From d0b284cbbcb843cd0b18ab38df40438b5db5b518 Mon Sep 17 00:00:00 2001
From: gabo
Date: Sat, 12 Oct 2024 17:14:48 +0200
Subject: [PATCH 01/17] Ajout VM Bitwarden

---
 hosts/vm/vaultwarden/default.nix | 15 ++++++
 .../vm/vaultwarden/hardware-configuration.nix | 32 +++++++++++
 hosts/vm/vaultwarden/networking.nix | 53 +++++++++++++++++++
 3 files changed, 100 insertions(+)
 create mode 100644 hosts/vm/vaultwarden/default.nix
 create mode 100644 hosts/vm/vaultwarden/hardware-configuration.nix
 create mode 100644 hosts/vm/vaultwarden/networking.nix

diff --git a/hosts/vm/vaultwarden/default.nix b/hosts/vm/vaultwarden/default.nix
new file mode 100644
index 0000000..1396d4b
--- /dev/null
+++ b/hosts/vm/vaultwarden/default.nix
@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./networking.nix
+
+ ../../../modules
+ ];
+
+ networking.hostName = "vaultwarden";
+ boot.loader.grub.devices = [ "/dev/sda" ];
+
+ system.stateVersion = "23.11";
+}
diff --git a/hosts/vm/vaultwarden/hardware-configuration.nix b/hosts/vm/vaultwarden/hardware-configuration.nix
new file mode 100644
index 0000000..dd003c8
--- /dev/null
+++ b/hosts/vm/vaultwarden/hardware-configuration.nix
@@ -0,0 +1,32 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/03214fba-5aad-4f5d-9e0c-da089dcb5d2b";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens19.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/hosts/vm/vaultwarden/networking.nix b/hosts/vm/vaultwarden/networking.nix
new file mode 100644
index 0000000..5e870b4
--- /dev/null
+++ b/hosts/vm/vaultwarden/networking.nix
@@ -0,0 +1,53 @@
+{ ... }:
+
+{
+ networking = {
+ interfaces = {
+ ens18 = {
+
+ ipv4 = {
+ addresses = [{
+ address = "172.16.10.159";
+ prefixLength = 24;
+ }];
+ };
+
+ ipv6 = {
+ addresses = [{
+ address = "fd00::10:0:ff:fe01:5910";
+ prefixLength = 64;
+ }];
+ };
+
+ };
+
+ ens19 = {
+
+ ipv4 = {
+ addresses = [{
+ address = "172.16.3.159";
+ prefixLength = 24;
+ }];
+ routes = [{
+ address = "0.0.0.0";
+ via = "172.16.3.99";
+ prefixLength = 0;
+ }];
+ };
+
+ ipv6 = {
+ addresses = [{
+ address = "2a0c:700:3::ff:fe01:5903";
+ prefixLength = 64;
+ }];
+ routes = [{
+ address = "::";
+ via = "2a0c:700:3::ff:fe00:9903";
+ prefixLength = 0;
+ }];
+ };
+
+ };
+ };
+ };
+}
From 7910f90380dade2b742d5863ddb4d7ea94a659ab Mon Sep 17 00:00:00 2001
From: gabo
Date: Sat, 12 Oct 2024 17:24:06 +0200
Subject: [PATCH 02/17] correction sur le flake

---
 flake.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/flake.nix b/flake.nix
index 7f747b2..e4d64c4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -71,7 +71,12 @@
 specialArgs = inputs;
 modules = [ ./hosts/vm/two ] ++ baseModules;
 };
+
+ vaultwarden = nixosSystem {
+ specialArgs = inputs;
+ modules = [ ./hosts/vm/vaultwarden ] ++ baseModules;
 };
+
 };
 };
 perSystem =
From 1019072dc6e01e2455865da399349cba9251256f Mon Sep 17 00:00:00 2001
From: pigeonmoelleux
Date: Sat, 12 Oct 2024 18:21:03 +0200
Subject: [PATCH 03/17] Ajout nouvel UUID

---
 hosts/vm/vaultwarden/hardware-configuration.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosts/vm/vaultwarden/hardware-configuration.nix b/hosts/vm/vaultwarden/hardware-configuration.nix
index dd003c8..f580b41 100644
--- a/hosts/vm/vaultwarden/hardware-configuration.nix
+++ b/hosts/vm/vaultwarden/hardware-configuration.nix
@@ -14,7 +14,7 @@
 boot.extraModulePackages = [ ];
 
 fileSystems."/" =
- { device = "/dev/disk/by-uuid/03214fba-5aad-4f5d-9e0c-da089dcb5d2b";
+ { device = "/dev/disk/by-uuid/4ded0657-a876-48d2-8fe0-9e1c0d3373f8";
 fsType = "ext4";
 };
 
From 3fa6f4a8ef3837c9d89bd2ac2a07668a9ea73d2a Mon Sep 17 00:00:00 2001
From: gabo
Date: Sun, 13 Oct 2024 19:49:40 +0200
Subject: [PATCH 04/17] changement disk et State version

---
 hosts/vm/vaultwarden/default.nix | 2 +-
 hosts/vm/vaultwarden/hardware-configuration.nix | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/hosts/vm/vaultwarden/default.nix b/hosts/vm/vaultwarden/default.nix
index 1396d4b..f2f2fd6 100644
--- a/hosts/vm/vaultwarden/default.nix
+++ b/hosts/vm/vaultwarden/default.nix
@@ -11,5 +11,5 @@
 networking.hostName = "vaultwarden";
 boot.loader.grub.devices = [ "/dev/sda" ];
 
- system.stateVersion = "23.11";
+ system.stateVersion = "24.05";
 }
diff --git a/hosts/vm/vaultwarden/hardware-configuration.nix b/hosts/vm/vaultwarden/hardware-configuration.nix
index f580b41..babe446 100644
--- a/hosts/vm/vaultwarden/hardware-configuration.nix
+++ b/hosts/vm/vaultwarden/hardware-configuration.nix
@@ -14,7 +14,7 @@
 boot.extraModulePackages = [ ];
 
 fileSystems."/" =
- { device = "/dev/disk/by-uuid/4ded0657-a876-48d2-8fe0-9e1c0d3373f8";
+ { device = "/dev/disk/by-uuid/e4e8f7c8-1673-464a-9688-468510d28b23";
 fsType = "ext4";
 };
 
From cf4d7dd1136438c1bc39eeb21fdc18bf7f53a972 Mon Sep 17 00:00:00 2001
From: gabo
Date: Sat, 23 Nov 2024 14:50:38 +0100
Subject: [PATCH 05/17] ajout hardware-configuration.nix

---
 hosts/vm/vaultwarden/hardware-configuration.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosts/vm/vaultwarden/hardware-configuration.nix b/hosts/vm/vaultwarden/hardware-configuration.nix
index babe446..9b113d6 100644
--- a/hosts/vm/vaultwarden/hardware-configuration.nix
+++ b/hosts/vm/vaultwarden/hardware-configuration.nix
@@ -14,7 +14,7 @@
 boot.extraModulePackages = [ ];
 
 fileSystems."/" =
- { device = "/dev/disk/by-uuid/e4e8f7c8-1673-464a-9688-468510d28b23";
+ { device = "/dev/disk/by-uuid/c97aeccd-b88a-407e-a08d-f821a3f34936";
 fsType = "ext4";
 };
 
From db2d2d3986099c832e9eebee49002481e144faab Mon Sep 17 00:00:00 2001
From: gabo
Date: Sat, 23 Nov 2024 15:29:51 +0100
Subject: [PATCH 06/17] ajout module vaultwarden

---
 modules/services/vaultwarden.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 modules/services/vaultwarden.nix

diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix
new file mode 100644
index 0000000..7df899d
--- /dev/null
+++ b/modules/services/vaultwarden.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+ backupDir = "/var/backup/vaultwarden";
+ environmentFile =
+ };
+}
+
From d360e5d769766a0faabfa60f88ddf33b83a20bc4 Mon Sep 17 00:00:00 2001
From: gabo
Date: Sat, 26 Apr 2025 18:19:44 +0200
Subject: [PATCH 07/17] configuration de minimale (pas du tout fini) avec rebase sur main pour les secrets

---
 modules/services/vaultwarden.nix | 11 -
 modules/services/vaultwarden/default.nix | 11 +
 modules/services/vaultwarden/env | 581 ++++++++++++++++++++++
 modules/services/vaultwarden/env.template | 581 ++++++++++++++++++++++
 4 files changed, 1173 insertions(+), 11 deletions(-)
 delete mode 100644 modules/services/vaultwarden.nix
 create mode 100644 modules/services/vaultwarden/default.nix
 create mode 100644 modules/services/vaultwarden/env
 create mode 100644 modules/services/vaultwarden/env.template

diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix
deleted file mode 100644
index 7df899d..0000000
--- a/modules/services/vaultwarden.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ ... }:
-
-{
- services.vaultwarden = {
- enable = true;
- dbBackend = "postgresql";
- backupDir = "/var/backup/vaultwarden";
- environmentFile =
- };
-}
-
diff --git a/modules/services/vaultwarden/default.nix b/modules/services/vaultwarden/default.nix
new file mode 100644
index 0000000..9adfcc9
--- /dev/null
+++ b/modules/services/vaultwarden/default.nix
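Review bot: `environmentFile =` on the new side of the PATCH 06 hunk has no right-hand side, so `modules/services/vaultwarden.nix` does not parse and any flake evaluation that imports `../../../modules` fails until a value is supplied. When it is filled in, the value should be a path to a file kept outside both the repository and the Nix store, since the service reads it at start and it is where ADMIN_TOKEN, SMTP_PASSWORD and database credentials end up. PATCH 07 later in this series deletes and replaces this file, so the fix belongs there rather than here.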
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+ backupDir = "/var/backup/vaultwarden";
+ environmentFile = "/etc/nixos/modules/services/vaultwarden/env"; #fichier de configuration de vaultwarden, peut être la seed pour la mettre ailleur
+ };
+}
+
diff --git a/modules/services/vaultwarden/env b/modules/services/vaultwarden/env
new file mode 100644
index 0000000..80eb475
--- /dev/null
+++ b/modules/services/vaultwarden/env
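Review bot: `environmentFile = "/etc/nixos/modules/services/vaultwarden/env"` points at a file this same commit adds to the repository (`modules/services/vaultwarden/env`, alongside `env.template`), so as soon as ADMIN_TOKEN, SMTP_PASSWORD or a DATABASE_URL carrying credentials are filled in they will be committed in clear text and exposed to everyone with read access to the repo and its history. Keep only `env.template` under version control, add `env` to `.gitignore`, and have the live file placed on the host with permissions restricted to the service user by whatever secrets tooling the "rebase sur main pour les secrets" in the subject refers to; because the module reads `environmentFile` at service start, the file does not need to be in the Nix store either. Separately, `dbBackend = "postgresql"` is set but nothing in this hunk sets DATABASE_URL or enables a PostgreSQL service — presumably that lives elsewhere, worth confirming before the host is deployed. The trailing French comment should be replaced by a precise English one, e.g. `# runtime env file with secrets: keep it out of git and out of the Nix store`.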
@@ -0,0 +1,581 @@ +# shellcheck disable=SC2034,SC2148 +## Vaultwarden Configuration File +## Uncomment any of the following lines to change the defaults +## +## Be aware that most of these settings will be overridden if they were changed +## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json . +## +## By default, Vaultwarden expects for this file to be named ".env" and located +## in the current working directory. If this is not the case, the environment +## variable ENV_FILE can be set to the location of this file prior to starting +## Vaultwarden. + +#################### +### Data folders ### +#################### + +## Main data folder +# DATA_FOLDER=data + +## Individual folders, these override %DATA_FOLDER% +# RSA_KEY_FILENAME=data/rsa_key +# ICON_CACHE_FOLDER=data/icon_cache +# ATTACHMENTS_FOLDER=data/attachments +# SENDS_FOLDER=data/sends +# TMP_FOLDER=data/tmp + +## Templates data folder, by default uses embedded templates +## Check source code to see the format +# TEMPLATES_FOLDER=data/templates +## Automatically reload the templates for every request, slow, use only for development +# RELOAD_TEMPLATES=false + +## Web vault settings +# WEB_VAULT_FOLDER=web-vault/ +# WEB_VAULT_ENABLED=true + +######################### +### Database settings ### +######################### + +## Database URL +## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3 +# DATABASE_URL=data/db.sqlite3 +## When using MySQL, specify an appropriate connection URI. +## Details: https://docs.diesel.rs/2.1.x/diesel/mysql/struct.MysqlConnection.html +# DATABASE_URL=mysql://user:password@host[:port]/database_name +## When using PostgreSQL, specify an appropriate connection URI (recommended) +## or keyword/value connection string. 
+## Details: +## - https://docs.diesel.rs/2.1.x/diesel/pg/struct.PgConnection.html +## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING +# DATABASE_URL=postgresql://user:password@host[:port]/database_name + +## Enable WAL for the DB +## Set to false to avoid enabling WAL during startup. +## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB, +## this setting only prevents Vaultwarden from automatically enabling it on start. +## Please read project wiki page about this setting first before changing the value as it can +## cause performance degradation or might render the service unable to start. +# ENABLE_DB_WAL=true + +## Database connection retries +## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely +# DB_CONNECTION_RETRIES=15 + +## Database timeout +## Timeout when acquiring database connection +# DATABASE_TIMEOUT=30 + +## Database max connections +## Define the size of the connection pool used for connecting to the database. +# DATABASE_MAX_CONNS=10 + +## Database connection initialization +## Allows SQL statements to be run whenever a new database connection is created. +## This is mainly useful for connection-scoped pragmas. 
+## If empty, a database-specific default is used: +## - SQLite: "PRAGMA busy_timeout = 5000; PRAGMA synchronous = NORMAL;" +## - MySQL: "" +## - PostgreSQL: "" +# DATABASE_CONN_INIT="" + +################# +### WebSocket ### +################# + +## Enable websocket notifications +# ENABLE_WEBSOCKET=true + +########################## +### Push notifications ### +########################## + +## Enables push notifications (requires key and id from https://bitwarden.com/host) +## Details about mobile client push notification: +## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification +# PUSH_ENABLED=false +# PUSH_INSTALLATION_ID=CHANGEME +# PUSH_INSTALLATION_KEY=CHANGEME + +# WARNING: Do not modify the following settings unless you fully understand their implications! +# Default Push Relay and Identity URIs +# PUSH_RELAY_URI=https://push.bitwarden.com +# PUSH_IDENTITY_URI=https://identity.bitwarden.com +# European Union Data Region Settings +# If you have selected "European Union" as your data region, use the following URIs instead. +# PUSH_RELAY_URI=https://api.bitwarden.eu +# PUSH_IDENTITY_URI=https://identity.bitwarden.eu + +##################### +### Schedule jobs ### +##################### + +## Job scheduler settings +## +## Job schedules use a cron-like syntax (as parsed by https://crates.io/crates/cron), +## and are always in terms of UTC time (regardless of your local time zone settings). +## +## The schedule format is a bit different from crontab as crontab does not contains seconds. +## You can test the the format here: https://crontab.guru, but remove the first digit! +## SEC MIN HOUR DAY OF MONTH MONTH DAY OF WEEK +## "0 30 9,12,15 1,15 May-Aug Mon,Wed,Fri" +## "0 30 * * * * " +## "0 30 1 * * * " +## +## How often (in ms) the job scheduler thread checks for jobs that need running. +## Set to 0 to globally disable scheduled jobs. 
+# JOB_POLL_INTERVAL_MS=30000 +## +## Cron schedule of the job that checks for Sends past their deletion date. +## Defaults to hourly (5 minutes after the hour). Set blank to disable this job. +# SEND_PURGE_SCHEDULE="0 5 * * * *" +## +## Cron schedule of the job that checks for trashed items to delete permanently. +## Defaults to daily (5 minutes after midnight). Set blank to disable this job. +# TRASH_PURGE_SCHEDULE="0 5 0 * * *" +## +## Cron schedule of the job that checks for incomplete 2FA logins. +## Defaults to once every minute. Set blank to disable this job. +# INCOMPLETE_2FA_SCHEDULE="30 * * * * *" +## +## Cron schedule of the job that sends expiration reminders to emergency access grantors. +## Defaults to hourly (3 minutes after the hour). Set blank to disable this job. +# EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE="0 3 * * * *" +## +## Cron schedule of the job that grants emergency access requests that have met the required wait time. +## Defaults to hourly (7 minutes after the hour). Set blank to disable this job. +# EMERGENCY_REQUEST_TIMEOUT_SCHEDULE="0 7 * * * *" +## +## Cron schedule of the job that cleans old events from the event table. +## Defaults to daily. Set blank to disable this job. Also without EVENTS_DAYS_RETAIN set, this job will not start. +# EVENT_CLEANUP_SCHEDULE="0 10 0 * * *" +## Number of days to retain events stored in the database. +## If unset (the default), events are kept indefinitely and the scheduled job is disabled! +# EVENTS_DAYS_RETAIN= +## +## Cron schedule of the job that cleans old auth requests from the auth request. +## Defaults to every minute. Set blank to disable this job. +# AUTH_REQUEST_PURGE_SCHEDULE="30 * * * * *" +## +## Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt. +## Defaults to every minute. Set blank to disable this job. 
+# DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *" + +######################## +### General settings ### +######################## + +## Domain settings +## The domain must match the address from where you access the server +## It's recommended to configure this value, otherwise certain functionality might not work, +## like attachment downloads, email links and U2F. +## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs +## To use HTTPS, the recommended way is to put Vaultwarden behind a reverse proxy +## Details: +## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS +## - https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples +## For development +# DOMAIN=http://localhost +## For public server +# DOMAIN=https://vw.domain.tld +## For public server (URL with port number) +# DOMAIN=https://vw.domain.tld:8443 +## For public server (URL with path) +# DOMAIN=https://domain.tld/vw + +## Controls whether users are allowed to create Bitwarden Sends. +## This setting applies globally to all users. +## To control this on a per-org basis instead, use the "Disable Send" org policy. +# SENDS_ALLOWED=true + +## HIBP Api Key +## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key +# HIBP_API_KEY= + +## Per-organization attachment storage limit (KB) +## Max kilobytes of attachment storage allowed per organization. +## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization. +# ORG_ATTACHMENT_LIMIT= +## Per-user attachment storage limit (KB) +## Max kilobytes of attachment storage allowed per user. +## When this limit is reached, the user will not be allowed to upload further attachments. +# USER_ATTACHMENT_LIMIT= +## Per-user send storage limit (KB) +## Max kilobytes of send storage allowed per user. +## When this limit is reached, the user will not be allowed to upload further sends. 
+# USER_SEND_LIMIT= + +## Number of days to wait before auto-deleting a trashed item. +## If unset (the default), trashed items are not auto-deleted. +## This setting applies globally, so make sure to inform all users of any changes to this setting. +# TRASH_AUTO_DELETE_DAYS= + +## Number of minutes to wait before a 2FA-enabled login is considered incomplete, +## resulting in an email notification. An incomplete 2FA login is one where the correct +## master password was provided but the required 2FA step was not completed, which +## potentially indicates a master password compromise. Set to 0 to disable this check. +## This setting applies globally to all users. +# INCOMPLETE_2FA_TIME_LIMIT=3 + +## Disable icon downloading +## Set to true to disable icon downloading in the internal icon service. +## This still serves existing icons from $ICON_CACHE_FOLDER, without generating any external +## network requests. $ICON_CACHE_TTL must also be set to 0; otherwise, the existing icons +## will be deleted eventually, but won't be downloaded again. +# DISABLE_ICON_DOWNLOAD=false + +## Controls if new users can register +# SIGNUPS_ALLOWED=true + +## Controls if new users need to verify their email address upon registration +## Note that setting this option to true prevents logins until the email address has been verified! +## The welcome email will include a verification link, and login attempts will periodically +## trigger another verification email to be sent. +# SIGNUPS_VERIFY=false + +## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time +## an email verification link has been sent another verification email will be sent +# SIGNUPS_VERIFY_RESEND_TIME=3600 + +## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification +## email will be re-sent upon an attempted login. 
+# SIGNUPS_VERIFY_RESEND_LIMIT=6 + +## Controls if new users from a list of comma-separated domains can register +## even if SIGNUPS_ALLOWED is set to false +# SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org + +## Controls whether event logging is enabled for organizations +## This setting applies to organizations. +## Disabled by default. Also check the EVENT_CLEANUP_SCHEDULE and EVENTS_DAYS_RETAIN settings. +# ORG_EVENTS_ENABLED=false + +## Controls which users can create new orgs. +## Blank or 'all' means all users can create orgs (this is the default): +# ORG_CREATION_USERS= +## 'none' means no users can create orgs: +# ORG_CREATION_USERS=none +## A comma-separated list means only those users can create orgs: +# ORG_CREATION_USERS=admin1@example.com,admin2@example.com + +## Invitations org admins to invite users, even when signups are disabled +# INVITATIONS_ALLOWED=true +## Name shown in the invitation emails that don't come from a specific organization +# INVITATION_ORG_NAME=Vaultwarden + +## The number of hours after which an organization invite token, emergency access invite token, +## email verification token and deletion request token will expire (must be at least 1) +# INVITATION_EXPIRATION_HOURS=120 + +## Controls whether users can enable emergency access to their accounts. +## This setting applies globally to all users. +# EMERGENCY_ACCESS_ALLOWED=true + +## Controls whether users can change their email. +## This setting applies globally to all users +# EMAIL_CHANGE_ALLOWED=true + +## Number of server-side passwords hashing iterations for the password hash. +## The default for new users. If changed, it will be updated during login for existing users. +# PASSWORD_ITERATIONS=600000 + +## Controls whether users can set or show password hints. This setting applies globally to all users. 
+# PASSWORD_HINTS_ALLOWED=true + +## Controls whether a password hint should be shown directly in the web page if +## SMTP service is not configured and password hints are allowed. +## Not recommended for publicly-accessible instances because this provides +## unauthenticated access to potentially sensitive data. +# SHOW_PASSWORD_HINT=false + +######################### +### Advanced settings ### +######################### + +## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP" +## Set to the string "none" (without quotes), to disable any headers and just use the remote IP +# IP_HEADER=X-Real-IP + +## Icon service +## The predefined icon services are: internal, bitwarden, duckduckgo, google. +## To specify a custom icon service, set a URL template with exactly one instance of `{}`, +## which is replaced with the domain. For example: `https://icon.example.com/domain/{}`. +## +## `internal` refers to Vaultwarden's built-in icon fetching implementation. +## If an external service is set, an icon request to Vaultwarden will return an HTTP +## redirect to the corresponding icon at the external service. An external service may +## be useful if your Vaultwarden instance has no external network connectivity, or if +## you are concerned that someone may probe your instance to try to detect whether icons +## for certain sites have been cached. +# ICON_SERVICE=internal + +## Icon redirect code +## The HTTP status code to use for redirects to an external icon service. +## The supported codes are 301 (legacy permanent), 302 (legacy temporary), 307 (temporary), and 308 (permanent). +## Temporary redirects are useful while testing different icon services, but once a service +## has been decided on, consider using permanent redirects for cacheability. The legacy codes +## are currently better supported by the Bitwarden clients. 
+# ICON_REDIRECT_CODE=302 + +## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever") +## Default: 2592000 (30 days) +# ICON_CACHE_TTL=2592000 +## Cache time-to-live for icons which weren't available, in seconds (0 is "forever") +## Default: 2592000 (3 days) +# ICON_CACHE_NEGTTL=259200 + +## Icon download timeout +## Configure the timeout value when downloading the favicons. +## The default is 10 seconds, but this could be to low on slower network connections +# ICON_DOWNLOAD_TIMEOUT=10 + +## Block HTTP domains/IPs by Regex +## Any domains or IPs that match this regex won't be fetched by the internal HTTP client. +## Useful to hide other servers in the local network. Check the WIKI for more details +## NOTE: Always enclose this regex withing single quotes! +# HTTP_REQUEST_BLOCK_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$' + +## Enabling this will cause the internal HTTP client to refuse to connect to any non global IP address. +## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block +# HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=true + +## Client Settings +## Enable experimental feature flags for clients. +## This is a comma-separated list of flags, e.g. "flag1,flag2,flag3". +## +## The following flags are available: +## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials. +## - "autofill-v2": Use the new autofill implementation. +## - "browser-fileless-import": Directly import credentials from other providers without a file. +## - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension) +## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor. +## - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension. 
+## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0) +## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0) +# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials + +## Require new device emails. When a user logs in an email is required to be sent. +## If sending the email fails the login attempt will fail!! +# REQUIRE_DEVICE_EMAIL=false + +## Enable extended logging, which shows timestamps and targets in the logs +# EXTENDED_LOGGING=true + +## Timestamp format used in extended logging. +## Format specifiers: https://docs.rs/chrono/latest/chrono/format/strftime +# LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f" + +## Logging to Syslog +## This requires extended logging +# USE_SYSLOG=false + +## Logging to file +# LOG_FILE=/path/to/log + +## Log level +## Change the verbosity of the log output +## Valid values are "trace", "debug", "info", "warn", "error" and "off" +## Setting it to "trace" or "debug" would also show logs for mounted routes and static file, websocket and alive requests +## For a specific module append a comma separated `path::to::module=log_level` +## For example, to only see debug logs for icons use: LOG_LEVEL="info,vaultwarden::api::icons=debug" +# LOG_LEVEL=info + +## Token for the admin interface, preferably an Argon2 PCH string +## Vaultwarden has a built-in generator by calling `vaultwarden hash` +## For details see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token +## If not set, the admin panel is disabled +## New Argon2 PHC string +## Note that for some environments, like docker-compose you need to escape all the dollar signs `$` with an extra dollar sign like `$$` +## Also, use single quotes (') instead of double quotes (") to enclose the string when needed +# ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$MmeKRnGK5RW5mJS7h3TOL89GrpLPXJPAtTK8FTqj9HM$DqsstvoSAETl9YhnsXbf43WeaUwJC6JhViIvuPoig78' +## Old plain text 
string (Will generate warnings in favor of Argon2) +# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp + +## Enable this to bypass the admin panel security. This option is only +## meant to be used with the use of a separate auth layer in front +# DISABLE_ADMIN_TOKEN=false + +## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in. +# ADMIN_RATELIMIT_SECONDS=300 +## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`. +# ADMIN_RATELIMIT_MAX_BURST=3 + +## Set the lifetime of admin sessions to this value (in minutes). +# ADMIN_SESSION_LIFETIME=20 + +## Allowed iframe ancestors (Know the risks!) +## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors +## Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets +## This adds the configured value to the 'Content-Security-Policy' headers 'frame-ancestors' value. +## Multiple values must be separated with a whitespace. +# ALLOWED_IFRAME_ANCESTORS= + +## Allowed connect-src (Know the risks!) +## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src +## Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature +## This adds the configured value to the 'Content-Security-Policy' headers 'connect-src' value. +## Multiple values must be separated with a whitespace. And only HTTPS values are allowed. +## Example: "https://my-addy-io.domain.tld https://my-simplelogin.domain.tld" +# ALLOWED_CONNECT_SRC="" + +## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in. +# LOGIN_RATELIMIT_SECONDS=60 +## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`. 
+## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2.
+# LOGIN_RATELIMIT_MAX_BURST=10
+
+## BETA FEATURE: Groups
+## Controls whether group support is enabled for organizations
+## This setting applies to organizations.
+## Disabled by default because this is a beta feature, it contains known issues!
+## KNOW WHAT YOU ARE DOING!
+# ORG_GROUPS_ENABLED=false
+
+## Increase secure note size limit (Know the risks!)
+## Sets the secure note size limit to 100_000 instead of the default 10_000.
+## WARNING: This could cause issues with clients. Also exports will not work on Bitwarden servers!
+## KNOW WHAT YOU ARE DOING!
+# INCREASE_NOTE_SIZE_LIMIT=false
+
+## Enforce Single Org with Reset Password Policy
+## Enforce that the Single Org policy is enabled before setting the Reset Password policy
+## Bitwarden enforces this by default. In Vaultwarden we encouraged to use multiple organizations because groups were not available.
+## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy.
+# ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false
+
+########################
+### MFA/2FA settings ###
+########################
+
+## Yubico (Yubikey) Settings
+## Set your Client ID and Secret Key for Yubikey OTP
+## You can generate it here: https://upgrade.yubico.com/getapikey/
+## You can optionally specify a custom OTP server
+# YUBICO_CLIENT_ID=11111
+# YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA
+# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
+
+## Duo Settings
+## You need to configure the DUO_IKEY, DUO_SKEY, and DUO_HOST options to enable global Duo support.
+## Otherwise users will need to configure it themselves.
+## Create an account and protect an application as mentioned in this link (only the first step, not the rest):
+## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account
+## Then set the following options, based on the values obtained from the last step:
+# DUO_IKEY=
+# DUO_SKEY=
+# DUO_HOST=
+## After that, you should be able to follow the rest of the guide linked above,
+## ignoring the fields that ask for the values that you already configured beforehand.
+##
+## If you want to attempt to use Duo's 'Traditional Prompt' (deprecated, iframe based) set DUO_USE_IFRAME to 'true'.
+## Duo no longer supports this, but it still works for some integrations.
+## If you aren't sure, leave this alone.
+# DUO_USE_IFRAME=false
+
+## Email 2FA settings
+## Email token size
+## Number of digits in an email 2FA token (min: 6, max: 255).
+## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting!
+# EMAIL_TOKEN_SIZE=6
+##
+## Token expiration time
+## Maximum time in seconds a token is valid. The time the user has to open email client and copy token.
+# EMAIL_EXPIRATION_TIME=600
+##
+## Maximum attempts before an email token is reset and a new email will need to be sent.
+# EMAIL_ATTEMPTS_LIMIT=3
+##
+## Setup email 2FA regardless of any organization policy
+# EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE=false
+## Automatically setup email 2FA as fallback provider when needed
+# EMAIL_2FA_AUTO_FALLBACK=false
+
+## Other MFA/2FA settings
+## Disable 2FA remember
+## Enabling this would force the users to use a second factor to login every time.
+## Note that the checkbox would still be present, but ignored.
+# DISABLE_2FA_REMEMBER=false
+##
+## Authenticator Settings
+## Disable authenticator time drifted codes to be valid.
+## TOTP codes of the previous and next 30 seconds will be invalid
+##
+## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
+## we allow by default the TOTP code which was valid one step back and one in the future.
+## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
+## You can disable this, so that only the current TOTP Code is allowed.
+## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
+## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
+# AUTHENTICATOR_DISABLE_TIME_DRIFT=false
+
+###########################
+### SMTP Email settings ###
+###########################
+
+## Mail specific settings, set SMTP_FROM and either SMTP_HOST or USE_SENDMAIL to enable the mail service.
+## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
+## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
+# SMTP_HOST=smtp.domain.tld
+# SMTP_FROM=vaultwarden@domain.tld
+# SMTP_FROM_NAME=Vaultwarden
+# SMTP_USERNAME=username
+# SMTP_PASSWORD=password
+# SMTP_TIMEOUT=15
+
+## Choose the type of secure connection for SMTP. The default is "starttls".
+## The available options are:
+## - "starttls": The default port is 587.
+## - "force_tls": The default port is 465.
+## - "off": The default port is 25.
+## Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 (submissions) is used for encrypted submission (Implicit TLS).
+# SMTP_SECURITY=starttls
+# SMTP_PORT=587
+
+# Whether to send mail via the `sendmail` command
+# USE_SENDMAIL=false
+# Which sendmail command to use. The one found in the $PATH is used if not specified.
+# SENDMAIL_COMMAND="/path/to/sendmail"
+
+## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections.
+## Possible values: ["Plain", "Login", "Xoauth2"].
+## Multiple options need to be separated by a comma ','.
+# SMTP_AUTH_MECHANISM=
+
+## Server name sent during the SMTP HELO
+## By default this value should be is on the machine's hostname,
+## but might need to be changed in case it trips some anti-spam filters
+# HELO_NAME=
+
+## Embed images as email attachments
+# SMTP_EMBED_IMAGES=true
+
+## SMTP debugging
+## When set to true this will output very detailed SMTP messages.
+## WARNING: This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting!
+# SMTP_DEBUG=false
+
+## Accept Invalid Certificates
+## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
+## Only use this as a last resort if you are not able to use a valid certificate.
+## If the Certificate is valid but the hostname doesn't match, please use SMTP_ACCEPT_INVALID_HOSTNAMES instead.
+# SMTP_ACCEPT_INVALID_CERTS=false
+
+## Accept Invalid Hostnames
+## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
+## Only use this as a last resort if you are not able to use a valid certificate.
+# SMTP_ACCEPT_INVALID_HOSTNAMES=false
+
+#######################
+### Rocket settings ###
+#######################
+
+## Rocket specific settings
+## See https://rocket.rs/v0.5/guide/configuration/ for more details.
+# ROCKET_ADDRESS=0.0.0.0
+## The default port is 8000, unless running in a Docker container, in which case it is 80.
+# ROCKET_PORT=8000
+# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
+
+
+# vim: syntax=ini
diff --git a/modules/services/vaultwarden/env.template b/modules/services/vaultwarden/env.template
new file mode 100644
index 0000000..80eb475
--- /dev/null
+++ b/modules/services/vaultwarden/env.template
@@ -0,0 +1,581 @@
+# shellcheck disable=SC2034,SC2148
+## Vaultwarden Configuration File
+## Uncomment any of the following lines to change the defaults
+##
+## Be aware that most of these settings will be overridden if they were changed
+## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json .
+##
+## By default, Vaultwarden expects for this file to be named ".env" and located
+## in the current working directory. If this is not the case, the environment
+## variable ENV_FILE can be set to the location of this file prior to starting
+## Vaultwarden.
+
+####################
+### Data folders ###
+####################
+
+## Main data folder
+# DATA_FOLDER=data
+
+## Individual folders, these override %DATA_FOLDER%
+# RSA_KEY_FILENAME=data/rsa_key
+# ICON_CACHE_FOLDER=data/icon_cache
+# ATTACHMENTS_FOLDER=data/attachments
+# SENDS_FOLDER=data/sends
+# TMP_FOLDER=data/tmp
+
+## Templates data folder, by default uses embedded templates
+## Check source code to see the format
+# TEMPLATES_FOLDER=data/templates
+## Automatically reload the templates for every request, slow, use only for development
+# RELOAD_TEMPLATES=false
+
+## Web vault settings
+# WEB_VAULT_FOLDER=web-vault/
+# WEB_VAULT_ENABLED=true
+
+#########################
+### Database settings ###
+#########################
+
+## Database URL
+## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3
+# DATABASE_URL=data/db.sqlite3
+## When using MySQL, specify an appropriate connection URI.
+## Details: https://docs.diesel.rs/2.1.x/diesel/mysql/struct.MysqlConnection.html
+# DATABASE_URL=mysql://user:password@host[:port]/database_name
+## When using PostgreSQL, specify an appropriate connection URI (recommended)
+## or keyword/value connection string.
+## Details:
+## - https://docs.diesel.rs/2.1.x/diesel/pg/struct.PgConnection.html
+## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
+# DATABASE_URL=postgresql://user:password@host[:port]/database_name
+
+## Enable WAL for the DB
+## Set to false to avoid enabling WAL during startup.
+## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB,
+## this setting only prevents Vaultwarden from automatically enabling it on start.
+## Please read project wiki page about this setting first before changing the value as it can
+## cause performance degradation or might render the service unable to start.
+# ENABLE_DB_WAL=true
+
+## Database connection retries
+## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely
+# DB_CONNECTION_RETRIES=15
+
+## Database timeout
+## Timeout when acquiring database connection
+# DATABASE_TIMEOUT=30
+
+## Database max connections
+## Define the size of the connection pool used for connecting to the database.
+# DATABASE_MAX_CONNS=10
+
+## Database connection initialization
+## Allows SQL statements to be run whenever a new database connection is created.
+## This is mainly useful for connection-scoped pragmas.
+## If empty, a database-specific default is used:
+## - SQLite: "PRAGMA busy_timeout = 5000; PRAGMA synchronous = NORMAL;"
+## - MySQL: ""
+## - PostgreSQL: ""
+# DATABASE_CONN_INIT=""
+
+#################
+### WebSocket ###
+#################
+
+## Enable websocket notifications
+# ENABLE_WEBSOCKET=true
+
+##########################
+### Push notifications ###
+##########################
+
+## Enables push notifications (requires key and id from https://bitwarden.com/host)
+## Details about mobile client push notification:
+## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification
+# PUSH_ENABLED=false
+# PUSH_INSTALLATION_ID=CHANGEME
+# PUSH_INSTALLATION_KEY=CHANGEME
+
+# WARNING: Do not modify the following settings unless you fully understand their implications!
+# Default Push Relay and Identity URIs
+# PUSH_RELAY_URI=https://push.bitwarden.com
+# PUSH_IDENTITY_URI=https://identity.bitwarden.com
+# European Union Data Region Settings
+# If you have selected "European Union" as your data region, use the following URIs instead.
+# PUSH_RELAY_URI=https://api.bitwarden.eu
+# PUSH_IDENTITY_URI=https://identity.bitwarden.eu
+
+#####################
+### Schedule jobs ###
+#####################
+
+## Job scheduler settings
+##
+## Job schedules use a cron-like syntax (as parsed by https://crates.io/crates/cron),
+## and are always in terms of UTC time (regardless of your local time zone settings).
+##
+## The schedule format is a bit different from crontab as crontab does not contains seconds.
+## You can test the the format here: https://crontab.guru, but remove the first digit!
+## SEC MIN HOUR DAY OF MONTH MONTH DAY OF WEEK
+## "0 30 9,12,15 1,15 May-Aug Mon,Wed,Fri"
+## "0 30 * * * * "
+## "0 30 1 * * * "
+##
+## How often (in ms) the job scheduler thread checks for jobs that need running.
+## Set to 0 to globally disable scheduled jobs.
+# JOB_POLL_INTERVAL_MS=30000
+##
+## Cron schedule of the job that checks for Sends past their deletion date.
+## Defaults to hourly (5 minutes after the hour). Set blank to disable this job.
+# SEND_PURGE_SCHEDULE="0 5 * * * *"
+##
+## Cron schedule of the job that checks for trashed items to delete permanently.
+## Defaults to daily (5 minutes after midnight). Set blank to disable this job.
+# TRASH_PURGE_SCHEDULE="0 5 0 * * *"
+##
+## Cron schedule of the job that checks for incomplete 2FA logins.
+## Defaults to once every minute. Set blank to disable this job.
+# INCOMPLETE_2FA_SCHEDULE="30 * * * * *"
+##
+## Cron schedule of the job that sends expiration reminders to emergency access grantors.
+## Defaults to hourly (3 minutes after the hour). Set blank to disable this job.
+# EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE="0 3 * * * *"
+##
+## Cron schedule of the job that grants emergency access requests that have met the required wait time.
+## Defaults to hourly (7 minutes after the hour). Set blank to disable this job.
+# EMERGENCY_REQUEST_TIMEOUT_SCHEDULE="0 7 * * * *"
+##
+## Cron schedule of the job that cleans old events from the event table.
+## Defaults to daily. Set blank to disable this job. Also without EVENTS_DAYS_RETAIN set, this job will not start.
+# EVENT_CLEANUP_SCHEDULE="0 10 0 * * *"
+## Number of days to retain events stored in the database.
+## If unset (the default), events are kept indefinitely and the scheduled job is disabled!
+# EVENTS_DAYS_RETAIN=
+##
+## Cron schedule of the job that cleans old auth requests from the auth request.
+## Defaults to every minute. Set blank to disable this job.
+# AUTH_REQUEST_PURGE_SCHEDULE="30 * * * * *"
+##
+## Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt.
+## Defaults to every minute. Set blank to disable this job.
+# DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *"
+
+########################
+### General settings ###
+########################
+
+## Domain settings
+## The domain must match the address from where you access the server
+## It's recommended to configure this value, otherwise certain functionality might not work,
+## like attachment downloads, email links and U2F.
+## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
+## To use HTTPS, the recommended way is to put Vaultwarden behind a reverse proxy
+## Details:
+## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS
+## - https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
+## For development
+# DOMAIN=http://localhost
+## For public server
+# DOMAIN=https://vw.domain.tld
+## For public server (URL with port number)
+# DOMAIN=https://vw.domain.tld:8443
+## For public server (URL with path)
+# DOMAIN=https://domain.tld/vw
+
+## Controls whether users are allowed to create Bitwarden Sends.
+## This setting applies globally to all users.
+## To control this on a per-org basis instead, use the "Disable Send" org policy.
+# SENDS_ALLOWED=true
+
+## HIBP Api Key
+## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key
+# HIBP_API_KEY=
+
+## Per-organization attachment storage limit (KB)
+## Max kilobytes of attachment storage allowed per organization.
+## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization.
+# ORG_ATTACHMENT_LIMIT=
+## Per-user attachment storage limit (KB)
+## Max kilobytes of attachment storage allowed per user.
+## When this limit is reached, the user will not be allowed to upload further attachments.
+# USER_ATTACHMENT_LIMIT=
+## Per-user send storage limit (KB)
+## Max kilobytes of send storage allowed per user.
+## When this limit is reached, the user will not be allowed to upload further sends.
+# USER_SEND_LIMIT=
+
+## Number of days to wait before auto-deleting a trashed item.
+## If unset (the default), trashed items are not auto-deleted.
+## This setting applies globally, so make sure to inform all users of any changes to this setting.
+# TRASH_AUTO_DELETE_DAYS=
+
+## Number of minutes to wait before a 2FA-enabled login is considered incomplete,
+## resulting in an email notification. An incomplete 2FA login is one where the correct
+## master password was provided but the required 2FA step was not completed, which
+## potentially indicates a master password compromise. Set to 0 to disable this check.
+## This setting applies globally to all users.
+# INCOMPLETE_2FA_TIME_LIMIT=3
+
+## Disable icon downloading
+## Set to true to disable icon downloading in the internal icon service.
+## This still serves existing icons from $ICON_CACHE_FOLDER, without generating any external
+## network requests. $ICON_CACHE_TTL must also be set to 0; otherwise, the existing icons
+## will be deleted eventually, but won't be downloaded again.
+# DISABLE_ICON_DOWNLOAD=false
+
+## Controls if new users can register
+# SIGNUPS_ALLOWED=true
+
+## Controls if new users need to verify their email address upon registration
+## Note that setting this option to true prevents logins until the email address has been verified!
+## The welcome email will include a verification link, and login attempts will periodically
+## trigger another verification email to be sent.
+# SIGNUPS_VERIFY=false
+
+## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time
+## an email verification link has been sent another verification email will be sent
+# SIGNUPS_VERIFY_RESEND_TIME=3600
+
+## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification
+## email will be re-sent upon an attempted login.
+# SIGNUPS_VERIFY_RESEND_LIMIT=6
+
+## Controls if new users from a list of comma-separated domains can register
+## even if SIGNUPS_ALLOWED is set to false
+# SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org
+
+## Controls whether event logging is enabled for organizations
+## This setting applies to organizations.
+## Disabled by default. Also check the EVENT_CLEANUP_SCHEDULE and EVENTS_DAYS_RETAIN settings.
+# ORG_EVENTS_ENABLED=false
+
+## Controls which users can create new orgs.
+## Blank or 'all' means all users can create orgs (this is the default):
+# ORG_CREATION_USERS=
+## 'none' means no users can create orgs:
+# ORG_CREATION_USERS=none
+## A comma-separated list means only those users can create orgs:
+# ORG_CREATION_USERS=admin1@example.com,admin2@example.com
+
+## Invitations org admins to invite users, even when signups are disabled
+# INVITATIONS_ALLOWED=true
+## Name shown in the invitation emails that don't come from a specific organization
+# INVITATION_ORG_NAME=Vaultwarden
+
+## The number of hours after which an organization invite token, emergency access invite token,
+## email verification token and deletion request token will expire (must be at least 1)
+# INVITATION_EXPIRATION_HOURS=120
+
+## Controls whether users can enable emergency access to their accounts.
+## This setting applies globally to all users.
+# EMERGENCY_ACCESS_ALLOWED=true
+
+## Controls whether users can change their email.
+## This setting applies globally to all users
+# EMAIL_CHANGE_ALLOWED=true
+
+## Number of server-side passwords hashing iterations for the password hash.
+## The default for new users. If changed, it will be updated during login for existing users.
+# PASSWORD_ITERATIONS=600000
+
+## Controls whether users can set or show password hints. This setting applies globally to all users.
+# PASSWORD_HINTS_ALLOWED=true
+
+## Controls whether a password hint should be shown directly in the web page if
+## SMTP service is not configured and password hints are allowed.
+## Not recommended for publicly-accessible instances because this provides
+## unauthenticated access to potentially sensitive data.
+# SHOW_PASSWORD_HINT=false
+
+#########################
+### Advanced settings ###
+#########################
+
+## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP"
+## Set to the string "none" (without quotes), to disable any headers and just use the remote IP
+# IP_HEADER=X-Real-IP
+
+## Icon service
+## The predefined icon services are: internal, bitwarden, duckduckgo, google.
+## To specify a custom icon service, set a URL template with exactly one instance of `{}`,
+## which is replaced with the domain. For example: `https://icon.example.com/domain/{}`.
+##
+## `internal` refers to Vaultwarden's built-in icon fetching implementation.
+## If an external service is set, an icon request to Vaultwarden will return an HTTP
+## redirect to the corresponding icon at the external service. An external service may
+## be useful if your Vaultwarden instance has no external network connectivity, or if
+## you are concerned that someone may probe your instance to try to detect whether icons
+## for certain sites have been cached.
+# ICON_SERVICE=internal
+
+## Icon redirect code
+## The HTTP status code to use for redirects to an external icon service.
+## The supported codes are 301 (legacy permanent), 302 (legacy temporary), 307 (temporary), and 308 (permanent).
+## Temporary redirects are useful while testing different icon services, but once a service
+## has been decided on, consider using permanent redirects for cacheability. The legacy codes
+## are currently better supported by the Bitwarden clients.
+# ICON_REDIRECT_CODE=302
+
+## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever")
+## Default: 2592000 (30 days)
+# ICON_CACHE_TTL=2592000
+## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
+## Default: 2592000 (3 days)
+# ICON_CACHE_NEGTTL=259200
+
+## Icon download timeout
+## Configure the timeout value when downloading the favicons.
+## The default is 10 seconds, but this could be to low on slower network connections
+# ICON_DOWNLOAD_TIMEOUT=10
+
+## Block HTTP domains/IPs by Regex
+## Any domains or IPs that match this regex won't be fetched by the internal HTTP client.
+## Useful to hide other servers in the local network. Check the WIKI for more details
+## NOTE: Always enclose this regex withing single quotes!
+# HTTP_REQUEST_BLOCK_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'
+
+## Enabling this will cause the internal HTTP client to refuse to connect to any non global IP address.
+## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
+# HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=true
+
+## Client Settings
+## Enable experimental feature flags for clients.
+## This is a comma-separated list of flags, e.g. "flag1,flag2,flag3".
+##
+## The following flags are available:
+## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
+## - "autofill-v2": Use the new autofill implementation.
+## - "browser-fileless-import": Directly import credentials from other providers without a file.
+## - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
+## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
+## - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
+## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
+## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
+# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials
+
+## Require new device emails. When a user logs in an email is required to be sent.
+## If sending the email fails the login attempt will fail!!
+# REQUIRE_DEVICE_EMAIL=false
+
+## Enable extended logging, which shows timestamps and targets in the logs
+# EXTENDED_LOGGING=true
+
+## Timestamp format used in extended logging.
+## Format specifiers: https://docs.rs/chrono/latest/chrono/format/strftime
+# LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f"
+
+## Logging to Syslog
+## This requires extended logging
+# USE_SYSLOG=false
+
+## Logging to file
+# LOG_FILE=/path/to/log
+
+## Log level
+## Change the verbosity of the log output
+## Valid values are "trace", "debug", "info", "warn", "error" and "off"
+## Setting it to "trace" or "debug" would also show logs for mounted routes and static file, websocket and alive requests
+## For a specific module append a comma separated `path::to::module=log_level`
+## For example, to only see debug logs for icons use: LOG_LEVEL="info,vaultwarden::api::icons=debug"
+# LOG_LEVEL=info
+
+## Token for the admin interface, preferably an Argon2 PCH string
+## Vaultwarden has a built-in generator by calling `vaultwarden hash`
+## For details see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
+## If not set, the admin panel is disabled
+## New Argon2 PHC string
+## Note that for some environments, like docker-compose you need to escape all the dollar signs `$` with an extra dollar sign like `$$`
+## Also, use single quotes (') instead of double quotes (") to enclose the string when needed
+# ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$MmeKRnGK5RW5mJS7h3TOL89GrpLPXJPAtTK8FTqj9HM$DqsstvoSAETl9YhnsXbf43WeaUwJC6JhViIvuPoig78'
+## Old plain text string (Will generate warnings in favor of Argon2)
+# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
+
+## Enable this to bypass the admin panel security. This option is only
+## meant to be used with the use of a separate auth layer in front
+# DISABLE_ADMIN_TOKEN=false
+
+## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in.
+# ADMIN_RATELIMIT_SECONDS=300
+## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`.
+# ADMIN_RATELIMIT_MAX_BURST=3
+
+## Set the lifetime of admin sessions to this value (in minutes).
+# ADMIN_SESSION_LIFETIME=20
+
+## Allowed iframe ancestors (Know the risks!)
+## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
+## Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
+## This adds the configured value to the 'Content-Security-Policy' headers 'frame-ancestors' value.
+## Multiple values must be separated with a whitespace.
+# ALLOWED_IFRAME_ANCESTORS=
+
+## Allowed connect-src (Know the risks!)
+## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
+## Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature
+## This adds the configured value to the 'Content-Security-Policy' headers 'connect-src' value.
+## Multiple values must be separated with a whitespace. And only HTTPS values are allowed.
+## Example: "https://my-addy-io.domain.tld https://my-simplelogin.domain.tld"
+# ALLOWED_CONNECT_SRC=""
+
+## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in.
+# LOGIN_RATELIMIT_SECONDS=60
+## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`.
+## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2.
+# LOGIN_RATELIMIT_MAX_BURST=10
+
+## BETA FEATURE: Groups
+## Controls whether group support is enabled for organizations
+## This setting applies to organizations.
+## Disabled by default because this is a beta feature, it contains known issues!
+## KNOW WHAT YOU ARE DOING!
+# ORG_GROUPS_ENABLED=false
+
+## Increase secure note size limit (Know the risks!)
+## Sets the secure note size limit to 100_000 instead of the default 10_000.
+## WARNING: This could cause issues with clients. Also exports will not work on Bitwarden servers!
+## KNOW WHAT YOU ARE DOING!
+# INCREASE_NOTE_SIZE_LIMIT=false
+
+## Enforce Single Org with Reset Password Policy
+## Enforce that the Single Org policy is enabled before setting the Reset Password policy
+## Bitwarden enforces this by default. In Vaultwarden we encouraged to use multiple organizations because groups were not available.
+## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy.
+# ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false
+
+########################
+### MFA/2FA settings ###
+########################
+
+## Yubico (Yubikey) Settings
+## Set your Client ID and Secret Key for Yubikey OTP
+## You can generate it here: https://upgrade.yubico.com/getapikey/
+## You can optionally specify a custom OTP server
+# YUBICO_CLIENT_ID=11111
+# YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA
+# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
+
+## Duo Settings
+## You need to configure the DUO_IKEY, DUO_SKEY, and DUO_HOST options to enable global Duo support.
+## Otherwise users will need to configure it themselves.
+## Create an account and protect an application as mentioned in this link (only the first step, not the rest):
+## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account
+## Then set the following options, based on the values obtained from the last step:
+# DUO_IKEY=
+# DUO_SKEY=
+# DUO_HOST=
+## After that, you should be able to follow the rest of the guide linked above,
+## ignoring the fields that ask for the values that you already configured beforehand.
+##
+## If you want to attempt to use Duo's 'Traditional Prompt' (deprecated, iframe based) set DUO_USE_IFRAME to 'true'.
+## Duo no longer supports this, but it still works for some integrations.
+## If you aren't sure, leave this alone.
+# DUO_USE_IFRAME=false
+
+## Email 2FA settings
+## Email token size
+## Number of digits in an email 2FA token (min: 6, max: 255).
+## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting!
+# EMAIL_TOKEN_SIZE=6
+##
+## Token expiration time
+## Maximum time in seconds a token is valid. The time the user has to open email client and copy token.
+# EMAIL_EXPIRATION_TIME=600
+##
+## Maximum attempts before an email token is reset and a new email will need to be sent.
+# EMAIL_ATTEMPTS_LIMIT=3
+##
+## Setup email 2FA regardless of any organization policy
+# EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE=false
+## Automatically setup email 2FA as fallback provider when needed
+# EMAIL_2FA_AUTO_FALLBACK=false
+
+## Other MFA/2FA settings
+## Disable 2FA remember
+## Enabling this would force the users to use a second factor to login every time.
+## Note that the checkbox would still be present, but ignored.
+# DISABLE_2FA_REMEMBER=false
+##
+## Authenticator Settings
+## Disable authenticator time drifted codes to be valid.
+## TOTP codes of the previous and next 30 seconds will be invalid
+##
+## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
+## we allow by default the TOTP code which was valid one step back and one in the future.
+## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
+## You can disable this, so that only the current TOTP Code is allowed.
+## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
+## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
+# AUTHENTICATOR_DISABLE_TIME_DRIFT=false
+
+###########################
+### SMTP Email settings ###
+###########################
+
+## Mail specific settings, set SMTP_FROM and either SMTP_HOST or USE_SENDMAIL to enable the mail service.
+## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
+## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
+# SMTP_HOST=smtp.domain.tld
+# SMTP_FROM=vaultwarden@domain.tld
+# SMTP_FROM_NAME=Vaultwarden
+# SMTP_USERNAME=username
+# SMTP_PASSWORD=password
+# SMTP_TIMEOUT=15
+
+## Choose the type of secure connection for SMTP. The default is "starttls".
+## The available options are:
+## - "starttls": The default port is 587.
+## - "force_tls": The default port is 465.
+## - "off": The default port is 25.
+## Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 (submissions) is used for encrypted submission (Implicit TLS).
+# SMTP_SECURITY=starttls
+# SMTP_PORT=587
+
+# Whether to send mail via the `sendmail` command
+# USE_SENDMAIL=false
+# Which sendmail command to use. The one found in the $PATH is used if not specified.
+# SENDMAIL_COMMAND="/path/to/sendmail"
+
+## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections.
+## Possible values: ["Plain", "Login", "Xoauth2"].
+## Multiple options need to be separated by a comma ','.
+# SMTP_AUTH_MECHANISM=
+
+## Server name sent during the SMTP HELO
+## By default this value should be is on the machine's hostname,
+## but might need to be changed in case it trips some anti-spam filters
+# HELO_NAME=
+
+## Embed images as email attachments
+# SMTP_EMBED_IMAGES=true
+
+## SMTP debugging
+## When set to true this will output very detailed SMTP messages.
+## WARNING: This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting!
+# SMTP_DEBUG=false
+
+## Accept Invalid Certificates
+## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
+## Only use this as a last resort if you are not able to use a valid certificate.
+## If the Certificate is valid but the hostname doesn't match, please use SMTP_ACCEPT_INVALID_HOSTNAMES instead.
+# SMTP_ACCEPT_INVALID_CERTS=false
+
+## Accept Invalid Hostnames
+## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
+## Only use this as a last resort if you are not able to use a valid certificate.
+# SMTP_ACCEPT_INVALID_HOSTNAMES=false
+
+#######################
+### Rocket settings ###
+#######################
+
+## Rocket specific settings
+## See https://rocket.rs/v0.5/guide/configuration/ for more details.
+# ROCKET_ADDRESS=0.0.0.0
+## The default port is 8000, unless running in a Docker container, in which case it is 80.
+# ROCKET_PORT=8000
+# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
+
+
+# vim: syntax=ini
From 391308692923c76c6a98f94707801c1604b2ddaa Mon Sep 17 00:00:00 2001
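Review bot: The `ICON_CACHE_NEGTTL` comment in the Advanced settings section reads `## Default: 2592000 (3 days)` while the value line under it is `259200`, so the documented default is off by a factor of ten and should read `## Default: 259200 (3 days)`. The file appears to be a verbatim copy of Vaultwarden's upstream `.env.template` (this typo is presumably inherited), yet nothing records which upstream version it was taken from; a header line such as `## Mirrors upstream .env.template as of <upstream version or commit>` would make later drift checkable. Since every setting is commented out, the template configures nothing by itself, so the values that matter for a hosted instance (`ADMIN_TOKEN`, `SIGNUPS_ALLOWED`, the `SMTP_*` credentials) still have to come from an env file that is not committed in clear.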
From: korenstin
Date: Sun, 25 May 2025 18:54:40 +0200
Subject: [PATCH 08/17] configuration backup et secret

---
 hosts/vm/vaultwarden/default.nix | 1 +
 .../default.nix => vaultwarden.nix} | 0
 modules/services/vaultwarden/env.template | 581 ------------------
 secrets.nix | 7 +-
 secrets/common/root.age | Bin 1451 -> 1561 bytes
 secrets/restic/vaultwarden/base-password.age | Bin 0 -> 1125 bytes
 secrets/restic/vaultwarden/base-repo.age | Bin 0 -> 983 bytes
 {modules/services => secrets}/vaultwarden/env | 0
 secrets/vaultwarden/env.age | Bin 0 -> 27762 bytes
 9 files changed, 7 insertions(+), 582 deletions(-)
 rename modules/services/{vaultwarden/default.nix => vaultwarden.nix} (100%)
 delete mode 100644 modules/services/vaultwarden/env.template
 create mode 100644 secrets/restic/vaultwarden/base-password.age
 create mode 100644 secrets/restic/vaultwarden/base-repo.age
 rename {modules/services => secrets}/vaultwarden/env (100%)
 create mode 100644 secrets/vaultwarden/env.age

diff --git a/hosts/vm/vaultwarden/default.nix b/hosts/vm/vaultwarden/default.nix
index f2f2fd6..18e2c6e 100644
--- a/hosts/vm/vaultwarden/default.nix
+++ b/hosts/vm/vaultwarden/default.nix
@@ -6,6 +6,7 @@
 ./networking.nix
 
 ../../../modules
+ ../../../modules/services/vaultwarden.nix
 ];
 
 networking.hostName = "vaultwarden";
diff --git a/modules/services/vaultwarden/default.nix b/modules/services/vaultwarden.nix
similarity index 100%
rename from modules/services/vaultwarden/default.nix
rename to modules/services/vaultwarden.nix
diff --git a/modules/services/vaultwarden/env.template b/modules/services/vaultwarden/env.template
deleted file mode 100644
index 80eb475..0000000
--- a/modules/services/vaultwarden/env.template
+++ /dev/null
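Review bot: The diffstat of this commit renames the plaintext `modules/services/vaultwarden/env` to `secrets/vaultwarden/env` at 100% similarity in the same change that creates `secrets/vaultwarden/env.age`, so a cleartext copy of what `env.age` presumably encrypts stays tracked in the repository after this commit. If that file holds real values (the template this commit deletes lists `ADMIN_TOKEN`, `SMTP_PASSWORD`, `YUBICO_SECRET_KEY` and similar), it should be removed from the tree rather than moved, listed in `.gitignore`, and the credentials in it rotated, since they have already been in history. The one-line `imports` addition in `hosts/vm/vaultwarden/default.nix` looks fine on its own; note that `../../../modules` is imported on the line above, so if `modules/default.nix` already pulls in `services/vaultwarden.nix` the explicit entry is redundant, which the module system should tolerate but is worth confirming.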
@@ -1,581 +0,0 @@ -# shellcheck disable=SC2034,SC2148 -## Vaultwarden Configuration File -## Uncomment any of the following lines to change the defaults -## -## Be aware that most of these settings will be overridden if they were changed -## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json . -## -## By default, Vaultwarden expects for this file to be named ".env" and located -## in the current working directory. If this is not the case, the environment -## variable ENV_FILE can be set to the location of this file prior to starting -## Vaultwarden. - -#################### -### Data folders ### -#################### - -## Main data folder -# DATA_FOLDER=data - -## Individual folders, these override %DATA_FOLDER% -# RSA_KEY_FILENAME=data/rsa_key -# ICON_CACHE_FOLDER=data/icon_cache -# ATTACHMENTS_FOLDER=data/attachments -# SENDS_FOLDER=data/sends -# TMP_FOLDER=data/tmp - -## Templates data folder, by default uses embedded templates -## Check source code to see the format -# TEMPLATES_FOLDER=data/templates -## Automatically reload the templates for every request, slow, use only for development -# RELOAD_TEMPLATES=false - -## Web vault settings -# WEB_VAULT_FOLDER=web-vault/ -# WEB_VAULT_ENABLED=true - -######################### -### Database settings ### -######################### - -## Database URL -## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3 -# DATABASE_URL=data/db.sqlite3 -## When using MySQL, specify an appropriate connection URI. -## Details: https://docs.diesel.rs/2.1.x/diesel/mysql/struct.MysqlConnection.html -# DATABASE_URL=mysql://user:password@host[:port]/database_name -## When using PostgreSQL, specify an appropriate connection URI (recommended) -## or keyword/value connection string. 
-## Details: -## - https://docs.diesel.rs/2.1.x/diesel/pg/struct.PgConnection.html -## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING -# DATABASE_URL=postgresql://user:password@host[:port]/database_name - -## Enable WAL for the DB -## Set to false to avoid enabling WAL during startup. -## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB, -## this setting only prevents Vaultwarden from automatically enabling it on start. -## Please read project wiki page about this setting first before changing the value as it can -## cause performance degradation or might render the service unable to start. -# ENABLE_DB_WAL=true - -## Database connection retries -## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely -# DB_CONNECTION_RETRIES=15 - -## Database timeout -## Timeout when acquiring database connection -# DATABASE_TIMEOUT=30 - -## Database max connections -## Define the size of the connection pool used for connecting to the database. -# DATABASE_MAX_CONNS=10 - -## Database connection initialization -## Allows SQL statements to be run whenever a new database connection is created. -## This is mainly useful for connection-scoped pragmas. 
-## If empty, a database-specific default is used: -## - SQLite: "PRAGMA busy_timeout = 5000; PRAGMA synchronous = NORMAL;" -## - MySQL: "" -## - PostgreSQL: "" -# DATABASE_CONN_INIT="" - -################# -### WebSocket ### -################# - -## Enable websocket notifications -# ENABLE_WEBSOCKET=true - -########################## -### Push notifications ### -########################## - -## Enables push notifications (requires key and id from https://bitwarden.com/host) -## Details about mobile client push notification: -## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification -# PUSH_ENABLED=false -# PUSH_INSTALLATION_ID=CHANGEME -# PUSH_INSTALLATION_KEY=CHANGEME - -# WARNING: Do not modify the following settings unless you fully understand their implications! -# Default Push Relay and Identity URIs -# PUSH_RELAY_URI=https://push.bitwarden.com -# PUSH_IDENTITY_URI=https://identity.bitwarden.com -# European Union Data Region Settings -# If you have selected "European Union" as your data region, use the following URIs instead. -# PUSH_RELAY_URI=https://api.bitwarden.eu -# PUSH_IDENTITY_URI=https://identity.bitwarden.eu - -##################### -### Schedule jobs ### -##################### - -## Job scheduler settings -## -## Job schedules use a cron-like syntax (as parsed by https://crates.io/crates/cron), -## and are always in terms of UTC time (regardless of your local time zone settings). -## -## The schedule format is a bit different from crontab as crontab does not contains seconds. -## You can test the the format here: https://crontab.guru, but remove the first digit! -## SEC MIN HOUR DAY OF MONTH MONTH DAY OF WEEK -## "0 30 9,12,15 1,15 May-Aug Mon,Wed,Fri" -## "0 30 * * * * " -## "0 30 1 * * * " -## -## How often (in ms) the job scheduler thread checks for jobs that need running. -## Set to 0 to globally disable scheduled jobs. 
-# JOB_POLL_INTERVAL_MS=30000 -## -## Cron schedule of the job that checks for Sends past their deletion date. -## Defaults to hourly (5 minutes after the hour). Set blank to disable this job. -# SEND_PURGE_SCHEDULE="0 5 * * * *" -## -## Cron schedule of the job that checks for trashed items to delete permanently. -## Defaults to daily (5 minutes after midnight). Set blank to disable this job. -# TRASH_PURGE_SCHEDULE="0 5 0 * * *" -## -## Cron schedule of the job that checks for incomplete 2FA logins. -## Defaults to once every minute. Set blank to disable this job. -# INCOMPLETE_2FA_SCHEDULE="30 * * * * *" -## -## Cron schedule of the job that sends expiration reminders to emergency access grantors. -## Defaults to hourly (3 minutes after the hour). Set blank to disable this job. -# EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE="0 3 * * * *" -## -## Cron schedule of the job that grants emergency access requests that have met the required wait time. -## Defaults to hourly (7 minutes after the hour). Set blank to disable this job. -# EMERGENCY_REQUEST_TIMEOUT_SCHEDULE="0 7 * * * *" -## -## Cron schedule of the job that cleans old events from the event table. -## Defaults to daily. Set blank to disable this job. Also without EVENTS_DAYS_RETAIN set, this job will not start. -# EVENT_CLEANUP_SCHEDULE="0 10 0 * * *" -## Number of days to retain events stored in the database. -## If unset (the default), events are kept indefinitely and the scheduled job is disabled! -# EVENTS_DAYS_RETAIN= -## -## Cron schedule of the job that cleans old auth requests from the auth request. -## Defaults to every minute. Set blank to disable this job. -# AUTH_REQUEST_PURGE_SCHEDULE="30 * * * * *" -## -## Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt. -## Defaults to every minute. Set blank to disable this job. 
-# DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *" - -######################## -### General settings ### -######################## - -## Domain settings -## The domain must match the address from where you access the server -## It's recommended to configure this value, otherwise certain functionality might not work, -## like attachment downloads, email links and U2F. -## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs -## To use HTTPS, the recommended way is to put Vaultwarden behind a reverse proxy -## Details: -## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS -## - https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples -## For development -# DOMAIN=http://localhost -## For public server -# DOMAIN=https://vw.domain.tld -## For public server (URL with port number) -# DOMAIN=https://vw.domain.tld:8443 -## For public server (URL with path) -# DOMAIN=https://domain.tld/vw - -## Controls whether users are allowed to create Bitwarden Sends. -## This setting applies globally to all users. -## To control this on a per-org basis instead, use the "Disable Send" org policy. -# SENDS_ALLOWED=true - -## HIBP Api Key -## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key -# HIBP_API_KEY= - -## Per-organization attachment storage limit (KB) -## Max kilobytes of attachment storage allowed per organization. -## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization. -# ORG_ATTACHMENT_LIMIT= -## Per-user attachment storage limit (KB) -## Max kilobytes of attachment storage allowed per user. -## When this limit is reached, the user will not be allowed to upload further attachments. -# USER_ATTACHMENT_LIMIT= -## Per-user send storage limit (KB) -## Max kilobytes of send storage allowed per user. -## When this limit is reached, the user will not be allowed to upload further sends. 
-# USER_SEND_LIMIT= - -## Number of days to wait before auto-deleting a trashed item. -## If unset (the default), trashed items are not auto-deleted. -## This setting applies globally, so make sure to inform all users of any changes to this setting. -# TRASH_AUTO_DELETE_DAYS= - -## Number of minutes to wait before a 2FA-enabled login is considered incomplete, -## resulting in an email notification. An incomplete 2FA login is one where the correct -## master password was provided but the required 2FA step was not completed, which -## potentially indicates a master password compromise. Set to 0 to disable this check. -## This setting applies globally to all users. -# INCOMPLETE_2FA_TIME_LIMIT=3 - -## Disable icon downloading -## Set to true to disable icon downloading in the internal icon service. -## This still serves existing icons from $ICON_CACHE_FOLDER, without generating any external -## network requests. $ICON_CACHE_TTL must also be set to 0; otherwise, the existing icons -## will be deleted eventually, but won't be downloaded again. -# DISABLE_ICON_DOWNLOAD=false - -## Controls if new users can register -# SIGNUPS_ALLOWED=true - -## Controls if new users need to verify their email address upon registration -## Note that setting this option to true prevents logins until the email address has been verified! -## The welcome email will include a verification link, and login attempts will periodically -## trigger another verification email to be sent. -# SIGNUPS_VERIFY=false - -## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time -## an email verification link has been sent another verification email will be sent -# SIGNUPS_VERIFY_RESEND_TIME=3600 - -## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification -## email will be re-sent upon an attempted login. 
-# SIGNUPS_VERIFY_RESEND_LIMIT=6 - -## Controls if new users from a list of comma-separated domains can register -## even if SIGNUPS_ALLOWED is set to false -# SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org - -## Controls whether event logging is enabled for organizations -## This setting applies to organizations. -## Disabled by default. Also check the EVENT_CLEANUP_SCHEDULE and EVENTS_DAYS_RETAIN settings. -# ORG_EVENTS_ENABLED=false - -## Controls which users can create new orgs. -## Blank or 'all' means all users can create orgs (this is the default): -# ORG_CREATION_USERS= -## 'none' means no users can create orgs: -# ORG_CREATION_USERS=none -## A comma-separated list means only those users can create orgs: -# ORG_CREATION_USERS=admin1@example.com,admin2@example.com - -## Invitations org admins to invite users, even when signups are disabled -# INVITATIONS_ALLOWED=true -## Name shown in the invitation emails that don't come from a specific organization -# INVITATION_ORG_NAME=Vaultwarden - -## The number of hours after which an organization invite token, emergency access invite token, -## email verification token and deletion request token will expire (must be at least 1) -# INVITATION_EXPIRATION_HOURS=120 - -## Controls whether users can enable emergency access to their accounts. -## This setting applies globally to all users. -# EMERGENCY_ACCESS_ALLOWED=true - -## Controls whether users can change their email. -## This setting applies globally to all users -# EMAIL_CHANGE_ALLOWED=true - -## Number of server-side passwords hashing iterations for the password hash. -## The default for new users. If changed, it will be updated during login for existing users. -# PASSWORD_ITERATIONS=600000 - -## Controls whether users can set or show password hints. This setting applies globally to all users. 
-# PASSWORD_HINTS_ALLOWED=true - -## Controls whether a password hint should be shown directly in the web page if -## SMTP service is not configured and password hints are allowed. -## Not recommended for publicly-accessible instances because this provides -## unauthenticated access to potentially sensitive data. -# SHOW_PASSWORD_HINT=false - -######################### -### Advanced settings ### -######################### - -## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP" -## Set to the string "none" (without quotes), to disable any headers and just use the remote IP -# IP_HEADER=X-Real-IP - -## Icon service -## The predefined icon services are: internal, bitwarden, duckduckgo, google. -## To specify a custom icon service, set a URL template with exactly one instance of `{}`, -## which is replaced with the domain. For example: `https://icon.example.com/domain/{}`. -## -## `internal` refers to Vaultwarden's built-in icon fetching implementation. -## If an external service is set, an icon request to Vaultwarden will return an HTTP -## redirect to the corresponding icon at the external service. An external service may -## be useful if your Vaultwarden instance has no external network connectivity, or if -## you are concerned that someone may probe your instance to try to detect whether icons -## for certain sites have been cached. -# ICON_SERVICE=internal - -## Icon redirect code -## The HTTP status code to use for redirects to an external icon service. -## The supported codes are 301 (legacy permanent), 302 (legacy temporary), 307 (temporary), and 308 (permanent). -## Temporary redirects are useful while testing different icon services, but once a service -## has been decided on, consider using permanent redirects for cacheability. The legacy codes -## are currently better supported by the Bitwarden clients. 
-# ICON_REDIRECT_CODE=302 - -## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever") -## Default: 2592000 (30 days) -# ICON_CACHE_TTL=2592000 -## Cache time-to-live for icons which weren't available, in seconds (0 is "forever") -## Default: 2592000 (3 days) -# ICON_CACHE_NEGTTL=259200 - -## Icon download timeout -## Configure the timeout value when downloading the favicons. -## The default is 10 seconds, but this could be to low on slower network connections -# ICON_DOWNLOAD_TIMEOUT=10 - -## Block HTTP domains/IPs by Regex -## Any domains or IPs that match this regex won't be fetched by the internal HTTP client. -## Useful to hide other servers in the local network. Check the WIKI for more details -## NOTE: Always enclose this regex withing single quotes! -# HTTP_REQUEST_BLOCK_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$' - -## Enabling this will cause the internal HTTP client to refuse to connect to any non global IP address. -## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block -# HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=true - -## Client Settings -## Enable experimental feature flags for clients. -## This is a comma-separated list of flags, e.g. "flag1,flag2,flag3". -## -## The following flags are available: -## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials. -## - "autofill-v2": Use the new autofill implementation. -## - "browser-fileless-import": Directly import credentials from other providers without a file. -## - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension) -## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor. -## - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension. 
-## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0) -## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0) -# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials - -## Require new device emails. When a user logs in an email is required to be sent. -## If sending the email fails the login attempt will fail!! -# REQUIRE_DEVICE_EMAIL=false - -## Enable extended logging, which shows timestamps and targets in the logs -# EXTENDED_LOGGING=true - -## Timestamp format used in extended logging. -## Format specifiers: https://docs.rs/chrono/latest/chrono/format/strftime -# LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f" - -## Logging to Syslog -## This requires extended logging -# USE_SYSLOG=false - -## Logging to file -# LOG_FILE=/path/to/log - -## Log level -## Change the verbosity of the log output -## Valid values are "trace", "debug", "info", "warn", "error" and "off" -## Setting it to "trace" or "debug" would also show logs for mounted routes and static file, websocket and alive requests -## For a specific module append a comma separated `path::to::module=log_level` -## For example, to only see debug logs for icons use: LOG_LEVEL="info,vaultwarden::api::icons=debug" -# LOG_LEVEL=info - -## Token for the admin interface, preferably an Argon2 PCH string -## Vaultwarden has a built-in generator by calling `vaultwarden hash` -## For details see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token -## If not set, the admin panel is disabled -## New Argon2 PHC string -## Note that for some environments, like docker-compose you need to escape all the dollar signs `$` with an extra dollar sign like `$$` -## Also, use single quotes (') instead of double quotes (") to enclose the string when needed -# ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$MmeKRnGK5RW5mJS7h3TOL89GrpLPXJPAtTK8FTqj9HM$DqsstvoSAETl9YhnsXbf43WeaUwJC6JhViIvuPoig78' -## Old plain text 
string (Will generate warnings in favor of Argon2) -# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp - -## Enable this to bypass the admin panel security. This option is only -## meant to be used with the use of a separate auth layer in front -# DISABLE_ADMIN_TOKEN=false - -## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in. -# ADMIN_RATELIMIT_SECONDS=300 -## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`. -# ADMIN_RATELIMIT_MAX_BURST=3 - -## Set the lifetime of admin sessions to this value (in minutes). -# ADMIN_SESSION_LIFETIME=20 - -## Allowed iframe ancestors (Know the risks!) -## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors -## Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets -## This adds the configured value to the 'Content-Security-Policy' headers 'frame-ancestors' value. -## Multiple values must be separated with a whitespace. -# ALLOWED_IFRAME_ANCESTORS= - -## Allowed connect-src (Know the risks!) -## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src -## Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature -## This adds the configured value to the 'Content-Security-Policy' headers 'connect-src' value. -## Multiple values must be separated with a whitespace. And only HTTPS values are allowed. -## Example: "https://my-addy-io.domain.tld https://my-simplelogin.domain.tld" -# ALLOWED_CONNECT_SRC="" - -## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in. -# LOGIN_RATELIMIT_SECONDS=60 -## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`. 
-## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2. -# LOGIN_RATELIMIT_MAX_BURST=10 - -## BETA FEATURE: Groups -## Controls whether group support is enabled for organizations -## This setting applies to organizations. -## Disabled by default because this is a beta feature, it contains known issues! -## KNOW WHAT YOU ARE DOING! -# ORG_GROUPS_ENABLED=false - -## Increase secure note size limit (Know the risks!) -## Sets the secure note size limit to 100_000 instead of the default 10_000. -## WARNING: This could cause issues with clients. Also exports will not work on Bitwarden servers! -## KNOW WHAT YOU ARE DOING! -# INCREASE_NOTE_SIZE_LIMIT=false - -## Enforce Single Org with Reset Password Policy -## Enforce that the Single Org policy is enabled before setting the Reset Password policy -## Bitwarden enforces this by default. In Vaultwarden we encouraged to use multiple organizations because groups were not available. -## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy. -# ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false - -######################## -### MFA/2FA settings ### -######################## - -## Yubico (Yubikey) Settings -## Set your Client ID and Secret Key for Yubikey OTP -## You can generate it here: https://upgrade.yubico.com/getapikey/ -## You can optionally specify a custom OTP server -# YUBICO_CLIENT_ID=11111 -# YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA -# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify - -## Duo Settings -## You need to configure the DUO_IKEY, DUO_SKEY, and DUO_HOST options to enable global Duo support. -## Otherwise users will need to configure it themselves. 
-## Create an account and protect an application as mentioned in this link (only the first step, not the rest): -## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account -## Then set the following options, based on the values obtained from the last step: -# DUO_IKEY= -# DUO_SKEY= -# DUO_HOST= -## After that, you should be able to follow the rest of the guide linked above, -## ignoring the fields that ask for the values that you already configured beforehand. -## -## If you want to attempt to use Duo's 'Traditional Prompt' (deprecated, iframe based) set DUO_USE_IFRAME to 'true'. -## Duo no longer supports this, but it still works for some integrations. -## If you aren't sure, leave this alone. -# DUO_USE_IFRAME=false - -## Email 2FA settings -## Email token size -## Number of digits in an email 2FA token (min: 6, max: 255). -## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting! -# EMAIL_TOKEN_SIZE=6 -## -## Token expiration time -## Maximum time in seconds a token is valid. The time the user has to open email client and copy token. -# EMAIL_EXPIRATION_TIME=600 -## -## Maximum attempts before an email token is reset and a new email will need to be sent. -# EMAIL_ATTEMPTS_LIMIT=3 -## -## Setup email 2FA regardless of any organization policy -# EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE=false -## Automatically setup email 2FA as fallback provider when needed -# EMAIL_2FA_AUTO_FALLBACK=false - -## Other MFA/2FA settings -## Disable 2FA remember -## Enabling this would force the users to use a second factor to login every time. -## Note that the checkbox would still be present, but ignored. -# DISABLE_2FA_REMEMBER=false -## -## Authenticator Settings -## Disable authenticator time drifted codes to be valid. 
-## TOTP codes of the previous and next 30 seconds will be invalid -## -## According to the RFC6238 (https://tools.ietf.org/html/rfc6238), -## we allow by default the TOTP code which was valid one step back and one in the future. -## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes. -## You can disable this, so that only the current TOTP Code is allowed. -## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid. -## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid. -# AUTHENTICATOR_DISABLE_TIME_DRIFT=false - -########################### -### SMTP Email settings ### -########################### - -## Mail specific settings, set SMTP_FROM and either SMTP_HOST or USE_SENDMAIL to enable the mail service. -## To make sure the email links are pointing to the correct host, set the DOMAIN variable. -## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory -# SMTP_HOST=smtp.domain.tld -# SMTP_FROM=vaultwarden@domain.tld -# SMTP_FROM_NAME=Vaultwarden -# SMTP_USERNAME=username -# SMTP_PASSWORD=password -# SMTP_TIMEOUT=15 - -## Choose the type of secure connection for SMTP. The default is "starttls". -## The available options are: -## - "starttls": The default port is 587. -## - "force_tls": The default port is 465. -## - "off": The default port is 25. -## Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 (submissions) is used for encrypted submission (Implicit TLS). -# SMTP_SECURITY=starttls -# SMTP_PORT=587 - -# Whether to send mail via the `sendmail` command -# USE_SENDMAIL=false -# Which sendmail command to use. The one found in the $PATH is used if not specified. -# SENDMAIL_COMMAND="/path/to/sendmail" - -## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections. -## Possible values: ["Plain", "Login", "Xoauth2"]. 
-## Multiple options need to be separated by a comma ','. -# SMTP_AUTH_MECHANISM= - -## Server name sent during the SMTP HELO -## By default this value should be is on the machine's hostname, -## but might need to be changed in case it trips some anti-spam filters -# HELO_NAME= - -## Embed images as email attachments -# SMTP_EMBED_IMAGES=true - -## SMTP debugging -## When set to true this will output very detailed SMTP messages. -## WARNING: This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting! -# SMTP_DEBUG=false - -## Accept Invalid Certificates -## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks! -## Only use this as a last resort if you are not able to use a valid certificate. -## If the Certificate is valid but the hostname doesn't match, please use SMTP_ACCEPT_INVALID_HOSTNAMES instead. -# SMTP_ACCEPT_INVALID_CERTS=false - -## Accept Invalid Hostnames -## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks! -## Only use this as a last resort if you are not able to use a valid certificate. -# SMTP_ACCEPT_INVALID_HOSTNAMES=false - -####################### -### Rocket settings ### -####################### - -## Rocket specific settings -## See https://rocket.rs/v0.5/guide/configuration/ for more details. -# ROCKET_ADDRESS=0.0.0.0 -## The default port is 8000, unless running in a Docker container, in which case it is 80. -# ROCKET_PORT=8000 -# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"} - - -# vim: syntax=ini diff --git a/secrets.nix b/secrets.nix index b14e26f..d8face9 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -27,6 +27,7 @@ let redite = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwfVmR3NjZf6qkDlTSiyo39Up5nSNUVW7jYDWXrY8Xr root@redite"; thot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKNg1b8ft1L55+joXQ/7Dt2QTOdkea8opTEnq4xrhPU root@thot"; two = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpaGf8A+XWXBdNrs69RiC0qPbjPHdtkl31OjxrktmF6 root@nixos"; + vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICn6vfDlsZVU6TEWg9vTgq9+Fp3irHjytBTky7A4ErRM root@vaultwarden"; hosts = { inherit @@ -38,6 +39,7 @@ let redite thot two + vaultwarden ; }; @@ -50,6 +52,7 @@ let "redite" "thot" "two" + "vaultwarden" ]; # Groupes @@ -62,6 +65,7 @@ let neo thot two + vaultwarden ]; acme = [ @@ -105,11 +109,12 @@ in ) ) { } (remove "thot" hostnames) // builtins.mapAttrs (name: value: { publicKeys = value.publicKeys ++ nounous; }) { - "secrets/common/root.age".publicKeys = remove apprentix all; "secrets/apprentix/root.age".publicKeys = [ apprentix ]; + "secrets/common/root.age".publicKeys = remove apprentix all; "secrets/neo/appservice_irc_db_env.age".publicKeys = [ neo ]; "secrets/neo/coturn_auth_secret.age".publicKeys = [ neo ]; "secrets/neo/database_extra_config.age".publicKeys = [ neo ]; "secrets/neo/note_oidc_extra_config.age".publicKeys = [ neo ]; "secrets/neo/ldap_synapse_password.age".publicKeys = [ neo ]; + "secrets/vaultwarden/env.age".publicKeys = [ vaultwarden ]; } 
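Review bot: The `@@ -62,6 +65,7 @@` hunk adds `vaultwarden` to a host group whose name sits outside the hunk, and from `remove apprentix all` a few lines below it looks like every host in `hosts` receives `secrets/common/root.age`; confirm that the machine holding the password vault should also be able to decrypt the shared root secret, since a compromise of the Vaultwarden VM would then expose a fleet-wide credential rather than only its own `secrets/vaultwarden/env.age`. If that sharing is not needed, exclude it the same way `apprentix` is excluded: `"secrets/common/root.age".publicKeys = remove apprentix (remove vaultwarden all);`. The swap of the `secrets/common/root.age` and `secrets/apprentix/root.age` lines in the last hunk is a pure reorder and is worth calling out as such in the commit message so it is not mistaken for a change of recipients.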
diff --git a/secrets/common/root.age b/secrets/common/root.age index b518bc750cd0ca041c0b3701590c467a3bb9e9d9..3978639cf685de44e33345934fc5f03cd874b0f4 100644 GIT binary patch literal 1561 zcmZY9sqf?j6bEqDtQd=76GU+&&5s__YYe2O;;NPcJUuzK)}~T}1xPAaVFJ$9L=I}vWo#a{)wuPLT-K1n*pTaOH(mYP*-s~g zO;4uUu0&+kQdK0YL6Dwa9w41jvub#(<<^CaX`qCCE=$SVBot~C9VXpWGi4FaP14aC zZ@P_zD42FS3uw7{qF+_bs7gUN@wdI_LY*F+6A!~)YQkF^XRT!RKI z4^c9y)w+`OM-sdsi?DV2rgSMtLi6ib;afy8O6gLkn*#Mh7)H?jC^q`_FwJ176prf9 zi|F7)z#n(oon*PuKJt$>NNCr12CRvo4&h!%@3A=FbnT|VC(>kyXdL0yhHs*O()M;& z-0$zyB)nC;I%K3eh3aWJZ^lJF9M(i#@j;_j~gX1U4wyfQZdP3p)bXA0#=Z8sj~t>yOI^_tOAm`297w%+8{ z=F>xq;sg-SY_y#L`rf$Ng){T!WDFi_8T;vqts%c2*nQ8OYDCRw zy|Mm(*%HcM76ZU(=xRdCbhNoT@-FbARD{e@0~NNOkgqAX7L$8LJ2a0rl9c4PesI_T zyoQXG@~1Uc*D|b5@VOwmDGYVCoq9_U-rA4@l$&u1n3OCrU(MBSMCV3@HczMx#OYc&MJ63yUfI5*lb1RY-(m540zF%QMezgL*`PCH$+gg zlQ08K{rWkzXV+tki%Nl^WtAkeR)x~Lxw)$T@mQXrIM6Vf+LVOh^Jp<71~Td* zbw^je^jQ|t@#My-bPoL45L-DH*I%A>(R5_W_*b$)_@^`H~i zM5(G+j5hrYN?n!iOl_KbMLw-(f+8J}pedU%-RU2ECzXUo{n)>|t6)+EMYQ z1(|wLHZ84(=&gv-&{x>a5#z=#?{;Dr2#79w%2>(-Uyo&fL|962 zY-~(0`_>{>@LYrBZcP`!VBJ32mqG*Q5qKU0FS{t=Q#~Cc>*99-J6YQKz~H! zCNtqK=wy+!v?^EPYQm`_$jRFH$HTQ#$&QuioT;8`2CFIv3vl$&xIK6~UfR`c$unZs zx>re;dL||Fl;OM};@-pKTQ1lTa2VII;8w5Y9rE zKi6)lSuGBL8l|K}Y!zyvoju0B=9JmU+c480Wp~m7s+sc+JPO_w-aOjJ+I2%AuA`m;?LH;T{j}Hi9oz(~MYR>L?ap=az@&4)+!^3Bj4zS0R;|g3(RYDqBaV8Lh39sO>NohN-?0( z|16R>pxu*IfnlKEePW%aT)mHL0Mb*S&tt`ht`0xA(Jw-YRHeBYH@Dg_UBpdEQWN?V zp<>-NWCgXC#)mHDocO(S&XEpV;WzG4MaAU)G{p%|bAcTNPN4Lmcjv2OIFCHYC{dC3 z+yD}>iC=@7?V!5m;xV$r3XR1@yF##ygND(e0mB3j%pWUoIVe5;d}kU|x@iu? 
zrQ7xCY`T88W?Dq{b0`+4rSlpYHH(&4SUT&lg>|pN<~GuSK3sCJW+dqf>nR2fkboz< zi_h3|Fq-h;cHU{|3cis|whB*P0GuaCo63+_94&>K3%2hg7|H`)mD6UwA~BSMWkhHR z7jMkiKPRMt-aqyJx}$;J=ksrW zewlLmC!hZH(PzR}yKlZI*YVfiU%z$vBqf0D$ogq@hJj8a!-6;>ZKXP)O~>M-pwV>e!BJ$BCW8iDRHBhaD$z?D$BW zcoNdYxpreh9Mi@aoshWtKp%=2FxaX|eF2HFqf7`y2SaFk=n$Y)+eAxwq<_Ir-&d~7 zL0PX_gO1ZM^dZBl1HF(hIO4Z$H7M7@2oj3<^Jbr8UBBJ*SUyBX70W^62$5`w1%`)- zw8m8P{bXM?9hblpNL+<%A5*go%5Dot0klL&BI@;Kf`PjY-1a=htY|`|DoU~xGdjk9 zTBp$qcESkimtDLHxqhsvfvLR5VXRxIqcUT|Q96y+w7B7bP^N2yB)%!+TCu2=uzjV3 z9*CDpm|aVj8iWMIBpr0}<&r9jKp%>v(+UzH%N>m@2>-KCoCWwbtHZWrE}BiMjN@r7 z1=NKBT9ElJ9Egd%l*x4&V1R~dCP;>Typ?DubTy;5dp00IQJ$7lHraAu-PR;nkqsx_ zaybf@is1T-beOF5Gkz~+ijYvDgj^tGvAUg4hctn!6#6~4K~_P$==B^F?o%bGl0Y0=#(_du4nL=5N`P@l#E3L0!5n$oa*Ef0s%zeK?sJUK$=Q)+?)|e zsr>>=W7YKt}FV&ql}umjh}l1qCYE*qF((RV;7T?SX?EL{5~sHd+!gzO|MB zot43eY9?uf!7wf7lBG1v2$1Pwq-JXzE)DF0qGRhdSxjLL=EuxlyI3>?$U<16n^!aj zun3(ghmj7)6M~l;tHKqDl1;JXi>EB2iJ(Zap<6Xf>K60KbdK-1{XFQ>fovp~s==-* z6cA*sEg1A;dZfW}$e81hlrDt5sLF?GaTG4QF`J1qG(9NGL;*Ll2JM^Je>^_4viI1g zPwr^3joGJ1&nv^PE`)1i@7{>qyT5T|Qkj2f;C<=~^QXTChxe&mbImtULP zquhOadTV9cxc&pTT;2HV)S>gc_E8UmcWz5gy~r&cFdn>&Uum6s{NlB} z(%C$*{K1kn`S5dV z2fT5R6pti6ylX>!YVq?WW#r}@_4^;U#=l)nK?~PLFI_+SY2NHgPwdY99A8)+dTQ_2 zGaGlFJbusj_oHW?7q&k0&kQ#Fq%wYLSMj%77moIj5&M_PW1C-EeWUTRe|FRDt2ais ny_#{zARh5sX8Z^aG zSDn%>+a@(cNE<5Mm;5f2$Gtt2!fiJkYQkY*hb3Mz^HJVfE;&=SXz;I=$5k^Y85Z@S z2q=gOYjNp^!pf?Nb#GVWSWg=(f!|nGG>O%_e7Vwin1hZP1 zSkAB=Zp?28Y9=7w!ofO#gAth>b^xZBIAD3Tmne~kV{+p3fYTjED%CFV(<{nk*Q-r5 zDA#Vb(Mx8^Zxbt7jkG)zTs~=&b8BTSGt(~=y{0#vNJDCj<~FeeCuxU}vU1+a9c@|_ zo@;?ZBXwX}t5!)>hMxaV8({Is577vC^&T>RbA?ZS}2r0AZ;A+MY{zpTUlvjT1S}8yW9pyGsY7DMe7>L z?WQCU>&dLIo!0!RCTs`LoffC zUzcxOdhX19PrP^X*e9hcp8wz^Kf0jZzWN}1c=79}!EZNTd-l?c_-9w{x_Rp>^RKgK zo5_b)|2TK|j|b$N@08ZN@$ikef~S6Z^6mc7H|4cQp1(kSd+pUPUi$dpg)7Ieoc!_w Zot&9I`oPtn?|q-T_>lC><6mFg{{y-KO&Qo=Wl_B&vvW-m@RoS&XoOPUCfwnBF^13FRVhYw4Qp#|;ERqtY%x+ey%96~gn$D`;;v%l1ta9QW zKyz&t8#a0qb8dQBMGGrsDUbjCMHw~;b59i#cTaa9r?a)Hm#v4Sstmx?&6UH9)m+I* 
zS&iFH)S+Yr4DtmcwnmQ?YI5>;iDS5f@cuH_c znCdV~aB7Han`->8Cd+KCYGFkpDdVKB?!sbW!s;O{ZqCNeAtDO21hR=aNQ(iu9o2Lt zls)9xT$HRt*@1A%ELz%9Zfq7hE*=sZ=ll)W1-i>{}XlZt|h_*Mb1`!r7AbdGTWt@34jkg)c@TkqL+?>CX2_lx(8n&o z>@a7{D4tYtubUIZI`)^8y_gCFtAG9ajG-KjI^NkCn!4^U(hf>t!!}4&N~?euhrC^2 zd9C&oP6pRvuFy%f;gvpJGNGx@8RzvmI3J)mv0x6`~2Sg|cv1 zcylHpn&mYT3Esinm0FdyC!tJ6YVeF6xSBKkM(5+?vuGtXuPyEEV+e+e8984@*Z9)bcR# zCYDX`43#g;`!?b?Dd@yUacjNcaIOQyLwrVNr@MvqMFUqZh@?;%Ydjy+99p9I4$5PD zV90x44&XBtDbz01J>!764ituy?VgXn#S9d*k6TVC#h2?_M-^}L05`8ekbgD3mrKkq ze4+gEuv+Gcf=PC<0w+;euHG^8nXB15S0Bi1LJtZfKiT#HZtpZouMo~ckR;FLr8U@~ z$`3Xp27m*%aDmO_ow1<6sVHGKVhmW9U#t@M7l!bU~%bKq!t7s0TL9_-73~|^vI#W`J zD|4o^yCY-kDEkb%wj;b=v_HIQ9G=-CA}5K!^Qapt-4R6J~bv zc9s8Qm}mjMG@|gZto9h#;s?he*i@c?seOl#I=FWOWH-tq`a9i`k9M>GLy%|!IJPnB z@?)D&=s^!qRPuRM10L6}`rTgp%Ww;Vx~SOWCTQRN(xEn&?P1lHK7t}bJxx6n?G8n2 z@Gjw#{H;EN*y8oFCrVGvoE-oizB({r1Y>3DtypW<2Z%X$t_*XTn}`0yfNz^mK=H8y zH}6z|&S@kweYbIi0aJB)h*1EL;^gb6W(dEQMQh#{IfFEh7ZsmGCprcop>%;WaAs%n4PhmZ339VXX zUh>|ITFgP%`I@yqRii~Vs2@Wr+Y+%QO9wU@bek=`)9t%;%fV-+>*x$vd=zmBi?HUa zLB^BMpAcXlXsMTX;V>fEI%mVBy>L+3s>GrGLnBFi*TvPnu1ad1rWmsERgW2cp4p&M zz5sqaF2FpxFu&6D3YXiW&{ceeO%#>$EU3Ojl%VekpKf^S=F~OSG#vY;SjxK^WHM{O>| z+JE_!Uqis=_xs%Gxe&s<;N!nxY*LhUF-jms28xf{(T`vhhP~{;uL)g;%^kYm0*N^B zXRmN2C}ng;T2aYi_v{g#K@zhg?FKK$Pv?%JByjmSrvE}6In`LGXc48pC=AOT@eMdM zyj2m$!|9pEF6h+b{Fv{$UHetZL* z;u0Bu4jJDP`#=6Uc9@t1DF?&mcYo`DFNP zbcZevtbw!^kP7AfkeK+rNlL7jP7{0eZs*Dsr*GN21s6&@-Hd z`IOjGbd@lkZMAQj{A8nva~~Uo1DkDHTDznt{_!^#>XOeRY9yF(CQA0v4xpLiTX<}p zJ(0BF=PTN35dxb}^IQ!s?Pbn;(CGgx_(wsshMZAs14tnu6CeM?JwMP#a#y8?)VM}QvKTL#t}H!CLvD#Ssqlx zPA!a5`1_GWLNBt!5=A{+Yev&=SfRuAJ@xzjWI)$m;i)zg&2JE9*El_mY%zt1Z+bK^ z&OG^D%PbL1O7cql&Rq=gwzIoS}*w~2Ie&BKx zee8~Up63D(BXrP|(fp3zORW3>sYPvPhoQw}8B-Ut3Sm8-TO4zIIDB*Kah^8j!N9CL zLN~AP=eJ=;&cp7xT2nI|srffH=fDl=F^v&P{0=>|E5gp`Q0@!0mIH>0IN{>yGj;-2 z1|$z(Eu}!oQEO|1ok598jf^>xoiS;j_jiXoD1_5CaCwejlkhqj)|f_DQ5O%q~f#A36B;=a!K&)i|L) zg7!cFo6=pSoK)%?sRbb;kv}qw!Ir4SakxLQViw9Vg=|PHBMV(h7ch7J#Lkum=dyAv 
zU7|1sIInU|9LJrfu2$xOcARRKKmI_gP)~w+mgBnq3NUkyO!acOq2J9MMY8ig#VDZg z>RuP^keX~8F0?yjg}Wfr=Lyp-uOG zfH*?$3^W?gBtKd0&p{^3)e>y`ODBh|#?y{@7~U2Vjio z!L<ybXBcB|Gj%cMNN5KRqyAm4|1lX8xlo#2%<~vtA=5i(?%7CA zjq*qpvtPcF{F^@q>YU5A z80oYu*+Hu|u{M1+jojq@jw$_%EAv|#F-mT_{oZ=VZ;Evm(nj#)jcfL-#knu~8--s}oz za)c~IuJ@^n>4uQ*87*LVqz42P*xr!)ai>J>=eA;-tX z6SnL`j%6g`?jsc9jM4^~?_Fh^ZBL$9oz|LQW5`d6x;Lv(d_o#U1?V~hgF}Z*EUxAjhQ}8VP51L&?3O_ta zGF*ZMoU3m)?-g|Zo~^52>3*ndL5*jrJu2(+yJU<`6a&O&qi4s_rY@6X&J15W3u4Zj z^-#5ev-kng5nT@bJ;>KD9I`cXx8u$YfA%&03{$9BV3nUqayH5!xUg-&ixW03X_;X8 zGixjfkDbB*2#>1J;av7mwn?SKueCgjZ;YlLD{*amh9zH8@;w5Y`13?VkjfCS41EF` zxR$xRr6Mt1P#1;^>Z+_CuDoepSUid9&k((we?EnOhmiD8ci~tXu%K7klF6*1C;k~7 zy&-f7P%evC7gb~NgTfns{0Hvb|nlhA_^eQj?Ej8Z5Em%LZce< zA?A<$2EBO$w^*em+@k0>p;}~cVbulyz8Jk4p{dqcHdV*t3k^H%RRJxHpycpLL&mhF zBKLlufO?XMnd7@+SHB5O!ima9R?yx?cx+4z!R$V9^N82n>EXJgf%?_5fE5+oS&sT7 z5KQ%ZdJ+C54~IAu(*??7&BCkFl66??2A(Tudso;OBTPHq?FA)10u5r=8z|pE~O#D8`gsaK-$Rq&dy-2A9dn=bGQ+J znh4$!#w{V7dF#GzvNM9@9T_R2KhGeL31{6($k?Z>NLr5(!}2&fM1vP}#c+7-*Dshd zZ^EgOH7C#N^it;0!GnO;>1!%iASB>IECG(y-WL><8;W8Co0nO{@VW$hv>Wam*BpWVf{#G-utoLdif@YpQ*qWkgw$gwzR_akghoCG1ngVtY(GKSS=u# zf0(We6I$WC``7`?He4vY;>=6mS8~%3MJh`j9fQBe{t-t08HsksE902b<%;Bxf$UPA z+pi;t$Uz{H{}}2Iu-vxJAis=6f#Kkn(ENzVSkhF%0^IbXP4)>Wq2Eme4S>*6V_acN`&`pHV z8a)&vAXG5|KHS;=HO+_b7T2c)1TgfP6^c^i_HLoL=tG-wAuvqn@afl*wK|eeZJi5V zKU~f{!Sv2CBRG8HTtCcUcUbe9B%u_bN5Yk>58$o(4_>$tT&GOV2~MSLcPei-F#0)n zW50*V#){fG}%!ISqS0uW1xRnpzTnp zpe-6I#eTIkz`;ofFu*~C<93ZI0miS$UYw3@Qn71e5U<+}nL1Ylm<=RUIfrq5(!#W$ z-LsBCR{Xy;N6iTC{i!>h;K zAaA&Y)By-qPpa42=Ad>oSvMb)=JrCG*2!5|W6$r|PJMc;v~|>8d6$dA+=losuqNYy z98Ic`3ejVhy{vDGTAGa!em6`j7x&+IT;qnEeCMqA$2e{cWEm5F?#tM;*NplBydS2N zudkhtpSYCdb*7;WTe14{LQM>v<;*RKc9}giJ81Sr@Gdb@m-E${TWI*$5ur`O_z-Hu zt5d?RS<)PL%YOnB`fe_XuOVBq&W(rw=W%vfJ+6;e$rhHy5Cy;55G4dTTC9|!g;rCS zVewwxL4XBs2Zg7_hqF2b;(=PTGE$BkpD+7`1s1Zk>Hkz(MfrB@C!*18r$?_jmD3rF zqdNH=^s1rmmFs;d@Zx35k~9GetG!t4g>jj$#>CWYc%By7T@~C7LXq6tkgm2r zkFQCD84syeI4RSbbmgCL%;)6kScc^Qp&U+jTBq%4o=>)^``>oz?h_)2ZT~_cXQk@> 
zXz#{Tnr`E;$(qLkBT*?!>xmZ(Ke8emo)+?8_b|ZS&wrR}1zb>(^bWNwN-Rr)M%mS$ z&hGylGUH(buZTH6Mi)Uiu#V4=Z9ekavmC~Tb*%P- z=Qw*FQ*G82o-(Slw;fhBb47pVm3NJFT{86xN~Fp$DXpb~g`D@Gd=EydSlKZrI`bQ<)@U$G_r>{v20^ZJWZBagM5R;ag#5yC zLSBZ(FT;?G;p3Is3xJs6!n2>PxnBerF0sN#`wxMS31|&7>|EG#cwsoHLNQT&T2m2k z1k~S}xU?||f6BmU6;fsnL=F;hmpAi@A7#pT(fS(6%x|c0FbPeQ>#VnQE!gQvMS^m< zxzt4XHXiGr&<(<3Vx103PvI)EhXqGx`z(v17sX`ySW->SbA7a@nN<*;v%BO~943KU z58af(^+gH)1KQk$?~U)?j#q;aKScUrU**YbiQHe0XOKuU;hitT{5bTqNnAL==(wIU z>Lze=D46osnhWwxm>+@T8nw;XP0Q(hd&>bi`(^$>ncGkd4kkKVAH&YvoG0v`k%M+5 zX3dXbi&iCTa}k+Og`G%>qaThwm;)QtFUgelZ5=yF?p&TQX<5=PdfS)(ZfIxPEQh7b z(r>PSe=&=u6$xVi>-SIX{e>}=qIGV?4&zc}2D6s_} zaG9JK=2UIrW>H#*2$!-FN7Ec%k>ENKCUr6kd{gk^05Fp)qTsImlH`pNx9zsg?xTIgov)2DYPY(ShmfA0qyv$zHeK5tpv0C5OoUIuH+?_r5&=R_0PIPZ% zLp%dC_VDk?wp{vPYrN@%0jh@}6sK1H;ehXxFxJT5N_ObgW4%`))%hbqnaXPgUO&`% z>lQ5DayZ5X?sw1anDkR;9%q6N3GluiTAzy^#PJ_kcokC?-*BwKUKw6@Kosz}=33-zm< z9H9nUD1v?nH|$T1VZX2QYq*RShZ@3{rHq5J!I%BE`IFZx;hc{kRMq4kNP zR8fHVrE!2NtyGI|oo&S!*`qw~p3TQBr_^QP=^}bPP-7OM(^smQ*!)DWJY#g6r0ttiw@m_MzDaO=@q^tkUQy~-qCcB=Q!D`Knl zlM87gndqMn zx2882`Xyx<_dkV-{+T=B1g(sUINZo|naK_f|C$95;?O40NS2qO>5%*h2ww2U=qjTI zF`=Op$;{6~tqHJ&g#{w87>d*(kSF%>)m29KkHolE_Tb@?WZ;wxKj8KKNpS3T1z=r!NoV(3N2=v&McTa+iAfG__AIrOy=>V%M)UBQvRB0dK}n! 
zL_5{D^`7}4eJAUc_-!)-z~qXW;?b%y`VF+R41@vo+O4f2R-!)gUO>nYH~{whNWRtC z|W{IOvhECK|4 zGRKD7wmvw}(>3w8-R%lZ3l#flFI_gH&M9e=YI0tKz3ClCy^zal{e?FcInn*RgxpjU z6D{kha;CN$oXXiY{_K6!vzNl}^O{jQtMEDR_@I?5l)+-i$#B}&c`3$Jnj1x?ro zP@$@6tg;hy^!J%$DZ+juz6vq&7k`UK`wehuBnyI?8i>U5J!yA-ZpRh8Yx7s&b&9vQ zGn5tnnIF0yq|@^d9mVjI`bXXHyM&HVvR?>wRsY5w=dcfXc=yKl@IvD_6e{xmDfw3> z6CK`SxaIVbFEybqaiD*Ks^zFD0}%bjsRPz{NfIg{*~^#Vr85dKLKIapcdvrvK<>P3 zQb7g$Voq(HjWIBZsqIqMr{SlAl01VV=yqzquLwaVInm~OueX;|<}{|ZbHmyCn|TBc z1MCFX2HYdQs4^#X?tCSzUPRAl^PoLR8kI3ryN?A|d5Hr)QM7O83r<|&dRK4?)wxml z-Weo31_BAyRCNxqLGAtELKmr%$i2Rv%;Shfn(#j|UL~rt zVdUEWFgrgZY$E}P@E@D(3ytC9)Sz7E8M@H~ACjBeI*b#EpCNLPHvY^m*#Z?vVw){4 z(Uv9;GuvTlvPi?4+XpX5mmij8&9e%X+4mbk`q6*M$w#-L5DT7W*`3cpK|7l>J}|bg zWU9hyM$CT3VmYK;(UuzR->T$$x-O?xA2-j2r79E?z5VNTzLGN6K)8ww2 zF8*7^pHl~{nj`imUNI$<@!JBn{l+I#lP4dgNHn{?NX!q(g9VDVRH^qz8L3)h8872T zK_~CqI~OcER=p~WTkkc)4HsRa8z2&CxmeJ3rYw|lK_lrpmy(lXI;;K-KV)|2CTewz z=i3uv0|Ti4S{QvytsKK| z$=^inQ+(nXQ_H7OWJ4)xb;*QEn5)@pzd9n*bn!DRP$Q#=<#=Ve@&kR|uerlrwDRFtE&y*uo*^S+-@ib-SGHTjYY#8egfP7>!%5P4;#=@L?4l@)F10Fi~MY>^~ zfI}$jOZijwxe47KXyyrlh1pj#rgF67wt)||I8|xw^+=pn>z7Oo8u(|1S_r)QyURJ= zhrzz5Kn+WMW0}N^^OMNh(8*brgGLLjP|^pQu)irFZb!ZvVrjoIvlIBd0S6?+b?_My zf(_BpTZv^+35C@9*QlXUX++qSf4ew)K61$a@HmmsFWgkPoosz?IC6p`nbazR>c)vC z9G{BSaBo7_;YyvNfE$89Uno+i?#Hyxo-tqh(CUq&ij8*qX~T{Z}> zo_nsTgO-Iu;@%9IQw%1IK;G%aA`dyK0AV-M662Ec*!6I-8fvpM3zdns8Hkn%K@2*# zZ>W{R5E}5-h5?bs5OAlFidrzJzeRNgQ)5@50s{srKYnN5aZWk#^_`asqdgo*EGm zg}xAyoxye)p{-_?XU*$Jp<{;JZwBt3{yq2+K5=8+tF2n*_r^bQ&g9R-C-%npJ7Tv4 zyMsr!MwnonA&a!HC_bHz?1(xw%~F*ROv;b;hsydF*dZ9^-{>v@H(uVR1`i)XNn`!G z+C%-hc^~gZ(aaoV562Pk-eRY@Y;q(nX6SfCX_~(vxZhY|+xR=FOQiEkbK9^1BW_Ir zF71!yFo7s&W)0zB0klvq8ny_eb=P#`(O;pwuU73X-99pi^ z*4nH5i+DvX(M%K5rlw|gI!Fpw*f#QB z?raSwmxJgf?TAt) z^+|T(S3wC)pML#07@2CuZImWV&-`~Jd^LrED*o(lHAhWR;~<+O%!dKm11|V;OHnnIBL0C*}4<=@Bm-{~1115(50laBryTk#XaH zF{VsFR^~Bwtdb4lBVaLHVCapHN~xX{Y={MzgWq~Y6pW&(KDMA%72^zJtO27_KL}{O4IipK%QwR=pwf_k0b9%2;4=~)rh;g2IK&p-iJa83=Lw`LTGf}L 
zDqN-}X1kiYeJroR6kGY5X<5`iKZ}TYE+kU%%}NIYg6zFk+A^fEKxIMR%%&L%Jy%_p z2H1O{vjJ>~m}A;jfhX4!1P`>!Y93gJrr*)QhvSWnq{u0Ux1G43=&c*{9w^JnA}g`-mrZbdD~e{V|hG-crW`57m*%$4BTYK;4KYY zKs>&)AjBNhjJyl%E17SP@6KEm>T&GZ{cSh|hVi`#&|3`VpchaP^Ih)Z%yUcvmkIBK zzw3<*1SnOlAxt&Qv_CX9aV|5#MD%*UNS(WbX*!UfyY6T?cc?K8mf@jYh7dh4j+GWUJqC2p$wldIa#96wMRI!h~Tv+v9`t9Z{Fu{qF|( ze3XSniGz}ESd}iH)s+6^`0%aZ9R412b~6y0*NUcakHnJfqF#fY7Y-Pg5uK~s#nzuz zz*45Zv^uq(UT^=-wCYRXh7wSeh`D1Pyicn?Ynv4g_v|)c6n;6k-uHnLKD{pUHJ$>t z8o8yWI1qR>yvwr_kPR>zX?qvN8;h4xZE+J&r$d2oLcW zKZZ_5346ExDStQ8yIzzqRJ8c?rcB}KA5fi7l=4Uwqusr+VCE8#kF)U}Z7!onOD&y= zv2nrACpsh^W#b=r3cFR17{ZDuIf`=>{9q6cDDvnzE0)NOX$fE63={xY@Wv6Se~(_R zHJqU5rZ%*qV;d&B&~n1&@1T1yxBQn6nIkII+zA(HpDJ6|Rfv_+Ig3k1w+VfYz@Eqo z>V#^WI)UQtL{WIc)U<#qkeY~EwO~q3*B{P1qDX_3cpvJ-VK-a{0$vCp3l|H{lKNe_@zeAo zN%)PRS$^t+AuY|BG(YsHOwDTrI#p;zLl_5}H0`@zCX(MkFWLH z8AQMFk7GoQcF3$JIO9JU*I+PV*k>lgm+ZR3ox@q+ha$$h!m5h{YO(sBK2|0@7$9GM zuc_E$ucqqKwsaa;b+{Hdo)S*07 zbqtZy5-$VdBlN-?W~C8MNunfHr$F|P_2PT5<-AsTRJ?o9pP>@_K5_OHA-mxH>+{q!H7;(`H&F;KReFqqO^eLQj9k_!U%X{)`TAT7 zp(ebu^=|+Lwd&I zK%-#T_~exxaGSRapzk#-`EA6I39lEvD!TB`^osD?)on+b)+=H| zYyCj##|IV-`7MSlm#L_AG#87aTmLX#_B0-i6k3u9R#6UqBuFr_(BMwHfDl~ufN0w* ze>_J=K|LBF)kj-0D)uQs>M@kNgi6Bg%#2a0Kq(XtDq=u;!cis)%=NUA6#jGB1b&*^ zD05z=#|J@ji+zx_wjVS(cUT(X^o}pVSWtN)Y*xAAbQK1WKB*@1V$^&WodfV~vI+PZ zqIIgC;P*$WK#wWi*r18C|AqSl*te@VbD9HdYI z(c*W2D9QKd2MBh86iS3wro9~azl?-=`Nmu^p~>Ch&l7BYCZ7QGnCRA z)JJ<%!mm3q*Z<8WL4I<_k8bld#Hwa6$mqd|q=Qoj4{;ht8-A!J0VfLT`8^hY+l_XB zG}pnV!(Q+XAI zdZU|{kjrvMci28tepz#uS`#kK!NJ!l?QZrFMyB90OlVA>Q#<_r8*=sBObJ1fuzY$2NRRz*l2lZd@yIL3rmKu(mEhL*A}trU^2Am}~#@t`|; zZ0H=h+dpjWUcH+DYNakS6k!z+3dL-AJ5MOHXY}Qbw_v{=J{?X7k?o1COEEhBRb!-W3K*qZ*ebGlPq;Negtiv-8)xX(uZ-c$OnqL zD-~)L_Lfs$v_Z36 zZ6#?j`7EM^$`H;AM`evkib)HrZ90Vnh~!&w%e}k7D`h{z)VgyP(wfS09KEu@z~}CU zcLN8kBOevphdOvvQE$*K@o?gzDzTphdD|OZ>cM=!Elp1vPvPIm0yjehuo|U<2%qTl z7>e0mR%-R_%uo1Wk30hK1(?0nU=Va~djWN~H081LotO=07DrH>!xbF)>S6UodTS=B zn5arJV1?1~P~j}rW5Lt>7w?2_PVGoIEVPM?RlKwFLgP_vrnZh=5+^AtN0~OvKYpt5 
zl9Bc>R2k9Po$Z9(D3E^lFb3B^+@p#$aWm(Vm<8sq zhO>I`?$qM?7&lEc<;gZ(yQ#f2P_u0nTHK(J?FekYhEnMn} zt}V1bOJ(pz=WWs}WXx|FN2`@((5edf;{gl^!$yyK**&@W49}nw_I-&?e}g*+8fi_y zG0vs8g<8LM%k}LpGb*M_&`02~Tf_t>OhG~6VguUyUfPP%U_OK3Ex$~l-*v%twgLUqJR z0XzB;1Ci(UFeWP%tL7dn$}hdS>Cygt+X2fZ7F>)?Q^NgC!4%q$^}xq)T5(F@T+oP) z1yCyB_>#mTTv6y^9B;RylIV-Yx3@i%>2ee!%O+dNvrY=oh8?jlR4*rE8V z&wt6+!k;CkcmLLAu<~6yIra0%xv)0*Jw8(Hs%rD6_C974ix)DBh9rHp=@F3uLTpgd zl<7Pxhz2ch%@e%3GK>qxq@O7%a_1^1=40nuqbvW2&ZHG@Iiinq%zm+Xl{bKD_U-EW zI}U|a55*GywV-a~dJMCo*um`-*J`0sy^YW?VoO)n`SgqqNRYAaI^Yn#uS4*4Z^Io- zRD#tdj)2O@%b7&#nrJaoafNRaLVDExI*Lx(=+SXhvr7GfQ^XW_D||;wq||5R)gRt~ zURU0!I!kFrMpDadVF+`l^$L9 z<})O8Vz{ou+En{j4h{cQV_J8fskF+j6^9p8jK&XMWVQ@DPXDc$`s6Tl%gaZdXEAhie5{_^h57Z*%d3>XFKha8xGt?vy@=CFesUX zp4xMNe;w*0(eC?!pEA2DRBuLDazYPYuUw5Wo<`gH3eg>3R#gH7o|yOftR{DPIriAI@I3^kZWh|qIx z5SUwufj-J9l;6!Yn}f`)PCmlkNg4HYV=<>bm^h&CaO8mYfF>(r z+h&5aU{dJ7?sF#r!S-iEe`rt;g<&%~2SB!eV~2xUb&i22l~oYwF+M@7?64FV=n-d> zi0anYAbI(AsV{pZoI!wvz+8;(L>3)c(}%0hk*Efnlq1d_0LNfEa+;-%UVqQ7VP*>v zSKZ27Ate(#+;)hk2uZW<5X}fhZj(^lX8|wk>~1pu4s;$(^wi9v9?nG80y5FV9#DL& z;M3`?RnCk__RIp|GUn4ptkICPa(3PiGYK(3a^meUlWJSrLom3*< zc4s#$S-jA6!C{Y_JX=vmv#nI>P75d7wc$o?(m7oZzs9o`btSrYx2q;Oj7Q&a z_g?bkt(`~NYE?B?QZnSGIlx$qE@t!ym&)!$wzu}OeOoT}eK2;L=|=3k2g-QE{S~Vh z9P|gfdrjjJvaXLJLgp>f*U{15Xr@38eMlw0MS`%|!8W(=Y6eI?jMKZ1w!crsl@#Cn z5w{`Df9FxSaXUSlUd{7Z&84{3a;bfsNALGmG^DUtwOeugCUEl3waZHAg22Fkmb1C- zHRa_+`-7ebTM_S0i?vn(8ZPcO6uZf837rD9Zj;dp`dfasvAm$G_Tr~_(Id5X8Y0v~ zDwFFggx5hJ3YnDjq2J>HiE&qdq5Zt*oHE>R`sVc$2Wlcwrdl!2b@X34h0fDoH}$7K z4zmv7gJqdmQ>B<5iY)Wv$6NNP_>)ICthIXi=Qe3_d#pkiP?}rIwc==qMgjlU>4BG) zivCc$;h2U?ZrvH|RN;4$h5Yk4eHdBq6F~?^f7;o+={7;3od4wFv&*hTaBcvk-xKwaiBKXsIPE>6%gP$5ByAM{UWlZD2b=%C3qU5tfMJ_ox-L+lY3%Q9=!WS# zaMIIK?&|Q5)q8_u&9Mhp7LM#&*iPPw?`9@-U&~R~`dem#!c1@Ww!5!Pbg2b#x8H6x zX~yk)@P3hCRxNFZ$UGwN?ou}wp-O>J7`3QuczZzaD5C8BbqqdQ9g)DA+AgbE|8W&i zh;$yU80!s6EYV|tywEPKeZ;0Ojiuazp~h=(^nU>sEa}spYFAbuj~Yy$0m#~$pd;J! 
zZhKk-nz!+k#MDWH{2y{U3gsuR z8^8g$cGA`>!-Cn%!t5szhS?~SMTzs=q_~K{4%9;D1MGZ;qqiMt~UZdy1|I_X^^Ds?ORu*r0e%gl*8%*KQob60~cu z;nI}0f=@t2H@PA?mkvvM>uWKoHYTb8@)4x>2=%)V%CzeB#$xzu*Fh!JL!y&>kJ{Q| ziyf{x`8<9iHrI*u*_XCv7Rd_GF1-1VuWz}%?(r<;v^ zsqre$lvwz^D;Q%>CZ!d13My*kIKSIK>CkhvQ9;y~+$(wCmTXxFha;K`hWM7-X&}s| zXANmp5DdIV$sA6!cw09zQFkh)YetpBwiVjVBJX&tlS-j_8_yj?HMc$dVz%vB=>Nq^t?P>%shg$EXjT zf>Ajon-NqLF`@M=fZ?>A{HHFPZo2|rU-{CG59%`O-V=1y_ijIDVgcO$1oEMd_Hin<7Xq99RooAR!r zud&JCG4sHnn9=&{bYAEF`M4)609%nB`b3xy@kz_RXxY ze{DatL**yF5d0`Nd_bhRu^g4sLCjn%rGBHez^BImd}H4{MU2k4wU+#%TOFC`wv6b0 zG+YARsuIiEUt2i<@BZw^b>~sXLwTzJHYJ!^^NKl1^W4kEJX9?rk;|x%jO}ia zJzc6UL}G)<)UsiBoZ)j3QHT6fxUVo1yNo+=GlBlfu$bzEOC*XmuglIO;3xCYE^*r; zoFbN<5+gU2IeT|wOuGBrQb7%lB z9w#=0CsbC11h;5hn!R{&srWXZB=Bu!tw zS>LH0=tT;P@ECg7dHkA%{O9|N4laz#G+%)|o+@&V)%!Wbe3eqU_^#?!2zitdw2)kx zR?A)-bsU3t$NxT6$aIom#H|2jP5nABpy~JEVcOsk_SB}$Sl4_XG^Th#zrMg-)o-%J_)1p6?rfZ2zAB^S!^P3 zyy*H980Rf#T`)Y(%P!ond*=+XiTCu$87cnES>ZJztRCCn0u+Kk7B4t)s8qXseX%*9 z#HutVEC;0mt|L=W;-tJzk~@=rvv+PZ!<^S;I11fDAWYYu&GZ2RFtEqY)*Py95y>!6 zRqhPy%<{c-7?~Q9iv%`Vkr}F2p8B$ejdt@Qg61ePyZn(>$&cpf+R?A-cV5QrT3IoM zMN{%V92T62Lwt<=44F zLAJ9G9(2tnx|@{Lb z?TYED`TDzXhC(3eNy{F)42O1nW5Qq9cpaI}%+S>?;a85f{%Hxx&%fO*8wrP`gK=!S z4xf@i>>wMH`29ZMNh08DQDf_o}S&0k;KyNIjivYaX%jEh5@FX zzH^Q^`547&JjUv<6kf!qnw6l6)6siJ=uWTSk?H88!apW_)Q6CDn+E%bkeBIS#7WO# zLodNe3_{*AKjO?e#jUKnUnV6eA(L;;mD@VN&=NwgP{H6SP2WedBxg_I0q3B=(DfGb zxIUWODo(LU0r>P`hV;*^J-&+T71J*#?3!zjl)m~-rnSqvTN@@k$egaWb4x{C1*HW1 z!8Um>^3Yd%`83!w#x1nY=*+k8YqB_Exd#3)VaS*T_9WIf%d|qu7o9$3d9U+QcZsEA z(Jf;lkBFV`R@x@lQT|BTW8@LSb8Yiznj^3nL6vtiWP981tdn2BGURwGYCx5RZNUFm z_83#oTVwAq!twyCZDRvt!IM)A5GlVXG-TnS*KEwnmNu=iap}`@)rK{i0!eXt0U?&r zaTWeeEXyN*!j!e2OgKuC*Jlk|Cq(Pys-MC~A4}++nq3g}`e(+M&gY-ttL4<*o|2Og zoFjuxr8|)kW0`tf*n9W8Gd`}@r$HBbk#r%)eu>QY@Ix=BGNH~StV2NGH0U|aEM>(o zV|#6jdey!~$%|w;y!FD?`v5>#mw|)dV4f<}1)k2;GX3RSD_P7~hKSAPw}sV|=l;h! 
zUupg8oPc}_9m0RP8S;4q#VGy;r{?avn_e|+^?TC$ul{h~Ht9~fioOD3sUo0zJsN#( zFE??R%7%=PDAqiRxi;0N*+QLD320qf(qbdyN&TK31DyrMXMBf>(fhPA!wzBx(wqxu z#m>WGCc_y@>e3;A%CIwE(9heiTd15)*OKi`ZD7`?tTaMX)++l;CPZ%ER190*Ht(N^ zY^n*@d;5*=CcbY4sgXsmh@2U$%@hR*vqSTU24rfjAINPkbn?9JTNPH~|90%c*9{_(@3W}=i%XeqWbHz0#;@Ie z9Ww+MBNbacc8VwCFQoKVUDJr6?_ZnT5!3EGNLBnWZyi4^dG;0c-iJ!bd{`f-5%#FN z(73>5>OBuRHxJ}RPVy({n6esc5v~(Rp>w6;6ZY|(y&x48b%oUBqjGd z%LD-p#CZ&e_&rhV%~Cxkez9t1Pk(1}_B{qA7l<4%D=o37w@=fd_hfx-wDnELpbEa% zmFVbMTY!MV#F9j!G5wjGj1tUB_LZyKk6jLl>a7XG$r5sy0PAtS!>@gGjyUqv z`B@j9Tj{5>r)#$X09_qRqsoa^L8ptz*$vg&EaWUI`Sv$KgS3vZ^s!1*-INo|)SRCF{RZ(6&omf2RWY6vIoaTxkC=?9f!N*2KK*ra2vJS0G*+Qg& zHbJ6pXQ}IFmyJp1;+CYmd~F^g_e-Cagcn7B{K{Dq^?C=-57c+n5Px9`j$4uIhJZ;S84h{<4Z|9PE)7^cj7 z2Tn#&Q(cd@D_*U+L3O$))@|t~@`A6(%2_@LEA9fnb8iL=^QCb3^)8VX#5&``@E0mM zoH77bFo;5!iicAyubuMw(dy^5j`)q~d;BlcrTY8*uwoPC(>qgf4g}@BmR4SlxO3;X zk|5q6)BG@gid0EYXN9&y^-*#7L3u2DK}k~lvYoaeZg5tWMo;vlz*Sf2ktTrZve7o! zx!K%F(RURD3gdVbrH7!XH03S?g)!e>hLl7_#(1*O4zUPoo%u-CNMY+0-+zM;18K9h z(;*`es|EADqb%K`)En=NmVxTPlq}TS&(=pKs_sWtzFEj_TG2(5d9LlZT}Zwfq3Si; z%cds@>W44^zqWrQbv}DS9k;;6BW0zoZ5K2KE&}ngZ{Wv_y|<=GLKR{SB-WVaNl=)D z_07Fkjh*50Yb%+A+wTG2=WkS!n=nX-^X$LE3dbA>)cSMYFg{icumJDPt<-VouHa_& z2>79sQcZiVw5x34c*EoTGD*)Dd6J+Nth`Ow>Q{hKu1&@8Nb4cUclh>MjPg^(I45|x zp=<cWgrgAxsA zo8HDX7r?OFlO@<*dTjF31FKEMD4AIx+uU>*Xjl1ts+3*ZET)~dbK&DVq2C{K>!o&_ z@dYttAh-(L0qe$qVn7kDljPWDH}I%E`P=Z?35^d0xgHbJ*nm>JJ!0sWX7vEbV^&7i zH8Qt^%6>Xl;nl_vy-r02Lz-O&8Ice7c30LUey6}6ZtrV&#GcbL8qJT>xyrDo4H!KA&&8JKLw%eYyo}-S8YQW3nI8% z;%KuFHjIIg!uGk`;@dxMrX?B6E%Aq8)mQ@_PdZvKm9RiYtd+%SQ+=PoPo^j*JM6^8 zj9euJ+FpOnIL_IMG>WTo6R11d0>Bt3xXwjf?06$H!Q=@`<=4QeWOx4y1D3Gk`OVls z#kbPGZ<_&$KGFG_U|<0zhaFMgFlN>F5^ju8w>9&Cn$RMn(-jB$x>jeIP4@Y8k$WO$A#3T>j?i+tcXNs1$m8rA^v z?+%JrxH+5KH!IQMg_VX%5}%1O+fwKpAu$SA-TPZNQq{e5coy=!qjxf?mq;TcNu%>A zRN*xI626+ffR~?B7M_ttF3A3(SU&BUU}CHHmnO5ebcyTUiZ=)dSa3*8fwZ{Ee|IMs zR>Nj9%;b@AOa4`>?*_fz?tqAOo6g)#m9G|m(`6Xd#*6$%KltXNgWjG7P6Ak$IkSqg 
znwxD}Qc!Sq_ZF|RcC?>uxS6&{aJr%j^;gN0o`xC)3t^e`ku%bQOyeFy_IXOr|b7Q|-i1SSg%> z+{y7xW-iQb>Si|`{fl*m~a6|IBTcj}IWSM+3FgwG7@69KOr--&&z za7s*hab3Pj^2AFnBk`(ym}BorSqxvDs?cF9-$$>y6CF+4o)Du)`mb0KM26!Hf*49?YUTzus?d6>IK_m-puG{;xu?F=i<(Pr+UjWMx_kbPt1 zNR5)8$vM?uuHgy#+aSKA%r?RRDMiwhNEpu*e_;NDSzqkLTb3jBSv`wny}528NUrqg zB+&d2@9oVw4AL|>!fc;u?#BHVb#?Wi&<0bW1Dguc>>4a9jj5SG%WJ!|zl0(8c8^r! z+!SgZ1ts1=)}WccEq&eJeP1j#m+sKM^wc=T<*`r(IDs8(YESrU&ZJdC=%6H}ZX(w0 zO?ATnO;1n`yZpM)H5EC_L06N#SE_eRVq|Hv$L(>;ZZI=N6c z4CE2r6*W+;(z!#d-#uP+D{DIN?!JX+W6~ZZBxUun$KLJ?u?(7}tcdxQznul0vgf%p z*LnjP-Yd4c1#7{Au>B*?HwL^xOZFzR^1S>8>=Ur)_uq~XMoahLgMheMt$2^kXF|q@ z2C(05QhkXasRvalnm(O3+>a%x=qL6lF5g$tN)FCBR3IB^!We&I@fpt$h)9v=8lj*# zN|jgXM)96ygTU-Iv2=!~E2L^sE$=GF4`174(Y}CJe*hx&TX&;@$j9@Uc&%JYx^ggU zhs_pGjL)+r^T^c~u1Ersc9zY2o z;HbEhpuFCSx|VvigzA>7w>Em61AX|zQR4eG{9+XGDQiVPICUp;RSL{+-a6;=`3tv6I(YV}j%t;kV` zN%q-sq~R|d=jE9DmA-vH>Cn*}NCOo@L8G+5V~a3^eiZ{RTSn}uG5~OPZoHD_;p`4w z6=1Hqg+c>!WXz;l&6Axj?CV*BI7+)T|0eSk2=H4!HgX{En}kZBoN6BPia?7Dq0_(f zpo%FsNnUN`wK;swaEFZp-GI<7Kvva`f|%EV5quMb_y*Xi}S) zTzPS```U!(b*UZahdJ8%glVEcEYU%$!C(U17=H6&{||>b)XR-Iu9YQZUNt|6HKgcl zxVTmnWCjtFUnVsKJ9ks;q|)!iI}OU_RR}@e zv{2fQ=@Lg844JKUb0~a|G6hpX<_)WLjXwpco_1o8fE320Y8uHBDB|5gqsyi-Ry@SA z-^ZgjeixI(p05|AU9WB*?xt&5hv(U(V-PEY{>(rZw~2U*n5bMuf_CVQtaqnq?XuJq)mmE-x{ojvow=-xS{S1?y9?#zn;!e#sV>qPV&SBrb-!QcKmuDY= zCjW6;-M(}#K<%2gA)7JH@&WXjVWIC#THF$IxI}02Fb8-3df5qsQ#|CaQ+XK!w*zq9 zOjF!ZAf8C=4o0tg-w5#0c~$oh%sc=e*ATe6;_g zgG(TYf}2WhaFlYp-x$5q9-|G2$9__yI1~c=FXuUMuu(OnGEP*0vy<2XUNJhTFE-D2 zWBIy16b`b+kiczSlsI#&M~_^0#{;46KX0YhvQ53uNDQ_)h3sqb)d2*sd($F5A;9l> z7hvX1yfv0C8(Dd*hVAp?#0wO2o;|&AUA~^+%&~+8OaZ!N7BXRw;0S5(Kr@LI-Fi`) znz1(aK?fT^$DQK`pHab6;{8mONL_lu{jM|h3t^90=2U&G%fUf|MU@6$F%hHhLUc3< zRRH=9f^9vM{TPwdX=w`xW^EEV?>6)4&hpFhR}yd?;F<#BK z^@oV7anU&Ah*KoXkr^f4;r=1JV?8f#umc0!*a%h|TaT{4?ADIMAtEY7YD_NGVIsH} zo?v5;JNC4A-qg13`RxT0r@JZ}ltm~A-vZ}Ec##_vz<3J?+???_kEQc9wLYsy_l$m? 
zl|)9eU9e}-7W5O{A1A5wj%W@>Jv&hdc6*!THe<#9?#y8@n2d#3>#y+jpEEc&UeTAL3{wOg_`tCkPL1RTwOy{*aI9Q z5XW-Cl4As~LRgT;$2`K@`~biF*bph@KWg9LHYTr2)vz}mR=xth zVi?Qy_WuIh;eYW7q7AkN+N?&!S#O*9;By|TSyx@@){!!QUcOet z&Q@24IR16pUjELmPeK#WXV?jho;A&p1y@WCrbE>iLZVp=sos;iOxzFIs(4s@LiUa} zrjBuHT7=vLQFnZDy*`uY-~ZOxZ??grQzm!Np;`oa@?uxgY29U+k!;K%-|Jwyk`(lz zGf;?6UlRNEoIlfBvQrtMY(@0!7xsTuJL|=GBvXSyUL2#V*3eK3`L0@z#z#;Q5e0u= z_!79bX=rE}&0Q(&=rCkx(armR9FubaDz$@nz>Vm9(hujuO+aOR9wt>c@k#wxyQiN7 zBqAXKKkU)_pRH7%vC$jnQ7PS5OfoHjGP0j;_nHNk$PPgROvGjHN+T%rh^i{%zUhI< zI|mYw&9Rlm`vlhL8=1k*XRu{JbZSMW2?N^7jW7JDlJgT$jPS4Cq*Vg7TA(D>RB36b zmD~hZtlUDSvZ=Q&scq#tKV0&ABG=ge@Y+r0b({r5jG|~X;8psWlSC2JY}mpstsgx5 zhk;+H+3aiP#=TB?G3%bh#BcRc%>~o|s}5h!hEJ2PA2FoQtReVG7g+FpTqwsuehKnd zQ_AzHwStD0S5#VWm+CL#1t##A(u(YVHdk;}`LAUo|6oepDu-U&7&#rq^U^sFKSR77_^eYh==JMHSp{ z&k5iJDyb;v5l@5ulcG&wr^WU!r%}0Uj49Ez3B|ySMR9&)aA&nb=`QZbdm_#ge=TQ> zj@&~MDdgy+`xrgp&zoqzlUPPs{nH?tf|HFo{vLz2Y7*JbgntkcH#XHYd&L@#K2n3* zmJ$q_GKRIQmNv0IoVCh0+z)wZjMx=yj*#c?gk?sky+{6_|3& zcT*dq*Tpo-Oyp#qVVDXvF0Av&x5SjI37~anbR%g$mPOt7cJxYcQtM=;MDvv$;YCR< zgun~X%g|82BcDg;9}aHrY4Rc&a{S)~+CO*|;#o1SwWg57F?%N<7?#IHeZB18Rtz@X zd=(nK_C54A$9|RVJ5R%;4VIKKQfY&udw?f%0ceW$0pkp37R>wnq>7sB3Iw7@GDoX9 zZ*-~@D-Y@s1F3%8!puSVz0)B7aFC-3g;qe)G(H}1HNsA@FA}E0(3dx?hDw(_x+!I< z{OCoj=wM1JXx9e2%}yd^=yP)8r~H|tiK=tOZwvMiXdo};u)1cgM2`?OpgB?z`+vAA!$G** zigqI*7*wvfH>sn-Z(;gL`C}HT|Nk@@e2fbwf*n;z==V4El@@8_i~_NeNtY`9z-{oG zA{L}-G49qen$lTK%ACvY7Ve=m&b z{>dXz0m_p>wY&(%)9#Xs;)9gHbDB9s@2CZit?CJ&?4r4dHVpKvpp!^TGF6zRh)e4o zom|o0Y6IArfxADl?gD*T*Dm_>xRrBVgEXOx`_|QUw?@`_zhY_IS8B@covEzfX7$E# ze#s{&z9>c4VWBQ97lo=P&Wz8v*&9o>?K2{G z?KBF4!W|`nHPL#j-Jm1MJM@>{bDo2Zs)Z)tO}ay$_i4aTYMs)ekmQnzamWb7x zPCFnno_pDN6S&Q?&p*^21bH~X={TFVaFqfl@%~%VlQs%jr@T6Zy9kgMUbkUpGZqm| zHau-pR&SW#4_-=V0ruYQglTLzkKUYjPYg~9%|eD$>ZFM;`|3MwKKE9pHU9+{d9|4b zY${ES^yCu0>w1zU%+i=SKaF#sBByIs`7@O@Cobi*Md#}O6tC3Xal^%Vea2OTNTcsY zouixqHjvFg*7}!i(-;$v)3CONnDm%rQ|qmm+=<#(+XrGu{0GquYLfv{q1SsGtF*OA z$TNrEJzJ@d$_T1SgFC)UDXa8V~c 
zE}CKoTH6Od5*b(SjQE6BkVV|~xfGlop`QDWZKPg=KF2tsn*xr`j2oD0lzaY5z}A8(MK~W~9ha2K2C}T6^7um~APUVPzC54m$+6a^VHDnlG1e5Q&@UvX!-*r1<2c_qz9^VvKMKDM z+k-&ppVW3n789^Eyf<%rXDw#7-nCwR<5U~A_(;c6)&TrJ%?;G$?4RyV73sOnO?iLXDt9OtXL%-z8 zdjj_Cxu~t*rj$eG{l`OUs7-}^HcJAl!e{w-iP{z~1ojG-rH0sa_uAF))<@+v%6jk) zsP-6uUN)lN%TykN%jQ1q7x(CS2jUn4Kmv)<&Z^)Hx24G&{eJvs6ZGLeTcwHJ?A05S zKD~|o3fJnP!JJZd1#=;A!Ein`K8~8B<%PV5>A{0Ob>S0Kf^A9-M3xra8zPVxsLdbf z1Q}jc*x_i5mZx&IGp2`2`yfmVhJdZa(k?v7(DerGgzqLXE83lOHey=VETBs`@anlk z?GFIuss@i)hqu_6AwWND{*&V-iu!2~NreWec-(-`OfPgU)Mrhve_p)Vd(5NfuhVGZ zj=jGF!Xg@cu)D66crlMMB27=VURi@1e=QhK;5xefzq$o2HUk+R~5D}v+N@~ z5>>W7&2R8Wj7ZYig<9>YrxyD5ny=IXIY(SpGk4NTb^anUl;-4ja7lu?5`4Y2Xyc(c zgchMLYN(y5xc6)PR8Rx3q99mfzHkq>O*ZVWyBkoL|r}m=_Jt$_ix?20jaOvWddi5eGS)-N+;C*32VM z4F-ipqc;s_0IRxa`~PGMQ6@D>7{YQ~T1`szx*>N&-vMoFy3v;=KCWyEa4USlksySc z;vh~!8tq?)rV;UNI#E!dM3E>&==A_9{7v3>(i^`73el%%&cd-C^*|K2f=D_X3; z*8a^>;OG<=5sa8ax8a~CEr*g+m%aTm+L*1WC(5~!wG=+6?ztI>Lk_t)IIZ4r&y=2f zi1uX#`SFy==-m9-8~EYf)AA4Ti32O^Ug2(a&Cxl5wfs4zDPIV*OkXTh)IFOxnnM_bejHw$X1iKqnde%**#mq7->8Gl@@#zl6$B<4w`=Mo?Qzln0 znfFV{6`sE*ejM0`-JpC%K5D9h8F!A!%U?H>7XZ!9vB-vGw4_%LeXDSb*|0-LVsj0& z;10Ddf4i?P6;wAapQD@x$mObgyb)zg0U7YH@=1&<;N{S|c-GoCQHgJW&h0JjFIN+m z3rk1QakG*y6vsgn*pqB8lW{*HE0H^6Jx8dqdgg=E zj8?3ZG7LyR*v@tUQKM;whv%$uk!@YjNjIzR1Otlf)A! 
ztS6n>$M5YU6i`|Kc(2l$3CshS0Yl4P@kCTTo&F#C{e$(axp=D0*w6rE5AIK(*=K9K zvZ=3p8xx>GEm+L@YOXcRDh9XBpI(I#&bnD<6sG#&ZgrLkq%Ir&P266;O9AN$Rsjf3sBN3CZ$S80}#4-S1m37O~92Q@gPEvKf-8|K>?x|c@y)uTEnNXrL~02n zL+3+8-I^70BD%v!Q7Eo0kQ72R4z+u(^^bF@k3s9kTJ^nks>b?mf*xio=+C|wI0Pkk z=dPh*p$x^m+T`F~$e&X_dK1;S5o$uX0Hm5Iq;?lXQxfg?0M)aX{ZmwaPRUw!AJf+O zsl>FXMM@qsXw$-Ob<@qB(#YZ&SCs(R5BRycm1yK*CkRAMMyWP4voMOZ-W}443scAs z4?8=U z_tt5mi)!CpajN}LTZwo>e<7DKXy1~DA($N-(&do%{)T&w2 zQBPTyNhB0C!f&}cs0$g~g$wdYEp8vk>n_8Rs#1|{;auloxz3n*o6^`?!4oCfVfRwd z8q7o$ zIQW+aK5$R?z8j&@5v$%H(Sy6WxMPg|kYH^4_pB(*polyZlftwvv*i#NcHKP|Mq)|t zL=X7wYm9OqGTsRb$$c|a42~H=^}U7bh1+{#-ytm`p>n)K+~U-3P}v=tdp^4L&Ruy0 z{UtUfv*E?a1fiSIuhOB)ABbJ~Nxmj0ezZZ*=L!-L0F?7`fGmH2KQOw|{IKufcf(7A o!YaI#pudoJ*$a>}wGZW}u+e Date: Sun, 25 May 2025 21:06:43 +0200 Subject: [PATCH 09/17] Configuration vaultwarden --- modules/services/vaultwarden.nix | 13 +- secrets/vaultwarden/env | 581 ------------------------------- secrets/vaultwarden/env.age | Bin 27762 -> 2693 bytes 3 files changed, 11 insertions(+), 583 deletions(-) delete mode 100644 secrets/vaultwarden/env diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix index 9adfcc9..1a27dd8 100644 --- a/modules/services/vaultwarden.nix +++ b/modules/services/vaultwarden.nix @@ -1,11 +1,20 @@ -{ ... }: +{ config, pkgs, ... }: { + age.secrets = { + env = { + file = ../../secrets/vaultwarden/env.age; + }; + }; + environment.systemPackages = with pkgs; [ + postfix + ]; + services.vaultwarden = { enable = true; dbBackend = "postgresql"; backupDir = "/var/backup/vaultwarden"; - environmentFile = "/etc/nixos/modules/services/vaultwarden/env"; #fichier de configuration de vaultwarden, peut être la seed pour la mettre ailleur + environmentFile = config.age.secrets.env.path; }; } diff --git a/secrets/vaultwarden/env b/secrets/vaultwarden/env deleted file mode 100644 index 80eb475..0000000 --- a/secrets/vaultwarden/env +++ /dev/null 
@@ -1,581 +0,0 @@ -# shellcheck disable=SC2034,SC2148 -## Vaultwarden Configuration File -## Uncomment any of the following lines to change the defaults -## -## Be aware that most of these settings will be overridden if they were changed -## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json . -## -## By default, Vaultwarden expects for this file to be named ".env" and located -## in the current working directory. If this is not the case, the environment -## variable ENV_FILE can be set to the location of this file prior to starting -## Vaultwarden. - -#################### -### Data folders ### -#################### - -## Main data folder -# DATA_FOLDER=data - -## Individual folders, these override %DATA_FOLDER% -# RSA_KEY_FILENAME=data/rsa_key -# ICON_CACHE_FOLDER=data/icon_cache -# ATTACHMENTS_FOLDER=data/attachments -# SENDS_FOLDER=data/sends -# TMP_FOLDER=data/tmp - -## Templates data folder, by default uses embedded templates -## Check source code to see the format -# TEMPLATES_FOLDER=data/templates -## Automatically reload the templates for every request, slow, use only for development -# RELOAD_TEMPLATES=false - -## Web vault settings -# WEB_VAULT_FOLDER=web-vault/ -# WEB_VAULT_ENABLED=true - -######################### -### Database settings ### -######################### - -## Database URL -## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3 -# DATABASE_URL=data/db.sqlite3 -## When using MySQL, specify an appropriate connection URI. -## Details: https://docs.diesel.rs/2.1.x/diesel/mysql/struct.MysqlConnection.html -# DATABASE_URL=mysql://user:password@host[:port]/database_name -## When using PostgreSQL, specify an appropriate connection URI (recommended) -## or keyword/value connection string. 
-## Details: -## - https://docs.diesel.rs/2.1.x/diesel/pg/struct.PgConnection.html -## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING -# DATABASE_URL=postgresql://user:password@host[:port]/database_name - -## Enable WAL for the DB -## Set to false to avoid enabling WAL during startup. -## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB, -## this setting only prevents Vaultwarden from automatically enabling it on start. -## Please read project wiki page about this setting first before changing the value as it can -## cause performance degradation or might render the service unable to start. -# ENABLE_DB_WAL=true - -## Database connection retries -## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely -# DB_CONNECTION_RETRIES=15 - -## Database timeout -## Timeout when acquiring database connection -# DATABASE_TIMEOUT=30 - -## Database max connections -## Define the size of the connection pool used for connecting to the database. -# DATABASE_MAX_CONNS=10 - -## Database connection initialization -## Allows SQL statements to be run whenever a new database connection is created. -## This is mainly useful for connection-scoped pragmas. 
-## If empty, a database-specific default is used:
-## - SQLite: "PRAGMA busy_timeout = 5000; PRAGMA synchronous = NORMAL;"
-## - MySQL: ""
-## - PostgreSQL: ""
-# DATABASE_CONN_INIT=""
-
-#################
-### WebSocket ###
-#################
-
-## Enable websocket notifications
-# ENABLE_WEBSOCKET=true
-
-##########################
-### Push notifications ###
-##########################
-
-## Enables push notifications (requires key and id from https://bitwarden.com/host)
-## Details about mobile client push notification:
-## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification
-# PUSH_ENABLED=false
-# PUSH_INSTALLATION_ID=CHANGEME
-# PUSH_INSTALLATION_KEY=CHANGEME
-
-# WARNING: Do not modify the following settings unless you fully understand their implications!
-# Default Push Relay and Identity URIs
-# PUSH_RELAY_URI=https://push.bitwarden.com
-# PUSH_IDENTITY_URI=https://identity.bitwarden.com
-# European Union Data Region Settings
-# If you have selected "European Union" as your data region, use the following URIs instead.
-# PUSH_RELAY_URI=https://api.bitwarden.eu
-# PUSH_IDENTITY_URI=https://identity.bitwarden.eu
-
-#####################
-### Schedule jobs ###
-#####################
-
-## Job scheduler settings
-##
-## Job schedules use a cron-like syntax (as parsed by https://crates.io/crates/cron),
-## and are always in terms of UTC time (regardless of your local time zone settings).
-##
-## The schedule format is a bit different from crontab as crontab does not contains seconds.
-## You can test the the format here: https://crontab.guru, but remove the first digit!
-## SEC MIN HOUR DAY OF MONTH MONTH DAY OF WEEK
-## "0 30 9,12,15 1,15 May-Aug Mon,Wed,Fri"
-## "0 30 * * * * "
-## "0 30 1 * * * "
-##
-## How often (in ms) the job scheduler thread checks for jobs that need running.
-## Set to 0 to globally disable scheduled jobs.
-# JOB_POLL_INTERVAL_MS=30000
-##
-## Cron schedule of the job that checks for Sends past their deletion date.
-## Defaults to hourly (5 minutes after the hour). Set blank to disable this job.
-# SEND_PURGE_SCHEDULE="0 5 * * * *"
-##
-## Cron schedule of the job that checks for trashed items to delete permanently.
-## Defaults to daily (5 minutes after midnight). Set blank to disable this job.
-# TRASH_PURGE_SCHEDULE="0 5 0 * * *"
-##
-## Cron schedule of the job that checks for incomplete 2FA logins.
-## Defaults to once every minute. Set blank to disable this job.
-# INCOMPLETE_2FA_SCHEDULE="30 * * * * *"
-##
-## Cron schedule of the job that sends expiration reminders to emergency access grantors.
-## Defaults to hourly (3 minutes after the hour). Set blank to disable this job.
-# EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE="0 3 * * * *"
-##
-## Cron schedule of the job that grants emergency access requests that have met the required wait time.
-## Defaults to hourly (7 minutes after the hour). Set blank to disable this job.
-# EMERGENCY_REQUEST_TIMEOUT_SCHEDULE="0 7 * * * *"
-##
-## Cron schedule of the job that cleans old events from the event table.
-## Defaults to daily. Set blank to disable this job. Also without EVENTS_DAYS_RETAIN set, this job will not start.
-# EVENT_CLEANUP_SCHEDULE="0 10 0 * * *"
-## Number of days to retain events stored in the database.
-## If unset (the default), events are kept indefinitely and the scheduled job is disabled!
-# EVENTS_DAYS_RETAIN=
-##
-## Cron schedule of the job that cleans old auth requests from the auth request.
-## Defaults to every minute. Set blank to disable this job.
-# AUTH_REQUEST_PURGE_SCHEDULE="30 * * * * *"
-##
-## Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt.
-## Defaults to every minute. Set blank to disable this job.
-# DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *"
-
-########################
-### General settings ###
-########################
-
-## Domain settings
-## The domain must match the address from where you access the server
-## It's recommended to configure this value, otherwise certain functionality might not work,
-## like attachment downloads, email links and U2F.
-## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
-## To use HTTPS, the recommended way is to put Vaultwarden behind a reverse proxy
-## Details:
-## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS
-## - https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
-## For development
-# DOMAIN=http://localhost
-## For public server
-# DOMAIN=https://vw.domain.tld
-## For public server (URL with port number)
-# DOMAIN=https://vw.domain.tld:8443
-## For public server (URL with path)
-# DOMAIN=https://domain.tld/vw
-
-## Controls whether users are allowed to create Bitwarden Sends.
-## This setting applies globally to all users.
-## To control this on a per-org basis instead, use the "Disable Send" org policy.
-# SENDS_ALLOWED=true
-
-## HIBP Api Key
-## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key
-# HIBP_API_KEY=
-
-## Per-organization attachment storage limit (KB)
-## Max kilobytes of attachment storage allowed per organization.
-## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization.
-# ORG_ATTACHMENT_LIMIT=
-## Per-user attachment storage limit (KB)
-## Max kilobytes of attachment storage allowed per user.
-## When this limit is reached, the user will not be allowed to upload further attachments.
-# USER_ATTACHMENT_LIMIT=
-## Per-user send storage limit (KB)
-## Max kilobytes of send storage allowed per user.
-## When this limit is reached, the user will not be allowed to upload further sends.
-# USER_SEND_LIMIT=
-
-## Number of days to wait before auto-deleting a trashed item.
-## If unset (the default), trashed items are not auto-deleted.
-## This setting applies globally, so make sure to inform all users of any changes to this setting.
-# TRASH_AUTO_DELETE_DAYS=
-
-## Number of minutes to wait before a 2FA-enabled login is considered incomplete,
-## resulting in an email notification. An incomplete 2FA login is one where the correct
-## master password was provided but the required 2FA step was not completed, which
-## potentially indicates a master password compromise. Set to 0 to disable this check.
-## This setting applies globally to all users.
-# INCOMPLETE_2FA_TIME_LIMIT=3
-
-## Disable icon downloading
-## Set to true to disable icon downloading in the internal icon service.
-## This still serves existing icons from $ICON_CACHE_FOLDER, without generating any external
-## network requests. $ICON_CACHE_TTL must also be set to 0; otherwise, the existing icons
-## will be deleted eventually, but won't be downloaded again.
-# DISABLE_ICON_DOWNLOAD=false
-
-## Controls if new users can register
-# SIGNUPS_ALLOWED=true
-
-## Controls if new users need to verify their email address upon registration
-## Note that setting this option to true prevents logins until the email address has been verified!
-## The welcome email will include a verification link, and login attempts will periodically
-## trigger another verification email to be sent.
-# SIGNUPS_VERIFY=false
-
-## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time
-## an email verification link has been sent another verification email will be sent
-# SIGNUPS_VERIFY_RESEND_TIME=3600
-
-## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification
-## email will be re-sent upon an attempted login.
-# SIGNUPS_VERIFY_RESEND_LIMIT=6
-
-## Controls if new users from a list of comma-separated domains can register
-## even if SIGNUPS_ALLOWED is set to false
-# SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org
-
-## Controls whether event logging is enabled for organizations
-## This setting applies to organizations.
-## Disabled by default. Also check the EVENT_CLEANUP_SCHEDULE and EVENTS_DAYS_RETAIN settings.
-# ORG_EVENTS_ENABLED=false
-
-## Controls which users can create new orgs.
-## Blank or 'all' means all users can create orgs (this is the default):
-# ORG_CREATION_USERS=
-## 'none' means no users can create orgs:
-# ORG_CREATION_USERS=none
-## A comma-separated list means only those users can create orgs:
-# ORG_CREATION_USERS=admin1@example.com,admin2@example.com
-
-## Invitations org admins to invite users, even when signups are disabled
-# INVITATIONS_ALLOWED=true
-## Name shown in the invitation emails that don't come from a specific organization
-# INVITATION_ORG_NAME=Vaultwarden
-
-## The number of hours after which an organization invite token, emergency access invite token,
-## email verification token and deletion request token will expire (must be at least 1)
-# INVITATION_EXPIRATION_HOURS=120
-
-## Controls whether users can enable emergency access to their accounts.
-## This setting applies globally to all users.
-# EMERGENCY_ACCESS_ALLOWED=true
-
-## Controls whether users can change their email.
-## This setting applies globally to all users
-# EMAIL_CHANGE_ALLOWED=true
-
-## Number of server-side passwords hashing iterations for the password hash.
-## The default for new users. If changed, it will be updated during login for existing users.
-# PASSWORD_ITERATIONS=600000
-
-## Controls whether users can set or show password hints. This setting applies globally to all users.
-# PASSWORD_HINTS_ALLOWED=true
-
-## Controls whether a password hint should be shown directly in the web page if
-## SMTP service is not configured and password hints are allowed.
-## Not recommended for publicly-accessible instances because this provides
-## unauthenticated access to potentially sensitive data.
-# SHOW_PASSWORD_HINT=false
-
-#########################
-### Advanced settings ###
-#########################
-
-## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP"
-## Set to the string "none" (without quotes), to disable any headers and just use the remote IP
-# IP_HEADER=X-Real-IP
-
-## Icon service
-## The predefined icon services are: internal, bitwarden, duckduckgo, google.
-## To specify a custom icon service, set a URL template with exactly one instance of `{}`,
-## which is replaced with the domain. For example: `https://icon.example.com/domain/{}`.
-##
-## `internal` refers to Vaultwarden's built-in icon fetching implementation.
-## If an external service is set, an icon request to Vaultwarden will return an HTTP
-## redirect to the corresponding icon at the external service. An external service may
-## be useful if your Vaultwarden instance has no external network connectivity, or if
-## you are concerned that someone may probe your instance to try to detect whether icons
-## for certain sites have been cached.
-# ICON_SERVICE=internal
-
-## Icon redirect code
-## The HTTP status code to use for redirects to an external icon service.
-## The supported codes are 301 (legacy permanent), 302 (legacy temporary), 307 (temporary), and 308 (permanent).
-## Temporary redirects are useful while testing different icon services, but once a service
-## has been decided on, consider using permanent redirects for cacheability. The legacy codes
-## are currently better supported by the Bitwarden clients.
-# ICON_REDIRECT_CODE=302
-
-## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever")
-## Default: 2592000 (30 days)
-# ICON_CACHE_TTL=2592000
-## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
-## Default: 2592000 (3 days)
-# ICON_CACHE_NEGTTL=259200
-
-## Icon download timeout
-## Configure the timeout value when downloading the favicons.
-## The default is 10 seconds, but this could be to low on slower network connections
-# ICON_DOWNLOAD_TIMEOUT=10
-
-## Block HTTP domains/IPs by Regex
-## Any domains or IPs that match this regex won't be fetched by the internal HTTP client.
-## Useful to hide other servers in the local network. Check the WIKI for more details
-## NOTE: Always enclose this regex withing single quotes!
-# HTTP_REQUEST_BLOCK_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'
-
-## Enabling this will cause the internal HTTP client to refuse to connect to any non global IP address.
-## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
-# HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=true
-
-## Client Settings
-## Enable experimental feature flags for clients.
-## This is a comma-separated list of flags, e.g. "flag1,flag2,flag3".
-##
-## The following flags are available:
-## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
-## - "autofill-v2": Use the new autofill implementation.
-## - "browser-fileless-import": Directly import credentials from other providers without a file.
-## - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
-## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
-## - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
-## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
-## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
-# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials
-
-## Require new device emails. When a user logs in an email is required to be sent.
-## If sending the email fails the login attempt will fail!!
-# REQUIRE_DEVICE_EMAIL=false
-
-## Enable extended logging, which shows timestamps and targets in the logs
-# EXTENDED_LOGGING=true
-
-## Timestamp format used in extended logging.
-## Format specifiers: https://docs.rs/chrono/latest/chrono/format/strftime
-# LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f"
-
-## Logging to Syslog
-## This requires extended logging
-# USE_SYSLOG=false
-
-## Logging to file
-# LOG_FILE=/path/to/log
-
-## Log level
-## Change the verbosity of the log output
-## Valid values are "trace", "debug", "info", "warn", "error" and "off"
-## Setting it to "trace" or "debug" would also show logs for mounted routes and static file, websocket and alive requests
-## For a specific module append a comma separated `path::to::module=log_level`
-## For example, to only see debug logs for icons use: LOG_LEVEL="info,vaultwarden::api::icons=debug"
-# LOG_LEVEL=info
-
-## Token for the admin interface, preferably an Argon2 PCH string
-## Vaultwarden has a built-in generator by calling `vaultwarden hash`
-## For details see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
-## If not set, the admin panel is disabled
-## New Argon2 PHC string
-## Note that for some environments, like docker-compose you need to escape all the dollar signs `$` with an extra dollar sign like `$$`
-## Also, use single quotes (') instead of double quotes (") to enclose the string when needed
-# ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$MmeKRnGK5RW5mJS7h3TOL89GrpLPXJPAtTK8FTqj9HM$DqsstvoSAETl9YhnsXbf43WeaUwJC6JhViIvuPoig78'
-## Old plain text string (Will generate warnings in favor of Argon2)
-# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
-
-## Enable this to bypass the admin panel security. This option is only
-## meant to be used with the use of a separate auth layer in front
-# DISABLE_ADMIN_TOKEN=false
-
-## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in.
-# ADMIN_RATELIMIT_SECONDS=300
-## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`.
-# ADMIN_RATELIMIT_MAX_BURST=3
-
-## Set the lifetime of admin sessions to this value (in minutes).
-# ADMIN_SESSION_LIFETIME=20
-
-## Allowed iframe ancestors (Know the risks!)
-## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
-## Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
-## This adds the configured value to the 'Content-Security-Policy' headers 'frame-ancestors' value.
-## Multiple values must be separated with a whitespace.
-# ALLOWED_IFRAME_ANCESTORS=
-
-## Allowed connect-src (Know the risks!)
-## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
-## Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature
-## This adds the configured value to the 'Content-Security-Policy' headers 'connect-src' value.
-## Multiple values must be separated with a whitespace. And only HTTPS values are allowed.
-## Example: "https://my-addy-io.domain.tld https://my-simplelogin.domain.tld"
-# ALLOWED_CONNECT_SRC=""
-
-## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in.
-# LOGIN_RATELIMIT_SECONDS=60
-## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`.
-## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2.
-# LOGIN_RATELIMIT_MAX_BURST=10
-
-## BETA FEATURE: Groups
-## Controls whether group support is enabled for organizations
-## This setting applies to organizations.
-## Disabled by default because this is a beta feature, it contains known issues!
-## KNOW WHAT YOU ARE DOING!
-# ORG_GROUPS_ENABLED=false
-
-## Increase secure note size limit (Know the risks!)
-## Sets the secure note size limit to 100_000 instead of the default 10_000.
-## WARNING: This could cause issues with clients. Also exports will not work on Bitwarden servers!
-## KNOW WHAT YOU ARE DOING!
-# INCREASE_NOTE_SIZE_LIMIT=false
-
-## Enforce Single Org with Reset Password Policy
-## Enforce that the Single Org policy is enabled before setting the Reset Password policy
-## Bitwarden enforces this by default. In Vaultwarden we encouraged to use multiple organizations because groups were not available.
-## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy.
-# ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false
-
-########################
-### MFA/2FA settings ###
-########################
-
-## Yubico (Yubikey) Settings
-## Set your Client ID and Secret Key for Yubikey OTP
-## You can generate it here: https://upgrade.yubico.com/getapikey/
-## You can optionally specify a custom OTP server
-# YUBICO_CLIENT_ID=11111
-# YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA
-# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
-
-## Duo Settings
-## You need to configure the DUO_IKEY, DUO_SKEY, and DUO_HOST options to enable global Duo support.
-## Otherwise users will need to configure it themselves.
-## Create an account and protect an application as mentioned in this link (only the first step, not the rest):
-## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account
-## Then set the following options, based on the values obtained from the last step:
-# DUO_IKEY=
-# DUO_SKEY=
-# DUO_HOST=
-## After that, you should be able to follow the rest of the guide linked above,
-## ignoring the fields that ask for the values that you already configured beforehand.
-##
-## If you want to attempt to use Duo's 'Traditional Prompt' (deprecated, iframe based) set DUO_USE_IFRAME to 'true'.
-## Duo no longer supports this, but it still works for some integrations.
-## If you aren't sure, leave this alone.
-# DUO_USE_IFRAME=false
-
-## Email 2FA settings
-## Email token size
-## Number of digits in an email 2FA token (min: 6, max: 255).
-## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting!
-# EMAIL_TOKEN_SIZE=6
-##
-## Token expiration time
-## Maximum time in seconds a token is valid. The time the user has to open email client and copy token.
-# EMAIL_EXPIRATION_TIME=600
-##
-## Maximum attempts before an email token is reset and a new email will need to be sent.
-# EMAIL_ATTEMPTS_LIMIT=3
-##
-## Setup email 2FA regardless of any organization policy
-# EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE=false
-## Automatically setup email 2FA as fallback provider when needed
-# EMAIL_2FA_AUTO_FALLBACK=false
-
-## Other MFA/2FA settings
-## Disable 2FA remember
-## Enabling this would force the users to use a second factor to login every time.
-## Note that the checkbox would still be present, but ignored.
-# DISABLE_2FA_REMEMBER=false
-##
-## Authenticator Settings
-## Disable authenticator time drifted codes to be valid.
-## TOTP codes of the previous and next 30 seconds will be invalid
-##
-## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
-## we allow by default the TOTP code which was valid one step back and one in the future.
-## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
-## You can disable this, so that only the current TOTP Code is allowed.
-## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
-## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
-# AUTHENTICATOR_DISABLE_TIME_DRIFT=false
-
-###########################
-### SMTP Email settings ###
-###########################
-
-## Mail specific settings, set SMTP_FROM and either SMTP_HOST or USE_SENDMAIL to enable the mail service.
-## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
-## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
-# SMTP_HOST=smtp.domain.tld
-# SMTP_FROM=vaultwarden@domain.tld
-# SMTP_FROM_NAME=Vaultwarden
-# SMTP_USERNAME=username
-# SMTP_PASSWORD=password
-# SMTP_TIMEOUT=15
-
-## Choose the type of secure connection for SMTP. The default is "starttls".
-## The available options are:
-## - "starttls": The default port is 587.
-## - "force_tls": The default port is 465.
-## - "off": The default port is 25.
-## Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 (submissions) is used for encrypted submission (Implicit TLS).
-# SMTP_SECURITY=starttls
-# SMTP_PORT=587
-
-# Whether to send mail via the `sendmail` command
-# USE_SENDMAIL=false
-# Which sendmail command to use. The one found in the $PATH is used if not specified.
-# SENDMAIL_COMMAND="/path/to/sendmail"
-
-## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections.
-## Possible values: ["Plain", "Login", "Xoauth2"].
-## Multiple options need to be separated by a comma ','.
-# SMTP_AUTH_MECHANISM=
-
-## Server name sent during the SMTP HELO
-## By default this value should be is on the machine's hostname,
-## but might need to be changed in case it trips some anti-spam filters
-# HELO_NAME=
-
-## Embed images as email attachments
-# SMTP_EMBED_IMAGES=true
-
-## SMTP debugging
-## When set to true this will output very detailed SMTP messages.
-## WARNING: This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting!
-# SMTP_DEBUG=false
-
-## Accept Invalid Certificates
-## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
-## Only use this as a last resort if you are not able to use a valid certificate.
-## If the Certificate is valid but the hostname doesn't match, please use SMTP_ACCEPT_INVALID_HOSTNAMES instead.
-# SMTP_ACCEPT_INVALID_CERTS=false
-
-## Accept Invalid Hostnames
-## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
-## Only use this as a last resort if you are not able to use a valid certificate.
-# SMTP_ACCEPT_INVALID_HOSTNAMES=false
-
-#######################
-### Rocket settings ###
-#######################
-
-## Rocket specific settings
-## See https://rocket.rs/v0.5/guide/configuration/ for more details.
-# ROCKET_ADDRESS=0.0.0.0
-## The default port is 8000, unless running in a Docker container, in which case it is 80.
-# ROCKET_PORT=8000
-# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
-
-
-# vim: syntax=ini
diff --git a/secrets/vaultwarden/env.age b/secrets/vaultwarden/env.age index 270a4465f88b57144f09eb8b193c9d8706c02bcc..89d30a9cc410272fd689c9cb1d94cb67e26d9468 100644 GIT binary patch literal 2693 zcmZ9|`CkhR0|4+IsWhn+@+dV#YSz}yh6lUvwX1gUQQO+lT3fp}Nt7p%t0Z*LAtpL_ z(t|E3mB*D(dF09wIr2~xdV1gY$Jbx*{d~R>r5r5R$_(~oQ-V$#t}`ehmIwfN4bW&* zf#vZqBr*a6_MPJAw}tN9nk7s2HUoinV4LmuF*%q&A#1(XvTMwOf?d|7pny7H~2Qi2};4 zcp2OZ#G(`$Hk<+B3)GavXsSjK#YV(Lb9E>Y1pz{3O*DG7;> zz?#_6$vim^Ll;tXW}8_b1yxEBL@eJ5;#oCz443(T77EXRu>Wgqf(zmeWK%qxCrsj^ zaS&;85{;8ch8j_zM7*AZ#nGiaK3^=BlMnzcC^ABY<8Y$QHf4-F0%X^4%tk1aOd_bY z7ClzVrV{x^41}vDM*h4=g%RUz93Vx;iqVr8EGC1DBf-c*3)&LHW2x*?MwH%WGJ{lj zCCy(0ya_tNtS5LRwFcNvPSfrzoC~&J>q2}@}HYGqoQ_)dM7)D`X ziHtI%ObCKv?J6i$fYAw&YI`C*g3mAr#3rN$`?E%7sd!{7(2msWBq+O;fT0luYJ#2? zZHX5VVB|=PCW0*_Y?3haC|d%Jh!G+HY@-S)hT143Zj^*Vibq+E(QFg~ZK6e^g|uX` zC7NOpGlfuyCX(~BCKocXCM*zyByxCkLVSdYuLWtDb{j$uryHmsp(zr_R1lItR;*lS zq*)TRRzQ?d$gtA5N;*iP15tPe76zn2(ZxKe(iCsR+s$O65Jj~Tm3%T000x7BGNMj} zkFjYfQmO&QRLkrlgkEGzij1(qbTDyDk}R5tf$A`5u0jbgWKz%adeyCYJ6tb47=piP zksjGtoYv#Man5z$io!hnUx_3jrKF;jGuW*@KA-k6dnj(_tMi=bfs}-ZZ-2d?r4>>$ zL;X~19|D%F*Sozs@fV=vkYROw_GeZs@wcx|S07CJrrx$a{R(Ki>~T}&#nJZAJcYju z6*a;8j*L`1WoKwf_Ukc$ZQT3Ezbw*)FD+SChUBKnWkt-7)R+%(xl-sDhNVKT6I{;D%>vZnWb#U=HcmUjb`eGBoEt2T{#1c`2h%=l+#0Vp;rf7M23_`0oQ6Va|g+tTZr zeeY-WuHvKsU10g>Z&m%BTb{8GdZ}$&z*v}PAl^qe^y89Be(QOyS3nTYAJKH^*SW=^ z3~ZLDOrHAY*bik;d?bdvzYs%J#K#Uo800Vdvh#~{hl(x~r7^Uw@taQ->~HB$uVg!1MAE5RPx_+D!@B}LP@%E_-@;(H zY+dp7tLgr7tW)A(3v_35`2yboH95bvW8z4W%U%K! 
zSv`E-I<4uLXDE1OLHGFFgOSzmH6>f`!kr~0U-}k)`x2OS;l(_nrikD_y=(-#{a!@U zv`|0#TpK&y#?L( zLj5B!EI4GiLXPW;Y`R}a>vce|-i+zm@sSno>j9Ht3Vl0In*TYECVkD6sXq zc@M4#PRfM)mR8D^DE)d~#=3(pXQNk8>pOp$k9uR*&dG^`9M&vj04tl5J&uxhlZJkNi&MS=G@{*CSi=IQClCzViIw-l|8*sUv9n zxiC?~c2SGpg>@@dW3v&Y+P5pGgB&+k??xuY9?W$@azQIPyDQvwIq2XuLRebDtXWPs z%NECgeCIQ_?wp6tY?&pjPCaV$gZ$dbqM-^=yzdNS0>`(U0cU9lYC#5Ttn*PYyq*u7!TIr1LI52rowR==3rcPp-(82WWp zszt_`Gz^!+>H8E z%nmL`bJADuZWi!ex1LYGb`nGg={bI$*|GiD+e=$~FnxokykC?I{20f7XZ!6#)fiJ3 z82CoqITx;~8-Wlqb0rjKt5* zg0GRYmtQT-3IXKa=;YQs^Q(BD(-Qn|JLR=$5;~wcT}}O}s5ZyCo(X*!=tCqA^k@pu zA;r0a&RvBpy&tX&$j}TJq5ki` z^`w<8*{my`F%~Q4bu-*a)e-JX)E1HO;xPGbf^V0v-YgXh!eSA5!3S!0d! zIJO^4q9EJ)avJ;1OGZaF4nF>vx>j2EXx=`5so0jF+e*-Pg^dk)F$gMtAlfkUwWQV&1+f?`5M1CarUi;gI_|&CmKE)N_S4NcZP3ylTkujb)rh#8+v>2 sWlI5!ylDOCtkUpZ`e6Ubn#O}#?asZFYm+DQ5SlS6A3i!-DtvtKKWYJ-Gynhq literal 27762 zcmZ77Q*b3*(&Qo=Wl_B&vvW-m@RoS&XoOPUCfwnBF^13FRVhYw4Qp#|;ERqtY%x+ey%96~gn$D`;;v%l1ta9QW zKyz&t8#a0qb8dQBMGGrsDUbjCMHw~;b59i#cTaa9r?a)Hm#v4Sstmx?&6UH9)m+I* zS&iFH)S+Yr4DtmcwnmQ?YI5>;iDS5f@cuH_c znCdV~aB7Han`->8Cd+KCYGFkpDdVKB?!sbW!s;O{ZqCNeAtDO21hR=aNQ(iu9o2Lt zls)9xT$HRt*@1A%ELz%9Zfq7hE*=sZ=ll)W1-i>{}XlZt|h_*Mb1`!r7AbdGTWt@34jkg)c@TkqL+?>CX2_lx(8n&o z>@a7{D4tYtubUIZI`)^8y_gCFtAG9ajG-KjI^NkCn!4^U(hf>t!!}4&N~?euhrC^2 zd9C&oP6pRvuFy%f;gvpJGNGx@8RzvmI3J)mv0x6`~2Sg|cv1 zcylHpn&mYT3Esinm0FdyC!tJ6YVeF6xSBKkM(5+?vuGtXuPyEEV+e+e8984@*Z9)bcR# zCYDX`43#g;`!?b?Dd@yUacjNcaIOQyLwrVNr@MvqMFUqZh@?;%Ydjy+99p9I4$5PD zV90x44&XBtDbz01J>!764ituy?VgXn#S9d*k6TVC#h2?_M-^}L05`8ekbgD3mrKkq ze4+gEuv+Gcf=PC<0w+;euHG^8nXB15S0Bi1LJtZfKiT#HZtpZouMo~ckR;FLr8U@~ z$`3Xp27m*%aDmO_ow1<6sVHGKVhmW9U#t@M7l!bU~%bKq!t7s0TL9_-73~|^vI#W`J zD|4o^yCY-kDEkb%wj;b=v_HIQ9G=-CA}5K!^Qapt-4R6J~bv zc9s8Qm}mjMG@|gZto9h#;s?he*i@c?seOl#I=FWOWH-tq`a9i`k9M>GLy%|!IJPnB z@?)D&=s^!qRPuRM10L6}`rTgp%Ww;Vx~SOWCTQRN(xEn&?P1lHK7t}bJxx6n?G8n2 z@Gjw#{H;EN*y8oFCrVGvoE-oizB({r1Y>3DtypW<2Z%X$t_*XTn}`0yfNz^mK=H8y zH}6z|&S@kweYbIi0aJB)h*1EL;^gb6W(dEQMQh#{IfFEh7ZsmGCprcop>%;WaAs%n4PhmZ339VXX 
zUh>|ITFgP%`I@yqRii~Vs2@Wr+Y+%QO9wU@bek=`)9t%;%fV-+>*x$vd=zmBi?HUa zLB^BMpAcXlXsMTX;V>fEI%mVBy>L+3s>GrGLnBFi*TvPnu1ad1rWmsERgW2cp4p&M zz5sqaF2FpxFu&6D3YXiW&{ceeO%#>$EU3Ojl%VekpKf^S=F~OSG#vY;SjxK^WHM{O>| z+JE_!Uqis=_xs%Gxe&s<;N!nxY*LhUF-jms28xf{(T`vhhP~{;uL)g;%^kYm0*N^B zXRmN2C}ng;T2aYi_v{g#K@zhg?FKK$Pv?%JByjmSrvE}6In`LGXc48pC=AOT@eMdM zyj2m$!|9pEF6h+b{Fv{$UHetZL* z;u0Bu4jJDP`#=6Uc9@t1DF?&mcYo`DFNP zbcZevtbw!^kP7AfkeK+rNlL7jP7{0eZs*Dsr*GN21s6&@-Hd z`IOjGbd@lkZMAQj{A8nva~~Uo1DkDHTDznt{_!^#>XOeRY9yF(CQA0v4xpLiTX<}p zJ(0BF=PTN35dxb}^IQ!s?Pbn;(CGgx_(wsshMZAs14tnu6CeM?JwMP#a#y8?)VM}QvKTL#t}H!CLvD#Ssqlx zPA!a5`1_GWLNBt!5=A{+Yev&=SfRuAJ@xzjWI)$m;i)zg&2JE9*El_mY%zt1Z+bK^ z&OG^D%PbL1O7cql&Rq=gwzIoS}*w~2Ie&BKx zee8~Up63D(BXrP|(fp3zORW3>sYPvPhoQw}8B-Ut3Sm8-TO4zIIDB*Kah^8j!N9CL zLN~AP=eJ=;&cp7xT2nI|srffH=fDl=F^v&P{0=>|E5gp`Q0@!0mIH>0IN{>yGj;-2 z1|$z(Eu}!oQEO|1ok598jf^>xoiS;j_jiXoD1_5CaCwejlkhqj)|f_DQ5O%q~f#A36B;=a!K&)i|L) zg7!cFo6=pSoK)%?sRbb;kv}qw!Ir4SakxLQViw9Vg=|PHBMV(h7ch7J#Lkum=dyAv zU7|1sIInU|9LJrfu2$xOcARRKKmI_gP)~w+mgBnq3NUkyO!acOq2J9MMY8ig#VDZg z>RuP^keX~8F0?yjg}Wfr=Lyp-uOG zfH*?$3^W?gBtKd0&p{^3)e>y`ODBh|#?y{@7~U2Vjio z!L<ybXBcB|Gj%cMNN5KRqyAm4|1lX8xlo#2%<~vtA=5i(?%7CA zjq*qpvtPcF{F^@q>YU5A z80oYu*+Hu|u{M1+jojq@jw$_%EAv|#F-mT_{oZ=VZ;Evm(nj#)jcfL-#knu~8--s}oz za)c~IuJ@^n>4uQ*87*LVqz42P*xr!)ai>J>=eA;-tX z6SnL`j%6g`?jsc9jM4^~?_Fh^ZBL$9oz|LQW5`d6x;Lv(d_o#U1?V~hgF}Z*EUxAjhQ}8VP51L&?3O_ta zGF*ZMoU3m)?-g|Zo~^52>3*ndL5*jrJu2(+yJU<`6a&O&qi4s_rY@6X&J15W3u4Zj z^-#5ev-kng5nT@bJ;>KD9I`cXx8u$YfA%&03{$9BV3nUqayH5!xUg-&ixW03X_;X8 zGixjfkDbB*2#>1J;av7mwn?SKueCgjZ;YlLD{*amh9zH8@;w5Y`13?VkjfCS41EF` zxR$xRr6Mt1P#1;^>Z+_CuDoepSUid9&k((we?EnOhmiD8ci~tXu%K7klF6*1C;k~7 zy&-f7P%evC7gb~NgTfns{0Hvb|nlhA_^eQj?Ej8Z5Em%LZce< zA?A<$2EBO$w^*em+@k0>p;}~cVbulyz8Jk4p{dqcHdV*t3k^H%RRJxHpycpLL&mhF zBKLlufO?XMnd7@+SHB5O!ima9R?yx?cx+4z!R$V9^N82n>EXJgf%?_5fE5+oS&sT7 z5KQ%ZdJ+C54~IAu(*??7&BCkFl66??2A(Tudso;OBTPHq?FA)10u5r=8z|pE~O#D8`gsaK-$Rq&dy-2A9dn=bGQ+J 
znh4$!#w{V7dF#GzvNM9@9T_R2KhGeL31{6($k?Z>NLr5(!}2&fM1vP}#c+7-*Dshd zZ^EgOH7C#N^it;0!GnO;>1!%iASB>IECG(y-WL><8;W8Co0nO{@VW$hv>Wam*BpWVf{#G-utoLdif@YpQ*qWkgw$gwzR_akghoCG1ngVtY(GKSS=u# zf0(We6I$WC``7`?He4vY;>=6mS8~%3MJh`j9fQBe{t-t08HsksE902b<%;Bxf$UPA z+pi;t$Uz{H{}}2Iu-vxJAis=6f#Kkn(ENzVSkhF%0^IbXP4)>Wq2Eme4S>*6V_acN`&`pHV z8a)&vAXG5|KHS;=HO+_b7T2c)1TgfP6^c^i_HLoL=tG-wAuvqn@afl*wK|eeZJi5V zKU~f{!Sv2CBRG8HTtCcUcUbe9B%u_bN5Yk>58$o(4_>$tT&GOV2~MSLcPei-F#0)n zW50*V#){fG}%!ISqS0uW1xRnpzTnp zpe-6I#eTIkz`;ofFu*~C<93ZI0miS$UYw3@Qn71e5U<+}nL1Ylm<=RUIfrq5(!#W$ z-LsBCR{Xy;N6iTC{i!>h;K zAaA&Y)By-qPpa42=Ad>oSvMb)=JrCG*2!5|W6$r|PJMc;v~|>8d6$dA+=losuqNYy z98Ic`3ejVhy{vDGTAGa!em6`j7x&+IT;qnEeCMqA$2e{cWEm5F?#tM;*NplBydS2N zudkhtpSYCdb*7;WTe14{LQM>v<;*RKc9}giJ81Sr@Gdb@m-E${TWI*$5ur`O_z-Hu zt5d?RS<)PL%YOnB`fe_XuOVBq&W(rw=W%vfJ+6;e$rhHy5Cy;55G4dTTC9|!g;rCS zVewwxL4XBs2Zg7_hqF2b;(=PTGE$BkpD+7`1s1Zk>Hkz(MfrB@C!*18r$?_jmD3rF zqdNH=^s1rmmFs;d@Zx35k~9GetG!t4g>jj$#>CWYc%By7T@~C7LXq6tkgm2r zkFQCD84syeI4RSbbmgCL%;)6kScc^Qp&U+jTBq%4o=>)^``>oz?h_)2ZT~_cXQk@> zXz#{Tnr`E;$(qLkBT*?!>xmZ(Ke8emo)+?8_b|ZS&wrR}1zb>(^bWNwN-Rr)M%mS$ z&hGylGUH(buZTH6Mi)Uiu#V4=Z9ekavmC~Tb*%P- z=Qw*FQ*G82o-(Slw;fhBb47pVm3NJFT{86xN~Fp$DXpb~g`D@Gd=EydSlKZrI`bQ<)@U$G_r>{v20^ZJWZBagM5R;ag#5yC zLSBZ(FT;?G;p3Is3xJs6!n2>PxnBerF0sN#`wxMS31|&7>|EG#cwsoHLNQT&T2m2k z1k~S}xU?||f6BmU6;fsnL=F;hmpAi@A7#pT(fS(6%x|c0FbPeQ>#VnQE!gQvMS^m< zxzt4XHXiGr&<(<3Vx103PvI)EhXqGx`z(v17sX`ySW->SbA7a@nN<*;v%BO~943KU z58af(^+gH)1KQk$?~U)?j#q;aKScUrU**YbiQHe0XOKuU;hitT{5bTqNnAL==(wIU z>Lze=D46osnhWwxm>+@T8nw;XP0Q(hd&>bi`(^$>ncGkd4kkKVAH&YvoG0v`k%M+5 zX3dXbi&iCTa}k+Og`G%>qaThwm;)QtFUgelZ5=yF?p&TQX<5=PdfS)(ZfIxPEQh7b z(r>PSe=&=u6$xVi>-SIX{e>}=qIGV?4&zc}2D6s_} zaG9JK=2UIrW>H#*2$!-FN7Ec%k>ENKCUr6kd{gk^05Fp)qTsImlH`pNx9zsg?xTIgov)2DYPY(ShmfA0qyv$zHeK5tpv0C5OoUIuH+?_r5&=R_0PIPZ% zLp%dC_VDk?wp{vPYrN@%0jh@}6sK1H;ehXxFxJT5N_ObgW4%`))%hbqnaXPgUO&`% z>lQ5DayZ5X?sw1anDkR;9%q6N3GluiTAzy^#PJ_kcokC?-*BwKUKw6@Kosz}=33-zm< 
z9H9nUD1v?nH|$T1VZX2QYq*RShZ@3{rHq5J!I%BE`IFZx;hc{kRMq4kNP zR8fHVrE!2NtyGI|oo&S!*`qw~p3TQBr_^QP=^}bPP-7OM(^smQ*!)DWJY#g6r0ttiw@m_MzDaO=@q^tkUQy~-qCcB=Q!D`Knl zlM87gndqMn zx2882`Xyx<_dkV-{+T=B1g(sUINZo|naK_f|C$95;?O40NS2qO>5%*h2ww2U=qjTI zF`=Op$;{6~tqHJ&g#{w87>d*(kSF%>)m29KkHolE_Tb@?WZ;wxKj8KKNpS3T1z=r!NoV(3N2=v&McTa+iAfG__AIrOy=>V%M)UBQvRB0dK}n! zL_5{D^`7}4eJAUc_-!)-z~qXW;?b%y`VF+R41@vo+O4f2R-!)gUO>nYH~{whNWRtC z|W{IOvhECK|4 zGRKD7wmvw}(>3w8-R%lZ3l#flFI_gH&M9e=YI0tKz3ClCy^zal{e?FcInn*RgxpjU z6D{kha;CN$oXXiY{_K6!vzNl}^O{jQtMEDR_@I?5l)+-i$#B}&c`3$Jnj1x?ro zP@$@6tg;hy^!J%$DZ+juz6vq&7k`UK`wehuBnyI?8i>U5J!yA-ZpRh8Yx7s&b&9vQ zGn5tnnIF0yq|@^d9mVjI`bXXHyM&HVvR?>wRsY5w=dcfXc=yKl@IvD_6e{xmDfw3> z6CK`SxaIVbFEybqaiD*Ks^zFD0}%bjsRPz{NfIg{*~^#Vr85dKLKIapcdvrvK<>P3 zQb7g$Voq(HjWIBZsqIqMr{SlAl01VV=yqzquLwaVInm~OueX;|<}{|ZbHmyCn|TBc z1MCFX2HYdQs4^#X?tCSzUPRAl^PoLR8kI3ryN?A|d5Hr)QM7O83r<|&dRK4?)wxml z-Weo31_BAyRCNxqLGAtELKmr%$i2Rv%;Shfn(#j|UL~rt zVdUEWFgrgZY$E}P@E@D(3ytC9)Sz7E8M@H~ACjBeI*b#EpCNLPHvY^m*#Z?vVw){4 z(Uv9;GuvTlvPi?4+XpX5mmij8&9e%X+4mbk`q6*M$w#-L5DT7W*`3cpK|7l>J}|bg zWU9hyM$CT3VmYK;(UuzR->T$$x-O?xA2-j2r79E?z5VNTzLGN6K)8ww2 zF8*7^pHl~{nj`imUNI$<@!JBn{l+I#lP4dgNHn{?NX!q(g9VDVRH^qz8L3)h8872T zK_~CqI~OcER=p~WTkkc)4HsRa8z2&CxmeJ3rYw|lK_lrpmy(lXI;;K-KV)|2CTewz z=i3uv0|Ti4S{QvytsKK| z$=^inQ+(nXQ_H7OWJ4)xb;*QEn5)@pzd9n*bn!DRP$Q#=<#=Ve@&kR|uerlrwDRFtE&y*uo*^S+-@ib-SGHTjYY#8egfP7>!%5P4;#=@L?4l@)F10Fi~MY>^~ zfI}$jOZijwxe47KXyyrlh1pj#rgF67wt)||I8|xw^+=pn>z7Oo8u(|1S_r)QyURJ= zhrzz5Kn+WMW0}N^^OMNh(8*brgGLLjP|^pQu)irFZb!ZvVrjoIvlIBd0S6?+b?_My zf(_BpTZv^+35C@9*QlXUX++qSf4ew)K61$a@HmmsFWgkPoosz?IC6p`nbazR>c)vC z9G{BSaBo7_;YyvNfE$89Uno+i?#Hyxo-tqh(CUq&ij8*qX~T{Z}> zo_nsTgO-Iu;@%9IQw%1IK;G%aA`dyK0AV-M662Ec*!6I-8fvpM3zdns8Hkn%K@2*# zZ>W{R5E}5-h5?bs5OAlFidrzJzeRNgQ)5@50s{srKYnN5aZWk#^_`asqdgo*EGm zg}xAyoxye)p{-_?XU*$Jp<{;JZwBt3{yq2+K5=8+tF2n*_r^bQ&g9R-C-%npJ7Tv4 zyMsr!MwnonA&a!HC_bHz?1(xw%~F*ROv;b;hsydF*dZ9^-{>v@H(uVR1`i)XNn`!G 
z+C%-hc^~gZ(aaoV562Pk-eRY@Y;q(nX6SfCX_~(vxZhY|+xR=FOQiEkbK9^1BW_Ir zF71!yFo7s&W)0zB0klvq8ny_eb=P#`(O;pwuU73X-99pi^ z*4nH5i+DvX(M%K5rlw|gI!Fpw*f#QB z?raSwmxJgf?TAt) z^+|T(S3wC)pML#07@2CuZImWV&-`~Jd^LrED*o(lHAhWR;~<+O%!dKm11|V;OHnnIBL0C*}4<=@Bm-{~1115(50laBryTk#XaH zF{VsFR^~Bwtdb4lBVaLHVCapHN~xX{Y={MzgWq~Y6pW&(KDMA%72^zJtO27_KL}{O4IipK%QwR=pwf_k0b9%2;4=~)rh;g2IK&p-iJa83=Lw`LTGf}L zDqN-}X1kiYeJroR6kGY5X<5`iKZ}TYE+kU%%}NIYg6zFk+A^fEKxIMR%%&L%Jy%_p z2H1O{vjJ>~m}A;jfhX4!1P`>!Y93gJrr*)QhvSWnq{u0Ux1G43=&c*{9w^JnA}g`-mrZbdD~e{V|hG-crW`57m*%$4BTYK;4KYY zKs>&)AjBNhjJyl%E17SP@6KEm>T&GZ{cSh|hVi`#&|3`VpchaP^Ih)Z%yUcvmkIBK zzw3<*1SnOlAxt&Qv_CX9aV|5#MD%*UNS(WbX*!UfyY6T?cc?K8mf@jYh7dh4j+GWUJqC2p$wldIa#96wMRI!h~Tv+v9`t9Z{Fu{qF|( ze3XSniGz}ESd}iH)s+6^`0%aZ9R412b~6y0*NUcakHnJfqF#fY7Y-Pg5uK~s#nzuz zz*45Zv^uq(UT^=-wCYRXh7wSeh`D1Pyicn?Ynv4g_v|)c6n;6k-uHnLKD{pUHJ$>t z8o8yWI1qR>yvwr_kPR>zX?qvN8;h4xZE+J&r$d2oLcW zKZZ_5346ExDStQ8yIzzqRJ8c?rcB}KA5fi7l=4Uwqusr+VCE8#kF)U}Z7!onOD&y= zv2nrACpsh^W#b=r3cFR17{ZDuIf`=>{9q6cDDvnzE0)NOX$fE63={xY@Wv6Se~(_R zHJqU5rZ%*qV;d&B&~n1&@1T1yxBQn6nIkII+zA(HpDJ6|Rfv_+Ig3k1w+VfYz@Eqo z>V#^WI)UQtL{WIc)U<#qkeY~EwO~q3*B{P1qDX_3cpvJ-VK-a{0$vCp3l|H{lKNe_@zeAo zN%)PRS$^t+AuY|BG(YsHOwDTrI#p;zLl_5}H0`@zCX(MkFWLH z8AQMFk7GoQcF3$JIO9JU*I+PV*k>lgm+ZR3ox@q+ha$$h!m5h{YO(sBK2|0@7$9GM zuc_E$ucqqKwsaa;b+{Hdo)S*07 zbqtZy5-$VdBlN-?W~C8MNunfHr$F|P_2PT5<-AsTRJ?o9pP>@_K5_OHA-mxH>+{q!H7;(`H&F;KReFqqO^eLQj9k_!U%X{)`TAT7 zp(ebu^=|+Lwd&I zK%-#T_~exxaGSRapzk#-`EA6I39lEvD!TB`^osD?)on+b)+=H| zYyCj##|IV-`7MSlm#L_AG#87aTmLX#_B0-i6k3u9R#6UqBuFr_(BMwHfDl~ufN0w* ze>_J=K|LBF)kj-0D)uQs>M@kNgi6Bg%#2a0Kq(XtDq=u;!cis)%=NUA6#jGB1b&*^ zD05z=#|J@ji+zx_wjVS(cUT(X^o}pVSWtN)Y*xAAbQK1WKB*@1V$^&WodfV~vI+PZ zqIIgC;P*$WK#wWi*r18C|AqSl*te@VbD9HdYI z(c*W2D9QKd2MBh86iS3wro9~azl?-=`Nmu^p~>Ch&l7BYCZ7QGnCRA z)JJ<%!mm3q*Z<8WL4I<_k8bld#Hwa6$mqd|q=Qoj4{;ht8-A!J0VfLT`8^hY+l_XB zG}pnV!(Q+XAI zdZU|{kjrvMci28tepz#uS`#kK!NJ!l?QZrFMyB90OlVA>Q#<_r8*=sBObJ1fuzY$2NRRz*l2lZd@yIL3rmKu(mEhL*A}trU^2Am}~#@t`|; 
zZ0H=h+dpjWUcH+DYNakS6k!z+3dL-AJ5MOHXY}Qbw_v{=J{?X7k?o1COEEhBRb!-W3K*qZ*ebGlPq;Negtiv-8)xX(uZ-c$OnqL zD-~)L_Lfs$v_Z36 zZ6#?j`7EM^$`H;AM`evkib)HrZ90Vnh~!&w%e}k7D`h{z)VgyP(wfS09KEu@z~}CU zcLN8kBOevphdOvvQE$*K@o?gzDzTphdD|OZ>cM=!Elp1vPvPIm0yjehuo|U<2%qTl z7>e0mR%-R_%uo1Wk30hK1(?0nU=Va~djWN~H081LotO=07DrH>!xbF)>S6UodTS=B zn5arJV1?1~P~j}rW5Lt>7w?2_PVGoIEVPM?RlKwFLgP_vrnZh=5+^AtN0~OvKYpt5 zl9Bc>R2k9Po$Z9(D3E^lFb3B^+@p#$aWm(Vm<8sq zhO>I`?$qM?7&lEc<;gZ(yQ#f2P_u0nTHK(J?FekYhEnMn} zt}V1bOJ(pz=WWs}WXx|FN2`@((5edf;{gl^!$yyK**&@W49}nw_I-&?e}g*+8fi_y zG0vs8g<8LM%k}LpGb*M_&`02~Tf_t>OhG~6VguUyUfPP%U_OK3Ex$~l-*v%twgLUqJR z0XzB;1Ci(UFeWP%tL7dn$}hdS>Cygt+X2fZ7F>)?Q^NgC!4%q$^}xq)T5(F@T+oP) z1yCyB_>#mTTv6y^9B;RylIV-Yx3@i%>2ee!%O+dNvrY=oh8?jlR4*rE8V z&wt6+!k;CkcmLLAu<~6yIra0%xv)0*Jw8(Hs%rD6_C974ix)DBh9rHp=@F3uLTpgd zl<7Pxhz2ch%@e%3GK>qxq@O7%a_1^1=40nuqbvW2&ZHG@Iiinq%zm+Xl{bKD_U-EW zI}U|a55*GywV-a~dJMCo*um`-*J`0sy^YW?VoO)n`SgqqNRYAaI^Yn#uS4*4Z^Io- zRD#tdj)2O@%b7&#nrJaoafNRaLVDExI*Lx(=+SXhvr7GfQ^XW_D||;wq||5R)gRt~ zURU0!I!kFrMpDadVF+`l^$L9 z<})O8Vz{ou+En{j4h{cQV_J8fskF+j6^9p8jK&XMWVQ@DPXDc$`s6Tl%gaZdXEAhie5{_^h57Z*%d3>XFKha8xGt?vy@=CFesUX zp4xMNe;w*0(eC?!pEA2DRBuLDazYPYuUw5Wo<`gH3eg>3R#gH7o|yOftR{DPIriAI@I3^kZWh|qIx z5SUwufj-J9l;6!Yn}f`)PCmlkNg4HYV=<>bm^h&CaO8mYfF>(r z+h&5aU{dJ7?sF#r!S-iEe`rt;g<&%~2SB!eV~2xUb&i22l~oYwF+M@7?64FV=n-d> zi0anYAbI(AsV{pZoI!wvz+8;(L>3)c(}%0hk*Efnlq1d_0LNfEa+;-%UVqQ7VP*>v zSKZ27Ate(#+;)hk2uZW<5X}fhZj(^lX8|wk>~1pu4s;$(^wi9v9?nG80y5FV9#DL& z;M3`?RnCk__RIp|GUn4ptkICPa(3PiGYK(3a^meUlWJSrLom3*< zc4s#$S-jA6!C{Y_JX=vmv#nI>P75d7wc$o?(m7oZzs9o`btSrYx2q;Oj7Q&a z_g?bkt(`~NYE?B?QZnSGIlx$qE@t!ym&)!$wzu}OeOoT}eK2;L=|=3k2g-QE{S~Vh z9P|gfdrjjJvaXLJLgp>f*U{15Xr@38eMlw0MS`%|!8W(=Y6eI?jMKZ1w!crsl@#Cn z5w{`Df9FxSaXUSlUd{7Z&84{3a;bfsNALGmG^DUtwOeugCUEl3waZHAg22Fkmb1C- zHRa_+`-7ebTM_S0i?vn(8ZPcO6uZf837rD9Zj;dp`dfasvAm$G_Tr~_(Id5X8Y0v~ zDwFFggx5hJ3YnDjq2J>HiE&qdq5Zt*oHE>R`sVc$2Wlcwrdl!2b@X34h0fDoH}$7K z4zmv7gJqdmQ>B<5iY)Wv$6NNP_>)ICthIXi=Qe3_d#pkiP?}rIwc==qMgjlU>4BG) 
zivCc$;h2U?ZrvH|RN;4$h5Yk4eHdBq6F~?^f7;o+={7;3od4wFv&*hTaBcvk-xKwaiBKXsIPE>6%gP$5ByAM{UWlZD2b=%C3qU5tfMJ_ox-L+lY3%Q9=!WS# zaMIIK?&|Q5)q8_u&9Mhp7LM#&*iPPw?`9@-U&~R~`dem#!c1@Ww!5!Pbg2b#x8H6x zX~yk)@P3hCRxNFZ$UGwN?ou}wp-O>J7`3QuczZzaD5C8BbqqdQ9g)DA+AgbE|8W&i zh;$yU80!s6EYV|tywEPKeZ;0Ojiuazp~h=(^nU>sEa}spYFAbuj~Yy$0m#~$pd;J! zZhKk-nz!+k#MDWH{2y{U3gsuR z8^8g$cGA`>!-Cn%!t5szhS?~SMTzs=q_~K{4%9;D1MGZ;qqiMt~UZdy1|I_X^^Ds?ORu*r0e%gl*8%*KQob60~cu z;nI}0f=@t2H@PA?mkvvM>uWKoHYTb8@)4x>2=%)V%CzeB#$xzu*Fh!JL!y&>kJ{Q| ziyf{x`8<9iHrI*u*_XCv7Rd_GF1-1VuWz}%?(r<;v^ zsqre$lvwz^D;Q%>CZ!d13My*kIKSIK>CkhvQ9;y~+$(wCmTXxFha;K`hWM7-X&}s| zXANmp5DdIV$sA6!cw09zQFkh)YetpBwiVjVBJX&tlS-j_8_yj?HMc$dVz%vB=>Nq^t?P>%shg$EXjT zf>Ajon-NqLF`@M=fZ?>A{HHFPZo2|rU-{CG59%`O-V=1y_ijIDVgcO$1oEMd_Hin<7Xq99RooAR!r zud&JCG4sHnn9=&{bYAEF`M4)609%nB`b3xy@kz_RXxY ze{DatL**yF5d0`Nd_bhRu^g4sLCjn%rGBHez^BImd}H4{MU2k4wU+#%TOFC`wv6b0 zG+YARsuIiEUt2i<@BZw^b>~sXLwTzJHYJ!^^NKl1^W4kEJX9?rk;|x%jO}ia zJzc6UL}G)<)UsiBoZ)j3QHT6fxUVo1yNo+=GlBlfu$bzEOC*XmuglIO;3xCYE^*r; zoFbN<5+gU2IeT|wOuGBrQb7%lB z9w#=0CsbC11h;5hn!R{&srWXZB=Bu!tw zS>LH0=tT;P@ECg7dHkA%{O9|N4laz#G+%)|o+@&V)%!Wbe3eqU_^#?!2zitdw2)kx zR?A)-bsU3t$NxT6$aIom#H|2jP5nABpy~JEVcOsk_SB}$Sl4_XG^Th#zrMg-)o-%J_)1p6?rfZ2zAB^S!^P3 zyy*H980Rf#T`)Y(%P!ond*=+XiTCu$87cnES>ZJztRCCn0u+Kk7B4t)s8qXseX%*9 z#HutVEC;0mt|L=W;-tJzk~@=rvv+PZ!<^S;I11fDAWYYu&GZ2RFtEqY)*Py95y>!6 zRqhPy%<{c-7?~Q9iv%`Vkr}F2p8B$ejdt@Qg61ePyZn(>$&cpf+R?A-cV5QrT3IoM zMN{%V92T62Lwt<=44F zLAJ9G9(2tnx|@{Lb z?TYED`TDzXhC(3eNy{F)42O1nW5Qq9cpaI}%+S>?;a85f{%Hxx&%fO*8wrP`gK=!S z4xf@i>>wMH`29ZMNh08DQDf_o}S&0k;KyNIjivYaX%jEh5@FX zzH^Q^`547&JjUv<6kf!qnw6l6)6siJ=uWTSk?H88!apW_)Q6CDn+E%bkeBIS#7WO# zLodNe3_{*AKjO?e#jUKnUnV6eA(L;;mD@VN&=NwgP{H6SP2WedBxg_I0q3B=(DfGb zxIUWODo(LU0r>P`hV;*^J-&+T71J*#?3!zjl)m~-rnSqvTN@@k$egaWb4x{C1*HW1 z!8Um>^3Yd%`83!w#x1nY=*+k8YqB_Exd#3)VaS*T_9WIf%d|qu7o9$3d9U+QcZsEA z(Jf;lkBFV`R@x@lQT|BTW8@LSb8Yiznj^3nL6vtiWP981tdn2BGURwGYCx5RZNUFm z_83#oTVwAq!twyCZDRvt!IM)A5GlVXG-TnS*KEwnmNu=iap}`@)rK{i0!eXt0U?&r 
zaTWeeEXyN*!j!e2OgKuC*Jlk|Cq(Pys-MC~A4}++nq3g}`e(+M&gY-ttL4<*o|2Og zoFjuxr8|)kW0`tf*n9W8Gd`}@r$HBbk#r%)eu>QY@Ix=BGNH~StV2NGH0U|aEM>(o zV|#6jdey!~$%|w;y!FD?`v5>#mw|)dV4f<}1)k2;GX3RSD_P7~hKSAPw}sV|=l;h! zUupg8oPc}_9m0RP8S;4q#VGy;r{?avn_e|+^?TC$ul{h~Ht9~fioOD3sUo0zJsN#( zFE??R%7%=PDAqiRxi;0N*+QLD320qf(qbdyN&TK31DyrMXMBf>(fhPA!wzBx(wqxu z#m>WGCc_y@>e3;A%CIwE(9heiTd15)*OKi`ZD7`?tTaMX)++l;CPZ%ER190*Ht(N^ zY^n*@d;5*=CcbY4sgXsmh@2U$%@hR*vqSTU24rfjAINPkbn?9JTNPH~|90%c*9{_(@3W}=i%XeqWbHz0#;@Ie z9Ww+MBNbacc8VwCFQoKVUDJr6?_ZnT5!3EGNLBnWZyi4^dG;0c-iJ!bd{`f-5%#FN z(73>5>OBuRHxJ}RPVy({n6esc5v~(Rp>w6;6ZY|(y&x48b%oUBqjGd z%LD-p#CZ&e_&rhV%~Cxkez9t1Pk(1}_B{qA7l<4%D=o37w@=fd_hfx-wDnELpbEa% zmFVbMTY!MV#F9j!G5wjGj1tUB_LZyKk6jLl>a7XG$r5sy0PAtS!>@gGjyUqv z`B@j9Tj{5>r)#$X09_qRqsoa^L8ptz*$vg&EaWUI`Sv$KgS3vZ^s!1*-INo|)SRCF{RZ(6&omf2RWY6vIoaTxkC=?9f!N*2KK*ra2vJS0G*+Qg& zHbJ6pXQ}IFmyJp1;+CYmd~F^g_e-Cagcn7B{K{Dq^?C=-57c+n5Px9`j$4uIhJZ;S84h{<4Z|9PE)7^cj7 z2Tn#&Q(cd@D_*U+L3O$))@|t~@`A6(%2_@LEA9fnb8iL=^QCb3^)8VX#5&``@E0mM zoH77bFo;5!iicAyubuMw(dy^5j`)q~d;BlcrTY8*uwoPC(>qgf4g}@BmR4SlxO3;X zk|5q6)BG@gid0EYXN9&y^-*#7L3u2DK}k~lvYoaeZg5tWMo;vlz*Sf2ktTrZve7o! 
zx!K%F(RURD3gdVbrH7!XH03S?g)!e>hLl7_#(1*O4zUPoo%u-CNMY+0-+zM;18K9h z(;*`es|EADqb%K`)En=NmVxTPlq}TS&(=pKs_sWtzFEj_TG2(5d9LlZT}Zwfq3Si; z%cds@>W44^zqWrQbv}DS9k;;6BW0zoZ5K2KE&}ngZ{Wv_y|<=GLKR{SB-WVaNl=)D z_07Fkjh*50Yb%+A+wTG2=WkS!n=nX-^X$LE3dbA>)cSMYFg{icumJDPt<-VouHa_& z2>79sQcZiVw5x34c*EoTGD*)Dd6J+Nth`Ow>Q{hKu1&@8Nb4cUclh>MjPg^(I45|x zp=<cWgrgAxsA zo8HDX7r?OFlO@<*dTjF31FKEMD4AIx+uU>*Xjl1ts+3*ZET)~dbK&DVq2C{K>!o&_ z@dYttAh-(L0qe$qVn7kDljPWDH}I%E`P=Z?35^d0xgHbJ*nm>JJ!0sWX7vEbV^&7i zH8Qt^%6>Xl;nl_vy-r02Lz-O&8Ice7c30LUey6}6ZtrV&#GcbL8qJT>xyrDo4H!KA&&8JKLw%eYyo}-S8YQW3nI8% z;%KuFHjIIg!uGk`;@dxMrX?B6E%Aq8)mQ@_PdZvKm9RiYtd+%SQ+=PoPo^j*JM6^8 zj9euJ+FpOnIL_IMG>WTo6R11d0>Bt3xXwjf?06$H!Q=@`<=4QeWOx4y1D3Gk`OVls z#kbPGZ<_&$KGFG_U|<0zhaFMgFlN>F5^ju8w>9&Cn$RMn(-jB$x>jeIP4@Y8k$WO$A#3T>j?i+tcXNs1$m8rA^v z?+%JrxH+5KH!IQMg_VX%5}%1O+fwKpAu$SA-TPZNQq{e5coy=!qjxf?mq;TcNu%>A zRN*xI626+ffR~?B7M_ttF3A3(SU&BUU}CHHmnO5ebcyTUiZ=)dSa3*8fwZ{Ee|IMs zR>Nj9%;b@AOa4`>?*_fz?tqAOo6g)#m9G|m(`6Xd#*6$%KltXNgWjG7P6Ak$IkSqg znwxD}Qc!Sq_ZF|RcC?>uxS6&{aJr%j^;gN0o`xC)3t^e`ku%bQOyeFy_IXOr|b7Q|-i1SSg%> z+{y7xW-iQb>Si|`{fl*m~a6|IBTcj}IWSM+3FgwG7@69KOr--&&z za7s*hab3Pj^2AFnBk`(ym}BorSqxvDs?cF9-$$>y6CF+4o)Du)`mb0KM26!Hf*49?YUTzus?d6>IK_m-puG{;xu?F=i<(Pr+UjWMx_kbPt1 zNR5)8$vM?uuHgy#+aSKA%r?RRDMiwhNEpu*e_;NDSzqkLTb3jBSv`wny}528NUrqg zB+&d2@9oVw4AL|>!fc;u?#BHVb#?Wi&<0bW1Dguc>>4a9jj5SG%WJ!|zl0(8c8^r! 
z+!SgZ1ts1=)}WccEq&eJeP1j#m+sKM^wc=T<*`r(IDs8(YESrU&ZJdC=%6H}ZX(w0 zO?ATnO;1n`yZpM)H5EC_L06N#SE_eRVq|Hv$L(>;ZZI=N6c z4CE2r6*W+;(z!#d-#uP+D{DIN?!JX+W6~ZZBxUun$KLJ?u?(7}tcdxQznul0vgf%p z*LnjP-Yd4c1#7{Au>B*?HwL^xOZFzR^1S>8>=Ur)_uq~XMoahLgMheMt$2^kXF|q@ z2C(05QhkXasRvalnm(O3+>a%x=qL6lF5g$tN)FCBR3IB^!We&I@fpt$h)9v=8lj*# zN|jgXM)96ygTU-Iv2=!~E2L^sE$=GF4`174(Y}CJe*hx&TX&;@$j9@Uc&%JYx^ggU zhs_pGjL)+r^T^c~u1Ersc9zY2o z;HbEhpuFCSx|VvigzA>7w>Em61AX|zQR4eG{9+XGDQiVPICUp;RSL{+-a6;=`3tv6I(YV}j%t;kV` zN%q-sq~R|d=jE9DmA-vH>Cn*}NCOo@L8G+5V~a3^eiZ{RTSn}uG5~OPZoHD_;p`4w z6=1Hqg+c>!WXz;l&6Axj?CV*BI7+)T|0eSk2=H4!HgX{En}kZBoN6BPia?7Dq0_(f zpo%FsNnUN`wK;swaEFZp-GI<7Kvva`f|%EV5quMb_y*Xi}S) zTzPS```U!(b*UZahdJ8%glVEcEYU%$!C(U17=H6&{||>b)XR-Iu9YQZUNt|6HKgcl zxVTmnWCjtFUnVsKJ9ks;q|)!iI}OU_RR}@e zv{2fQ=@Lg844JKUb0~a|G6hpX<_)WLjXwpco_1o8fE320Y8uHBDB|5gqsyi-Ry@SA z-^ZgjeixI(p05|AU9WB*?xt&5hv(U(V-PEY{>(rZw~2U*n5bMuf_CVQtaqnq?XuJq)mmE-x{ojvow=-xS{S1?y9?#zn;!e#sV>qPV&SBrb-!QcKmuDY= zCjW6;-M(}#K<%2gA)7JH@&WXjVWIC#THF$IxI}02Fb8-3df5qsQ#|CaQ+XK!w*zq9 zOjF!ZAf8C=4o0tg-w5#0c~$oh%sc=e*ATe6;_g zgG(TYf}2WhaFlYp-x$5q9-|G2$9__yI1~c=FXuUMuu(OnGEP*0vy<2XUNJhTFE-D2 zWBIy16b`b+kiczSlsI#&M~_^0#{;46KX0YhvQ53uNDQ_)h3sqb)d2*sd($F5A;9l> z7hvX1yfv0C8(Dd*hVAp?#0wO2o;|&AUA~^+%&~+8OaZ!N7BXRw;0S5(Kr@LI-Fi`) znz1(aK?fT^$DQK`pHab6;{8mONL_lu{jM|h3t^90=2U&G%fUf|MU@6$F%hHhLUc3< zRRH=9f^9vM{TPwdX=w`xW^EEV?>6)4&hpFhR}yd?;F<#BK z^@oV7anU&Ah*KoXkr^f4;r=1JV?8f#umc0!*a%h|TaT{4?ADIMAtEY7YD_NGVIsH} zo?v5;JNC4A-qg13`RxT0r@JZ}ltm~A-vZ}Ec##_vz<3J?+???_kEQc9wLYsy_l$m? 
zl|)9eU9e}-7W5O{A1A5wj%W@>Jv&hdc6*!THe<#9?#y8@n2d#3>#y+jpEEc&UeTAL3{wOg_`tCkPL1RTwOy{*aI9Q z5XW-Cl4As~LRgT;$2`K@`~biF*bph@KWg9LHYTr2)vz}mR=xth zVi?Qy_WuIh;eYW7q7AkN+N?&!S#O*9;By|TSyx@@){!!QUcOet z&Q@24IR16pUjELmPeK#WXV?jho;A&p1y@WCrbE>iLZVp=sos;iOxzFIs(4s@LiUa} zrjBuHT7=vLQFnZDy*`uY-~ZOxZ??grQzm!Np;`oa@?uxgY29U+k!;K%-|Jwyk`(lz zGf;?6UlRNEoIlfBvQrtMY(@0!7xsTuJL|=GBvXSyUL2#V*3eK3`L0@z#z#;Q5e0u= z_!79bX=rE}&0Q(&=rCkx(armR9FubaDz$@nz>Vm9(hujuO+aOR9wt>c@k#wxyQiN7 zBqAXKKkU)_pRH7%vC$jnQ7PS5OfoHjGP0j;_nHNk$PPgROvGjHN+T%rh^i{%zUhI< zI|mYw&9Rlm`vlhL8=1k*XRu{JbZSMW2?N^7jW7JDlJgT$jPS4Cq*Vg7TA(D>RB36b zmD~hZtlUDSvZ=Q&scq#tKV0&ABG=ge@Y+r0b({r5jG|~X;8psWlSC2JY}mpstsgx5 zhk;+H+3aiP#=TB?G3%bh#BcRc%>~o|s}5h!hEJ2PA2FoQtReVG7g+FpTqwsuehKnd zQ_AzHwStD0S5#VWm+CL#1t##A(u(YVHdk;}`LAUo|6oepDu-U&7&#rq^U^sFKSR77_^eYh==JMHSp{ z&k5iJDyb;v5l@5ulcG&wr^WU!r%}0Uj49Ez3B|ySMR9&)aA&nb=`QZbdm_#ge=TQ> zj@&~MDdgy+`xrgp&zoqzlUPPs{nH?tf|HFo{vLz2Y7*JbgntkcH#XHYd&L@#K2n3* zmJ$q_GKRIQmNv0IoVCh0+z)wZjMx=yj*#c?gk?sky+{6_|3& zcT*dq*Tpo-Oyp#qVVDXvF0Av&x5SjI37~anbR%g$mPOt7cJxYcQtM=;MDvv$;YCR< zgun~X%g|82BcDg;9}aHrY4Rc&a{S)~+CO*|;#o1SwWg57F?%N<7?#IHeZB18Rtz@X zd=(nK_C54A$9|RVJ5R%;4VIKKQfY&udw?f%0ceW$0pkp37R>wnq>7sB3Iw7@GDoX9 zZ*-~@D-Y@s1F3%8!puSVz0)B7aFC-3g;qe)G(H}1HNsA@FA}E0(3dx?hDw(_x+!I< z{OCoj=wM1JXx9e2%}yd^=yP)8r~H|tiK=tOZwvMiXdo};u)1cgM2`?OpgB?z`+vAA!$G** zigqI*7*wvfH>sn-Z(;gL`C}HT|Nk@@e2fbwf*n;z==V4El@@8_i~_NeNtY`9z-{oG zA{L}-G49qen$lTK%ACvY7Ve=m&b z{>dXz0m_p>wY&(%)9#Xs;)9gHbDB9s@2CZit?CJ&?4r4dHVpKvpp!^TGF6zRh)e4o zom|o0Y6IArfxADl?gD*T*Dm_>xRrBVgEXOx`_|QUw?@`_zhY_IS8B@covEzfX7$E# ze#s{&z9>c4VWBQ97lo=P&Wz8v*&9o>?K2{G z?KBF4!W|`nHPL#j-Jm1MJM@>{bDo2Zs)Z)tO}ay$_i4aTYMs)ekmQnzamWb7x zPCFnno_pDN6S&Q?&p*^21bH~X={TFVaFqfl@%~%VlQs%jr@T6Zy9kgMUbkUpGZqm| zHau-pR&SW#4_-=V0ruYQglTLzkKUYjPYg~9%|eD$>ZFM;`|3MwKKE9pHU9+{d9|4b zY${ES^yCu0>w1zU%+i=SKaF#sBByIs`7@O@Cobi*Md#}O6tC3Xal^%Vea2OTNTcsY zouixqHjvFg*7}!i(-;$v)3CONnDm%rQ|qmm+=<#(+XrGu{0GquYLfv{q1SsGtF*OA z$TNrEJzJ@d$_T1SgFC)UDXa8V~c 
zE}CKoTH6Od5*b(SjQE6BkVV|~xfGlop`QDWZKPg=KF2tsn*xr`j2oD0lzaY5z}A8(MK~W~9ha2K2C}T6^7um~APUVPzC54m$+6a^VHDnlG1e5Q&@UvX!-*r1<2c_qz9^VvKMKDM z+k-&ppVW3n789^Eyf<%rXDw#7-nCwR<5U~A_(;c6)&TrJ%?;G$?4RyV73sOnO?iLXDt9OtXL%-z8 zdjj_Cxu~t*rj$eG{l`OUs7-}^HcJAl!e{w-iP{z~1ojG-rH0sa_uAF))<@+v%6jk) zsP-6uUN)lN%TykN%jQ1q7x(CS2jUn4Kmv)<&Z^)Hx24G&{eJvs6ZGLeTcwHJ?A05S zKD~|o3fJnP!JJZd1#=;A!Ein`K8~8B<%PV5>A{0Ob>S0Kf^A9-M3xra8zPVxsLdbf z1Q}jc*x_i5mZx&IGp2`2`yfmVhJdZa(k?v7(DerGgzqLXE83lOHey=VETBs`@anlk z?GFIuss@i)hqu_6AwWND{*&V-iu!2~NreWec-(-`OfPgU)Mrhve_p)Vd(5NfuhVGZ zj=jGF!Xg@cu)D66crlMMB27=VURi@1e=QhK;5xefzq$o2HUk+R~5D}v+N@~ z5>>W7&2R8Wj7ZYig<9>YrxyD5ny=IXIY(SpGk4NTb^anUl;-4ja7lu?5`4Y2Xyc(c zgchMLYN(y5xc6)PR8Rx3q99mfzHkq>O*ZVWyBkoL|r}m=_Jt$_ix?20jaOvWddi5eGS)-N+;C*32VM z4F-ipqc;s_0IRxa`~PGMQ6@D>7{YQ~T1`szx*>N&-vMoFy3v;=KCWyEa4USlksySc z;vh~!8tq?)rV;UNI#E!dM3E>&==A_9{7v3>(i^`73el%%&cd-C^*|K2f=D_X3; z*8a^>;OG<=5sa8ax8a~CEr*g+m%aTm+L*1WC(5~!wG=+6?ztI>Lk_t)IIZ4r&y=2f zi1uX#`SFy==-m9-8~EYf)AA4Ti32O^Ug2(a&Cxl5wfs4zDPIV*OkXTh)IFOxnnM_bejHw$X1iKqnde%**#mq7->8Gl@@#zl6$B<4w`=Mo?Qzln0 znfFV{6`sE*ejM0`-JpC%K5D9h8F!A!%U?H>7XZ!9vB-vGw4_%LeXDSb*|0-LVsj0& z;10Ddf4i?P6;wAapQD@x$mObgyb)zg0U7YH@=1&<;N{S|c-GoCQHgJW&h0JjFIN+m z3rk1QakG*y6vsgn*pqB8lW{*HE0H^6Jx8dqdgg=E zj8?3ZG7LyR*v@tUQKM;whv%$uk!@YjNjIzR1Otlf)A! 
ztS6n>$M5YU6i`|Kc(2l$3CshS0Yl4P@kCTTo&F#C{e$(axp=D0*w6rE5AIK(*=K9K zvZ=3p8xx>GEm+L@YOXcRDh9XBpI(I#&bnD<6sG#&ZgrLkq%Ir&P266;O9AN$Rsjf3sBN3CZ$S80}#4-S1m37O~92Q@gPEvKf-8|K>?x|c@y)uTEnNXrL~02n zL+3+8-I^70BD%v!Q7Eo0kQ72R4z+u(^^bF@k3s9kTJ^nks>b?mf*xio=+C|wI0Pkk z=dPh*p$x^m+T`F~$e&X_dK1;S5o$uX0Hm5Iq;?lXQxfg?0M)aX{ZmwaPRUw!AJf+O zsl>FXMM@qsXw$-Ob<@qB(#YZ&SCs(R5BRycm1yK*CkRAMMyWP4voMOZ-W}443scAs z4?8=U z_tt5mi)!CpajN}LTZwo>e<7DKXy1~DA($N-(&do%{)T&w2 zQBPTyNhB0C!f&}cs0$g~g$wdYEp8vk>n_8Rs#1|{;auloxz3n*o6^`?!4oCfVfRwd z8q7o$ zIQW+aK5$R?z8j&@5v$%H(Sy6WxMPg|kYH^4_pB(*polyZlftwvv*i#NcHKP|Mq)|t zL=X7wYm9OqGTsRb$$c|a42~H=^}U7bh1+{#-ytm`p>n)K+~U-3P}v=tdp^4L&Ruy0 z{UtUfv*E?a1fiSIuhOB)ABbJ~Nxmj0ezZZ*=L!-L0F?7`fGmH2KQOw|{IKufcf(7A o!YaI#pudoJ*$a>}wGZW}u+e Date: Mon, 26 May 2025 22:03:27 +0200 Subject: [PATCH 10/17] vaultwarden: ajout postfix au service systemd --- modules/services/vaultwarden.nix | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix index 1a27dd8..121822a 100644 --- a/modules/services/vaultwarden.nix +++ b/modules/services/vaultwarden.nix @@ -6,15 +6,14 @@ file = ../../secrets/vaultwarden/env.age; }; }; - environment.systemPackages = with pkgs; [ - postfix - ]; services.vaultwarden = { - enable = true; - dbBackend = "postgresql"; - backupDir = "/var/backup/vaultwarden"; - environmentFile = config.age.secrets.env.path; + enable = true; + dbBackend = "postgresql"; + environmentFile = config.age.secrets.env.path; + }; + + systemd.services.vaultwarden = { + path = with pkgs; [ postfix ]; }; } - From a5ee12226c81906c28a1faac9e34188c4b1d43c7 Mon Sep 17 00:00:00 2001 From: RatCornu Date: Mon, 26 May 2025 22:46:37 +0200 Subject: [PATCH 11/17] vaultwarden: ajout nginx --- modules/services/vaultwarden.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix index 121822a..718beda 100644 
--- a/modules/services/vaultwarden.nix +++ b/modules/services/vaultwarden.nix @@ -1,6 +1,10 @@ { config, pkgs, ... }: { + imports = [ + ./nginx.nix + ]; + age.secrets = { env = { file = ../../secrets/vaultwarden/env.age; @@ -13,6 +17,13 @@ environmentFile = config.age.secrets.env.path; }; + services.nginx.virtualHosts."vaultwarden.crans.org" = { + locations."/" = { + proxyPass = "http://localhost:8222"; + proxyWebsockets = true; + }; + }; + systemd.services.vaultwarden = { path = with pkgs; [ postfix ]; }; From b9a15c0d87500e5021a37b3f5bba56d90f18fd2c Mon Sep 17 00:00:00 2001 From: korenstin Date: Thu, 29 May 2025 17:44:33 +0200 Subject: [PATCH 12/17] Whitelist de crans.org --- secrets/vaultwarden/env.age | Bin 2693 -> 2707 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
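Review bot: The virtual host `vaultwarden.crans.org` in the second hunk declares only `locations."/"`, so nothing here enables TLS; unless `./nginx.nix`, imported in the first hunk, sets it as a default, the vault login and every token-bearing API request are proxied over plaintext HTTP, and the Bitwarden clients require HTTPS to work at all. Recommend adding `forceSSL = true;` and `enableACME = true;` to the virtual host (the series already carries `secrets/acme/env.age`, so ACME appears to be in use), or a comment pointing to where TLS is configured. The `proxyPass` target port 8222 must also agree with the port vaultwarden is told to listen on in the encrypted environment file, which cannot be checked from the diff; a comment `# must match ROCKET_PORT in secrets/vaultwarden/env.age` would record that coupling.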
diff --git a/secrets/vaultwarden/env.age b/secrets/vaultwarden/env.age index 89d30a9cc410272fd689c9cb1d94cb67e26d9468..6d799b5011caf4ab527b74c5bf6f17161ba04468 100644 GIT binary patch literal 2707 zcmZ9}`9IVN1HkcY#X2@ZOZOm^mB!4ND@9|Niy7t~Dr4^ZKE5;4N|$nkXls?0c10~A zu_Z-`B2%br(xqtSNLrPiRQB2D$EUyG{d#>qJc%eoq!#F{TBA&(Ua!$hz-EX`NCe1W zkcNnaP&gcd1~GJ&_&5N>GV*LRV^UN+5>Q~oNl`p(C?VKJH&TT$@n~^OG){t`7_mAC zk(TI!F`1}}XcUyiVeq85C<;u-k}!-Cg@&qP+Mo~)R%s*XWI}{E%H{^p>PC9 z1YiX)0EAJAVZmyhnF=8#*-Q|%&Z@J75;(CU0zn%rFbRZIwT>!>gJl5B;vxVzY@SuZ zWAa!wl~SkWge3}8dJ`{L&bLZQNDdi-;mJgJtcW4`KMR4411J1zfl&ZKm_)RS1Qre! zhp-Wos8DOX4knXH0V_sgmSQL|B8V0+abPZdFhxuZ<(W9hSUFo72RE8AdOpnp$5Lf_ z0IHK2_*B|Zv91fX=a9)i=yCGhnG5i~KH!i&++4NL*sOv5LjVkNOsv=T-AS|fpF zG?4^kw6cT63O$w@$G2c;aj{}HjS!EG=9m*W!NC+UoJb^?5{+cDKnb{j<4I_$(89!+ z%ZwCgPAWMhwVGijpNEW2kIvjDScB#)R1@d@)C-v?4hyqDUV`x6;u6 zPQxd$6)pt0NzByXuu77|B0#gE2x2f%s#MU~v;;T@MwXD28nYfwj4~KeE+HWyAh1rF zB&4COYfxUa)=KHIj35 z+@SiWE3c)!vMA0sUke&jJdHU1+z1Wa`siU?MAd_*sb{jCr}m6~c=mpKRpQOYbZ$B+ zj6bs@($WWMfB*6M+b239x1jLRixa+^377Xc5ZyvxNk^DWi`ab+pj^@Rb1wq<{9T<*Zs9&$b<09W&KfOmE#k6IpGCY_O@Qe z40ZQ5?&w@I+4=14+!H?mP}q^r>xMYfE$MII>;FTy`r1DAdsHs>h~R$u1>1SxpzE54 zp3xJH*J<}6w>ovb+RE~{XcqM$;~ESOK3+|x^s>7x>qiCGr(*r%rc#Y)$L&G+>0Q31 zjf|xY@}<_^hQjqK$T6p(&yLk2{PFr}CdVY*0`~GI)UVDzUX+R(IP@-t=DXtcRcQHC z-o}r=&}s!kw}m@`_C_17{93UAOUAm@YkZ$omJGMqJ*w72(Flx6Z|e$d%b_bYO>lYd zMCZ;&9D^HB&W3@<+x7%yNb>?C^Kb9`$0@C6qzg87%l5SGT*7a3IB8>oLrT(#2e;;J zMZtPKO6>ic0#?p;)nT_RjKaa(TjuFM27JOMlfK1V8e2uTJHC-R&hcnTSvvdv<*8T8 zDX%(v{4>6^psXrZ+Uncf%_ZBzvKFVOk;1n(sYd+Us2PhHM{^1!?-UmAuBPGp(ES-C z)TK|4AG~e^uSAA4*yQ(Wuc(XvTG@7Wl3x1R*wJbp*3I8@e!^LhQu`d|R@+H&!N<-) zn>^Exavi>}b-#85a?3e!?lGNTGQPU6W+*tP*KwkdH#p^~a9zrcZHEuP*|h51!T{3D zw&EzCz=ohD57BS86}XPx?btYX`yeZNaG+ud_2tK)oSa`r{|v%R2JJZcAtGs_Vt&W~ z+`k~Ypn1Z+I#wLlclLNRTpor}`{B#@0Q|n077Gs!zm)S?j_#RDJ2d`#xMAUUIGIGo zuVSp?ms z*_E);y^;>6OnstZ>#97);Js@bha@xS)--LeJ{>7rGk}wDFZhUVs57%T7h++PMF*NS zs=mLRJZDf&emAtb>9c-EgdMx^y6%}+V@ 
zL0@_I;`Fw%+O*?G(wqs&aEVWV%sxxpkzcT2wG`oA>*iJ75VNRg-vv)SE^uXi`Ndf| zs1D(}V5B8y@biHksfPK9{Vj)sXP)PS)s^s}GqRMo+CmgOI;G72n=$R-=8|{nzWy3~ zIWGI~-J!*nvkLLY(KCVCQ|58{&X7yHmh=ptvuB^Tm)AEAu*M98uvhq+1-n8Y*p~o) zqyAM>$XI|Ij9c@t;?zKd&@WRSZ z1qeDG=kUl7a!|up!PDag(@auED{XUqAlm_?cv71wO!*loCfhi zkP?|!>yvi%OvsffM`C7s&ozN+G&MRavoPWoqdIdcT=Dmp-`C_T%UXQc)ww_C|8OIH zVh+OFJF|oyVh}s7%?Oa41g`Qt(iE3wp37TR^ZrB@_MLtG-oelD&HiOY>|GZhpPcm9 zJ9U>ejLxa_tmhxQ@!HQbV)v2nwxm*Le^lM{n0VD4vjF(d=wIPolilvztOK>bvi=Kf Ch`3h( literal 2693 zcmZ9|`CkhR0|4+IsWhn+@+dV#YSz}yh6lUvwX1gUQQO+lT3fp}Nt7p%t0Z*LAtpL_ z(t|E3mB*D(dF09wIr2~xdV1gY$Jbx*{d~R>r5r5R$_(~oQ-V$#t}`ehmIwfN4bW&* zf#vZqBr*a6_MPJAw}tN9nk7s2HUoinV4LmuF*%q&A#1(XvTMwOf?d|7pny7H~2Qi2};4 zcp2OZ#G(`$Hk<+B3)GavXsSjK#YV(Lb9E>Y1pz{3O*DG7;> zz?#_6$vim^Ll;tXW}8_b1yxEBL@eJ5;#oCz443(T77EXRu>Wgqf(zmeWK%qxCrsj^ zaS&;85{;8ch8j_zM7*AZ#nGiaK3^=BlMnzcC^ABY<8Y$QHf4-F0%X^4%tk1aOd_bY z7ClzVrV{x^41}vDM*h4=g%RUz93Vx;iqVr8EGC1DBf-c*3)&LHW2x*?MwH%WGJ{lj zCCy(0ya_tNtS5LRwFcNvPSfrzoC~&J>q2}@}HYGqoQ_)dM7)D`X ziHtI%ObCKv?J6i$fYAw&YI`C*g3mAr#3rN$`?E%7sd!{7(2msWBq+O;fT0luYJ#2? zZHX5VVB|=PCW0*_Y?3haC|d%Jh!G+HY@-S)hT143Zj^*Vibq+E(QFg~ZK6e^g|uX` zC7NOpGlfuyCX(~BCKocXCM*zyByxCkLVSdYuLWtDb{j$uryHmsp(zr_R1lItR;*lS zq*)TRRzQ?d$gtA5N;*iP15tPe76zn2(ZxKe(iCsR+s$O65Jj~Tm3%T000x7BGNMj} zkFjYfQmO&QRLkrlgkEGzij1(qbTDyDk}R5tf$A`5u0jbgWKz%adeyCYJ6tb47=piP zksjGtoYv#Man5z$io!hnUx_3jrKF;jGuW*@KA-k6dnj(_tMi=bfs}-ZZ-2d?r4>>$ zL;X~19|D%F*Sozs@fV=vkYROw_GeZs@wcx|S07CJrrx$a{R(Ki>~T}&#nJZAJcYju z6*a;8j*L`1WoKwf_Ukc$ZQT3Ezbw*)FD+SChUBKnWkt-7)R+%(xl-sDhNVKT6I{;D%>vZnWb#U=HcmUjb`eGBoEt2T{#1c`2h%=l+#0Vp;rf7M23_`0oQ6Va|g+tTZr zeeY-WuHvKsU10g>Z&m%BTb{8GdZ}$&z*v}PAl^qe^y89Be(QOyS3nTYAJKH^*SW=^ z3~ZLDOrHAY*bik;d?bdvzYs%J#K#Uo800Vdvh#~{hl(x~r7^Uw@taQ->~HB$uVg!1MAE5RPx_+D!@B}LP@%E_-@;(H zY+dp7tLgr7tW)A(3v_35`2yboH95bvW8z4W%U%K! 
zSv`E-I<4uLXDE1OLHGFFgOSzmH6>f`!kr~0U-}k)`x2OS;l(_nrikD_y=(-#{a!@U zv`|0#TpK&y#?L( zLj5B!EI4GiLXPW;Y`R}a>vce|-i+zm@sSno>j9Ht3Vl0In*TYECVkD6sXq zc@M4#PRfM)mR8D^DE)d~#=3(pXQNk8>pOp$k9uR*&dG^`9M&vj04tl5J&uxhlZJkNi&MS=G@{*CSi=IQClCzViIw-l|8*sUv9n zxiC?~c2SGpg>@@dW3v&Y+P5pGgB&+k??xuY9?W$@azQIPyDQvwIq2XuLRebDtXWPs z%NECgeCIQ_?wp6tY?&pjPCaV$gZ$dbqM-^=yzdNS0>`(U0cU9lYC#5Ttn*PYyq*u7!TIr1LI52rowR==3rcPp-(82WWp zszt_`Gz^!+>H8E z%nmL`bJADuZWi!ex1LYGb`nGg={bI$*|GiD+e=$~FnxokykC?I{20f7XZ!6#)fiJ3 z82CoqITx;~8-Wlqb0rjKt5* zg0GRYmtQT-3IXKa=;YQs^Q(BD(-Qn|JLR=$5;~wcT}}O}s5ZyCo(X*!=tCqA^k@pu zA;r0a&RvBpy&tX&$j}TJq5ki` z^`w<8*{my`F%~Q4bu-*a)e-JX)E1HO;xPGbf^V0v-YgXh!eSA5!3S!0d! zIJO^4q9EJ)avJ;1OGZaF4nF>vx>j2EXx=`5so0jF+e*-Pg^dk)F$gMtAlfkUwWQV&1+f?`5M1CarUi;gI_|&CmKE)N_S4NcZP3ylTkujb)rh#8+v>2 sWlI5!ylDOCtkUpZ`e6Ubn#O}#?asZFYm+DQ5SlS6A3i!-DtvtKKWYJ-Gynhq From 7e3c87d8bb67101a83ccd0ceb49fdb5c934ab283 Mon Sep 17 00:00:00 2001 
From: korenstin Date: Thu, 29 May 2025 17:58:13 +0200 Subject: [PATCH 13/17] Rechiffrement pour pigeonmoelleux --- secrets.nix | 6 ++- secrets/acme/env.age | 41 ++++++++++--------- secrets/apprentix/root.age | 34 +++++++-------- secrets/common/root.age | Bin 1561 -> 1671 bytes secrets/neo/appservice_irc_db_env.age | Bin 698 -> 1134 bytes secrets/neo/coturn_auth_secret.age | Bin 643 -> 1079 bytes secrets/neo/database_extra_config.age | Bin 751 -> 1187 bytes secrets/neo/ldap_synapse_password.age | 28 ++++++++----- secrets/neo/note_oidc_extra_config.age | Bin 1335 -> 1555 bytes secrets/restic/apprentix/base-password.age | Bin 1125 -> 1235 bytes secrets/restic/apprentix/base-repo.age | Bin 979 -> 1089 bytes secrets/restic/client_env.age | Bin 1525 -> 1745 bytes secrets/restic/jitsi/base-password.age | Bin 1125 -> 1235 bytes secrets/restic/jitsi/base-repo.age | 35 ++++++++-------- secrets/restic/livre/base-password.age | Bin 1125 -> 1235 bytes secrets/restic/livre/base-repo.age | 36 ++++++++-------- secrets/restic/neo/base-password.age | Bin 1125 -> 1235 bytes secrets/restic/neo/base-repo.age | Bin 967 -> 1077 bytes secrets/restic/redite/base-password.age | Bin 1125 -> 1235 bytes secrets/restic/redite/base-repo.age | Bin 973 -> 1083 bytes secrets/restic/two/base-password.age | 38 +++++++++-------- secrets/restic/two/base-repo.age | Bin 967 -> 1077 bytes secrets/restic/vaultwarden/base-password.age | Bin 1125 -> 1235 bytes secrets/restic/vaultwarden/base-repo.age | Bin 983 -> 1093 bytes secrets/vaultwarden/env.age | Bin 2707 -> 2817 bytes 25 files changed, 119 insertions(+), 99 deletions(-) diff --git a/secrets.nix b/secrets.nix index d8face9..b2665f4 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -6,7 +6,8 @@ let korenstin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIh26Ejn/syhvReixauY8i85+XD8P9RRJrPQGEyAQ07l klin@nixos"; lyes = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHW62pK9A6E8pEwmSnTp6oKXac+bbOJ4VkPvNLa11No8 lyessaadi@crans.org"; lzebulon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJRSBsRgd/ITK2An7q1VXoeDPbcydR3FkQjHoO+1tAAO lzebulon@archframe"; - pigeonmoelleux = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHa+ptSTNG4mnGUEGSkHTNDzyUGeiMnaWS2nDvJwrYTp ratcornu@skryre"; + pigeonmoelleux_0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHa+ptSTNG4mnGUEGSkHTNDzyUGeiMnaWS2nDvJwrYTp ratcornu@skryre"; + pigeonmoelleux_1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA41j5jdFj18OSHONx4QN9mMT+oBmtdwb1vstNavGOnz ratcornu@vrrtkin"; nounous = [ aeltheos_0 @@ -14,7 +15,8 @@ let korenstin lyes lzebulon - pigeonmoelleux + pigeonmoelleux_0 + pigeonmoelleux_1 ]; # Machines diff --git a/secrets/acme/env.age b/secrets/acme/env.age index 14cc6d0..35b0750 100644 --- a/secrets/acme/env.age +++ b/secrets/acme/env.age 
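Review bot: The rename keeps the previous key as `pigeonmoelleux_0` and adds `pigeonmoelleux_1` next to it in `nounous`, so after the rekey both devices decrypt every secret in the diffstat; that is right for a second device, but if the first key is being retired its entry should be removed, because a recipient left in the list keeps decrypting after a rekey. The rekey also widens access beyond the new key: `secrets/neo/ldap_synapse_password.age` goes from four recipients to eight, gaining the two `piv-p256` stanzas and `ssh-ed25519 J/iReg` that earlier `secrets.nix` changes appear to have declared without the file being re-encrypted, so confirm that widening is intended. A short comment per key, e.g. `# added <date>, fingerprint verified out-of-band` (placeholder values), would make later audits of this recipient list easier.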
@@ -1,21 +1,22 @@ age-encryption.org/v1 --> ssh-ed25519 iTd7eA SOdizgV+LHwgOVZlLWlW0ywVXHEzmGjBTEAbpbSGBAs -4AO1uVgvA+jkpgKrdFZD0BIMRmxGbKavfYZdpgDh79c --> ssh-ed25519 /Gpyew Tl0BGQR5Y2gEVRT08vx0LOouwZgGeB8w51r8Opt2Mgg -tsmtuQPnV7LM1ZByAsVyDrRwl4TkwQ9qioHR0/dDraw --> piv-p256 ewCc3w A4seXIEIpFDXUUNnAgrnx4vYhbw3ii8lBg9SpWiGJLte -LInyfV4f0sPsJcK4qbzmPQBcyxFimDleNujC8sNSu0k --> piv-p256 6CL/Pw At0UITcGiU6NQ28t3wAHlStnvfuQNvRUg7lOluxRo+a4 -Tw7/nTlZjKVEwsAWrnsFZ61v4S2olIKsYyGbQC0GI7o --> ssh-ed25519 I2EdxQ bFTORPs47D3JQEXa1i1Zv6gm39Jbqh6UwrwWrYtuLnM -jX28nZJ3WbfC30eq1Q0VCSmrBbrm3Nog96aWrxAsI5s --> ssh-ed25519 J/iReg F+xTdDl1YK0XT5NMudO9Oz+tMrOU/CDX85NbTcMxPTs -rTFkioHgePRwCLeKhqeVGYewnxCcgl+05YM6re30WEo --> ssh-ed25519 GNhSGw cMADVhvNtNaMO/bKWpB9riONTiukhJqeNarPa+zuE18 -X2XeVei3FHNwHZ4q+MxYQHkQx4qgjtxVtwRdv1dFo7s --> ssh-ed25519 eXMAtA VjP7gBICaF5BeCYYt9wXhY0WEkEU1SfVvCrl5MmvhDY -s6x46ikGHX15DFuwjo/q3+Ldx/hFriUT9dZ4iVJyG7Q ---- NoHZglVeoiTggX8013Hj4PAlZVFkKOc1kAheXoT5QhE -iFE -dPU0;*1+8`fP1(FN~7/'tMb -Cen&Ux7C+S l4 i]ҙo3OQF>?S>$Fv-UGϯL*ڮbo>˴zeak ssh-ed25519 iTd7eA a8H1iSFJQ99fdY5aIyZoedRVuB66+pIpgw3doydu6FA +HRvZs07ovO1e34AsJbC9d2ybMqB/DjQGZlkEvdTUsBg +-> ssh-ed25519 /Gpyew hcs5lB9WNAV33HPEI/xwa0zWiR+2XE/8hHqB6BMQXSU +K+9qcpVXJFJdzKROYtegcBAPr6yx2J8kQp8SdXGp1oA +-> piv-p256 ewCc3w A2IOcgyuo9gjutoV70398qJMjEbiTeELmuIUkujshdxi +0filLXpTkxcN+puPhkngFBGe60mchnuEBEkB1kd3ySo +-> piv-p256 6CL/Pw A+0V9DCKaD3H8FECcIytIkQJ+xpFcy2ma+JBQLeYRXSJ +aZeNEaLTh3uEQvDkkBwDtg83aANDxoUnuP1EqCdTtZg +-> ssh-ed25519 I2EdxQ WtsOCvaqwhLG9eZTeTb9fAOnChQxdoH73/EQeQnWtmc +GRjvVMl01FRGLQ13BPtx78H2pqXmrx3l2bl/WUCLiSM +-> ssh-ed25519 J/iReg 310sd0jMY18VVcSs4tktB7zDvcEQYGQi4EL7+xAEy1I +/DfwBYxAWBIv4Qp3FHeYkOSqxzICFtmxSSvqPH7Plho +-> ssh-ed25519 GNhSGw liOl4P4Vm5ohFhgyeAggjuy1pazAn5QOdLJ3z0/6uQw +pkPOUwJ6ZFfvmxOPuDTLOy2T3FLTUHjb8LSKbxx5Mjo +-> ssh-ed25519 eXMAtA 99UxNpHUc/0mSB6P1cdaDl3T0eD+EpyWSGx7cMtXWUk +PHr3c/QmO677qku1MfmjA2UkLfl/JnE7tN+GQjbuhlY +-> ssh-ed25519 5hXocQ 
LhyO1Zawf/VcIFGVJ95mDmlRJqTQcWRNvFGD9zphPSM +2rD6RbsGNu2TSsTbkBgyAuLpoYsQQwwaROkszopMBfg +--- XqQJ6u0HrdjbuQ+kw1+B6xKQFaLR7rY3kIS890N6coA +1mp23 c(epGLaK/dKY,Y*n},kkkZ@lby?Ѓ.R;J j_{/ՃGtN)!>*$=lNpj /ڈ>0O!G1 5U&/av1H&=0jΐ \~)qot~ +ŶGy~$c(Cs&mhj?mR \ No newline at end of file diff --git a/secrets/apprentix/root.age b/secrets/apprentix/root.age index 24017e6..c88217e 100644 --- a/secrets/apprentix/root.age +++ b/secrets/apprentix/root.age 
@@ -1,17 +1,19 @@ age-encryption.org/v1 --> ssh-ed25519 cZNEGg uRRHS8/vsv+HdtnzBv030V6t4t+D83BTvbo+urA6KEE -3vyBxkv2OvKW2yxZicgTn7DB/5qHwNOKgrRl+EaEYyc --> piv-p256 ewCc3w A9gVVQvR4Z/GQKf7CAE6Y19sLs6YO1BNrIls5Hy2QUnp -CKjuobW9dTvAQ8m6k29Ft5vlyf1ukqEhsrbwkZLcFlc --> piv-p256 6CL/Pw A2bbIwJfcbIlsfR5tJZopMXQaWrYXTl4z3JrMWzYWNuq -9zcXc9usX7F2qaEasnQZzS0dqNg6UqrB4krvCzMRhzk --> ssh-ed25519 I2EdxQ y4c0Z4xxhJMXH2Ej2AXNyfRdowqqn7xDpKdMSE8K1G0 -FIByr72GUA6XcPtNIy58DPsI7RCyFO1MZrQjqgbFEFk --> ssh-ed25519 J/iReg 0IUi0nvIQ0EP+kYxIEw2B5WgY9vP0BIIw+xE/j+XaTU -1ovtzwIE13/etKz1mMT2slbq6ZJ1JpSoOHeIBphlgbU --> ssh-ed25519 GNhSGw gefnPCvWFMMRUdL6yXOG580b/pQxzqpqJ/5nsSsIAmI -zjIjQiO/1wjteJmkmPKP62zDyZJkbaievkV//dXiEGU --> ssh-ed25519 eXMAtA uKvtz/zyt2UCWuuzI3sQerCwjzU2+4bNawRCzFA4YBY -ezDyL9NgmIZuyX06Suc64viWNXVEImIU4kH2AH3lD74 ---- 0m8XP8zS+MqhBXxgykk1n3TvAFtwxcQmHm8lzl+8Nd4 -{3' ssh-ed25519 cZNEGg hx2K+BJ2BE5shiuYVL8lNDebSXOslE+D11wInEU5AC0 +/Voe2mVa0VBiowquOfiCqBwbsNWKlqJw19Rshncmb08 +-> piv-p256 ewCc3w Atur1opHkIZnyRdfVcSPmXJ6pnC8KRSoTDTgRdpXhQ0a +BeNHX/8DygcMRjv+BYCMJEbx+yUiiOz1yRQ4WdpCkEA +-> piv-p256 6CL/Pw An/25v/ZffNknCs1+Z9oUHEa9sltmBbaCGw5zGtPlS6X +Mp3IpX/1m45V1PVIxnh50hp4ymL3VjCnDZ9+n+pjoro +-> ssh-ed25519 I2EdxQ MFQL0HlTcYBeQe5W+cAegZNrtvYh67YfaeQk5lKBkxI +6YtFHaJBmdC05zaeCNRUEOx+XdAy/KSSJbIFDAjqk4I +-> ssh-ed25519 J/iReg pRxUVtZLA7OlkbjZPNJY+PcWBiwu0qOUymXTACmOGws +wLOQy84hbkdjSiqywOU+fAoZkUg84cdUP5mmehv1Les +-> ssh-ed25519 GNhSGw oSRxaxlY2LyuB5QBkfQ+vIpmI6uFCCi2l4IqPrQxWgk +ePpTSXekzXDwSUZj6drtsvlnaKxPjgu+j5afvNsKbQk +-> ssh-ed25519 eXMAtA v6zL1bc8aR2fgESNZcmTtGPk5pjVj0UGiBd3SjqGLzc +amsA5x2C5dQBzqL1uu6popDmDkKEhm4WPeK0J361vNQ +-> ssh-ed25519 5hXocQ DPduJx7pfwr8FqMTXEPq3zXBhyElZTj3Ouy0d3S8RnI +m8K+tCRbGmnf6IkkPAa+scmGmiEy8QAvJppj0lvHYXs +--- Oelwm56/V9NDvorDKW+xqISHYjsqEs6HG/pYf5qTX94 +Ğuŕ{ %i[V4kX+d 'B<{h%P)m=`Է^I \ No newline at end of file 
diff --git a/secrets/common/root.age b/secrets/common/root.age index 3978639cf685de44e33345934fc5f03cd874b0f4..b00783c30c1e943b8e4351460e64d3334258fba3 100644 GIT binary patch literal 1671 zcmZY9JImw*6b9g8yRos2r+!`^rnMpE9CYelbUGDe$Jy=<+KR_(3w6wDn zYq1a(WWnt$#2+A*iXg5QBH#Xj^YEVYa-1l52uiPA>OQH;_o_D9jr+~R`#{&l4}lLM z$esY843XprunPC;2xA|5VMVd$30|Zc8Dn;9>g&C3-GvfBktvFR!8bQmxE7_qDB8}a z^R0{1InUs<{Oe@IEJ%c$M0$Z=XAXeUZ$LxZxeknGqx%Xiz5a%($2 z=2xv_(>ugN^*UIZV%FJXZFj1dU;H4YPCBA-iPHB zt6*$x45{Y$pxgEsNjhS+>?TmRwzimGV9&3uqC~f%1fI7?!FsG+NbbBRf%ud`-K0(x zyj8=9#4MK5H0qQpVMkx8LhszfHEtHu8P=wQ4)ks|B!^}e=TfBfsY6qyb;`SlRd*(- z&O#k0al36^(V9TaCI!HqNpe)e43uoFIkZ^X{-95|9d27uV{7=7kBQjorN5sxMjl(5 zA4baIriK?D=cmC}Ot+H5e$@5-EVLm4@}?NyoFLCRWE(Dw3{34*;!(NwJXxe`wMrfBh_h9va60lPnf$BO z$@ox12nqxf?ZFd3;v}rfvuMnO)>OQltR&rFQn|}xTM+k{iK1JG!YyUJvm3$BFL{s| zlh3o~-Nc#&a`qCkPqQ21%~o+YvLMB@i)$YKx!QjgN?&%@msTQc4IVhUwx3n)eAN~y zIFMoYx*2489-U)0|5|nT|!feZBcb!&}9mbi}s6+UeVytUVh=mjE*RQ>A?qMv93O$17NNb2ndhwxQ648+#`V78edK zLr|zt>t}0$+1ad8gN=*@@k$>9QzUy5pxon_{?oogpEeCk`$)GKZ7pLia$|gpDo&@B z=Ma)G@eMLD(m>Jmu`@uZr({SOZ>`#aqHvE2HEQT^&}OF^D;j*94T;UlQvi&w1Glo8 zS=h}*+f1lsuj{cK`b0d)Re4S&*e&*V?gUSpe3%KM5J~4e40~&B`vq4p22QV5WS@=L zyTXQS_3^&DRGWu~2Vh5gt-mtYAk4Px%cn7uJ%8}7LB}0kRJ9ib%orUyYIm&Kyz}u3 zhyUiQr^N5yKmSDd1GeD}8(-%6jA V%Lm^-JO2FXpX?W3|C+u&{|!cVDxClT literal 1561 zcmZY9sqf?j6bEqDtQd=76GU+&&5s__YYe2O;;NPcJUuzK)}~T}1xPAaVFJ$9L=I}vWo#a{)wuPLT-K1n*pTaOH(mYP*-s~g zO;4uUu0&+kQdK0YL6Dwa9w41jvub#(<<^CaX`qCCE=$SVBot~C9VXpWGi4FaP14aC zZ@P_zD42FS3uw7{qF+_bs7gUN@wdI_LY*F+6A!~)YQkF^XRT!RKI z4^c9y)w+`OM-sdsi?DV2rgSMtLi6ib;afy8O6gLkn*#Mh7)H?jC^q`_FwJ176prf9 zi|F7)z#n(oon*PuKJt$>NNCr12CRvo4&h!%@3A=FbnT|VC(>kyXdL0yhHs*O()M;& z-0$zyB)nC;I%K3eh3aWJZ^lJF9M(i#@j;_j~gX1U4wyfQZdP3p)bXA0#=Z8sj~t>yOI^_tOAm`297w%+8{ z=F>xq;sg-SY_y#L`rf$Ng){T!WDFi_8T;vqts%c2*nQ8OYDCRw zy|Mm(*%HcM76ZU(=xRdCbhNoT@-FbARD{e@0~NNOkgqAX7L$8LJ2a0rl9c4PesI_T zyoQXG@~1Uc*D|b5@VOwmDGYVCoq9_U-rA4@l$&u1n3OCrU(MBSMCV3@HczMx#OYc&MJ63yUfI5*lb1RY-(m540zF%QMezgL*`PCH$+gg 
zlQ08K{rWkzXV+tki%Nl^WtAkeR)x~Lxw)$T@mQXrIM6Vf+LVOh^Jp<71~Td* zbw^je^jQ|t@#My-bPoL45L-DH*I%A>(R5_W_*b$)_@^`H~i zM5(G+j5hrYN?n!iOl_KbMLw-(f+8J}pedU%-RWryK=+8Hx(d$9Vx?L=Zv5M{gkW_~`L3`0)Mlo7h&(^37-+CT`&0 zA4E2o!IjzxAda1yHA8S5rT~x+*H#W7Cfvsh8ePY>+VWSRz?3fQ)eT2bVId01Zk7Z$~liaW+whNwzF^18~b}UD%pEai?inmfzauxYsEp)S5h~NZZ<&25u z038XQCW7d~E6@NHY%=8Wz-SaC(+>F{CT1wswwl8vW4qG|PBZmtU`hy*3k`1?+Cr7Y ze7=lR(ZIa9iX;ZQN#kZw_LDG+HibOM$4Fjs_40A&G`IoFv$*;f@iQJ%DAH*2siNq+Ldg zPFSrZ4jDNajdXLMrA&v)$O5uaZOJSuASE?9)sI!e;f52j2}7AO)^^`ND4T4{>rYy| zV)@iMWOtXW)qq0PV@^q{F{_xmOem>^Wq~LaEeg|Be=%+kB7WlPlQIk{XP-ZI{?K>t z9fzP_k1$(THy*!Qrcdqvr1Bd0;sbAgyvcr>Zf>LU#Xo|(l8p<$+$<|jt*{o?#6Z{MNtwRJ!A%w-gh|*qtIJWa z5w6#0NbnGeumMs2Bpm5tu}Xq1k4Ky3OwGuply(D(q-=NdT2p1Rdb3J5aYA5J4obONbRHJvkiAG6 zMc~&f$1Xqh^P#u>WQ?59j?I{p#F2eJ+P|>ZGq*nQZ#A?bZ2Y)5Hjn`pM$h*@KE)h< z^w+*~bb4*p+tUrwtH0Uk3iz?Rr={Ea?ZGprKVRFwI(5TB9LI4GAJH7gGl=3KSRcJ9)HH39rXmMP)BJCnr2Vx?5G4PaKW&pVNs}g^ zI4FplhljTb_uwMvaHx|m>VbnExSR?Oy58M#;4L?(kE74c-{Hmg{jq$n?Zr-3r$v~= zuOyj|lql4`+{*Ky?YUhXM+Ys0OKY!cl^tQ10Am$;BeEZjC0eF+$3d;_aETe^*;R8j zyHaLoX9SJm5E(A)g;Bsp>=4UHSNHqOsUlz{+13l{fC4L$j21EWpO%JYJMH2`%d3V? 
zuWC^TW|ONXSQNSK_Ta584-Q$17Bkr^nn_&OD~c@Bvf<_%2`bs4kfyu=dIwRUI+)c& zTU78;OpO8uE@uvP_fo|$L1vg(-Dl*eJf0_uE4p*wO9YD;xp zA(feA$!bj{1%%b5<|qXttO)B9nIqh|Z|ec?jkyjak%4%y{6&fJYNw8}((dBbXjuq7 zN~A%PJA}sWr)75ykIri%5^A2`VnN9)jCix(S1edKIEm*)=3!l9*JE^kiVR%C^2I}E z%s7xR4kuO^$Zx2p4%E$IMC)sbcTj$#_1S7f#6_ zb|zBQirhW&o2QSdf@-Pgw(_^Ng#)s$_Hm~x1%V8tmBnaVWEt>rq7128q~Ruqh7nAM zGY36uyhnD!13hun7TQb)QyXU!OaunkFM;7& zv?C)Z3}fZaRGoga$RIp z*X9Q=nK!`kSC_6`NPpeIPxNoTdvY&tODFHV3|)WW+41L(|2g~nuQxxr^6iZ;uH5O(BS&=w;#v-gLyac{M?pq-mP8P17c6)1{)=rg=13lQe0Xq^Di< z;z7m`1TTUjf90KU3 z4PR92@U)vW98;AC5tA0`Q+M1Gr9#sn2I&+b6go%dw1Zn2X8MT;2Hpg1Cmv@D1GQ83 zErTzx6@1V@m*i}mPK%o6mv!4Q%B>K{F;Oc);wlwa+7!-;Lxdw`gwHnd*cMQP@kg}U z;;gW0)DCW}V99I@wrjjzX9Kk)21*}ENCi<*Hje02A+<=!k5`kGh(oxhz)}F7RS3N) z*UXF=iP?%7m3g`uEy>zSPp{>QlP;4FJzcVK!#lX?D>Z6Nfpnge1d38gV!|~lp6*Ff zHOdd@YFkwVNAg&n)rZBp5mFRjIdaJo;7G7Uw^HJQ2<@jcRp>W1(^P1UC#^{jfHynup_Aab_+m*KFJNv(H z{5}42@8~SM|7Gs=pT^mp+0M?g#t<%-i+CPn-G!0lO~rF*h~kwlX?2Z(M019tC!mgDGoW7N z`GBm5fF>Ktg2<6G6g3xijiItMoHQD71K}5`*_;hJI2sK*8BP!VemF}r=pW4;#|0NI zqj@8t^iq;1EUazdK-b8G3Y4J~8DMNxvg#Z^k}c396gcZZKGtK1F_K#~iq%GKa>=I}*9A2e`}@h4L_VE$*JR0CXnWM#ZV&2dH?PVjD62Gc$da{>!Z zF|lcOOhNW%7*g?_S+`~8*tXI#g{Cc1SQiwc?DM_#CGgW&37za4Z>SzTcy5f2gWyUvFepX>PiuUa<$8 z8kUANq7wy+$d9|Dx=XimpwS@9noRfunw65G(s5vm7?epblawTIgJw(MIM!z!zO`Lr zMN4LreCX8#RWw{;;;BHVK0$3l(9xDF!x=s=!lB?hZQqb>r^@6IECn7NN5M&rHQbrh z3{8*5M7&mCgb1qio9$GQ2$UEI$#%`?3q(ldiwr^tEnzNN;;_^R1Y4Z*P}YumNLn<4 zk%h#qlBZf}wUp!{L5i|br_0D=tfV=P3c+9?g)x97j!1g8wy?W(zEQzS&UUSA^&P#H z*V(?S;VLH9yP;9iHKGP2b7`PgMkSm9g2}-3`g2^M2Gb-bsIVi>%OfwGOB%{pwueK^ zVjQqNPn$#w$LrK<1(30VL=MT}LEV^|?#b;tx_ zt86Ds&baY#jk#k#3H*-y`2B(C#_{!sr;_iEzFApu9i-9T`OA(VU0XY{@h$)E6)9O; zKDY7q2bZ17?Bs*n`yL-Y@y_PC%j?aDZ(Q0zUf%ou-szr;uRMQ$^Zo;1Q(yjQ<+B&U zmsh-{@YJO{VE@it_U`Um&+a^%tK8&IUq7SJhnEjt+j@P+>HE(d;ckDUeceAa`)U8p z&#(S`p+ETenE2I+b@MIq3)@+L>_l$suY332t6g2%bN<+cv%6j-j}-UC_$qQ}bNA>6 zq=)~u@hQCVE4B6E!Ka=sAN}(1#anmX(x1CudhWRV$sfC}U)j3GojmYrap}y;-)1bK A-2eap literal 751 
zcmZ9_-AfYz008hJ3L8cc`jD0Fr5>7Vx1Be)u<~}hyKTDLZXb8s3c}r8`?&MIym{UQ zV);^35|)*qsT4I$dWoQdf()yd!0ZEj5JE~Lq6gE&DCynbKk#eKadu8*R72JZl6Y8B zbB+$D#eU4%-k!H}tP6siUaJF_4NkY3D#esEn#&Psoshj0%6NQHFck5}!9pr1B|t}x z%iux1!)Uj_olK`QplA({m}hxBE~ikX9!#~k+cAf$m2n}aALdL{O3LKME$BkoPSP6k z@GjbnLh({E)QscJZ7wjzda^|n^OBU9jS4gc;E@7|1360+)RYKC3ra{01j9P!Zs8L+ zN^o?#8Io-Uhyh5%WH})p2R3dvk&olLHB#S@k>nT{bfV6DiYL9QyH!ehbAhlUjAYEH z&iUjv$rc7&utg-yW=C6xkxS4D67>Tx2o-n{BmyZk-xf(_3fZ(RP10ro3~t=GR2bG^ zYs92c9M^eBie>x&MPU&(VT%Dmkyi-Nt*aSFlBG!_A%GqWiwPN1g5V?q8gS7B4bvB( zNxdaV>2XHnAfGEwgSO&nH6mH;cDoe|7t-N~|JwQYgM*8o zlXX*18>=tq6A!yb4^CAHKXc2MUo~F2G1-KpwM74un`QUFP^J4>_40|6wZqN>+*tRH z>FuGV$(~VRsIPXSYI>Ks=iPvFJUk%(aMT=KGN}e`^BHO7l=eG%t80FxC$Lg{(=<0q zR6OoKkFV8XfcXV06Z-Qt>=$-1Hu84UwgtD(dUvK*=^kk+&3xNBzB;V1vE8#P<#qqw of3pquu8sAQQ;z~mrP}?-)pT$9+=rc`_qD~jmzEc|w|wvV4-U{ARsaA1 diff --git a/secrets/neo/ldap_synapse_password.age b/secrets/neo/ldap_synapse_password.age index d1b0851..a9b10a6 100644 --- a/secrets/neo/ldap_synapse_password.age +++ b/secrets/neo/ldap_synapse_password.age 
@@ -1,11 +1,19 @@ age-encryption.org/v1 --> ssh-ed25519 /Gpyew GGtk6DYlauerByL2ia9uqYRRnwqwn+oeZZUfRpDzhh8 -OJ0qDoPCz5FXCXDOHJyGlcYhBRvMPIyrDuTXVR6pYiE --> ssh-ed25519 I2EdxQ rHELcLTEsfu0sL3Aw2c290Zf9EmdOIO5gmhLS6lRMiU -AKX6RMwbLn3J1IKsjSTfxn0u/XlT0W76JKXfcfMCkqc --> ssh-ed25519 GNhSGw LPx7cnjBfMcDwZ4hqfP6y++D2FVtlYbzMxfVkfF86hY -QjXtb0IX9wtvCw1ms4A+kG4Nx6URhIT9e2nzyRSpI0U --> ssh-ed25519 eXMAtA sB1Ew2t6yjQoYW6OpH/bFCo5PO+a23nF/OrCrl9d+iY -73LkKS8y0bYR+hGPVjHxHc6VDZ5mscAMPfLwS+a0slo ---- B5T496c9WhW9A7EzOhy7vshIjNFgTr/kfW1mi5Cc5fc -MZϖD7Up{Z~*Xѐ \ No newline at end of file +-> ssh-ed25519 /Gpyew 8DFDxGaZWao+vO9qxc7f5O477lK7RnGI1RDBIxySpz8 +TKZsz+XOy3O7Ev8Uel7RzQw53eTPe8/6IltBLCx7dDI +-> piv-p256 ewCc3w AuDjekUccsQysWccrX2KIlqqSy482h9dmBM+N2599B6s +X3ZD4NEdRmIVtNNHUtMcpWsa7Z6gSSxfNjMbQfdw5VE +-> piv-p256 6CL/Pw AmuREh4r0wVcpltIZjXTI4LqmHz6bKMCJk3FOPShnwBP +q6es8bKoU9dXIWegdY8418Nq9QLjEf4Xmn4RUMozV1U +-> ssh-ed25519 I2EdxQ 0hXF3v4y5kSEZdR4eg/TZbcRjHQMyT3iu7ucYoBm/FE +aj/i/gRRPMdOFG0urrG5bcT6NGgXQ0IdT4IUoLhLrHo +-> ssh-ed25519 J/iReg K9SLwdDMWuUpyRM26ysJHATmVk8rsfi90NZ8Z+h5XnM +0yQ+b1augkDHdCVWPI9uvq1IzgOBwQ23S/Fp54lVce0 +-> ssh-ed25519 GNhSGw 0/k4x4mxXWKyqhwg2LeFIau8Zdx0ebPPYWfcppGEfUo +njIid8JCI+41KyhIzQTj4T4DKmQ2GxRRrN6P1U6ywFc +-> ssh-ed25519 eXMAtA m9yyWKx2xE55CHRgeEyTrft3dZUkJjmWdZh+M1Nf73g +97B5ztSgE1BXzNDnu0ZM+oowj8wEkxWYoiNEs5qXhGs +-> ssh-ed25519 5hXocQ 1Z8OfB3R7un6+JGu4MeBe2lzvf4kIRS8L1TUJ1JAygM +GmkDdKbrUgaF1aOYKRJCFTC4gIdvoYzmIhGoHbOWOW4 +--- 9wriBEhA/Kil1/4DRfn0Lj8KXVxU01JOtzdY34HkP1I +Qʋ;qz[86=m$c~{BGvxRMBUWAVb6n*ex(O zv|LhZ%4uOl#meTGPF7(e6}E-+iL_3M@z#iJ_iNm^TrhCBk5xm2PZCL_jJv|TXtM$| z%f$31D8ZpYhXwZQGL%D8fiY5WTQYhV<$?&FM?4Y}auENq5HksSZdg9rB^1$AUglaH zIYxk4wxWac4iJNE_Nq+bWD#{6g;b2dfGR|iNI{eY(XHWP5NdMkV#0*Sj-2Uf+U5o;>{Y&hq5uRO37DBewjAXfr2qnh$|VZU*|3omWgh^=+$TPr!$@jc#s;le9Zhd=VKJ&)t zNbi%&fyPVgv(r!LI0vf-A43zG564&aW0#Mu z-PGE@+_t0rnGHuA*DmJ{cfDWw-TKzL)}7lLdV4^BI12adL0>w-BKKM>E(6ze$ zz>%v*?_Rs}joSJ}uTN>j8^)e9{cwIP79Y2+bHT~QBi-MxymTSWJ5?KJFV}8*Y0XpT 
zdw%JD&p4o4bK8`~zZq(zzjoCQ_-b=Iu5}1U*R*e`-+N0|2egu}nEHR5I(_#;BTGks z+^o+6i_G7QRIdyVt%9Q8wVmCLx5m#cycpv`ziS@XAd@D}+K0S*348SdTz=L&wJ{x5 z9{X+UuKq5tp=@yrYeeCY3`Rv~gv{cam delta 1290 zcmZY4|5H;1003~w19gei0y4}Z=jH4jJ<8|?aTYJJ?58u>UphfUGcUpH%m})Et-s)NpW4}Nf-SEl zBvD-{sIb^^nZxXYIW;P0QC83EX&pe>1Gv|1;3Pn#yc{!!1&AICK;bfjUR2_dBXXxR z^(=9h@agr(V=(U3E0wL#)W^({27dm4qyEGhuQS0QR}<`mmw%Ag^pv`c~(D4>;6 zQCn1JG1=gF6jqj-xBfOS;VuK6V%V=YlNOnnWjWGLnUst^RHXF~VxvqPH>hxFfOYYr zu)tNQ8;yAaWa_V!g7kRs8QG9A>he4gdrtxk4?V zc9ffiEMa3Y0>;%4Y!3K%kw0P7#2MU+`#`w?(8hr%S;3H6na#th1wbI8paT(^1u9nY zv_^#E00CJ{xxCe;0ce*L;apUNHPc}Df1Jj^;F_3FA~!qTY;i~dI<@5{aolA@#9`j6 zha`S`RKqF(R{~=|73?!&c7fkdszX{|kPL<@(6CCbi!xRVkI4W^6)TYxT5>`L4iHIA zTD0W9J12!Id8LrTq%IFoWRqb`X-uIeT(UxjCRG4P5;nO}fkZ(@Ohx!mg;gzxg~>t~ zEK5icT~Url9e1*FpI;t8%qRiKIIqhS(kL*!j55YRRFIvWEp#IhuZ#3xxd7~T;-MhH z+bU4lM*9>nE^?RAg$k@fO8X=*SR(j-MSd!Fy&c>8pvU)eHFfx2d!2;c zl8SHxOX`itYHk8LbnA;38<+zZdwiW}>S%XwEhoBBTsbuKS~8))nCx2MK+seAkO z?}A^y-@+A~ELuLP>&?m%E*<-MC;aaF<+A(n1NUzCKvrll15I4boR^XT@A+oJHQ<<= z%I@6v^~e3^=xH-f-E2rIo%}l;UfMqVh&=5JWga`0wscW-n4tjdm6C%Vkf7ZKy%M)aR|WgH>~R&^a2efNs~ zhfZ{pJ^G24V1K$(ocOf5zk6h2AF!+;?ff&)_*;^T{>L>AXgf~?Rf|l?wT7ANf4qCS zee9^=^5)}J9V_Q}TeEI4`A5c9!jtv)S`M}~ZByP#ym~ja+!LHpy}jXFO?!n+odS$1 zPkpy~2^8+?JpZ`yQe(bbl0-EGUZAgy1a?URKpQ}_>-4`0KjqFj}yz-rXV^{sNTcGtTt)VHW9onKl&qS(ll+8CS{zqO`D`?^P^3g zG}9r2Dd#2%JDtkrkfDqrj)`!xhp{>EVNRKd1Mvno+-*#Bf=^?pb3S^1!3Vy4TUs~K zwK}7z;~BQ~oITQ#6DXFLi;u^8qN}FTX$XsVn&n(Ui%0drAhJms4oXTT7ebBks3}d= z1{ImZUVtdR+xHq3fFMFV7Fczk0tW7g>L3&-7OyryQAKSPuE0l_A+=<-P?OV+rk6Shq8j0+uZs zH5MTSn{Af6f>53`(m_)QaJ(to!`Qf4Y)(r|dZgrO&NiUpK$f6@4*_));*@R#OjRW$ zLJXzx+KO~4r-nkjo)!^X4lyi?bu)ud@3nE;;U^K1t2TVQQzPVbL9tCvwd`15615r& zLxhHt9rG9h`Wcqtm9?0zxsCn@)2iOqShhu57_>)&_JXC{TWC2seGI9_od91`{RC zaL~0{p{&;mLEHuDN{`UcJWA&?2&2dm#NcGR3wb;v@F+ZL<4g^JDB3b(h$_hg3l2>e z8-#F(M(wsa!ksk35v?jXbugU^a0040wy;*~${gFGiYZ$&PE4_S`D`E=V*LJegmrCuc*4$)eU?FIu+L6W_wNtkQ3 zv@Y8nAwD!}N(%zqzLXu(#fe+x9rgb6DAb)Gp`1r^tQ5+9gsSB2m{!NEycl#qt5U8` 
z0MHp*b{Zbz5iYa}MXIegT0pIik0(MWmPjPx2wB9+6(4UDvzZp1kg-b=E`4yM@y@Zuix0hMo;Tk*xU#b2<~jdI{*`~u>{b7m{dn_V^T%dCed)KN zx0$Vgn~L-AU0=V=_P)QM9hlkh`m5UKU*1^VeRu!6Uu=2e+S?n$nKR$&-wC_E-h94& z@6hkn1!(Zv^0uuzSHT-+qtgejY*;?@)7%?(cYc#O?A^Qc%c;kK1?6(;;ma?q+&XG~ za;5U~oi`)!^bB+J`HdUa=SA_v%k8Qnv GF8UX=nYo|< literal 1125 zcmZ9~-;3J>0KjpPJ-8m5vbo{8$<-Z$X{~9}CQWb0N!qk&(xkm6mo$x_v`Lz#X_K@` z+O#0M-A-?N5r0jl;)CLY8#0ld%6@RS;a;4A;LtgpcTC*rqv#xZJ5J9>?=Sekmv2Q= z!>TEF`nIcE=95-O1G-=!JP~x9dRSE;7zPtTS<0sgEyxh58l1AgVylV@rh_<5nBjFC zf)!s65quPlBNC#c^~#_ZfCOjrK@uEIH?kdQ_H z(`>yPwjme^s=bsP?FBK@>rDa?ty@uzxXa}`IfRkeXvf7h-Oq^)4)HQ+Ig{W7o(pi8 zt=3IYceAxdL?e{8Q_D`#7ER+Q({7eJ1sq`&ma{u4>wgxKqJhZ`%SU5k!3625Oh8f} z$8%_sV3LGN@#S0|Pem{Z^EA(kighiZvVe#nG8#>!6NbdcIxe75c^U!@uicdq&FPkU z&QuAL2xD_a5=tw6G1%!vrM8oD~ z$l(3RW{t?#IieTLF@PxwI!jlkvK*11V7h^-tV1-@#(-7(rXxdHqu|RW-U%SC=lgB5 z)2JIBQl5+$#Xi{rEtrHQ9*A&7LS)JUs47i2wpmj}26M3>L53Oz)+*tY(l;P(fKYU~ zYG(k6q#;D)<%*HjA7@$UaWRNQ zHhv6;gN`EgQyIPF#X&IOGh$apTB(Q?CO>MBkOAiPq}lu zp3vWU>h6WzW4C4&Czf{n{@LNZL+JP3gH&YqH|o|~gVkQUyZ*-P!@>7Qg@v!~e*V|UzUs-HkG^#6?-$1I3#>e_@8IIj%E+nMvAs8k jUnWl==xdAZ_VzzX`^6nwra@!o*cY8&Z~U_Dk+FXPCt#R& 
diff --git a/secrets/restic/apprentix/base-repo.age b/secrets/restic/apprentix/base-repo.age index 2343af3dbabd368101a217c94f27dce27f04ab33..59d8e9a454cd560db28122eca4a046e7d8298432 100644 GIT binary patch literal 1089 zcmZA0IjH0W7zgmqVzjW(732xQqtG~Ja?E6+AY^jQWHLvN$s~alXL3%C$(>As*a)(f zh@uFJ7OSuii!EN~irBdzShxtQc8iJ@7P|X%OW#`QE5GW;|NH*m#?9AxYK@EgEq>1~`sCSA{C{e16dB`bPX$&gu8d(STv}9Lx6Qn-??3yys z8X%L<8rx~B;^;s%_9{Ldvb##72!mHdtW>wPjN&3Sj2gu3*vnvv;*89oLRN*OCMnRC zLWf%>8^TkI)?qL4BGwT7rT9N>x{gn~E0MNP=9!Ig(7 zp$hU))B3RE-V2Ilc3x&n(WQA<+gJp2sMSgU(=3fgXdki6LQC5E{1zt&V;w}Gfh`3r zBWAs3P+t(Rq}oz)doaaOOjk>IrxU_#0%E@J1)YI%SZ%C$(k8?ZTt&u#-Wx3kt^77> z@nL(&Yre=1W}+JEnTI;hDw>x`c}c{LJ}8o|zM+}xA78h|+~tY-8ibO+JQ zQ@2dZE>qIS=c2HwT+t&m%_aPjBjCCdQ*~rg>>_RF=>{g$XtZ2Gk+YMw!6reWCKZfQ z<+A;B{BJ}4+ecfQkp&58inTP$Cw7(4kmg zPL_$9^G$}OaV^2Mge`C$tUPOnmb6kkN#bBW4zA8;>w8*kiU1acGY=LCX^!E_lp{kg zmYm!!odQnl-gwQe?3#sas=vZI$lj}BV%Rd1$dP=D#HBK7$)3fCJ2nq-=IqRz%9j?u z9Co_hF3^HfLGV2vJ$s_8q855oap>rPhnkiXy66YBfQ=i$&*(|#1NmfsSzUke5&SrF z`{~y&UAyZ!uU&olfkb^`^3>6LUuM7keBma0(ZBzj_wW30MgQe?+4<^Y?Xlvecdk7M ze|!AhE73`B@%$hxrJ$?IzaP&QK`r*mt o>5qRt3;bF=^49OK9$$DSIR5+1Th-T}+zRe|c6a|Ucazxu0|JeD+5i9m literal 979 zcmZY5%j?^8003|=B4&c@vRxDlBBHgw=KD?4rpO#=nxuKQO`0a@t$8$Qn^)5`Fa3cY zJPbU{jR}gdAu79y%!4r8MNz?vpfC|U>3oBNI4{1A&cEOTpQY!v+{jL=BwNSPQJi}1 z93ZWy8vDK9avg}{px>|;GR=C8L6hGs^sS`?FzyfrO-CF~ZNh*W%UeqFaUxn8ZfRCk zK_K~TI1stiw*5j07xNV(ZAR))*ozbyW^-^zcRjy2ID2vy|EneIyp=$_+i(lY#)<~n zXVe2M^OT7-TC-BjJxqf!l%0`1DVug}#!}$K0Ai!b3fZpuDyMQ$@XM;!vMXuDI~xyV7xgB#6Fj<1zExJ-$$tGx0LqpS=AzE<= zZ^4yvm^oe?PGgYpsgYM*$6bPbLhg53#x3ADVB0;aN#3ckvahm5qaQ>$Mf7SA0@>S| zO{r6loLQ`m7;89|uoB%ZtS~P9WLqF6UFo&lQ9JBxz#g2^NfPLAx{s|!WphVD+GQ{> zPYs;^-=u3uWJWgT11yd_h*>d1_3bK6%s9a@3{50>kTf^i;DIsbSk9giNZ}L=HSdI~ z;MWB^mqOEZ)&kImR+6MSkkNV;cQeTus2q72~Hd zZ|SwWcT7A$M^g|Z@4a^YtCwFgPkeXj^oK<2=*1f+quVDgocZO83(T!o!i&MxC$By7 z&`G=*U4Bfz`O#hH@45TR^>^-l?T_B`zpJ00yZ!JF zr{3)-B=x|XZ{K|4WBR$Lzx{@DUj6iRaqj-J@N87Sb$-`AK0cN%3eWgo-+1t+OE28_ 
Rc=GGBAN=^J@&0eG{|%BEQt73zoJ*9soQlO9Cy;z98Cp|76w?fE(U_&+@VC(P5k^b$AowJYn( zXX+*g2Y7Y&IiPKeyEH*?9Hs%J!Zkeyd?DClTM?GH>VjUebYEqy*R>uUsg|ol%y3q- zorrmeC#`U`0dKBxQZLFDr>LEK9h;mWQ&FpN>x^D4XkEy&}5a>@)E97_V7?E@YXXJpl*|RP%)~+bSgSsdCe=k{1mfPz}dz|g0=p{ZAjUm%)<(q zLpKAv>7eLfAyA>c&YhSws@}|p^C-P>d9=*@eqZ zb(wSNp0^nZ7R$0@?>Fu?Vk02cs-h;=^4V0nI^YH3z!|=n3(iQ}WC===T$dy|Wks2`P#-luC*3f=2HvbUSCsV7*KXlh7zp>vD1VqDz<=;$nxaFM(- z)|$kLF#JQtwu^MIaXLZ>3E_-5L^jI%v|FlHqX9%SkrlCKsf`OO0}3rHn-ziCq7y>s zVtjMNj6a;(a>?rzS{2zebU1h8oqfqb65QmpILn)hq3%;_+`5`9th>ohu!q^~+oUTa zK%ZQdi7?Hy8hJA-!CCHgVwj-{g2xSkcWjLH=X5+Tmb#McXR9_hWCcJVY*(yscq|l=j#6~f>pr% zz10mz&#vTLzl-!fL4XkZ1!Q_ z!M>C=H8&}1S+FXhF$02vbkea9`L18;otS zgJ8N<9B&omepV+ovwHCxe}DYxmw=bwl0IMpU;Wp!e|q~9{BNiqedt?HpZ@m8{!f4P z;L@7+Wh33uYUYf`R|Y?&%E@t4}bRg br+2i(j;vhIMSqfYnzwmz2Kou(!8~Ke`{1w+}Rft zw#yEJJ1N3WI@w7OMQ{htiXf;L+3=w5AnH8&^Dp@D<$-78dnaDv6vwOz)8x6d@WBQi zoV);(WpLuT2!_D~fW(+6`G8{kdDBq3DSo4lFN@x$7YE9)p0l8O$HMV`Q+$kp4e1ST!DzJ6B~|)~$K!pRX5F6>!2)QRS4+7 zwo?`#2YX&7p{7MaouTx>*caqRA|zI*^lq`=d)cPMW{#Rd$#^3=LdeiKo+TQl#HY0d z$#XCX%ta_Nk1pRc$8IBMt4Rg*<_1p?mshk%%XAv4x|Qx*ia+pC++lZS;WfKR z)>}t%!T{VCiz5}QyG`C%jR+8?r0&oqSEnnh$`pvKee1v&LW8cxy-fbwmW9nphG010 zwUjez0kRk#B8$nGXju3Sz4b~vhO>H-2WkY{E=|haNC|=st#$c8kEs5@A#StgUBu=> zf`V3U85ujBPSGIUBPKU(7TL~d|7+pY0+jDrombQ(g%uq{@T|Ztl zh|_5NICmI%6Aw&|l*?#WP+G2RDGfcU4Z7GfyfhVtplW%$-H;3+2VX1p>CJd#=5`8T z35lx|eWlf&&oe0!TeBh~Rny4rx-t>EiwcNlP2GSe1E1h0YKua++e?+C&Iu7tcbK8= z#sQ&88$>?tnn1KiSfroU1Tb8AK0td=%XS-Uye^M)p)JSbaA+O6n3mE2LzshD4VMAI zZ7~HMpkVxY1u0F`sRnXFdq zktZb;#LCo)_D&j2XhuUoFIXY zlsMQWoN{#NDnHMdS&S(K!VkVY^A_{;#T&(q_s-D2ZoYZmdOiK^#v6D4{&rrR1Ae^x z;xiYoK5^~#m7m{qC)rEkpWnZK;Zfk(uO2x6$475ni!K{)KNbD(&L^+F_V`WZ{Fj69 S`08!%VFiyb&tCa!dg~vH+W;H@ 
diff --git a/secrets/restic/jitsi/base-password.age b/secrets/restic/jitsi/base-password.age index ae8ba8aff1c5c49d52d2310fd387df536a73cba8..44d3dabae59df1fb59bfee4dbff4f25c7fd645ff 100644 GIT binary patch literal 1235 zcmZ9|?aR~z008g=F}lZ~FJTbsNbJRNZnt~e0w3CTx4YeKcYD3tEz$1wcH8c5yWQQh z?V<+)qa+MW$`ItCLbElz^ppVrDqqGlEf~AR>VD|E{=P&rduWcDgW1t1G zKeoNWW-qXyxl|%K3yenHq@g3(YzhNxNzWTNptYx3DXLj8iZl#&+VHum?H5{n&uBTS zF!HC9GSOlD3R(0LxGROibeP7PAkh|uoKnki!pN()2@}-ONnSx);*_Qa6tm72TDQpy=PKQr%)sb0`71dM|Bmy=_cn)h* zIXLukMNleh9ayOZO|UU()avR;P@9eH5XI2{Svit{xPPsbU{69Qln0}p46_Z*RQmK# zV+NKm^`cRV*S&HbYwM`wR1;%5<6@E-KoQ1pX}>iI4X><|vCG+dH~@wExMRXlL*pTS z`67)J^@syQ@uPK#+X>j z%gqtQkZhorpfobZ8l{3RrM3JVip+`4)^e=^*@9sKEh^P3E8V(hWF=0kQdnB;r)mww z5%8WRckqyNY2Tum3>7Bks;=2gmxyAVnUE4D;ju|549fHe?ilKJ9j;iXrVbti0lZu* z)w*IS1Ond6l)$dSFa=sp6+ulY_=BFu!(=`q$KqI4Yc^8zWyeAjEyk-8($pGxni~gj(q88k;5jXqwOZQxj*2f+qNtp)5~{tATCT-1IPn zt)c1oSp-k4@ULS_YPjw0z0{EfHT%f?kHE>V_8cM}exg%;Z`C3^c>l+ZVPTUz>eu;ng?YHR0*wt4_9z)A*MA*MFMacri!M zzq@b2+`K#Itvmqsf0uxKaBA>O>#Z~AfBA57@X22nFVow<7S2U0yEEK(Fmq#r&2M__l?)+2z3t!=2If7wYSFZ~j*OnBDmawC3`r)id|F+RWC&56r7#_Kw517Vj%D0J literal 1125 zcmZ9~`-|HI0KoAd#*h^~w%a)$+|CNZkXX~Em$cQnvq{q=y(Degq>nhgOVc!M)1*z( zJQ}8m3hG30r~5%1V~#nU+z&d%Q{nD(Cmv1?K@fzwp*ZJ;ird7;{orH%==}vB`0|xh zC88LzHS7=CJ>%}4rGjoO6xkED?N&r-KrkFjh1+~1p`^o@FnREN1z`3y7>d}H%R6`=~f`R73=~Oh^M!SAK!GdhbBYQvswcre_*=3lo;aJng z|I_+yH`0e-B&>Lt9QVTMj%LE0YCuAIiXf~ZUMK`LJZp<&Kiw#&3jI=6094-8TJ&_t zjH3a-G7uE4T5MEnxU^z05}Rj)nCxhtY!wO!$d%0`N&U}4Fd8gevx2PeT83mBK4F@K z!5gtmnnN5Nk4G!*OrnuN-J%!hhC?}_xL$S?tAqt$G};+NS;go=qKo@g6d;;VD(^x_ zgFvB{?|2(4QV`zoxiIf|4i>GrW+M;yjI9rts@ODDpiF6XxHk>!v8IPqyJEG9WXxjam+D7Zo+^mlU!nW~vDYp=Ck$ z6E;Y)K~Yc%s2mz9uFBIy3FCN+>v99ZZ$%xmBw(CXD)q#HF-!;u zkwfya-bRgJTP4B^6S~aTB$I{H0n>Gac6?wt*+!$7g`>JrsmHrONfVQ*kwTde6$j&j z7IUWyH7izSJH0H$P^F+r*UW6z%HvWxS*M9=l1OPAHKod=2k9^%s+KiPYdU9l`AWY? 
zX)@oG@SH^UkbEaTG+BbH#K}r6=!H@(N=h~`AOIv!z*2GnmtvsO#(66fbjo(aQwF(W zlFoINYd=OJVLX!wSh3!8Vj2Q*exL2cIA)mi` z|H<}a>r+qezHjm354Vd4X6mCKeRXQ-?^{0I2cOKn{-gdN_1Yr2G`Iil6L*Y0gztHC zeR=8h!ENWx-Q+x%N_mrw#%E!F#PB0gnBN1!==PegF{=l9N0bQhVJ?ok=mJJ diff --git a/secrets/restic/jitsi/base-repo.age b/secrets/restic/jitsi/base-repo.age index b8e765a..efc311d 100644 --- a/secrets/restic/jitsi/base-repo.age +++ b/secrets/restic/jitsi/base-repo.age 
@@ -1,17 +1,20 @@ age-encryption.org/v1 --> ssh-ed25519 iTd7eA ktPtHZZ/+e2knf7YT58/ejjo4yqOerXJQ14JfU9ILBQ -NUJFutka+8RGBXsW/gn+y2zS68D6yHJo8KqjLjwfDq4 --> piv-p256 ewCc3w A2IoLrli9N3qyiZvxKQLZg/LXIS2OqtoDKyeAbGPb+us -tmNIdJqzDAuNCQkl2Jq3u5amzYpfePJotzn2vzc/mAw --> piv-p256 6CL/Pw ArfivG/h3oKHEhIFlE073h1XppcVmWjsv3U+zB56j8Db -jxqzWk0I8/om/lrduJzTTL7rnNcX6nLFZLP56yVx1Uk --> ssh-ed25519 I2EdxQ Do2vvD+CNF7MDtZiYyIHILuGlGJWE7+cPKU+5qd0nBM -LdsMG37dzisNjfZ/Fduuckc0GC0jSfbD3rlmSUBKGi4 --> ssh-ed25519 J/iReg ulKX+/TFErYoLbdfUoqFDFw89yKCHTnJsvAVXoVN6EQ -3+9rqrAt1nqDrNJzAHU+NU/b+0sLJxTovSDa0tPBda0 --> ssh-ed25519 GNhSGw GevFYiD6G0GG+Vvnsbb7xZ5T+ysZwJ7ZRTDcjMCe500 -tsG1aNZdpxdnVhpbV9atHptidXZ8dvLI6ht7SlEWDT4 --> ssh-ed25519 eXMAtA 2Ebl9bg/Nt+m3M+TyoXIH43tfliZQ7kroGf2QOnyaVE -Zng4Ci0raemfl2xjK1dPd8uxlvX3Qd/ycI4f1DoJfiE ---- WNg4DqhbLUxAUSRgmbA2JrOhHKSUk09U7OQFN6g9mPg -Es {fKdr@qX \)H5e?LG)5_In=I=LHI)Y~FP^i5ޠ.#O&#v)(hA =_6'cGrXn \ No newline at end of file +-> ssh-ed25519 iTd7eA uRrBI9CzlE7xB9xZzh2tR9rhhcO8ECV0vcutdGUVxC8 +yap+Mg5Ym0Yo1H0+TKDaojKzmnoNofHqVrYK9gbkSyA +-> piv-p256 ewCc3w Ay7iGAUKVd0RFNHOkZ+SiBWBd1PIwCOVkcQ8EcLdfjcT +M+rII7rd/Nj+aE7NGNKM4zbEAkBpaWMwrSd3YDVCjPU +-> piv-p256 6CL/Pw A8UmdQQuWgttNdgGh08IF6AnNmbeK1KTqQ4ln1ER7xm8 +mTSK68h8V7vRoRMHAg4rC+V7oUXZ5IDjvjUW1jUIMl8 +-> ssh-ed25519 I2EdxQ rN6TtZQJJp5cQkE5ZMwWJs2+bWUSbEp38hlJZlzMUAo +a87eqROq47yNH6f7g+ZZ4THNgzvV5qqDoIkc9fik0wE +-> ssh-ed25519 J/iReg DhQaCrBS1lQGFOOnLg2rICE7uPw+9/nJV52Xu7EydQM +YN11U8v11KH8CjYjQv9EqphNlxCUohqn4IqUWRCechQ +-> ssh-ed25519 GNhSGw +CauAMGluNGn7ghPdeY/JgeTyWNIxITvL6daUdRw+hY +XgVJiyzDjltfSSdelUSoueHZASUHDEf3r0ch4tMLKj8 +-> ssh-ed25519 eXMAtA B4H6SVG3mYZZ+RrOXXo/DEB19XRWiGuHLb7mZ8ATghI +3puinvyt1PmZKZRHCFbQUxg1czzSLaKgfbIdUPOp/mk +-> ssh-ed25519 5hXocQ 4ag4hWaM6nah0wb7QhdyIQYvQ2Czp+AC0WYI//k6NHw +XXcsQk+CJYhhKu9JeNf9IXlh/pfUmF3LWpw2JGhUA14 +--- h6qtHaw3GwCzXMMRBBeq5nbhrCuCC2IloLHM/10OQaE +uQ:mw Is#u ;R{JN&m%d@ș gk` qhKϪ/Y/]܂&sF^K3sEn +d`sA+o5(~x1Bq-lChoAlbGtuIE~{F*drn)D%0 
zRmT(&+??W@>BiU#A2t;y=r)AmIdnQF>U@~o#x{p?QzuMh3WxZF^QHF}eBjHsp@TT+ zwFZ$p>NvgooPmz`C=}lq8xD;)(2^L2QZWM?sxlqR0+tH=E)VjupT%;DE;Z{Jzu4@y zJ&;8PmW4DqtqwP7R)&gESd&{-8OaNXQ}$%FJ)P(Up=p^QM^qF`*2nE4Hin0y^`GW; z{J5LM@E8b~)^re~9k?&|ffsqSM&cbp5XgE^Vz?yN(9$xGv2B5z0Lb0wAAygVvmNXOqGMFN?P_& zg0;Jn09$yWmhV&PTCG}uF^>^Q0SL{GOD@%NNT&q!813i%vM5ui-A@~)=r;OcI8tSw zL(MuTw{vb5sRxlMu|^Hj)P$4Ki9|G89jO-Ig;hD-$4FC`s2Q@(sv6AJSvI4i%y6m3 z7mQgxhyi~FE_TN)H60NwQ}EDac8rul6tpo`BKg*IuGma74Uwoi5L~hyQ8QE%PcsTy zw}M%+GS8}bT8mNl&h>oS(Wb({lx-srYGy05RRta2h!v+;;Nnxpm z8C9nx$AnQnn-oJ72g{fb>wHe`*_5R6Y@10-v_2#LQVBe*`&Vc3f>f#%#E`hBVt)uHN zP!C?aJbU@!d)Msv>Wf#^TX5l_S8m+DW5WlZJ@Mn`r*2(5oqBZgxt*WvnmfGf>_lzi z*q)UW<%2)D-yB$%+4S+dPfpzo9lLtZGUBxplk+Ry#>eBMb6cu=pE_`+dS~~ZLsO}J z@wtVy-+#36#Xqlq_Jp>3+v9wxbZ|ZK+x)j1ZeO?cSA@Lln!V>XKcL)Hc0QduE$m(& zS>(Bel?$gI*^W9B=b=078-8!!7LDFqb$Qd5lZ(80zsMZ_@W}C_XP>|7yY25Bd29c+ J$6`ck;a}TIySM-V literal 1125 zcmZ9}?Tgz40LO7AKHREv?2v(SLY<;$*K3kCO*8RE+oWleHcis!zzwfSnlx!1+B8o^ zRK$m!a_)R!4xcuh&p5fs&P}HxZgNhzp@<9)++Iv4GMIudHk{mic%}CjeE9x;GqMzw z3}Fyh!>(yengcoJf}!YC*tV6ZBtkF@qG1KL8*DmEgQ_eP8=0I07T`9C12nDJ7S&KP zY%_o@%4yZSfGW9u1`p|!qsDx{JPLSD(j$1*>B78%lJTk~r=X6=isd0W=mSt-|D#!5 zH)=s}GAwynA?}6KaIaO*=Qy3Rq{VkkQoR3Z>8l4LWE)v=P1rUkUv!UmUrK4Do&6_=h!pL5|uvU|rrSvczZtJyzP5Yo0_ZY$&QUo9+j-*nC*O@<9Q`!9@Y2>F#MkEEn0|8q%Ax7gZ?`U4 zvrAuF%S-1X95OzRJbHf9kzGH|Z&+S5aFTOu{`4Q`#$p>C-KR-szyBA8I zZP_@nRk=2Q^!D-F%2O-PT)ywji)YZ~{^_NMhWBid{)G1)o|@eE`JQd{+K%dCWv!m6LZ*ym;RW$*?6vfg(uG6bw8sV@66q_JB4gsU0nW(<3C>eye>Xqox| diff --git a/secrets/restic/livre/base-repo.age b/secrets/restic/livre/base-repo.age index 3fe67cd..39575ea 100644 --- a/secrets/restic/livre/base-repo.age +++ b/secrets/restic/livre/base-repo.age 
@@ -1,18 +1,20 @@ age-encryption.org/v1 --> ssh-ed25519 h5sWQA /nZh6IZdBtv3woGAynnhXZXtNfKDODEoYCpVmHHhmyg -/UN8RBQr+0Wu5rPzFosqsmmiAAj8Etqx4eyzhLzcQ5g --> piv-p256 ewCc3w A8r4CYBN30fKpvBBaWomaepl0fxZwpUajIh0+BAmwjko -P/qLiF22BlrNlkT2EsxXCBBh6al8OaTtL6IVHHmeemU --> piv-p256 6CL/Pw A9H4fgwM3EmBo50xdWhNuWOnJjFFMigtrBQ4a0Rvx8N4 -jes6k2hlyuX5Ech5qTiChseaVI3YIzXG3p3UpWHylB8 --> ssh-ed25519 I2EdxQ LPJmQ47OOrMu88w16HV3GsJTpTcoG1Ug27BRCMrWSCw -OLgC8l7K9qOV5QA27uzPFIgMd+Ho2L/WyIUYCZEam4w --> ssh-ed25519 J/iReg 911LIrz86R1AWVKra7YkM3YwWKSOgkNHtFAgDNRYWB0 -J6DWXqaDVN3Z1LVo7LgqpjjBVjR2L2P1TZULu1FMeo8 --> ssh-ed25519 GNhSGw MQk3YSEF9jJjgH0M49LhlJzvcqdbBU2aqVpnxeJeZ2A -c6xqYIkdFIAx/wqAEeIoR3GrHsmReSDbzt9jtRPKsMs --> ssh-ed25519 eXMAtA KvWo6kdZcf3pjDZXTPXhHsGPrzE+wVai15ZT7tjia1U -be3K3ljtE1l/AAQ79l6D50SRJvLmVsT5lfY901Zyej0 ---- zfk/PCQfQSmHRlvwG50i/sHtPD5MXBuFfIKmPH6sbiM -W1O2_ݲ# c\SX *Z}Y-Y'䷺3 " kcU;Vnřm(5ȓ - 0n%hZj9O;Ch6QcgoTfDc \ No newline at end of file +-> ssh-ed25519 h5sWQA UVA54f4ih1Y7DeHl8JaR5xx4aNZmYSWBH3rSDVx+V30 +9DkQJ8hh6vLIzHy1Jh7evdTC0IxJfZ8h5Dna95mhGdM +-> piv-p256 ewCc3w AnSKSHNZoIlAOaJ8yuHASConbMyE5Xe9pYBRZTH1Bmpp +tDvSbnzs1MmYGD2ADjrPcQ2/CnYbgFKAFgx+LCwSKwg +-> piv-p256 6CL/Pw Akuc2AE0t7UEi2cc7MKsELdEJI9j1HArytxKs8ALhhkF +CtYo5aBfkeUEdeB8WtD6+aJntmUOLgV3c0YqiIa7mqc +-> ssh-ed25519 I2EdxQ vHAuEyr61iU2FNZ0a7qoGxMrdwhTsxyJY5md5decugs +XeUhYGi/sPLQ1S60TL752+w0A4esESNwa9nb3dyy6T8 +-> ssh-ed25519 J/iReg ukrGz/sElgVRVYZezBP9zbK85owb+6SieNmx2+6LQUE +cal2YERpuidS4flDyOd0p/wendfr2RNPtTP9MXxAxtM +-> ssh-ed25519 GNhSGw BndztlGUOHgsxE5gpUZXjipFnKijFm9C6iu4MZGymFo +hD3xvuydadnbTClB/Oe48zyLXgk21fYdSPlLiZIG7TM +-> ssh-ed25519 eXMAtA dM6ndCAczkhAmvKTP/ZKPN8hvun6VQdzZbDfJ5VApWo +REcIqzrOHyO/Rloldxvxp2y1kTk/nKrD1WPDFrX78nw +-> ssh-ed25519 5hXocQ QW1soBQzuSD0UyTagoTswDdLi0Clw8YUV41wvGtIpDs +z4YXC79z4YoJrOq3HRISGWotcoq/6bR99dKd/PimHlQ +--- i2Rl65MgbXq5oGglcGefPDQ6yWdi6+Nl4/SYTCvYZq8 + zl[={ +:ȏ3@HcAhpgdߌ̲ptn#E:!dA'X?<ڶdl&ʂ ]+A9䗜hp. 5 ~b \ No newline at end of file 
diff --git a/secrets/restic/neo/base-password.age b/secrets/restic/neo/base-password.age index 15a51e346196b06bb16f1ae8ae3e33dd221c7b17..d445971964c11a0ed18bddff2e45f0411b666a52 100644 GIT binary patch literal 1235 zcmZ9~|H~5v90zbMshIjh6lOo93&ZM}dv4p^ZMTH*cDvo~xv$&p+nt%uecRn_yWMT~ zW!pvafT)OQNNO4cW<^Hi<8Kj4luDvdX&5N>Lr_T&k_lpAVNd;3&mZvN#pnHg%Z8rR z`|5Dw`j*q5c7_HJrenz$3kd@+=)Jl8;GtJ-5jVpB+m?TY*4oY$W*#f z#E)tST5S2SPVqJ&Sx(Fr0?6tN{CXn{ve~>ck!cq7IH{wNRRaf`eiQ^c?pFdN^^fLS zVbaaO*|I4>7NY@v!SYNb?Sot$Ndvu74nx|t zs6QTe)1cYoEE8?w7Fw+GBMoL!v3lU=sukNXd6{eu(Jv-FchCa zX)Y%*ER6ZMUL?4LR|kVg5Mx$5gLa^1zfxc)qM>O01m7@91**XiXb;fy$SBO=5X+zl zv{)lpQy@n1uokt{LKiNkU}r`k&7u%>Rbn)Za)w8?D|va`8ic*nFlwqXk5;uo5$*x@ zKwii|0lGrRQ*0Td>Rr)e)24%Sq)cPl@ZW{}caM6DL47oCharWKa$zXgsrrmu){uf= z6RCDc5kbTd-Uucc(8Wo$V#I=mTj{zu16mCrg0Vpf)KJDrgF`Yj8Banw6%7CjRh1x+ z#lOL3%TX(FC6mDqcRgfE{Vq0wZ1xdbH(`4mGaN?uuu>K0DZwU$J$`@>5rzzPU*`{NDNvTTkDz zkDppy+Ijf})4yJPXW5qre!K7h{?x~xU*4oX@@ZnT_~VuO-ty6dHxe5!-g*9v^;~Mr JuGe=Q`x_brx2^yH literal 1125 zcmZ9|`-|HI0KoC#4p{Mt)7#O%etgVn_efkqiNdok$2LjSKK6Nb7`71$)#!1 zbPg29ft)CeLt$(pGQ`t$J|@Q@+=lmq3~}njos*&Lhs`IBF&{rD8_plSzu?37D{E>@ zwHj{dc)D%vvRw`I8dvjh8~3D0M=r<% zEQgshg3%WYMKb*^SFFj^Vx|Oj*n%)A&tf8jXCUf-7MdkN_Ldc|YLpk38U+FECyY8Y zs0T!mtFvTN(p5TF;;XaiL3&`Dj1dw0a1JfZwc3hJ*@x20)2jg6UL% z9;I#62)ZQ@L9`;52)3ql(@=u9`ZKmerP@Fr!LzDM1XVZKsHrt7<7J{2WhSgZlU>uL?LmnNlCvg* zqdLbiqLS)@j+yFWWw{I>xd__{LdirGPnoPRoK>BxxU@Djem-9=<;2*D@ ze{b{d&$o>g;RpA8{LIwOlb3_T#&35nZk3Ox%nSbUvFDJimrv((ms=W=MsJM zuk7`^A3hvTY?`vYpfTA$^};>s!LPCh_emG#U)#I5-&d!#=Qrl|rfBnRnKSv&T^TW*8tB;xeOXAwXzXc+e0RR91 
diff --git a/secrets/restic/neo/base-repo.age b/secrets/restic/neo/base-repo.age index c17d4f116e0d38d359c0138d775824dae2150540..ef64cac96c32bd875aa15a38162c0159ad7a27c8 100644 GIT binary patch literal 1077 zcmZ9|Nvq=o0KjoU1t%h2^f0#^gh67>(yW3@nx;vbCQZ{UO>_=TlO}DGW^1zzB96#A zISeR+7eRzkQ3Sm_KY$1WgW}!O;6X)rjEV=J7ssRT6a4=CmtoKg_N$`J4x4oUd|HHX zg#x{oz_N^bfsYXc%7CztwLuLU!?8c|Av)aH-L^02a7x1B5Em8a$hRS?Z}FjIO|5xX zuYhBpfH#KAP^~x5s&&2eGF`yz?J6&P(F*4)%@rmKnK{hq|FmpV^)ieg!Jy_={TgKH zvX4|wvA45aV!1St=Xsnd3`;SgiWl1vI!2-a!8KmH2ZmnUk2dl~2~1SC5k@uRev*cX zHf9Y+&Pi52LUe4x9E|+WBDo2yJ+Pv3T`r-7M^G9z5j;M z44NGJK-#ye6=ylxE?ajD!;mgEYZ6qf+5x|dbehEdR4O`|&BBWpC5-o*8Q7$3$`d}* zxYC^0P&pfQOa8zqr4q-mtC8ZCsCJeELv{!xT1iB;UrFr2iHL?k#=&wdE8>xs78+&1 zo*=*^!{U30zo?DjjUI&H?8qM{%RV~I>wp&Ae7T@^`^xP)#vhM^!(_N-OO0qSgEN7F zG=*ZlQ4K^KcqnI^DNEaa#7NjEEGUv<52FU^{E>~O7d1hR=0XjU44%V&!Wq?Sn&U{w z$-9AN>Zrm=m@`vT%A68iwdRdJ4Qx!!vgf54Cz@MirJtzouB-Ke$C)(9DOQne6w+`B zS>hM9V4<)F7Nn0#WLYE1^!!n?(*0vHBordHh8BcGIK?jxU8PVh1Z@!@8dS98BA$hF z0xF};j%(eST?U!0$m)(>uc{p^h!09)^P)yXi*z*uL+Cgqct{qP+3ehPnU=?6d^pijg+L9BTj3z`Z*05P1`^Q|R0&1~tCr&+@*la^OK(E&W zl_|PFs=?kV-EO|1*}5f7bK*hf*51`>H7kyB$=Ap*h-SbY_p3*4e*F~t@^`mS?k2bY zx_9-A6_)s8=Z>$6wyo);$%>(`3QFJ>S8`egm_4e6PimoL4SzfiyP Y=oe>yzcF5xr{K1|_sXp&u*cPZ0bvko$^ZZW literal 967 zcmZ9|Nz2>>0DxhTN+F&^qz6Stq?HnFI>^#1S?NOu80g>V zRn@NVxd@KKR1X^EN3ZD}0TYLH~f&dFp=;D>E>jDd2u zP`Yp(#YtimpihT#vf`5xV<3G4byAIrX#!$FwoCZ47bS#uTeU}5VgtdFwcjgXCP}LV z-8(vxEJ_&W3e5F7gPhx@uQVQdRL<dPM@OU|y1&4G- zES$5N3Sr~IBJd6(`4TI8>P+1H}54>SZR!FQd z1}p8!Dx`)Sh_<-NFpOtI=>&43c1iP~aaJ46cKWF45rb)I70zUodTUB-h&AuQ?RXe6 zzF%97fmJBDBqL%t3>*OFu!*@0QV3IrV=`YwslFjP4VQE3C7fE}JJcCH}_Rx)|TXE3<{eHhEY*|E+>A|43Hp&=L+8Qe66k#u|b$zH}(l$9x zK7gPm4uJf__M2NTJs3NWpW=eq*BAP?t@oeD&tLrH?>B#r=ij~Y@>TBHx8#Sy`MKEBj!KYRO9{oB*GKKT6?`SZJ9T)+P4kCU4tadqw0?;k$5fBn(F3=vA= 
diff --git a/secrets/restic/redite/base-password.age b/secrets/restic/redite/base-password.age index b83837c2ca405db6804a67e7b8936df2aa01cfac..35d1b35d48d278ce5903264e0dd3cf58e36ba588 100644 GIT binary patch literal 1235 zcmZ9}+pp6E0LO8XV@}BQ7(frA4>E{ipp33v*RB$XTi4y%ZtJ@477j_b-q&_(*L7<# zA&44HOeA;-4+@b)iJHje7&KAhgDBz!6NouL0w#haM8#u_NWcWqCp~|`C*R*sP^5@t zbsWF%YCUU1&rv`R3Pm=D2Lm-CiEum);bFCEn1y6`0O-tk9PPJ#O+;G$V60jYCg`>> zL{yqelQk&-HO&bK7zs52aLgw21ZM@V!qs4m&o%9SBG6>WH`S;LTY^18GIcaJ_($t& zUZfAl(XcckIUTghIi(bK(5 zDXz&zDU0V*)l`>(WmZ)vs~AlcOcbc4bHxl;;3(vO7D~`y`Hp2&H3F!JgpBqC)DqLJ zegPWw$h2bjhXCmetQZA39W3nz{g72^CsIbA(c?in(5nJMx6^jf;~j^HTZGa~-0^U% z!2{#w!WHu{DUR82!R$BvK-J<{JVvuz8}o`XYL#Th&Ik@SCWQ}+S&lM_ ze!e4TJcdnWRo;Z)W=4Y0vYf)`Ml_@k6;ntL85{6&itN-oMO#O!W{Y=9gHarGl`@qa zm}N>+qYK-zMU~5r!fYV`D4*oiEZi|_Y0<)gR)f`gF0Q(bAmsrB1d0u`Nd~lqEOT%PTF79Jywk>bKffGbwiOzB<%AAIY!b{weENIAXRSCGLrXn zMaMxL%gc17G-&w%EmXurX!ma`w(NXY`1{h@bOa8pZ9?;XE-9lx^t@W$i) z^#>l@oX$USnHcozD7(KjF7fRl?!XXEm#3bXzGxnq|n zL*IRF(;v4_{-zb@JHm>qlNHS$htxd-C|)z9rwU-|^8Y;g^TED=RlW QA@76sA77S#`<0o$0nVSflmGw# literal 1125 zcmZ9|>yOg}008hD5;O}Uhv1n=WJma5GH2Iz?KY#Fy>9Kcw(Dcvx>l5Qx31mRtzFk! zAAy7*5eP965_}O(E}BRHUkQnd(O`TWfuIru^aJKVM365kK|dJr@zMJWe#uYOwYb)s zasu0JS-nRrM+b&rB)&d67#MM_0U-#Oi5jBWEn-oZ7}!O@6+<=%)pVFtLMNsPg6)8W zpmX%F>ZVl{&Gz~1AYveV-ZDyp)0s-?3DOLPRXdLx|F=+_2DpDM1W>?|G^D&5UlW8u8Ho`< zo{?L)>eKSD)X*%+&&9fmRxd`NCf#J{3~PXtESI~@p2#W8G%vC#wZ*X&E@6h$>)ynyl!4 zA#5^kNh1Z>tl-6JUcyP3P0FxMnI@$IovgJ`D*`P+)1xRWXEblRRxkBETTC!yr-XV^ zjA-+YDU>)Mn3fcgmhgNf5vgH80clMF4J;6AW+T>i+_IJ_Y+K^~Aq!$~>mF%p~C7@1K3)6kqwjajH^H3oCBXrm5syqD2()i&O?i&L_$^8qHw ztb+-~CN2des;D#qG>CL0Yqo7M$bvyH%(vSK#qa5G6IZ%mZxZe%IT}kq0}Gw1+d(=K zkH@2FO4R#R-=KuH%)oF8uBTD5=Qg~y?`q{{nPSVh;HCXE(~10Co4xe6;?ABX@7(;! 
z;T3-#ef3u6;+i?)%DUdnp^MkXx7){e{dV`}HS1=cy14_}zGC-Jmv6uR?qB;}c=_mC ziDgUDUyq!h*}3Cn&iT<)?mhE`@cz-uPo&uAM^I$#*+&l`D^JBH9(d!xqT1!FcZ{N2 z8lQePa{bL$uF{X6AHD8w`tl%ikX^j|3^a4!5AQ7c{nEC1ec8kx@~yeq&!PFfyTapR zOTXVUTX=8&^xmysJxTm}Zf4clwd?Va{9yITZA*q5znwd|Z)WM06Bc*jF8S2K7r`4l zllhI`#Pm(#(;tuBym6>AatwU!mklc)yf8X;c>nEZ#y`Ag@&0qG!IzE!-97e4tF~y5 m?ViYDymMrH!}7!N6P3NsJ`BO%9Z4*D2*1WX_x4uq{(k@zkC})7 
diff --git a/secrets/restic/redite/base-repo.age b/secrets/restic/redite/base-repo.age index 2f4c34137b063b14abb4f118ea92600532f08dd9..2f072c69d677f292f8e58b7eff3948e3416b4d6a 100644 GIT binary patch literal 1083 zcmZ9~%ZuCu0LSrzw?Xy~=*8%1C5(B$5QRJ@ubD|EnPl@ogiMl2GRY*fNoF!LSWm4U zJn60MLA;4lJSc*7Es7S36hu%_p(m}6gGjAKuoSJHbpL`6zaQTqiTiOG*1J`kRpk>^ zoj@C;*MAylnzSEBC_x|$kXpr3WdYY08e}hvImk@#bnml}zXm0$(UI5-y&8mvj#Up8 znn2i|H?B;ql}#?5@AEM_Y~-*)xRjU}dOMFb9NffUIe;j-$p6t+*`~ij2@;4qKEyhJ zt!2zQE*el~Aq91FlY$~C<{V0sv?vYPidqL*Q;;bsf<2<%$4(Y!Y?3Tnoh4EeD<`m@ z@m@mKFs-ppFwW=GJ>S~@vq*jfO&(aS>(kL*btx;f15{3k}Xd+ zv2iUJ`fjn(cxaI5J8xd7fuQEY(zdDX20~f72fG%s-l7hTq^vbJ%?(@boUypCIYn3x zMSlftM}nDmED@g7R46m!1Xx$g>%3a6xlX< zlge}k2F;j(u`UrUgi(aVr+zf|#H7=PTII~_GAoQ($ez_CEuBgopihT01xLuBBzcM( zkkmHJq^gBI@5q`lmSzP^t>7Rx6uaJba-0(zrHt1o5jtfu&>9BrysBoR1bo2Ip-yxd zlI707h5Wb2*d4Pi3#^kSSW@Q3)l9Kl?;Km-%{;suur@A9?E=k?V0Pff=?H;)OaDkz zEW?u+Xxu@{N*$ZkR;9L%$InN!GMi1ek$03bjAxwPMx<^P8h}6*JA~)UX39;ia)OD$ zd@xtD+ULTyHaeQd&BWL-#skOefRK(2M=9fpa1FSA71rY)s;BR8#`%5pA*Y4i@_L0L+U*Em)HwaXC6aWAK literal 973 zcmZ9J&CA<#0LMMZke-|eF9RvNNvwHkk|r1Bm$Z3%@}8z`dYNtB+q^z$o22MThCD|P zPTWC3#!wjQPCHByr-)7v^rC_%6*mt~1bG-J;xkYB`~{!y=kr~Je$UU`!?xJOdG>UE z7{WWW(|e{{RZ-9PFoHnoZZu9(33P*+HxMD(QYK>?rEDOQ>sr}@JS<%gaTrsC=0k-@ zrc&f|bVpKbqULNb-(nSpqPiBO)L~)>EQ;?jSphNLPyJS@@CURa-t`KMAiI9ey8XHf z3VTw(xFgT&lG`mAk^)VROx=D{gqc2-##JWz!J!J$OzKcXGgNC6q(0E;flTu)#Cnxh zkaDy%X4rfrkB50{6`TbA$0Au7)=yYT&H|Z|XNb2PQs~^rC#fclb>l*feBY7!08t-INec1+eB3|UZYt8&!#E0o(WLREE7R}`_4*BISM=0J{J4NotqS&Kd`hjBqJ0ob*l)5KbZ|JFdwc-D{20ZoC>EKS<_%Xeic(}WOQpeJ*tDBwYRBSKv+S9% z$0W-NmdI(EKU2U4bkV4S@ktpiFuzfh$VNP}l+6JeWbCZZlg(Dk@l--Z+crA=2!=$9 zX2(&6YH=ZK@fB8XwpQSCtaA{oh!bcY8>Wkp5*|m4io4+hRd*j=8j_$BmA0^IS z`1&E}!uL17dE)gepMP=p-m~Xlehoc$ ssh-ed25519 qeMkwQ rHm8PBJzgu5JUR8LDwtfYKC1G9nNTp/RDhBwcE3gpX4 -bffg24UPtdd592oqZmRE5vBeLOawd06Ly1oQpPFWV54 --> piv-p256 ewCc3w AqnnaM/0jDUtsn5Pd2kOwNYccVX3qwh/fC9c2Xkn9oM6 -RZcY6yFcGTR5OkUFJ7NXHNZkfP2gHwixfR2jD8j6F7U --> piv-p256 6CL/Pw 
A/wYBpm+pSebrFJQaHAi6s160F6q66ZqNv4U0CPF/rqm -uyfoXqTdchDgdWLTtxiyr2GT9coVTcY0TodoPAXtOEY --> ssh-ed25519 I2EdxQ a0dWSVEUmhLbJ2kfXjvjDvRMtuCtRktm2m1pbTQpgzE -M3EgtQZw7Nyg/KfuD8R+Txji3PO/vQA2EtnXe25sHKw --> ssh-ed25519 J/iReg eoIguFRQZYm6dEUzz+BhblhT+e/auOZD8Sia/h6/yw8 -SFPkrWh++D7drO68mYpTSdYuarXtxuba4/ExYyjTcJw --> ssh-ed25519 GNhSGw +WPoU/HXAEyMS6IfdjhwX/GvoQMLxRyNKkpeN3tgu2U -gWP4dU+yBPsc01w4ORdjelYZGm8yQ9ad+4odR8zv7Cc --> ssh-ed25519 eXMAtA geKWTCA1dU7CyiQFpuILO0zuppQLpgL9ckTuj3f2IUc -3z/xc0qlMttG/bMY7C+W3cEB1AQCkunbTExhU0V4QFA ---- oBKJY7LxTDs/My0AHe1ctI8ZXl0ns/AoCdCpEJq3/aU -<:*oS[nl L2$77yB;a/roTT"}B -0>jDL~Ā5(a(UvRrqCԹ5Z(Xs=2ۏ"i(Ju{\W /Nݯ/{{igǛ7Fg[ Pv#)ɔzQu\ 47w3zcÝrRQ' -v6VUƣ1[3- \ No newline at end of file +-> ssh-ed25519 qeMkwQ lhh6bd23FH3Hn404o9sJl+KImq+RXNRZFqPKJcZQ7GI +S2BQK34VYZGSSeKOqelBfcKxB0HbxK9ewRexg/PE36M +-> piv-p256 ewCc3w Am4uoXzdmiXDC+qZJVVZNc/FrN59U33cUi2D9+9mAI79 +oFKbEIomM3OfoPDIqRI8I1tAfN4bgfQOMgoZJp2OZvg +-> piv-p256 6CL/Pw AnSOSCc21ekFkc5p7W8fBOciNqfBn+wbn5KHVndgNjdV +EWq20DFhf9b1Cf7ARSSMrndiMcE3DinSNfeR5Uu+KLY +-> ssh-ed25519 I2EdxQ jrt85s0g6aCA/gs+UCzcV7Pkt703Fs145MPfus8P7Cg +GmBwegl6mmT1WOSMVzpH+V0mXPdW0aC76SSVPGGHBIk +-> ssh-ed25519 J/iReg 7Z2Ttvl8MDnwELutnNJUtMSe+DK7VhrDEtwmBTaI72M +PPEXp8cT0MfViIxP6TZX4NaIbU/cncfmRVx+/gP2ztg +-> ssh-ed25519 GNhSGw ET5WTttkMHIjv3P3c/PFDv0GJyf8SjanS3hLHsu9QVM +6FolJs4qL+NPlTRQzSJXt6PucFfZBAWqa32tD627IuY +-> ssh-ed25519 eXMAtA lMbetQOb1LaoGTgTOyM5VBiOZkKY9VI2roJVkTxwXSc +G07M8nFdtHrSHSBMBWDFPcGbBEVn1qWO8xHIV38YBXs +-> ssh-ed25519 5hXocQ SrxklvHG54MV6CbAvAiW28oTkj4XZmeAWipOwtvz6Gs +XdO/tq4NzjOg6GJ8nzKzxY1SvCbFxpfVtOs6hrXexuo +--- 12HUkojZ27/Vd1c/fWLlS6dS2uljdEMAt5tf9KfpRwg +QFW7@r(UXCGUWK6伯YL40.Gb%#vg3RYtSCoIRJʡH~FC/|%/i+CAG|/N6 +2ddK.+Ã{lؙýxSI6xs +cKdxl)Is/`Pl;@zE{==K?;?4_4sZ Ǻ^7$tjCFt1,-/A *;~A|n] |p \ No newline at end of file 
diff --git a/secrets/restic/two/base-repo.age b/secrets/restic/two/base-repo.age index b45143f46d0ad140ab742aab87bf661e35b5a0a3..e010244078930e25bfdb244b9fcfacc05083c5d7 100644 GIT binary patch literal 1077 zcmZ9|%gfsY008h^zJpOj!3VNS55mCGC25m3LHHzT(k5-vBu&yZ!GU?dA5GGxi4Fu2 zym*)|R1`s{hoP{Gh{D)OJnU2SG-0rl*D>(w!N<|>FZjXF^xc7**=1YQVV+&iOCLPI zz~Ho3Rl&e@hA0Z-y`9U)jnq>;jbX{M3sw4v&|#~3B~*?m))EQ~^$;&yE~hCMi|7Ud zrdA*t2WUH1*5skYOfqRJO@Vho-RdhyY&ve28wd?$0`i|$goi;fM8`e1ncAbKM`ZJ4 zB-l_j=QTP+Fym+$DJy!)aA*w`h0$q&G5fhgU^)j(qiDHW(d~xWb9IGy&145|Qe@SE z>!Jb;6I|-X1VN|@wEt&~ryMB$Ywb1=S+X>U9j)Bz3Zl(2&M5bADTB^vI*)5NT(EE~ zI8Y8)%-+VTNP_#axiTVu=}a(uHKFm;4)OzCj1w+R;0fWS{P{(8NIOTV*T`#h#>K~Y z*9Od5PZ$*TLb`^*VyTEE7x;5DLK9Do(;Vmuq@WZ~)vAbLXtA7sz8)No=9fYOZ^!KE;RI(AU;#AjJTkU_0_qA$`I0 z+%SoDF2zKNjnxu{w9cZB@8^^jBVCZu=QT9g=C;&J7L;VmAv6LFBTSm*L1`n9_4=-p zj69y)aC~DIvV=xH1b7|EuQRSg?Z^@LB<84;W>FPirt2}r(vIXIG#3|+Hf?~xV9XY}5&i5bv zbn*1>YZrbvdy{#1v;T|o`#Ya~`u0`j-H(B5CtqB@M16Pv)+ZlazIFfUlfQm@eSiJe YFaLP&ts5_VMPI#m=e5tn=T0vD1JP=2l>h($ literal 967 zcmZ9|%j?^8008ib;vx7z5YfXR@Vkhi=Fui?mfuT^_rZT!5>=gqq8Sv_g5RxC zt^gRL(spC7Eko!gisdc`Z!-XEB0`>;GEBUN@X-M6*)u_avWJ(oJH}7~CfE4j=8zM8DW0 z#GVRm5?NZJq|VyeaS!l?;qKSsFjkHgzjj$m23R2Fi>Ma%5)^i47bnzc-OSNLPRtmw zXXv3Z+*f=GcckDCcn<0cPBlFu-H);`o*KMOAerlmMJh)OF)qVIQN1}nC;_H+DI1E# zGL3pkWTN=MwfoIB{wTZj7d%>Ou90h(OGRg4b5?l5_s#b;-+w!0C2$a zWS_7uj&UKg3bvk#V>ehQ3x(Ix;~asF+jV+ zuM0gjv{%d~Hrmocp1S7!b@Og>OZ(xC;w1aUcz@!(q(6K5?e$L|-23|7@9)-6TzZ9i zk9zIpkM93?{+-)j{rw4lr}O3?_rE#1aD3zF@{3PDd2}VZa&qs&Pj5f-@yWy8wJ!$e zp1XSP=FjQp+2fa;t7ZP^^v~b5UvHl$A9=rhdE@lX?u8Gy4?nwfeKcU6k8XYU)?@zw DQBzLm 
diff --git a/secrets/restic/vaultwarden/base-password.age b/secrets/restic/vaultwarden/base-password.age index 927f9b1b76cdb37fc6165e9481fe6965b022e450..e2d9fc1aa4e6db2e54992f8785775cadcbaafc2b 100644 GIT binary patch literal 1235 zcmZ9}{mT;t0Kjoj%34o`gpl@>vrvjL@3!4;cZ%A*ZFkRhx7~Kzy_m+H+wFGS?ryu+ z-67@=X;CIch*msQiYUetLPh;3Sy2knFGXf#q)=i-_F&ly)zgnXf58X7-?px$HA{7( zk!RS}Cfm`0Ad^UMOS*0^t#z{bdomL^6jE85uH&qv_<$ZjjdHDCC{H+00COl?=|QqFitYcjkrAXv z**u)oLPE`jNlbUWfUM+aU7)E10z}gm%JH0TAuW1F0(4Lv!zgaZaa$QC7=#jIHA{yn zB_;SGm7)nzap8(5T1^o%iIiJ#9K$c65%oU{CMrN}(E>W$$Yi^IgnPXijlgt-WmL!q z$68S6)3OkgjssL9k44~w7Iq;Cjd}!m5Emxk5|!Kvc??I_}bn zOqS|Q_#~R`E4rrlSve~DVL3l$Bhf9#)s{FO)@O@llGN(#*sOIjY{IHA!=~wnIyz`^ zW~+gb-6qGH1%-!eniO|swwFOhg4}1JrP>T&)HOXB8*k^Cu%W)bHp&$b(;te1F&we5mZNIPK8K~nKW8eb`T~EDIO6MUSgTv5Z8)s zqhMJ?GiETA^w^P-7o>vPvTSW}(Nay5Sj@wcB#I9Uep`?@wq25#42lUsoEtznv?2}^ zG>dq!9h4{zv-reVDUS`4SJZZaGYN*~fd)5Z2Pq`xacN@81VO8i20^X>F4giq$yWJf zJ`)LpA<2g0SeAQ3RE&ppDdmeSpgD_mX5CN#t1SuW(|m$$>NW{5UL*}tI;V_)vQGy> zYNkDbWV=Il!YHwgAAb=cV>AN_4AU1`Jl|8 zb(D1z)919Q$6i>q^5`{WYkTLy)~hT2n7lF>PyYh%xNi&e#07t0_3WN~YWu4nk6zqg zdS?E{17~-i`s{S=`0)+vPU_{y!#BOXo7H#CoxzEXx1SE~dB1T&xa-QDg80UI;nl(B zQ|GrY=(|4OkKMacn_9k0Jh}JVpO){q^!3@7FaNWB(~&m6a(r{$fy%A)vwIkP+FADc z$FFTDeG#m=&0mjQSIrmcV^i;;$3Dc?UHf~PIQP!s6I<5SzSMtx$-d(zw6OZYYlqfe zJvhHFb9C8-`KEf{{3DmeRde;Lo4%R8{_vy2yEisB+?cz+xbg5uAAI^`bng1aGl!yu z=fzC%t;*BemM2zQz2Bev+1!gflzF>-=C50R_~g6Mnk!GuT}pp%YX^T@k@<7C*!UMH CJhp29 literal 1125 zcmZ9|*>Bqf0D$ogq@hJj8a!-6;>ZKXP)O~>M-pwV>e!BJ$BCW8iDRHBhaD$z?D$BW zcoNdYxpreh9Mi@aoshWtKp%=2FxaX|eF2HFqf7`y2SaFk=n$Y)+eAxwq<_Ir-&d~7 zL0PX_gO1ZM^dZBl1HF(hIO4Z$H7M7@2oj3<^Jbr8UBBJ*SUyBX70W^62$5`w1%`)- zw8m8P{bXM?9hblpNL+<%A5*go%5Dot0klL&BI@;Kf`PjY-1a=htY|`|DoU~xGdjk9 zTBp$qcESkimtDLHxqhsvfvLR5VXRxIqcUT|Q96y+w7B7bP^N2yB)%!+TCu2=uzjV3 z9*CDpm|aVj8iWMIBpr0}<&r9jKp%>v(+UzH%N>m@2>-KCoCWwbtHZWrE}BiMjN@r7 z1=NKBT9ElJ9Egd%l*x4&V1R~dCP;>Typ?DubTy;5dp00IQJ$7lHraAu-PR;nkqsx_ 
zaybf@is1T-beOF5Gkz~+ijYvDgj^tGvAUg4hctn!6#6~4K~_P$==B^F?o%bGl0Y0=#(_du4nL=5N`P@l#E3L0!5n$oa*Ef0s%zeK?sJUK$=Q)+?)|e zsr>>=W7YKt}FV&ql}umjh}l1qCYE*qF((RV;7T?SX?EL{5~sHd+!gzO|MB zot43eY9?uf!7wf7lBG1v2$1Pwq-JXzE)DF0qGRhdSxjLL=EuxlyI3>?$U<16n^!aj zun3(ghmj7)6M~l;tHKqDl1;JXi>EB2iJ(Zap<6Xf>K60KbdK-1{XFQ>fovp~s==-* z6cA*sEg1A;dZfW}$e81hlrDt5sLF?GaTG4QF`J1qG(9NGL;*Ll2JM^Je>^_4viI1g zPwr^3joGJ1&nv^PE`)1i@7{>qyT5T|Qkj2f;C<=~^QXTChxe&mbImtULP zquhOadTV9cxc&pTT;2HV)S>gc_E8UmcWz5gy~r&cFdn>&Uum6s{NlB} z(%C$*{K1kn`S5dV z2fT5R6pti6ylX>!YVq?WW#r}@_4^;U#=l)nK?~PLFI_+SY2NHgPwdY99A8)+dTQ_2 zGaGlFJbusj_oHW?7q&k0&kQ#Fq%wYLSMj%77moIj5&M_PW1C-EeWUTRe|FRDt2ais nyC zR1iGPhw)?JK@dbQo;E@B;to4Z=1GwaFHVFV)Polp>dATZ=U?#peBMW!^>Cd9<)PTe zd3GT$H&BE0hA;H1DjKd==xBt{{RQY|O50!P^J$VMOhUx#m=Ww4o{lZCl0z5C)7H;7 z!d_T-JEF+co{fV6p4SR|q?f+YkfA~sS|W2?H=c!|foQEkZ%D9rh~>Xp5jVpE9TEL? z%LQ25XW}$P4r-2Q9WI+&G)A(4IaSwNg4RaZ2Dp1*?jn?Ig&6Kd4XG(?0q_FJSPsG2 zW`fxTLTdt*&0B0H8YZ83w$j4Ee=LGiApL=r&nQH7alF|0unww5Ynzz>lcqCOeVU-H zP#O5bMn9^kvNvMAe2L9Po2AFa*uXT`S9NI%xzNBxG3)r)COtFuMWVt_SCmkG)fs&V zGiHn9aTq(=xF)JZ9(4YEH`+74z*I;w)=hmurHd-wO1%W8;ZTVfX>8*(t%!)hnu{{S zIXd?0Dg*c`%}TUZCj@m`lcCsLZ~DMum0Wg|k-RF$PQ@P6cHQrSv}c(PLovl58b=BKR3d+ag4 zFoOvYygBl}l50n0_Dmnmozl}>7{pZ6O{rWKgw=$VFt*79%%%9$8gLCLRBy8E6#-Qe zyEtk%DMb=l^0slV()J1&Dde1~Ct>ZcTb82p8FTvED01?^=!0|=1m+Q0ivzH>)8k`{ zl6*}ilIemSsBuyQ6F^f7PL@W`*>Z@5tSUCGsg=0wpokY|dL}1=Aa)4Ugvky^$T{F? 
zsW%)B`y9G2SFVo|*rpkEWR9ejws&MHldKZ5?dZY23FT-;2bR5epT08qup#hE-#z>1 zE7#ATKU~LdhZw!Ndgsmhr-(-)8GQdk_VANK^0z;}ITL>J+Am++y?3LtZr0s z=5Kw}Jb&@R*s!b3i__h|junR}Pxm#@9_4D!U^@1Ok#6?t)P literal 983 zcmZY6%d6vL0LEc&!#EjGaG|3cGaHpDHTO#u4yNfPX_6*s(~~BG(0;kLNt(1xzO)Jh z2NVTC@UjryxNtEz2rd*iu3R{R2XQG5f(nAe2p$Fo)Q#iP<6rRbd*4~;H~kE(clkD6 zWlyixAyyGc^8np!qNeYW3`4X~tEhDqqKuJdEzVeUt?iy7icKa>_#{zARh5sX8Z^aG zSDn%>+a@(cNE<5Mm;5f2$Gtt2!fiJkYQkY*hb3Mz^HJVfE;&=SXz;I=$5k^Y85Z@S z2q=gOYjNp^!pf?Nb#GVWSWg=(f!|nGG>O%_e7Vwin1hZP1 zSkAB=Zp?28Y9=7w!ofO#gAth>b^xZBIAD3Tmne~kV{+p3fYTjED%CFV(<{nk*Q-r5 zDA#Vb(Mx8^Zxbt7jkG)zTs~=&b8BTSGt(~=y{0#vNJDCj<~FeeCuxU}vU1+a9c@|_ zo@;?ZBXwX}t5!)>hMxaV8({Is577vC^&T>RbA?ZS}2r0AZ;A+MY{zpTUlvjT1S}8yW9pyGsY7DMe7>L z?WQCU>&dLIo!0!RCTs`LoffC zUzcxOdhX19PrP^X*e9hcp8wz^Kf0jZzWN}1c=79}!EZNTd-l?c_-9w{x_Rp>^RKgK zo5_b)|2TK|j|b$N@08ZN@$ikef~S6Z^6mc7H|4cQp1(kSd+pUPUi$dpg)7Ieoc!_w Zot&9I`oPtn?|q-T_>lC><6mFg{{y-KOdtm39)1(m>VdwKnx6<5`%%6#1FJHLj*03s*oBr zIFdmoP$89EVk#m{trJkR^l&{ng&-gUth_je8VWHBB6ws2O2jrONCu%0Nu)@uBrGCK zB8MwehCfLcXHI@QKzTT56h^bAVJQrPfen)ZY(fzchEZGeLaiV@_#4ca-LSi0I}&X ziUJqNAlV=U0bd^mCgX7m6&FX+=tx>5OM}xOm~=b>2WRjBd>cc9;Hkr@cvv8Xgb8Iz z$c8w!lug1ijbgsu92;h~VPpib+AISE2M2>vxM@<0E;*HomoT_`B~qldn&XrPqe;#t zvdnU=4QYhIs7e!th6QxpV}*!%?Jp|_L&iIoB?~X+_Sf7$r28J}S6j4v>+>nb+fL{3 z-UZlrnS1T+@6=20a?j3nv&R{n>Ak#r!?f(hZC&CJUd_26Mp>!B+tpqX?4Px;+@W#B z4fy7?k1EZBv&C_yjj9_LfRQs$Sv#VB*y7JzTGOOic_>qS;q0kvqWp=q-45y1F@(;s zjHd6eZ(`1`Z{Owcc6IDX>*0mtUhZ%F98?``V$Sdu2azBb!wL4Qev+S%{QYaVZ^ITu;o z616nS5^7jKk=JvEb$iF$B*^n7#QtI6C%vWl-tB-L>ziQf_td-Xkwy&-5FnSm#(l27 z{d1zJg6{D6apRH^<=GX+4Uz$?fQ`PToAqXGnZEhz#KjkJOJg>biOs)Wi-%5}nL~KD zl5X3c4yyDv0`A{|$x)x9{@$Y}O;+{sGF!t~M}t1x`sG^j5Z{+j4q6co)*8y-90>K*fsVN(#{!T25de7|u4V@XiCB_lq4 zY0NZS-kOuP#l;sM?%~Ef;mDmb+s6S;$F9TIrJaDCYkyo7i#D!_3Z1^!m$lLUN`nRsn*MSKmR`JwJb4J$maz!PzW2}*sJkmYKnxR6=QcFCA7ZQig z_#T?pav=Ai>A*wNHsj7_kL?A+m+MM1U}cXwIPqr|v?BUmbxHwlDcg02T~ zHl}^LS)Cl(;k#(j>JwVcfZI!q`_VQ;RgDj3wCMdhwr3uAxQJuSq`N)Rvj_a2+gwCf 
z=X&q2SeYwRm*zPuj6H>ozwdq^z43Ts6tG1!2bgb6^;(E7%e<({b<^E=N?(|5+j5PT zQR!qsOnp8#yP)NnK*uOwPxM?48+Ev_~HF$qWp>qSKU^T zpBJy)8&!7V^aH=<>9F~mdwt}EDNL#kj_r^xsq)`RLb85~nfvaK+OpA!+5}Lr3%+x7 z{zJEqu8v*bB_B>PK5N(`FDsYo#`mqc(&bUvRFxp4YykpXSBdMse~nQJI*vB<%&v`o z0jGKZz820j_kWJX{I&7wGIJdg@M2SuO{H0$4Nvaqx>DH6^X>pXRm_)clPZ?N}W7`dO(Q`!Fsv~Orr?}-MN(=QXZ9GDZ3(DW?mYm;^0*a>P_BWvheoWN!y>_@R%_T=>ejAEBn1jTe<|L$7RlVGK z7&{4r{axCh?%~w4>=_q4fOmUmK11!kwS8~s z-ri%U61Vkagx?S9?7D@l$!^?=uy676owm8xdC@#ItU5gjS71GCPi(KOWKz`iN%<4c zu6n*>Oxv}VoAXZkeZmn4@!4_8QXISu`<`bmZyJ8lE_=5++NJx+2k)XWzyVyX8)qQn zv=@2ZvMEZz&OdU-<^)kKQ{7%7#GMLx-p2&Eul)G40K=(^#}Yp2>N^ImgFK@HBPMgt zr}VjnJGvdk727hpGefrktKAy_)y-k{)<^CqS_=9h-ln40^2Y&PU0*mozPqG&4D@1i zoQi+Yp=NaNg3B5RZ=_E;1PypPwsLd+_OQBo%WR*DDb8#|u_XAainRE3ZDY&g?A1kE zA0Y=53W`e!xGJ*e3vcei=+efijVq)9o{H<#Bce zfI4QPS~nj%K5Mwy{@Oa2_`dr9t}JVj`dH&u-9Gz>wfV+d(csJ9Zr+IXf1`1Z+SyiNp0(Sg57gymfKF{a>0S5fD?|cK`nph z$2^&9JkoY@AMvw~4}sl1y~jGwixR)DQ0NM!KS(SwX<1DhIA(P4WA-R^ECFxr@wNY; zFT!2^cy?A3(K=S&d3=x;cZ>3HFdR3qb=zUp4B^|;R@Ie1l3x)~Yj&3(lbw9y{pLw7 nNILiI>)HK@-u4yd;>6i+0bSo#h?kPWn!y2oX-XVbqJc%eoq!#F{TBA&(Ua!$hz-EX`NCe1W zkcNnaP&gcd1~GJ&_&5N>GV*LRV^UN+5>Q~oNl`p(C?VKJH&TT$@n~^OG){t`7_mAC zk(TI!F`1}}XcUyiVeq85C<;u-k}!-Cg@&qP+Mo~)R%s*XWI}{E%H{^p>PC9 z1YiX)0EAJAVZmyhnF=8#*-Q|%&Z@J75;(CU0zn%rFbRZIwT>!>gJl5B;vxVzY@SuZ zWAa!wl~SkWge3}8dJ`{L&bLZQNDdi-;mJgJtcW4`KMR4411J1zfl&ZKm_)RS1Qre! 
zhp-Wos8DOX4knXH0V_sgmSQL|B8V0+abPZdFhxuZ<(W9hSUFo72RE8AdOpnp$5Lf_ z0IHK2_*B|Zv91fX=a9)i=yCGhnG5i~KH!i&++4NL*sOv5LjVkNOsv=T-AS|fpF zG?4^kw6cT63O$w@$G2c;aj{}HjS!EG=9m*W!NC+UoJb^?5{+cDKnb{j<4I_$(89!+ z%ZwCgPAWMhwVGijpNEW2kIvjDScB#)R1@d@)C-v?4hyqDUV`x6;u6 zPQxd$6)pt0NzByXuu77|B0#gE2x2f%s#MU~v;;T@MwXD28nYfwj4~KeE+HWyAh1rF zB&4COYfxUa)=KHIj35 z+@SiWE3c)!vMA0sUke&jJdHU1+z1Wa`siU?MAd_*sb{jCr}m6~c=mpKRpQOYbZ$B+ zj6bs@($WWMfB*6M+b239x1jLRixa+^377Xc5ZyvxNk^DWi`ab+pj^@Rb1wq<{9T<*Zs9&$b<09W&KfOmE#k6IpGCY_O@Qe z40ZQ5?&w@I+4=14+!H?mP}q^r>xMYfE$MII>;FTy`r1DAdsHs>h~R$u1>1SxpzE54 zp3xJH*J<}6w>ovb+RE~{XcqM$;~ESOK3+|x^s>7x>qiCGr(*r%rc#Y)$L&G+>0Q31 zjf|xY@}<_^hQjqK$T6p(&yLk2{PFr}CdVY*0`~GI)UVDzUX+R(IP@-t=DXtcRcQHC z-o}r=&}s!kw}m@`_C_17{93UAOUAm@YkZ$omJGMqJ*w72(Flx6Z|e$d%b_bYO>lYd zMCZ;&9D^HB&W3@<+x7%yNb>?C^Kb9`$0@C6qzg87%l5SGT*7a3IB8>oLrT(#2e;;J zMZtPKO6>ic0#?p;)nT_RjKaa(TjuFM27JOMlfK1V8e2uTJHC-R&hcnTSvvdv<*8T8 zDX%(v{4>6^psXrZ+Uncf%_ZBzvKFVOk;1n(sYd+Us2PhHM{^1!?-UmAuBPGp(ES-C z)TK|4AG~e^uSAA4*yQ(Wuc(XvTG@7Wl3x1R*wJbp*3I8@e!^LhQu`d|R@+H&!N<-) zn>^Exavi>}b-#85a?3e!?lGNTGQPU6W+*tP*KwkdH#p^~a9zrcZHEuP*|h51!T{3D zw&EzCz=ohD57BS86}XPx?btYX`yeZNaG+ud_2tK)oSa`r{|v%R2JJZcAtGs_Vt&W~ z+`k~Ypn1Z+I#wLlclLNRTpor}`{B#@0Q|n077Gs!zm)S?j_#RDJ2d`#xMAUUIGIGo zuVSp?ms z*_E);y^;>6OnstZ>#97);Js@bha@xS)--LeJ{>7rGk}wDFZhUVs57%T7h++PMF*NS zs=mLRJZDf&emAtb>9c-EgdMx^y6%}+V@ zL0@_I;`Fw%+O*?G(wqs&aEVWV%sxxpkzcT2wG`oA>*iJ75VNRg-vv)SE^uXi`Ndf| zs1D(}V5B8y@biHksfPK9{Vj)sXP)PS)s^s}GqRMo+CmgOI;G72n=$R-=8|{nzWy3~ zIWGI~-J!*nvkLLY(KCVCQ|58{&X7yHmh=ptvuB^Tm)AEAu*M98uvhq+1-n8Y*p~o) zqyAM>$XI|Ij9c@t;?zKd&@WRSZ z1qeDG=kUl7a!|up!PDag(@auED{XUqAlm_?cv71wO!*loCfhi zkP?|!>yvi%OvsffM`C7s&ozN+G&MRavoPWoqdIdcT=Dmp-`C_T%UXQc)ww_C|8OIH zVh+OFJF|oyVh}s7%?Oa41g`Qt(iE3wp37TR^ZrB@_MLtG-oelD&HiOY>|GZhpPcm9 zJ9U>ejLxa_tmhxQ@!HQbV)v2nwxm*Le^lM{n0VD4vjF(d=wIPolilvztOK>bvi=Kf Ch`3h( From 7508137e40d42647539dd6e4aa4de7f4bfab36a3 Mon Sep 17 00:00:00 2001 
From: korenstin Date: Thu, 29 May 2025 18:30:23 +0200 Subject: [PATCH 14/17] Ajout admin token --- secrets/vaultwarden/env.age | Bin 2817 -> 2951 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
diff --git a/secrets/vaultwarden/env.age b/secrets/vaultwarden/env.age index f3a5d82f7d092b209b2f79280ae649767f7a78b8..d2d5d0e9ae192dc971ded2bb706ab16a82510da6 100644 GIT binary patch literal 2951 zcmZ9|`CAMK0|4L>HjyJoay1e~JI&op2-956)!b)VJI&P`&3%)jBx!AulCqhQE|erH zDMzVIg)W3Bd{%OYqN9YYI7F``8GuX@oeF&J&($VdF7!z$Y=>!xw7zrbKP_S|o zT?mhH=%6uHeYn}Cg^5f!8wkP{OWAlF6)TIyb7^KaU&r~Mrc+peIw&FpAhlw|Fe?Bp zr;zzf5(5TSBLqT~QG*YnYj{cr35t-|bOyOmsf|$U;#9G*QiKPQstrO2h;j-)4i!hW zi}Y+5j2Z*O*wC?N17A(TV0iKnshDO2Q~%Ej!B9Z-f2~+ns6!NomeCcEa12T;7Rb@z zp*A`xQfCxHDIk^H$QBX_2DF&N^}w3B77<&khojh1v@!wkf+WF%Lt_;&W)TzRVJ8G3^cI`~Y81(oa*CNM zMPW50B{7o4pyOg01g6qLq8OD18BYAOMu?1M5v%~bkQf0~>a9YxMWz=sq-G%#%{Ov2 zQl^P+k*QQl3mK)v*bH1I+QSrTp-Z(vQmvE?hKCYDwIr%mL1i!mdX<$AV&UQ(9F5fh zVMFD(pEW6;iZ-DEQWH}PmBBQaSVAaW!jC}Vg)%mqXON%?2D(hlaexpyl@tv9x7C9W z#US`%i%BYzLzGmgjA{WHa9klB3=v4lbS&AZ9^0i_HKyHT!k!&Re zON!$$^kSVYhJ?4X7#s**AvM9p9J|9x<5^$`jm_v0#FIM2Fr-6mB?<7xIF(YQ=Ne5i zmO+II?>A8$h0X9ZTv0#HDIpH#u#9*R?3)nEI3=XG~ zsAwLCuAq~x9-JoTsJc&**~q<>Bc<+{5Z;#@4vF_GaQQ3f+Ld42qLGjpBICW6wU>_9 zR1YTSQNQ1Jzf9iL#OtRubRYWUpUn3f`O+#N?QIfvvW$z!` z6YuUJI-2I>$LE!D2ig*&RIF>CKkvM8tn=WI-n-Ck?fI^;%X=AAWVY#BtNdy1PKmc% zt`_bOueCa%72W&bM+-KhpROVp30}pwo#U6ZTkEq1dP@SC5+1$vw_(zZD3EMze;@7f z{G|uS8*JnLr*{2-wjABEnVNeeB`p71H{(a*R|4^A*Q71(=d&+$S2D&p*=rS+k3R4A z)BSf=b=s`ax%r9~2#{Z_y$A35&hGQN_wi(0YwdSnyFgdq9-R@vlBB4bT_a7)N6K9_ z!%J2OJ=UbR-vVy?9A+5zB#d@gm2C;LlFvFaMoa!P=gwGWU609Dc@VP9hHLnm z-fg}aa$AV1Ep<-&s!j2Fn3l4@^XfwWtEMhc$?Az02`{_7bvI;Zo^8#L`vb3& zihMj^{QF7lVeK`wENT!6}4wR}80# zt3z6{Kk^#|DW?l>`qY(A?JdZdQhNMR67EjR?aADhqWWo%P$he-rql-b;;)0hB{6up zbio%(J6 zc;vlT*e;J2<9A}9m)}_GkBu%9i!fQ9J*_tbj%F4Q)mbg}yMFJv5u8N#L=CQBdVu7! 
zl1q!Y=9ZlJWl>^N;`Mf{@3j{@do#Y3l66FLxlh%wxY09@EZ=pw*6m{Xqy_uxQ;#&f zSnC3*^L(+pZO4~^BW0Z>)C*#Nt45K{l=Y8AJX26o1Di=R)=s$k@_#g;i@7 zl`D@XjK4XSW?x0oLgF3kiUPTn3pgzWKb8iNk}8#7IPAvS;0OF- z@fTUw@bb{>S!Q40-Y06w=R5wJPNhc?sL}Pwk9c>SW8OO!`T9Sc;3V}I)tm;SP(JlJ zo8LCnDg^MtqQJvv;%#BO$|gNsLh4_m%co7=ATi(Mon*8W@=oV?)_r59ak?g5XNCDS zx;XQgheDg9=iEC#Pd6Vh#{J+*`Q{GWwW2Vp8hh&qHT0j4?ks(MsyOfReC*0|NjaGp z23t!<{Km+aN;b#|cxZcQ+=(36ImL3t`^uA@z^xO}Fd76&GGh9kN8^6K=8IhBFcjYYBdmu5dZwuF&VI4RR- zcjwFnKA$2gd=3oYW?jr;JURFzW4@%~p5)7o=WBQEcP{Ku^sE|L$kedzuSr04NB35; zr;WJWYx>x(8Qyd{pnd52J6+M!08v@{M4zd3AJ%=d?C|(Juji#QQ$qgmgXZ!zb%ob4 zS3kpuwNuHOxijxnyNy20IWe%z4>&v$wTkA=$)+t|H|01r(KStIq%GPyYyXoPes=2i zXKT)lN}f-@x$W(IXEsIc`ew?`jL7KIftbumGvAzjGb;;)e_a*U)+9LDkua3uxM5u~ z_iD38>Z0L_wCCvfLuow|sxU-mmslN zkD!h58nSWwXXlN_?wj77s43nUYTJQ4@vt=f+}hE&ufVhYFI<8GTGH?Ux z5fATF6IJaW%{woT#8}Piy^(rpXW4Yy(`UQai)*~nE4~7Pyu-$iXGzY-$qo^>P?ohv UY!5qgVQ^_?JJZ9Nbl#`;zj%QuYXATM literal 2817 zcmZY5X*d)J1Hkc;qM_+PN@VDEjhQiql+1mPxy=mHnENpIVI-9f?UGt&m(s30tx1Pu zE1hnYBi&oh3Q6~-LwNW7`1XGOfA~GmUnr9VOEe;bO=nVQH6dDq3~Ye_f}=r3qdZt5 zhQi^HNDy0}8cVT)U?jdwlLk$bDg-tf4V9(=%LG!4Ku6&vqqLzWJUmuQfysn0Fg6sR zMoZb^SPk98RfDN`x**OP&bIQXU_IB0SHe+vGo4AG$V_;Jjrddtm39)1(m>VdwKnx6<5`%%6#1FJHLj*03s*oBr zIFdmoP$89EVk#m{trJkR^l&{ng&-gUth_je8VWHBB6ws2O2jrONCu%0Nu)@uBrGCK zB8MwehCfLcXHI@QKzTT56h^bAVJQrPfen)ZY(fzchEZGeLaiV@_#4ca-LSi0I}&X ziUJqNAlV=U0bd^mCgX7m6&FX+=tx>5OM}xOm~=b>2WRjBd>cc9;Hkr@cvv8Xgb8Iz z$c8w!lug1ijbgsu92;h~VPpib+AISE2M2>vxM@<0E;*HomoT_`B~qldn&XrPqe;#t zvdnU=4QYhIs7e!th6QxpV}*!%?Jp|_L&iIoB?~X+_Sf7$r28J}S6j4v>+>nb+fL{3 z-UZlrnS1T+@6=20a?j3nv&R{n>Ak#r!?f(hZC&CJUd_26Mp>!B+tpqX?4Px;+@W#B z4fy7?k1EZBv&C_yjj9_LfRQs$Sv#VB*y7JzTGOOic_>qS;q0kvqWp=q-45y1F@(;s zjHd6eZ(`1`Z{Owcc6IDX>*0mtUhZ%F98?``V$Sdu2azBb!wL4Qev+S%{QYaVZ^ITu;o z616nS5^7jKk=JvEb$iF$B*^n7#QtI6C%vWl-tB-L>ziQf_td-Xkwy&-5FnSm#(l27 z{d1zJg6{D6apRH^<=GX+4Uz$?fQ`PToAqXGnZEhz#KjkJOJg>biOs)Wi-%5}nL~KD zl5X3c4yyDv0`A{|$x)x9{@$Y}O;+{sGF!t~M}t1x`sG^j5Z{+j4q6co)*8y-90>K*fsVN(#{!T25de7|u4V@XiCB_lq4 
zY0NZS-kOuP#l;sM?%~Ef;mDmb+s6S;$F9TIrJaDCYkyo7i#D!_3Z1^!m$lLUN`nRsn*MSKmR`JwJb4J$maz!PzW2}*sJkmYKnxR6=QcFCA7ZQig z_#T?pav=Ai>A*wNHsj7_kL?A+m+MM1U}cXwIPqr|v?BUmbxHwlDcg02T~ zHl}^LS)Cl(;k#(j>JwVcfZI!q`_VQ;RgDj3wCMdhwr3uAxQJuSq`N)Rvj_a2+gwCf z=X&q2SeYwRm*zPuj6H>ozwdq^z43Ts6tG1!2bgb6^;(E7%e<({b<^E=N?(|5+j5PT zQR!qsOnp8#yP)NnK*uOwPxM?48+Ev_~HF$qWp>qSKU^T zpBJy)8&!7V^aH=<>9F~mdwt}EDNL#kj_r^xsq)`RLb85~nfvaK+OpA!+5}Lr3%+x7 z{zJEqu8v*bB_B>PK5N(`FDsYo#`mqc(&bUvRFxp4YykpXSBdMse~nQJI*vB<%&v`o z0jGKZz820j_kWJX{I&7wGIJdg@M2SuO{H0$4Nvaqx>DH6^X>pXRm_)clPZ?N}W7`dO(Q`!Fsv~Orr?}-MN(=QXZ9GDZ3(DW?mYm;^0*a>P_BWvheoWN!y>_@R%_T=>ejAEBn1jTe<|L$7RlVGK z7&{4r{axCh?%~w4>=_q4fOmUmK11!kwS8~s z-ri%U61Vkagx?S9?7D@l$!^?=uy676owm8xdC@#ItU5gjS71GCPi(KOWKz`iN%<4c zu6n*>Oxv}VoAXZkeZmn4@!4_8QXISu`<`bmZyJ8lE_=5++NJx+2k)XWzyVyX8)qQn zv=@2ZvMEZz&OdU-<^)kKQ{7%7#GMLx-p2&Eul)G40K=(^#}Yp2>N^ImgFK@HBPMgt zr}VjnJGvdk727hpGefrktKAy_)y-k{)<^CqS_=9h-ln40^2Y&PU0*mozPqG&4D@1i zoQi+Yp=NaNg3B5RZ=_E;1PypPwsLd+_OQBo%WR*DDb8#|u_XAainRE3ZDY&g?A1kE zA0Y=53W`e!xGJ*e3vcei=+efijVq)9o{H<#Bce zfI4QPS~nj%K5Mwy{@Oa2_`dr9t}JVj`dH&u-9Gz>wfV+d(csJ9Zr+IXf1`1Z+SyiNp0(Sg57gymfKF{a>0S5fD?|cK`nph z$2^&9JkoY@AMvw~4}sl1y~jGwixR)DQ0NM!KS(SwX<1DhIA(P4WA-R^ECFxr@wNY; zFT!2^cy?A3(K=S&d3=x;cZ>3HFdR3qb=zUp4B^|;R@Ie1l3x)~Yj&3(lbw9y{pLw7 nNILiI>)HK@-u4yd;>6i+0bSo#h?kPWn!y2oX-XVb Date: Thu, 29 May 2025 19:26:20 +0200 Subject: [PATCH 15/17] vaultwarden: remove postfix --- modules/services/vaultwarden.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix index 718beda..2b79a57 100644 --- a/modules/services/vaultwarden.nix +++ b/modules/services/vaultwarden.nix @@ -23,8 +23,4 @@ proxyWebsockets = true; }; }; - - systemd.services.vaultwarden = { - path = with pkgs; [ postfix ]; - }; } From a8061ccb3793e0f5af4b73215f57b7f4adf719bf Mon Sep 17 00:00:00 2001 
From: RatCornu Date: Thu, 29 May 2025 19:31:47 +0200 Subject: [PATCH 16/17] vaultwarden: add nullmailer to systemd service --- modules/crans/nullmailer.nix | 1 + modules/services/vaultwarden.nix | 21 ++++++++++++++++++++- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/modules/crans/nullmailer.nix b/modules/crans/nullmailer.nix index 23bb4ef..fdc6aaa 100644 --- a/modules/crans/nullmailer.nix +++ b/modules/crans/nullmailer.nix @@ -4,6 +4,7 @@ services.nullmailer = { enable = true; + setSendmail = true; config = { remotes = '' smtp.adm.crans.org smtp diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix index 2b79a57..7b7367e 100644 --- a/modules/services/vaultwarden.nix +++ b/modules/services/vaultwarden.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, lib, ... }: { imports = [ @@ -14,7 +14,26 @@ services.vaultwarden = { enable = true; dbBackend = "postgresql"; + environmentFile = config.age.secrets.env.path; + config = { + SENDMAIL_COMMAND = "${config.security.wrapperDir}/sendmail"; + }; + }; + users.users.vaultwarden.extraGroups = [ "nullmailer" ]; + + systemd.services.vaultwarden = { + path = [ "/run/wrappers" ]; + serviceConfig = { + NoNewPrivileges = lib.mkForce false; + PrivateUsers = lib.mkForce false; + SystemCallFilter = lib.mkForce [ "@system-service" ]; + RestrictAddressFamilies = [ + "AF_LOCAL" + "AF_NETLINK" + ]; + ReadWritePaths = [ "/var/spool/nullmailer/" ]; + }; }; services.nginx.virtualHosts."vaultwarden.crans.org" = { From e9c99d2241318d49e36a7c1bbd5af62a9842aa03 Mon Sep 17 00:00:00 2001 From: RatCornu Date: Thu, 29 May 2025 19:48:20 +0200 Subject: [PATCH 17/17] vaultwarden: add port in config --- modules/services/vaultwarden.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix index 7b7367e..4cb76a3 100644 --- a/modules/services/vaultwarden.nix +++ b/modules/services/vaultwarden.nix 
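Review bot: The three `lib.mkForce` lines in the second `vaultwarden.nix` hunk (`NoNewPrivileges = false`, `PrivateUsers = false`, the widened `SystemCallFilter`) strip sandboxing that the upstream NixOS module puts on an internet-facing password-manager service, and the hunk gives no reason; presumably they are needed to exec the setuid `/run/wrappers/bin/sendmail` that `setSendmail = true` installs, so that should be stated next to them, e.g. `# Relaxed only so the setuid nullmailer sendmail wrapper can run; do not loosen further.`. `SENDMAIL_COMMAND` alone does not, as far as I recall, make vaultwarden deliver via sendmail — that requires `USE_SENDMAIL=true` (and an `SMTP_FROM`) — so either add `USE_SENDMAIL = true;` beside it in `config` or document that those live in the age-encrypted `environmentFile`, otherwise the whole nullmailer plumbing may be dead. `RestrictAddressFamilies` and `ReadWritePaths` are not forced and so should merge with the upstream lists (the Rocket listener proxied on the next commit still needs `AF_INET`); confirm the merged unit after deploy with `systemctl show vaultwarden -p RestrictAddressFamilies -p ReadWritePaths` and check whether `AF_NETLINK` is actually required. The enclosing `services.nginx.virtualHosts` attribute set starts at the hunk's last context line and continues outside it.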
@@ -17,6 +17,7 @@ environmentFile = config.age.secrets.env.path; config = { + ROCKET_PORT = 8222; SENDMAIL_COMMAND = "${config.security.wrapperDir}/sendmail"; }; }; @@ -38,7 +39,7 @@ services.nginx.virtualHosts."vaultwarden.crans.org" = { locations."/" = { - proxyPass = "http://localhost:8222"; + proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}"; proxyWebsockets = true; }; };
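Review bot: `ROCKET_PORT` is now pinned in the first hunk but the bind address is not, so which interfaces the plaintext HTTP listener on 8222 ends up on depends on Rocket's profile default and on whatever the host firewall (not visible here) allows; since nginx only proxies to `localhost`, make it explicit with `ROCKET_ADDRESS = "127.0.0.1";` directly above `ROCKET_PORT = 8222;` so the TLS vhost is the only way in. Deriving `proxyPass` from `config.services.vaultwarden.config.ROCKET_PORT` in the second hunk is a good consistency fix; note that it only evaluates while the port stays declared in Nix, so it must not be moved into `env.age` later. The `services.nginx.virtualHosts."vaultwarden.crans.org"` block begins before the second hunk and ends after it.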