
+
+  writeShellApplication {
+    inherit name;
+    runtimeInputs = [ nixosConfig.nix.package ];
+    text = ''
+      sudo nix-env --list-generations --profile /nix/var/nix/profiles/system
+    '';
+  }
+
+
+#+end_src
+
+**** swarsel-switch
+
+This script quickly switches to another nix generation.
+
+#+begin_src nix-ts :tangle pkgs/config/swarsel-switch/default.nix
+  { name, writeShellApplication, nixosConfig, ... }:
+
+  writeShellApplication {
+    inherit name;
+    runtimeInputs = [ nixosConfig.nix.package ];
+    text = ''
+      sudo nix-env --switch-generation "$1" -p /nix/var/nix/profiles/system && sudo /nix/var/nix/profiles/system/bin/switch-to-configuration switch
+    '';
+  }
+
+
 #+end_src
 
 ** Profiles
@@ -24911,7 +25028,6 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
             diskEncryption = lib.mkDefault true;
             packages = lib.mkDefault true;
             ssh = lib.mkDefault true;
-            nginx = lib.mkDefault true;
           };
         };
     };
diff --git a/hosts/nixos/aarch64-linux/belchsfactory/default.nix b/hosts/nixos/aarch64-linux/belchsfactory/default.nix
index b94db11..a5c764f 100644
--- a/hosts/nixos/aarch64-linux/belchsfactory/default.nix
+++ b/hosts/nixos/aarch64-linux/belchsfactory/default.nix
@@ -13,7 +13,6 @@
   topology.self = {
     icon = "devices.cloud-server";
   };
-  swarselmodules.server.nginx = false;
 
   swarselsystems = {
     flakePath = "/root/.dotfiles";
@@ -62,7 +61,7 @@
     postgresql = true;
     attic = true;
     garage = true;
-    hydra = true;
+    hydra = false;
     dns-hostrecord = true;
   };
 
diff --git a/hosts/nixos/aarch64-linux/liliputsteps/default.nix b/hosts/nixos/aarch64-linux/liliputsteps/default.nix
index 4a370a9..3fc716c 100644
--- a/hosts/nixos/aarch64-linux/liliputsteps/default.nix
+++ b/hosts/nixos/aarch64-linux/liliputsteps/default.nix
@@ -32,7 +32,6 @@
   };
 
   swarselmodules.server = {
-    nginx = false;
     bastion = true;
     dns-hostrecord = true;
     # ssh = false;
diff --git a/hosts/nixos/aarch64-linux/stoicclub/default.nix b/hosts/nixos/aarch64-linux/stoicclub/default.nix
index 7cf2079..1a84d39 100644
--- a/hosts/nixos/aarch64-linux/stoicclub/default.nix
+++ b/hosts/nixos/aarch64-linux/stoicclub/default.nix
@@ -10,8 +10,6 @@
   topology.self = {
     icon = "devices.cloud-server";
   };
-  swarselmodules.server.nginx = false;
-
 
   swarselsystems = {
     flakePath = "/root/.dotfiles";
@@ -34,7 +32,6 @@
 
   swarselmodules.server = {
     nsd = true;
-    nginx = false;
     dns-hostrecord = true;
   };
 }
diff --git a/hosts/nixos/aarch64-linux/twothreetunnel/default.nix b/hosts/nixos/aarch64-linux/twothreetunnel/default.nix
index 9a4e5e7..e4af5a3 100644
--- a/hosts/nixos/aarch64-linux/twothreetunnel/default.nix
+++ b/hosts/nixos/aarch64-linux/twothreetunnel/default.nix
@@ -33,7 +33,7 @@
             "moonside"
             "winters"
             "belchsfactory"
-            # "eagleland"
+            "eagleland"
           ];
         };
       };
@@ -45,8 +45,8 @@
   };
 
   swarselmodules.server = {
-    nginx = true; # for now
-    oauth2-proxy = true; # for now
+    nginx = true;
+    oauth2-proxy = true;
     dns-hostrecord = true;
     wireguard = true;
   };
diff --git a/hosts/nixos/aarch64-linux/twothreetunnel/secrets/acme.json b/hosts/nixos/aarch64-linux/twothreetunnel/secrets/acme.json
deleted file mode 100644
index 7cfe4aa..0000000
--- a/hosts/nixos/aarch64-linux/twothreetunnel/secrets/acme.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
-	"swarsel.win": {
-		"fulldomain": "ENC[AES256_GCM,data:CVasUSMRn/KWzVRlcYfTO/RL+W5Cz2JpDj0JLAKITXrDZrl+Wsg46X8zv4hX6NLj/wAyvXQ=,iv:N3DL4JPX8vWTbllFWcpNulwtDJ57xpHrAwoUxWhTzxs=,tag:CYWoK9uT121rFXQ5h69CZA==,type:str]",
-		"subdomain": "ENC[AES256_GCM,data:uM457vEJa10IV4SovBDUzLLlW+mPwh1SiWr8thQisFoe6zAk,iv:Tdbd5a20Gv/thkPfsvNiAbI86JjcDs70MAfk4yCZLgs=,tag:MulJiRWPs215x0bc+1jBiA==,type:str]",
-		"username": "ENC[AES256_GCM,data:ePE2BEKL5uaXqzGngW9ArhwP3qwDzwULtfwUfb5Q56VGGURp,iv:/GZRbyXHorcq1PIYlhfOmUVwCg0I/N4ZraEzSrc8qmA=,tag:wM5B1U0BsRsBAJg3qNOXpA==,type:str]",
-		"password": "ENC[AES256_GCM,data:RGzdi8IMqm+rtiuU4RtWGQ4N/7FYBbp5Pir8/k2V1QEdM8z7SIn0FQ==,iv:ThFbY9eZuEZoyzcWV5DwtSi8ugNwM49JfRof560Qx/Y=,tag:sgMaLrPB8WgpXWPzaCwOBQ==,type:str]",
-		"server_url": "ENC[AES256_GCM,data:zJdXoO7ED7qeskYJ9Wu0Rdprbvj/uP+Z,iv:ce+QXocqCjNKCsZRyVt6koUyc2lsTwPNMcfQyqbktN0=,tag:bQSE4/6va+V0TORWANLdUA==,type:str]"
-	},
-	"sops": {
-		"age": [
-			{
-				"recipient": "age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVZ0ErYjZTb2o1LzdZY2tz\nNUR0dy9DWkVyQlZBQU1WSmFja0pUN3NJSkNvClNLbTU5RFFwUkJQVUNML291eG5N\nZDlCK0JvMjVDL3lvMURMbFptQ1Z4ZWsKLS0tIFA3OEUrL2tXZGM3TFk4L2l6RUo0\nMVBZOFBYS2lablRuR0hneU02eURYQWMK1M9ng/GcFH+NEmknJ8SHOUxc8atX3p1E\nB/3+4dVWSwVdTEkG2VqQTdo/irjbTKpqZ0m5bg9zDhxZpyQ2lr2ePA==\n-----END AGE ENCRYPTED FILE-----\n"
-			}
-		],
-		"lastmodified": "2025-12-04T19:04:02Z",
-		"mac": "ENC[AES256_GCM,data:nWV/knCo/MeWTBrfq1VlV6SPEQ2i2P+le82S2So0BIxPfz8tqan0MdaIaKLFlapsT9VRJOv8ZCCXSLWeGcbEvfmEz4MP1E4iHcU/4YaO+n895D1JrjeyP1cgGisnXqe01xMXCsDY178sqxHcnDDlXp9foCem+mGjIlKGPYGu5Oo=,iv:qbavbW3MF4fx+E3aybBYaz/T/Hb63ggWml4Oe9WFz+I=,tag:05vBbBGDGRNaXJWoZn1bVw==,type:str]",
-		"pgp": [
-			{
-				"created_at": "2025-12-04T17:59:06Z",
-				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//bwwqP095CUku9qYMYLJToU9iuL7USF7UxfKQLgP7Lx3a\nilbrofOS508V2og32sZD8y8GGDCMc7HMQv8TcgIk/kq6jX5dHUYN68nVMQ8ZG0As\nW1kpo/cLZAPHoWWEG5E1INX+KSN3b/KhZgXohuVyrax3aTy0kcKeApAJlntr+gyV\nfjPjjvGxXrCXZHN6DzKZ+zqEIs18T0ByLtqLsYzTlD4FszISGCnf6Kr5jpj43BcA\ny1Hj6avzk1bQqPEFovf5JcB+O3DnkIwus+GlXihu/6gIiatbdshVKk/vDdR6TR1/\noDg2EV98uX1K+gEe1JvJdC1JrAPZkOtx4hiFcLVc5G6phdQ08hY4PZ8On4Yajkby\nj46FkPNLB4TwwSC2Ga03CadpaUK0twNGAH7oya3VXUiHqqu2rnVgUjrsZCr6yA4d\nJmumRiTHvnQjECQB5J837wXoDOivaaY0OszELM41p6UIhMTG4/SkkEvfgAI3goGN\nV5g4uBES/TGCedU5NS5EMtsjRoJSQDyvhfkzMUBDcUm8xQ3RKRtdqTZVkT75Ti6M\nmnZolAkqq3uWwmSTIXTgC7T2dnWLRVgfpj7hzZX43ucf5bXCn6QXoZscMUL9LKR5\nd3lyh66PoHghatrb0u3E1ub6XJQWkbDDkKDHRuYjU02Ai12oPd48nhyTuhnmeLCF\nAgwDC9FRLmchgYQBEACgklMklJy3J1U542h3ofmkH5otjNaWv14oVr2yNdOxhlIG\nDYTb9vuLL1lAwxOB7JW6sgPbS9TmiCU6ZBYDeQDmfth7yPWK3/Epmd5wmXDENqra\njoZcpNSvvMnescS0MJWsSF2BHJiwPJewuOCAiL0EXGYVNB7z54kAt342okScNDK2\ndS6/ddjVKFsSi73HmLqQk7wmYpZuqIGoJQXH+E2to8h19e35YxOEsnG2DcVyC7xZ\nqHeUfuM9BTVJmUvqFdovz3lYJ+xg2CjBf8u0jRKOhhufS8JAu9H2ye9dWPktslMF\nRjfRbTAwryVGYmajnlmfoge+OD0XsubSaT79BixZ6xwXgA8xrCvM8in8ZeYsug66\nrgA/I7sO2PPQBh+FNVfuxVVr4MC1Nehk3/JghYzF9Ip7uAvoB9bzi0Yx7L3wGY8i\nr5Rss81IIYvZY4NmPwsOkeX+v9k6GbrcBDa521nl9gz3Ll9Q59jicZBaNyuIvJ3f\nP/bmh1nZc9CM+uIP3A5e/5tUTS5E7judEmOeqlotOjZGdoqyGsG1VqJcrcyTzscY\n8LxCIJtQEeM4KoptKaIXt0Mu/puMzQxIpcx9eFDZ+SE7Cl1QXC6HRLW5N99AuD5f\nSmxquKsmc+xB+gNGkYuySeTqfklK3FLTvISXZmoAQKgqdgO0d+hpCpOQ9lkprtJc\nAbMyytjCe+RLnIWHXi1hjQyspcF8JvBgnRp0zWEZwn+C7QI7ChHlSIrudMohS76L\nN2rF646oaFcxr8mDHy9bebQDXlWahbDB/2jFm3/SuyARtKSg8/PaNcuh+c8=\n=LxIo\n-----END PGP MESSAGE-----",
-				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
-			}
-		],
-		"unencrypted_suffix": "_unencrypted",
-		"version": "3.11.0"
-	}
-}
diff --git a/hosts/nixos/x86_64-linux/eagleland/default.nix b/hosts/nixos/x86_64-linux/eagleland/default.nix
index 3adb96e..92e85ec 100644
--- a/hosts/nixos/x86_64-linux/eagleland/default.nix
+++ b/hosts/nixos/x86_64-linux/eagleland/default.nix
@@ -26,7 +26,15 @@
     isBtrfs = true;
     isNixos = true;
     isLinux = true;
-    proxyHost = "eagleland";
+    proxyHost = "twothreetunnel"; # mail shall not be proxied through twothreetunnel
+    server = {
+      wireguard.interfaces = {
+        wgProxy = {
+          isClient = true;
+          serverName = "twothreetunnel";
+        };
+      };
+    };
   };
 } // lib.optionalAttrs (!minimal) {
 
