clanService/prometheus: init monitoring system

2026-06-23 15:27:31 +07:00
parent 77b487a709
commit d09f67a757
32 changed files with 580 additions and 0 deletions
@@ -0,0 +1,308 @@
+{ clanLib, ... }:
+{
+  _class = "clan.service";
+  manifest.name = "prometheus";
+  manifest.description = "The Prometheus monitoring system and time series database.";
+  manifest.readme = builtins.readFile ./README.md;
+  manifest.categories = [ "System" ];
+
+  roles.server = {
+    description = "Prometheus server that scraps all data from nodes";
+
+    interface =
+      { lib, ... }:
+      {
+        options = {
+          scrape_interval = lib.mkOption {
+            type = with lib.types; nullOr str;
+            default = "1m";
+            description = "How often to scrape targets. Default is 1 minutes";
+          };
+          extra_rules = lib.mkOption {
+            type = with lib.types; listOf attrs;
+            default = [ ];
+            description = "Additional rules for Prometheus";
+          };
+          default_receiver = lib.mkOption {
+            type = with lib.types; attrs;
+            default = {
+              name = "default";
+            };
+            description = "Definition of a default receiver, default is doing nothing";
+          };
+          matrix-alertmanager = {
+            enable = lib.mkOption {
+              type = with lib.types; bool;
+              default = false;
+              description = "Whether to enable `services.matrix-alertmanager`";
+            };
+            homeserverUrl = lib.mkOption {
+              type = with lib.types; str;
+              default = "https://matrix-client.matrix.org";
+              description = "URL of the Matrix homeserver to use";
+            };
+            matrixUser = lib.mkOption {
+              type = with lib.types; str;
+              description = "Matrix user for the bot";
+            };
+            matrixRooms = lib.mkOption {
+              type = lib.types.listOf (
+                lib.types.submodule {
+                  options = {
+                    receivers = lib.mkOption {
+                      type = lib.types.listOf lib.types.str;
+                      description = "List of receivers for this room";
+                    };
+                    roomId = lib.mkOption {
+                      type = lib.types.str;
+                      description = "Matrix room ID";
+                      apply =
+                        x:
+                        assert lib.assertMsg (lib.hasPrefix "!" x) "Matrix room ID must start with a '!'. Got: ${x}";
+                        x;
+                    };
+                  };
+                }
+              );
+              description = ''
+                Combination of Alertmanager receiver(s) and rooms for the bot to join.
+                Each Alertmanager receiver can be mapped to post to a matrix room.
+
+                Note, you must use a room ID and not a room alias/name. Room IDs start
+                with a "!".
+              '';
+              example = [
+                {
+                  receivers = [
+                    "receiver1"
+                    "receiver2"
+                  ];
+                  roomId = "!roomid@example.com";
+                }
+                {
+                  receivers = [ "receiver3" ];
+                  roomId = "!differentroomid@example.com";
+                }
+              ];
+            };
+
+          };
+        };
+      };
+
+    perInstance =
+      {
+        settings,
+        roles,
+        ...
+      }:
+      {
+        nixosModule =
+          {
+            config,
+            lib,
+            pkgs,
+            ...
