diff --git a/.github/workflows/fmt.yaml b/.github/workflows/fmt.yaml new file mode 100644 index 0000000..93d16c5 --- /dev/null +++ b/.github/workflows/fmt.yaml @@ -0,0 +1,27 @@ +name: main + +on: + push: + branches: + - main + pull_request: + branches: + - main + +jobs: + check-flake: + name: Nixpkgs Formatting + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Install Nix + uses: cachix/install-nix-action@v18 + with: + extra_nix_config: | + experimental-features = nix-command flakes + + - run: nix-channel --add https://nixos.org/channels/nixos-22.11 nixos + - run: nix-channel --update + - run: nix shell nixpkgs#nixpkgs-fmt -c nixpkgs-fmt . --check diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000..8f203d2 --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,34 @@ +name: main + +on: + push: + branches: + - main + pull_request: + branches: + - main + +jobs: + check-flake: + name: Check Flake + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Install Nix + uses: cachix/install-nix-action@v18 + with: + install_url: https://releases.nixos.org/nix/nix-2.13.3/install + extra_nix_config: | + experimental-features = nix-command flakes + + - uses: cachix/cachix-action@v12 + with: + name: fruitbasket + authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + extraPullNames: nix-community + + - run: nix build + + - run: nix flake check diff --git a/.sops.yaml b/.sops.yaml index 7513f79..0b6cb06 100755 --- a/.sops.yaml +++ b/.sops.yaml @@ -7,11 +7,9 @@ keys: - &helene B43C3A8A92CA28486AC6C4E2F115100C787C1C19 - &fugi BF37903AE6FD294C4C674EE24472A20091BFA792 - &emmanuel E83F398E6423179FE4F63D4FF085CAD394DE329D + - &jonas A4F92BC7B792108A463995827C1F2DA2BC929412 - &joachim B1A16011B86BACB56ADB713DB712039D23133661 - - &hendrik FBBFAC260D9283D1EF2397DD3CA65E9DD6EB319D - - &frieder age1x76ajqw8w4l5vlkwt5s3flz5a5jq5qlxv7uppmnf8ckj9egh9ekqjclzt6 - &quitte age1wvdnprpnq2rcc4se3zpx2p267n0apxg2jucvlm93e3pfj439ephqh2506t - - &tomate age18lwgjazaxujqgcc5j0gjllnykhtjn6p0q44jzrsk4au2a5k6nd9s77kd6d creation_rules: - path_regex: secrets/quitte\.yaml$ @@ -23,23 +21,9 @@ creation_rules: - *rouven - *fugi - *joachim - - *hendrik + - *jonas age: - - *frieder - *quitte - - path_regex: secrets/tomate\.yaml$ - key_groups: - - pgp: - - *bennofs - - *revol-xut - - *felix - - *rouven - - *fugi - - *joachim - - *hendrik - age: - - *frieder - - *tomate - path_regex: secrets/admin\.yaml$ key_groups: - pgp: @@ -49,5 +33,4 @@ creation_rules: - *rouven - *fugi - *joachim - - *hendrik - - *frieder + - *jonas diff --git a/flake.lock b/flake.lock index 5da240b..bfeb662 100644 --- a/flake.lock +++ b/flake.lock @@ -1,134 +1,37 @@ { "nodes": { - "authentik": { - "inputs": { - "authentik-src": "authentik-src", - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", - "flake-utils": "flake-utils", - "napalm": "napalm", - "nixpkgs": "nixpkgs", - "poetry2nix": "poetry2nix", - "systems": "systems" - }, - "locked": { - "lastModified": 1745663775, - "narHash": "sha256-zRamFjTxegQE0Ysi46sfDU2CIghiMWJIdEYdq7O0jiQ=", - "owner": "nix-community", - "repo": "authentik-nix", - "rev": "a8a5de789006bb1dea0ffb5370a8f7e453d06113", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "authentik-nix", - "type": "github" - } - }, - "authentik-src": { - "flake": false, - "locked": { - "lastModified": 1744135136, - "narHash": "sha256-7wvoCRhLipX4qzrb/ctsozG565yckx+moxiF6vRo84I=", - "owner": "goauthentik", - "repo": "authentik", - "rev": "74eab55c615b156e4191ee98dc789e2d58c016f9", - "type": "github" - }, - "original": { - "owner": "goauthentik", - "ref": "version/2025.2.4", - "repo": "authentik", - "type": "github" - } - }, "course-management": { "inputs": { - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_2", - "poetry2nix": "poetry2nix_2" - }, - "locked": { - "lastModified": 1730751072, - "narHash": "sha256-+FQjzCNV3k8U4BfNcFmoZTRf8aO9ufn3s7kkzHj/b7s=", - "owner": "fsr", - "repo": "course-management", - "rev": "60b7062ce47ee9f0609e701ad5eb5e3e0a857ff2", - "type": "github" - }, - "original": { - "owner": "fsr", - "repo": "course-management", - "type": "github" - } - }, - "ese-manual": { - "inputs": { + "flake-utils": "flake-utils", "nixpkgs": [ "nixpkgs" - ] + ], + "poetry2nix": "poetry2nix" }, "locked": { - "lastModified": 1730889586, - "narHash": "sha256-SLgo7UjWLaFaaUPFqzKbr9DLAGzm5kparfxuJHEpK3w=", - "ref": "refs/heads/main", - "rev": "a111147ce5eaea4f1d691afe1203e7529d68522d", - "revCount": 9, - "type": "git", - "url": "https://git.ifsr.de/ese/manual-website" - }, - "original": { - "type": "git", - "url": "https://git.ifsr.de/ese/manual-website" - } - }, - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "lastModified": 1694358978, + "narHash": "sha256-gHWIIYJZepq1/3oFVkUkl0n52bRJWnNgmGaiZ2aGEwc=", + "owner": "fsr", + "repo": "course-management", + "rev": "5ccbee8151c5caa519ebdb2ce2b8ec52b7749949", "type": "github" }, "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1743550720, - "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "c621e8422220273271f52058f618c94e405bb0f5", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", + "owner": "fsr", + "repo": "course-management", "type": "github" } }, "flake-utils": { "inputs": { - "systems": [ - "authentik", - "systems" - ] + "systems": "systems" }, "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "lastModified": 1687709756, + "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", "owner": "numtide", "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7", "type": "github" }, "original": { @@ -142,47 +45,11 @@ "systems": "systems_2" }, "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "lastModified": 1687709756, + "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", "owner": "numtide", "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_3": { - "inputs": { - "systems": "systems_3" - }, - "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_4": { - "inputs": { - "systems": "systems_6" - }, - "locked": { - "lastModified": 1681202837, - "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7", "type": "github" }, "original": { @@ -198,11 +65,11 @@ ] }, "locked": { - "lastModified": 1744024964, - "narHash": "sha256-zmYWGZ7/tRSCy/PzghdguMpAdauWiYr6AJnbYCVHBFE=", + "lastModified": 1693305731, + "narHash": "sha256-ku0FU1pn6eXGdoEx0Tg0Kp8c8wmd6TF7IrdOnX0Uco0=", "owner": "fsr", "repo": "kpp", - "rev": "03e9650edb8d1e9ff424c2c2799736fbae56314b", + "rev": "7c04f958bb652de680ae3311b6eab080ac64b3ad", "type": "github" }, "original": { @@ -211,296 +78,81 @@ "type": "github" } }, - "napalm": { - "inputs": { - "flake-utils": [ - "authentik", - "flake-utils" - ], - "nixpkgs": [ - "authentik", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1725806412, - "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=", - "owner": "willibutz", - "repo": "napalm", - "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5", - "type": "github" - }, - "original": { - "owner": "willibutz", - "ref": "avoid-foldl-stack-overflow", - "repo": "napalm", - "type": "github" - } - }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "authentik", - "poetry2nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729742964, - "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, - "nix-github-actions_2": { - "inputs": { - "nixpkgs": [ - "course-management", - "poetry2nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729742964, - "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, - "nix-index-database": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1745725746, - "narHash": "sha256-iR+idGZJ191cY6NBXyVjh9QH8GVWTkvZw/w+1Igy45A=", - "owner": "nix-community", - "repo": "nix-index-database", - "rev": "187524713d0d9b2d2c6f688b81835114d4c2a7c6", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-index-database", - "type": "github" - } - }, "nixpkgs": { "locked": { - "lastModified": 1745391562, - "narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=", + "lastModified": 1694499547, + "narHash": "sha256-R7xMz1Iia6JthWRHDn36s/E248WB1/je62ovC/dUVKI=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "e5f018cf150e29aac26c61dac0790ea023c46b24", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1693675694, + "narHash": "sha256-2pIOyQwGyy2FtFAUIb8YeKVmOCcPOTVphbAvmshudLE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7", + "rev": "5601118d39ca9105f8e7b39d4c221d3388c0419d", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "release-23.05", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-lib": { - "locked": { - "lastModified": 1743296961, - "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1730531603, - "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1745742390, - "narHash": "sha256-1rqa/XPSJqJg21BKWjzJZC7yU0l/YTVtjRi0RJmipus=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "26245db0cb552047418cfcef9a25da91b222d6c7", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_4": { - "locked": { - "lastModified": 1682134069, - "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "fd901ef4bf93499374c5af385b2943f5801c0833", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "notenrechner": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ], - "utils": "utils" - }, - "locked": { - "lastModified": 1742228793, - "narHash": "sha256-USud87Uu/ZI6R+4vM0hxLdkOUr6nsJCnAEeIrtSRkCU=", - "ref": "refs/heads/main", - "rev": "c100e3dba23a089fbdf403d2ba31cf87614ee035", - "revCount": 10, - "type": "git", - "url": "https://git.ifsr.de/frieder.hannenheim/notenrechner.git" - }, - "original": { - "type": "git", - "url": "https://git.ifsr.de/frieder.hannenheim/notenrechner.git" - } - }, "poetry2nix": { "inputs": { - "flake-utils": [ - "authentik", - "flake-utils" - ], - "nix-github-actions": "nix-github-actions", - "nixpkgs": [ - "authentik", - "nixpkgs" - ], - "systems": [ - "authentik", - "systems" - ], - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1743690424, - "narHash": "sha256-cX98bUuKuihOaRp8dNV1Mq7u6/CQZWTPth2IJPATBXc=", - "owner": "nix-community", - "repo": "poetry2nix", - "rev": "ce2369db77f45688172384bbeb962bc6c2ea6f94", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "poetry2nix", - "type": "github" - } - }, - "poetry2nix_2": { - "inputs": { - "flake-utils": "flake-utils_3", - "nix-github-actions": "nix-github-actions_2", + "flake-utils": "flake-utils_2", "nixpkgs": [ "course-management", "nixpkgs" - ], - "systems": "systems_4", - "treefmt-nix": "treefmt-nix_2" - }, - "locked": { - "lastModified": 1730284601, - "narHash": "sha256-eHYcKVLIRRv3J1vjmxurS6HVdGphB53qxUeAkylYrZY=", - "owner": "nix-community", - "repo": "poetry2nix", - "rev": "43a898b4d76f7f3f70df77a2cc2d40096bc9d75e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "poetry2nix", - "type": "github" - } - }, - "print-interface": { - "inputs": { - "nixpkgs": [ - "nixpkgs" ] }, "locked": { - "lastModified": 1706540741, - "narHash": "sha256-4/JI3xhw76Z1oa8Ivn3AzR6zNqXkmSEgHl+v0PRGnTc=", - "owner": "fsr", - "repo": "print-interface", - "rev": "ca830bc64ee92ec24562e707ddf36c19a5607a94", + "lastModified": 1688440303, + "narHash": "sha256-hFfOyityHdVFI0HNM+sqZfpi9Fbvjvy0N9O7FjuqPWY=", + "owner": "nix-community", + "repo": "poetry2nix", + "rev": "04714155bae013fb9b207e54d1faf9f0c3d08706", "type": "github" }, "original": { - "owner": "fsr", - "repo": "print-interface", + "owner": "nix-community", + "repo": "poetry2nix", "type": "github" } }, "root": { "inputs": { - "authentik": "authentik", "course-management": "course-management", - "ese-manual": "ese-manual", "kpp": "kpp", - "nix-index-database": "nix-index-database", - "nixpkgs": "nixpkgs_3", - "notenrechner": "notenrechner", - "print-interface": "print-interface", - "sops-nix": "sops-nix", - "vscode-server": "vscode-server" + "nixpkgs": "nixpkgs", + "sops-nix": "sops-nix" } }, "sops-nix": { "inputs": { "nixpkgs": [ "nixpkgs" - ] + ], + "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1745310711, - "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=", + "lastModified": 1694495315, + "narHash": "sha256-sZEYXs9T1NVHZSSbMqBEtEm2PGa7dEDcx0ttQkArORc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c", + "rev": "ea208e55f8742fdcc0986b256bdfa8986f5e4415", "type": "github" }, "original": { @@ -511,16 +163,16 @@ }, "systems": { "locked": { - "lastModified": 1689347949, - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", "owner": "nix-systems", - "repo": "default-linux", - "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", "type": "github" }, "original": { "owner": "nix-systems", - "repo": "default-linux", + "repo": "default", "type": "github" } }, @@ -538,146 +190,6 @@ "repo": "default", "type": "github" } - }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_4": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "id": "systems", - "type": "indirect" - } - }, - "systems_5": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_6": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "authentik", - "poetry2nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1730120726, - "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "treefmt-nix_2": { - "inputs": { - "nixpkgs": [ - "course-management", - "poetry2nix", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1730120726, - "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "utils": { - "inputs": { - "systems": "systems_5" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "vscode-server": { - "inputs": { - "flake-utils": "flake-utils_4", - "nixpkgs": "nixpkgs_4" - }, - "locked": { - "lastModified": 1729422940, - "narHash": "sha256-DlvJv33ml5UTKgu4b0HauOfFIoDx6QXtbqUF3vWeRCY=", - "owner": "nix-community", - "repo": "nixos-vscode-server", - "rev": "8b6db451de46ecf9b4ab3d01ef76e59957ff549f", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-vscode-server", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 923b081..9f0c453 100755 --- a/flake.nix +++ b/flake.nix @@ -1,132 +1,61 @@ { inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; - sops-nix.url = "github:Mic92/sops-nix"; + nixpkgs.url = github:nixos/nixpkgs/nixos-23.05; + sops-nix.url = github:Mic92/sops-nix; sops-nix.inputs.nixpkgs.follows = "nixpkgs"; - nix-index-database.url = "github:nix-community/nix-index-database"; - nix-index-database.inputs.nixpkgs.follows = "nixpkgs"; kpp.url = "github:fsr/kpp"; kpp.inputs.nixpkgs.follows = "nixpkgs"; - print-interface = { - url = "github:fsr/print-interface"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - ese-manual.url = "git+https://git.ifsr.de/ese/manual-website"; - ese-manual.inputs.nixpkgs.follows = "nixpkgs"; - vscode-server.url = "github:nix-community/nixos-vscode-server"; - notenrechner.url = "git+https://git.ifsr.de/frieder.hannenheim/notenrechner.git"; - notenrechner.inputs.nixpkgs.follows = "nixpkgs"; - authentik = { - url = "github:nix-community/authentik-nix"; - }; - - course-management = { url = "github:fsr/course-management"; - # inputs.nixpkgs.follows = "nixpkgs"; + inputs.nixpkgs.follows = "nixpkgs"; }; }; - outputs = - { self - , nixpkgs - , sops-nix - , nix-index-database - , kpp - , ese-manual - , vscode-server - , course-management - , print-interface - , authentik - , ... - }@inputs: - let - supportedSystems = [ "x86_64-linux" ]; - forAllSystems = nixpkgs.lib.genAttrs supportedSystems; - pkgs = forAllSystems (system: nixpkgs.legacyPackages.${system}); - - in + outputs = { self, nixpkgs, sops-nix, kpp, course-management, ... }@inputs: { - packages = forAllSystems (system: rec { - default = quitte; - quitte = self.nixosConfigurations.quitte.config.system.build.toplevel; - tomate = self.nixosConfigurations.tomate.config.system.build.toplevel; - }); - formatter = forAllSystems (system: pkgs.${system}.nixpkgs-fmt); - hydraJobs = forAllSystems (system: { - quitte = self.packages.${system}.quitte; - }); + packages."x86_64-linux".quitte = self.nixosConfigurations.quitte.config.system.build.toplevel; + packages."x86_64-linux".default = self.packages."x86_64-linux".quitte; + formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; + hydraJobs."x86-64-linux".quitte = self.packages."x86_64-linux".quitte; - devShells = forAllSystems (system: { - default = pkgs.${system}.mkShell { - packages = with pkgs.