From 2654b9fdd9c03ff49f556bc88c6dd89c29853ec2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aleix=20Bon=C3=A9?= <aleix.boneribo@bsc.es>
Date: Tue, 3 Mar 2026 18:43:40 +0100
Subject: [PATCH 1/9] Enable rotating gitea backups

Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
---
 m/tent/gitea.nix | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/m/tent/gitea.nix b/m/tent/gitea.nix
index 5c458306..53c3b850 100644
--- a/m/tent/gitea.nix
+++ b/m/tent/gitea.nix
@@ -26,6 +26,44 @@
         SENDMAIL_ARGS = "--";
       };
     };
+
+    dump = {
+      enable = false; # Do not enable NixOS module, use our custom systemd script below
+      backupDir = "/vault/gitea";
+    };
+  };
+
+  systemd.services.gitea-dump-rotating = let
+    cfg = config.services.gitea;
+    exe = lib.getExe cfg.package;
+  in {
+    description = "gitea dump rotation";
+    after = [ "gitea.service" ];
+    path = [ cfg.package ];
+
+    environment = {
+      USER = cfg.user;
+      HOME = cfg.stateDir;
+      GITEA_WORK_DIR = cfg.stateDir;
+      GITEA_CUSTOM = cfg.customDir;
+    };
+
+    serviceConfig = {
+      Type = "oneshot";
+      User = cfg.user;
+      WorkingDirectory = cfg.dump.backupDir;
+    };
+
+    script = ''
+      ${exe} dump --type ${cfg.dump.type} --file "gitea-dump-$(date +%a).${cfg.dump.type}"
+    '';
+  };
+
+  systemd.timers.gitea-dump-rotating = {
+    description = "Update timer for gitea-dump-rotating";
+    partOf = [ "gitea-dump-rotating.service" ];
+    wantedBy = [ "timers.target" ];
+    timerConfig.OnCalendar = config.services.gitea.dump.interval;
   };
 
   # Allow gitea user to send mail
-- 
2.51.2


From 56ab09901793a5ab74440c52a6563647abf255bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aleix=20Bon=C3=A9?= <aleix.boneribo@bsc.es>
Date: Thu, 5 Mar 2026 11:12:26 +0100
Subject: [PATCH 2/9] Override files in rotating gitea dump service

Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
---
 m/tent/gitea.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/m/tent/gitea.nix b/m/tent/gitea.nix
index 53c3b850..dfbe1229 100644
--- a/m/tent/gitea.nix
+++ b/m/tent/gitea.nix
@@ -55,7 +55,9 @@
     };
 
     script = ''
-      ${exe} dump --type ${cfg.dump.type} --file "gitea-dump-$(date +%a).${cfg.dump.type}"
+      name="gitea-dump-$(date +%a).${cfg.dump.type}"
+      ${exe} dump --type ${cfg.dump.type} --file - >"$name.tmp"
+      mv "$name.tmp" "$name"
     '';
   };
 
-- 
2.51.2


From 46b7efb5aca39a1f1555d9bc1b17388a49d24546 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
Date: Thu, 5 Mar 2026 15:46:30 +0100
Subject: [PATCH 3/9] Rename Gitea backup service and directory
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reviewed-by: Aleix BonÃ© <abonerib@bsc.es>
---
 m/tent/gitea.nix | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/m/tent/gitea.nix b/m/tent/gitea.nix
index dfbe1229..56333a84 100644
--- a/m/tent/gitea.nix
+++ b/m/tent/gitea.nix
@@ -29,15 +29,15 @@
 
     dump = {
       enable = false; # Do not enable NixOS module, use our custom systemd script below
-      backupDir = "/vault/gitea";
+      backupDir = "/vault/backup/gitea";
     };
   };
 
-  systemd.services.gitea-dump-rotating = let
+  systemd.services.gitea-backup = let
     cfg = config.services.gitea;
     exe = lib.getExe cfg.package;
   in {
-    description = "gitea dump rotation";
+    description = "Gitea daily backup";
     after = [ "gitea.service" ];
     path = [ cfg.package ];
 
@@ -61,9 +61,9 @@
     '';
   };
 
-  systemd.timers.gitea-dump-rotating = {
-    description = "Update timer for gitea-dump-rotating";
-    partOf = [ "gitea-dump-rotating.service" ];
+  systemd.timers.gitea-backup = {
+    description = "Update timer for gitea-backup";
+    partOf = [ "gitea-backup.service" ];
     wantedBy = [ "timers.target" ];
     timerConfig.OnCalendar = config.services.gitea.dump.interval;
   };
-- 
2.51.2


From d3e54b7c99f7e5b8ce2471c9035b1af197260433 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
Date: Thu, 5 Mar 2026 16:02:26 +0100
Subject: [PATCH 4/9] Rekey secrets adding tent for ceph
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reviewed-by: Aleix BonÃ© <abonerib@bsc.es>
---
 keys.nix                                      |   3 +-
 secrets/ceph-user.age                         |  52 ++++++++++--------
 secrets/gitea-runner-token.age                | Bin 699 -> 699 bytes
 secrets/gitlab-bsc-docker-token.age           | Bin 739 -> 739 bytes
 secrets/gitlab-runner-docker-token.age        |  24 ++++----
 secrets/gitlab-runner-shell-token.age         | Bin 736 -> 736 bytes
 secrets/ipmi.yml.age                          | Bin 1673 -> 1673 bytes
 secrets/jungle-robot-password.age             | Bin 807 -> 807 bytes
 secrets/munge-key.age                         | Bin 2336 -> 2556 bytes
 secrets/nix-serve.age                         | Bin 865 -> 865 bytes
 .../tent-gitlab-runner-bsc-docker-token.age   | Bin 738 -> 738 bytes
 .../tent-gitlab-runner-pm-docker-token.age    | Bin 733 -> 733 bytes
 secrets/tent-gitlab-runner-pm-shell-token.age | Bin 733 -> 733 bytes
 secrets/vpn-dac-client-key.age                | Bin 2356 -> 2356 bytes
 secrets/vpn-dac-login.age                     |  25 ++++-----
 secrets/wg-apex.age                           | Bin 697 -> 697 bytes
 secrets/wg-fox.age                            |  25 ++++-----
 secrets/wg-raccoon.age                        | Bin 697 -> 697 bytes
 18 files changed, 66 insertions(+), 63 deletions(-)

diff --git a/keys.nix b/keys.nix
index d491d6d5..b98b2f6d 100644
--- a/keys.nix
+++ b/keys.nix
@@ -22,8 +22,9 @@ rec {
     storage    = [ bay lake2 ];
     monitor    = [ hut ];
     login      = [ apex ];
+    services   = [ tent ];
 
-    system     = storage ++ monitor ++ login;
+    system     = storage ++ monitor ++ login ++ services;
     safe       = system ++ compute;
     all        = safe ++ playground;
   };
diff --git a/secrets/ceph-user.age b/secrets/ceph-user.age
index 48b912cd..7a293426 100644
--- a/secrets/ceph-user.age
+++ b/secrets/ceph-user.age
@@ -1,25 +1,29 @@
 age-encryption.org/v1
--> ssh-ed25519 AY8zKw /gmhFOFqOs8IobAImvQVKeM5Y6k0FpuR61/Cu5drVVI
-g9FXJg2oIoien0zJ70FWHwSTM8SBwbpS188S3Swj7EM
--> ssh-ed25519 sgAamA opPjlWPhSiI0Rd5l7kd204S5FXFLcQcQftyKb7MDmnU
-3XrRDVnglCP+vBwvfd1rP5gHttsGDHyXwbf10a8/kKY
--> ssh-ed25519 HY2yRg QKZbubM76C3tobPoyCFDRclA9Pzb2fC7s4WOoIgdORc
-K5kckU0KhQFTE6SikJXFJgM41Tco5+VqOsaG0qLrY1Q
--> ssh-ed25519 fw2Xhg +ohqts8dLFjvdHxrGHcOGxU0dm+V3N//giljHkobpDM
-jR/UzGrfS9lrJ/VeolKLxfzeJAf2fIB2pdIn/6ukqNk
--> ssh-ed25519 tcumPQ 3DPkDPIQQSVtXSLzIRETsIyXQ0k1o18Evn6vf+l/6R8
-bLXF62OmJjnOT1vvgq3+AcOKKSG5NonrK5EqCVc0Mwo
--> ssh-ed25519 JJ1LWg 2Wefc7eLolMU5InEmCNTq21Mf71mI0a2N1HgDrlHvy4
-qXFW9CQBnrzubZ0mzS0Io2WGRrwGBkmeYndBTcZn/fM
--> ssh-ed25519 cDBabA oiH36AoIt/fFFYgnoxtH7OoetP+2/wjtn8qo3RJDSHc
-qKmkxy1aZGP4ZwC0iH7n7hiJ0+rFQYvjQb5O1a1Z0r4
--> ssh-ed25519 cK5kHw bX3RtO5StMejUYWAaA37fjHA5nO7Xs1vWDQk3yOjs2o
-Egxmcf8FKAd+E5hMLmhV1yQsCo5rJyUazf1szOvpTAM
--> ssh-ed25519 CAWG4Q oKqqRDJH0w8lsoQBQk0w8PO+z5gFNmSaGBUSumvDp1I
-m1zWp9MfViAmtpbJhqOHraIokDaPKb0DvvO4vAGCTWI
--> ssh-ed25519 xA739A G26kPOz6sbFATs+KAr7gbDvji13eA1smFusQAOJXMwA
-Sppvz7A103kZoNxoGsd6eXeCvVh7mBE2MRwLFj9O1dY
--> ssh-ed25519 MSF3dg 55ekNcp+inbUd+GQ/VZ7BoBASaJ8YDqF74CVXy1PUxQ
-aTHLLAbzQPWWld/OT3BKebc6FcmsqMTaWCPBGm1UHic
---- mVkAMnI9XQhS3fMiFuuXP/yLR9wEG9+Rr8pA4Uc0avY
-çDU ôÜsÌÝÌÜjùüMî”$Î[†M„°Ú [_™K7síju±vDÊ4¸g‚ÚÜ„3øGnÔä£ É½ÌP§7~rZsˆ­
\ No newline at end of file
+-> ssh-ed25519 AY8zKw Crgof1PMHzv3jBw8VeJAst6FKSoyqPFdANFpf79CAgo
+7fagE5BmlWdTsdY/i3RbExu1KBcjW1LQXbYwu6chxlk
+-> ssh-ed25519 sgAamA tGRCaK8mjvz65YziXjRcjMOHIRoyGNJFzBEEbivXPDo
+YLzE5a3J81r+gzkfZIeh9gS+mXzMooC82tBbZ+C3C8o
+-> ssh-ed25519 HY2yRg +vhO1/vdGPM1JnZRsvVnViFWaFWUZ7MIqvWdePivkxA
+2K+JdN82DTeGh9QwZBTaghg8C5BCLoEsOgTCM64PU28
+-> ssh-ed25519 fw2Xhg NHDn0dq32I/AVdUZlpzBX6retlEYEUipde7A9R90qW4
+SJO78ooqEwfHlBRW+YCzgSQJb1JHNo8jz37t3qvLClE
+-> ssh-ed25519 G5LX5w d4HfLzI2623artkR2FIfRJgr5yb2BKZJUWqPnwOWDCk
+Kh50QESJZSjaJPyp3xroHGn0fD5pPNEYgKkDdqxGpjs
+-> ssh-ed25519 tcumPQ wQyOKtT15Qezs3cyv5/xxIPVD7Jyk6N6ZLkfxxBHLTo
+rKlRBjJdfDVT6U8211+ssFF8yY9yRs1u3GhCSvsw2oE
+-> ssh-ed25519 JJ1LWg 98tF1MdA244xNny4w3RnMFuubf4WcuQaZf2bN2Uq8Qc
+MA1Xh1H9vHisVYdqkxNeBkngtn8cYuT2eSimvooIXYo
+-> ssh-ed25519 cDBabA imJ0rXLQETELP7yo3sArhqA9nJwY+S6gkC7tA7CJsQA
+pKMHW/KDAoEj5ZD64VKekg6et9hlS2PKSgDw3eB3eu8
+-> ssh-ed25519 WY7yGw +2g5021/02HvLxLqq42ynr6qKgOKJ3J5GgB1a1bmFXg
+fYvj52R6bM6ngPOZ2lwVezTJnx+8LJBbdnaapKKbyd0
+-> ssh-ed25519 cK5kHw fLZ6yF3NggJ724rjYqhs5ZZh1xUExuK+ITAyqONluzk
+NS9OMX70XEHrbPQnmC4KB/eoiHChIb8DwDLYJiwOLUU
+-> ssh-ed25519 CAWG4Q tVduE/wMzdfS+DjNbU3Q4blNhL/A63IehNSZGJkJjD0
+jEBB5zG+gLA/88YF+KqWQsNH7lfCsWNvAkrgfbescFs
+-> ssh-ed25519 xA739A ZhFvev77I+YOl1YSHKn2ZcEvGoLjWOILufjd4q/k8HM
+YXEtHHtjPQlgZW60zHgHm7CLI6vYiRo+AM8QERL9tCg
+-> ssh-ed25519 MSF3dg 9DvLNheBU1vlfW2zNNxBrGnJ6k4P5ox7s+OGKlgRdyQ
+wseHfLGHz0huNi5sZsNOfeNkm6Kjjx0SZ8lK4/oXtUQ
+--- bnJE+14onuSla0XmckD4z/wChWGZh6exbkcbyhcmNYU
+¡ËtšNçŒˆÁòUâwâ–®i2¤å-ŽiV'(»IF‹ñ	S°˜xs/s´Ú	ˆÐNDm´Qœšˆoê¤èüwZvºÛ.\
\ No newline at end of file
diff --git a/secrets/gitea-runner-token.age b/secrets/gitea-runner-token.age
index a5c23d93ff6d0264f355f54cdae25609492497e7..b144b2561daa113ab13db0c1af62ff20123a65ec 100644
GIT binary patch
delta 609
zcmdnZx|?-^PQ96DX;r0{Ns5I_sar^tuc?c1V4_J$P<BLmo}r<8gt2dhud9h)zH^SV
zFIP%<nRk+ze?^9|iMD>3XIXBRmq(OgMzL#IxO;F)p=(u`QI)nup=+prF_*5LLUD11
zZfc5=si~o*LbA7Mwnw>wQBIPptB+e=qG?dNp|*=*m0NMLS4L2|Uulq&nUT4^S8h^8
zpu1^giCcOxSF&G*ab#e6sAq7fyIW*RMyPj5p>}bGwo`_WmtnA*TS|nROQc!2pMH4y
z#E;_Pd0`$tWdT)59{EAez9w!S`K}RZiKSr{S-uvb***n{`WC6i+F?olq2>8pNe20j
z9?k{YiRCFdS*A%*g`tHe9s!jVrsa{Q9)3RQ{$UkHe%Zz4CBC7P;~B-ni(Ore(o@pY
zk}N#5O<WCqN+VLuy+hoc-F)1Q`~vjDqqNNfy`ubFaswl|BFrnyEQ;KX0^KY_4BP{~
zO>;sbyvv<Ev(x=Ok~~WaB0b%5O5IbuoI*k;pJf!UFLH}W^w7?TNHfjy&q#9(@+~Wj
z3U&%fNzBtX$#wQNG%U$C@prBAu5`=hs>m@nanpB7O{+-DcFi=?wnz-m&-W=bcFxT8
z2q}m%k1TP^C^Gdg@yW^N($&>f2u&>vswg%rtOzRgNpsEciwFq|@zi&B^74(WH1y05
zi7-ry@GhyW^sB7&<x-pcaMIC3?Ix9GJE!byJ-J8c+tS*=q({u*Vy|nsxg)OzXdaad
wQA+elaBS^qY&kw}cUWBNiph*qKQGTOyXGjoS-o_IQHmC?RH`{caEnnA00<w>ivR!s

