From 8c39f54eee79713a3fdd1860b6c964bb82ae0036 Mon Sep 17 00:00:00 2001
From: jz8132543 <i@dora.im>
Date: Fri, 8 Mar 2024 13:54:40 +0800
Subject: [PATCH] add: fw-proxy

---
 flake.lock                                    |  90 +++
 flake.nix                                     |  15 +
 home-manager/modules/desktop/dconf-proxy.nix  |  20 +
 nixos/hosts/isk/_steam/dst/default.nix        |   4 +
 nixos/hosts/surface/default.nix               |   1 +
 .../modules/base/module/fw-proxy/default.nix  | 688 ++++++++++++++++++
 nixos/modules/base/module/misc/ports.nix      |   2 +-
 nixos/modules/base/nixpkgs.nix                |   1 +
 nixos/modules/desktop/apps.nix                |  10 +-
 nixos/modules/services/fw-proxy.nix           |  76 ++
 nixos/modules/services/hydra.nix              |   1 +
 secrets/common.yaml                           | 170 ++---
 12 files changed, 988 insertions(+), 90 deletions(-)
 create mode 100644 home-manager/modules/desktop/dconf-proxy.nix
 create mode 100644 nixos/modules/base/module/fw-proxy/default.nix
 create mode 100644 nixos/modules/services/fw-proxy.nix

diff --git a/flake.lock b/flake.lock
index 8f296fbc..c4de61b7 100644
--- a/flake.lock
+++ b/flake.lock
@@ -15,6 +15,35 @@
         "type": "github"
       }
     },
+    "clash2sing-box": {
+      "inputs": {
+        "fenix": [
+          "fenix"
+        ],
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "naersk": [
+          "naersk"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1705993101,
+        "narHash": "sha256-V1F/nH7qUlZ6vjXwrhc8yMUv/tYALwjbC1aXrcoBfWs=",
+        "owner": "oluceps",
+        "repo": "clash2sing-box",
+        "rev": "2fbf7be3336c0e48d6a60674e566fbeaca29f7ef",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oluceps",
+        "repo": "clash2sing-box",
+        "type": "github"
+      }
+    },
     "colmena": {
       "inputs": {
         "flake-compat": "flake-compat",
@@ -173,6 +202,27 @@
         "type": "github"
       }
     },
+    "fenix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "rust-analyzer-src": "rust-analyzer-src"
+      },
+      "locked": {
+        "lastModified": 1709792596,
+        "narHash": "sha256-DQL1KJ9AaoQjwMkZkSBrW9/az2dwbbBnhNIbIzgeDIE=",
+        "owner": "nix-community",
+        "repo": "fenix",
+        "rev": "221fedb628b1e86e88d8fbfbd20b699448e58fa9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "fenix",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
@@ -633,6 +683,26 @@
         "type": "github"
       }
     },
+    "naersk": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1698420672,
+        "narHash": "sha256-/TdeHMPRjjdJub7p7+w55vyABrsJlt5QkznPYy55vKA=",
+        "owner": "nix-community",
+        "repo": "naersk",
+        "rev": "aeb58d5e8faead8980a807c840232697982d47b9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "naersk",
+        "type": "github"
+      }
+    },
     "neovim-flake": {
       "inputs": {
         "flake-utils": "flake-utils_4",
@@ -1006,11 +1076,13 @@
     "root": {
       "inputs": {
         "blank": "blank",
+        "clash2sing-box": "clash2sing-box",
         "colmena": "colmena",
         "deploy-rs": "deploy-rs",
         "devenv": "devenv",
         "devshell": "devshell",
         "disko": "disko",
+        "fenix": "fenix",
         "flake-compat": "flake-compat_2",
         "flake-parts": "flake-parts",
         "flake-utils": "flake-utils_3",
@@ -1023,6 +1095,7 @@
         "impermanence": "impermanence",
         "latest": "latest",
         "linyinfeng": "linyinfeng",
+        "naersk": "naersk",
         "neovim-nightly-overlay": "neovim-nightly-overlay",
         "nix-index-database": "nix-index-database",
         "nixago": "nixago",
@@ -1040,6 +1113,23 @@
         "xremap-flake": "xremap-flake"
       }
     },
+    "rust-analyzer-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1709749600,
+        "narHash": "sha256-jLGAyPPi4PVo/9y6ayWgdAtzPotFWvNTCxrDzxO+Uj0=",
+        "owner": "rust-lang",
+        "repo": "rust-analyzer",
+        "rev": "ce15e73a8ece3cf9e7958bbad3aedb03daa10135",
+        "type": "github"
+      },
+      "original": {
+        "owner": "rust-lang",
+        "ref": "nightly",
+        "repo": "rust-analyzer",
+        "type": "github"
+      }
+    },
     "sops-nix": {
       "inputs": {
         "nixpkgs": [
diff --git a/flake.nix b/flake.nix
index 5a0c0fd9..767012a3 100644
--- a/flake.nix
+++ b/flake.nix
@@ -32,6 +32,14 @@
       url = "github:nix-community/haumea";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    naersk = {
+      url = "github:nix-community/naersk";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    fenix = {
+      url = "github:nix-community/fenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     colmena = {
       url = "github:zhaofengli/colmena";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -145,6 +153,13 @@
       inputs.flake-utils.follows = "flake-utils";
       inputs.flake-compat.follows = "flake-compat";
     };
+    clash2sing-box = {
+      url = "github:oluceps/clash2sing-box";
+      inputs.flake-utils.follows = "flake-utils";
+      inputs.naersk.follows = "naersk";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.fenix.follows = "fenix";
+    };
     # Themes
     grub2-themes = {
       url = "github:vinceliuice/grub2-themes";
diff --git a/home-manager/modules/desktop/dconf-proxy.nix b/home-manager/modules/desktop/dconf-proxy.nix
new file mode 100644
index 00000000..d4a2e29f
--- /dev/null
+++ b/home-manager/modules/desktop/dconf-proxy.nix
@@ -0,0 +1,20 @@
+{
+  lib,
+  osConfig,
+  ...
+}: let
+  proxy = {
+    host = "localhost";
+    port = osConfig.networking.fw-proxy.ports.mixed;
+  };
+in {
+  dconf.settings = lib.mkIf (osConfig.networking.fw-proxy.enable && osConfig.programs.dconf.enable) {
+    "system/proxy" = {
+      mode = "manual";
+      use-same-proxy = true;
+    };
+    "system/proxy/http" = proxy;
+    "system/proxy/https" = proxy;
+    "system/proxy/socks" = proxy;
+  };
+}
diff --git a/nixos/hosts/isk/_steam/dst/default.nix b/nixos/hosts/isk/_steam/dst/default.nix
index ab7fb5de..fd6bdd2e 100644
--- a/nixos/hosts/isk/_steam/dst/default.nix
+++ b/nixos/hosts/isk/_steam/dst/default.nix
@@ -1,6 +1,7 @@
 {
   config,
   pkgs,
+  lib,
   ...
 }: let
   gameHome = config.users.users.steam.home;
@@ -73,6 +74,9 @@ in {
       ExecStop = stopScript;
       CPUQuota = "300%"; # at most 1.5 core (2 cores in total)
     };
+    environment =
+      lib.mkIf (config.networking.fw-proxy.enable)
+      config.networking.fw-proxy.environment;
     wantedBy = ["multi-user.target"];
   };
   networking.firewall.allowedUDPPorts = [
diff --git a/nixos/hosts/surface/default.nix b/nixos/hosts/surface/default.nix
index 4484673b..85d438cb 100644
--- a/nixos/hosts/surface/default.nix
+++ b/nixos/hosts/surface/default.nix
@@ -9,6 +9,7 @@
     ++ nixosModules.desktop.all
     ++ [
       ./hardware-configuration.nix
+      nixosModules.services.fw-proxy
     ];
 
   microsoft-surface = {
diff --git a/nixos/modules/base/module/fw-proxy/default.nix b/nixos/modules/base/module/fw-proxy/default.nix
new file mode 100644
index 00000000..936c4ac1
--- /dev/null
+++ b/nixos/modules/base/module/fw-proxy/default.nix
@@ -0,0 +1,688 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  cfg = config.networking.fw-proxy;
+
+  mixedPort = cfg.ports.mixed;
+  tproxyPort = cfg.ports.tproxy;
+
+  enableProxy = pkgs.writeShellApplication {
+    name = "enable-proxy";
+    text = ''
+      ${lib.concatMapStringsSep "\n" (env: ''export ${env.name}="${env.value}"'') (lib.attrsToList cfg.environment)}
+    '';
+  };
+  disableProxy = pkgs.writeShellApplication {
+    name = "disable-proxy";
+    text = ''
+      ${lib.concatMapStringsSep "\n" (name: ''export ${name}=""'') (lib.attrNames cfg.environment)}
+    '';
+  };
+  updateSingBoxUrl = pkgs.writeShellApplication {
+    name = "update-sing-box-url";
+    runtimeInputs = with pkgs; [
+      curl
+      jq
+      yq
+      moreutils
+      systemd
+      clash2sing-box
+    ];
+    text = ''
+      dir="/etc/sing-box"
+
+      url=""
+      # downloaded_config_type="sing-box"
+      downloaded_config_type="clash"
+      keep_temporary_directory="NO"
+      profile_name=""
+
+      positional_args=()
+      while [[ $# -gt 0 ]]; do
+        case $1 in
+        --clash)
+          downloaded_config_type="clash"
+          shift
+          ;;
+        --keep-temporary-directory)
+          keep_temporary_directory="YES"
+          shift
+          ;;
+        --profile-name)
+          profile_name="$2"
+          shift
+          shift
+          ;;
+        -* )
+          echo "unknown option $1" >&2
+          exit 1
+          ;;
+        *)
+          positional_args+=("$1")
+          shift
+          ;;
+        esac
+      done
+      if [ "''${#positional_args[@]}" = "1" ]; then
+        url="''${positional_args[0]}"
+      else
+        echo "invalid arguments ''${positional_args[*]}" >&2
+        exit 1
+      fi
+
+      mkdir -p $dir
+
+      echo 'Making temporary directory...'
+      tmp_dir=$(mktemp -t --directory update-sing-box-config.XXXXXXXXXX)
+      echo "Temporary directory is: $tmp_dir"
+      if [ -f "$dir/config.json" ]; then
+        echo 'Backup old config.json...'
+        cp "$dir/config.json" "$dir/config.json.old"
+      fi
+      function cleanup {
+        if [ "$keep_temporary_directory" != "YES" ]; then
+          echo 'Remove temporary directory...'
+          rm -rf "$tmp_dir"
+        fi
+        if [ -f "$dir/config.json.old" ]; then
+          echo 'Restore old config.json...'
+          cp "$dir/config.json.old" "$dir/config.json"
+          rm "$dir/config.json.old"
+        fi
+      }
+      trap cleanup EXIT
+
+      echo 'Downloading original configuration...'
+      downloaded_config="$tmp_dir/downloaded-config"
+      curl -L "$url" \
+        --fail-with-body \
+        --show-error \
+        --output "$downloaded_config"
+      profile_info_file="$tmp_dir/profile-info"
+      jq --null-input \
+        --arg u "$url" \
+        --arg p "$profile_name" \
+        '{"url": $u, "profile_name": $p}' \
+        >"$profile_info_file"
+
+      echo 'Preprocessing original configuration...'
+      ${cfg.downloadedConfigPreprocessing}
+
+      echo 'Converting downloaded configuration file to raw config.json...'
+      raw_config="$tmp_dir/raw-config.json"
+      if [ "$downloaded_config_type" = "sing-box" ]; then
+        cp "$downloaded_config" "$raw_config"
+        elif [ "$downloaded_config_type" = "clash" ]; then
+        ${pkgs.clash2sing-box}/bin/ctos-${pkgs.stdenv.hostPlatform.system} --source="$downloaded_config" gen >"$raw_config"
+      else
+        echo "unknown config type: ''${downloaded_config_type}" >&2
+        exit 1
+      fi
+
+      echo 'Preprocessing raw config.json...'
+      ${cfg.configPreprocessing}
+
+      echo 'Build config.json...'
