Weekly flake update: 2025-12-29 10:38 UTC

Reviewed-on: #1

TODO.md

@@ -0,0 +1,39 @@
+# Keycloak SSO Rollout (Server)
+
+## Compatible services to cover (assume up-to-date versions)
+- Gitea (OAuth2/OIDC)
+- Nextcloud (Social Login app)
+- Paperless-ngx (OIDC)
+- Mealie (OIDC v1+)
+- Jellyfin (OIDC plugin)
+- Kavita (OIDC-capable builds)
+- Readeck (OIDC-capable builds)
+- Audiobookshelf (OIDC-capable builds)
+- Matrix Synapse – intentionally excluded (see below) but natively OIDC if needed
+
+## Explicit exclusions (no SSO for now)
+- Syncplay
+- Matrix/Synapse
+- Arr stack (sonarr, radarr, lidarr, prowlarr, bazarr)
+- qbittorrent
+- sabnzbd
+- metube
+- multi-scrobbler
+- microbin
+- ryot
+- maloja
+- plex
+- atticd
+
+## Phased rollout plan
+1) Base identity
+   - Add Keycloak deployment/module and realm/client defaults.
+2) Gateway/proxy auth
+   - Add oauth2-proxy (Keycloak provider) + nginx auth_request for non-OIDC apps (e.g., homepage-dashboard, stash).
+3) Native OIDC wiring
+   - Configure native OIDC services (Gitea, Nextcloud, Paperless, Mealie, Jellyfin/Kavita/Readeck/Audiobookshelf) with Keycloak clients.
+4) Per-service rollout
+   - Enable per app in priority order; document client IDs/secrets and callback URLs.
+5) Verification
+   - Smoke-test login flows and cache any needed public keys/metadata.
+

config/overlay.nix

@@ -38,7 +38,7 @@ _final: prev: {
   waybar = prev.waybar.overrideAttrs (old: {
     mesonFlags = old.mesonFlags ++ [ "-Dexperimental=true" ];
   });
-  qbittorrent = prev.qbittorrent.overrideAttrs (old: rec {
+  qbittorrent = prev.qbittorrent.overrideAttrs (_old: rec {
     version = "5.1.3";
     src = prev.fetchFromGitHub {
       owner = "qbittorrent";

config/users.nix

@@ -1,5 +1,4 @@
-{ ... }:
+_: {
-{
   users.users = {
     sonarr = {
       uid = 274;

