From 317fcfb795f11db194caf1d5cf642fff79fe72c2 Mon Sep 17 00:00:00 2001 From: JJGadgets Date: Mon, 5 Jun 2023 06:01:19 +0800 Subject: [PATCH] feat(authentik): cleanup, TLS mount, 2023.5.3 --- .../Biohazard/2-config/5-deploy.yaml | 20 --------- kube/3-deploy/2-apps/authentik/app/hr.yaml | 44 +++++++++++++++++-- .../3-deploy/2-apps/authentik/app/netpol.yaml | 3 +- .../2-apps/authentik/app/secret-redis.yaml | 9 ++++ kube/3-deploy/2-apps/authentik/app/svc.yaml | 28 ++++++++++++ kube/3-deploy/2-apps/authentik/ks.yaml | 1 + .../biohazard/config/secrets.sops.env | 17 +++---- kube/clusters/biohazard/config/vars.sops.env | 12 ++--- 8 files changed, 96 insertions(+), 38 deletions(-) create mode 100644 kube/3-deploy/2-apps/authentik/app/secret-redis.yaml create mode 100644 kube/3-deploy/2-apps/authentik/app/svc.yaml diff --git a/kube/1-clusters/Biohazard/2-config/5-deploy.yaml b/kube/1-clusters/Biohazard/2-config/5-deploy.yaml index f43e0c83..c300c0ca 100644 --- a/kube/1-clusters/Biohazard/2-config/5-deploy.yaml +++ b/kube/1-clusters/Biohazard/2-config/5-deploy.yaml @@ -344,26 +344,6 @@ spec: --- apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 kind: Kustomization -metadata: - name: biohazard-2-apps-external-authentik - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/external/authentik - dependsOn: - - name: biohazard-1-core-05-ingress-nginx ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-2-apps-external-matrix-synapse - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/external/matrix-synapse - dependsOn: - - name: biohazard-1-core-05-ingress-nginx ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization metadata: name: biohazard-2-apps-dns-dnsdist namespace: flux-system diff --git a/kube/3-deploy/2-apps/authentik/app/hr.yaml b/kube/3-deploy/2-apps/authentik/app/hr.yaml index 0746b4c4..d4b6bece 100644 --- a/kube/3-deploy/2-apps/authentik/app/hr.yaml 
+++ b/kube/3-deploy/2-apps/authentik/app/hr.yaml @@ -8,7 +8,7 @@ spec: chart: spec: chart: *app - version: 2023.4.1 + version: &vers 2023.5.3 sourceRef: name: *app kind: HelmRepository @@ -19,8 +19,8 @@ spec: replicas: 1 image: repository: ghcr.io/goauthentik/server - tag: 2023.4.1 - digest: "sha256:96c9f29247a270524056aff59f1bcb7118ef51d14b334b67ab2b75e8df30e829" + tag: *vers + digest: "sha256:a7ccd464402a9cf9bd36df73dd1f85cd90df6dce2d5d721a7de7a55c6f72962a" pullPolicy: IfNotPresent service: port: 9000 @@ -42,6 +42,20 @@ spec: - hosts: - *host secretName: authentik-tls + volumes: + - name: authentik-tls + secret: + secretName: authentik-tls + optional: false + items: + - key: tls.crt + path: fullchain.pem + - key: tls.key + path: privkey.pem + volumeMounts: + - name: authentik-tls + mountPath: /certs/${APP_DNS_AUTH}-k8s + readOnly: true authentik: log_level: debug secret_key: "${SECRET_AUTHENTIK_SECRET_KEY}" @@ -66,6 +80,7 @@ spec: password: "" redis: host: '{{ .Release.Name }}-redis-master' + password: "" envValueFrom: AUTHENTIK_POSTGRESQL__NAME: secretKeyRef: @@ -79,10 +94,31 @@ spec: secretKeyRef: name: pg-authentik-app key: password + AUTHENTIK_REDIS__PASSWORD: + secretKeyRef: + name: authentik-redis + key: password + env: + AUTHENTIK_REDIS__TLS: "true" redis: # TODO: change to non-Shitnami Redis enabled: true - architecture: standalone + architecture: replication image: tag: 6.2.10-debian-11-r13 + master: + persistence: + enabled: false + replica: + persistence: + enabled: false + auth: + enabled: true + existingSecret: "authentik-redis" + existingSecretPasswordKey: "password" + usePasswordFiles: true + tls: + enabled: true + authClients: false + autoGenerated: true blueprints: [] diff --git a/kube/3-deploy/2-apps/authentik/app/netpol.yaml b/kube/3-deploy/2-apps/authentik/app/netpol.yaml index 8444e951..26921233 100644 --- a/kube/3-deploy/2-apps/authentik/app/netpol.yaml +++ b/kube/3-deploy/2-apps/authentik/app/netpol.yaml 
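Review bot: The `authentik-tls` secret volume added in the `@@ -42,6 +42,20 @@` hunk sets no `defaultMode`, so `privkey.pem` is projected with the Kubernetes default mode of 0644 and is readable by every user inside the container. Consider `defaultMode: 0440` on the `secret:` entry, paired with an `fsGroup` matching the authentik user if the pod does not run as root (the pod security context is not visible in this hunk). The mount path is built from `${APP_DNS_AUTH}`, while this patch also introduces `APP_DNS_AUTHENTIK` and hard-codes a hostname in svc.yaml. A short comment above `volumeMounts:` such as `# directory name under /certs is what authentik will show for this certificate; keep in sync with the ingress host` would record which variable is intended.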
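Review bot: In the `@@ -79,10 +94,31 @@` hunk, `AUTHENTIK_REDIS__TLS: "true"` is paired with `tls.autoGenerated: true` on the Redis subchart, but nothing visible mounts the chart-generated CA into the authentik pods or sets `AUTHENTIK_REDIS__TLS_REQS`. The server certificate is therefore most likely not verified, and the Redis password travels over a channel that is encrypted but not authenticated. If that trade-off is intended, state it next to the env entry, e.g. `# TLS to Redis is encryption-only: the chart-generated CA is not trusted by authentik`; otherwise mount the CA and add `AUTHENTIK_REDIS__TLS_REQS: "required"`. Separately, `architecture: replication` with persistence disabled on both `master` and `replica`, while `redis.host` still points at `-redis-master`, leaves the replicas unused by the client as far as this hunk shows; confirm that is deliberate.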
@@ -60,4 +60,5 @@ spec: toPorts: - ports: - port: "587" - + - toEntities: + - kube-apiserver diff --git a/kube/3-deploy/2-apps/authentik/app/secret-redis.yaml b/kube/3-deploy/2-apps/authentik/app/secret-redis.yaml new file mode 100644 index 00000000..c52a259a --- /dev/null +++ b/kube/3-deploy/2-apps/authentik/app/secret-redis.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: authentik-redis + namespace: authentik +type: Opaque +stringData: + password: "${SECRET_AUTHENTIK_REDIS_PASSWORD}" diff --git a/kube/3-deploy/2-apps/authentik/app/svc.yaml b/kube/3-deploy/2-apps/authentik/app/svc.yaml new file mode 100644 index 00000000..3d8aa301 --- /dev/null +++ b/kube/3-deploy/2-apps/authentik/app/svc.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + coredns.io/hostname: "auth.jjgadgets.tech" + "io.cilium/lb-ipam-ips": ${APP_IP_AUTHENTIK} + labels: + app.kubernetes.io/instance: authentik + app.kubernetes.io/name: authentik + name: authentik-http + namespace: authentik +spec: + type: LoadBalancer + externalTrafficPolicy: Cluster + ports: + - name: http + port: 80 + targetPort: 9000 + protocol: TCP + - name: https + port: 443 + targetPort: 9443 + protocol: TCP + selector: + app.kubernetes.io/component: server + app.kubernetes.io/instance: authentik + app.kubernetes.io/name: authentik diff --git a/kube/3-deploy/2-apps/authentik/ks.yaml b/kube/3-deploy/2-apps/authentik/ks.yaml index dedfb93b..a9d3b8e4 100644 --- a/kube/3-deploy/2-apps/authentik/ks.yaml +++ b/kube/3-deploy/2-apps/authentik/ks.yaml @@ -36,6 +36,7 @@ spec: PG_DB_USER: *app PG_DB_LCOLLATE: "en_US.utf8" PG_DB_LCTYPE: "en_US.utf8" + PG_SUPER_PASS: "${SECRET_AUTHENTIK_PG_SUPER_PASS}" healthChecks: - name: pg-authentik-s3 namespace: authentik diff --git a/kube/clusters/biohazard/config/secrets.sops.env b/kube/clusters/biohazard/config/secrets.sops.env index 2fd40d1a..8c76a81c 100644 --- a/kube/clusters/biohazard/config/secrets.sops.env 
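Review bot: The new `toEntities: kube-apiserver` egress entry in netpol.yaml carries no `toPorts`, so the selected pods may reach the API server on any port, and nothing records why an identity provider needs that access. Adding a `toPorts` restriction (for example `- ports: [{port: "6443", protocol: TCP}]`, with the port confirmed for this cluster) and a comment such as `# authentik manages its outposts through the Kubernetes API` would keep the rule narrow and self-explanatory. The rule's endpoint selector lies outside the hunk, so check that it targets only the authentik server/worker pods and not Redis or PostgreSQL.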
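Review bot: The new LoadBalancer in svc.yaml publishes plain HTTP (`port: 80` to `targetPort: 9000`) alongside 443, so a client that reaches the address over `http://` can submit credentials to the identity provider in cleartext unless something redirects it. Consider dropping the `http` port, or add a comment saying where the redirect to HTTPS is enforced. `externalTrafficPolicy: Cluster` also allows traffic to be source-NATed on its way to the pod, so authentik's event log and any IP-based policy would see node addresses rather than client addresses; `externalTrafficPolicy: Local` preserves the source address where the load-balancer announcement supports it. The `coredns.io/hostname` value is hard-coded while the rest of the patch uses substitution variables, and the annotation value would be safer quoted as `"${APP_IP_AUTHENTIK}"`.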
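Review bot: `PG_SUPER_PASS: "${SECRET_AUTHENTIK_PG_SUPER_PASS}"` in ks.yaml appears to sit in an inline `postBuild.substitute` map (the map starts outside the hunk). If so, once the parent Kustomization substitutes the variable, the PostgreSQL superuser password is stored in cleartext in this Kustomization object's spec and is readable by anyone allowed to `get` Kustomizations. Supplying it through `postBuild.substituteFrom` with a `kind: Secret` reference keeps the value out of the object. `SECRET_AUTHENTIK_PG_SUPER_PASS` is also not among the keys this patch adds to secrets.sops.env, so confirm it already exists there, since an undefined variable may be substituted as an empty string.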
+++ b/kube/clusters/biohazard/config/secrets.sops.env @@ -15,6 +15,7 @@ SECRET_AUTHENTIK_SMTP_HOST=ENC[AES256_GCM,data:xKMQWNOHeKpqID8IRRXDclG74k1D9zTmn SECRET_AUTHENTIK_SMTP_FROM=ENC[AES256_GCM,data:D1UhPUWc7S8bh1qIwsgTDfRDzA==,iv:VQImJJL8FW+AG/y0gijqzP26eZ7lmPUIUjncjuciP/A=,tag:3qd5NSwy7jimLD/0MRcDQA==,type:str] SECRET_AUTHENTIK_SMTP_USERNAME=ENC[AES256_GCM,data:1rEiJfdxMJzLsPkiD4oTd2vczzA=,iv:704boc2UO4b2yaUh+jEJAm9y+qa6yLfoorhgQgPLpuc=,tag:YLzsBgHuYhq6WurZoYE6gg==,type:str] SECRET_AUTHENTIK_SMTP_PASSWORD=ENC[AES256_GCM,data:oT8AnkYa8Jq1emuP6dnDchKltNMNFPEI7L5QGw56TUCgxhC7NHaQdA==,iv:9hfYTWmwb0Oqddknk2kZFDHbatlKUg5AV4DOHI9TH+k=,tag:7fB/vCFBZzOBAzfUfhhs0g==,type:str] +SECRET_AUTHENTIK_REDIS_PASSWORD=ENC[AES256_GCM,data:3IQpYUHxjbkQOvP4zayJKrs23vbdo3zgNPU7BBUoKKlL4vS6w2scZJV74d1ltjU+l3GojsExyhXzGPUZm3ZNOzXH9vL/MPlDwhrSmRBK25fAN0I5eckCf8yF2tVoiOaYNVjZv13eFQyZTbrWa6kNX2H8sU5qrz+3hE+rFMKSEt2oGVyYY8SigU2HalWjaSYp1mNEJhrS70ndBdxMSjtMvQ==,iv:Wz06/Zl58RiowOEI/bSfXKN2/6r7t+mmPzWeagJD4FA=,tag:wjheK4Nq81D/sI3bS4YrvQ==,type:str] SECRET_AUTHENTIK_REMOTE_TOKEN=ENC[AES256_GCM,data:GSPPuSgS+nvXBPOiu1jhK9jTiBE4t/AZgVutT+j8FgLx2TboCtXZh/09mEu6capG7TYwO7C0fUgyXzxD,iv:K5VX3471g3RA3t+KxnalAaane2Q+7RhMwVa1ICtFDQs=,tag:2benS6z/VBDqkwxoi3IIXw==,type:str] SECRET_AUTHENTIK_OIDC_URL_AUTHZ=ENC[AES256_GCM,data:nQOUFH4EofqbavU2rqDY7ZBVP6HYFiPJwR1ewvuPlS0CZpwLmva/GIBqbKo0iNN8fEnIww==,iv:PLigYh0PaOx2a97NmrXqji6Y6gPiqoMs4DZ7ua95CR8=,tag:0VvJaP8EYPz2jlxjTI8GQQ==,type:str] SECRET_AUTHENTIK_OIDC_URL_TOKEN=ENC[AES256_GCM,data:7siWNEfEXQSgDDzgDw1eZwXSmT7grd7k6lPa9aY7ENaEb+c4eXm+MtJujnLuCCAL,iv:K/L+WZIkawK2sYuQ5or3XpYy5R5rg2DqGBVPpK5QJCw=,tag:RgOlx+g3Jc1RIG5ZHMegQg==,type:str] 
@@ -55,12 +56,12 @@ SECRET_KAHIRC_HASH=ENC[AES256_GCM,data:W9COiS07lKcFu3rST32KymOX7snnuyBLvULnyi53x SECRET_KAHIRC_ENO1DEV_IP=ENC[AES256_GCM,data:Dgny2/eaGODCKELQ,iv:/o+9sD7ua3ncilb4eO9vMbBAxq6GZSmoE8bKdW/QinM=,tag:wzGGhlnJQgF0/DCSSadGmg==,type:str] SECRET_KAHIRC_ENO1DEV_RECVPASS=ENC[AES256_GCM,data:RfJaouvks2DBKZdo8Z0psDnp7uGe83uf2bGpi8sp5u4mDnZlbCp2yXjWo9F2a5SOU5aV,iv:jvn+gwN6z7j+2Kdaw7iWBJ8PyMkOqUzs+YwoTjDDkPI=,tag:RNlYvdEbNa1jx3eXqQgZ/g==,type:str] SECRET_KAHIRC_ENO1DEV_SENDPASS=ENC[AES256_GCM,data:x2ibpAnes91GZ9PyMXlbVnigh39lpLI7m+DvN/IsNOeTSwiE76Br/0jRpxbi/TErA8FS,iv:Gpbl/qzHx5X9Y9pJYDab+dsWykRnQAbCjutlWnO9M/c=,tag:0FC8CRu+7yZ7LIW8PsCFYw==,type:str] -sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z -sops_version=3.7.3 -sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxalh5ckhGWGxFTmFqSDQv\ndXlPOUlyYVNkWHA5VGN2TERvaWtWMHlJdFRNCnQ1NlJldEgxb2E0VEdVSDVpbHp5\nZEpTMEQ5dWU0Q2ZWTFBOZFp5Ti95ejQKLS0tIDF0c3VlazRzVWtVQ1JXT3hyTWNN\nWXpUSUNydGY4V04xZ2dTSzlvWmNOTGsKQ3rimeB7zqB4dYMp1pR1AOltXk+GhGsb\ns0jDxr/SiPUaiYoVCY4fqu9geXNRDGlPh3T2Lhs9Siif4Vnc8qTQBw==\n-----END AGE ENCRYPTED FILE-----\n -sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj -sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdANDTQwVjZ/Ad3iqBe0LL2sGCrEvrl6W6VaMjFgJCUkzYw\nwASmi9Y/OqREXtEItA1rKZDTM38LuMfcU4vAeEV0SNWlW5CQquN8UpLwMATrBdXr\n0lwBcvIZFLbbnfqFAdJ1EzbRWvHuh+yn5DBMH+odm3ZLaJqiiV9EaWhfl2rdIOr4\nPJQf6Ev1hueWmc9H45a8nvwH8sOl9MH9hl3TW7o9JOOhGmZ4BBVaSJW6f0UiZw==\n=iSQg\n-----END PGP MESSAGE-----\n -sops_mac=ENC[AES256_GCM,data:crsXDzNEM84oHxz5EgeXMpC3U6My0Dy/VtFHPAbncRpRJAFvIJXmGfV4rF2fBEzbafumu2qLQE0vGP25zJhus+GEth2qiEYqyv7XGyhpcXkzwjBRcIqPLF0Jc6pkI48mm7m6LherWcH0/KjL2ShP8IFQFzLtAUZ/MmIwJJNgc3o=,iv:MQYrm2OC9VfWAMyrU4dM6lwl8EPOaDoiCu8ZNFoHlnU=,tag:toyRjE4+m4/KjpyxwR6J+Q==,type:str] -sops_lastmodified=2023-06-04T16:55:05Z 
-sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 sops_unencrypted_suffix=_unencrypted +sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdANDTQwVjZ/Ad3iqBe0LL2sGCrEvrl6W6VaMjFgJCUkzYw\nwASmi9Y/OqREXtEItA1rKZDTM38LuMfcU4vAeEV0SNWlW5CQquN8UpLwMATrBdXr\n0lwBcvIZFLbbnfqFAdJ1EzbRWvHuh+yn5DBMH+odm3ZLaJqiiV9EaWhfl2rdIOr4\nPJQf6Ev1hueWmc9H45a8nvwH8sOl9MH9hl3TW7o9JOOhGmZ4BBVaSJW6f0UiZw==\n=iSQg\n-----END PGP MESSAGE-----\n +sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 +sops_lastmodified=2023-06-04T21:55:24Z +sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj +sops_version=3.7.3 +sops_mac=ENC[AES256_GCM,data:h7vvETTj/3A2n0J12aMx5h+GFcJTeMGJ+ZIXOXxYZU720OVMuYGjIcDlhnGmihfB48/QdpjRMPE2xidGR3NFN+q5ORZHkwnIvyMlagf6gfpt7apo9i71wUEabBGt8OKJJJs5S5izm9qPu1/Aa1zokIQN1ZeDhwssowDAybzRkeU=,iv:erVo+HFQA1hYe+K7ufjVBpiAm0rMD/B0D/v0plv6vII=,tag:b0eW1fgDlLarX348mBSFyw==,type:str] +sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxalh5ckhGWGxFTmFqSDQv\ndXlPOUlyYVNkWHA5VGN2TERvaWtWMHlJdFRNCnQ1NlJldEgxb2E0VEdVSDVpbHp5\nZEpTMEQ5dWU0Q2ZWTFBOZFp5Ti95ejQKLS0tIDF0c3VlazRzVWtVQ1JXT3hyTWNN\nWXpUSUNydGY4V04xZ2dTSzlvWmNOTGsKQ3rimeB7zqB4dYMp1pR1AOltXk+GhGsb\ns0jDxr/SiPUaiYoVCY4fqu9geXNRDGlPh3T2Lhs9Siif4Vnc8qTQBw==\n-----END AGE ENCRYPTED FILE-----\n diff --git a/kube/clusters/biohazard/config/vars.sops.env b/kube/clusters/biohazard/config/vars.sops.env index 45b41848..34cb367d 100644 --- a/kube/clusters/biohazard/config/vars.sops.env +++ b/kube/clusters/biohazard/config/vars.sops.env 
@@ -74,6 +74,8 @@ APP_UID_SATISFACTORY=ENC[AES256_GCM,data:nuVL2gs=,iv:LsaAEsq6f2C2LDbT472gIJ9ikGK APP_IP_SYNCTHING_USER_1=ENC[AES256_GCM,data:5TFttY9RxF4ZXIpG,iv:Zxl3Tz6i0yeJH2jUCRPiYDoGKOvgmce8JFqCG/UQSbQ=,tag:5rnymxpGSukseJRQtMLQdg==,type:str] APP_DNS_SYNCTHING_USER_1=ENC[AES256_GCM,data:CPLql1XphBbMmVQ=,iv:O4i2oh1iD4gRbZNu8WolBnIu+R7JmgG+Ern92hmA8X8=,tag:iUNh7FTVU6ULBno6blbw6g==,type:str] APP_DNS_AUTH=ENC[AES256_GCM,data:sXFjbTpoaVJlfWOwsbgnNNLTGQ==,iv:FMrKU4bV2DvvO37Awjb+n23/kLJo36IpSPfCdQCvqtU=,tag:P4u0pgHGytRxVku3EWKDvQ==,type:str] +APP_DNS_AUTHENTIK=ENC[AES256_GCM,data:M9CPbMYyI8xbW3IIWcLIJnPqdA==,iv:Bk9o+S8qShQ2uqa4AUiZpTl8aFUGqygMeZRhRG1dWD4=,tag:+Clc/DEP6a6HyTaJfLkC9Q==,type:str] +APP_IP_AUTHENTIK=ENC[AES256_GCM,data:DGzwzD82RHVqZ8M=,iv:wyhgGqYYfxDLW/E/RpUjP46XIXON2pw+VwLYDpX2ubk=,tag:v4bwql52jgDCNw6rjBobpA==,type:str] APP_DNS_AUTHENTIK_OUTPOST=ENC[AES256_GCM,data:CUBRYiO12Ai6VNc=,iv:jdbf2R6Z49YfLw2NDcJqk0+ltAdWMcx07pdxyRcYcL8=,tag:qpEZVfFbuCO6SPJfU3jB9w==,type:str] APP_DNS_MATRIX_1=ENC[AES256_GCM,data:4vltr5J1tNy5VNDh9C5FKdgFAA==,iv:53YO9hfqLp8+FuILGaSnxhsRcODxNu4cV69tfymJPxE=,tag:Pf8Vti0yvAhkyH4bv9vQtw==,type:str] APP_DNS_MATRIX_2=ENC[AES256_GCM,data:a/Kw6TPyjHzo80PXS3aiLMfYqC4e,iv:sD530ugJuIc+oBuDFObb60Lda/9O5vKEUawI1/J9hKI=,tag:J5nwJIZA34PbVvEwFrcv0A==,type:str] 
@@ -105,12 +107,12 @@ CONFIG_SANDSTORM_INIT_SCENARIO=ENC[AES256_GCM,data:199SWIbX0ecKR9r5VjxL/aZROg==, CONFIG_ZEROTIER_ENDPOINT=ENC[AES256_GCM,data:tOyIlrzdn8sck7um7OSicq5T0XWAmymaRLn2ENL1EyPGVdXZhi/IDRTNxmBzCVkUdju0D79EKB29qTw=,iv:FjiBFYt68V1J+/AOEptVDQ6IoXxGevvN9NCB54Rs9ws=,tag:bWkb2QIS32ltJKCrHWL0gw==,type:str] CONFIG_AUTHENTIK_REMOTE_HOST=ENC[AES256_GCM,data:Iv7k3CoKsLrQf0PRIfhGMCAjOU3AdweS+LFWMeEQoWc=,iv:TsRwWDUrI3zAgBgFRkZAYUNlZV0Q/gOlGjKFrheM0nE=,tag:38OGfWYEm/h/+FH7IsIH3Q==,type:str] CONFIG_HEADSCALE_IPV4=ENC[AES256_GCM,data:EZ7GMHA6u1wWPS5g6Pg=,iv:W1hcseQ4Q6CisTXnDLI7hWTy18fIVKtZ46tudCyhfa4=,tag:2WnnNjuZhwUPG07OKTQt2g==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_lastmodified=2023-06-04T21:05:05Z sops_pgp__list_0__map_created_at=2023-06-01T18:01:04Z sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdAbA35718t0WVKrjQFYUPviCb0lVuh8NpfSdJCHjHcWWww\n8ak4q4VL69tZLSjQHx+VsMmKooknxWz6pw0lGxyDYlZMQ81bodInjaZGFZSz8Uuh\n0l4BhDCNDBBALTrnTliz6/DAHvmavI4UxMHost5alFio9JPkTDNmXZyvcy1/R6aw\n/uhQXLUBRvm0TSOhBZb7d0SLkLfe02Um40w1TibpKXsZz1GOMbPRNBMHHra0QIuQ\n=0jA+\n-----END PGP MESSAGE-----\n -sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 -sops_lastmodified=2023-06-04T10:53:33Z -sops_mac=ENC[AES256_GCM,data:q2TXZE5bZriXJx6CgO2fg6V06fVzC4E6jAnQOqjJQ0n1yQwXOdz0ToTRJFsm2F70YgXw79G/U5P/LFlty23zgDOHUMPXssbzR7px2fF1Q7fF8nqOXj36Y9Opp5LGPQWsCxi6qslgvqSHKj/N94Phq0lJilxdEAxKqj4ruAOHgNw=,iv:jo41q1fb0Ba5iYvtfWu5wsrUeY5e1GC4ZweGbbJ6mms=,tag:yNiijTsd2OC4SmcgFBLqxA==,type:str] -sops_unencrypted_suffix=_unencrypted sops_version=3.7.3 -sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSXFvLzFQaFJ0OVJKUFV5\nTWh2OUltUlpJWFlVVytFYU9VajBHSnQ4SGdjCnRVbEVXdDVyUHJrR05Ba0xvUm1l\nTkt2YmNUZy90ZFA2b3QrODFKZ01EVG8KLS0tIEw2dkd1cnFCbnI5eWxKL2o1aDVB\nN0hveXZ2dWdxQ2k2L0pGR0ROMStVTmsK4dV/hNyDjsYnVUiFQ7kqdmcVHfYyVckz\nh/rwLjcZgsup72WDVP3v6Eul8B3LKFrSb8CDFA54tyQmSdFDCQC+Zg==\n-----END AGE ENCRYPTED FILE-----\n +sops_mac=ENC[AES256_GCM,data:KDPElR0we8pWoUV9av0VlXRLnX0QXxeCF3T6AuHh5TUsO8iJ18/x79KFle9zxWr2XMHT8xi5ZV9htQ8c59TebtwM6xaU3ik/SnOLLbONMufCYre0DORalpnUN9oGMjLU9jSqgISasDVRSiAhbhIxXFVINcDalM5AB/dfaUyLQvo=,iv:aJtid6f9uypSElSbeH9EDd4PUPuRIf5DT4zXJ/HdmzU=,tag:5NmnbAalbNm6o6LZAyFSaw==,type:str] +sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 +sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj