👷 (#161): Saas installation

.gitignore

@@ -193,3 +193,10 @@ $RECYCLE.BIN/
 
 # Drawio
 *.drawio.bkp
+
+# helm
+./charts/hopps/charts
+
+# unencrypted secrets
+*decrypted.env
+age.agekey

charts/hopps/values.yaml

@@ -66,6 +66,7 @@ azDocumentAi:
   serviceAccount:
     create: true
     annotations: {}
+    # ToDo: make fallback name unique
     name: az-document-ai
     automount: false
   # We usually recommend not to specify default resources and to leave this as a conscious

kubernetes/hopps/base/hopps/helm-repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: hopps
+spec:
+  interval: 1h
+  url: oci://ghcr.io/hopps-app/hopps
+  type: oci

kubernetes/hopps/base/hopps/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helm-repository.yaml

kubernetes/hopps/overlays/.sops.yaml

@@ -0,0 +1,6 @@
+creation_rules:
+  - path_regex: .*.yaml
+    encrypted_regex: ^(data|stringData)$
+    age: age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s
+  - age: >-
+      age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s

kubernetes/hopps/overlays/dev/helm-release.yaml

@@ -0,0 +1,223 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: hopps
+spec:
+  chart:
+    spec:
+      chart: hopps
+      sourceRef:
+        kind: HelmRepository
+        name: hopps
+      version: 0.0.4
+  interval: 1m0s
+  values:
+    azDocumentAi:
+      image:
+        tag: 239
+      envFrom:
+        - secretRef:
+            name: az-document-ai
+      envVars:
+        # ToDo: url should automatically be calculated, dependent on the name of the release-name
+        - name: kafka.bootstrap.servers
+          value: hopps-kafka:9092
+    org:
+      image:
+        tag: 239
+      envFrom:
+        - secretRef:
+            name: org
+      envVars:
+        # ToDo: url should automatically be calculated, dependent on the name of the release-name
+        # OpenFGA
+        - name: QUARKUS_OPENFGA_URL
+          value: http://hopps-openfga:8080
+        - name: QUARKUS_OPENFGA_STORE
+          value: hopps
+        # Database secrets
+        - name: quarkus.datasource.jdbc.url
+          value: jdbc:postgresql://postgres-cluster:5432/org?loggerLevel=OFF&sslmode=require
+        - name: quarkus.datasource.username
+          valueFrom:
+            secretKeyRef:
+              name: hopps-dev.org.postgres-cluster.credentials.postgresql.acid.zalan.do
+              key: username
+        - name: quarkus.datasource.password
+          valueFrom:
+            secretKeyRef:
+              name: hopps-dev.org.postgres-cluster.credentials.postgresql.acid.zalan.do
+              key: password
+      ingress:
+        enabled: true
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-prod
+          nginx.ingress.kubernetes.io/enable-cors: "true"
+          nginx.ingress.kubernetes.io/cors-allow-origin: "https://${DOMAIN_2}"
+          nginx.ingress.kubernetes.io/rewrite-target: /$2
+        ingressClassName: nginx
+        path: /org(/|$)(.*)
+        pathType: ImplementationSpecific
+        hosts:
+          - api.${DOMAIN_2}
+        tls:
+          - secretName: api-tls
+            hosts:
+              - api.${DOMAIN_2}
+    postgresql-org:
+      enabled: false
+    fin:
+      image:
+        tag: 239
+      envFrom:
+        - secretRef:
+            name: fin
+      envVars:
+        # ToDo: url should automatically be calculated, dependent on the name of the release-name
+        # OpenFGA
+        - name: QUARKUS_OPENFGA_URL
+          value: http://hopps-openfga:8080
+        - name: QUARKUS_OPENFGA_STORE
+          value: hopps
+        # Database secrets
+        - name: quarkus.datasource.jdbc.url
+          value: jdbc:postgresql://postgres-cluster:5432/fin?loggerLevel=OFF&sslmode=require
+        - name: quarkus.datasource.username
+          valueFrom:
+            secretKeyRef:
+              name: hopps-dev.fin.postgres-cluster.credentials.postgresql.acid.zalan.do
+              key: username
+        - name: quarkus.datasource.password
+          valueFrom:
+            secretKeyRef:
+              name: hopps-dev.fin.postgres-cluster.credentials.postgresql.acid.zalan.do