+          }:
+          let
+            getYggdrasilIP =
+              machineName:
+              if config.clan.core.vars.generators.yggdrasil.files.address ? value then
+                clanLib.getPublicValue {
+                  flake = config.clan.core.settings.directory;
+                  machine = machineName;
+                  generator = "yggdrasil";
+                  file = "address";
+                  default = null;
+                }
+              else
+                throw "clanService/yggdrasil is required";
+
+            matrixRoomReceivers = lib.unique (
+              lib.concatMap (entry: entry.receivers) settings.matrix-alertmanager.matrixRooms
+            );
+          in
+          lib.mkMerge [
+            {
+              networking.firewall.allowedTCPPorts = [
+                9090
+              ];
+              services.prometheus = {
+                enable = true;
+
+                globalConfig = {
+                  scrape_interval = settings.scrape_interval;
+                };
+
+                alertmanagers = [
+                  {
+                    scheme = "http";
+                    path_prefix = "/";
+                    static_configs = [ { targets = [ "localhost:9093" ]; } ];
+                  }
+                ];
+
+                alertmanager = {
+                  enable = true;
+                  configuration = {
+                    global = {
+                      resolve_timeout = "5m";
+                    };
+                    route = {
+                      receiver = "default";
+                      routes = map (mReceiver: { receiver = mReceiver; }) matrixRoomReceivers;
+                    };
+                    receivers = [
+                      { name = "default"; }
+                    ]
+                    ++ map (mReceiver: {
+                      name = mReceiver;
+                      webhook_configs = [
+                        {
+                          url_file = config.clan.core.vars.generators.prometheus.files.matrix-alertmanager-urlfile.path;
+                          send_resolved = true;
+                        }
+                      ];
+                    }) matrixRoomReceivers;
+                  };
+                };
+
+                scrapeConfigs = lib.mapAttrsToList (machineName: machineVal: {
+                  tls_config.insecure_skip_verify = true;
+                  job_name = "${machineName}";
+                  static_configs = lib.mapAttrsToList (
+                    exporterName: exporterVal:
+                    let
+                      targetPort =
+                        if exporterVal ? port then
+                          exporterVal.port
+                        else
+                          config.services.prometheus.exporters."${exporterName}".port;
+                      targetHost = getYggdrasilIP machineName;
+                    in
+                    {
+                      targets = [ "[${targetHost}]:${lib.toString targetPort}" ];
+                    }
+                  ) machineVal.settings.exporters;
