eve: add cache2.thalheim.io with mTLS authentication

Mic92 · Mic92 · commit bd478cdaea2a · 2026-01-25T13:57:27.000Z
Set up an experimental mTLS-authenticated binary cache endpoint to test the nix client certificate authentication feature from NixOS/nix#13030. The setup uses clan vars to generate a self-signed CA and client certificate pair. Nginx is configured to require client certificate verification against this CA before proxying to the harmonia backend. This allows testing the new nix substituter options: tls-certificate=/path/to/client.crt tls-private-key=/path/to/client.key Tested with: nix copy --from 'https://cache2.thalheim.io?tls-certificate=~/.nix-mtls/client.crt&tls-private-key=~/.nix-mtls/client.key' /nix/store/i3zw7h6pg3n9r5i63iyqxrapa70i4v5w-hello-2.12.2
diff --git a/machines/eve/configuration.nix b/machines/eve/configuration.nix
@@ -42,6 +42,7 @@
     ./modules/goatcounter.nix
     ./modules/grafana.nix
     ./modules/harmonia.nix
+    ./modules/mtls-cache.nix
     ./modules/knot
     ./modules/mastodon-hnbot.nix
     ./modules/n8n
diff --git a/machines/eve/modules/mtls-cache.nix b/machines/eve/modules/mtls-cache.nix
@@ -0,0 +1,69 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+{
+  # mTLS binary cache for testing nix client certificate authentication
+  # See: https://github.com/NixOS/nix/pull/13030
+  #
+  # Usage with nix (once PR is merged):
+  # nix-store --store https://cache2.thalheim.io?tls-certificate=/path/to/client.crt&tls-private-key=/path/to/client.key -r /nix/store/...
+
+  # Generate CA and client certificates using clan vars
+  clan.core.vars.generators.mtls-cache = {
+    files = {
+      # CA certificate and key - nginx needs to read the CA cert
+      ca-cert.owner = "nginx";
+      ca-key.secret = true;
+      # Client certificate and key (for testing)
+      client-cert = { };
+      client-key.secret = true;
+    };
+
+    runtimeInputs = [ pkgs.openssl ];
+
+    script = ''
+      # Generate CA key and certificate
+      openssl ecparam -genkey -name prime256v1 -out "$out/ca-key"
+      openssl req -new -x509 -days 3650 -key "$out/ca-key" -out "$out/ca-cert" \
+        -subj "/CN=cache2.thalheim.io CA"
+
+      # Generate client key and certificate
+      openssl ecparam -genkey -name prime256v1 -out "$out/client-key"
+      openssl req -new -key "$out/client-key" -out /tmp/client.csr \