+      jq --slurp '.[0] * .[1]' "$raw_config" - <<EOF >"$dir/config.json"
+      ${builtins.toJSON cfg.mixinConfig}
+      EOF
+
+      external_controller_secrets=$(cat "${cfg.externalController.secretFile}")
+      jq "
+        .experimental.clash_api.secret = \"''${external_controller_secrets}\" |
+        .experimental.clash_api.external_ui = \"${config.nur.repos.linyinfeng.yacd}\"
+        " "$dir/config.json" | sponge "$dir/config.json"
+
+      echo 'Restarting sing-box...'
+      systemctl restart sing-box
+      systemctl status sing-box --no-pager
+      if [ -f "$dir/config.json.old" ]; then
+        echo 'Remove old config.json...'
+        rm "$dir/config.json.old"
+      fi
+    '';
+  };
+  updateSingBox = pkgs.writeShellApplication {
+    name = "update-sing-box";
+    runtimeInputs = [
+      updateSingBoxUrl
+    ];
+    text = ''
+      profile="$1"
+      shift
+      case "$profile" in
+      ${lib.concatMapStringsSep "\n" (p: ''
+        "${p.name}")
+          update-sing-box-url "$(cat "${p.urlFile}")" --profile-name "$profile" "$@"
+          ;;
+      '') (lib.attrValues cfg.profiles)}
+      *)
+        update-sing-box-url "$profile" "$@"
+        ;;
+      esac
+    '';
+  };
+  tproxyUse = pkgs.writeShellApplication {
+    name = "fw-tproxy-use";
+    runtimeInputs = with pkgs; [
+      systemd
+    ];
+    text = ''
+      exec systemd-run --user --property=NFTSet="${cfg.tproxy.nftSet}" --pipe --pty --wait "$@"
+    '';
+  };
+  tproxyCgroup = pkgs.writeShellApplication {
+    name = "fw-tproxy-cgroup";
+    runtimeInputs = with pkgs; [
+      nftables
+    ];
+    text = ''
+      nft_table="${cfg.tproxy.nftTable}"
+
+      function usage {
+        cat <<EOF
+      Usage:
+        $0 list
+        $0 add    PATH
+        $0 delete PATH
+      EOF
+        exit 0
+      }
+
+      if [ $# -lt 1 ]; then usage; fi
+      action="$1"
+      case "$action" in
+      list)
+        if [ $# != 1 ]; then usage; fi
+        nft list set inet "$nft_table" cgroups
+        ;;
+      add | delete)
+        path="$2"
+        if [ $# != 2 ]; then usage; fi
+        nft "$action" element inet "$nft_table" cgroups "{ \"$path\" }"
+        ;;
+      *)
+        usage
+        ;;
+      esac
+    '';
+  };
+  tproxyInterface = pkgs.writeShellApplication {
+    name = "fw-tproxy-if";
+    runtimeInputs = with pkgs; [
+      nftables
+    ];
+    text = ''
+      nft_table="${cfg.tproxy.nftTable}"
+
+      function usage {
+        cat <<EOF
+      Usage:
+        $0 list
+        $0 add    INTERFACE
+        $0 delete INTERFACE
+      EOF
+        exit 0
+      }
+
+      if [ $# -lt 1 ]; then usage; fi
+      action="$1"
+      case "$action" in
+      list)
+        if [ $# != 1 ]; then usage; fi
+        nft list set inet "$nft_table" proxied-interfaces
+        ;;
+      add | delete)
+        if [ $# != 2 ]; then usage; fi
+        interface="$2"
+        nft "$action" element inet "$nft_table" proxied-interfaces "{ $interface }"
+        ;;
+      *)
+        usage
+        ;;
+      esac
+    '';
+  };
+
+  scripts = pkgs.symlinkJoin {
+    name = "fw-proxy-scripts";
+    paths = [
+      enableProxy
+      disableProxy
+      updateSingBoxUrl
+      updateSingBox
+      tproxyUse
+      tproxyCgroup
+      tproxyInterface
+    ];
+  };
+
+  profileOptions = {name, ...}: {
+    options = {
+      name = lib.mkOption {
+        type = with lib.types; str;
+        default = name;
+      };
+      urlFile = lib.mkOption {
+        type = with lib.types; path;
+      };
+    };
+  };
+in
+  with lib; {
+    options.networking.fw-proxy = {
+      enable = mkOption {
+        type = with types; bool;
+        default = false;
+      };
+      scripts = mkOption {
+        type = with types; package;
+        default = scripts;
+        readOnly = true;
+      };
+      tproxy = {
+        enable = mkOption {
+          type = with types; bool;
+          default = false;
+        };
+        routingTable = mkOption {
+          type = with types; int;
+          default = 854;
+        };
+        fwmark = mkOption {
+          type = with types; int;
+          default = 854;
+        };
+        rulePriority = mkOption {
+          type = with types; int;
+          default = 26000;
+        };
+        # TODO wait for https://github.com/systemd/systemd/issues/31189
+        # currently can not contain '-'
+        nftTable = mkOption {
+          type = with types; str;
+          # tproxy is a keyword in nft
+          default = "fwtproxy";
+        };
+        nftSet = mkOption {
+          type = with types; str;
+          default = "cgroup:inet:${cfg.tproxy.nftTable}:cgroups";
+        };
+        # TODO wait for https://github.com/systemd/systemd/issues/31189
+        # currently can not contain '-'
+        bypassNftSet = mkOption {
+          type = with types; str;
+          default = "cgroup:inet:${cfg.tproxy.nftTable}:bypass";
+        };
+        maxCgroupLevel = mkOption {
+          type = with types; int;
+          default = 6;
+        };
+        extraFilterRules = mkOption {
+          type = with types; lines;
+          default = "";
+        };
+      };
+      configPreprocessing = mkOption {
+        type = with types; lines;
+        default = "";
+      };
+      downloadedConfigPreprocessing = mkOption {
+        type = with types; lines;
+        default = "";
+      };
+      mixinConfig = mkOption {
+        type = with types; attrs;
+      };
+      ports = {
+        mixed = mkOption {
+          type = with types; port;
+        };
+        tproxy = mkOption {
+          type = with types; port;
+        };
+        controller = mkOption {
+          type = with types; port;
+        };
+      };
+      profiles = mkOption {
+        type = with types; attrsOf (submodule profileOptions);
+        default = {};
+      };
+      externalController = {
+        expose = mkOption {
+          type = with types; bool;
+        };
+        virtualHost = mkOption {
+          type = with types; str;
+          default = "localhost";
+        };
+        location = mkOption {
+          type = with types; str;
+          default = "/";
+        };
+        secretFile = mkOption {
+          type = with types; path;
+        };
+      };
+      noProxyPattern = mkOption {
+        type = with types; listOf str;
+        default = [
+          "localhost"
+          "127.0.0.0/8"
+          "::1"
+          "10.0.0.0/8"
+          "192.168.0.0/16"
+          "172.16.0.0/12"
+        ];
+      };
+      noProxy = mkOption {
+        type = types.str;
+        default = lib.concatStringsSep "," cfg.noProxyPattern;
+      };
+      environment = mkOption {
+        type = with types; attrsOf str;
+        description = ''
+          Proxy environment.
+        '';
+        default = let
+          proxyUrl = "http://localhost:${toString mixedPort}";
+        in {
+          HTTP_PROXY = proxyUrl;
+          HTTPS_PROXY = proxyUrl;
+          http_proxy = proxyUrl;
+          https_proxy = proxyUrl;
+          NO_PROXY = cfg.noProxy;
+          no_proxy = cfg.noProxy;
+        };
+      };
+      environmentContainter = mkOption {
+        type = with types; attrsOf str;
+        description = ''
+          Proxy environment for containers.
+        '';
+        default = let
+          proxyUrl = "http://host.containers.internal:${toString mixedPort}";
+        in {
+          HTTP_PROXY = proxyUrl;
+          HTTPS_PROXY = proxyUrl;