+                }) roles.nodes.machines;
+
+                rules = [
+                  (builtins.toJSON {
+                    groups = [
+                      {
+                        name = "default";
+                        rules = [
+                          {
+                            alert = "NodesDown";
+                            expr = "count by (job) (up == 0) > 0";
+                            for = "1m";
+                            labels = {
+                              severity = "critical";
+                            };
+                            annotations.summary = "Node **{{ $labels.job }}** has been down for more than 1 minutes.";
+                          }
+                          {
+                            alert = "SmartCtlErrors";
+                            expr = "smartctl_device_error_log_count > 0";
+                            for = "5m";
+                            labels = {
+                              severity = "critical";
+                            };
+                            annotations.summary = ''
+                              Errors occur on **{{ $labels.job }}**
+                              Disk {{ $labels.device }} {{ $value }}
+                            '';
+                          }
+                          {
+                            alert = "ZFSPoolsHealth";
+                            expr = "zfs_pool_health > 0";
+                            for = "5m";
+                            labels = {
+                              severity = "critical";
+                            };
+                            annotations.summary = ''
+                              Unhealthy Pool at **{{ $labels.job }}**
+                              Pool {{ $labels.pool }} value {{ $value }}
+                            '';
+                          }
+                        ]
+                        ++ settings.extra_rules;
+                      }
+                    ];
+                  })
+                ];
+
+              };
+
+            }
+            (lib.optionalAttrs settings.matrix-alertmanager.enable {
+
+              clan.core.vars.generators.prometheus = {
+                files.matrix-alertmanager-token.secret = true;
+                files.matrix-alertmanager-secret.secret = true;
+                files.matrix-alertmanager-urlfile = {
+                  secret = true;
+                  owner = "alertmanager";
+                  group = "alertmanager";
+                };
+                script = ''
+                  echo "" > $out/matrix-alertmanager-token
+                  openssl rand -hex 32 > "$out"/matrix-alertmanager-secret
+
+                  echo "http://localhost:3000/alerts?secret=$(cat $out/matrix-alertmanager-secret)" > $out/matrix-alertmanager-urlfile
+                '';
+                runtimeInputs = [
+                  pkgs.openssl
+                ];
+              };
+
+              services.matrix-alertmanager = lib.mkIf settings.matrix-alertmanager.enable {
+                enable = true;