flake.lock

@@ -20,11 +20,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1764714051,
+        "lastModified": 1765900596,
-        "narHash": "sha256-AjcMlM3UoavFoLzr0YrcvsIxALShjyvwe+o7ikibpCM=",
+        "narHash": "sha256-+hn8v9jkkLP9m+o0Nm5SiEq10W0iWDSotH2XfjU45fA=",
         "owner": "hyprwm",
         "repo": "aquamarine",
-        "rev": "a43bedcceced5c21ad36578ed823e6099af78214",
+        "rev": "d83c97f8f5c0aae553c1489c7d9eff3eadcadace",
         "type": "github"
       },
       "original": {
@@ -54,17 +54,17 @@
     "base16-fish": {
       "flake": false,
       "locked": {
-        "lastModified": 1754405784,
+        "lastModified": 1765809053,
-        "narHash": "sha256-l9xHIy+85FN+bEo6yquq2IjD1rSg9fjfjpyGP1W8YXo=",
+        "narHash": "sha256-XCUQLoLfBJ8saWms2HCIj4NEN+xNsWBlU1NrEPcQG4s=",
         "owner": "tomyun",
         "repo": "base16-fish",
-        "rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561",
+        "rev": "86cbea4dca62e08fb7fd83a70e96472f92574782",
         "type": "github"
       },
       "original": {
         "owner": "tomyun",
         "repo": "base16-fish",
-        "rev": "23ae20a0093dca0d7b39d76ba2401af0ccf9c561",
+        "rev": "86cbea4dca62e08fb7fd83a70e96472f92574782",
         "type": "github"
       }
     },
@@ -216,11 +216,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1765495779,
+        "lastModified": 1765835352,
-        "narHash": "sha256-MhA7wmo/7uogLxiewwRRmIax70g6q1U/YemqTGoFHlM=",
+        "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "5635c32d666a59ec9a55cab87e898889869f7b71",
+        "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
         "type": "github"
       },
       "original": {
@@ -234,11 +234,11 @@
         "nixpkgs-lib": "nixpkgs-lib_2"
       },
       "locked": {
-        "lastModified": 1765495779,
+        "lastModified": 1765835352,
-        "narHash": "sha256-MhA7wmo/7uogLxiewwRRmIax70g6q1U/YemqTGoFHlM=",
+        "narHash": "sha256-XswHlK/Qtjasvhd1nOa1e8MgZ8GS//jBoTqWtrS1Giw=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "5635c32d666a59ec9a55cab87e898889869f7b71",
+        "rev": "a34fae9c08a15ad73f295041fec82323541400a9",
         "type": "github"
       },
       "original": {
@@ -404,11 +404,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765605144,
+        "lastModified": 1766939458,
-        "narHash": "sha256-RM2xs+1HdHxesjOelxoA3eSvXShC8pmBvtyTke4Ango=",
+        "narHash": "sha256-VvZeAKyB3vhyHStSO8ACKzWRKNQPmVWktjfuSVdvtUA=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "90b62096f099b73043a747348c11dbfcfbdea949",
+        "rev": "e298a148013c980e3c8c0ac075295fab5074d643",
         "type": "github"
       },
       "original": {
@@ -495,11 +495,11 @@
         "xdph": "xdph"
       },
       "locked": {
-        "lastModified": 1765741609,
+        "lastModified": 1766929444,
-        "narHash": "sha256-mBDW/2NPaxXw68ledipQYSL6GGU+/CCsObondH22+no=",
+        "narHash": "sha256-mGk+mk/miObjivy+6qMqQm+Jyl8R7t6B/1SaiBkUUyY=",
         "owner": "hyprwm",
         "repo": "Hyprland",
-        "rev": "7ccc57eb7cacded5e7a8835b705bba48963d3cb3",
+        "rev": "6a055fc747a5a899b97f9b4c1d1a52229a805b1e",
         "type": "github"
       },
       "original": {
@@ -541,11 +541,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1764812575,
+        "lastModified": 1765643131,
-        "narHash": "sha256-1bK1yGgaR82vajUrt6z+BSljQvFn91D74WJ/vJsydtE=",
+        "narHash": "sha256-CCGohW5EBIRy4B7vTyBMqPgsNcaNenVad/wszfddET0=",
         "owner": "hyprwm",
         "repo": "hyprland-guiutils",
-        "rev": "fd321368a40c782cfa299991e5584ca338e36ebe",
+        "rev": "e50ae912813bdfa8372d62daf454f48d6df02297",
         "type": "github"
       },
       "original": {
@@ -566,11 +566,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1759610243,
+        "lastModified": 1765214753,
-        "narHash": "sha256-+KEVnKBe8wz+a6dTLq8YDcF3UrhQElwsYJaVaHXJtoI=",
+        "narHash": "sha256-P9zdGXOzToJJgu5sVjv7oeOGPIIwrd9hAUAP3PsmBBs=",
         "owner": "hyprwm",
         "repo": "hyprland-protocols",
-        "rev": "bd153e76f751f150a09328dbdeb5e4fab9d23622",
+        "rev": "3f3860b869014c00e8b9e0528c7b4ddc335c21ab",
         "type": "github"
       },
       "original": {
@@ -672,11 +672,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1764962281,
+        "lastModified": 1766160771,
-        "narHash": "sha256-rGbEMhTTyTzw4iyz45lch5kXseqnqcEpmrHdy+zHsfo=",
+        "narHash": "sha256-roINUGikWRqqgKrD4iotKbGj3ZKJl3hjMz5l/SyKrHw=",
         "owner": "hyprwm",
         "repo": "hyprutils",
-        "rev": "fe686486ac867a1a24f99c753bb40ffed338e4b0",
+        "rev": "5ac060bfcf2f12b3a6381156ebbc13826a05b09f",
         "type": "github"
       },
       "original": {
@@ -726,11 +726,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1764872015,
+        "lastModified": 1766253200,
-        "narHash": "sha256-INI9AVrQG5nJZFvGPSiUZ9FEUZJLfGdsqjF1QSak7Gc=",
+        "narHash": "sha256-26qPwrd3od+xoYVywSB7hC2cz9ivN46VPLlrsXyGxvE=",
         "owner": "hyprwm",
         "repo": "hyprwire",
-        "rev": "7997451dcaab7b9d9d442f18985d514ec5891608",
+        "rev": "1079777525b30a947c8d657fac158e00ae85de9d",
         "type": "github"
       },
       "original": {
@@ -747,11 +747,11 @@
         "sudoku-solver": "sudoku-solver"
       },
       "locked": {
