Configure SSO for Grafana

TODO: Maybe replace with NFS once the great storage migration happens

.gitignore

@@ -1,4 +1,3 @@
 .DS_Store
-secrets/gpg-secret
 secrets/id_ed25519-nix-builder
 .direnv

README.md

@@ -18,11 +18,7 @@
 - rsync state:
   - `/var/lib`:
     - `acme/.lego`
-    - `bin_rs`
     - `fail2ban`
-    - `grafana`
-    - `headscale`
-    - `hedgedoc`
     - `mastodon`
       - dump and import Postgres and Redis DBs
     - `matterbridge`
@@ -33,6 +29,17 @@
     - `prometheus2`
     - `prosody`
   - `/home/ftp`  
+### synchronicity-ii:
+- `nh os switch --target-host root@synchronicity-ii -H synchronicity-ii` - deploy config
+- `passwd` - set user passwords
+- rsync state:
+  - `/var/lib`:
+    - `acme/.lego`
+    - `bin_rs`
+    - `grafana`
+    - `headscale`
+    - `hedgedoc`
+    - `prometheus2`
 
 ### penrose/sierpinski:
 - `nh darwin switch` - deploy config

common/fragments/bittorrent.nix

@@ -84,21 +84,4 @@
       ];
     };
   };
-
-  # SMB Share
-  services.samba = {
-    enable = true;
-    openFirewall = true;
-    settings.global = {
-      "server string" = "Synchronicity-II";
-      "guest account" = "nobody";
-      "map to guest" = "bad user";
-    };
-    settings.Library = {
-      path = "/mnt/library";
-      browseable = "yes";
-      "read only" = "no";
-      "guest ok" = "yes";
-    };
-  };
 }

common/fragments/grafana.nix

@@ -1,16 +1,58 @@
 { config, ... }:
 {
+  sops.secrets.grafana-key = {
+    owner = config.users.users.grafana.name;
+  };
+  sops.secrets.grafana-oauth = {
+    owner = config.users.users.grafana.name;
+  };
   services.grafana = {
     enable = true;
     settings.server = {
-      domain = "grafana.technogothic.net";
+      root_url = "https://grafana.technogothic.net";
       http_port = 2342;
       http_addr = "127.0.0.1";
     };
-    settings."auth.anonymous" = {
+    settings = {
-      enabled = true;
+      "auth.anonymous" = {
-      org_name = "Main Org.";
+        enabled = true;
-      org_role = "Viewer";
+        org_name = "Main Org.";
+        org_role = "Viewer";
+      };
+      "auth.generic_oauth" =
+        let
+          authServerUrl = config.services.kanidm.serverSettings.origin;
+        in
+        {
+          enabled = true;
+          name = "Kanidm";
+          allow_sign_up = true;
+
+          client_id = "grafana";
+          client_secret = "$__file{${config.sops.secrets.grafana-oauth.path}}";
+          scopes = "openid profile email groups";
+          use_pkce = true;
+          use_refresh_token = true;
+
+          auth_url = "${authServerUrl}/ui/oauth2";
+          token_url = "${authServerUrl}/oauth2/token";
+          api_url = "${authServerUrl}/oauth2/openid/grafana/userinfo";
+
+          groups_attribute_path = "groups";
+          role_attribute_path = builtins.concatStringsSep " || " [
+            "contains(grafana_role[*], 'GrafanaAdmin') && 'GrafanaAdmin'"
+            "contains(grafana_role[*], 'Admin') && 'Admin'"
+            "contains(grafana_role[*], 'Editor') && 'Editor'"
+            "'Viewer'"
+          ];
+          login_attribute_path = "preferred_username";
+          allow_assign_grafana_admin = true;
+        };
+      security = {
+        disable_initial_admin_creation = true;
+        secret_key = "$__file{${config.sops.secrets.grafana-key.path}}";
+        cookie_secure = true;
+      };
     };
   };
 