+          http_proxy = proxyUrl;
+          https_proxy = proxyUrl;
+          NO_PROXY = cfg.noProxy;
+          no_proxy = cfg.noProxy;
+        };
+      };
+      stringEnvironment = mkOption {
+        type = with types; listOf str;
+        description = ''
+          Proxy environment in strings.
+        '';
+        default =
+          map
+          (
+            key: let
+              value = lib.getAttr key cfg.environment;
+            in "${key}=${value}"
+          )
+          (lib.attrNames cfg.environment);
+      };
+      auto-update = {
+        enable = mkEnableOption "fw-proxy subscription auto-update";
+        service = mkOption {
+          type = with types; str;
+          description = ''
+            Service used in auto update.
+          '';
+        };
+      };
+    };
+
+    config = mkIf (cfg.enable) (mkMerge [
+      {
+        networking.fw-proxy.mixinConfig = let
+          commonOptions = {
+            listen = "::";
+            tcp_fast_open = true;
+            udp_fragment = true;
+            sniff = true;
+          };
+        in {
+          inbounds = [
+            (commonOptions
+              // {
+                type = "mixed";
+                tag = "mixed-in";
+                listen_port = cfg.ports.mixed;
+              })
+            (commonOptions
+              // {
+                type = "tproxy";
+                tag = "tproxy-in";
+                listen_port = cfg.ports.tproxy;
+              })
+          ];
+          experimental.clash_api.external_controller = "127.0.0.1:${toString cfg.ports.controller}";
+        };
+        environment.global-persistence.directories = [
+          "/etc/sing-box"
+        ];
+      }
+
+      {
+        systemd.packages = with pkgs; [sing-box];
+        systemd.services.sing-box = {
+          serviceConfig = {
+            DynamicUser = true;
+
+            ExecStartPre = [
+              "+${pkgs.coreutils}/bin/chown sing-box:sing-box $CONFIGURATION_DIRECTORY"
+              "+${pkgs.coreutils}/bin/chmod 0700              $CONFIGURATION_DIRECTORY"
+            ];
+            ConfigurationDirectory = "sing-box";
+            ConfigurationDirectoryMode = "700";
+
+            StateDirectory = "sing-box";
+            NFTSet = [cfg.tproxy.bypassNftSet];
+          };
+          after = ["nftables.service"];
+          requires = ["nftables.service"];
+          wantedBy = ["multi-user.target"];
+        };
+
+        environment.systemPackages = [
+          scripts
+        ];
+        security.sudo-rs.extraConfig = ''
+          Defaults env_keep += "HTTP_PROXY HTTPS_PROXY FTP_PROXY ALL_PROXY NO_PROXY"
+          Defaults env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
+        '';
+      }
+
+      (mkIf (cfg.externalController.expose) {
+        services.nginx.enable = true;
+        services.nginx.virtualHosts.${cfg.externalController.virtualHost} = {
+          locations = {
+            "${cfg.externalController.location}" = {
+              proxyPass = "http://${cfg.mixinConfig.experimental.clash_api.external_controller}/";
+              proxyWebsockets = true;
+            };
+          };
+        };
+      })
+
+      (mkIf (cfg.tproxy.enable) {
+        # networking.routerBasics.enable = true;
+        systemd.network.config.routeTables = {
+          fw-tproxy = cfg.tproxy.routingTable;
+        };
+        systemd.network.networks."80-fw-tproxy" = {
+          matchConfig = {
+            Name = "lo";
+          };
+          routes = [
+            {
+              routeConfig = {
+                Destination = "0.0.0.0/0";
+                Type = "local";
+                Table = cfg.tproxy.routingTable;
+              };
+            }
+            {
+              routeConfig = {
+                Destination = "::/0";
+                Type = "local";
+                Table = cfg.tproxy.routingTable;
+              };
+            }
+          ];
+          routingPolicyRules = [
+            {
+              routingPolicyRuleConfig = {
+                Family = "both";
+                FirewallMark = cfg.tproxy.fwmark;
+                Priority = config.routingPolicyPriorities.fw-proxy;
+                Table = cfg.tproxy.routingTable;
+              };
+            }
+          ];
+        };
+        networking.nftables.tables."${cfg.tproxy.nftTable}" = {
+          family = "inet";
+          content = ''
+            set reserved-ip {
+              typeof ip daddr
+              flags interval
+              elements = {
+                10.0.0.0/8,        # private
+                100.64.0.0/10,     # private
+                127.0.0.0/8,       # loopback
+                169.254.0.0/16,    # link-local
+                172.16.0.0/12,     # private
+                192.0.0.0/24,      # private
+                192.168.0.0/16,    # private
+                198.18.0.0/15,     # private
+                224.0.0.0/4,       # multicast
+                255.255.255.255/32 # limited broadcast
+              }
+            }
+
+            set reserved-ip6 {
+              typeof ip6 daddr
+              flags interval
+              elements = {
+                ::1/128,  # loopback
+                fc00::/7, # private
+                fe80::/10 # link-local
+              }
+            }
+
+            set proxied-interfaces {
+              typeof iif
+              counter
+            }
+
+            set cgroups {
+              type cgroupsv2
+              counter
+            }
+
+            set bypass {
+              type cgroupsv2
+              counter
+            }
+
+            chain prerouting {
+              type filter hook prerouting priority mangle; policy accept;
+
+              mark ${toString cfg.tproxy.fwmark} \
+                meta l4proto {tcp, udp} \
+                tproxy to :${toString tproxyPort} \
+                counter \
+                accept \
+                comment "tproxy and accept marked packets (marked by the output chain)"
+
+              jump filter
+
+              meta l4proto {tcp, udp} \
+                iif @proxied-interfaces \
+                tproxy to :${toString tproxyPort} \
+                mark set ${toString cfg.tproxy.fwmark} \
+                counter
+            }
+
+            chain output {
+              type route hook output priority mangle; policy accept;
+
+              comment "marked packets will be routed to lo"
+
+              socket cgroupv2 level 2 @bypass counter return comment "bypass packets of proxy service"
+
+              jump filter
+
+              ${lib.concatMapStringsSep "\n" (level: "meta l4proto { tcp, udp } socket cgroupv2 level ${toString level} @cgroups meta mark set ${toString cfg.tproxy.fwmark}")
+              (lib.range 1 cfg.tproxy.maxCgroupLevel)}
+            }
+
+            chain filter {
+              fib daddr type local accept
+              ip  daddr @reserved-ip  accept
+              ip6 daddr @reserved-ip6 accept
+
+              ${cfg.tproxy.extraFilterRules}
+            }
+          '';
+        };
+        networking.nftables.preCheckRuleset = ''
+          # Error: Could not process rule: Operation not supported
+          sed 's/^.*socket cgroupv2.*$//g' -i ruleset.conf
+        '';
+        networking.firewall.extraInputRules = ''
+          meta mark ${toString cfg.tproxy.fwmark} counter accept
+        '';
+
+        passthru.fw-proxy-tproxy-scripts = scripts;
+      })
+
+      (mkIf cfg.auto-update.enable {