-        "lastModified": 1764529970,
+        "lastModified": 1766276320,
-        "narHash": "sha256-XskTPGgQJlMXMpiD16J+EyG7G01SwybwK0MXgsfqi5E=",
+        "narHash": "sha256-0OjLvaFkXUPy1lCICUH/QUsUpcDpB2rlDner/f8wirQ=",
         "ref": "refs/heads/master",
-        "rev": "e40d6fc2bb35c360078d8523b987c071591357c3",
+        "rev": "64676aca5db212e7a84b154811d69b74c9cd265f",
-        "revCount": 122,
+        "revCount": 125,
         "type": "git",
         "url": "https://git.lebubu.org/jawz/scripts.git"
       },
@@ -788,11 +788,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765764448,
+        "lastModified": 1766887720,
-        "narHash": "sha256-GHM40ltWiRnGYvhcLRaNWXZoyGUOL4FgB0U7muHjn9s=",
+        "narHash": "sha256-h0rnexpjILYVpOcE76FQ7ieyqevTQhjah6y/bM9A4kE=",
         "owner": "fufexan",
         "repo": "nix-gaming",
-        "rev": "7f4e526e0a1badaaea208a0180199d1d26596fa3",
+        "rev": "c308874a31ba27dbf83a66418268079cdb7e320f",
         "type": "github"
       },
       "original": {
@@ -855,11 +855,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1761765539,
+        "lastModified": 1765674936,
-        "narHash": "sha256-b0yj6kfvO8ApcSE+QmA6mUfu8IYG6/uU28OFn4PaC8M=",
+        "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "719359f4562934ae99f5443f20aa06c2ffff91fc",
+        "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
         "type": "github"
       },
       "original": {
@@ -870,11 +870,11 @@
     },
     "nixpkgs-lib_2": {
       "locked": {
-        "lastModified": 1761765539,
+        "lastModified": 1765674936,
-        "narHash": "sha256-b0yj6kfvO8ApcSE+QmA6mUfu8IYG6/uU28OFn4PaC8M=",
+        "narHash": "sha256-k00uTP4JNfmejrCLJOwdObYC9jHRrr/5M/a/8L2EIdo=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "719359f4562934ae99f5443f20aa06c2ffff91fc",
+        "rev": "2075416fcb47225d9b68ac469a5c4801a9c4dd85",
         "type": "github"
       },
       "original": {
@@ -903,11 +903,11 @@
     },
     "nixpkgs-small": {
       "locked": {
-        "lastModified": 1765750102,
+        "lastModified": 1766945671,
-        "narHash": "sha256-0VK0PKOmryh4V2aBakcTpgshQZ7qRsRRwDm7Eqhs1ZI=",
+        "narHash": "sha256-02c5lD9jxmuHK3pa9zvoRaSEtwmR1Dyp3cquGt5i7B4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "8e8751ad07080fe4d5737a0430cd5c1d3ba5c005",
+        "rev": "66ab54eb48d681dd7babe2d0eb9bc36f823ec6d8",
         "type": "github"
       },
       "original": {
@@ -919,11 +919,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1765472234,
+        "lastModified": 1766902085,
-        "narHash": "sha256-9VvC20PJPsleGMewwcWYKGzDIyjckEz8uWmT0vCDYK0=",
+        "narHash": "sha256-coBu0ONtFzlwwVBzmjacUQwj3G+lybcZ1oeNSQkgC0M=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "2fbfb1d73d239d2402a8fe03963e37aab15abe8b",
+        "rev": "c0b0e0fddf73fd517c3471e546c0df87a42d53f4",
         "type": "github"
       },
       "original": {
@@ -935,11 +935,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1765762245,
+        "lastModified": 1766736597,
-        "narHash": "sha256-3iXM/zTqEskWtmZs3gqNiVtRTsEjYAedIaLL0mSBsrk=",
+        "narHash": "sha256-BASnpCLodmgiVn0M1MU2Pqyoz0aHwar/0qLkp7CjvSQ=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "c8cfcd6ccd422e41cc631a0b73ed4d5a925c393d",
+        "rev": "f560ccec6b1116b22e6ed15f4c510997d99d5852",
         "type": "github"
       },
       "original": {
@@ -978,11 +978,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765790735,
+        "lastModified": 1767000376,
-        "narHash": "sha256-KZqns0oFKXtBpmhk7QIsoMQLFepTGVt+2adnTMSDCus=",
+        "narHash": "sha256-pbK0Nw0Ye/Ftbn0fLHgcNTgdN7k3MNk+ffNNv9IN+i4=",
         "owner": "nix-community",
         "repo": "nur",
-        "rev": "88f0edd08dde26877c8e407ccdb2ed6d1449a7a5",
+        "rev": "3ba02c75254298131216fd7f00871d69879a20be",
         "type": "github"
       },
       "original": {
@@ -1026,11 +1026,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765016596,
+        "lastModified": 1765911976,
-        "narHash": "sha256-rhSqPNxDVow7OQKi4qS5H8Au0P4S3AYbawBSmJNUtBQ=",
+        "narHash": "sha256-t3T/xm8zstHRLx+pIHxVpQTiySbKqcQbK+r+01XVKc0=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "548fc44fca28a5e81c5d6b846e555e6b9c2a5a3c",
+        "rev": "b68b780b69702a090c8bb1b973bab13756cc7a27",
         "type": "github"
       },
       "original": {
@@ -1085,11 +1085,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765684837,
+        "lastModified": 1766894905,
-        "narHash": "sha256-fJCnsYcpQxxy/wit9EBOK33c0Z9U4D3Tvo3gf2mvHos=",
+        "narHash": "sha256-pn8AxxfajqyR/Dmr1wnZYdUXHgM3u6z9x0Z1Ijmz2UQ=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "94d8af61d8a603d33d1ed3500a33fcf35ae7d3bc",
+        "rev": "61b39c7b657081c2adc91b75dd3ad8a91d6f07a7",
         "type": "github"
       },
       "original": {
@@ -1119,11 +1119,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1765478257,
+        "lastModified": 1766603740,
-        "narHash": "sha256-GMCAQgs+h4aHhLP3LF6JxI5uNg+fLPlRhHwRrJJ+3+Y=",
+        "narHash": "sha256-F0BovrhzY/siRQYBRUFn2sZH7TJEuwetOJiGgKtITjk=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "a7fb3944d1fb4daa073ba82e1a9d34b5f05adb9f",
+        "rev": "cfe89cabaae6ea1bbf80709bd53181494566a1b0",
         "type": "github"
       },
       "original": {

