From d9f06234fdf26d38a04c5606c66d89a3bb828be7 Mon Sep 17 00:00:00 2001
From: blake
Date: Thu, 23 Oct 2025 21:55:18 -0500
Subject: [PATCH] add syncthing to holocron
---
 hosts/nixos/snowbelle/configuration.nix | 3 +-
 modules/holocron/default.nix | 1 +
 modules/holocron/syncthing/default.nix | 65 ++++++-
 modules/holocron/syncthing/myconfig/cert.pem | 14 ++
 .../holocron/syncthing/myconfig/config.xml | 173 ++++++++++++++++++
 modules/holocron/syncthing/myconfig/key.pem | 6 +
 secrets/secrets.yaml | 12 +-
 7 files changed, 259 insertions(+), 15 deletions(-)
 create mode 100644 modules/holocron/syncthing/myconfig/cert.pem
 create mode 100644 modules/holocron/syncthing/myconfig/config.xml
 create mode 100644 modules/holocron/syncthing/myconfig/key.pem
diff --git a/hosts/nixos/snowbelle/configuration.nix b/hosts/nixos/snowbelle/configuration.nix
index 7b808a5..b4ebf56 100644
--- a/hosts/nixos/snowbelle/configuration.nix
+++ b/hosts/nixos/snowbelle/configuration.nix
@@ -21,11 +21,12 @@ in
 sops.enable = true;
 podman.enable = true;
 yubikey.enable = true;
- syncthing.enable = true;
+ syncthing.enable = false;
 tailscale.enable = true;
 nvidia.enable = true;
 };
 holocron = {
+ syncthing.enable = true;
 copyparty.enable = true;
 ensure_perms.enable = false;
 zfs.enable = true;
diff --git a/modules/holocron/default.nix b/modules/holocron/default.nix
index 5a93f9f..f45b546 100644
--- a/modules/holocron/default.nix
+++ b/modules/holocron/default.nix
@@ -10,6 +10,7 @@
 ./nfs
 ./smb
 ./zfs
+ ./syncthing
 ./copyparty
 ./perms
 ];
diff --git a/modules/holocron/syncthing/default.nix b/modules/holocron/syncthing/default.nix
index 4784cca..020c768 100644
--- a/modules/holocron/syncthing/default.nix
+++ b/modules/holocron/syncthing/default.nix
@@ -1,22 +1,67 @@ -{ pkgs, config, lib, ... }: - -let +{ + pkgs, + config, + lib, + ... +}: let service = "syncthing"; cfg = config.holocron.${service}; -in -{ - options.system.syncthing = { + sec = config.sops.secrets; +in { + options.system.${service} = { enable = lib.mkEnableOption "enables syncthing"; }; config = lib.mkIf cfg.enable { services.syncthing = { enable = true; -# user = "blake"; -# group = "blake"; -# dataDir = "/var/lib/syncthing"; + user = "blake"; + group = "blake"; + dataDir = "/var/lib/syncthing"; guiAddress = "0.0.0.0:2222"; -# openDefaultPorts = true; + openDefaultPorts = true; + extraFlags = ["--no-default-folder"]; + key = sec."${service}/snowbelle/key".path; + cert = sec."${service}/snowbelle/cert".path; + settings = { + devices = { + "lugia" = {id = "BKKSFPH-YEOVVAB-DTT7KK3-UDKAEJ2-PC6ECG7-Y76ZIVP-JRYMMXS-RTZYVQ3";}; + "zygarde" = {id = "UYLTF52-VVKUR7F-JN33HQZ-RFNWGL3-JER52LA-GZD2LPJ-QIFEE7K-MNMZRQ5";}; + "CEN-IT-07" = {id = "DPYKA4Z-3PX7JB2-FBEOXXX-SC7TLT2-QC5P2IR-SXOPJGX-QO3DMII-5B7UCA4";}; + }; + folders = { + "holocron" = { + path = "/holocron/users/blake/holocron"; + devices = ["lugia" "zygarge" "CEN-IT-07"]; + versioning = { + type = "staggered"; + fsPath = "/syncthing/backup"; + params = { + cleanInterval = "3600"; + maxAge = "0"; + }; + }; + + }; + }; + options = { + urAccepted = -1; + }; + }; + }; + + sec = { + "${service}/snowbelle/key" = { + owner = "blake"; + group = "blake"; + }; + "${service}/snowbelle/cert" = { + owner = "blake"; + group = "blake"; + }; + }; + homelab.backups.baks = { + ${service} = { paths = [ config.services.syncthing.dataDir ]; }; }; }; } diff --git a/modules/holocron/syncthing/myconfig/cert.pem b/modules/holocron/syncthing/myconfig/cert.pem new file mode 100644 index 0000000..aec65c4 --- /dev/null +++ b/modules/holocron/syncthing/myconfig/cert.pem 
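Review bot: The `sec = { … };` block near the end of `config` never declares the two secrets, because `sec` is only the let-binding for `config.sops.secrets` and inside `config` it is read as an option named `sec`; it should be `sops.secrets = { … };` so that the `key` and `cert` paths above resolve to files owned by `blake`. Two naming slips sit in the same hunk: the folder's device list has `"zygarge"` where the declared device is `"zygarde"`, and the option is declared as `options.system.${service}` while `cfg` reads `config.holocron.${service}` (likely `options.holocron.${service}` was meant). On exposure, `guiAddress` remains `0.0.0.0:2222` and nothing visible here sets a GUI user or consumes the new `syncthing/gui_passwd` secret, so unless that is configured elsewhere the admin GUI is unauthenticated on every interface the firewall allows; binding it to `127.0.0.1:2222` or a VPN-only address is the safer default.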
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICHTCCAaOgAwIBAgIJAN+4AxPl9/adMAoGCCqGSM49BAMCMEoxEjAQBgNVBAoT +CVN5bmN0aGluZzEgMB4GA1UECxMXQXV0b21hdGljYWxseSBHZW5lcmF0ZWQxEjAQ +BgNVBAMTCXN5bmN0aGluZzAeFw0yNTEwMjQwMDAwMDBaFw00NTEwMTkwMDAwMDBa +MEoxEjAQBgNVBAoTCVN5bmN0aGluZzEgMB4GA1UECxMXQXV0b21hdGljYWxseSBH +ZW5lcmF0ZWQxEjAQBgNVBAMTCXN5bmN0aGluZzB2MBAGByqGSM49AgEGBSuBBAAi +A2IABGnzZnvBY5L+WRINOiflmbzejWK5CsPb0PvVV9hZaYtTRgdIgY7sP9i7zS8h +TuOaT/Ooa6GWLHPQTtMnnx6vBKTdkt0UVP0tqhJHcalqrenXI1juTAyd99xiBNEW +hftM9aNVMFMwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr +BgEFBQcDAjAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCXN5bmN0aGluZzAKBggq +hkjOPQQDAgNoADBlAjBtKMxB057YFRTITu9fZl7XwjlNWKdmqMpcGmL5hdD8thE8 +ncHWBoKXe1IrhQAc5CQCMQCmIno5pns5AfV/dUGe2TzWOSUZXbpOGGwk7URjjAUn +oVa5oL1FEOfrFIu5JUfvtes= +-----END CERTIFICATE----- diff --git a/modules/holocron/syncthing/myconfig/config.xml b/modules/holocron/syncthing/myconfig/config.xml new file mode 100644 index 0000000..1f37121 --- /dev/null +++ b/modules/holocron/syncthing/myconfig/config.xml @@ -0,0 +1,173 @@ + + + basic + + + + 1 + + 3600 + + basic + + 0 + 0 + 0 + random + false + 0 + 0 + 10 + false + false + false + 25 + .stfolder + false + 0 + 2 + false + standard + standard + false + false + false + false + false + false + + 1024 + 4096 + + + +
dynamic
+ false + false + 0 + 0 + 0 + false + 0 + 0 +
+ +
127.0.0.1:8384
+ QcahbTcCfpJSH2PFwtKpeAmFCniikFkC + default +
+ + + tcp://0.0.0.0:41035 + dynamic+https://relays.syncthing.net/endpoint + quic://0.0.0.0:41035 + default + true + true + 21027 + [ff12::8384]:21027 + 0 + 0 + 60 + true + 10 + true + true + 60 + 30 + 10 + 0 + 0 + + https://data.syncthing.net/newdata + false + 1800 + 12 + false + 24 + false + 5 + false + 1 + https://upgrades.syncthing.net/meta.json + false + 10 + authenticationUserAndPassword + 0 + true + 0 + https://crash.syncthing.net/newcrash + true + 180 + 20 + default + auto + 0 + true + false + 0 + 0 + false + 10 + 20 + 30 + 40 + 50 + 0 + + + + basic + + + + 1 + + 3600 + + basic + + 0 + 0 + 0 + random + false + 0 + 0 + 10 + false + false + false + 25 + .stfolder + false + 0 + 2 + false + standard + standard + false + false + false + false + false + false + + 1024 + 4096 + + + +
dynamic
+ false + false + 0 + 0 + 0 + false + 0 + 0 +
+ +
+
diff --git a/modules/holocron/syncthing/myconfig/key.pem b/modules/holocron/syncthing/myconfig/key.pem new file mode 100644 index 0000000..872357d --- /dev/null +++ b/modules/holocron/syncthing/myconfig/key.pem @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDA9hp4MRq2AKZ/jWr/H7X0qRFzaeMaZKowq3oCuYbG0pcmqj/5va69c +qGhJHY7YaeWgBwYFK4EEACKhZANiAARp82Z7wWOS/lkSDTon5Zm83o1iuQrD29D7 +1VfYWWmLU0YHSIGO7D/Yu80vIU7jmk/zqGuhlixz0E7TJ58erwSk3ZLdFFT9LaoS +R3Gpaq3p1yNY7kwMnffcYgTRFoX7TPU= +-----END EC PRIVATE KEY----- diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 0e49c96..6a77bbf 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
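Review bot: `myconfig/key.pem` adds an EC private key to the repository in cleartext, although the same commit stores `syncthing/snowbelle/key` sops-encrypted in `secrets/secrets.yaml`; if both are the same key, the encryption no longer protects it. Assuming it is the key behind the committed `cert.pem` (the Nix module references nothing under `myconfig/` in the visible hunks), it is a Syncthing device identity, and anyone who can read the repository or its history can present that device ID to peers that trust it. The file should be dropped from the commit, the key pair regenerated so the exposed device ID is retired on the peers, and the history rewritten, since deleting the file in a later commit leaves it retrievable. `myconfig/config.xml` in the same directory carries a 32-character value after the GUI address that looks like the GUI API key and needs the same treatment, and a `.gitignore` entry for `myconfig/` would keep generated state out of future commits.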
@@ -6,10 +6,14 @@ klefki_auth_map: ENC[AES256_GCM,data:u8OBLtT/,iv:THW21BDyhyFIjcwixsAnaAODofxbuQZ tailscale_authkey: ENC[AES256_GCM,data:SU0k3asrJd+WZ86VbC4w8TDJp+MqsbyagrzCfDcgTzO5yvBjpWAKbJ7A+VxgQvdu4+S2jMYbdrONPp3YbQ==,iv:VMYmGVk5GpUQApKKQYhdOw/cYCXrXxEZJJwHfQL4MjQ=,tag:7ruaoCDxuFQ7tE/JLJ37Xw==,type:str] #ENC[AES256_GCM,data:bEbCic+ZDAA5ieNedCbiVbJrse17,iv:UwRYlis6NPB/RUcv+YnPxrGdbIcF4hrNiZt19YvWZNQ=,tag:m6PVlzPNnahX7X7KzMUj7A==,type:comment] borg_passwd: ENC[AES256_GCM,data:XOMJtr+DRs7xn5Iclc49iTzK9cFJyc/fSXJjhdKa9jdN,iv:YB8z7zNYjh6NpSxQb1TfPxAYUdzThdVfNZIe6tO5grA=,tag:bO6kZ3cLJDL4IQoWmGvRdg==,type:str] +#ENC[AES256_GCM,data:VdbMrwGKUKNJHw==,iv:OLwBh6KQXR/H8eRgp/hH8k3QfIkK/ydL735kx/dpc8E=,tag:N+v+ym6RMbvW4IckbiLK8Q==,type:comment] +syncthing: + gui_passwd: ENC[AES256_GCM,data:CicGIe5dT8lJVchCcE4wg3E8va3RYR8d53MISkE=,iv:8ziDDyQvU8ABaKKwYlcHmvm8Qybk4G+q5F0Ghqluu9w=,tag:YlyNPE04KD3detL1QUTrgQ==,type:str] + snowbelle: + key: ENC[AES256_GCM,data:MrAc4RXi6h4WOboZgBRjggPNGUrQwM1Vu5N5aPYBxeBZPi2ut8OApWcA9apWzYZNQTFF5QCtCpG9W+1CLJRG701PRK1Wf01r5SDI8aIXkgc2MjXuzS/y/WIqWoPK1nmtjxTYqaDR68II2tc/P7hgtf2EwYPV2JP6v6cCihADOKvXW1pBxi9kMjZGcbY54IyUrOdNauDvaZRgCSP7xtg8aWf1FlmJbiQgMW2lK/f+8rc/3OGS+ieFt35h29Khl4rhuYGB6rgTwvDaWa9g60rPzVcg6tKw+Unef99pA+CQnhVJJIejKlC07pCdqdjCUc+w0oQ69cVoucWeHqlq3xA7IvYIGi9K+OFCLmsoqjMe/wUSC/r2s/nnqbXsgVx9j8j0,iv:2FoZwwzKUky02Z34KRVP/jPhOMXnLZh841+4lybsbCY=,tag:ZL5qh3OcFjiWgqtmTCUFkw==,type:str] + cert: 
ENC[AES256_GCM,data:tvJX88ounzIzKmKcvEe0UtHrq51DMAIHGVZE2StqfNkn2QP+Er/geEh0wwmP9Q8+XBBjDT6oSAlWLjq6Tc1yYWSKju6Ig8GEJNDHL2UMVniBFzroSlO9hqZzbbNe1896WiwhhypvBoves7STTE7tJ2+Hzyss1BCYjcI+evGliJslq2nqxroMxIwBXfuDtxcTAeJ+SiKonY7W29NA05P1zYm6o6Td09VUS0cYWx2VUoP/8PMpeWLNciaHz8TjUeZ2Qob3pcNielu/VDqbunLvbFapqdV0hkl8gxgho+MmkC3+DXp/JDnG+vRm603wxqDECh6CNYc0CEXvM0/8gSXt6AkjATv6tBV98VeLknZkqVjBahtxrZuwquMuQbh1jD53RgsvnwB39FyFHZw29DGcUD0A7hIGnqSYVc2TXW+sgRxzXVFYsVrt1sWrYa2DpZT5zaFbps0dd194/j0SHOdf3p/4HF0GncWfTWLT89F/oAyJLio4X7yjES/DljgvmsrX0LdHnAYYAKDCWhZml3wSHBJ7Uvj1KiH2asxXkdiTPf8wulmwT+01hhBoX3QCkVYkdJpDbVddjLkwpLNyJATHctyuqzOdEMR4w5usTv9vKcgkMtbmxfWajb4lhjCpuaavkDUoI5h6eB8veXbZqAuX24bCvsLBWOVkg4qt1GGRqHx7+lfFanzMGyYYC/ufAXWD6eOOVsCjHJbHJoI16zq0HkfNpr30w+gO8hOyKgBP64anElzT3NB1sDi2GWxhSUKTDZ3rLsagPhZb3l3/u5SMf6lLWsY6IyFgPcVgY1snSOtd+PO9z9ipfyQZn4kKCtkNPPof8T58Qi7CP4KmVvbJsF67BH26SFclQLaJv5RO7e936vNwLrVhbyaclM0Vz6Y8wJvG4vW1Z4qPt6kP80NEATdrfwAr9nvZkb5rHqRWdxqIWSD5as+HPFzM/Mv0sBZ+B+CnsSv1btdB/iLacd032PGKXfZLxqGGOL1HIjM+QjSjaBTqrYcMke3GvnVfIujfdtcn9tOqGK+QYPS1CTYxWznmHloL2/WYwBY=,iv:qlIfrPxz7NvjkIXSkumfKvN0O1qq1S0T5j+37L8aReU=,tag:Qg8CYcDY/MaLWwNY566wBQ==,type:str] #ENC[AES256_GCM,data:A0ITyGOGMIoyVOcn5JOi1RAtqUM=,iv:+wWpmFbeLiX/Ae53pj0QmnYY3MEzOMib4cqbePUKtGI=,tag:JHXvrN4bOH+oD3Q70pUuew==,type:comment] pia_auth: ENC[AES256_GCM,data:rwAu4f5XVS4v4FCLj2zXAegIZeRPLIzUVv6TCrdfg9RGSDJYHgVAX0aFXCBQsDQju9RDycXmc9Id8IuyYN8=,iv:kEA4ADQyUI+zlQoZOKi81dw5BLE1oesqhVf6bfiLgB4=,tag:VHT2uPNW27F3KRM7ZhWdCw==,type:str] -#ENC[AES256_GCM,data:7y1mtYNfbsagqtr66kOx2rinneEW3EZaCJIXzK0qjLX36g==,iv:8ozXuBYirLbKd8sCln2xv/WjhTojY85xU0cL5NVeMlQ=,tag:mclz0GfQ9j2EGWMiQ62QmA==,type:comment] -openvpn_pia_mexico_config: ENC[AES256_GCM,data:59HQ3OZ0QKq92jI=,iv:DZTNvfi6kLXG7dsNkPcXUmXhAG2UdPZBy/L9eWNmRdE=,tag:ndxDDQNL2z1fjxFfU2VRwQ==,type:str] #ENC[AES256_GCM,data:mbIgMJBhL8nWJzl8q2dFL8XtO1Xa1Q==,iv:caYHYp1boK9wRgCcQe40HTWT/HxAIvYe+HyaruI53Vc=,tag:S6wowhAHObEcs7z8FimZ1g==,type:comment] wg_mex_key: 
ENC[AES256_GCM,data:vxDXixo6X6D33+p21L4hB0/yCH+TvMHZl991BkRsE/jdz7rzZuJF+zI7h+Q=,iv:8WR+feHXNUcat8DB2wY7wpos+P7TzgRF7rFD0fYosjY=,tag:p9b9ck0/VZjyLxtHut3n5Q==,type:str] #ENC[AES256_GCM,data:CO5nrcDbgymnEmCvuTexOBEMncuNM5lQ,iv:6HrxqSN6e7ODuz09MIFgPbIqDCKQySRDaKk5Wdu4HoQ=,tag:JBRjZeEdOg+trohfanO6Mg==,type:comment] @@ -50,7 +54,7 @@ sops: U0tmdFBuZnJES3piOTZNV0VKQmQ0eVUKCWRQ/flLzmpC64WyLoipklZBmrkpYiUg PRu+itNolpPTHm96pe+P93g2iP0wgekG0cX21wkiU2xaLF3dY2FEIA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-19T19:33:09Z" - mac: ENC[AES256_GCM,data:xownqG5ZDtSfZkGRK1jmA7TvK0Ty3Lo26R/IYKTa+rncr85KmAq6CekCdEGP86k9BKh/wFgYgCs9T3BexwxPy5Fy6880k2D4B3ExiZfdY07EyXDqnKmjfUw0HFUaXUQ3hq8FYn3BDUhpo1uSaaNmKFk7PoPvsDDpU/ojhJTveV8=,iv:QlnXIv8tqEwJp7ffMnFtlGOOSCTzkIxABxzlVBwbr1g=,tag:1M4DC2zY2MVuJ5eZQ51Q5A==,type:str] + lastmodified: "2025-10-24T02:40:54Z" + mac: ENC[AES256_GCM,data:1x21LVoE1T/0+cKPiTpfsExWFzCpTQN3BTL2I5LmCX1qlH6s/2zW7LxVrqnVFYcoM+MNjJ/2e0Srp13HDCwxpnjuOYYsEL6fpaZJVOta9IFQYZc5UyZ8fgblt8+F3e6o4fu4ZrweqtFanAknQ0yqFXg7yEwAm+yoRRJOnSc7LI4=,iv:/vZ6DZ7qWqifuZaIFF454oNb4KO7s5AZ4O2hez3aJcA=,tag:WVtfBO6wpKEcCe5VhY2CRw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0