🚀(project:maison): Install AFFiNE application

Signed-off-by: Alexandre Nicolaie <xunleii@users.noreply.github.com>

projects/chezmoi.sh/src/kubevault/access_control/kubernetes.maison.chezmoi.sh

@@ -1,10 +1,14 @@
 # trunk-ignore-all
 # credentials required by system services (ExternalDNS, cert-manager, etc.)
+apps/affine
 cloud/letsencrypt
 cloud/tailscale/kubernetes.maison.chezmoi.sh
+cloud/openai/affine
 cloud/openai/mealie
+security/sso/oidc/clients/affine
 security/sso/oidc/clients/linkding
 security/sso/oidc/clients/mealie
 security/sso/oidc/clients/paperless-ngx
+storage/minio/affine.maison.chezmoi.sh
 storage/minio/cnpg.maison.chezmoi.sh
 storage/smb/paperless-ngx

projects/chezmoi.sh/src/kubevault/kvstore.enc/apps/affine

@@ -0,0 +1,22 @@
+#ENC[AES256_GCM,data:jDIS70IC6L3Mw+mBvvDK4nl8n4KwlY5w9mVPXLZ0rjrCJMk9CAHaKTeWTChgGKP3+uoR,iv:gnYxA+afaXQ70o+rwOXGbfDVsAbxzEbWl/lVbG8XXUw=,tag:VuDJrcC7i+HPLZltZZgR2w==,type:comment]
+private_key: ENC[AES256_GCM,data:zEFmcrvCJAV23brzn2XeZl/rWzWmBZO6twldk24DF6xZtk8gqqTq7vOC5g5jazSeNF805KYOGzR0S9MhvHHcHiyIUfjlmFuQ5NamikZI82aJN5KUgaEtd7qgmp25e9rffYIS0TFa7ChbU+rXu60qer6ocxubVu66da5uFskDSKXAIaIKt0+AeyKwoaQAbxxNMFapbEpQj93I7AsU/SZ0BoltaI9BqXQAECKH8dIpTfcHkXL8uJFK9NSNzsMETxPJsr79LC0DQEBMyoZ8e3o0EDgqrAADb5A3qSNOnkY5C6IeMg==,iv:vH0duX4pATedgF7Cju5IS6yNhBPudCvisSoVlWSYtWU=,tag:wetvVP/DpI0BJL+ahyrnMw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1fj0yj3na3n5udfjmnxfwrlkp80tvj49w80wh699x33dh48clnvnshtjxe9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrcnRpdnJyNWlaNWpMSW5v
+            ZWM3MEI4U0V0czZEWkJLeVBlWUxRZ09RTUFNCmprZ2h3L3VpSXJDajJHRW5weDJS
+            cU5GK2ZmL3JFekpmNkl6UFZ3ZWlOR2MKLS0tIHJUNkNZdjBQbWdXMXpxSDhMNzJv
+            aW14djYxa09YYWNwdVE2Q0FiUGZFcE0KnQ2FkSAJX4mOAXMO98WGmpiSPqsjYBFl
+            YOGdp+yZuoPAM8M9s/c+9bVRd2cIPCi1G9MyJ7bu+R1SKroyTdE44g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-25T22:45:31Z"
+    mac: ENC[AES256_GCM,data:pQk1wo3TqYrYofl5xCXxHE9mmkWtnZdEWEBe1zz2hUt9MGcgXsiA9YWt7bHD8M4XC0j08uQbj1DRhpNII6J598/7CxzgqzeE0Ybs6bJlzzKz5/tGWbyXW5CBKm4vIMMXAgT86BnF2MyzeYqzjIYFktkvlYWuSCx+2iRrIx4mOkc=,iv:8jddjktsW0pMMr722BGqnO83tzHbgQY0e/ybftTADQc=,tag:UXv/WdsbCqZ6e/lLMNR48g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0

