From 5a4fe58b86fbf70b1de85e8e1a61a75600bb5687 Mon Sep 17 00:00:00 2001
From: Conrad Kramer <conrad@conradkramer.com>
Date: Sat, 18 Apr 2026 17:47:17 -0700
Subject: [PATCH] Add Jett forge access and rekey secrets

---
 contributors.nix                              |   2 ++
 nixos/hosts/burrow-forge/default.nix          |  30 ++++++++++++++++++
 nixos/keys/jett_at_burrow_net.pub             |   1 +
 secrets.nix                                   |   2 ++
 .../authentik-google-account-map.json.age     | Bin 968 -> 1078 bytes
 secrets/infra/authentik-google-client-id.age  | Bin 493 -> 603 bytes
 .../infra/authentik-google-client-secret.age  |  18 ++++++-----
 secrets/infra/authentik-ui-test-password.age  | Bin 832 -> 672 bytes
 secrets/infra/authentik.env.age               | Bin 732 -> 842 bytes
 .../infra/forgejo-nsc-autoscaler-config.age   | Bin 1264 -> 1374 bytes
 .../infra/forgejo-nsc-dispatcher-config.age   | Bin 1127 -> 1237 bytes
 secrets/infra/forgejo-nsc-token.age           | Bin 1199 -> 1309 bytes
 secrets/infra/forgejo-oidc-client-secret.age  | Bin 484 -> 594 bytes
 .../infra/headscale-oidc-client-secret.age    | Bin 485 -> 595 bytes
 .../infra/tailscale-oidc-client-secret.age    | Bin 484 -> 594 bytes
 15 files changed, 45 insertions(+), 8 deletions(-)
 create mode 100644 nixos/keys/jett_at_burrow_net.pub

diff --git a/contributors.nix b/contributors.nix
index 9475a27..df76a01 100644
--- a/contributors.nix
+++ b/contributors.nix
@@ -35,7 +35,9 @@
       canonicalEmail = "jett@burrow.net";
       isAdmin = true;
       forgeAuthorized = false;
+      forgeUnixUser = true;
       bootstrapAuthentik = true;
+      sshPublicKeyPath = ./nixos/keys/jett_at_burrow_net.pub;
       roles = [
         "member"
         "operator"
diff --git a/nixos/hosts/burrow-forge/default.nix b/nixos/hosts/burrow-forge/default.nix
index 1b46f6c..96eca4f 100644
--- a/nixos/hosts/burrow-forge/default.nix
+++ b/nixos/hosts/burrow-forge/default.nix
@@ -3,6 +3,7 @@
 let
   contributors = import ../../../contributors.nix;
   identities = contributors.identities;
+  stripNewline = value: lib.replaceStrings [ "\n" ] [ "" ] value;
   authentikPasswordSecretPath = identity:
     if identity ? authentikPasswordSecret
     then config.age.secrets.${identity.authentikPasswordSecret}.path
@@ -27,6 +28,23 @@ let
       }
     )
     (lib.filterAttrs (_: identity: identity.bootstrapAuthentik or false) identities);
+  forgeUnixUsernames =
+    builtins.attrNames (lib.filterAttrs (_: identity: identity.forgeUnixUser or false) identities);
+  forgeUnixUsers = lib.genAttrs forgeUnixUsernames (username:
+    let
+      identity = identities.${username};
+      sshKeys = lib.optional (identity ? sshPublicKeyPath) (stripNewline (builtins.readFile identity.sshPublicKeyPath));
+    in
+    {
+      isNormalUser = true;
+      createHome = true;
+      home = "/home/${username}";
+      shell = pkgs.bashInteractive;
+      extraGroups = lib.optional (identity.isAdmin or false) "wheel";
+      openssh.authorizedKeys.keys = sshKeys;
+    });
+  forgeUnixAdminUsernames =
+    builtins.attrNames (lib.filterAttrs (_: identity: (identity.forgeUnixUser or false) && (identity.isAdmin or false)) identities);
   forgeAuthorizedKeys = map
     (username: builtins.readFile identities.${username}.sshPublicKeyPath)
     (builtins.attrNames (lib.filterAttrs (_: identity: identity.forgeAuthorized or false) identities));
@@ -52,6 +70,18 @@ in
     "flakes"
   ];
 
+  users.users = forgeUnixUsers;
+
+  security.sudo.extraRules = lib.map (username: {
+    users = [ username ];
+    commands = [
+      {
+        command = "ALL";
+        options = [ "NOPASSWD" ];
+      }
+    ];
+  }) forgeUnixAdminUsernames;
+
   environment.systemPackages = lib.optionals config.services.forgejo-nsc.enable [
     self.packages.${pkgs.stdenv.hostPlatform.system}.nsc
   ];
diff --git a/nixos/keys/jett_at_burrow_net.pub b/nixos/keys/jett_at_burrow_net.pub
new file mode 100644
index 0000000..36c85ee
--- /dev/null
+++ b/nixos/keys/jett_at_burrow_net.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMe960j6TC869F6RvElpICxlBauIT3E0uLyy0m7n70ZC
diff --git a/secrets.nix b/secrets.nix
index e3fd9a2..32d7882 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -2,10 +2,12 @@ let
   conradev = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBueQxNbP2246pxr/m7au4zNVm+ShC96xuOcfEcpIjWZ";
   contact = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO42guJ5QvNMw3k6YKWlQnjcTsc+X4XI9F2GBtl8aHOa";
   agent = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEN0+tRJy7Y2DW0uGYHb86N2t02WyU5lDNX6FaxBF/G8 agent@burrow.net";
+  jett = builtins.replaceStrings [ "\n" ] [ "" ] (builtins.readFile ./nixos/keys/jett_at_burrow_net.pub);
   burrowForgeHost = "age1quxf27gnun0xghlnxf3jrmqr3h3a3fzd8qxpallsaztd2u74pdfq9e7w9l";
   burrowForgeRecipients = [
     contact
     agent
+    jett
     burrowForgeHost
   ];
   uiTestRecipients = burrowForgeRecipients ++ [ conradev ];
diff --git a/secrets/infra/authentik-google-account-map.json.age b/secrets/infra/authentik-google-account-map.json.age
index b3cb6f84c8d7f174f404cabbccb26a8525167538..158814a6c51d0945bf91c2632d6504972f7bf9e9 100644
GIT binary patch
delta 1049
zcmX@XzKvsoPQ7t%mZ5%7o}q<_MUKB=Sz=X*ms63aYk6r!dUi;XpHGr&c6hOyPe@|8
zFIR}awwq73p?0E=rD>sWWI(EsQF)nZg@>V$Nm`1JX{ENOZ@Oo(WxiW>K9{bYLUD11
zZfc5=si~o*f@e`wu4B4Fcx6bHQDT~Qd4zL?nPGs1e!YI6V_`w2cd<uOQMgw|sZm%-
zNq}dhPnB~ymsf$mW1)$gflrcYxM84|qr0=dd9im&m3O$eV{v+fSx$&gfM>Z^WI<&*
zx^)KG;Q{G^3Z{YKp{{;T5kAF{UWO%!k*SGcSs7-|C82qazJU>8srtqBrV%bK{vNKu
z7F-!QiN(pLrimu`B{_wWh3+PK`bpW@p3cc7!Ol*l!Ok9rZtkx7&c0=-CLrq~ARem-
zN~<!e3`zAYDf2B22rJEX)Autj%#QM|%t;LiaCgmcbhIo^56ySU3FWGAax*Y+jdCf@
z$kH!!O)L&I&98TK@y>S643Er@@Tzn-bj$RKDEIa))eq#-)zwvqa<ZrhEc9{<sf_fC
z3UP|aH!Mrc4Gt@F^2{mE$?!<=4#>7}GH^7iFihuKeEcGNg)P7D$@;aIwi&I|6W-q7
zF7YJ&Yj@tGzABxbOOr&6UQ0xpY}&u-giyp3_3tk)eADeosTa*@wBY3neo-!Cbx)G_
zsmJ;?qEnsJJ!+S$WLw>j^E%e6$+B*1>I<>`KgC)zIuCD8+vo7BP;==MvkwK&8+(?`
z4E43)UdnR+*oHHUmM-Jg<vn1(rg~XcWf#By^ON_}RWehfKGwFaxGw2B^>3~B&4B9Y
zyNk1feskLQF)TRn?)=pHUH4r-Z&H`+RQapt{o{Z8!h3E#ceKShtu}I;t7uesK9_|-
z!!&kV%JDC0A8Li#84jlz*(Kg((MpgIwR*H;dH)Mb4yUEl91GUo^!ds6kw1(hWs)zy
zw&s=Bn_b)gFH2sabHl`V=^AmdopUBUJ+I!=JFUI=R&&|pOF1w8*-ux~cC42_!@oZ~
z#_0OL;Fym1-5MQxUj7lVKccbid#CRyR*wFyznVh-nM6h(F)GpdaCYW~$bWnjGJVYA
zKJQwz{h>wDeY*>9-<cjcq+t5yNL3lnp27{E{I5v3c}=-F`#C48z{E}kl?DH2>4hIk
zdbIzpn6OFL6dl1IkG`j$Z>wO|Jgz!vTK#Reyl?0BKFlr<HB(99IAhiJOY-5G+buI>
z4|}H-cK*5)>Rl#R_Hpf-d8I2SwF+96$!wpKcc1mQe@KPy)jfPFpI*+a$z!uRlX2o4
z+rz-tTaT_cs@#!UQN8{}n&s|S4r}LHe%{-bwqxm$+f(?tr!D@R-`<uQ$I*E-DaBuk
cXKw(9kT0v%(ml7;CVcqk$`BqtSI%uG0P@|nhyVZp

