Fix #15 + #18

.sops.yaml

@@ -1,15 +1,18 @@
 keys:
   - &min age1yubikey1qg5k0y844v5e79uwax3r00u7zdljwnjlrmwvdr3st9m5a3ra5098qy0sjdj
+  - &min-two age1yjqjfdpajzg8a2cj4e5ax6wcg5rq3337rm9jwsfzug2tr7yj8yfq27vteh
   - &eidola age1uqxzduupzes3tgfrrlret0n6thyldmlef60nqfzk689lmg6yayvsqpwxj6
   - &silver age19yhycdgqczrvttszq97ccljh684x3r7f5dj4p0wdwqsrusqlcayse0vsh3
 creation_rules:
-  - path_regex: secrets/eidola\.yaml$
+  - path_regex: secrets/eidola/[^/]+$
     key_groups:
       - age:
           - *min
+          - *min-two
           - *eidola
-  - path_regex: secrets/silver\.yaml$
+  - path_regex: secrets/silver/[^/]+$
     key_groups:
       - age:
           - *min
+          - *min-two
           - *silver

nixos/hosts/default.nix

@@ -19,9 +19,11 @@
           system.modules
           ++ [
             {
-              _module.args = {
+              _module.args =
-                inherit inputs;
+                {
-              };
+                  inherit inputs;
+                }
+                // system.extraArgs;
             }
 
             ../modules

nixos/hosts/eidola/default.nix

@@ -1,9 +1,7 @@
-{inputs, ...}: rec {
+{inputs, ...}: {
   system = "x86_64-linux";
 
-  pkgs = import inputs.nixpkgs {
+  extraArgs = {};
-    inherit system;
-  };
 
   deployment = {
     host = "eidola.int.min.rip";

nixos/hosts/eidola/hardware.nix

@@ -32,11 +32,14 @@
 
   hardware.enableAllFirmware = true;
 
+  # Enable hardware acceleration (for jellyfin, immich, etc)
+  hardware.graphics.enable = true;
+
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  # networking.useDHCP = lib.mkDefault false;
+  networking.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

nixos/hosts/eidola/secrets.nix

@@ -1,6 +1,6 @@
 _: {
   sops = {
-    defaultSopsFile = ../../../secrets/eidola.yaml;
+    defaultSopsFile = ../../../secrets/eidola/default.yaml;
     age.sshKeyPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];
 
     secrets."root-pw" = {neededForUsers = true;};

nixos/hosts/eidola/services/jellyfin.nix

@@ -1,6 +1,4 @@
 _: {
-  hardware.graphics.enable = true;
-
   services.jellyfin = {
     enable = true;
 

nixos/hosts/silver/default.nix

@@ -1,9 +1,7 @@
 {inputs, ...}: rec {
   system = "x86_64-linux";
 
-  pkgs = import inputs.nixpkgs {
+  extraArgs = {};
-    inherit system;
-  };
 
   deployment = {
     host = "silver.int.min.rip";

nixos/hosts/silver/secrets.nix

@@ -1,6 +1,6 @@
 _: {
   sops = {
-    defaultSopsFile = ../../../secrets/silver.yaml;
+    defaultSopsFile = ../../../secrets/silver/default.yaml;
     age.sshKeyPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];
 
     secrets."root-pw" = {neededForUsers = true;};

nixos/hosts/silver/services/breeze.nix

@@ -15,6 +15,10 @@ in {
 
     locations."/" = {
       proxyPass = "http://127.0.0.1:${toString httpIntPort}";
+      extraConfig = ''
+        # advertise http3
+        add_header Alt-Svc 'h3=":$server_port"; ma=86400';
+      '';
     };
   };
 

nixos/hosts/silver/services/grafana.nix

@@ -19,8 +19,6 @@ in {
         http_addr = "127.0.0.1";
         http_port = httpIntPort;
 
-        enable_gzip = true;
-
         enforce_domain = true;
         domain = dom;
       };

nixos/hosts/silver/services/min-rip.nix

@@ -12,6 +12,9 @@ in {
       extraConfig = ''
         add_header Cache-Control "max-age=15552000, must-revalidate";
         add_header Content-type text/plain;
+
+        # advertise http3
+        add_header Alt-Svc 'h3=":$server_port"; ma=86400';
       '';
     };
 

nixos/hosts/silver/services/sim-breeze.nix

@@ -2,6 +2,11 @@
   httpIntPort = 14012;
   dom = "simul.lol";
 in {
+  # xray depends on nginx config in this file
+  imports = [
+    ./xray.nix
+  ];
+
   sops.secrets."svc-sim-breeze-upload_key" = {
     owner = "sim-breeze";
     group = "sim-breeze";
@@ -15,6 +20,12 @@ in {
 