+              key: password
+        # kafka
+        # ToDo: url should automatically be calculated, dependent on the name of the release-name
+        - name: kafka.bootstrap.servers
+          value: hopps-kafka:9092
+      ingress:
+        enabled: true
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-prod
+          nginx.ingress.kubernetes.io/enable-cors: "true"
+          nginx.ingress.kubernetes.io/cors-allow-origin: "https://${DOMAIN_2}"
+          nginx.ingress.kubernetes.io/rewrite-target: /$2
+        ingressClassName: nginx
+        path: /fin(/|$)(.*)
+        pathType: ImplementationSpecific
+        hosts:
+          - api.${DOMAIN_2}
+        tls:
+          - secretName: api-tls
+            hosts:
+              - api.${DOMAIN_2}
+    postgresql-fin:
+      enabled: false
+    frontend:
+      image:
+        tag: 180
+      envFrom:
+        - secretRef:
+            name: frontend
+      podSecurityContext:
+        fsGroup: 1000
+      ingress:
+        enabled: true
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-prod
+        ingressClassName: nginx
+        hosts:
+          - ${DOMAIN_2}
+        tls:
+          - secretName: frontend-tls
+            hosts:
+              - ${DOMAIN_2}
+    kafka:
+      controller:
+        replicaCount: 1
+        resourcesPreset: "none"
+      volumePermissions:
+        resourcesPreset: "none"
+      # disable authentication for kafka for now
+      listeners:
+        client:
+          protocol: PLAINTEXT
+    kafka-ui:
+      enabled: true
+      yamlApplicationConfig:
+        kafka:
+          clusters:
+            - name: yaml
+              # ToDo: url should automatically be calculated, dependent on the name of the release-name
+              bootstrapServers: hopps-kafka:9092
+        auth:
+          type: disabled
+        management:
+          health:
+            ldap:
+              enabled: false
+      ingress:
+        enabled: true
+        ingressClassName: nginx
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-prod
+          # basic auth
+          nginx.ingress.kubernetes.io/auth-type: basic
+          nginx.ingress.kubernetes.io/auth-secret: kafka-ui-auth
+          nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - Kafka'
+          # configure oauth2-proxy security ToDo: waiting for keycloak GitHub integration for SSO
+          #nginx.ingress.kubernetes.io/auth-response-headers: x-auth-request-user, x-auth-request-email
+          #nginx.ingress.kubernetes.io/auth-signin: https://${OAUTH_PROXY_DOMAIN}/oauth2/start?rd=$scheme://$host$request_uri
+          #nginx.ingress.kubernetes.io/auth-url: https://${OAUTH_PROXY_DOMAIN}/oauth2/auth
+        tls:
+          enabled: true
+          secretName: kafka-tls
+        # ToDo: mask domain
+        host: kafka-ui.${DOMAIN_2}
+    openfga:
+      # ToDo: check why enabled attribute isn't working
+      #enabled: true
+      # only run one pod for now
+      replicaCount: 1
+      # configure securityContext
+      podSecurityContext:
+        fsGroup: 2000
+      securityContext:
+        capabilities:
+          drop:
+            - ALL
+        readOnlyRootFilesystem: true
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+        allowPrivilegeEscalation: false
+      # use postgresql-database
+      datastore:
+        engine: postgres
+        uriSecret: openfga
+        # https://github.com/openfga/helm-charts/issues/100
+        migrationType: "initContainer"
+      postgresql:
+        enabled: false
+    # use already available keycloak
+    keycloak:
+      enabled: true
+      resourcesPreset: "none"
+      postgresql:
+        enabled: false
+      externalDatabase:
+        host: postgres-cluster
+        database: keycloak
+        post: 5432
+        existingSecret: hopps-dev.keycloak.postgres-cluster.credentials.postgresql.acid.zalan.do
+        existingSecretUserKey: "username"
+        existingSecretPasswordKey: "password"
+      ingress:
+        enabled: true
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-prod
+        hostname: id.${DOMAIN_2}
+        ingressClassName: nginx
+        tls: true