delta 938
zcmdnSae{q<PQ81Qn^$PEyNiKYo{67Pns20Ekh_afvWJghP_aRTYq5Efd%1Z=Zjg6Q
zGFMJ&gjs1tNqM1bQD9J_w^@{1s#joUg}Y~FihgEgvcF%rTUBI+MQK<{AeXM4LUD11
zZfc5=si~o*f@e`wu4B4_X+)A!LAjfwdtp|Rhe3+3bG>`Mk5P(=U#^i^PJxqaqKT_n
zah`LsSy+}YS4vP$WrmTLVX<RHUS*PDm6uC!L`s&0kwLzfxrcwLdud{tk4vScrAtsg
z$hruKP07Yio<Z7yUXj{fMvewyIgaU;fyRa9PKIt41!jKPX2#}W#hxBUmWB}qTo$hN
zo|bvqp<Y#vmbpnj#U^1vt|m^V`IhN9>1nCKB>{zQ#l=;HhAAlpj$FFBx(Wtffu`og
z`Vr<v7L}IC7A9^M<pCa+24Q*0l|HWSj;7g}9zMlE5y_TS`CKNs&R=ymN~Z`5#OHq9
zG%GPr&)??XMO$e*u9<5}^Eb}ySfZ|brT$ac{Z1<(NhU{!T#1+Ni7g+d<}Tc5nX_iI
z>{YANg?hfm^Y(vD4oeI)?cAO6_p9xJ_$n9G4_tl9hgn~6AK&z7iGnT5hTK&h%NPG<
z%g^R!Dh*%w_u7Q_i@#j>d}n3N;azzdX?#nKGg{?TKVJ0=w%&GV`;-?AA71WWc=lz<
zPp43}`eg|#b@irflh{-$9^NX)<mpv^zI$Ja!W#bNN*B1J-bPy5_5C{iG)nMe?WS)j
z-!D2bzhrX1FzcN6;t+qm)CbEN!zO%@3ECLFFmX$$McCxBSw=;Zb}zAD5cpf+Bd1?*
z`?OKlESbp?Hjm7{Z=A0b`RLFBv!qP-=UKB?)qe`(uj;P1*+1L0-tv5IxXO#OGy6Fm
z+rQN<h+kN2*Ccb}*z~8ychs1scslL4_?-Lk{8?AlZRzY%47u~NJIU(a?uO@FS5va2
zUtCzf>{MLLV}_u$vsScgTxaWPkdp1;da!-#zQ#=jbE^IHyrbt=J9+jyN$(O^$1f7R
zTlUcLfAfFqBsj#(sI1@BseE_Kou_{o4HlfetHrKnzvA*s-LqZ0ue@KbC~$1<+-E7(
z%_$H6%ZeK%+sAoa3Jv?X$42|?mPqEj+qN5}w)6#lemV1!ih=Gj9RvTwKX03p{#&xG
z-~CFq*ID`J(RFJ=6jnT1y?5pO*sB}+xSx3be8rm0EVBFI?uw#Irq8xd6IMR(^{J2R
kmaG=V!;%dF|7FB1u0KDz_V0{jv$PHg_Ptk9UoeOR0Gbk!f&c&j

diff --git a/secrets/infra/authentik-google-client-id.age b/secrets/infra/authentik-google-client-id.age
index f295804f68781d005cf5d43f5fa1e4f1dd49d320..344c73bffdc9e21ccf1560cb9da098d937c37ccb 100644
GIT binary patch
delta 570
zcmaFMe4Ay0PQ7z(ntoY&kdu2+fQ7evc|o#egmZ*<zNv?iv3qiQrdf)gnT17uVwGn|
zAXh<tWT=rvZf;q2xLZncrhjI*PoQ=|etBSWu}4*Ynz4IjRiT+-m{ERCB$uw8LUD11
zZfc5=si~o*f@e`wu4B4FZhm=aK$x*pQe=>!XK8^`etn2xzOlEHwp+e=ps}m5ONc>v
zP=$q2nn`9dS4fmek-m?qYl=sJWqG-0l2^D>mZxV(R-%!QQ9z1`V}yRFxmR$SPp&?O
zbq3kt0qKDXWtM*VZWYBru0g@+-loav&K|)jB~b-=Ca%c=8D&`}Ue5JFL57JH?uDVg
zT>0rPnLgRUZbcTE#+FIOl}6z?c}XF@1w|2=VO|05rrv%Y?%rOWiRnK1Am2qmJZ4gn
zUz!o%UT9J7oST%C<r7$(7M1Frm{c55k!+G?Zjx%09+9GLXq@e2!WHUkt{-3!6jfPj
z9FQMsn(G^BP@kCZ?wpceSmYm)?oyoLUK*B_n4X{Ln#`rEtE*6CmhS25QdyjqSXk`g
zo9O1IUsmc9mgrSxVOkoT5s>5O7m{7#n^F*3R?cPAxj$q^#F5!keK$^4l3W+^x_#@b
zU+gD>ZR11rj@$OW<y&6P{Y^I}a<_it%Oj!{pYLexu94eqT=M(fijP_C`=glDl_i)<
rmmTq6m;AEOr{(wh_>2{djw&;kZ#!}SlxAk~mHO(ryL}WKrn><E{6xxY

delta 459
zcmcc3@|JmmPQ7JXaacfcpnIN?WwF1rpIbz}aY<N(iIHhwVyJ&XhMTdrL0*oxL6EPz
z371Q#UtX%Kc9vIehPQEsdstw4WNB$up@Ft<WTt_CRCq?7TSRzCxvQUnFPE;JLUD11
zZfc5=si~o*f@e`wu4B4FYDrl|fPQX7woz!Mm#2ZTYkibyrBir#g;`aiQDTLmOL4xZ
zp?g@4v5%WCS5#s|YMHZHT6l$rK}k@ib8eWgZ;E@0S!KSVyH9CAx?`1xK~{RIxr?JG
z$hruKO-7Dp#wDqShAw_Z<q^*1p@DgYCV9C=X<6>hZYloh1wm>0sl}E-elF#aTs|4~
zNv@dz9{L`cMq&Qh9{x^IrmiVzk*SHk-o{mCMh1DtnI4X2Zbezz$y~a+x(Y!ax#ksN
z>Hg&*E{4WtL8e)0P9}v#g~pXWj&6mOVeY2crI{X%Mip5e<y>k_V(AM~n%W=#7CX59
z#3RR<^Xn_NROTdF2IgP5&JecRXlAG9Wfz~f%D2<BU%m6`W?Sxh#bt}R&E2x>smgaP
yg*IIYT5fqcU?aQk>Z-TR0;T@>)0RXXn}51>-pTHJSx3#pe;XZ)NG{y;ZY}_a=%t+i