common/fragments/hedgedoc.nix

@@ -1,11 +1,55 @@
+{ config, ... }:
 {
+  sops.secrets.hedgedoc-oauth = {
+    sopsFile = ../../secrets/hedgedoc-oauth.env;
+    format = "dotenv";
+    owner = config.users.users.hedgedoc.name;
+  };
   services.hedgedoc = {
     enable = true;
+    environmentFile = config.sops.secrets.hedgedoc-oauth.path;
     settings = {
       domain = "hedgedoc.technogothic.net";
       protocolUseSSL = true;
-      allowOrigin = [ "localhost" "hedgedoc.technogothic.net" ];
+      allowOrigin = [
-      allowEmailRegister = false;
+        "localhost"
+        "hedgedoc.technogothic.net"
+      ];
+      email = false;
+      oauth2 =
+        let
+          authServerUrl = config.services.kanidm.serverSettings.origin;
+        in
+        {
+          baseURL = "${authServerUrl}/oauth2";
+          tokenURL = "${authServerUrl}/oauth2/token";
+          authorizationURL = "${authServerUrl}/ui/oauth2";
+          userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
+
+          clientID = "hedgedoc";
+          scope = "openid email profile groups";
+          userProfileUsernameAttr = "name";
+          userProfileEmailAttr = "email";
+          userProfileDisplayNameAttr = "displayname";
+          pkce = true;
+
+          providerName = "Kanidm";
+          rolesClaim = "roles";
+          accessRole = "hedgedoc_users";
+        };
+
+    };
+  };
+
+  services.nginx.virtualHosts."hedgedoc.technogothic.net" = {
+    useACMEHost = "technogothic.net";
+    forceSSL = true;
+
+    locations."/".proxyPass = "http://localhost:3000";
+    locations."/socket.io/" = {
+      proxyPass = "http://localhost:3000";
+      proxyWebsockets = true;
+      extraConfig = "proxy_ssl_server_name on;";
     };
   };
 }

common/fragments/kanidm.nix

@@ -0,0 +1,41 @@
+{ pkgs, config, ... }:
+let
+  cfg = config.services.kanidm;
+in
+{
+  services.kanidm = {
+    package = pkgs.kanidm_1_8;
+    enableServer = true;
+    serverSettings = {
+      origin = "https://${cfg.serverSettings.domain}";
+      domain = "aphex.technogothic.net";
+
+      # otel_grpc_url = "http://localhost:9008";
+
+      tls_chain = "${config.security.acme.certs."technogothic.net".directory}/fullchain.pem";
+      tls_key = "${config.security.acme.certs."technogothic.net".directory}/key.pem";
+    };
+
+    enableClient = true;
+    clientSettings = {
+      uri = cfg.serverSettings.origin;
+    };
+  };
+
+  users.users.kanidm.extraGroups = [
+    "acme"
+    "nginx"
+  ];
+
+  services.nginx.virtualHosts."${cfg.serverSettings.domain}" = {
+    useACMEHost = "technogothic.net";
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "https://${config.services.kanidm.serverSettings.bindaddress}";
+      extraConfig = ''
+        proxy_ssl_verify off;
+      '';
+    };
+  };
+}

common/fragments/vsftpd.nix

@@ -1,14 +1,25 @@
-{ config, ... }: {
+{ config, ... }:
+{
+  networking.firewall = {
+    allowedTCPPorts = [
+      20
+      21
+    ];
+    allowedTCPPortRanges = [
+      {
+        from = 40000;
+        to = 40200;
+      }
+    ];
+  };
+
   services.vsftpd = {
     enable = true;
     anonymousUser = true;
     anonymousUserNoPassword = true;
 