+        systemd.services.sing-box-auto-update = {
+          script = ''
+            "${scripts}/bin/update-sing-box" "${cfg.auto-update.service}"
+          '';
+          serviceConfig = {
+            Type = "oneshot";
+            Restart = "on-failure";
+            RestartSec = 30;
+          };
+          after = ["network-online.target" "sing-box.service"];
+          requires = ["network-online.target"];
+        };
+        systemd.timers.sing-box-auto-update = {
+          timerConfig = {
+            OnCalendar = "03:30";
+          };
+          wantedBy = ["timers.target"];
+        };
+      })
+
+      (mkIf (config.virtualisation.podman.enable)
+        (let
+          podmanInterface = config.virtualisation.podman.defaultNetwork.settings.network_interface;
+        in {
+          networking.firewall.interfaces.${podmanInterface}.allowedTCPPorts = lib.lists.map (i: i.listen_port) cfg.mixinConfig.inbounds;
+        }))
+
+      (mkIf (config.virtualisation.libvirtd.enable)
+        (let
+          libvirtdInterfaces = config.virtualisation.libvirtd.allowedBridges;
+          mkIfCfg = name: {
+            ${name}.allowedTCPPorts = lib.lists.map (i: i.listen_port) cfg.mixinConfig.inbounds;
+          };
+          ifCfgs = lib.mkMerge (lib.lists.map mkIfCfg libvirtdInterfaces);
+        in {
+          networking.firewall.interfaces = ifCfgs;
+        }))
+    ]);
+  }
diff --git a/nixos/modules/base/module/misc/ports.nix b/nixos/modules/base/module/misc/ports.nix
index a0b7d165..3b14e870 100644
--- a/nixos/modules/base/module/misc/ports.nix
+++ b/nixos/modules/base/module/misc/ports.nix
@@ -49,7 +49,7 @@
       proxy-socks = 3141;
       proxy-mixed = 3142;
       proxy-tproxy = 3143;
-      clash-controller = 3150;
+      sing-box-controller = 3150;
       transmission-rpc = 3160;
       elasticsearch = 3170;
       elasticsearch-node-to-node = 3171;
diff --git a/nixos/modules/base/nixpkgs.nix b/nixos/modules/base/nixpkgs.nix
index 317e6db0..86f229fb 100644
--- a/nixos/modules/base/nixpkgs.nix
+++ b/nixos/modules/base/nixpkgs.nix
@@ -17,6 +17,7 @@
         nix-gc-s3 = inputs'.nix-gc-s3.packages.nix-gc-s3;
         nix-index-with-db = inputs'.nix-index-database.packages.nix-index-with-db;
         headscale = inputs'.headscale.packages.headscale;
+        clash2sing-box = inputs'.clash2sing-box.packages.default;
         comma = prev.comma.override {
           nix-index-unwrapped = final.nix-index-with-db;
         };
diff --git a/nixos/modules/desktop/apps.nix b/nixos/modules/desktop/apps.nix
index cf285ab4..bc0768f7 100644
--- a/nixos/modules/desktop/apps.nix
+++ b/nixos/modules/desktop/apps.nix
@@ -6,11 +6,11 @@
 }: {
   imports = [nixosModules.services.aria2];
   programs = {
-    clash-verge = {
-      enable = true;
-      autoStart = true;
-      tunMode = true;
-    };
+    # clash-verge = {
+    #   enable = true;
+    #   autoStart = true;
+    #   tunMode = true;
+    # };
   };
   environment.systemPackages = with pkgs; [
     qrcp
diff --git a/nixos/modules/services/fw-proxy.nix b/nixos/modules/services/fw-proxy.nix
new file mode 100644
index 00000000..ef6d94ce
--- /dev/null
+++ b/nixos/modules/services/fw-proxy.nix
@@ -0,0 +1,76 @@
+{
+  config,
+  options,
+  lib,
+  ...
+}: let
+  cfg = config.networking.fw-proxy;
+  inherit (config.networking) hostName;
+  # profiles = ["main" "exclusive" "alternative"];
+  profiles = ["main"];
+in
+  lib.mkMerge [
+    {
+      networking.fw-proxy = {
+        enable = true;
+        ports = {
+          mixed = config.ports.proxy-mixed;
+          tproxy = config.ports.proxy-tproxy;
+          controller = config.ports.sing-box-controller;
+        };
+        noProxyPattern =
+          options.networking.fw-proxy.noProxyPattern.default
+          ++ lib.lists.forEach ([config.networking.domain] ++ config.environment.domains) (x: lib.strings.concatStrings ["*." x]);
+        tproxy = {
+          enable = lib.mkDefault true;
+          routingTable = config.routingTables.fw-proxy;
+          rulePriority = config.routingPolicyPriorities.fw-proxy;
+        };
+        downloadedConfigPreprocessing = ''
+        '';
+        configPreprocessing = ''
+          jq 'del(.log) | del(.inbounds) | del(.experimental.clash_api)' "$raw_config" |\
+            sponge "$raw_config"
+          jq 'del(.outbounds[]|select(.tag=="auto")|.outbounds[]|select(.|test("3x","1.5x","0.8")))' "$raw_config" |
+            sponge "$raw_config"
+        '';
+        mixinConfig = {
+          log = {
+            level = "info";
+            timestamp = false; # added by journald
+          };
+        };
+        profiles = lib.listToAttrs (lib.lists.map (p:
+          lib.nameValuePair p {
+            urlFile = config.sops.secrets."sing-box/${p}".path;
+          })
+        profiles);
+        externalController = {
+          expose = true;
+          virtualHost = "${hostName}.*";
+          location = "/sing-box/";
+          secretFile = config.sops.secrets."fw_proxy_external_controller_secret".path;
+        };
+      };
+
+      sops.secrets."fw_proxy_external_controller_secret" = {
+        # terraformOutput.enable = true;
+        restartUnits = ["sing-box-auto-update.service"];
+      };
+
+      networking.fw-proxy.auto-update = {
+        enable = true;
+        service = "main";
+      };
+
+      systemd.services.nix-daemon.environment = cfg.environment;
+    }
+    {
+      sops.secrets = lib.listToAttrs (lib.lists.map (p:
+        lib.nameValuePair "sing-box/${p}" {
+          # sopsFile = config.sops-file.get "common.yaml";
+          restartUnits = ["sing-box-auto-update.service"];
+        })
+      profiles);
+    }
+  ]
diff --git a/nixos/modules/services/hydra.nix b/nixos/modules/services/hydra.nix
index a02eb878..b2fd72b5 100644
--- a/nixos/modules/services/hydra.nix
+++ b/nixos/modules/services/hydra.nix
@@ -17,6 +17,7 @@ in {
         hydraURL = "https://hydra.dora.im";
         notificationSender = "hydra@dora.im";
         useSubstitutes = true;
+        extraEnv = lib.mkIf (config.networking.fw-proxy.enable) config.networking.fw-proxy.environment;
         dbi = "dbi:Pg:dbname=hydra;host=${PG};user=hydra;";
         buildMachinesFiles = [
           "/etc/nix/machines"
diff --git a/secrets/common.yaml b/secrets/common.yaml
index 2b9bf251..2c2914aa 100644
--- a/secrets/common.yaml
+++ b/secrets/common.yaml
@@ -1,64 +1,66 @@
 traefik:
-    KID: ENC[AES256_GCM,data:oI+ilb7lQVWxxX59znJYo5dpS+g7cQ==,iv:DA2HZazMFO/oiou0H/1udH/F0lS5qJOPKh3W71dtB5I=,tag:CPLGheeMOigCCkdP1Jovuw==,type:str]
-    HMAC: ENC[AES256_GCM,data:4dtMrYshgv3Tl4VwPd6TrgJaRg6YyEFUlnIO1TIk2jBvceR2Ki6Z76sVxXX5BTn8StwBfA2XkIO+McgXYJAxf6JxKrvOBKHnPO5GIK/MPrLKLQcEVwE=,iv:FGWDRRA4j15V7IAHEOWb1GZGbbtWxaerO53yags+RYw=,tag:tvKlrnA9CDCl8hg0N4SoyQ==,type:str]
-    hmacEncoded: ENC[AES256_GCM,data:g+otMEThZtZdi//BtU/Azg1tPZgrMxQKqoch1j4912nv1NWN2WvBZYNDMBpYZD/Q4N/2Z9myhsWYrP7Y+XmcJaoYMN8FgA75gGb6uNmqn8UOFnEOmYGH9HafIxZJ4L//EAmQMZUN2CeZHxguDewpKjkj+gM=,iv:5zrBu+kfAzF29jvrYqcco1ccAldV62LKFlLWmOJyBaQ=,tag:yD8LUElyNRGMbksslZuGmw==,type:str]
-    cloudflare_token: ENC[AES256_GCM,data:iRmyDG+inzyIF0Ca6jyCPic0uJeluqBpnzED1iVll12CU6tr/Qcawg==,iv:fvN8u49RmQH4MeRucM9yDPc8D2+U6rJJAkXlnYzPqh8=,tag:TyNQQ6Nq+qtR1cGXa0n+YQ==,type:str]
-    TRAEFIK_AUTH: ENC[AES256_GCM,data:ZHHzlBEgWLCADvSgFELBN5jqffHNFQpmf51JM7yMmX7B01I1ds/Z2L8A03lTts5a9LUMUtAO8WLqcvWv+FiPToty,iv:xo59CTPD5Fx7lSltw+a/32GLygm0oOOBIIT4rSqEddY=,tag:+djMxhxC/SYvftCwNgtzBQ==,type:str]