@@ -34,6 +42,8 @@
     mailserver = true;
     dns-hostrecord = true;
     postgresql = true;
+    nginx = true;
+    wireguard = true;
   };
 
   swarselprofiles = {
diff --git a/hosts/nixos/x86_64-linux/hintbooth/default.nix b/hosts/nixos/x86_64-linux/hintbooth/default.nix
index 73f09e9..2c957c0 100644
--- a/hosts/nixos/x86_64-linux/hintbooth/default.nix
+++ b/hosts/nixos/x86_64-linux/hintbooth/default.nix
@@ -52,7 +52,6 @@
 
   swarselmodules = {
     server = {
-      nginx = lib.mkForce false; # we get this from the server profile
       wireguard = true;
     };
   };
diff --git a/hosts/nixos/x86_64-linux/summers/default.nix b/hosts/nixos/x86_64-linux/summers/default.nix
index 36dbbe4..1d895b2 100644
--- a/hosts/nixos/x86_64-linux/summers/default.nix
+++ b/hosts/nixos/x86_64-linux/summers/default.nix
@@ -43,10 +43,6 @@
     server = true;
   };
 
-  swarselmodules.server = {
-    nginx = lib.mkForce false;
-  };
-
   microvm.vms =
     let
       mkMicrovm = guestName: {
diff --git a/hosts/nixos/x86_64-linux/winters/default.nix b/hosts/nixos/x86_64-linux/winters/default.nix
index f52d4ee..e449875 100644
--- a/hosts/nixos/x86_64-linux/winters/default.nix
+++ b/hosts/nixos/x86_64-linux/winters/default.nix
@@ -72,37 +72,36 @@
 
   swarselmodules.server = {
     diskEncryption = lib.mkForce false;
-    wireguard = lib.mkDefault true;
-    nfs = lib.mkDefault true;
-    nginx = lib.mkDefault true;
-    kavita = lib.mkDefault true;
-    restic = lib.mkDefault true;
-    jellyfin = lib.mkDefault true;
-    navidrome = lib.mkDefault true;
-    spotifyd = lib.mkDefault true;
-    mpd = lib.mkDefault true;
-    postgresql = lib.mkDefault true;
-    matrix = lib.mkDefault true;
-    nextcloud = lib.mkDefault true;
-    immich = lib.mkDefault true;
-    paperless = lib.mkDefault true;
-    transmission = lib.mkDefault true;
-    syncthing = lib.mkDefault true;
-    grafana = lib.mkDefault true;
-    emacs = lib.mkDefault true;
-    freshrss = lib.mkDefault true;
-    jenkins = lib.mkDefault false;
-    kanidm = lib.mkDefault true;
-    firefly-iii = lib.mkDefault true;
-    koillection = lib.mkDefault true;
-    radicale = lib.mkDefault true;
-    atuin = lib.mkDefault true;
-    forgejo = lib.mkDefault true;
-    ankisync = lib.mkDefault true;
-    # snipeit = lib.mkDefault false;
-    homebox = lib.mkDefault true;
-    opkssh = lib.mkDefault true;
-    garage = lib.mkDefault false;
+    nginx = true; # for php stuff
+    acme = false; # cert handled by proxy
+    wireguard = true;
+
+    nfs = true;
+    kavita = true;
+    restic = true;
+    jellyfin = true;
+    navidrome = true;
+    spotifyd = true;
+    mpd = true;
+    postgresql = true;
+    matrix = true;
+    nextcloud = true;
+    immich = true;
+    paperless = true;
+    transmission = true;
+    syncthing = true;
+    grafana = true;
+    emacs = true;
+    freshrss = true;
+    kanidm = true;
+    firefly-iii = true;
+    koillection = true;
+    radicale = true;
+    atuin = true;
+    forgejo = true;
+    ankisync = true;
+    homebox = true;
+    opkssh = true;
   };
 
 }
diff --git a/modules/home/common/custom-packages.nix b/modules/home/common/custom-packages.nix
index 3c8f8ac..7e73685 100644
--- a/modules/home/common/custom-packages.nix
+++ b/modules/home/common/custom-packages.nix
@@ -33,6 +33,8 @@
       endme
       git-replace
       prstatus
+      swarsel-gens
+      swarsel-switch
     ];
   };
 }
diff --git a/modules/nixos/common/settings.nix b/modules/nixos/common/settings.nix
index 2ab4bbe..989aa2a 100644
--- a/modules/nixos/common/settings.nix
+++ b/modules/nixos/common/settings.nix
@@ -127,6 +127,7 @@ in
                 additions = final: _: import "${self}/pkgs/config" {
                   inherit self config lib;
                   pkgs = final;
+                  nixosConfig = config;
                   homeConfig = config.home-manager.users.${config.swarselsystems.mainUser};
                 };
               in
diff --git a/modules/nixos/server/acme.nix b/modules/nixos/server/acme.nix
new file mode 100644
index 0000000..1bbeaec
--- /dev/null
+++ b/modules/nixos/server/acme.nix
@@ -0,0 +1,45 @@
+{ self, pkgs, lib, config, globals, ... }:
+let
+  inherit (config.repo.secrets.common) dnsProvider dnsBase dnsMail;
+
+  sopsFile = self + "/secrets/nginx/acme.json";
+in
+{
+  options.swarselmodules.server.acme = lib.mkEnableOption "enable acme on server";
+  config = lib.mkIf config.swarselmodules.server.acme {
+    environment.systemPackages = with pkgs; [
+      lego
+    ];
+
+    sops = {
+      secrets = {
+        acme-creds = { format = "json"; key = ""; group = "acme"; inherit sopsFile; mode = "0660"; };
+      };
+      templates."certs.secret".content = ''
+        ACME_DNS_API_BASE = ${dnsBase}
+        ACME_DNS_STORAGE_PATH=${config.sops.secrets.acme-creds.path}
+      '';
+    };
+
+    users.groups.acme.members = lib.mkIf config.swarselmodules.server.nginx [ "nginx" ];
+
+    security.acme = {
+      acceptTerms = true;
+      defaults = {
+        inherit dnsProvider;
+        email = dnsMail;
+        environmentFile = "${config.sops.templates."certs.secret".path}";
+        reloadServices = [ "nginx" ];
+        dnsPropagationCheck = true;
+      };
+      certs."${globals.domains.main}" = {
+        domain = "*.${globals.domains.main}";
+      };
+    };
+
+    environment.persistence."/persist" = lib.mkIf config.swarselsystems.isImpermanence {
+      directories = [{ directory = "/var/lib/acme"; }];
+    };
+
+  };
+}
diff --git a/modules/nixos/server/mailserver.nix b/modules/nixos/server/mailserver.nix
index f1d7cfa..917d3f1 100644
--- a/modules/nixos/server/mailserver.nix
+++ b/modules/nixos/server/mailserver.nix
@@ -1,9 +1,13 @@
 { lib, config, globals, dns, confLib, ... }:
 let
   inherit (config.swarselsystems) sopsFile;
-  inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 443; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceDomain serviceProxy proxyAddress4 proxyAddress6;
+  inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 443; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceAddress serviceDomain serviceProxy proxyAddress4 proxyAddress6;
   inherit (config.repo.secrets.local.mailserver) user1 alias1_1 alias1_2 alias1_3 alias1_4 user2 alias2_1 alias2_2 user3;
   baseDomain = globals.domains.main;
+
+  roundcubeDomain = config.repo.secrets.common.services.domains.roundcube;
+  endpointAddress4 = globals.hosts.${config.node.name}.wanAddress4 or null;
+  endpointAddress6 = globals.hosts.${config.node.name}.wanAddress6 or null;
 in
 {
   options = {
@@ -12,12 +16,20 @@ in
   config = lib.mkIf config.swarselmodules.server.${serviceName} {
 
     nodes.stoicclub.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
-      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+      "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host endpointAddress4 endpointAddress6;
+      "${globals.services.roundcube.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
     };
 