projects/chezmoi.sh/src/kubevault/kvstore.enc/cloud/openai/affine

@@ -0,0 +1,22 @@
+#ENC[AES256_GCM,data:TicgO52X6VrAf1ucjleZdgrDYzeOvvyIf5ztsF5LDbLgKQG3aUtHrV9oHg==,iv:ClqjDR+rMlXA5LnbJP2XkWa//orlxD7oOhxH0vxGxvE=,tag:8Lmf/VPqgvDx3cPeuCNkNw==,type:comment]
+openai_api_key: ENC[AES256_GCM,data:GbbmYN8Qbmg54CmgSxWv8A+FB5GVtGwalVJ9Q6VoXT3BstW0nHMMSXD/H+7XvllkMmpqkJbCouTFZGJ8d1cO2IHGly2XsJkvstFN1E86WD1Q3qYQueJ7cui2dWCjnDqFXIghv+guYV8TNTB3BJVnNTEf9QIOQw4g9MinylmWkfPxQonsPhcTp/BYHLXmaGs9vHlj3xTOs1wOrJTSfpFFTA7jpew=,iv:fCoxAHtNKCMASc3qcE2/XlHWtDoX5Yyh9WvxS+pjvc0=,tag:ZfqO1gI8Q+J8Qd2/fbugdw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1fj0yj3na3n5udfjmnxfwrlkp80tvj49w80wh699x33dh48clnvnshtjxe9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuS0t6QjZLSUE5RDAxTE5F
+            dHlkd1JIbWowTGNrQytha2RwdDl2a3U1VkdZCjZ1OXJhZE1pWXkrcGM0ZUtNUjJP
+            VUF5RDB1LzUwcDFwZ2wzVTF3dDlTeDQKLS0tIFVSZWN0SS9qREJ0NFQ4RUdRbHlz
+            SHhwL0dXZkp2NzJvWTRyQUpxOEdTcHcKCPNnna0UsTh7NYvTjmc+GXoIY4yOJni3
+            rZi1UL19uObottr9bDjgloeFMggN2t85LGaGm7wQGKF7PnXQkCitBw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-25T19:41:55Z"
+    mac: ENC[AES256_GCM,data:TpIsNA/RKBTfhS3u9luD+w8WnHHKwl0Qu5ripKZqY5IlsuL7ry0UpfeLlshyRf+45b8DK1gpJgcZ1M6Z7sNeze3FnOoSk+rpP3gSoxbCRKHFssdMAA4D9KEz/yhznFKVeOuVKYKjqQSQTFacOZywhdsXz5A5Q0bdkjlqSRVdOMo=,iv:b35KYboMgSVNRsPgn0fDmbGXVEcFh01ALK082HNlLrc=,tag:rj5bxHKDvcBF97CcfqJp8g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0

projects/chezmoi.sh/src/kubevault/kvstore.enc/security/sso/oidc/clients/affine

@@ -0,0 +1,22 @@
+#ENC[AES256_GCM,data:oCItD96coCP4/dLg+5Xx9oBWJrV+R2WrH0+IdbswRFPe0PDTJM6vG+NmhRmyb8w=,iv:rSY94qSrB3JvftzovhOM3cl3hWzwo/40OYtJPulrt84=,tag:kZxv6QQUAwGWaoYfe+DvNw==,type:comment]
+oidc_configuration: ENC[AES256_GCM,data:5ni2QALK52P0rytgMOfraFLcDv7AZ610MKlISInsAi/vzYWmHRIABD9f0X7wBcVbzTg62uqw7dpQE1OFcmp2MtXXDH5fwWqBjxV44hiWNrqoy5ZUeMlqmt5J5K+1wCf8YXygqaXgef4tPChdMgda6ivIvatP8bIV+UQuT0BGwM2iBtM3oX2CCCwInh7gMO5VKD5YBPkBTQvu9X0q3HbU0b4cWcwZOXTtiOcxnyAqzWqlFf5MLYndJ9oCHIMTHrcc2cuKdApfhRJ+CXRfw48gXN/OPEga3kCo5tZmCklX29MFuGY39UpLufgVy7OhZ1aa23Mi6diE+X5VQEILaP804hPuqZuBEeZLjU+2OEeWt0DxIlmbBkdetz91aiPd5hUH/k2M3Yvo59gyUJoD0PTzgeSxeiE+MNsz8Zm99GxHrVFUVDgxwi4lkyBXJNcFTNCFyw81ov2HUaNzblsT1Uve1SAp1G1VuZoBCm+Cmh14Q4AzGRAkTAGmMqtAhjUVwuyHvXfAE04EkkQXauFtLZHmYPEdBdpVVI+y7HFHh4CDxW26pmw/gdhzAUvKBhA1V1jWGMUrf75zwOcR9OR6hPZIoLhCVwTgoXAlxSkq/wBcmq+4j4P/4r81rQmYQhumDxw5iMP3KZKLP+WGSpKHNL2ibwY7lcaZLNXLUsskPIuD8/XjR+NvpxLXSBRd3iNxtVFWfrlDL++d9BRs/cqyRNApuqBuCfq79TwIK5sqNCd/3/yHUk4K7485n5mkmiBH0ZTOOe9Fb0a3HwCBH/0Nup7KdsFhofZQzuzRX/bKveZNm9oLMGNBoSRCxSPKpubzMYRLn577FJxGA/Hbz6TVAesWS7tmLAqmjwl591fT3rFRHxMlVKywfbIf5ZDW2cjDmSqb1Gxo0aHl6RevFzouaGkn/4NijWlDkkJETmmFNiPyBUFdcEakKa3IRDG8j0IK1kXOwvo07NU9ZoDxYy8oDRsNLXrl4VBfjuUG,iv:HLumFZnWAEzxxUQwgAS71YHSWbKVR6r2G2eA4CcAKH0=,tag:ISpvLtrgL3ulx5YZGGY1vg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1fj0yj3na3n5udfjmnxfwrlkp80tvj49w80wh699x33dh48clnvnshtjxe9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPY0pWOWpqSGs3VzI1ZUVK
+            ckdhMk9iMzdRTUJLVCtBS2FKZ0xHYndRZDJJCmFQc2RwVDV5S3I5dm1LVnVqR29j
+            WUZvZUNLd0pWTWprZHBKajhXdWhuR28KLS0tIGpQUEJyRytRb3lpU01uc0pmQ2Q0
+            RFN4STBkSWY5T0dUaGtvcUVYb1J2WjQKQb6Xv232CIxranmC3HCxxYlE2s/YfDXR
+            PIwH8EvNink5FQyFajljv/da0Wu9SVvcJx9KWpb5hFiJD8tjCKPysw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-25T22:42:45Z"
+    mac: ENC[AES256_GCM,data:xxarxwDyEw2RuGDbwA/N6EZ5TLyNxBdTfSrvZXM0Vdqjd+nX1Ztb4CK0Vz2YRFb/uoYX4/tP48P8Ew6bAHh297UMRtl9sVDFmj+Ye8lMdY6DfyyA7zGxFKDnDeC8UxF0426lpMVn/Uhqbi3wVbGSbz1o9TtQ1DNfn2G/WxPjwMY=,iv:vPdAIjX0wO8fZhqkLIVsuHqoNwcTmmrsMeysm72qAtk=,tag:G1w0lRrqnGo5BKX5IggQJg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0

projects/chezmoi.sh/src/kubevault/kvstore.enc/storage/minio/affine.maison.chezmoi.sh

@@ -0,0 +1,24 @@
+access_key_id: ENC[AES256_GCM,data:ERaC6tADMT/wlqJoINO4xpD2jn0=,iv:82foHBQSbQ7OprGHGCWH8pnkAwmKloA63fwuuG0o1LA=,tag:xs9MJnzgILhyNtMiKZiFUg==,type:str]
+access_secret_key: ENC[AES256_GCM,data:57sV7BLfUyY+jteSVcUqIsjXDqgbftlZB5lOrbBnOp+JqavZEJIJ8Q==,iv:HXCvNXgmMwUcsEQgtHLg5H2yziAhuRpoOwPlYHzodHw=,tag:9QKBSaU3MVxapmbr/JOJxA==,type:str]
+endpoint_url: ENC[AES256_GCM,data:NSEH2TI23pXQ/7MGv6VolQIDenGtJhk4Jlc=,iv:4DFasdmzMO5OJgIcYyIAwsn4d558WeMZUPwiCPDZJgk=,tag:Hzeqoy0c5qjZ3oPe2m0pkA==,type:str]
+region: ENC[AES256_GCM,data:Ya35IcaolU7b,iv:sQpfjleU3BA95JNmizAwggYAVg9/XZOVXadipPHqYFQ=,tag:XxEQYkSwbBzGRg1GcT3d3w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1fj0yj3na3n5udfjmnxfwrlkp80tvj49w80wh699x33dh48clnvnshtjxe9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQVGpPOC9XOWlxaWZ1VHhV
+            ZkNPRGtmajMzdndldFJTNlM2ZitWN2tFYjFJCkNxSEVrcUVvL21rbmZkL3o0M1lq
+            dlRmNXU4UE5PSXBnbXpmRitkOWRMRDgKLS0tIGpOZ29NSDNyeCt5czZTc0VWZFRQ
+            eWNWYWlSc0pKdURma01CcTB2elloM1kK0NMoDcsQa1s0OY8MmurOtvYeNAaY6iil
+            igLkFejHfjp3VtxzK3aRiYuMOtfwZ7fu7r4ZR89oRP51Y6Zpil2IAA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-25T20:19:48Z"
+    mac: ENC[AES256_GCM,data:nQc7Us5XUUAln1lknsJ3vyNkTmjwPAPJ7J5VzSfSZz6pTrimIjBkFc7qn+PI5QJtEMemq11kFYzsY4cgQAfLUKpg6oviIFFNz7yyM6EU+CYTFQir9ue5Oo68CmF0LoTCBT+RlQ90CO7EiMZpQCaZKJzMTkaRzu7LgVunjQ/a6gA=,iv:2LTI1l9QAUqIo65AqfAHBMH4xdkmDuSRAjfmUADfnTc=,tag:YL5MkNZauxid6poFNAO+WQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0

