From 3aba29e7a3aa2e1cfcf981197208e6a15b5af134 Mon Sep 17 00:00:00 2001 
From: Viktor Barzin Date: Sun, 15 Mar 2026 16:37:38 +0000 Subject: [PATCH] remove SOPS pipeline, deploy ESO + Vault DB/K8s engines MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Vault is now the sole source of truth for secrets. SOPS pipeline removed entirely — auth via `vault login -method=oidc`. Part A: SOPS removal - vault/main.tf: delete 990 lines (93 vars + 43 KV write resources), add self-read data source for OIDC creds from secret/vault - terragrunt.hcl: remove SOPS var loading, vault_root_token, check_secrets hook - scripts/tg: remove SOPS decryption, keep -auto-approve logic - .woodpecker/default.yml: replace SOPS with Vault K8s auth via curl - Delete secrets.sops.json, .sops.yaml Part B: External Secrets Operator - New stack stacks/external-secrets/ with Helm chart + 2 ClusterSecretStores (vault-kv for KV v2, vault-database for DB engine) Part C: Database secrets engine (in vault/main.tf) - MySQL + PostgreSQL connections with static role rotation (24h) - 6 MySQL roles (speedtest, wrongmove, codimd, nextcloud, shlink, grafana) - 6 PostgreSQL roles (trading, health, linkwarden, affine, woodpecker, claude_memory) Part D: Kubernetes secrets engine (in vault/main.tf) - RBAC for Vault SA to manage K8s tokens - Roles: dashboard-admin, ci-deployer, openclaw, local-admin - New scripts/vault-kubeconfig helper for dynamic kubeconfig K8s auth method with scoped policies for CI, ESO, OpenClaw, Woodpecker sync. 
---
 .claude/CLAUDE.md | 21 +-
 .sops.yaml | 7 -
 .woodpecker/default.yml | 17 +-
 config.tfvars | Bin 9968 -> 9857 bytes
 scripts/tg | 18 +-
 scripts/vault-kubeconfig | 10 +
 secrets.sops.json | 321 ------
 stacks/actualbudget/.terraform.lock.hcl | 20 +
 stacks/actualbudget/providers.tf | 22 +-
 stacks/external-secrets/main.tf | 80 ++
 stacks/external-secrets/terragrunt.hcl | 8 +
 stacks/external-secrets/tiers.tf | 10 +
 stacks/freedify/.terraform.lock.hcl | 20 +
 stacks/freedify/providers.tf | 22 +-
 stacks/linkwarden/.terraform.lock.hcl | 20 +
 stacks/linkwarden/providers.tf | 21 +
 stacks/nextcloud/.terraform.lock.hcl | 20 +
 stacks/nextcloud/providers.tf | 20 +
 stacks/openclaw/providers.tf | 7 -
 stacks/platform/backend.tf | 2 +-
 stacks/servarr/.terraform.lock.hcl | 20 +
 stacks/servarr/providers.tf | 20 +
 stacks/speedtest/providers.tf | 7 -
 stacks/vault/main.tf | 1303 ++++++-----------------
 terragrunt.hcl | 21 +-
 25 files changed, 680 insertions(+), 1357 deletions(-)
 delete mode 100644 .sops.yaml
 create mode 100755 scripts/vault-kubeconfig
 delete mode 100644 secrets.sops.json
 create mode 100644 stacks/external-secrets/main.tf
 create mode 100644 stacks/external-secrets/terragrunt.hcl
 create mode 100644 stacks/external-secrets/tiers.tf
diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md
index ce1a5f67..1dd5d8ac 100755
--- a/.claude/CLAUDE.md
+++ b/.claude/CLAUDE.md
@@ -10,7 +10,7 @@ ## Instructions - **"remember X"**: Use `memory-tool store "content" --category facts --tags "tag1,tag2"` (via exec) for persistent cross-session memory. Also update this file + `AGENTS.md` (if shared knowledge), commit with `[ci skip]`. To recall: `memory-tool recall "query"`. To list: `memory-tool list`. To delete: `memory-tool delete `. The native `memory_search` and `memory_get` tools are also available for searching indexed memory files. For **storing** new memories, always use the `memory-tool` CLI via exec. -- **Apply with SOPS**: Use `scripts/tg` wrapper instead of raw `terragrunt` — auto-decrypts secrets +- **Apply**: Authenticate via `vault login -method=oidc`, then use `scripts/tg` or `terragrunt` directly. `scripts/tg` adds `-auto-approve` for `--non-interactive` applies. - **New services need CI/CD** (Woodpecker) and **monitoring** (Prometheus/Uptime Kuma) - **New service**: Use `setup-project` skill for full workflow - **Ingress**: `ingress_factory` module. Auth: `protected = true`. Anti-AI: on by default. 
@@ -19,13 +19,20 @@ - **Node memory changes**: When changing VM memory on any k8s node, update kubelet `systemReserved`, `kubeReserved`, and eviction thresholds accordingly. Config: `/var/lib/kubelet/config.yaml`. Template: `stacks/infra/main.tf`. Current values: systemReserved=512Mi, kubeReserved=512Mi, evictionHard=500Mi, evictionSoft=1Gi. - **Sealed Secrets**: User-managed secrets go in `sealed-*.yaml` files in the stack directory. Stacks pick them up via `kubernetes_manifest` + `fileset(path.module, "sealed-*.yaml")`. See AGENTS.md for full workflow. -## Secrets Management — Vault KV -- **All secrets migrated from SOPS to Vault KV v2** (2026-03-15). 43 stacks read from `data "vault_kv_secret_v2" "secrets"` at `secret/`. -- **Vault stack** (`stacks/vault/main.tf`) is the bridge: reads secrets from SOPS `-var-file`, writes them to Vault KV via 43 `vault_kv_secret_v2` resources. -- **Bootstrap secrets stay in SOPS permanently**: `vault_root_token`, `vault_authentik_client_id`, `vault_authentik_client_secret`. -- **Platform cannot depend on vault** (circular — vault depends on platform). Apply order: vault first, then platform. +## Secrets Management — Vault KV (SOPS removed) +- **Vault is the sole source of truth** for secrets. SOPS pipeline has been removed entirely. +- **Auth**: `vault login -method=oidc` (Authentik SSO) → `~/.vault-token` → read by Vault TF provider. +- **Vault stack self-reads**: `data "vault_kv_secret_v2" "vault"` reads its own OIDC creds from `secret/vault`. +- **Consuming stacks** read from `data "vault_kv_secret_v2" "secrets"` at `secret/`. +- **External Secrets Operator (ESO)**: `stacks/external-secrets/` syncs Vault KV → K8s Secrets via `ClusterSecretStore`. +- **Database rotation**: Vault database secrets engine rotates app DB passwords every 24h (MySQL + PostgreSQL static roles). +- **K8s credentials**: Vault K8s secrets engine issues short-lived tokens for dashboard, CI, OpenClaw, local admin. 
+- **CI/CD (Woodpecker)**: Authenticates via K8s service account JWT → Vault K8s auth method. +- **Platform cannot depend on vault** (circular). Apply order: vault first, then platform. - **Complex types** (maps/lists like `homepage_credentials`, `k8s_users`) stored as JSON strings in KV, decoded with `jsondecode()` in consuming stack `locals` blocks. -- **New stacks**: Add a `vault_kv_secret_v2` resource in vault/main.tf, then use `data "vault_kv_secret_v2" "secrets"` + `dependency "vault"` in the new stack. +- **New stacks**: Add secret in Vault UI/CLI at `secret/`, then use `data "vault_kv_secret_v2" "secrets"` in the stack. +- **Backup CronJob**: `vault-raft-backup` uses manually-created `vault-root-token` K8s Secret (independent of automation). +- **Bootstrap (fresh cluster)**: See vault/main.tf comments — comment out data source + OIDC, deploy Helm, init+unseal, populate `secret/vault`, uncomment, re-apply. ## Resource Management Patterns - **CPU**: All CPU limits removed cluster-wide (CFS throttling). Only set CPU requests based on actual usage. diff --git a/.sops.yaml b/.sops.yaml deleted file mode 100644 index 586447a1..00000000 --- a/.sops.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# SOPS configuration — defines who can decrypt which files -# age public keys only (safe to commit) -creation_rules: - - path_regex: ^secrets\.sops\.json$ - age: >- - age1z64h9t3acsm2rr74pz7j4846kwj5tutx9sk78jqv46y8fln4vs2sy920ce, - age1hrafaswdslw4u63scxp8u5ye4tf8h0xjah0v85w280phy06m0vespz2u0n diff --git a/.woodpecker/default.yml b/.woodpecker/default.yml index 86624b5f..f367c66f 100644 --- a/.woodpecker/default.yml +++ b/.woodpecker/default.yml 
@@ -18,12 +18,13 @@ steps: - | curl -k https://10.0.20.100:6443/api/v1/namespaces/woodpecker/configmaps/git-crypt-key -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" | jq -r .data.key | base64 -d > /tmp/key - "git-crypt unlock /tmp/key && rm /tmp/key" - # SOPS: download to workspace (shared across steps), decrypt secrets - - "wget -qO ./sops https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.linux.amd64 && chmod +x ./sops" - - "echo \"$SOPS_AGE_KEY\" > /tmp/age.key && SOPS_AGE_KEY_FILE=/tmp/age.key ./sops -d secrets.sops.json > secrets.auto.tfvars.json && rm -f /tmp/age.key" - environment: - SOPS_AGE_KEY: - from_secret: sops_age_key + # Vault: authenticate via K8s service account JWT + - | + SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) + VAULT_TOKEN=$(curl -s -X POST http://vault-active.vault.svc.cluster.local:8200/v1/auth/kubernetes/login \ + -d "{\"role\":\"ci\",\"jwt\":\"$SA_TOKEN\"}" | jq -r .auth.client_token) + echo "export VAULT_TOKEN=$VAULT_TOKEN" > .vault-env + echo "export VAULT_ADDR=http://vault-active.vault.svc.cluster.local:8200" >> .vault-env - name: terragrunt-apply image: alpine @@ -35,13 +36,15 @@ steps: # Install Terragrunt - "wget -qO /usr/local/bin/terragrunt https://github.com/gruntwork-io/terragrunt/releases/download/v0.99.4/terragrunt_linux_amd64" - "chmod 755 /usr/local/bin/terragrunt" + # Source Vault token + - "source .vault-env" # Apply platform stack (core infrastructure services) - "cd stacks/platform && terragrunt apply --non-interactive -auto-approve" - name: cleanup-and-push image: alpine commands: - - "rm -f secrets.auto.tfvars.json secrets.auto.tfvars.json.*" + - "rm -f .vault-env" - "apk update && apk add openssh-client git git-crypt" - "mkdir -p ~/.ssh && ssh-keyscan -H github.com >> ~/.ssh/known_hosts" - "chmod 400 secrets/deploy_key" 
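Review bot: The added Vault login block never checks that authentication succeeded: `curl -s` has no `-f`, and `jq -r .auth.client_token` prints the literal `null` for an error response, so `.vault-env` can end up holding `export VAULT_TOKEN=null` and the failure only shows up later inside terragrunt. Using `curl -sf` together with `jq -er .auth.client_token` makes the substitution return non-zero when the field is missing, which lets the step stop at the login instead. The service-account JWT and the returned client token are also sent over plain `http://` to vault-active; if the Vault listener has TLS available, both the login URL and the exported `VAULT_ADDR` should use it. The step this block belongs to starts above the hunk.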
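Review bot: The Vault token now sits in `.vault-env` inside the shared workspace and is removed only by the `rm -f .vault-env` at the start of cleanup-and-push, the same step that goes on to use git with a deploy key. If this pipeline skips later steps after a failed `terragrunt apply` (step conditions are not visible in the hunk), the file is left behind and the token stays valid for whatever TTL the `ci` role grants. Adding `.vault-env` to `.gitignore` guards against it ever being staged, and a comment next to `- "source .vault-env"` such as `# token file is created by the first step and must be deleted before any git operation` would record the ordering constraint. The step definitions continue outside the hunk.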
diff --git a/config.tfvars b/config.tfvars index 69933926b4dad17caa1e322f3ef7416697449992..1421a1e9d28938e27adf0214641cde95de305d2e 100644 GIT binary patch literal 9857 zcmV-{CVtrfM@dveQdv+`0J9t*NEZ|dWYyM(Xy4(4ZC+f6BaYpp(tcjFaMvZ7Ee0CY z7>L2#JIx{u{Ec0gCb~`{_$qnkoV#`}Tns;8;#WhwP;A#!a>z>lm0lsuPldl6EvBFp z4YEbi=#CD_>+FfHCJJ1E88m%{oEN!$ zSAcf@23sOqu10lUbz;m`0Ssc`ME#>5Glo?KKT}4r#`!}Iuh9%BgLy9WV>9ba2Sqen zB`AiPMXet;wi2HWB)W4|OVKV$K zWwIP4xPNOf+qMxO9Q=2CUmlaUn{boz z&|Eo)D(hsc(bC+DT6zVpVr$X16HRMza|B>DstSU)E_{0#wiX0?{kPdP^J5f9donSed~uHtb?+4 z4xa3G7-7rF=)RI2xi6I*t+u#RT88MVsih}R^4@~5q#ljsb!w)8-6Ws4(quMbkb>It ztE2<(`0F5HaIY&efF=p7H9$nNYUNRB(;dFH3{^-O{h%+vQ^0fX}m3v7z`1nB7Fs9WZfE)?PuF(mUYWL3kNULo^W2D9_I2v8$n=K0|f zO+6iP+jmyiKJ)Z@IAI;(ebw$~z#iI!Q!CZ7X%vbQPk?pA=5Z$mAh-_NQoVpcrSvTW z+;dg5uOxr7{vONeJ{+=eCBK5m^`wx57v4MYZl+LQ*~&jxh3&hziuvU`M^>V_Ck$$Bn8 zoMdXNefz zax~@2$cq3>eLI8IvcFta+F4UguB}vualS$bhteGO1`tK23ikp3<9RVYftGS@UM!fi z&-zZ>wxo!d21NwX`862skw9rX<((5SZjUOO4l;0;M?^|j7?2o$^f9puWF zW4-4!a9vAh1-JRY`|Cg|)M$HSgUt>}9|99jcMgq8BC-AG&CLHaOgCaZ=AGKk!Zd+r zdHQo7-VFzSIn$h<`c&_GDi*b_xd^6&tyw)p`|4M#ZkS(rG)1k&#|oh1+X+am9<7ki zZ&1Rixt;jT>G>t-Ve1Urj}exO4mPVkn79C2!c;lEh!JM}T3c88TdRZB!C z2FhJQj$kK+NinecghyNfdENCRXf3*1$r2J#U%Ju_Ns#Zp%9r$3`2qujkvqVcUd1cQ z8caHraIowm>mtl@mb+xrRla{kA**Br-dl`H5&7=(xq~-9x89&YoUVD_OUXzErW0$^ z{PIo6CkuEGvbe8WFnOhBYs(fz&PteuViyJc^f}CUL*ii`h~vD`fPIlbnk5`1lSWIX zDkCR7#=zdjskef^zQ~ zeo@Yp`1}UYZK0DG4T>(0lQ~D7Dxe(K%OHmW&3_~gA8uxM{LJE&CFHo@duYHSlVwt?UKx03Wc$=GR6lfQ8J36ou8! 
zk5db~N43SpxZ06npmLz>I;3Wi(2$}7Rv`4K-EBUXdUDWnGT)W-D(YUK{@4c6G!iH_Y-A{G_L(`P;faLo>moR zgK3x_DxkVG--|quwmAoJ_ zxt---XiiRq>TV-+@AUk-m-Vjt1z_FS!$GP7 zmBeEpNwj0amX z5r^YgzB}U^9$fi1bCFHK_lqpDH%{&K!E$3DM9adMtRT|&jDeY@pZ0hQ2=jp#HfWav zHg3W2AVwC)Uvi(k75vAN3Z(eKi)G|CR~V6Tk$3_E)6K2M{8CJgH~bo(ALl7TNeoAq zh5wKprQ4bVo>W1n^c)62YF?B7^|DWk!r;_2AilZTAw`-Pb?2>Ra@zgXX6xfhPs_RXgP=AuN^}4xEM7h*kNNAi!rhxjA(OMs2l}JoZ#nvHvQ3!721rN3c0wejdG6L zBjmNDLw=M1aSYIQa*_jwK4F7vGHpwIe?G^+3qtKK1j03LeoHjKn{*{R5;gVoj1J0I zMnE=llj77aJboB)7=iW?Ia<6-qq&I^oU;O+;mw}IjUUlgiAg6^ZHwl_Xbln+WaTP| z+ys%C1V=?2y$Y})^l+|geh&##IBurO8{L$U+X#qC>YZ3b<|Q*7f9=X+cuG4yzs5Wh zU$@9R0OcxXnhD3Qo_iBnv3f4ObqO3QJz;fLuqU;uL+q~R_Bb1WmYCcW<{dNeTM!eh zgZ5I|F@o_7jN?g~Px{9;nTF|MHH4b3cBQ!GwC*{|M_2q*D$f=geL&pP3oc)_9hKBVuWiA<%Z*~W&b zj(LO$&|ghU;RO_WmUaNQqPaK_?ZtrtwqSr==~a@!g8CaQ+JOZh5|B6_3#~%i3@WPl ziDSB?b1)YQ)~)Qe%cFhH8zVR}mkG8RFMVfKQC8&)PT83uZm9dgPIpO3;*-PGX`H%s2|0~S&lk}ZL-$@hk&xD164x|A z>nQ)^?bLC9cYXVkeMpre#FtsZz2n|(Y)@w@Kt{kwr5P9Q@T`0BRf{sP?E~*B zDk@T0Q!V*(e)P%$DZVD@>wC~osc44KjZMB*W7y+|J0bsp{!-KRg;zAgt6H*Kwmblc zl?B?(iTsm{CDkZ@^z{ks^Zkh>iSZxy8!JfxOAxJ&ZFLr#h4Ncu1%YmBi3Ls%+hlDW zEDjKgaEu%KbcEp>V z47NNtROOXw@=slqVI}yNNyakASip!V32 zU(u~o_ArQ>CB;P|H)I8!^5m}=8fHq11t`+q{RMuF-@S%$;Erl;KdXvi35VE(|DR=X!diq3&qIRW0snSN)B@+zW+U|_2a1cdr}r+k z3I9$#&6c;+~&nG^$me)NTKQO}HpSgOb)0&+<0#^?va*kgZ%_7Mfd)DE#E;D=Lc zw}c(UK{{;f9Lxin5v4VNvUnvt=er#QFlfp|IqkateFALP^25cZJTPPy<{L8B-AL=8 z`Di@U7BuC3eZ~iuDs3sNEPMN~2u|!ZcbbB95ny0}vrW!zXM$7w1slaVizXz5)Cp6X zla-wTMX<-czy=k8OipKvydgO9Z>FX2uoY7{e?2G50otmy(wSJYStnw(e{S07=U_nc zbWbKsDszq=zD}$p0G3s+Z#GY^C#0lX&i` z(EBWA&*nfJn@vQ`f?;BiIdhxMeEajUAnyl*@_lE@sBWI`v$#$sMx2YVM z6~H+9E1QmqZPX%t;$%~XcqZqn01V()+@b4C(WD2SwsVA76ie6u@~$6-lQ3Ey6w!E! 
z$5DLJN>kp1B9jzKID+zX>2s>xfks;Ogu1I(OXqs#@y*ZGIwC5_;-%fxj@*4LnNt7o zA>Na-+Z<38vm6jAo5Tu4Eg!9Ki8sI?8_2+jGYK3{{EiAOB1>xy;9smtG4INV_lL8f zYd%WvWJ}7SA~R2INhKPqxB&B#&~u7RLu^A4@_O>+$r}o?Oi*@ndKp+6gWo*_U?Hv% za{y*M;1gwdlT^!(axnrXkX%zL)FemJLaIlF)CQ>+vYbT7jQiOMx9M(g|KAmV}TBGYPB5;4;z#JLg8$!=siQ z3uoy)F@`^hElv%p9TK+VR)qsq68y8x!=X%aT1 z9sDvcgDfdk7;_tzrme|gmoW|i!ybmwe!(m#fio$q-s>%KBP2e_xslz9GaEBL&)wOe z>%1|-4O+Z#!-CV~{pIq}3bh5=TfM;^rmVsv;6 zkRz~oV+d;^Y9!IMjoRAqw+)VnY#KdVVdmKuqQr8kJA=Sc|N>bE>9(W9sDuA4DLnPWWasaDa> z=lxx9{CWopn2f6t2Do+q^mqTh1oSm~0a>`<3zCR{KWHF6tb1GVk#IR%d0=ij^mUeW z4zzSLP(0N-J$RLJ_rqE}Keo*NBRk9?HzO20d%jW1kq@LK2xA*#lX$`hc+X*SCW&AI z0!}Xn5ou8URF^tMD;t3lyZ3pr-jxS`>`CRrT_^Zky6Eo|=cl8D_qnci=Wb?|v1_Z+;65 zFAtx55Um&VX!UvD7Bo|Co?^KLwzDl{%{iz5&;2HQjJ93ia_N3MwK%$dEC+eIEKn6C(l{7wK)*dQIoGSAdny)@JE3<8 z^5YXh;XTFsLCr%(Lk!KA3Q|c(sV?3oGWOF+E*?|Y&V37(okFa7*e4B4EMo$R`c5#Nu zGz4O;W!{=anE`tNX5`x;SOKW5eytGQ{h1XNJ3;%Cls@~PoLwGWKnz;*>J|n7)Ulsr zqbQ|^BfHolB7-3peU*c6*6L1J@!%t(qOvSyQ|T*A?g#udrw_aVgRd%GrO*5*-c7kU z_fmw7+<1Q=)A2&x;|yt;iiEXPkOX>E;@R0{xHe4!mfxbVJ&LZ64Xc{esR|qOS<`Xs zjqq__85ZMWd8EdZS6_1G3R@gz-fIp}n? 
zsK4c+#!CP@N7-u5;dmIRHZG?5Jk=*9<82fUTMBPG5_PA{1I*PY*===Z6~uR1@=&LL z)BAF`Fa`TLwboY?7o7hpg&<-m=r&j9tkYAF*Y=rXS>p2o?3+hY@uk6-?q!{e@!IZt z9t6PhPD8N_y*-$G}5V)mlRZi_afPqeHL zVA5EP&>%SFMQ3HDU4U}Ed*Zv*(0Z)##4NfmKsfJSo*8!5KRpdC8%5c=SYf4E5B!p9 zdQdc20DnBmB8MZKOSTE*Z-e>$>=X<+7UHc@*h5HFA6Iub$vz+>Cie^uk`1ewi#@)=x{w zTvLQ6#xlt1jNTg9peg9Jy8(FL3^`Jfl(pug^Zej9RGDEPe(0|+92%L)QBwVB9>?3z zdcjEwc^621*H&VwAO$etovuMSda55AqSwjDy3s#a=jGt+!xZG)J17~1KaO5GUY-B4 z8d+kgEh{|5oV#~pPW{6#U*UwD1^???e|`tg7O(S?W3p+pvM!pXGwTkjwqygR%uZOa zEYJK&1ECytFAW%s;y%76rYDM6JBO*G!I%a==#s%!Wm#C3(c<&*0_(!Kt{#sx-N<(i zG*FS>L;5Mw(x1qi-9Yw~(4r1TYOy3gQXYJ6?-oFcg<40asiA1WcK?I z-fP;)NG7+Z0(*S^lQZ#96KZ0?8~ zeqI-+@7vR%d&eB0XQRqSmLw@W)iU00?&zt?cum8bB}c(IZ{uernS9cgDMnYLoAj=8 zi!Vz77nw+~_^UcC&=Zke3&hRTE?1Y6^$wp%Rd0lKZ!N)+_po>rF4F8>(+o_F)_7<) zL`T7Vx-CRp3z8~VxsKhd3+n5OuRhksz2OJ?*|A13Me1C*xHOCW<;U%xNii9j5&njv z;Hft&AQvQDCi}Jfv(>&Af?2E(2N@I=&I6Zh>oDEONbwFvfdnX}aOzeiP^Zw}7O^o> z226|Eu3t!Ua>dT=av8wH>-6S|%9*s&IG+y#4vinfNnIk=^0e^W_rXFz>*;p}6aB5Q z!7s>A5BTXYmsxgwu*2)ca)X4%OmEGGxf?5k3wh33H(#Lt1?OB5Ju9na;TpLbo}nqX z{<-K>xaP)xEnsy$1fs35ZaZx}0Im+hC61UBbe^<>2HKG@u)kzlPzbmzQf%Vnh9=+5 z32VkROrwCqiz_n@+Xk*3D}`^u&5v(~9q-c8t8u#iaZ}+J!6SHRtY*-s+xc%f27I#zEN5>|WFY7lJu_PxbU(mZG{Yh~Efk=Dgy8m{h zGSzLzq8&ga6VPocLuL|)sz|V5c6hIZx@48ZV)@?&Ew0m)xP68deKdHt!3Tra(S7Il z*9C{K6@OWOW5^IiQnkMXEqE6j-8P=5z3IO9)~RPs7FJeOFgH60g)_^B>+^6uMdF-R zzhS(Dx$jj3x-qW))8oe(LPQmRFG0+IjHpDk4eDH#iZs`5lH722A8Tt{?H+A zea}2|h;$oiNhIEYXy2Ri$E1)J*xg*mJX%4=vQ&T9hi1;`Z*er*0P2J7e)n8?YCwRb z`i7kl4oH2yE!8iSk_Q=?Kxg1@@zd4GVA|TP$Ba?c>H)!t+963wY{ibXgBhu=!@Y$3 zc00KURTqOX?+@$1+T$BX+|8sRUGr#ijqihweZ!`a1yof{A>DHPTdUZOJk*~qx>hQZh5}EXibB_EzF;XI1N2%Pi zsU8DSU*S8k#5&mmf9{rNO?;(10Xm>WS>QUW)#%yua*+;|K7aDS*iFzrZ@FSeD8LlbH@*Lb*G8l^zW>4uh zc|%EFAHNw7EX}iDQ%8mpT?U&gG^Cz@D8}h2x#Jt(dD~V4BYA#MtSJhh^P;QxsDf(oF4~wjK zLzJ2H{BOe$%L>Q?PD{cEdm%)e${d-(96j>+O-0w(IV|-w4)a6@c>Z|-4Dp1ayupdr z&gjXc>Mv6}dGhVzyNr`f?whG9NH~W4^1 zL?X5lj!ncR_R7?CB}R9^HEsT#V;HmgWeTCTvuZhhV}BH%@*@}VVh@4Ke1>>UURc+J 
za-gY%YWfTY)7+eG-!pcS5>ji0W-yc9!CP$+c8pHEWDMk8F=9P=T&^%8L9Av471W3d zu;}(rNfr!IR$u7Tvex>6T2AE1-=ka2LO+odH`0FaWy%;OfROhd<(FcF&$r%${T2zSCE2Jlsyh2;CMD*09pf02g3GBxyT~}Os zj6o|961_W47_&eaaLhFfGKE$3w^rG26zxr{F|NJ|1*2rxzCZt3Dg7&P5^Y^;iCZ)C zow7*-Ab{7kF5FOxDVJ_O(R^qDr6NN0`618bBAt5;Qib(KY0-Qrg@of z!=PwHO39PkNGb5Z;q{xrEcoXNMGxJ>*ORxayK+cgrz%hXO zVa7g8!EZi-?gx6+;xq`#l_%g3FLjBf(3kYOIx(H#qPWX7=qENl;p;FEB#es~dw;}& zU)B8G1qt7p10ZZ0uWyuVerdUy1bi$5JA@n8nwzTkw|Bh^MnYr zGa{X_+26J5VOIQ+9bgX)0)S5pWpV<^;} zAS6EMGHN!QEFtbN^#fc-VNXD-=sTp<&jUrXOUp?Rt59@j4LFT zLU|f3Qd5t|te;Qm$MRq9qxqQ~bP?U2FjMitb8dfAGncl<-1iIMgEmunbr%7vk!R&_ z9}XK6YWvuLHf8+P_E%W~XIiN;4rOn<;7)$xcT#k(8*>y(xuWA4Ypw9HWyREg_WCMO zIm0NMzxB8{+8XLQh*wF9%xmJ%1mhcrwUF<)hoh71!HtBr2fGt$z;ktx+PbXwRwK@y z=CT4`v`<}#Nq&oFZ?)P&j-NuH?)Y89>PCwiX)6p+wQgm6SignrO$Uv^C@8;PYAUdD z+~WcE$f+?;PlW~}^V&+BeXr&A(M|R^lw-l$`0272VNJEjr&4b-{q8SQYJg|%$4c2c zluJlbFMiYfW*f;Esdj!}BJ+_%T1&he_alBH1Ps#p=uRtNGGdicV z*92Z=4|hLAGp4jR6u$4}@EDVrAQc2^96q41q~2`qaCXlU%{pWaq*~6hQqaKTRk?R zFS5GWno2~FPVmret>?5mh^Iz^pXG_@YUw1vZtT=D`DRX>QO!PTD?MG*M29TYKA~Zu zlOwTs@76bfE5lc-sgs!(bAdC}jI~&5x-934-(N!qUl2hzf^{m)6Ew;J`;C0a7?BeO_y3<|DQ($V3I*~yY`>i^>Yjvt015g?4{#qv n-^w!&?4_;vIH_#A$tILq{{!&o)>ADsOa7Ozi|5eR|{V$KL-G2K{T6QT9h+JNLmK zA}eg}FTM!6qfg9MdCvEJz5_d{=`-e$%sDMf zDsYhNCrHq?HhzW}rPF8Q*n06xp4r3L92DfuzpmM{QX6Al->_K1t>J{2KE{CKW+V4| zeurX!V5f#dX;L{hSl`(xc$?f$wvp4mXJO)Pcn{{)TVO(Y!J^( zWZrj3eaCzLg}#LH1eMerAjO%@gt$Ek>8LezM*oE=f0)b1S>4h@9Q*`6vT*CbDrN=8 z0gpMA@ReWGg1pwx0*0<}8GUZN4#PJJ*9biv_OwARRE@_$Kz1>AhoW>>TpJrv`K=u2LgHfV;Gi&KP1;Q^e*VT3z}f( zGNFU<17zN#33wQ9NPbE%L!3dKEGli0f7=DnngWzMn zCMGRgYt8h}6trVFGgKG#ia`xnYaIzpHKM4Xni_su7_a(m=d2BidR2bny8tK48cvJa z+dNWsG?fK>9y&SUi2zuk#f;aWkNw_4l5QrTiEdEe0-KUr{Et{2t?8xCUX3kuC7mhV z`&l_H27@(=f6Hj86F7T=u?!gQI)N1$?qvk6{r%*-0^e%j&>zkVZjr?pX?F#X)3ELF zc@gu*7U$%NRW)a+Y?%78Ca+-Z9(S=eT@{-6cm39G@9YVX_CA(J&JeV zlhl>=423<=G&_0)j$Tl^cB9(qzys|+oD9wZPRwU`JLFML-1W5zdaNnHPXn@BQgm}A zlb_syWrqOX=jM}Zl&;c4fQtVjv7e(CA#JMQG`$LAp9hDB7nx%2mS?Mpq_BN;(fKY@ 
zVWZ(hIG~%O3=05A87t0=e?-RD5krxk8dOy{i`?Bxf-{sh?LKS%mgn2}wbH^$)7#VY zM5D(bWvC0P2lJI!7ngmYamFXOUbTy;sh$jHY6Ml}wpIKF>Gf6gOfG){rA*Xq4pP3G z4QGN#zB}#^lMnFLjmP3-w^n(KkF?`H`5prObjTvbJaAMdKOw8ICgxpF>Ns2ieG30R zt7^75K>F$dF6@Hd(`H8IRmD!=?);uG(}0GNMOyus7bhXOF?Q3nFZHClgNh<9K}Tn- zcY1$9TxQPRu^=F9ELs86n$gMErWK{H*DofVu?+YfiVUn(sjf(jgmUZ#WBjiVkc~q| zR`?5^jFnLbKqSf9mELv1@R+HZU=@wBysD|-el@T@CDvHO&tPW6jWGd_nR}TY?3V@W zy7+m{7?F34+l+9qxUK|u#jR7+9At@fd&}y-u&nfM>K*JR5Ei%2&P?mlx z2EtYw5gg)XdvR)t=Gx2UV=ujp_Jyu5wWO|!XHH^;yi28JR5PQ@{z&vwXeUOc+V>-m zD=<(eU+oLmsz7D2;sV5sEk}Z|i*Cj#(_TB9+LpPKs-Sdbwz9 zaenWN)G5fiFfTA0!zM|Xtp8MuoO;_L`V|az5qUAwHn48(yei%u z;l8P@BoCF9~@vt!OoR;oQFJm89Fap_7SH*NA9RMEQpqD!@xqv4fc{wagUyhWA z0Vl>s^;$Y5%~G_ic6ri9fB>A}5i~@w>4xa6>E6O56?cGb`pJ~r;i-THi1>jWMz3=0 z_iNYaW*n9Fvbl!WXi*dfqK)WT3wRINUHq-e1jPN^j~gL;_@;$*>osgf6!z^E8JdAh zo2U%g70$x%?#p|CW(8KONiHC_F-{Aw0#DBdv+0}G_^>;lUA_`{TdZ9 zv-63~{~ByQ0k#TK*$B(wsQGNQFo!#Z2rObtq#=WvMl*QpRA2r{t)|Dh9QAo%!2P}! z4yf8|Hkp>WJn`VKkAKOnS->J1u-Rb@Z&Sr&n3=q7tg+D%JxPT#>9a6kzi7PH(&Sd% zX^y(sFryp-m|Fy}iAVeaje8AVJ^i1gj1i}wD`9tuM-Wa8sP%Q-4$l6d&oQf2o7{Xv zfqOqsFbMhKM#iE*03M;KY{A3+Qg$kcXsu8SvJlY9JR~k(4Z-s2chAr|k?NsTw1aKO zBVmPJ*`G-8HxEMo(hLs~Y6ud@e%`@C5~<(A&2dX2v3krdEu!_rriEunYix%i9UUqq z1*pn?#E|&KSQ?TmV&Rjp^(`dOxHK`pX)_kd)sLK1_W_B*Ik9Qj8toOJ`>ID}2BRGU zH1N_`TCd4p#ug*3G@^I^g4JJ2*o^lHo9;XiVNZJzH=qdTHhU4P$n`Tw90gWxYV_E{8IL3wv_&f{H%EJWn()rER z_Xu;*Qz_e8R5tXV0ufjUs7LCTb()sVn7t1`LHL?QdpMG=djHoi4+PVGyH+YM{;=pg z&ze5aq$^hNPXdfeImCQchx-7nG)KX-`Y!4*tZH0G{?7<$tg;D;`y+t403Z0l`Ea({ zR#NW6kuA#|Gqv>zqK|JS)JMQp7#tp8+;hPfZjx1HR{nZi1z1bS+}BYGJqV(4Z%8Dl zUv(Fe9yU$X$s7Fg=Cx6F^J6?lK(#4*%>x~Oz50Nxj!E9aryMg&w=s%=H4OPTpuy6b z2o9md?92lQ^wvp=RAy|DJhxehf_#oTnV-bY7C zYaz6hH-mFD*O|BRzmGi+0W<-@RI^&-hZQ&!Rur>6Y~^9beHZos^8ZVci0EpSLQ_rx z!3X-vH{dR3W3-kIKp<1@*U+2_&rXhD>s&rU$@O8i3|xL?u#}=Cc`yy1MdxIO?W)xU`$=>R zIs%$%CcZznxY2`2iv$tl$AF#El8FUn9r{?s;Z>DQqSVpx@CcCDzjEJdo2CgQ9PQ7` z<(i*;8%n7gcElt6kWLvn)h**(W7+hFaPBgv?4A52vnw5W3AP0y%pGYglMwQ)lpxD$ 
zQ?!A?%!V>PBjR;#01o;iI;`Q7Gi$Yf+Y1##vr+TFzoV3KD?$|omU-h#ErK5$YYoK? zS5E#RmZO`J@IhG|m^!h((Bc8$2{lSO`k8!DrYH@`fJ=I~doy!2ZeuA}f_vjO#&|5r za`+W;0Mg&!2UauRNb0*S`ZP2b^g=Y;k-I+pY&PduiKghCskS-;JRIhjJasMbjYn(S znc~EXr*$l*0a%_G(nGRWh3hpq2Y)3;r6yj$qH)ArH+8LZA{gU6Im|8O6vo5 zCq+6*sWdri^0FnPs@dW>+g|o9{d}Ajo7h&IMn?{F*iY!(LJN_|GbFCf#a3py=u&I! zA~RSs#l+7!j}4fVZMEKpR%|5)jHzJ=O!kd|B#M^om?YRKLHG^nL}T2-*W95AOVpp+lc$|HxvK~hmabLxt{U6SH!ewnu+Kv z{R^rjbnw$zro|1c1YpA9+mPy#sfr%Rxhxd++ee0&AJW zw>V(V7_`V*tO9`{E7J&h5~FOR@_km0D9dr1CDL%k+9eIVV$INcn~)sC?KiNjqHZRk z+)h^&^ARt{9)K$4_yn-LY2tgM%}esNl$Eu^lO_6#(Dgw|RUwu`!!r|;)TsK8nrU zH1cssr_!rc+o(ifEct^p*l3;{#-0p?sY(sru0oQ#iWa3grsb(hIoc;tA(D0zr}Myw zT`UUitow>gmqtI|yogrPxUr+F&4e7W&h7;%b{7eikUZanjgTRM9&lgiHFYyT?PJhe$*bCN`v5))Af$vxM42^=j8^?2_w>Lvzq4f+ z1Z0LoC%PS?vPAzbx z=g&bKdOEiYtApVfc<*M4fu32 zfwDoxH{HgtLH@{BjhI!&?L(Vomex%dv9k4B)Q=|xmg4aBU*w8K3lZ%BZ~>xea$JaI zTyQibV=D*U*|FD=H)grvfv)oB%m^YKReCh@d{1cwQac72o4&U5Vh_;+bTRT`sK`ln zW{j`I5;ES}UWUXp0z2ZZ4J(r6l~8lsgwos}pc779n6=9-o#L{2e8f%@IF;8C8 zl}9LDO{5*S=le^%lu_%vw9b0IT0fF=bTcX#INUh-y+4(83tI3C^EP-mH68(wEpiYH zBwe6J4DLGr9Nx#);6acx?4SFZ^LLTH!fCdo7v}^4epv}abis7-pdEf)8z-C=sW)gV zAEA1cCqEO}uhy56GW-4D3|Uk1cpe;0kih?Ab7=ywvI}fe=@{AZefAQ)AC^GG#IV+a}$5wdd70*>^P%F3jx8O}F(<*%hq@Y|L}X z_}UdNa9_Qq#@8I06XCwRj9)^aKm`iis}D93ChrB^`qUq{m z(aw*$xtr_LTFNWb``|C?CzZzA%7oGjF9?>KRY>%F6VX6MtQ66e^@!PG$2HXN88UZV z^#^Ed^2^iDaHFe^-XznPmv2^o+iin0UK=1nNx#JL_Jp<~44Ex&W&Ip)hd%rv>|v#~ zInmigw=LqJ7gSr98lN0RV}^M?x#=M`hKF`M?D)pG0daOC+AsL62RiV)p|S8uM7sEQ zxV1#7wL|j=aw(V1m2OrZ=|8?U=b!|YMWi3+kUXwG;Zp?U;yQ^oo)q!@7(Sce>Unxn zQ@M6MJ)#SL^4j&#<+7s5(?YiT)uJOH4g&e>W*mYy(rD zxmQ6uOzNciwhnL)8$C;SND0$?VXof}5a(wsKlFrMxD4~N$*aUwmyi00uwM_jOkLs#SeZkmNSY}AgWRU z<-$Ma_4+!#d2Wm=LeBF~WGO3BcdsTn66gJ-^EvwvD^TXIP{5529$!R?0Oy2WRO#)o zHLwP`$B(ZkZhVs4$*l}`w5SJlV;d1ZT6mjM$dk2TPBC1+Z@J%*qN3>{MQ$kgHCN%& z$ZUN7L~bHKhL09}lQ+`iv;??Wl3CZ4P5t7>9p=*yy+&mT{;!vxD0Y4E0{*t+9;XK4 z%3cr0oG-fJ)C!|2mpPGUz$DrU4_Iy^>M!-^G6T9)9g`S|K?{3Nz!^y^b9gwjx>D@6 
zmr25_3nBh6^=y-er3Y37Kn%wzUs6B!+=K{g>qC(i$@y4QC}?j0(V_U}xvg}s{RX1g ziQjoPI5J5D+u-hVZ?#vKT-^S-Q8pb2ROig$X038ba+*MFhFR3AnF9D7ms1Eb4X%nN zal+ZUF0+dselqj@F++Xk+}e!d;9MCfTtKM6I^pa<=ZYwS?t8cnZmUWz%gg5a>(Z1J z>%!Lt(-`QBV34Gb=(8dB(J#rI$@bam%N72Q9-Ao4Q1Aj|e)HXdj5YHD4Mvv02Kx96 za-<&o@ER7X|E{Ml)+ZNa!Kx8(2Jn|rAKTbB9ry!?M#5O%_zN3C;g71rUHdoqHNE;Ec>mYOBnL#$*2K;5@ z)4Z?8-5Tb29;%6EL#rg!HellX}lG7xtGO%KB@2GOI1`Eq*v{OcK#r+Y| zv6DJxm{7>tCzyYW!g}G~J=)QXJjaRTBq(La_~2<@g%V@bt_{8fS)1a!aBA`bYqEcj zVhLP`c_^YLC+CIWu7DH>s^lLbmxs9hGeHbT-09*siF*IAt{q1y84%be5zKE?$F%#) zI8Z9$yN<`8GbM=F6g1x`;k zYC12|9l$C79n<#<8z47ftx~R&Dq8P;LTLZ?Q*#wf-bYH4IKSnmdoW=B+XxcmGZyMU z`E%i+J=E!i1xNIZ{014{Ke(9_8i-tgXel>=gS^^0Rkb!;3;)KI1R(>n@WDhniGhM_W-QIHID&@<8Pre~64kyGT5 zOTvI;_jvTQ1!pBo;y$X?Eg$tq>5xWssw*eyjY=J~GidNM(CL{f2I@v^kn7oJ^i!#P zp*u2?H4EKp6B1jLeCROct~UnjJ4Ju?H4)Fm6mg#AzKS9~=ZI5wRPDDAp|iBDc`+qn zpPsz}g~Cw7rGT*=m4s{;bnApTEMeWsAmqf4XT-Knv_o?FW*h`Hj;%;NWkIm*k3;H@ zeXjzuH@lISww|;QLDb2$^d*<< z9N#x9Ye02Ave$$?v7XaO$mbmVk=Dklc|(ub%t%TLwlcoPpZ+5kvm6(Wgx#A99yw>L zCG#`USMN#y`X-n6DmH*&+8&yS{E*39|Gouq3!uc=Uiu%ReY|A%s zKw5ixDLgaY9tqjffc?HW-6b8)5~vn#eWbrm#0XakV)%SEMj<4rxweA`RT0~v3jQAA z9YR27rXN-dXq2=*yiso^XnR8ZawEvn)0nxKt-H|$azaQsx(%Qg)rMvB+|Os!!{qik z6C|sw2M(r4Jv+(juVLaPVjM$Hj0Ya%d#Mka({2|j*a zD)|(-rKdSJAUL8Q(04;k2=SmQ4KxJghL?H1V5xl!*_xn)|n<6%F5}hhbSV z^-f1(NvK$_K?C3Cr$T!QPsWdbEFBqr7vi6T7D^+pVV|Fpm_eg4Ff(8&naq; z(>x|v6nnS_1?ij{Z9{ENPaK8{6aWU;mbU6Px1tnuI~iiIS9-8$H|^5XAp{=IVMtH0 z8f?K~S*-&aFNWz`!aCWn3EPUl z%k+vUl87q78hAoJmBOU)#$D>11SyW%b>SHy{)?8rB&*=kH+Hw+qau6Zf5iwJ#pJ{e zHeC%rYgtx0f7Yr75op95MCzJVKq*UOI^bc#Z-^HzW7qq3r}Pn!QpC_Sc+@cm$Tlg< zgW9oezwJKIAa_K!_#f6|&WS$^)%4@e4rf%r4u%Y{UTbAzY~N3QzEfdl+`asb#hF#BQZBT34F5Wv zlzcJvG8|Epn&Y}AU>NnR8q}-(r{$2jp0VyA(Y4j$Z3?|a`2Cq%inx2FV~V5b1oULN zHBAm(-WK<3(S6BA)1+phY}+=HJ3^&Idj@lK2+8^c7GZ02DUJ74I&6k4*64MxYs8T7 z#V=-{(rY%J#tP!X5!C&GzD)p0;?dqsl+1(~9!no<(rgjv0BOQr+C#X@{*h7Vs*+9o z>w@TwZZZRftYcOXa9a1UzPih-Bf*gM+8EMiyI6H)cwI#GpK<4hdPsMfKnxh2|6%N9 
z+J-7?Hsg>k|I4q?wisq&4zBOR#n8gkBm+M8lslDl+#>-_aL5qbxCW#VPOvY4-mA3< zGmLPjMB$IrfjIx>nS-lSsHS{{!5cn34Ss%C?5r~lsBi<=#vFKj?De~G_jbck&WO>b z{~e(R=ca|GSx;crA8uq)y2;-LKOI>scX!hR$6 z#dU$22v;7BchUp3I>0$t-|lqZuyeXl-ei~U*{XpcWL`r!mhJEh^}^4=`gX+S_CS7e zD(ZVskj#M08aa?xArutj#vGZaHM(_p`P9X~Ro5}^L+#bLsgCszHE}V`COt`wq`t#6mC-r`BT8@PvJUclU(={hqTP73F z)Jx=@jAI`U)>?YTiM`845HTrQN3$(X-VHYxEUJOw+bKlB$&h4q?5e8w!2K&?1f2uS zWOPZ;_IK?xQwvu0F;IQMSA2gdvy^$nOPz24DR1zz&R4!-%S>o;cs*7ygcZ^w0&b)Y zbv&@2p65HujLBHtsZ1qiQ(nyR8?;Z+#_mq64z1)M?9XP%P$XV2t-xQrV$JzK(~5H$ z;{Y2hdJw*^4mY6@w*3YdTXcEFt?8j~63h;CgCIHhcKwhAq$v6?(Zmxhh5)pPJR9l# z4YRcAp-Q$t9KI>>No%IBnVH*^&j8aD=uT>A*oou11!)*L0RYDZ9L9<i-7vP z&*9&d0eyIbzIjW_KLWDWnPL2k`+=ZKMa6B=4t~%A50=M$N=41C2L3!H&>C&OIvannETgbvmxV)+)R>)_G6WlWo}?zNyO%^<@9HBgC|`M- zN;nAtvwz`x^VRq?4=jd%wGb&XW9*7W zBglwE&^|7o(M^{dl7swmvpA-I3|COffLlCr79j?gdI2i34P^};Y_>ZvMW=UELt(|0eDK^^z3K0;vkgoErg zv%=(+M0zNpw*b7WoyRis8eefv$FEccSXews3;luGFBt~E2vxuLN5pIC{tT(J#J(^O zP&a>8k*4NSX3|L{L@D0vxZbKUA0NM2>WCrEv(u6DHBFkcRky=pg+wFLXNL*_&Qkqa zC;*h4{Vqixyk?~c)(@n|tG^Ubz7iFc9x&nSFpN`+WBd}EKQJC*#VYx}Bn`0S<6JPq z(q{p1O4sWjM1Pr&d*9ml_wy75alR3R|FQlXh&m*R?_H)b8pS5{4|KHYkyd9hc{aZj zG5$^`ceWnI>Sd(&i9^N+r&<=Jy3{5r_`@on$p;=nkaBzIiFFE@Pv7+Z;P#=5_(h#F znYjPGoV%EvU84|SZ32777c-yE7&C+hqo%1?_0zy+{3LD#-Y*hrF^r3tq%1=T{vo*O zpfp^55+n={-1)m(AN7%9no458tiXYEFkaRc=8BUpdCUiV`3Z~I2r!jP){vA>5^T~w zb;dlLLin8r);&%HaI!_Tvl8p4@N-uw8_Y-vGyb9QgPy~LdNj=?TC<2YeHjOe{_jJ6 z_Zl5@#r>D?BnyOPM7NXu6*qz&SlP{>3ek5`R?{R%F_x&{mf72nN`Qm5>1Zbd*B5ly zgb7h6NI57G#oL185?2IE)B|Xx_8zb`!^0pu`6%T8S!avK!xT7c#?9CB4w@Cvx*K0Q zNEY%HrqT1}&Bu^l4B<0Gl$e-h5%5eKa_rB-*D{uY8F(EC%dk5X~1z<`bGc22M1(%2q0G)%$9SurwIH7Mi{Cz!>Gu$37|fiX`1_| zvj?n_WnyM4K0|M3etUa|WzQk*eh?*KS|({~nEh$baZN6GAsBsW=#7HGS;@-VNCu@u z3abeXauJqb)6vs%+BVh}GBjIgm=R6p`h|4qVBPd{CQR*&{SUf@ngJ_dk zT?nOAk%^)ag8ZmVuTL~(!228GE}56~CJyjS7EaTcw2&AwJO<=s z=FLBPqa<|bMqa_f|MyWoR{5Wf)Vst(M??~HHL(OgH1W(bXPKOJueobpw)zjy81kfn-+QNmh upE7sDG|L(vHlJ5&jfn! 
"$TEMP" - mv "$TEMP" "$OUT_FILE" - echo "Decrypted secrets.sops.json → secrets.auto.tfvars.json" - fi -fi - # If running apply with --non-interactive, add -auto-approve for Terraform args=("$@") has_apply=false diff --git a/scripts/vault-kubeconfig b/scripts/vault-kubeconfig new file mode 100755 index 00000000..12204355 --- /dev/null +++ b/scripts/vault-kubeconfig @@ -0,0 +1,10 @@ +#!/usr/bin/env bash +# Generate a short-lived kubeconfig from Vault K8s secrets engine. +# Requires: vault login -method=oidc (or VAULT_TOKEN set) +set -euo pipefail + +TOKEN=$(vault write -format=json kubernetes/creds/local-admin kubernetes_namespace=default | jq -r .data.service_account_token) +kubectl config set-credentials vault-admin --token="$TOKEN" +kubectl config set-context vault --cluster=kubernetes --user=vault-admin +kubectl config use-context vault +echo "Kubeconfig set with 1h token" diff --git a/secrets.sops.json b/secrets.sops.json deleted file mode 100644 index 28688be1..00000000 --- a/secrets.sops.json +++ /dev/null 
@@ -1,321 +0,0 @@ -{ - "actualbudget_credentials": { - "anca": { - "password": "ENC[AES256_GCM,data:l4gO32TTThCcR2QTOS8=,iv:fcWn5URa66sw+CnnjroYiMYQyHAknXyp09bkrLSfWps=,tag:0PiuMatYWbL4GaFcoEJCww==,type:str]", - "sync_id": "ENC[AES256_GCM,data:hyqhxThdPDsQo+vLGYOVeatH6cQT7sgw7AUojzeZVSS/zwbL,iv:/5CDja1A9u0vo43wlcN3iaZEtcrD7j2EjIyh85qCHEc=,tag:B8visId6bPTHhsb3NUHPIA==,type:str]" - }, - "emo": { - "password": "ENC[AES256_GCM,data:gwPhGMICe5dyq69YGOSHsvla7wg=,iv:2/fCp/l8KP5AedA5fqgGISMCbF1XrFjY/lkvMwd3tDg=,tag:JBeEgokF+t/OO0dPclrAwA==,type:str]", - "sync_id": "ENC[AES256_GCM,data:xY3zw06SLaVlZFBFp+avQR7id+EkfOKT9OvkSbtzQjL7frgh,iv:UekYOCMOc87kzTKZNGruaBiAPUbprzUBixsnQDc1+8s=,tag:Qt07UBPMKoohXbGiYbgCLg==,type:str]" - }, - "viktor": { - "password": "ENC[AES256_GCM,data:zfBx+Q9/DOzeHIKn5DTKjgYvwakQhA==,iv:trknja4iuUKCIsG/F2KrMgE3CxSCiIBsYnO6vsh/cis=,tag:WkgR31ZfcHRWsmH+gOdSAA==,type:str]", - "sync_id": "ENC[AES256_GCM,data:soaBW/Jg7RPr+YEAqbIPmkU0lha8acZsVeXZOR3n0PIBMZTU,iv:84n5WQNX5a+gFuvD2Sn/LNijYZvayY+7SMNI6D9BaII=,tag:eYozazvrG6bXwC9tsh0ecw==,type:str]" - } - }, - "affine_postgresql_password": "ENC[AES256_GCM,data:Q2iUS9AycO2bZDR0YpbMMk/0ki8=,iv:Da5KuARZJVLv48Vz6kbG79SxZDeG2OGwCBK3pHmcBuY=,tag:On/kzru5cPSBa9HblI+o1A==,type:str]", - "aiostreams_database_connection_string": "ENC[AES256_GCM,data:azuFpsKrSDRYC0DVCGEfcv+qo87A2Iw6yWmB4edsawkGFqq1w0BqOGWvM3kDw3mr6HD2uRIdzKELTNQ46cfViyDqe9hS/lOo4t6tVW7etOPUzHIdg3HS5Q==,iv:yCqiBd9+hAio/cm1co9q8X3EH3AOQZacba+WPReGcPE=,tag:g+8MW612eDfe/5ZE8wMJPQ==,type:str]", - "alertmanager_account_password": "ENC[AES256_GCM,data:LfPAPQbKt+6iy3W+NHCHIhDK2w8=,iv:eb+eGHPGtZPpw35cKPQ5a4VMQWAn/SjKGsScEuxZoVE=,tag:eOT002E9yZ5LX6eCAmUuhw==,type:str]", - "alertmanager_slack_api_url": "ENC[AES256_GCM,data:/BuXJsrIPuviEMNuT7NLhoYMtqS05t8uq+/AQwpLzr5Cv5K0lktcFrJNajdowME5fpSLrOAEm4gYgNnaeByPohyeq1CFBPPiNWcGzqtlcq9t,iv:37NRRy6/K431N7rK7vskWPlHUyklCzp2k57A7i8T9Sc=,tag:NWWs3a/FLqckPXLp4xfNPw==,type:str]", - "anthropic_api_key": 
"ENC[AES256_GCM,data:yMpQVqBqpcDIZnZnBJyZxX+1fVVuV8rf7Ol9vD98v61yYWMikqaeWDOhj23Cwaoa6zLuXq4FHd/c2mvmBcem7i1MdisZ3MP43jOU+h/6rHVy/02QYlrM5GDwgG8CHY9rz/jhIhLrt9KpO+XM,iv:JDyiFoD34E4EN21nc3oApljbfYj8VCrv6sR91O68de8=,tag:CBLqBEH1h/kj4YfaozAflQ==,type:str]", - "auth_fallback_htpasswd": "ENC[AES256_GCM,data:Ohzl3Na08VQA+6CpDvLgreC9CxPbh6yxJ/jHMFakoJqJU0SepfExQaQyc/4Z3j/PioG9tV1qFTUfCUDtdfZovm+F,iv:DyAWevTSpvG65J9pki4jGatHvsNyJaaO7igPpA+bkzg=,tag:DE48UWnhDLoju9KUF/O/1A==,type:str]", - "authentik_api_token": "ENC[AES256_GCM,data:42OGcVrhy8IronJswj2F7/Sc7huDIal0gh+k/aVSltoBqxr7GHJhfsKp13KfUr7dXfTDNWHRQ6yshoho,iv:o3VgWATL5GYtLOdXU8r3ViHcGRWRTk37gCeJHUOG4Mw=,tag:XqlWtEa4JSILWUEg8f0iSA==,type:str]", - "authentik_postgres_password": "ENC[AES256_GCM,data:FdiD8kalTsASaAWWiBGA0g==,iv:Y/R7QdOW94JJ0kMKbNJksYnUK6mo4GpO0eoAKC/9BHQ=,tag:Un93yrX1Ijyef3fjnZr0VQ==,type:str]", - "authentik_secret_key": "ENC[AES256_GCM,data:iDwEobzjJLvRIjBuC8GI6jloQmT0XwVkwAAVgllzbMsxE/s/7bGF0UEw8a87cHBZIdtg,iv:RKUvrmcGNr1Wbu+91kxbAZviSn573c+97VucIcUUbQ8=,tag:yVK0YGZ1w2K8jSFngRwLIA==,type:str]", - "brave_api_key": "ENC[AES256_GCM,data:1XVaHaFdkcApuQyV2NYZ8dw5EyH3JG5qlrKnwKOVhw==,iv:Hi5Tom9P6MD99sNTkuVEFH1OysixXjTrKbvY60KVJVw=,tag:nhojyZj2czdhEYW/bbLxBg==,type:str]", - "claude_memory_api_key": "ENC[AES256_GCM,data:a7y3eKvMcTH7u75GrP4cYzouvklCheIiIYMWZnCAbS0tG5DSyAmJUHweLGY=,iv:Ohjoe/bJRu44xA+XYK5GKUm00QZiPoOfPmvGwbMznYo=,tag:l2ZCcE+KJ5ekBknIr++sMQ==,type:str]", - "clickhouse_password": "ENC[AES256_GCM,data:JKGifam+nLdP1nVF9j4=,iv:7k3r+VrDZleBcTI9Z7WvOlPl81pEZGKhba2U2WWs6ys=,tag:FfGTddHlYnF8pu22e4NWYg==,type:str]", - "clickhouse_postgres_password": "ENC[AES256_GCM,data:Xntg9o3BfobzMHwsFiE=,iv:El2VHST3xTjMsi5HWCwnCjay9NittF89syfca2TDBLw=,tag:0fwC6bRJgQ6I6yZHA3Mwkw==,type:str]", - "cloudflare_api_key": "ENC[AES256_GCM,data:5By4fzqpK8OaDa9Fr+YIXMtv+jO9HRSifS2fLBBpk+ji7qFCJg==,iv:eohFtRTF4xZ4hTj9yQ4uhJiK5vyiyMmX9PJd4gnRofs=,tag:NVEsz/mdxxDuiE6wZ+CdJw==,type:str]", - "cloudflare_tunnel_token": 
"ENC[AES256_GCM,data:Qq7K5HxUk2rIcz9wJopQWG5DqudADcEYoOQWj2VekAHtez2PVA/ZkPS3FUS/ovksEFFDTH9bX5kRli+3zRuxGKSnfUvZl2zxmvjkg61y137S0axNe8cnp1rtnQ8yP7BRSIpIp9FMDo4MpaWEWJt/TJzFA3l0IloLHuEiNWxaOsummC/FP8LrdMUpA2WX5I8fg/74uZRPaOf6A3D2X59gGHnA+/thw+9VihP1G7lfetH+LnY/XuLyYA==,iv:HkpUQvFepKyFyrKXtp0eU3/8RYrwU4zbdKaIZDLHGlk=,tag:n/yG8EWiQqX6uw9ybSjiBQ==,type:str]", - "coturn_turn_secret": "ENC[AES256_GCM,data:WcbQlpXc3jhC7JeAFdRkhUJv5/J5yJhl5EUheY6KzYuh3tJjeSC9wLp3hhq0PZgU5STw10/WzMe+WUepNaS5lA==,iv:KuqG0DmIBBIXfDqI96/WLMHsxr3FQqSbqluQX4rwdac=,tag:xZUbZz/tw4ZFTGpjkzTlhg==,type:str]", - "crowdsec_dash_api_key": "ENC[AES256_GCM,data:B+fkmxOkZVaagnOXGAXb17KZbzsF3j0mlRFdr0r1/iz+bucjQBHCCfYQyg==,iv:R7tkdo2buJ8doovh6Q8/nT93kOAtngGqfMTTWs6fj3M=,tag:q45QU2AtZusM6XcGu2ogEw==,type:str]", - "crowdsec_dash_machine_id": "ENC[AES256_GCM,data:dkhWQOi7uuFOQzmJ+echqx3MlEwBrPAHR0213oo=,iv:s8gsbWWmJtqV2VAiPmzG0Nrh3BKtVql2dwcwA7jfPiU=,tag:F43RFDQTpKumepYI3yP1pQ==,type:str]", - "crowdsec_dash_machine_password": "ENC[AES256_GCM,data:UW0c1graKS+VuQXRJy3kNWmfrEghxP7Yv9J1+B62+JALf5LKS1KlCK5nXbh/+LBV/X1oqFpnT+iubUkSBvRWEg==,iv:Thny3X6S1CwSGNoo9e4ski45VRz4sjUgm3nosD1Ke3w=,tag:qxtd9T5BldKYYtMp+CiXKA==,type:str]", - "crowdsec_db_password": "ENC[AES256_GCM,data:0esthtRLLOgJxeMWtAQ=,iv:+kfDicf/Pb4pcR2VuprGZTw5Y6PqP/x+HuAT++CQyag=,tag:af1PdC50KiDOIMFoBAZzUw==,type:str]", - "crowdsec_enroll_key": "ENC[AES256_GCM,data:iX/ifWLeStmwAUb/hMjLkM4uPnYYqcJqZg==,iv:8G2y3boBODF5Q22t11O4Ib6xxRn2KYcpFuY4KnxJlZE=,tag:286nu21GCxptuSf7a2jqmQ==,type:str]", - "dawarich_database_password": "ENC[AES256_GCM,data:SJ+o5saNfIsUZSLNrjGolFyE91eoTqnYEQ==,iv:4qUcY6bl+y41zxZX5USF0AqABzcjFzncT/eMCZkfFyU=,tag:fjmOicy1CkSKzm0Ai755kw==,type:str]", - "dbaas_pgadmin_password": "ENC[AES256_GCM,data:cOOiqfQJ/s0KZNmpxVCQe/hqU6mhL3Z8sz6S/BnqGwM=,iv:gIM2FfguDOTqsZECGLvr9RoeesEsjYH7W4AjDyv0GZY=,tag:QWGENNbay2bs/ugJ3sd7Rw==,type:str]", - "dbaas_postgresql_root_password": 
"ENC[AES256_GCM,data:xQJmwAgxmmEkuy1WDTuMtfGbubYxvJABuqg=,iv:DZoII2xL00qoSCablzuaDLpLZhm2+XckK2qkLeWKGvo=,tag:qO02qSQcMESjh97bZp9p6Q==,type:str]", - "dbaas_root_password": "ENC[AES256_GCM,data:UtnCgjYpVZEJznJxf7pBKwRduDysuSl38zb6Bw==,iv:m+tEEwGwd4/ncj2RpuSwz+v0opO0YL3M4R88QLdF1Sk=,tag:q615+GSZhvQfY1ScjRUpCg==,type:str]", - "discord_user_token": "ENC[AES256_GCM,data:kbZlby6ykWueuHUJKdQovfiEs9DU+6e0keTsVVF3Si5U4WXOlleyi6ClbMOeZ5ul5lN3bycOGJ1l0hgqNbT4eF3RUjoaGYym,iv:6zQSUZRPzfe0DDg7bPMq+8KCTSekZopM1MB+dA59Gmw=,tag:Me9HEcJoel1+GyPTWj256Q==,type:str]", - "diun_nfty_token": "ENC[AES256_GCM,data:32DrdKtafjSAZBddQFK1HzAPP2rkkueZlRMcgEs3vtg=,iv:iUwbu6d9L/uvEwft2q5SZ/kBZ8YH7sVln1Kyg2iyZXs=,tag:2E4hcXheHl5BT9E2gwzlCw==,type:str]", - "diun_slack_url": "ENC[AES256_GCM,data:6zYRXf1ohotcbMAex1YcNkesSJgKlCYqpPjpQx1gHWrQBxtzLdEPUynBRWHggGNf9Y4GLFKk6u5cwvkP8MUPJYb/Qh/xtVN7k+bk9Mbin/H+,iv:UuWxm9BeubsNYG1/2bfIALEMyfbtItYpqFPxqi9iLJQ=,tag:9aYOKORBvVvQDVyKLgglvA==,type:str]", - "docker_config": "ENC[AES256_GCM,data:qGvWR4pgJHeRN1bUILwKHEDEWT9cpv/+VFX6ZqrE2TqHqQSFRlJcOGS+Ar8lUW1K/2txqkphrc0uDZYWqZDdi6iP6JK4rKzOPdCFl1GUCBSAdziQb3z0f4kjC+VI3938aJ+wZRHppANVtQLBFmhRJRLNAc3rhXk0yJ5TYb5RjGgfQ52gaBQKYlyfbIILDf4TlhfAMsqMTv9Gh7Nw7xL9Z0V9SulybYafez4gb0EikYYs2ZxoWkBO4pF4/hll1w45n+3j3rUkjlyTpZZXc64GSHvtsw==,iv:qmyQfL20bCU/v/i0DW9DrkhJV3tgqOXn5lDKPdsP6Ac=,tag:IPzVN5OjAjk5uZTFWMOacA==,type:str]", - "dockerhub_registry_password": "ENC[AES256_GCM,data:t/ZR8Afh1Z5Cij1/9IYbp/4THkHxVz2nJS+62jO2tKkuyMZe,iv:TmBqZNqJFatKNGAzIYlM69glRUWBfWdQVH6LFyooNxg=,tag:G3HtC0QfWjOWqKnUmyh93g==,type:str]", - "finance_app_currency_converter_api_key": "ENC[AES256_GCM,data:vDs/qkAIE6bHGG5HF+fyA6Ptk+GQMzmG,iv:fSzckBpAeQvaUOU9CdM3KtWwjO8iMoWCu6oUrhNV/Ts=,tag:YnwTD+Qcl0sw3xfq20jo7A==,type:str]", - "finance_app_db_connection_string": 
"ENC[AES256_GCM,data:YxEcPDlfGM23wJScw0yyXpK6za2CrFVvzSAKV60syynaNQolPOi1tzEpu9ajxPly0VNGtcJyHR+6vflhPGUev1pmCl5J8mfhkbKz5RFg9HjRTEEadgdCLw==,iv:pDeOZOIFz0Xff/wJ/flOoTzE6ApGxtwZDF84mOLObMk=,tag:W5mSKvVZaFV354+A8BWzHQ==,type:str]", - "finance_app_gocardless_secret_id": "ENC[AES256_GCM,data:5h1+tEz5yC74yz4BnwuYwGqdH8Kgzohk3toCBOfG6wToYLba,iv:i7LT/m+T8CPw05vxYzC69bzGHDX1j0WKai8Zgg+mVM8=,tag:jZ74gpv+tGWwEB5M2xT9ew==,type:str]", - "finance_app_gocardless_secret_key": "ENC[AES256_GCM,data:Dsj6V2/6vC5d/H3mqtbNwmqEPYax54p8l/33dBCx4/Pk3iJaKhtJzg1oZHQHuYSZw16DZal7lfDfYUeJxV0oCTKbZ2RVaTKNWgj9N/eLEcihjcY2Th1YODF4E9Pzx7uI+vyL9tEYvl+70eSuTnhau88vWeg3a9fbYIscSB5bX1Q=,iv:rVYc/hnU9o7uEdLzN6S3J+ztFbZuNBT5msHzr7s+gz0=,tag:zHO0c1iMxgXxm5PiAojwPA==,type:str]", - "finance_app_graphql_api_secret": "ENC[AES256_GCM,data:g05dknFXW82BL/437Fae2VEWBskhnU0ZPcIdIwLzsjakBOUT5+Q=,iv:KOlhJHOr/IDpHEpI45i6T52TpEoQEjmHXISTIIDW7yA=,tag:hWeR4/oso0JpwRcXIokiiw==,type:str]", - "forgejo_api_token": "ENC[AES256_GCM,data:wz3os5Qvxsmv86sTKtuwv+ce3OuxMl5ENdGNon5UpoJwXzQtPS2cNA==,iv:QHsd3Xtelfz9hlpnuK5/YYCX18vA4OuJdFs1LsihA3w=,tag:bk4crONciQNenayCvosa+g==,type:str]", - "forgejo_authentik_client_id": "ENC[AES256_GCM,data:rEQLce/v1wEFblEXluObBjTMUz/D6lZhQ+76INR25Pe/puKTkbPq4Q==,iv:5dauJ1Uwv3eH2JQi9kEVA2VeBMMXywRfqNjARBrEGCU=,tag:K1odzjcp38MriTl9+xDRpg==,type:str]", - "forgejo_authentik_client_secret": "ENC[AES256_GCM,data:tYgwxMPcSCES/vfhZTLjs+8ahMDk6EX0MsVVumf9fgv7wXybJ9jNN+kzplgDMSr+BPCkA0xm9jU2dhAPAW5yTYub/+wZ1vPAlgFk1u3jQEdIDCVxrsL3hp3OR8p9X5XfwuVvZ23irnDPNt9VgqRolGoPeq4ipIjkHHz+cmEIcAw=,iv:qyC7d0YOlwLJJ3myN4zJ0DGgzwLaWsYCuq7uYRB5vAQ=,tag:P0CH5bDMs0yL+z/S/GrB5A==,type:str]", - "freedify_credentials": { - "emo": { - "gemini_api_key": "ENC[AES256_GCM,data:bHiIocfLoJFLABdn5tSo7RcdV6wRNdl1AF5smLB5pT/Ukr62mJka,iv:dingxj/WIOJzQuJAofyjiGJvxwaKT2Y7KygzmKY3228=,tag:dmZ3ZPj/rJlqj46B71zDHQ==,type:str]", - "genius_token": 
"ENC[AES256_GCM,data:eGXGbp1Cj2jp6a4xaYlBV10Zui0ZLH2jz7XRhIzAAKMElaavs1bh2SjmdiJZ4xvBK8vBZec9KE7ymQfDFR0SLw==,iv:jyMvZU/oh/PFK/TEf9ZQm5cUASsVprALAEzTGGy/SZc=,tag:hcC21CIL6ZU/KKIdNtzGOw==,type:str]" - }, - "viktor": { - "dab_session": "ENC[AES256_GCM,data:G7lnJ+DfSAFEPC2tdGtYKXx9b1YOIDqWfM+89TB0L2JMFdHgrNfIjaXL9WuYwPuv5c3O+uVH7pnA+ePLW2a7J+JxJCbLR5q+HNXHLUTD9Sz/IYQSW+14tHBZ/pvSQWDWkSf9SYl2Vb79NP88JdBR3iaWweAb78rD1nvS9Yzg1qsMbFGYyE9p44E8oT8XrFk=,iv:Z7KZe0itBzLUI0KIqtfYlvS0QFDrQB+7Vra4AsiODqY=,tag:yFNf5BATgZYp+pJOKEvToQ==,type:str]", - "dab_visitor_id": "ENC[AES256_GCM,data:QhRGBBDE4Hp3hhz+nwVB4SzUlgjhq+cNeUnYusmCDq41cBsn,iv:ZpQp1wdNaq3HSYyajVVHJESeieQvK0d4zvr8RtZzeXo=,tag:T3rTiS49gqcIWp5X8upYOw==,type:str]", - "gemini_api_key": "ENC[AES256_GCM,data:+zYomdhBXUvfAltaSey0SjkDfYo8uLTOYO1QcP9mczKRU30h+aOv,iv:MhD66ZaWB0Q/DUpS79v9TIR7XMlOPB86j/0r89BYmc0=,tag:AsDj7BGssmT+D5oF9ZfGvQ==,type:str]", - "genius_token": "ENC[AES256_GCM,data:3O0hIaXITh/9kbNM/jAk9t7IKGPKmdO27SsHqZQcBMQGLOKLvT8ZLopU6X71pvoyn4i6NDGrjFTeNBCOCNXWSw==,iv:ZBWQ6+q6EqEyMFMKMLWr705Zj8Sx8xU96UWKWK8Elcg=,tag:Y/fH2PMmgPg99e2CuEFXZQ==,type:str]", - "listenbrainz_token": "ENC[AES256_GCM,data:aD5XIV4IIadNzujNO/Chrcn1P5cKh/t3fn4V0DOWRmSxeUdE,iv:0EFRuR8cdYgR7j+9dPJ26N3cLbBY308U1BCzFcoZvkE=,tag:sg0e1W3BAx2QHBTUzbwFHg==,type:str]" - } - }, - "frigate_valchedrym_camera_credentials": "ENC[AES256_GCM,data:yh6jUar2/MlbAkzlT7J6mDOZJQLY8w==,iv:TiIiHLjOZstawqkG+Na5Tl5kbfcw2p2MQPyI9fay8O8=,tag:fltU3v+LZI42GIDR+oQqzQ==,type:str]", - "gemini_api_key": "ENC[AES256_GCM,data:hPMe6s9adPDOv4f4rxHQg8W2shb68dTXJ+E88u+Wf8LyY9Whs6R0,iv:Hu3aKTNniL4kY496r7tOHktSgKdyziOB6yn1m8l8ZY0=,tag:u1zao3tm3Mg3TFsFUiqpHw==,type:str]", - "geoapify_api_key": "ENC[AES256_GCM,data:6nTXTqR28HQTjqRhTT+b/fp61OvRx802owklo486ijw=,iv:6np8o1hIwkXuD5gDWKef7F/ZILfy17HEZkzxdhI2PFI=,tag:P6y1ozO/3NR/FPG2o6EZLw==,type:str]", - "github_pat": 
"ENC[AES256_GCM,data:/8Ep2W5KTnaKi94wuoteIcF8KSzZkVyZkqH/4xkaWQoqcBQoyDy/vw==,iv:z22ewL7u4UDOcyIn0bwZ1PY06lNI3N/vHYh/P5pDIMI=,tag:s5gbIMHcWqDQ4BkMw2IvIg==,type:str]", - "grafana_admin_password": "ENC[AES256_GCM,data:Qiogt3BgxVwDE6vScI04f57qGeg=,iv:HPfTTw7nee+CV6KcJl56wBcEs18O4VtdiypCmurhq3c=,tag:YJFOskhgkP1ptHUuTaHfLQ==,type:str]", - "grafana_db_password": "ENC[AES256_GCM,data:b49r/LmBUl8dKPxOQC3HInouoBu4,iv:goXCqnuoSpqP190xYyky1IpFMRvkIU7N3CYXG7mOnHw=,tag:ktUZtg2/QaA9PYBBOImp5Q==,type:str]", - "hackmd_db_password": "ENC[AES256_GCM,data:4uTOnbsBgUjt3WQVFl7M,iv:+EEGjYdWfFoDf92aylvdx7KeLR/FcwPmd0lFi9SpNTM=,tag:UI4BzmmyAOJS13/Ms1DhJg==,type:str]", - "haos_api_token": "ENC[AES256_GCM,data:oXFtV7+BJCVgzTcFjSF/s9iUFDvwlCPUnSkwuPSlctv3BduVQJCL35P5jWeUAnBpJp9u/N5M3lmVUnIluxBmtxPGJ4Eu0HTJWXnNOJzT6DkiZGldg2yucAZMqfdm9b6O790NC1GRa5Ebylw+Ra55V+fJY2VF7ccLh6MkuZxpxOQkUcQN8LQW9T3q0HKNOEr5q6jP+kli7BVeHFlUUSbAUPnqJX+N2TDes/mf36yz3Y8tn1/LpCxc,iv:KcngUQASE9y6E1PdS11ZspHfs3VKzEVveAOiUCA2hvM=,tag:TCN/yXV74mv+aJGyLqBwlA==,type:str]", - "headscale_acl": "ENC[AES256_GCM,data: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,iv:h14unZRVg/Tpqt8b4DXHIfhiyg0U1/ZqIETsMkmMclA=,tag:auFXQA/aSk/bYjB8O3foAQ==,type:str]", - "headscale_config": "ENC[AES256_GCM,data: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,iv:jl4YWQc/kCa6eI/EPU5g1rV/1Cl8iD92Rmzt7GnAqUk=,tag:IFNwmuflHn7BjPj6pqkOgA==,type:str]", - "health_postgresql_password": "ENC[AES256_GCM,data:mwOt0uoUxFZVHlFNkFNcmIht/Ey0DTvqQwXnZ+TdfEI=,iv:hFG8meHV8G3Kg7XIXDpjXFiXW6gTBldgJes/qMbW3zQ=,tag:9IvBLW0lYYdhD43kc1JdEQ==,type:str]", - "health_secret_key": "ENC[AES256_GCM,data:9iNatHUdahT5J3Hi0MNNdg1pZvsixyGp5U9MwEJjezd0yVF/N/cOG0tYT1inklolVBAgq+0FJXcfbviZDUv9xg==,iv:hoVqK2x20j0I1kXvr5pw+RQfrFw10fqJuEDoXe3r2gc=,tag:1K1UBukmH8JxgnKjwV3uUQ==,type:str]", - "home_assistant_configuration": 
"ENC[AES256_GCM,data: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,iv:/GMmusKMeW48Dz/Sld8bU8mKCCdd9mNvRStRhGZuaJk=,tag:XVi2x65EnUBZH+Wo2YTfJg==,type:str]", - "homepage_credentials": { - "calibre-web": { - "password": "ENC[AES256_GCM,data:JXVhckhomVkwW+woxyTNG1E=,iv:dVcrOUVnjma5chQUmxdZ8yOVw/qlBkqwn7ltxnpxy3I=,tag:wHW2xxnYV49E+qCkjNwZnQ==,type:str]", - "username": "ENC[AES256_GCM,data:zKkNvF4=,iv:tOs7oCqn07nD/8hT3FkJbRM3BlX/D1DUew9FUhfGKLM=,tag:OTrboMnMePfX5L1zNPLtlA==,type:str]" - }, - "crowdsec": { - "password": "ENC[AES256_GCM,data:EjWh73yEoJ8+sgv+p9cMYgLyr/hWuVxTtAyqvuOv3BCHOI5veoWbYTl1FBBfXYeM8yVi6HrUCQTszG7Zwv4iZg==,iv:sztwLwRGxvTeuwvxPlO9+OavNWAx2WvGtPNS7bhLv3g=,tag:XJ4OWt/Wd0Z6hSmmFw/ulw==,type:str]", - "username": "ENC[AES256_GCM,data:LNf9VzHOrVR5vedEp952veyp3iBfiIPPxXhnJG2L,iv:C+RyF/3XnSnhKDJtLxnxno7zysStgs7sJFCBbAKdit4=,tag:Pwy/E27lylTVUZmB3psE4Q==,type:str]" - }, - "immich": { - "token": "ENC[AES256_GCM,data:+hVmT7A7B9qRr4UtOLs6SIKbmNgwFdzUY/cTmjGSP+XIxdfjYMI7WXs=,iv:++6H8w+KcqmPnMJFw95uzjjPy27S8JQHEQe4w6BCqto=,tag:jLbrDBEjGCWQ6PSRl4nxSw==,type:str]" - }, - "paperless-ngx": { - "password": "ENC[AES256_GCM,data:elss45zEwbNMErIrCua+mmKBvCDglA==,iv:dvfHZUon1rNlug6zKLV2kupD1EEGvS65xmIrO30a/6I=,tag:djGBx9o4ta8KoT4ihBHEPA==,type:str]", - "token": "ENC[AES256_GCM,data:FcFzfT9+wSmMIZDFw1nofQxoZRJMCk0AEO4y0ZyAP+XHhEdhvoW3iQ==,iv:fsNoVZGJrAIvfenmoWKYfbAsNCLDnm7+8FQkI/zly0Y=,tag:KeQ2dcUj41KFLrItrSLefA==,type:str]", - "username": "ENC[AES256_GCM,data:vllfVQ==,iv:EFLUW+73kDaXvMNPbVJ6t6N4LYjgEHE+a3N5p9BelOw=,tag:EwpBx/kZu7NHI4SEfI6DHg==,type:str]" - }, - "reverse_proxy": { - "pfsense_token": "ENC[AES256_GCM,data:lKZZN6EXJtCf08a4SpkSHB/d+h0=,iv:mTdYagsVtIkSrWX7X++iwLet0tbAnjDSkSQTSNwy0YQ=,tag:1QcN8iL4eutw80mBWsVhXw==,type:str]", - "truenas_token": "ENC[AES256_GCM,data:Q4dY2sDIVG6PhplcXeKGrPWbFIzoForpxIJa31I009czET73bmTJFv+aqA5nlpJdUFVYtxtTC7jbt/rwP8O2M8H1,iv:mIheML+3Me4cvd7Nslf6cM/e3jYGpE4K59YT3VFLtoM=,tag:XUZozeWj4BTQIDcbQYSyQQ==,type:str]" - }, - 
"technitium": { - "token": "ENC[AES256_GCM,data:Z83gBOvJIe9Ql94qX9gU5NlSw02zmhtAv1EW6Qv+7zAF89aYrBdR087n/lrzzjpP/aWsjeH31fCNIXdP7Q288Q==,iv:JSIaW1fgoSFEtPDYul7fqxiEcinZc3KyR0d2FmVBFWI=,tag:AgkoZg3fmNFRFho8PSayUg==,type:str]" - }, - "authentik": { - "token": "ENC[AES256_GCM,data:42aiTSdUPkk7pvg8kOEdWhEQ1+qlz3T/qDXb1ncKZmR7PNsj8iF9rmtOTN+vixLJUaUoIdqDqr3fMzor,iv:sbOWS5waLcP7ofraNvOoKHdCRwGhIH9sn3A1yrkD99o=,tag:YCWtO41tErr2lP2tx8nVzA==,type:str]" - }, - "shlink": { - "api_key": "ENC[AES256_GCM,data:l07YICry8ZmgKHpM4Izh44wpeJz61ZY8PhvThJcR2AXu1IYT,iv:hGfqpfCB0FuBTm0zjYcVzuBSgut/TjU9n9gohqX/Tv4=,tag:qke4YpAI6UhiUUT2coKwKQ==,type:str]" - }, - "home_assistant": { - "token": "ENC[AES256_GCM,data:eG1nuLuA8UhO15ds577x53FwS8B434Fw3BQ9omPQjwyx+kT2ysz+PE3XjuDJuOPH6OX5Bx4wIG21glr1iKpOQq6lEh0Kh79P0WzEUilT5pX9ix0UypgFWyKqSbQA5sewsN5hPcEXFFmnkwmoAeKFYMZD6c6OlaM9joSqhfArWSpF1keoEP8C2GZKPzU7jOr41soBPPeSV7W0GtUI2fLw5w7oBoUoVBIctsEwNgefvZdKfpXacFr+,iv:cmoRy2AbCO/wwxkLJWv+ikVgqE0Rk8umjfSLFHBXsSg=,tag:6AbJDLo4mEQgPwPrHFQ+sg==,type:str]" - }, - "grafana": { - "username": "ENC[AES256_GCM,data:eCP63Hg=,iv:Ge6uY/nRA2wl2StLNAbJiDMccovZO3DWiYeMxyMUsBg=,tag:KQEp/OLXRKalATQWCYt/GA==,type:str]", - "password": "ENC[AES256_GCM,data:xFh4MtvdgeagAg9aqJAxscTxPSg=,iv:BbTJ/FCAjvPmtXAPlY8BwkwxBTjx6uccXIW4H/uSriA=,tag:L+tEDjtSyGex+AOam80tdw==,type:str]" - }, - "traefik": {}, - "speedtest": {}, - "headscale": { - "api_key": "ENC[AES256_GCM,data:/ooKLdk+QiCDIMUXu94tEvtDs8jSJlPQLn8I+D/AOG/z3TS0NV2TLCB5J1U0WG0ztu/sgyxq,iv:uaobUtZJ21LAVseA0DFaEo67kMy1++kRO/Vrb0p+ymA=,tag:mwFDIBXPQuyUEyhcKhaInQ==,type:str]" - }, - "prowlarr": { - "api_key": "ENC[AES256_GCM,data:uFqfJwXPK0RuQ8HLc2gOvyh4XyZonfLybIAE/punxIs=,iv:WUrFpAQbLWJkUUt6XDU7MW3RygvPT744y+ojx5M9KgI=,tag:naFDyNuu/ZJMrOU5Kp8tTA==,type:str]" - }, - "changedetection": { - "api_key": "ENC[AES256_GCM,data:XfOc7IisnzNH/wk1jD9LirxxgxIR4dYdhRcp5sBvgsY=,iv:TFt2fMDzk/V9GaKeIgQgMQEZXVoN4KFA4sy2aYs+BPE=,tag:JuySGNFralHxjIeFfnThHw==,type:str]" - }, - "audiobookshelf": { - 
"token": "ENC[AES256_GCM,data:kpB50UEuFJVTSpT6AuT63j9K4jY/eM9E+871fEAiYT+30/wuIj0hp4RdRCMXtECLMOCklu4PIGLKUCYpwUZhA/Uhbo1eG2H1D6jifl7968rjng5DcqHfJKI0ZDOhbEWxbMTm93AeFVMScaXv6M8VPouo/1WEH6pvIiuOZQgb5nzZwiG4H2yuIdE2KatBV63SHZb7aBMQQT713avDgRt5w13fe8qIiGXD8KbySOJcJL0+rAlT1tLeoRfRNh4L9BuOdg==,iv:96+EVw9UsKEJjt1S7VNjT7suh6huNid3RAJlGKjGHyQ=,tag:NSir93MPoZ7H7balBCKS0w==,type:str]" - }, - "qbittorrent": { - "username": "ENC[AES256_GCM,data:vMfowF4=,iv:syBxpoclC7Vs9MGMtqf5/vXN3UdfIlBjeX6hXF/w6j0=,tag:3WKxWktrvdEKDZzLZoHRxg==,type:str]", - "password": "ENC[AES256_GCM,data:Am4o/MMHDg9iuaqjgcoGH+72O+Ms7xNTKKfQ5cte1w==,iv:isYvdsKhRy7GhC3tlX7T1qBgQNo/av1ttwTfdmYM4kY=,tag:kgCd2QONvi9hbr3utUs1VA==,type:str]" - }, - "navidrome": { - "user": "ENC[AES256_GCM,data:DRdkGpNM,iv:8NB55gP8561Lay7hU3y9pcGkQiiIlJSsdDe6PeT218A=,tag:k5oLZJHJ+b7Q2evtdlA36Q==,type:str]", - "token": "ENC[AES256_GCM,data:8Dxx4NvOBqYNSCMLDVPQMXE6T7iL8CAICZEi+SYV3i0=,iv:pAdzQamnI88U3C9JaoHNPJdYO2gfO1lZt2FPHMG8feU=,tag:UzFISr1TwMU3yQaed5yspQ==,type:str]", - "salt": "ENC[AES256_GCM,data:SmNlQNK9nB0=,iv:g2COdzZCIdFgbSiOxanJVJUmJqA+lknPC8YO6hfXakI=,tag:RmHI9oIAHg5OYWrxxBMz/A==,type:str]" - }, - "nextcloud": { - "username": "ENC[AES256_GCM,data:RI2souA=,iv:uZr/2ZHjGziHEFmKQeBul6edZpLiaRJU83tedDsHecY=,tag:cM8R474tCspew/NLzM7aDg==,type:str]", - "password": "ENC[AES256_GCM,data:LmjzMZa3YSycAqrxvZmfD6gW9bF0c77iDmFc,iv:RQHmbcezYcvj2yaLy4cpHkA1+RiNGLL077bf6teWQ6Q=,tag:oCQGL4pMMQwiT+q/wVxVSg==,type:str]" - }, - "freshrss": { - "username": "ENC[AES256_GCM,data:syEM/rC0,iv:mjcloCUT7q7XZ5wqpGfsAHcw07MBkxwn+f/E6tm0TbQ=,tag:h/hafM7FavtMnSeZrjBZGg==,type:str]", - "password": "ENC[AES256_GCM,data:ZnG9sVUEtEbV90T6tAjAvfjF17Ce,iv:QdIAqoh8M5Oev7YlNjHYlhslONIYA6ERHoyKNu/5HYw=,tag:MB6+HCsyRvEXKmFHs8X76A==,type:str]" - }, - "linkwarden": { - "api_key": 
"ENC[AES256_GCM,data:l4+5hfINrPycdC3DX0/useb3V4mO4LqwzWypfN5R4/vDMT0HxvZ3dIy5tNwu6AEsvr3qVp4/1EgL6KINEiGs7LaDQcRvHHclZWIm5Cty4Z/N5dJ1XX/KBnMuGQkGStyLxpWmxemd4W9cJdNOGo9qGenIfHZz+blV1Z2spJ4nP/MCm1BSjKdqeC28nj2RbraE/2Yv1vv9hEfQI9AbykzUaiNkANCmuSv/9v+d+hLIeBHhrioBizqcH62CUFiBERGvEoX4I2A=,iv:VJnbKv5JqDZTWNxOnR/XwlLcip+TGXWD4jeRz4QCSCg=,tag:x7nUsRrfnXnu/Sy0mFhCMw==,type:str]" - }, - "uptime_kuma": { - "slug": "ENC[AES256_GCM,data:Lr1fqjw=,iv:Sk/cWMHi/PrdlEJIt/ap1X2SExHofqeVS1Vqst2RXZg=,tag:8EGHybsDIHoY3A4PTqNYtA==,type:str]" - } - }, - "immich_frame_api_key": "ENC[AES256_GCM,data:InZjG7OGFNVMAoJcfNGprbP6///vPCt2qTI8slRf7PsHrgN1k+Gu,iv:euObwNUh0QM1e7LHOvvuV5CdWczhETqDmDzg/3E0Dhs=,tag:sv/NZe4+xcymQfgXK9gmQQ==,type:str]", - "immich_postgresql_password": "ENC[AES256_GCM,data:PW0CxWBD,iv:4A3KuvYvCsTyPY+LRdrx+aQLqU2AF4WrK/a7U5FnxrA=,tag:8npnXx0tn3ReWX14nM1ZaA==,type:str]", - "ingress_crowdsec_api_key": "ENC[AES256_GCM,data:JLE8dxZ3x5s8MeafEgO6OLD8ZoWUnlmONVUQ4VMzx7JuxfWAOeqcs7f9dQ==,iv:reXbnYuHrwXdf6lUVDUsSSDcaaf1zDjOHPcc4NvlAOg=,tag:jWTS0UNL8hged3CcBl53Uw==,type:str]", - "k8s_users": { - "anca": { - "email": "ENC[AES256_GCM,data:BNIrLSOZiirY/LxLGJpViD2Roo+7,iv:E1Hcm6Qe5cLL7jtOKWLuBNTYIucjJgmaK6AFCjwUKUk=,tag:8oaP+zc+6AVgLXCVNHE7lQ==,type:str]", - "namespaces": [ - "ENC[AES256_GCM,data:lJxETt2SaJ8bnjRgJA==,iv:tpO3XwuIMeP+WhnKQ4zFF3K/n2CnLTGAjXLuEMx95mE=,tag:0fuxMxCGuBZmNjlh3x+9NA==,type:str]" - ], - "role": "ENC[AES256_GCM,data:cxDD2xi8Fxy8VuNw2jU2,iv:yyVkDDK152jZYf9skJ/qbCzp6Bw3OHcrp9QPe5wi2V8=,tag:JLEDsqV8IaiLvnZeHJReMQ==,type:str]" - }, - "viktor": { - "email": "ENC[AES256_GCM,data:hvgQRcQRa50YLNoBfuodxYDTKSXqRg==,iv:Eo33MhngqVwXHk1WDCMgX6FGuDE6Aunj580sBXDXBkw=,tag:CZRAwwgCMlvxi2o0QRnnYg==,type:str]", - "namespaces": [], - "role": "ENC[AES256_GCM,data:h5gr3B0=,iv:MNTgu6Zc9BdZQgV77Ut6MxxHL/PA5hjXvFbcItZlHUU=,tag:erEJ2CLZlW5/m4MRxe48gw==,type:str]" - } - }, - "kured_notify_url": 
"ENC[AES256_GCM,data:8n7Xjx6bR+IyFQC16Lx4fQSCurxparJQtcjT7lfy5Bk5/QYjK6BdQqYRy76tWQJ78EzZ2FsGVD8QkjGPdvDV5N9qSFDA1qIaa/kuVjwIVPyM,iv:Udv3pJ7vW0cw8hx+MMVBIUBabeRLCdNV8d+yE8Li/Kc=,tag:s6RdfhMaloSUaFlaj2CNmQ==,type:str]", - "linkwarden_authentik_client_id": "ENC[AES256_GCM,data:yVnMhIfFjw5z4aQJ6s/cGpljYriKsW7gf6XEoHQD3bwT8Jsr/0I0Ng==,iv:DC2Y/ukxsxTzw42xypzN9QJGnyYuvhhJkjJSb2iVS28=,tag:RG9X9q+yMujE+pOUo5YeRw==,type:str]", - "linkwarden_authentik_client_secret": "ENC[AES256_GCM,data:rM17bvCizafHtrXXtbLmXiQRMwlHbyLQF8uFp7BGdkWKt8VSkyP7j8fAoGE27mgQ40nbwLugF3u4ASvgCR+qMAJC3LOjeoOXsg8Lqf/dUfGJDPaD735v1FzrID5GWlI3iw4o2wg4VLTIZ6ygc26UKqntW7aiWM8uP1a0a/MI7/k=,iv:YDVF0nJ5giS7Pbal2clI7M2bJPeOqDJAYJG+BWcAm/c=,tag:NtoxcG+TSYfjhfjwU00Mkw==,type:str]", - "linkwarden_postgresql_password": "ENC[AES256_GCM,data:+qJWT47VQqsaknml4KvGkaESeUmpgiw4tnXNsuVz41VhZaEazchkY8Fvnd0ibNOEaJnE,iv:wK848FeuIeooNbz6s9SkOGZJY54h9ARzxMMo8pT4Ma8=,tag:NbqIdDUTVISjtESBic3fKA==,type:str]", - "llama_api_key": "ENC[AES256_GCM,data:R2GNj+ByN3Punmkv9GRwj3oUBlo0Ys03wz5o5PHEOPuOLoNn7E89On7WmsSD5vyg,iv:ExEma4QvED/Y2SHoLvqDQtbGZ/jwY5itdyNpD56KXkA=,tag:EvIaSWvmX5gb1w5JbmVwjA==,type:str]", - "mailserver_accounts": { - "alarm-valchedrym@viktorbarzin.me": "ENC[AES256_GCM,data:GCC+7hDWYVP/NpNbyZBWFPxHJ1U=,iv:c+81TfvYKz+N/91ohpMfC4ska6eyD7ekw0K8NQUXZHo=,tag:dJ6DmPl+/UTtNo2jR9zc+g==,type:str]", - "alertmanager@viktorbarzin.me": "ENC[AES256_GCM,data:AvhiIAH8mU1a9NdLZD75SJJambc=,iv:n3JcQvEhzj4MNLPjoQl/dYC3/lPfmts43o44alk23Ls=,tag:54lngKt9y1Cd08in05Au3A==,type:str]", - "calibre-web@viktorbarzin.me": "ENC[AES256_GCM,data:wLK7gA34KedTAtesnh0jgEJf1w8xUA==,iv:okDn7N1dGhYan9zQcxCda1D9g5TZJi3W6IrzeomxWqg=,tag:6fPy2BAGupKsG1ng5KAP5g==,type:str]", - "info@viktorbarzin.me": "ENC[AES256_GCM,data:zu6ifI7+ye13sGu48gGuXdWNZ7f9qdKDRA==,iv:kirsDinKMVOwSAQUeYkf2WMTydawLdHyKrHw1saQduQ=,tag:epJnB+FOH97lkerVOlShfQ==,type:str]", - "lubohristov@viktorbarzin.me": 
"ENC[AES256_GCM,data:0Oawhf1easoX23uRNdU32Xxgwn8=,iv:vhfGwKlpQgAAx3yoMSJNZD5ZBF2sps86vPB6S7GR+qk=,tag:02IOB9fnbXgJF2eUleAsBw==,type:str]", - "matrix@viktorbarzin.me": "ENC[AES256_GCM,data:Rww3XkEOboilTPawi2yxtH0IfQ2xtAqT2JVRYI69ERY=,iv:/GAkgsgQ7FKfXbn2XK+wVeKoCjDQDV1Ba6iWhxj412M=,tag:SZqXzVMQNo2Bn+/mfNVJsQ==,type:str]", - "me@viktorbarzin.me": "ENC[AES256_GCM,data:OAufOdHPKjTCFr6dT7T7gcn59fRX3tmc1pfKLe7BW64=,iv:Y4solV7A41z0XVgfM3A1VakZt6zoRW9U2ppyFf0pVek=,tag:esEhHiTzKHggChp1SBM7BA==,type:str]", - "nextcloud@viktorbarzin.me": "ENC[AES256_GCM,data:uTZPlyY1Zvd8NHFmQU/dzAT12hYE1StuHxYn,iv:3UBN3FKJFmLcQjWnzwvOQ+4UtrRME4GbJGbPaLFyw0E=,tag:qGp5r4yuuZkTH8FX3LLyJA==,type:str]", - "r730-idrac@viktorbarzin.me": "ENC[AES256_GCM,data:rvN1ARSvxGEsk4oQNlZC7njfv3I=,iv:JneQxBSxqWdPyx4MsOKJhNG4PrbMQbNDP/MG0Ht7rxw=,tag:zHioxQJvVllK1jIGExKl5g==,type:str]", - "spam@viktorbarzin.me": "ENC[AES256_GCM,data:jyyb0chTOHpkypHbZnMMfyCoiZz3Ng==,iv:i/7G+mDTqTYbmxosOvBAJzeYGqq3z2JSU/Wi7jgE7oI=,tag:qzorZfVTSsem1aC5gXR83w==,type:str]", - "truenas@viktorbarzin.me": "ENC[AES256_GCM,data:Xsfom0Pmxlrq8pPKV+07/h2pc50ldA==,iv:zS6quyFEU7FpbDEtfn5Mj8D+4SuCZ7zxi4EVrMLjxNM=,tag:Ct74NYpNNNXQh65mtMhPRw==,type:str]", - "vaultwarden@viktorbarzin.me": "ENC[AES256_GCM,data:gPjJ7EwBxKuCCyEIXY/iqyY7qZE=,iv:x9p4o4LBu56Ci/1SgDP/tFKtZ5blhSHtPBMbU/tuH44=,tag:5FRdusqtL69wpp0+zNYmZw==,type:str]", - "yoana@viktorbarzin.me": "ENC[AES256_GCM,data:RBqRpAs2ZXXJ+w==,iv:kxAED2b+LnHYN9ztn577j2e55rK9wFACVv1r9dtyd/E=,tag:RX0nhFXto4nrEZQJI9IKXg==,type:str]" - }, - "mailserver_aliases": 
"ENC[AES256_GCM,data:EXnVC5DRGnwofE6vjUrnRErVUM0/VPd/6TTr2DfDtHFkXpp+aGQKrsseyq5G+u7BZmJ8dZNI0PyGi9bnH0E6Kgvg1YUSQfcVrYED9MUnq8/QWlPkk9WXVuiwd2JNCqNEzCB3yGo0GWe5iacl3OdDCDZ68d2ESRissd/hqnJf5Xr8Yc+1Z5qM/uAtmhd6JxcSxTwmhYMG+EaYvF/t75nQKQQejMHYkQSx8oS2lKkAsjAohHhPNSIsBY9+Xmma428mBfw7KagWM05578shSQPA2h3D5Kv1BA5TVYU+zwCXh7kLx8x1Vq85Jd0yHluUEoQr8o4Qv+jv8ye3EN6pG1c6sTehUJFuNq11gCLAuGGGsd0nvwoxNwTPctH1lOnY5lG+MYc/8SC0Lgfb3La/MeS6tLsz0S/nN8bg+UuF95NPLGTVdwgPl2NKzA8rTutwL/V9/K1W95sYcC2zgO65d2SLFiZixb2Ple91slB9vtVzcTETmDd2gZNNG13nIxL3zGWOSBmpA0CL0YH2+X9yRkzYQ8BZs9vY2aNhmRx6netFu6JjGKj09fzb2TO7a1td+MJQBXJFQJEFjGqD+Q==,iv:+yk6DCwVEUgtusXy+ndtOGj0GlPUeFubFxrA4KEn4gk=,tag:9hSPnERKtuPUOae7OHSoNg==,type:str]", - "mailserver_opendkim_key": "ENC[AES256_GCM,data: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,iv:wC7+g8hPWlg9H0qUIs1jK++TFS8W7TRw8ZqWVnq6+v4=,tag:gB5PPoOD4Itq9fzfchJ9bQ==,type:str]", - "mailserver_roundcubemail_db_password": "ENC[AES256_GCM,data:k0TZBh7E62XmJfvDgEY=,iv:vFwkXyfE7S2R+bxHEd8gROfODiESOdBmFsK+IVHoTuI=,tag:fYKyC7HUZJ85QkrABhU9gg==,type:str]", - "mailserver_sasl_passwd": "ENC[AES256_GCM,data:MUtY9XKQK2jH6+O7QT/40h4AKBgM3pq0A9DnbdvVJS8dSC/0xoiUZSNIL3k1dzpRLYdYKb1r0LkTzOLm8rMeG+EOdFOgCjDw4fglqAHyfKsY3cGhyP1CWSGOyG0bwEAm,iv:txf7x9SOa+XOgxNWigcmRnbcqUKnDQT09Q1TI2hep5g=,tag:NOOK2Qyk+7XYZgThDuT4sw==,type:str]", - "mcaptcha_captcha_salt": "ENC[AES256_GCM,data:8G8Co023cTATOQAa/JKRZpBm13aBJZV1Q8JDB1moAfI0ce+e1zG66nJE1Qy7ybRN++KX3ewhO7DUWPomfqXwjg==,iv:oBUD16NsxqcCYaZ/vyrk18q/ezg5eCbfZRfAWBnl79g=,tag:/sL0xNi09qJCIACM8LHvlw==,type:str]", - "mcaptcha_cookie_secret": "ENC[AES256_GCM,data:8WUAPy968p5uWT54Rv8/ih0yYn2dGoMrjEazsdh9eARk8zZZFKzOS/seudJWZOg+yXGCsprwWHhSOYL24FDR7A==,iv:Hk4oAa+gzLvucEm50lL1Rlbtr6es0TfITp2u/zBD4IQ=,tag:QtoGUTmnoHVAH0Gd1vHV7g==,type:str]", - "mcaptcha_postgresql_password": "ENC[AES256_GCM,data:tRzfAjiCpxUn+6Y6vPCMMEsCG1E=,iv:CCnvi3rA5FmXgTlLd//8gyAosD8sK0/MSKiEZHH/z1I=,tag:OB60fgUNcK98ndYQ/YoUhA==,type:str]", - "modal_api_key": 
"ENC[AES256_GCM,data:RUKZv60+OAgBitmBVIUs8qw3VYg8fw2VpIMLLtiXhys98+IBZeJODULvGCJxn5B1Bg0fwtylcrBI,iv:CqXUBooH0ZzTde8EBy+g/dkdo1Sr5s25Kc+6Cl0shy4=,tag:v0lYywkggALJrYVstv6KKg==,type:str]", - "monitoring_idrac_password": "ENC[AES256_GCM,data:DuSMkmB8,iv:A461ld8AHZeg0d8dWXuG2w6KOGOfWXj38WbN3MaOzSo=,tag:PpMG6hlfkzVoiTsQwbjFgQ==,type:str]", - "n8n_postgresql_password": "ENC[AES256_GCM,data:YEK3U1+L9yUXyiexQLI=,iv:6ggyDMPQ8hbRd+ZorHo0jaM7VJtvIoCbpl+9x6t3vaY=,tag:GzHSeVOP1W/KhaD5BhM/Lg==,type:str]", - "netbox_db_password": "ENC[AES256_GCM,data:FPCZR7TwlU474qXPrpasAQMcTvF6lA==,iv:vzGWP9Fl5RDYSL/NI8V5bTWfA1dM4+d3JbURkgSiPUg=,tag:Yc6VQUOtVmNXvIicoWf4xw==,type:str]", - "netbox_superuser_password": "ENC[AES256_GCM,data:n/9lHBDRmonXqXzti0Hjkq6HDy50sshze30=,iv:JY7yUpdltB7yjCY+/8r77cLzq013Uql3mZlfyLMiGPc=,tag:kRXEIRgc6lNnLevkfv59eg==,type:str]", - "nextcloud_db_password": "ENC[AES256_GCM,data:x0Yj8Ea3NRbB9VYqDGeE1g==,iv:e4UbAKcmsOZ9jrfHcdRrkHRUo0k9Iyfpz1T4Uj3Wj6c=,tag:D3GxwaChcs6qbaNvav+vbQ==,type:str]", - "nvidia_api_key": "ENC[AES256_GCM,data:C/U5WI3L5xgps6MwvsAWNdrMqKsFr5St2VjiYUWYUAg51aTLmZSj5GsL3NYePMnW6w1hvTOMAhok6gBCs+Tvu9gSrQD8dQ==,iv:H2YNDJYGu4CibC0Sh/4d1j/jOTA53UFAmuGZhjbDw6Q=,tag:ixML8PCIPwXbgxYQcjpqGg==,type:str]", - "oauth2_proxy_authenticated_emails": "ENC[AES256_GCM,data:uFIyjxjNU/h5Nm7R3NAHQjpN0uGGMehJ1rDkW8Zzri5oPcHHn7+vEydUkwzzTN/g783p2N9NBeLA4KuSDqY=,iv:kkK5h0AwVAki2TDp9ndlvbvd6XF0Ggqlb12neuzOxkc=,tag:HExYiwVqMQiQGfHXxwX7Gw==,type:str]", - "oauth2_proxy_client_id": "ENC[AES256_GCM,data:NBWKQ/qyASbEGr1l2E4OKN9b7sh8xfVmYNRB889olne8+tWmGc1zYAPfWXvxecMqmFITpODmeSUFg4GBNbaUlm13aXRR+N7a,iv:/GIddbau1xw7mThOKgq5iqW5xHE2wT0m5Go3cFw8sZo=,tag:4z5AQ8rZ/sbrZGoB4RiG1A==,type:str]", - "oauth2_proxy_client_secret": "ENC[AES256_GCM,data:Je/sod1zD/a0J3pq3XVC6Zj+l35OmP2WRp7255v0SOQNblk=,iv:MwnpY4SrAnkx9asIRgWmx9EOCXpOuvGpzsR7fiLB3mw=,tag:6OUQ5C8wqkTnyT03P4LFkw==,type:str]", - "ollama_api_credentials": { - "ha-london": 
"ENC[AES256_GCM,data:LuQnU4uuZs3rYQW6kuJ8XZDPJTtgXGgp,iv:aiJRjIB4ZPNe0jAYUHSg468WTJtWIbANI1J2mDE0OXg=,tag:uYYZv7BNNTDoRK9zuuGv3w==,type:str]" - }, - "onlyoffice_db_password": "ENC[AES256_GCM,data:R+BzqtHPgEKzbk4MAK6b0JqeS3QJ,iv:wGa3Wv0GfmhTqCjLyngoUTMhTl1uJ3mG+wUDy5WZ5SM=,tag:GF1cINyq51rNnUjM1ZwUdw==,type:str]", - "onlyoffice_jwt_token": "ENC[AES256_GCM,data:LFDrTbJ894m0R9YeIdvHIemH8ZdU,iv:QhAnYaRgqB3HU64ZRaTqs5djH4c3zvts56o/LEpgX9U=,tag:2RTpn3OhYpMdQKwdH9SdQQ==,type:str]", - "openclaw_skill_secrets": { - "home_assistant_sofia_token": "ENC[AES256_GCM,data:Hlry8IzeQSMqDxXWsnEdbj7ZPqx24kBpHOredOHM41Y/edNKREW8wLX+zFpu3fY6y0VLjho+PCrjCovGIiPp3Hi383HTLfqPEUIkMbX/ld2glsMC8crghoRh1Y9H8BVUmTyKD9LMcwAdRZKDmrRAkvpdKpK21j8qqgNCaERWsAkvmERioaZRKyATSGw8EC5L9E/GZpks2EcCPEidsRLilsiwxPqZfFcXvjnbkgvmuhAd+JkPM6DA,iv:eZMrfF0mKZ+TJEvgQMIGoqnJi83VG+pxPjj+ceMSVLc=,tag:Js4pWgIItZakATRNbs2DbA==,type:str]", - "home_assistant_token": "ENC[AES256_GCM,data:ibSCViFYzpysg1s1od5fnBQoLWlGv7pV/xJ1+0LJhVjFz0DRWOnxsPX6kzKr8hUS94fT17N6A5DO4e/B9gm84myJ4E8X49NW/0sRTjWb0dg2/1L7rQ6Bn+XYnrb0LGgGkDsQSsMJSa4HOYU+UcpFX5SyWHQMMSLf65gc7WRDFmWB7gNpiV5yUdvSdGfWAZUJJopNgW5MCZhiOsCDwtd3+khCWCUsDS/0rSKpczJHLrnwRV2No5wu,iv:hrGZon8F7wbRDY5szwq2eFuovWUbkovu5u1VsDq6L0o=,tag:NHrG85bbgg7X0vkd2w0Zgg==,type:str]", - "slack_webhook": "ENC[AES256_GCM,data:PCZ0n6/aGa51zpz/h9t5xFMDCgHZ+ifGbh0OPP7LmoX/kONKIALzvCkz/h/P57Ch1bzCe0BKlZbJ0B/Xr4v4Wz0C00b0maaMTL9t1XsoESrx,iv:7ZCHwhi4bMxPatxY0oukptB6nIbDSbR+nDDcmzT5uzQ=,tag:grAqpBO++FgmTzgSSW5x1w==,type:str]", - "uptime_kuma_password": "ENC[AES256_GCM,data:G/GaDlrYYvYFv9SxPjlDjg==,iv:pf5cf8lCyQyHYMkipLSMHDP3JNOBwlVIsgcbVKAaOeE=,tag:3QyTPUUs9wIt4iO+o8JgBw==,type:str]" - }, - "openclaw_ssh_key": "ENC[AES256_GCM,data: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,iv:fN6NRV3i0m602VnsNOUAW1aVT5syTG/xafSzfmhb94A=,tag:hypmplIzIcNUAp053Css1A==,type:str]", - "openclaw_telegram_bot_token": 
"ENC[AES256_GCM,data:tGtDl70BeQNuZVn8OX5Z8fsTl/0BurSI96KsXfvpSmpPOAxy1EqUsKyu6zH3kg==,iv:nXF7Hnp1acnxRkPKzaO/4+Gyifpsva1j+fuLWN729MI=,tag:rS4AYwK+fJJrmVm50uqDLQ==,type:str]", - "openrouter_api_key": "ENC[AES256_GCM,data:tdDLvqsVavM7jIN/aiOFk9B/IeZvHBklaWyIQjAHiVcBSt1RkABw4TATlEanNBI45PTADoGfa440pq+eu1ISI1jm53WRn2DV0g==,iv:4ECpEJ9JKJu24yOybtix5Nme2s1wBxdz0dIhjuF4Ujk=,tag:xbUxDFgJ+YNVoZoxz/gCwA==,type:str]", - "owntracks_credentials": { - "anca": "ENC[AES256_GCM,data:ezihwiwwDXnj+8QTbL3MzPVVMst/ggAGIw==,iv:AbGfoWHafD3i9xvUqqlV3voU4cMjxzD+tt1r63E3RH0=,tag:vkZf6rO+GZ/GMrCPKrylYg==,type:str]", - "viktor": "ENC[AES256_GCM,data:wWAsEiQtAiju7Wgv5RkZuhCi+el7HPMhuw==,iv:q1p2igC3MHyhNEaJMDOBfYYmZOwMEQo1x8b2OXe+/0Q=,tag:Q4jTkgYrrdr92ku3FR4R1w==,type:str]" - }, - "paperless_db_password": "ENC[AES256_GCM,data:w1rZnmyA4Ydm5azRnlR+qzvpv0zhbg==,iv:aCU592eUdEsAj157GKH9z1zhz6QlZSI2Ous2wprgI80=,tag:aAWedehfhSz8/rOYbUm+pA==,type:str]", - "pihole_web_password": "ENC[AES256_GCM,data:Nn6KqsoEmwPb/AHiXrLTlFiL8/A=,iv:z3Kwobgsf45jOmGGeT4tWWaHNV3IWwOK3wsNeGC2zbw=,tag:9Uiz1O5LFT9Su5kImZk77w==,type:str]", - "plotting_book_session_secret": "ENC[AES256_GCM,data:GZ7kuJ8U4CvCVJvxQkgILt2NtxHuY2QVkOE8vlQKw+RJBDYTTxlANlFwnIoNSAdy7oXRSXvG80KeThP0jzykgQ==,iv:0vqzT92oAUqnScXEUxN5VaVDx2S9Wk9k5mEIsIHqljA=,tag:4x2RvaPwmzERh5TwdM2VmQ==,type:str]", - "proxmox_pm_api_token_id": "ENC[AES256_GCM,data:rZrGpg4vTBm+k6UgVmOzatHoA6iOwZZ2xUYl9g8yjZU=,iv:x415b4It6ZxoYftXqPkEHFtiTXA0rs8iholPRHhMAGM=,tag:wsRYJxqRjoYjBGyZT0CJ8A==,type:str]", - "proxmox_pm_api_token_secret": "ENC[AES256_GCM,data:bnehUagnQkrZfw5rW15SpUW/bOg+QSxUtE+87iAqKWFwidgT,iv:d8fcVy7rWrkEGmK/fnyFdbuwr1GB4EKbVhV0uw49Pyk=,tag:cd0bZi3XA6MkX3wr5NIpBQ==,type:str]", - "pve_password": "ENC[AES256_GCM,data:mI7Mvj+PNUwGmJzZ3aVny7INMuCDu56HXrM1DA==,iv:LoPq4iGDrojPJOZwLsOXc0z6aPAf2PTi8U3DCQVrAxg=,tag:XoMwCDnVqZwGUQvaknqHQg==,type:str]", - "realestate_crawler_db_password": 
"ENC[AES256_GCM,data:jOsh8ZUqvZ5m95D8hlaJ7WXVBRwi,iv:+78vWBolFZlBTYxO0lAJEneh4O+zRZzZbS5J02ZamOA=,tag:mfJQG/B9K/BqNaF3DQMi5A==,type:str]", - "realestate_crawler_notification_settings": { - "scrape_schedules": "ENC[AES256_GCM,data:+VOch6H2uZMtsaVPfA153DYUXmYT+23p1uW0RFdWIU8kJRT8F1aIjlhyNQNVdw7BCL32BucWrD6D/un7OY+jDhP7sxKHqkPictEZxUWvCTtjHy3J1G4PD41dT20OvH0iMKv/+n5MCoSiErpbF/gW5tECJ8MGp8k0TXopaSEl/OhZJWuIFLm72gbvSw3KBGWhqG1ZGeAgjChcp/i5ST1Itn2Vhc0rYWmQx5wxEXDjrMG6axNs2aTSx6oB4kRksKztWjm0qccMy0EbBa2EJN0TKOP+vt4aIpRKjBeezE/SYuRWBzSDNR79fmEO5WFHMBHSUf5cQ8Yx9aEYdA==,iv:8jXSgHR0a9s+7sz3XjxWMqSYoA3cDIORSyaeNFYyb08=,tag:DtIdZLF99Y2eOlWwxNWzyw==,type:str]", - "slack": "ENC[AES256_GCM,data:RXmdmWXGnEG9BDnqTOGaNCzLrMf8pLVi7E9kkKRoRbCbiZysY3ew8oMSaAFFVFqYDgj5KvICqH0YoxwLKpQctDpsfHTyVreEh5IZtxrC6bUU,iv:UlU8cc/mXt6mYz+QYxwuzqGIsXud3f/CfVC5SPbESYE=,tag:beyPy+rMvi7+VfsOQj47Xw==,type:str]" - }, - "resume_auth_secret": "ENC[AES256_GCM,data:jumPZXMhLxr24wdxuPxFvm1swaueSMaqa5G1LVLs294QMtb2voB1imoAZAc=,iv:AO5zMjbKCwzLiB9NTQ4Mh5p2xYzPOXK358VqZGRqzy0=,tag:jYiBZo+nFVId5iYzysbPiQ==,type:str]", - "resume_database_password": "ENC[AES256_GCM,data:bAo7dY45G1xh1naOc/Q=,iv:cpkBEsL8rHTf+aSQFVsV0BLTSXZDy4YDAhPNz+++LJ0=,tag:9mcJYgDKEccAsC+jEbvhKw==,type:str]", - "shadowsocks_password": "ENC[AES256_GCM,data:krFXDt0WiZcIq7GdPosq1CnWNcs=,iv:KNbg59MBRWy+f3waK5b9VwMj1zpvQ07qaSgnCD9e3pw=,tag:CIGTTdyQD4nubxfzGLsqmA==,type:str]", - "slack_bot_token": "ENC[AES256_GCM,data:54j1SAgDmYuwoRyD6PTBNhzj7PyNHBq+35lUHmfacENKHXy6+3d6FJpP9wjpf0G+dRhNWyILN01Q+Q==,iv:aiMUDRXvfoJ5KSsBZAkszaEXesd4U5De7n1AWZIeBIw=,tag:u7KFRSHoajv9n7i74eJswA==,type:str]", - "speedtest_db_password": "ENC[AES256_GCM,data:uzjYk4ufpxER8PV3GxI=,iv:N78Cxu/QH7+Ekw4IX21zXFCxJgUwV3/P0BYC2Iaz9FA=,tag:mAsCAqGhUu5r4T7hfu0/vw==,type:str]", - "tandoor_database_password": "ENC[AES256_GCM,data:/fh4x5HK2ULhhgbBcfhj+KNIiciCcnRi6g==,iv:U6BE0WWZ0RBku82oMVCZqDQ4BqMD4I+fKlTJ0g3rn8I=,tag:SOR0oQU9DQnNAoBcA2aOSw==,type:str]", - "technitium_db_password": 
"ENC[AES256_GCM,data:BdwBMn8T+0UXXDcLoUk=,iv:+vhDZkyhgEzS5im0z6fobY6BHCpu8iJ+ur+hYOGendw=,tag:XJzw+8WH8jCMBK+Ol2nRjQ==,type:str]", - "technitium_password": "ENC[AES256_GCM,data:aFsEJcEe/E2B4ChgcL0FYp88F6nM6OU=,iv:QLUISYFgI679Hm9stNy3VZfLx/i6EIYg6aaLG6unuPA=,tag:/jIYYmD6SLm+A3VBSATN7w==,type:str]", - "technitium_username": "ENC[AES256_GCM,data:Fwb+tdE=,iv:ooNe/enI37tKC6xF3tBL1BFzjVpW+pHY6IHfxxy2pHo=,tag:Eo2PSjCJ6bRbOaP5mXonxQ==,type:str]", - "tiny_tuya_api_key": "ENC[AES256_GCM,data:uyZKASMX9RvuJfrvMgfOTak/E9k=,iv:oxoPp3glOfQqiTgqHBoEpgKq1FGzqa1OL07Sm+sVDr4=,tag:nsfVyHOMiHsgsH0P4W0mzg==,type:str]", - "tiny_tuya_api_secret": "ENC[AES256_GCM,data:+JR+KkBlC84oqFLzUGMTOpb0hOenrwi90OkmyAhxlws=,iv:YMPIzFOUt4B1haKF1L+rUwe2An+Niw9iIXQJN9fzSyA=,tag:5OpOVJupnpd1Mbbf3q1XJg==,type:str]", - "tiny_tuya_service_secret": "ENC[AES256_GCM,data:sXLvZniuInywgIrPDDM3J4KGZx/fBw==,iv:wgjVygxpGf3EIx/mCjt9/atM2YJPd5xcYeYuaciwVQg=,tag:zpn1EQAOV7XdeeC1KDJSGA==,type:str]", - "tiny_tuya_slack_url": "ENC[AES256_GCM,data:oSzoRkW3/nBeFUHx7VOz3/ZXxupAmvElt6zaAmSBomY4m16TlDKtYoxmE9cpQM4YG9JBRzOjG52m9EX6FhBXElpBblIQiQ7fqcSkzhLsqil1,iv:GV+mEe/paHff+Dj6hGSyhUmXae9e0jwVJfvh7N1DBd4=,tag:WrkAGjVplZ1IW6JfJQvlIw==,type:str]", - "trading_bot_alpaca_api_key": "ENC[AES256_GCM,data:W4f61DeIiNqYky5xfoEKMyO2gGeIKPEHpW0=,iv:xCWv9yLgcsxgpiTH+cps5HqLyvL/ewZ9LWVnQb8oNfI=,tag:uvbx1WvNlXOHNtcGlsF05w==,type:str]", - "trading_bot_alpaca_secret_key": "ENC[AES256_GCM,data:2Q+kpclZ9tcLqGeKLV3C81uMF9QTqbdFKb7cwzOGDnEpPOJmkVfCInlkOWs=,iv:d5QTqzwemGxtfb4QSUffbb+yp0xpQMSDQpWxjwqC8so=,tag:KVyhcs5DHZLWjZw5wROXBQ==,type:str]", - "trading_bot_alpha_vantage_api_key": "ENC[AES256_GCM,data:xut/qn8pgc3jUumfLwfr1A==,iv:AT5Q/2FnxTPTX2IDKC/Yfu1mZYs+qAfFsNBUWuOEdgI=,tag:MsdLz3fZsB5vSp7OXYoRjg==,type:str]", - "trading_bot_db_password": "ENC[AES256_GCM,data:k+Romo+xz+g+3t4XwPpySm6h+O6LoUtdzeDoT5j9EUs=,iv:YvXLsIPPpXP35BfOsLFpo2kxkayeQUlafh9uLkImrIE=,tag:HEVQ2mwdi3ptnOBqFb69Sg==,type:str]", - "trading_bot_fmp_api_key": 
"ENC[AES256_GCM,data:aojOF2EDgWw3lbMZi1GKG8UOsN3UvHpti0Ph15vIDuI=,iv:xlKwfLc/WFyGsE5WRw/TR3SIkCgLbUJ9YU7O9UinW/c=,tag:FcuSUl4S3JbPVp/qu1PS6Q==,type:str]", - "trading_bot_jwt_secret": "ENC[AES256_GCM,data:s+lfu4IO6ODu/SMjddmSXPZhlh9A2g/tL30ixpOnpDHvFJziU8tW73ndm8AgQyNw4pEibyhnwWO4HMU5wrzkGQ==,iv:aaiBLaWp7HQAS2LmYRepsjMTEwyoD0pP3gx1Qi+SZ6Q=,tag:6Hl0+3UBrzjUkEvH0bmfhw==,type:str]", - "trading_bot_reddit_client_id": "ENC[AES256_GCM,data:G+jqNzxqwZ1o,iv:jj1yonf4qh+x/uMt/qqQKZ0TmhYUI4BneD7cNXgZy+E=,tag:OoS4/ouZfWmmwLTJP+t6ng==,type:str]", - "trading_bot_reddit_client_secret": "ENC[AES256_GCM,data:KbshDUnoB5ua,iv:p49bqPteCi+urTaNQSpXiz4ehDwByM8bfW8jpnGJR6E=,tag:1hrQql4TdAJRyIo7ZgDzfg==,type:str]", - "truenas_api_key": "ENC[AES256_GCM,data:2DCtsvTm93dL2/trnQI04Qeco4459brFcjL2M8FzW0oCFs+ZMMwRhqvHtPZqGcQBYAeMyer7o2hv4QSlqul1lAkE,iv:v54AitmRg58WoUFmv1CO1Nz5p+WdFA05fmPVspM9MJE=,tag:s4f+1TeWhfLbpCQ7jY//gA==,type:str]", - "truenas_ssh_private_key": "ENC[AES256_GCM,data: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,iv:wMB1n5Jyf+mc1p1oxOy/ScQ5zmLvLHvabFbkJ+hHFkM=,tag:8z/FlwPO93Xj+6HHRtzH6A==,type:str]", - "url_shortener_api_key": "ENC[AES256_GCM,data:KDM3XiHqDxjJRHs4ecaIP4agIQe5lBaGlBEU9VPhevW4SenG,iv:xO7lyvXdpIsf3K1IubA8TlKk71hPuEUc2ZVUjx4fa8Q=,tag:4y5TxsWHxnTwnCf1o9336w==,type:str]", - "url_shortener_geolite_license_key": "ENC[AES256_GCM,data:SyypTV+c+YDhMxf35jdO6g==,iv:SDE6qd1/bM/m+TIJ2oPd2Llhq0mUkVBKG5hcOrZ3bL0=,tag:lvUQcZltUIhq39AUNkRrwQ==,type:str]", - "url_shortener_mysql_password": "ENC[AES256_GCM,data:GnI1T/ciZ1udCTITxrjfzZm8fSo=,iv:bvsTqxHeJXdH/y8ZbXXglg8GbjH+UWyw9QYW44oi6DI=,tag:V2mr2CN9JaL/YmiOUbhpYw==,type:str]", - "vault_authentik_client_id": "ENC[AES256_GCM,data:qmXVBXOJIAgkL8AqK3IxpfqG9q9LPU4TbTz9hV4CCVgXxPZZMzuIWw==,iv:EkjU41nb8+25FjCu7mVbxrMKDVxjcG0jEfjRbBF6a+k=,tag:TfT8cuD1MDGY3weoZCw0tA==,type:str]", - "vault_authentik_client_secret": 
"ENC[AES256_GCM,data:/+pTFiMbXJCva/P9zW9ozySoYCZVYfMAKShzso+6io62v35CS23ibcqJgPzrd+EjUViLfvFvLmeFhXVgGQ2s2yeP1RFmTwLw75qoh6SYpS5R9F2JmM04ahNcYIXuTsKSEfZFqVk4hsp/lrZ29d2O7SGuXiiFpdJfjfkervnZrTU=,iv:7qk5mWUWL/Jlg8BUieFvVUcNcfqecqBD4IZ8So3OC0U=,tag:6eR30WtQCk67ZwgROCtFGA==,type:str]", - "vault_root_token": "ENC[AES256_GCM,data:ztKrCwtCj8LB1yPvU7Wxw7jqLkJQEmpEPdJDVg==,iv:w62lxzDOz81QyzQ3FyV6C8C26wELdhyKSIok2Fkr0XA=,tag:QWPlFrOmH03NSOkQAfMzgw==,type:str]", - "vaultwarden_smtp_password": "ENC[AES256_GCM,data:ouana3Vk/CJRZzAORx5ja2h+uXQ=,iv:KJk5h7NjPA9+BjTsRdpPHgMSNnggp0oJb/1D8gIF0A4=,tag:paXPWmE0cjmuNcT8spbXDQ==,type:str]", - "vm_wizard_password": "ENC[AES256_GCM,data:G6IAYi8nSOTXXhx9nFmHgoqH0f428T6Sv5Yjv5+WEaVNqG/WtBQNNCMkeDyv0h/0BL9OWbkV2KIhEvLUR465UAF1eIoxApcypQ==,iv:chE/visoUH6jEn0T1O9/GrBzWXDnaUhMoH9bT/NCo7M=,tag:rBQYkU2kKoZDwnq0iGKv9Q==,type:str]", - "wealthfolio_password_hash": "ENC[AES256_GCM,data:s308P7T4/f2Cbu+hAYr+dUbjfQ4gFsfbSnB4tDtdrdkqkHRC5Aw0EOXH0PIW4YrhRPEGS5tHIzgHdB7F5DFZqX+vLZWFh1aHkO/scujYrtGkBk5Z,iv:vAV28VW5S7Pfq4aphSLuRiK9KO7aBzEkeHk7sr6vqb0=,tag:vJsvc56euzVl8Z3vRJTChw==,type:str]", - "webhook_handler_fb_app_secret": "ENC[AES256_GCM,data:TcLkeDv3aR4bRvVlo+Jzo1+suog4G6JJ5mmaQAmfC80=,iv:FRWlDg5MkD5MWbFiAq3prfyqNAUOt4ksQMCit8oxo4Q=,tag:kc5PC9egH/JqaIjHVwRr5Q==,type:str]", - "webhook_handler_fb_page_token": "ENC[AES256_GCM,data:zzJJmQVXPOJpj02vk6oVXW+ZjQrMmWwFGHwfCbutaA3gMMlZctcpuqaPHS/Nhb+Suck3/L1LhOyjYY15yE5AzcrG3G5NT44wowiBOCeNfxKzH/ow579XPhi8Wc1RAyq5F2aJtK1TCDiteF+gr6X43nGQhLQFrFkQOgWGuNIaHtltV4YY7itCNOVycWj2naQ8BcArVDFbBsMOhvYPTLOiQxifCwcIyQaEfi9GrgF2OkOWmVZtMd0GB5Edb9bl3hNVyhEr6dHZYSJ88t+9rz7o3s8O5YtZ,iv:b7HqtSlF2ih35Xz0S0ctOCkBx5l+EhzK4pgpksJS2ks=,tag:WpPo9Pnzbt3p9tznO7YJNQ==,type:str]", - "webhook_handler_fb_verify_token": "ENC[AES256_GCM,data:ITbUuLMhszma/gFlV2MKiXhQyCU=,iv:E4jPQvXIQV4aSOcFaXksrky9UnB2L0jyNV8OY4jC9Uo=,tag:p0gsyAiHXBsn+8OzGxmB5g==,type:str]", - "webhook_handler_git_token": 
"ENC[AES256_GCM,data:GKvzq88PTIq3pkx7iEEPHOpm0hfR3vOxECvzCQ35aIcXulbdVeZR5A==,iv:pobEJvZ24OebTtOprend9mi7Oby6sDor978VkGXFMbo=,tag:qIrpq/3fntIurel8EvGccQ==,type:str]", - "webhook_handler_git_user": "ENC[AES256_GCM,data:FdVaXZUBUB/gvP05,iv:6nchtiu1XAP/NZjifG1wrb9eX4GJJ162JMHybEXPCTI=,tag:dqRDRZVSbtiYHcDREV0/bw==,type:str]", - "webhook_handler_secret": "ENC[AES256_GCM,data:/Mh2uYtlk98EezZd4gwUTGqCLL4=,iv:vPP+aF0p1f0JMBWNvUoVp663xmtKxFoPS7sF28+fOw8=,tag:jTVcvigIMKI8JKF75w240A==,type:str]", - "webhook_handler_ssh_key": "ENC[AES256_GCM,data:ttrNEjKF4M0PPs9JnhG62Fcny66H8ObU/9EgUvlUlYkp7BifKlvDKl18K7UHliaeOqtFV4DrDuxf6sduGqSaqmWGkH01qk/Us5tyPZImyAqz/Rd74Sj6R7+3gtmIUJw4U9Ab9hQdoMsy86HlAQ6qHihmgQr6MVTCq1cFpqX0xtNxCYmhVmBOzKC6MFCEszjL97iAv/ZrB5PUDR50XV5XLPVAgiMf9hIi1z3tbg3jCn83L07NnJT/LsCKQ/86jD/8E6+/Kzrtxy6YeSBMMIvwI7n0PRQold4otHabH8FSkmfRZJowekzXVHdwNxZd7d9DowGNfRRDAdJ9ZUIybgxwU45MpQQIjPJekrmwdAsq3B4/P/S8PPO5UeGydngBeEAu3Dy3MwC12xiDzjYQzvCiNxay6HmpVHQjy10f9+vaka/WP7rXJgZdmF1vKu0jQOtp2VcB7GilG4/ApFOgvv5m7rZp7Jp5naQjooYy6bxw8OoUZ3duA18GZlxf9BMeKATcMVC8dJIImM2UiYIJOE6DpCAdHz0yMsyjcdgfzoahZpxCV84deBKWCqi7nYUBINS6ElcuoKCLsDMyfXa42blNmLy7bRyGD7IlWdsVXblnSKLEJCLOwP6fCtymzdO4DMWYmcqw4684O2dWkB51eo4jBB9qBpXp19UFQ9uPFJlv50FNbIve8xn8GV9IAvQQVYyPp2clN/zWs5CbuDJBWYPxYJelpDSqVP3EOvACCL1iNFFFI7ACSJoWGHkFZkgHTLy8cFnklSbRo2LBdNB7BFISzkPzjmptkYjfWgW4kssphOiRLp7YBsJz5MpKYtYkBxVDLNGY4niaI5fXQxVenQkh6mD65A0mJNgf3HEw0gUYrqJirJbxorlwsVBphcnqLwkLZ5U4OIF6NTyOnO89PNOUcsbyHhjpf6qpfR8/7sm29k4XOHeSQTg3q+dKIQ6tE+tMXd4o5riXrRPIn51C70hdtBrPoNYb4fPx9erIZoLbhkd1t/GZijpO7JZV1X9zZFz0w2DNQ4Rpfl5sMJD6zLyF/63gx1yVNpGx5h4qm1rY04PzsG1Qw5wgUIqsTAHK94SCmfprT+kFNvcEkR7ulcSuualG1MxOPPwRpQ1ihkwoiCRhNMkK47yXeKqvaEWyfdF9SYR+e3CQwyBxBgW2RhgDMTdDGcOl6NGIRfMhQi1QCNBaojF9CZ1uNgu2qhAFhuHyzjSdyws2eY2Y51u44bkfHnVxeySFLK6FSgpV4f52xugI75Z7S9RXen6BeMZtMm3PmbS+7eZkvEy7wABuVAw8Wo636TmmPlZAyICxKm+GINR9NTkHemLebn2UztcM+2fprt0/O96YSKwtQmdy2j7jpSiq9Q3ZvN5gPnMl23mEOsN3rkVyu8zXbLhLNEbwoqV68sC766KoxNUFz2f3twPhglH3xbuCwJpYbpNx7cuhd2wXhF6nnSs
P46Ry8c3V2aDS97ugP4L5tLSuCG5qB0Tz3VSlXw5cIlwKJq1p7V6UxpLgixT85Gsm1S2FKVxvZzFJGjpvi1FTYRUw2liIM1j4wErvrNJwyCTWTDOJe80VRml0Oy0u1vzMCzrhGQaYM5wjeNokk+L6TmjLdMzPMoihpzTV50lK5ZTsI6nYX+ayiKjmicLUfneEefl9z12wGauJbt4X6BJoIPBUfKV/HKbXr6smHq9yMnUw8+hf5EoSBeJNB6gyjvtYJJJQef9j9MzUEuXG0S0TUACxXvhjN1sBqr2syY3V7Tf5LudOkLZECa5heJBRZB9AWaUn0TW4bZEFv446leQj2PXWYd7QjTz81iJIh+vrU0XvocHWmD9cHzZGSUP7ijr3jSFULZVsDmCdF37Ezyo7leqlTOr7zP6aa/9XDawzh+uUPH6VXtq8TwCr5OTSYPLDmN5hHDH5qi8sFzxpYYuX8B0xtKkxqRETdOl25Kyt9N3v5moId92U8LwcePmK6vRKvi0JqJ6UdaA6bJza0cRXEbcBBOjYvgPeN4ExDWy7oeym4YnkuxAh+nXvBX9Xmpnk3bKVd3ehIyfFo63dXywYuCNl/B1DhmGBtbplbKl3Xs6A5XNpdiPRbaO9FBtBpBk41zWJ2FXmIg4R7IMRzJhmqxuRUly2ipg8OistFkP2sWwrilIFSdpqRFgSkXfF4/Nf+xnLUPeYNZo4qQHrdqW5UurQaf7utiFuiaW+jRIoM1xX1pTa3WcHGwR7Jtt1rbdHuZrZoBUXm8Eud3p19zt3iX3tvMCZWtquGDU+kOBCkk3XVbwwG1KGemZLg8PYCSDgNC1r8B5YlIXGcIJC90do7ZA6nWH22/2FwCSysyldDzfQe5xarGzH7I+CmgRWZf0XhjPcI0S1G6lplfPwV4HFCX1B4ojQ3sDi9ho18Ptj0SRVoJkXrLkBJj6xvDZbsHG4QXXcBqAxQdVbv9jbsLdxkp/cDawa8M3dy/MnhgT2idLFMqgHIh0UTdtMWn/8wCzg4kofub7A8ewUMoZnHWLvseS2oOij47P/4UYfRe44M6DlfZNJc467Pq3CB0jN0CEyX29GmdS7YM9imYHseiNJBfWuYE/2+DgmCu5FLJmSm/LvlAYC+qt+HBKBW2ngIAdiaTQzCdHIxkaVyCeTV7ollebx8zZ2+u+XCFQhBJSWcqeisxvG/GKgu8ql6QBG8Uuo55gGpAb5IR4lx8IqNeNw+uEC9mzKy3E+CxtIr3J+Y3v0tkrpgx9fg30n0G1wQEBdUwgtmLyMBNEJzbts3nNe6syOD3t4muryh4mPr+8Mv132IHQclu176IqySLdo9vBMVnWo9pvkRWEG60x/vMDDWaaB8ZE1IVMU11vLImVSYmSktcMzU/zrMBv7bS6cKBX5oVG1dxD7oCiLPFLGNzsek64425u28pT40zoGpbKUAc9P/SM7nsEzuoqy0+g8jiJ3zAyIV6/ONo7fBfFiQKShg+v4kyD+Q3zncgDOUP0Jjk+usAi4CXElV7thzW4iWcxnvBsb7R0OVGcRMBABdFFuSNAqdm2prfyXSbWumwHNIJSZ3jFfej+SRrM2vD5CCMGcCMy2GU5esqkzlYpgscjYcHx2W4aDYo8EuELHueaUC4qooSEDoATT8PdY29lWZrBtRnmlsX6g6rTPSndWiONekoLtGPs6TtW8GpnrmSwXC4fm3e8ZBGTnK4GvGvbcmBM3SmRRgtYTfaML64FpmAnapbFHsjHOLR6WkuXbj/SpO6JrQsxSqnuMzAwABrww1A78gp0ea+S46tTawDGpfnjyrNtKoGbjOdHtu5/mglnyauMh4LVEda7juQQPSoyjjI4voNKWMyAeK89c40K7PFG5RYQrirHGGLVf4/jRq3hGyShguf+qb2n9AAYH9Ap3mf4h3RGZ0DlfqR4BDhjEuX9WJh/z9bWY3AT59s2L93yV2ALxRcuJ/mxlds4AOUPqPrT1uYATXqCIsQlClVt
IW33ajSUDtwK4xlA5h8U+VL/UkQqXzj98fPy/,iv:P1CVxeakIpAKK9jEA6SmQtviluQ+qSbautwFCHMVHus=,tag:5H98IN8pzWg2k6a/3wGObg==,type:str]", - "wireguard_firewall_sh": "ENC[AES256_GCM,data:/yMhzArWE8M8G1ckDn50QJ9zl5KKwWzy2+6zqQJaxVMy1WX2JxIDSiLPX7S7kMNK5otbDqGGj0Dt2TQ00NlFoBsYhXfoFg/+2aKAKRUu3EXJv7F2vBAfqoZVUD6R6STaN9UwzKxgCdS+nC4XX8XxKtVtCofh1D89o3738yJbHcAgQ3J0pidtCG1OcsUTmpE20nJv71txGPCCLACccrOWVdRuyPo22uRloBEYS4bOamhFLi9pGQKNHUW7i/Rf0+mWtDRjUydIao2hmhyzwZi9nFa1bxmfSqIw/dy+5LhY6P1NrMjcwUKvrYsVv+Yqh00ocGGxRTs0n2xpuf3fXpxuZrhQC1YmIKW4TOq29jPGNb3Qa+BTL1hQn4Z0noZUcYiWZjWXbq4rfvWRI/+6dTq1122LtLY7AAqTYqfawQ2MqUdKTksIV0ZW3rd22Pphynl9TrmEEtMvMohLoM2C0JVsGNYy4J1RO8ZJB9rkGX52YiQgRiwinVdu6Z8rp/WBcD/mn1Nui87TmW91htmTfMfZ3mccDhNLdeWSWXoo1g==,iv:h62m/PrGASvUmcCSfoUe5oYd1f5BiyTfOz6qJhjpHX4=,tag:ESVrLQrc64aWUNi7rlYGfw==,type:str]", - "wireguard_wg_0_conf": "ENC[AES256_GCM,data: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,iv:Sr9GT0aJ0bShSoNZs3FJff79gnxFldYOmE+WpfPWBzM=,tag:SfZVGTcoue25lquz08h2rA==,type:str]", - "wireguard_wg_0_key": "ENC[AES256_GCM,data:XmllwnstBwJL/Wf6H4a3GBmBgnuI8G/UH6zUvcFMJZGpP769P+0VwFAzuUs=,iv:cS9M1PLLcGtij43BCZUehzXB4D5Ar+5/rmwPRjsKJF0=,tag:EM6UewtSGrtaCe5aI/IeIQ==,type:str]", - "woodpecker_agent_secret": "ENC[AES256_GCM,data:4VGccKN+0W1bXez7emdVOvIyHoC7nMX1tpHt9yVsZE43u5p0ZMSBfE/b3LgxQL4ffBB98UpD3AMV4JSLyrjChg==,iv:5TtilrXA73cEaRJG3E74vC59Kr9C9VhtLiq/QSQbbpI=,tag:NFkU+rxfwO3omGKcPTH5Ug==,type:str]", - "woodpecker_db_password": "ENC[AES256_GCM,data:GTtotWq1jH3H4XcEa3DLpH/X2VkyUhh5vuYEdvhMCyI=,iv:tHMBR0MpMV9Zj/eMkWU72AtCeBsneRhLBjD0Is6WKQc=,tag:6RySmbeQNFeCkpIz8M+jhw==,type:str]", - "woodpecker_forgejo_client_id": "ENC[AES256_GCM,data:GQne0Xuqa4/V/ZhPSgkjVo37zohgq8uE6x3PtMaggw0CTAu+,iv:0CjXVg5NcVcZxexSi3GAJLjjTSbBj4edtfwdOCBPDFA=,tag:QL5s49tuz4QOLYyB71xYxA==,type:str]", - "woodpecker_forgejo_client_secret": 
"ENC[AES256_GCM,data:7Lg4TMelDgHmUQ9vbxb6+sDTxQwEGqtJnB35x6WsnhXEkVd58rUPa99h3HmIJQsxkA2qQDLnkI0=,iv:qRq9lG7aJJ1QBxyioIvUuwSfnCmDCKxcphdG0PhnqZc=,tag:ucwIaxruoclu2ovsNMvlvg==,type:str]", - "woodpecker_github_client_id": "ENC[AES256_GCM,data:u06M94x8adG2GZpisBInrKgGKU0=,iv:RdWi22saS4zdNU//UVBcsmGP+hCfJf6AnBmPVIxQdsg=,tag:yphGXlZqUeEm3KqjQI8W9g==,type:str]", - "woodpecker_github_client_secret": "ENC[AES256_GCM,data:Q0DkBDgPto5OghEdzkEti18cYTT4PmhE3UbD8HLXbeR9pDomrF3dLg==,iv:fN+OQ/JHidK7/x16MYhcCpcVIbJZkprybSkzg7NrIQ4=,tag:NJA6zpMkMky8ragr5ZV/JA==,type:str]", - "xray_reality_clients": [ - { - "id": "ENC[AES256_GCM,data:NcNtLMqbu0htEqfxKq4UDAAzI4OUzDazGO7oD1/qQqlDzy/R,iv:CLPh/UhKf/Ee33RXevmn5wW6tueHUcIhN1rAQsVecpk=,tag:tUbk4o2EY27TMEqzc/hEsg==,type:str]" - } - ], - "xray_reality_private_key": "ENC[AES256_GCM,data:8RSx/KeB4wTuRxI6GNs+mJMSILBshMVupckC8Hci6eLoChVsYoETutt6SA==,iv:VIzqntZUo813HyBZ7dqmmWtvy8CNB5AavFkhqSispOg=,tag:MoYUxN26/JrCNzmxatmMwg==,type:str]", - "xray_reality_short_ids": [ - "ENC[AES256_GCM,data:DNbZIBk5,iv:p+kMCMGPvCGF8t23gG0de5NVFfC3A3znkmcEvLXW0G0=,tag:sjLLqv8cY0ZVUoX3eO3uKQ==,type:str]", - "ENC[AES256_GCM,data:YjpASLFqi30=,iv:HxiKr7D80stWpf/o3TNoVN+h5+IU3MuMbRdeofbHCmw=,tag:B9hb8eu98a/GtqDuM0h/4w==,type:str]", - "ENC[AES256_GCM,data:/tUCBm7cub4=,iv:amwTI5IQKy/0RYGYXg8C1HOlLcfB6EO5VzbCbxWuKN0=,tag:6i/dXt/o7yI1LMK/NCvtAQ==,type:str]", - "ENC[AES256_GCM,data:MFl+6q0lXQg=,iv:iOjdHjn9Z38SxUz4PgIbMu/MwrPLVQCCGqpbArZsiDo=,tag:u7RaKXSwFfwBlDE6HPzH7Q==,type:str]", - "ENC[AES256_GCM,data:qHA7ed6uIbo=,iv:O6j0NFutkwD4ApqWlvvHmeaVcOvB/pOJTtrbQ50IylI=,tag:JZeScjVUhUgk6mk32Mrs8g==,type:str]", - "ENC[AES256_GCM,data:FVT8c9pdvn8=,iv:UnKfJIOqTCzi6PWaG6IAXABHXhB47h+QV1l2zzQM2i4=,tag:QULHY5e71V5zpSHxZdND3A==,type:str]" - ], - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age1z64h9t3acsm2rr74pz7j4846kwj5tutx9sk78jqv46y8fln4vs2sy920ce", - "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0RjBhQTczcEQyNXpCb3Nj\nMVRXQnFuVTZGTVVVMWZnR1lxKzJIcCt0N1hjCkxGb3ZwVjNTVERFMWlzSnl1RXpF\nMFd5WFdyN0t0SnNuK2N1dzBGZTRxeGsKLS0tIHpVdkpOam9WbWltTnpZRndxWU5E\nSS94QVJIMUQ2S05GOFNDVFVpS3cyVFEKJ1OgN/Jm5FDUwpmyPup9HtnGiMG4rLTk\n1iYSfavyWSUHxK81k8eXTuK8y8GzXpxajuV5YSUvmEHWfCB3Qtzy9A==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1hrafaswdslw4u63scxp8u5ye4tf8h0xjah0v85w280phy06m0vespz2u0n", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrOHhkM3BvWlRZSml0WDNj\nSERkT2pvblg1Y0dwTEtOd1ZheWFXbjJJNUZFCjFuL01kNC9naVdxQjZmNVpFamo2\nQ1R6TGQvL0hsU2daTnFyZ2NpSWJoTW8KLS0tIFhDUFUwdElEY1ZWR3dyYVpMdEQr\na3V0UTl2ZHFURmc2N0szUk5RQnhXK2MK/7Dmplzr+uCjGThSAn2bIxKZqNATKOpx\nqAOZuKr8XdykTPMOEtsjn8hl7IqzAJWRzHmzIiPQapvw1AVuuw6ySQ==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2026-03-14T16:16:38Z", - "mac": "ENC[AES256_GCM,data:U97CyfOWlCbUoFOFErdLhtm6AQtVl9imzjTxneaT89E+JumQeumNJLnsSFWdodiYoVuumDCWC2b47rqRaFPT/sEbghkMHStYR82KVSHNEJFICz1QTGSfdaH74RMTzMP7SmkZqNQUaS/IKmRORE5W/1eJ3aTpVIaotx76KmAAjMo=,iv:wIx1yBDTshX4PtOgRumPA4sU+4MNOv3ZVuhtgIUgfCE=,tag:Xkc+QxFcGc4ILC8ogH+JOQ==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.9.4" - } -} \ No newline at end of file diff --git a/stacks/actualbudget/.terraform.lock.hcl b/stacks/actualbudget/.terraform.lock.hcl index afde2320..b6a18b36 100644 --- a/stacks/actualbudget/.terraform.lock.hcl +++ b/stacks/actualbudget/.terraform.lock.hcl 
@@ -57,3 +57,23 @@ provider "registry.terraform.io/hashicorp/random" { "zh:f49fd62aa8c5525a5c17abd51e27ca5e213881d58882fd42fec4a545b53c9699", ] } + +provider "registry.terraform.io/hashicorp/vault" { + version = "4.8.0" + constraints = "~> 4.0" + hashes = [ + "h1:GPfhH6dr1LY0foPBDYv9bEGifx7eSwYqFcEAOWOUxLk=", + "zh:269ab13433f67684012ae7e15876532b0312f5d0d2002a9cf9febb1279ce5ea6", + "zh:4babc95bf0c40eb85005db1dc2ca403c46be4a71dd3e409db3711a56f7a5ca0e", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:86e27c1c625ecc24446a11eeffc3ac319b36c2b4e51251db8579256a0dbcf136", + "zh:a32f31da94824009e26b077374440b52098aecb93c92ff55dc3d31dd37c4ea25", + "zh:be0a18c6c0425518bab4fbffd82078b82036a88503b5d76064de551c9f646cbf", + "zh:be5a77fdfd36863ebeec79cd12b1d13322ffad6821d157a0b279789fa06b5937", + "zh:be8317d142a3caad74c7d936039ae27076a1b2b8312ef5208e2871a5f525977c", + "zh:c94a84895a3d9954b80e983eed4603330a5cdbbd8eef5b3c99278c2d1402ef3c", + "zh:de1fb712784dd8415f011ca5346a34f87fab6046c730557615247e511dbc7d98", + "zh:e3eafae7da550f86cae395d6660b2a0e93ec8d2b0e0e5ef982ec762e961fc952", + "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83", + ] +} diff --git a/stacks/actualbudget/providers.tf b/stacks/actualbudget/providers.tf index 4cd042f5..f4845cc8 100644 --- a/stacks/actualbudget/providers.tf +++ b/stacks/actualbudget/providers.tf @@ -1,8 +1,22 @@ # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa +terraform { + required_providers { + vault = { + source = "hashicorp/vault" + version = "~> 4.0" + } + } +} + variable "kube_config_path" { + type = string + default = "~/.kube/config" +} + +variable "vault_root_token" { type = string - default = "~/.kube/config" sensitive = true + default = "" } provider "kubernetes" { @@ -14,3 +28,9 @@ provider "helm" { config_path = var.kube_config_path } } + +provider "vault" { + address = "https://vault.viktorbarzin.me" + token = var.vault_root_token + skip_child_token = true +} 
diff --git a/stacks/external-secrets/main.tf b/stacks/external-secrets/main.tf
new file mode 100644
index 00000000..b4477e38
--- /dev/null
+++ b/stacks/external-secrets/main.tf
@@ -0,0 +1,80 @@
+resource "kubernetes_namespace" "external_secrets" {
+ metadata {
+ name = "external-secrets"
+ labels = {
+ tier = local.tiers.cluster
+ }
+ }
+}
+
+resource "helm_release" "external_secrets" {
+ name = "external-secrets"
+ namespace = kubernetes_namespace.external_secrets.metadata[0].name
+ repository = "https://charts.external-secrets.io"
+ chart = "external-secrets"
+ version = "0.12.1"
+
+ values = [yamlencode({
+ installCRDs = true
+ })]
+}
+
+# --- ClusterSecretStore for Vault KV v2 ---
+
+resource "kubernetes_manifest" "css_vault_kv" {
+ manifest = {
+ apiVersion = "external-secrets.io/v1beta1"
+ kind = "ClusterSecretStore"
+ metadata = { name = "vault-kv" }
+ spec = {
+ provider = {
+ vault = {
+ server = "http://vault-active.vault.svc.cluster.local:8200"
+ path = "secret"
+ version = "v2"
+ auth = {
+ kubernetes = {
+ mountPath = "kubernetes"
+ role = "eso"
+ serviceAccountRef = {
+ name = "external-secrets"
+ namespace = "external-secrets"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ depends_on = [helm_release.external_secrets]
+}
+
+# --- ClusterSecretStore for Vault Database Engine ---
+
+resource "kubernetes_manifest" "css_vault_db" {
+ manifest = {
+ apiVersion = "external-secrets.io/v1beta1"
+ kind = "ClusterSecretStore"
+ metadata = { name = "vault-database" }
+ spec = {
+ provider = {
+ vault = {
+ server = "http://vault-active.vault.svc.cluster.local:8200"
+ path = "database"
+ version = "v1"
+ auth = {
+ kubernetes = {
+ mountPath = "kubernetes"
+ role = "eso"
+ serviceAccountRef = {
+ name = "external-secrets"
+ namespace = "external-secrets"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ depends_on = [helm_release.external_secrets]
+}
diff --git a/stacks/external-secrets/terragrunt.hcl b/stacks/external-secrets/terragrunt.hcl
new file mode 100644
index 00000000..c4938f1f
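Review bot: Both ClusterSecretStores in stacks/external-secrets/main.tf (`css_vault_kv` and `css_vault_db`) reach Vault over `http://vault-active.vault.svc.cluster.local:8200`, so the service-account JWT used for Kubernetes auth and every secret value returned cross the pod network unencrypted. If the in-cluster Vault listener serves TLS (not visible in this diff), I would switch both to `server = "https://vault-active.vault.svc.cluster.local:8200"` and pin the CA with the store's `caProvider` or `caBundle` field. Separately, a ClusterSecretStore can be referenced from every namespace, and both stores share the single `eso` role, so any namespace allowed to create an ExternalSecret can read whatever that role's policy grants. Adding `conditions` with an explicit namespace list to each store, or using namespaced SecretStores with per-namespace Vault roles, would narrow that. The policy bound to `eso` is defined outside this file, so its actual reach should be checked there.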
--- /dev/null +++ b/stacks/external-secrets/terragrunt.hcl @@ -0,0 +1,8 @@ +include "root" { + path = find_in_parent_folders() +} + +dependency "vault" { + config_path = "../vault" + skip_outputs = true +} diff --git a/stacks/external-secrets/tiers.tf b/stacks/external-secrets/tiers.tf new file mode 100644 index 00000000..eb0f8083 --- /dev/null +++ b/stacks/external-secrets/tiers.tf @@ -0,0 +1,10 @@ +# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa +locals { + tiers = { + core = "0-core" + cluster = "1-cluster" + gpu = "2-gpu" + edge = "3-edge" + aux = "4-aux" + } +} diff --git a/stacks/freedify/.terraform.lock.hcl b/stacks/freedify/.terraform.lock.hcl index 1e5d8b27..8830db04 100644 --- a/stacks/freedify/.terraform.lock.hcl +++ b/stacks/freedify/.terraform.lock.hcl @@ -38,3 +38,23 @@ provider "registry.terraform.io/hashicorp/kubernetes" { "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } + +provider "registry.terraform.io/hashicorp/vault" { + version = "4.8.0" + constraints = "~> 4.0" + hashes = [ + "h1:GPfhH6dr1LY0foPBDYv9bEGifx7eSwYqFcEAOWOUxLk=", + "zh:269ab13433f67684012ae7e15876532b0312f5d0d2002a9cf9febb1279ce5ea6", + "zh:4babc95bf0c40eb85005db1dc2ca403c46be4a71dd3e409db3711a56f7a5ca0e", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:86e27c1c625ecc24446a11eeffc3ac319b36c2b4e51251db8579256a0dbcf136", + "zh:a32f31da94824009e26b077374440b52098aecb93c92ff55dc3d31dd37c4ea25", + "zh:be0a18c6c0425518bab4fbffd82078b82036a88503b5d76064de551c9f646cbf", + "zh:be5a77fdfd36863ebeec79cd12b1d13322ffad6821d157a0b279789fa06b5937", + "zh:be8317d142a3caad74c7d936039ae27076a1b2b8312ef5208e2871a5f525977c", + "zh:c94a84895a3d9954b80e983eed4603330a5cdbbd8eef5b3c99278c2d1402ef3c", + "zh:de1fb712784dd8415f011ca5346a34f87fab6046c730557615247e511dbc7d98", + "zh:e3eafae7da550f86cae395d6660b2a0e93ec8d2b0e0e5ef982ec762e961fc952", + "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83", + ] +} 
diff --git a/stacks/freedify/providers.tf b/stacks/freedify/providers.tf index 4cd042f5..f4845cc8 100644 --- a/stacks/freedify/providers.tf +++ b/stacks/freedify/providers.tf @@ -1,8 +1,22 @@ # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa +terraform { + required_providers { + vault = { + source = "hashicorp/vault" + version = "~> 4.0" + } + } +} + variable "kube_config_path" { + type = string + default = "~/.kube/config" +} + +variable "vault_root_token" { type = string - default = "~/.kube/config" sensitive = true + default = "" } provider "kubernetes" { @@ -14,3 +28,9 @@ provider "helm" { config_path = var.kube_config_path } } + +provider "vault" { + address = "https://vault.viktorbarzin.me" + token = var.vault_root_token + skip_child_token = true +} diff --git a/stacks/linkwarden/.terraform.lock.hcl b/stacks/linkwarden/.terraform.lock.hcl index afde2320..b6a18b36 100644 --- a/stacks/linkwarden/.terraform.lock.hcl +++ b/stacks/linkwarden/.terraform.lock.hcl 
@@ -57,3 +57,23 @@ provider "registry.terraform.io/hashicorp/random" { "zh:f49fd62aa8c5525a5c17abd51e27ca5e213881d58882fd42fec4a545b53c9699", ] } + +provider "registry.terraform.io/hashicorp/vault" { + version = "4.8.0" + constraints = "~> 4.0" + hashes = [ + "h1:GPfhH6dr1LY0foPBDYv9bEGifx7eSwYqFcEAOWOUxLk=", + "zh:269ab13433f67684012ae7e15876532b0312f5d0d2002a9cf9febb1279ce5ea6", + "zh:4babc95bf0c40eb85005db1dc2ca403c46be4a71dd3e409db3711a56f7a5ca0e", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:86e27c1c625ecc24446a11eeffc3ac319b36c2b4e51251db8579256a0dbcf136", + "zh:a32f31da94824009e26b077374440b52098aecb93c92ff55dc3d31dd37c4ea25", + "zh:be0a18c6c0425518bab4fbffd82078b82036a88503b5d76064de551c9f646cbf", + "zh:be5a77fdfd36863ebeec79cd12b1d13322ffad6821d157a0b279789fa06b5937", + "zh:be8317d142a3caad74c7d936039ae27076a1b2b8312ef5208e2871a5f525977c", + "zh:c94a84895a3d9954b80e983eed4603330a5cdbbd8eef5b3c99278c2d1402ef3c", + "zh:de1fb712784dd8415f011ca5346a34f87fab6046c730557615247e511dbc7d98", + "zh:e3eafae7da550f86cae395d6660b2a0e93ec8d2b0e0e5ef982ec762e961fc952", + "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83", + ] +} diff --git a/stacks/linkwarden/providers.tf b/stacks/linkwarden/providers.tf index 516f9fed..f4845cc8 100644 --- a/stacks/linkwarden/providers.tf +++ b/stacks/linkwarden/providers.tf @@ -1,9 +1,24 @@ # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa +terraform { + required_providers { + vault = { + source = "hashicorp/vault" + version = "~> 4.0" + } + } +} + variable "kube_config_path" { type = string default = "~/.kube/config" } +variable "vault_root_token" { + type = string + sensitive = true + default = "" +} + provider "kubernetes" { config_path = var.kube_config_path } @@ -13,3 +28,9 @@ provider "helm" { config_path = var.kube_config_path } } + +provider "vault" { + address = "https://vault.viktorbarzin.me" + token = var.vault_root_token + skip_child_token = true +} 
diff --git a/stacks/nextcloud/.terraform.lock.hcl b/stacks/nextcloud/.terraform.lock.hcl index 1e5d8b27..8830db04 100644 --- a/stacks/nextcloud/.terraform.lock.hcl +++ b/stacks/nextcloud/.terraform.lock.hcl @@ -38,3 +38,23 @@ provider "registry.terraform.io/hashicorp/kubernetes" { "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] } + +provider "registry.terraform.io/hashicorp/vault" { + version = "4.8.0" + constraints = "~> 4.0" + hashes = [ + "h1:GPfhH6dr1LY0foPBDYv9bEGifx7eSwYqFcEAOWOUxLk=", + "zh:269ab13433f67684012ae7e15876532b0312f5d0d2002a9cf9febb1279ce5ea6", + "zh:4babc95bf0c40eb85005db1dc2ca403c46be4a71dd3e409db3711a56f7a5ca0e", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:86e27c1c625ecc24446a11eeffc3ac319b36c2b4e51251db8579256a0dbcf136", + "zh:a32f31da94824009e26b077374440b52098aecb93c92ff55dc3d31dd37c4ea25", + "zh:be0a18c6c0425518bab4fbffd82078b82036a88503b5d76064de551c9f646cbf", + "zh:be5a77fdfd36863ebeec79cd12b1d13322ffad6821d157a0b279789fa06b5937", + "zh:be8317d142a3caad74c7d936039ae27076a1b2b8312ef5208e2871a5f525977c", + "zh:c94a84895a3d9954b80e983eed4603330a5cdbbd8eef5b3c99278c2d1402ef3c", + "zh:de1fb712784dd8415f011ca5346a34f87fab6046c730557615247e511dbc7d98", + "zh:e3eafae7da550f86cae395d6660b2a0e93ec8d2b0e0e5ef982ec762e961fc952", + "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83", + ] +} diff --git a/stacks/nextcloud/providers.tf b/stacks/nextcloud/providers.tf index 7b5cc7b8..f4845cc8 100644 --- a/stacks/nextcloud/providers.tf +++ b/stacks/nextcloud/providers.tf @@ -1,8 +1,22 @@ # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa +terraform { + required_providers { + vault = { + source = "hashicorp/vault" + version = "~> 4.0" + } + } +} + variable "kube_config_path" { type = string default = "~/.kube/config" +} + +variable "vault_root_token" { + type = string sensitive = true + default = "" } provider "kubernetes" { 
@@ -14,3 +28,9 @@ provider "helm" { config_path = var.kube_config_path } } + +provider "vault" { + address = "https://vault.viktorbarzin.me" + token = var.vault_root_token + skip_child_token = true +} diff --git a/stacks/openclaw/providers.tf b/stacks/openclaw/providers.tf index f4845cc8..860c9eba 100644 --- a/stacks/openclaw/providers.tf +++ b/stacks/openclaw/providers.tf @@ -13,12 +13,6 @@ variable "kube_config_path" { default = "~/.kube/config" } -variable "vault_root_token" { - type = string - sensitive = true - default = "" -} - provider "kubernetes" { config_path = var.kube_config_path } @@ -31,6 +25,5 @@ provider "helm" { provider "vault" { address = "https://vault.viktorbarzin.me" - token = var.vault_root_token skip_child_token = true } diff --git a/stacks/platform/backend.tf b/stacks/platform/backend.tf index 6d424f69..f9db2d0d 100644 --- a/stacks/platform/backend.tf +++ b/stacks/platform/backend.tf @@ -1,6 +1,6 @@ # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa terraform { backend "local" { - path = "/woodpecker/src/github.com/ViktorBarzin/infra/state/stacks/platform/terraform.tfstate" + path = "/Users/viktorbarzin/code/infra/state/stacks/platform/terraform.tfstate" } } diff --git a/stacks/servarr/.terraform.lock.hcl b/stacks/servarr/.terraform.lock.hcl index afde2320..b6a18b36 100644 --- a/stacks/servarr/.terraform.lock.hcl +++ b/stacks/servarr/.terraform.lock.hcl 
@@ -57,3 +57,23 @@ provider "registry.terraform.io/hashicorp/random" { "zh:f49fd62aa8c5525a5c17abd51e27ca5e213881d58882fd42fec4a545b53c9699", ] } + +provider "registry.terraform.io/hashicorp/vault" { + version = "4.8.0" + constraints = "~> 4.0" + hashes = [ + "h1:GPfhH6dr1LY0foPBDYv9bEGifx7eSwYqFcEAOWOUxLk=", + "zh:269ab13433f67684012ae7e15876532b0312f5d0d2002a9cf9febb1279ce5ea6", + "zh:4babc95bf0c40eb85005db1dc2ca403c46be4a71dd3e409db3711a56f7a5ca0e", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:86e27c1c625ecc24446a11eeffc3ac319b36c2b4e51251db8579256a0dbcf136", + "zh:a32f31da94824009e26b077374440b52098aecb93c92ff55dc3d31dd37c4ea25", + "zh:be0a18c6c0425518bab4fbffd82078b82036a88503b5d76064de551c9f646cbf", + "zh:be5a77fdfd36863ebeec79cd12b1d13322ffad6821d157a0b279789fa06b5937", + "zh:be8317d142a3caad74c7d936039ae27076a1b2b8312ef5208e2871a5f525977c", + "zh:c94a84895a3d9954b80e983eed4603330a5cdbbd8eef5b3c99278c2d1402ef3c", + "zh:de1fb712784dd8415f011ca5346a34f87fab6046c730557615247e511dbc7d98", + "zh:e3eafae7da550f86cae395d6660b2a0e93ec8d2b0e0e5ef982ec762e961fc952", + "zh:ff35fb1ab6add288f0f368981e56f780b50405accd1937131cba1137999c8d83", + ] +} diff --git a/stacks/servarr/providers.tf b/stacks/servarr/providers.tf index 7b5cc7b8..f4845cc8 100644 --- a/stacks/servarr/providers.tf +++ b/stacks/servarr/providers.tf @@ -1,8 +1,22 @@ # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa +terraform { + required_providers { + vault = { + source = "hashicorp/vault" + version = "~> 4.0" + } + } +} + variable "kube_config_path" { type = string default = "~/.kube/config" +} + +variable "vault_root_token" { + type = string sensitive = true + default = "" } provider "kubernetes" { @@ -14,3 +28,9 @@ provider "helm" { config_path = var.kube_config_path } } + +provider "vault" { + address = "https://vault.viktorbarzin.me" + token = var.vault_root_token + skip_child_token = true +} 
diff --git a/stacks/speedtest/providers.tf b/stacks/speedtest/providers.tf index f4845cc8..860c9eba 100644 --- a/stacks/speedtest/providers.tf +++ b/stacks/speedtest/providers.tf @@ -13,12 +13,6 @@ variable "kube_config_path" { default = "~/.kube/config" } -variable "vault_root_token" { - type = string - sensitive = true - default = "" -} - provider "kubernetes" { config_path = var.kube_config_path } @@ -31,6 +25,5 @@ provider "helm" { provider "vault" { address = "https://vault.viktorbarzin.me" - token = var.vault_root_token skip_child_token = true } diff --git a/stacks/vault/main.tf b/stacks/vault/main.tf index 98cef9a2..d12dacd4 100644 --- a/stacks/vault/main.tf +++ b/stacks/vault/main.tf @@ -3,12 +3,6 @@ variable "tls_secret_name" { sensitive = true } -variable "vault_authentik_client_id" { type = string } -variable "vault_authentik_client_secret" { - type = string - sensitive = true -} - variable "nfs_server" { type = string } @@ -142,14 +136,22 @@ resource "helm_release" "vault" { })] } +# --- Self-read: Vault's own OIDC credentials from KV --- + +data "vault_kv_secret_v2" "vault" { + mount = "secret" + name = "vault" + depends_on = [helm_release.vault] +} + # --- OIDC Authentication via Authentik --- resource "vault_jwt_auth_backend" "oidc" { path = "oidc" type = "oidc" oidc_discovery_url = "https://authentik.viktorbarzin.me/application/o/vault/" - oidc_client_id = var.vault_authentik_client_id - oidc_client_secret = var.vault_authentik_client_secret + oidc_client_id = data.vault_kv_secret_v2.vault.data["authentik_client_id"] + oidc_client_secret = data.vault_kv_secret_v2.vault.data["authentik_client_secret"] default_role = "default" tune { listing_visibility = "hidden" 
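Review bot: The `data "vault_kv_secret_v2" "vault"` read added in the `@@ -142,14 +136,22 @@` hunk of stacks/vault/main.tf requires a Vault that is already initialised, unsealed and holding `secret/vault`, yet this same stack installs Vault through `helm_release.vault`; on a fresh cluster or after a restore the read will fail before the OIDC backend can be configured. Because operators now authenticate with `vault login -method=oidc`, the OIDC client credentials are fetched with a token that itself comes from OIDC, so a broken or misconfigured backend cannot be repaired through the normal login path. I would document the seeding and break-glass steps above the data source, for example `# Requires secret/vault (authentik_client_id, authentik_client_secret) to be seeded manually before first apply; recovery needs a non-OIDC token.` The `vault_jwt_auth_backend "oidc"` block continues past the end of the hunk, so its remaining settings were not reviewed.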
@@ -290,992 +292,365 @@ resource "kubernetes_cron_job_v1" "vault_backup" { } # ============================================================================= -# Vault KV Secret Population -# ============================================================================= -# Reads secrets from SOPS (-var-file) and writes them to Vault KV v2 at -# secret/. Consuming stacks read from Vault instead of SOPS. +# Kubernetes Auth Method # ============================================================================= +# Used by ESO, Woodpecker CI, and OpenClaw to authenticate to Vault. -# --- Variable Declarations (secrets consumed by other stacks) --- - -# Simple string secrets -variable "speedtest_db_password" { - type = string - sensitive = true -} -variable "hackmd_db_password" { - type = string - sensitive = true -} -variable "n8n_postgresql_password" { - type = string - sensitive = true -} -variable "tandoor_database_password" { - type = string - sensitive = true -} -variable "shadowsocks_password" { - type = string - sensitive = true -} -variable "coturn_turn_secret" { - type = string - sensitive = true -} -variable "wealthfolio_password_hash" { - type = string - sensitive = true -} -variable "plotting_book_session_secret" { - type = string - sensitive = true -} -variable "discord_user_token" { - type = string - sensitive = true -} -variable "health_postgresql_password" { - type = string - sensitive = true -} -variable "health_secret_key" { - type = string - sensitive = true -} -variable "onlyoffice_db_password" { - type = string - sensitive = true -} -variable "onlyoffice_jwt_token" { - type = string - sensitive = true -} -variable "netbox_db_password" { - type = string - sensitive = true -} -variable "netbox_superuser_password" { - type = string - sensitive = true -} -variable "clickhouse_password" { - type = string - sensitive = true -} -variable "clickhouse_postgres_password" { - type = string - sensitive = true -} -variable "diun_nfty_token" { - type = string - 
sensitive = true -} -variable "diun_slack_url" { - type = string - sensitive = true -} -variable "forgejo_authentik_client_id" { - type = string - sensitive = true -} -variable "forgejo_authentik_client_secret" { - type = string - sensitive = true -} -variable "dawarich_database_password" { - type = string - sensitive = true -} -variable "geoapify_api_key" { - type = string - sensitive = true -} -variable "resume_auth_secret" { - type = string - sensitive = true -} -variable "url_shortener_api_key" { - type = string - sensitive = true -} -variable "url_shortener_geolite_license_key" { - type = string - sensitive = true -} -variable "url_shortener_mysql_password" { - type = string - sensitive = true -} -variable "linkwarden_authentik_client_id" { - type = string - sensitive = true -} -variable "linkwarden_authentik_client_secret" { - type = string - sensitive = true -} -variable "linkwarden_postgresql_password" { - type = string - sensitive = true -} -variable "tiny_tuya_api_key" { - type = string - sensitive = true -} -variable "tiny_tuya_api_secret" { - type = string - sensitive = true -} -variable "tiny_tuya_service_secret" { - type = string - sensitive = true -} -variable "tiny_tuya_slack_url" { - type = string - sensitive = true -} -variable "claude_memory_api_key" { - type = string - sensitive = true -} -variable "dbaas_postgresql_root_password" { - type = string - sensitive = true -} -variable "openrouter_api_key" { - type = string - sensitive = true -} -variable "slack_bot_token" { - type = string - sensitive = true -} -variable "woodpecker_agent_secret" { - type = string - sensitive = true -} -variable "woodpecker_db_password" { - type = string - sensitive = true -} -variable "woodpecker_forgejo_client_id" { - type = string - sensitive = true -} -variable "woodpecker_forgejo_client_secret" { - type = string - sensitive = true -} -variable "woodpecker_github_client_id" { - type = string - sensitive = true -} -variable "woodpecker_github_client_secret" { - 
type = string - sensitive = true -} -variable "webhook_handler_secret" { - type = string - sensitive = true -} -variable "webhook_handler_fb_verify_token" { - type = string - sensitive = true -} -variable "webhook_handler_fb_page_token" { - type = string - sensitive = true -} -variable "webhook_handler_fb_app_secret" { - type = string - sensitive = true -} -variable "webhook_handler_git_user" { - type = string - sensitive = true -} -variable "webhook_handler_git_token" { - type = string - sensitive = true -} -variable "webhook_handler_ssh_key" { - type = string - sensitive = true -} -variable "trading_bot_db_password" { - type = string - sensitive = true -} -variable "trading_bot_alpaca_api_key" { - type = string - sensitive = true -} -variable "trading_bot_alpaca_secret_key" { - type = string - sensitive = true -} -variable "trading_bot_jwt_secret" { - type = string - sensitive = true -} -variable "trading_bot_reddit_client_id" { - type = string - sensitive = true -} -variable "trading_bot_reddit_client_secret" { - type = string - sensitive = true -} -variable "trading_bot_alpha_vantage_api_key" { - type = string - sensitive = true -} -variable "trading_bot_fmp_api_key" { - type = string - sensitive = true -} -variable "openclaw_ssh_key" { - type = string - sensitive = true -} -variable "llama_api_key" { - type = string - sensitive = true -} -variable "brave_api_key" { - type = string - sensitive = true -} -variable "nvidia_api_key" { - type = string - sensitive = true -} -variable "anthropic_api_key" { - type = string - sensitive = true -} -variable "openclaw_telegram_bot_token" { - type = string - sensitive = true -} -variable "forgejo_api_token" { - type = string - sensitive = true -} -variable "affine_postgresql_password" { - type = string - sensitive = true -} -variable "immich_postgresql_password" { - type = string - sensitive = true -} -variable "immich_frame_api_key" { - type = string - sensitive = true -} -variable "nextcloud_db_password" { - type = 
string - sensitive = true -} -variable "paperless_db_password" { - type = string - sensitive = true -} -variable "realestate_crawler_db_password" { - type = string - sensitive = true -} -variable "aiostreams_database_connection_string" { - type = string - sensitive = true +resource "vault_auth_backend" "kubernetes" { + type = "kubernetes" + depends_on = [helm_release.vault] } -# Platform-specific secrets -variable "dbaas_root_password" { - type = string - sensitive = true -} -variable "dbaas_pgadmin_password" { - type = string - sensitive = true -} -variable "ingress_crowdsec_api_key" { - type = string - sensitive = true -} -variable "auth_fallback_htpasswd" { - type = string - sensitive = true - default = "" -} -variable "technitium_db_password" { - type = string - sensitive = true -} -variable "authentik_secret_key" { - type = string - sensitive = true -} -variable "authentik_postgres_password" { - type = string - sensitive = true -} -variable "crowdsec_enroll_key" { - type = string - sensitive = true -} -variable "crowdsec_db_password" { - type = string - sensitive = true -} -variable "crowdsec_dash_api_key" { - type = string - sensitive = true -} -variable "crowdsec_dash_machine_id" { - type = string - sensitive = true -} -variable "crowdsec_dash_machine_password" { - type = string - sensitive = true -} -variable "alertmanager_slack_api_url" { - type = string - sensitive = true -} -variable "cloudflare_api_key" { - type = string - sensitive = true -} -variable "cloudflare_tunnel_token" { - type = string - sensitive = true -} -variable "alertmanager_account_password" { - type = string - sensitive = true -} -variable "monitoring_idrac_password" { - type = string - sensitive = true -} -variable "haos_api_token" { - type = string - sensitive = true -} -variable "pve_password" { - type = string - sensitive = true -} -variable "grafana_db_password" { - type = string - sensitive = true -} -variable "grafana_admin_password" { - type = string - sensitive = true -} 
-variable "vaultwarden_smtp_password" { - type = string - sensitive = true -} -variable "technitium_username" { - type = string - sensitive = true -} -variable "technitium_password" { - type = string - sensitive = true -} -variable "truenas_api_key" { - type = string - sensitive = true -} -variable "truenas_ssh_private_key" { - type = string - sensitive = true -} -variable "xray_reality_private_key" { - type = string - sensitive = true -} -variable "mailserver_roundcubemail_db_password" { - type = string - sensitive = true -} -variable "headscale_config" { - type = string - sensitive = true -} -variable "headscale_acl" { - type = string - sensitive = true -} -variable "wireguard_wg_0_conf" { - type = string - sensitive = true -} -variable "wireguard_wg_0_key" { - type = string - sensitive = true -} -variable "wireguard_firewall_sh" { - type = string - sensitive = true +resource "vault_kubernetes_auth_backend_config" "k8s" { + backend = vault_auth_backend.kubernetes.path + kubernetes_host = "https://kubernetes.default.svc" } -# Complex type secrets -variable "homepage_credentials" { - type = map(any) - sensitive = true +# --- CI Policy & Role (Woodpecker) --- + +resource "vault_policy" "ci" { + name = "ci" + policy = <<-EOT + path "secret/data/*" { + capabilities = ["read", "list"] + } + path "secret/metadata/*" { + capabilities = ["list"] + } + EOT } -variable "mailserver_accounts" { - sensitive = true + +resource "vault_kubernetes_auth_backend_role" "ci" { + backend = vault_auth_backend.kubernetes.path + role_name = "ci" + bound_service_account_names = ["default"] + bound_service_account_namespaces = ["woodpecker"] + token_policies = [vault_policy.ci.name] + token_ttl = 3600 } -variable "mailserver_aliases" { - sensitive = true + +# --- ESO Policy & Role --- + +resource "vault_policy" "eso_reader" { + name = "eso-reader" + policy = <<-EOT + # KV secrets + path "secret/data/*" { + capabilities = ["read", "list"] + } + # Deny access to vault's administrative secrets 
+ path "secret/data/vault" { + capabilities = ["deny"] + } + path "database/static-creds/*" { + capabilities = ["read"] + } + EOT } -variable "mailserver_opendkim_key" { - sensitive = true + +resource "vault_kubernetes_auth_backend_role" "eso" { + backend = vault_auth_backend.kubernetes.path + role_name = "eso" + bound_service_account_names = ["external-secrets"] + bound_service_account_namespaces = ["external-secrets"] + token_policies = [vault_policy.eso_reader.name] + token_ttl = 3600 } -variable "mailserver_sasl_passwd" { - sensitive = true + +# --- Woodpecker Secret Sync Policy & Role --- + +resource "vault_policy" "woodpecker_sync" { + name = "woodpecker-sync" + policy = <<-EOT + path "secret/data/ci/*" { + capabilities = ["read", "list"] + } + EOT } -variable "actualbudget_credentials" { - type = map(any) - sensitive = true + +resource "vault_kubernetes_auth_backend_role" "woodpecker_sync" { + backend = vault_auth_backend.kubernetes.path + role_name = "woodpecker-sync" + bound_service_account_names = ["default"] + bound_service_account_namespaces = ["woodpecker"] + token_policies = [vault_policy.woodpecker_sync.name] + token_ttl = 600 } -variable "freedify_credentials" { - type = map(any) - sensitive = true + +# --- OpenClaw Policy & Role --- + +resource "vault_policy" "openclaw_k8s" { + name = "openclaw-k8s" + policy = <<-EOT + path "kubernetes/creds/openclaw" { + capabilities = ["read"] + } + path "secret/data/*" { + capabilities = ["read", "list"] + } + EOT } -variable "ollama_api_credentials" { - type = map(string) - sensitive = true -} -variable "owntracks_credentials" { - type = map(string) - sensitive = true -} -variable "realestate_crawler_notification_settings" { - type = map(string) - sensitive = true -} -variable "openclaw_skill_secrets" { - type = map(string) - sensitive = true -} -variable "k8s_users" { - type = map(any) - sensitive = true - default = {} -} -variable "xray_reality_clients" { - type = list(map(string)) - sensitive = true -} 
-variable "xray_reality_short_ids" { - type = list(string) - sensitive = true + +resource "vault_kubernetes_auth_backend_role" "openclaw" { + backend = vault_auth_backend.kubernetes.path + role_name = "openclaw" + bound_service_account_names = ["openclaw"] + bound_service_account_namespaces = ["openclaw"] + token_policies = [vault_policy.openclaw_k8s.name] + token_ttl = 3600 } # ============================================================================= -# KV Secret Resources — one per consuming stack +# Database Secrets Engine — Static Password Rotation +# ============================================================================= +# Rotates app-level DB passwords automatically. Root/operator passwords excluded. + +resource "vault_mount" "database" { + path = "database" + type = "database" + depends_on = [helm_release.vault] +} + +# MySQL connection — app user rotation only +resource "vault_database_secret_backend_connection" "mysql" { + backend = vault_mount.database.path + name = "mysql" + allowed_roles = [ + "mysql-speedtest", "mysql-wrongmove", "mysql-codimd", + "mysql-nextcloud", "mysql-shlink", "mysql-grafana" + ] + + mysql { + connection_url = "{{username}}:{{password}}@tcp(mysql.dbaas.svc.cluster.local:3306)/" + username = "root" + password = data.vault_kv_secret_v2.vault.data["dbaas_root_password"] + } + depends_on = [vault_mount.database] +} + +# PostgreSQL connection — CNPG superuser +resource "vault_database_secret_backend_connection" "postgresql" { + backend = vault_mount.database.path + name = "postgresql" + allowed_roles = [ + "pg-trading", "pg-health", "pg-linkwarden", + "pg-affine", "pg-woodpecker", "pg-claude-memory" + ] + + postgresql { + connection_url = "postgresql://{{username}}:{{password}}@postgresql.dbaas.svc.cluster.local:5432/postgres?sslmode=disable" + username = "postgres" + password = data.vault_kv_secret_v2.vault.data["dbaas_postgresql_root_password"] + } + depends_on = [vault_mount.database] +} + +# --- MySQL Static Roles --- + 
+resource "vault_database_secret_backend_static_role" "mysql_speedtest" { + backend = vault_mount.database.path + db_name = vault_database_secret_backend_connection.mysql.name + name = "mysql-speedtest" + username = "speedtest" + rotation_period = 86400 +} + +resource "vault_database_secret_backend_static_role" "mysql_wrongmove" { + backend = vault_mount.database.path + db_name = vault_database_secret_backend_connection.mysql.name + name = "mysql-wrongmove" + username = "wrongmove" + rotation_period = 86400 +} + +resource "vault_database_secret_backend_static_role" "mysql_codimd" { + backend = vault_mount.database.path + db_name = vault_database_secret_backend_connection.mysql.name + name = "mysql-codimd" + username = "codimd" + rotation_period = 86400 +} + +resource "vault_database_secret_backend_static_role" "mysql_nextcloud" { + backend = vault_mount.database.path + db_name = vault_database_secret_backend_connection.mysql.name + name = "mysql-nextcloud" + username = "nextcloud" + rotation_period = 86400 +} + +resource "vault_database_secret_backend_static_role" "mysql_shlink" { + backend = vault_mount.database.path + db_name = vault_database_secret_backend_connection.mysql.name + name = "mysql-shlink" + username = "shlink" + rotation_period = 86400 +} + +resource "vault_database_secret_backend_static_role" "mysql_grafana" { + backend = vault_mount.database.path + db_name = vault_database_secret_backend_connection.mysql.name + name = "mysql-grafana" + username = "grafana" + rotation_period = 86400 +} + +# --- PostgreSQL Static Roles --- + +resource "vault_database_secret_backend_static_role" "pg_trading" { + backend = vault_mount.database.path + db_name = vault_database_secret_backend_connection.postgresql.name + name = "pg-trading" + username = "trading" + rotation_period = 86400 +} + +resource "vault_database_secret_backend_static_role" "pg_health" { + backend = vault_mount.database.path + db_name = vault_database_secret_backend_connection.postgresql.name + 
name = "pg-health" + username = "health" + rotation_period = 86400 +} + +resource "vault_database_secret_backend_static_role" "pg_linkwarden" { + backend = vault_mount.database.path + db_name = vault_database_secret_backend_connection.postgresql.name + name = "pg-linkwarden" + username = "linkwarden" + rotation_period = 86400 +} + +resource "vault_database_secret_backend_static_role" "pg_affine" { + backend = vault_mount.database.path + db_name = vault_database_secret_backend_connection.postgresql.name + name = "pg-affine" + username = "affine" + rotation_period = 86400 +} + +resource "vault_database_secret_backend_static_role" "pg_woodpecker" { + backend = vault_mount.database.path + db_name = vault_database_secret_backend_connection.postgresql.name + name = "pg-woodpecker" + username = "woodpecker" + rotation_period = 86400 +} + +resource "vault_database_secret_backend_static_role" "pg_claude_memory" { + backend = vault_mount.database.path + db_name = vault_database_secret_backend_connection.postgresql.name + name = "pg-claude-memory" + username = "claude_memory" + rotation_period = 86400 +} + +# ============================================================================= +# Kubernetes Secrets Engine — Dynamic K8s Credentials # ============================================================================= -resource "vault_kv_secret_v2" "speedtest" { - mount = "secret" - name = "speedtest" - data_json = jsonencode({ - db_password = var.speedtest_db_password - }) - depends_on = [helm_release.vault] +resource "vault_kubernetes_secret_backend" "k8s" { + path = "kubernetes" + kubernetes_host = "https://kubernetes.default.svc" + disable_local_ca_jwt = false + depends_on = [helm_release.vault] } -resource "vault_kv_secret_v2" "hackmd" { - mount = "secret" - name = "hackmd" - data_json = jsonencode({ - db_password = var.hackmd_db_password - }) - depends_on = [helm_release.vault] +# RBAC for Vault to manage K8s tokens/SAs +resource "kubernetes_cluster_role" 
"vault_k8s_engine" { + metadata { name = "vault-k8s-engine" } + rule { + api_groups = [""] + resources = ["serviceaccounts/token"] + verbs = ["create"] + } + rule { + api_groups = [""] + resources = ["serviceaccounts"] + verbs = ["get", "create", "update", "delete"] + } + rule { + api_groups = ["rbac.authorization.k8s.io"] + resources = ["rolebindings", "clusterrolebindings"] + verbs = ["create", "update", "delete"] + } + rule { + api_groups = ["rbac.authorization.k8s.io"] + resources = ["roles", "clusterroles"] + verbs = ["bind", "escalate"] + } } -resource "vault_kv_secret_v2" "n8n" { - mount = "secret" - name = "n8n" - data_json = jsonencode({ - db_password = var.n8n_postgresql_password - }) - depends_on = [helm_release.vault] +resource "kubernetes_cluster_role_binding" "vault_k8s_engine" { + metadata { name = "vault-k8s-engine" } + subject { + kind = "ServiceAccount" + name = "vault" + namespace = kubernetes_namespace.vault.metadata[0].name + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "ClusterRole" + name = kubernetes_cluster_role.vault_k8s_engine.metadata[0].name + } } -resource "vault_kv_secret_v2" "tandoor" { - mount = "secret" - name = "tandoor" - data_json = jsonencode({ - db_password = var.tandoor_database_password - }) - depends_on = [helm_release.vault] +# --- K8s Dashboard — short-lived admin tokens --- + +resource "vault_kubernetes_secret_backend_role" "dashboard_admin" { + backend = vault_kubernetes_secret_backend.k8s.path + name = "dashboard-admin" + allowed_kubernetes_namespaces = ["kubernetes-dashboard"] + token_default_ttl = 3600 + token_max_ttl = 86400 + service_account_name = "kubernetes-dashboard" } -resource "vault_kv_secret_v2" "shadowsocks" { - mount = "secret" - name = "shadowsocks" - data_json = jsonencode({ - password = var.shadowsocks_password - }) - depends_on = [helm_release.vault] +# --- CI Deployer — scoped pipeline credentials --- + +resource "kubernetes_cluster_role" "ci_deployer" { + metadata { name = 
"ci-deployer" } + rule { + api_groups = ["apps"] + resources = ["deployments"] + verbs = ["get", "list", "patch"] + } + rule { + api_groups = [""] + resources = ["pods"] + verbs = ["get", "list"] + } } -resource "vault_kv_secret_v2" "coturn" { - mount = "secret" - name = "coturn" - data_json = jsonencode({ - turn_secret = var.coturn_turn_secret - }) - depends_on = [helm_release.vault] +resource "vault_kubernetes_secret_backend_role" "ci_deployer" { + backend = vault_kubernetes_secret_backend.k8s.path + name = "ci-deployer" + allowed_kubernetes_namespaces = ["*"] + token_default_ttl = 1800 + token_max_ttl = 3600 + kubernetes_role_type = "ClusterRole" + kubernetes_role_name = kubernetes_cluster_role.ci_deployer.metadata[0].name } -resource "vault_kv_secret_v2" "wealthfolio" { - mount = "secret" - name = "wealthfolio" - data_json = jsonencode({ - password_hash = var.wealthfolio_password_hash - }) - depends_on = [helm_release.vault] +# --- OpenClaw — short-lived tokens for existing SA --- + +resource "vault_kubernetes_secret_backend_role" "openclaw" { + backend = vault_kubernetes_secret_backend.k8s.path + name = "openclaw" + allowed_kubernetes_namespaces = ["*"] + token_default_ttl = 3600 + token_max_ttl = 86400 + service_account_name = "openclaw" } -resource "vault_kv_secret_v2" "plotting-book" { - mount = "secret" - name = "plotting-book" - data_json = jsonencode({ - session_secret = var.plotting_book_session_secret - }) - depends_on = [helm_release.vault] +# --- Local Admin — dynamic kubeconfig tokens --- + +resource "vault_kubernetes_secret_backend_role" "local_admin" { + backend = vault_kubernetes_secret_backend.k8s.path + name = "local-admin" + allowed_kubernetes_namespaces = ["*"] + token_default_ttl = 3600 + token_max_ttl = 86400 + kubernetes_role_type = "ClusterRole" + kubernetes_role_name = "cluster-admin" } - -resource "vault_kv_secret_v2" "f1-stream" { - mount = "secret" - name = "f1-stream" - data_json = jsonencode({ - discord_user_token = 
var.discord_user_token - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "health" { - mount = "secret" - name = "health" - data_json = jsonencode({ - db_password = var.health_postgresql_password - secret_key = var.health_secret_key - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "onlyoffice" { - mount = "secret" - name = "onlyoffice" - data_json = jsonencode({ - db_password = var.onlyoffice_db_password - jwt_token = var.onlyoffice_jwt_token - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "netbox" { - mount = "secret" - name = "netbox" - data_json = jsonencode({ - db_password = var.netbox_db_password - superuser_password = var.netbox_superuser_password - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "rybbit" { - mount = "secret" - name = "rybbit" - data_json = jsonencode({ - clickhouse_password = var.clickhouse_password - postgres_password = var.clickhouse_postgres_password - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "diun" { - mount = "secret" - name = "diun" - data_json = jsonencode({ - nfty_token = var.diun_nfty_token - slack_url = var.diun_slack_url - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "forgejo" { - mount = "secret" - name = "forgejo" - data_json = jsonencode({ - authentik_client_id = var.forgejo_authentik_client_id - authentik_client_secret = var.forgejo_authentik_client_secret - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "dawarich" { - mount = "secret" - name = "dawarich" - data_json = jsonencode({ - db_password = var.dawarich_database_password - geoapify_api_key = var.geoapify_api_key - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "resume" { - mount = "secret" - name = "resume" - data_json = jsonencode({ - auth_secret = var.resume_auth_secret - mailserver_accounts = jsonencode(var.mailserver_accounts) - }) - 
depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "url" { - mount = "secret" - name = "url" - data_json = jsonencode({ - api_key = var.url_shortener_api_key - geolite_license_key = var.url_shortener_geolite_license_key - db_password = var.url_shortener_mysql_password - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "linkwarden" { - mount = "secret" - name = "linkwarden" - data_json = jsonencode({ - authentik_client_id = var.linkwarden_authentik_client_id - authentik_client_secret = var.linkwarden_authentik_client_secret - db_password = var.linkwarden_postgresql_password - homepage_credentials = jsonencode(var.homepage_credentials) - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "tuya-bridge" { - mount = "secret" - name = "tuya-bridge" - data_json = jsonencode({ - api_key = var.tiny_tuya_api_key - api_secret = var.tiny_tuya_api_secret - service_secret = var.tiny_tuya_service_secret - slack_url = var.tiny_tuya_slack_url - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "claude-memory" { - mount = "secret" - name = "claude-memory" - data_json = jsonencode({ - api_key = var.claude_memory_api_key - dbaas_root_password = var.dbaas_postgresql_root_password - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "ytdlp" { - mount = "secret" - name = "ytdlp" - data_json = jsonencode({ - openrouter_api_key = var.openrouter_api_key - slack_bot_token = var.slack_bot_token - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "woodpecker" { - mount = "secret" - name = "woodpecker" - data_json = jsonencode({ - dbaas_root_password = var.dbaas_postgresql_root_password - agent_secret = var.woodpecker_agent_secret - db_password = var.woodpecker_db_password - forgejo_client_id = var.woodpecker_forgejo_client_id - forgejo_client_secret = var.woodpecker_forgejo_client_secret - github_client_id = var.woodpecker_github_client_id - 
github_client_secret = var.woodpecker_github_client_secret - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "webhook_handler" { - mount = "secret" - name = "webhook-handler" - data_json = jsonencode({ - secret = var.webhook_handler_secret - fb_verify_token = var.webhook_handler_fb_verify_token - fb_page_token = var.webhook_handler_fb_page_token - fb_app_secret = var.webhook_handler_fb_app_secret - git_user = var.webhook_handler_git_user - git_token = var.webhook_handler_git_token - ssh_key = var.webhook_handler_ssh_key - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "trading-bot" { - mount = "secret" - name = "trading-bot" - data_json = jsonencode({ - dbaas_root_password = var.dbaas_postgresql_root_password - db_password = var.trading_bot_db_password - alpaca_api_key = var.trading_bot_alpaca_api_key - alpaca_secret_key = var.trading_bot_alpaca_secret_key - jwt_secret = var.trading_bot_jwt_secret - reddit_client_id = var.trading_bot_reddit_client_id - reddit_client_secret = var.trading_bot_reddit_client_secret - alpha_vantage_api_key = var.trading_bot_alpha_vantage_api_key - fmp_api_key = var.trading_bot_fmp_api_key - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "openclaw" { - mount = "secret" - name = "openclaw" - data_json = jsonencode({ - ssh_key = var.openclaw_ssh_key - skill_secrets = jsonencode(var.openclaw_skill_secrets) - llama_api_key = var.llama_api_key - brave_api_key = var.brave_api_key - openrouter_api_key = var.openrouter_api_key - nvidia_api_key = var.nvidia_api_key - anthropic_api_key = var.anthropic_api_key - telegram_bot_token = var.openclaw_telegram_bot_token - forgejo_api_token = var.forgejo_api_token - claude_memory_api_key = var.claude_memory_api_key - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "affine" { - mount = "secret" - name = "affine" - data_json = jsonencode({ - db_password = var.affine_postgresql_password - 
mailserver_accounts = jsonencode(var.mailserver_accounts) - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "grampsweb" { - mount = "secret" - name = "grampsweb" - data_json = jsonencode({ - mailserver_accounts = jsonencode(var.mailserver_accounts) - }) - depends_on = [helm_release.vault] -} - -# --- Homepage-only stacks --- - -resource "vault_kv_secret_v2" "audiobookshelf" { - mount = "secret" - name = "audiobookshelf" - data_json = jsonencode({ - homepage_credentials = jsonencode(var.homepage_credentials) - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "calibre" { - mount = "secret" - name = "calibre" - data_json = jsonencode({ - homepage_credentials = jsonencode(var.homepage_credentials) - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "changedetection" { - mount = "secret" - name = "changedetection" - data_json = jsonencode({ - homepage_credentials = jsonencode(var.homepage_credentials) - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "freshrss" { - mount = "secret" - name = "freshrss" - data_json = jsonencode({ - homepage_credentials = jsonencode(var.homepage_credentials) - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "navidrome" { - mount = "secret" - name = "navidrome" - data_json = jsonencode({ - homepage_credentials = jsonencode(var.homepage_credentials) - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "servarr" { - mount = "secret" - name = "servarr" - data_json = jsonencode({ - homepage_credentials = jsonencode(var.homepage_credentials) - aiostreams_database_connection_string = var.aiostreams_database_connection_string - }) - depends_on = [helm_release.vault] -} - -# --- Complex stacks (map secrets) --- - -resource "vault_kv_secret_v2" "actualbudget" { - mount = "secret" - name = "actualbudget" - data_json = jsonencode({ - credentials = jsonencode(var.actualbudget_credentials) - }) - 
depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "freedify" { - mount = "secret" - name = "freedify" - data_json = jsonencode({ - credentials = jsonencode(var.freedify_credentials) - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "ollama" { - mount = "secret" - name = "ollama" - data_json = jsonencode({ - api_credentials = jsonencode(var.ollama_api_credentials) - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "owntracks" { - mount = "secret" - name = "owntracks" - data_json = jsonencode({ - credentials = jsonencode(var.owntracks_credentials) - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "real-estate-crawler" { - mount = "secret" - name = "real-estate-crawler" - data_json = jsonencode({ - db_password = var.realestate_crawler_db_password - notification_settings = jsonencode(var.realestate_crawler_notification_settings) - }) - depends_on = [helm_release.vault] -} - -# --- Stacks with homepage_credentials + other secrets --- - -resource "vault_kv_secret_v2" "immich" { - mount = "secret" - name = "immich" - data_json = jsonencode({ - db_password = var.immich_postgresql_password - frame_api_key = var.immich_frame_api_key - homepage_credentials = jsonencode(var.homepage_credentials) - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "nextcloud" { - mount = "secret" - name = "nextcloud" - data_json = jsonencode({ - db_password = var.nextcloud_db_password - homepage_credentials = jsonencode(var.homepage_credentials) - }) - depends_on = [helm_release.vault] -} - -resource "vault_kv_secret_v2" "paperless-ngx" { - mount = "secret" - name = "paperless-ngx" - data_json = jsonencode({ - db_password = var.paperless_db_password - homepage_credentials = jsonencode(var.homepage_credentials) - }) - depends_on = [helm_release.vault] -} - -# --- Platform stack (largest — all core/cluster secrets) --- - -resource "vault_kv_secret_v2" "platform" { - mount = 
"secret" - name = "platform" - data_json = jsonencode({ - dbaas_root_password = var.dbaas_root_password - dbaas_postgresql_root_password = var.dbaas_postgresql_root_password - dbaas_pgadmin_password = var.dbaas_pgadmin_password - ingress_crowdsec_api_key = var.ingress_crowdsec_api_key - auth_fallback_htpasswd = var.auth_fallback_htpasswd - technitium_db_password = var.technitium_db_password - homepage_credentials = jsonencode(var.homepage_credentials) - headscale_config = var.headscale_config - headscale_acl = var.headscale_acl - authentik_secret_key = var.authentik_secret_key - authentik_postgres_password = var.authentik_postgres_password - k8s_users = jsonencode(var.k8s_users) - crowdsec_enroll_key = var.crowdsec_enroll_key - crowdsec_db_password = var.crowdsec_db_password - crowdsec_dash_api_key = var.crowdsec_dash_api_key - crowdsec_dash_machine_id = var.crowdsec_dash_machine_id - crowdsec_dash_machine_password = var.crowdsec_dash_machine_password - alertmanager_slack_api_url = var.alertmanager_slack_api_url - cloudflare_api_key = var.cloudflare_api_key - cloudflare_tunnel_token = var.cloudflare_tunnel_token - alertmanager_account_password = var.alertmanager_account_password - monitoring_idrac_password = var.monitoring_idrac_password - tiny_tuya_service_secret = var.tiny_tuya_service_secret - haos_api_token = var.haos_api_token - pve_password = var.pve_password - grafana_db_password = var.grafana_db_password - grafana_admin_password = var.grafana_admin_password - vaultwarden_smtp_password = var.vaultwarden_smtp_password - wireguard_wg_0_conf = var.wireguard_wg_0_conf - wireguard_wg_0_key = var.wireguard_wg_0_key - wireguard_firewall_sh = var.wireguard_firewall_sh - xray_reality_clients = jsonencode(var.xray_reality_clients) - xray_reality_private_key = var.xray_reality_private_key - xray_reality_short_ids = jsonencode(var.xray_reality_short_ids) - mailserver_accounts = jsonencode(var.mailserver_accounts) - mailserver_aliases = jsonencode(var.mailserver_aliases) 
- mailserver_opendkim_key = jsonencode(var.mailserver_opendkim_key) - mailserver_sasl_passwd = jsonencode(var.mailserver_sasl_passwd) - mailserver_roundcubemail_db_password = var.mailserver_roundcubemail_db_password - webhook_handler_git_user = var.webhook_handler_git_user - webhook_handler_git_token = var.webhook_handler_git_token - technitium_username = var.technitium_username - technitium_password = var.technitium_password - truenas_api_key = var.truenas_api_key - truenas_ssh_private_key = var.truenas_ssh_private_key - }) - depends_on = [helm_release.vault] -} - diff --git a/terragrunt.hcl b/terragrunt.hcl index b591c981..8a8a1e87 100644 --- a/terragrunt.hcl +++ b/terragrunt.hcl @@ -13,9 +13,8 @@ remote_state { } } -# Load config.tfvars (plaintext) + secrets.auto.tfvars.json (SOPS-decrypted). -# Run `scripts/tg` instead of raw `terragrunt` — it decrypts secrets first. -# Falls back to terraform.tfvars if it exists (migration compatibility). +# Load config.tfvars (plaintext) + terraform.tfvars (git-crypt encrypted, migration). +# Secrets come from Vault KV — authenticate via `vault login -method=oidc`. terraform { extra_arguments "common_vars" { commands = get_terraform_commands_that_need_vars() @@ -23,8 +22,7 @@ terraform { "${get_repo_root()}/config.tfvars" ] optional_var_files = [ - "${get_repo_root()}/terraform.tfvars", - "${get_repo_root()}/secrets.auto.tfvars.json" + "${get_repo_root()}/terraform.tfvars" ] } @@ -34,12 +32,6 @@ terraform { "-var", "kube_config_path=${get_repo_root()}/config" ] } - - # Safety: fail if neither secrets source exists - before_hook "check_secrets" { - commands = ["apply", "plan", "destroy"] - execute = ["sh", "-c", "test -f ${get_repo_root()}/secrets.auto.tfvars.json || test -f ${get_repo_root()}/terraform.tfvars || (echo 'ERROR: No secrets file found. Run scripts/tg instead of terragrunt directly.' && exit 1)"] - } } # Generate kubernetes + helm providers for K8s stacks. 
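Review bot: In the `@@ -290,992 +292,365 @@` hunk, the `ci` and `openclaw-k8s` policies grant `read` on `secret/data/*`, which also matches `secret/data/vault`. That is the path this file reads `authentik_client_secret`, `dbaas_root_password` and `dbaas_postgresql_root_password` from, and only `eso-reader` carries the explicit deny. I would add the same stanza, `path "secret/data/vault" { capabilities = ["deny"] }`, to both policies, or preferably narrow each to the paths it needs, as `woodpecker-sync` already does with `secret/data/ci/*`. The exposure is wider than it first looks because the `ci` and `woodpecker-sync` roles are both bound to the `default` service account in the `woodpecker` namespace, so any pod running under that account can log in with either role. A dedicated service account per role would make the binding meaningful. Separately, `local-admin` issues `cluster-admin` tokens and `vault-k8s-engine` holds `bind`/`escalate` on cluster roles, so these Vault policies are effectively the boundary for cluster-admin and should carry a comment saying so.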
@@ -62,12 +54,6 @@ variable "kube_config_path" { default = "~/.kube/config" } -variable "vault_root_token" { - type = string - sensitive = true - default = "" -} - provider "kubernetes" { config_path = var.kube_config_path } @@ -80,7 +66,6 @@ provider "helm" { provider "vault" { address = "https://vault.viktorbarzin.me" - token = var.vault_root_token skip_child_token = true } EOF