delta 609
zcmdnZx|?-^PJOz!dqr`UM_NH<kV~LhNNHJeg?T}icY0A+sC#*8eo1LTj!$H{vwK-)
zHkV6qm1UNGaY<OElVMIoL0EuxcDlBQc92VYa9T-_tGk<<PhgaDj<a#LCzr0BLUD11
zZfc5=si~o*LbA7Mwnw>wp}9+ecWQQ;Us$C{n7N5jpj&W?nPHJpxmjjnd5OPQkhyb-
zacEkOOGIWqS4MGRh--jzWR{0_Szd~7ctDPcdx5)=v2#_HdwN(=uy(SKXJxKuu$M>Z
z#E;_P`Q8SGDJBI;PKB;fVa1iX!I|EfSpj8U`R0Zu6~(^6LB2^<*~P_P-kIfG8N~)A
zVQ$%lC7vD;>6Td~&PJIo>CPpoX>Q5kW$s?t5l-43UZKf_5rM^%;~B-ny(|2+9TUsb
ze0*JlJj$y|j3e`+g31Hja-7rLT|;sc&C~KNe6^!WiX9`lQiJmhwDpTJd;%-{yh}_g
zyi1e3ld~=SDoXQ=f-{U$y$YQ|^)t%TtD<}-pJf!U_peNha`JI9%J#QN3pF&h%!x=!
zayBtANe?mitnv)c)^_sEh^$IXa&k%M(of3_a7%OYN>0*FH8Idmi%KeYE;rB1bTi7x
z(Dteb4aoEk&MXfN_76|z($&>fs7#KkbdS*X$<+2K_Af0@b+hyj3&^oZ%=b+UN-xk4
zN^whya48BXuF4KA=GwaN-IGY)3x}*+75v|vFls0gW49GO$)aX*nq`A?;JL*Q8#A0=
weR!Xov@9;Ta{fw5RTj?O_bPPDSe+Bnr-=TW_U^w_cwGP0@-TN+?wxa*0bp{~i~s-t

diff --git a/secrets/gitlab-bsc-docker-token.age b/secrets/gitlab-bsc-docker-token.age
index 2b77fcf03d55cbefb941db0c5aa74b2363f59f58..45624d7308127fae3d57cf5a82f66d96110f843c 100644
GIT binary patch
delta 650
zcmaFN`j~ZsPJM*0o0)02uZxqRQBinan3JQAL1spUQKn^HW^PHDg{7-+nVGL=p0h_-
zC|9PLUwLXsR+fQDRi%GuWN4|jQL33ig{Nm$n6G1yk3nH+ae0Axh_{zZK9{bYLUD11
zZfc5=si~o*LbA7Mwnw=_hNEAueo<aoP?~c}RiszBn_FqAQ?_qNRbW+Bak#mWTcwGw
zmye5YNMV)%SGuKXzGb0hl4Yi6m2Y8`erA4Pdbn4Sxp85kXI@fBy0?k1epXg!QAtGL
z#E;_PrXi+DX)f9B#_nN;m7dONzL8}?`bjzA#je_Eeon=aX*oG=Zf5xzE(Xb5?tu{o
zsbRjx#isf0&Pm0oB__@R-hSy-Zu!ZD#_kzD1ujPE!7fg&$-#k>;~B-nL&I{-lhWLa
zGMp<iQ!=A0P5nH)g93tl0!)*mattF2Bl1#HwZl!_!km4%3W6N<BTGw)B7#C)&616R
ze2RixN_;(1E5mXta?&e`^qt*}{0+>?i+n;SpJf!U56w<@HStbP$usi`HuCYSD6a~L
zD0K5FDRl`*bJLD+H!icZOpMHNajMGaDhmv)^wBOU2ywA6a4GO8$kR`$C@t_04@>t?
z&+{z^@sCJxuFMawa`v#`($&>fD9&?9%+C)fPj^fXGSROr$@9(j$xSg$EDa1ui8ApE
z%<}QCPfIj1ck&MN<x)DtD8yu!duG0KpO(vw#X|oL%}h`G&D?&Gr&p}ML!y|2yFlje
zZBg-Mk6SYq*9IJTwPI28_u%#fmoKFeZdYV~)>}_+OO^62F8>qj;8n2SahkomkKgxM
nMwVJes~0=|f2Wz6|N8Yyp#}R{@6XV_QevvuwM*dmNk%mQ2TA6D

delta 650
zcmaFN`j~ZsPJLxbfnij3u$OyIaiL>gxVcwVm4R7!YErp@x1Vd7TewS+qiINGnSW5a
zCs$TtzHxqKXjV`}X;NxHNU(unRe5r#fse6QxMfgUWOiV>Q9zbiS+Z|QF_*5LLUD11
zZfc5=si~o*LbA7Mwnw=_fR}HIWnyr0iMwN=vr&eJky}`BR-!?0u5U_eWv+LjbD~pr
zMRH(enon3Hmy2nspHsGRS!GUsXkoT{xQAO(fJKsld2)(LKw3#+o?A$9v5!SwXlZ`>
z#E;_P!G?|%#@eM-sTSq_UP)$Er6v`YhUPw|MHUs#QO0H2WqGa@$?kckt|8f62I-C#
zj>!g<&Y>ahi7q}BC6;ALjwvZ&VZQ!OAs!_@=3XUH=9ww(MuDM|;~B-n_0w|P%frnI
zi%fm0%+h_0vx=hv9FvOD^^1**!u>4Ll2X0OlYC9IE5Z!8s$4UDDxK5ZER%97gZ$mX
zorA(6e1k0wjV(Oge9Sz<yqqh%LyU?OouhmwpJf!UFETNYNC^seHE{_mbT={22=p`c
zD-4S?b1$tj39~e`bPaP1E%9=SbT-W93fE69&Z_c@%=I)kNw&~0*3ZdK4vWmzcXZb-
zDGJZ@45;$(N-qj3H%yD<($&>fh{{V$_b>BwHZaL3E)5JbPxbOCEH*DO&q{PmG|%wW
zPqs9y4=xFFE3rti;JW<pi~~b0|EUb0J;K+t9k!&W^;A}rwI2PdAb#a$^Lwk;Of_5Y
zJySR_{ZbnHulLG)2P39cPmSF&b6(U$Z8kyPxhwgV)c>7)UGH+iaecek3xU3dP0{VE
pYc@xoFlxJ~eL()6cj(jIhaa-6bcpfW&9u>KvA}<(3sV^X0{|YZ>AC;_

diff --git a/secrets/gitlab-runner-docker-token.age b/secrets/gitlab-runner-docker-token.age
index e7f58c7f..a81096bc 100644
--- a/secrets/gitlab-runner-docker-token.age
+++ b/secrets/gitlab-runner-docker-token.age
@@ -1,13 +1,13 @@
 age-encryption.org/v1
--> ssh-ed25519 HY2yRg U2KQWviZIVNemm9e8h7H+eOzoYNxXgLLS3hsZLMAuGk
-6n5dH1McNzk3rscP4v2pqZYDWtUFMd15rZsEd/mqIFM
--> ssh-ed25519 cK5kHw Ebrj/cpz1cFWAYAV9OxgyyH85OEMUnfUIV66p7jaoFY
-6J7hWqODtS/fIF4BpxhxbrxZq5vbolvbLqRKqazT02M
--> ssh-ed25519 CAWG4Q mXqoQH9ycHF7u0y8mazCgynHxNLxTnrmQHke+2a5QCc
-mq6PdSF+KOqthuXwzTCsOQsi5KG0z1wHUck+bSTyOBY
--> ssh-ed25519 xA739A TADeswueqDEroZWLjMw3RDNwVQ2xRD+JUMVZENovn0M
-KFlnSjVFbjc+ZsbY8Ed7edC5B01TJGzd/dSryiLArPc
--> ssh-ed25519 MSF3dg Pq+ZD8AqJGDHDbd4PO1ngNFST8+6C2ghZkO/knKzzEc
-wyiL/u38hdQMokmfTsBrY7CtYwc+31FG4EDaqVEn31U
---- 1z4cOipayh0zYkvasEVEvGreajegE/dqBV7b6E7aFh0
-³‚ƒ¾R–@×/i–I'ÒùNxšr"œ`¶O­³Üy£8ÅÜ \/öÔIÂñD¢`Ùß“Šüëž¦uy¨¢Þ:9Lt¤û”³Ø‹€æú±îû·AUüñ€èÏìú`ë;­q8žGLU#îiãyù•i¼Úœ
\ No newline at end of file
+-> ssh-ed25519 HY2yRg eHM55QsHK1ca9b5nP3EoVUZYu0w2d4B5tkilNK0j/lw
+6Na6lkMe0fOd7+vNP1fLIaVEQDUw5m65Wh8jUH1I6C0
+-> ssh-ed25519 cK5kHw 0ekhoBYwF7OSWwn4P5f/J4gXb9UHJAWGKV0yI7HCzzE
+2Q+Tt5jXAB9ip9jf1z+jeM4FSiqd1w5DNtbqtacuOcM
+-> ssh-ed25519 CAWG4Q Jmw4v9efOFXHjjNky96q/d6vGBP5dNM4wK9zoGrwOh8
+u5I17wcIq8/2ARWckDXsYckhfX0jWE4AEm5mip/KHws
+-> ssh-ed25519 xA739A 10pPeC2YG9DJzaQlt7p+fGo27VDiL2dN6JmvY2npcUw
+4aRV8DekYeL9HagGWgOSjlYnPKmYdKZH8Aw4lRdm+r8
+-> ssh-ed25519 MSF3dg hDwIE3Su6cN3sq2E5v/oy6vTNfxTT1ZPts85//gIhwY
+aoiaGjQYJB1ededhIuVBCKDRLIOVThWz1pSTvg65J3Y
+--- OYPAGb5U/nwLOIV5VchSvxhChjNnwzbEgU9glSkWCl4
+˜=æ·ÊcŽWÈŸJSaÐ†&é’á‰§)Eµ€ C­´J~u¢cÅþ2ù˜v…ÔäÞàs“ñ½vf¸ÞêX7(Ü~äá=XCi;º×´¬\ß¢¾“­Ü£öô¬¼É³CeùD;;X*”3ði¼»r·Em±Ý<
\ No newline at end of file
diff --git a/secrets/gitlab-runner-shell-token.age b/secrets/gitlab-runner-shell-token.age
index 0290f9a75e16f83b17a15c13d4627b08dc84fbee..e01dfbd994336790226503e358b55c34076c7e9a 100644
GIT binary patch
delta 646
zcmaFB`hazUPJMA%X0AtyvtPbfq;G($siS2<YHGTFscX4&p=nZtK~<rCpg~1ho{v#w
zF_*JtWp+-OcX+sCj)_xAeyWdlQe{b2xKV|9ex6x~qj!`+afoA8n6|N3K9{bYLUD11
zZfc5=si~o*LbA7Mwnw>wxo2{!n|@fbk+FrgMOLMGx|?&pc|lc~nWedtV|cEwU!{wa
zepy+$ad~AqS45e6Rbq&{nP)(hvsYfZXR@1Td8%1Pv43eqU|DLhW4LLSS5=XZab%9?
z#E;_Ph2^E*W{!nME?J3L=1#8J#*s;>ex6nS<{`<Bd6AYD`MK_CSs|HeUKJ)>IaSGy
zWhw5ag^~Kf!3KF*`W9L4DQ;m#`I#wZ=6U``rKUyciB5TCX}*z@;~B-n!`wWA3?mW^
z@=PPs-Ce5Ea*RVW^2*Kqjm=9kD<VV7EA-2P^D}((Q!6~V5;M{rEz>LWt5O|ZJS?>{
zi!x0eL%jkcs!}on979qAEi&_r^j*9|OS6k7pJf!U_csrAs&I5pFDWvxC~<So@XjuZ
z$PNh)PE0bhNUBUPNzV$@b_`Cph%8U$aw>}msdRO6^RuW*G<G+L4D`+m3$*Yyb~Gu9
zNGj6zPIYm%bnyxd%5_WT($&>fa7#_ibvI6Tw=B&GHY@hkE--K@^-oL9E6DM643D&k
zGB3-jHFojw2rWvD<hnXDCuNJt{XoY#^(97o=ROuq>X6`I$k{rnb-t5}iRy}wprE&U
zyC;a{RL!4yNj*(%vfYZ4e;$OrTaaTIAto_>>WlC_X_|~mM!(O7XD(~lIq90z=9Fm%
kLM|_SmFAXTHe==~9`}349;^Jx33hw9+d9P|;C1LM04osZ)c^nh

delta 646
zcmaFB`hazUPQ72GyMJ(MRGvkiyH{voL3qBuqoZYnzeRv~YI1g{lXrx3u|;`6v37Y*
zC|ABuPI_XLSC~(jrDv{ThC!K!t9L+{V?l9-iCJQqMShuYx?jGVi+4_{374*&LUD11
zZfc5=si~o*LbA7Mwnw=_lCx!KPGCf8fT>Tpr<<F<rCYv7M1FE%ewI&3a6q`Les*|L
zhI3M8u%~-ES9ySYLAiH<b8?u0WmZ{5SZ;ZinNvt^R<5>lRGEoUaZ0*#VQ`v@nUP84
z#E;_P;n`m4S*a<`PI)GoCQ15XZl$4?;e|$qVc8xPnWg2$If>c^0i~J2nJy+=`gwV2
zl}0Wh6@l5=Y0iaJo{8Ey73qa}X1<>3ZaIFY=}{h$k&Xqa0cFLL;~B-nEz^_p%(Bdr
z&5N9aObr}UOEOEHvmNt%i-TQ#O9D&s_4V}&b3(Em!!wGxaw3ZS^R$ywGolKDvOR;U
zg1rn=%}l(DoeRU$j7z)|O&pz)BAp6L%L;ubpJf!UcdIILtt=_6a`G<H_9!oKHcYBW
zEi*3EHcJkU%J=nk_Db<eD|PhC@hH#dDh#VEF^Mdwa!)Jsi!k#nERQHQ%MWriO$<)Y
zOmTCoaCI~?a<PaA@Nx>}($&>faPtWBbhju;_VaQoN!2zE3oQ;Zb}RNTwx}p9a!gIi
zck`*J^$*jpC=0GK;F61XdhNR<tJ|Y)-(}voyKxn()wx<CWM}Z4y;@_Ka?vWGsGaBY
zrvDL79Ushhx*hfG6{E~oiKXX`*1V1rJL>wY`r6U+Lh`W(Cx*_FyDawZ{J!sV_f2=b
lF#YwxCJW=oVSC%(OUuo4nb5y#=aabKORWX1xDH(s0{}R_?fd`$