+                tokenFile = config.clan.core.vars.generators.prometheus.files.matrix-alertmanager-token.path;
+                secretFile = config.clan.core.vars.generators.prometheus.files.matrix-alertmanager-secret.path;
+                homeserverUrl = settings.matrix-alertmanager.homeserverUrl;
+                matrixUser = settings.matrix-alertmanager.matrixUser;
+                matrixRooms = settings.matrix-alertmanager.matrixRooms;
+              };
+            })
+          ];
+      };
+  };
+
+  roles.nodes = {
+    description = "A node will expose metrics for server to harvest";
+
+    interface =
+      { lib, ... }:
+      {
+        options = {
+          exporters = lib.mkOption {
+            type = lib.types.attrsOf (lib.types.submodule { });
+            default = { };
+            description = "Mirror of services.prometheus.exporters";
+          };
+        };
+      };
+
+    perInstance =
+      { settings, ... }:
+      let
+        enabledExporters = builtins.mapAttrs (
+          name: value:
+          value
+          // {
+            enable = true;
+            openFirewall = true;
+          }
+        ) settings.exporters;
+      in
+      {
+        nixosModule =
+          { ... }:
+          {
+            services.prometheus.exporters = enabledExporters;
+          };
+      };
+  };
+
+}
@@ -0,0 +1,19 @@
+{ self, inputs, ... }:
+let
+  module = ./default.nix;
+in
+{
+  clan.modules = {
+    prometheus = module;
+  };
+  perSystem =
+    { ... }:
+    {
+      clan.nixosTests.service-prometheus = {
+        imports = [ ./tests/vm/default.nix ];
+        _module.args = { inherit self inputs; };
+
+        clan.modules."@clan/prometheus" = module;
+      };
+    };
+}
@@ -0,0 +1,101 @@
+{
+  self,
+  hostPkgs,
+  config,
+  lib,
+  ...
+}:
+{
+  name = "service-prometheus";
+  result.update-vars =
+    let
+      relativeDir = lib.removePrefix "${self}/" (toString config.clan.directory);
+    in
+    hostPkgs.writeShellScriptBin "update-vars" ''
+      set -x
+      export PRJ_ROOT=$(git rev-parse --show-toplevel)
+      ${
+        self.inputs.clan-core.packages.${hostPkgs.system}.clan-cli
+      }/bin/clan-generate-test-vars $PRJ_ROOT/${relativeDir} ${config.name}
+    '';
+
+  clan = {
+    test.useContainers = false;
+    directory = ./.;
+    inventory = {
+      machines.server = { };
+      machines.nodeA = { };
+
+      instances = {
+        yggdrasil = {
+          module.name = "yggdrasil";
+          roles.default.machines.server = { };
+          roles.default.machines.nodeA = { };
+        };
+
+        prometheus = {
+          module.name = "@clan/prometheus";
+          module.input = "self";
+          roles.nodes.machines."nodeA".settings = {
+            exporters.smartctl = { };
+          };
+          roles.server.machines."server".settings = {
+            extra_rules = [
+              {
+                alert = "test";
+                expr = "zfs_pool_health > 0";
+                for = "5m";
+                labels = {
+                  severity = "critical";
+                };