-    rsaCertFile = "${
+    rsaCertFile = "${config.security.acme.certs."technogothic.net".directory}/fullchain.pem";
-        config.security.acme.certs."technogothic.net".directory
+    rsaKeyFile = "${config.security.acme.certs."technogothic.net".directory}/key.pem";
-      }/fullchain.pem";
-    rsaKeyFile =
-      "${config.security.acme.certs."technogothic.net".directory}/key.pem";
 
     forceLocalLoginsSSL = true;
     forceLocalDataSSL = true;
@@ -22,4 +33,17 @@
       ssl_ciphers=HIGH
     '';
   };
+
+  security.acme.defaults.reloadServices = [ "vsftpd" ];
+
+  services.nginx.virtualHosts."ftp.technogothic.net" = {
+    useACMEHost = "technogothic.net";
+    forceSSL = true;
+
+    root = "/home/ftp";
+
+    locations."/" = {
+      extraConfig = "autoindex on;";
+    };
+  };
 }

common/users/default.nix

@@ -8,6 +8,7 @@
         "networkmanager"
         "wheel"
         "docker"
+        "vsftpd"
       ];
       shell = pkgs.fish;
 

flake.lock

@@ -59,11 +59,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765605144,
+        "lastModified": 1770260404,
-        "narHash": "sha256-RM2xs+1HdHxesjOelxoA3eSvXShC8pmBvtyTke4Ango=",
+        "narHash": "sha256-3iVX1+7YUIt23hBx1WZsUllhbmP2EnXrV8tCRbLxHc8=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "90b62096f099b73043a747348c11dbfcfbdea949",
+        "rev": "0d782ee42c86b196acff08acfbf41bb7d13eed5b",
         "type": "github"
       },
       "original": {
@@ -202,11 +202,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1765066094,
+        "lastModified": 1767634391,
-        "narHash": "sha256-0YSU35gfRFJzx/lTGgOt6ubP8K6LeW0vaywzNNqxkl4=",
+        "narHash": "sha256-owcSz2ICqTSvhBbhPP+1eWzi88e54rRZtfCNE5E/wwg=",
         "owner": "LnL7",
         "repo": "nix-darwin",
-        "rev": "688427b1aab9afb478ca07989dc754fa543e03d5",
+        "rev": "08585aacc3d6d6c280a02da195fdbd4b9cf083c2",
         "type": "github"
       },
       "original": {
@@ -232,11 +232,11 @@
     },
     "nixpkgs-darwin": {
       "locked": {
-        "lastModified": 1765676008,
+        "lastModified": 1770746255,
-        "narHash": "sha256-jm7jhNnicKaFxetVii3pS04wsiFIUKqqVHc1jVf8z50=",
+        "narHash": "sha256-ZzMQ1deN/Ca0GapjGtvlCXPop/ZzFtolpb37KrDTgWo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "988649b2eac5c348b229ab340ba7e40382f77483",
+        "rev": "78d26d24b115f5df93835994696a30b20bb38c83",
         "type": "github"
       },
       "original": {
@@ -264,11 +264,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1765425892,
+        "lastModified": 1770843696,
-        "narHash": "sha256-jlQpSkg2sK6IJVzTQBDyRxQZgKADC2HKMRfGCSgNMHo=",
+        "narHash": "sha256-LovWTGDwXhkfCOmbgLVA10bvsi/P8eDDpRudgk68HA8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "5d6bdbddb4695a62f0d00a3620b37a15275a5093",
+        "rev": "2343bbb58f99267223bc2aac4fc9ea301a155a16",
         "type": "github"
       },
       "original": {
@@ -296,11 +296,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1765762245,
+        "lastModified": 1770770419,
-        "narHash": "sha256-3iXM/zTqEskWtmZs3gqNiVtRTsEjYAedIaLL0mSBsrk=",
+        "narHash": "sha256-iKZMkr6Cm9JzWlRYW/VPoL0A9jVKtZYiU4zSrVeetIs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c8cfcd6ccd422e41cc631a0b73ed4d5a925c393d",
+        "rev": "6c5e707c6b5339359a9a9e215c5e66d6d802fd7a",
         "type": "github"
       },
       "original": {
@@ -348,11 +348,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1768863606,
+        "lastModified": 1770683991,
-        "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
+        "narHash": "sha256-xVfPvXDf9QN3Eh9dV+Lw6IkWG42KSuQ1u2260HKvpnc=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
+        "rev": "8b89f44c2cc4581e402111d928869fe7ba9f7033",
         "type": "github"
       },
       "original": {
@@ -430,11 +430,11 @@
         "utils": "utils_3"
       },
       "locked": {
-        "lastModified": 1734618283,
+        "lastModified": 1766323809,
-        "narHash": "sha256-QFYFxw58d3WOU6SYDiazyaSz+mSJwgABsMEf1joM2FE=",
+        "narHash": "sha256-lS9M7v8w7ruYz/ylom0ZIfK45vkFZQ3X98a/Is8BOTY=",
         "owner": "AgathaSorceress",
         "repo": "url-eater",
-        "rev": "96af6b75a3605043141db6bf80ad60866c10c827",
+        "rev": "d617007eba79f9760db084aefda6c02c80ad7971",
         "type": "github"
       },
       "original": {

