From 1233b1afde83ba6efb0e56ce22fed511b3d57097 Mon Sep 17 00:00:00 2001 From: "xyno (Philipp Hochkamp)" Date: Thu, 14 Sep 2023 15:16:09 +0200 Subject: [PATCH] feat: hedgedoc --- hosts/picard/default.nix | 11 +++ lib/options.nix | 16 +++++ nixos-modules/services/authelia.nix | 83 +++++++++++++++++++++++ nixos-modules/services/hedgedoc.nix | 34 +++++++--- secrets/autheliaEmail.age | Bin 0 -> 1211 bytes secrets/autheliaHedgedoc.age | Bin 0 -> 1618 bytes secrets/autheliaJwtSecret.age | Bin 0 -> 932 bytes secrets/autheliaOidcHmacSecret.age | 18 +++++ secrets/autheliaOidcIssuerPrivateKey.age | Bin 0 -> 4089 bytes secrets/autheliaSessionSecret.age | Bin 0 -> 1004 bytes secrets/autheliaStorageEncryption.age | 18 +++++ secrets/hedgedocSecret.age | Bin 922 -> 1141 bytes secrets/secrets.nix | 7 ++ 13 files changed, 178 insertions(+), 9 deletions(-) create mode 100644 nixos-modules/services/authelia.nix create mode 100644 secrets/autheliaEmail.age create mode 100644 secrets/autheliaHedgedoc.age create mode 100644 secrets/autheliaJwtSecret.age create mode 100644 secrets/autheliaOidcHmacSecret.age create mode 100644 secrets/autheliaOidcIssuerPrivateKey.age create mode 100644 secrets/autheliaSessionSecret.age create mode 100644 secrets/autheliaStorageEncryption.age diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix index 984a4bb3..32c4caa0 100644 --- a/hosts/picard/default.nix +++ b/hosts/picard/default.nix @@ -66,6 +66,17 @@ enableACME = true; forceSSL = true; locations."/".return = "307 https://xyno.space$request_uri"; + } // (lib.findOutTlsConfig "xyno.systems" config); + + security.acme.certs."xyno.systems" = { + dnsProvider = "ionos"; + dnsResolver = "1.1.1.1:53"; + group = "nginx"; + extraDomainNames = [ + "*.xyno.systems" + ]; + credentialsFile = "${config.age.secrets.cloudflareAcme.path}"; + }; services.nginx.appendHttpConfig = '' diff --git a/lib/options.nix b/lib/options.nix index 13610bad..f4852ff8 100644 --- a/lib/options.nix +++ b/lib/options.nix 
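Review bot: The vhost that this hunk closes with `} // (lib.findOutTlsConfig "xyno.systems" config);` still carries `enableACME = true;` from the unchanged context lines above, while the new `security.acme.certs."xyno.systems"` entry switches that same certificate name to a DNS-01 challenge; the nginx module declares a webroot for every enableACME vhost, and the acme module treats webroot and dnsProvider on one cert as mutually exclusive, so one of the two declarations has to go. `dnsProvider = "ionos"` is paired with the `cloudflareAcme` secret as `credentialsFile`; lego's IONOS provider reads `IONOS_API_KEY` from that file, so either the provider or the secret name appears to be wrong and it is worth confirming which service actually hosts the xyno.systems zone before a wildcard issuance is attempted. This hunk calls `lib.findOutTlsConfig`, whereas the authelia.nix and hedgedoc.nix hunks in this commit call `lib.my.findOutTlsConfig`; unless lib is extended under both paths, one spelling fails at evaluation.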
@@ -15,4 +15,20 @@ rec {
 type = types.bool;
 example = true;
 };
+ findOutTlsConfig = domain: config:
+ let
+ spl = builtins.splitString "." domain;
+ outerDomain = builtins.concatStringsSep "." (builtins.take (builtins.length spl - 1) spl);
+ in
+ lib.mkMerge [
+ ((lib.hasAttr outerDomain config.acme.certs) && {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+ })
+ (!(lib.hasAttr outerDomain config.acme.certs) && {
+ forceSSL = true;
+ enableACME = true;
+ })
+ ];
+
 }
diff --git a/nixos-modules/services/authelia.nix b/nixos-modules/services/authelia.nix
new file mode 100644
index 00000000..eb57ae6c
--- /dev/null
+++ b/nixos-modules/services/authelia.nix
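Review bot: `findOutTlsConfig` cannot evaluate as written: `builtins.splitString` and `builtins.take` are not builtins (they are `lib.splitString` and `lib.take`), `cond && { … }` is a type error whenever `cond` is true because `&&` accepts only booleans, and `config.acme.certs` lacks the `security.` prefix although every caller in this commit passes the NixOS `config`. The label arithmetic is also inverted: `take (length spl - 1)` keeps everything but the last label, so `md.xyno.systems` yields `md.xyno` rather than the `xyno.systems` certificate name, and `useACMEHost = "${domain}"` then points at the vhost's own name instead of that certificate. Returning a `lib.mkMerge` value is fragile as well: the callers combine it with `//`, and as far as I can tell the module system keeps only the `contents` of a `_type = "merge"` set, so the vhost's own `locations` would be silently discarded. A plain attribute set built with `lib.optionalAttrs` avoids all of this.
```nix
  findOutTlsConfig = domain: config:
    let
      labels = lib.splitString "." domain;
      # certificate to look for: the domain minus its first label
      outerDomain = builtins.concatStringsSep "." (lib.drop 1 labels);
      hasWildcardCert = lib.hasAttr outerDomain config.security.acme.certs;
    in
    { forceSSL = true; }
    // lib.optionalAttrs hasWildcardCert { useACMEHost = outerDomain; }
    // lib.optionalAttrs (!hasWildcardCert) { enableACME = true; };
```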
@@ -0,0 +1,83 @@ +{ config, lib, pkgs, ... }: +let + cfg = config.ragon.services.authelia; + stateDir = "/var/lib/authelia"; + instanceName = "main"; +in +{ + options.ragon.services.authelia.enable = lib.mkEnableOption "Enables the authelia SSO Server"; + options.ragon.services.authelia.domain = + lib.mkOption { + type = lib.types.str; + default = "sso.xyno.systems"; + }; + config = lib.mkIf cfg.enable { + + ragon.secrets.autheliaStorageEncryption = { }; + ragon.secrets.autheliaSessionSecret = { }; + ragon.secrets.autheliaOidcIssuerPrivateKey = { }; + ragon.secrets.autheliaOidcHmacSecret = { }; + ragon.secrets.autheliaJwtSecret = { }; + ragon.secrets.autheliaEmail = { user = "authelia"; }; + services.authelia.instances.${instanceName} = { + enable = true; + secrets = { + storageEncryptionKeyFile = config.age.secrets.autheliaStorageEncryption.path; + sessionSecretFile = config.age.secrets.autheliaSessionSecret.path; + oidcIssuerPrivateKeyFile = config.age.secrets.autheliaOidcIssuerPrivateKey.path; + oidcHmacSecretFile = config.age.secrets.autheliaOidcHmacSecret.path; + jwtSecretFile = config.age.secrets.autheliaJwtSecret.path; + }; + settingstFiles = [ + config.age.secrets.autheliaEmail.path + ]; + settings = { + theme = "auto"; + default_2fa_method = "webauthn"; + authentication_backend = { + file = { + path = "${stateDir}/users.yml"; + }; + }; + storage = { + postgres = { + host = "/run/postgresql"; + }; + }; + notifier = { + smtp = { + address = "smtp://smtp.ionos.de:465"; + sender = "xyno.systems SSO "; + username = "machdas@xyno.space"; + subject = "[xyno.systems SSO] {title}"; + startup_check_address = "autodelete@phochkamp.de"; + }; + }; + + }; + }; + systemd.tmpfiles.rules = [ + "d ${stateDir} 0755 authelia authelia -" + ]; + ragon.agenix.secrets.autheliaSecret.owner = "authelia"; + services.nginx.virtualHosts."${cfg.domain}" = { + locations."/".proxyWebsockets = true; + locations."/".proxyPass = "http://127.0.0.1:${toString 
config.services.authelia.instances.${instanceName}.settings.server.port}"; + } // (lib.my.findOutTlsConfig cfg.domain config); + services.postgresql = { + enable = true; + + # Ensure the database, user, and permissions always exist + ensureDatabases = [ "authelia" ]; + ensureUsers = [ + { + name = "authelia"; + ensurePermissions."DATABASE authelia" = "ALL PRIVILEGES"; + } + ]; + }; + ragon.persist.extraDirectories = [ + "${stateDir}" + ]; + }; +} diff --git a/nixos-modules/services/hedgedoc.nix b/nixos-modules/services/hedgedoc.nix index dc77ec23..b796eef1 100644 --- a/nixos-modules/services/hedgedoc.nix +++ b/nixos-modules/services/hedgedoc.nix 
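Review bot: `settingstFiles` in the instance block is misspelled; the option is `settingsFiles` (the hedgedoc hunk in this commit uses that name), and an undeclared option will most likely abort evaluation, so the email settings file would never be loaded: `settingsFiles = [ config.age.secrets.autheliaEmail.path ];`. `ragon.agenix.secrets.autheliaSecret.owner = "authelia";` names a secret this commit never declares (secrets.nix registers autheliaStorageEncryption through autheliaHedgedoc, but no autheliaSecret) and the other secrets in this file go through `ragon.secrets.*`, so the line looks like a leftover that should be dropped or renamed. The file-backed user database at `${stateDir}/users.yml` holds password hashes but lives under a directory created `0755`; `"d ${stateDir} 0750 authelia authelia -"` is the safer default, and the file's own mode still needs checking since tmpfiles only sets the directory.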
@@ -5,38 +5,54 @@ let in { options.ragon.services.hedgedoc.enable = lib.mkEnableOption "Enables the hedgedoc BitWarden Server"; - options.ragon.services.hedgedoc.domainPrefix = + options.ragon.services.hedgedoc.domain = lib.mkOption { type = lib.types.str; - default = "md"; + default = "md.xyno.systems"; }; config = lib.mkIf cfg.enable { + ragon.secrets.autheliaHedgedoc = { user = "authelia"; }; + services.authelia.instances.main.settingsFiles = [ + config.age.secrets.autheliaHedgedoc.path + ]; services.hedgedoc = { enable = true; environmentFile = "${config.age.secrets.hedgedocSecret.path}"; configuration = { protocolUseSSL = true; sessionSecret = "$SESSION_SECRET"; - allowEmailRegister = false; - domain = "${cfg.domainPrefix}.${domain}"; + allowAnonymous = false; + allowAnonymousEdits = false; + allowFreeURL = true; + email = false; + oauth2 = { + clientID = "$OAUTH2_CLIENT_ID"; + clientSecret = "$OAUTH2_CLIENT_SECRET"; + providerName = "xyno.systems SSO"; + authorizationURL = "https://sso.xyno.systems/oauth2/authorize"; + tokenURL = "https://sso.xyno.systems/oauth2/token"; + userProfileURL = "https://sso.xyno.systems/oauth2/userinfo"; + scope = "openid profile email"; + userProfileUsernameAttr = "sub"; + userProfileEmailAttr = "email"; + userProfileDisplayNameAttr = "name"; + }; + domain = "${cfg.domain}"; db = { dialect = "postgres"; host = "/run/postgresql"; database = "hedgedoc"; }; - allowAnonymousEdits = false; - allowFreeURL = true; }; }; ragon.agenix.secrets.hedgedocSecret.owner = "hedgedoc"; services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = { - forceSSL = true; - useACMEHost = "${domain}"; locations."/".proxyWebsockets = true; locations."/".proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.configuration.port}"; - }; + } // (lib.my.findOutTlsConfig cfg.domain config); services.postgresql = { + enable = true; # Ensure the database, user, and permissions always exist 
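Review bot: The unchanged context line `services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {` still reads `cfg.domainPrefix`, which this hunk removes from the options, so the module no longer evaluates; it should become `services.nginx.virtualHosts."${cfg.domain}" = {`, and the `domain` binding from the `let` that starts above the hunk is probably unused afterwards. The oauth2 block hard-codes `https://sso.xyno.systems/...` three times although the authelia module added in this commit exposes the host as `config.ragon.services.authelia.domain`; deriving the URLs from that option keeps the two modules from drifting apart. `userProfileUsernameAttr = "sub"` also deserves a second look: if Authelia issues an opaque subject identifier, HedgeDoc will display that instead of a login name, and `preferred_username` is the readable claim the `profile` scope already requests.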
diff --git a/secrets/autheliaEmail.age b/secrets/autheliaEmail.age new file mode 100644 index 0000000000000000000000000000000000000000..5f9a03eadd084965eac6e3dcc03eea92e789da70 GIT binary patch literal 1211 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+Pfqpr4^%LzOw8Ag z2=Ys<$afBO&NL1UaI5n1%S}xzG4Tsn^G~FXSyj;Q9!adZ|q%zUc$IMH= z#3-mZqBJQg(M#Va*EG#P%Einx-OR+(4a62Q@^B;DvQJ{ zZ+CaUB!B%3*D{wd3v|B)d3hQ;IVu!X==-^Qo2R)HN={`IePeI-6&P zq*;U*g`(RQkyqyBU9MnYnwcEpVq8|_;cr?P9O7l1obH}uT)~VI7nbN4 z?BiPOn9Svx@0JmmZepOHZI~Nnn4KPI7GdtQLYhXoSQJ6)lzp0N;VP-%`u~Cwxzi)_FaG9r3dbV~}S~AEsqq-tD9o_Vz z)WqUcg&0HM>NJIj+!)pJ{75d>#41-;w*p6x;IOQs5~qUllHBrOH_Lp-BG=H0QgcHC z{i2XEBcB{+{gm`Fzo7Jhg7Tcos*3#b%9J!qH-jiH?UG^-*DU9pw1BF_;KH)xl&t)s za_6K(qr8+5_auW*^QcTulR*EJ@RIDLqH@PjpWIxZ@X~ZHU0q#;ME!~&C+`wBqa^pJ z6tjFYf77&rY~Pe%uM{7n#K64b3bVk>$nY?a?3{8grWX&3-O9!D9E*189Lp&YKgzm7 zbBM+tFmKGUSb-{8A-%^Xxq9(C?`mAy$S<=$+WPzhj>b9n)=&MPzI4K4#nWp~HQ#J; zQtNyBm+x4%xQ@V%|FY~-yq=btKJBmT`cmr`rS@$(Rm5)<1coceRI|CyPmjR z5p^}mwYQ4j)a1e{+g)ELscv?x+o$+2gLmJ(+>-u21?O|OJeN+Ys$!heuW7iF(REY6 ziz%#~*AE>Ph*bDLasH9+tWUhT-+LM#+;aSR^T)|~lUEqLN?)>AMRrc7^{iN{?RvZP UHvW#zGvjX2xn}y=ufI(l05K50H~;_u literal 0 HcmV?d00001 
diff --git a/secrets/autheliaHedgedoc.age b/secrets/autheliaHedgedoc.age new file mode 100644 index 0000000000000000000000000000000000000000..97b1f7c51ca8bf156497ecb3379b47b34cc8198d GIT binary patch literal 1618 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+Pfqpr4^${k&&mz0 zEbvG-Hz`R?4hW9S$jT}A4Rg=+OmXooHZrR;4ENFZG|zUf3gq(2&h*Ro4=4yr^6>G@ zGIMhE4lT(kaZdIRD$NVm&o%QYG)%3`G4(gn_e8g?G~FXSyj(%sB_uM-BP!gapd>3e z$U8aBD>SpLurMVn%hb;|Ip3$iyV#?w(mTo5Ih4z+)Ui0!!=SJrEXh*8%HQ3)pfc01 zILII~JvXStpfcag%O$s<*uTs-%K+WB&``^uU`K`2%>1OBQiF`dWP?JdywH${sO$h| zW1}4ZQ(~RWYBs0rYH?!2Fs(da}vx-bJSBqqqboYQz%e-KpJj=qA!mvd5&C)|EA~Q;}OG`775*>XUvn!%X_4B<MZr#GzByGZ)c--B4zovxUFR%J=PEN%wQyfusJZ*>vSqoCmmm8ru3TyP?ESt&A6k9p?&bcu zJs~H^O>K_m;h^uYKb(2?q_CQqMgFlsqaGnoR!_guAlttLQr zq>gq!(K%r7w`lvhW1IMD8}pp4^lAHNx`IWm-;;eBtE+oG#G|5iJ+=z%Uv!d9 zDbV5OhAua?rSqk$7Vc*Ds4mw&xpLo)7r&&^_stMm_idMw_N_JxLlKwM+=8o4Tm8Qt zE8srCtMimQR&;hpa>@%m^FQ}@yk}!;G+8P9ktrg$D>fu+Vwuy)_rP z7YPJ+oDe;9Lg~g2Umow3(<|B8S529?Yl6T``P)K_#_#tr7s&7CUj3`~&u7Q``a7S9 jJgodGG2brm`kig&Tl7yelm}jE?D}c9&`ok@Ni-V(+7gpJ literal 0 HcmV?d00001 
diff --git a/secrets/autheliaJwtSecret.age b/secrets/autheliaJwtSecret.age new file mode 100644 index 0000000000000000000000000000000000000000..5d9ba15816e0a0127550423a04fb11c7cf211525 GIT binary patch literal 932 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+Pfqpr4^)Ws)HW#c zD)HC$Dh)DE%uDt4h|J1}a>__^^{t9Dj`VQ}Hgha7F>!Zx&*w6XOpZ+UNi@wc%XbY* z&M2-*H7NEsk1#1qHOWl#h&1r@cJeNCHc9mM2}QT9G~FXSyj;O8Da+kFH!9uTHO0sy zxiT>(lsnN$Sprn+pOGKyByuN&``^uU`GX)@=8||m+-G;J3bx6~A)s(h|c7vtb8ue88SBj;qNsBDwmToZpcCsQ|b?-cK} zl(14ivvf0qz;ySj^hk8ug1kJ9og5WHP4k>0+;j5G-TZS*Lrq*V-6Mmld~%J;s^2`hkJl(4tjq{34!aW>IQp+5TJdC5vJWH~Qic>;8d@O>> z+>0W-^8?Xsi^wbU@-A11C^oOk3pO_o52-M6^)9R`Fm}rgHYiB(h$^zoFS7KlOiKO0=|T2rU>2r4mO-jaDtt_CU$er}Fhh1~|hwloK>(0hV^-cPn rkSB4zEiC5um&mdZjrLH!*`Y!ux0e{tJo=%V*W}u ssh-ed25519 WceKOQ GZX8heSkmIlR0J+glN7UIQEqaLlYiDAnAtCYCZink0s +4WCVq/9p/hy0PsLD7+Xicsqy4n/CCjF46AlxqUr950o +-> ssh-ed25519 ugHWWw 2/N4tJuirok6G0/i5Y3sHwzzWeVBXr55eWjT5q4C8QE +fso+V6NHhnE/4iW74YBllmgo8VDpA3QsDC5Rq1N5sLY +-> ssh-ed25519 UU9RSA 74yR0bY8fTudfvg9ZmunA1/8pc/vqfX0Kg1vufsjMX0 +ODe/eWGr70mV3isA1qb4l3ZwIczq7qEKEYXobZoPH3Q +-> ssh-ed25519 RJI3BA QBti5H5B20NtfcJ2IRLlV5PtbyzdqoluODTIynoDWnM +dBCr4Pz5hI0sZJzwD0yGFaqfNDOFSdUjuGFLoYL+waQ +-> ssh-ed25519 XnvJKw cErhiyosJiu1ieQrbTBvnB0A+5p5Hbda2TUVpSOAJVk +tF60UWD0gfrCZ6NJ16IcpWor68ODW8pEfPsLDqaJVzc +-> ssh-ed25519 7NL5Ng dl85dHSW8wlQX8jgSiS9T5n+MyCTGaNMucd4plvylG8 +rwWOHQvMbeC6AxktqLUEtFIs164lqv9AKR+3go7HD2Q +-> Mq'A-grease g '`\|R +UFazsV5qBZJpqg +--- JlKOgp5LUisHVWidRe4gM8gW7i4LIZp6QpX/39visbU +`q @*_§I*òU֍1_gUZGoiQR0<Ed[M f*Pr",|YH=2W|]2ǖ*Ğ`Bw* +QKU)q-ZenL~ \ No newline at end of file 
diff --git a/secrets/autheliaOidcIssuerPrivateKey.age b/secrets/autheliaOidcIssuerPrivateKey.age new file mode 100644 index 0000000000000000000000000000000000000000..74db3fd18f916a7b78809430d1b35575f5f27e5c GIT binary patch literal 4089 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+Pfqpr4^(jR^!KVN zjD#&t;Om}zB4@I}FG~FXSyj&s5wa_EXJJd(p#ii0W zI3=+%y)dWH%*o8p$kaW`u`;OGCBWG{%st9Hu$U{`Jg_LpDIz5>%Pqwv*-YCd!pp!f zwWP!`tGu`{+$qT*GrP#uxTG@M8N;^FP|KiTM};!i;^L}w%XFV|pRi27(7dz?kD{yq z%h2$s;PA}6fCBF-vqInOoO0h#3$9e>>@@GfTkWaa2I!dZEr*URFeu9 z@2VtMFa0W4r@~6Ve00ABd3hQ;IVyx3K~NqoN1PsR8W)`m|T?Z9H4J%rtMo| zm|Rg(X=9J@qbFCT ztG2Iplz&iGc1m(?U}~swSZGpMYH)_BiHAv8QgT#rk#D9)sCG`G8#vx#JQZ!M%yiR> zQWJ|)6>99`QX&=7+)e#e6||~Nb@fUV3j9(NGPo?G9L+tlO0o=!LkhTbb#)c=9kny_ zJVGpU@=Jpae9H>mGrcpaT>RVuQq7CqialH^1H%lwDpLI%^-Z{*y^u@|*}k0R)xnS6 zdG8|b$sCZYo1%T?vPzcn zy=1X=`4x9@*0zf+pMSJoZi=zr9^l(*_^Yxl`ay`W;)*Cn7SY@GQx-*b>MF8d-y^(? zU4z%o{AAKA#jc9KV#Z62tQvMsb1>bJ_s@FK)EcF1pOT4>UVr8MBDh@EW#NjiuN-e)UEM9?ZEI zZ*zYx(mt8;O>>XYEU_;ld%9a$tDYS@v;8vvZBy@SP0#Knox6CHv!zirdq3A7yW&m$ zs^_-)Rx)kWX}kKlJ}NaNV`|x>Gft}{o=*&NHcwg>c2FVV`LT)L6;2zx*|f9X^p!?$ z*XxA7ChzwLs%G13U%Hj6;jOaXC-m&Bbv?b^$?EO2RA7eI_g*sU0s!c6- zxV`C}M}Lm%JE>oP1g50>bZM=9Bz(^*aI@95yr z`?>yf)XQ-n*OK|Y-`_By_1KYct=~2`9?m&k>*bX@d&0c~mbH;b1pS%)&ds5Eo-)GUq9ZjTU@xsV?vF;v}S0z`u;cKu21wrc6PP6 zS#GYo|KZ-_^nDdK1V77lv789nxU{h=^v=@x!WW+Xm~zW#de^#ueP;^m&fYkZcW%-C zEQ_7j4xF}*@_m!MG~KA6bn=go#q~O$SIhBVbyl=pa`r`3*?mUw#@C4{*=G;VlD2(X zC9$;D?B|a)9nWU>c&&(?$$hGKkALKr3x*O8?_cB;Nc?in+u}=U$@!APeCxD%T*4hE zcKtV;6#83JOhhZcxw1L?L_0;tLUJh?A2}j@KtT6p8`uqBx zI%PxoH3kk+--Iq~TtDA3SVw%G_?vqZD|1&Ri`Cxp;8__^Zm{R1>YPO@=2r+DYg4%0 zcAn|cYK@>(IZ^_T#oJP&lxK2YHRAAbj=pNKHRD;&oT*-abbnppX`HoW*KNK#9c?Dr z%~J{*a@yk@mMJ{zkrsYb*YUH}oA=0Zz8yzyo&GO*_0#`wqV^=vqJXPFd+`;q88R4{>j^@PEr;qH(;mJ~5HI;q z8x&q`4BffR!g`zDQT3tk>nbiFLl#2y96`-x*f0 z<9nQ^nrqBuRaujqoEyu}9XR{m{_&n)a$BwA#7@qtG2{A%8Vsmvkr zT8Cz5zkhz9gV}#o$3q#3`PcVJOb=RZX|?F%@y-^`p0_hQQm4lkO+D=S<=%F~2ki{< 
zjc2|G@qYGCZ0HXBvAfUgN`yv|ao!g7ufO6BJKZ=UWmRytZ(mE}^fF%`Ce>d4gCX0# zm-i&@e^Pz7wVa*t$*I2_E`J`Lf4$)Fm9htIR~r{L&#!uZJZ5eC8@} z{k(5(gMkD8G*J;V#vhwW2r#=kIneiE+kCM;o%xsdZ z6%4*x#e`sqo)>a9z~CP(flR^9p|ODJ#G zv;woE$;o#fnJbA-TDdpu^^^#=`7D{9`yGo~gQip$sMfq} z=G-JSM@f$1dETAht`!rM-^w(`r8RE5-jUAk9j$*%w0Pd};2R%R?=nx%4E-GHHa~Ic z>5L1fa)fFdRkxhq?7Sed$8T2t-T)5k)1r1kL5yPF5?ie`r%zmbg6Wl^tnvux{}9{nwWc)7eyfs*z|GH>a;^Gh{up!4Tey`c`j$aq65sMnZ;zFK#hf23+J0f3 z;49Z8p6#<2+uyplFfCldi6xgi&Gp>%=xZLfHLusJ@LielbBEHc!xBP)r?fj+QqG?e zkqt}<$d6Kxx9?wG9k=9>R0wz2GkL4cL8jMEIINV5+`P-&b{ zzNpG`5~)qxPIAzv;uzx?%El4jn3Pzoq4pa^*3jf{AAJ1tG^fTdmGZma;`K=^Hi7dwv>4i zRf{SXJ`xBi%WQB<+OTZ;fs;F5oJcg@7S5<97_=|Z<>^JIy9QymT`zFxs;rux<9TFO znfk{ME8Te)O|+Re`~Dg8cd9<0Z3JKYM$KSmd^?-(z=l`L+?r;cDw_Q*jYG$9tBcG6 z8P05uMei4T?yudXERt+;GG?S=GyA=IV~Rw2YSTCT%LORD0~SGw&~*EB4Md z==y>~pFf-}J?6BcZPP_Po-)O#gVQ*TJ}5iwo3bnO=gNZDM<%h~@SpjKL(6xm!V^8V zRHZuEpyxkamQU$7U(FXF$tCy=Pdks za^7{*wEc!E4@K2?$BBG7%ku7_eCQV5?HtPsZ|d&v@6P{wD@#GYx#3j6)vCq!btY`R z!faOar@aKmP^a&N}ZM(E&>%VtmOr@W;Bz{TM+Q>Hd+wTp}wfKJu=AW#1Y^L41GUW?cL5)4}H@3+F4h?(6f=(Oz?^%ECjqb<@kp zikg#iW~xZ0Pq>(vd4PR(+7zxOVq3OOy%k}+hdIRL>ir0@&C*{*pTxDeboPJI`Dd=Z z%y--Cck7?_9N@n-J6>vPe6oRqqEd$QO1m8E^o`rMG;%KcF!c=Etf$VWo_}dRH`(~F z`-A%XhWndKtG%|k7wqXhr^jN&9vXZ6z+;23vo(*O{Mz=#I(FhOW`pqgbEU6Zyky^d oqVbK_8Tqs z3N3U>w@foM_sla(at$}hs>pWAcF!r+_O|qKi|`0EbM#Ah_2mi<2uThwGD|V^H_tOH z@Q*BrtSm3rw)BfKPA?1fGj(-}tniIUOE)R-C`Y%gG~FXSyj;P<*)Y2xF+;o3-`6X* zG_*J>$=Er|#L=ZPG0Mxst;#ziJ=ERbDa#-`FP*EzDJa!7)3h?x!p%9))W0Ay&n?3+ zI5HyL-^blGB{--&uQ1U_Kf*N0EEL_g&``^uU`K`0sI-D)j|it^k5pfy)THvPtiVj~ z&?2)mbC-PAD9ZvTQwt9RZ$GoZihM4U%p9lu%!tz9?1HRO*0}rOrlZ?0t%BOJ(H3QO^hweO4Gd(ecko* zUCpwMvO+B)lRdM`Lp-_CDvg6m^}P%N4RS-n4Z?G?tAc#XD;@JJEW%TYy!D+e-7?cs z%gqDa1Cr5gi^wbU@-9~>aw<3Ua5gcF@bWhtaRiG&G5-B%kc7Za||}jGt-VLa0)0XHj0cWNe!p0MKP;ni}des_sxG8z;YsXf~~Db-)@?M~rkR~Bqva*;d#Q^Lx3m*fw~ZD*d= zpuf_dwVXA{!8pgC@6AN}!q)ApL%htF@^8KIW7@3>%_%PSe6>5?W;|I_cVV)}&*|%S z$R5w;(pkzScS$d-@7y0n(T3pdF02z3CpSMA>3fp6t7-malWu*Hms65nN()$OZ`}Sb O ssh-ed25519 WceKOQ 
kK8Inu+x8bNb40lDV/syTa5gihjFWLkjECtmVmBgWlg +yBiROhh6uRPoMsy8WU5c251QDagUthHBmBkiUUGy9Q0 +-> ssh-ed25519 ugHWWw 7iV+BBHTbvCtIApzmDKHDtp3DoPtVX8qrAF3VMV95nI +2jbqLmcnjVEgcIg+XaPjg4DhUFTBfVX0tDjJHLR4TGg +-> ssh-ed25519 UU9RSA pipBNg64f60hGCTU2DjcTVVI6OpV9OyFAy2r9hp9Ggc +R+FsNnj+TLIa8OS0jnZGb/aS+0BBtY1N5ELZSieHPFM +-> ssh-ed25519 RJI3BA HwU4W2QgXjVO127XV4pwHXLTZRC46R58m53bxV647jY +z0PgUObWS0rYjxMPZkXAwI4Ft5mgdkM+JCZxzHrfmlo +-> ssh-ed25519 XnvJKw CLN1vmYCs1yLmttKMhUifsp5k4rTXLLKk6PgBSXJ2C0 +EwDObMlQXc+Kio0MAQS0rgRmnBw9+N9SWeI4xmGrL9E +-> ssh-ed25519 7NL5Ng PIKvmA6BPcAunBDRdPpvWKztPXZu6h0LlE7RLtJIMzw +BVsAeAJFweKWhO6V9P3VoUxMtasI44OJPMhAlv5Hpco +-> 83-grease 9@=d4zg AUuq< Q}7Z +fRY6D7W54hHKl4J1JgHEQWxHJvXIkreypqabYStbcKboraN28Mv1pw44euOX4Tkk +A6rB1Zc/VgfB5XZr7Tf1Bn8Gwsrxt4eZs1QTVz5zSJqSBCNeOlb2y1guLRij +--- o7qrmcQdzLf5evB6xmNxv9oob81KzOiBHMGAFWRvgzg +PCqrIqԚoQŎl]0q/DBItn Dqv ßgf|DÚ)5|EtF3QN{sG^d ~2F3)|j{yx: \ No newline at end of file 
diff --git a/secrets/hedgedocSecret.age b/secrets/hedgedocSecret.age index bb0de1039ec742a8daf817d78be651dd04c5d851..accaeb0cff47c1c033b030eb913fbe3a9ac2acf0 100644 GIT binary patch delta 1055 zcmbQm{*_~bPQ81wOO8)QZmN5*zJ+#Vv36y;Nu{YrQAtsFZb(!>fw!r%SE5(2WmuX~ zK39rUnYq7_fw^H-rE5rld8AXQPgs(raY1H8a;}$8PH2&tcc5WqhH<2OK9{bYLUD11 zZfc5=si~o*LTS23czC&jhmUz;hDAVzwtrbwrDJw@s#~#nYHnh2ab8)vL2i zagM8>zkftNSDLA5NV$J`N|lShlSR0rr$MBrVQ!GSmveT0etMO+ze#DNMRBTuhi66p z#E;_P0pX=3m9AwOd6q$LUO9&0VfjV|uD-^3Q5KaZrXJu+%ql#S{QZ0koeMMkD>5VeBNIctbF%^`pJf!U&+&Gy@`*G{s!a6B$qER}4^Gc2 z)=xJu$np1fE6g%U4k^s6G<7%gvZ(arN^~#J^>z;O%QZ1gGcYwYNpv*uE=fsD2{$zg zE=q~WcBwLrNQ=xXNeoCvj{$Q(A5*_{g;3M94C9arA2Ty=ce6y#{M`Bs|A0(SXBQWv zf~>-_fCyJ(Q_D27P=i1NM=r-IZ_h|~j|va(G!K)+VCOXV{Ish43KwmUL)dcLN?YP#t~sfop@T*WEb9=;ig!KD^P0nYv@>FMER`ng4psRpTD zC2mP2RRKX>*_rxT^)3a5&MC$gp@qp|Ug17|*`=m#5x)6OMj2d1fsuuNQITA_y1EMb zrDYLC*{NBXzEQ!>mVQB5Zk4%~r6v|3j)6snF4-oCvoPDZ(!eNd5Pi&@L*O+hJ z*UzW4k;&uFmAL%P7gkm}xUQc%&F=V&y*}Yd%L)xc*`L;i{9{X=A;0V8NzdJl`GvLY zkvlXO@NTtR6>G6vrBKDXK81I?z38MJ3!9^3t@w4C@4ep4cx=YAr}=zdx%X@hWt1nK zNj?&i{4RXH$BEx1)?MxE9@Uqs8HesRR7jZJm398VkfCR7?-ePZo?9U$U-i!;+Z`QtJ_<@kqUZSA-0 Y4eSD@eyU%p@T^Vd?dfwBv(F>~0Ja5)ssI20 delta 834 zcmey$F^heIPJK~gX@sj`h-XQ*g=ea}LAG~JP+nwNgm-0eXq35Egp0AhSE5UyYjILu zK9^&5NQASgiHW{hWmI`&L4Igegh5eCX=YBKN4j^uXJtrIu|Yscnpu#m0hg|wLUD11 zZfc5=si~o*LTS23czC%&d6G}5VStO1L8L`yNn*Kwh?_x(ep<4xN0xI~T53*+kGH#T zc3_^5Sw>zyms?p`uwQX*dQnMkNR)O}mPN8fWJ!3ck$YikUYdKTiFcl5NPvm6zjkT* z#E;_PhNThyNfs971?h!eX)Y1orkVbw7HI+I7XD?ah87v&Nnxb{+F@k{W-gvwZY9Y9 z0X~sw{w}Ez+D?h7Sy`U`76ER_Ri%N2nSMbPmKNb2hNW&6NvYYB;~B-no%0I9oJz{_ zU9}xOipt$n6HC+b%u2$Y{oHaq6FrjrOsd?2oXh-@sH}w zW|f(~jzM`rW&suf^#+#C1}6D_mPOhni9y*Fu4R6{-oB>6L0lQxY57IzW+mQXZhoeT z-cH_y=7EO!Q3gi-0ZCOE{y9~FT)Mit3W)(O7Kvd-c~up8`uc%p+LccE2HsBQiRMKW zc|{o+RjHXJUQT|ADZb{#T(NWB7WE`)vs}}^%COyenQrJ=Z_5KwrZZk?24CF0XP&{g y<=1u;RBwA9D*p9#aamlG*7UZX4PuVRYt1G;(r$JXu@5~X_la{|_h#;ZS%(2(7acAD diff --git a/secrets/secrets.nix b/secrets/secrets.nix index c06187c5..6ae1aff8 100644 
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -38,4 +38,11 @@ in
 "picardSlidingSyncSecret.age".publicKeys = pubkeys.ragon.host "picard";
 "picardResticPassword.age".publicKeys = pubkeys.ragon.host "picard";
 "picardResticHealthCheckUrl.age".publicKeys = pubkeys.ragon.host "picard";
+ "autheliaStorageEncryption.age".publicKeys = pubkeys.ragon.host "picard";
+ "autheliaSessionSecret.age".publicKeys = pubkeys.ragon.host "picard";
+ "autheliaOidcIssuerPrivateKey.age".publicKeys = pubkeys.ragon.host "picard";
+ "autheliaOidcHmacSecret.age".publicKeys = pubkeys.ragon.host "picard";
+ "autheliaJwtSecret.age".publicKeys = pubkeys.ragon.host "picard";
+ "autheliaEmail.age".publicKeys = pubkeys.ragon.host "picard";
+ "autheliaHedgedoc.age".publicKeys = pubkeys.ragon.host "picard";
 }