diff --git a/secrets/infra/authentik-google-client-secret.age b/secrets/infra/authentik-google-client-secret.age
index 43ecf0b..9a841c7 100644
--- a/secrets/infra/authentik-google-client-secret.age
+++ b/secrets/infra/authentik-google-client-secret.age
@@ -1,9 +1,11 @@
 age-encryption.org/v1
--> ssh-ed25519 ux4N8Q 4uq5z93mRUUgcMOxP4+Yfe2Jq4tGYErwtzvtMHUvgi0
-J9DkDeSPkQbOjFM3QoV+1Kz3ZVLfR4PUxCT8Zxz+Wvk
--> ssh-ed25519 IrZmAg uLEVmJ+e9ZiLas5YooR4GfgyspWTsFdMB2WPvluU/VI
-7vqqQ/BIDQaOp6VDVLa5ugoRxVZZsMj116cTHY6+8KM
--> X25519 9spF9eLz63UOaBfuG9vTIr6bCKwzFsWMjnaIj1PIR3Y
-iGFELg2RQUT9rEal7pblQhfxtwYhxsZdXYxEhvjtHpw
---- 3TDrUnIN826N/n5gc+YY8ilMMc/6K8zGTh6FxzKC/JM
-ÊÉXÍHºéÓ#Ä²G§uíÃâeÒüÖ¹f&1€a2ƒB„JÔŽõg¯ºÁ=Ì¿Šä”.ÅÕ÷ë*7™F·´‰–bÖ
\ No newline at end of file
+-> ssh-ed25519 ux4N8Q Q3rYrGroJXarMLdatYCHVERefWDyGwM0Ii/kOp5m3Fs
+W3tgHNXLSVfGU5p8MhBj0mX72SNgMl8nf8sQX29yvBw
+-> ssh-ed25519 IrZmAg fyFQQkd51GthNZ4R+W5Al266LnlKbr4ZoMERlCM1OTQ
+rNjnHTGCfF8LkqU8mzTrHlL5G4az1k62gvH4gW8zmjc
+-> ssh-ed25519 0kWPgQ OWokv9XAphqbkDi1cznb9V09VcM6Li1eIh0JpcIlVTY
+TnPVlqKB78y7NPYp02UJmuRXdBMKJKCngpvo8TjpFZ8
+-> X25519 HWaWhyejjo4IjDrNsBYxU1JaGU0899FqiBYgstInuiU
+enbBGnhH+uJKY3NBD6mmy09Uos+in6ytRQ5BakvTUvI
+--- gOBrh88hnvlUSmnRiowJiUIwgIz5zzVKH8YCRb8Ckdw
+Úx¥¢õokPà²íáÐàn8¬ý­vòµ„™HRÊoMºÒðªÃ‹¼ê¢9&TÁb]Ä‰¬Àƒ'|ý<ÒèPbe†
\ No newline at end of file
diff --git a/secrets/infra/authentik-ui-test-password.age b/secrets/infra/authentik-ui-test-password.age
index e84a7becc0b8a5f9a3acd01f4a95440bb16e9fd7..773833e64364613a7f7619be1fde4a32d423c4fa 100644
GIT binary patch
literal 672
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSHtuXPk2vjgFb+#x@
z4hyRCcFFS&Pp=5c$;c}z3J(jj%u0$d$<od#)edtsam_9YG~qHXu}ITT2@DN4%_s@-
zEK7_E^{Dc9wDipN4t4TL395?nDtF2CPxUN|%tyD)vnVRpF<rr_q&(ltO}iqoC_BsF
zBdO5P$0*g$z0A$4BqKD$H=@GQy(}QZuf#Pe%$F-axiBp~%r&qwt+>c3+^je`DA+$S
zA}TCT+pkQ&EHf;{!!tWK*P_VWI}qJAgY58t^gxB+RL?4ZACsU^QzHY5q)P9M$VhkN
z^dt+92yOky6qCxr<f0H`%YcGR!*njgB-2W_#L(>0q>v=@yu1*zs1Qe!(9lTVRD%e|
z$_h6RL#IIfq)?}vN>`9=5s*L(jBqIp3lA@Lw#*Aj^~lSt$_on2PIJpODlsuL3QIQd
z$Vl@j3y$(GHa6i(&#*M}F-Q-q3@=QLGzm5E)=$of%GA$xNewP4DEA8w4T^Ge^vDSf
zPc8@9fE-sPNx7!Z<qE-RWrj(9nVF`Zg$AX$`f1@+9{GVmeuh4t<q?jCrA~nrS%xJp
z7J(Tq$y}zDd4Xx>!EOeb{)wLD<?bPc`XQd_`NdAT;htWlC51laVcL~B$p)eBfn2(}
zx(b1jss1iuc}4lgPL=ukj)}R&9tEbEroKrbZk|<M+Eq^ZS#H6V*||Z!7F-db7dy)o
zA5WewA6y#ccS&-Y{Mv;)?;ez~&8*XxRAlJNj1Otvai`wn{+i_VoUyzdtW3_9+sf<{
N`ZvmRoL^wL7XXHW-oF3<

literal 832
zcmdM|0Vh{?Pd^1mcUJ{hKj)yxfDl&~1vgJ0SCE`8S7dlfj!$@4X{522X|hL9L6VV4
zX_B#5o{w>4g>$BXwx@?*Rid+DPLzwMp<jrrsi#L!W>QF)OG>3va9C(cAXi9szG0Ya
zR8^2mR8VSoi9v`#N=0J0sad39SYo14MNVXvn^9zzpI1_tqiL{VkU>(YUzT%Lm`SjK
zo4>!SK^0eMXmUl6M~1tfL4HwCM21heTa>GBUP`IAL5f$PVVJvLo@-@NM0QnJReD)e
zj;ps%h)H^~v0uJVcv!Y?R;VGDZ%B4}N<_LrNLEIWr-z$UkfD=dVvd(@YPMmfe^^Fd
zn46z}l##DNQg(@FNT{J(c!-m0q@h<>V5pl*P_CapSCXM$ZfdrxcW9QcVVH|+WnyTK
zXJlw`S!je?URX$uOSp?)nQyqML6lLDSyE1vtFN(VRZ4D&e^O3RL{x}lIag?4en~*4
zQ&qB2dP!7xV5MJ3XoY{UlUH(1K}leEa=Nc;RDN){WmJkwR6%O6MOBzbN~O24Q?Xx2
zPJW_WXeC#oYlTagdv=Adn`@Q7o1b@NXi!*Sgp;wKV?juyVRA)CPMCX=QAtElct&M#
zM3h@(o|A7%l~+-sb8&g9M_?IORA^36NOqucSWZ-?kAYvIe~4EVIQrbuVXpB=&Q32&
z%JMVu%XTaDGb(Wja?QyMH42Ih$_dKjip(}m3=b{IOw1|BNe+)PN-~Oa4sl5~3=55l
za?Z{$Om=fK3CWJi4bAe(4GGC93(s;YPV$J#j10@k4Rba1<_a{jbo2Mf2u(5YEA=)^
z2?~kGa19U5_Vx)jDDiYREeg+02~IQ$%Lp+}Hi$GzDGv!ZF-<nkH;oK&$_+AhtKdrZ
z@XJmOb29S_H4RR7Pccn$w#-P*OZLuAF*m93$xP8V_o#|AFAEFIO)hfuH;>d02=dKx
zH47<AF${A~GYRJkF~}>?HqQ3)D9%VM_YFxj^2y68FEC7UH_9>#@$d@Ih$t{E^R7rq
VH7qvFO}Dk>0_Ol%KNp;t0|0|53f}+#