     locations."/" = {
       proxyPass = "http://127.0.0.1:${toString httpIntPort}";
+      extraConfig = ''
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+        # advertise http3
+        add_header Alt-Svc 'h3=":$server_port"; ma=86400';
+      '';
     };
 
     extraConfig = let

nixos/hosts/silver/services/xray.nix

@@ -0,0 +1,48 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  httpIntPort = 14060;
+  dom = "simul.lol";
+  user = "xray";
+  group = "xray";
+in {
+  # depends upon sim-breeze.nix
+  services.nginx.virtualHosts.${dom} = {
+    locations."/streaming" = {
+      proxyPass = "http://127.0.0.1:${toString httpIntPort}";
+      proxyWebsockets = true;
+    };
+  };
+
+  sops.secrets."svc-xray-settings" = {
+    sopsFile = ../../../../secrets/silver/xray.json;
+    format = "json";
+    name = "svc-xray-settings.json"; # xray needs .json extension
+    key = ""; # extract whole file. not nonexistent key `svc-xray-settings`
+
+    owner = user;
+    inherit group;
+  };
+
+  services.xray = {
+    enable = true;
+    settingsFile = config.sops.secrets."svc-xray-settings".path;
+  };
+
+  # assign user/group to xray
+
+  users.users.${user} = {
+    isSystemUser = true;
+    inherit group;
+  };
+
+  users.groups.${group} = {};
+
+  systemd.services.xray.serviceConfig = {
+    User = user;
+    Group = group;
+    DynamicUser = lib.mkForce false;
+  };
+}

scripts/rekey.sh

@@ -8,7 +8,7 @@ ROOT_DIR="$(realpath "$SCRIPT_DIR/..")"
 pushd "$ROOT_DIR" > /dev/null
 
 rekey_dir() {
-  find $1 | xargs -i sops updatekeys -y {}
+  find $1 -type f | xargs -i sops updatekeys -y {}
 }
 
 rekey_dir "secrets/*"