kubernetes/hopps/overlays/dev/kustomization.yaml

@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: hopps-dev
+resources:
+  - ../../base/hopps
+  - namespace.yaml
+  - helm-release.yaml
+  - postgresql.yaml
+# create all needed secrets with fix name
+generatorOptions:
+  disableNameSuffixHash: true
+secretGenerator:
+  - name: fin
+    envs:
+      - secrets/fin-secret-encrypted.env
+  - name: org
+    envs:
+      - secrets/org-secret-encrypted.env
+  - name: az-document-ai
+    envs:
+      - secrets/az-document-ai-secret-encrypted.env
+  - name: frontend
+    envs:
+      - secrets/frontend-secret-encrypted.env
+  - name: openfga
+    envs:
+      - secrets/openfga-secret-encrypted.env
+  - name: postgres-operator-secret
+    envs:
+      - secrets/postgres-cluster-secret-encrypted.env
+  # basic auth for kafka-ui
+  - name: kafka-ui-auth
+    envs:
+      - secrets/kafka-ui-secret-encrypted.env

kubernetes/hopps/overlays/dev/namespace.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: hopps-dev
+  labels:
+    # postgres-cluster can't be configured to be pss "restricted" profile
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce-version: v1.31
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/audit-version: v1.31
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: v1.31

kubernetes/hopps/overlays/dev/postgresql.yaml

@@ -0,0 +1,37 @@
+apiVersion: "acid.zalan.do/v1"
+kind: postgresql
+metadata:
+  name: postgres-cluster
+spec:
+  teamId: "hopps"
+  postgresql:
+    version: "17"
+    parameters:
+      # depending on application that can cause issues
+      password_encryption: scram-sha-256
+  numberOfInstances: 1
+  volume:
+    size: "50Gi"
+    storageClass: "longhorn"
+  allowedSourceRanges: # load balancers' source ranges for both master and replica services
+    - 10.0.0.0/16
+  #  requests:
+  #    cpu: 100m
+  #    memory: 100Mi
+  #  limits:
+  #    cpu: 500m
+  #    memory: 500Mi
+  # create users
+  users:
+    # namespace.name: roles
+    hopps-dev.org: [ ]
+    hopps-dev.fin: [ ]
+    hopps-dev.openfga: [ ]
+    hopps-dev.keycloak: [ ]
+  databases:
+    # name: owner (namespace.name)
+    # namespace notation is part of user name
+    org: hopps-dev.org
+    fin: hopps-dev.fin
+    openfga: hopps-dev.openfga
+    keycloak: hopps-dev.keycloak