diff --git a/secrets/infra/authentik.env.age b/secrets/infra/authentik.env.age
index f9f613687871d9959a66369ee2bb51b7aee03d40..dbada85c47dfffb1804d9c0b7c0bc4196873bce0 100644
GIT binary patch
delta 811
zcmcb^dWvm=PJNKReraN1SXf4+pPye)d3b50XGw&ArbVPrl~ZUyQki3VRJdh@V{ln;
zF;`VdS%q(sv9o82vA$)gUuL9PWky<6PKBp_QD%;>YgtlBrdxVpkYPZ2D3`9CLUD11
zZfc5=si~o*f@e`wu4B4FWNxHmVosJvR-l=yVT4JZdA&t(cyeN%OG=_+P>`ibSU_dE
zX|c9bg?^qZS3#;#pi^O3kwvn$qh)@MQAko?cu9IydR}s9wz*eQwr^FcQ+{c-Nq%xV
zx^)KG;Q{G^3fh@oVct%b?rHAcK3Uo6C7yxWg=s0K#UA0=MLt<ZW~C<eZeGsGnO<d?
zzFcJm2CkvSmhLVo<`qHal_9wnj`}VEzJZ3>&ZPw|5h00riP||v7T$q@`5@~eARa3T
za}P_3^bQCK3oftp^iQu!4N1~BGx0PiEq8WuPYR06D31zu^)U=}%;zeO^7C~n4RFp4
zDJ)5`EJ+N@Pp@~5j4Cn7@eC{1b_q9($j<T%4M_9|b28x4)zww7a1S%6^ehTZ3H7)1
zND1-`$*L*{$*y!UH_G$~t8g>SDswS5%k$04_s!>8f4_9|h6~DvPVy^;e!X(d?}35P
zrr0$KH`{zNzdZSD^2+j00RNGWWuLyMYYE+9OR)_1%*gTiR{u<|Zqe)K!PmThonDfw
zoUoMDH`w0yUjL-De^c#$wtjv%g}X=N+`>b*%e&+%ZuQ?&mx|7a(>|F~y68+n?AHZH
zWWUBv+V#k%HFUG5Tm%>2hi%J0^eJ!{^0OJlHk%z<)~B-4c0$K`i(b)<rYbr2Zr?23
z%CRN;rI*lCVdwOl7G_rUn*|cr{r|g3S@6R&7jZt3H$o?-cm?q1@0H$P*^sCqD{k6S
zRWUJO(?a_uwS}$8?&8wHY3`FxU77u9aymzWv*RbVqr0~HU7adi7;jo<@j)``aJa(c
zZI)qgmh?aT_R;M}l(zBuFTr!We9fW*a-P0t^b}k0LF9k$;-rGTcUO66-cT`Sxxw31
l>3&Gzxy7AL(F;5)@8-?UauJyE>yqdNhKrXMWim)v0RWA<KiU8Q

delta 700
zcmX@bc87I>PJL)faH6(*L9kJIL~(ejnY(3rNm+KJbBd9LVOW+^pnHgui*aFMdYO}}
z30H+_nwM{tZ$**2M|i5cqkFhdq+^<azd>bWxre8Zzq4<sYgAOKwxefmB$uw8LUD11
zZfc5=si~o*f@e`wu4B4FWJZB|Ri>qdTb5s7dRd}hWW9HUx4UtGagcwhc6w+@k$-A(
zaZXfWnQMp%SH7vYX+^1JuD(}EV78BWXi<`3d6;2Xv3pcOdVobllCfV%afnfbM^$h+
z$hruKO~nP4r52@WQGUrKi3S<Dg~s|-VU_^~=B~xL{>9$r`RU<hUfJ2j&Q9fyT)Cz7
zIq8ljk>-W&ZpB^^!NIBSVMP&c<v|`*q1ll}VL91`KKV|L`c+QGp<KGUx(ddj$r+L9
zk;&N^*?~EcUWM5u`u>Gkffl}=!RDUY1!Yc#My0{NhT8f*u3VocC4J3un-}`=cmDV3
z|G2NqF4nwKuU_&m);V?aoMR3l-xqmoSzNDu$o60C))Lv;xfcF)5;i+d9K5T2jA_A-
zKSIl28+mMV_@Zd#Tb6Y>Fj3nknfvtgnQ|u>3QL=LbQ4awdR`1%P=Dnw8+XOmQjwkd
zvhgNtMY^t6&3^@-*9%bi$$Ca?S5|sy_2Zj2W*@tIQH<Y-{aejUt*7h<KMUp9&YN_}
zX^)auJ!gH!vmIWNOb;brzENJgD){b+cRNGh-Poq=|9x_JtJqD2%ij)95<GpVvYk7%
zus-szn5lXFp|c149@{uDvRO4$eVRV2W`4W%@9KCh>p4{?JZ)>&M=>AC+BR$HhaazI
z$lcs?eEON7kbcv*?so*M?wABV+mqy$mbL!l^*3!_{w`)Vy%!#(&B*sSVrKTf8y7yV
tiL#CQ%+<H^R?_1`mP<1pPw_vx{W?qM=Jnh2OiN#W;l085@Ovy@7XZM%BP0L-

diff --git a/secrets/infra/forgejo-nsc-autoscaler-config.age b/secrets/infra/forgejo-nsc-autoscaler-config.age
index 28e3d4ae7ab2661a31c8175b638ac203ef7414f5..5b5da65240a9a8fe6b5e62d778f0c2db1f6a2917 100644
GIT binary patch
delta 1347
zcmeysd5>#?PQ72YMPOuRrBhKsa&l3ai)Ct6QAt^TWnytfzMFS)NJ&9nvR9Uqxl3AQ
zK3A}7rm=gfmw|q;qqa*>kfD3FsZ*qhqe+Q(N<gMjd2*n;VR@u$QKeBvAeXM4LUD11
zZfc5=si~o*f@e`wu4B4Fgujt%L9t;_Ns^<pslI!WaeZW}yM9W#S6W$UdR}0lzIKpy
zN_k0Cp>bF?S7u<ii%D8(Ra9xPb7fSTMWBg`e`;7zx{Fc1fn!-gfoG{pR!O#Hxr?DI
zx^)KG;Q{G^3VAL`k$G8(rsh#@elA4@Rh6m5?ipb&X?Z0jjut+q!KSYDF5cQD`r6?h
zCR|lc6_u4{#`*px!M?#^#W^NnCi&r^&gscH7AC2lPCh1%si7&ENd>OOjv(tIARcon
zOE${MO-yu4EsrY5Pfv3%3Ad~Y%k!;F&X4rV_0abXNOumbFi0yacjXGMa?0~hH3-fw
zaq_ARjdZdoH>=O~4fD%LcdRJQC^9SvbPNx3bxY34_sQnc)zwwd&nj`w&kXc4cMmD`
z$c@U#3JFd(Gp`8M4oY__O)brc%64=q*Y<O(G%e@47@_p#lhlTz3YGQDZ!|3z^y$C9
z7r$TdO0}Cx5i9RLb@>^tN*d>67FoZGXY4p7Ty~J@m%RGydXu}%y-L-K^f}shFHbr0
zZ0dujqB$7{MPxoDa<9E9u5K1{GU6DsP?)*aircQj8y6K7oW1gK>ZYi)EaBwM>zdhu
zlLEfZ-<jEc>=f&3_pD&u2nRo(XKTGo<Lq@znZ2r_zb<f?a+{H-Va5_k!$tR%B^K@M
zZ}?SnCd&J5(3^E1p19O6?PXv#m9S>!VZB=Zouwk!@b>=ij8dC@tsFkFrXTHnv|#ri
z^E8E;-yJ?F?*7j_j_t{d%6j=MRz>Pu-Shg*zaK9<aIw6uq$Yg!{Ud4z-%nSaw^nKK
zv7+ut_mBHL_4yUd{jq45+_~>tQcj2LxaU<V!MA*p;AyT;5<NdUqGmQ%cGt&L9Qsr`
z;jQ?oz}-8y6wjC&J@wZ;v$D@k`bU->tPj}#rT+Ny#bvP?NtcgIvXHPi`dszcW}Q~c
z{YBGxLPWQx^4)Ow^HOPd&Fo;t?I$+scN}s&vQhr&?G|kxtNUVKgxM>;_0;I~luw$u
zjCI-8mO~EHKNNpr+Mm8sdbz-Xn><@zY1f}hC}!MnF7IFJf_q{Yo{QYs-c~b7;@r+f
z<}FrB7wr>>U0fHqc;UvLsO2XX?hTQBd+7e!ya&2Tt@HA7Ts-I4DW$BPceK+#;#RSS
z|ALv^OtKO@Yt#f6TyANRHnmwcDN>97VV1w#!Wk37)=pwIIV$$|(gwHK%O(#39xd`@
z{g=eURsSOH=qt{6@l7kv{B`^uX22lwh<T6IyTpXqS1*2un^vCYzI2_){1pPMlX6P*
zm^lq|=H0ngw)>?=;@+Uc4%>FWEc~py((mC63$H}x3L$~=Tk4y2A7<TKFq=<Hf}>!<
zlMNdhSL$d6G;8_Wn(@wBvSP}QLy7(!k3-YjWOY<EJ}d63uR5lulyx$3J=0H>Ykewf
ztgM4HvY!6jzJRSzz0T-y&9uY-2hBTG3-7raTyjloxUA!KFEpF`6!)qLJ{5DHo;$E7
z*7E9|1TiOO$8QPJ{OR+fe(js7D|B~puwHmc0(<;>9|N;1H%tt6PSpMo=@Ixpbj1;o
zf8jY3bf(E1=aYQ2TF1ul(IJ-^!5uq`>r}!8%A@|CW7Bv0Eiv)m<HsSl8|S{0$l^$h
d=QS2-`2M!r*JGWlMD}zxdxe&jTg>z;8~}HiK)3(^