+                annotations.summary = ''
+                  Unhealthy Pool at {{ $labels.job }}
+                  Pool {{ $labels.pool }} value {{ $value }}
+                '';
+              }
+            ];
+
+            matrix-alertmanager = {
+              enable = true;
+              matrixUser = "test@matrixtest.org";
+              matrixRooms = [
+                {
+                  roomId = "!testroom";
+                  receivers = [ "matrix" ];
+                }
+              ];
+            };
+
+          };
+        };
+      };
+    };
+  };
+
+  nodes = {
+    server = { };
+    nodeA = { };
+  };
+
+  testScript =
+    { nodes, ... }:
+    ''
+      start_all()
+
+      server.wait_for_unit("prometheus.service")
+
+      nodeA.wait_for_unit("prometheus-smartctl-exporter.service")
+      nodeA.wait_for_open_port(9633)
+
+      nodeA.succeed("systemctl status prometheus-smartctl-exporter.service")
+      nodeA.succeed("curl http://localhost:9633/metrics")
+
+
+      server_ip = server.succeed("ip -4 addr show eth1 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'").strip()
+      nodeA_ip = nodeA.succeed("ip -4 addr show eth1 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'").strip()
+
+      server.succeed(f"ping -c 3 {nodeA_ip}")
+      server.succeed(f"curl -v http://{nodeA_ip}:9633/metrics")
+
+    '';
+}
@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1kxsp8pa8am6k333nxs4akjqkhht8gspznmlqz4pxn35h5dj4uv5qj6q6fl",
+    "type": "age"
+  }
+]
@@ -0,0 +1,6 @@
+[
+  {
+    "publickey": "age1dkrf438z3337d2qnc7ugkggua99xkh55wuf9zgun35fjrxdpnf5qkg4z6j",
+    "type": "age"
+  }
+]
@@ -0,0 +1,14 @@
+{
+	"data": "ENC[AES256_GCM,data:Z8I3ecNV2N2jed1sPBU+tI5r5qB2nVTO7aNyMxvp0ztujn8kXjw+thSvLGtRygL2V9rSmPJalHQf1IYUriXgCmYtfg5InPDCAqk=,iv:O4rSyg2G6PJWHURZ/BTBKmn1AVekbNBdg5137sOPL/U=,tag:4/CLfO50laZ8ljWkr6o4qA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTSWxnekYvREdZMTBMVlRq\nRmtCemFYZDhLYU93azc5czdoTVUydFFUL1JzCmo4ZHlrNi8yeW15N2JxTytWeCtk\nbjRwWUVlazUwTlMwc1RZVU8xYlVlckEKLS0tIFVPeU5KMVFwdExFT0wzeXZka2Jo\nSmxEM2RPTWdoZXJxK0dpemUzVkNzdGcKfXdiSeAcNwEZi7kh9c89ss5K+dYG0lhq\nFsf2I0A1csxqqnYJqXPmwlVGMzuWDrWRU0uc+hQLndP3TbadVux64w==\n-----END AGE ENCRYPTED FILE-----\n",
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg"
+			}
+		],
+		"lastmodified": "2026-06-11T07:43:55Z",
+		"mac": "ENC[AES256_GCM,data:OCPR2tkbN72MdaczO47UNCJBb1KjABHQH9q7dtVEwoAhKg4QWFtsDaMwBTVE9qe48nlaWQbxT1mM7uztm6RXLkc5y2c3danPUYFj/FK/ffqpaxv3oReyxWqMoGayT23kFbB0TWEx1K8Jp3gOkwCPg+ZRClvhV1dXrfnwIwZHrBY=,iv:3puPIWFIxRF1KtrmyG54LqCc7Zg4/AOMD65QjYdN970=,tag:RoIVltMKw7WUvgW6sNk6mA==,type:str]",
+		"version": "3.13.0"
+	}
+}
@@ -0,0 +1 @@
+../../../users/admin
@@ -0,0 +1,14 @@
+{
+	"data": "ENC[AES256_GCM,data:Nuq6ege3HJOxpRgA6fnxdD2Wj+KCw+3PaJCxmZirJl3mkRVLnZgUUhr+gOVEup9Ifjl1ZnP+PqV7b9pPR/WQg0LARYtxIC1QGJ8=,iv:v9p9lsefP5V9McAJCzS7v9sl8XHr9/hAL41XwFbwMOA=,tag:ETK+CFFJAAzGTpowQNAZMQ==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArN0NEWFZoZWlyeUtZc3hi\ndnVNcHl4eVVHckRLeFhPYUt4a3BwMElFMVZZCklkU1NEWVVmSGw1NmJmWWkrVHFH\nVTN5U0x3NXdiQUJCc095TElzMWZCMXMKLS0tIHRXQkJNREFYUFFvMXM1Sk53VW5z\naTRjMXozZXZiNU8zSkF5d2hhdklBY1EKWwsPi6YiHKFfAyqWH2u75hw47gzcQOz/\n95Im0FgadhqGDCeZhTDfEAc4b1VWQULInsjeRapzf5OJOwekbz6guA==\n-----END AGE ENCRYPTED FILE-----\n",