+        -subj "/CN=nix-client"
+      openssl x509 -req -in /tmp/client.csr \
+        -CA "$out/ca-cert" -CAkey "$out/ca-key" -CAcreateserial \
+        -out "$out/client-cert" -days 3650
+      rm -f /tmp/client.csr
+    '';
+  };
+
+  # Nginx virtual host with mTLS
+  services.nginx.virtualHosts."cache2.thalheim.io" = {
+    useACMEHost = "thalheim.io";
+    forceSSL = true;
+
+    # mTLS configuration
+    extraConfig = ''
+      ssl_client_certificate ${config.clan.core.vars.generators.mtls-cache.files.ca-cert.path};
+      ssl_verify_client on;
+    '';
+
+    # Proxy to harmonia (same backend as cache.thalheim.io)
+    locations."/".extraConfig = ''
+      proxy_pass http://127.0.0.1:5000;
+      proxy_set_header Host $host;
+      proxy_redirect http:// https://;
+      proxy_http_version 1.1;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection $connection_upgrade;
+
+      # Pass client certificate info to backend (optional, for logging/debugging)
+      proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
+      proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
+    '';
+  };
+}
diff --git a/vars/per-machine/eve/mtls-cache/ca-cert/machines/eve b/vars/per-machine/eve/mtls-cache/ca-cert/machines/eve
@@ -0,0 +1 @@
+../../../../../../sops/machines/eve
diff --git a/vars/per-machine/eve/mtls-cache/ca-cert/secret b/vars/per-machine/eve/mtls-cache/ca-cert/secret
@@ -0,0 +1,22 @@
+{
+	"data": "ENC[AES256_GCM,data:9IdsUQqMCnSqPG3mGzR+0Z/iSHswE20bu98GyQI80WuW/pVdWEsQsz2RKd0WLpBfWhTRGvfdsW5aVuAyqCu+jAweM0aaf5pwSWvHDRhcl4JzTpZ4TqrJnZ3M+liN4knECQg8+rzuALgyoGKvB8FH5IsnpbCAM95hwJD1AsxlnWu0zkVsQi79KmFO2uCZ4V4V5z+rV47u4LvRaP/SP373fav/5z5d/ykrE40ZTQ5/4taNqfB23OQd+VR1LsUh6rS/COLmoSnw+u08d/IVYpvwQXeBGv5abuTUowP7ueeNj74UMYp2618bHDKMNa9ZIgHY8XYts0MsjdsB4TOl/K12KqoL0XdmwcoPVTp1J13LU/pT53DrDnQ4Vp6kBHakaBZwr5OlacmytGuCmm2V1fcHjkPlvfX5lWCB2DAQlJ2zokfQcSGA5fL5zP2RQQyJ0BCu0YRN0WcJyep6ME7UW9oVAXtz/amBe/sQyt8q9jLJmkIELDPmUNdaU2WoQcWroftygKbJ+RZssopiFjw89rwTSOzp+P2qFnY/NdU87eysQcEmG1mEBth8XyKJWY5pHf9DraMs73djEMc9p33EV/3k11VUbYYYuL6k0qBS7oKj3MkUMS2mtYbGpMY9hmM3rIR0SIdyaVApgFObYcEtM2NYBd0KWF+WM7TQmZI1SRNj++vqIQkbAD71i0qTtISa0Jrwk+pJxduHygtJTO7GF1d2C/glm9SejvLWzUBcBAYo63lC5vRK7EYI2/teW08SV9BfxYs+3wfGToFwr2Kr4/aLS1Y0Hk7FtpOiFLLta6RIxe21Vrs=,iv:Upo6s3M652KrWe25zLsevJkNBR+xBkkyklamk0BVq58=,tag:GXoBy15/4vzczAyx/X+L4A==