diff --git a/secrets/ipmi.yml.age b/secrets/ipmi.yml.age
index c02079fa53ac50b43dbb7ea03465f3e8f472ef53..e1ae8574a401ccc2bb9a5abbcee0036f1180dc68 100644
GIT binary patch
delta 1591
zcmeC=?c|-HQ*Rn&Y3%Ca?c<bInvv(46i}M!l$BEuSnA@DlO0%@Ynfi)U1%8Y7@!~I
z%N3pxl<8TO7g1Ce7UB|~kzyQbS!G&a>=J3|RU8pkm2O}W6qW3uU6^T*&ZTRoP+Xj$
zo0?)|YHDby;BM*@VOp->nV1}yT9D)#krwQpXP%ko?UtUR@1K%vq@5IK>K0~^osm`O
zSZQXIQdt$sm0{@|Rb*+FWg3?2=T+*Jsvl&QXOLWGlw0iQ7UB^Wk>?kY=<1(co||Ga
z@uPUSM^uTIX>M3>L{@}pVu`PFkY#bUWujX|zH6DbQAmYrWnhGRPH1VlU$!S#cwup_
zVP?9CpHY5EQKW&pueYm3a$=~VnNP5hr@wP?qIQ^jxOtdizH{j0ct-K?F!K`gbnWCY
z6O-hKyi||uN<VM^&<YEma_55L3}Z8+$Z(5v_Z<IH_nbhk+;kWJPzx6~ldNO|kK`zK
zSL58&P_NvuD9_NaEb}5ab2pPrcW3P)6R+&aXBoxo%Q6j%GRi|zgUd2ZjEf7xatpN!
zi~`NPoJzeby^IYD4T8;53{nk>a~vJHio+su-7LJEGE7p#O_DQm%PZ4TU9<At49c=x
zN(#I}@&f(KvmLWaO;ZBVW574q%{V1p!N{W2Brz~0$}h{($I(^aIKAGhGRZq6FuB+$
zvAin7FV(EDuprdkFUT*$m&-USIXTy&*euLA%2hu(DkaCcG(tN(tjgT9%FxHfJj*$#
zq9`iU%{e32mrGYyS0S~u!Z*t}IJ?v_C@Mv}B&aye&CRJI&oZ<!Ajj7+BRSN=xgy2X
zEZo=Bf=f<^w@T*o)&KQp`B&b)q%84J_UQASM|+ksM+Md&_$R(Xa9USFab%Q%KtiPQ
zhu`j-m(M*tNkGM-%U4=z>D7=82USEY7=&{(XSJ<o4GjKvsziIs@#zfDx-+%?dRACx
ziC-0EZ}qwz5xr`on}Q?1WkzqGx`OWB=YNv+94=e6?cuMV-?;KD-<mGvt<PBeIZa1S
z#kuo-k?rQBp2aEeUd;U%S61@Q@T%9o*%HroZ@T#WaB2(ZWSOR;k^hYDTu%%uaplQe
zCj0BemVdlr7C9Evccm~KDC_U-yqOktv`YE$YKb>|(U#8Z%A|AK?o5^u|JbQs(>LL9
zf7OcmldC5G$nBnIwq+Odp_#6m)33GFb1Y(ABCyEC@1Dk!%C0Cqo+k_U?m72U>gkFz
z2C1wIcTYI6H>NWC&q4jwoq8{?tUWj7@(qR{@md|@NI}mdu}?cU6nxn+RXg7#?bi!2
z*W|=As*F!Q6%=ZOrtfe$6m9v2FR521;(TxJ;iWgFrkbSP3dtAXy(nt6*E4D2)TIHZ
zpGenRWu3@*yYIvN_pAH91vZO%&ff2BmwQP;`PR;>5@l%@H?`_;y_V_U5!3v;NNBNV
z%|1o-LpluNTu1Kp76dP3Yvpy}Si{WbbgzxMI!-2X$#Ihfo2T?l5Lm8vZ~e?&{|@Z;
z|5|5tewvx`gk#+fT71IWWWIi8nYCb&yzJE~J~y*Tzv}nieYB`WQ(d-JzBwfLdf3mO
z6EDospB$$!FL#|^b}8HQh_5q6mnNsC&8zpw+N|%%=XT=63Dx<VcICKSb6cM`D_~!C
z;G~G7vu<Zgdo}+R+-CbFAg=Qg=i#E%OH8KsTNWLT$goVx{%ZO%+}r!6<NQuh=Di2=
zj61qyG_xmWd{bOp&$RQkgvYN39QQph-qB0C_3(G&rK#t=%Qvk(_PwcoTdnuKUmI5K
zk2%AreoAoGVy0lW)XtEjXQ~QLb8B(r)!pY!@-9?bCp61{_mL0V4yny_`O;agW1+$B
zU7z;Qdxb;jgbT+H8=VXlGdXeeq@ox%SM<*lE26(I+8M?g*Csq;zrv*Y#?8WWMSg!Z
zFXvNJdvd*au^n&tnfitczwOsM@RdzrKP%F8<psacX9eAl*|H}x81inaIhcrC$SJlu
z<M(}kLE`5RsoNWx#QuMHF#X!@nk7w_?6pNA_jH{;%dB1?*>J(~X~}%?4{z(c*`+sK
z&ED^3%~HXT;eBn^?5kIky>^w0W$0-=&EEFz-74-ImaF2gpK|SgJ^O)aTauYJ`@81e
XGY_2S9gr0iGxWTe{i*niT%aNV!YZJe

delta 1591
zcmeC=?c|-HQy*HIl3Zls=o}avoShPG>=EqclN_8~nOPW|6B!s_oEqd&<mQ^{m0OXK
z&6S*K8RndxWMEn0u3c*8>ycZQ;o)lH?C$CtW>l1&U7QzckscbEot@_q%B5?kP+Xj$
zo0?)|YHDby;BM*@VOp+`kyjX=<6d0mVw7Rz<{ey^>*iXR>zn9rl$j9}=<4qi;%#IS
zS>WpKUJ+!$<(3>85@{Z2Q59_FoLCfQknW%6sc-3BmTOv;Sx{z?ZD8W;pA%5(nG;w%
z@uPTnPJ~%`qPbgzYmiH2O0YqOZ-84#rfZ;fMZSNbmy=OmnrE?VqIp4tcBTcFWujlc
zzps&dMM$23g==oIwtiw>fQxTcVQNuYxur|Kf3RPoTYj#7xMlj}ct-K?fG~4y$KVQc
z{{mlq@5FHJaO1SnqJqdGle~)Xz{;@l4D(dODvz)vrw9wKz;NdrBcFf_cm3p&0B=_(
zXAcwY6pOOrjABQlqLTc=?BGn}aF1X=?_`6?XBoxojU!DWebY=zO9Mjk{FAbZGo#$X
zoSh=VTs_K*atwk^Ld|{LL)?=p3c>=pveTUdQhbbxa<%<j0t}N}gL6Fcj8lut%|qP6
z!i%#jbKL!Nvdi*)vT}XVW574q%{V1p!80T^$;+U;BC4{$AlKd5vZ%hW*t8(UG|(V4
zureyM+&Is`x3bDDGCZ>~pDWqTH!DRuvoh4rt<p5hz+FGYEX`5dEx^(x-`vx}%*{N}
zDbY2vA~K*dpG#L)S0Tm3-8{;?GQgn1S=*p6s5sfbFg468C9$d~Q$NbjGQugz$D+i|
z*w@3=m+Ry@w?p2|+fLRqZrt|&$0NNf$*F%EoUZ>qBYbf7g+nSSMz1UuzcH~{lJ2K=
zhRapxSlEqgJTXQ=zYp^6Ys{~S-SF{J?4)AZ78#?AJ@>X;KRrv3>)yq+3zsqcVGKK&
zzG?2-45zMpC$0)+%2ll?W-Ywk@$4g0`7-Nmt3+=c<bEB@_pGAx$^(zN!Or!HC5B6`
zJacN9YVtEvT6C`B$CoWjoR1u}*<kST8pr=>>U(4JQr%yE%gjjY(vz*-?RfCfWqxJz
zOA&oGTbVD3l;-|rRAl1$mRoXN&Brh4y3A_}=6D{PQ%h!?J$PV$z?mK&&t!q8$M^1!
zce`c2Ls4>G-1&vI%hTOOR;6|q>GEwbt#4tBOA0=6>a)1&lKV@)Rm~7Jo|tz|FiYbT
zZ;qjyDx<r%!osJkmmT@P__w3s&d1VH9~gY)iY`Y?f64SJL(|SMOmOR#g0TIvA>Tqy
zeok6xA;80~a5CKEclY0~%dS3Dj$iDWXu>ng^!U0@<sSQ0#d!XzX(^@6-OMf~_R`C2
zsa0qFG85KaAxT;a%Z$t?1fFcTsPB1yKHuyA3X|O>xx(&6Y>?RKCOBgQ@86{_rmx?$
zm*HTF=xUSBGa+(MT)JgH9f-OXd)#f|>(?oDl0OcGi7h`Jz^7#qs993;N@!)mJnrJ{
zcPy4?3I_jID7<AT-F>G!JNZEVq_PqR2P@|TckjK^*i?Vqi?4_6<M*knWSNUDwfvdG
zc;NYmHI|ZHneMe6OuqN{_dQ({5;6bCX=z6GwbONkWTdA())L}P;q$Fq_$Jodf;G~u
zSE`{y{`Rd;Pp9f<Mkbvx^7+_uTH3v0=Q;kcDc0{DUQU?)`7Sq`gZJyZO$@IVw@QCE
z5IneOkss%M`+{2$^*dR<Y(M4c8|BD3PsHqXPuA|<mDBI<$j@LZpRmA#{p@<L*}bij
z61>-vw_onAo&Lr*;`0yPKbG40e(}4jJ{*bKX>fD$&dAT_rWdjIlx9z#Vj?NC^x~Rr
zubxeDUS_NA>^c2}_)49f8}fhL*1Y<FIbYf4Uz6wQ$IY%E_8p&}#Jt_Cev?I-xXz-T
z)2+7ltT?{o>)}Y*E#VIY<%??@jd>Sn#mnFKEjep*YI%h0rYtSHMH7s3`k1o)ziNLs
zkNCl_ZF2j{ht9jE*POE+&bIq`{?NCSQ-4#P%BxSgn>_9dPh?9h725B?DV^*4-Py{!
zZO+FNihuqu)}8!vx5dm^Q3Z^;ez*1FW8+;ypB&5gckex>+3>x>UFw7I6umsTj$_*&
X)^)^52B_xxsBMqkVrcH4>1O}{)4iJ}

diff --git a/secrets/jungle-robot-password.age b/secrets/jungle-robot-password.age
index 1a296c6c308f18ff850a3cde058bdcc87df9a94f..c774f2592fc76dceb41b51a25442ae488731b612 100644
GIT binary patch
delta 717
zcmZ3^ww!H(PQ9l~VM&IYp?0W6uw|ONuc5oInT2s;U|?0LNl;2qno~fEqho<*h^3Q(
zFITd8mP>k>k#~e=L`GhCW^TGyim`ThR)~L+V`ZYNsaZrtibtNAcTuE8B$uw8LUD11
zZfc5=si~o*g1f0tglV~gVNgc7Usi~7kz;UhWJG{Lq+4col2eY8d5*TBXPRG5igAf&
zUaog|N@PYPS5A7EzPq_$R6voBQ({C(v5$9NN|APUg{4zLYQAZ?Poz&pV2+u7VPvw!
z#E;_PrKM)t*+v<W7C{wZj{c!phW?2~P6p)xsm5Lrp{0)AX$B=Zsb=n}&LN&$X?eMo
z`Tj;lDS3v4-dTxRPF0>B5fy$GK>>~_#=${uey%~K27ay<9zGV6;~B-noC`v|Lvt(&
zqS9T=^8L~Z0!<S=ay>jOGm4$OJj)~e4AXsF3zO2yoDCeg(!ES`{M?c%4KfRT(hH1&
zjZD*BGxFTb!z<mA{rt@XO-c+5GE=j1!iy%KVU(!%v@~=J$j(d53(F}<N~{WUv<PrX
zPK(eEkIXO02{v%`Gc&Xd56#a{GS27Hj!H>&b#}_}ukg)tjEr<~i^wW3EDMaZ4E8Dy
zN)F8r2rW<5&Pgu}Nw+|c0N-FY<CJs-H;XXG65pUQCsY4QZLbnvr+WAFqSDN~Y?pLP
z7k}TJ<Qy+o%gTrh6BEO7u23`2Ja3CK-yl!@H0Q*Cbn_^`lpxo@prkAdiwF~AlN@)i
zT=V2e=kUyQE?r$+1yB7_13!1mFz;}$@F-ueJWm%#?W~HzjHu8ur+n|g<RFtM-|(bR
zx0Jwau1|&kS2<dxN4wTP{S+Y^D_^M_^gHuno$-RGb8osIDJZ`VeKpx?;;}lVg-mY0
oQs3O?V^}ICGwW7^!qWEb#djyxEcE%)@$}QGg#8uY%x{?k0E*`Jp#T5?