hosts/server/configuration.nix

@@ -27,6 +27,7 @@
       3452 # sonarqube
       8448 # synapse ssl
       8265 # tdarr
+      5173 # media map
     ];
   };
   nix.buildMachines = [
@@ -90,7 +91,7 @@
     };
     lidarr-mb-gap = {
       enable = true;
-      package = inputs.lidarr-mb-gap.packages.${pkgs.system}.lidarr-mb-gap;
+      package = inputs.lidarr-mb-gap.packages.${pkgs.stdenv.hostPlatform.system}.lidarr-mb-gap;
       home = "/var/lib/lidarr-mb-gap";
       envFile = config.sops.secrets.lidarr-mb-gap.path;
       runInterval = "weekly";

hosts/server/toggles.nix

@@ -81,5 +81,9 @@ in
     "audiobookshelf"
     "vaultwarden"
     "readeck"
+    "keycloak"
+    "oauth2-proxy"
+    "isso"
+    "plausible"
   ];
 }

modules/network/nginx.nix

@@ -7,6 +7,8 @@
 let
   proxyReverseServices = [
     "firefox-syncserver"
+    "isso"
+    "plausible"
     "readeck"
     "microbin"
     "ryot"

modules/servers/gitea.nix

@@ -30,6 +30,10 @@ in
           FROM = config.my.smtpemail;
           SENDMAIL_PATH = "${pkgs.msmtp}/bin/msmtp";
         };
+        service = {
+          DISABLE_REGISTRATION = true;
+          ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+        };
       };
       database = {
         socket = config.my.postgresSocket;

modules/servers/isso.nix

@@ -0,0 +1,39 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
+  cfg = config.my.servers.isso;
+in
+{
+  options.my.servers.isso = setup.mkOptions "isso" "comments" 8180;
+  config = lib.mkIf (cfg.enable && config.my.secureHost) {
+    my.servers.isso.domain = "danilo-reyes.com";
+    sops.secrets.isso = {
+      sopsFile = ../../secrets/env.yaml;
+    };
+    services.isso = {
+      inherit (cfg) enable;
+      settings = {
+        guard.require-author = true;
+        server.listen = "http://${cfg.ip}:${toString cfg.port}/";
+        admin = {
+          enabled = true;
+          password = "$ISSO_ADMIN_PASSWORD";
+        };
+        general = {
+          host = "https://blog.${cfg.domain}";
+          max-age = "1h";
+          gravatar = true;
+        };
+      };
+    };
+    systemd.services.isso = {
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+      serviceConfig.EnvironmentFile = config.sops.secrets.isso.path;
+    };
+  };
+}

modules/servers/keycloak.nix

@@ -0,0 +1,44 @@
+{
+  lib,
+  config,
+  inputs,
+  ...
+}:
+let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
+  cfg = config.my.servers.keycloak;
+in
+{
+  options.my.servers.keycloak = setup.mkOptions "keycloak" "auth" 8090;
+  config = lib.mkIf (cfg.enable && config.my.secureHost) {
+    sops.secrets.postgres-password.sopsFile = ../../secrets/secrets.yaml;
+    sops.secrets.keycloak = {
+      sopsFile = ../../secrets/env.yaml;
+      restartUnits = [ "keycloak.service" ];
+    };
+    services.keycloak = {
+      inherit (cfg) enable;
+      database = {
+        type = "postgresql";
+        host = "localhost";
+        createLocally = false;
+        username = "keycloak";
+        name = "keycloak";
+        passwordFile = config.sops.secrets.postgres-password.path;
+      };
+      settings = {
+        hostname = cfg.host;
+        hostname-strict = true;
+        hostname-strict-https = false;
+        http-enabled = true;
+        http-port = cfg.port;
+        http-host = cfg.ip;
+        proxy-headers = "xforwarded";
+      };
+    };
+    systemd.services.keycloak.serviceConfig.EnvironmentFile = config.sops.secrets.keycloak.path;
+    services.nginx.virtualHosts.${cfg.host} = lib.mkIf (cfg.enableProxy && config.my.enableProxy) (
+      inputs.self.lib.proxyReverseFix cfg
+    );
+  };
+}