${system}; [ - sops - ]; - }; - }); - overlays.default = import ./overlays; nixosConfigurations = { - quitte = nixpkgs.lib.nixosSystem rec { + quitte = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; - specialArgs = inputs // { inherit system; }; modules = [ inputs.sops-nix.nixosModules.sops inputs.kpp.nixosModules.default - inputs.nix-index-database.nixosModules.nix-index - ese-manual.nixosModules.default course-management.nixosModules.default - vscode-server.nixosModules.default - authentik.nixosModules.default - ./hosts/quitte/configuration.nix - ./options - - ./modules/core - ./modules/authentik + ./modules/bacula.nix + ./modules/options.nix + ./modules/base.nix + ./modules/sops.nix + ./modules/kpp.nix ./modules/ldap ./modules/mail - ./modules/web - ./modules/courses - ./modules/wiki - ./modules/matrix - ./modules/keycloak - ./modules/monitoring - - ./modules/nix-serve.nix + ./modules/mailman.nix + ./modules/nginx.nix + ./modules/hydra.nix + ./modules/userdir.nix ./modules/hedgedoc.nix ./modules/padlist.nix - ./modules/nextcloud.nix - ./modules/vaultwarden.nix - ./modules/forgejo - ./modules/kanboard.nix - ./modules/zammad.nix - # ./modules/decisions.nix + ./modules/postgres.nix + ./modules/wiki.nix + ./modules/ftp.nix ./modules/stream.nix - # ./modules/struktur-bot.nix + ./modules/nextcloud.nix + ./modules/matrix.nix + ./modules/mautrix-telegram.nix + ./modules/sogo.nix + ./modules/vaultwarden.nix + ./modules/website.nix + ./modules/zsh.nix + ./modules/course-management.nix + ./modules/gitea.nix { - nixpkgs.overlays = [ - self.overlays.default - ]; sops.defaultSopsFile = ./secrets/quitte.yaml; } ]; }; - tomate = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - specialArgs = inputs; - modules = [ - inputs.sops-nix.nixosModules.sops - inputs.nix-index-database.nixosModules.nix-index - vscode-server.nixosModules.default - print-interface.nixosModules.default - ./hosts/tomate/configuration.nix - ./modules/core/base.nix - ./modules/core/zsh.nix - ./modules/core/sssd.nix - { - sops.defaultSopsFile = ./secrets/tomate.yaml; - } - ]; - }; }; }; } diff --git a/hosts/quitte/configuration.nix b/hosts/quitte/configuration.nix index 7f75d9d..98b70a7 100644 --- a/hosts/quitte/configuration.nix +++ b/hosts/quitte/configuration.nix @@ -7,61 +7,47 @@ ./network.nix ]; - boot.loader.systemd-boot = { - enable = true; - extraInstallCommands = '' - ${pkgs.coreutils}/bin/cp -r /boot/* /boot2 - ''; - }; - # boot.kernelParams = [ "video=VGA-1:1024x768@30" ]; + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + #boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; + #boot.kernelParams = [ "video=VGA-1:1024x768@30" ]; boot.loader.efi.canTouchEfiVariables = true; - boot.supportedFilesystems = [ "zfs" ]; + #boot.supportedFilesystems = [ "zfs" ]; + #boot.zfs.devNodes = "/dev/"; - services.zfs = { - trim.enable = true; - autoScrub.enable = true; - }; + services.qemuGuest.enable = true; + + # don't freeze the whole system while building something + nix.settings.cores = 16; + + # allows everyone in the nix-trusted group to perform builds + nix.settings.trusted-users = [ "@nix-trusted" ]; # Set your time zone. time.timeZone = "Europe/Berlin"; - i18n.defaultLocale = "en_US.UTF-8"; - security.sudo.extraRules = [ - { - commands = [ - { - command = "ALL"; - options = [ "NOPASSWD" ]; - } - ]; - groups = [ "admins" ]; - } - ]; - # prevent fork bombs - security.pam.loginLimits = [ - { - domain = "@users"; - item = "nproc"; - type = "hard"; - value = "2000"; - } - { - domain = "@nixbld"; - item = "nproc"; - type = "hard"; - value = "10000"; - } + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim + wget + git ]; - systemd = { - services.nix-daemon.serviceConfig = { - MemoryMax = "32G"; - }; - # all users together may not use more than $MemoryMax of RAM - slices."user".sliceConfig = { - MemoryMax = "32G"; - }; - }; + # Enable the OpenSSH daemon. + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "yes"; + + # Open ports in the firewall. + networking.firewall.allowedTCPPorts = [ 443 80 ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + # Copy the NixOS configuration file and link it from the resulting system + # (/run/current-system/configuration.nix). This is useful in case you + # accidentally delete configuration.nix. + # system.copySystemConfiguration = true; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions diff --git a/hosts/quitte/hardware-configuration.nix b/hosts/quitte/hardware-configuration.nix index 5dad929..3c7c759 100644 --- a/hosts/quitte/hardware-configuration.nix +++ b/hosts/quitte/hardware-configuration.nix @@ -1,52 +1,42 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. { config, lib, modulesPath, ... }: { - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; + imports = + [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; - boot.initrd.availableKernelModules = [ "megaraid_sas" "xhci_pci" "nvme" "ahci" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; + boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = { - device = "rpool/nixos/root"; - fsType = "zfs"; - }; + fileSystems."/" = + { + device = "/dev/disk/by-uuid/4d57c7c1-ed70-4fb1-af4c-4ba027b75248"; + fsType = "ext4"; + }; - fileSystems."/home" = { - device = "rpool/nixos/home"; - fsType = "zfs"; - }; + boot.initrd.luks.devices."luksroot".device = "/dev/disk/by-uuid/cfb9b37e-152d-45e9-b75d-88d71471be45"; - fileSystems."/nix" = { - device = "rpool/nixos/nixnew"; - fsType = "zfs"; - }; - - fileSystems."/var/lib" = { - device = "rpool/nixos/var/lib"; - fsType = "zfs"; - }; - - fileSystems."/var/log" = { - device = "rpool/nixos/var/log"; - fsType = "zfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/3278-8D00"; - fsType = "vfat"; - options = [ "nofail" ]; - }; - fileSystems."/boot2" = { - device = "/dev/disk/by-uuid/3366-F71E"; - fsType = "vfat"; - options = [ "nofail" ]; - }; + fileSystems."/boot" = + { + device = "/dev/disk/by-uuid/06C4-1FDB"; + fsType = "vfat"; + }; swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; } diff --git a/hosts/quitte/network.nix b/hosts/quitte/network.nix index f984edd..858f70e 100644 --- a/hosts/quitte/network.nix +++ b/hosts/quitte/network.nix @@ -1,59 +1,88 @@ -{ config, lib, ... }: +{ config, ... }: +let + wireguard_port = 51820; +in { - networking = { - # portunus module does weird things to this, so we force it to some sane values - hosts = { - "127.0.0.1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ]; - "::1" = lib.mkForce [ "quitte.ifsr.de" "quitte" ]; + sops.secrets = { + "wg-fsr" = { + owner = config.users.users.systemd-network.name; }; + }; + + networking = { hostId = "a71c81fc"; domain = "ifsr.de"; hostName = "quitte"; rDNS = config.networking.fqdn; + enableIPv6 = true; + useDHCP = true; + interfaces.ens18.useDHCP = true; useNetworkd = true; - nftables.enable = true; - firewall = { - logRefusedConnections = false; - trustedInterfaces = [ "podman0"]; - }; + firewall.allowedUDPPorts = [ wireguard_port ]; + wireguard.enable = true; }; services.resolved = { enable = true; - fallbackDns = [ "9.9.9.9" ]; + #dnssec = "false"; + fallbackDns = [ "1.1.1.1" ]; }; + # workaround for networkd waiting for shit + systemd.services.systemd-networkd-wait-online.serviceConfig.ExecStart = [ + "" # clear old command + "${config.systemd.package}/lib/systemd/systemd-networkd-wait-online --any" + ]; + systemd.network = { enable = true; - wait-online.anyInterface = true; # Interfaces on the machine - networks."10-wired-default" = { - matchConfig.Name = "enp65s0f0np0"; + networks."10-ether-bond" = { + matchConfig.Name = "ens18"; - address = [ - - "141.30.30.194/26" - "2a13:dd85:b23:1::1337/64" - ]; + address = [ "141.30.30.169/25" ]; routes = [ { - Gateway = "141.30.30.193"; - } - { - Gateway = "fe80::7a24:59ff:fe5e:6e2f"; + routeConfig.Gateway = "141.30.30.129"; } ]; networkConfig = { - DNS = [ - "9.9.9.9" - "149.112.112.112" - "2620:fe::fe" - "2620:fe::9" - ]; - LLDP = true; - EmitLLDP = "nearest-bridge"; + DNS = "141.30.1.1"; + #IPv6AcceptRA = true; + }; + }; + + # defining network device for wireguard connections + netdevs."fsr-wg" = { + netdevConfig = { + Kind = "wireguard"; + Name = "fsr-wg"; + Description = "fsr enterprise wireguard"; + }; + wireguardConfig = { + PrivateKeyFile = config.sops.secrets."wg-fsr".path; + ListenPort = wireguard_port; + }; + wireguardPeers = [ + { + # tassilo + wireguardPeerConfig = { + PublicKey = "vgo3le9xrFsIbbDZsAhQZpIlX+TuWjfEyUcwkoqUl2Y="; + AllowedIPs = [ "10.66.66.100/32" ]; + PersistentKeepalive = 25; + }; + } + ]; + }; + + # fsr wireguard server + networks."fsr-wg" = { + matchConfig.Name = "fsr-wg"; + networkConfig = { + Address = "10.66.66.1/24"; + IPForward = "ipv4"; }; }; }; diff --git a/hosts/tomate/configuration.nix b/hosts/tomate/configuration.nix deleted file mode 100644 index dffdcea..0000000 --- a/hosts/tomate/configuration.nix +++ /dev/null @@ -1,176 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, pkgs, ... }: - -{ - imports = - [ - # Include the results of the hardware scan. - ./network.nix - ./hardware-configuration.nix - ]; - - # Bootloader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - - nix = { - settings = { - substituters = [ - "https://cache.ifsr.de" - ]; - trusted-public-keys = [ - "cache.ifsr.de:y55KBAMF4YkjIzXwYOKVk9fcQS+CZ9RM1zAAMYQJtsg=" - ]; - }; - }; - - # Set your time zone. - time.timeZone = "Europe/Berlin"; - - # Select internationalisation properties. - i18n.defaultLocale = "de_DE.UTF-8"; - - i18n.extraLocaleSettings = { - LC_ADDRESS = "de_DE.UTF-8"; - LC_IDENTIFICATION = "de_DE.UTF-8"; - LC_MEASUREMENT = "de_DE.UTF-8"; - LC_MONETARY = "de_DE.UTF-8"; - LC_NAME = "de_DE.UTF-8"; - LC_NUMERIC = "de_DE.UTF-8"; - LC_PAPER = "de_DE.UTF-8"; - LC_TELEPHONE = "de_DE.UTF-8"; - LC_TIME = "de_DE.UTF-8"; - }; - - # Enable the X11 windowing system. - services.xserver.enable = true; - - # Enable the KDE Plasma Desktop Environment. - services.displayManager.sddm.enable = true; - services.xserver.desktopManager.plasma5.enable = true; - - # Configure keymap in X11 - services.xserver = { - xkb.layout = "de"; - xkb.variant = ""; - }; - - # Configure console keymap - console.keyMap = "de"; - - - - services.printing = { - enable = true; - stateless = true; - drivers = with pkgs; [ cups-kyocera ]; - browsing = true; - defaultShared = true; - # todo fix - allowFrom = [ "all" ]; - listenAddresses = [ "0.0.0.0:631" ]; - }; - - sops.secrets."print/smtp-password" = { - owner = config.services.print-interface.user; - group = config.services.print-interface.group; - }; - - services.print-interface = { - enable = true; - smtp = { - username = "print"; - passwordFile = config.sops.secrets."print/smtp-password".path; - }; - }; - - services.avahi = { - enable = true; - nssmdns4 = true; - openFirewall = true; - publish = { - enable = true; - userServices = true; - }; - }; - networking.firewall = { - allowedTCPPorts = [ - 631 - config.services.print-interface.listenPort - ]; - allowedUDPPorts = [ 631 ]; - }; - - # Enable sound with pipewire. - hardware.pulseaudio.enable = false; - security.rtkit.enable = true; - services.pipewire = { - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - # If you want to use JACK applications, uncomment this - #jack.enable = true; - - # use the example session manager (no others are packaged yet so this is enabled by default, - # no need to redefine it in your config for now) - #media-session.enable = true; - }; - - # Enable touchpad support (enabled default in most desktopManager). - # services.xserver.libinput.enable = true; - - # Allow unfree packages - nixpkgs.config.allowUnfree = true; - - # List packages installed in system profile. To search, run: - # $ nix search wget - environment.systemPackages = with pkgs; [ - # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. - # wget - ]; - security = { - pam = { - u2f = { - enable = true; - }; - services = { - login.u2fAuth = true; - sudo.u2fAuth = true; - }; - }; - - }; - - # Some programs need SUID wrappers, can be configured further or are - # started in user sessions. - # programs.mtr.enable = true; - # programs.gnupg.agent = { - # enable = true; - # enableSSHSupport = true; - # }; - - # List services that you want to enable: - - # Enable the OpenSSH daemon. - services.openssh.enable = true; - - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.05"; # Did you read the comment? - -} diff --git a/hosts/tomate/hardware-configuration.nix b/hosts/tomate/hardware-configuration.nix deleted file mode 100644 index 4d71ba7..0000000 --- a/hosts/tomate/hardware-configuration.nix +++ /dev/null @@ -1,42 +0,0 @@ -# Do not modify this file! It was generated by ‘nixos-generate-config’ -# and may be overwritten by future invocations. Please make changes -# to /etc/nixos/configuration.nix instead. -{ config, lib, modulesPath, ... }: - -{ - imports = - [ - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ohci_pci" "ehci_pci" "usbhid" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ "kvm-amd" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { - device = "/dev/disk/by-uuid/618e281f-a8bf-4129-bfc1-aa47f86a8c54"; - fsType = "ext4"; - }; - - fileSystems."/boot" = - { - device = "/dev/disk/by-uuid/0844-2A73"; - fsType = "vfat"; - }; - - swapDevices = - [{ device = "/dev/disk/by-uuid/8bdeb0c1-8f1e-43a7-b4b9-c06e27a94460"; }]; - - # Enables DHCP on each ethernet and wireless interface. In case of scripted networking - # (the default) this is the recommended approach. When using systemd-networkd it's - # still possible to use this option, but it's recommended to use it in conjunction - # with explicit per-interface declarations with `networking.interfaces..useDHCP`. - networking.useDHCP = lib.mkDefault true; - # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; - powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; -} diff --git a/hosts/tomate/network.nix b/hosts/tomate/network.nix deleted file mode 100644 index dd04916..0000000 --- a/hosts/tomate/network.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ config, ... }: -{ - sops.secrets.ifsr-apb-auth = { }; - networking = { - domain = "ifsr.de"; - hostName = "tomate"; - useNetworkd = true; - nftables.enable = true; - # Radius authentification - supplicant."enp3s0" = { - driver = "wired"; - configFile.path = config.sops.secrets.ifsr-apb-auth.path; - }; - }; - - services.resolved = { - enable = true; - fallbackDns = [ "9.9.9.9" ]; - }; - - systemd.network = { - enable = true; - - networks."10-wired-default" = { - matchConfig.Name = "enp3s0"; - - address = [ "141.30.86.196/26" ]; - routes = [ - { - Gateway = "141.30.86.193"; - } - ]; - networkConfig = { - DNS = "141.30.1.1"; - LLDP = true; - EmitLLDP = "nearest-bridge"; - }; - }; - }; -} diff --git a/keys/pgp/hendrik.asc b/keys/pgp/hendrik.asc deleted file mode 100644 index ad13ab9..0000000 --- a/keys/pgp/hendrik.asc +++ /dev/null @@ -1,23 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mDMEZNJqYBYJKwYBBAHaRw8BAQdAKncDaEdOUQGOqVBQuEsJ42wCcyLB7x1XcNDZ -VEQpVyO0JkhlbmRyaWsgV29sZmYgPGhlbmRyaWsud29sZmZAYWdkc24ubWU+iJAE -ExYIADgWIQT7v6wmDZKD0e8jl908pl6d1usxnQUCZNJqYAIbAwULCQgHAgYVCgkI -CwIEFgIDAQIeAQIXgAAKCRA8pl6d1usxnX6zAP9Rut+Yg31zBAiRdQxV4tlK+hko -wCq9WIKtIbBvrqv5/AEAujkRCgBpFeHzhId55QmvK0FXZgFgfy9wm/QtXb4+lQ64 -MwRk0mrEFgkrBgEEAdpHDwEBB0AidcMADt+W+eSbrInHeCPZThyd1V7NKEMhk3sL -xJApx4j1BBgWCAAmFiEE+7+sJg2Sg9HvI5fdPKZendbrMZ0FAmTSasQCGwIFCQeE -zgAAgQkQPKZendbrMZ12IAQZFggAHRYhBEK0YmsN4JpCoNWvKp5LZR/BVBjgBQJk -0mrEAAoJEJ5LZR/BVBjg6ogBAOcFh/S99L/aN6bQu9bYRPomakbNqypHA1YbodjG -1IQgAPwLj19BXNnQmTgYzY3bWmtcAc8lsGWTNkDDTZMRRTP+BSS1AP9qBuCeU/fj -2hpa17LiV6sjdRquxWQXjKxTlBRV8oKj1gD/WarlxiHt8nMn527FXuBrGZC+mZq2 -NvvoTb+uvZNliAq4OARk0mtEEgorBgEEAZdVAQUBAQdAkK0jBo/37NbRHMOYCal0 -9vGuK3KaxU3Cl9No+VbZDEYDAQgHiH4EGBYIACYWIQT7v6wmDZKD0e8jl908pl6d -1usxnQUCZNJrRAIbDAUJB4TOAAAKCRA8pl6d1usxnbaqAP9abTf+DibaAR6hdU9y -CEE5TD32EB+ySw/v45yCi28B8AEA5PcpwMD6emVrNQGeVChkOlwauwA3HkE6DDTO -yeebAwi4MwRk0mvNFgkrBgEEAdpHDwEBB0DSYGCNq15sOLj1wDJjoKoCRMGH8I/y -ARMUws7PQ4KPkYh+BBgWCAAmFiEE+7+sJg2Sg9HvI5fdPKZendbrMZ0FAmTSa80C -GyAFCQeEzgAACgkQPKZendbrMZ1HggEAxSBYuJ4BTr9GCl8e79HTSwg8iIIJx8Nc -REFvro0BrnEA/3AbyQYBQVAhqIwSSza5dr4+FiLbbVhPFcxU98TLBTQJ -=sA2V ------END PGP PUBLIC KEY BLOCK----- diff --git a/keys/pgp/jonas.asc b/keys/pgp/jonas.asc new file mode 100644 index 0000000..db77ff9 --- /dev/null +++ b/keys/pgp/jonas.asc @@ -0,0 +1,77 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGNunVEBEADRAqVGhtK60adwuY6MsrULGr56R1rqnA0tH+pgvDLly7Tbravx +vtgdcQmA4ZublaGGKbOo/ECa3AASlaPT7Tan0TssYJ6gw8MxYvad5WW6gW9tYvJB +ajDklWg/TS1rBZ64W4Jiuin08cE6Jx+l7l1JDK7U2TUwMVJ1UW1hBwnXVE353dBm +HZBYwrMnCYupXdm9PY1tSY9DeoZPEBSDP4v8qHEMnm0YzW2HPaYv/gjAEYfSM/R0 +PVOyItG4K8p2D3dl23L9i+BzSKyG5P0SXMygCuE1Ua6pXPHYDdkxJFx6Kf5SyEZB +8dVflxPTgMLKZ8nlG5AaYicw4sLdC8TmiGIQDZlo6iGGjAwzykugm+B3DEG4yf43 +1VPrVJTzDyf2LImRYNKDwhZRMchY65/4RCAj5ItvQAKj6BsDgRXoZ6ml+VkCKYFC +sbUNzBq9fpAPmdhBrlZgKn0dwAO91R2QWBskqkkS1+A01EJ6Ys5fHFx1yTYtgucv +qJWnVklMHrYmeKErnfN2pttZjQLeWmigKfjx9dWgJhCWsgcSVovRFrJcAX1jF7wL +CtEwgrK/P2sJ6lYVYoId4lhbu2pncN9fDdfepzlhvtePHJGoQ1gWwCIBXTMHn9gK +qhEvAWIx1r4gXHNmBla+BXtt/1vGdWb5/WZKqwqYcuVWZI4eKUOfml7lfwARAQAB +tDNoYWxjeW9uIDw1NTMxNzU3MytoeGxjeXhuQHVzZXJzLm5vcmVwbHkuZ2l0aHVi +LmNvbT6JAk4EEwEIADgWIQSk+SvHt5IQikY5lYJ8Hy2ivJKUEgUCY26hYgIbAwUL +CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRB8Hy2ivJKUEhxeD/44LyEiR9LUpiqZ +YoUjvEJm1/WnR1g46tGPcjzpeAa11ZUK4ByES4yFT+1DMjmywloLOmvPxFj4pR5S +N17wohLYaqIQ+RjmR/73UpZo7aB1oFwzzBNnYzCrU8MvcYkmHu6WhsioO39zmLDp +s8RpyUchfWQIQQKqnwsOuZVnW1QXKCGPowaZoqcYzubcKI8LAx/OI7bcyss6Z8hV +HnNX+MkFYVjrz8tAiJDjwvlPaWEJ+5hMdavunVtgDi+K6zK+YpbSweTD0E3Z1hOI +YaLGlrpHL1Jj+4OpcYUwfaoXOIe8jYmYe87Dq2ygT3b6zxEG7KRdDCCLN6YRTDqr +CGyWYyktLClphINzTsyEpKMjqBauntahvtoiBySKwujNNr1KOGSJXTjs9RK9IZEu +F/6Fg7pnjgsarOR+nLyqGTJvbgCJGQhM76iT6KJ8Z/FoLHDgLxLUygM1ZwuoHmHK +Df7zhdNZQ1cGcJjdh4MWFsB65DA8NWHu01BIiGryB2EbM0hWSIw+OQGmo7UMK74p +57obRz+gXiHoSEmlgJ7f9EJVY21XOqKxVTmCrYLBgiAHnqlAxCiJ3Yq5CzVnllWW +8EFZbSeiMJLDreFxiM5iwlIz7hAL7UgC/QMaJSPLLnau0dfkEFh0yyo/rDFW/IBV +Sswxu0WrY1XR971JgvD2KSZpgGA5WLQHaGFsY3lvbokCTgQTAQgAOBYhBKT5K8e3 +khCKRjmVgnwfLaK8kpQSBQJjbp1RAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA +AAoJEHwfLaK8kpQSbUIP+gKqWF4TkqDdP3QWOY3xJ5p7DsNOc1pO3uobFkLzlFd/ +bZdg3W1puC7WL1yeLsiuic0OnZukBqSQkXMRRc14TwmjYuebQAqGzXd1nfHcGdxb +bKIOUvWdn86rXpXLDL22LLZpmlel5uB2OcagSlGnzzrSx5KsK/9S4ryml+47b1eU +KRir5HtcR1gyKepLl0qGXNCYjn2ItOhYTqf6YehXiu9x6XfMOHHloGE+ttDvUkBX +NL8Twrd0n2N4UTP/WlzaNo1Mg5k5nM2lEOVqlTi5269cXsuJDHeap/fSMT74sdWU +k/3ZnCOM9oztQXZopeOHqlmkL7IxPXThBK3a8h16G8dkdkkwJdbbha3ygRcd2Hc4 +OqBi7o7q0PoRqxN+FQisPi8PrSxjDqKCS0H7Fzy2bb5Zg7dDPSS1ki7nwOp20VAy +0jnPW6HHqsP1Ik+JS4Rv/YaRDprn9UsK1HgfjagpEZxHf2sm5zm4yZ4Y8OgF4NnK +u2CRLA1eNv53hbexgNgqgLh5KgzgrIPHZZkob3E5rmw5w15fxLkXg3tHeDU++fSK +RjrCjM1FovbXbUd9BgPJqBSj3s1N2iQ+sVGAuHYPtTDuKkhtTHxlqcfvUq5LCYfv +qWjwhNAUhwACSchG5y5+MrShRnCvt4Cjx//fK7/fnH1DSDHiMET4XV55mqxoSJ/5 +tCNoYWxjeW9uIDxqb25hcy5zZWlmZXJ0MDRAZ21haWwuY29tPokCTgQTAQgAOBYh +BKT5K8e3khCKRjmVgnwfLaK8kpQSBQJjbqH+AhsDBQsJCAcCBhUKCQgLAgQWAgMB +Ah4BAheAAAoJEHwfLaK8kpQSwoEQAJJx8JNeiJeUJc9uQJWjlPwlcx6YgR4UAegf +8J9HUPu1SQVttJQEWsbOYUxGX3OVPDMlgGY8nsTmtAGHKEqwsgxgo5wI38XQVss3 +XC8TLhBiPpToK35Mh4DWrphbxEUcn86TltlWmEtUtZnTPt8aHt+0597SJq2bd59O +rNM6ywOMtDLFImLAKzgnxeEzVwHQufx56Tal7LzcP44SMVIAtqlzO+LudIQCBNhj +CYjsptxFini2JrLVVL5rQUo7ALV1eRfMTNUWZkr3MHgiEp5MIUW2qKuJsR6bP4dz +KgBCvx/lZ2nMLWeypIsDTNELHda9qU9KN/MZSP1SxJ/h/qc8ic62l3MEOXt+CxzW +ge0S5y3EXIbqcmGONJ5bDAhWx1ywTwczco7VVo0Itttg16uUS9Sy6oGTTh7W3J53 +U9y96aFThIzuEPeY45tmjxMNhQqwQFAqYVxZgB8R5D88SUKV6ysNt1wdgypFCThu +S5iQ57PcUHvZZrY+BUgN2GgBQ7zdX4MNl0ttGKgA4HVq0WY/VFS+m2E2ArBiV2kG +KjuN0r8tmi8B4etuuyI+R24rRq/ynbmEuVufZHXQUBgL3cFuID7YNQUslfodkMXL +Nhx12UYEc5bEySKfocirK1eWKNUrg0EVEXhqyYuNEqt0712yycvzQM283z7Ru4W3 +FhevoSc5uQINBGNunVEBEACeScywMTebpxo+bBPg/M48EgbSM0eOjYd07VT80QnD +EJJI6SLM+BLGCpnx5l8IjLDnjCy+sAFYw5W9R6fe2DZCOkY4PFxxN2mQm/pUip1r +2JF5USE3QrUCMBBIHYpaDqurCGKMQYjtmQshcvttPRhXeSjEMKMu+KhiTFTezHAb +77y5K7k/0GpUvJCgbXE1GipJSWcT1xopvVC2FnEtE1ix2Ugd6GPF39hRD9gfYQGh +u3bFWIub9zprUQwck7VEVgXP7N8fPutVtSi/dkFlBxm2S0Trov/Gs9C1OshcUwlC +us+HviepXma6nW/idjMfqLpcw6Q7R06gxfPmKsta1g8p4Xs+T5r5oapeyG4bRHnT +EdE8fdVGopa3r2JFemWeNL0RYFY00FGu9AE7zzutvVI9YgMXQdGzG5F1trEz+L9I +b8+a7PRSi3dUliO1LuWeOosxDGbZOJjZI85/MabFaadulil5O2PBgtoaCNphC+fn +6nW6IitDoDIRuDqtzrYbpCq+WpJHninbohykXsr9owNQ2iS067CtYq1B4fqu7dsT +b8Kn0OUAqreuFV6VvWbkauJOh4lt1XHTK7mthRWWW9LlOTND5OViy1TPDJpkTGEl +HD+2JwCCr/B5PeRDA7n/Odw+BHKUMNsRzxlyusyZalCBZRCeSGbBFT3AeiQL80ET +xQARAQABiQI2BBgBCAAgFiEEpPkrx7eSEIpGOZWCfB8torySlBIFAmNunVECGwwA +CgkQfB8torySlBLGDg//ROPDDuk8YVdmT9I2A057SQB6tkvXEvIE3u7sNsUjgsmv +oGc6BKYSC2yVUMyagZz7Mm64oMmvwSG/9ctI+1R4mhhlGgsPlrhzfMDWzm6OBRkB +XtpPsIcotNNYeEdydCdvK2XOJJ4hp9QGG0vsnuiSQL52ZM8j+A7a3NGRoDFtQ/2E +uB+AHpbbOu1avp5bNpmCBfbxl+upNDBP5er2OlyfTbaBSf8Z20dwLeXJJsb3AlED +eU3XUspAI0UsvUo1QLFWBv/MVU/Ryyqz2B4KMC9I1bRYLdaKaEtxIgQVT+cRwr0B +zwJc6+IewtQO1EjSSrkZxJSaZK7Jb600aiz3skRurQrpY+UoP9yAk7i4q1tJDNiR +t3QH2C4RwuWymhy8JlvVHKeo3KxEtJ0+3BKPnSyB9FNFELj8Mg1i+8mFCDVANUB/ +mdbg+Jhpw9fBWq0B/qi5NcLq2GDWqxPEgRbX5Kc/PfY95DcBeWWAJ4wiZqalN49X +Wa6gstiQIvsxbKHnx8qoti1YRbnpHOqUYk41P2FLmREgaj1LVQRdL5A+4+NoXhdk +a7pC8jX+egWoP36wcbjb2DJsYWiYwbjYKeOxSZOFUT+Cb7iaCGf2KuIoh/tZ5NJ8 +e5l0MwK1U6XpKTap1NF8WhoIge3lcQt/BH3cTdM+1CkQyTqtuHok6WAVqwgTa5Q= +=Fs3l +-----END PGP PUBLIC KEY BLOCK----- diff --git a/keys/ssh/frieder b/keys/ssh/frieder deleted file mode 100644 index 1e1228e..0000000 --- a/keys/ssh/frieder +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH70IC7DaiGBYdftUhuOE9CatcdYj2L50eZfztQA+pVs fried@Frieders-Void-Laptop diff --git a/keys/ssh/jonasga b/keys/ssh/jonasga new file mode 100644 index 0000000..5081d1f --- /dev/null +++ b/keys/ssh/jonasga @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpOQuIl31BL16yXdLlbzSDCle6bjE3WNVXzOV9ibdzEC3PpUufJDTU7FMW3WCO9fnYJ5osPKbV9nou5/10mPuN0g+k1e0NWUZNHbG+5zRqS7QYGFmtDC8EUTx1xnri5zMBMn9jzjNE8BkqvsjGrHcVCtI2T51slwFjE60GFkloQ7izRDrNkge1iM57KhoXz5MeYJtolDqeOh5P7nfAUR4bGT/gGtYVd85oCvbsHcjF9vgDovAfNP+zQhUn51ZOXvGp8+1/MAJVtxLfjC9Ma3LRiiliD6w5zcsksG5cUGcj2Sk9i/7nTm7g5MGo4EKwgPMw/MRzSRzvlZ76oPSPSLKn jonas@T14s \ No newline at end of file diff --git a/modules/authentik/default.nix b/modules/authentik/default.nix deleted file mode 100644 index eb65477..0000000 --- a/modules/authentik/default.