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBReUFpWlY2aFhuSXo0V3pY\neE94S04xVjZabWxHRnMyZHlGNWl2cGxrdHdzClNqakNPbUJRWDFFK2hmRjl5NkdP\nQnVNamF1ODJEVllzd3dhWnVQMHI5Q1kKLS0tIFE5eHJ1Sjc0QUhPSHg5SjQrbnhs\nbFZSK3h0ZFFyVWc5c3dmMk9JYWdkZFEKvxEHeHmqUxRVzFdRBTnG9Ua89FfFIZNR\nrWWp/cnGu72RLP9TXLqRaf86XXF9AfR7ZiE/MmrtERp/jtvDoOfHCQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1hjm3aujg9e79f5yth8a2cejzdjg5n9vnu96l05p70uvfpeltnpms7yy3pp",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjL1VHaG1lM1gzdE11WHpz\nMThQL05SMU5tL1hsWUtSTzR6bDJnYlZwc0JBCmhwQTA3T250YWRTbUNxVk9raHFJ\nSE9qZUV3RjdBNXM2OFFvcUYvZ1htTEkKLS0tIGROcGR5bUpHN251bkRrZVdQK0E2\nc3IvU2tqMDdYN251SG82NGJvMlIvNXcKMpge6JRlEKl7ZNay6fAGhtO9fCwfhULt\nEFd78tIUcANvpG6ltAqtKcT6kTLHZFjX646Fv7i+2IN98JySYaIvKA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhZXNIVDhaZTkySTFqNXlm\ndllDUzloeXErZ04xZFVmVm9ZZ05yM1ZySWhrClAwTTM4dnZjNFNIcmlrQzh6SmZp\nY1RVTnpYRVhXQVlJd005N0RaY1NHY2MKLS0tIGF6Q2dKSGx5UHJPcU5DbklCTjdn\nR1NObHNjV0lVaU81N2VRSUFSbGQyN3MK5ytoOYfw/SV7n6cuFKYqcfSGNhwh+r2Q\nKnU3Qib36H0LQyZQ/4TX4xEpmsnVsBZsR0yhHtzJVl6s0uMgzLthAw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-01-25T13:48:18Z",
+		"mac": "ENC[AES256_GCM,data:iZzaBmrEKX9eivoOPjf4LTViclHAZA/qfg8WW/aC+trb04M0r2Qho2oNWLa+DAWrK9rzT4Qd39Iw6ZsSIq4AKrHnO4XDaHBjPp0v+Hi1VJuPYr39gqO7TbhvZJQq6Am9qVP+xkXH2MPb6U3+Xf3bPERyid+FfBQcFBv/5Gp9p88=,iv:5TIgqcuEsQEtd3z+mmAMCmqhuIiyvYVQ/XPldw712VU=,tag:d8tgaQSyZDq9JjKPN2uV8g==,type:str]",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/per-machine/eve/mtls-cache/ca-cert/users/joerg b/vars/per-machine/eve/mtls-cache/ca-cert/users/joerg
@@ -0,0 +1 @@
+../../../../../../sops/users/joerg
diff --git a/vars/per-machine/eve/mtls-cache/ca-key/machines/eve b/vars/per-machine/eve/mtls-cache/ca-key/machines/eve
@@ -0,0 +1 @@
+../../../../../../sops/machines/eve
diff --git a/vars/per-machine/eve/mtls-cache/ca-key/secret b/vars/per-machine/eve/mtls-cache/ca-key/secret
@@ -0,0 +1,22 @@
+{
+	"data": "ENC[AES256_GCM,data:S/OEZkYq+8mradRB3fcjKqWBD5hWdXSNz/V3XBVoTE/ojsl6o6OOvUCzvNQGdwfUGr/ooPkZmxqQXRY8qwqagUAbAQVKQZCcR8BzRFk9TmSs5OtckuFe7/CK0pnuMES46lqhLsKicUu9DQy0pfj1GBJF0P6sbC/BJ3Xp7Ih5oqBJwJEPBiwVnL9HsrmnJwoGmBNwco1iHIbpee7+EKe0PtXuGz7b1BqOyl0biLcQvpoGHKGJKziki5txuuBLkBMI4WjIJyaqBFpbX/UMkpjaxTh5kiUaWG3++gDMu58dB+wOTvNsMvPiMkElKHaHJYUWiWD/4E/ELO/+wb1pyp7UXCwH+cfvbreCGb//5w+eHwiji3sFHKmEi1c81uBwmT1yakgFgbDfb