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg"
+			}
+		],
+		"lastmodified": "2026-06-11T07:45:26Z",
+		"mac": "ENC[AES256_GCM,data:mTKFSBFnUzu3rldQCHPZHoyzDdwPzBWPIAhemC1XyG5PiQ/OczStjYaLzZQGCpPvOjBb5Ntqrc+dnaOedZgKlOdaPjZs1U2ZDWadoeWQ2TAKWYA6+kN7PXomsxtHhntiaujMy3502eh06VyiutpVuCdzK2cfEwuno8nyIcHgtXk=,iv:/5DRvFVDQA+yd8m/+Cyxb+aIsfwoaFcV6KRQ/7ISHnU=,tag:z31P6CL0NNRlQThqwapVNA==,type:str]",
+		"version": "3.13.0"
+	}
+}
@@ -0,0 +1 @@
+../../../users/admin
@@ -0,0 +1,4 @@
+{
+  "publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
+  "type": "age"
+}
@@ -0,0 +1 @@
+26.05
@@ -0,0 +1 @@
+204:b10b:6057:4bbe:2b44:fc58:c6fd:90ad
@@ -0,0 +1 @@
+../../../../../../sops/machines/nodeA
@@ -0,0 +1,18 @@
+{
+	"data": "ENC[AES256_GCM,data:JkuciSmL5nmSjcYn22W7iHKzuRxWMJ5dixYllm0aSM7DsyAp9mQzIYJJmalepp7sEhSJ5As3vQW6ZpOQ3G8ZheG06++1GlM8lvVV2FKmYvKHQpI+V7WyUJl7dpfu+5A6BzWES0GbC1g8l/a8sb/+jjEoqUTAj/4=,iv:tehdHsdm2uSRAAzImHhwBSnSBF6lzjLzF9HIPnoi9s0=,tag:dWnQhAiJeCkcssjko+dUpw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOVmRSR2xDNmdPYW5MNUVH\nYWVpaTc0TjdOZFBTSEJDL1Z3VG9vVHkrZUFjCklUMUU1bnVmZFJYbzVPd09oZm1U\nNHY0R1hNQnBBc2V4Y2RWQ1ZZRjdOK0kKLS0tIEJkSWFaTDJzMDNJR3QwQzRVdld4\ndDA5ZmZSeTYyVUE5Y1Z1T1l5QmpHRTQKSaN+MIazA8RXhRSyFSkDTyXEp43COpbf\nXOzAhTXja+ut/akUuKadDS4xycZ+ZXAreVmdsF4SWvwZkmPeew+hKQ==\n-----END AGE ENCRYPTED FILE-----\n",
+				"recipient": "age1kxsp8pa8am6k333nxs4akjqkhht8gspznmlqz4pxn35h5dj4uv5qj6q6fl"
+			},
+			{
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMNmZkTHlaRWl1V3UvcGxk\nR0hhL1lNekNzb0REaEc4bitBZkcwYmRDb2hjCnloQTZUL3ZneWZQZk9NTEc1bGNB\nY3ljdFRMMUhLeDdyblhVY3lSOFBXc1UKLS0tIEJUc1ZpQmtuNlRUUEVmajY5TGdP\ncSs2RkZXcnJYRlEvcEtYSWxIWmkrVEkKgQnfxuZuxl1OpZDUPVuqseSN89WnBGFw\nx2PI3cqN67R2tV/FEjOZo+GFgxW93SYdMvxzg2aG2q/7xOQxfj9sjg==\n-----END AGE ENCRYPTED FILE-----\n",
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg"
+			}
+		],
+		"lastmodified": "2026-06-11T07:44:25Z",
+		"mac": "ENC[AES256_GCM,data:gRk1t7xFxXSTUcZQw0DCH3QtRnQJF4Mc4kZeeckhuQdc/VATj+cq+ugicrcGJWbbXzAscQLG6g72+Qiane5nFfzmjNoO6JMe181wm7pY/5St+2MjXZEzwAaYjn6ZAm+U7aiUVcp8RBjFIL9HCvBF8qFl7rqqTvYHnTOU0V6TIIo=,iv:eUvZFDKl8PX5QaQPmwJXaokawQMNP0TGOklTAMgB/sg=,tag:3cHICox8bKWkPKMUgvLuXA==,type:str]",
+		"version": "3.13.0"
+	}
+}
@@ -0,0 +1 @@
+../../../../../../sops/users/admin
@@ -0,0 +1 @@
+0a77a4fd45a20ea5d81d39c8137a97dd4988c692ce4263959559b8c3f966c1de
@@ -0,0 +1 @@
+../../../../../../sops/machines/server
@@ -0,0 +1,18 @@
+{
+	"data": "ENC[AES256_GCM,data:VszBHfdaNOOYYa6tNUPq9CsJHp+KMBTnZOdHnJz6v3pZQl1zCeYdW3ExvDfNY85tUAZ3YAHthD9JhuR1D+VVVn8=,iv:zbMmaTDZ5mL9IzRTEzuTSPkfwrwOlOIFJtLQyTzGkPw=,tag:Ez68y6gMIj0e/RYQ/Z+s8Q==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlenlYOCt2RkJOK1hDdUti\ncUpxS1F1RTBnZGo1Njg0Y0EwbzM1dWM5b1hJClFKQ1NDRVVpRXRpOGx3SU52MDZZ\nVVh2NDg5TDgzckFKZ0lNaG1tTEk0MmsKLS0tIHRvR0IzWFZUVkJEM0dwRFZ2SFRz\nNHpCYkI4dUx6YXJSd0xreUN1aUtKNEUK/SJqs5pbFipbp9P7ASUMby7H5ProXknF\nGMvHcIxa6OLLOCRA39YZBVEUlRd03j3rVFILZqVq47CwfaeHj0WBdw==\n-----END AGE ENCRYPTED FILE-----\n",