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ config, lib, ... }: -let - domain = "idm.${config.networking.domain}"; -in -{ - sops.secrets."authentik/env" = { }; - services.authentik = { - enable = true; - nginx = { - enable = true; - host = domain; - enableACME = true; - }; - environmentFile = config.sops.secrets."authentik/env".path; - }; -} diff --git a/modules/bacula.nix b/modules/bacula.nix new file mode 100644 index 0000000..abb6c96 --- /dev/null +++ b/modules/bacula.nix @@ -0,0 +1,78 @@ +{ pkgs, config, lib, ... }: +with lib; + +let + # We write a custom config file because the upstream config has some flaws + fd_cfg = config.services.bacula-fd; + fd_conf = pkgs.writeText "bacula-fd.conf" '' + Client { + Name = ${fd_cfg.name} + FDPort = ${toString fd_cfg.port} + WorkingDirectory = /var/lib/bacula + Pid Directory = /run + ${fd_cfg.extraClientConfig} + } + + ${concatStringsSep "\n" (mapAttrsToList (name: value: '' + Director { + Name = ${name} + Password = ${value.password} + Monitor = ${value.monitor} + } + '') fd_cfg.director)} + + Messages { + Name = Standard; + syslog = all, !skipped, !restored + ${fd_cfg.extraMessagesConfig} + } + ''; + # AGDSN is running an outdated version that we have to comply to + bacula_package = (pkgs.bacula.overrideAttrs (old: rec { + version = "9.6.7"; + src = pkgs.fetchurl { + url = "mirror://sourceforge/bacula/${old.pname}-${version}.tar.gz"; + sha256 = "sha256-3w+FJezbo4DnS1N8pxrfO3WWWT8CGJtZqw6//IXMyN4="; + }; + })); +in +{ + sops.secrets = { + "bacula/password".owner = "bacula"; + "bacula/keypair".owner = "bacula"; + "bacula/masterkey".owner = "bacula"; + }; + networking.firewall.allowedTCPPorts = [ config.services.bacula-fd.port ]; + networking.firewall.allowedUDPPorts = [ config.services.bacula-fd.port ]; + services.bacula-fd = { + enable = true; + name = "ifsr-quitte"; + extraClientConfig = '' + Maximum Concurrent Jobs = 20 + FDAddress = 141.30.30.169 + PKI Signatures = Yes + PKI Encryption = Yes + PKI Keypair = ${config.sops.secrets."bacula/keypair".path} + PKI Master Key = ${config.sops.secrets."bacula/masterkey".path} + ''; + extraMessagesConfig = '' + director = abel-dir = all, !skipped, !restored + mailcommand = "${bacula_package}/bin/bsmtp -f \"Bacula \" -s \"Bacula report" %r" + mail = root+backup = all, !skipped + ''; + director."abel-dir".password = "@${config.sops.secrets."bacula/password".path}"; + }; + environment.etc."bacula/bconsole.conf".text = '' + Director { + Name = abel-dir + DIRport = 9101 + address = 10.144.0.11 + Password = @${config.sops.secrets."bacula/password".path} + } + Console { + Name = ifsr-quitte-console + Password = @${config.sops.secrets."bacula/password".path} + } + ''; + systemd.services.bacula-fd.serviceConfig.ExecStart = lib.mkForce "${bacula_package}/sbin/bacula-fd -f -u root -g bacula -c ${fd_conf}"; +} diff --git a/modules/core/base.nix b/modules/base.nix similarity index 72% rename from modules/core/base.nix rename to modules/base.nix index 906aa65..a19083d 100755 --- a/modules/core/base.nix +++ b/modules/base.nix @@ -1,5 +1,6 @@ { pkgs, config, ... }: { nix = { + package = pkgs.nixUnstable; # or versioned attributes like nix_2_4 extraOptions = '' experimental-features = nix-command flakes ''; @@ -10,17 +11,10 @@ echo System package diff: ${config.nix.package}/bin/nix store diff-closures /run/current-system $systemConfig || true fi - - NO_FORMAT="\033[0m" - F_BOLD="\033[1m" - C_RED="\033[38;5;9m" - ${pkgs.diffutils}/bin/cmp --silent \ - <(readlink /run/current-system/{kernel,kernel-modules}) \ - <(readlink $systemConfig/{kernel,kernel-modules}) \ - || echo -e "''${F_BOLD}''${C_RED}Kernel version changed, reboot is advised.''${NO_FORMAT}" ''; # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; console = { #font = "Lat2-Terminus16"; font = "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz"; @@ -28,17 +22,7 @@ }; # Enable the OpenSSH daemon. - services.openssh = { - enable = true; - settings = { - PermitRootLogin = "yes"; - PasswordAuthentication = false; - }; - }; - programs.mosh.enable = true; - - # vs code server - services.vscode-server.enable = true; + services.openssh.enable = true; # set root ssh keys users.users.root.openssh.authorizedKeys = { @@ -56,33 +40,32 @@ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXMHwy4AZ9B4pMRBa/P/rb7N3SCas9e7Lp89plTHdFS halcyon@eisvogel.moe" # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAJ7qUGZUjiDhQ6Se+aXr9DbgRTG2tx69owqVMkd2bna simon@mayushii" "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLlITzcTVnSi8EpEW3leSuqYCDhbnJyoGCjFOtIJ0Dl5uRNm0UNXS7AbQtLLylEeI1+/qinQDEWAJ6cBDAaPfNw= rouven@thinkpad" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINJgYI2rXmw4uPXAMmOgqgJEwYfwj/IBExTCzs9Dgo+R w0lff" + ]; keyFiles = [ - ../../keys/ssh/marcus-sapphire - ../../keys/ssh/schrader - ../../keys/ssh/jannusch - ../../keys/ssh/jannusch-arch - ../../keys/ssh/tassilo - ../../keys/ssh/rouven - ../../keys/ssh/joachim + ../keys/ssh/marcus-sapphire + ../keys/ssh/schrader + ../keys/ssh/jannusch + ../keys/ssh/jannusch-arch + ../keys/ssh/tassilo + ../keys/ssh/jonasga + ../keys/ssh/rouven + ../keys/ssh/joachim ]; }; time.timeZone = "Europe/Berlin"; # basic shell & editor - programs.vim.enable = true; programs.vim.defaultEditor = true; # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ atop - btop bat git - htop-vim + htop fd ripgrep tldr @@ -90,7 +73,6 @@ usbutils wget neovim - helix nmap tcpdump bat @@ -104,17 +86,13 @@ ltrace strace mtr - nix-output-monitor traceroute smartmontools sysstat tree whois - eza + exa zsh - unzip - yazi - imagemagick ]; } diff --git a/modules/core/bacula.nix b/modules/core/bacula.nix deleted file mode 100644 index c28a7d2..0000000 --- a/modules/core/bacula.nix +++ /dev/null @@ -1,47 +0,0 @@ -{ pkgs, config, ... }: -{ - sops.secrets = { - "bacula/password".owner = "bacula"; - "bacula/keypair".owner = "bacula"; - "bacula/masterkey".owner = "bacula"; - }; - networking.firewall = { - extraInputRules = '' - ip saddr 10.144.0.11 tcp dport ${builtins.toString config.services.bacula-fd.port} accept comment "Only allow Bacula access from Abel" - ''; - }; - services.bacula-fd = { - enable = true; - name = "ifsr-quitte"; - extraClientConfig = '' - Comm Compression = no - Maximum Concurrent Jobs = 20 - FDAddress = 141.30.30.194 - PKI Signatures = Yes - PKI Encryption = Yes - PKI Keypair = ${config.sops.secrets."bacula/keypair".path} - PKI Master Key = ${config.sops.secrets."bacula/masterkey".path} - ''; - extraMessagesConfig = '' - director = abel-dir = all, !skipped, !restored - mailcommand = "${pkgs.bacula}/bin/bsmtp -f \"Bacula \" -s \"Bacula report" %r" - mail = root+backup = all, !skipped - ''; - director."abel-dir" = { - password = "@${config.sops.secrets."bacula/password".path}"; - tls.enable = false; - }; - }; - environment.etc."bacula/bconsole.conf".text = '' - Director { - Name = abel-dir - DIRport = 9101 - address = 10.144.0.11 - Password = @${config.sops.secrets."bacula/password".path} - } - Console { - Name = ifsr-quitte-console - Password = @${config.sops.secrets."bacula/password".path} - } - ''; -} diff --git a/modules/core/default.nix b/modules/core/default.nix deleted file mode 100755 index de763c0..0000000 --- a/modules/core/default.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ ... }: { - imports = [ - ./base.nix - ./logging.nix - ./bacula.nix - ./fail2ban.nix - ./initrd-ssh.nix - ./mysql.nix - ./nginx.nix - ./podman.nix - ./postgres.nix - ./sssd.nix - ./zsh.nix - ]; -} diff --git a/modules/core/fail2ban.nix b/modules/core/fail2ban.nix deleted file mode 100644 index 5c08578..0000000 --- a/modules/core/fail2ban.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ ... }: -{ - services.fail2ban = { - enable = true; - ignoreIP = [ - "141.30.0.0/16" - "141.76.0.0/16" - ]; - bantime-increment = { - enable = true; - }; - - jails = { - dovecot = '' - enabled = true - # aggressive mode to add blocking for aborted connections - filter = dovecot[mode=aggressive] - maxretry = 15 - ''; - postfix = '' - enabled = true - filter = postfix[mode=aggressive] - maxretry = 15 - ''; - sshd.settings.maxretry = 15; - }; - }; -} diff --git a/modules/core/initrd-ssh.nix b/modules/core/initrd-ssh.nix deleted file mode 100644 index a244b21..0000000 --- a/modules/core/initrd-ssh.nix +++ /dev/null @@ -1,29 +0,0 @@ -# Find the required kernel module for the network adapter using `lspci -v` and add it to `boot.initrd.availableKernelModules`. -# Enable `networking.useDHCP` or set a static ip using the `ip=` kernel parameter. -# Generate another SSH host key for the machine: -# $ ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key_initrd -C HOSTNAME-initrd -# Add the public key to your known_hosts and create an ssh config entry. -{ config, ... }: -{ - boot.initrd = { - availableKernelModules = [ "mlx5_core" ]; - systemd = { - enable = true; - network = { - enable = true; - networks."10-wired-default" = config.systemd.network.networks."10-wired-default"; - }; - users.root.shell = "/bin/systemd-tty-ask-password-agent"; - }; - network = { - enable = true; - ssh = { - enable = true; - port = 222; - hostKeys = [ "/etc/ssh/ssh_host_ed25519_key_initrd" ]; - # authorizedKeys option inherits root's authorizedKeys.keys, but not keyFiles - }; - }; - }; -} - diff --git a/modules/core/logging.nix b/modules/core/logging.nix deleted file mode 100644 index 75f482f..0000000 --- a/modules/core/logging.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ pkgs, ... }: -{ - services.rsyslogd = { - enable = true; - defaultConfig = '' - $FileCreateMode 0640 - :programname, isequal, "postfix" /var/log/postfix.log - :programname, isequal, "portunus" /var/log/portunus.log - - auth.* -/var/log/auth.log - ''; - }; - services.logrotate.configFile = pkgs.writeText "logrotate.conf" '' - weekly - missingok - notifempty - rotate 4 - "/var/log/postfix.log" { - compress - delaycompress - weekly - rotate 156 - } - "/var/log/nginx/*.log" { - compress - delaycompress - weekly - postrotate - [ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid` - endscript - rotate 26 - su nginx nginx - } - ''; -} diff --git a/modules/core/mysql.nix b/modules/core/mysql.nix deleted file mode 100644 index f35b278..0000000 --- a/modules/core/mysql.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ pkgs, ... }: -{ - services.mysql = { - enable = true; - package = pkgs.mariadb; - settings.mysqld.bind_address = "127.0.0.1"; - }; - services.mysqlBackup = { - enable = true; - user = "mysql"; - location = "/var/lib/backup/mysql"; - databases = [ - "fsrewsp" - "nightline" - "wiki_ese" - "wiki_vernetzung" - ]; - }; -} diff --git a/modules/core/nginx.nix b/modules/core/nginx.nix deleted file mode 100644 index 36e596e..0000000 --- a/modules/core/nginx.nix +++ /dev/null @@ -1,64 +0,0 @@ -{ lib, config, pkgs, ... }: -{ - # set default options for virtualHosts - options = with lib; { - services.nginx.virtualHosts = mkOption { - type = types.attrsOf (types.submodule - ({ name, ... }: { - enableACME = true; - forceSSL = true; - # enable http3 for all hosts - quic = true; - http3 = true; - # split up nginx access logs per vhost - extraConfig = '' - access_log /var/log/nginx/${name}_access.log; - error_log /var/log/nginx/${name}_error.log; - add_header Alt-Svc 'h3=":443"; ma=86400'; - ''; - }) - ); - }; - }; - - config = { - networking.firewall.allowedTCPPorts = [ 80 443 ]; - networking.firewall.allowedUDPPorts = [ 443 ]; - services.nginx = { - enable = true; - package = pkgs.nginxQuic; - additionalModules = [ pkgs.nginxModules.pam ]; - recommendedProxySettings = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedTlsSettings = true; - - # appendHttpConfig = '' - # map $remote_addr $remote_addr_anon { - # ~(?P\d+\.\d+\.\d+)\. $ip.0; - # ~(?P[^:]+:[^:]+): $ip::; - # # IP addresses to not anonymize - # 127.0.0.1 $remote_addr; - # ::1 $remote_addr; - # default 0.0.0.0; - # } - # log_format anon_ip '$remote_addr_anon - $remote_user [$time_local] "$request" ' - # '$status $body_bytes_sent "$http_referer" ' - # '"$http_user_agent" "$http_x_forwarded_for"'; - - # access_log /var/log/nginx/access.log anon_ip; - # ''; - }; - security.acme = { - acceptTerms = true; - defaults = { - #server = "https://acme-staging-v02.api.letsencrypt.org/directory"; - email = "root@${config.networking.domain}"; - }; - }; - security.pam.services.nginx.text = '' - auth required ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so - account required ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so - ''; - }; -} diff --git a/modules/core/podman.nix b/modules/core/podman.nix deleted file mode 100644 index 9927a43..0000000 --- a/modules/core/podman.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ pkgs, ... }: -{ - # From: https://nixos.wiki/wiki/Podman - virtualisation.containers.enable = true; - virtualisation = { - podman = { - enable = true; - - # Create a `docker` alias for podman, to use it as a drop-in replacement - dockerCompat = true; - - # Required for containers under podman-compose to be able to talk to each other. - defaultNetwork.settings.dns_enabled = true; - }; - }; - virtualisation.oci-containers.backend = "podman"; - - - # Useful otherdevelopment tools - environment.systemPackages = with pkgs; [ - dive # look into docker image layers - podman-tui # status of containers in the terminal - #docker-compose # start group of containers for dev - #podman-compose # start group of containers for dev - ]; -} diff --git a/modules/core/sssd.nix b/modules/core/sssd.nix deleted file mode 100644 index a23a0bb..0000000 --- a/modules/core/sssd.nix +++ /dev/null @@ -1,41 +0,0 @@ -{ config, ... }: -{ - sops.secrets = { - "sssd/env" = { }; - - }; - services.sssd = { - enable = true; - environmentFile = config.sops.secrets."sssd/env".path; - sshAuthorizedKeysIntegration = true; - config = '' - [sssd] - config_file_version = 2 - services = nss, pam, ssh - domains = ldap - - [ssh] - - [nss] - - [pam] - - [domain/ldap] - auth_provider = ldap - ldap_uri = ldaps://auth.ifsr.de - ldap_default_authtok_type = password - ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK - ldap_search_base = dc=ifsr,dc=de - id_provider = ldap - ldap_default_bind_dn = uid=search,ou=users,dc=ifsr,dc=de - cache_credentials = True - ldap_tls_cacert = /etc/ssl/certs/ca-bundle.crt - ldap_tls_reqcert = hard - ''; - - }; - security.pam.services = { - sshd.makeHomeDir = true; - login.makeHomeDir = true; - }; -} diff --git a/modules/core/zsh.nix b/modules/core/zsh.nix deleted file mode 100644 index 349f3dd..0000000 --- a/modules/core/zsh.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ lib, pkgs, ... }: -{ - users.users.root.shell = pkgs.zsh; - programs.command-not-found.enable = false; - programs.nix-index-database.comma.enable = true; - environment.systemPackages = with pkgs; [ - # fzf - bat - duf - ]; - programs.fzf = { - keybindings = true; - }; - programs.zsh = { - enable = true; - autosuggestions = { - enable = true; - highlightStyle = "fg=#00bbbb,bold"; - }; - - # don't override agdsn-zsh-config aliases - shellAliases = lib.mkForce { }; - - shellInit = '' - zsh-newuser-install () {} - ''; - interactiveShellInit = '' - source ${pkgs.zsh-fzf-tab}/share/fzf-tab/fzf-tab.plugin.zsh - HW_CONF_ALIASES_GIT_AUTHOR_REMINDER=0 - source ${pkgs.agdsn-zsh-config}/etc/zsh/zshrc - ''; - promptInit = ""; - }; -} - diff --git a/modules/courses/default.nix b/modules/course-management.nix similarity index 66% rename from modules/courses/default.nix rename to modules/course-management.nix index 9b971fd..88cbc3b 100644 --- a/modules/courses/default.nix +++ b/modules/course-management.nix @@ -38,28 +38,15 @@ in enable = lib.mkForce true; # upstream bacula config wants to disable it, so we need to force ensureUsers = [{ name = "course-management"; - ensureDBOwnership = true; + ensurePermissions = { + "DATABASE \"course-management\"" = "ALL PRIVILEGES"; + }; }]; ensureDatabases = [ "course-management" ]; }; services.nginx.virtualHosts.${hostName} = { - # phil redirects - locations = - let - philDomain = "https://kurse-phil.ifsr.de"; - courses = [ "238" "239" "240" "241" "242" "243" ]; - subjects = [ - "ESE 2023 PHIL Campustour" - "ESE 2023 PHIL Bowlingabend" - "ESE 2023 PHIL Filmabend" - "ESE 2023 PHIL Wandern" - "ESE 2023 PHIL Spieleabend Pen and Paper" - ]; - in - { - "~ \"^/course/(${builtins.concatStringsSep "|" courses})/\"".return = "301 ${philDomain}/course/$1"; - "~ \"^/subject/(${builtins.concatStringsSep "|" subjects})/\"".return = "301 ${philDomain}/subject/$1"; - }; + enableACME = true; + forceSSL = true; }; } diff --git a/modules/courses/phil.nix b/modules/courses/phil.nix deleted file mode 100644 index 7bd1b69..0000000 --- a/modules/courses/phil.nix +++ /dev/null @@ -1,93 +0,0 @@ -{ config, lib, course-management, ... }: -let - hostName = "kurse-phil.${config.networking.domain}"; -in -{ - services.nginx.virtualHosts."${hostName}" = { - locations."