1/jUR8tRyA=,iv:hWtRVY9M/tXksrAveGT3oWQYn7Xiz/937M/gyERLvRo=,tag:45/YPpnz6M5hrDNblBkhjw==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGeHo1QWgwNjltQ0FCL0RP\nS1B6dFI1M3RGZHZWbWtqNUE0ajdyTFdFM2tvClp1SlR4SklQOTM2MzV3bHYvdFBr\ncCszSUlwc2VYRU9kZVBhNDR4aEF6Q0kKLS0tIHVsVU1mSEluOHJpMHJZTmVEeVAy\nLzR2bWhGRHNRQzNub1p0VGlsOVY4bzgKFXC+UT6YeIVEj7sm9kz1FzeYRcA41MFK\nThPfnxKOiAW79RuRoXk0Spne8yPFe7XRUs+ZkBH8C06Am4N948BwCA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1hjm3aujg9e79f5yth8a2cejzdjg5n9vnu96l05p70uvfpeltnpms7yy3pp",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUEVhcEhnSnJwbEVnaUZy\nT0NaS3JDSGpJZEpoTS9jSTdHQ0lHd0NOZFRJCjMyeEhZV0VHZDNYOTN6bGxRcXhT\nVlJMaFdBd0EyVkN4OTU2bzdTc1Z3OXcKLS0tIHRIR2Y4ekpqaWFHNmEwcngzSk54\nbnZKVks2a1FlalpIWWNJcXB2Y2NkZUEKqKCxy7LB8iLKwRqiSl68L1BiFnmZnPw1\nRLDxy6jfwMx5zeWfwM+iHsHMneO5IfI/9hu7JLB9i/EUx5oC2WCYmQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbjJoTHFDUSs5N1AySkZV\nRjNnNjlVQ3hNcitqdUR2bUttaGhvMDJJVlNNCjBOcEZ2MXBDekx6M3NQSXdiZFFG\nZjE3ZnVKczBLUTg4bXRDVzl5aURnTzgKLS0tIDNmYk9aeFNPN2w2bVRkSURzVFZa\nRS9iWXF3cHNOSG5QZFczTXZhVExKMWcKEyPjDAtq4pEJEhbba/cnpL4G0nMO6VBw\nxS+3KmtHUZYd7CkRJoiFRZqpQ9RPWSCfsEXnN8c7LZ+TTaJ/LCJGdA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-01-25T13:48:19Z",
+		"mac": "ENC[AES256_GCM,data:dHqLqyvmXqHDDXbkfVc9ugxYTaU0gJa76QEm+XpF8sGD2T3cEPrhTJUqucjxYjFoVltsbAQ4CS8QCIIhI5ydZTOW5onKdlZzyilQsuNpw8gQUYxoLVGmS0fVT0k0INczCFr/t5nQs91vVohG0FJJhs1LnOGiDuEtsgKd3KcbuKI=,iv:81X1YwBfz+wh6BA1oboPMZd22rtAIRucYdrbVD/JD3Q=,tag:iCCI3d/slGhdRo0Kaosilg==,type:str]",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/per-machine/eve/mtls-cache/ca-key/users/joerg b/vars/per-machine/eve/mtls-cache/ca-key/users/joerg
@@ -0,0 +1 @@
+../../../../../../sops/users/joerg
diff --git a/vars/per-machine/eve/mtls-cache/client-cert/machines/eve b/vars/per-machine/eve/mtls-cache/client-cert/machines/eve
@@ -0,0 +1 @@
+../../../../../../sops/machines/eve
diff --git a/vars/per-machine/eve/mtls-cache/client-cert/secret b/vars/per-machine/eve/mtls-cache/client-cert/secret
@@ -0,0 +1,22 @@
+{