delta 717
zcmZ3^ww!H(PJM)hzEM<Vuv<!IaH3~gp+`Yzd3s2RNrYi|kcEG+Wmag2MV?owS-y5)
zGFL=NmWRG;U~sUXXQ)|annj3rmZ_V2o?pIpmcCc0sjG!$cw$;Xg+WkQK9{bYLUD11
zZfc5=si~o*g1f0tglV~gnQ4?usz<S5O1@!`QE8-kv0G85W3sWfp-Ew`XL(>!X>mx9
zw~L`?d8U&iS4D)MeqKqEd0JFNg+*ntm%f?5TTrU2qgk$(XJvM<t5;N_c1ez7p0RJ>
z#E;_Pc_E&uMWxySmj2$^F79Rqeo4NW$;nQk>0aK(j)f6kS>{372FCe;6$a&8i7v%y
z!O0PxDgL>Ic?G`Oe(sg!u8{>{ndx5XIp&^`zNPu@Ilg9Q0XdG7;~B-nN+WVBOI(t)
zBNO$ror(j!-BP`>3{rFb(n5`#or5aPQc5ceeY6eBy+iZ4(xQAy%^bb;L#jOU@||<_
zeGR=UEXvCREknH`bJBtek~~5!Q_3wZ^phu_VU(yZi3%|cat%(`F0XPis0=aBF0FJ5
z@h&pZH%ti&EGjT}%}(@mcMJB(33ufRs&q_o5BAQ_a5nOBNl!NMv4}J(i*Pb4PA&7u
zb51f0bk8uh^hovaaP>rw0N-FY<CJuT0N>Qo{1ErdT;Kc*^YkPm=lZG;|1!hkumFp+
zs*+0cV6#B?G$((*Nd3TKF3%+2@KO^~$AXe1ORsc~P~YU#$kKw$aQFPkf~-W>%wlH)
zeXpd@lHd|gE?r$+1+R=E&r*Hk#LUFPLj58`#}NO}s1oxikEBrVk{}<WvI6g@G<WAD
zlYB2vuKzQiyxn#0HG^x9&%<RW{yt_^WYhNS+Z?xH+V|DFR+{ftJ<azfkaPcR=A4(w
ojx$eP<4o_<VVuqL|B-WTprd1Lh>>XN^F>z}``OcuxNKhm04q23hyVZp

diff --git a/secrets/munge-key.age b/secrets/munge-key.age
index a92ac0dfd05a29873bc5942b3c30fdac9cc73160..b20d0788924b91d714b19321a31b587ac2c1da15 100644
GIT binary patch
literal 2556
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT4jI^loE?3A5c6T)}
z_6sh}G0^wWj|z6P2+m1O4zI`vwv6%!c1lk%Ny`iL%`A>ENao7*&kjz`H}W=jcF*yQ
zC`xlm_p&r`$#h9c%kjx8a||m9t8&Tks`9VUc0{+WINdQZ*HNJ)IX^WxsnjtlD%n3c
zB%?6O)iFHJ(!#7L!Z<U{BHPToGOHk^)HK*5#DL4($-Jc0J0&>T+d0x8%{3}A%)d0m
zCtN=`KRhtfts*U;%sbCH&^IW^zZ~5*k4U4+pmc?bw8&r=ClgP@2p8?ja?1eoa6|J@
z(*obzK<DtJ496m`g3v0T!hrDfymT&?fE<eyli+M06OY6Yr;M^9_foTz$l`E!XFt;-
z^MYXQbhmVipk&jsbOUtT(#nk@GSU@14Wi8TOCyt0%c3kYGmN|(Exp~+a;hwh{Hjtd
zvivKv$~-+B&GYkfa~-+DvXTrPeJU+1jH<HD3@cJ23(Jy9bM(C|v|TDqvwV`Of>XRo
zJ&T-zER)e~b2s&gFfCVzNDB+|3lGW5iAqn5h>8fw^)?JmG)*$H&~~XZ^KwrtC^pH<
z3G%imuQK5(HSrEB%@1^R$xh5l$*R&1EKBpt4-9cMbaF1vNH?wsDJn0j@+{8}48pLj
zB)K#<AW$LSr6j~SPdmxP$lTq+FF!lTr!ufI*Tga;z&%jk(abM7EXXvyyf7#^Bbh7T
zC@(44JUJsIHQb=W(#W99*D1ra)Yrw>(%aR{ARs5IBFj9|$V}g&(gNLYUS5Vi;pqw%
zX5~eu6|O!;CN9a&p6;G`k%1xJmd4pdQ9<D)Id0}|9!YsQexcgl#>HHbd7e)G=4D=H
znV#PH1;vHsX2GFG8A-XJg&t+*F8XfzRe`B)Df%Y<<rwjn?BbM|<fxDz84zia9_D75
zkz!boZSIk6nwgcUA5|P`6s&KUVr)|E5@i%&>X;T~T+WqO<!RttSX^cl=4xINY+96N
z=$I3p85rc6R2bzInc@{>5)fo*9uZh>jN!NNNb^efa)qcgpR9o7G)n_*bK^`O_nf5g
z3S%deK%We6uk>731O0T1pmL`I6N9RdNUkCu@5J<ck0f)0RL_j0ATL8l57)GUNZ&F?
zmtaFnZJ)gGh~#i>M@OR~U-Xbn_BPG-C|B??$Z#&r@zl>NcJc`_PV;w6Elo_!OG?X2
zbS%>M$|(vf^7ARSa4QL_DCY9=El&y!$~HGJ%(FBz^iIkytV;FtjtYv*a1IFytSkr$
z&Cc-%N_C9#!w5-d$8dL(Km~pM(&8XT6Me_RC@+H`i!>AS^xU!(_mIGxbVIj_)clm3
ziqI%W*W}8GWUeGLw}7&U0{;q=5^WF1^2l(5OnpaV?{JgQwA7r)P_xu*120d@(EN-P
zjNDz}Xl`ujs1T`NRpg{!=$M;PSy=2D8DQe%mKK<v?&B038kysqX=<+Tnq5%n7H)2o
z&z0iumYbH7SQ%9oTxw?KZds74ogC&}=9-!0?(gK~X&LTbWNZ-OY8>W~jUJM|!EVMW
z=?bnsA;u9=e%Zz8748Q4Vdf!KhK?3a#o3ldRi>e-0m(TLWg-5-iJ?Z0fm|l(=|+KN
zndKQ7X=z2N&i-kBW<KHi0ZGMP?ookhQGR&=6%mF7K7P4j<y^YDx(Y=><tDzxfo@Sj
zVZJT~iC)gGCXU8l<%!{D+F{vVkvT~wF77!I-eE;$23*Xl%xSiMj!9c9)DwJimOsBg
znOWO1;!WwRS4U1rG3u5^%=)L`b@uf%b!MIOXWLWfS3PAtYk9OFRd@RQ3u34E<Bv;D
z)qlVJcGZ@>eUB%&ZT`LK`qK50`(7oaIy?1omu_w;SA9J}eY)6Uk9Tub?`%med?=?8
z<RGza8pF)@T2`-BUaVgEP-}mbTJC%Kq;*{nEX)cHF7132c~NBM|Kg+nUsml^yD{q-
zqtR{iu4!UnS8h)|>@w~5>72sq^;@ogV%{PqbhF6x(+Y-TmJF))iZO4tOc&c$RyRAQ
zfup=)E<=vfrp5F6J9A9iH{|<$nWD2$=9A%r295X^VPCJEx}VV}edWb1f&A5<o8lz=
zI_pH6Vo$%Da@Vohc>3XUX?FM7kFCD_RfsS9$5p?lZKr=Wds$DKQN8zl^sZfw?{eS8
z#{X71QuyV7iK*g*l?USADzhGR+wLp3@XFi|&zg5z=eEW_u6)aTV0nSO2|I_3^TOI5
z#+IP(k_K6SPn}+P;`c8v?!~c-g$%8~wh8@Fm{~Z{m;E}&Ec?c?&7HFn7kY^@&fR<F
zO<ummLi0N|976j8D>>7>%g+S7*c;^*Vkk3dZSy{khZ@tiO^~T`aZ3q&k=fz6uJ^}D
z{(Gsv?q%-DvPgYmwyk7q_4zL~eOk?x>4$3GOjJ_VSNkX1v37r@dA`A)P{y0_&8F?M
zHJ*1oo7c3z#>HGDLUPm9@W#4;SBCz{|00!>6j-c<{A=gsE_o7OcTA&fuP*<5{@n>q
zSB|H|i*yC~L~dRrwOai7EB`OQ`1Y@!azw^x>#gRy57K+$9hW^wcTiq;EWs}LrGCHJ
z*)6>Z3ooTqpO!X}J$Ao<foY?-;;IR9^@RswuL?bF_uFtz>e#92PRDMYnv{9$#GV63
zqw>$(t=`iR7HYOD=i|N^dt;V$ZdX+>UL!kEAltlngVup3+TQP;+IUsZuX<$Gv*_@x
zo{P6Q8N9xC+^t^dyJ4~NR?qhe`u$52ytW+lKRidE{)d0hlN8$vmu9aj+&lBV#n!Wd
zRoouepG>&A<Nb@D4s6Z`9A;}tG+R7PcxlAUd!>Mv`P!kcr{5^?918Yd)oqizx$?@@
zyXo&&1wQ}MRd?O|ns4$(xjEqxrB+JZb@^@ks$V7S-J&IR*s<kf$YrI6oqnB{bGY{A
zzPf!(?nv#W)I<C`*w<y4aw;#*<(Rj*&8+O-r1(Z@`^02-of>h^8_(3@PF$^5UwS=C
z!ovOeJl22uU9U_tTtBr1FJ}xia`Y9+S-52zr|em~D^Jh;+V+03sq`bQ^}+W<@0h-w
z!u5L5+{efN6udTR)#*!LIBW5a`?bpZf8_T)k_`5&W9jFbUww!}IoD`<+eMj4>l&wg
zonTzZSJ`&0)Zxe4wbd6~xmi@JtD<BhMJ!gb&DpPeA?Q*kORKGGymq7wd+6+C3;UiV
I{ONrI01Ef#yZ`_I

delta 2222
zcmew(yg+DzPJMEPS+-+%h;g8+k4vUORd`^knX_}Tb9$<0WR_t>L1KY-V4;hXMOu(+
zF_(8yX@G}wMPaacd8ALWOHx{zN2P~>lTTVfnt7U!TZmh_dqF^%yLNz2I+w1ULUD11
zZfc5=si~o*LUFodVy>e?Vnu;TYNUIjeuY7pkH1%5kz2ZPkc)-3Q>ABWV3b>FKt`T+
zmO*&FM@FRums_E}Pp*fLc14M!udz#HpkGl?R<dhhfuEs;Pg+o5NLf}&NRm@dK)#v5
z#E;_P$&SU975YA91s=|cuFgR@DTVH7CT9A9&c;cV!Ih<M#+jjh+QF77>46qpxh3I-
zLHYrH!D-1B7DXu*dFk$DSw^mjDS1X2`aV8I=4BSCY5w_zrWF>G;~B;4y^{?M3^H6Q
za*WGUl3k1feWOy-d?WOY1H&ys4719zv{Nn94gGWc%QA|&%$?m0+#EwgszMBWBQ2b>
zQk|14E6U2EvNOD#3v$x}(=CgNa{PUYg3>WUsU*2HHy}{KIZHp$GB-D%q&TW9!ZF#u
zpgzDP%G1K6s>nAY**UAi)H_w%Ew`xBJloNNE6>L)Dl4bl%s4T{C&Z<)+&nxhup}(6
zG^5b7GQ=Vv+uS!PrNX<y*QX*BJyN{941L1W6#_zBeVmMp%)JfMa?4z!qC5?JiZiOJ
zLS2fTU0pnUy?o2+9aBr4LmUm9vbnSkEfRf;(mhhlGm||GQ%ee*EG^B#(kzq1GkrY$
zbAz&sl3et)tDHl8v(c?fc5zBfa#RS*b}sU?i15x2DGt=H^vLo{EKkoXNp^J1Hwg7H
zEs4m=GY!oxv^0n^$mc3`%hpc!jI56`De?6UGz#)|baBj%2o3NljLORKE_8EAclEKT
zuuQRZ4fVya&f7HGqg=r?#UL`zImfTOtfDl%A|lT%t1465AV9mo$Tz~J)Lgr$%E!nk
z+$Z1Dz>_P{smR2_)7>rHBHzU_(Am+YIJwBtA}>|A&?KYMxX8mislvp=S--?HCDdec
zB8zx<hJHbzg;{Qfo4JKoVTx(6b8>NspL1opqnWd%WthJ~kz0D0ab=lBm76D5P*h1`
zPH9lGZ(4pzp+`lci-}=adA@5!fPq0#u327LMx~#Hd7g2xQHAT|^DN@wrp9UM9>&4N
zZk49aCSIYb5yeg>dA_+t7M>+WmdSbULB&1>g=UtKrsW1);U)QAsrp5c<&Lh2A)yiZ
z#lhOeX=ZL!X$A$3mD*;Zsd@UY{(ep-LH@pzZCS<ZUCaxeJcDv8OG-0+-QBzsqntfM
zBFa5o(=xO341Iz!%Cw!+eBBC@LIWeYO8qmFLd+`k^UF$7oC8Xnvb>AD!@LUvDl2m{
z3@VMw6Vsfks&celv$M0gbaizV91BuB{qz$Joc%L{y^7pCT?(>{@+{5EA`&fpT#eEb
z%>yIq6Vu9r3R27*x&B+K9CRvoOW0gEB}!b>ocB#v=<<T2t<jx-IQ~xcnCIm(-$0q~
z#jlgk;(kgT&2g9bU1IkB<HBd^Yp%|<tG4tLK3mnzG~J3tZObIqQn`tn|F=g(G`DL{
zS?w-f?Z51FjqIXtuReb}&$u9>sqZ(B{nO*qjQE~Zys6LVJ1;OX<ixU?DkbL!za_n2
zv&p^W|K3v>xqrLWl8a{<+#{{NnoB2h*10$QzB*ND%YEJrbN7WSJv(}nGxk5TrP%bW
zM|<C7x*eZ;JpQnJF84XxNY*>%U-$3jTO}q_dbP4s=cupplIP)#d^fh9^5eU8cF(<X
z2Cr~ao7+Yc*uFlxULU#d!tN74Uf-Fq=&9GS)>xAjAzBmd7W(=7TPaRd=3{1M%{AHb
zS$bg*_kpc--xth3xiyYe?)9TqFHa_Y#|N9{Yd)Q&+$7epGx_Evfh8X4Yu<H-cxSHG
zVN>vSwh_y(yu4AdeY$Z%g@pANqX5e#)rZa(N$qrKHRrnW)vWN9Y^!Vi6}JydmDzar
za@=|MX}3xGHb0B*U#x|FzNcbl@3)oRG0i0Zi)qe@wfx#9^7|5l_{2i<i~P$wy5~hF
z9^d?7(JD3BRYBG>Gw&Xo_U>F3<Acv1`g$Wx*W6YLoMV=FbxxnU>#z5Ei?SE67YWQf
z{3XIiU|FN;qC?9%G|nA<cx(NfwK4T94?Y|_w#o0<A-#Rd)@S)cH&tZpf1CSjDUXL#
z=F7*+tl8Hs5A-Z>-sEAqRiC>rWBV<|1AC$yMeYYhKG*r?5i5B%RpNo1)Xa(Vr|)R2
z;9N7Q#J)|du=Ab}t4U~wXWo}HI}_(KEbi@D=ia_f=5@@Qwf;v#m#vPSd#*gAOaI~z
z>v~D6Ql`yoS4*;%KHp|0UFExkW6AYe=LXxEr~f`r%3R!Ff6{x={d2t!)>R~&OwaUL
zlhiQz$m7ZHHwlT}nwMJ4^=Rwq{cd{}tF?aB_^1~dd-S+)eW|s(@ENDymt0t@Tn>Hc
zHBRJE_v`5GikZFY-ntr%55`3~anfxot_t@mPx-l|KEcT3#`6ck3RjY*q@{VipT?iD
zXn_#N>?zg?^Rg!M)#*?D+T^J7<l-OylZWOnwK7z{6`>#h;rNF6%O7MuFJ!Pd6|h2j
zt5xHKCl((kaI7ufBF^<Cu3~p$;rVH=H+{IIsk-CwTK+{M^){VbE^PkP*JR?+nCy0R
z_eFtz-uCHDx)}%SMV1D$1<mHXX_K<Q^u)sG&#wZ#%k?j=`nS)&qb<Yb@Ri+PCp_NB
z9slGm`${Qsx7){Wxje{!s${3fzr>SM-Ba=G#JtWT^VWH%Uk2<meqF-sv|25NU&wID
z99|jIpUyEhcUMLS+`o5b^|yOd3Pp`BF*>dOyN~-&xv{#ZqJa=MZ;#=(9cP$Z)LFfc
uN-5O)cptX?{c4p@@{;oX!A`#|93Hr8L`Ch@TDU%{<;mT($6d`hvc&+;(|%_F