hosts/bloodletting/configuration.nix

@@ -10,7 +10,6 @@
     ../../common
     ../../common/linux-specific.nix
     ../../common/fragments/fail2ban.nix
-    ../../common/fragments/hedgedoc.nix
     ../../common/fragments/mastodon-ebooks.nix
     ../../common/fragments/mastodon.nix
     ../../common/fragments/matrix-ril100.nix
@@ -22,7 +21,6 @@
     ../../common/fragments/prometheus.nix
     ../../common/fragments/prosody.nix
     ../../common/fragments/sops.nix
-    ../../common/fragments/vsftpd.nix
     ../../common/home_manager/common.nix
   ];
 
@@ -71,19 +69,11 @@
   # Open ports in the firewall.
   networking.firewall = {
     allowedTCPPorts = [
-      20
-      21
       22
       80
       443
       990
     ];
-    allowedTCPPortRanges = [
-      {
-        from = 40000;
-        to = 40200;
-      }
-    ];
     trustedInterfaces = [ "podman0" ];
   };
 
@@ -107,13 +97,12 @@
       "*.argent.technogothic.net"
     ];
     dnsProvider = "hurricane";
-    credentialsFile = config.sops.secrets.hurricane-tokens.path;
+    environmentFile = config.sops.secrets.hurricane-tokens.path;
     group = "nginx";
   };
 
   security.acme.defaults.reloadServices = [
     "nginx"
-    "vsftpd"
     "prosody"
   ];
   systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
@@ -181,17 +170,6 @@
       globalRedirect = "technogothic.net";
     };
 
-    virtualHosts."ftp.technogothic.net" = {
-      useACMEHost = "technogothic.net";
-      forceSSL = true;
-
-      root = "/home/ftp";
-
-      locations."/" = {
-        extraConfig = "autoindex on;";
-      };
-    };
-
     virtualHosts."fv.technogothic.net" = {
       useACMEHost = "technogothic.net";
       forceSSL = true;
@@ -224,18 +202,6 @@
       extraConfig = "client_max_body_size 64M;";
     };
 
-    virtualHosts."hedgedoc.technogothic.net" = {
-      useACMEHost = "technogothic.net";
-      forceSSL = true;
-
-      locations."/".proxyPass = "http://localhost:3000";
-      locations."/socket.io/" = {
-        proxyPass = "http://localhost:3000";
-        proxyWebsockets = true;
-        extraConfig = "proxy_ssl_server_name on;";
-      };
-    };
-
     virtualHosts."jellyfin.technogothic.net" = {
       useACMEHost = "technogothic.net";
       forceSSL = true;

hosts/synchronicity/configuration.nix

@@ -13,9 +13,12 @@
     ../../common/fragments/bittorrent.nix
     ../../common/fragments/grafana.nix
     ../../common/fragments/headscale.nix
+    ../../common/fragments/hedgedoc.nix
+    ../../common/fragments/kanidm.nix
     ../../common/fragments/prometheus.nix
     ../../common/fragments/sops.nix
     ../../common/fragments/storage.nix
+    ../../common/fragments/vsftpd.nix
     ../../common/home_manager/common.nix
   ];
 