+				"recipient": "age1dkrf438z3337d2qnc7ugkggua99xkh55wuf9zgun35fjrxdpnf5qkg4z6j"
+			},
+			{
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4cWMzaElhYmZaRGhmMXJQ\nbWk2WVl0UmtidjdzYXM0enB3MGdTMWRMVDBjCmdiNEx2RURGL0ZtWCtkcHlabUs0\nVis2d3JieC8yOXV5OW9sN1l5ZWs5Sk0KLS0tIFNmaVpDQklaUDFQK1JnZWZzMDF6\nY0g1M2NHNTEvSkRsTVJSODcxcVVrV0EK8FLzflXqPcooAPh38L7oVliUY8WbB97W\naQYvGf/yo9Izmm8Pa0/ZUGSRnCVRAXtQ1IeR1uPNyuy47mHXO7n7Bw==\n-----END AGE ENCRYPTED FILE-----\n",
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg"
+			}
+		],
+		"lastmodified": "2026-06-22T07:46:31Z",
+		"mac": "ENC[AES256_GCM,data:ewR8kGgrAj7i6b5UUwh4Fn4CbtRcsDSHhHzrBwGBi9S0XWaatVTQAAmsAVm7DEiJ+a3SQLIAyx6Ef7uqCsZagmzs7LBq0YXNxWtxv62EWPwx8Vihzz3gscDJo1DM3ictX7yi6EiipQ0aYoPCh1veqw8AspLdwnkBxdUF2C+0muc=,iv:bo7vq8BfL437ZI63Os96pAg8EKi8NnrqhABz4Jft9YI=,tag:8krOKra/Z3MJdlmZFBZ7YQ==,type:str]",
+		"version": "3.13.1"
+	}
+}
@@ -0,0 +1 @@
+../../../../../../sops/users/admin
@@ -0,0 +1 @@
+../../../../../../sops/machines/server
@@ -0,0 +1,18 @@
+{
+	"data": "ENC[AES256_GCM,data:Mw==,iv:ylmBzsJVBD2pcQNkLcdthT9FX7YW84yZk0u7SlJUdaY=,tag:O1oT/MVijlrQDQG1ddFKlg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRd2ZIMElrK2ZacXFTTHFl\nWDkwbGROS1d3WlhzcHhQK21Fc1pmWFZ1VkJRCjlrY1E0cndsZUR1dVQ2L0dud3RQ\nbDlNa3NQZjBPQTAxdUVkUk9lYkgyTGcKLS0tIEUyMVE5Y25BOFJyUWdkdWI1L3VQ\nSE5ubkMvWU9YbE94VTN2VXFUc2F0ajQKKz5VJEtEQcKggoO89ZSfpB3KLBHCnMf+\no8llbCm5bZ39S3qA2Q8spOK4AlkW/NiaCQE4G1LSkvvT6tYEMkwbyQ==\n-----END AGE ENCRYPTED FILE-----\n",
+				"recipient": "age1dkrf438z3337d2qnc7ugkggua99xkh55wuf9zgun35fjrxdpnf5qkg4z6j"
+			},
+			{
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnNHhVMWNhZGR6LzgrcG05\nMmVUYU1zcC93YklZUkVETFhZL1BISU13MEFNCjFSZ25EQUQrZTNIcmliTG5UV2xp\nKzQ3MzhkdzcxeGgyV3oxbXo5Y0ZMcmMKLS0tIDVMZjdYWjRkUE50dmE5dm42alpn\nbk1JN1poZWp2bEZNQ3VIdm9PS3Z1ZlEKYOTa7L9tVKq3gZbAeKmCifIxs/sqaPoj\nqdUlsPkwBPjSvlv1QLdRbjBICPdyfH+GiHCmj78DitzZ+KUnRKYqSQ==\n-----END AGE ENCRYPTED FILE-----\n",
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg"
+			}
+		],
+		"lastmodified": "2026-06-22T07:46:31Z",
+		"mac": "ENC[AES256_GCM,data:NqKlCAKKPF0OTesGozt0GSSd/HT8+h4meiO57EBzD7vwLc9mobG0rLn5C2i3e7tBM13VYzR66qPzQtaWI/jVA7BpJ0PNa2u9MHA2JV6nshRdhMtYgxVCBy8Had7IixAZEs1lLE2zHcWRvLMJPOvUp7tpghb34RddmF/Po/Mkm2s=,iv:9XCsu+rO/DbtaLt13O0/PUo/yV2eUjNP+GGmkYjOIfY=,tag:7tzJE5XBR5PfOqdIh7IKAQ==,type:str]",
+		"version": "3.13.1"
+	}
+}
@@ -0,0 +1 @@
+../../../../../../sops/users/admin
@@ -0,0 +1 @@
+../../../../../../sops/machines/server
@@ -0,0 +1,18 @@
+{
+	"data": "ENC[AES256_GCM,data:LetAgJg1TgcJL+W7dX8k8MlvpS3PPwVGdco3Z6a8fGhGeQARcuHWV57K4lLQzPpJ7Cruxc6XGQn1U/t3cubdp2NPtwQsP9jaIqPnlZblrq6foHaUmBLaRzc4ed7HOo94ErfV5ZY=,iv:jdt3jMNlK3QvJP8i3OlGydkRPRd2rVybnmUxCDCxfz4=,tag:imNVcalMwnpuaLCdaoaegg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4WU9IT3g4TVpiSWdYMUFo\nZGpSUG5xekZLaGMzNTZlcHFaSm1kbTBxUHhjClRIMzlhWW9ub2JFZHhVY3I3TkF3\nU0t5eHJVeFVHRStoNTFkT0lpYnNoMFkKLS0tIEM3aWdIL2RrSGx0ZkdheVRtYUhm\nUHZxeGZvUlBybWJFTHIrZDNxZVloemMKvpt+hkFaRUEXNp1dcfnIWD1i6fyVkaZm\neTn6RBxl1idVN1XlXAwrHHTekuZIobST5kGTV0uR3nLk5Cmhe2x93g==\n-----END AGE ENCRYPTED FILE-----\n",