modules/servers/mealie.nix

@@ -17,7 +17,7 @@ in
         TZ = config.my.timeZone;
         DEFAULT_GROUP = "Home";
         BASE_URL = cfg.url;
-        API_DOCS = "false";
+        API_DOCS = "true";
         ALLOW_SIGNUP = "false";
         DB_ENGINE = "postgres";
         POSTGRES_URL_OVERRIDE = "postgresql://${cfg.name}:@/${cfg.name}?host=${config.my.postgresSocket}";
@@ -25,6 +25,13 @@ in
         WEB_CONCURRENCY = "1";
         SMTP_HOST = "smtp.gmail.com";
         SMTP_PORT = "587";
+        OIDC_AUTH_ENABLED = "true";
+        OIDC_SIGNUP_ENABLED = "true";
+        OIDC_CLIENT_ID = "mealie";
+        OIDC_ADMIN_GROUP = "/admins";
+        OIDC_USER_CLAIM = "email";
+        OIDC_PROVIDER_NAME = "keycloak";
+        OIDC_SIGNING_ALGORITHM = "RS256";
       };
       credentialsFile = config.sops.secrets.mealie.path;
     };

modules/servers/oauth2-proxy.nix

@@ -0,0 +1,51 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
+  cfg = config.my.servers.oauth2-proxy;
+in
+{
+  options.my.servers.oauth2-proxy = setup.mkOptions "oauth2-proxy" "auth-proxy" 4180;
+  config = lib.mkIf (cfg.enable && config.my.secureHost) {
+    sops.secrets.oauth2-proxy = {
+      sopsFile = ../../secrets/env.yaml;
+      restartUnits = [ "oauth2-proxy.service" ];
+    };
+    sops.secrets.oauth2-proxy-cookie = {
+      sopsFile = ../../secrets/secrets.yaml;
+      restartUnits = [ "oauth2-proxy.service" ];
+    };
+    services.oauth2-proxy = {
+      inherit (cfg) enable;
+      provider = "keycloak-oidc";
+      clientID = "oauth2-proxy";
+      keyFile = config.sops.secrets.oauth2-proxy.path;
+      oidcIssuerUrl = "${config.my.servers.keycloak.url}/realms/homelab";
+      httpAddress = "${cfg.ip}:${toString cfg.port}";
+      email.domains = [ "*" ];
+      cookie = {
+        name = "_oauth2_proxy";
+        secure = true;
+        expire = "168h";
+        refresh = "1h";
+        domain = ".lebubu.org";
+        secret = config.sops.secrets.oauth2-proxy-cookie.path;
+      };
+      extraConfig = {
+        skip-auth-route = [ "^/ping$" ];
+        set-xauthrequest = true;
+        pass-access-token = true;
+        pass-user-headers = true;
+        request-logging = true;
+        auth-logging = true;
+        session-store-type = "cookie";
+        skip-provider-button = true;
+        code-challenge-method = "S256";
+        whitelist-domain = [ ".lebubu.org" ];
+      };
+    };
+  };
+}

modules/servers/paperless.nix

@@ -1,21 +1,28 @@
 { lib, config, ... }:
 let
   cfg = config.my.servers.paperless;
+  inherit (config.services.paperless) port;
 in
 {
   options.my.servers.paperless.enable = lib.mkEnableOption "Paperless-ngx document management system";
   config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable) {
-    networking.firewall.allowedTCPPorts = [ config.services.paperless.port ];
+    networking.firewall.allowedTCPPorts = [ port ];
     services.paperless = {
       inherit (cfg) enable;
-      address = "0.0.0.0";
+      address = config.my.ips.server;
       consumptionDirIsPublic = true;
       consumptionDir = "/srv/pool/scans/";
       settings = {
+        PAPERLESS_ACCOUNT_DEFAULT_HTTP_PROTOCOL = "http";
+        PAPERLESS_URL = "http://${config.my.ips.server}:${builtins.toString port}";
         PAPERLESS_DBENGINE = "postgress";
         PAPERLESS_DBNAME = "paperless";
         PAPERLESS_DBHOST = config.my.postgresSocket;
         PAPERLESS_TIME_ZONE = config.my.timeZone;
+        PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
+        PAPERLESS_ACCOUNT_ALLOW_SIGNUPS = false;
+        PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS = true;
+        PAPERLESS_SOCIAL_AUTO_SIGNUP = true;
         PAPERLESS_CONSUMER_IGNORE_PATTERN = builtins.toJSON [
           ".DS_STORE/*"
           "desktop.ini"

modules/servers/plausible.nix

@@ -0,0 +1,27 @@
+{
+  lib,
+  config,
+  ...
+}:
+let
+  setup = import ../factories/mkserver.nix { inherit lib config; };
+  cfg = config.my.servers.plausible;
+in
+{
+  options.my.servers.plausible = setup.mkOptions "plausible" "analytics" 8439;
+  config = lib.mkIf (cfg.enable && config.my.secureHost) {
+    sops.secrets.plausible.sopsFile = ../../secrets/secrets.yaml;
+    services.plausible = {
+      inherit (cfg) enable;
+      database.postgres.socket = config.my.postgresSocket;
+      mail.email = config.my.smtpemail;
+      server = {
+        inherit (cfg) port;
+        baseUrl = cfg.url;
+        listenAddress = cfg.ip;
+        secretKeybaseFile = config.sops.secrets.plausible.path;
+        disableRegistration = true;
+      };
+    };
+  };
+}

modules/servers/postgres.nix

@@ -40,6 +40,7 @@ let
     "sonarqube"
     "gitea"
     "atticd"
+    "keycloak"
   ];
 in
 {

modules/servers/qbittorrent.nix

@@ -7,10 +7,6 @@
 }:
 let
   inherit (inputs) qbit_manage;
-  pkgsU = import inputs.nixpkgs-unstable {
-    system = "x86_64-linux";
-    config.allowUnfree = true;
-  };
   vuetorrent = pkgs.fetchzip {
     url = "https://github.com/VueTorrent/VueTorrent/releases/download/v2.31.0/vuetorrent.zip";
     sha256 = "sha256-kVDnDoCoJlY2Ew71lEMeE67kNOrKTJEMqNj2OfP01qw=";