+    KID: ENC[AES256_GCM,data:a5vMYFhdyoQawp3W9seCK/qiG301GA==,iv:9G6gbdt7yXu8tMBu7RRIf8dGDYkzwFWnnXDwJinBRXc=,tag:UW/gLDbd/k3C6WMD9Tw/fg==,type:str]
+    HMAC: ENC[AES256_GCM,data:H5+TYDFUF1i+wZkWhlnVPOnoAwFijCruca4xMy0ygjAchcMKp7uzuRQWkvrEoglH9SE688qrOnVciYmaDtV41Etyi2oYoNlnBwQ9UMLX9OU29pPr0q0=,iv:JW8iMIDzU6pQFlIzhYPXr6D8QQeDFiQYMHvgJKMa4DE=,tag:xsmYVTDhYr+GnhjHjkK7Og==,type:str]
+    hmacEncoded: ENC[AES256_GCM,data:ekbh/sT1+5Hdg2z17WZu5QZRBsHHdknVnhXPknTE2jA/ZJPFrdG+Ouzj68Pxtq6Nu+/LFTah6IEbB7EhiP5x3svrOxz5wnsPiRPlOYN+gNrsXg7xCc2vAtKdrF6cQFIkAa3k56UImM/xylsf9GgRSqZfPLE=,iv:E4A6IUXHtxXJlwGdJMQOjuwA3eA68Mbx6u3aPMz05SI=,tag:xni3zr1udbRCLrVCeoPM7A==,type:str]
+    cloudflare_token: ENC[AES256_GCM,data:n1vm5yMdFj47cikbjQ01tqkD8YLqxNr6Dp7ZhntNInfP2A0eMe2Inw==,iv:Aq4lWzTJSacoYPk7hPpYzcR3watJjAGflS4VUoKNaE8=,tag:pivnunpn70i45M3BC9BHGw==,type:str]
+    TRAEFIK_AUTH: ENC[AES256_GCM,data:IG2j4FHltemqDB996H1TNhtTzE3A3hVEBRUocWgkU90Xd6lEjXmjjqXX+NdGfIdpyUqjzUf/eiW3tm0FJf5hfYS+,iv:cFwzBC6wGhTmziNMQG3gIf7ZuKNIIFOiQQoSXElxkwQ=,tag:O5fxiHkQg7K9SQWnedZ1GQ==,type:str]
 proxy:
-    uuid: ENC[AES256_GCM,data:1Uwyjduckly51RGKTdseLyLOSmcmg2maDhQJ0Rr6F6qB0IPy,iv:SsCuYXU5jlA9oYIMJpUtjJ/JONjF55SKzW+QZueKtoU=,tag:Z5qhwHwYX8zFgGGO0hhUfg==,type:str]
-    passwd: ENC[AES256_GCM,data:CzYHMo5/qJn03S+TBMY7ih0bYhxy91fCwiXfZKWXGOsDG54E,iv:KkEDiJKOmU01TsqevzkPX/JoxzaWIwdiE1T+HxyszHY=,tag:u26gzDkdBVpSWgxUciaADA==,type:str]
+    uuid: ENC[AES256_GCM,data:g5huq1eIe/SHnMvXmXZAUgTsuO2RDruSJAuDX40WLZe5e3AQ,iv:DGq/c/npihaAU+/PU2PBCnvNi1HiBXDXRmsqpQal/fE=,tag:X89LsxppLxKw9vWCGyxNRg==,type:str]
+    passwd: ENC[AES256_GCM,data:tuAJvToAVrE1N2NYnQ4IBZnbKiZ8G4KPK0i5uUmJJ2pUz8Ku,iv:WnUdQo8dmiay8awuX+fAPye466wADhTq4Xk0s7dHY6Q=,tag:sm+rc1nyXdo9cYCUZmgQKQ==,type:str]
 vaultwarden:
-    ADMIN_TOKEN: ENC[AES256_GCM,data:Q9XeOFC1xuxT9l1CC9Nh16Wt1cMEeAp7GO7bBznyyR1Oe1kDxGsTQRo67xv/TjViRdl1UASZbXF4URbzNoLu7Hhuq8VCgCRhLqGiLq3DZCZBISJ0Dq7PYclAVqtocm3O6zaSEVDrfImZ6C//w2CbA/YCN4htHA4hp85wqoa3eZn+rfuXWP8=,iv:HT0ChvD6qY9VvL0KMDsPSJODbycKXrrmdjiNTuZ8wbk=,tag:3jSYVIlmac8wl7zfk1oZsw==,type:str]
-    mail: ENC[AES256_GCM,data:ZqQ5+OKqXxtlrF0zGN62WCj37xaMVXvXrEHV6XzY98Q4sEog37xt+KrZ8vnj11Tw,iv:hKxepOlIXfrxPXoInfDCr8lU6B7ZVjqGr/xYl4BbfOE=,tag:VhJhG0LnrqEUi3HuiwoOAg==,type:str]
+    ADMIN_TOKEN: ENC[AES256_GCM,data:jdsoKQLURTjqy1C0Fkwyg4IgxJBuO8dxfZ19U4ayAKWcz66bNbcoorcYZAC4Qulj7wcPdeK2qOFQNyGkS0bBAoTo3w489z2OkYf2S4j2PX14aqT+ifhqu2W8JoOpLZp5ulFTGnAzdK8V93mLvLifRjpBbgQqIcXCUaYr8GVfmHzTgVmHwvs=,iv:5NLrbK92jE0YvPHEjBpBKHC4OpU3ImZa/p/CwWP/cgo=,tag:AWiUMGbMoUeRJ9RqalYBrg==,type:str]
+    mail: ENC[AES256_GCM,data:W7XZvzwWVFbLxipcIGESljHqoaokWywT4Dk1nNQihUpl+9rwB14xYNTUQ1Uhjh67,iv:SwXCrZkQGs9R2KQjD4zajxCqpNG9ecViAG1wvKIUGzk=,tag:kuuulJbB9mpI93OcoqnuIw==,type:str]
 matrix:
-    signing-key: ENC[AES256_GCM,data:SYl4S65ov2xoErlhiFj0igA+XubprOth9Wu87rV8VfCBeQmxXC1u/jbDCgxlBlMQT9X9LUJqaLoWPQ==,iv:s3TIpYPOKHAJ4SYWvbFO4fFDbW0p7RbZQID8dkEReXU=,tag:df0/6ZE/yovaE8Bq00J+4Q==,type:str]
-    mail: ENC[AES256_GCM,data:AJkZgis7wp12u1LfxQ4TVU8GRVqehZI52B6UTyRgy5sUZm0Mi8VhuZ+rzDw0jp08,iv:Su6uCd/bG2XMEe+L0B3mZ5UqzQDmYJ+S0rynzaK8tg8=,tag:owm1A41cqfR7RFpSkg/0KA==,type:str]
-    oidc-secret: ENC[AES256_GCM,data:TedBVD6I8TOTt+ZUuQ3SI/6ufRWAETheN8N9KcnzcGM=,iv:mtKTeoM3AO5U1XxGabeCD2UCgpPZOsGC/EN2lzhOpBw=,tag:K8sodyDlVCZyMnhDdwT0xw==,type:str]
-    registration_shared_secret: ENC[AES256_GCM,data:vqfHQ+L/n9of6FNkD7FP8sJwfdRujDC8/7ykq33j/oo=,iv:BoMz4ci2BuJe+ohLVvVRXxefaktQw8IkwglXMiMRFJY=,tag:2gHUjQq2JsoiOXFGWK+IKw==,type:str]
-    turn_shared_secret: ENC[AES256_GCM,data:NQnWXPazmG58uvyA+WDGbgZtBfNlw+XVt14P+ka1HrAwVe1uqNzzKjn0kYHCfTy3Tk9NnZIDm+I3C3XxNkdMyQ==,iv:JOA0S0edomTQ09KkH0ILzqGLKHLpLuzSWC4Q3RnuCN8=,tag:ax5lnV4rg54EUzJYC6JWYA==,type:str]
+    signing-key: ENC[AES256_GCM,data:qcDqLfOp+a1CFFbNjvHlAwCotHECCRwuqUwCkTILyzAjGF8XXY+HDwhCpRDOo4fpQZvZ0xNl8nALow==,iv:M0EyUN3GLQjp0o9Y7L3MzVgZzpGH/+jSFaiyU6v0IG4=,tag:Gki0eerkFtG4A7Kkf4yjYw==,type:str]
+    mail: ENC[AES256_GCM,data:BiOhmvUfwI1tggf6e7eHo2GaED1yucDis0C4YiFr36YrPXfsj7f9TrXGmrhx69aW,iv:116lMzX/FmrsQ3meNUumEojV1ccvUwDco9Zuhk99bwM=,tag:c3omAMNKtkjDhOm0WHy5wg==,type:str]
+    oidc-secret: ENC[AES256_GCM,data:SNHpyL4lWEPf9IsKzew7OGU3bzIGHZ2ta63ABOWVDZY=,iv:YqFwmTWY9KSP8CzqDeAMeeTfXhtZTVdS5AOluAV6jGo=,tag:O0TUwW6/q/3YjpkgQp9LWA==,type:str]
+    registration_shared_secret: ENC[AES256_GCM,data:q3AXY2K80c87Sbj+vlIPhYkJ8qqp5h6vZ9FSYodLGlY=,iv:pli/yEDGRVc0BiywSoy9ahBW/m1tPqFOHrjhLWe8o5c=,tag:6X7aUij8PdrzfT+idA8EQQ==,type:str]
+    turn_shared_secret: ENC[AES256_GCM,data:Y5Z+fAtwSGcz4f6Ta4z/oN4QbH3U6FAsLkMNfRmvEe5tEHyyHzjLBNHBrX1fxIhZy+uQd6VU6RPbgv3BDm8kWQ==,iv:+oyt1TVt2EzvNz33ZIvFM2UjJkAqEUHNmW0udDTlA0o=,tag:8ig8nwLKkXhfnqDntY55LA==,type:str]
 b2:
-    keyID: ENC[AES256_GCM,data:Cr7JypbYOlXl/tlJrfxeVp7VUxlSI0TtJA==,iv:CsAHuaDOq2XSLf15hN8GEXWqZ/ZGp9rPMvooV0HNALI=,tag:p5+mn3+RG/3vMHQnbEKlmg==,type:str]
-    applicationKey: ENC[AES256_GCM,data:NpQLlOTMcowjQflfKrlMtCfvEzfo9N6oNWA+7jfQ2Q==,iv:8ibyz/kfqO6fKC3Ud1+z4auxkYM5nDWwqcJgGMyoyYo=,tag:dRJm42SaKCt0PhQ0LQ87cA==,type:str]
+    keyID: ENC[AES256_GCM,data:fL/eYFjiYXqkwUVq/KWRzjH+S83y2dOZxw==,iv:1GIPAqR9FBiiyfpiNDIku916M5B4HZT/oo9Pjiuo7AA=,tag:Y9ikeBi4KK1sFZavwaT+NQ==,type:str]
+    applicationKey: ENC[AES256_GCM,data:E/gRRm+Q3igg23kw0/MlLrPHhBKoPzyl59nWVJEY4w==,iv:l2ApWcOh0Rj04WQqiRSvIzLKVde43EhCYnSxZBnciTg=,tag:GiNez1/aXW4HvlmlpeufDw==,type:str]
 mail:
-    ldap: ENC[AES256_GCM,data:zW4zKen3nOi0CYvGIrSGgp1M3ga7HgiU5Pm1YMzJXeCLePkWWq0fQQnvwaLHCxU8,iv:huqpi7h0aiu5s5esEuOgBcAEz1IruNPTyWDIYXgBqWc=,tag:J/M5AnI/6H2QlOAyTASCbQ==,type:str]
+    ldap: ENC[AES256_GCM,data:qrzkJJhfTzuyDEOJRjwhBGAVX7ZnCQfFTYqKT8bPzFXt8M+XABl25mGwytbnk94a,iv:IDPoH3/dtR3ghV7T52S+HiD3LXm+ZLRoz6vQVhNXsyU=,tag:B/ELomNGaQyWnyqZGdql8g==,type:str]
 lldap:
-    jwt_secret: ENC[AES256_GCM,data:4rEyGpYWJ4WyIVhhx5MaMEeHqPiyJmB0TfNTaySR6qU=,iv:ZW4vXw1w8znfs73lsJjSJMbgTVgsO3jgCJmBvwxiifQ=,tag:NNE7DakH6IgXkfrB89i3yg==,type:str]
-    LLDAP_SERVER_KEY_SEED: ENC[AES256_GCM,data:kHeXn+hD/njWlpZThmuVSKKsCVNSg/o9DUgyKVHzavJeblG9ae522yuq3hhni7GC,iv:YBS0bktvjxwF3w3QzF16sV2KIYFQC3TW5WVxCjHdYxg=,tag:huVjrSdU2T8ggYZ9LOo1bg==,type:str]
+    jwt_secret: ENC[AES256_GCM,data:RtpPbERZQU6/rtb2mzoLYq+duOp2It/s38uzGazG1MU=,iv:i/QSXnqpLsmcCkyquT+UMQ+xHcY9ZIY+VOlvw1e1Ejk=,tag:QDMABoIQ0LQuJ89XSuotLw==,type:str]
+    LLDAP_SERVER_KEY_SEED: ENC[AES256_GCM,data:oLFPBiSK21TbFeSzxI+VjFiu8earvAIx8VXV2rMJ2OR952Mj/LRcv8Mz1AsRsUnk,iv:91a99ah6zb8xL1GEK7P/QxH9z9gBVUHpNntPs12Oink=,tag:IxxECEvSBXdW39IxzlumyQ==,type:str]
 seafile:
-    oidc-secret: ENC[AES256_GCM,data:AqFSSUMCzQYt3llQGb5ArWnInahuOQmOviRypSJpRI4=,iv:6fOgQiP1oGHoMIRy6+zp9G7ZwzVRSgjKfUgye5zfjsc=,tag:B9//G7IZsdtUps98YLROhQ==,type:str]
-    password: ENC[AES256_GCM,data:TYCWkuvPPq+VVpfnQK9g+Sn+8mkYX2jdDHzu2+zb5Rhu4QE0uki1uwE59qgng4Ke,iv:Cx9jmP+7MvRa3Bdd+ku+11I8Xp120f9XCdn5N1vyZAA=,tag:LUqNDQq08J9jRBAM9juprw==,type:str]
-    mail: ENC[AES256_GCM,data:FStg9iX83UHVILCAA7ueEbMK3v0k8OX6Bc0Du7KXOS+MIDSTlKHAYQ+rHgEE+WPU,iv:AToLschOU6hu7MuP5kFwNk102c7V9OTB2durwqUnZ/M=,tag:w3B86IzVGORQj49uuQnTQQ==,type:str]
+    oidc-secret: ENC[AES256_GCM,data:ObOjZHDHNad04dAjyB+jnpctnlOUoWTZCZW/DrgTA6k=,iv:j8fDB5dUVLBQNyyeGh1YFjXItGThFqJ8hdz0MYnRN5o=,tag:qyOE2iD7Ax2zADYGbNVjkw==,type:str]
+    password: ENC[AES256_GCM,data:4Wj06AHwTTJk4MZGMggWjzuFXMosZBw/fOreV8Ik3UWI7NmGSYD518Y0x0hJXgIY,iv:6C/fhT8iYnZ9RpLl6aRyF0lRw4EM06dyfIzm4so78NM=,tag:Xs5FuVZU1dKhNj2xz985JA==,type:str]
+    mail: ENC[AES256_GCM,data:Hux0EKh8LF1TExA8urzCG+2OysfL+fMgQdgh9NINexI98rRlGzVuwcS93wnI8MAW,iv:pBFQU7sRgRpHwE7wEc6xrplCX3+g6iwYLxL/uie+clw=,tag:wp/b7IFmkFBpEp4swsBbnA==,type:str]