-    globals.services.${serviceName} = {
-      domain = serviceDomain;
-      inherit proxyAddress4 proxyAddress6;
+    globals.services = {
+      ${serviceName} = {
+        domain = serviceDomain;
+        proxyAddress4 = endpointAddress4;
+        proxyAddress6 = endpointAddress6;
+      };
+      roundcube = {
+        domain = roundcubeDomain;
+        inherit proxyAddress4 proxyAddress6;
+      };
     };
 
     sops.secrets = {
@@ -83,7 +95,7 @@ in
       enable = true;
       # this is the url of the vhost, not necessarily the same as the fqdn of
       # the mailserver
-      hostName = serviceDomain;
+      hostName = roundcubeDomain;
       extraConfig = ''
         $config['imap_host'] = "ssl://${config.mailserver.fqdn}";
         $config['smtp_host'] = "ssl://${config.mailserver.fqdn}";
@@ -96,10 +108,11 @@ in
     # the rest of the ports are managed by snm
     networking.firewall.allowedTCPPorts = [ 80 servicePort ];
 
-    nodes.${serviceProxy}.services.nginx = {
+    services.nginx = {
       virtualHosts = {
-        "${serviceDomain}" = {
-          enableACME = true;
+        "${roundcubeDomain}" = {
+          useACMEHost = globals.domains.main;
+          enableACME = false;
           forceSSL = true;
           acmeRoot = null;
           locations = {
@@ -112,5 +125,31 @@ in
       };
     };
 
+    nodes.${serviceProxy}.services.nginx = {
+      upstreams = {
+        ${serviceName} = {
+          servers = {
+            "${serviceAddress}:${builtins.toString servicePort}" = { };
+          };
+        };
+      };
+      virtualHosts = {
+        "${roundcubeDomain}" = {
+          useACMEHost = globals.domains.main;
+
+          forceSSL = true;
+          acmeRoot = null;
+          locations = {
+            "/" = {
+              proxyPass = "https://${serviceName}";
+              extraConfig = ''
+                client_max_body_size    0;
+              '';
+            };
+          };
+        };
+      };
+    };
+
   };
 }
diff --git a/modules/nixos/server/nginx.nix b/modules/nixos/server/nginx.nix
index 2cfcaa7..604f509 100644
--- a/modules/nixos/server/nginx.nix
+++ b/modules/nixos/server/nginx.nix
@@ -1,7 +1,5 @@
-{ pkgs, lib, config, globals, ... }:
+{ pkgs, lib, config, ... }:
 let
-  inherit (config.repo.secrets.common) dnsProvider dnsBase dnsMail;
-
   serviceUser = "nginx";
   serviceGroup = serviceUser;
 
@@ -81,40 +79,12 @@ in
     };
   };
   config = lib.mkIf config.swarselmodules.server.nginx {
-    environment.systemPackages = with pkgs; [
-      lego
-    ];
 
-    sops = lib.mkIf (config.node.name == config.swarselsystems.proxyHost) {
-      secrets = {
-        acme-creds = { format = "json"; key = ""; group = "acme"; sopsFile = config.node.secretsDir + "/acme.json"; mode = "0660"; };
-      };
-      templates."certs.secret".content = ''
-        ACME_DNS_API_BASE = ${dnsBase}
-        ACME_DNS_STORAGE_PATH=${config.sops.secrets.acme-creds.path}
-      '';
-    };
-
-    users.groups.acme.members = [ "nginx" ];
-
-    security.acme = lib.mkIf (config.node.name == config.swarselsystems.proxyHost) {
-      acceptTerms = true;
-      defaults = {
-        inherit dnsProvider;
-        email = dnsMail;
-        environmentFile = "${config.sops.templates."certs.secret".path}";
-        reloadServices = [ "nginx" ];
-        dnsPropagationCheck = true;
-      };
-      certs."${globals.domains.main}" = {
-        domain = "*.${globals.domains.main}";
-      };
-    };
+    swarselmodules.server.acme = lib.mkDefault true;
 
     networking.firewall.allowedTCPPorts = [ 80 443 ];
 
     environment.persistence."/persist" = lib.mkIf config.swarselsystems.isImpermanence {
-      directories = [{ directory = "/var/lib/acme"; }];
       files = [ dhParamsPathBase ];
     };
 
diff --git a/modules/nixos/server/nsd/site1.nix b/modules/nixos/server/nsd/site1.nix
index b7ea2b9..97ef596 100644
--- a/modules/nixos/server/nsd/site1.nix
+++ b/modules/nixos/server/nsd/site1.nix
@@ -3,7 +3,7 @@ with dns.lib.combinators; {
   SOA = {
     nameServer = "soa";
     adminEmail = "admin@${globals.domains.main}"; # this option is not parsed as domain (we cannot just write "admin")
-    serial = 2025120506; # update this on changes for secondary dns
+    serial = 2025122204; # update this on changes for secondary dns
   };
 
   useOrigin = false;
@@ -13,7 +13,23 @@ with dns.lib.combinators; {
     "srv"
   ] ++ globals.domains.externalDns;
 
-  CAA = letsEncrypt config.repo.secrets.common.dnsMail;
+  CAA = [
+    {
+      issuerCritical = false;
+      tag = "issue";
+      value = "letsencrypt.org";
+    }
+    {
+      issuerCritical = false;
+      tag = "issuewild";
+      value = "letsencrypt.org";
+    }
+    {
+      issuerCritical = false;
+      tag = "iodef";
+      value = "mailto:${config.repo.secrets.common.dnsMail}";
+    }
+  ];
 
   A = [ config.repo.secrets.local.dns.homepage-ip ];
 