modules/services/sound.nix

@@ -1,7 +1,6 @@
 {
   config,
   lib,
-  inputs,
   ...
 }:
 {

secrets/env.yaml

@@ -1,15 +1,18 @@
 gitea: ENC[AES256_GCM,data:8o+U4qFdyIhCPNlYyflQIuLHsQHtbT6G/a0OyCUeg9DtIeABXNVFhiy4iFRuIF0=,iv:AYwqDRNML1XuzwQnD4VmI4rKWYfTJjOjibrAbI5qgcA=,tag:UPL3UlETdkoFXLihEIGcSw==,type:str]
 shiori: ENC[AES256_GCM,data:tV7+1GusZvcli8dM86xOD71dc2mzcyfQwMeTh//LDb0=,iv:ED9wR6QjQgwd9Ll/UC5FK3CyYK3b0RniC/D6Y0nGEOI=,tag:X/aopMc2vhnRW2iTphFflQ==,type:str]
 flame: ENC[AES256_GCM,data:XsYRsA2xs+juWje2Od2Yl2xIvU0OS8xMrtwtcK/0NyyRrg==,iv:FR8lHsNQNCaOy4P+7BsIjNCz+H38i5RlwLYQ4fpB2+w=,tag:61EV7H04pcr1bSX4nSvlpw==,type:str]
-ryot: ENC[AES256_GCM,data:VMWf3VqcUdyJu2Ygd3XmoqGNWY/W/VJ4213ej0FrA95kAoX+S+j0+4a4B65NtW9UheDSxD1swTXebyenJCIN/tEZwH2wj9I12akNNvSDpt/LG3d1/BZ62cvLCb5n9vyE/vcXgJVfPUqmc67pYDWLpEV/vkKjpqwNH4Y8vnapVo1ytIgsjkTuBb7VFbnRPvYs6J1M0rnaTtkVhOBoRxv+Xg3pWYCgFEXdM/Pg/WKqdHpyh+tJqR74Z91Mwv6G56ZYEDQmAp+Cn+Kk2zZ+t44UAu1SQOgYXPLep+4/PgWw/vQMuyN7GNNP6TrsX3g+ONtJtkdmGu6ArcfbRAky4vM14DxlQP4xSjYSu+FDWGJL/J4TMw6IVDuw/TDVNpMrhBmZdPujYLUW1c6GCCEchBknNfw/Wt+NyTjOzCmZLVw760jY05Fa9kcW2kz+P0iAGTviY7yJZWDctP6PrVNtG1cXc4noJqV/uJ9sQmuGWCiTzaCIIZEhwRKnvjpvZNisKPhx4tctZMWm8l9gKO/TJC/SHMIhvEazmH4v0AzCiRUzdTfnWQZGTNenDrCUetztPh/UUJbLZjhFBH3QR26w/3I5oNpUzUDhfDhcEYtfWuB7ckbkXT8nyYMfe0OR16yJTfQCdnIPBhAUi1g1ZV3jFg+OhYWxk73lPiqC1ADRNh01L1k90PMMWtLXXm6aQ28cB+iQTvvgKbDrr76U8bXoZUyEl30waOQ2HT6nDG61OBUtQHTu6/cFhfhrnU6poAD/k+L7SyqcBoMYAZJN6Us1y3SKhV/3mXVKjRwSl5XZSW+ZpcRe/Cg4bonxFBYsZyY3VjK0LC4Cj8ijh4LpYWrGWtVmWOt/gg7UQPTd81A=,iv:Oa2pvfDpfPr3pqeAg2kYIzjf8KUK9ckMfbVymM78FyE=,tag:XyjYEvWo46BliYXdDH8QrQ==,type:str]
-mealie: ENC[AES256_GCM,data:RjKqDs70lWhGN0LXPp3feQfW/WtfJlR6vX++0hwGtqcA3iepEh2Ab/36YRKbsVRBkglp0u18MusTmP0LSHUpzgCn/c/5ZzzRLGL83K3aQRlg8JtdTvzvEnLQSdE=,iv:GEfa8LwpOhkqWtLk0I5F14zkHcnFjVhVaHeLSFlDkN4=,tag:lkGcFn91hVxraMHCKF7rXQ==,type:str]
 maloja: ENC[AES256_GCM,data:yCwokfD4I1Boy2NOhOTLA3dWgUVOdSzWKIEdYC0klvYu41IGcM8bM65uYFmiOtk+jHgt6j3kO/pBBlC4w/iTElphTqFyFRGdBN4fNRntAhMzqOszBZII,iv:Vf9hfNwSTBkh2cXV7Y2fv4NA8kng2M1i7BtTXJvy4u4=,tag:KLc8sP6N2/Pp/9069E3aPQ==,type:str]
-multi-scrobbler: ENC[AES256_GCM,data:ce3dd0PKm6eyD2AqWmw+8iex/tBHgMhG8ASoOMkT3c9k6kiZabpTTFTkcouMO+s42P+qjWQAUJcJlDdYVYJZbAqw8nnxLrtYmKoBknSbbWijlR//CpgfwuuAWIyGQAGVPliuxz+lR+1cf/G2mXM+FJIfp8Sliak3v/nGg3ry0bdjbOLVoBM4rS90Jrq98ZuBrjlFVhcJTKkEHtgDv8N56wWbPL/r3cTlS9MoEu2ulCSLvfu/snr8HqJ5yssAGQ==,iv:jOJulX6o3t+W6DrD6sU7amDH7JQP/JFGBI9IM8m/sXU=,tag:jFZoLpYFXj+xplbypf3nvw==,type:str]
+oauth2-proxy: ENC[AES256_GCM,data:MnAMX4adm8joZGaxZhgMDGf/15U2tk3dE/0dHFwETIi4JdpNvG/PUHTWGmXJrUnRrFxdZaOtGUzAMF47,iv:eEoo0YM+wt2/pCcONHM9YPRj/q4fC9OQZr+ckRsmhjY=,tag:AevxpvvRt13T5w5xwzay5w==,type:str]
-vaultwarden: ENC[AES256_GCM,data:NituIOyGrYALEkuwKT0RRS1gvi3wjC6ZSAfUIejfi8xoePE6vSNztJTGsRSIh4sJnRrQIiDuKTmRKZDM6AtX/oEBsNW8MVq+lWAq/vtcO7fuTriySEungmpXhQwRZD6NsXE+9283P3s6RshpA4iipmENiW2v2/uxkIXxtTguUxfX0psWYtF6mx5/hpaoNZ523OB69m6veAxD6Pmnj+pTOAORGXHldoNrxNc35WBDdndjAZICyO873tbs22VJOWD9a66BNxtfwIPYoFkuPO6QG3nnFfyPSQ==,iv:rmDJbrP+NQ5HGdRCWSYfymP8dU9WJdMEhAg80eupgeY=,tag:kdNzgWjgeqaTCjqUCc4uWw==,type:str]
-dns: ENC[AES256_GCM,data:fQN3SOm0HzOjSjTohRAD4KlXdEu5PbQc3DvK3rLC1S4G0G4HUPkgucN6vJUwVJPiY0AB+L/iLNcqCRz8OH0qNtfnikBbDicq0OfrwjnN+VzmbwmrS6AdFo6lilbxI3Jb8YwGMrQxXg0U9F2/WVLETbzICG2KpukwIER0xxQpb51OVL+2hviGV8JpWKo66S6pug628Zc+uMJXEBPSqCpz2vXHXnXWMszP6MlqVfNm/zE=,iv:DOj0e8y+2N9eRA81nlT0kS66sXWZoLSVn0NAiUkNcDY=,tag:+0Baqs6TbTAmt3lRfncE6Q==,type:str]
 cloudflare-api: ENC[AES256_GCM,data:iNUMlY8rz5yHVitpK4HGaFSK7j+c8Pm7rOQMOQGmSJ3a8ASyrtouPgLbcnoPY/jalsJYAj991dSiui+Vwqs=,iv:qWONG/KLd9/F4tqrWF5T25Zxst3bk+kOYaOFBFSBAAY=,tag:gRFxar8KS8gnX8oaCD156Q==,type:str]
 synapse: ENC[AES256_GCM,data:IR0pFwQBEM4O8mzzYXrPe2FjulSUGuitzLDLms2uovr6gEU82mCkRO/UCQOybNm03iOQeXX0Whz739kpYSGSInEyx69BNG/etH+bMu+GbYeMdrTEyXHSa7kcH4Ug,iv:Vn2ILYXnCj+Op/E2kWoxV+2ZtlxYJxO6XK3Ql41KW6w=,tag:9wogJFLlmfM5PRgPdwFlcw==,type:str]
 readeck: ENC[AES256_GCM,data:TsIkHLji37dDHQRt78SquBhoSREHDgvgbc6+M1k2MLrgMGJ/Ejfy5AZXCIp/Qj5sXDzKP4j6Y6xFvGLswCqe02XjqGCpX13gZVCFPuKr8Nq051Xg,iv:Rc/pjYP+Vd/DvLCYsfJjDrnAlAiUlZOcNeeYzE6O3UY=,tag:OvR+CXMmrUFbsrHvduhnjA==,type:str]