kubernetes/hopps/overlays/dev/secrets/az-document-ai-secret-encrypted.env

@@ -0,0 +1,8 @@
+APP_HOPPS_AZ_DOCUMENT_AI_AZURE_ENDPOINT=ENC[AES256_GCM,data:+edt3T40kOE0doDYokkP985ahKAeEIXg8tnBeuqsAKWSnxD++OZx+sUfky1KbRrgTiD7+I+hfw==,iv:Rf+x1l5cRk0+So+/x/f7xtE3Wi+OMNBuZNuKuoyZKsc=,tag:A+jLejhTAoKfxkvL5vNa7g==,type:str]
+APP_HOPPS_AZ_DOCUMENT_AI_AZURE_KEY=ENC[AES256_GCM,data:X1BHnZm53e3L6Nn0lODbOa5b5FKLd6Zt/WnpUEJsozg=,iv:mkf01qFUWJL+Y2Yt22TbrjpoOEQxT01HomDYTHsz8Q4=,tag:5q3r3IyoanVz4erOp1x9Yw==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsYURMeFhkMWI4T0FxSy9W\na3B1MUw4cG1ydEFuYTduekxSeW05YkZjM1M0CkprcDBoTHQ5aHRJYjBIMFJYb3hS\nRy9YaXZPdVNweVA5UnRUVGUxZkc3ZU0KLS0tIE9Lak5pczlsQ01WY2hCRXA5aXZv\nNWg5Vmg3Qm81Wit1aW5mNWpSZVpOOXMKlaPu98Iz57EF0FNkRjUkYxk+R8uStbZ+\nocdP9o+xyifc/R/HrveooBKrwibvEi53Fq6LlB/OPkWvSChGiMYzkw==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s
+sops_lastmodified=2025-01-06T13:28:06Z
+sops_mac=ENC[AES256_GCM,data:CYd4sfrC95VcCC8efBM9NiZmdbshFf3WlEjb3OjSu25eNxP7OzGq4HmIsbAzPXNMeMZRUA9SDPvNHGxy4JFFUR8Ef2wYsXvB5iniV8tUHItxCAVpy0m+44EZQf2QkbS88VE+fYgSTrSN5d5YvoF+5V5BM6ELbf61l8DlFwADI5U=,iv:nXBOk826o+eCCyMq4fIG4sPnbPLkUl21cGPE9Anq1Gk=,tag:D7dIKR+IPMWUxEd6AGgmSQ==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.9.2

kubernetes/hopps/overlays/dev/secrets/fin-secret-encrypted.env

@@ -0,0 +1,9 @@
+QUARKUS_OIDC_AUTH_SERVER_URL=ENC[AES256_GCM,data:fb2ziAhB69XZzsKLyxOzOpDwD90LMfNOQnI0KzsxEQk6ujMz,iv:RlpdtUgQOE7wrYMkxbowmRBIYNDif/w9W6xjt3IlwbU=,tag:YSnT//aCcS+HyKInKV52YA==,type:str]
+QUARKUS_OIDC_CLIENT_ID=ENC[AES256_GCM,data:nZELclNr,iv:VeKFi/LcWI5zcL8CfD/PDvr47vni7wT9bVIJSyJkUgo=,tag:vF9h9YKSxp/y1Avpi7G2/Q==,type:str]
+QUARKUS_OIDC_CREDENTIALS_SECRET=ENC[AES256_GCM,data:4ZRCeQ4jnJtRac28OjTMph41SvtvDM/C38w74Dnlbcw=,iv:OifUqjxjzow2CUv0q7qEY/WEc72c9/iE4v9II+DsBjg=,tag:N+7VgY4vIN2nv/I76XWDnw==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0dWYvNjhDSkJFR1BSd1FC\neDZDeE1pZjVybHhWTmtXWHNnMjU4RjJRY2cwCmQ4MVB6NlZQM1hwWGNSZTJ5aHJo\nOUR0REhaZXJTMm9rd3VTSTRQMmhBSWcKLS0tIEZReUQwNS9oSVpheVcwTHVSWDlQ\nSlJXUEJVTkprald4UW1hVkdkRnd3YmMKlv8jU1LlyZVm2zBs1/jHbWWuebEXoY6S\ni+SOIOMotqbqcNLGmbJ8tuewSMiJRfjeKQG9gjHNYxE5pn1Pf1O0iQ==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s
+sops_lastmodified=2025-01-12T15:54:01Z
+sops_mac=ENC[AES256_GCM,data:dOGI5P7yDSRoDl8Yi/A2F/7CvtNJJwNamr9W0u7/u0RfW6dCiJI9hhCpWmp2AjmL6mN9AQEgBTykTI2KUhstNsuKmSuCnSqByhr8mZjHFtVSxXlOHOrHomBwbQX/jcDhzgwuUHXUqpjGXrrKy9buURfTtT+tXt/34FikSJlI9i0=,iv:dzhxO8USAGHm9mSG9fk3S4SdnJPu9tGoKOEz8dDb1fc=,tag:Eu13S2uy8VlSyya8dFWrmg==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.9.2