secrets/eidola/default.yaml

@@ -9,21 +9,30 @@ sops:
         - recipient: age1yubikey1qg5k0y844v5e79uwax3r00u7zdljwnjlrmwvdr3st9m5a3ra5098qy0sjdj
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IGpBdE54USBBb2FySEVQ
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IGpBdE54USBBL3lkOE1Y
-            MlJXcHhrRGdaUWdqMVlhOVU2TFZDWVFaYURNK2JFMTI3eFZRRgo5ZmltTHRDSStB
+            VDFoZjJic1ArNVNaSGo1NmJHV3lYSHY2REMxb0JyY2RUcHdwVQp3WDRNVldMcDNV
-            MjhvSFM1bnViUllYQXcxT2ZUc3hUWnFhRmtDUFNxbWhJCi0tLSBXRlBOQ0FjWTFF
+            TTZRV1FaZHE4YzRNam1PNjNhNDRrNFFsZDBLeWpZeitVCi0tLSBtRG0xc2FDazJM
-            SHcvWFlHdnczbzlZeFdLaWFtaURzSENHZWJ6eGdUVEtJChc+IZb49DXtLhh+xutX
+            YVB4N2tCSDFLbnZoYWRYU0Y0ZmREdk8zQ1JSU3loOFBrCq3tOwFRmsroKOiN96Iq
-            va765WabBmojoMKI6tIZGUqwwBCMZXd9tWAmyNOu3vxQ43KCpWXP/NkYxGgd0+Ot
+            VybSNCFyTMSf9bq42EK0BS6AbOQmaEiKwJTNMhjUZldkYJqKNVfj3T2tqMNiFs0P
-            7eY=
+            mv8=
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yjqjfdpajzg8a2cj4e5ax6wcg5rq3337rm9jwsfzug2tr7yj8yfq27vteh
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtaGJ5bW1uSHpEZEg3TXlJ
+            bm5YQjFhTUVEZ2JTTGVZVE5HKy93T2pzSXlZCmxGS3JkMlNVV1FGNUFtWXM2QjJQ
+            NUMxRytuOTVkK0xlTjIzck1IZFRvU3cKLS0tIERPM21OZ0RXOUl5SWoyc1EwS1gv
+            RkNod3ZqRkdIbnlrcXhFK2pEMmRERk0K9985Wrlc/JBWmJsVHoyH9CcEr5cX8bgx
+            C3cg1V/0+GYP0b3ovnYsssftMprYYEDmRYlJHheQFcCkRou/umBycw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1uqxzduupzes3tgfrrlret0n6thyldmlef60nqfzk689lmg6yayvsqpwxj6
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHdkJmdTJ2ZXl6ZEtjbVh1
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVWW9Gc3NPZzcrVTVneFc2
-            amVVREtNQURUVUpDdHp6OFV4eFpaaTVVaGs4CmZ3d3pCVlFpOUR0aFN6dlpPbjJs
+            NnpJQzNvbXhMaVR5bHllYnhBZE1JRnNmemgwCnp3bXpGWDRkbCsyU3lLMVF6T0Nv
-            eE5VRFBGOCtHbDZhbzgxYyt3anNGOTQKLS0tIGpoWkNHNTNoUTFUYWRTMFl1Mzh3
+            NlkwZHZUQzBCL1BwOUFzWTFsTFZJajQKLS0tIER1dWhsaU1mbW4zSEhCbmVib1cy
-            VTJvaGtSZGpQMSs5N05pblQ4aEIzbkkKQiM+335AZC2+UmotonvM1nsyA/l9F5gr
+            eWRoSXlMamNjTHVaenpMR3dEOXNuWDAKSmbC+fGeKYcKy0eQdWPVVMpyBVYtogur
-            da9+ltLr5U88pXfcdpiXTmxrSnMzDgLuZLRKZ0S/ZllGDhlnwxsuOQ==
+            A0fYIBLXi+HMN+/7LXFb80vSnXN3v42KGQ/tzsWJo0ed3Q16wJ4eUA==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-05-09T23:52:41Z"
     mac: ENC[AES256_GCM,data:38RF2ZBEN8bnldWusQNhpju9zPd/sWRG8LgNesarcuqyqHVJCbjOo3Wm2arXCmnQAFlcmrLCbyheD/bpNhgbVEP2JscrqsH1PFTAAi+iLUK6AT4VZ1q/cdhRVVnHlR+wtehxufJ1sEAp3LNBbDKeSKTk8jorEfEz8NdE0uPvvjg=,iv:u9F0nEKYO/0E51f4z46GNvgK8E7QwoVI+xn7do5sGRc=,tag:Ovv85eGJi037y9hh1KqzEg==,type:str]