/".proxyPass = "http://127.0.0.1:8084"; - enableACME = true; - forceSSL = true; - }; - - sops.secrets = { - "course-management-phil/secret-key" = { }; - "course-management-phil/adminpass" = { }; - }; - containers."courses-phil" = { - autoStart = true; - extraFlags = [ - "--load-credential=course-secret-key:${config.sops.secrets."course-management-phil/secret-key".path}" - "--load-credential=course-adminpass:${config.sops.secrets."course-management-phil/adminpass".path}" - ]; - config = { config, ... }: { - system.stateVersion = "23.05"; - networking.domain = "ifsr.de"; - imports = [ - course-management.nixosModules.default - ]; - systemd.services.course-management = { - after = [ "postgresql.service" ]; - serviceConfig = { - LoadCredential = [ - "secret-key:course-secret-key" - "adminpass:course-adminpass" - ]; - }; - }; - services.course-management = { - inherit hostName; - enable = true; - listenPort = 5001; - - settings = { - secretKeyFile = "$CREDENTIALS_DIRECTORY/secret-key"; - adminPassFile = "$CREDENTIALS_DIRECTORY/adminpass"; - admins = [{ - name = "Root iFSR"; - email = "root@${config.networking.domain}"; - }]; - database = { - ENGINE = "django.db.backends.postgresql"; - NAME = "course-management"; - }; - email = lib.mkDefault { - fromEmail = "noreply@${config.networking.domain}"; - serverEmail = "root@${config.networking.domain}"; - }; - }; - }; - security.acme = { - acceptTerms = true; - defaults = { - email = "root@${config.networking.domain}"; - }; - }; - services.postgresql = { - enable = true; - enableTCPIP = lib.mkForce false; - ensureUsers = [{ - name = "course-management"; - ensureDBOwnership = true; - }]; - ensureDatabases = [ "course-management" ]; - }; - systemd.services.postgresql.serviceConfig.ExecStart = lib.mkForce "${config.services.postgresql.package}/bin/postgres -c listen_addresses=''"; - services.nginx = { - enable = true; - recommendedProxySettings = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedTlsSettings = true; - - - virtualHosts.${hostName} = { - listen = [{ - addr = "127.0.0.1"; - port = 8084; - }]; - }; - }; - - }; - }; -} diff --git a/modules/decisions.nix b/modules/decisions.nix deleted file mode 100644 index c19085d..0000000 --- a/modules/decisions.nix +++ /dev/null @@ -1,46 +0,0 @@ -{ config, ... }: -let - domain = "decisions.${config.networking.domain}"; -in -{ - sops.secrets."decisions_env" = { }; - virtualisation.oci-containers = { - containers.decisions = { - image = "ghcr.io/fsr/decisions"; - volumes = [ - "/var/lib/nextcloud/data/root/files/FSR/protokolle:/protokolle:ro" - ]; - extraOptions = [ "--network=host" ]; - environmentFiles = [ - config.sops.secrets."decisions_env".path - ]; - }; - }; - - services.nginx = { - virtualHosts."${domain}" = { - locations."/" = { - proxyPass = "http://127.0.0.1:5055"; - }; - }; - }; - - systemd.timers."decisions-to-db" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "01:11:00"; - Unit = "decisions-to-db.service"; - }; - }; - - # systemd.services."decisions-to-db" = { - # script = '' - # set -eu - # ${pkgs.podman}/bin/podman exec decisions python tex_to_db.py - # ''; - # serviceConfig = { - # Type = "oneshot"; - # User = "root"; - # }; - # }; -} diff --git a/modules/forgejo/actions.nix b/modules/forgejo/actions.nix deleted file mode 100644 index 16d6d24..0000000 --- a/modules/forgejo/actions.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ config, pkgs, ... }: -{ - sops.secrets."forgejo/runner-token" = { }; - services.gitea-actions-runner = { - package = pkgs.forgejo-actions-runner; - instances."quitte" = { - enable = true; - labels = [ - # provide a debian base with nodejs for actions - "debian-latest:docker://node:18-bullseye" - # fake the ubuntu name, because node provides no ubuntu builds - "ubuntu-latest:docker://node:18-bullseye" - # provide native execution on the host - # "native:host" - ]; - tokenFile = config.sops.secrets."forgejo/runner-token".path; - url = "https://git.ifsr.de"; - name = "quitte"; - settings = { - container = { - # use podman's default network, otherwise dns was not working for some reason - network = "podman"; - # don't mount the docker socket into the build containers, - # this would basically mean root on the host... - docker_host = "-"; - }; - }; - }; - }; -} diff --git a/modules/ftp.nix b/modules/ftp.nix new file mode 100644 index 0000000..205ed7c --- /dev/null +++ b/modules/ftp.nix @@ -0,0 +1,23 @@ +{ config, pkgs, ... }: +let + domain = "ftp.${config.networking.domain}"; +in +{ + services.nginx.additionalModules = [ pkgs.nginxModules.fancyindex ]; + services.nginx.virtualHosts."${domain}" = { + enableACME = true; + forceSSL = true; + root = "/srv/ftp"; + extraConfig = '' + fancyindex on; + fancyindex_exact_size off; + ''; + locations."~/(klausuren|uebungen|skripte|abschlussarbeiten)".extraConfig = '' + allow 141.30.0.0/16; + allow 141.76.0.0/16; + allow 172.16.0.0/16; + deny all; + ''; + + }; +} diff --git a/modules/forgejo/default.nix b/modules/gitea.nix similarity index 78% rename from modules/forgejo/default.nix rename to modules/gitea.nix index aee832d..9924f61 100644 --- a/modules/forgejo/default.nix +++ b/modules/gitea.nix @@ -1,46 +1,40 @@ { config, lib, pkgs, ... }: let domain = "git.${config.networking.domain}"; - gitUser = "git"; + giteaUser = "git"; in { - imports = [ - ./actions.nix - ]; sops.secrets.gitea_ldap_search = { key = "portunus/search-password"; - owner = config.services.forgejo.user; + owner = config.services.gitea.user; }; - users.users.${gitUser} = { + users.users.${giteaUser} = { isSystemUser = true; - home = config.services.forgejo.stateDir; - group = gitUser; + home = config.services.gitea.stateDir; + group = giteaUser; useDefaultShell = true; }; - users.groups.${gitUser} = { }; + users.groups.${giteaUser} = { }; - services.forgejo = { + services.gitea = { enable = true; - user = gitUser; - group = gitUser; - package = pkgs.forgejo; + package = pkgs.forgejo; # community fork + user = giteaUser; + group = giteaUser; + appName = "iFSR Git"; lfs.enable = true; database = { type = "postgres"; - name = "git"; # legacy createDatabase = true; - user = gitUser; + user = giteaUser; }; # TODO: enable periodic dumps of the DB and repos, maybe use this for backups? # dump = { }; settings = { - DEFAULT = { - APP_NAME = "iFSR Git"; - }; server = { PROTOCOL = "http+unix"; DOMAIN = domain; @@ -48,7 +42,6 @@ in ROOT_URL = "https://${domain}"; OFFLINE_MODE = true; # disable use of CDNs }; - log.LEVEL = "Warn"; database.LOG_SQL = false; service = { DISABLE_REGISTRATION = true; @@ -70,15 +63,12 @@ in COOKIE_SECURE = true; PROVIDER = "db"; }; - actions.ENABLED = true; - # federation.ENABLED = true; - webhook.ALLOWED_HOST_LIST = "*.ifsr.de"; }; }; - systemd.services.forgejo.preStart = + systemd.services.gitea.preStart = let - exe = lib.getExe config.services.forgejo.package; + exe = lib.getExe config.services.gitea.package; portunus = config.services.portunus; basedn = "ou=users,${portunus.ldap.suffix}"; ldapConfigArgs = '' @@ -115,8 +105,10 @@ in ''; services.nginx.virtualHosts.${domain} = { + enableACME = true; + forceSSL = true; locations."/" = { - proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/"; + proxyPass = "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}:/"; proxyWebsockets = true; }; locations."/api/v1/users/search".return = "403"; diff --git a/modules/hedgedoc.nix b/modules/hedgedoc.nix index 244734a..bbe2c47 100644 --- a/modules/hedgedoc.nix +++ b/modules/hedgedoc.nix @@ -14,7 +14,9 @@ in ensureUsers = [ { name = "hedgedoc"; - ensureDBOwnership = true; + ensurePermissions = { + "DATABASE hedgedoc" = "ALL PRIVILEGES"; + }; } ]; ensureDatabases = [ "hedgedoc" ]; @@ -49,7 +51,6 @@ in # allow anonymous editing, but not creation of pads allowAnonymous = false; allowAnonymousEdits = true; - allowAnonymousUploads = false; defaultPermission = "limited"; defaultNotePath = builtins.toString template; # ldap auth @@ -69,16 +70,12 @@ in recommendedProxySettings = true; virtualHosts = { "${domain}" = { + enableACME = true; + forceSSL = true; locations."/" = { proxyPass = "http://[::1]:${toString config.services.hedgedoc.settings.port}"; proxyWebsockets = true; }; - locations."/robots.txt" = { - extraConfig = '' - add_header Content-Type text/plain; - return 200 "User-agent: *\nDisallow: /\n"; - ''; - }; }; }; }; diff --git a/modules/hydra.nix b/modules/hydra.nix index 77c347e..8a252d5 100644 --- a/modules/hydra.nix +++ b/modules/hydra.nix @@ -4,7 +4,6 @@ let in { sops.secrets."hydra_ldap_search" = { owner = "hydra"; group = "hydra"; mode = "440"; }; - nix.settings.allowed-uris = [ "https://github.com/nix-community" ]; # whitelisted to fetch nix-index services.hydra = { enable = true; port = 4000; @@ -60,6 +59,8 @@ in }; services.nginx.virtualHosts."${domain}" = { + enableACME = true; + forceSSL = true; locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.hydra.port}"; }; diff --git a/modules/kanboard.nix b/modules/kanboard.nix deleted file mode 100644 index 2416ed8..0000000 --- a/modules/kanboard.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ config, ... }: -let - domain = "kanboard.${config.networking.domain}"; - domain_short = "kb.${config.networking.domain}"; -in -{ - sops.secrets."kanboard_env" = { }; - - virtualisation.oci-containers = { - containers.kanboard = { - image = "ghcr.io/kanboard/kanboard:v1.2.43"; - volumes = [ - "kanboard_data:/var/www/app/data" - "kanboard_plugins:/var/www/app/plugins" - ]; - ports = [ "127.0.0.1:8045:80" ]; - environmentFiles = [ - config.sops.secrets."kanboard_env".path - ]; - }; - }; - - services.nginx = { - virtualHosts."${domain_short}" = { - locations."/".return = "301 $scheme://${domain}$request_uri"; - }; - - virtualHosts."${domain}" = { - locations."/" = { - proxyPass = "http://127.0.0.1:8045"; - }; - }; - }; -} diff --git a/modules/keycloak/default.nix b/modules/keycloak/default.nix deleted file mode 100644 index 6aa1afb..0000000 --- a/modules/keycloak/default.nix +++ /dev/null @@ -1,39 +0,0 @@ -{ config, pkgs, ... }: -let - domain = "sso.${config.networking.domain}"; -in -{ - sops.secrets."keycloak/db" = { }; - services.keycloak = { - enable = true; - # we use unstable as the release in stable is insecure - # package = nixpkgs-unstable.legacyPackages.x86_64-linux.keycloak; - settings = { - http-port = 8086; - https-port = 19000; - hostname = domain; - proxy-headers = "xforwarded"; - http-enabled = true; - hostname-strict-https = false; - }; - # The module requires a password for the DB and works best with its own DB config - # Does an automatic Postgresql configuration - database = { - passwordFile = config.sops.secrets."keycloak/db".path; - }; - initialAdminPassword = "plschangeme"; - themes = with pkgs ; { - ifsr = keycloak_ifsr_theme; - }; - }; - services.nginx.virtualHosts."${domain}" = { - locations."/" = { - proxyPass = "http://127.0.0.1:${toString config.services.keycloak.settings.http-port}"; - extraConfig = '' - proxy_buffer_size 128k; - proxy_buffers 4 256k; - proxy_busy_buffers_size 256k; - ''; - }; - }; -} diff --git a/modules/keycloak/theme.nix b/modules/keycloak/theme.nix deleted file mode 100644 index 0500e47..0000000 --- a/modules/keycloak/theme.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ stdenv }: -stdenv.mkDerivation rec { - name = "keycloak_ifsr_theme"; - version = "1.1"; - - src = ./theme; - - nativeBuildInputs = [ ]; - buildInputs = [ ]; - - installPhase = '' - mkdir -p $out - cp -a login $out - ''; -} diff --git a/modules/keycloak/theme/login/resources/css/login.css b/modules/keycloak/theme/login/resources/css/login.css deleted file mode 100644 index 6314ff8..0000000 --- a/modules/keycloak/theme/login/resources/css/login.css +++ /dev/null @@ -1,772 +0,0 @@ -.login-pf { - background: none; -} - -.login-pf body { - background: url(../img/background.jpg) no-repeat center center fixed; - background-size: cover; - height: 100%; -} - -/*IE compatibility*/ -.pf-c-form-control { - font-size: 14px; - font-size: var(--pf-global--FontSize--sm); - border-width: 1px; - border-width: var(--pf-global--BorderWidth--sm);; - border-color: #EDEDED #EDEDED #8A8D90 #EDEDED; - border-color: var(--pf-global--BorderColor--300) var(--pf-global--BorderColor--300) var(--pf-global--BorderColor--200) var(--pf-global--BorderColor--300); - background-color: #FFFFFF; - background-color: var(--pf-global--BackgroundColor--100); - height: 36px; - height: calc(var(--pf-c-form-control--FontSize) * var(--pf-c-form-control--LineHeight) + var(--pf-c-form-control--BorderWidth) * 2 + var(--pf-c-form-control--PaddingTop) + var(--pf-c-form-control--PaddingBottom)); - padding: 5px 0.5rem; - padding: var(--pf-c-form-control--PaddingTop) var(--pf-c-form-control--PaddingRight) var(--pf-c-form-control--PaddingBottom) var(--pf-c-form-control--PaddingLeft); -} - -textarea.pf-c-form-control { - height: auto; -} - -.pf-c-form-control:hover, .pf-c-form-control:focus { - border-bottom-color: #0066CC; - border-bottom-color: var(--pf-global--primary-color--100); - border-bottom-width: 2px; - border-bottom-width: var(--pf-global--BorderWidth--md); -} - -.pf-c-form-control[aria-invalid=true] { - border-bottom-color: #C9190B; - border-bottom-color: var(--pf-global--danger-color--100); - border-bottom-width: 2px; - border-bottom-width: var(--pf-global--BorderWidth--md); -} - -.pf-c-check__label, .pf-c-radio__label { - font-size: 14px; - font-size: var(--pf-global--FontSize--sm); -} - -.pf-c-alert.pf-m-inline { - margin-bottom: 0.5rem; /* default - IE compatibility */ - margin-bottom: var(--pf-global--spacer--sm); - padding: 0.25rem; - padding: var(--pf-global--spacer--xs); - border: solid #ededed; - border: solid var(--pf-global--BorderColor--300); - border-width: 1px; - border-width: var(--pf-c-alert--m-inline--BorderTopWidth) var(--pf-c-alert--m-inline--BorderRightWidth) var(--pf-c-alert--m-inline--BorderBottomWidth) var(--pf-c-alert--m-inline--BorderLeftWidth); - display: -ms-flexbox; - display: grid; - -ms-grid-columns: max-content 1fr max-content; - grid-template-columns:max-content 1fr max-content; - grid-template-columns: var(--pf-c-alert--grid-template-columns); - grid-template-rows: 1fr auto; - grid-template-rows: var(--pf-c-alert--grid-template-rows); -} - -.pf-c-alert.pf-m-inline::before { - position: absolute; - top: -1px; - top: var(--pf-c-alert--m-inline--before--Top); - bottom: -1px; - bottom: var(--pf-c-alert--m-inline--before--Bottom); - left: 0; - width: 3px; - width: var(--pf-c-alert--m-inline--before--Width); - content: ; - background-color: #FFFFFF; - background-color: var(--pf-global--BackgroundColor--100); -} - -.pf-c-alert.pf-m-inline.pf-m-success::before { - background-color: #92D400; - background-color: var(--pf-global--success-color--100); -} - -.pf-c-alert.pf-m-inline.pf-m-danger::before { - background-color: #C9190B; - background-color: var(--pf-global--danger-color--100); -} - -.pf-c-alert.pf-m-inline.pf-m-warning::before { - background-color: #F0AB00; - background-color: var(--pf-global--warning-color--100); -} - -.pf-c-alert.pf-m-inline .pf-c-alert__icon { - padding: 1rem 0.5rem 1rem 1rem; - padding: var(--pf-c-alert--m-inline__icon--PaddingTop) var(--pf-c-alert--m-inline__icon--PaddingRight) var(--pf-c-alert--m-inline__icon--PaddingBottom) var(--pf-c-alert--m-inline__icon--PaddingLeft); - font-size: 16px; - font-size: var(--pf-c-alert--m-inline__icon--FontSize); -} - -.pf-c-alert.pf-m-success .pf-c-alert__icon { - color: #92D400; - color: var(--pf-global--success-color--100); -} - -.pf-c-alert.pf-m-success .pf-c-alert__title { - color: #486B00; - color: var(--pf-global--success-color--200); -} - -.pf-c-alert.pf-m-danger .pf-c-alert__icon { - color: #C9190B; - color: var(--pf-global--danger-color--100); -} - -.pf-c-alert.pf-m-danger .pf-c-alert__title { - color: #A30000; - color: var(--pf-global--danger-color--200); -} - -.pf-c-alert.pf-m-warning .pf-c-alert__icon { - color: #F0AB00; - color: var(--pf-global--warning-color--100); -} - -.pf-c-alert.pf-m-warning .pf-c-alert__title { - color: #795600; - color: var(--pf-global--warning-color--200); -} - -.pf-c-alert__title { - font-size: 14px; /* default - IE compatibility */ - font-size: var(--pf-global--FontSize--sm); - padding: 5px 8px; - padding: var(--pf-c-alert__title--PaddingTop) var(--pf-c-alert__title--PaddingRight) var(--pf-c-alert__title--PaddingBottom) var(--pf-c-alert__title--PaddingLeft); -} - -.pf-c-button{ - padding:0.375rem 1rem; - padding: var(--pf-global--spacer--form-element) var(--pf-global--spacer--md); -} - -/* default - IE compatibility */ -.pf-m-primary { - color: #FFFFFF; - background-color: #0066CC; - background-color: var(--pf-global--primary-color--100); -} - -/* default - IE compatibility */ -.pf-m-primary:hover { - background-color: #004080; - background-color: var(--pf-global--primary-color--200); -} - -/* default - IE compatibility */ -.pf-c-button.pf-m-control { - border: solid 1px; - border: solid var(--pf-global--BorderWidth--sm); - border-color: rgba(230, 230, 230, 0.5); -} -/*End of IE compatibility*/ -h1#kc-page-title { - margin-top: 10px; -} - -#kc-locale ul { - background-color: #FFF; - background-color: var(--pf-global--BackgroundColor--100); - display: none; - top: 20px; - min-width: 100px; - padding: 0; -} - -#kc-locale-dropdown{ - display: inline-block; -} - -#kc-locale-dropdown:hover ul { - display:block; -} - -/* IE compatibility */ -#kc-locale-dropdown a { - color: #6A6E73; - color: var(--pf-global--Color--200); - text-align: right; - font-size: 14px; - font-size: var(--pf-global--FontSize--sm); -} - -/* IE compatibility */ -a#kc-current-locale-link::after { - content: 2c5; - margin-left: 4px; - margin-left: var(--pf-global--spacer--xs) -} - -.login-pf .container { - padding-top: 40px; -} - -.login-pf a:hover { - color: #0099d3; -} - -#kc-logo { - width: 100%; -} - -div.kc-logo-text { - background-image: url(../img/agdsn_logo.png); - background-repeat: no-repeat; - background-size: auto; - position: relative; - top: 0%; - left: 25%; - width: 950px; - height: 250px; - - -} - -div.kc-logo-text span { - display: none; -} - -#kc-header { - color: #ededed; - overflow: visible; - white-space: nowrap; -} - -#kc-header-wrapper { - font-size: 29px; - text-transform: uppercase; - letter-spacing: 3px; - line-height: 1.2em; - padding: 62px 10px 20px; - white-space: normal; -} - -#kc-content { - width: 100%; -} - -#kc-attempted-username { - font-size: 20px; - font-family: inherit; - font-weight: normal; - padding-right: 10px; -} - -#kc-username { - text-align: center; - margin-bottom:-10px; -} - -#kc-webauthn-settings-form { - padding-top: 8px; -} - -#kc-form-webauthn .select-auth-box-parent { - pointer-events: none; -} - -#kc-form-webauthn .select-auth-box-desc { - color: var(--pf-global--palette--black-600); -} - -#kc-form-webauthn .select-auth-box-headline { - color: var(--pf-global--Color--300); -} - -#kc-form-webauthn .select-auth-box-icon { - flex: 0 0 3em; -} - -#kc-form-webauthn .select-auth-box-icon-properties { - margin-top: 10px; - font-size: 1.8em; -} - -#kc-form-webauthn .select-auth-box-icon-properties.unknown-transport-class { - margin-top: 3px; -} - -#kc-form-webauthn .pf-l-stack__item { - margin: -1px 0; -} - -#kc-content-wrapper { - margin-top: 20px; -} - -#kc-form-wrapper { - margin-top: 10px; -} - -#kc-info { - margin: 20px -40px -30px; -} - -#kc-info-wrapper { - font-size: 13px; - padding: 15px 35px; - background-color: #F0F0F0; -} - -#kc-form-options span { - display: block; -} - -#kc-form-options .checkbox { - margin-top: 0; - color: #72767b; -} - -#kc-terms-text { - margin-bottom: 20px; -} - -#kc-registration { - margin-bottom: 0; -} - -/* TOTP */ - -.subtitle { - text-align: right; - margin-top: 30px; - color: #909090; -} - -.required { - color: #A30000; /* default - IE compatibility */ - color: var(--pf-global--danger-color--200); -} - -ol#kc-totp-settings { - margin: 0; - padding-left: 20px; -} - -ul#kc-totp-supported-apps { - margin-bottom: 10px; -} - -#kc-totp-secret-qr-code { - max-width:150px; - max-height:150px; -} - -#kc-totp-secret-key { - background-color: #fff; - color: #333333; - font-size: 16px; - padding: 10px 0; -} - -/* OAuth */ - -#kc-oauth h3 { - margin-top: 0; -} - -#kc-oauth ul { - list-style: none; - padding: 0; - margin: 0; -} - -#kc-oauth ul li { - border-top: 1px solid rgba(255, 255, 255, 0.1); - font-size: 12px; - padding: 10px 0; -} - -#kc-oauth ul li:first-of-type { - border-top: 0; -} - -#kc-oauth .kc-role { - display: inline-block; - width: 50%; -} - -/* Code */ -#kc-code textarea { - width: 100%; - height: 8em; -} - -/* Social */ -.kc-social-links { - margin-top: 20px; -} - -.kc-social-provider-logo { - font-size: 23px; - width: 30px; - height: 25px; - float: left; -} - -.kc-social-gray { - color: #737679; /* default - IE compatibility */ - color: var(--pf-global--Color--200); -} - -.kc-social-item { - margin-bottom: 0.5rem; /* default - IE compatibility */ - margin-bottom: var(--pf-global--spacer--sm); - font-size: 15px; - text-align: center; -} - -.kc-social-provider-name { - position: relative; - top: 3px; -} - -.kc-social-icon-text { - left: -15px; -} - -.kc-social-grid { - display:grid; - grid-column-gap: 10px; - grid-row-gap: 5px; - grid-column-end: span 6; - --pf-l-grid__item--GridColumnEnd: span 6; -} - -.kc-social-grid .kc-social-icon-text { - left: -10px; -} - -.kc-login-tooltip { - position: relative; - display: inline-block; -} - -.kc-social-section { - text-align: center; -} - -.kc-social-section hr{ - margin-bottom: 10px -} - -.kc-login-tooltip .kc-tooltip-text{ - top:-3px; - left:160%; - background-color: black; - visibility: hidden; - color: #fff; - - min-width:130px; - text-align: center; - border-radius: 2px; - box-shadow:0 1px 8px rgba(0,0,0,0.6); - padding: 5px; - - position: absolute; - opacity:0; - transition:opacity 0.5s; -} - -/* Show tooltip */ -.kc-login-tooltip:hover .kc-tooltip-text { - visibility: visible; - opacity:0.7; -} - -/* Arrow for tooltip */ -.kc-login-tooltip .kc-tooltip-text::after { - content: ; - position: absolute; - top: 15px; - right: 100%; - margin-top: -5px; - border-width: 5px; - border-style: solid; - border-color: transparent black transparent transparent; -} - -@media (min-width: 768px) { - #kc-container-wrapper { - position: absolute; - width: 100%; - } - - .login-pf .container { - padding-right: 80px; - } - - #kc-locale { - position: relative; - text-align: right; - z-index: 9999; - } -} - -@media (max-width: 767px) { - - .login-pf body { - background: white; - } - - #kc-header { - padding-left: 15px; - padding-right: 15px; - float: none; - text-align: left; - } - - #kc-header-wrapper { - font-size: 16px; - font-weight: bold; - padding: 20px 60px 0 0; - color: #72767b; - letter-spacing: 0; - } - - div.kc-logo-text { - margin: 0; - width: 150px; - height: 32px; - background-size: 100%; - } - - #kc-form { - float: none; - } - - #kc-info-wrapper { - border-top: 1px solid rgba(255, 255, 255, 0.1); - background-color: transparent; - } - - .login-pf .container { - padding-top: 15px; - padding-bottom: 15px; - } - - #kc-locale { - position: absolute; - width: 200px; - top: 20px; - right: 20px; - text-align: right; - z-index: 9999; - } -} - -@media (min-height: 646px) { - #kc-container-wrapper { - bottom: 12%; - } -} - -@media (max-height: 645px) { - #kc-container-wrapper { - padding-top: 50px; - top: 20%; - } -} - -.card-pf form.form-actions .btn { - float: right; - margin-left: 10px; -} - -#kc-form-buttons { - margin-top: 20px; -} - -.login-pf-page .login-pf-brand { - margin-top: 20px; - max-width: 360px; - width: 40%; -} - -/* Internet Explorer 11 compatibility workaround for select-authenticator screen */ -@media all and (-ms-high-contrast: none), -(-ms-high-contrast: active) { - .select-auth-box-parent { - border-top: 1px solid #f0f0f0; - padding-top: 1rem; - padding-bottom: 1rem; - cursor: pointer; - } - - .select-auth-box-headline { - font-size: 16px; - color: #06c; - font-weight: bold; - } - - .select-auth-box-desc { - font-size: 14px; - } - - .pf-l-stack { - flex-basis: 100%; - } -} -/* End of IE11 workaround for select-authenticator screen */ - -.select-auth-box-arrow{ - display: flex; - align-items: center; - margin-right: 2rem; -} - -.select-auth-box-icon{ - display: flex; - flex: 0 0 2em; - justify-content: center; - margin-right: 1rem; - margin-left: 3rem; -} - -.select-auth-box-parent{ - border-top: 1px solid var(--pf-global--palette--black-200); - padding-top: 1rem; - padding-bottom: 1rem; - cursor: pointer; -} - -.select-auth-box-parent:hover{ - background-color: #f7f8f8; -} - -.select-auth-container { -} - -.select-auth-box-headline { - font-size: var(--pf-global--FontSize--md); - color: var(--pf-global--primary-color--100); - font-weight: bold; -} - -.select-auth-box-desc { - font-size: var(--pf-global--FontSize--sm); -} - -.select-auth-box-paragraph { - text-align: center; - font-size: var(--pf-global--FontSize--md); - margin-bottom: 5px; -} - -.card-pf { - margin: 0 auto; - box-shadow: var(--pf-global--BoxShadow--lg); - padding: 0 20px; - max-width: 500px; - border-top: 4px solid; - border-color: #0066CC; /* default - IE compatibility */ - border-color: var(--pf-global--primary-color--100); -} - -/*phone*/ -@media (max-width: 767px) { - .login-pf-page .card-pf { - max-width: none; - margin-left: 0; - margin-right: 0; - padding-top: 0; - border-top: 0; - box-shadow: 0 0; - } - - .kc-social-grid { - grid-column-end: 12; - --pf-l-grid__item--GridColumnEnd: span 12; - } - - .kc-social-grid .kc-social-icon-text { - left: -15px; - } -} - -.login-pf-page .login-pf-signup { - font-size: 15px; - color: #72767b; -} -#kc-content-wrapper .row { - margin-left: 0; - margin-right: 0; -} - -.login-pf-page.login-pf-page-accounts { - margin-left: auto; - margin-right: auto; -} - -.login-pf-page .btn-primary { - margin-top: 0; -} - -.login-pf-page .list-view-pf .list-group-item { - border-bottom: 1px solid #ededed; -} - -.login-pf-page .list-view-pf-description { - width: 100%; -} - -#kc-form-login div.form-group:last-of-type, -#kc-register-form div.form-group:last-of-type, -#kc-update-profile-form div.form-group:last-of-type { - margin-bottom: 0px; -} - -.no-bottom-margin { - margin-bottom: 0; -} - -#kc-back { - margin-top: 5px; -} - -/* Recovery codes */ -.kc-recovery-codes-warning { - margin-bottom: 32px; -} -.kc-recovery-codes-warning .pf-c-alert__description p { - font-size: 0.875rem; -} -.kc-recovery-codes-list { - list-style: none; - columns: 2; - margin: 16px 0; - padding: 16px 16px 8px 16px; - border: 1px solid #D2D2D2; -} -.kc-recovery-codes-list li { - margin-bottom: 8px; - font-size: 11px; -} -.kc-recovery-codes-list li span { - color: #6A6E73; - width: 16px; - text-align: right; - display: inline-block; - margin-right: 1px; -} - -.kc-recovery-codes-actions { - margin-bottom: 24px; -} -.kc-recovery-codes-actions button { - padding-left: 0; -} -.kc-recovery-codes-actions button i { - margin-right: 8px; -} - -.kc-recovery-codes-confirmation { - align-items: baseline; - margin-bottom: 16px; -} -/* End Recovery codes */ - - diff --git a/modules/keycloak/theme/login/resources/img/background.jpg b/modules/keycloak/theme/login/resources/img/background.jpg deleted file mode 100644 index 0a1a60d..0000000 Binary files a/modules/keycloak/theme/login/resources/img/background.jpg and /dev/null differ diff --git a/modules/keycloak/theme/login/theme.properties b/modules/keycloak/theme/login/theme.properties deleted file mode 100644 index c0d3ad2..0000000 --- a/modules/keycloak/theme/login/theme.properties +++ /dev/null @@ -1,4 +0,0 @@ -parent=keycloak -import=common/keycloak - -styles=css/login.css diff --git a/modules/web/kpp.nix b/modules/kpp.nix similarity index 59% rename from modules/web/kpp.nix rename to modules/kpp.nix index bf30ec2..262da76 100644 --- a/modules/web/kpp.nix +++ b/modules/kpp.nix @@ -7,4 +7,9 @@ in enable = true; hostName = domain; }; + services.nginx.virtualHosts."${domain}" = { + enableACME = true; + forceSSL = true; + }; + } diff --git a/modules/ldap/0001-update-user-validation-regex.patch b/modules/ldap/0001-update-user-validation-regex.patch index ce78894..6ae40f9 100644 --- a/modules/ldap/0001-update-user-validation-regex.patch +++ b/modules/ldap/0001-update-user-validation-regex.patch @@ -1,35 +1,25 @@ -diff --git a/cmd/portunus-orchestrator/config.go b/cmd/portunus-orchestrator/config.go -index 4db19f2..290128a 100644 ---- a/cmd/portunus-orchestrator/config.go -+++ b/cmd/portunus-orchestrator/config.go -@@ -23,7 +23,7 @@ type valueCheck struct { - } - - var ( -- userOrGroupPattern = `^[a-z_][a-z0-9_-]*\$?$` -+ userOrGroupPattern = `^[a-z_][a-z0-9._-]*\$?$` - envDefaults = map[string]string{ - //empty value = not optional - "PORTUNUS_DEBUG": "false", -diff --git a/internal/grammars/grammars.go b/internal/grammars/grammars.go -index 1253c05..e458fd0 100644 ---- a/internal/grammars/grammars.go -+++ b/internal/grammars/grammars.go -@@ -39,7 +39,7 @@ const ( - // This regex is based on the respective format description in the useradd(8) manpage. - // - // This is only shown for documentation purposes here; use func IsPOSIXAccountName instead. -- POSIXAccountNameRegex = `^[a-z_][a-z0-9_-]*\$?$` -+ POSIXAccountNameRegex = `^[a-z_][a-z0-9._-]*\$?$` +From f5c68898be345fb0dca5ab7b596b9cbe674f5dfb Mon Sep 17 00:00:00 2001 +From: Rouven Seifert +Date: Tue, 4 Jul 2023 15:14:00 +0200 +Subject: [PATCH] update user validation regex + +--- + internal/core/validation.go | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/internal/core/validation.go b/internal/core/validation.go +index 3e168b5..10dfc0a 100644 +--- a/internal/core/validation.go ++++ b/internal/core/validation.go +@@ -30,7 +30,7 @@ import ( ) - //TODO There is also some `import "regexp"` in cmd/orchestrator/ldap.go to render -@@ -159,7 +159,7 @@ func checkByteInPOSIXAccountName(idx, length int, b byte) bool { - switch { - case (b >= 'a' && b <= 'z') || b == '_': - return true -- case (b >= '0' && b <= '9') || b == '-': -+ case (b >= '0' && b <= '9') || b == '-' || b == '.': - return idx != 0 // not allowed at start - default: - return false + //this regexp copied from useradd(8) manpage +-const posixAccountNamePattern = `[a-z_][a-z0-9_-]*\$?` ++const posixAccountNamePattern = `[a-z_][a-z0-9._-]*\$?` + + var ( + errIsMissing = errors.New("is missing") +-- +2.41.0 + diff --git a/modules/ldap/0002-both-ldap-and-ldaps.patch b/modules/ldap/0002-both-ldap-and-ldaps.patch index 3ebda7e..9ae71a5 100644 --- a/modules/ldap/0002-both-ldap-and-ldaps.patch +++ b/modules/ldap/0002-both-ldap-and-ldaps.patch @@ -1,8 +1,8 @@ -diff --git a/cmd/portunus-orchestrator/ldap.go b/cmd/portunus-orchestrator/ldap.go -index 9564c5e..40cd2d7 100644 ---- a/cmd/portunus-orchestrator/ldap.go -+++ b/cmd/portunus-orchestrator/ldap.go -@@ -134,7 +134,7 @@ func runLDAPServer(environment map[string]string) { +diff --git a/cmd/orchestrator/ldap.go b/cmd/orchestrator/ldap.go +index ed0d466..a672046 100644 +--- a/cmd/orchestrator/ldap.go ++++ b/cmd/orchestrator/ldap.go +@@ -130,7 +130,7 @@ func runLDAPServer(environment map[string]string) { bindURL := "ldap:///" if environment["PORTUNUS_SLAPD_TLS_CERTIFICATE"] != "" { diff --git a/modules/ldap/0003-gecos-ascii-escape.patch b/modules/ldap/0003-gecos-ascii-escape.patch index 83650f4..c3918cb 100644 --- a/modules/ldap/0003-gecos-ascii-escape.patch +++ b/modules/ldap/0003-gecos-ascii-escape.patch @@ -1,26 +1,24 @@ -diff --git a/internal/ldap/object.go b/internal/ldap/object.go -index d4e5c6f..fcefec7 100644 ---- a/internal/ldap/object.go -+++ b/internal/ldap/object.go -@@ -8,6 +8,7 @@ package ldap +diff --git a/internal/core/user.go b/internal/core/user.go +index e74ccfe..291c75b 100644 +--- a/internal/core/user.go ++++ b/internal/core/user.go +@@ -8,6 +8,7 @@ package core import ( "fmt" -+ "regexp" - - "github.com/majewsky/portunus/internal/core" ++ "strconv" ) -@@ -94,10 +95,11 @@ func renderUser(u core.User, dnSuffix string, allGroups []core.Group) Object { - if u.POSIX.LoginShell != "" { + + // User represents a single user account. +@@ -86,9 +87,9 @@ func (u User) RenderToLDAP(suffix string, allGroups map[string]Group) LDAPObject obj.Attributes["loginShell"] = []string{u.POSIX.LoginShell} } -+ var nonASCII = regexp.MustCompile("[^\\x00-\\x7F]") if u.POSIX.GECOS == "" { - obj.Attributes["gecos"] = []string{u.FullName()} -+ obj.Attributes["gecos"] = []string{nonASCII.ReplaceAllString(u.FullName(), "")} ++ obj.Attributes["gecos"] = []string{strconv.QuoteToASCII(u.FullName())} } else { - obj.Attributes["gecos"] = []string{u.POSIX.GECOS} -+ obj.Attributes["gecos"] = []string{nonASCII.ReplaceAllString(u.POSIX.GECOS, "")} ++ obj.Attributes["gecos"] = []string{strconv.QuoteToASCII(u.POSIX.GECOS)} } obj.Attributes["objectClass"] = append(obj.Attributes["objectClass"], "posixAccount") } diff --git a/modules/ldap/0004-make-givenName-optional.patch b/modules/ldap/0004-make-givenName-optional.patch index 4b6ecf6..4131252 100644 --- a/modules/ldap/0004-make-givenName-optional.patch +++ b/modules/ldap/0004-make-givenName-optional.patch @@ -1,20 +1,8 @@ diff --git a/internal/core/user.go b/internal/core/user.go -index f45fdf7..4f93b37 100644 +index e74ccfe..ce03eeb 100644 --- a/internal/core/user.go +++ b/internal/core/user.go -@@ -76,7 +76,6 @@ func (u User) validateLocal(cfg *ValidationConfig) (errs errext.ErrorSet) { - MustBePosixAccountNameIf(u.LoginName, u.POSIX != nil), - )) - errs.Add(ref.Field("given_name").WrapFirst( -- MustNotBeEmpty(u.GivenName), - MustNotHaveSurroundingSpaces(u.GivenName), - )) - errs.Add(ref.Field("family_name").WrapFirst( -diff --git a/internal/ldap/object.go b/internal/ldap/object.go -index d4e5c6f..1225084 100644 ---- a/internal/ldap/object.go -+++ b/internal/ldap/object.go -@@ -73,7 +73,6 @@ func renderUser(u core.User, dnSuffix string, allGroups []core.Group) Object { +@@ -64,7 +64,6 @@ func (u User) RenderToLDAP(suffix string, allGroups map[string]Group) LDAPObject "uid": {u.LoginName}, "cn": {u.FullName()}, "sn": {u.FamilyName}, @@ -22,7 +10,7 @@ index d4e5c6f..1225084 100644 "userPassword": {u.PasswordHash}, "isMemberOf": memberOfGroupDNames, "objectClass": {"portunusPerson", "inetOrgPerson", "organizationalPerson", "person", "top"}, -@@ -83,6 +82,9 @@ func renderUser(u core.User, dnSuffix string, allGroups []core.Group) Object { +@@ -74,6 +73,9 @@ func (u User) RenderToLDAP(suffix string, allGroups map[string]Group) LDAPObject if u.EMailAddress != "" { obj.Attributes["mail"] = []string{u.EMailAddress} } @@ -32,3 +20,15 @@ index d4e5c6f..1225084 100644 if len(u.SSHPublicKeys) > 0 { obj.Attributes["sshPublicKey"] = u.SSHPublicKeys } +diff --git a/internal/frontend/users.go b/internal/frontend/users.go +index 225c5b3..1a961ca 100644 +--- a/internal/frontend/users.go ++++ b/internal/frontend/users.go +@@ -168,7 +168,6 @@ func buildUserMasterdataFieldset(e core.Engine, u *core.User, state *h.FormState + Name: "given_name", + Label: "Given name", + Rules: []h.ValidationRule{ +- core.MustNotBeEmpty, + core.MustNotHaveSurroundingSpaces, + }, + }, diff --git a/modules/ldap/default.nix b/modules/ldap/default.nix index bdf3d3b..98274df 100644 --- a/modules/ldap/default.nix +++ b/modules/ldap/default.nix @@ -1,7 +1,7 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: let domain = "auth.${config.networking.domain}"; - seedSettings = { + seed = { groups = [ { name = "admins"; @@ -46,6 +46,11 @@ in sops.secrets = { "portunus/admin-password".owner = config.services.portunus.user; "portunus/search-password".owner = config.services.portunus.user; + "dex/environment".owner = config.systemd.services.dex.serviceConfig.User; + nslcd_ldap_search = { + key = "portunus/search-password"; + owner = config.systemd.services.nslcd.serviceConfig.User; + }; }; services.portunus = { @@ -57,11 +62,13 @@ in ./0003-gecos-ascii-escape.patch ./0004-make-givenName-optional.patch ]; - doCheck = false; # posix regex related tests break }); - inherit domain seedSettings; + inherit domain; port = 8681; + dex.enable = true; + seedPath = pkgs.writeText "portunus-seed.json" (builtins.toJSON seed); + ldap = { suffix = "dc=ifsr,dc=de"; searchUserName = "search"; @@ -72,13 +79,46 @@ in }; }; + services.dex.settings.oauth2.skipApprovalScreen = true; + + systemd.services.dex.serviceConfig = { + DynamicUser = lib.mkForce false; + EnvironmentFile = config.sops.secrets."dex/environment".path; + StateDirectory = "dex"; + User = "dex"; + }; + + users = { + users.dex = { + group = "dex"; + isSystemUser = true; + }; + groups.dex = { }; + + ldap = + let portunus = config.services.portunus; in + rec { + enable = true; + server = "ldap://localhost"; + base = "${portunus.ldap.suffix}"; + bind = { + distinguishedName = "uid=${portunus.ldap.searchUserName},ou=users,${base}"; + passwordFile = config.sops.secrets.nslcd_ldap_search.path; + }; + daemon.enable = true; + }; + }; + security.pam.services.sshd.makeHomeDir = true; services.nginx = { enable = true; virtualHosts."${config.services.portunus.domain}" = { + forceSSL = true; + enableACME = true; locations = { "/".proxyPass = "http://localhost:${toString config.services.portunus.port}"; + "/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}"; }; }; }; diff --git a/modules/mail/default.nix b/modules/mail/default.nix index e6af452..2be0e73 100644 --- a/modules/mail/default.nix +++ b/modules/mail/default.nix @@ -1,17 +1,298 @@ -{ config, ... }: +{ config, pkgs, ... }: let hostname = "mail.${config.networking.domain}"; + domain = config.networking.domain; + rspamd-domain = "rspamd.${config.networking.domain}"; + dovecot-ldap-args = pkgs.writeText "ldap-args" '' + uris = ldap://localhost + dn = uid=search, ou=users, dc=ifsr, dc=de + auth_bind = yes + !include ${config.sops.secrets."dovecot_ldap_search".path} + + ldap_version = 3 + scope = subtree + base = dc=ifsr, dc=de + user_filter = (&(objectClass=posixAccount)(uid=%n)) + pass_filter = (&(objectClass=posixAccount)(uid=%n)) + ''; + # see https://www.kuketz-blog.de/e-mail-anbieter-ip-stripping-aus-datenschutzgruenden/ + header_cleanup = pkgs.writeText "header_cleanup_outgoing" '' + /^\s*(Received: from)[^\n]*(.