diff --git a/modules/nixos/server/packages.nix b/modules/nixos/server/packages.nix
index e1246d1..15dc4d2 100644
--- a/modules/nixos/server/packages.nix
+++ b/modules/nixos/server/packages.nix
@@ -14,6 +14,9 @@
       swarsel-deploy
       tmux
       busybox
+      attic-client
+      swarsel-gens
+      swarsel-switch
     ];
   };
 }
diff --git a/pkgs/config/default.nix b/pkgs/config/default.nix
index 668619b..62a9be1 100644
--- a/pkgs/config/default.nix
+++ b/pkgs/config/default.nix
@@ -1,9 +1,9 @@
-{ self, homeConfig, lib, pkgs, ... }:
+{ self, homeConfig, lib, pkgs, nixosConfig ? null, ... }:
 let
   mkPackages = names: pkgs: builtins.listToAttrs (map
     (name: {
       inherit name;
-      value = pkgs.callPackage "${self}/pkgs/config/${name}" { inherit self name homeConfig; };
+      value = pkgs.callPackage "${self}/pkgs/config/${name}" { inherit self name homeConfig nixosConfig; };
     })
     names);
   packageNames = lib.swarselsystems.readNix "pkgs/config";
diff --git a/pkgs/config/swarsel-gens/default.nix b/pkgs/config/swarsel-gens/default.nix
new file mode 100644
index 0000000..54cded1
--- /dev/null
+++ b/pkgs/config/swarsel-gens/default.nix
@@ -0,0 +1,9 @@
+{ name, writeShellApplication, nixosConfig, ... }:
+
+writeShellApplication {
+  inherit name;
+  runtimeInputs = [ nixosConfig.nix.package ];
+  text = ''
+    sudo nix-env --list-generations --profile /nix/var/nix/profiles/system
+  '';
+}
diff --git a/pkgs/config/swarsel-switch/default.nix b/pkgs/config/swarsel-switch/default.nix
new file mode 100644
index 0000000..6e19f54
--- /dev/null
+++ b/pkgs/config/swarsel-switch/default.nix
@@ -0,0 +1,9 @@
+{ name, writeShellApplication, nixosConfig, ... }:
+
+writeShellApplication {
+  inherit name;
+  runtimeInputs = [ nixosConfig.nix.package ];
+  text = ''
+    sudo nix-env --switch-generation "$1" -p /nix/var/nix/profiles/system && sudo /nix/var/nix/profiles/system/bin/switch-to-configuration switch
+  '';
+}
diff --git a/profiles/nixos/localserver/default.nix b/profiles/nixos/localserver/default.nix
index 31bb1af..fe27be2 100644
--- a/profiles/nixos/localserver/default.nix
+++ b/profiles/nixos/localserver/default.nix
@@ -20,7 +20,6 @@
         diskEncryption = lib.mkDefault true;
         packages = lib.mkDefault true;
         ssh = lib.mkDefault true;
-        nginx = lib.mkDefault true;
       };
     };
   };
diff --git a/secrets/nginx/acme.json b/secrets/nginx/acme.json
new file mode 100644
index 0000000..372705b
--- /dev/null
+++ b/secrets/nginx/acme.json
@@ -0,0 +1,32 @@
+{
+	"swarsel.win": {
+		"fulldomain": "ENC[AES256_GCM,data:CVasUSMRn/KWzVRlcYfTO/RL+W5Cz2JpDj0JLAKITXrDZrl+Wsg46X8zv4hX6NLj/wAyvXQ=,iv:N3DL4JPX8vWTbllFWcpNulwtDJ57xpHrAwoUxWhTzxs=,tag:CYWoK9uT121rFXQ5h69CZA==,type:str]",
+		"subdomain": "ENC[AES256_GCM,data:uM457vEJa10IV4SovBDUzLLlW+mPwh1SiWr8thQisFoe6zAk,iv:Tdbd5a20Gv/thkPfsvNiAbI86JjcDs70MAfk4yCZLgs=,tag:MulJiRWPs215x0bc+1jBiA==,type:str]",
+		"username": "ENC[AES256_GCM,data:ePE2BEKL5uaXqzGngW9ArhwP3qwDzwULtfwUfb5Q56VGGURp,iv:/GZRbyXHorcq1PIYlhfOmUVwCg0I/N4ZraEzSrc8qmA=,tag:wM5B1U0BsRsBAJg3qNOXpA==,type:str]",
+		"password": "ENC[AES256_GCM,data:RGzdi8IMqm+rtiuU4RtWGQ4N/7FYBbp5Pir8/k2V1QEdM8z7SIn0FQ==,iv:ThFbY9eZuEZoyzcWV5DwtSi8ugNwM49JfRof560Qx/Y=,tag:sgMaLrPB8WgpXWPzaCwOBQ==,type:str]",
+		"server_url": "ENC[AES256_GCM,data:zJdXoO7ED7qeskYJ9Wu0Rdprbvj/uP+Z,iv:ce+QXocqCjNKCsZRyVt6koUyc2lsTwPNMcfQyqbktN0=,tag:bQSE4/6va+V0TORWANLdUA==,type:str]"
+	},
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBWmFOUGZrbkNlQ2ppbnFw\nTVd3RVYrK1RocjU3Z0pPOUNpc05YZ0FKK2hJClAvdkZ0aFRtaE5PRWFNbWdWSjN3\nbWc1WUpuTTVDTlNldTh0ejBGakZvbDgKLS0tIHJaRmwwSEtqQXprcFZ3TlllWmJa\nczN6eE8wWUppc3o1VTRpcjF0VUM1azQKdWhbP34mx6yR6TXUMpP/npA9TjAayjqz\nHC7ztK5/zu4ML7BRCsoLNLDDVtMsmhEVKO8VV9sbMvusSq0WNu0I7g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxVUM5eTMrZ3lCeDgxVHlj\naWx4QUZ5c0NGV2xEaXliNHFyVktkTnBYR0d3CnRMcUgyUU1hNzhLcWhaYzJCMndR\nQWJyNEZJV2xNVVBSc2xnbzRqdEx1eXMKLS0tIDJhTGhVYkxJcGZ6N3dHZmV3QlBo\nNzBORDJXb1pRbVNiWHZiVjBKQjNwWDAK1z/XA6gRor2fNX70UooBqHjCFfIIP34j\n+vHx10dtoue5tSPgM3cA8QZzqM6Ht+U282JFMztrlDtiz/j/JofTNg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-12-04T19:04:02Z",
+		"mac": "ENC[AES256_GCM,data:nWV/knCo/MeWTBrfq1VlV6SPEQ2i2P+le82S2So0BIxPfz8tqan0MdaIaKLFlapsT9VRJOv8ZCCXSLWeGcbEvfmEz4MP1E4iHcU/4YaO+n895D1JrjeyP1cgGisnXqe01xMXCsDY178sqxHcnDDlXp9foCem+mGjIlKGPYGu5Oo=,iv:qbavbW3MF4fx+E3aybBYaz/T/Hb63ggWml4Oe9WFz+I=,tag:05vBbBGDGRNaXJWoZn1bVw==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2025-12-22T14:07:12Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//XZNxhn6vCEDo6SAtlIcA5OxNuj3326ITbjjv+XwiTHk/\n28cErtXOF+4bnjIXLwXGbbewWgvrnK0Lx5nBqpidMrhANHVEWDp3iBrW79QPdRl9\ntIcofQUK+6Dwh+XqJK4eorEAeAKlu6l5y3pc19L4j7BiDOxcXBYqTx4ScnZhFFoc\nRVC6ngRjck+2e6bL/+lopntHML41yrXpAHMBlobTbzYP8cnfMKroUZzLoNareVIS\nNlcE7oaCwAvCXYBbQN5qQCIFbLBFB+vD4ArOrL/zNxWVjnEeM4RhBdIjd0bdq1FQ\nLBsO1crEniz4Lgp5N4cWOzuOCz5fHlLJEKtNIIFt8rcocBEdyQf1OmZ2VrY57nN+\nSeCYGN+fPA87UoH+iZcmLNjDvMy+MHNIiGCEuY9jWLzgcDDvtFwtQdl2CpI8a/Ax\