secrets/silver/default.yaml

@@ -17,21 +17,30 @@ sops:
         - recipient: age1yubikey1qg5k0y844v5e79uwax3r00u7zdljwnjlrmwvdr3st9m5a3ra5098qy0sjdj
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IGpBdE54USBBaksyYUQy
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IGpBdE54USBBcThHdTl3
-            UlhXUDJlRE9SY2NUUE9OSWJjcFVPRkNJaUdWUktMT3NVU3pveApRU2NGSWVlZXAz
+            NHNSNEw1VVVTNnlyM2FzZHFlcFVnWTRLNzRsSDhhQ0R5WlZ5Uwp2S1NtS2RKd0t2
-            ODB0b1Y4Ry9iWVoxMFpxOU9HR0ppZ1A0MUFCSFEzRWJvCi0tLSBRVHdMUU5SR2d4
+            Wlc0dmcvWGJGclZrWDNEaTRvOEo0UlpyaG1pemZLTjY4Ci0tLSA0UE9uQzA5bUlo
-            ZlMzTkhDUDZJYXRlWTJ0NkpMaXZaUFprVzZKdElyZ3RjCo6/6NJZpJxTW8I4WsN+
+            N3pYM25yU09ZaFNzb3F6bFJCR0lzRDlNZ1IyMWZ6SDlvCscwVPwWt83Lr8L4G72L
-            aGOyPa0xeiGs9kCkkYykoD6tQsf4FVovT+YOvvAlRrch4yKDo7oAVNF+hfw4vLeP
+            vi98Md6DBrNc0xNCnR2fUHaCSeTST/c1VeEHpsqgeQ43wnWnYWG3LRS7aX1tVvvo
-            24s=
+            UrQ=
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yjqjfdpajzg8a2cj4e5ax6wcg5rq3337rm9jwsfzug2tr7yj8yfq27vteh
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNdm9HZTBsVngwcG54RS9W
+            WElrYzJ3TUM2WkRCYThJcS9XTThQb0NnUXhvCnN3Z0ZlNkE5cHFVa2tDM01MaUJZ
+            NWJyL2crUDRVZkhIMkxQbFkvTmpGZzgKLS0tIDdsSklTVDQ1SE80WlkwVFZ5UVlX
+            Z2FrNldQeXFjMzRWTVN5Ykh4K3RMTWMK/7venyyXy0fJsWi1hqEdw3DUl7xFbj0z
+            kiiLLQt035RH/UiKyOlEVPC5xDAOEE00n0wSaYC9//vI/LXAxDgx3A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age19yhycdgqczrvttszq97ccljh684x3r7f5dj4p0wdwqsrusqlcayse0vsh3
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3a0Z3TVBYSkV5YU0zeERa
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZ3Z1czI5UGNXcDAyT3FN
-            T3NXUGxlMGp6UEFrdXJ2YmdjRE5YQ0t4eEVnClZ5eEgza3UzaGhIY3ExTjdZRVpO
+            cVV4YTJZNnNqa2dIMDVqVnB4Q0lxTUp3YWc0Ckt3MzNZUzdOSjBWQkIzTzRwbEhE
-            eXFRMFU2NEFZRXZlRUlGUlF4V2tzUXMKLS0tIGF0RjR6aFFDMVZ0SWhJNDNTdkNp
+            Rjl3NUFVclJ6VVM4Q0IyUDNJT1ZDckUKLS0tIHYyVTNaY28zekhXWUtVUThqUjdF
-            MXdERWkyRitkbWtHMnpQaGxhbTRma2cK75S4x9TdquXAV00m9EQ1vJno14YTmPD4
+            NVREcHJGWWIvY0Z1OGt4cGN6am1RaXMKAnlb8FOJ1wO5qtcmej57s7rhWjv5wqIn
-            K8ne37brRWWi3gW6JsaOQOshNE19u4uwkAXZ2IQ+NdAq7Kt/qrcU8w==
+            nCUJX0R7s0/KH3aj98bX/4hQg2ZAw1l+xViOOIfwfRnzLWeyaAnk5A==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-05-11T01:03:55Z"
     mac: ENC[AES256_GCM,data:QiKJfX/odDwZLH8Ds6pTBrQ5FplSMGLzDwk9jhXu8y5B6SAnahuf4X9Nj9V6rNHvYMN7MBnVQKcb5lD/nofNPOLvck9CTP6yWJ3WTK4Nd79Ffx0kRK3QY8Q1WlzjE0fDel5pJaytivf/l+BZwrWKIR20h0HmT2ETSb+lzMdYFSs=,iv:rrT6VJkf/D3tzbuysu77eUiwUmHKZCwdrbcx3oTyBUI=,tag:zsBE/r7WGQ0PIo/ZQHS4/w==,type:str]