delta 1236
zcmcb|^?`GOPJKmwieZ+Sr(>DByLY*7V2)==Rb_Eec#2cGes*QCdti`JMPfvjM{#g)
zHdjz(ph2E*et}1NW@tgSU!Zw%rnafCUu98#Nnl{MQ*xnsuvwBvQIT1GB$uw8LUD11
zZfc5=si~o*f@e`wu4B4FsDD*>iDhO|S-QDLkbY!IMtx3jdZ1faX;GGOdX+`Cr+;XH
zS5aWNUs_;3S4mW1V7Pg)r(1S*vPoJ%Vpv(QSCDa-hiQ?yp=)AdQGj=-QD&j9M^a@V
z$hruKP2p~N1w~m#PTCe37ExuEAsI;qk)~m}Mn086!ATw&UfB^@-evhwC4ug~Tty-E
zCh49*Dc;(K28Ko%?v>dgrBz9Rp60$~IaL{zj@sI3i3O=ysTN7au3Wmhx(a5QKIO@k
zrJg~i{^hPwRc`J<+J(MZ9u+2r>HaRkp>8?3<&Gwa-hSae`CR)aOnbBX<>f;z!CR*7
zpHqJK>djNz<u_y$dvD(TLOS%Yci`+*pWoCo`Coo}?rF!3{j&?#^giCOc%DtTWR=@f
zL$7P=bvA8Z=eTNB{fex<oB8i<2u@g<)c^U?brpHH_zbU!X0x{5RD2K|(;0TTX^(2G
zZ+y_^nGW@09&PVV3Eu9CIJvZH*ShSg2E+M1hZN4PC>A>Y_T^d6?fYiV{doL(PWGBp
zH+sU}soK_``o2LvNiwdrldCBEa|M5ofUVo=r%&|E6)j$7vEBWBF6=+s#&5aSLVJo0
zUxdy%H&4brKlx?l??Wp4iyg%-sb$Zxa})V(&+i?&x|8J~uT+oX&nr7$fB3<dJx5Sv
ziJJP(CuWD{%IZlf^Sk>-#BbmKl_TF%AY7`VchQ=KZyIZE*3WwG=X?Bcz$N*h&O`p0
z8)x?Mmy1pQ{8PSeV_DhWcba#kIaIXv#3?<>$*Pxaw)TDYf4j-W#P`oW#%S==^Pcr-
z+w=L0&W~B!d1tN-z1Db8JN(*)ixzv=K4xRze9WNi)YhH)aW|?b&pr1%xxHES@^^>C
zgojI4ylbePZj?Vs<#9w{eS%Ee`pPShCtP#N@OJ-j`b6AOOV3k@HGVC7FCCj5(Ik^4
zUaP!E)>`O7z2&Lcn(LlIZ&U&}8}g-M(h5E8UT&3ik-br9BUW<t*zJvrd}B8~UivP8
z?|#y`#cS)P>r8t#cWt_*{PKu(Go7`)4&1Z3z!$H#&MrnaR`TcC*x5yYtZ&pC@m_qs
zASO({D7e2uc0;6X*uSgG#9mK0FQ6^-H)~<)5_!e2y6-D~u3G#;<?EeEv!d(%)E9>@
zXH$K!B_TB3$myc?H(4!)Us*A8LLvj+w%%v^Yk0xE|MH1dH#aZW&X|2^=c%gd=;DBt
zZ_VnZ?^?x3x2c)En0WGE=FYyK%ySRPFx0Q^*7>aGo7BXbSf<>1Em(U&H#2jwwoJl5
z=J!WE)8?~Wdt9}3-2(YF-3mYc+u8myI{j<Y`A>?c*{1$YYCRwlr0Klymg0WSC!(dx
zCRN?NAicX?!>YRQotNdm(APT?c1*jgb|wCt{Ij6byVtK=^ygpd7rVth>IWOt);znd
z*E2o-pKsB^yM5_C5}cd4LUXhmpO-BCE2UDVwoB#l<h}C(*}9i&=dGyditPXK@Sk6z
o{N$<9kCz-=v}jvb#p6j^nD<{Y^_c$qWn#yfIdZ*|rhH!y044l8JOBUy

diff --git a/secrets/infra/forgejo-nsc-dispatcher-config.age b/secrets/infra/forgejo-nsc-dispatcher-config.age
index 5ef71b597d03de8a9e9125c30ef502e316f0fec6..4ab9cc03f62e3da9a0f8947370984f6defad5b53 100644
GIT binary patch
delta 1209
zcmaFPag}p|PJNl5wyCpGWkr;sYj$O1c9?;0W=5f@MTo1fnUPyYj&`oQVYo|asH<6?
zE0=$eyGN?Fhf%Umvaz9gnonuASGGyEt7~L{UvPl0r<qf*yN^YNc~W3rF_*5LLUD11
zZfc5=si~o*f@e`wu4B4FVQ{*Iajr+GS5~o?v3`ZKd3|<hu78@3xv#gGze%u3Xh>>s
zflFb5r*Bv`SCxf+saJqgR7GJ@ps8o6er~CAnQKLGqH}O*S*BS*aCuQklB=sxKx#la
zx^)KG;Q{G^3jRU4MtP2=u2JSL0ToUm1{RTq*@cezt}apeCdtL2#i{1?Nns`)Q7NS!
z>0Cy+KB1|JX0A?2-sTow{zV>+`rfH|AugHbg+3|zP6kzlxl!gx8RkK``5@~eARa3y
zbE-7Sv&c{LFRdsqj;u2G(zZzQGz_;W3a)bZsx0>M_RR1O%F)jVHsCTfF)z(>^e>7u
zsEqOobaM)DOs<bia`h?6FY*g<EH5&!aCgl%H7bwt)OO_3)zwu<&h`%}iYPCt3`t5W
zs>rTL^a|E5_csYBbPdQf$xVw&Gztjy%uP1R2r}SWaxceT!hP}*kG@}-olP%tSfm|}
zznRP6^?B|ox66roF0-aTeUZ+vKL6CKe^*8K#XL|xc|x19wEnxnu9E3Gk*Ym9rQDv)
zbFY2hH0#)BmR{MEnFR%t7Rs2Z_Ptrm**|BcTB+Rg`SA%776l(o7S9Xu^JtxQZjZIJ
z=ttrGZc^gA>Mn6`I$U*>QkAv-lD>`2W$$mE=x_sF=Mo-+`{x4%{@6`^?sK$g#!rDA
zf%S(|PKsEpVbj%Onkib(U|u3#lhk_sR7U>BZ|u79`#M!mPDwTKSuP{-z1*|T@K==G
zvMFr)F4g(niD|PBR(-(GfB2{Cr!zSVR?iZPRR6<Y9+zBlL@=jfQ%{M&{HZ4{eTaQN
zw?U%oSC!%Z<8{B~W1n0zGwYgJ(R@LDk=_!A>Q4TDrym`1PB#_w;oP|=zW##x`zEg4
ztJ>G@+&OpaVVfxX4PrGJVggznn;U1HoWJ?tqp+<dyMAv}{2SX86(OeiS$qEe1{Rsa
z@6@7Htu4RUC#3K@adt}t8j39U<p|#0qV;6P@l7u0OE0cXIyjNNog*o&?a*t@>+kL{
zO%>A5zP)&Pmte_OjkjO_{gc!=cF%Z9ebGnT3!Y}D_@}I}nV4PTmN4P@79B++say6+
zC+v6J+dH%MUjFqfGbSJ8%iit4z<rBx=Ft^Cnb(6mRlMq#e^p;^RXp+5XKlTPU9Oi8
ztm!*j!t`B!wK+>b;zGr}_b!%&oGX!KRDSto>w}a0yQa>|Zx6cmN&e~8lX>?J{oNrX
z`^sQb{qNa2Y+4-`1<#!{+^ygHlFhrdx9ajX9u~%LJJ$&MvM_K-omH3+A5?Jh{qD4|
z#wY*8rRHC}u~nLZD=#5nm5ZN{5y!KKXMV4boW$4gP1#`eyWR)izvpb&s9e|TZg=_6
zg>L4w4Z)xO=6yUZ^?io1`h)dhGWqt#l7TAq57wImC8ij;eo@tVziE-n-}b+&o04s8
o-7S7;>?-}uE_CwtM<@M4&Y2d8aSNDyH#c#g5L~+1>orp!03~<(g#Z8m