@@ -27,19 +30,11 @@
   # Open ports in the firewall.
   networking.firewall = {
     allowedTCPPorts = [
-      20
-      21
       22
       80
       443
       990
     ];
-    allowedTCPPortRanges = [
-      {
-        from = 40000;
-        to = 40200;
-      }
-    ];
     trustedInterfaces = [ "podman0" ];
   };
 
@@ -62,7 +57,7 @@
       "technogothic.net"
     ];
     dnsProvider = "hurricane";
-    credentialsFile = config.sops.secrets.hurricane-tokens.path;
+    environmentFile = config.sops.secrets.hurricane-tokens.path;
     group = "nginx";
   };
 
@@ -82,6 +77,14 @@
     recommendedOptimisation = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
+
+    virtualHosts._ = {
+      default = true;
+      useACMEHost = "technogothic.net";
+      forceSSL = true;
+
+      extraConfig = "return 404;";
+    };
   };
 
   # This value determines the NixOS release from which the default

secrets/hedgedoc-oauth.env

@@ -0,0 +1,11 @@
+CMD_OAUTH2_CLIENT_SECRET=ENC[AES256_GCM,data:99VzpdiJOmKmyRyPd28tVYBNYuTVZg0z5dqp0gZqIp++hqwneOslDkLwStoJ/i5m,iv:hlHOcgTh8DttrSI0sz3pv19x5LuRURZ//UBWEs5FpGg=,tag:pAPS4NYXNQ6omgVWLR4S8A==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IFdhNW5ydyBBOFlwTU5E\nOFZVOTlxMWU5bDVxKzZCUVdxSzg0d2xaR21uWmM0QVJGeHY3Mwpheml0TS9lejRU\nSWtybEhQT3lBc1h3b2Vkd0w0SXZETXJrQzZENVBaOFJVCi0tLSBSMHViVHlrbFdt\nTDJWc3puWm1OWDQzbEpSNHI5TWdMQXNuVTZGVy83TEVFCprclQ3Na/0zCTuOKHSH\nd4V2IiMHxwn3mcoKrEDB8+gILanNnhJwKvqYDpMYEqDzGy48HK9MGcQ9YSY/YbYB\nvKM=\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4SCt4WC9rNG5pQ1RFVHdB\nalZ0Q0ZjNEN4eFNPY240VEFsS1BDYXFFS2dRCm1BSGZKUmUrNmZhaytiUVp0RXo4\nRDlYanBEaWlYN1ZJRHl4dkY5a0QxLzAKLS0tIGNIRlI5aXl5TGczc3R0bW44TUlx\nWEI5YlpvblNpUU9FTitNTTFlb0JmR2sKzSavj1koSJCu2e51jBigqNfFmHNv/x3r\nZwZ/R8JPglqKlzdhDYYvrdwqlAdL5QU8bVzWFsZwCag5eEgLJaU1kQ==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla
+sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCRHRxRTEvZjgza0VtRi9X\nTlVSc2h0andqSllzOGZ4SU9jL1R1TGRGL1VjCkZLUGFGRTR6SVgwUEZxU3BFb1ZN\nQnIvNlNteVozWDdsRzRqV0hmU3RVVUEKLS0tIGoydFc4SFYvQ09LY2kvZ1ljY3pr\nOHF2Z3VORzU2MXNHd0QyL1NrTnpQb00KaTK2sy8IztMPaYfruiQYKV+hGUcos22q\nKDt53HysD5Q/zQJyFomKGsBWPTqSfK2UnoI+PN9PkZkX/vE4Xp7y0g==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_2__map_recipient=age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy
+sops_lastmodified=2026-02-08T00:41:43Z
+sops_mac=ENC[AES256_GCM,data:hCGTiM/g66uRkYVlm4Ejp4wFphWcumVAWXXSAqTKOnKXG6L0rT9V4oTcM5W4h76l9YB8wlSmjvp+2Zc7G8kLXT2oYLZXT8lrDOkVNhjUASG80uWxdjJTUdj/naqkfpjXmSFmVjCVLTBCT9/rIb4usuu7+gUl3GgpGmekUAsPWxk=,iv:lfGtxhxEMaVUyg7lUp7QhDBjJt38FpHF3x/4VvAeJ6I=,tag:iEC3+8VZqbFe12OeStqEEw==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.11.0