*)/ REPLACE $1 127.0.0.1 (localhost [127.0.0.1])$2 + /^\s*User-Agent/ IGNORE + /^\s*X-Enigmail/ IGNORE + /^\s*X-Mailer/ IGNORE + /^\s*X-Originating-IP/ IGNORE + /^\s*Mime-Version/ IGNORE + ''; in { - imports = [ - ./postfix.nix - ./dovecot2.nix - ./rspamd.nix - ./sogo.nix - ./mailman.nix - ]; + sops.secrets."rspamd-password".owner = config.users.users.rspamd.name; + sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user; + sops.secrets."postfix_ldap_aliases".owner = config.services.postfix.user; - security.acme.certs."${hostname}" = { + networking.firewall.allowedTCPPorts = [ + 25 # insecure SMTP + 143 + 465 + 587 # SMTP + 993 # IMAP + 4190 # sieve + ]; + users.users.postfix.extraGroups = [ "opendkim" ]; + environment.etc = { + "dovecot/sieve-pipe/sa-learn-spam.sh" = { + text = '' + #!/bin/sh + ${pkgs.rspamd}/bin/rspamc learn_spam + ''; + mode = "0555"; + }; + "dovecot/sieve-pipe/sa-learn-ham.sh" = { + text = '' + #!/bin/sh + ${pkgs.rspamd}/bin/rspamc learn_ham + ''; + mode = "0555"; + }; + "dovecot/sieve/report-spam.sieve" = { + source = ./report-spam.sieve; + user = "dovecot2"; + group = "dovecot2"; + mode = "0544"; + }; + "dovecot/sieve/report-ham.sieve" = { + source = ./report-ham.sieve; + user = "dovecot2"; + group = "dovecot2"; + mode = "0544"; + }; + }; + + services = { + postfix = { + enable = true; + enableSubmission = true; + enableSubmissions = true; + hostname = "${hostname}"; + domain = "${domain}"; + origin = "${domain}"; + destination = [ "${hostname}" "${domain}" "localhost" ]; + networksStyle = "host"; # localhost and own public IP + sslCert = "/var/lib/acme/${hostname}/fullchain.pem"; + sslKey = "/var/lib/acme/${hostname}/key.pem"; + relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ]; + config = { + home_mailbox = "Maildir/"; + # hostname used in helo command. It is recommended to have this match the reverse dns entry + smtp_helo_name = config.networking.rDNS; + smtp_use_tls = true; + # smtp_tls_security_level = "encrypt"; + smtpd_use_tls = true; + # smtpd_tls_security_level = lib.mkForce "encrypt"; + # smtpd_tls_auth_only = true; + smtpd_tls_protocols = [ + "!SSLv2" + "!SSLv3" + "!TLSv1" + "!TLSv1.1" + ]; + # "reject_non_fqdn_hostname" + smtpd_recipient_restrictions = [ + "permit_sasl_authenticated" + "permit_mynetworks" + "reject_unauth_destination" + "reject_non_fqdn_sender" + "reject_non_fqdn_recipient" + "reject_unknown_sender_domain" + "reject_unknown_recipient_domain" + "reject_unauth_destination" + "reject_unauth_pipelining" + "reject_invalid_hostname" + "check_policy_service inet:localhost:12340" + ]; + smtpd_relay_restrictions = [ + "permit_sasl_authenticated" + "permit_mynetworks" + "reject_unauth_destination" + ]; + smtp_header_checks = "pcre:${header_cleanup}"; + # smtpd_sender_login_maps = [ "ldap:${ldap-senders}" ]; + alias_maps = [ "hash:/etc/aliases" ]; + alias_database = [ "hash:/etc/aliases" ]; + # alias_maps = [ "hash:/etc/aliases" "ldap:${ldap-aliases}" ]; + smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ]; + non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ]; + smtpd_sasl_auth_enable = true; + smtpd_sasl_path = "/var/lib/postfix/auth"; + smtpd_sasl_type = "dovecot"; + #mailman stuff + mailbox_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp"; + + transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ]; + virtual_alias_maps = [ "hash:/var/lib/mailman/data/postfix_vmap" ]; + local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" "ldap:${config.sops.secrets."postfix_ldap_aliases".path}" "$alias_maps" ]; + }; + }; + dovecot2 = { + enable = true; + enableImap = true; + enableQuota = true; + quotaGlobalPerUser = "10G"; + enableLmtp = true; + mailLocation = "maildir:~/Maildir"; + sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem"; + sslServerKey = "/var/lib/acme/${hostname}/key.pem"; + protocols = [ "imap" "sieve" ]; + mailPlugins = { + perProtocol = { + imap = { + enable = [ "imap_sieve" ]; + }; + lmtp = { + enable = [ "sieve" ]; + }; + }; + }; + mailboxes = { + Spam = { + auto = "subscribe"; + specialUse = "Junk"; + autoexpunge = "60d"; + }; + Sent = { + auto = "subscribe"; + specialUse = "Sent"; + }; + Drafts = { + auto = "subscribe"; + specialUse = "Drafts"; + }; + Trash = { + auto = "subscribe"; + specialUse = "Trash"; + }; + }; + modules = [ + pkgs.dovecot_pigeonhole + ]; + extraConfig = '' + auth_username_format = %Ln + passdb { + driver = ldap + args = ${dovecot-ldap-args} + } + userdb { + driver = ldap + args = ${dovecot-ldap-args} + } + service auth { + unix_listener /var/lib/postfix/auth { + group = postfix + mode = 0660 + user = postfix + } + } + service managesieve-login { + inet_listener sieve { + port = 4190 + } + service_count = 1 + } + + namespace inbox { + separator = / + inbox = yes + } + + service lmtp { + unix_listener dovecot-lmtp { + group = postfix + mode = 0600 + user = postfix + } + client_limit = 1 + } + + + mail_plugins = $mail_plugins listescape + plugin { + sieve_plugins = sieve_imapsieve sieve_extprograms + sieve_global_extensions = +vnd.dovecot.pipe + sieve_pipe_bin_dir = /etc/dovecot/sieve-pipe + + # Spam: From elsewhere to Spam folder or flag changed in Spam folder + imapsieve_mailbox1_name = Spam + imapsieve_mailbox1_causes = COPY APPEND FLAG + imapsieve_mailbox1_before = file:/etc/dovecot/sieve/report-spam.sieve + + # Ham: From Spam folder to elsewhere + imapsieve_mailbox2_name = * + imapsieve_mailbox2_from = Spam + imapsieve_mailbox2_causes = COPY + imapsieve_mailbox2_before = file:/etc/dovecot/sieve/report-ham.sieve + + # https://doc.dovecot.org/configuration_manual/plugins/listescape_plugin/ + listescape_char = "\\" + } + ''; + }; + opendkim = { + enable = true; + domains = "csl:${config.networking.domain}"; + selector = config.networking.hostName; + configFile = pkgs.writeText "opendkim-config" '' + UMask 0117 + ''; + }; + rspamd = { + enable = true; + postfix.enable = true; + locals = { + "worker-controller.inc".source = config.sops.secrets."rspamd-password".path; + "redis.conf".text = '' + read_servers = "127.0.0.1"; + write_servers = "127.0.0.1"; + ''; + # headers in spamassasin style to not break old sieve scripts + "worker-proxy.inc".text = '' + spam_header = "X-Spam-Flag"; + ''; + "milter_headers.conf".text = '' + use = ["x-spam-level", "x-spam-status"]; + ''; + }; + }; + redis = { + vmOverCommit = true; + servers.rspamd = { + enable = true; + port = 6379; + }; + }; + nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + virtualHosts."${hostname}" = { + forceSSL = true; + enableACME = true; + }; + virtualHosts."${rspamd-domain}" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:11334"; + proxyWebsockets = true; + }; + }; + }; + }; + }; + security.acme.certs."${domain}" = { reloadServices = [ "postfix.service" "dovecot2.service" diff --git a/modules/mail/dovecot2.nix b/modules/mail/dovecot2.nix deleted file mode 100644 index ef3bbcc..0000000 --- a/modules/mail/dovecot2.nix +++ /dev/null @@ -1,158 +0,0 @@ -{ lib, config, pkgs, ... }: -let - hostname = "mail.${config.networking.domain}"; - dovecot-ldap-args = pkgs.writeText "ldap-args" '' - uris = ldap://localhost - dn = uid=search, ou=users, dc=ifsr, dc=de - auth_bind = yes - !include ${config.sops.secrets."dovecot_ldap_search".path} - - ldap_version = 3 - scope = subtree - base = dc=ifsr, dc=de - user_filter = (&(objectClass=posixAccount)(uid=%n)) - pass_filter = (&(objectClass=posixAccount)(uid=%n)) - ''; -in -{ - networking.firewall.allowedTCPPorts = [ - 993 # IMAPS - 4190 # Managesieve - ]; - sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user; - services.dovecot2 = { - enable = true; - enableImap = true; - enableQuota = true; - quotaGlobalPerUser = "10G"; - enableLmtp = true; - enablePAM = false; - mailLocation = "maildir:~/Maildir"; - sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem"; - sslServerKey = "/var/lib/acme/${hostname}/key.pem"; - protocols = [ "imap" "sieve" ]; - mailPlugins = { - globally.enable = [ "listescape" ]; - perProtocol = { - imap = { - enable = [ "imap_sieve" "imap_filter_sieve" ]; - }; - lmtp = { - enable = [ "sieve" ]; - }; - }; - }; - mailboxes = { - Spam = { - auto = "subscribe"; - specialUse = "Junk"; - autoexpunge = "60d"; - }; - Sent = { - auto = "subscribe"; - specialUse = "Sent"; - }; - Drafts = { - auto = "subscribe"; - specialUse = "Drafts"; - }; - Trash = { - auto = "subscribe"; - specialUse = "Trash"; - }; - Archive = { - auto = "no"; - specialUse = "Archive"; - }; - }; - modules = [ - pkgs.dovecot_pigeonhole - ]; - # set to satisfy the sieveScripts check, will be overridden by userdb lookups anyways - mailUser = "vmail"; - mailGroup = "vmail"; - sieve = { - # just pot something in here to prevent empty strings - extensions = [ "notify" ]; - pipeBins = map lib.getExe [ - (pkgs.writeShellScriptBin "learn-ham.sh" "exec ${pkgs.rspamd}/bin/rspamc learn_ham") - (pkgs.writeShellScriptBin "learn-spam.sh" "exec ${pkgs.rspamd}/bin/rspamc learn_spam") - ]; - plugins = [ - "sieve_imapsieve" - "sieve_extprograms" - ]; - scripts = { - before = pkgs.writeText "spam.sieve" '' - require "fileinto"; - - if anyof( - header :contains "x-spam-flag" "yes", - header :contains "X-Spam-Status" "Yes"){ - fileinto "Spam"; - } - ''; - }; - }; - imapsieve.mailbox = [ - { - # Spam: From elsewhere to Spam folder or flag changed in Spam folder - name = "Spam"; - causes = [ "COPY" "APPEND" "FLAG" ]; - before = ./report-spam.sieve; - - } - { - # From Junk folder to elsewhere - name = "*"; - from = "Spam"; - causes = [ "COPY" ]; - before = ./report-ham.sieve; - } - ]; - extraConfig = '' - auth_username_format = %Ln - passdb { - driver = ldap - args = ${dovecot-ldap-args} - } - userdb { - driver = ldap - args = ${dovecot-ldap-args} - } - service auth { - unix_listener /var/lib/postfix/auth { - group = postfix - mode = 0660 - user = postfix - } - } - service managesieve-login { - inet_listener sieve { - port = 4190 - } - service_count = 1 - } - - namespace inbox { - separator = / - inbox = yes - } - - service lmtp { - unix_listener dovecot-lmtp { - group = postfix - mode = 0600 - user = postfix - } - client_limit = 1 - } - - - plugin { - # https://doc.dovecot.org/configuration_manual/plugins/listescape_plugin/ - listescape_char = "\\" - } - ''; - }; -} diff --git a/modules/mail/postfix.nix b/modules/mail/postfix.nix deleted file mode 100644 index 2ba240a..0000000 --- a/modules/mail/postfix.nix +++ /dev/null @@ -1,98 +0,0 @@ -{ config, pkgs, ... }: -let - domain = config.networking.domain; - hostname = "mail.${config.networking.domain}"; - # see https://www.kuketz-blog.de/e-mail-anbieter-ip-stripping-aus-datenschutzgruenden/ - header_cleanup = pkgs.writeText "header_cleanup_outgoing" '' - /^\s*(Received: from)[^\n]*(.*)/ REPLACE $1 127.0.0.1 (localhost [127.0.0.1])$2 - /^\s*User-Agent/ IGNORE - /^\s*X-Enigmail/ IGNORE - /^\s*X-Mailer/ IGNORE - /^\s*X-Originating-IP/ IGNORE - /^\s*Mime-Version/ IGNORE - ''; - # https://unix.stackexchange.com/questions/294300/postfix-prevent-users-from-changing-the-real-e-mail-address - login_maps = pkgs.writeText "login_maps.pcre" '' - # basic username => username@ifsr.de - /^([^@+]*)(\+[^@]*)?@ifsr\.de$/ ''${1} - ''; -in -{ - sops.secrets."postfix_ldap_aliases".owner = config.services.postfix.user; - - networking.firewall.allowedTCPPorts = [ - 25 # SMTP - 465 # Submissions - 587 # Submission - ]; - services = { - postfix = { - enable = true; - enableSubmission = true; - enableSubmissions = true; - hostname = "${hostname}"; - domain = "${domain}"; - origin = "${domain}"; - destination = [ "${hostname}" "${domain}" "localhost" ]; - networksStyle = "host"; # localhost and own public IP - sslCert = "/var/lib/acme/${hostname}/fullchain.pem"; - sslKey = "/var/lib/acme/${hostname}/key.pem"; - config = { - home_mailbox = "Maildir/"; - # 25 MiB - message_size_limit = "26214400"; - # hostname used in helo command. It is recommended to have this match the reverse dns entry - smtp_helo_name = config.networking.rDNS; - smtpd_banner = "${config.networking.rDNS} ESMTP $mail_name"; - smtp_tls_security_level = "may"; - smtpd_tls_security_level = "may"; - smtpd_tls_auth_only = true; - smtpd_tls_protocols = [ - "!SSLv2" - "!SSLv3" - "!TLSv1" - "!TLSv1.1" - ]; - # "reject_non_fqdn_hostname" - smtpd_recipient_restrictions = [ - "permit_sasl_authenticated" - "permit_mynetworks" - "reject_unauth_destination" - "reject_non_fqdn_sender" - "reject_non_fqdn_recipient" - "reject_unknown_sender_domain" - "reject_unknown_recipient_domain" - "reject_unauth_destination" - "reject_unauth_pipelining" - "reject_invalid_hostname" - "check_policy_service inet:localhost:12340" - ]; - smtpd_relay_restrictions = [ - "permit_sasl_authenticated" - "permit_mynetworks" - "reject_unauth_destination" - ]; - # https://www.postfix.org/smtp-smuggling.html - smtpd_data_restrictions = [ - "reject_unauth_pipelining" - ]; - smtpd_sender_restrictions = [ - "reject_authenticated_sender_login_mismatch" - ]; - smtpd_sender_login_maps = [ - "pcre:/etc/special-aliases.pcre" - "pcre:${login_maps}" - ]; - smtp_header_checks = "pcre:${header_cleanup}"; - # smtpd_sender_login_maps = [ "ldap:${ldap-senders}" ]; - alias_maps = [ "hash:/etc/aliases" ]; - alias_database = [ "hash:/etc/aliases" ]; - # alias_maps = [ "hash:/etc/aliases" "ldap:${ldap-aliases}" ]; - smtpd_sasl_auth_enable = true; - smtpd_sasl_path = "/var/lib/postfix/auth"; - smtpd_sasl_type = "dovecot"; - local_recipient_maps = [ "ldap:${config.sops.secrets."postfix_ldap_aliases".path}" "$alias_maps" ]; - }; - }; - }; -} diff --git a/modules/mail/report-ham.sieve b/modules/mail/report-ham.sieve index 6217a90..a9d30cf 100755 --- a/modules/mail/report-ham.sieve +++ b/modules/mail/report-ham.sieve @@ -12,4 +12,4 @@ if environment :matches "imap.user" "*" { set "username" "${1}"; } -pipe :copy "learn-ham.sh" [ "${username}" ]; +pipe :copy "sa-learn-ham.sh" [ "${username}" ]; diff --git a/modules/mail/report-spam.sieve b/modules/mail/report-spam.sieve index 9d4c74b..4024b7a 100755 --- a/modules/mail/report-spam.sieve +++ b/modules/mail/report-spam.sieve @@ -4,4 +4,4 @@ if environment :matches "imap.user" "*" { set "username" "${1}"; } -pipe :copy "learn-spam.sh" [ "${username}" ]; +pipe :copy "sa-learn-spam.sh" [ "${username}" ]; \ No newline at end of file diff --git a/modules/mail/rspamd.nix b/modules/mail/rspamd.nix deleted file mode 100644 index cab3fd0..0000000 --- a/modules/mail/rspamd.nix +++ /dev/null @@ -1,219 +0,0 @@ -{ config, pkgs, ... }: -let - domain = "rspamd.${config.networking.domain}"; -in -{ - sops.secrets."rspamd-password".owner = config.users.users.rspamd.name; - users.users.rspamd.extraGroups = [ "redis-rspamd" ]; - services = { - rspamd = { - enable = true; - postfix.enable = true; - locals = { - "worker-controller.inc".source = config.sops.secrets."rspamd-password".path; - "redis.conf".text = '' - read_servers = "/run/redis-rspamd/redis.sock"; - write_servers = "/run/redis-rspamd/redis.sock"; - ''; - # headers in spamassasin style to not break old sieve scripts - "worker-proxy.inc".text = '' - spam_header = "X-Spam-Flag"; - ''; - "milter_headers.conf".text = '' - use = ["x-spam-level", "x-spam-status", "x-spamd-result", "authentication-results" ]; - ''; - "neural.conf".text = '' - servers = "/run/redis-rspamd/redis.sock"; - enabled = true; - ''; - "neural_group.conf".text = '' - symbols = { - "NEURAL_SPAM" { - weight = 0.5; # fairly low weight since we don't know how this will behave - description = "Neural network spam"; - } - "NEURAL_HAM" { - weight = -0.5; - description = "Neural network ham"; - } - } - ''; - "dmarc.conf".text = '' - reporting { - enabled = true; - email = 'noreply-dmarc@${config.networking.domain}'; - domain = '${config.networking.domain}'; - org_name = '${config.networking.domain}'; - from_name = 'DMARC Aggregate Report'; - } - ''; - "dkim_signing.conf".text = '' - selector = "quitte2024"; - allow_username_mismatch = true; - allow_hdrfrom_mismatch = true; - use_domain_sign_local = "ifsr.de"; - path = /var/lib/rspamd/dkim/$domain.$selector.key; - - ''; - "reputation.conf".text = '' - rules { - ip_reputation = { - selector "ip" { - } - backend "redis" { - servers = "/run/redis-rspamd/redis.sock"; - } - - symbol = "IP_REPUTATION"; - } - spf_reputation = { - selector "spf" { - } - backend "redis" { - servers = "/run/redis-rspamd/redis.sock"; - } - - symbol = "SPF_REPUTATION"; - } - dkim_reputation = { - selector "dkim" { - } - backend "redis" { - servers = "/run/redis-rspamd/redis.sock"; - } - - symbol = "DKIM_REPUTATION"; # Also adjusts scores for DKIM_ALLOW, DKIM_REJECT - } - generic_reputation = { - selector "generic" { - selector = "ip"; # see https://rspamd.com/doc/configuration/selectors.html - } - backend "redis" { - servers = "/run/redis-rspamd/redis.sock"; - } - - symbol = "GENERIC_REPUTATION"; - } - } - ''; - "groups.conf".text = '' - group "reputation" { - symbols = { - "IP_REPUTATION_HAM" { - weight = 1.0; - } - "IP_REPUTATION_SPAM" { - weight = 4.0; - } - - "DKIM_REPUTATION" { - weight = 1.0; - } - - "SPF_REPUTATION_HAM" { - weight = 1.0; - } - "SPF_REPUTATION_SPAM" { - weight = 2.0; - } - - "GENERIC_REPUTATION" { - weight = 1.0; - } - } - } - ''; - - "multimap.conf".text = - let - local_ips = pkgs.writeText "localhost.map" '' - ::1 - 127.0.0.1 - ''; - tud_ips = pkgs.writeText "tud.map" '' - 141.30.0.0/16 - 141.76.0.0/16 - ''; - in - '' - WHITELIST_SENDER_DOMAIN { - type = "from"; - filter = "email:domain"; - map = "/var/lib/rspamd/whitelist.sender.domain.map"; - action = "accept"; - regexp = true; - } - WHITELIST_SENDER_EMAIL { - type = "from"; - map = "/var/lib/rspamd/whitelist.sender.email.map"; - action = "accept"; - regexp = true; - } - BLACKLIST_SENDER_DOMAIN { - type = "from"; - filter = "email:domain"; - map = "/var/lib/rspamd/blacklist.sender.domain.map"; - action = "reject"; - regexp = true; - } - BLACKLIST_SENDER_EMAIL { - type = "from"; - map = "/var/lib/rspamd/blacklist.sender.email.map"; - action = "reject"; - regexp = true; - } - BLACKLIST_SUBJECT_KEYWORDS { - type = "header"; - header = "Subject" - map = "/var/lib/rspamd/blacklist.keyword.subject.map"; - action = "reject"; - regexp = true; - } - RECEIVED_LOCALHOST { - type = "ip"; - action = "accept"; - map = ${local_ips}; - } - RECEIVED_TU_NETWORKS { - type = "ip"; - map = ${tud_ips}; - } - ''; - }; - }; - redis = { - vmOverCommit = true; - servers.rspamd = { - port = 0; - enable = true; - }; - }; - nginx = { - virtualHosts."