delta 1098
zcmcc0`J7{dPQ6o=m$9d}VV0YJl9z{9g_}ibVQE-)o?mKOg}%AIM`EJ3o3TZPxnrWc
z1y`0wc2!wGL{3pul23(Ou8(<efoWj6U%6MJc4dCJyNhXnVWe|*NlsW`F_*5LLUD11
zZfc5=si~o*f@e`wu4B4FgsHD{d0IhPg>hD@K~7jzWPOFUajJK|duD+_ZlF_{OK4`H
zXJw8>Rhh9XmusP~cA}9%xW1!nMzTe&b54L`V0nONl&^DEsb65CQGv5@UPw-4m4$00
z$hruKP3~Di86}Qp1->q&>5)aoftdyQuEvQjIq8Y|`pFh~u0GkOd1e6x1{sy1T*>A2
zsfJOhhUrl`sTOI5VWwVYLE3?aCPA5=Sw5y-`oSgohNdPJX*o%5>0G+Hx(a2+9-e81
zzNIBzc_~g6B@wAvnO?bOo?)iN{*l^F20lr-$^P0#q2_KyCR~hdd;-3qQB8k4xVT=n
zY~?)q?bwHulGNfI={vs8Ej)J5ewF;;oO(IU*vAfiCw!wiR$S%$wD*-znVtCD=5Gu6
zR=V%FeKp)<s&Lqss#lMn&Heq=;GU#V>#_;10!xh_F21PLR`jNG!R0mY)8BDRFVnmC
zbGGA!t6Tp+V4rvL)pZ?Xv)1cVcc?A6meHqmV2!NTis}!J>qDpM7TlZ|BBtu*ll4zJ
z>f-?^-ukGS`z;U4Zeyt|ycqOuTDR_&79B?ZKU4fBA6H8Jbz5|m`&^FMMYo?Ew-DE#
zvQ0wtf%n9`JH1>nOhPv%2Nl~_p1nMup)kF1&Q!%`U8WB-jr(4uJ$9K}vMy&|;bIYU
zRfFQ}@8A0GDy&UVoclz%!7=-T_lA=ke*Ckaex52h@wXaV{bZF1{iiqVl`8#`v*Fe)
zt9KrDLUy8;9(URAv(I|`T8(`l7k`M{A1|ZTZ|=MeI{sm!r^x&b3;%`9F1N{9_iAtN
zAu|)-9UHVod$w1L<u)D_(icvc^!xkg^D=E#sVe1VnLdWQToUCfW{Ge5Fr({S^v8tr
zuYPM4$TTkaa=I?cXG(RwDa*t~KPRPZOSrUVC1=I2Loec&=iXiM<3Xfj+|}<@r;B@+
zwfX$xFFW-p|CX=i7Tfdvat5Ed-|5`^BQSf~|2dOn1dp!2(Z0e-rR=(_^TL1U&xC$|
zv*_7wlfaFBO19UxDrp_d<>*rmnl=5({61CnM^5{-QhX$}wO)q2C^tJ+_vU@Q;=~+V
z_q*;N#rtNwn%xoiUCH67wdFBG9k0L_-7eGq&wceig!5o(C$Hh#T{D)}-R{~ha?R9_
zslugDRr77p^R?$@FxYDOX_w|dl6O*N+2CA%AvN#wozOMHQ)OGCdomjTf9Y`3eR}oW
zUA@&yk3?LlQTXcLvX?o!{ciN19WQ>UF*<vxy;GJp+#k=q@z|Z<|9K*FSo(IZEIr!P
xWPMC4^@*plJYUUxN9MPpYdd3RDwJ0UKGx8EzQ`bVQ>3ZfuB-Ri7rXJ8003ti=DPp@

diff --git a/secrets/infra/forgejo-nsc-token.age b/secrets/infra/forgejo-nsc-token.age
index ff8c278c3f78517fb387ac2ff5c9640754e81ffd..68b65722f7fdefd62b86b7e0b8a0586f52507286 100644
GIT binary patch
delta 1281
zcmZ3_IhSjKPJLENinF6-VX;|dfPZ;$y1B7mWPo2#VOo)ASVU50P@+$nSxA(VnP*5u
zAeVQPSCm(JhJI;aVtJ-%NsgD1c|}QavSXQBRce%PnTvaJL1K=nab;qLCzr0BLUD11
zZfc5=si~o*f@e`wu4B4FP@++4s8haidWw;kSD~SwV||K6TCj^}T4lDoXS%sdl0{xr
zx{<TDyGw*4m!n68rDIfirfYDyS$0N5sCK$%WwNu2Z+d28NN%pDyO(KEWU_Z?zLSY7
zx^)KG;Q{G^3Z*8Y`e{|Am1WsksoG{K2HNH&rCAo0ZowfY+POg~uEFK??l}dnCOIYP
z7F<q=l_ka5mMKA{iGFUuA*mi2`Bh0t;lb%<*=dRTRp#MQ#g?97#-)X2$sp?@ARco{
z$qo#4HYrRo)Ava-Gd3zVc6IVj4ylMR%q)rW4Koc1NOI0esVb<7Nal*DNHz=!un0>p
zjf|`cN=yrM53MgXiz+Y94#=oX^6)o^2q?(#C<t^m3oqx=)zww-&GHWLEphj$NHa3b
z^)AZx3CS!AaSY8f49j$L53fv(N(^#K^Y%3^j&S9wlKE>I?b*9aJMvxYN4Bm9{YFg=
zTf2|y_-=5R&%ZyrNoQ6-2lMY;p}eWwDhFiKlA0%Ow^{SBKJmbtqfWgup4vH7U;3x(
zuIkQde@D#DBma|1h;g~+wI^*>ThHHN(RVziu}Q8<=aT$9iIT((i5>kx6)UF*bidrX
zWs|tHQEuPC3jK<At<{26=YIsH$S-VejXDvjtM<-R)8lp9CdIDooS=-YcK?$t#KO<F
z&UY?7a!72=-lfkYR@FP1HCKs;ChEW2Q`oo9=*QLDiMl^t2KKeAix$^YQuf`HksauC
z;L`e5(KRQ{T(y*6zuQ(U_U2$O?;XaAzn8qdcys2CpuCfBpHB2@ICAq+U1gD=Wy<-C
z`q}PQ8`wfz#gv%N>^SYbU&r!`uld?P`ihUuo0o|QO<i9-TjgzKQ0?Wqdg0?jtNQQq
z8bzNFH7xjYDqbkZ{nf$X)zew|m`+aSJf)$NRM09j=g66@c9$<%_g3_!wl8wYe7=n3
z$`qqbtws-zIGz12nz`(|o$`ITTi<ohgxT#B_@cik)$UH?Yzd#wXSN87+z*SaWcd2<
z)%AyO6wWpL{dwU2d~vC;YLPIe|N2SwpM0A;ZXV$c-`HWhsL3EEsC7cc9Z|tqr*)5u
z&5GMSwXAeynA=j(%YQ<C%=rIw&e_hD-}43DY5jaXb-vyA%a03MR~(+X`MYkU#TChA
z;pt!GZ~ZrScpf+R{7!{5MT>7;O`l5(--}*-%6Z<0cm0f=t3NYMGkIJr7~OAhkk?3C
zIasRx(iRQfJ$AgDCPFtdL#F6S9(^)x!S-%P`T7l?ZZ2H#pY;q!!s#zN?Hny{)M=dA
zY?^jlSL+DxvDKM;f_W=k3!1#%T~C?kGV}NXPM31Em&@7|jwa<iKfm2PY!^>6kGhBB
zj@$W6M~i|kNO%aC{Bt}qbFYK>FJ+c_?+^M_mOf(4?W!vN_TjAK<m*rGwPlHIasT!|
zeDMKY20!^-0{oBfBtMvLSk~HRG2!&Qr{CAHJAGWWB~~ltdhOyBS?^!>r~Z-EFg4?y
z+P<`}Qc7lP#w+898`V$#6#EK>F?BAT(yqDn&I*eak7kIleED~!IIQ*QwOG^1700I(
MT&Uo4Ki0Vr07SqoDF6Tf