nKG9RgMFyjLtPCgNzDkn6LrvHKtnFkcsx22f8PHB4RZIgP43loH//xieOVnA9vo/k\nV3pRHZuZkTp3qmAED3KhbjE7aKP3bjUkJdrTATsal5YyRd76pjPvtXkX6MchgTgh\n6emt6DssvWJy5vhgitM0Ucq1IeeaLwIDTXqP5GShcQrWJ2P5ilzLGp2OKYzOqSBf\n//LfA3EHq4aFaTGuOVxjf/VS1vEeIAMaAo4eo86unIIhcQ6OBVAKzKfrSgzV9iiF\nAgwDC9FRLmchgYQBEACFwFYn12YCzYIwpSfJ7Apo5nEiLYbcD1wXR7bx7MFjJFxc\ncrS6yB/44y6a+OJfTLEVpDTPahKiOFAlmMAb8B05bDd/jqairwJPS+Sw2t/Tb6Ry\nToHi8ucg0+P8b0j+VeXoE0DlnuSMKbKQGvIq9fd8G6FymHppA4TpuKFl0QPUAbX7\nGLQbApk7gRoZK1XTQ/HKjyXdhfRogo8/07oRt6iO3nxC5NkLS/uxk/0ODqiFTGVg\nESkGQK3YQcr8hhhM467S49nzh+AQODgCTm7jSFO8kJwDP6eb5vF63qrIBZNUGc6j\nIoNHzQxqDoaFUd2GZcKg2Zsyizb91qYEMZdHUh51h1XH+jhg8G+L7I+hnBbzIj/o\naZfXALcmYNiI630SsiqA4iSufWy1bONnP0kHPSxVBqilLXpmfzIuNUwrZSQB+ZbR\nkIIA5lRqu1jWIcG/3CGQQMDfjqxus4Wt8bvGfOrbQk2qNs+l3uPb0+OBDNKQfVHD\nenXkTGrKIHt4YqnDc3ziWNAULwvRPviPQZPkJwPCDHdfA2bcQqLJOIYiBF1TdN9o\nv2eMQoTalEXfHOI5ndULjlyy5DaW2ZBKAgtH/WXg/O7ey5Q9e9QcnmwbOezEWx6x\nNNY3eoQs5LYxoWO7cEUv2MiEqY7ZWkrwmwcWzRV/7UmspvPHKULQV/fiNWb1yNJc\nATKv+sla0n0DzD+7BSiFcYC0ZvGAErYAwNIYhlgMEN7okuCscB+tz1d0yLhNt8DK\nZAn0NkIVnTn6esHqhp233ZmCrCmUezccMMINs8xQbqJR8bkns5hTDYLY48s=\n=v2/q\n-----END PGP MESSAGE-----",
+				"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.11.0"
+	}
+}
diff --git a/secrets/repo/pii.nix.enc b/secrets/repo/pii.nix.enc
index ff5ca0c..e430c7c 100644
--- a/secrets/repo/pii.nix.enc
+++ b/secrets/repo/pii.nix.enc
@@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:gXyxjAlbeGW2GM26evxLPdH2RILejHXF2v6g7He+p/06wOj0w7fJQ6VqE+J3VHk1iw6bSMOSOu4MYQGtsgGnTdU0WQ9VMI5J4u3MbC7LW4+8CwuhS3sABjGwHd5PAP9UvU/C+cd++4vZCXTkJFp/92kKNtZTCpGev5ckMLaXGfuAd0py2nPvgGTYcLNLOJcdGQ0ZkttnA58r20d6qyU0nRwEcbG91MBr7c34pSH5jGWnK+qfL9oAmWbY4ZyaOsvY4vfxPxQYQqX7BRQpln1H7QdF+X7d14E+k+FqITGQh4MrFN5DpkzWo2q7JybEol3eAtT9a0qIVIdgDNsXrSfkKN9GUVDO/1ErgupCQCM7emd4YURV8K1Zi6OxQB9uLBavgHai8D52+vik+drw98oR13GRo1ND1JVIf0VeWqhCNVzZoRBSO9I80PmmDY4PrXQgehi3c/iqd5p9yr9HGqWVzZ/UB3Ar6RD0Bp1PjkFvnJy62iDHHc35tI9ZWYxVD7O60AclJIaies3f7Bp+c1zRxeO94tcQJNDlHpu2C7Mgd3QmZydTRhdEOzTBZdxvJ6v/SjAr/DIEbIK1b3o/iI/tHIwRZ4UsVxCL2vmEqEowJcYjUsw8RdPVBmY9gkNbkx4oqPs5g8YNXJXDCXEnpaAOvMVf00dyGgyUXTsgAYEbUkdh7O2FAir8AH36bsctm+DnfwXfbVxcd4ZEelvfLWn8eh6IwSDNFyayRczQy34f3elef9OYO5jTxl5eNGrJxRTGRx/t7bRIkGistZjPwhGDci8C2uolBqbiB2r6KA0MJBQA0J1/26OXF5mpUmLOduau+udAYg8BnTNbqJwlIh4lCsl4Kg+VtRk7+ZDn+w3bQxAD6XSfzgvt329UdhZD7mVUEp/bsOlYWsJntXc34vOSm/OfLXMpMBzrwC7Rl/PA3W18K6aG9dHJ/87AiQgvlZsWp0h82diBxxBUDE9PWbUEJfF8WpKMqHinEqfbmeBp6Egtjh8V/TUC5hW6EARONepl/PuYMm6yi2yfokCGm6wFnfNJaxUBQ416KJU3WlxHOctx0ztmsuvYJC9kMU7FRfy+qC0BYQPIXVTKw4O2+T9JPJF6GLQLQC1ZhBdIqgvpWq29e/OiiCdp2iqBTn7TGZ8Jk9JanBy0hXlI9elXvj+faE+RpENIA3aSnLjBrQGPZM1Jv3ljUtWPmTK0OaO2gBI5u5ZGVvL0i4O//TCeUrCZHEkP3P3eitAR2jbYh73xGiHckbEEWSGyXS99Ld3DJjtTW6Qso3Gkrn5CRRmtLnmwZJT0HLVSoEX8jZPJIVBJ3+MvRNDQ/xRDq3sJwC6EOqAL5vq8nWLA3B60sNi6KisQv7Zv7NYnGSMe6Wvpdo6wyD40Kek5n1YpQQkUPR3CMMysZss58/oM/bgeZ5pMhOWW+P2daCKoLDI6HYJnUnjC24IV80rWpK5QhOvg1R7htUYsT4bM6TIuKDijd5Uqp5k36SI9N/NM+8yqtUD5NOkZx6hwtKrZeQw4Rwuf96inyAJrsCM8INJX5dQuhbi7Az6Y9xJTzZGbK56Dai9j7lN2Ka5h/1Gwq13pngVqMUA5wh4B7ieDow0AAblLdK48/K4AWJwvTr8SnPZTcDEpdggDgY2M4pnHA0kihlXJRV5tcxz5E3fjgwo8S2NpZ4fmL1yZlGDr0Zr5UpDitucbAMo7zCHUlnBuU2DpOWKfcdxX8Ez5MRjzHS+PNRaTO8d684dVX9rkQBvd0JOtQtQDTaNICCqSVgx0OOb24cdlJpn+bPHauunfVBPAI0KODjwEJTDZdlokoLqlxAwJjBDcK/iO/JAipGNUUMLACqOROwABLSyscexcBjNuxjMA/6SCQJvLVZfk4ANkx/0bSCKQ/tCJbTWfh5buV+rAwm2/Lsnv/6CiPRLB/KLgOFVS97ClPlTaK52HSOnNbx/KykJh23y0yGfdi6/NjouKOMUC64ESOQTuFyo+4IMfMV3p+pZsND7EWOH3MY6hQPpV7eLuCdSAAtcNZM1dQakaD9nFD6C4MPkLDC+BcueRorC51Kgw4od1pv7DYkjWea7mKWHADWOKovrawXw3XDvnNxYRl3o8ogZHJTZgIdFaqyhYGvLLvItZW51PuyHmpIEBNWzOUUp3RwDnratpyk9F3qFD9AkpwEOCqbGfhhRW4yOBPwjwwmt/evt6delgQhXHUyZL6Tfh3vlReDcchSE80ErCtgVf5MjX8o2dm+5ywof9SV5ufzMwiPqPsybskrIhcimm6Eoq14BIys0r8zxPMovG/uswi65fmoJsWeSEpt7X7hYHxS9A5ikXCH/o8vRXHkoTX0WRF3BryhcDlGzWqilrb1thttXZ9hicnnNmxDFB5l6+2e48uSo1SBNazCcRgHqX++to0u6Nl8So6qbWFz4qjhvVFySvbn4slRz1mCAmyd6k/4TFhKaz/aopIDIktgOktjU51R+9yw3MXudZ6vV2/zH961cvKr2rg9NBun3FcAggV3DDRlGU10V7DV6sfd3J+OkPNKIAqvAvjEoIbk0Pdl3yiKvNioEyJz8N7/ijLA6P0YRedJKQ7Y1ppyi0+5P+qwR/V1CB3Q6+sUmvTxC4wmT5VHxhuo1nq1+p3cIGmLx97l26qrdkZgHDSiOpXAZ8ibkveA+QAVg0XqXBShLGOJ3SZMwGmKwdlR8WSBjIZsZzp4Efl24pr34RrTNHhiWEqeNF/mnyO93+XBVzS0HUdgHhu0N6lGVxLrpQYTwidKMakkmQ+eWuqaZlKmqILkS5NUs3id3zZ3w4w1ReS44vGYdJLK0uY54cyBxlVKK5OrokOOxAbvfuuXXsTMzaG8PsSjKcasmPv2ueFUHiOvKQjgeldUmFh/84oYgWxTCneacI1VDBG7WSzN4/4ilvnQ3e5b9gr1kANc8fyH/lpXbTyvSph6SaoxuU+ctxAXBuCh1bW1izyoi6u3zh4pUDswezRxmWp6rzv8ZCD6DqxupjAFam7Nv69FIEskKw3DIao3l5zqYOat77yQ6dj07TKhhCF8s4XceoK8bjsV5bcBRzHWBKT1JLUgqiKsTSV4UpXNPStZAgBu+DL4mjxDdAqEYnmOuHYZZtn32XEJgyP8LDj6UVeN41K9PIHiWbHA1Rc31r5Fav2F43zjgzGsamKc/MfAyNSLBacsutoEzOX7Qucl8LrS4oXM2iIYext4w+lw+CJ079O2Dm01BYHgzobDNoybAtdFMLMkM86l5RMOAur3rzgz49Rh4VdZnuFYl+ZANIYD2bVskdZKvrqudWHYewK/qt6JbHz0mgX11KDGqjbYZAdOiIuV71tKvNdH943P+NE6zZqdxumi3DVfEfo0+YS3vtQfE5Pd7NXk6F4kXGRYeRrxuk7aVcqEs5QRgy/6KAs06lNk/OmEub3Wj4hrbdBXjhx3RKaLEWGIcHvL4lKdRJKXMlaSUgm4rW6A56SbyqolVlXFH4tgiwVEv+QZBC/dtaVy29sCgq+W/zqVfUmslSPKMTSRicblBD14/YXCd0XGsAsmWFs9gELqtKTxYkrwU4qeQoEzOyXJXB7pEdMD/aFAHnGV1kq6KUd7lbz