${domain}" = { - locations = { - "/" = { - proxyPass = "http://127.0.0.1:11334"; - proxyWebsockets = true; - extraConfig = '' - allow 141.30.0.0/16; - allow 141.76.0.0/16; - deny all; - ''; - }; - }; - }; - }; - }; - systemd = { - services.rspamd-dmarc-report = { - description = "rspamd dmarc reporter"; - serviceConfig = { - Type = "oneshot"; - ExecStart = "${pkgs.rspamd}/bin/rspamadm dmarc_report -v"; - User = "rspamd"; - Group = "rspamd"; - }; - startAt = "daily"; - }; - }; -} diff --git a/modules/mail/mailman.nix b/modules/mailman.nix similarity index 59% rename from modules/mail/mailman.nix rename to modules/mailman.nix index 23d36a9..efaee90 100644 --- a/modules/mail/mailman.nix +++ b/modules/mailman.nix @@ -20,10 +20,8 @@ webSettings = { DATABASES.default = { ENGINE = "django.db.backends.postgresql"; - NAME = "mailman-web"; + NAME = "mailmanweb"; }; - ACCOUNT_EMAIL_UNKNOWN_ACCOUNTS = false; - ACCOUNT_PREVENT_ENUMERATION = false; }; ldap = { enable = true; @@ -42,43 +40,26 @@ superUserGroup = "cn=admins,ou=groups,dc=ifsr,dc=de"; }; }; - services.postfix = { - relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ]; - config = { - mailbox_transport = "lmtp:unix:/run/dovecot2/dovecot-lmtp"; - transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ]; - virtual_alias_maps = [ "hash:/var/lib/mailman/data/postfix_vmap" ]; - local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ]; - }; - }; services.postgresql = { enable = true; ensureUsers = [ { name = "mailman"; - ensureDBOwnership = true; + ensurePermissions = { + "DATABASE mailman" = "ALL PRIVILEGES"; + }; } { name = "mailman-web"; - ensureDBOwnership = true; + ensurePermissions = { + "DATABASE mailmanweb" = "ALL PRIVILEGES"; + }; } ]; - ensureDatabases = [ "mailman" "mailman-web" ]; + ensureDatabases = [ "mailman" "mailmanweb" ]; }; services.nginx.virtualHosts."lists.${config.networking.domain}" = { - locations."/accounts/signup" = { - extraConfig = '' - allow 141.30.0.0/16; - allow 141.76.0.0/16; - deny all; - uwsgi_pass unix:/run/mailman-web.socket; - ''; - }; - locations."/robots.txt" = { - extraConfig = '' - add_header Content-Type text/plain; - return 200 "User-agent: *\nDisallow: /\n"; - ''; - }; + enableACME = true; + forceSSL = true; }; } diff --git a/modules/matrix/default.nix b/modules/matrix.nix similarity index 86% rename from modules/matrix/default.nix rename to modules/matrix.nix index 03d58e1..4162020 100644 --- a/modules/matrix/default.nix +++ b/modules/matrix.nix @@ -1,7 +1,7 @@ { config, pkgs, ... }: let - domainServer = "matrix.${config.networking.domain}"; - domainClient = "chat.${config.networking.domain}"; + domainServer = "matrix.staging.${config.networking.domain}"; + domainClient = "chat.staging.${config.networking.domain}"; clientConfig = { "m.homeserver" = { @@ -19,17 +19,15 @@ let return 200 '${builtins.toJSON data}'; ''; - matrix-synapse-ldap3 = config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3; + # build ldap3 plugin from git because it's very outdated in nixpkgs + matrix-synapse-ldap3 = pkgs.python3.pkgs.callPackage ../pkgs/matrix-synapse-ldap3.nix { }; + # matrix-synapse-ldap3 = config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3; in { - imports = [ ./mautrix-telegram.nix ]; sops.secrets.matrix_ldap_search = { key = "portunus/search-password"; owner = config.systemd.services.matrix-synapse.serviceConfig.User; }; - nixpkgs.config.permittedInsecurePackages = [ - "olm-3.2.16" - ]; services = { postgresql = { @@ -44,6 +42,9 @@ in virtualHosts = { # synapse "${domainServer}" = { + enableACME = true; + forceSSL = true; + # homeserver discovery locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig; locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig; @@ -58,12 +59,12 @@ in # element "${domainClient}" = { + enableACME = true; + forceSSL = true; + root = pkgs.element-web.override { conf = { - default_server_config = { - inherit (clientConfig) "m.homeserver"; - "m.identity_server".base_url = ""; - }; + default_server_config = clientConfig; disable_3pid_login = true; }; }; @@ -76,10 +77,6 @@ in plugins = [ matrix-synapse-ldap3 ]; - - log = { - root.level = "WARNING"; - }; settings = { server_name = domainServer; diff --git a/modules/matrix/mautrix-telegram.nix b/modules/mautrix-telegram.nix similarity index 93% rename from modules/matrix/mautrix-telegram.nix rename to modules/mautrix-telegram.nix index 270ccc7..2b96d14 100644 --- a/modules/matrix/mautrix-telegram.nix +++ b/modules/mautrix-telegram.nix @@ -10,7 +10,9 @@ in enable = true; ensureUsers = [{ name = "mautrix-telegram"; - ensureDBOwnership = true; + ensurePermissions = { + "DATABASE \"mautrix-telegram\"" = "ALL PRIVILEGES"; + }; }]; ensureDatabases = [ "mautrix-telegram" ]; }; @@ -44,13 +46,12 @@ in # Use postgresql instead of sqlite database = "postgresql:///mautrix-telegram?host=/run/postgresql"; port = 8082; - address = "http://localhost:${toString port}"; + address = "localhost:${toString port}"; }; bridge = { relaybot.authless_portals = false; permissions = { - # Add yourself here temporarily "@admin:${homeserverDomain}" = "admin"; }; relay_user_distinguishers = [ ]; diff --git a/modules/monitoring/default.nix b/modules/monitoring/default.nix deleted file mode 100644 index 4601db9..0000000 --- a/modules/monitoring/default.nix +++ /dev/null @@ -1,97 +0,0 @@ -{ config, ... }: -let - domain = "monitoring.${config.networking.domain}"; -in -{ - sops.secrets."grafana/oidc_secret" = { - owner = "grafana"; - }; - # grafana configuration - services.grafana = { - enable = true; - settings = { - server = { - inherit domain; - http_addr = "127.0.0.1"; - http_port = 2342; - root_url = "https://monitoring.ifsr.de"; - }; - database = { - type = "postgres"; - user = "grafana"; - host = "/run/postgresql"; - }; - "auth.generic_oauth" = { - enabled = true; - name = "iFSR"; - allow_sign_up = true; - client_id = "grafana"; - client_secret = "$__file{${config.sops.secrets."grafana/oidc_secret".path}}"; - scopes = "openid email profile offline_access roles"; - - email_attribute_path = "email"; - login_attribute_path = "username"; - name_attribute_path = "full_name"; - - auth_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/auth"; - token_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/token"; - api_url = "https://sso.ifsr.de/realms/internal/protocol/openid-connect/userinfo"; - role_attribute_path = "contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'"; - }; - }; - }; - - services.postgresql = { - enable = true; - ensureUsers = [ - { - name = "grafana"; - ensureDBOwnership = true; - } - ]; - ensureDatabases = [ "grafana" ]; - }; - - services.prometheus = { - enable = true; - port = 9001; - exporters = { - node = { - enable = true; - enabledCollectors = [ "systemd" ]; - port = 9002; - }; - }; - scrapeConfigs = [ - { - job_name = "node"; - static_configs = [{ - targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; - }]; - scrape_interval = "15s"; - } - { - job_name = "rspamd"; - static_configs = [{ - targets = [ "rspamd.ifsr.de:11334" ]; - }]; - scrape_interval = "15s"; - } - { - job_name = "fabric"; - static_configs = [{ - targets = [ "127.0.0.1:25585" ]; - }]; - scrape_interval = "60s"; - } - ]; - }; - - # nginx reverse proxy - services.nginx.virtualHosts.${domain} = { - locations."/" = { - proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}"; - proxyWebsockets = true; - }; - }; -} diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix index b2557cc..5c21be4 100644 --- a/modules/nextcloud.nix +++ b/modules/nextcloud.nix @@ -1,6 +1,7 @@ { config, pkgs, lib, ... }: let - domain = "nc.${config.networking.domain}"; + domain = "nc.staging.${config.networking.domain}"; + legacy_domain = "oc.${config.networking.domain}"; in { sops.secrets = { @@ -14,8 +15,8 @@ in services = { nextcloud = { enable = true; - configureRedis = true; - package = pkgs.nextcloud30; + package = pkgs.nextcloud25; + enableBrokenCiphersForSSE = false; # disable the openssl warning hostName = domain; https = true; # Use https for all urls phpExtraExtensions = all: [ @@ -28,22 +29,17 @@ in }; # postgres database is configured automatically database.createLocally = true; + }; - # enable HEIC image preview - settings.enabledPreviewProviders = [ - "OC\\Preview\\BMP" - "OC\\Preview\\GIF" - "OC\\Preview\\JPEG" - "OC\\Preview\\Krita" - "OC\\Preview\\MarkDown" - "OC\\Preview\\MP3" - "OC\\Preview\\OpenDocument" - "OC\\Preview\\PNG" - "OC\\Preview\\TXT" - "OC\\Preview\\XBitmap" - "OC\\Preview\\HEIC" - ]; - + # Enable ACME and force SSL + nginx.virtualHosts.${domain} = { + enableACME = true; + forceSSL = true; + }; + nginx.virtualHosts.${legacy_domain} = { + enableACME = true; + forceSSL = true; + locations."/".return = "301 https://nc.ifsr.de"; }; }; @@ -78,9 +74,6 @@ in preStart = pkgs.writeScript "nextcloud-preStart" '' # enable included LDAP app ${occ} app:enable user_ldap - ${occ} app:enable calendar - ${occ} app:enable tasks - ${occ} app:enable polls # set up new LDAP config if it does not exist if ! ${occ} ldap:show-config s01 > /dev/null; then diff --git a/modules/nginx.nix b/modules/nginx.nix new file mode 100644 index 0000000..45cb296 --- /dev/null +++ b/modules/nginx.nix @@ -0,0 +1,39 @@ +{ config, pkgs, ... }: +{ + services.nginx = { + + additionalModules = [ pkgs.nginxModules.pam ]; + enable = true; + recommendedProxySettings = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + + appendHttpConfig = '' + map $remote_addr $remote_addr_anon { + ~(?P\d+\.\d+\.\d+)\. $ip.0; + ~(?P[^:]+:[^:]+): $ip::; + # IP addresses to not anonymize + 127.0.0.1 $remote_addr; + ::1 $remote_addr; + default 0.0.0.0; + } + log_format anon_ip '$remote_addr_anon - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log anon_ip; + ''; + }; + security.acme = { + acceptTerms = true; + defaults = { + #server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + email = "root@${config.networking.domain}"; + }; + }; + security.pam.services.nginx.text = '' + auth required ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so + account required ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so + ''; +} diff --git a/modules/nix-serve.nix b/modules/nix-serve.nix deleted file mode 100644 index 643ceb0..0000000 --- a/modules/nix-serve.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ config, pkgs, ... }: -let - domain = "cache.${config.networking.domain}"; -in -{ - sops.secrets."nix-serve/key" = { }; - services.nix-serve = { - enable = true; - package = pkgs.nix-serve-ng; - secretKeyFile = config.sops.secrets."nix-serve/key".path; - port = 5002; - }; - services.nginx.virtualHosts."${domain}" = { - locations."/" = { - proxyPass = "http://127.0.0.1:${toString config.services.nix-serve.port}"; - }; - }; -} diff --git a/options/default.nix b/modules/options.nix similarity index 100% rename from options/default.nix rename to modules/options.nix diff --git a/modules/padlist.nix b/modules/padlist.nix index c7ea438..53b2557 100644 --- a/modules/padlist.nix +++ b/modules/padlist.nix @@ -24,7 +24,13 @@ in services.nginx = { virtualHosts.${domain} = { - root = "/srv/web/padlist"; + root = pkgs.callPackage ../pkgs/padlist { }; + enableACME = true; + forceSSL = true; + extraConfig = '' + auth_pam "LDAP Authentication Required"; + auth_pam_service_name "nginx"; + ''; locations = { "= /" = { extraConfig = '' @@ -35,16 +41,13 @@ in extraConfig = '' try_files $uri =404; fastcgi_pass unix:${config.services.phpfpm.pools.padlist.socket}; - fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_index index.php; include ${pkgs.nginx}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi.conf; - fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; ''; }; - "/vendor".return = "403"; - "/.git".return = "403"; }; }; }; + } diff --git a/modules/core/postgres.nix b/modules/postgres.nix similarity index 73% rename from modules/core/postgres.nix rename to modules/postgres.nix index daf44ff..331c24a 100644 --- a/modules/core/postgres.nix +++ b/modules/postgres.nix @@ -6,10 +6,8 @@ location = "/var/lib/backup/postgresql"; databases = [ "course-management" - "git" - "grafana" + "gitea" "hedgedoc" - "keycloak" "matrix-synapse" "mautrix-telegram" "mediawiki" @@ -18,10 +16,7 @@ "sogo" "vaultwarden" "mailman" - "mailman-web" - "zammad" + "mailmanweb" ]; }; - - services.postgresql.settings.max_connections = 1000; } diff --git a/modules/mail/sogo.nix b/modules/sogo.nix similarity index 96% rename from modules/mail/sogo.nix rename to modules/sogo.nix index 4999dfd..8b2490b 100644 --- a/modules/mail/sogo.nix +++ b/modules/sogo.nix @@ -51,7 +51,9 @@ in ensureUsers = [ { name = "sogo"; - ensureDBOwnership = true; + ensurePermissions = { + "DATABASE sogo" = "ALL PRIVILEGES"; + }; } ]; ensureDatabases = [ "sogo" ]; @@ -65,7 +67,11 @@ in proxy_buffers 8 64k; proxy_buffer_size 64k; ''; + forceSSL = true; + enableACME = true; locations = { + + "^~/SOGo".extraConfig = lib.mkForce '' proxy_pass http://127.0.0.1:20000; proxy_redirect http://127.0.0.1:20000 default; diff --git a/modules/sops.nix b/modules/sops.nix new file mode 100644 index 0000000..d34979f --- /dev/null +++ b/modules/sops.nix @@ -0,0 +1,5 @@ +{ ... }: +{ + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.age.generateKey = false; +} diff --git a/modules/stream.nix b/modules/stream.nix index 5d36501..3227e45 100644 --- a/modules/stream.nix +++ b/modules/stream.nix @@ -1,12 +1,15 @@ { config, ... }: -let cfg = config.services.owncast; -in { services = { nginx = { virtualHosts = { "stream.${config.networking.domain}" = { + enableACME = true; + forceSSL = true; locations."/" = + let + cfg = config.services.owncast; + in { proxyPass = "http://${toString cfg.listen}:${toString cfg.port}"; proxyWebsockets = true; @@ -18,12 +21,8 @@ in enable = true; port = 13142; listen = "[::ffff:127.0.0.1]"; + openFirewall = true; rtmp-port = 1935; }; }; - networking.firewall = { - extraInputRules = '' - ip saddr {141.30.0.0/16, 141.76.0.0/16} tcp dport ${toString cfg.rtmp-port} accept comment "Allow rtmp access from campus nets" - ''; - }; } diff --git a/modules/struktur-bot.nix b/modules/struktur-bot.nix deleted file mode 100644 index 9773474..0000000 --- a/modules/struktur-bot.nix +++ /dev/null @@ -1,32 +0,0 @@ -{ config, pkgs, ... }: -{ - sops.secrets."strukturbot_env" = { }; - # virtualisation.docker.daemon.settings.dns = [ "141.30.1.1" "141.76.14.1" ]; - virtualisation.oci-containers = { - containers.struktur-bot = { - image = "struktur-bot"; - environmentFiles = [ - config.sops.secrets."strukturbot_env".path - ]; - extraOptions = [ "--network=host" ]; - }; - }; - systemd.timers."overleaf-backup" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "02:22:00"; - Unit = "overleaf-backup.service"; - }; - }; - - systemd.services."overleaf-backup" = { - script = '' - set -eu - ${pkgs.docker}/bin/docker exec struktur-bot python3 backup.py - ''; - serviceConfig = { - Type = "oneshot"; - User = "root"; - }; - }; -} diff --git a/modules/web/userdir.nix b/modules/userdir.nix similarity index 63% rename from modules/web/userdir.nix rename to modules/userdir.nix index 25f5bfa..16a8d27 100644 --- a/modules/web/userdir.nix +++ b/modules/userdir.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, ... }: let domain = "users.${config.networking.domain}"; port = 8083; @@ -18,21 +18,18 @@ in mkdir -p $HOME/public_html # public_html dir: apache and $USER have rwx on everything inside - setfacl -m u:${apacheUser}:rwx,d:u:${apacheUser}:rwx,d:u:''${USER}:rwx $HOME/public_html + setfacl -m u:${apacheUser}:rwx,d:u:${apacheUser}:rwx,d:u:$USER:rwx $HOME/public_html fi ''; services.httpd = { enable = true; enablePHP = true; - maxClients = 10; - mpm = "prefork"; - extraModules = [ "userdir" ]; virtualHosts.${domain} = { + enableUserDir = true; extraConfig = '' - UserDir disabled root - UserDir /home/users/*/public_html/ + UserDir /home/users/*/public_html Options -Indexes +MultiViews +SymLinksIfOwnerMatch +IncludesNoExec DirectoryIndex index.php index.html @@ -50,33 +47,14 @@ in inherit port; }]; }; - - phpPackage = pkgs.php.buildEnv { - extraConfig = '' - display_errors=0 - post_max_size = 40M - upload_max_filesize = 40M - extension=sysvsem.so - ''; - }; }; services.nginx.virtualHosts.${domain} = { + enableACME = true; + forceSSL = true; + locations."/" = { proxyPass = "http://localhost:${toString port}"; - extraConfig = '' - proxy_intercept_errors on; - error_page 403 404 =404 /404.html; - client_max_body_size 40M; - ''; }; - - locations."/robots.txt" = { - extraConfig = '' - add_header Content-Type text/plain; - return 200 "User-agent: *\nDisallow: /\n"; - ''; - }; - }; } diff --git a/modules/vaultwarden.nix b/modules/vaultwarden.nix index a88a7ca..3ec5e09 100644 --- a/modules/vaultwarden.nix +++ b/modules/vaultwarden.nix @@ -25,12 +25,16 @@ in ensureUsers = [ { name = "vaultwarden"; - ensureDBOwnership = true; + ensurePermissions = { + "DATABASE vaultwarden" = "ALL PRIVILEGES"; + }; } ]; ensureDatabases = [ "vaultwarden" ]; }; services.nginx.virtualHosts."${domain}" = { + enableACME = true; + forceSSL = true; locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}"; }; diff --git a/modules/web/default.nix b/modules/web/default.nix deleted file mode 100644 index 3be7efd..0000000 --- a/modules/web/default.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ ... }: -{ - imports = [ - ./ifsrde.nix - ./ese.nix - ./infoscreen.nix - ./kpp.nix - ./nightline.nix - ./fsrewsp.nix - ./manual.nix - ./sharepic.nix - ./userdir.nix - ./ftp.nix - ./hyperilo.nix - ./notenrechner.nix - ]; -} diff --git a/modules/web/ese.nix b/modules/web/ese.nix deleted file mode 100644 index 3929671..0000000 --- a/modules/web/ese.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ config, pkgs, ... }: -let - domain = "ese.${config.networking.domain}"; - webRoot = "/srv/web/ese"; -in -{ - services.nginx = { - virtualHosts."${domain}" = { - locations."= /" = { - return = "302 /2025/"; - }; - locations."/" = { - root = webRoot; - tryFiles = "$uri $uri/ =404"; - }; - # cache static assets - locations."~* \.(?:css|svg|webp|jpg|jpeg|gif|png|ico|mp4|mp3|ogg|ogv|webm|ttf|woff2|woff)$" = { - root = webRoot; - extraConfig = '' - expires 1y; - ''; - }; - }; - }; - - users.users."ese-deploy" = { - isNormalUser = true; - openssh.authorizedKeys.keys = [ - ''command="${pkgs.rrsync}/bin/rrsync ${webRoot}",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEWGdTdobZN2oSLsTQmHOahdc9vqyuwUBS0PSk5IQhGV'' - ]; - }; - -} diff --git a/modules/web/fsrewsp.nix b/modules/web/fsrewsp.nix deleted file mode 100644 index 5fe4cd3..0000000 --- a/modules/web/fsrewsp.nix +++ /dev/null @@ -1,73 +0,0 @@ -{ pkgs, config, lib, ... }: -let - domain = "fsrewsp.de"; - user = "fsrewsp"; - group = "fsrewsp"; -in -{ - users.users.${user} = { - group = group; - isSystemUser = true; - }; - users.groups.${group} = { }; - users.users.nginx = { - extraGroups = [ group ]; - }; - - services.phpfpm.pools.fsrewsp = { - user = "fsrewsp"; - group = "fsrewsp"; - settings = { - "listen.owner" = config.services.nginx.user; - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.max_requests" = 500; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 5; - "php_admin_value[error_log]" = "stderr"; - "php_admin_flag[log_errors]" = true; - "catch_workers_output" = true; - }; - phpEnv."PATH" = lib.makeBinPath [ pkgs.php ]; - }; - - - - services.nginx.enable = true; - services.nginx = { - virtualHosts."www.${domain}" = { - locations."/".return = "301 $scheme://${domain}$request_uri"; - }; - virtualHosts."${domain}" = { - root = "/srv/web/fsrewsp"; - extraConfig = '' - index index.php index.html; - ''; - - locations = { - "/" = { - tryFiles = "$uri $uri/ /index.php?$args"; - }; - "~ \.php$" = { - extraConfig = '' - try_files $uri =404; - fastcgi_pass unix:${config.services.phpfpm.pools.fsrewsp.socket}; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index index.php; - include ${pkgs.nginx}/conf/fastcgi_params; - include ${pkgs.nginx}/conf/fastcgi.conf; - fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; - fastcgi_param HTTP_HOST $host; - ''; - }; - "~ \.log$".return = "403"; - "~ ^/\.user\.ini".return = "403"; - "~* \.(js|css|png|jpg|jpeg|gif|ico)$".extraConfig = '' - expires max; - log_not_found off; - ''; - }; - }; - }; -} diff --git a/modules/web/ftp.nix b/modules/web/ftp.nix deleted file mode 100644 index 7529169..0000000 --- a/modules/web/ftp.nix +++ /dev/null @@ -1,161 +0,0 @@ -{ config, pkgs, ... }: -let - domain = "ftp.${config.networking.domain}"; -in -{ - services.nginx.additionalModules = [ pkgs.nginxModules.fancyindex ]; - services.nginx.virtualHosts."${domain}" = { - root = "/srv/ftp"; - extraConfig = '' - fancyindex on; - fancyindex_exact_size off; - error_page 403 /403.html; - fancyindex_localtime on; - charset utf-8; - ''; - locations."~/(klausuren|uebungen|skripte|abschlussarbeiten)".extraConfig = '' - allow 141.30.0.0/16; - allow 141.76.0.0/16; - deny all; - ''; - locations."~ /komplexpruef".extraConfig = '' - default_type text/plain; - ''; - locations."=/403.html" = { - root = pkgs.writeTextDir "403.html" '' - - - - - - 403 Forbidden - iFSR - - - -