diff --git a/secrets/nix-serve.age b/secrets/nix-serve.age
index dcc0b5e8cb1488046cab67136cb15e047b5d48b1..2e0e4ce41c613e100d1f1a71207cb0be18d59747 100644
GIT binary patch
delta 776
zcmaFJ_K<CYPJLF8pQ*EHKw_AFX+&OSet}DVR*JX3tBH$cWkgb1iG_Djq(wlfdA?hC
zGFN4eu~SlIVYs1*XQfkES&DCpen^2)N??&oxl59fZ&pxlSz1_FzIK^WI+w1ULUD11
zZfc5=si~o*g1f0tglV}#hDS<9X|acyzj=val1W*Cqnl58p0;nHV@_qIpRcK#Pmx7l
zdYFZ&pSDLJmtUx_tBFN!YKDownPGrWMyY>EV775+Zf?12rE{rSg++y9nu&{rZ-{yJ
z#E;_PL57y)MaHE``ep_`ZW+!|SwUs_$%)<>9;pEpd70TMz7<~S`NrnSxkiCpNzN|0
zmEqx;seYb`-T_5PZskeAZn<Xu?v@e00ma_MSrHMw=4DA~Wr^jJ;~B-nLqm#FbB#;A
z!YcjzQli3qO?-+1i$Wt^GfgcMy(=OL%?sVr-CPQbO7kqZ%G`r;45LcZlAVjQODdA9
z48lSqQvLJ7vn@=kg5C7Zy{c03oig*o+(IKKpJf!UcS*~2^fvQ%4lGD<jPeR_N^_~o
z_VK7FF!iV^4t5PJGxMqnNiQf*%ghet@(lG!FLrUtFEh_H2&~jLaw`bQv<xxMiS#bZ
z%?fr&PAc*B*AL9ncdEdM0pDOZ<CJs-Gh?p`i!cM9bc@0W3;)n?^ZJVPkWfe0^n%b7
zmw?E?Y!COaz_J`?eRD@wt^i}R%!14$*W{pZvrNO{fMSEld<*Y#@9;do{Hn+jm%_}F
zsz|3aN8h|aE?r$+g)kR`N+W0eGQ)zP^n!E?lK^Lb%U}yb_mVVA<6xgCw}^=Fln~1>
zPZNI=uF@Z$U9aY5Z>Seid~=?~K2|{gbH^;9;v*9tcfBo2ZpeQld-Q0WW6__3ddC+{
zT;OMSy0}a;=<S`rmImX`Y1&gK=HEVdIytgI-Pw5CW8?2-wUUqX?yQo}XIENhaz^9E
wqty$!I0emA77NeeaM+%Ed-h@J7bbU)?7z9HY+CbGp%QjsPQ7EI`ngFw0DV;yZvX%Q

delta 776
zcmaFJ_K<CYPJM7xW{$RgroMNUQ$d(XT12^%Pex`?N_k|kV^O7_nQ=};pqp1(uwSsV
z30JX8K&DZsS3$Z*p>KF;vWKT*h;v@Jt3_g3aBz{cc2Z_#VPRNakx7BECzr0BLUD11
zZfc5=si~o*g1f0tglV}#ae!r5aFKqbV^Bn8Nw`@_ky}7TsCS`pvX_3SYp!KtQL?^A
za7k{OWsr*}SDL${fu+7@euzbAL0NFIaix2nTV_~6lzx!APo8Cldzn|Bhhbr|p<%kk
z#E;_P5qVW9NujPLF23d#k!dEm?%rh;K_2BL6=o^HE|C@%L4_qrsUb;uxxubnNde{-
zK><c-{`%qN#Xez?zS-g79y!Hju4!gP`r66ip^;gxURi<Wf%yiL;~B-nOH)GqL!9%2
zJ<HRgN<G~@%Z&3goDH0f3*5Xd+zU&C^&^5DjT0k6{le3^(uzy`Q=>f1!h_1AeDfRw
zLLFUPUCOew1HDW0lT#f%^L_J56D=&<3c^AspJf!UkE$$8t4KA?s<bQ#sLBXRN-ixk
zb<7G*%q&SZ4>Jo*PRc0H^eA_9^$5!6N=`F1clXFEFAC8P3N}kM$_fw756abc3o`Ta
zj>t+0aSRL0iquZY_w{l_j{)CcH{+Cah4QkZ%wqQ_k91Q5v%;cepNjfCgTUed*N}{C
z$M9U^3g3!=QcL5)4404yPp(iuQ@4uTpn#x=NMjF+AlJ&k^75P%ZC|r&OW#mW{ZPj=
zV||klcfb4`6E0m{T?LP{qHq&0ZFlWZ!$dPPfBoEy;ynL?ux$5I{mO7N-`wQP{Cv~W
z?BY-tN3MBFssD3Z*Q~4OIv?qAbo1WLr)EAY+^^`}b-JOO#s5lP8q=#vrzHsokB4t&
zk>N@V-|K&_c23lstC{!CN4|;-b$G+@Sp4&5SG(Ps`9-V4o-lpVyVLeg;pm!zc`~A}
yYh^E)&%Sx;nAnw6??vJ9GJ?xKvU|u(ZaMOSJ>UA<CfoE4yHdmJtG)&}Z3O@Vs1@x1

diff --git a/secrets/tent-gitlab-runner-bsc-docker-token.age b/secrets/tent-gitlab-runner-bsc-docker-token.age
index b8fe92d5041e64fbf292669d39445586e50269b5..187c863bc2c3cdef37e7ad9a4a596f3edb4e444b 100644
GIT binary patch
delta 648
zcmaFF`iOOcPJLiuMtN93QKqSRrfG$FQ9*^fVX=N$L6&J`c~+)&Xr^JVv159kdq`Ne
z0hhU3a<W^BuV;~|Q;>T^o_=MquYXQ@sZVZtNu{5gt6^qvm4!uSPKJASI+w1ULUD11
zZfc5=si~o*LbA7Mwnw=_NQ9GlzN1sAcCJOSn?aass9R2Qgn6ZtV^u+ZR-j>Kuv4<9
zrHf&>YiN}Tm!EfKl5tgvfooW%Ymsk6R;FvBS-DxDg^O8ga%QG~RC#8)iHC<vmPeH1
z#E;_Pj-gdSdAZ?L$)U;m+UYr_zNJ+j#)iS!;fDU^W#*|-L8keZ+POg{84)I2sVSbO
zRcZP@xvm**PRaR3o(5T#+D3T+ey)zD&QV$A9=<*%M&VUCk(QB@;~B-n%L6j9$}_$4
z%L=u9!hB3}6GIDf@_qFS{fu1Q5(84RLcF5N5>wMnO@mFi(jsyy0@56VE8TLP1G7B+
z4V_Xv6ZIX<3-W!lN<#umOM?qCqDow|EDeh%pJf!U4@wEF^e7C>_D=HGj>xad&Np-~
z@C$P>Ei=e7sz@}>O^NWctS~lk4R&_r@{TI1H23u~^e-uJEH_W~ch5`9swmesGYay~
ztjNwxj4bue*3b5HHgxyp($&>f(AIWMHE_-@_i;B2^vfzKcMZ_DFv<5as!Y^R4leKs
za7uNn&(1eBa4gS><l>rJ&Qznu{i{Nl!K;Ds+AOhdlk{NK=6;5h4<_ONFRU<gn)-oB
z&p3@KKC9;3>-$XG*5+MkU8N9Xx$#8!!>KFI+_`7^(@*{QnKjQ>?R|dWW8R*#2Uo>-
nZ2I%;jd72V>dM%o2FK==i*8O|dvyPXi6M8tE3KV!Jx~PzilFLk

delta 648
zcmaFF`iOOcPJL8HQn9w5uYRzniDhA+L4-w;Q$cuWctxbIL0PD`bA+E`UO<7TtC3%j
z0he>OQ)sT2k(q0Dxkpt=h($n^L8yD7k#|(NpFu>GMP_86WwNV>kEMTjAeXM4LUD11
zZfc5=si~o*LbA7Mwnw>wsdrXrgjZ#GkV}D)qj`>Lsatl4bFg-}r(<GHMR|Z>nz><W
zmU~6HUr~e!mshxjzfW#jcBoH8zNKS%q_4YQrGI*qc3z-?Z&<QHfU~bjws(MMzFC;b
z#E;_P$zfTM#z6*A9*$}G*^VaJ;W?$IW&Sxv?#1T0DTP7lLD?qZ!J+;Uj#=qko)xYx
zWu+CFx#5<Uu7wr31>xFGB?Y+#QI#pV<>~sR7UoHXc{xUAev!$O;~B-nGjdDIqe?4s
zz4A&OvvNaCA}lI10s^%&0>aDu4BfS(f(;7FT+Guv5_8kJ(()Vw!p)+bi^@z3g8fZ`
z0y8p-EGnwZGqcRI9HYFl4IB%?b4vXqT=LQ<pJf!U4-R(sNe<5|%{2(j*EjIb^LB{}
zOSi0WjPfmaFAwvJjLZ%4il|63aSt`%DoDvO%XSQLH_tQ5_btv3P0DvlE7dM@@h&a$
zO7<`eEelOFHz-Q;4a|1s($&>fNHmHHbWC*&%<;E$3C~MS_jD{Y^DFQ)49GW2Gq%Xl
z&d4mOk18wFuJR1G;CdKyZI_a8+$)!mtsXBH8!tWmD85FIEklCu+WE&5nQz6l<jIO`
z=IdG5(<n71{cP~8*!b0t?DKYrR@E7uVN<+bVE%lu%`=hKQ!8BT-_$X^bla=a$ChxY
mQ2XzM?%?p(8rtuk1nf^1mwQwi{U!HGg8!F0v-h8$76JgO1L&s!

diff --git a/secrets/tent-gitlab-runner-pm-docker-token.age b/secrets/tent-gitlab-runner-pm-docker-token.age
index 863144d8029633aa3a47cd7f1072f90a83d42aea..871bf449f545ea0bd92f9d9bdad1dcaba3286ce4 100644
GIT binary patch
delta 643
zcmcc1dY5&APJL-gXn=W2NkO5jUr3d<iCdI+R;Za_T19b=bBVEUcy^Ixgt2dwQB<Cj
z0asLhWum21RF!^KRfVfbxqEVvvys2KUuj5qXqIVWZeV1kr%#qiVt!FjI+w1ULUD11
zZfc5=si~o*LbA7Mwnw=_Kvt@GL9mHeZn1H&k-MKksheMjiHoa;hjCGqVX={~k%xPw
zNqM<vNvUBdm#J$-floz%Po-tPd$CKNhnIFnh(%R;V3MmrVnv0MWu{@KX<2xgYk7#t
z#E;_PSpmt}VeaMbMgi%@ruwGE#U>%SZiSX^W?6|o1_jO*ImU&C<w@Qa7C9zdVd<vY
zuAU{OjxO#lmDwJt#>Q?rK}Fu#2BAKQQNDQwZn?=$;a*YRk&cd&;~B-nLtLs73#xn*
zD|6EF^$WGL&4a^DvZ72KJ>0TgQVnubyox;X-CQ!tL$k`c!aTG?at!?=GfH!{gPbC>
z-O^oh3$x5Dg9F3#Gqk-7_5D)}Eqy&wOj5HapJf!UPw`4G&vYy|adC4CEJ*h;H!}=#
z^tW`+4ENB^@hfmCF35IGF(|4u3k)vj%Bn~VP4)IFC^HPtG4{zZ$Ve<q&T}yj^!Lpy
zaE&mF^2rGe$ug}lF$^`}($&>fh&1<%40Wjr_DeHJaSsb{4tH@43^yrHFS779G!F3a
z2~RJrG7d|sG)~jc=6Zc|VfE*C50&INuen??wEo2~d&0)ci%zF5vy3_z;qiqf;KP!R
zt>HfM|NomQb>ChSu5^C2rpo&AELA>bz6Y6|+@;55;)A=l9}e2`@&569yhlIG681h<
h|9Xa%n?+NSnO0Opt^1nmEqir43Pj)hx~R<)000;b<H-O3