secrets/secrets.yaml

@@ -2,6 +2,8 @@ gocryptfs-pass: ENC[AES256_GCM,data:9kNFGfTBdOGoXDfSQmnrkihnXmF2Qx0U,iv:lzPqXHbn
 restic-pass: ENC[AES256_GCM,data:URCa2YXY103XnZmyY0Wp5RrzHPj5MvCvDcRurtfDPMU=,iv:0XvodvaSV3AkbDnXqHhRbvt1IcB0goeQBClwwzdxH7Q=,tag:huH+5YPARPAueMNmzI3Aig==,type:str]
 create-ap-pass: ENC[AES256_GCM,data:iIq0ZUCWKYKZWNmvTjon0D8HkzxL9iqX5rJj6VBkkwI=,iv:KGkYVwErmb5ra+HTv6MAgOW0Fs8vWx/Kz8PWD4Xx9I8=,tag:GOtcKfSe+61SGoh1PRGNWg==,type:str]
 qbittorrent-pass: ENC[AES256_GCM,data:J5m9y2pX5oI6ziIkhlMXXgszDum+rfQFfAQoImawW48=,iv:FqOYreDUX0CATPugra/dTlx2yMS4UMN0o8NesueRu3k=,tag:neKoHJhwdUdl/2mJKWkslg==,type:str]
+grafana-key: ENC[AES256_GCM,data:m/MJnidxdqnGk2GO6JXQ9Gw36a5gIWkVumggOx6NjZE=,iv:aCArsPNlDsp1b0+CAYRqAHV5n69wwUccSgvTXpKhEwQ=,tag:10rM/WytKNS3HqHMht4sMw==,type:str]
+grafana-oauth: ENC[AES256_GCM,data:en+OyzGDfNKYisyQxvlIRVrCXPNgyOgCIngtoEsJNTnO9RHqW4ny+rfKhZz0IZfl,iv:tI1q9UYI8ddi4KkSi/NiNJ50Eo21yi+vSHs9KZUsm58=,tag:SeGw6fJVshVAvuMfYcnDqg==,type:str]
 sops:
     age:
         - recipient: age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
@@ -32,7 +34,7 @@ sops:
             RGtjY1V6U2tla3ZaS09haXYrYUNrVDgK0e3UVPshSTB7kwYzm4uVUDif2PwiIGg4
             Qb4P3L13Lg6tT0a1SBEs2gedbNVcWyA0YgGTWouWvZIhBmSCOvHYVQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-30T13:08:33Z"
+    lastmodified: "2026-02-08T00:40:49Z"
-    mac: ENC[AES256_GCM,data:uLkpRbQSwRY9JWXMeoTspoZHKyCaIwkCYzUE+R3Uwooft2VuvaPOQ+n9R9XpK4QWWKGQ86iRSBAhqX0Zc0xuvtMDZBIdjI1968U5JFSQoRI5Y68byQw+AayI+j/wrC4K/OPly/ain0soiHbtBh8WmHpSVGk+gVSrnHNgeLXMtxw=,iv:BVOYNlLGqTNRQB134ETNsLmkHO7eSiVimAqF2fHoC2Y=,tag:bqYoeCmGtzwL33BK6Q+U8w==,type:str]
+    mac: ENC[AES256_GCM,data:erZf2eNF422UBzmRDgviq+X+ghs+CfP6gKSCJQsYR/AMr2QYuewzAfPEQ9UKcw8LNRmdlRCcqp7CV0qpUk+38j4m54ETDMqUBS3bwRjaKD/RocJ/5VB3Paq8rt5eiNH0KK4deFmm6ZHp5bccJwH45ne/ys2tLGbp+EiDCjGkud0=,iv:AzzlewHvkTcAO9KLM1+lS4mvb8A75gPgquTNLzXEDvw=,tag:LY0+FTisigltO+pmrTzxgQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0