kubernetes/hopps/overlays/dev/secrets/frontend-secret-encrypted.env

@@ -0,0 +1,11 @@
+VITE_KEYCLOAK_URL=ENC[AES256_GCM,data:dZlUm9DMJjyC28ACLBYu2MszlXBqDg==,iv:GqV8OCoduYOCYND6Sg5uYDfVMSlzcxZsZJBYOA/gCF4=,tag:gxiNOI6O0LA9mwW6cILKfg==,type:str]
+VITE_KEYCLOAK_REALM=ENC[AES256_GCM,data:fYbDpBk=,iv:1QluHnOejxFUGPe0c7IWUjgPPUfM9l05GUgRLMvRpGQ=,tag:zRYChmOabgXY3TjHh5yVzg==,type:str]
+VITE_KEYCLOAK_CLIENT_ID=ENC[AES256_GCM,data:2s3XRBD/ho8+FHNG84M=,iv:hqPmOp1n7M+MhBrhd2xFygkubK8yu9fes9y/j6KTu7Q=,tag:Ma2cCIyf2tx2OjgqTZDGSw==,type:str]
+VITE_API_FIN_URL=ENC[AES256_GCM,data:UG2g4rpS+bL68qRd5ncDn5EjFoJXKI6aVZ5P,iv:HUScPVe0SVgUvq3/wsNDqSo+O1FWqsv60aDjhUJD2bM=,tag:+BCKqv6OlZtk+f9nmCsbPg==,type:str]
+VITE_API_ORG_URL=ENC[AES256_GCM,data:UZ1dzzTwLERAlvkV1YYE8tlY+akCc6qlnvtW,iv:HaDkNcnscdmNkkDLbiXVaVUZQpa1hjGM/QKQGwxAuvE=,tag:yVisuxwPAXLMzyjZTLXazw==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSNlk4MkNTVDdMUk1KQ1Z4\neXB1TU9VVCsxSFdiN3F1SlVoUkxKYWZZcWcwCkhlS3BLczJ0MDJ3UCtZZFQwRmZK\neU5qMm0vYXIrc1ZkRnBpRGdoRnFpMWMKLS0tIEdGZ3VoQ3paakw3QmxRSTlzZUN1\nN2ZIQitVeGl1akFidmpQV1Q0cE0yTmsK4VG6kzPnnLirVdEGCV4RO1ZY9v7LGlK0\nRWXK6fX7MSq8oujKNdsqeP+3lkDU5+yoUrXHwRzfAV7MCtsZcL8b5w==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s
+sops_lastmodified=2025-01-06T12:56:10Z
+sops_mac=ENC[AES256_GCM,data:A0JWmvk0x/33lF0sPCEyHQqlUaVgS2H9PhbdfXmcq5KOWsybinXJc6/QuWpHTBhrZbbqm4fBjDLRKlpE1dYU3IthNkcWBuIcXeou9FImj1bn/ZC6Dv1UI1EiLrCy350GFcrIWLAvM4HvICz4fC/1Pc67PPAl2pGj30+E/VJf16w=,iv:yDoipX/O5Smv7fqpYkMxMuZqodqAQNAkU9QdL+n/Rs4=,tag:FL8ysTJm/0yeiP2QaFNoog==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.8.1