delta 643
zcmcc1dY5&APJNiSuYROic%?ylZjw=YvPqzUL0FYXpoynrMOtuWaYm_2exhSlj%&7?
zFIQQbp+#xFtDk9<kC%x@vRAr=X=*`YacYL4bC8dveqM4!NvM%WfroaWE0?aFLUD11
zZfc5=si~o*LbA7Mwnw=_v2Urnfq8aTj;C2zRzQ}kkDGsJKvj00ws(kSWTClJK$<~S
zuw#g?QKGvimwu|hOSzAQcX?%4x?7f$w~?<`PEui(pLwopS%h<NaaN(Fi=|m{RZ(90
z#E;_PCC2(8mFAVsh0dlG7T$r8CSi#l!GV^6#;FB`z6BBaPA=Y+-W8VGVO6eNUghbb
z#f82p+J;$fQDtrgmiob-`T6BZ8Nt3`uG!uN2F4*~mfHRvSsD40;~B-n4e~Q`y}eD0
z%(YF*N((Z}ib}E~3Jg+Qye-N@Od>)ZEsMg_lZ&0*z0)1Ja*LBv11qbH3w$hsd`cWs
zBO**oiqk4RD*YoWGSVUo3KM-?z4L-93IYNrpJf!U_s}-Wa?B4f*LSHXuyEElcgi+&
zHgOIy%qYkX%_vFA3keVRtjP8^GI34j3NG?34RyCP4l&IMEjO<4^m9$kGj(<K_KEPy
ztnzes%W(2HObaW@ck^)N($&>fDDe!)^RP^=2njRJH7=|wi*m9wcTKO-E=mk9kMc6K
zFmj5hitu(RwMf&>=la@_ru;!hhri~IYo%UUpNr4!%ez=ldNBq>JZC?9KVkFS+b?yM
z|G4c5O)9>q5vXXtLu#sWg_oqXyS<o@>5BJTPkgVNv0uW>*HQEgcj%{A^PL&rAC~g%
gQ_-#sZ}U69!d<a-*Y#(KEAO5?z^eM>_}&}t0P_;!RR910

diff --git a/secrets/tent-gitlab-runner-pm-shell-token.age b/secrets/tent-gitlab-runner-pm-shell-token.age
index 74527b0ace78c33a3643860c7b30fb4cd3b2c5c8..dce063abdc01a564e138d1192f3fd45e024a8bd4 100644
GIT binary patch
delta 643
zcmcc1dY5&APJM2Mi;HoocByumuS-}&akhtxYoJA`V`@^qc2usvpSinpfT^KzL9v@l
zGFMt^gnvm+fM<k@TUADizDZz?kwI#NXGCF;vtz!tOJSydn1P|8pT4hOHkYoQLUD11
zZfc5=si~o*LbA7Mwnw>wMO2APzE6<8fqQ0=fkmi~wp(SoN3p4^V|Jc#T8Vq1Yra{g
zX+gPRMO9uXmrrg^R%w{FWu(7%iLZ8uqia!#MQUY%Z@!<8zq_Y*p+#YebE<2eN0dqN
z#E;_PCBCj{k$!=Nj-`f~m4%s=Uhdk(hRHc@l_pW;=1GA*RR&eXIVswnnNF@;nPKKp
zQHBMcK|#fa0r^Gx7FiLQRmoA>AysKbmIcmPK`x%Y6&C5`*?yjr;~B-niwrZv3o0{G
z+{{WdOd`UJO-c)Wg7ORfOUomj%|b(c{Pisj@{IjG12cWOj8a0K3<|wVl0$+Dl8hsK
z+zi|*({p_DD)O>j{M@qws|+&2++33qgUu`^pJf!UcPz~@Gj#P0D0L3W%g9Mj3NSJ#
zb1n8TN%rw|OZImPFUrVrObje@OL9);GO!FXN(m|Sa5T(v%PmdL(Dx1s$T7|LugC}p
z_w_V(*Uu013o|w{Dsgq>($&>f2=oea_9-n7w+PCMh)OciPS4HBbqUipE->;9E~_;2
z$;vgaa!fU}2=&R!=GuB%AlEpsV{wMS(TIvoq1k0UJNrb|<Q_dQcz^d#A^WLZU3@Fd
zj!hMsB4OISqA)$y%J%HLEuBfqj~kybT@Evw)H3h6PjhiX_^P<>pRd39S0{LNmp^9s
g+x0@id+lyMxtNTU9qdLzoGbns)R#>@_olfX0EU_3{r~^~

delta 643
zcmcc1dY5&APQ9UbT1ak4P=Ik}a7uD=PMW@3sb_&(ctNFMNxFBjsjG{2VQ^%4zIkR|
zBv(*`S)gH_kDHr*WoDR9L3Vgij)9Y>K|p~|zEh^Tsj+sYMUK8>M3$ec374*&LUD11
zZfc5=si~o*LbA7Mwnw=_NPxMve_%miuwQAVV^LmczMG-5rMZ`JfN{Q)L1amlvui+V
zSXoY0aioVUms4@2sds>%M@X2TN1mHuafN?bPMTMtv9q6Vm|J2*N@RAByHQzimU*G?
z#E;_PsezSM<$j4CX3lAek)Bz_7Kur&rGXVCW@QyY5ykFRW|pBjsU^OlVJ@y*ZZ64{
zc>(_B73n4c;i*-oQ5NYT>83uFt_I=hNyb$nmYK%h`FUpMfyJSd;~B-njl4>I5;Kj`
zLQ9QPqMRyIf-RDLi+qY)Lp?*Yt4#d-5;IE+@}2xkLdrwAic@@zBeWxesw#`~3(PAE
z6V1({%-tNzLp=PmEDeK0oJ*q0(md0hQ=AMYpJf!UPYVvn&J52h@XU)a3^Oe-PD~4M
z&JV~hNp^S34|mJ-_YDZiD2cQ*GS5lovM4im)i=&DsBkn23y%tjsLJ*;@ypFibTshx
zDlPHxEiKB^kBW%O&8TqX($&>f@D0qabgHn-2r=>WiHz{hj|wrg2nf%sGz?5~ajVQt
zjw&*%GOo(<_0um5<kFQ-I;ni+wy&PpA%|5ZU5y`)Zmrcm-=plXZuR8f@3UW4uHAUb
zzU=0cJo%%yLY8RHeK|oadP`uhLb~J137>hD9v5b;-!Au1VtH)%p|JdlWiGKA!Kyzz
hL&f$_7JL++wq~l)!R4YU&!cBc2w$5}5S*}I0RZjv=I;Oi

diff --git a/secrets/vpn-dac-client-key.age b/secrets/vpn-dac-client-key.age
index c414fd70b5ee93365f2e81dd647bb70b21051eb3..75ebda4daa08e2eadd38e073ffbc9c5a68f3bb42 100644
GIT binary patch
delta 2279
zcmdlYv_)uwPQ6o9W<hp%Zl=F`ikE3paz$o@fvHzOL9RhSgn^%Fuw!C{OHyLCM@WjB
zBUfOgt8cNtZ%$C2QG`KOh_|Urgn4jqc2%NBMY&~Jiffu*o?k{`SWa$uI+w1ULUD11
zZfc5=si~o*LbA7Mwnw=_qN#yfm`Rndp;5V4rBP~7j$4wUWo1P{c5;5Gx4Bt_aX^%d
zNrYogSbm5JS7LxyZhB#4S)p@!xw}b3WRR18WKnLOOJJsjxlfWsYLa(kx|wltps`{8
z#E;_PX6AmW#`;E{>E+>NCMKTRfgVXtE=E2UX(j0uPLU-Meir72X;A_CiRt-VW>KZV
z73Bu0rBMd%*^Xv``j*-$t_8^v+Kz>lrlncAE{5fmX-45@nP#Dr;~B-nOLNm)L&`Fe
zEj+SvGr}t^QbT-_or)Yy%nefX6V1Y_yh@5w3yn(i!pl9mg3<!aqcR;mg3T?<A`+ca
z1N5D>Ey5$p&5R67vIEiza>^?M3Nt)HQqm13pJf!UcQ>(&Ec7Z4NviNl$#Zc@ObiMv
z@=VJ$Gp#6g$;$O{4=^-vHcw9u%?tMBGP5WR$jY_Mun5o24$ji{aLF^zGz}~;Ob*F*
zcFlBjE)DW^bg|3}DD=(e($&>fFbW8C*N#kf&olPT%uMw3&hiSZN=lDPiO5ZJOA8CO
z2#qkS&$cWs2{H3^<!V`=<W$#peE;wC(1I(W2g7R`O}KV1`<W=O-}lvXd9s$fmr+!3
z^k>^2i!x_&-MZXmS(@Fzwl{L|vnMMH1YVs!WWBI%laiM6(M`F`37b*_TLW@z?lLyc
z3NM_zAoF+HF`Flk{LTjyJmERxc2ZE)<%Oooodg+$vie3XqYC?X?vrcoHR#AaOcLzn
zTwNoz=by(<$2FpJ<iG6VxXKdt>ckm6?wO2=#;2z}Vq4~4pShO#<eVG!hRZuQ^l_&0
zMEn1qR(Nl=-l4-w0+q_=KRIBoRwcsju9VBRjM-ICMlxi1xcYWOr;TRXTzglB)Ns#K
zQx4VQoj6S@p1rf)_jp3r&rPOx4SfZ|HvY`8Qt?|kspE2zKz6~g{!Wh97Bc6G+!$q_
zeu@-%mAjjDhU(;V!c!*wbXm5&z-pbRsWb0)nMCjGDT4gEtN-VQ_!KVlxb?_1lP|UG
zX7Iy*3vAsBBg$@jT-|t3Z%6&Szsvd@MFh{8&M>X`tN&W@;E9Mmlj_UVOrqbbroL2H
z)_qhJtH!Zec-hv7?KX8UA0CLmTQC2jX3^^9u543Mr#|GJ*5EQJI$VOeFes?3y<u_8
zWRdf4L*pkjFz2`heCaVc@%qrA#}j`s#_dmJ-oE|Q?BHK2ldSpgu0GgYpllgnyr5EN
z>*?$tzODyDtd?5+HnDzM%2w%B-?j2PSCp)+;GO=ywwVz<%4dxkdFMBjslPY-`ARZs
zrP`9<U*BIHSd-#Vk}9e=y;e5*gG)>LyNdl^7n^xM`n4c~=hegxu5#Z4UkjufEcPEa
z{JwglPKx+erCz0~#Sc1V#Ms^AuDd$qO*VgUY~5OR<}HkF+??!3OIPKs?{Yo-F{^%;
zN$|g3zLHP=r_%#im&R&!_53Q{@P2{d*`14Y#ZO;c-kQrdA^(Fe=gfHiIr9GE&$D%R
z#J;GTweXA1{B8R<^;w!MtN8VWY8-f?y3$17Z?%cz+<xgrQ-t`z@|TR0^hJ(5NGta7
z-I}&8X3@$m#cECG_H6yhY`*yFhh<jBzKeX>TrX7l!@l5mkjY!_%IEjXRlMhmm3*_3
z(lrQ`&doiiRa>LKZ14ZJhY~jquN1EMYVl{zE_34pLR?<VU+$}Zuc(Neu|=ed;hx=x
z4?lCWOaC6e$Ligybx@-?UaVL-d<Lhf>+FYz4DQCIvbN0$SP^X)E4sUKi^8(7U6cRz
z?y)uf)t*>iFMjlXQi_Xi?4w<eJSC2=<G-66eqPa1)4X8q&brxU$3IBFUOs`1<I$=&
z^QYRo_wnC6Fy%?2m)NG1ou)EI7ezlFV$q7I`ug=(eCfmX%gvc-U%&T@oZH3Z-*f#`
zh~(NmPTLk`I_zGTm8PPzx-j?3%&J<h{THVvoh-bUV!BcPQ9=Dhr~9S3dzYl`kU3&5
zJufBZ^b(s1XMSFFpSZlxWPTQVWU}8LmGait9Mvx$x`}O2JeW5@XUSr=Nfw5hwQke@
z&krj-vD&9DC6dGO^%t3$`=<y!6g8hA>G^qs&Q@R9+t%whm@eBsC+$eeiXYvNzT6PM
z^Let*dRwlrk7mYFb2N1A9qM^YHf}3US~TI9x<P74T<m?Fuoc%F%MXfdF=o;Ed4KiW
zz&MpVx1CQ2{to!1&sNd*`2I(^X`%nb89yzN?ENG0>*qwBCzS!^CQWA@PS5<W+b#cw
zr^fE_-;1jc)pPQE%%9MIQSJVjODzk8SN7NLIqD#$=zfbmt~brP<If_)?%X!Pdi(FT
zg?Inlx-G%&{HE)jUg^VJ*9Atk@(0eI%L$sn=MyL1psIiE?E#6HoSFn?{<t6Sf=yq!
zrOlXpXw%2*pN`BZSG~*>CE?269r()SRG#{wb>E6F2DG+!t~gWr|8qp>pFKZ4{NLJ7
z(OR;;Ao+BbaekPr%7-GA^C#-;E(kx`dYZL9T_?}?m7`w7%d1EAcImeFzbaIIczTl2
z%BC5w%j^=?G|hE;`SaoOD_kuRi<N$VJ-t|=f4P^&!}YdLXM5WSK0PDyan&uK#O|XT
zZ+u*FODMT&-v`~Atqm*KOkV0_{XDq0`%+!H&NH2;dvl7#ZhgEw+o+d~J9o-FcdO1P
z7tWns9r3n4{HAPhPw(=Hc~X1Dr|e4ezi^;OskMyZ8_zk$7>S2lSKsD3wesKe9VR@E
z3#HynO5RuE@NLJ!H`7dJt54QR-TWi0{QT-u9-;-ZQhT->h)Z(~*wL?lpZmCp#OvLs
zoqjzRSbaP~co~ng@%?LinVja$&Enj5GW*Y->P^{a=4C2O7u^y!vv2XSs@(?nosQ*)
zU(o$@mH$$}cX7qEbKf<doD%em3Jf~%&GV=q=K@B_<vN^RGjzJS<TndmKUT!Hu_`#u
mVDE>t<r6&0?i;+!yZNWaq-J6JLIsb9cDfq6t8!ZcD=h)j%>su2