delta 1171
zcmbQswVrc=PJN|wR#mcbV7R4Wj+s%UcBoNgRH08nNOopaWr&w!MPQ(FW|X!|g-2$%
zCs(e!zP3?XK|#K8kY`A0enyC|zDus5uUT5LYf(u>hJU(es;7}#VOf4?F_*5LLUD11
zZfc5=si~o*f@e`wu4B4_cBHALzeRAEV@On5szq3-QGI%5v7xtLc(RYNiF1j$ud%za
zNrYc$P;yl{m%Dp*SY&c;erSnTP=!fVT1l3Vo2QFWxlf5-iF3MpSYBkQub)MPo4E<t
zx(J9(6@@OoE@74tK^egTIc}9ko?Zb?X$7I~rGAc<=>-wy#@Xo>0eM*_7Ga)TAp!MK
zQGP{1q2AhVRYj$#B`$8IUdbU<sVN4=Ddy?f75-%wfsRqd8BTc?T)Mit3IRbb7AC1_
zDMf`YxdEv`juus!1};Wn7D2fo1|@D`NiLpYE@q+nCf;HBTr6Ei!r>3IwHTA@gSF>r
zXIVB^Z&+ZG_0hU3q5MXQ@!IXHbwoPrmENW2WTwlVWWCV-Zz*@`i$@8<NB&HFroQL5
z$o&WEH#ycRU%al+s`RN|SbdttCtII`+ky`mXNc}{%VJO8^E=XWdzahn3pMN;PB9y(
zxE1tYx)!&-D`6E^VD`u3d6F|$%y}RBYx2}J>!d2ouUX7Vx_?fXN%735`*wNX?0;EG
z$1Se^p=f({okDaX_xS{cHRo6FiC6C1Hi6APr2EMkwk7)=&ish|CgS@1+@`Is_Aq^0
zyCGWVcKX}-?TZ;tzjz>>-2Wi!+idaXirQ~GXUx<)Gw;9D?KG1EBGbCInqHgg@<rCi
z!{p3|zwsXHnNrFlI-gEtE05SOJMTmG_dBnGD$F}weCO2b7`)xfYyMec#v`q+=8#aS
z>ce#(4ll8oR_T28H_PX33Q9Be^CNCKA5FE;-8uO|X-;IxeD0m1)=!pSns$6+O74n<
zKY2fwf4}b5T6rte^I6;VZ|D1FpKP^oTd?%t`VX}^mwzZ-y2G)>^Xd;a4sr3T#ijqd
zw^sWoPLh6oM*HB*P^bFTObJ$z74cDT>UtKq*gbX9+}Ks$?X%oY)Mi&h5ZC1gR}aNr
z>HfOG>gU6RpRBK%R((!2`d>bS<IKlLxsw8Rt`m^Bl^pDLKJ7=8_U-M8|Agb^t9P>0
zglT=8Z?evDDf|D<ud|aK4}ChY_;JdriY1dh)K>mx<$5wHP$21ab=7Ryo%Ic6zU${_
z221Z;uaM?*q$k-X<m0?ex0?)7IMz-4z|^32^6K{${d+ot)TOv~y!z+OoFAWPWurdh
zesUg%=5DU}UC*Zc`O&_tOyqCw#~3zy=61J$1A%^`PO~esrk5n&KhP*HG+T16Nw`z(
z@k^5;ckL=(wNFvYS4YTUS*7>8539b_AMgI4lGC*`b?*I3Ygfo!-OA1K=)kM6pD|U&
zPQQIOPkY9@vs-O#ktf^Xj(;`&EgA*knq8V)OW#d>+H->E?1kJo;mNh7;SZi@HEvz7
zj_v+3{}kB;9aT2WCguv8e|>+_|26u0SZct5R}y<06W5ggFL7EkXPdHp-TN;+VKVG)
U4PHDu{y$z@K6SUmQ>)r10Amgg<NyEw

diff --git a/secrets/infra/forgejo-oidc-client-secret.age b/secrets/infra/forgejo-oidc-client-secret.age
index ce6c440fdceb5760a8d86c0c66563114384ab150..68c35e939b4c18b0775b757e38e174fe63aa1f40 100644
GIT binary patch
delta 560
zcmaFDe2Ha(Zhb*YVpv&bQh<Sncam#Tq_#y`U`d6CmwCQ_VS#b7p<i*apJ9oASU{yC
zmv?z`N`7EUfsucTg^_P?L{fOMV`;u`YI1R^Nk&kfZ<T45X=p)MT2x>@m#&>cadC!j
zYKoDmsiCEUXHitHW4c0cws)~>p>wgTr;%xXq*H~3TfM8liIa=FXO4SNx|v6AR+w*M
zx<yc~TcsnHe|m<Key*!!QF?xUa)xoZQ<#Z!U~-UUVtH<6L_v<ZOHiS6o_3~jVQ3(_
zbq3kt0qKDXL7}C28J=MtrHQGPPKBQ3nVxxhMU_q^eo-!tZbd#N&e@Umh9Sk}72dA-
zTw!@$9#xS=`W7KU!MXXCMFHB{ZaMiTIbr&l#U4>^z8TJ`5rxJskzVeuAnPI^9!pCt
z%Fy>nGONh9DAljX)X&k+G4~8EboR@yG!8Ph@Q?HfaVZH(HcQU)<O*?2&UW?FH_XjX
zaS6%JH+Bq8jI7TLb@vW;t1>9dHp_7}H_S{-GEOxr3gyz()m89HG4`nP_bp5*3QKkN
zC~<Xj&MM8w$<4}3%y2fz$<8-O4|Pe;%**ugwct9Kt;;y^?H2~_-ICw$WQT2@Igevg
z!!O%e(`_F0eeLRh$QdyuF{a>jPX_agI)U;`rEAac^Iex-tyveTY5LYB%3<@hh~^m&
h<X5>*{PZ*;?2Dw=zLOV>B+mcv6<wkFyF>1REC9Ip$DjZJ