 restic:
-    RESTIC_REPOSITORY: ENC[AES256_GCM,data:3ZV9vNRp4TDJ2UMsXN9otgE5Sm9kOpcPFQN0Vs7ZHpKaXPPH+hq106NFenrfDd3ZwjLvGwQvaCKQB4O1jdEgQOY=,iv:PR2LqQ61Jqs6IzDF9tsYa4gXmT2f7Ny1cIxi7h5mWhg=,tag:w2xKkHtQPecjL3a5T4fAAQ==,type:str]
-    RESTIC_PASSWORD: ENC[AES256_GCM,data:IL+jHt8cDrBGwwsb4RwuhmTCChGa6tewQC8/nSPCR61sE0/lU1srRvjrQj6juRUK,iv:V7ga0Yv09nMyWfg8XqtegQn2rtWPHTiR7kYdt2J3JdE=,tag:ERZ+BELWJutZDAI62OkLWw==,type:str]
+    RESTIC_REPOSITORY: ENC[AES256_GCM,data:hWhG1eRjjjyao3JOtbHQy0hUzbYr4AE9dMnSUrhYnWLIgMiGc/83k9ns3ZkHznXHx/gkal5b7KZ6FChyLgxYW14=,iv:r35h6whEcvwmHkX72AaC3m4VWUNqDTrzshwixFP+YrM=,tag:27+VdlHbamsyzcwb7ymcVw==,type:str]
+    RESTIC_PASSWORD: ENC[AES256_GCM,data:WMmlneQc9iLzANp3JNZ//KL/ZN3xcYKcuv7NJ79L2gwlFH44IZoIq06XaCvls0Si,iv:2qJH2P8Bowsx3M6UNyP7JCpU6u6RnbEguCXTunW7zE8=,tag:0mJMxb/WKKuZWRGHaN+PNA==,type:str]
 ocis:
-    oidc-secret: ENC[AES256_GCM,data:rVl/d66A/U8LVJMW6NGJEc4VQNjbxlAFLxs07557lTs=,iv:uC3LQOPb/IcPIc4VxMPGsHipOAB+7FqVnxwaPRqn2J8=,tag:+e72c08EIhf2YFswtT//dA==,type:str]
+    oidc-secret: ENC[AES256_GCM,data:y0rDFznTCplExYWaD9s6eocNb65q1PTh0CY4TOdaMUk=,iv:UsThyPS5Pj3c7K6Tq/H5Hc7BE261b4MmSPOBDvRV+no=,tag:Gw7oWkibryI0fbgLYRgopA==,type:str]
 searx:
-    SEARX_SECRET_KEY: ENC[AES256_GCM,data:87pIkLcZRqvi3m76VMPtwpK2ZeHnYo9p+TM4/9gCzcs=,iv:rugaEUbLkSS0bgd2hie3jqZ36L96NUi3WptnROpTPFQ=,tag:9KhtfwEr06zfjjfrBCVFpQ==,type:str]
+    SEARX_SECRET_KEY: ENC[AES256_GCM,data:hiPh/bX6yfY2H9MtdQZqmJEJvHvSJKKuJYXgsgoga+k=,iv:BVa76aRl4hWqAJgr4spKJoSsvmhcAwVMcu74DngMIbs=,tag:iMXeSg+mXQ6nEfYUzZFHag==,type:str]
 minio:
-    user: ENC[AES256_GCM,data:DPZlvQs=,iv:G524LHi9CjDKyv91wwLAgdv09xSHjuZ5vr/purG53aM=,tag:yfpn5bwO/6sGGa9AVjIGJQ==,type:str]
-    password: ENC[AES256_GCM,data:Gf1oz4jWz0pF3wHpBOeklMDKNhGFlrYfBYkWEKVGU4aqMcNTPunzeF1i7SaxoHvJ,iv:qQyJdW/0l8glNLczIV2Q/Gj3qcIgf7YNDzufj/ZlpSI=,tag:rY3PQp3tqayH6ObCmmKcqA==,type:str]
-    ACCESS_KEY: ENC[AES256_GCM,data:NHQXLEdZEO6HOhlnrk2CmGDOnYk=,iv:fP1xsWLrPcz1cZB/vVg87FidgJADmk93ODko9qSrVuM=,tag:L1gFyRAVbkXKxLj9zHq3vQ==,type:str]
-    SECRET_KEY: ENC[AES256_GCM,data:t/psvMk8lTc0d0Ot9kNEbVBio0w463oal183KyLYXfhs5S/t8hHulw==,iv:yHrGJ+b3ZzgwKRjawizutYRg/LBywrUYmxsqImlMzCA=,tag:DyZhAkMAo1a+CNDOoDvQjQ==,type:str]
+    user: ENC[AES256_GCM,data:QoMpYZ8=,iv:xS7HB4nqP7o4t04Qh2EbpmjVRAFwpa2U0+TfdF+V+LU=,tag:dfNGuNj+4lXMPVoWko57dg==,type:str]
+    password: ENC[AES256_GCM,data:kFG87b5KwCpTOYmTH5NrBcX84PLSw3SvPlNvHCyxchjfQoXwexjlcuK60dOPIckN,iv:bXb6u5sRNKQyElGe4IJYovkmdOGfHArAvAqqMAmtvUI=,tag:O5rhwAtwxP0eQOICkEXV3g==,type:str]
+    ACCESS_KEY: ENC[AES256_GCM,data:n0nxslx62iGc4eX2oBKBxKNGNLE=,iv:gnCjFfzSzX273WCK/gKVyWedPf0V/5y+d5lC2/Mnw+g=,tag:hYRqpG/Q7kHDD6RHUDHiUQ==,type:str]
+    SECRET_KEY: ENC[AES256_GCM,data:1VQSVCPPWdw0sL9uR3mkSFoeraFbc4hbwbX9EfICkRhidchHFv0l6w==,iv:nQ741krqihIxH1s7SSnmLy5EANxpu8AohNggbc9NPbo=,tag:1p2f2nK0dRKhiha57E53Dg==,type:str]
 mastodon:
-    mail: ENC[AES256_GCM,data:926DDO/aKcGr+miRk/waoY0TZkJmFtQXujSi850tHS1YFGmmu7ppvFyIoVbqXh4t,iv:/EDv16kqPtvYcRqlxysMXmiZmQTzrvyVxejpjfeOgng=,tag:RSbCnQlpDwMVKaI029rK3w==,type:str]
-    oidc-secret: ENC[AES256_GCM,data:Pcvo3u3MYRv20IHo8d1eg0crzEnziOffinM+OVATDJQ=,iv:/e32wwsIqGhcNfRxla5XKXP0ZePOsN8VxtQyYHGAnrM=,tag:k+9nRth2JvPzRE+tpUCIfw==,type:str]
-    SECRET_KEY_BASE: ENC[AES256_GCM,data:AZVUceNpAdjk3KBM3+m0pvADnAfI3T/iWoagQwHy+wf4pi3lPmSp1udub+ewlF2sTYvvoObNllbCimNUsGAp7dgs4/PW6FVTmEAoSGk7ZU0oLNwqV7ptoQ8QY8wMK/O4xZkYO9FJdN4ejvWnSK0h5TNiL9OV802LVdH4uhMGl8w=,iv:k19beqUKmqdA3g8Bb4Q6ildZ4Zg+ahIyg2Hv6MQ1Wys=,tag:W72kzH5WkGkwbY737b1a3A==,type:str]
-    OTP_SECRET: ENC[AES256_GCM,data:bqRWAPceKFacr686UKyOIbr/fnezw++UW8p4WDrwmygPEjgzl7hlnUwhmoYi2pWKkZOGZz2vqKNmeu2p4vrg61VL+PMmv4QAbGIB8gCpusLzLGIjwyg2oWYSNOUHCiz+8IC95sTNF8HlvZK769UYYd8wEMRcYCAfkTgnmRY0WS8=,iv:Vr/eV+ovdp5685Ewmn6QUkw28oagnklzQVMaKLG66XE=,tag:eF0jgNVsoc3/7jZTtXRR1g==,type:str]
-    VAPID_PRIVATE_KEY: ENC[AES256_GCM,data:sjwurPPepDid2zW8SClUeLYk33HBWO6Dp9nwHb+8++6Pee2aWCRW/lQVur8=,iv:EF0ADsrfkcT1D+Bv3cLIqTaFHPJW8RaV9hcRIJJBxqA=,tag:ON4ake53VEQqFY63piNWcg==,type:str]
-    VAPID_PUBLIC_KEY: ENC[AES256_GCM,data:n6R0uMAxFYl7tNChcyC3CJntE0qKRmD1S/tH3I2NNb0aBVZH2YT41gxUucYcLokNO2Y1IfmBNd2KiqNa1/qf/a+d5qDtAhbz3gGKW6bhSbTzyviZo0oKSQ==,iv:ENijEwXNnwf9klOorw8txBv3M3rNNhoVuPEWUbNZ8NQ=,tag:aKBWrPoaFc2A6SPBwWgcxw==,type:str]
-    deepl: ENC[AES256_GCM,data:1FDtWy5YAJT9otNKRB4qLX4lqlRt9WJj0xcJOAHuKfugPeiCFADK,iv:FKj8IeE+Ee5XD6S1q9Gj5mFVB4qn310wFyz7BRgmPxQ=,tag:Z7eGqPnt7u4Agn2jKjuudA==,type:str]
+    mail: ENC[AES256_GCM,data:ZK49RL2PZ2hr+nClsI1EDm49kgEi9FQgdbybFv+L7gx+7Q5G/uOQlZwr5OiRk4bT,iv:sDBlldwwxYeyAy3/cE9jixouTLtiDOcLULTxQKEaCBw=,tag:1WPYk2WCmszLzjmstTl7xg==,type:str]
+    oidc-secret: ENC[AES256_GCM,data:QlUZGjrbPF71m/8UseMXhIi/9cgKTZudsBsbDhm56SY=,iv:B+DYAzKl6hLf5IZsfV7UgM3dwP09AJExi0TqQ67GiIg=,tag:qaEszaY49nd5BWVCiXB4cg==,type:str]
+    SECRET_KEY_BASE: ENC[AES256_GCM,data:zKQttsmF/2srdxbcavXnVVKWD8+XrQ1B0IKqFtz/1qumnRAD9ydh4NjvuWSClxobv5EWpidNVDVM/kFVI+T2gdGnrqAu6Mp2NHWtPP9IIhurq2gHVf/An7GKsEO3NJQOrOocpURpcjpAs7JvsFpbQu8eT9JHK3OZaFsecKnXKBg=,iv:WAFCIN502gqk6WMTfAP62ROI3/IpU2wE8AXX+kRpv5E=,tag:x3Q5fEnv/kZhrOVIli3HLg==,type:str]
+    OTP_SECRET: ENC[AES256_GCM,data:G8rZPu72zdsOIYqSDrS9b1wSjgvF+UXoQEOTMw4ePvlsAyvMY1cAASQAVa5xYPz1j8PFnE+RfAqDxB1w91Rs4Spx/ToMASoupR14GHfane+Wyk+JwVJKjR3ROvgo8PfLme++NSmhOje67mnYMlq16/b9Ds54Pi08ygQy0AaYwj0=,iv:PhbYZgR+3ypkdZbixfzfDPNivRPGt9uMHM48bM/jC/s=,tag:Gz1vL1c/WMKI9HSbhZbteA==,type:str]
+    VAPID_PRIVATE_KEY: ENC[AES256_GCM,data:kWl764SQixcbt7harbKXKXQuUrR/sPAJWVxu2wM/ZIaWW1mimhuQSywBv2c=,iv:Xej9Cf0z5LKfgKIeX3fVDqBI6W4fRoaGrjJkJcmrh5Q=,tag:tmlb/sq0xqO+bt/DrwyFHA==,type:str]
+    VAPID_PUBLIC_KEY: ENC[AES256_GCM,data:f+rln3li7btQKYXwYkrS3iEE8hFPyhj/fdQrK0WTyHRZC7n+g8vongO7QOJhv+8ZGGbCJGpSJSlC6YoFt/ACoB1ojoF5VF0Jgo9carXoEAG8qHfr8WZXlw==,iv:PL46ihVqJlgXceg/lH1bTSu24EvuG/D2cOLOBX4jjgU=,tag:Q9iA9Iw7k8q6DZv31ac32w==,type:str]
+    deepl: ENC[AES256_GCM,data:7EXk3Uk4sHZ8vzOlXeVFYtg2TRZinFxJT08KfXxzfzVRnCJx1CJv,iv:pTW9VH+mbqkb/yftKQokNwO8pPcK7ewTp+imi8uK5xE=,tag:IUnR7R7UCzIubYk1iP/XNQ==,type:str]
 hydra:
-    cache-dora-im: ENC[AES256_GCM,data:x634SibBKWOSnToetM6yh8JbijmZxRPipKVXmFQDvAGj6oV8AFF/Xb+oLtFqj9MCE00HbUXDP6S/28X/0ngBcEXwoQHcDIWASjvsayEZPsoDA8ke+r6XtCPRjT9h3p9JUTLjOAQu,iv:+7HVvW4X7P4BXt3JeVjM6e3CplT1oiSCq2urh6TJfcs=,tag:94E1gPhpmpAcoTCodZlNJA==,type:str]
-    github-token: ENC[AES256_GCM,data:yCZV4/frLSUQ2kGNPt0XBcHjRV2quSZ+ZjbcoZlTSiiUE/0xbsOP+w==,iv:jU7riuOgkgdHRnvf9s2P9uqiq7OGGJ5mwseb7+Duu1o=,tag:jEXkU4zUMpM510Xsay27sQ==,type:str]
-    mail: ENC[AES256_GCM,data:ZIX64PF5/bNWYsIOaBoNY07O7OvJs8PFZxQOoCHKssjpQgkx6bpA5d7Qk1YZ+ot5,iv:oIwgzwz+RfQ1B5Pwly+nCOxQwEA9uzWmp0gKqOv2PQ4=,tag:hT/ZmhsC1w5qeuSH6Dg8cA==,type:str]
-    builder_private_key: ENC[AES256_GCM,data:S8gZj5r4vam1lYAC/6gWrn1jjpwG0YfvY2KPgf0cBpQkLsvVsiftEl7Y2zr2nstmRI1bNLU2bDaMF1msa6JalRBAnhh0+3Gi8kVBbpcrom8J1JsdoQPJG2y2eiJtRH+sDG0BEaGQl6MwP0a8V95VTzdMvLdabFpZ4Rsgcy82fYCYIQYPLnJkWTLOMST8wwFUMHPa9o12Hh/9CiHRuWYinyw3biVtmg7PXR4WrpPLk57ix0KGQxajZzL1RgrN7Y+sJIAlQX7vZZJ4v7vM9zQcTENGsDtGSLWpA0jAVtfvNGBLknmHrkBCpb8BEaj1QA8NMvYzQOy4OEMJjV3ZIV73aOAmmWjoS3Qxusn4h5uMnSOaO6YG4atBk2ojgU93He0X2RJY3WmdCcErtNAHY5kgsU5yX/qelT49uaAdAYwgJsW0ydAKX+/n+nHDE3daCR2j6LYI2QRhvcIrTO/4NpX5x0ydRjepf7fTmLYsmjA26BqFITDsBo1FrLgnyRAvSP6Jjw+E3tWHfSkrLDtIEfi8,iv:EQ1VgOn6V4wVSMse7ORGQ0Q12JpF27xCKJSLVBmtItQ=,tag:zJMRnkwNmvHuAZLbDd9POA==,type:str]
+    cache-dora-im: ENC[AES256_GCM,data:CoTnSJBQC6Q2yIk/XL3QhGUxmgz8oFLUMM08uKQB8EtYEks/2SJdYnlxacTZibpGQTkvd9sjFNPhZRRcPy38int/3hNDMQEeVxbxYYBOQ42Ras/kwKnHHJz3pePfQSlw4S0Gg8eQ,iv:y3gyDB8m8f+/pu/bAOlzYzVYn75f5P2Nb6gI/xjVzl0=,tag:V/0BGtXnKjzWDzXbiaZjXw==,type:str]