+keycloak: ENC[AES256_GCM,data:BmwZxuJaOB8F7zmBNAf42lkw36s5TepimtdyT2xjdGVyuHgRHbTZqeVen7/0II39qrJjko4agZJgToIZ1uhaC/gpGSoHZlib3rJozPCqmBc42nO6SOtpIO8=,iv:kPModK85937/liNk6iLIRiQ/G5yB7S7h24ZzPb8A1zo=,tag:lWvDQAHVRiBz8XZUoADKvw==,type:str]
+ryot: ENC[AES256_GCM,data:VMWf3VqcUdyJu2Ygd3XmoqGNWY/W/VJ4213ej0FrA95kAoX+S+j0+4a4B65NtW9UheDSxD1swTXebyenJCIN/tEZwH2wj9I12akNNvSDpt/LG3d1/BZ62cvLCb5n9vyE/vcXgJVfPUqmc67pYDWLpEV/vkKjpqwNH4Y8vnapVo1ytIgsjkTuBb7VFbnRPvYs6J1M0rnaTtkVhOBoRxv+Xg3pWYCgFEXdM/Pg/WKqdHpyh+tJqR74Z91Mwv6G56ZYEDQmAp+Cn+Kk2zZ+t44UAu1SQOgYXPLep+4/PgWw/vQMuyN7GNNP6TrsX3g+ONtJtkdmGu6ArcfbRAky4vM14DxlQP4xSjYSu+FDWGJL/J4TMw6IVDuw/TDVNpMrhBmZdPujYLUW1c6GCCEchBknNfw/Wt+NyTjOzCmZLVw760jY05Fa9kcW2kz+P0iAGTviY7yJZWDctP6PrVNtG1cXc4noJqV/uJ9sQmuGWCiTzaCIIZEhwRKnvjpvZNisKPhx4tctZMWm8l9gKO/TJC/SHMIhvEazmH4v0AzCiRUzdTfnWQZGTNenDrCUetztPh/UUJbLZjhFBH3QR26w/3I5oNpUzUDhfDhcEYtfWuB7ckbkXT8nyYMfe0OR16yJTfQCdnIPBhAUi1g1ZV3jFg+OhYWxk73lPiqC1ADRNh01L1k90PMMWtLXXm6aQ28cB+iQTvvgKbDrr76U8bXoZUyEl30waOQ2HT6nDG61OBUtQHTu6/cFhfhrnU6poAD/k+L7SyqcBoMYAZJN6Us1y3SKhV/3mXVKjRwSl5XZSW+ZpcRe/Cg4bonxFBYsZyY3VjK0LC4Cj8ijh4LpYWrGWtVmWOt/gg7UQPTd81A=,iv:Oa2pvfDpfPr3pqeAg2kYIzjf8KUK9ckMfbVymM78FyE=,tag:XyjYEvWo46BliYXdDH8QrQ==,type:str]
+isso: ENC[AES256_GCM,data:yfcIsfGuEH3pcpsbBZWXbxrO39AQxHYMaNDHpjhJmwQBUnWgKSWCynIDWgUm+Gjy5r/4GP373xCSiWg3ti7MMgbmqKpd2fL886mrk/7fLMocQqW4sCfWaObzwoEjDvrjDbqAaaJxP4PDcrxOUjj3MiIzQSMPY35I02tbJKTuB6WQw+DftI5Or1/H,iv:j8qp9BSWegV2lKLDlNhlTnWtYABQFPIBEuZJQNpGMjs=,tag:zsiY5crL9bVwOXtwhAeDPw==,type:str]
+mealie: ENC[AES256_GCM,data:/XRyhFGfsSF9y2UEvWIjB05LGkYx4kbl1u5ninGEnkPkbmyRfW0TXybeVKwcX/By05KkbUk+C4N00qykmo16KpI/lRytfnsQHmutST6dV1C5CB6XiPymG8WcntwOtmUiMEwm9qqgEJfoaeFfwdY+03+GFuS2cSphGe6XN8dUOTe+IjNIO4U8U2FXtvcNEsd5SohWkbnObZScKocOSFemjjKoSySwJpK64sQwVKOyIgVECuWo1asXShvmYY3iE6coB7DEk3PaS3hj5u7neN+muZrdANBZjlFxANWDhvFLX6fplRXZLS7DE0KjTqeVjC237Q==,iv:RyRG36wUkiGIZ6l9bXY2cj7jdi8SSJLrbpkOA4uRigU=,tag:frzKD0eabB8O6UH/+pJBTw==,type:str]
+multi-scrobbler: ENC[AES256_GCM,data:ce3dd0PKm6eyD2AqWmw+8iex/tBHgMhG8ASoOMkT3c9k6kiZabpTTFTkcouMO+s42P+qjWQAUJcJlDdYVYJZbAqw8nnxLrtYmKoBknSbbWijlR//CpgfwuuAWIyGQAGVPliuxz+lR+1cf/G2mXM+FJIfp8Sliak3v/nGg3ry0bdjbOLVoBM4rS90Jrq98ZuBrjlFVhcJTKkEHtgDv8N56wWbPL/r3cTlS9MoEu2ulCSLvfu/snr8HqJ5yssAGQ==,iv:jOJulX6o3t+W6DrD6sU7amDH7JQP/JFGBI9IM8m/sXU=,tag:jFZoLpYFXj+xplbypf3nvw==,type:str]
+vaultwarden: ENC[AES256_GCM,data:6PID5tUMZ6BlyddmxumG3Z4uoxDezr8OIRJPYd7SrW1kTGUaQyewIxFajngOY3r251t61IwbKe0MwWeugpi7w2kxVJN4e0WErwUZDjBPCQxukbu81kVbUzCS3VDm1TP0fKylJUPIK3bkKKHkD5XDGo22YtuhICyaPkYXNtEEs2TCAHagBuSrVVEYPbp8as7FS1j8L47XUkjaT919w298nB8s7jNo4VvaNeHFgWVdH0oRRD/VUJj7yewXaugk+mlsRMuNd9HqxpOophIHzX2B59YG3rBA6w==,iv:Xgv4OTDJNf+atQHFAvSEYMXcW65cm7wqN9VtmDHS3MU=,tag:ZN/igsxJb025HmCriLcCZQ==,type:str]
+dns: ENC[AES256_GCM,data:fQN3SOm0HzOjSjTohRAD4KlXdEu5PbQc3DvK3rLC1S4G0G4HUPkgucN6vJUwVJPiY0AB+L/iLNcqCRz8OH0qNtfnikBbDicq0OfrwjnN+VzmbwmrS6AdFo6lilbxI3Jb8YwGMrQxXg0U9F2/WVLETbzICG2KpukwIER0xxQpb51OVL+2hviGV8JpWKo66S6pug628Zc+uMJXEBPSqCpz2vXHXnXWMszP6MlqVfNm/zE=,iv:DOj0e8y+2N9eRA81nlT0kS66sXWZoLSVn0NAiUkNcDY=,tag:+0Baqs6TbTAmt3lRfncE6Q==,type:str]
 lidarr-mb-gap: ENC[AES256_GCM,data:bNzD9Nf9BWAPkm0Yk0J4MJbmo908QX9VsD+40Rngnfec9nzH4vZ2DrelxRllgT1kgnXMQzvoSgNhBwkDN4fgX73hz1FjkytTwahlO0wcY6R+tw4aokh0QYy0TVx5pZ4u1FEQOAp3IMgBsP8HOqaL/NEsEo3yb0K9iC3AfFihkLDJmVh26Pg=,iv:go0qS7/BcfcAMPkAdGWCoL61gNqBG5lWDev++y9DJ/I=,tag:LgtEyTZH8NfhfrKTcAigZw==,type:str]
 sops:
     age:
@@ -49,7 +52,7 @@ sops:
             QXRUYWtGcWZCVW11U3VYRktuUjlCbDgKsTK4WhUza/JuoDTU3uATa6fq/8eYzxtb
             9BUK1ddzx9Mghea9XBMS17YGtGmW800OsLBomb3SINnOFvejcnKf8Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-11T23:18:34Z"
+    lastmodified: "2025-12-26T03:14:55Z"
-    mac: ENC[AES256_GCM,data:i3U364pjZB5Y61Wf7ETbXhNWyfH1gw0oyPcNyT+nCIJmePh8JWiP9hnHmZfLS1BKkI2powQdezbz9R0XDvU7g2SkV8EsWmn/h3rFwbopUZbeRQ2SCoX7LGFez74l1oTPQjL8zWJVdrUtfAFgbZKSEWuz7rsDieKBVhIJwWaeePY=,iv:N4z+X3eD6jH+zQfY24qec+U6wkfhLGPm4MzY8T2Km/A=,tag:yluW5YSKMZ4Kk+wcXbkj8Q==,type:str]
+    mac: ENC[AES256_GCM,data:gIWqEMtFkoEnFV/I4cefglnXxxr1XwON/Oiv/iHv1h5zVLvEwdGC9hyQB1KEKUEHDxWjh8GpKXn9rkZ5pncs7vZdjgiMXyVC7IAiN7uT03RfyGjPtLy7T9qqzmac2uOWLoCnda6No4VIBGG50leh5J7WDk4hKXvlm49xCwSlcLw=,iv:fVtqpXMO3klwAztFRXODLp5H9kq9LJt82Zsoq/59dTU=,tag:XTa90qDkg7ehW6xoXRwEVw==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0