projects/maison/architecture.d2

@@ -243,6 +243,21 @@ maison: {
       source-arrowhead: HTTP (5006)
     }
 
+    # - AFFiNE
+    AFFiNE: {
+      class: [application]
+      icon: assets/icons/apps/affine.svg
+      link: https://affine.pro/
+      tooltip: AFFiNE is a workspace with fully merged docs, whiteboards and databases.
+    }
+    AFFiNE <- _.system.Traefik: {
+      source-arrowhead: HTTP (3000)
+    }
+    AFFiNE <- _.system.Tailscale: {
+      class: [connect-vpn]
+      source-arrowhead: HTTP (3000)
+    }
+
     # - Mealie
     Mealie: {
       class: [application]

projects/maison/src/apps/affine.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: affine
+spec:
+  interval: 12h0m0s
+  timeout: 30s
+  retryInterval: 0s
+
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  path: ./projects/maison/src/apps/affine
+
+  prune: true
+  wait: true

projects/maison/src/apps/affine/TODO

@@ -0,0 +1,4 @@
+Initialisation de AFFiNE
+- Migration de la base de données → yarn prisma migrate deploy
+- Pre-Stop → kill -s SIGTERM 1
+- Faire un service LB Tailscale devant Treafik et faire pointer les domaines (notes.chezmoi.sh) vers le record DNS (external service ?)