+    github-token: ENC[AES256_GCM,data:gv1W2khGBli9u6+gEXEHiXnugzAONKRDz0EGM6fHOS//+/Jlzz5Zcw==,iv:3O0nfi6aPKEzu2KD9fh6EQy8Obmk7b+R7Is36W1FsKw=,tag:TKShZlfGO2seEeXMe0BusQ==,type:str]
+    mail: ENC[AES256_GCM,data:xqJZiey3YwLvBWhbvLnHzePte0sakOZDkpfDxFSm20gbdnpVwbiyGbZ13hOyj/hY,iv:z+bkcls6K7lg8FGGSWiFzqA/8Wq172r4CXTkOqDjSWM=,tag:hPYpadnafF4lTCGYUQPz9A==,type:str]
+    builder_private_key: ENC[AES256_GCM,data:M1Klz9/gFxAQTea39aY2UaCZI+IUkEXAOB1SeAYMzy8xH0Qy4mHCpJN0wI/Mb1bodyDpbBxXwsavIdJ4+oncDSmgdRTzWVwTy04NrIQHNcEbxDPBJ526VbkF1KY5v6lj4a5GcU4omU0ePcJvjtT/bU52oMxOr9MbNQxmHL1eVevthVD+bqkoI8+XrommH58VeOAjmgDgLRyHD5SObMQ3YE27VfjG6PWBlnBtsyz1/28wVAjGdtQYHSSCpZmTrZRG/wP78HEoyowRJ6HfOsXUFxS6cVmOdUcmjAR8m/KHJNXKFGCHIJxOHX5SqZk1IWgKBzmzs+7icEt4KfLUpXbd2CL8Ej2aanL+eUrHIqHymn7ICzZSFlzZAFK49ygMr4hl0B3rG/dHW4NJYdmNU0dOCAYQ9NAjE8OHwUePymJ0qvo74Ri7p17HW3lHULwCuhKwn5qTkme+LLBJUI2vKko00RfOVGZVYyao+aIYlkvhoK2XuSC/Bt5z20q5LKP14SbBEvYxL28zGy7k/yy57QBN,iv:b4CbCPq2KEzWfIcNK8h8oFAc7jcjQ9+zKaChdAEgsFU=,tag:Hj99RWh2SUvLF9ITq0Q+wg==,type:str]
 alist:
-    JWT: ENC[AES256_GCM,data:U4NvF7dq1pwLUbVP+kAbDw==,iv:cvpbZMTj1kBrvyCFESLhzz4mMYFTF6nYt6Qz9Cr1Aqo=,tag:WnKj+4wFYaXRvTCRAFK1Bw==,type:str]
-sing-box: ENC[AES256_GCM,data:F9zBTXfscY9vECclSGuWf6RFJPBgqur2VifAp+eIiYsYhTAUWyP6nVr28VbKx90GJoVrerUqk1s89dsNie0WCZ7fzmYq,iv:aFxzA4rbePuQUd98yUZqtNVw8c9FLfWxhjbiipeoNjQ=,tag:U1QsDK9eYVOLWEBUNJcc3A==,type:str]
+    JWT: ENC[AES256_GCM,data:z1t9ZEj9qCm5T1w8cPpNlA==,iv:ZLOqB0HyZbx4l7QtrEh4GHJx9BIvXJi19dbuuqV0j1U=,tag:UMJFyvj/BTUAm5gcUEoXiQ==,type:str]
+sing-box:
+    main: ENC[AES256_GCM,data:9/kO8eiyVFTxWI2UNXVWRj2oaDS/XnKMvuKg/RkaGRtnoI0o334jlY7kdoy7/LdI1N4p3eoMyMnMCmFObR9p9Eg/YpNbIlaAU/M=,iv:6ZHwmAkpx7VUlfvcl9NQMpPN41h3Ei1wz4xTA5g1AF0=,tag:buBuhAqu2SvIybEFvosHiQ==,type:str]
+fw_proxy_external_controller_secret: ENC[AES256_GCM,data:Dl3YbLsr42zR/EDyZw==,iv:7Myxka/5j5Pv6G0SrlWEC+CjoI3yGbP4CSgYa7NnQj0=,tag:TyXVWiivJUakrjYMYiaUHA==,type:str]
 ssh:
-    id_ed25519: ENC[AES256_GCM,data:sZNjVKhHFpiuJ4f1I+8sClajtCfoYzIWlw/IhYc1hCzFfrT4cTJvq4MGewSdroeAhQ+SNMJcI6q+EFm9E/8QuTlFcuMKqIqvJF3HsgYthvFe089rBIBFI5/KYwxC2b9hjiDGHpIdgAAfaG7gRzkXiZMQTlEN26p6RG345XxbXLjsPr5OHeTHajFAMGJG9bTOJLHECkAJ05RNa8QFwh2UbHMvxyXlHBLMXhAcE3hWQ3uVZtOxUWQNsyLU1wOMbSK6C5wVImdGXav8Ddua320AhDc2PfpyP1wo8PkSUmR/Oop31MtZCD2eG8KW3zdjmsRRT2jlE3lF3sKpIO64EMV2rT4IU8qgiA/EQIQneDQRyYMkD8g+wnp7On2/p9DT3J8brUSnpgWY2RWs3RB4noV0mze78+XSBMkhagoJ/0oBrqYpH1f/B9lmGmzhDPTxxDtHdKJhYyQ9CjICmghe4NqvLk1+AzPNXAqWw1jGTN9rYJEfDx5ikKac6dW21U22b6REOYXTtmffCoghLyfJma0z,iv:PTrEBD53o888nqxg7izJ176S6HETfwXOTwZm+c4yAIs=,tag:hDb71Uc+Uy4yd785bFcJKA==,type:str]
-dkim: ENC[AES256_GCM,data:64NeVyUy42PKy8QZjHueFa5cg5PnuL5hLHBG+/8KSAT4iUbPjaPpiZvCJEwOEUuVNF97AJSPW5DzRArNMerOiBEAQYaNhCPYLL8X34v8LT4kNDVqKChhAHXQFkTl7wSH3YisODOvimli1tA6ZlJgdU7mrZ96KJYgefNJhTOGuXMj+s+z20OF19l1zOrf5BzH7XAariZ5iv77va+FEqt9ZIlcssp1csj0x3bJs5vHJWaPoIGxUl0GD7qJeTbRs0+qU/mzgTF6BZCH/5aqZnAx8ksAHs5YKbtFx6icRmoVQpL/nrB3H59UXxXf+akWu7YCJxbGx4a0NMr08uZO//s4PGVJb3XYxFudu4FNMeVdvRFlVheKxMBsFnak2yVrn/QGBI8KLu9xW1ZVjD9TzVB14n8BrmB5qCCVkCGSNpjh1+1BlUvDsMVmHtqEQJazlcTi/D3Z39biKC7TK87eKMsf5mEPhwNUgEn6FmFfSC1MmuDU2zv1b8pqMyiB/L/JMnb4t61C/W9KAuc8mRl1Xtzp8A/4VGF/2/m5fLQGAa7Mxegs0gvlVpZDsWuWAOX2ypMMb8ijpN+lmRtH8j899HZ1la/8Y3NpyySpAdP3gRV5GpCWNlxz5M+EvoWKdfOUONAQfhhAp0muRir88bBXw8Q+j5i7QGkT14YD/EDtZ+1sZZgEVOcDUIyxVGoL7npFDD5MZ+uc4GJS9nKKGUZK4rRt8nuYUR4YQQrkswExwTAXw13AF/6P65ctL9g7ufLNlTtEKsu8xtTuBQMTDnkL1s7AHQ8hst0OObyjrGiYBk3pTGloG1CwhtjV+/mYn0uV+AJc9dzxRlp1oKQ9l5RKdryo7NByaVN06d7IcEjy5zvyuJzT5URbUU7t/rx9yslouGbx8ZJxtTSFiSDPF/ngEuYBrkbCUsVCQcNKc3spbcJOvCX3k3Zx8Qb443N73wU6wCuRmCRRKBSB6dDblgeyYfAH1IL00gA/C5WwWBpaX6BDK96rU46Dlc3xwiBosWi2XN/brsv9HQ7Wmj5tFZVmJDsbADIgxiehqOYuP6MlDxPSiMR5u3FfsskFmX3dAQbEX24w2XeL1AOdaKa6CTmMNZBgFTPu21niQjTJ/dfGm0eABWbphZEmcGLLnvIhINWOmKPtSGd9v8bfjK4NrcfxWC8FNrAzm91FunVdRI4EpOGSutcRJEVq3Lmo42CxhSjkZbNHv0e6wpbK8ZqXPCv37TGc0NMWR5l1SPMYYwrot7V85yqomFSNUjdiZ3jsp4adC/oKlhUyJ5Ycg5OMd9cmPMBW8JEBxUHF7pSJmCHF0eJ9xzpxI9PTfWJQ48XfwW4jJMxzWf5HWYKVLOW1h5/Y6pktrIdVTbLoXAX8H1RFKwmb9s/U9f/WtgZpYAm1SMI5MMK8+Z00+dfS8dMx8m+jkftV5Rn6ZCjlBKW2sHXO5qQWBLP35cIi3BF0QjYF+YoESaSJ7qP21rOwCdTX9N11glD7JhQPuVyxQjSOwcS+J/iD1fJv17Qrggz1wPc/kg0gxvC/0q2yVHaJPIsdioeeCKTtjm4PcgYrLixeXe6XoByUfpcr1CogassK6EuEtH58hwVtfCfUyq+hyD34sj7oVb4KwRfd+Mo+XmDHKfQH0jeHhWVczqO4ktabuvEB7ExA7o3bh79rxg9bANsmHw66msD4sro8unlrgfXunVwwomI88PwADjAJn4WbyZKPxcl1qLKqE6UukuIkiZ1xLHLA5qa2nWx+QWHgJuPgf81UvGokjmfWEOEH7Z3pCmYrHZ3bfG2VbS2KwIrGx4EQvjsWUEuUU5cudagIBdWgLSBi9t/6uxrjx01VBOwwEmr2WxSZSMzT2AyT1cYpnLTeyTMxYPTAilRZN0QZmeFubwhEWfH9q+TxHMkun2x5RQ9/dL1SGmOHLvzy6nKnXdrYXX8iYX3AuJxpe+CUvbGTrX7jBcdGzjBtiK9f9OQn4N+ePJhtd5nk9fW9F+V7EeQrraPzXezg5TZIIwpz55I1p7C5pAJv0aDeNHwGuJBpgXob0/zh0mASoVh5mgSc93IfUG/qxPPYY7yVZNnkh404Etj2fX/XrMOfHQHp8fhn5muAY/kVvglFpoSPSuoF7+eYMZg314Bs8T/O7/vDXolj8KmKiS1uzb1swCgZTi3Fa1YaZ/KXze4tkbrwRZLTpczteJFE0rvIFquUXrpxO185yARvDQLtKWiilSEYVYbDCXyk7O+K0dEIGdvQv6tLm3/+VpVCEcFM/zYuabJlr+mP,iv:8hdVFJT84tW+qawijaz/6a7MclqgYjJtKyNS0/9XOzs=,tag:EgMgkLPvaB2f2m8TQOyryQ==,type:str]
+    id_ed25519: ENC[AES256_GCM,data:GVZIf/AtjSKHNRw4fqiiHvJ2e2oClgNqZrcsVo3Y1W7yGgrIOi6dlHHYcts/liQQv627sy6nITWXKV0f/8ZdNpx7vKRSgjJb/iLpr9gpX/Zz3E9yEL/FwEq3XZ4Ui0UdxkZCU/8J19HTFCjYrsrjfUz2wMWWQR27tZYixM3rqb9Wy/BAbj5eWy48wtQff/ZXhTINB2+79fNHlHegLYfdJH7qUlJHs7WkopM5GsI+IwMAa8pO+1fJLvikXA/C3lJ14iW4LejHv/OZsDN8yqs0nKrNrTF5z57rBxPQzinax59/Lk6ghPJuh+ttdGMtgG3mHKKp8sUbZmF2+YG3tfTaxzQEW70ZTup0GNT7Nkx5tlFnN2+gmT8H7i8kOMw7oVhFjiGHN822aihAdIOXOk82IvS8PrJrBzXzukZ1t8AR0Ap7574Jvw+AIN84/sIJe7CJpJIN6zECmgktxW0jNZlpIGKxImh6nt7Lnzhb0EariagZFksPjc7dY8/VnMbHMZUoRrbKbRid+4kG6FddwJer,iv:RC4UKyWR96RKicu52kW6Ggrf3GHD9A+S4RX5cDZcLBU=,tag:GuMgTCmb+UeXo2TKcpDBuA==,type:str]
+dkim: ENC[AES256_GCM,data:ysYEpj0lB0h72JOsqqalIxdOusiacVbGMb6G+j1pqwQlzOKjiVi3tF4TS3q8opr/HLqB/pTZPB7mLicUoE1192KmolynPbDVMRzw0GAKFm1H9KEwNZLvugra040L0eW7mJH29hc4F1gcDldewePttF32T6rH3T0N4sreutuMvqskPKQV7d71LZ0cKb5wcB3Hsb5MRZtbTTMLueTHJFwcANLISlXwnlA3sH12GVjAZnAt9md32flY3e7qukGL2L/5MRJkFUQ0ZjcmrfMlvbuRNZkJ64TFykCLmeodSB+sRTJk9uYtoHVkrj2ScdmhQXQ7N/Ucrx8eqqjH+Goz5osmvAsgVS6FKYM6kDTQgty/qW/NK2rT/cGhT/MKydFVOsJVfr/h2cGA9kTOGWX/eNpi2u3+zgJPiUmf0ccicx0wSxN0GGr1MKPM6Aq+E2K2gTvHupe4/3F7eTOR12IDIdINcuUQfR5u04Pz08BLkVCBS2Z8yS9tsOy8Xjb/3BWQ1WcUoA5rkxLzOMbC3Uw9LPWGasIxGDTW08ThlaSNpyQvK2RR9UIwigpgp0fNGohZ8S4QPGTjZyn4ZrAp9QhdoSoP+PF84JhKG1a4l98E736CQ7x9+5XJBNiGTTdGM1s68rJzLG0lK9OHma2CPik2PEHHCVKI+sf8qa/ZjvypoqgYd+rM3GNAN93KOKT0A3MxevEMSe0owDaPAHZ1StVy3ameyGepfeFWZ5rl6uTcJ2fT3ynyFlvHL4ae7cUH6O3AOjTBJ52B5GNL2GjkxFPko0xU3n6cwmaoycKxON8BB+qrYIzjVM/YYg4CZPDOjO7hknCWVR8j98PenDJWXvkePEZhfQ2Cy1eK2roQRS9JEGO/qWD9546xLefxiindV2TGaWmkuLMi+kq5MCGjLsFMhhqZxLNSXv/ff2tnbykDOxV2DtbgqzzmdtX81NBpK1gGX2P0Dw8eT+YFH9fKNbqJX6IK97YMOrvXnxOy8O2NBowqsrimOX8uv2zf0GFLM9jH77N5tvFGOHdAr9QQXJOCEDEc8HugHVFwzZorza2cCKmcnKJBSib9eVdEWWPi6eed1uB5Q8zdgiuBN9/68E0Swtr7bIjT0RrC15FXwaVsLAPNvdbN6H+pyL+bwp6iwtHrv0rjoZw+AFh75FgDExqivjT2PKV06TQNO2kK0vxKs/loJmyHzD3jViNorpommYnSRq5X0ZE1PI7E9zE+Kr9vA/G32CB9i4f0a0jZ621wNW1a9ICg6XRwZSiXlXRp86o5guYNc4MQ3lFEoPGOVdi3y/Z+cDlxZyjWP3wM9yRmwrbYyft7Ys8d/Du9cKdnHx+Iv37at6JEcs7LcyXbP5cx097xpEqxEPfD9jo+BHAkV1pSdqX2PIFIQUelvmuZ2xF38+oIEwW3TZIyNi4U+sksZHZ9EEBPaW5+hwOrOGvKAccMv0XFXzVgarwTP23CcmzEuGjrMwq3li67iKfPPEmOQpgvTptDdkWCmg8Lt4j8MAwPf9lB4nUdIWX7QlDN1LbWSCzB9kMZpqBU8yC4SKy5qlavPtpKlFN/T9j+4uTmHcI3X7pdGFB/CkMMn/KzO1d7hP46biGW5QMP79TSm1FzfTBXCu051JV0Q/NBItHip33Fg1kYeH/iBrUJsot6Ji5RpkP6wvOrRz2cZQNV8HS2Jyu+3IMFVOP1Hjw290Y/qwPyRM/5BYGGkYrUGEsusOlgStdD++uYCNh9GAxSJMpBW7les+leBk3RqmcFB+DA/xddX8+8kRHvt1NZAYbRrMIxkzXwkMtM60c5K542qxnfEit505FjLGypl0geTEyWX/C84gZzVFy1zvRl+ITYQw1BFuMS7v4oWM7C1RlZnlTaH5KvW0LEF3Fqs9M376Tc2Hsk/LPUlo0oCPmU68fSaWA7PRhLnWixOfASwtAz0wNcjGLWG3zu2GRm9GWLEkv+kcr6MjhtyZJ8LnLwHwkjXUUFNswYRorofWw1aL4SK1E8D3gWrQKr23NjD4B6wZeg+zr+vm5ikdKdks7p/J92XFI0h6mxWB90MDPD1go/B5bxVQGeB6GfB3pqlUw6ecVrS7Th4ym1l3d/19C/QpX8hQtAOtEQOrfUlO0kIwKv/bZLpYZj6oQfm6T49bUqW9MFfHo50mjvY/DMhGzCOdZXHxfy+YZDRBLvu4Zc+Je2oh3d1mrer1wxgY3FtqXVCR5HS7VFd9Gxc7nsAQ4KAVLmozSaFWygOjngq6VoPhK4PHrlKnWttunUwjkUoQXE,iv:9mG3x2fLYd9kuBJXOqeJhWiLHZvD+XKBygBpXix4woM=,tag:nVII5s8dn8cWOLDnAaPc8Q==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -68,70 +70,70 @@ sops:
         - recipient: age16rc6cs8fhplzwh938d3zxq8pke7pgxerzms0dgkdgq7he99c3ccs4emnhd
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYjM3cThKREdaTUZuSmxY
-            YndWenhNQWtiU3R0SU13K05sMExOSnA0NUFrCm1oQk9OZ2RlaExUZnB0UlJDZGJY
-            RnlqcXJmTUJVZDdjYXdLNkNidUpMUnMKLS0tIG5jdUJSVjlJZTR3SGNIY1FEOU1T
-            N1NYanpsWnNxN3FHalUySVhxSDhaeVkKMC56ZF4VSUmocvuITtscy35l9hSh4/vT
-            my2MDAZwUuMsvH7eSupFcmxElhor6mpnZrLBOl+lWi6ULoXctulmcw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyL0ZleS82MnhkTG0vZk9v
+            Wjc5OWRTeVJTUTVNMFZzb3ZCbndxZFNLazI4CmRSMjBkMWdpTW9WTjUvdjlLbEkz
+            bnVCNy80SThnV1pUc2ZQUmhORStmZzAKLS0tIG0xeW5CT0tQMnRIL2lBZkdUc3ZS
+            Z0xDcmRSWmtuNEJ1N2JTejZ6dy9XZ1kKI4xLu82mbQ5+F89CRiIu3nfXnF5KvZm8
+            2mPsjwA4YWlHG/EwiBISt/pn8AjGVomHTxql9hDgUh09cCpQffyMPA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1yrns84azc959kqy3lwh0jqxjlg98lf4mlccx8v3q9d4rphpy4e8s2sprwg
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXQUQrNTh3YkEyaFZibDI1
-            bGJxN2dJdVY5Q256ZERUYTBxekxqcnprQlZzClBERXREUTNBQ0lMdEFYY1ZlVlZK
-            ME9TRGE1VlBkTTZodHFYQUVuSTB0bG8KLS0tIHdKbGVPeEl2WUtLUWYycGwxL1pl
-            SVFNMWFQek12SjRCZEM3NFNPVUk1LzQKduvFdmTTcmRz9r07caUwNgXthLe19Fs/
-            aGUtH/WWOI70mXSXc7Pd42DZGhEz9++XDHUQH3bZ9Ww6liZyvw8C+Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6OGI5VVUyWGxzUVFRNXJC
+            REZKWkdCb2dZOFRWTnlsajBVdmliUzQ4bkNVCmIzME9JYlhGeGdEbjhRRHBKdWg5
+            aTlyN3g2TU4rM1pNK1JxRmVuWnk3MmsKLS0tIDNuQnRDNGEyVVhtODNJcHBxdFRj
+            RGdNZktBSlAvWEVZVjRtcHpUaklkdkkK85GzOZIJCCRc5eOwReOViY+33JN/IDne
+            //Nigpzb++EX+eoLxaLJmDGcxJ6jyTvpvMo7Akv8KkUMJzrTpVQdmA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1tvfl7y78hv2egs45nqtp7nlydqrrq2twjr47m2028lh68qtqwuxs9wxk3v
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxK1Y5b1FYOVpmRGthK1A5
-            eFlpd2RBZExncjhBYkhqZDJ3dDRyaXNUa0ZnCmRya0t1eEtTK3ZSNExRVlF3OHhz
-            bVRuOUtHRW5HTFZRTy9XQk8waTNWWmcKLS0tIDFVUG1veGdqaHdYVFpvQmE3Ry9l
-            RWJkYnRyQXlVZytpMncxOERTMW14YWsKZ20AXZPJ+siGrKJonJVkzRYwY299AXo1
-            caPSrihkbJx2NbWGIjPaEUwP3+CxeAXnyVlF2Bv6rXzhCziAiOTVrg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpMFlJNUNkbklaeWZRMnRv
+            RXkvRzNBbXg4WlNpUWRhdUcyWU83QmlhOUVVCm5sTUo2cVFmdDArVVNJTHhMNFdL
+            NTlSWHdJZWg3bWF6VEl2VGh0RnhMWTQKLS0tIHRwcmN0TFhsOHY4QXNISkZQT2hM
+            RHdpYUpncWgwcEVmeFdIMHNEc2JyUVkKA8ue/L56bYeL1WD2l+VyVLP8ta5yYMeY
+            f4My3T4RoeVxGA6gG5CgJP49VbQrnZBybDlQr9fbyvDdX5MTmcwqPg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1uy5aqnm948p6zd2jy9enw5rppemgxcdfswgvf3qv7d2y05zfla5sqwzhhs
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaaS91VzliTmNwbUhVa2hG
-            R3JlNElmcUhxcGVYUlJHMEg5RG5RdXdrSHdBCjJKZmQ5ZlhHMzRKeVpQVm44OGp0
-            d2lrUndoeExjREJDbkFVNU00Qitta1kKLS0tIDNldlZTcS8vN1g0SndnS21wckNt
-            RUkzRlU3c05kL2g3N1RudTJGZndoQTQK+QscmN9FAJem9nn/KbA7Ibt6JVboYiPf
-            c/E7ACKT96CF4V2Z6tUS9UQ81HWYx07249hjgVNeQbMQs4K4nqVGmw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VEo3YlRSa0pLdGp4UnpT
+            eGh2cXBZb1lMN2ZSc3A3NG85YjdXcUZkdW44CkRQZzZjdk5Va1ZpZUp3ZFBnVDJC
+            YVhXV1hkbStoeW1RWWxMMHlzblZQc28KLS0tIDQ4YkZ0eEZYNlhSOUxBQkt1R0ZD
+            QzJxb0tEY0wzZ2RCL3JyMWlsSlN0eHcKQWRgoFyRjs7MbEtOl1WyYtdCzs4PqV0D
+            UX/E432ZLw6rNhSahnKrEl/qBG4z3D1bLs5RPSGs+LbsJ9SjtRU+gw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1934xpm9at83g823dzwm3wxj64apvrx40wcv8ms2p9gvgxdxwsp3s0rvpyc
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1RmlJdmJuSnVESk15L1VV
-            NklzRlZWOGhDc21lcVNUUXVyRWd6emsreWhVCkIxZkwyOVRLQW9HRjlvNFhhcWgv
-            dHdqMVJSWGhzTC90VVkxSHZlT0cyTHMKLS0tIE4zRk4yY2xHYXRLUHVzNTRrck9n
-            UVVTb0cvQ0tURk1pL0hYTFlOMzFSZWcKem0wc6jnfd4f3X5EKwst0ABKJKFVR2v9
-            BOjRzOnzrvFt5LWK0x2NZ/hXYdEcncSwiCcgCGjVRKS3mjvz1L7SQA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtajN1ZHd6UGpDSlc4cXE0
+            a1lkWTB5cnFHcmlLZzZOOWxYdlcrcDdPSHdRCjRpcVZxRDRDSHVHSXhvMVJGaUNY
+            RVQwdS9qNG1BdjV0b3g0NmlXUytrY2cKLS0tIFdoUVRwOFk4SEEycUd5aG9nRFFa
+            WGc1WkhNQ2dsTktuOFlDeCtVR1Y0ODgKdMYAjLcuTOsP36f7QWIg/BDgAef2qAjo
+            /PTrHGN0h05A/qNfJa/E1cX27J8uihi6AwNUKlny4chWVzebscv/jw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age170nax8h00thyfumectwsrz2vk2l39k80urwzghez84acppq97fushqjtrd
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3R1VNRHZWbE9MbkxkbUQ5
-            QndGTk9lTTN1TTVFbDlDRFNxRFpIZnFwVkJ3CnhrRVR0bjJCa1pkMCtIOGdmL3Jz
-            dFFSbGQ0RXZFVzRwSHgxVzM4WGNUWVkKLS0tIHlDdis2c3p6eGltQThwY3JTTXQv
-            bGY5OW11U3hiL05jQ0dQTUVEZEsrOTQK9vv86L7ls3rn6wRByw1KOu5x7amDwvbB
-            8fmvUlQhDMZAQSBdeLnqQIdqtQPAq/5+uqJ2MfrT3SvKAoc1j/V/EA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRy96aytKQVNmNGg3cGRG
+            OEs5ajU5aS92azExUWI0Q1hJdE1LZy9ONUhnCmVkd1VTdEwrYkhheU9hbTNRcFBD
+            ckplRDMrSFBwNjhMQ1ZBVzRjYVJFWTgKLS0tIHd5WVlsMXBpdWlYUWZMcTNjeWlV
+            R3hZQ1NZTHhYWHZqVk1VNForeUtjREkKg0jINVA6HkBOYS3vjja689FjrI1C2cDV
+            8bGR/fzWtxtvVjacdO3cHbIWhClIBtAE2pWv97mXg8niy10fz0S2dA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-02-24T15:43:58Z"
-    mac: ENC[AES256_GCM,data:luC1Pi4h3Kq7dDtDLXHvlL/3fvizLCs2HfGNEd7CWOSEO1p5OgmB64r+NBz0DsjVD+O/HsHMKnlzrrGDJxFqBSsJJSVteXBVltppnpvjQP5Eg6hxCsCKLeF+PkV/SuvPSTi9bzrWIh6y/kBQeQJal6HkwHAz9zZbFt4LevUlWQM=,iv:Th4sOg27G4GgGI37HtZcUa+eb1tlUlXnFT1Xzi0ogJM=,tag:8ld6WENDyCVkQc+w+vBf8g==,type:str]
+    lastmodified: "2024-03-08T05:35:31Z"
+    mac: ENC[AES256_GCM,data:n7fP2/nu74jOPhTd77jOgaOFqBtU1IP03QvItrFYWKsSJ8RNvbR8z7omDLyBuNPaylmIp0cFk3NIq3H7xiVS/oBa3ybVLCbmxE4G5lbc1v5S2lVeWm4uowLFDEN6ozLV5uVK7zMiXAESsDPKm8HOmYelBE+HKVdy8hFVr/LUiCE=,iv:4YzVYJCwcwRZzmdMD/O9QlFYeA9qLlfnUw+5cxntBg0=,tag:9vgES76TXtA3WzaAyqz6HQ==,type:str]
     pgp:
-        - created_at: "2024-02-24T15:43:58Z"
+        - created_at: "2024-03-08T05:35:31Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hF4DhQRDCIk4Ky8SAQdAgIgxuNOMOQn9vSRy7heg9+LMlsxIR9FAoQAhCp5XrFEw
-            c3Chi9YprhUs9gB2DcH0yYklUxjJiZnJ7n8pVhC+PFMol/VG/CY3RTtEtPjdWoNS
-            1GYBCQIQ7TPSFuUVEtyAdVC8EhkYd2tjfXfymyLi5cpwIh1Pm4cZSFg5ByX+r1tq
-            zBeqT5XrETUkmJvtqfhPT0lINKjdTvYF5FVk3+0Y+iTVTFB29FeN7ptZSV4IMsAZ
-            sMUonym2VNE=
-            =SHgp
+            hF4DhQRDCIk4Ky8SAQdAYmU76IEFsULJdxa5nLZAYssOOvrqoL98v8N+KzhpUFUw
+            7upViiVFysVhleMHzFl9lQz7sdeyuPeFkNNty02lz4X9sUYCYCC2Z8iCNhoO0gt1
+            1GgBCQIQgXjhrVGZtF3rzQbL9u2prcmbQADYtAw2bAHriBUdKSWlosBvZa4aw31f
+            wQwxijWCAl8T5QH5I9/8Ctw3Fx09kDYBxWzvD+oenBe/URWFV6geNFu9dLVeJtw4
+            jHrYx2Tn5cQFFg==
+            =4Q61
             -----END PGP MESSAGE-----
           fp: 23232A6D050ACE46DF02D72B84A772A8519FC163
     unencrypted_suffix: _unencrypted