secrets/silver/xray.json

@@ -0,0 +1,53 @@
+{
+	"log": {
+		"loglevel": "ENC[AES256_GCM,data:mbQi7zKBog==,iv:1Xxb95L7iloljmHdBsYY50rCoQyrRu7AeU1sCN/tyzw=,tag:62F9cRuxJTyrTJ4OG09aUQ==,type:str]"
+	},
+	"inbounds": [
+		{
+			"listen": "ENC[AES256_GCM,data:HtY8ByxZ3vkM,iv:ZXYZ0es7pFOA/RGQQvCNRU23i7n7AGza1pqP4KvAoS0=,tag:GScJnzymZJ6uUlhwmppfaQ==,type:str]",
+			"port": "ENC[AES256_GCM,data:+qHgc8o=,iv:Ya3KrZzLjcb7uVAXFhscjFMD6yJXnyt/AakRk2SS6eA=,tag:DA+69lIbzm+z6ev7kfpSVA==,type:float]",
+			"protocol": "ENC[AES256_GCM,data:R6dhbB0=,iv:TwVobIOIZG3qXM3UylX2yAc04U77rh+XROwqH0fcXTw=,tag:xktgDmPYjxA1TP27w4dFyg==,type:str]",
+			"settings": {
+				"clients": [
+					{
+						"id": "ENC[AES256_GCM,data:sW/OrfmvvIoUCesh6o6i13ii42ppMlULMCHm7dGNR60THrL+,iv:5o1ebsFvFz7FV/7bfEZWpjoTGpCGWpvS6c7JPlpCJuU=,tag:hTXbENZLcD4pUNfvPe9axA==,type:str]",
+						"email": "ENC[AES256_GCM,data:5ecahRH9zjXwQ3UshHJciCs=,iv:wt9ikuL6g2Pqrew0S9zs8z4Sn6TjIxuCIW7NNAZ6R/g=,tag:pcSreGlfKzsMJmFX1k8DdQ==,type:str]"
+					}
+				],
+				"decryption": "ENC[AES256_GCM,data:THm0tQ==,iv:fcCansdqlMqfyaa4qoLeXVyV+QGEm7hfPr6L84VL0wc=,tag:TnO5Wu7KlwK+qB77xOGSjQ==,type:str]"
+			},
+			"streamSettings": {
+				"network": "ENC[AES256_GCM,data:bU4N8q8sCJc67uo=,iv:S4nLjgnVn18Lw3vTqZewu2H735WCKB6HXpuySWHax/U=,tag:zwLcQYneVvZYaim381H1CA==,type:str]",
+				"httpupgradeSettings": {
+					"path": "ENC[AES256_GCM,data:/r2IHJSgagkshA==,iv:eb+CVVjsE1bWzhxd4a0u6lM3J65AqZ3wOeHdm7AQrgU=,tag:hblCpH7Vnqir6uZHO7AdYA==,type:str]"
+				}
+			}
+		}
+	],
+	"outbounds": [
+		{
+			"protocol": "ENC[AES256_GCM,data:+5U3oYGUBA==,iv:Z35TWquRT5f51jQoAEROACUtyI7fPFyGxa/gXumSEq4=,tag:Ui3YF9lTxP1T5D4Xq+I13Q==,type:str]",
+			"settings": {}
+		}
+	],
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1yubikey1qg5k0y844v5e79uwax3r00u7zdljwnjlrmwvdr3st9m5a3ra5098qy0sjdj",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IGpBdE54USBBM2pNeE1B\nYVVZUGc5ellpSk5RS1pJNURFTkYvUzNmRS96cTZaM1VOSEhVWgpOeU5VQUY3R3Zn\naHpsdGluRnJjZnV1bzNDS3A5WXVYQWpaaFpob3RaTWpZCi0tLSA0aHRiV0tuZFda\nVGI3Z0F4b0U5b1ZKMGlKNDRMeERBbVB1VmpkK3lFaTkwCh4I81eVgiv2kf0WBo84\n9gn/BOeFlAORXh0GJt4g496lwkIFWb/NSTG9Vl2hdGx8OCw/3vUhcbWL8Ndtx34c\n0Ls=\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1yjqjfdpajzg8a2cj4e5ax6wcg5rq3337rm9jwsfzug2tr7yj8yfq27vteh",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwVFJlVzNtSmFzTkZ4SW5s\nb2U0Szc0SytGZjRUVEFCbzBKd2lQOG96amhFCkRtMXQ0UG1qcm9lbjBDRnBiQ21Q\nZ3h1RDZtN0VONTdvWk1RWTE1WEwxd0kKLS0tIGNGSHl3NWE2SjFMd29CcDJ3Znlx\nQUNkNkhLTXpoWk1WVndUbGRRbnBNOG8K2sDAgRPo/4qlc/NQBV5fmDEX21Ri/qr8\np1ttuUxo141ZuTnJ/czKdMMiJScaIghUMZW4oFyxLwqQZfTSdyy4mw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age19yhycdgqczrvttszq97ccljh684x3r7f5dj4p0wdwqsrusqlcayse0vsh3",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5SjVJS2NRS1VwSm42bWRP\nVXFqT2wvWUVqS2RiZGVZTWEvTDNqbGExWFhRCkY5N213WEp1RWp6bkZEdkcyNUhO\nclVCTjI4enpBOHNUMEJTMzZoTzdlWjgKLS0tIDRpaU9NZitxY3lzL3Q4MGtXM3lN\nZWpRT3hhZ1hTeVhnMFRVZlAvOUIyYWcKeamBTHEl7QVFxFevy5ZiDQFgEFIAM+1u\n8bvwoMfrq95DKIqxC1cQ1ndTzALdok7kWfPjKG3nDxgFS1y84Fh04Q==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-05-13T20:34:00Z",
+		"mac": "ENC[AES256_GCM,data:JqBN/0K0BT3cZ+CNaRMMM5zTA26QvAPQcKuPmZda1DTWmu7uCzpvGhZb58VFDFDG5Pj7hqFy9ba++cu8GcBuAqbu/wlW9ogkgWtBdDi92wZyqU7KYO0cFVYuz8MVJBmI/tr1ikdsRypjdgGYKNLXhr9h3lQiQGGkB2uIe3SiKpA=,iv:LBB0T+Zdgt0ZK3cs8/ewpYJPetqol963DKVTfWutglY=,tag:Gp9sZRk1nrLAGqU0mlKfpQ==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}