delta 2279
zcmdlYv_)uwPJLCjv2jI#ft!1FS$;)Dx}ir=n3<E2d7gKwn`>EtcDBB^hmpIbX;iXH
zGM7n3MY?`saALBnxsh3kzN4RUrEx%VSz@7Ss!yh`znf)ZS)Qk-N4c|cD3`9CLUD11
zZfc5=si~o*LbA7Mwnw=_h>N3vcZIXBiG^=uP(WU&nVU<grAtYYdxd^cR#uT?rE#`T
zdbqZJL6V^-S7nN$sb5)oV7OzEU%q*$PpWZgUZRn!OKNy&X>v-imvM5Qk!P5hV@71?
z#E;_P<t2f+LB7GMIp!wr<^jezo@oI^>E<RzWsxamDgKd;maZwrMHy}>0qGW8Uheuy
zVSyoG`i@2=QITPlAth01<&~zTM(Mu(iD^!Lp4!PK{%K+1eih}D;~B-non6u^oWop8
zf^(7#i-Ik@BMkDBqtg9Ke9Drw%Pq<>ioAl&lXHA?jUybnjDp-VL(58C3e&5qB8oEI
zjQxX4^j#zJDx9;!O1#Z0eFKWTO-fx2LZb2~pJf!U_w_GN&UG#~b=UV!Osz2REe~?f
zEcTDgNUw+tHx4#Q_b)Ll&hYaMiEvHla<VWAFE#ay$_&d6$jkStG|rEVa;_*UEX;F`
zth8_}Gjh%kG|O}iEh!4+($&>faLEiQjBqmb%<&6LO!CkV^>j6<vM?<4Hwg>$k0>^G
zbTl!mH*vGfFQ_te<XZpBd$XDNwAE58FaAhy*}Qh<YQD@HrYn9*>QCRNb58vn^C$VM
zC+g=$&V0yYGdn!Cv%R;@*vjc#S^KwtNAIojwmbUBWQ|Paiml3Tx9Qx|X1o~4$kaB$
zvEDZ#M}$AWWnI~X=Yic%Cx+?GzaaF?=gWTmRfTy^Z}`-6-YHyDaA8i5Pq64-yEiVs
zqtBQyd0y+E`_cH*?#NevfBaVOcqz7X?d5H!-^S%w)$NdB@%XdxUxDz=4G;Q%ux@@@
zcTMa__@|?sQGYIdy!$iWd1J%1wJwSoNww{~WexK}l*{!y?{)j9o9A!)v(!6D$ww@Q
zG5e|Mo-o(_|BtVJu2UbnWbT#HJeKXhCP^N0)a;rYYQCfQzKKiVg{>QR1P4qnKdtA;
zHYYt|i^9B}cM?`FYfIg#-;iiE)q3{t{Q-;OYo+$Gd#u_jFIprWbV|EVPvOJ2iD$kj
z&iQ=e<p26<f%_$IB&|5iy>hz9PyWu_wbg%_#DeQ4NXiw@QI+j(O6^MOum55r<oPnh
zsdlRq*Cg@Wi`8zGZ{*S)mhxqLY}|P!Qn-xm_6@%Wyl+GzH2k^j=grirn(ix8_a$XZ
z`06F$PgOtbJ{DLb!dUur&tZXe>mz)=_{@H2cH831`bp;|H8>pmr#i9OsgcWQ*2(8Z
z)A{G_)v})ZzdYsFlfRExa)hqFKlCf6eqR2!X99OLj^1yVoi$0!y5`q>mLJ<okG_*H
z;c-1ywE5PKwu9wet*L!?I=fopCowMY^{ozUQi!>CxoQ3jp`<BH^)L7DGcUU^yYR`P
zQ(--EZfW}xzIP`(yz<?wFpu%!^g8*(vR0udaS6X>3hBs;ncaHiA98~+d4h`B!<m|&
zUc1ykF#n}~^kJdv{}7>4zTW8{I9aOPTiY(DFwAock+^4?$d$dO`SqH)ozI`KKGeLh
z^jN07_u^jd#L`y1eVsKrvp(l;pAo1WbUmU`hHu48{_UTgBEHL=_H^3BcxTnmv>$l_
zF1)M5{~XTV&ttE@MfFppgaMn~%v2+nNQ)P1_7%=es9*5uiItd8{lun{^`~Zi^y6&P
zw0(6?cH0aW`{;e4?}DV%uT&h_sP`pj-^4F%Jq=TNTUIZgA89S1y;ShtUB-JMhs$p*
zD>u;Fs&bX1XO|uO#q~0_>(s8N%hXCO*}36wYTo+p>Ps1qzE!^|-of%;Lb&{07q@-L
z5Bu#wxy8HoZ(Tm6UU4_qmV-fO{FoM&2-hWR-{WnPShD@w53ehq67N@+XH-fg2DLuE
z#?<t{Xm1{W&i|v&bC#+!$|NTThL|WU{&v0iv%A}`kI&5wyiXo^Ie$NkfLgbu_pyR)
zNrzRQ&M7&WFFr}rRQ6?Tbac-viRC}EW`z_gOut>D*SBg(=X0GBj#>3DK3z5HoVe=R
z>J8lCuOsGUo954(-?P<v?$u%!W0&&{?yJiW&UO8;`&*o5MbeKa3YFhk1)?NBTd>BK
zeO+a8{Hx@Sqb)5{f9%PO+AcM#rs;`SmyX1|4!J-fp$BE1TOK|5%FJ$<e|G!sW+8$3
zvN!Io*&*K?Jad*=a9R7qi-MoCPS)RvEw1Z-8d-la)$K({P4=JX2PNJ_uWOaKW7RG#
z5PD6s=J=sV@w4rpC$Z`&O)5N8$oDpH_6(y1j=M?@-ahY?&99I;(U|YS#pVY#8|K}9
z*u7d^_S&Y!`*I(P%x~Mwo^H*zdM)o?4(G-bs&}>eM8j5u$^H-gkj?J0D(M;bS)KA{
z^)JqK27YN)JN80P?&a;sZ>|Z=k+XCTDW(+fSP}o)$9(>}`VfnSpFhlv|CCzNJUe;*
z1*u~~lXKbACD^(*E8mD^;kwY}_A~I!r_09{G0m*;nO^zhEVt~cq>`d5T=}jBv*a#F
zO->1Uwtwrg+@@dy&8ua5{@HANx=xhu=J$|i47LUJvsX>8)=To*!gO=aI_=`H^^?^2
zyK*I-rhjqp@H`&4;#JP1Fva-|7L(Fe?K_h2>+*7;4aFzb>e<8_;?L|g&fPmTE8qWW
z#7;*3D~tE6`FGoV{ePK18H_6q1|<BmZO(W6pKZnz{XoRl*8FyjHd9mR;y>FTYe{a{
z6ZFWiE$r+E8<l#V8&(f0Z$+2x6qJ`<yndy1Z}#GyTw5!cB=>jgY^v~4tJ93Wm~{Hz
z)2!F=(@yI!Jd2o7@oR<5=C|uia}566bE$b%xP|*#WO}gm*RyGUYrQqo%D56L?JVB!
z&)}4qSlNEAH2+ar@S-UBUArwgMPy35cixx3B+wIE`AEih(q_AzaV_s|uQU9<I-u{x
z=TFbtrVF^G?6|_l8U4{wesRRs_babv$Z17Yw{E+-apJ$}dmk9H{S7yl+ax(><DF^8
pB{Cl}CZ;X#SiJ9#>fDX{RwjijcUw<cQ0K>XNGZv)_s3cLg8)zM7#aWo

diff --git a/secrets/vpn-dac-login.age b/secrets/vpn-dac-login.age
index 6191ec7a..c35d902f 100644
--- a/secrets/vpn-dac-login.age
+++ b/secrets/vpn-dac-login.age
@@ -1,14 +1,13 @@
 age-encryption.org/v1
--> ssh-ed25519 G5LX5w SRJhNenoQXbT1FgX3TMPnVH5P6oe2eHot+M1YsEjsEk
-hfTSLgKi98Eh7JK5o7x2POpTEtQlQCpEa3keUFYCuME
--> ssh-ed25519 cK5kHw z5TwWJTkvx7HztjXHJW/aCOtOfPrQaLP0gyIT7rXcyU
-b4NCpHfasgvkLLr+6LcWUl60p59aSNnfp3bl2OFYXo0
--> ssh-ed25519 CAWG4Q 4VpS1/OnFe8nxcQbRTKNhjsh/ZQ5cbhSMXwK/jjQ+3o
-WF9wvOkqVml4UcEzyzeumKuUwCwwr2zvKLMg+PCB8nk
--> ssh-ed25519 xA739A 67FhuJ070jBVMt/xbKHWhfri6iIm0FyaFvzQabsvFBM
-1G5/913dDv/r/6p1x/c5YiUnZzrX/LvIj33KW+PN0KU
--> ssh-ed25519 MSF3dg Bj/yB4N2wkyHCHC22tcjjJAA4ebSamN0Z4UVX3ZnryI
-6D/ZgTs+j+MGDAbPU5zyK0i9zN6tQy68IcOnQZ27mYg
---- 169erk3ICSYLs4FPEuXCn7QlekWhsmSn0Lr+/R14I5Q
-§¼ã¦Ò½3‰sø
-w ‰4DºÏb.ÿÖ"|€…ó)"¹»¹¤½æ¥;Œ.‡É«7)¤LeCù=SØŸ
\ No newline at end of file
+-> ssh-ed25519 G5LX5w /9lcJOXC9CN02+XLswUaJ0H7jU6Xhjd8Xg4+KY0l1Vc
+fCLzsLc9zrocM8SHOKyZwt6eUEr8r1WLug9RLi63KU0
+-> ssh-ed25519 cK5kHw 1qza6h2NRSs4g8LYdFU7E+Dn1CgdtCU7DPdYInP1GwM
+/6uk7pTFkNTRTI7nA+x4y4CyOBVQVXX2lnpOg3ktPe4
+-> ssh-ed25519 CAWG4Q o+vyzcejSaNVYPSGzzOdzaqPByZ6zA1uaJf4KOg+wQA
+wfZmWrDSfRV8C+Hu+SeZDcomf/qigBqxuQK77SfnuEo
+-> ssh-ed25519 xA739A +rBsOC+IBE3lmc/pfrziftLIqMSyaGMsggRjC5Pqwl0
+xa7ulLz2+YC3g2hu7e9XhRYDIUb2sriaaigJRYF2oB8
+-> ssh-ed25519 MSF3dg TK6PmKjjQt8ni0mJLCt7P41lUsgimlj3o5Q6n3N+DE4
+ne+s3ctcg8cBjY06LY2lrW7wcxomvKHxu6MlirEA8Kg
+--- eorg2ckkUZ1Ogi4iTTg2MoiVBwl1F0RCmH2D8N1d1So
+¤Ñö8‚Á€ú­Ëi§$]KÞJ=2ZùüÓ¼Fú][»‡Ö8ßÚÞ¤Œ	¨=©ÏLD/ígz
\ No newline at end of file
diff --git a/secrets/wg-apex.age b/secrets/wg-apex.age
index c22c16735cf39e56f9758966195c76bcd5b31e38..deaeb828a832ffa2c58f29353bd39551bd99b5aa 100644
GIT binary patch
delta 606
zcmdnVx|4N+PJN_*hGA$@iEn6HaC((Xg|SyjmT6L1p;@J6fRm9~T1uc>v1@LWaX_+j
zHkXlUc~!bsva3;XYPoi?yIF~gxv5{6d3af|dxT4wb9tqyd%1<HYetr<BbTn7LUD11
zZfc5=si~o*LbA7Mwnw>wnNf0nm}R+pR${43xu0V|v729zezKXRM?_I*WI>ptyS8OS
zo_l6Ul0`%$SDLm@pr^Y*l6i_>fO)ouMNvhCWm!p}g-f}4hDAt~Q)sYfMMXqdNV%Es
z#E;@(28O0#NuCwjCN4f<c?OQ&MrGxN=9TUqspfu}VOf6J-WIu`8KG`f+D@)q-lZk}
z?)iznf!YyyewjJh`Go;#o_S&6{=vEBZmIee0R>JzX<?53*{PG`7$w5J0=+$rO+tJ_
zweuZ|9Haa^EQ_2hgFK`36P^6BEX~5TebdvTT+`A#UDCPATs?hFjP)&24I-RN^!<HY
zeZBS5eY2{JwTr8Q(zASvgNm}<i}Uj=_46m6WfZS>b@y;e%gQdybd4wt@XRtOa!>Kk
zEGTl#jxf|VHc2rkbhHT1Ny#xwH8$b0NJ=lvG!83ti3~|HHY+GDOieT@sth)9&2n?f
z$anYmGtTn%GAODHFHYyu)zww-@bvU32`lvS@e9Z)){hJ_uGCJ>5Ax55sLZL<4zX}|
zbT$bKF7Yic^U-(YQtfayIBT!<+>X~YEUzPzQF;mM^Ire;g7z%g$1a&4Y@hwGpP^~h
t!I<?{e;->bEV=qt?^n5J^^&Z^KYjPK$=mHdpfX3<j3f9$%!H5!y8&aP&nf@_

delta 606
zcmdnVx|4N+PQAIIL1dYeOH^8<cU5j)l}EN^RiaZ`sJ^zLrKPL8hoyg}Z%J}^V3=1<
zGFOUoX|R5|u~TtSy0@W0Nui6Ad!m6?vVL%3RBn({x}Rr8vQvqErB6Ys1(&X!LUD11
zZfc5=si~o*LbA7Mwnw>wse74osZmBzplfNeL1a*No||u4R#b|6T9I>-Q(AdQPF}9Q
zac-ztW_h*=mvL2rbCF|Wl80|qReF(6mT#y>PDXiVX0VZ^Pp*@ZiFrwQvR7(`v1Mxh
z#E;@(PR=3T0U;K-=|;h>>6H;_kzSQ<;XzSp22~km0p%9X!Nsoru4RTLPOj-(+J!zv
zQU2wH+L6Zoo-QV#ndMF;c~Qm{rI}7i&V>PnIRP%ES$TQ+CfSqY7$w5JOA1{AeT^!O
z19P&%%Yt0;qkPi}3ViciN~4Uj3=J~O^74}k3p0$2oXfe=&CSz%T-^;#0-TKU&9%*n
zTq=vS9ZNk*vQ7LfoHBgFg9F3TT`DTvOv@*qWfZUX^!BVYPsvJ7sSHjtst71ZiEvCd
zv`mTeF^EX<O)K*@EvYguF!W3|2r}R*4$26qOpG)%$aT%AGS9UP3oURf^zu!$G$>BV
z49QNaG|Vf>^p7adbkFC~)zwvS&kM_`bj?gD&G&b6^vQ7d&JN0P^V80b4A6J?u=FWN
z%`*yf^{Nba(=Q6-YQJW|eeTEal??Bu#8hwNUu3Bm9CF@@C9uib<G7Al&<Bwev&n0g
uE)J=>r@yuMtd{dUxs&qqO&9)WGEVXryx#is-IbrQdJUg)mASq?YXJbYLer@L