secrets/secrets.yaml

@@ -1,11 +1,10 @@
 jawz-password: ENC[AES256_GCM,data:j5qya2z9bDESQopcBpLBktyBvIuplbq3Ql4TovdAF1BIJHcf4CAjFuCStW0axFEOST6bgJwhcZZvK4rWUyoS47eaFDp2lkiQnQ==,iv:GNEA8v0NR+PGe4yvlm4V6tTJD5NmlswRPH7JnQJUyLk=,tag:dpxDK88cAJSk+XdFF2mDww==,type:str]
-smtp-password: ENC[AES256_GCM,data:KAIn6lp6JXY39SgMPGP3tQ==,iv:Mgmo9bLT3iIGXw6THqJO6+IuPV65VXo1+vE3PrmS44Y=,tag:8urcnZtccaPJSOuHiZAp5A==,type:str]
+smtp-password: ENC[AES256_GCM,data:Reb6wDlZivAn5DVI2swNfQ==,iv:ZT4QvFXYmgFl1Ut07Yic1qnA8JvapSTfKw2DPCoQMEU=,tag:A5jIqUrmUwROS/LKbsahsQ==,type:str]
 nextcloud-adminpass: ENC[AES256_GCM,data:g0bnifEbMykPBVwMF14EhT/RWGsnEzJ6sXXmxSJ6kIVDeRr8XVRbFzusxlxAOOlseVwPT6e4Ad8=,iv:Gy0LwUNCw8gnqlwk91qguSEeufIJDtaqNNLX1vZp7vA=,tag:y8H42B1rue0X7/4nG/Whsw==,type:str]
 firefly-iii-keyfile: ENC[AES256_GCM,data:HTifd3/5apa9f0RiOh33aRRoVkRskgo/2FV9S01wQSEmKFLg2M9gNNFm6gv2/WCQvNc1,iv:4yLIQQkfqhLixQtAOsbQePNlKOrU2p6Dqw9aLPDoJrM=,tag:uSbAMCy4FWRMU+QhExAE2w==,type:str]
-resilio:
+postgres-password: ENC[AES256_GCM,data:V0g4T1cLUFnTN94zZZR83/KVJFUDGEWVEn6nyijnver4QCELUFkNr99s9g==,iv:1ymHA0JaVC2/aHdg4TmJmuKOG8JGZRRvynrgQIGdTss=,tag:xsCVpc+HBaNeswYvzo0PaA==,type:str]
-    host: ENC[AES256_GCM,data:iITbrqpJSdM52A==,iv:8sahhsUA9iIXNlJYKAkakllQDbYVOsGuwBulK9FyvTU=,tag:zKKHwrEFUkl3Fcd0RJcIjw==,type:str]
+oauth2-proxy-cookie: ENC[AES256_GCM,data:eWEgnIGcdq1aRXWokmVO9DDb+t2oAxNCwFeyOUITzHQ=,iv:x5CROKQ5arUMESWQsroC15xbtMA6/HvnArhBiGwAx6k=,tag:U5yYk1ztExZsou7gVvA8Og==,type:str]
-    user: ENC[AES256_GCM,data:31s2ihj2cN9C5Lyr2w==,iv:2MzKiRoDosawbeQ04LUKbfbSVFUUD6uUYynB6B0WNWw=,tag:GR0lXvLZAPof6WE3Verimg==,type:str]
+plausible: ENC[AES256_GCM,data:Vze/uzsB4VkmeQwqJCVwlwT2kLpFoKSKXgaCmZ2633J2L6pVpL+OxnGxiSS7dmEuWRL5HOkMOJJdFWWCUhrv+QUMpp2RQ9bjy1q6gIOtejNTYPNm6/wg+A==,iv:d+ILv3ZDpanUxDJ2IkWaZ3TC14mldafxnjL3yAE+SK0=,tag:YqhGhMtCtvwaazeN7pXQJA==,type:str]
-    password: ENC[AES256_GCM,data:codFGm4O9QkI2+hbrVK3UqwFWETXyfl9y3Q5lY6UfnIRe/IqWG8Ibly1BUlh7OjKIepXm6m35e6QPioVSiUT5Ll1SIE=,iv:QWqKyKrvm2y2UM2Ir1COxjV0jgU8jTeu9ehnyeXTwCE=,tag:Xtr+r7EphaiLjGwK5gmsMQ==,type:str]
 kavita-token: ENC[AES256_GCM,data:kt3bTZNf4S7sKfbxzXc4Q+9yTPFTKzvEaR+mysBhhdnht+FuN9o9i9liqy2pKvB7WQmPnjQ/aYEYkcPSPg0NC5NwE7lNY7kUJtyHzYm2wkKqkkDIc/aI+dHhtX1SBF99ZpWEhmgnIA2HtCpYXUjkl4pUTKgNi0cn+bb1NULMY0zHyF2f7faOOKTWatQEuG1ZvBpiNIbPbsMznfdrWe9VEKrdtMg8IkK138Cn+EOSu0mCHdU=,iv:NCjegkB9/O6xq3fdWqhyVJy5YetqIpcDmD0yyBh3XXQ=,tag:IiqZY0mhqyUHJ61DRNHPlw==,type:str]
 stash:
     password: ENC[AES256_GCM,data:ZYwrETIJ1K5RJePR9TvmPdVHpZY=,iv:nqIvm5MkSmZxgSLUpZC0Iq2QOp4lU9rh9wtE8FhO7a0=,tag:YIlj9iPGjDVewgtjq0tdag==,type:str]
@@ -52,7 +51,7 @@ sops:
             RmRyZldlMjUwMEdUUEpDS2JSa2tDTTAKp/pT+0cNnCuKVL+Z0fEMiw1PL9PB/nSM
             QWVTo0Mt8Y6X0Xt0EAi9G5AYxADZ/mmEWPxB7RFgVAiMKtor5Gy1zw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-02T20:02:38Z"
+    lastmodified: "2025-12-26T08:13:55Z"
-    mac: ENC[AES256_GCM,data:DnbkeF+evVTMhYTg3OU528cRQ+jBiUl7Q7JZxyGRL6USjB2OdIRxqnnCH8L36K2hSAIkKQ/kojyJs+8Pgkx5uD/qsCbGlNT9pSBU1qPdSBxqJsVPxHZmkuf/QxGtE4pgV/50xJMrVyzAetWPZuxcYVfWAPszxDZcR5XDuD+Yjk4=,iv:i2Vt6nv6etIgaaoxsbVlxEnIhIx4adOQZFeyGM/4Saw=,tag:jugPmHU78lap7Hy7RJd9pg==,type:str]
+    mac: ENC[AES256_GCM,data:hZoOrRraR1qg/w6dEseP1sbJxxLBtWIw+hTV6TUQHlA9vCfrLEDlAlMZBNoTx1ijHz0Q22sV39j3ON+PBqfRRqxWr7nynYDZ7zk9rtVlW4xPTqIBusU+lHTFC7MSMfPn7bhTQ0h3QPHtTF778WIbgNYjEIXda4rlmrnc0bLdFA8=,iv:2a1M8KUtEj0rMuJsyu3WyEYdzeKw+VkDDZFsyU00XuM=,tag:vXw2+za466Olq05HJPOYdQ==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0