kubernetes/hopps/overlays/dev/secrets/kafka-ui-secret-encrypted.env

@@ -0,0 +1,7 @@
+auth=ENC[AES256_GCM,data:kwhxfFdp3+EgCYtNUJwvn2lPF1s2bt9B2hMZJHujiA/M+199olW+Emnx0A==,iv:3OfPMTFsZjKkJIjUOdat1jBWrovV1NReEJXRScLTejw=,tag:ONko/NriMNfAxMh9vKoCOg==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlMDRub0l4SWdkeVVOcjBO\nYUEwQzFHbjc4RjdNRnZqV3VaZ1cxcyt6ZXdvCmhtbnhjeHUrbHV0K3gvekZGc2lK\nZWtmNEZLa3gyek95YlBVNHVGWVdzdlUKLS0tIDBNdXN0elVFQlhFR28xVjRGcjBr\nbnFzS3dXWW4reHlxd3k5MFFudnYyM0kKuu5eP0SELJeISAUC4Cl4jagICrh0gumS\ngCwE+HrzHIVMdLHLGGSCp6aWd0GgBXIUYdY9y3vNA7VVmJNhfhHnXg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s
+sops_lastmodified=2024-12-18T21:13:15Z
+sops_mac=ENC[AES256_GCM,data:f4JbURgxgRaFPmzELjLqLAeBc2ITDO2II5BNHDQ8mEqPFvi/0tSzjh0Z/L7ZWQd4+ADRHQZMHZ3n8sHKl+6bC4I8OnkvKLExQ+zhSPQoyLJ0H5X0nXRrXsql4hOM1W2Wd8DcNlIyUgA1f8ZB7qFoAtpHuPmhHn5N5YBNI70gwMs=,iv:qnDOOThcTkC+5y6h2nBrYyjwxkfYrjb9a6zX8EGm//k=,tag:DJ5yeROIMBCKxKXmdPqkzg==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.8.1

kubernetes/hopps/overlays/dev/secrets/openfga-secret-encrypted.env

@@ -0,0 +1,7 @@
+uri=ENC[AES256_GCM,data:2DPudSRROl7ECpui938OcWmxzLNtaxpPy4b3ww2OtE5D4wMMUKZNlh3DYvk774a3LqLbScOjmSrIC4SgSLdf1W5CwZyXocAaVbd/VEdffZydmGKeBisozPhR3hvWNrqmgiSkV6Uuva5PpMAibjD36CVXSW7gvC85d6JuPqQhNtP/RLYgGTSLdVkw5w==,iv:rm8azi6y765zP4nOsgvH9Lkqa53rLdQAMMJ2H2UIGMA=,tag:t88aXyZAoREujOn7gstRww==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyRzFhOTQrcG5sZ3FucUFU\nMm1vc1JwZmN1bDRXL0owcXVhekplcTNWU0ZBCkhVT3phMFJCZldCTm81U21abFhn\nRFdSblNFT1M5MlVnNlRZbjNwdiswYTgKLS0tIHdRM1FkdU1KN0x2YklISitKR01W\nTlRENFUvQkdQU2xvR3BzMXFKaTdsR1UKYWIgrxYOMQVVNlXCsCLIGxUHAH4SeHxZ\nZwjH8eq5xUNFh9tshDJ1PQZ8QT9NWZKkyNvzp67H8udL8hve3Hujog==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age13pk722ex6xm3hhk380urrfuqc9kpm6jl43l0ssqunv0gtls46qwsafrt0s
+sops_lastmodified=2024-11-25T21:11:35Z
+sops_mac=ENC[AES256_GCM,data:ELg0s8d4ItMFWs7umjBWsyLtbaILmOjShSnmOmkMj1lHWGkmm2hZMp1V0FI5dZbR5MenAY2rrnPPcKnGHe17X/YCZCE2iUyIQS0QxxJOfn3Fieanj3sFhEyWNv8ZOOZA8c4l7yCZH2shAh3B6P36H8TYfMOuEbcU+7Eq6Hffjqo=,iv:OsaDMjAx93QrwtwHB84HwnGB3Bj1R12/30vl/nxJjVQ=,tag:rvqSk2a0w1Jhx16i+uJcLw==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.8.1