delta 449
zcmcb_@`QPUZhfMcxu=0+WoAiGcz{ntUPw}6VpT|Hph01okxP)bzms2ig|>EJSdn`+
zmtk<Sd!?bPpM^m|ky&7tmvcyds(xfpl0l_MshdlXWkFVcVz{Tidrr6om#&>cadC!j
zYKoDmsiCEUXHitHW4eN4pl6j)X1ITFsdj34Zep=xV!c6LkXx9cd3uqfslI1Wriq`c
zQ)ZrbVxR?=MWAPCnoE9mcx6&jW>9#TzQ0#as(H45N`7voe_ljzUWHexx0|+Uq$k+A
z2#8IV1^xy_S#Cz=fx&@hQU2*Znc<FANzP850mi;zQNf7?PTHj@nWa@G1_oT_CgJtP
z#>LL%CjQ1AW%<q#mS&+DQ7L9ghQYoCC9W1mRhIsqrLLL9{-qXNy1Kdw7NJ3=nUOwO
zj`?QUhK|M=1?8FU+WNVfMp5OdzAj}UNoASZ5x(J>nYoT!-C7L`+Lkdcjas2`aZ2Fs
zBfN2p9e38BF4fkPzJ5F}V}7yi5reQktDeU}Zd@mA-BTHlKew)$`nWSU{%}~UZ{oWm
nzV_qUCK;>$um1ew?!+CFHr7Sj>=$_U`{;RP$!%8O9@zl^AG4tK

diff --git a/secrets/infra/headscale-oidc-client-secret.age b/secrets/infra/headscale-oidc-client-secret.age
index 925512cb9692b0538eddfa2c4f83fa98fe8b0c66..81cff1c5b9e23216013b14e69a1819e0a6a400ab 100644
GIT binary patch
delta 562
zcmaFLe3@l}PQ687iAPwFMM`Q~Mq*L0WkG>sv5$XVd4!>(afqpNp`TAiqK}KaiD99E
zD_2RNQ>c$|cvXf;j%RtUr;~e@kB4b`R&kkgMtHuNyO&91MMSc8vR_I{D3`9CLUD11
zZfc5=si~o*f@e`wu4B4FNV<=4Nm06^v9?KOSw(?oL4BEik!xytR&G>ccCc%OxszF{
zQE{?KMMh9LmtVMve|nf#R7RLrXoRnmM`B`Dwt<;*g{xOqRZ(efVThlnk-k}wi?4|z
zx^)KG;Q{G^3Z+i@#cmN<CVtKlPUWT%+8O#)MMi->&K`N$871jqQLd5o{vNJQPVV_`
zkz76@MFojP{zayl<&Lhd0lwNrAyJhs6<%&$5&C(7#UYUeektz3>E0o!#USe<ARenq
z@;6Vcuyi$ct4uV{E%OV|FHLpQkMJ=H^)oE?NVV`R);3Bv%kZ@bcjOAl%kuWg){hEw
zEAlePb@xn)u&7T<wk#+tHx4m!3kfj@4-QRq$?`LF)-LDL)zwvS%+5=*ObJLSGA?w{
zE-5wjs0=YT@iFr9ElD>qbIytMF>rHo$;k96s_^8xz_*0CpLw>ValD+>z5PY}ZAsf5
z>$bH?mgOCq>8^j}r0y%bj(*cG`?lZnj_G*a-Swm<GeWXXyI6KgguuCDiZ@-|_OIKx
i`lI@a{mEslmUdT`?JMf?m|M}c?u=_dg57?xDJubgOu}sd

delta 451
zcmcc2@|1akPJMEQiKSziQ<O(wj#-9pVYz>pf39<$bE<DxUXinNzJXa%vRjF-L4L7Y
zI+szdyIWFNQnp8^k5hiAPoRrwm6wZqL}GYUlt-XTy0(S6UzTIIkA+WFB$uw8LUD11
zZfc5=si~o*f@e`wu4B4_nX_|oP-Tg6U{Q9KWuS+lQGIcEU`U9kiMOXoc&?YRWmJ)=
zXO?BDf0$b+m#Md7aY%)Jcx0tfc8;g9QG}nHYmTM1X+}YIesX?JnPs{`V79)#Q*m}O
z$hruKO*vVCnUPLr;c1EK&ZY%sq2b9P`94NrS&=!B;U<OJg+`fS2I+>8xgnXpTp_;o
zrJ=^Deu<?XE*?b%<<8!op@t^T#^ou76^522`W{(TX>O%Cr5TxF<y^YDx(Wt4<|Qef
z-ui+1#@ddixv3rnF2O#A#z`(Ig_TJzMgBom8I_rNAx_@mzFhx|f<Em}efom!v*xnc
z*-s<oy}w+a5bm-$>v;#yiVlX$mtS5Cm|^pDUV6-w-=DT{J=1x!L)_w=ZrjDAmOr`S
rC%GO>TATKLPE48PoNtpt9ZpUDoEB1N%4hKGN7?CFe_GV{RPF=-Z}+BS

diff --git a/secrets/infra/tailscale-oidc-client-secret.age b/secrets/infra/tailscale-oidc-client-secret.age
index e88c2d1b5cf2b362996e3a4403d3f70773e12a72..3c3c07468aa611765480683d977310e72ae7ca83 100644
GIT binary patch
delta 561
zcmaFDe2Ha(PJMW3p?*+eX_953ex^@iQDJ~{rhi_taYac)KvYIVlDV&AQdM}BX{d3P
zCs#>kiHVU>N~l3nS($m2zN@FXdAW~vYEe){MOl)0hLd4QsY#xte??)TCzr0BLUD11
zZfc5=si~o*f@e`wu4B4FmA^?;U}~neuYq5Vt8th~M1536PF1e4Z>f`$exz}LW0FaJ
zc6Nw)nU9etS7NePu2W8ARjN^eMX;k~p^sa(hlN{yMx<GJuBB^wN^(k8L4jXsgh?fa
zbq3kt0qKDX`e~tVX<0>nsS#<GSpi-tAyu9^MR~4e+DX2lK?SB^+Try%zU3j|Mm}zV
zT;An=PT{^z*`>MVMaJd@mY$Z0p+13rE+#%zL6${T{$Y;pj_yugi5?b?Am2qmJQfsI
zP#jqp8f@xmQW6xB;cf0}YU!4i?Pz3_p`C10RbiBF;o(>0=TqwH$rWK)T#@P&=xLno
zmFkj`<y2tiTVEcUT~y(ls_kWLmg1S0>*rKZS`g%J7|ErptE-S+oT{H$7-Eo|SXz`7
zl$jJ6>ggHoY~dB@?Hv^4n-h}gRNz>iUgD8v<jTeOWkT)yy6l59MGYtaOIvuvk|pJ9
zW%s6&hk0bOQ_i=jGfbQ$rJytIViI?YU)4fZu1@PkGkf~Ae%1z_ImM9gCYsS`dg+E-
ggY|bA<_Z1Dg5Rv4IxL%RkiC+n>*=KVN|PC!0SXJjJOBUy

delta 450
zcmcb_@`QPUPQ7<pnU8O#hq;%Bt67=3NkD<VesE!xQ-DQysG+Z4rJ=rSa$&K*Ur0z`
zAXlVWuv<iUs=jGJQK^}>aapKYs+oCGP?Sr!OLl2?N?N*Wgn4OTmXk?nIhU@TLUD11
zZfc5=si~o*f@e`wu4B4_qg$T2Q-FzEc1dWYhh<=yU%gjAm`jRZvTK1?R%BtWe^F*}
zS%hVTdzgU*S5!v6wzpqNwqaRlV3et8mSIJxM@n(IW0paPL2!OnroM->S%G0maagh=
z$hruKO~qxV2ANS=PMKNZ-f0D9p4vWXK{>8oM#Y7BS*H3%xds_Q;Z>%7g+3wKTplU)
zX=VA^7Uor{xxvnE;V!{BRoMl(Wgb4IWyuC5Srx7&2KmXEApu3s>0G+Hx(ZI&fhi{b
zM!EW#mKH@hPRV{5$yK3d;aLV5CHa|tK7lTI2H|Fv-g$=l$y}oRyotMbR=wM`U+G}@
zWuF`G8<xk2%~GCU<?`&?<o_Rn3YpFHc3KNOU)^-+S*^0gp-tI>kMd>jR0<T@9r8KO
pv18iD#+ZciV^hA`rRl%_*nC2C-S&%H{>JGji*aSR*x1E70{}D+pvC|I