+	"data": "ENC[AES256_GCM,data:GLpCJ38v4aeGaHt/HvUxuhc5vZ1wo67u0B+LyNYnPLTETfPcZQVwTXXdXAlXxgV0+aYfcxcFEPZlx3tFOO37zgYUuKSfUq+SFz8VWtXCG9iAw6R2DRmIR6yJ3gOZF12Y65zQ+gXnIdjGc/Q0kDN69cZxh8zuHPwOFMpMZOIOyabM/OVemXT48Pr5/2isRRdR0kHok+hre4Qkod8/Vbhsu70sWVJBXwPwXCtXlk4ZPI3QzrAxDvOo08ctE5byamsJuFYrjF4UtmXkvH/I0yU0DPgXA5/Cms3siS8D8e6owkBj+Ai/8H761o7pFHFVyKGiKivrZJehgGUYasVl7lV3ZBUJx4m0mpPah1RQMPF2dnkusyuG1rgflt0M/0D0EOziVr8d8qDx5aGtZWpzg7oI4UQZByUM3Dj+LiPuvGMgE5rlV22WP8uDPls53+DhF5WJysCjpoW2WtTeUOwqt1datm89ncr3agvuJNzlGE6PY/EJHLy8yvcQTGmsyD6Y84c3GqmhdLpgMnltm9GV4PXVyS8U2dHL6yYoGBK+3LGFTQ5GX5CTLrvq9+fdPSrJ68TS3BOOf+fKYHUaDKkEnmPkfCORxMiJmuJ8Gvuv3Pprv/ExaQU8BYA8IBjYlVuOvEdGNC6dhVJCpnewg8SbYbZB6Tpu2Iq9mMiSiowSKz3kPrWkgz4z3/vYmWbCIDLQqXORFnkQZmL/mjSyb1x86f9KKgHy5E/km46+atmHPUHrD5SB8sOrlacVx/t8Q4lvBw==,iv:XyKhUawB6oXDKdIS7dggjZa8YWvhwMDDauf1W1HncxU=,tag:R6eWoEt+OPn0XVZ/BlolwA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4blI2K3BaNGd2MG5hQ1Aw\nbWg2WWpKRm5aaG5VdUhseDB2NjJsd3p0Z1JBClEzWEswSHRYRUZJQ1l1NnhQTGMr\nTDdNbWRXblhjL2toMTNNODJBSkVyVDQKLS0tIDlMOUFaczl6VkdiVmg2SFF1ajI1\nVldnc2Q1WWUvdVhWZmh6NWZQdWhBYjAKPqL/Oswdf1iR6JWUllbxihm9dFefyx41\nFNh40Ie3WnXngPz5KRRccCO99psqy7qqLjrAqFOZg9m9JP25jYJPxQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1hjm3aujg9e79f5yth8a2cejzdjg5n9vnu96l05p70uvfpeltnpms7yy3pp",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwWS8rU2lHTnRVNGdKVTlh\naG9BamlHVWlDM09HQWtUNnlqWVFJNGpWNVVvCnc0b1JHVXJXdlc3MEpJb3dZckFT\nMXA4SUtxNXlZbjBEWWZHa1ZLa3I3eUkKLS0tIHcrMzlBaG1BVy9LRGVzbURzSjh0\nK2Z3Y2J0VFhsWXRwWGlLQ05ldHc1dGsKOH5tkuhvzOMNuZwu1xabrRWroNZfFAi4\nvC4Zg715I5AjfJHd/QcYMxg1LacCRE+l9L4PCe1pEVxi4wjsGVZZFQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUVhQN2dDeGNVSmhoK05u\nTTNsbVRmZjd5QUVlanpnV2UybFp3eVhRckdFClRxNm1YUFJ4NmFwSHI5THhvUGdt\ncFNaT3ZRZ0ppanBLb0g1WnVIanJMS1UKLS0tIC81bXRRTkJmZnJUL1hRQ0duNnVz\nM05nN1pGRFRQTG03czJOZ1FRNGw5OXcKrMkVJWBIzMvl2ZKzsWIdb5eDWyUCXfYs\nojpyqyKpKxDTvg3l1Drt9cEmVmBf8yDa0udBCBbkSTF2LE8C9CqDnA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-01-25T13:48:19Z",
+		"mac": "ENC[AES256_GCM,data:pM1r5i1J6S5S+tUhxOdVhtZAcPPWAdi/cUrszNN9VHA79TMGLiJSkAY9mIrDT8f0fO8te8VNkd7rDGehO1G0BsKdDHnnkzTm66hd4WpJQmHE2GDQmkjBuizfNEItjOnZ6LawLEmTNGblMSUgQ/7ktNor3i54Lka+9S+NQt6+NQQ=,iv:kD/+zTZ7OS5zlcKdTbqKwttBb71HjCWjZNmMWZNdzz4=,tag:IRKkKkQIFofQjxJqLvvPww==,type:str]",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/per-machine/eve/mtls-cache/client-cert/users/joerg b/vars/per-machine/eve/mtls-cache/client-cert/users/joerg
@@ -0,0 +1 @@
+../../../../../../sops/users/joerg
diff --git a/vars/per-machine/eve/mtls-cache/client-key/machines/eve b/vars/per-machine/eve/mtls-cache/client-key/machines/eve