diff --git a/secrets/wg-fox.age b/secrets/wg-fox.age
index 57079f3e..f7636022 100644
--- a/secrets/wg-fox.age
+++ b/secrets/wg-fox.age
@@ -1,14 +1,13 @@
 age-encryption.org/v1
--> ssh-ed25519 cDBabA heyW9/cxgwFX9IexQIXjAQDWGQPNcMXcArQp2Rxsqx4
-o9MQ7EH8PDDjsJdpH9F3Xq2zUoaDAJQlfFmYucSFs6Y
--> ssh-ed25519 cK5kHw Sza4pos7K3qW3omEeyidI/jszJNf9smemSZnUJfCIww
-D6vazXki7hIYraIuSiGPS+FPbkFUwHhHWDf52OhEIMg
--> ssh-ed25519 CAWG4Q YexIHueOIMmIN8JIDyNUOKBkyz/k18HqV3hTXh48KlM
-xh8UJzzWT6ByN+Dpn4JrMNsjGC/uc/v6LynwjBDz9NQ
--> ssh-ed25519 xA739A KySG3TXdqfCMUkVEDGa74B0op745s3XGYxFLyAXSQAc
-5EI/yb5ctW9Qu18bHm3/sK97kwGcKzzmWvPSCWm89XA
--> ssh-ed25519 MSF3dg MNxnNj0fHmri8ophexXPNjRUBUWrzcuk5S1mucxUMTE
-GVFWXtISEU8ZmlwL4nh4weAgfGrt2GHX0DTzbpS6zg8
---- UdrqkYG2ZApAuwdZeNhC50NP2rkD/Ol6y8nJa4RHx7Y
-·Ü»¸m(Éó”>æHýY87ª’G¸+*ÿô†²9V™.ÿ²ÿ‰›ÝpÎOo‰=+å“‡ÐP0±þ{â)¡‹÷Ö>®z3P^
-u
\ No newline at end of file
+-> ssh-ed25519 cDBabA So/Tqwdwd7G0PbE4RwH2qDrNcdqTkhFjF4IJrLKKpkM
+MEA5dzlUeFXm3pa+ndxrcE0ZWdO00Xf98+Q8U9LZ+cQ
+-> ssh-ed25519 cK5kHw sCHD/hHBOfMBUQXkLG3MBPNC4ebLOXW37OlF/C8FEjU
+4TFbKoy23Ic2vteXZ02fMrFxyb4NxyWaSo5I8dn48mI
+-> ssh-ed25519 CAWG4Q KYGPAXTx8H5cBC3YIBxi5B7OeF15C9rEIPFCcG0vEDw
+9LC2Zvp1Oiau1/hfPf+nJknl6BUSr+lzTn6TozZNxJg
+-> ssh-ed25519 xA739A hpvNBHPgYRtUx0HyUAdCW8s7QTmGyPXwzRHb8qYoeG0
+QkUZINY7Fr7HpyY6lbIMcP+hGO3oCmLL6N+yDN4weyk
+-> ssh-ed25519 MSF3dg P9TmEfXS+hyxsbVKja58UWAFpad0ZS3LhwrMkLnSNAY
+hiHuh7HhoYwHi2KFbCczXJoF3On9eqjD1Wsp9Q1NW/w
+--- SN3peoDvjXuD/Q4DdebQFam1CE22NyGZlMmnKyCTuX8
+s÷É´î&×³Ö¦ãïäæ}Å#In0&á¶{¼1ÿ.·Í0Ÿ˜òÃ›ÁBp7†5­—/Ð¬Ãª~T£Œ»3§ f³j‰µm
\ No newline at end of file
diff --git a/secrets/wg-raccoon.age b/secrets/wg-raccoon.age
index f32a2aa395b4fcaf3bdd9cf09e9164d3a85aad62..fc29bc7bfcb6153d9c7f721036b18a5a6e2e763f 100644
GIT binary patch
delta 607
zcmdnVx|4N+PJNhDNU*C>zC~J&UzTTNc4mQhX=q@oX=+lqv5Ap)R(M&iuWPb_ws&D}
zAeUiSMTL(?d3csvRDfZau~BZRUrC;GQe{SVMu=CiS5lH&M3j?TaDaJGD3`9CLUD11
zZfc5=si~o*LbA7Mwnw>wfkCoMO1`_FzjJA@cA{sQrCVW8ajw2^pnkbWMMXq#RiK4;
zWVU-$Xj*tOm#=YpcyXn7l&L{bl(}D)afMTnZ@GJDj#qe4kcqxqQg~ERx?4$ddTFui
z#E;_PQ6BF8WjWf}ZszH}d7eh0{@LY)g}GIhd9E(WK}8`Y9^u7>{#A~VIXTH(QI77x
z<)NiPj;=`_Ik^QD`I(`H6?u_S8R4E0`5s>G7M=$A1%CR4+94*B;~B-nv&wROJ+(74
zjZHkNk}C5;d<rT}ysBIcJdCnS!i-W2g9D7pi@iO<!re@`4BP?}Ez0~I-7_nasvJv#
zb4$aDqa1y_e7ysLjf@N}{ew)*d=gWAQZsxfpJf!UPtP>;i^$40&PhuN_w#qDa4jt`
zDlrR4^-guEGB$O#EH-dUsw~eeiZICMvP`US^~}xC&vr5|DlqUaEb}QTk8~_6w{Q*1
zNy`rL_OI{{t@3d+^fXB4($&>furzftEeQ;dsM1e1OD%E9i1ZH3iwv&vH&62_2&{7S
z3^qy$Gfy=3%1g@e<*I(tHg#Vc7gMs(q|c|rHr(F1IE{Z&;M$n@x1s7PNB7;!639;H
vU#%yY`$3q;*8JOSpSSrf(;|;deWmBQ`wEk6<06d^{}*{IXI?0-K0gNlxoXrd

delta 607
zcmdnVx|4N+PJLuzzIJJ*rE6eLN>zr7TS0JcP+noCMOu`ZSGaa)q-Sbqim7ErMw)AR
zAXh-DcUDkJj(%>ibGDIhP=<S|XFxz+o=a}9Q)yXQK!t&YOJY@?tD9MJK9{bYLUD11
zZfc5=si~o*LbA7Mwnw>wLAXbiyO*<9xJ$N0Wq?I;sasM;wsu}tR8*B`L0C??Uv5T@
zb3uA=VS!OPS4EX!d6HQ`Nm-DIQKqS@Z()Q_X{ljxl8LWVVWd}qn{k<OMxI5cXI7}m
z#E;_PLB^(TCBDw-?*2I`#U&LUWo9Xkruj*w8J79_c@_HFiSA}8#mUBo$>qLW7MY>0
z?#_kUNtWh89s&Md5pF3ymX?-LIocUTjwU8m;bkWN`C+-imXV>8;~B-n4GW8$42&`g
z%lus<lJp}Z(^Es8JRCzyBb`hA(({5U0+KSqJi-mqBb`mS!m`tHoy{u}OMNq(GxH*R
zio!$8Q@ym^ObgsRj4i?(1Iyeq19AeLd|b*WpJf!UFYxrLG}JdU%QcTM3iA&!FwRT!
zN(~8!3M~vOEB6cz&npWyb9N64atd|jaxSk7H1oIcE3XXC@veyU@bk@2&2UW5@eL^V
zEUL&22{+BN@DED#4)w|B($&>fh^WZ&HFqlvC^Pa%&d7)i%QZ6B_VLRs&GiT?GP3jx
z%5XLe^UlvRsw%GZ<a)rr(fxUkX3_VD#YQZ@*fiK?i%CA1WXoV@?k6iExn@J}lPw{<
uN$PiRD%kvqY71+~`}p&Ez|L@%)vpY;_gY`s(e!#_?~fwxl?9sYcIyF=lG5V<

-- 
2.51.2


From 374cd4ce480f4e1490b4a98c3d25347cf4d7c660 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
Date: Thu, 5 Mar 2026 16:12:38 +0100
Subject: [PATCH 5/9] Allow tent to reach ceph
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reviewed-by: Aleix BonÃ© <abonerib@bsc.es>
---
 m/bay/configuration.nix   | 2 +-
 m/lake2/configuration.nix | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/m/bay/configuration.nix b/m/bay/configuration.nix
index 7bdfe740..9bb353eb 100644
--- a/m/bay/configuration.nix
+++ b/m/bay/configuration.nix
@@ -35,7 +35,7 @@
         # Accept monitoring requests from hut
         iptables -A nixos-fw -p tcp -s hut -m multiport --dport 9283,9002 -j nixos-fw-accept
         # Accept all Ceph traffic from the local network
-        iptables -A nixos-fw -p tcp -s 10.0.40.0/24 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
+        iptables -A nixos-fw -p tcp -s 10.0.40.0/21 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
       '';
     };
   };
diff --git a/m/lake2/configuration.nix b/m/lake2/configuration.nix
index 477cf59c..338c2d40 100644
--- a/m/lake2/configuration.nix
+++ b/m/lake2/configuration.nix
@@ -57,7 +57,7 @@
         # Accept monitoring requests from hut
         iptables -A nixos-fw -p tcp -s hut --dport 9002 -j nixos-fw-accept
         # Accept all Ceph traffic from the local network
-        iptables -A nixos-fw -p tcp -s 10.0.40.0/24 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
+        iptables -A nixos-fw -p tcp -s 10.0.40.0/21 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
       '';
     };
   };
-- 
2.51.2


From 8197221146a7cc1eaad140c6455c21b3f0eadb06 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
Date: Thu, 5 Mar 2026 16:02:40 +0100
Subject: [PATCH 6/9] Mount /ceph in tent
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reviewed-by: Aleix BonÃ© <abonerib@bsc.es>
---
 m/tent/configuration.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/m/tent/configuration.nix b/m/tent/configuration.nix
index 2b7f3f42..15baf92c 100644
--- a/m/tent/configuration.nix
+++ b/m/tent/configuration.nix
@@ -17,6 +17,7 @@
     ../module/vpn-dac.nix
     ../module/hut-substituter.nix
     ../module/tc1-board.nix
+    ../module/ceph.nix
   ];
 
   # Select the this using the ID to avoid mismatches
-- 
2.51.2


From 32a576e870727329f73a5c04251e9b8a05c04885 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
Date: Thu, 5 Mar 2026 16:41:11 +0100
Subject: [PATCH 7/9] Copy Gitea backup in /ceph too
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reviewed-by: Aleix BonÃ© <abonerib@bsc.es>
---
 m/tent/gitea.nix | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/m/tent/gitea.nix b/m/tent/gitea.nix
index 56333a84..4f8a595e 100644
--- a/m/tent/gitea.nix
+++ b/m/tent/gitea.nix
@@ -1,4 +1,7 @@
 { config, lib, ... }:
+let
+  cfg = config.services.gitea;
+in
 {
   services.gitea = {
     enable = true;
@@ -34,7 +37,6 @@
   };
 
   systemd.services.gitea-backup = let
-    cfg = config.services.gitea;
     exe = lib.getExe cfg.package;
   in {
     description = "Gitea daily backup";
@@ -58,14 +60,21 @@
       name="gitea-dump-$(date +%a).${cfg.dump.type}"
       ${exe} dump --type ${cfg.dump.type} --file - >"$name.tmp"
       mv "$name.tmp" "$name"
+      cp "$name" "/ceph/backup/gitea/$name"
     '';
   };
 
+  # Create also the /ceph directories if needed
+  systemd.tmpfiles.rules = [
+    "d /ceph/backup/gitea/ 0750 ${cfg.user} ${cfg.group} - -"
+    "z /ceph/backup/gitea/ 0750 ${cfg.user} ${cfg.group} - -"
+  ];
+
   systemd.timers.gitea-backup = {
     description = "Update timer for gitea-backup";
     partOf = [ "gitea-backup.service" ];
     wantedBy = [ "timers.target" ];
-    timerConfig.OnCalendar = config.services.gitea.dump.interval;
+    timerConfig.OnCalendar = cfg.dump.interval;
   };
 
   # Allow gitea user to send mail
-- 
2.51.2


From d4c00679ee4707ebc66efc52eea8fc4b20e7616e Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
Date: Fri, 6 Mar 2026 12:19:33 +0100
Subject: [PATCH 8/9] Increase NFS subnet to allow tent
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reviewed-by: Aleix BonÃ© <abonerib@bsc.es>
---
 m/apex/nfs.nix | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/m/apex/nfs.nix b/m/apex/nfs.nix
index 8334d507..2497f252 100644
--- a/m/apex/nfs.nix
+++ b/m/apex/nfs.nix
@@ -7,7 +7,7 @@
     mountdPort = 4002;
     statdPort = 4000;
     exports = ''
-      /home 10.0.40.0/24(rw,async,no_subtree_check,no_root_squash)
+      /home 10.0.40.0/21(rw,async,no_subtree_check,no_root_squash)
       /home 10.106.0.0/24(rw,async,no_subtree_check,no_root_squash)
     '';
   };
@@ -15,19 +15,19 @@
     # Check with `rpcinfo -p`
     extraCommands = ''
       # Accept NFS traffic from compute nodes but not from the outside
-      iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 111   -j nixos-fw-accept
-      iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 2049  -j nixos-fw-accept
-      iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4000  -j nixos-fw-accept
-      iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4001  -j nixos-fw-accept
-      iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 4002  -j nixos-fw-accept
-      iptables -A nixos-fw -p tcp -s 10.0.40.0/24 --dport 20048 -j nixos-fw-accept
+      iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 111   -j nixos-fw-accept
+      iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 2049  -j nixos-fw-accept
+      iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 4000  -j nixos-fw-accept
+      iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 4001  -j nixos-fw-accept
+      iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 4002  -j nixos-fw-accept
+      iptables -A nixos-fw -p tcp -s 10.0.40.0/21 --dport 20048 -j nixos-fw-accept
       # Same but UDP
-      iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 111   -j nixos-fw-accept
-      iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 2049  -j nixos-fw-accept
-      iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4000  -j nixos-fw-accept
-      iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4001  -j nixos-fw-accept
-      iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 4002  -j nixos-fw-accept
-      iptables -A nixos-fw -p udp -s 10.0.40.0/24 --dport 20048 -j nixos-fw-accept
+      iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 111   -j nixos-fw-accept
+      iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 2049  -j nixos-fw-accept
+      iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 4000  -j nixos-fw-accept
+      iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 4001  -j nixos-fw-accept
+      iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 4002  -j nixos-fw-accept
+      iptables -A nixos-fw -p udp -s 10.0.40.0/21 --dport 20048 -j nixos-fw-accept
 
       # Accept NFS traffic from wg0
       iptables -A nixos-fw -p tcp -i wg0 -s 10.106.0.0/24 --dport 111   -j nixos-fw-accept
-- 
2.51.2


From 5c30975b8b966e964ce4e6c61b54acaf198a9dbf Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>
Date: Fri, 6 Mar 2026 12:15:09 +0100
Subject: [PATCH 9/9] Mount NFS home in tent at /nfs/home
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reviewed-by: Aleix BonÃ© <abonerib@bsc.es>
---
 m/tent/configuration.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/m/tent/configuration.nix b/m/tent/configuration.nix
index 15baf92c..c3e126a3 100644
--- a/m/tent/configuration.nix
+++ b/m/tent/configuration.nix
@@ -65,6 +65,13 @@
     fsType = "ext4";
   };
 
+  # Mount the NFS home
+  fileSystems."/nfs/home" = {
+    device = "10.106.0.30:/home";
+    fsType = "nfs";
+    options = [ "nfsvers=3" "rsize=1024" "wsize=1024" "cto" "nofail" ];
+  };
+
   # Make a /vault/$USER directory for each user.
   systemd.services.create-vault-dirs = let
     # Take only normal users in tent
-- 
2.51.2