projects/maison/src/apps/affine/config/affine.js

@@ -0,0 +1,155 @@
+// ###############################################################
+// ##                AFFiNE Configuration System                ##
+// ###############################################################
+// This is the main configuration file for AFFiNE server settings.
+// Changes to this file require a server restart to take effect.
+// All settings are accessible via the global AFFiNE object.
+
+// ###############################################################
+// ##                       General settings                    ##
+// ###############################################################
+// Core server configuration including naming, networking, and access
+
+// /* Server name displayed in the UI */
+AFFiNE.serverName = "AFFiNE - chezmoi.sh";
+
+// /* HTTPS proxy configuration */
+AFFiNE.server.https = false;
+
+// /* Server hostname configuration */
+AFFiNE.server.host = "notes.chezmoi.sh";
+
+// /* The local port of your server that will listen on */
+AFFiNE.server.port = 3010;
+
+// /* The external URL of your server, will be consist of protocol + host + port by default */
+// /* Useful when you want to customize the link to server resources for example the doc share link or email link */
+AFFiNE.server.externalUrl = "https://notes.chezmoi.sh";
+
+// ###############################################################
+// ##                   Server Function settings                ##
+// ###############################################################
+// Core functionality configuration including auth, GraphQL, and doc management
+
+// /* Session Management
+//  * ttl: Total session lifetime
+//  * ttr: Time-to-refresh threshold before expiration
+//  */
+AFFiNE.auth.session = {
+	/* How long the login session would last by default */
+	ttl: 15 * 24 * 60 * 60, // 15 days
+	/* How long we should refresh the token before it getting expired */
+	ttr: 7 * 24 * 60 * 60, // 7 days
+};
+
+// /* GraphQL Server Configuration
+//  * Controls API endpoint, schema options, and development tools
+//  */
+AFFiNE.graphql = {
+	/* Path to mount GraphQL API */
+	path: "/graphql",
+	buildSchemaOptions: {
+		numberScalarMode: "integer",
+	},
+	/* Whether allow client to query the schema introspection */
+	introspection: process.env.NODE_ENV !== "production",
+	/* Whether enable GraphQL Playground UI */
+	playground: process.env.NODE_ENV !== "production",
+};
+
+// /* Document Management Settings
+//  * Controls how often documents are saved and updated
+//  */
+// /* Doc Store & Collaboration */
+// /* How long the buffer time of creating a new history snapshot when doc get updated */
+AFFiNE.doc.history.interval = 1000 * 60 * 10; // 10 minutes
+
+// /* How often the manager will start a new turn of merging pending updates into doc snapshot */
+AFFiNE.doc.manager.updatePollInterval = 1000 * 3;
+
+// /* Whether enable metrics and tracing while running the server */
+// /* The metrics will be available at `http://localhost:9464/metrics` with [Prometheus] format exported */
+AFFiNE.metrics.enabled = false;
+
+// /* Whether enable the telemetry system */
+AFFiNE.metrics.telemetry.enabled = false;
+
+// /* Email Service Configuration */
+AFFiNE.mailer = {
+	host: "email-smtp.us-east-1.amazonaws.com",
+	port: 465,
+	auth: {
+		user: "{{ .aws_ses_username }}",
+		pass: "{{ .aws_ses_password }}",
+	},
+	from: "AFFiNE <noreply@amazonses.chezmoi.sh>",
+	secure: true,
+};
+
+// /* Redis Configuration */
+AFFiNE.redis = {
+	host: "affine-redis",
+	port: 6379,
+};
+
+// ###############################################################
+// ##                        Plugins settings                   ##
+// ###############################################################
+// Plugin configurations for extended functionality
+
+// /* AWS S3 Storage Configuration
+//  * Used for storing workspace blobs and user avatars
+//  */
+AFFiNE.use("aws-s3", {
+	credentials: {
+		accessKeyId: "{{ .minio_access_key_id }}",
+		secretAccessKey: "{{ .minio_access_secret_key }}",
+	},
+	endpoint: "{{ .minio_endpoint_url }}",
+	region: "{{ .minio_region }}",
+	forcePathStyle: true,
+});
+// /* Update the provider of storages */
+AFFiNE.storages.blob.provider = "aws-s3";
+AFFiNE.storages.blob.bucket = "affine-assets";
+AFFiNE.storages.avatar.provider = "aws-s3";
+AFFiNE.storages.avatar.bucket = "affine-assets";
+
+// /* OAuth Authentication Configuration
+//  * OpenID Connect integration settings
+//  */
+AFFiNE.use("oauth", {
+	providers: {
+		oidc: {
+			// OpenID Connect
+			issuer: "https://sso.chezmoi.sh",
+			clientId:
+				'{{ regexReplaceAll "client_id: (.+?)" (.oidc_configuration | split "\n")._1 "${1}" }}',
+			clientSecret:
+				'{{ regexReplaceAll "# client_secret: (.+?)" (.oidc_configuration | split "\n")._3 "${1}" }}',
+			args: {
+				scope: "openid email offline_access profile",
+				claim_id: "preferred_username",
+				claim_email: "email",
+				claim_name: "name",
+			},
+		},
+	},
+});
+
+// /* Copilot AI Integration
+//  * Settings for AI-powered features
+//  */
+AFFiNE.use("copilot", {
+	openai: {
+		apiKey: "{{ .openai_api_key }}",
+	},
+	// fal: {
+	//   apiKey: 'your-key',
+	// },
+	// unsplashKey: 'your-key',
+	storage: {
+		provider: "aws-s3",
+		bucket: "affine-assets",
+	},
+});

projects/maison/src/apps/affine/httproute.yaml

@@ -0,0 +1,17 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  annotations:
+    external-dns.alpha.kubernetes.io/exclude-cloudflare: "true"
+  name: affine
+  namespace: affine
+spec:
+  parentRefs:
+    - name: default
+      namespace: default
+  hostnames:
+    - notes.chezmoi.sh
+  rules:
+    - backendRefs:
+        - name: affine
+          port: 80

projects/maison/src/apps/affine/kustomization.yaml

@@ -0,0 +1,28 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+labels:
+  - pairs:
+      app.kubernetes.io/name: affine
+    includeTemplates: true
+    includeSelectors: true
+  - pairs:
+      app.kubernetes.io/managed-by: fluxcd
+      app.kubernetes.io/part-of: notes-workspace
+    includeTemplates: true
+
+configMapGenerator:
+  - name: affine-configuration
+    namespace: affine
+    options:
+      disableNameSuffixHash: true
+    files:
+      - config/affine.js
+
+resources:
+  - httproute.yaml
+  - namespace.yaml
+  - vpn.yaml
+  - workload.affine.yaml
+  - workload.database.yaml
+  - workload.redis.yaml

projects/maison/src/apps/affine/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    clusterexternalsecret.eso.io/name: cnpg-s3-credentials
+  name: affine

projects/maison/src/apps/affine/vpn.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  annotations:
+    external-dns.alpha.kubernetes.io/exclude-adguard: "true"
+  name: notes.chezmoi.sh
+  namespace: affine
+spec:
+  endpoints:
+    - dnsName: notes.chezmoi.sh
+      recordType: CNAME
+      targets:
+        - ts.maison.chezmoi.sh