9OxJOx4zyJEsA1nwhcpvfWUo0l+yzLWJ5vwLbnHF7GvUyqzwjvEfddaYZeHNgC/xziUzsr0KnsVUXOZEH5N6a6+GsWXc+wATqMo8gaYfrmjwxICEXk9jL/hjm00g/APEdQ3JHIKH9lUtEKFdfqCwysUMl+sw+fwk+oyKzdylvqpNyBovqOoscoKi0OJW5c6cn5o3r/1ULQ7oysjTLl46en5pZw32IotNTYpX9LpqWF2N9sdCb6YW9IT4GAdE/mS2Dl6I3mgjtnOqO+Axvnd2ez7gowwWH9ZgSaJbWtkKvpdXtjocZRT+NwsjCzW5QgI3Bs6MI0g8+JKYyQLPm92HPPtMiF349M+QKjtt5+LM397OFbC+JKX3ftp+mxFbTtuk9+RRWTyC5M61FfNTUqt5IhE3bALH4mZ/ry1eMO7iucesq/uYcS2g160M88ifZu8Bu/DghLwel7ilQcdH6lJx7LDgKLLIz5/YdysaelzqmyWFQWHKCyQMZ9d00T+ziNeR2V3i6FEKeulGirwtS2pp6GBXOJSk821v2LqzCd6nKdJAAu3PGe6tuDUbd58KZS2ExXPJvAeyQ/GGXGtY6qOGwlxqqDdYzkBEnJ59R/8M4JtEgqJSNTVA7eIGP3QuvrcX3yYCexeSziNlK3lZlWTn3vVlvJMiwm1CUyAiy3QMxER9QWwbPdjeh2aV5wtLiNRH+NFKegMOzuVpP263ghsMzNX1MGbIdTNvakrG/saG6XMxv1i6KuVH54Pt3LVCAKTKYLx3KD6wF4PzRtRAiPgYYswV37BUzk7vNL1YJ2q4Cxm1Qrh059wfFCEIFtGphUOkj4TYf9jLZywaN2lO/w0wxYYhJiIISxcQDwpiH4S6B5XO5aI/9H8shd4uUPIMPfFs1ccbC/CwiVB7Lu3w0Z0IkmIFoE+3iwmisWrYeqgqXslrQo6kd4cAI+S4bQlUbqV8i+uWHKthelItCDpgMLCXOmL5tXBCGfkYQsSW7V1r4nARmKQERzqY4Upg66O1aUk9gbas7p2vj/kJDHDQGfYIF5Y6EdneODn4a50Qk3bQrf+7OtzMo5NtvyT6q8p8ynvoSSasWlyO+LLHt+BnNzJE9dYc20bpHAlmvnxgYyo3XTL+uw+5cY1ToqmgOupt7d8MFiu8bPoJbh36xxqgIgCJoIhQTFImqLllR0Zj91Tz15Cez0uAVhP+e/nOjlZA42w6/Kxloo5/d4lgPu+tq56Qmvz1dd+fZNQVD4xrpZirNwD8wp2lDR+PHPPuMVO9nDhWSqnPrbn14xD25mwuekENxwF+px4F5BP2xJ6oPWxvO+RP9Iw25Lu9nnPSWyNebDwZSh0PqZEGmrrqay/WSWCqmZRQXRGRxSpSR4j+K0BIoZD5479gd9OmCM6Ax5h6BnIt28SNQRhpEMYQ2UOk7KyeXmQU3wxfRtqaBeJbJzRSl2sbfG0QDgeMV2Lba2ZS1B8IWeh2Lq5CE5imu950dUPI9nntJ8nW5MZuudfvIlZ2wCCS2dRoxcKFn7idf5e8szG1GlzA+iYOvTkXdly4A/dzqaCBvyzSEeGfgQ+IbLhGPTIRYIj1k2/TKm9klOvXhbrhTRQfB4MhnqaxTwjGkqvNnqWy4HPzsC/T+cb1wpDW5WKVgSnpfx5r7ix0Sg4r9UCdwUAta33FW+v1Ut3G/L5Upx4lH4roOiB2oWyZAjRXXs0yXb+gk7UD/9tb7bgudIiKB1wIfwfosgx3p0uzU2svFsnSTKSXnhMQ2Az/lvTKUJx9pHadzISEuwf3C9y/wFlnmu3D+2g4aB609LzCjDJD8XihHsIsW7uOQneOZpAzLG/jE3o3T+aW3D1RLwSN56srV9fhSMRV+2qEpTREEh/4kEULoGTvIgqJkh2Hb6VCIi+gwmLlh0OFooyez71YhKj0HKnlRmVl0ZAcal2FhZizAk/t25tuAfgPhzNxJDkMB+/aNGK3+y5hJJQz/npv+jhfcYZtDzIkG2K8nU3dSmiI+O5+jEb9XfEa4reIt1ODCY26VlyaO705TmHM68OVZ06B2P9TQa5arlEpDsjFIFRT+tBuGVoY25xWldD29pv8rfxxsdAABScr/crSy8qSWbb+r9I+bKlO26vJIA/MyNfAvCLWJn5XbHZ8w+FEdpE/8JfxPpl0HnRDW4kMCmt6mVjzWEMjFQl9QBtzIcIe0sr/aQqBwYCRe99TkJ5pMuw8S+jAcYoUYOvIFoWgA3ZNflNoW7Hn8kMQLyvYbLJtC+lyZHH6Z/+SX+RwCQ8Zsvr07wBZarsVbyx+SPWqeUHwnOaTRllgdp4OUPKlUcrABcC7opIrpFGhp5XOIk312UGKVKSafTrW9T5TQWnSMLXoS8S0iP0nB9YEpDxdVtz322Uw/Xq2x6NvuKgR0ewI6BiPzSVJ72+Zdr+2ISx24E2SrmIYlpkbXndEhpP4lA0g6eudn8sl1jr/CoUTSHEjvbxCHPiTJKg721CeKbSsxBYIyPnW1vjZBB93oM1slTf5UQSjg5x4YGe0F9ev+QcLT02YP0GCunAK9VCZ36Kq+b8P3lp7WYK2dzpXFu67VNl8TqEHIE7tJFn/u+zEyR4+Ty4RTdmP0G4U7xdAkT2M+5PlsKo/ZsEKnTp88/OdUzGKxK9I7bnxIU5xy/xWBcNLOK+3t78Zf1o1+5Gzmg1qVIIaOpAYSihsxVIjndqCtIoPZeec6H5LyLaiW3JLqBrN/fC5DNC9u+NTzasGs+AOVw3nUwaTD31w0+VkY+akLDhT0hWvLDogzs2+gPlNnHM2NQ+TIH3NQ6Xc+c6VIIMxyNr8kg0/E/KX7/qQ+YaPQ7IIH30Wtvj6vbmhKgK/AE0IU9Mi+ibK+ZAF/ranpZzWZ3DGIdyca2vtLOMtd/pXHyNyZeJxirq/oo0PQYhjz5tHaAEgrJ6JKVrkLdjK0QJIbjYyXwur2Rxled6ikz1qPqWfUte4Ez+STbrozAFEYyYElY6flBoZ0A2jnARd2Isy6cTpG4F5qZ8uLtzoqVETKVyAfBFj+VD3CMgK5Eaj+tawQOG2XjU3U4vqHbxglhUQSDWjUHhnt1gW1Ch1FVNyTrbv2XG4tlcaUu05+BreDBfvYzG5OvUVDDl7BvrXcTZw8t0gY6+xRydmDesIZXeQDZcnSVip9IIIguHymAkpbvNRgR1GT/EdwuEHQhHxVcRd8j9dMrGy1ve9mzCQVZTrlm8RAxH+iKsaT/JPtvEjREVWJB5XfMQflFybK5eoWZQNHIdBUFmX4BpxnI4uXnXehCTM6tHyRiZfQCsrqoamv8Ddr5G7bj0p2lxdnzfF4C9FICxIu3Y8w5LM6oYcAaFya70Pi01kkCVW9At8J+K4B+AmU0eb7eFPCevsXQP4EhdsjmJh1MRKVBgWRXMbnG0fXNso/gCFvg1NQ0085ZDa2khiEFWpVwDkpoP5M+vxy6754brHvIwKdXcsuEWfim0SWOOIUz0UXl68Lj/GIR5xgmVM/8ZxmbxFyis6TvGBrHFUug8A1XHRWvFy75k4mGzegwS+ENzC3uDhQC9tEVChsJ5AHxkm7krZQE5FMPusOJ95c8H2/ThbU4oB/x6xTGuZJqH5alhNdypmTcRe6LlDZZOU8vbWw8LCFwKZ5GqeK9dhnWoUvlMWwu5SKeC1FOmQHLJAeSdozjuZr3HmX2YSgbwtHqQlPUdrTZ6S6nwS70UW11PHn7IylQLjZ0QQh9zUoNfYS0/g2tu+GOIUYFDOAKc0qgEuXg+nA55c4dqSideFrbvO1pKOLdga7d8tY4nDpanPQVo2KyZV/sZP6sO6yblrv4sHqtarQ8P7N1H4/61Rw74tONQcQtrAeUw+y3WkOdlQguYjN/W+BL9aDuQuzCGcFPDd2E9RaiNeyUX1hCRNJ0tl4RTknydZMqF47cr8Orlrnmi5T7zGPD/wPAlKFqQwz+dsfPr3LnxpwolbBjF3s2iUhdE+i3TrqHuosOcTBCO23uv0pocwVnNvfDa+rSITUKlqLHr5nAskd4cEixZA2Uv1S95vBYnRwvZbajs1e4jftqoWrHUWFUR2WuWizNImJXl9e5gLUpZk6Uo3Z9ZuGqvb3bIGOd7msOxKqEHPeeQhlfkFVNld0ugDT5jDikBvg2DnoDG105svQVrptTisNnVQo8nH5p874FAimmb/ri3pG8Bn4zuoz5EDOPojgr5NdBDxByvY75nYeTG0wmnO/5FhWsqPTl69Inewn0AhFQrV08fKmhlO9RJwWoBT2yzINFpBrBhyGMHlzsJIvF74yxGZaMjrSGcJakNgl5QRZOlONoNO/92PiMmfN10noHfsOE7QfwmNO3k1+nBQqFn/m7BauDGekEBro/iciT5g2TRi/hG0ihEbp3kxq/4QriTShP/wum/98XsxorpkjTb5raEPKhx4vdSFoSsUinQc1Q81NAekQa1Hx7P/57sEy3oLmAnDeOmmQrGOxF8qTOgukTn2VCYuAzxEpnLirxQw4KpTxWxEy6ZkgUcTm42bgTDFD41nQH2g/Xl3XX+X4WM3yAWaqKT63DvmxtKSt0heKrxb5gHr8NC5IS3h0itA18Rs5yWzW9rsFsdOpzfCbQrSJYhWv/DziLepVs//ATeuHn8jgtGgSuC6MRsJtYHBYpldCOGuDVQsH7CjT4CELl1oZIhXqaAbremOPs3e9PawCX7j9vU8whj0nxtUXROWsAiT3h0H35uon0fT72ft6SivRLDIzQsenEmwkBBkXOX61Hm4wuO52z7LQWCY7OwXmQKn2iwGF1TcTG+yKYEqXpWRAPQY0RPkx0drGGXS/iJPdHD00fppL2DxSU8DRvMXD3FBkE1TUq++AqIESGjhGFliKeHfkiHWPyf/E0JAdRiKSNOIvAh+MQbRfd7nh8VBb002iQEY2RmJ8q2SFIZd2FQzxJsZvOfv7ilMeyM1zKHTevnFDV9/HxtXLy66mFomUEDuQJ7qV13oZNcKb0qWk+5ixszfcIBOD6XcSuzWfRZPOtDlST0tChGHMHNdPr3tk+VhVYjwdQB6ryIZcrX9lOX1lNir6zOnWvuiA==,iv:5ZAE9KTKJIBfAZy5hXVWYTSuNxNFtFjmgIHLFYfHupc=,tag:YaVIJMGSqY4WzD8LabW4lA==,type:str]",