+				"recipient": "age1dkrf438z3337d2qnc7ugkggua99xkh55wuf9zgun35fjrxdpnf5qkg4z6j"
+			},
+			{
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTDlTM0JBaEowaXJOV1hE\nZWZ2UmUzQmlyek5NRWlqWDZiY0FXVHpKL1d3CitreGc3OUFzS0tYYm5UZ0tUb2pX\nb0pZZ3VacVBma09pSDEyalc0VU1HTVUKLS0tIE5YcnY2RnFCVk13dDZJQ3NMZDQ4\nTGgrY3FwMW5ybjM0a0FmNllrRWZYNWMK2BklSFSm1jT1SsdaMtFWZX4uu4JT2kGi\njyD9E/G0yGl5JH8xfKO/x7vIPuow96WW8bx9aqGRnshXqbe6WzvbIQ==\n-----END AGE ENCRYPTED FILE-----\n",
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg"
+			}
+		],
+		"lastmodified": "2026-06-22T07:46:31Z",
+		"mac": "ENC[AES256_GCM,data:bO9VvnIcjXDSyTdEHm1l5Dqm4umLC7FCEaJIbuC+M776q+GR3crq1FWm7J6tinlHDNFX/WmcS417b5WY5VJlP3jqvCalQdttg0EzlhwT65vATvJHoYEp8uqahyLzA9tj9ncQ9LL2XGFeIsvWnU9OcZ5s/42v2DtVdS1/32PT+7U=,iv:W29qp/zHP367rkwiMmpPQcKS/5g6HR5CZGkGCIacwD4=,tag:3DHc5kdj1Ar+7TcaSOnj+Q==,type:str]",
+		"version": "3.13.1"
+	}
+}
@@ -0,0 +1 @@
+../../../../../../sops/users/admin
@@ -0,0 +1 @@
+26.05
@@ -0,0 +1 @@
+202:8a70:e215:f822:c67a:f191:b04a:a8f
@@ -0,0 +1 @@
+../../../../../../sops/machines/server
@@ -0,0 +1,18 @@
+{
+	"data": "ENC[AES256_GCM,data:JcxiDqZDX3J3ooSeN0pQ28uvI86mtHUf2BEcOQdFIDhJZODGCc+BhZvBQmu2mabV8Jf4skrTWqD+60c1fkRcsM+MMXfoyNsrRyQ2K39mG4kl8jJKVKDs+BqXa+CvZ96kesOMgi9vdc3YUKo5cCLY4bQ9VwymqH8=,iv:W3z8Pbyo2IMzkxI4k14FlirLa28qgZ3rnTAWuusiw/0=,tag:EQc8mo/UvACbt8hQv3zPEw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkRDNOSU81alN2THNQQ3ZW\nbHVjMmxaYWpzak1NZHplNTVzZzQvMHg4azAwCkExb0VLYlZUd2JjVGNlcXUyR0p1\nWHk5cXpOeGZ0VFRFTGllQWpxRlBTRk0KLS0tIDhKeUc4RHQvb0o0ZXFXZUNCanVY\nYm04TVBoWjlLT0tFOHRnLzd3RHV2ZzAKVpLtENDySGC6UDgAwhDb+7KJiHXOZF6n\nIaeIQWQqiB+45h72NE3yh02boPK8pl6IoJFcK3e4zSO7/G8jGUp0MQ==\n-----END AGE ENCRYPTED FILE-----\n",
+				"recipient": "age1dkrf438z3337d2qnc7ugkggua99xkh55wuf9zgun35fjrxdpnf5qkg4z6j"
+			},
+			{
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGSUZXVzJwVHdwZGtxOVRu\nN1hMZkltdVM0cnNRL2tSNENkSGV2VzFIU1VBCmRZWlJTODNPMVRjVWY1V1VZcFln\nTDE3N0xsMXdMWityRUNUYWlQOXBMMTgKLS0tIGViTzBrQk5wQXBYQitIb1ZPUitC\nLysyUER0UjFlZm95c3ZGK3hEMEtrNUEKABpoKBUnvzQKSrgsdnU+uyDyED0Tlr7D\nnSsf12c84cvdt0OeCWwf2WvBANZL26XTcFq1fBYOFTJqNLs1ZfO2kg==\n-----END AGE ENCRYPTED FILE-----\n",
+				"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg"
+			}
+		],
+		"lastmodified": "2026-06-11T07:45:55Z",
+		"mac": "ENC[AES256_GCM,data:jjhkZB9NdpvV2R0k9yS/AcUqeMr1RLv1UZwGCemlKSwhBfs8E5NxTXLhtmJeQ+hltOTYpz51BIporVtlaH6ElVnh7khOrG3Lb5cLBrL41QM59y3Tbfu6TjNOE3NyMiWuxZnwuqUGWQjsjrIIhE0ftKnpSpkGHMie+BC3iNSB1tY=,iv:onOVK9eJxWOaIjChQD54tz8lY+r/jpp6AArsBIuoRUM=,tag:2Oas1C5D2kZOe4iiD5huyw==,type:str]",
+		"version": "3.13.0"
+	}
+}
@@ -0,0 +1 @@
+../../../../../../sops/users/admin
@@ -0,0 +1 @@
+2eb1e3bd40fba730a1cdc9f6beae1848e4b965e37f18a61593327964108fe6a8
				`@@ -0,0 +1 @@`
				`0a77a4fd45a20ea5d81d39c8137a97dd4988c692ce4263959559b8c3f966c1de`
				`@@ -0,0 +1 @@`
				`2eb1e3bd40fba730a1cdc9f6beae1848e4b965e37f18a61593327964108fe6a8`