@@ -0,0 +1 @@
+../../../../../../sops/machines/eve
diff --git a/vars/per-machine/eve/mtls-cache/client-key/secret b/vars/per-machine/eve/mtls-cache/client-key/secret
@@ -0,0 +1,22 @@
+{
+	"data": "ENC[AES256_GCM,data:uk5Xxk0HjXLTU+RJLcYd34H+kovch+OfIiSoHHbab1CyJs6BcHReHADkWyWQd5CdBd69MYYtDQPG0Kt2X2ChbfxBXm3CubihfkAAu8PQ0Lgpv+mVZDtwP88J1kNY++dsv8aP2TRPhBesuodPUfb4YuO0bNpkDH4Unji09NrdSM4W0qAYWyxM1h2EVC5PQVyrVQSuxevb7p5hZF5tA5clYGGvjz/YC4rlGae6DMZ51XZiIx1KSNKXTmC8hGNDnFx9x7qQwvjHPaEAgsNJCPHEw1ZuTh8ua83XMJXkUiAxAtiEa6FBzxr2gwgyowbOiJazloiy0/TRDNaD7begNq3Gu0hC7DDF+wUXDBsK5Sw0k1W7RC1cs8r8ARGZV3rXTLgeyA9Xa44YyyGNIuif0ro=,iv:FajR192MaT40xCiSFferxW3EMDMw7816CpiE6G8qnhM=,tag:zCYYBucnasQhwKwRfIYR0A==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuSitPeXVYWEoxd0F1d0p5\nZ2dkaDVNT2krZzRFYWwrNkpxUVZuYjRKbFhnCm9rc0xsNmVNcW1VVlJ0Y1ZGdEpj\nUnBweTg0N0J4eEhzVTEydzMwUUpXN2MKLS0tIDNtSG9wVmg2TVFPNFVtcVVWcWxa\nYXU2RWVweWFMbGMvS1VVcU4yVzVYSGsKJDOXIX7AxutZCKelowWOInMX7zB/lb02\nu800sbwDn64nQQg0/QbvWKJG9efnm036RbMoYMLQRHQkhodW+uJIZw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1hjm3aujg9e79f5yth8a2cejzdjg5n9vnu96l05p70uvfpeltnpms7yy3pp",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2amNMVHBVRVhRR3I5Smx3\nMUJhSnk0aTVFR1NTTjFLalBRQzhGd0xNTVVzCmJwL1RNSGY0dFFKa0dEMkYwRGpK\nWCtaVmNORjlPZnZPL3haY2ladUQvTXcKLS0tIGtiQXdYRjA4M3hjZFAwZytnbWti\nMS9Qa21NbHRLNFBDNUhNcldDMWpNNEEK8SE4IdBVMDE/gtGpxprWM5sg12Ig9XZU\n63duV+8Ws5VJCYJ6Pj95vHUPjgvFxAPQhVFJlAHLo0+qCBG4d5WnMA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBb1l3Z2NIbHNXMkxOeFVj\nclczcFhydHk4WnFFYmVVZk1GM2s0bTJKZ0FZClYzWmExMW1GSi8wZUhGTnB0Q1VS\nWU5YNC9scit0a3RhclNLVzNpOXdUaUkKLS0tIDdhSXdnNnJuTjh4R3JsSm4xMjJI\ndDNxVVNlTmk1OFE2ZEloVUlmRnRCY1UKcPlERhq8eECYLGHAF6JiHzw1qJKKXBgj\noGxAGS/LdgpsuZRq9UbsuQ2AFgeoPemVxAED+HNiOJ+TidZtHCycBg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2026-01-25T13:48:19Z",
+		"mac": "ENC[AES256_GCM,data:RxWTiPQaQoTwruaVtxuK3LrSPzPOgSWsOcGQq4eHBKCBNZ+gYkj+uTM1idTeza2Vhg8T4Y+JIOIjYdvbtgoFNcPHqqU+YqH/AV+S5W0xb3uatnIm+85IXmGwayTGtuyVblxp3ig+P0VyF+14cGQF2GqBJbJK3DzlzZzjYryCvEA=,iv:LHEGopEMv/hE1FJnSgjh5u1tlB9+8CRrRkczEfa5fuo=,tag:F8lNDrKVQZ+yxiXUZDVYHg==,type:str]",
+		"version": "3.11.0"
+	}
+}
diff --git a/vars/per-machine/eve/mtls-cache/client-key/users/joerg b/vars/per-machine/eve/mtls-cache/client-key/users/joerg
@@ -0,0 +1 @@
+../../../../../../sops/users/joerg