+	"data": "ENC[AES256_GCM,data:TTRt+/F3VgN3D9mZcklKJ0xJShC5EUfdCo1NlcK/QONERmYYmnOyfbwbPxaUwBq2ZIwxznBAwwU42XMFclRiO/I9UKI4fmwsOoYZByIflNAKX/kveoig3WBRXWbXwTYTJfggErEW5WPiZRzk26Ji8L3cm4GFt25qeMORFVs/iN9Fiy1c9JSbasxjRI2UGfmsfILD/BTnTHo1QTibnCwdNerjQEETHD+QOTDQSlYJOVeop884BE3neXeYCnr7cWhy+YTrln8OX3y+Sgfv5jLEYNM8R9xaOTa1OpmadF9mx/RrOCABctBhuWFWLGPk/sLhCvGUylD5J/pyaYJN+cvtVT6bRCX0wj+CeCMAt3SHHrphXiU2BiOAneB90HGRbEJ8oyykt/ltjgwWmRwagKAp9CtzEqhuFouhow/W9LRgsksupMX6viv1YS52XgWbNXOHiqiEwBh+onjMz4Xg8Sat9thvgpy89k1ep9KJ5QgJYhqFKb2pvFgFkkDl49C4UpdImvdlePqXK46J1YzKWB1EMWPZ+stg3V/HDJGbXonTuom0e96AeGPY192p6wLpqsbZ5cH4vosSmhQTlkrGDvINGZS/q0Xxz7X8eLZMTW05kH/Ks7m71NHrx6xAkHaO8iRdbpQdVtqLIIh6OAt2vdcK4xVox9WyIiCWG4nvyCivjXXeYBLj0f9siINyFYI543wUpsO1zd129HKO40ZDcdXjrnR0n246uxDAlSBkA1VFWIZ3tincTcqT8tjkKQzIfNdDE/X0zLhzLn1NEIXMdUi/og3Oxh93A16pvpBNPmyR4CX8wQLu0aO5ceYIf7DCVSTZ5dDtbbA2Pi+qhb77bdS5oynnlYOAi0UHgB1H+bv4KTZiD7L/wMBxtoJbHVJJCvA3OEeKDwR0GmPBsjtjICib6dTJteidYTdY3p3XAbSZWjTotCn53vj40N+FzhfpgZei5fQKaE5jsAVqbzqdsJltWd07MB16SHA3aRXt5DC02lGtAsbPSSgJ7hxnxR5rT+z4bD9wFaNQ3NseEuSNHZ9Jep0qmwE5jd9oaH5J9As+8W+4FqQSRLQ28nhVFKNt1R9Bzcfmcx9hARbJUtx/aXvA8qFAC6/c9DLVK1WVWnvs4iOBzVfXB6NfQfaynuIzcbRYTx+hD86AHvwyW15RwbYHee2A4X74/qcn02Y9ilByhel4rt6tokBGuEJziYVtg6vzuH7hF2S+2Zl11MtNBlxSmD2ghLdzNhGQRi5XxDvbrPDndDHS9ppTpn/JaRLdzAaLwSM576hKwQmyC7O+sqmgUw2H4gy0iYkFVsKuTkRuOEa/wkyK2cLWCxUY4jOgclhS2wfDRbL+4FhtdNBzTPtduqnQVgGSKY8LJg+2dWDBmstpfbIiYNvNGI+ho4hO+82vNpPnY4MT5Bz/GiznAgVc8vZ2ELZD6PpRtT7SKdxI8dRcY/I0FNqfUhTYyW0Wmz2lZ/+KKv074BoihtqgLbLErge7Fe7v+SbYuKHj6w2wsEm2XsbTEzv3fskMgDW6eyuEtDhDATWIdrVjXlBjXfoYU5wBtWXNE0MzQISxYhSZHiTFei43JafagG3S7RQEOiCUGeqjjFjX1dCxalhTITIzFp0uGmHG6BiOAepHOi7TOqELorRMcglP5EPaDC+M5Eeax6PQgMSs+h50LVdSdNbYvREtllIqzL/B6ntMebAELFUxVttsk/Ky8eIbWUbXB5YOZpChJAk7vDlVeKye/pn49aHgkHp5MmkDlNYURnnX/wIQkZsKH7m0tOfmIBPXnnm8v8AgiZIfzH9GySfM3EtNsvmh6qshViGagyvXnSh9kgnotuOsWkuXVuNH8nDZQsqGWlATMctzYY2lsKXQ1lxmWhcTHlpDVyqzqpmn/5V6ivn3ltbE4uhYygbt0auOYuwnMGFuzZRB0xh/dp0J25grEeA9hKICb0OOjVSYTVKyUidxKGvHMtySv0g1qH5jBJXe1mBliJlFKgHKjQ+FK0oGzPxxakTOBoh2jY+sZdV0ZiytXPtuEVOVUu4rixPubuQiuE980+ZhShFtimjTt87BlTRBBaf04qYoux1MN7zVc3HQDbyA31Nhe1fsx+vylVT/1htqyw9Xe13FboLCFaf0hus8VJ7ycd/Ohf7EJgm3f+O/9pGXUamSRgRSE8tx6NwDAUQuSiGnYbi5hN9j+1zG/bC2atOia5SEGmn9ZjJB5s3mQC4M68af2Q7oFbkpajEKb8DyB2WlqcF1ke+cCrl6ADZWxuUezk6KKJ7Co2gVPNmczgUzJcEnYOV/YhqHOjdQDEf1peZlByq4sE6d17YkM9BrNXzVhftOuFUbbNl5VZIdd10YgVy5rMQsyB4vrB0HsR3s+8H+6Yon8wAaI1/A8ZeREjLq43Gb7qNy+Y703B5RzHTxUFHFFkviSAvP515YSVF7R7zT6Ik/5l2Nzg3DBBFqLfkVlub7eft11wd8XNUFJekvTubfh5GJW+lyMp8pXIGWPBH8PCbchuj/yBiBwhHPvu+sACtHYtu88ufQnQuS42CIVXG3AH5awDSOH048uHH8395Xu/bA0jWOX1f9b7m01yec2yxDhtG98gWiR4zRC7teIafxT6nq3pV8pxPOx8RxXWZhtvRFmcHlTtn4TO9cTm2e4yiUiNm7R3HGNvB/QzfLtcu8teIL7JL62Lca7e5fPiKkjoee9TFW4WbH5PQO4gX1LCM1XI+Az1YorNrIgzkX7tvASKCaWMHuMJGzVSS3rZ2A+HFmVaaO5nvWrxIQa+4z1nucg9+/so4iMaKaSKz8ZIv8pW9HFUyq99wVHhtYxj6Tatc2JYcln+oUErJ8OZ0ep7gq9b8gQLdbVQKVhCz9tWbG6tteClsIs2CflJ88LgMrRd50j75b8r9luVNnBvnhRpKOc7eYtd1XPtFj8Oup08p3BJoKSjkoQga8XDydEAEqmn2vvaNb84Em1kBaN8tpKZx0vgBG8y9Mfrlbxar56LD46+gQOPNCp1g92+0f9+kxPL7eZfr8Afsaoa2fvEScfVxfNE3TG0n32Q02y/UrzPn+tmkqhgHmJFXkR7oUVwcRFyge7jRmGKgkpCX8YbUGKvVje7/v98SfdQWHaWZ7ONb7lRrKt/T9FMwton+/pcREDdqP8aRw0uZsPdgL5n13iWcuvn2ba/gDpblIng44IDYLwDW3ldJDUGfzNGl30WzGdn7RDmYXwfnLzuo7f0sShjLIPay4B+L5f76ZaR/kcDrneRzU7/igpiMxo1uYHfjgWWEln53V67IT+8ae/Xf+oLIjHtVlWuQ+y4gnqF4u1nK5EfHmF3c8Wunc7nLx71UQGpggiHpnQrP8WbY0toEX1jmlYH9OlJqZLI67wnV0LbDgYLu012i0ovkjGYEvtL29kb4X32qAEiKc/jDrlm4gZ1hid2613KltkuH67iC9fDN8A4ocw3qgLMtOGzev0MXdCtL2QO3VeR+373iDNW6pFt95wduMEO0Urc/8hVkPCGX+VCTwgUQYdYL4eR8xiXSYp1EhiTgiuVHjEkk++cf2fh+CUqZCex+1Frj5CCnLS6QM9ccR6b5WJTHS6JezkHXsodnnnefixHi/QsVZ+u1BL7xBVUzvw5H35Lt1BCmAiVOMFpAnMcN9jHepoN25RWNwizCVO9I6UpBcl+e/gSwRo8gmNR2eexaPz2f+2Z5NLvNNyREBXpfNv5J6Nyv+Splb+QQogvYT+JURUTEQI1Ja0bl3dbJqOhQVBN9ms7TjKpSvyvJqVB5chQjE3MkrPISSAgG18MGFvpDcwPkn/INzSXsGceAcHLN1y+NQvo6pasGx6cYzZgc7JUhosmqGai7H21H4X7K3TlmW5KySTlwIx+pouj09aUeP97e+05PU2ov0wXN+lNHFLMV68QDykiQdhm1HZeicePoYYbLrSrodnIxamjSj9NCWaLoGRGf+ZqMb6xMBOj3y1SmzEmFn2Eyf/xNtCD0rADpbKhFZMmmDzk2YGYjQvzpbGAZm3qY62aqe4tgck26D2IPlK7XcSivpxmfiCj46oBa80kUfZGhmrTcq5btiVeu5B3c9ffIlcUIeUMCLA+G8opYHdijATFN2Od1ieUvkY/EE45xlHP2fyUn0Tfs7BvchhSkCoZpV/I3Gq/FOW+3o8pQkWDy+neYaZEIvfdqcbxf4AEYBVcj/1nNeYjCzQUfc8O1hLVR+t4Q/LUQY0zs0fWQS1M9jRxp4HE6Pa2DFAjo5hQZU0iuhuoPmhTWXvCTjuntddfyvbPb4FPk3QD3mDlBt39C8MkIuRGvH1g/a+BWttdzXqPFapLuvjr712fl58uGJc55IMmLrZZlkAGeL1tor3Kd1PvAFrqYS1kQamioXzubmZm2aJbrRQlJD16gNWoirBAyOKVrw4Na2simnv+3DPqVOvmQWPUAHBsTk3oaLU8ifZI7BUDdXTJ3Yn2HBLwW4QN3u+alPjyyDf0VE1M60O7ufN1DPDgsQC2hnkUsnr+mX+lyWPrZGZrlaiaUsLa5JIt4NA1h/aOMeP4JC2wxeQGU5T4KApusyGqE3PsfRWkCCiFDddZi0ayj8jZKwDseBwwVswvbyAOxrErtE0Xn6DdUocfL7R2DnHA3KwB6rSkWFAzksk7b4V5t8KhydaZZEqFKUW0gvoioGF973hrCt1idcN/SiiBaCUsM++ryyDCOqp4awJ3vvNa67gJiDjZodC63AXZOrkWKxtk0TXAgvjKKnwleJ7RabZHQiA+XuAXv799np1rniJ4f4WiS5QE+oMYNzjselv7Z/pzdE8gf58l4OV05j8X+cmELQUZSzBy1ZdQBxF5QcEv63Nq4h55pYB4/pDmRU5l+yEXrB4eeCbSfWjmOkggybwQ21M2EDTstLnheHvgEsKTmRXmr0fZ8Sdt81dcuZazG+cUKE65qDAYQSLj57wQIeE/d6pW5M+Ng2aMl1aNltkIliSsna/uf7v0cOtt9krIWXOL5C9o2TGJxWuv6S7keDozIXpARpopbMh5d4rRzCBpmaosr3gvw4Ea1HXp63N4noY45ImN2BLUv/vXAeeirbvhzN09ToNGjur0Hlvb77AhDFS511j2p3VyIwFiYRoxixI+zVzt4UpGjbsfyKOJhXg2fsV4qKtRo0iSU4ZjnmwTGR70aP8S8iJirirj1/UycQRlohWIY8eqhmKZS+HeSTy6bf3qGcue57Zn1ywXdXdjLrrz5tNg+qywOXMkG3ITz6Uv6Xn/hDaPdtGq0b1StNzPfEA87oIrT1QGoxZD5YgzSxyWkzc2cjA4ay9FS1tbBUtWOjy9tMBIsAyKR3MNq2qMGN9q/5OcagwyFJnepax3dGNj77btXMgIy5MLvNItGRQx4b8SvI2u9nfbBUVPTRYpjIaxaBmXyr1aJvmFRYCLgSH2Zq4xlOOapU3Y1kQeQCXuRulcdnittmx3j2FZAXf3fKyfstS9w/kUOeQcBYj72SAzkPoTiYHwQ1aBPxL6nP+oND+az8yASd2lnX7areK4ob+Oz6mXNZ+fzI9HCEAa9IQhMdrXrhYvumSaN+Nl/6d9Vob7nVeEBxSK+i6F1Oco17cU45S/MWGgUUZ3sEeciH6BnsWjTMDSTEAPlGqEX+TwzHvnY/mmoyZI5Ayg2U6moh04rGy9csDOWw34FARWdGlWnL9tbRqHJBfOXjkUcUmGkV7k9tlD0mTbhyxhmzXC2eFCI8rPstI9v3EKKBP55V6xt0auxP14M3f/gbKmn2iAlCFcutlwTp6a4jWqjdlB0XCxDdQj4JesVdyiZVhCSipvBbKO7wFo+n+majpHvoXP9292mJBHUPfU9XVqupX6HR8/Tbs1+6T3PTegW2dIzi1RGIcUdfCANTccUZsCG/qMZPQ0JnMtxi+K4/jdyKjKUokwMzZ4Qp/xylXT5k+LvIXpCWCkP3Nzcwi62nvie5RE5fEwIwEC/nYAzv3yau4B4bBIkF84Z5B/Rv+3urvYlfBXOuLLlxmnoZ0MomaeWuoBggJcPsdG4CsGgO6BuVdn3xVbHpwvDhk67gzeLIca/0h5qBM7C23H15J/fOflT8YgfuNrqW+AusJbm3AEHhUq3bMiX4j7BW20d4LJH5zpuFfXKZZKuu7T9Ujh04YS+ziFGNXegKYrnieOTdN5KVbqoWxWmRqptwfNYzugoeAzCjqV09TFD5NQeKdUw1qxVtyrbDwqi+ZfOu0L7r3EBbxq8XBEZPwAgqg3xmMokDdb1sPvPX4GnKO2y6uEpRaE6ilVusbks4ITW7cMpE6NliapADFaOm/w8L6F4yy5O7YF4DyLfuxvw++Z6Q9mrAD58RnD3sB392RRwHnWK1TXbtetdqcN2DlL6zUEQuez9/YCpMQbyTvb9SHNT/ZW/UIkSSvapTrOQMi6ZCD7mUt8X37HfEPskJexlLiOuflcfAIQxq8cAjGtiNME83hLFY2C77skw5WqQ7Yth5coFKhS2SX3kEDUZo7jmGeNTAkQHUBGfcxQ/fWsh3wbFH09V3X4/p24aLYgehp+T+8VblKCgpxCV43XuO9VHpPEuxLZVeWxuPy9VJ/Bw2B39LPkAFv847ncS0aUrcnPs8iSXu3WzUVAL1qpk/TwMUm7KrYdDGp705GwI8EgRjJnCqOUEsqEliNvblTkMVp6a+V3B7U9+Bhqa5HONHIEeD+vP5xHynzjRkbO3wQm8PEdUaXOpdqlLZKES/j7Dp9rfgHKNMGlJEanS9aNrk9KnSp9AZdWaEGMenTjZNkWYJgedXtg01NVxo+QyEA6TH7mm3201P3hAzsCMffDg3edxJa5KHHmLcWnokkMPiCgwWR3VFnQpEKZCkX9mmf5qPdJaogIzotk9SolLCrNxu8qLJkoYQEJ6a0mwngNZWDSViW2d0etxFnC9dg4bk3BmPyFOr+eEzv454v2ZLHBgnU1m4akTFou/gMr5gkf4ue09eliWE+7uz4jNgYedLhwKLEvA5tvWHSCnjqOAS387tHYV7I+tII2ZNtxo4tVLq9DaqQOd8mvaVTcHjzNKOfVubpTeNQxUNqZ+zwDR6E/8jfdo1D3wqAKi3zS61/T1jnEvjxNwukV9kbp7S+okFQ/L/t3yMBYUEB8pu6at+rN0YpytcaWMDxFKmYLIMXoCmKbkp1Zgye+d8gRTQYgkcVaYzGVXAtp/A8Q/WVmDEddMYk3EzaYNrTqYNGaKM7wTPbeeXXFKNYKRYPRhWGz/FoxGkXfKQjzm61bSjgjjtNiuyO4p2iuHDnQBTf4/vBs1cYfA3ZkH1uFCpiCDMRn6mgoRCgv7jIFhG38m/8gDfqPJN7ze/tqdWcWNp01YMBDe9WCtAnG8oCRmG3I6k7FBB7A7mQNthkMa0uTixC359aPHUsHVrreC9YrNc39YnE56MqzOBzIOjNfqcivygT/4ArpBpo/qK4LW2BGxk+6bH4pBoIF+8fDWegQg+8Ut4oqYDKXujS+/Pml35+ztST4xMVwlVI0GbMSu4R2dec73TD2jrghqfG5A9r7iRswH9uim25uNaJ/5kJJe+iwAnijFOTcgRleQ40G28crNPHC8pjwm0khW5JNZWE8e+tsi+Q0g1QkU9Q2S6eCNHOGgmJd7yfrizfzfZLDFYHQdHyZyDwXNq1H/8AR+RWb62S7GP7Amu0D9L7k0VLM/M3nB+eCX3aKNJimPGZ/sFuPyZ0kho0BHsUcPVinfOBwn72Dw4OE6g5EpbQzs+r+Dqdzhx8xZTsUnsaww2UGfk2p8GioHCVCzBnWO9kCYO93d/OB/0GV3yAtqG72DPmM1neKiwpdDr33EBYMfwxUd03SY0HbB8xUj34z26pEk/V+3EHX99MnN4Ac0r1HdF5PNJHj32RBsFhiWwwicXEWNkAC6Qb3Fuf7MgH0DoFRuvu5b+mUbVBGi4q/NCpZGyd/jtzmEHemYONNuNpF0XPloQ0mR8PM9GAzQ9mId9WJ6j0qYCwVCTGFsc4GxM+21HQjAW/QQs9drGcSVZ8/NvUcVK51OyJofFeqEWn5HpWAM45bHeqL1V3hKrlWDby+fTTuu1OPrG4Xpzaw200zmL//jxmBh6/sRRSkGzNU48v9KWYft+H3hM/9wsNSX9tNV70O+GOjYI2ITSCIev5hCkMSev6pzuTm6BB8LH7rCW8l9FH56TSmdutnxebmCQ/ZWvonT29TqNRvZyN14dKRYZ1d0Q6lChYSa+6PGhPsZXDIOaHVyc5UgCnoaKyLdddsJAOwGM0Uk6gl2fCX/m9XuhbeGTMZs66JGjBs0cdVeYAx9+hQTryrsGfFK4CvzBgLx4k+5XbZd4+B7Wi3vR6etJv/6JR03zQ+3VDeOmU7G7m6cL2SWlI7eqarPszN2pV8gZPjtnOw3PYinHlphFZMqIfP0dlNppyevOkHZZnCgq2r5cPX/mSn9uFNUsDv+206Nrp8060Aos6V/e4hPB8vdrpcvlljt5UTorVLs9Xsl1NwmAjtTT0LzIdWy80DFKLwkGViaM7J1VEeuMOE92lbl9v/Dp4UtCrul3lBzj/i3AfGVpIFIP9HI+iijTQ0IM28bLAD04f76xDM49MV32do7K0OYJLUPMbJpLu7zcGxeI5BzTayBnR7oySMcEDaUa4rLKEDx6TMvLE5rjQCNGs4KYoKuCQe/ngbb9KBEFRH4a0XB5XenNSsaRDCODzGsgw+ESaL2I1e67OXw1geZQ,iv:poRBCLTfTrmzqU4D9jrfRkiVrKX7bxdtLPCqFIg4GRY=,tag:hWozJXghX1TQRsYHbusFFw==,type:str]",
 	"sops": {
 		"age": [
 			{
@@ -51,8 +51,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGNi96SEpTVU1wa29DeDdw\nYm1weGNFVU1kdEdZMmRZTEJCeWliTm5mVGhrCkZhbmZzTGZoVHRmVTE0ZFcvMno2\nUkhVNFU5RGdOS1dEN3pZeGtBbHlhTW8KLS0tIEcwQk1LN1dydEpjSjlna3BwYlBZ\nZjNwdU5leHhJWTZqRElGZERVbFg0SkkKR5LI86bCwuWnzzF/+sYgnsEdHSCMYwr7\nhEaK43fFnD1zUKve/D8NmscJO0VAZIt7duzdeMLv7h+a2ebSXAJ7fA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-12-15T22:14:13Z",
-		"mac": "ENC[AES256_GCM,data:PKmS4kCrIpbCrH3nczv1DBGdGOfHfZziZKPAH8LKXD5mXT/AM7PtBZhWFSI4HSS7zoOXEtW1iS0s/DCIqEurzwaedoulYR633ALnNNLNRiDuYGk4VMWjeeUEZLd4AFNKQTtDdDRDeLKZDaqtXU8QUjGd/VqREIBekuHrAV5SUG0=,iv:7m2h6z4CxznnCGcxGLoXf9T6sE5U+7Rezcr40tSZqfs=,tag:lhngFD3+LZw1U/QVq79gPg==,type:str]",
+		"lastmodified": "2025-12-22T18:01:00Z",
+		"mac": "ENC[AES256_GCM,data:P8D/ArbLH/BrIL06OSmOjQ1iO2hZTnrryjp9YgZIExJ3rBWE8pdPpCiJ5BXYk2CEe+ZPpbF6Bh7YzUoUVoZTRjBSWWKd51MNoVVn39qIqx6+GK5d7R2/a+1+LeJYlG4QGCjPStIg1QBmgnzKP+rAsu4bOfoVXZL9KyHOGDELfAk=,iv:8fK/UDHfEaMOte+qWzgp8BHS2Q+lkYewFkvfCRnGh34=,tag:PuHdUK3F3UXFuNWPDXeO1g==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2025-12-15T21:53:39Z",