- -

403

-

Zugriff verweigert / Access Forbidden

- -
-
- 🇩🇪 Deutsch -
-

- Dieser Ordner ist nur aus dem Uni-Netz zugänglich. -

-
    -
  • Stellen Sie sicher, dass Sie mit dem TUD-Netzwerk verbunden sind
    • -
  • Oder wählen Sie sich über VPN ein
    • -
-
- -
-
- 🇬🇧 English -
-

- This directory is only accessible from the TUD network. -

-
    -
  • Make sure you are connected to the TUD network
    • -
  • Or connect via VPN
    • -
-
-
- - - ''; - }; - }; -} diff --git a/modules/web/hyperilo.nix b/modules/web/hyperilo.nix deleted file mode 100644 index fd46958..0000000 --- a/modules/web/hyperilo.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ ... }: - -{ - # provide access to iLO of colocated server - # in case of questions, contact @bennofs - services.nginx.virtualHosts."hyperilo.deutschland.gmbh" = { - forceSSL = true; - locations."/".proxyPass = "https://192.168.0.120:443"; - locations."/".basicAuthFile = "/run/secrets/hyperilo_htaccess"; - locations."/".extraConfig = '' - proxy_ssl_verify off; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade_capitalized; - proxy_set_header Authorization ""; # drop the basic auth headers, otherwise remote console doesn't work - ''; - }; - - # HP iLO requires uppercase Upgrade, not lowercase "upgrade" - services.nginx.commonHttpConfig = '' - map $http_upgrade $connection_upgrade_capitalized { - default Upgrade; - ''' close; - } - ''; - - systemd.network.networks."20-hyperilo" = { - matchConfig.Name = "eno8303"; - address = [ "192.168.0.1/24" ]; - networkConfig.LLDP = true; - networkConfig.EmitLLDP = "nearest-bridge"; - }; - - sops.secrets."hyperilo_htaccess".owner = "nginx"; -} diff --git a/modules/web/infoscreen.nix b/modules/web/infoscreen.nix deleted file mode 100644 index 601d0e2..0000000 --- a/modules/web/infoscreen.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ config, ... }: -let - domain = "infoscreen.${config.networking.domain}"; -in -{ - services.nginx = { - enable = true; - virtualHosts."${domain}" = { - root = "/srv/web/infoscreen/dist"; - }; - }; -} diff --git a/modules/web/manual.nix b/modules/web/manual.nix deleted file mode 100644 index afcc154..0000000 --- a/modules/web/manual.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ config, ... }: -let - domain = "manual.${config.networking.domain}"; -in -{ - services.ese-manual = { - enable = true; - hostName = domain; - }; -} diff --git a/modules/web/nightline.nix b/modules/web/nightline.nix deleted file mode 100644 index 8abd76d..0000000 --- a/modules/web/nightline.nix +++ /dev/null @@ -1,70 +0,0 @@ -{ pkgs, config, lib, ... }: -let - domain = "nightline-dresden.de"; - user = "nightline"; - group = "nightline"; -in -{ - users.users.${user} = { - group = group; - isSystemUser = true; - }; - users.users.nginx = { - extraGroups = [ group ]; - }; - users.groups.${group} = { }; - - services.phpfpm.pools.nightline = { - user = "nightline"; - group = "nightline"; - settings = { - "listen.owner" = config.services.nginx.user; - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.max_requests" = 500; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 5; - "php_admin_value[error_log]" = "stderr"; - "php_admin_flag[log_errors]" = true; - "catch_workers_output" = true; - }; - phpEnv."PATH" = lib.makeBinPath [ pkgs.php ]; - }; - - services.nginx = { - virtualHosts."www.${domain}" = { - locations."/".return = "301 $scheme://${domain}$request_uri"; - }; - virtualHosts."${domain}" = { - root = "/srv/web/nightline"; - extraConfig = '' - index index.php index.html; - ''; - - locations = { - "/" = { - tryFiles = "$uri $uri/ /index.php?$args"; - }; - "~ \.php$" = { - extraConfig = '' - try_files $uri =404; - fastcgi_pass unix:${config.services.phpfpm.pools.nightline.socket}; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index index.php; - include ${pkgs.nginx}/conf/fastcgi_params; - include ${pkgs.nginx}/conf/fastcgi.conf; - fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; - fastcgi_param HTTP_HOST $host; - ''; - }; - "~ \.log$".return = "403"; - "~ ^/\.user\.ini".return = "403"; - "~* \.(js|css|png|jpg|jpeg|gif|ico)$".extraConfig = '' - expires max; - log_not_found off; - ''; - }; - }; - }; -} diff --git a/modules/web/notenrechner.nix b/modules/web/notenrechner.nix deleted file mode 100644 index 06d4d05..0000000 --- a/modules/web/notenrechner.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ config, specialArgs, ... }: -let - domain = "notenrechner.${config.networking.domain}"; -in -{ - services.nginx.virtualHosts."${domain}" = { - root = specialArgs.notenrechner.packages."x86_64-linux".default; - }; -} diff --git a/modules/web/sharepic.nix b/modules/web/sharepic.nix deleted file mode 100644 index 6c9e597..0000000 --- a/modules/web/sharepic.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ pkgs, config, ... }: -let - domain = "sharepic.${config.networking.domain}"; -in -{ - services.nginx.virtualHosts."${domain}" = { - root = pkgs.fetchFromGitHub { - owner = "jannikmenzel"; - repo = "iFSR-Sharepicgenerator"; - rev = "ac721d5fff2dba1f046939a6d6532b1a8cfceba8"; - hash = "sha256-of+N58TDt2BcbDVEriKn6rjQVl0GdV4ZMEblrdUutZk="; - }; - }; -} diff --git a/modules/web/ifsrde.nix b/modules/website.nix similarity index 92% rename from modules/web/ifsrde.nix rename to modules/website.nix index 84c4ad1..d6e8339 100644 --- a/modules/web/ifsrde.nix +++ b/modules/website.nix @@ -10,9 +10,7 @@ in isSystemUser = true; }; users.groups.${group} = { }; - users.users.nginx = { - extraGroups = [ group ]; - }; + services.phpfpm.pools.ifsrde = { user = user; group = group; @@ -34,9 +32,14 @@ in services.nginx = { virtualHosts."www.${config.networking.domain}" = { + enableACME = true; + forceSSL = true; locations."/".return = "301 $scheme://ifsr.de$request_uri"; + }; virtualHosts."${config.networking.domain}" = { + enableACME = true; + forceSSL = true; root = "/srv/web/ifsrde"; extraConfig = '' index index.html index.php; @@ -60,8 +63,6 @@ in "~ ^/cmd(/?[^\\n|\\r]*)$".return = "301 https://pad.ifsr.de$1"; "/bbb".return = "301 https://bbb.tu-dresden.de/b/fsr-58o-tmf-yy6"; "/kpp".return = "301 https://kpp.ifsr.de"; - "/mese".return = "301 https://ifsr.de/news/mese-and-welcome-back"; - "/sso".return = "301 https://sso.ifsr.de/realms/internal/account"; # security "~* /(\.git|cache|bin|logs|backup|tests)/.*$".return = "403"; # deny running scripts inside core system folders diff --git a/modules/wiki/fsr.nix b/modules/wiki.nix similarity index 70% rename from modules/wiki/fsr.nix rename to modules/wiki.nix index ac16e41..1c82037 100644 --- a/modules/wiki/fsr.nix +++ b/modules/wiki.nix @@ -38,7 +38,6 @@ in }; extraConfig = '' - wfLoadSkin( 'MinervaNeue' ); $wgSitename = "FSR Wiki"; $wgArticlePath = '/$1'; @@ -58,54 +57,49 @@ in $wgUseAjax = true; $wgEnableMWSuggest = true; $wgDefaultSkin = 'timeless'; - $wgDefaultMobileSkin = 'minerva'; //TODO what about $wgUpgradeKey ? # Auth # https://www.mediawiki.org/wiki/Extension:PluggableAuth # https://www.mediawiki.org/wiki/Extension:OpenID_Connect - $wgOpenIDConnect_MigrateUsersByEmail = true; - //$wgOpenIDConnect_MigrateUsersByUserName = true; - $wgPluggableAuth_EnableLocalLogin = false; + $wgPluggableAuth_EnableLocalLogin = true; $wgPluggableAuth_Config["iFSR Login"] = [ "plugin" => "OpenIDConnect", "data" => [ - "providerURL" => "https://sso.ifsr.de/realms/internal", + "providerURL" => "${config.services.portunus.domain}/dex", "clientID" => "wiki", "clientsecret" => file_get_contents('${config.sops.secrets."mediawiki/oidc_secret".path}'), ], ]; ''; + extensions = { - # some extensions are included and can enabled by passing null - VisualEditor = null; - # the dir in the mediawiki-1.42.3.tar.gz inside of the extension folder is called "SyntaxHighlight_GeSHi" not "SyntaxHighlight" - SyntaxHighlight_GeSHi = null; - MobileFrontend = pkgs.fetchzip { - url = "https://extdist.wmflabs.org/dist/extensions/MobileFrontend-REL1_43-3b4cac8.tar.gz"; - hash = "sha256-aJOArZl+oO/ADjxIhlFVGS8hGmpSp6nsgC7XkKEk1Ks="; - }; PluggableAuth = pkgs.fetchzip { - url = "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_42-1da98f4.tar.gz"; - hash = "sha256-5uBUy7lrr86ApASYPWgF6Wa09mxxP0o+lXLt1gVswlA="; + url = "https://web.archive.org/web/20230615112924/https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_39-068be5d.tar.gz"; + hash = "sha256-kmdSPMQNaO0qgEzb8j0+eLlsNQLmfJfo0Ls4yvYgOFI="; }; OpenIDConnect = pkgs.fetchzip { - url = "https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_42-6c28c16.tar.gz"; - hash = "sha256-X5kUuvxINbuXaLMKRcLOl2L3qbnMT72lg2NA3A9Daj8="; + url = "https://web.archive.org/web/20230615113527/https://extdist.wmflabs.org/dist/extensions/OpenIDConnect-REL1_39-42e4d75.tar.gz"; + hash = "sha256-VN0G0Crjlx0DTLeDvaSFtMmYsfB7VzgYkSNDS+nkIyQ="; + }; + VisualEditor = pkgs.fetchzip { + url = "https://web.archive.org/web/20230723212424/https://extdist.wmflabs.org/dist/extensions/VisualEditor-REL1_39-b1204c9.tar.gz"; + hash = "sha256-g/ATW3xkecHynwbwLbmYgawNW+LCVTth0ZlhY7A3N5U="; }; }; }; + portunus.dex.oidcClients = [{ + id = "wiki"; + callbackURL = "https://${domain}/Spezial:PluggableAuthLogin"; + }]; + nginx = { recommendedProxySettings = true; virtualHosts.${domain} = { - locations."/robots.txt" = { - extraConfig = '' - add_header Content-Type text/plain; - return 200 "User-agent: *\nDisallow: /\n"; - ''; - }; + enableACME = true; + forceSSL = true; locations."/" = { proxyPass = "http://127.0.0.1:${toString listenPort}"; proxyWebsockets = true; diff --git a/modules/wiki/default.nix b/modules/wiki/default.nix deleted file mode 100644 index 372553e..0000000 --- a/modules/wiki/default.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ ... }: -{ - imports = [ - ./fsr.nix - ./vernetzung.nix - ./ese.nix - ]; -} diff --git a/modules/wiki/ese.nix b/modules/wiki/ese.nix deleted file mode 100644 index 4125198..0000000 --- a/modules/wiki/ese.nix +++ /dev/null @@ -1,86 +0,0 @@ -{ config, lib, pkgs, ... }: -let - domain = "wiki.ese.${config.networking.domain}"; - user = "wiki-ese"; - group = "wiki-ese"; -in -{ - - system.activationScripts.hacky-mediawiki-convert = '' - cp ${pkgs.imagemagick}/bin/convert /srv/web/wiki.ese/convert - ''; - users.users.${user} = { - group = group; - isSystemUser = true; - }; - users.groups.${group} = { }; - services.phpfpm.pools.wiki-ese = { - user = user; - group = group; - settings = { - "listen.owner" = config.services.nginx.user; - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.max_requests" = 500; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 5; - "php_admin_value[error_log]" = "stderr"; - "php_admin_flag[log_errors]" = true; - "catch_workers_output" = true; - }; - phpEnv."PATH" = lib.makeBinPath [ pkgs.php ]; - }; - services.nginx = { - virtualHosts."${domain}" = { - root = "/srv/web/wiki.ese"; - extraConfig = '' - index index.php; - ''; - locations = { - "/" = { - tryFiles = "$uri $uri/ @rewrite"; - }; - "@rewrite".extraConfig = '' - rewrite ^/(.*)$ /index.php?title=$1&$args; - ''; - "^~ /maintenance/".return = "403"; - "~ \.php$" = { - extraConfig = '' - fastcgi_pass unix:${config.services.phpfpm.pools.wiki-ese.socket}; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index index.php; - include ${pkgs.nginx}/conf/fastcgi_params; - include ${pkgs.nginx}/conf/fastcgi.conf; - fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; - ''; - }; - "/rest.php" = { - tryFiles = "$uri $uri/ /rest.php?$args"; - }; - "~* \.(js|css|png|jpg|jpeg|gif|ico)$" = { - tryFiles = "$uri /index.php"; - extraConfig = '' - expires max; - log_not_found off; - ''; - }; - "/_.gif" = { - extraConfig = '' - expires max; - empty_gif; - ''; - }; - "^~ /cache/".extraConfig = '' - deny all; - ''; - "/dumps" = { - root = "/srv/web/wiki-ese/local"; - extraConfig = '' - autoindex on; - ''; - }; - }; - }; - }; -} diff --git a/modules/wiki/vernetzung.nix b/modules/wiki/vernetzung.nix deleted file mode 100644 index bd1a4a9..0000000 --- a/modules/wiki/vernetzung.nix +++ /dev/null @@ -1,83 +0,0 @@ -{ config, lib, pkgs, ... }: -let - domain = "vernetzung.${config.networking.domain}"; - user = "vernetzung"; - group = "vernetzung"; -in -{ - - users.users.${user} = { - group = group; - isSystemUser = true; - }; - users.groups.${group} = { }; - services.phpfpm.pools.vernetzung = { - user = user; - group = group; - settings = { - "listen.owner" = config.services.nginx.user; - "pm" = "dynamic"; - "pm.max_children" = 32; - "pm.max_requests" = 500; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 2; - "pm.max_spare_servers" = 5; - "php_admin_value[error_log]" = "stderr"; - "php_admin_flag[log_errors]" = true; - "catch_workers_output" = true; - }; - phpEnv."PATH" = lib.makeBinPath [ pkgs.php ]; - }; - services.nginx = { - virtualHosts."${domain}" = { - root = "/srv/web/vernetzung"; - extraConfig = '' - index index.php; - ''; - locations = { - "/" = { - tryFiles = "$uri $uri/ @rewrite"; - }; - "@rewrite".extraConfig = '' - rewrite ^/(.*)$ /index.php?title=$1&$args; - ''; - "^~ /maintenance/".return = "403"; - "~ \.php$" = { - extraConfig = '' - fastcgi_pass unix:${config.services.phpfpm.pools.vernetzung.socket}; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_index index.php; - include ${pkgs.nginx}/conf/fastcgi_params; - include ${pkgs.nginx}/conf/fastcgi.conf; - fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name; - ''; - }; - "/rest.php" = { - tryFiles = "$uri $uri/ /rest.php?$args"; - }; - "~* \.(js|css|png|jpg|jpeg|gif|ico)$" = { - tryFiles = "$uri /index.php"; - extraConfig = '' - expires max; - log_not_found off; - ''; - }; - "/_.gif" = { - extraConfig = '' - expires max; - empty_gif; - ''; - }; - "^~ /cache/".extraConfig = '' - deny all; - ''; - "/dumps" = { - root = "/srv/web/vernetzung/local"; - extraConfig = '' - autoindex on; - ''; - }; - }; - }; - }; -} diff --git a/modules/zammad.nix b/modules/zammad.nix deleted file mode 100644 index cbff484..0000000 --- a/modules/zammad.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ config, lib, ... }: -let - domain = "tickets.${config.networking.domain}"; -in -{ - services.zammad = { - enable = true; - database = { - createLocally = true; - type = "PostgreSQL"; - }; - redis.port = 6380; - port = 8085; - secretKeyBaseFile = config.sops.secrets."zammad_secret".path; - }; - - - services.redis = { - servers.zammad = { - port = lib.mkForce 6380; - enable = true; - }; - }; - # disably spammy logs - systemd.services.zammad-web.preStart = '' - sed -i -e "s|debug|warn|" ./config/environments/production.rb - ''; - - services.nginx.virtualHosts.${domain} = { - locations."/" = { - proxyPass = "http://localhost:${toString config.services.zammad.port}"; - }; - locations."/ws" = { - proxyPass = "http://localhost:${toString config.services.zammad.websocketPort}"; - proxyWebsockets = true; - }; - }; - - sops.secrets."zammad_secret".owner = "zammad"; -} diff --git a/modules/zsh.nix b/modules/zsh.nix new file mode 100644 index 0000000..bb3ac04 --- /dev/null +++ b/modules/zsh.nix @@ -0,0 +1,36 @@ +{ pkgs, ... }: +{ + environment.systemPackages = with pkgs; [ + # fzf + bat + duf + ]; + users.defaultUserShell = pkgs.zsh; + programs.fzf = { + fuzzyCompletion = true; + keybindings = true; + }; + programs.zsh = { + enable = true; + shellAliases = { + l = "ls -l"; + ll = "ls -la"; + la = "ls -a"; + less = "bat"; + }; + histSize = 100000; + histFile = "~/.local/share/zsh/history"; + autosuggestions = { + enable = true; + highlightStyle = "fg=#00bbbb,bold"; + }; + + shellInit = + '' + source ${pkgs.zsh-fzf-tab}/share/fzf-tab/fzf-tab.plugin.zsh + + zsh-newuser-install () {} + ''; + }; +} + diff --git a/overlays/default.nix b/overlays/default.nix deleted file mode 100644 index 3d7b533..0000000 --- a/overlays/default.nix +++ /dev/null @@ -1,44 +0,0 @@ -_final: prev: -let - inherit (prev) fetchurl; - inherit (prev) fetchpatch; - inherit (prev) callPackage; -in -{ - # AGDSN is running an outdated version that we have to comply to - bacula = (prev.bacula.overrideAttrs (old: rec { - version = "9.6.7"; - src = fetchurl { - url = "mirror://sourceforge/bacula/${old.pname}-${version}.tar.gz"; - sha256 = "sha256-3w+FJezbo4DnS1N8pxrfO3WWWT8CGJtZqw6//IXMyN4="; - }; - })); - # Mailman internal server error fix - # https://gitlab.com/mailman/mailman/-/issues/1137 - # https://github.com/NixOS/nixpkgs/pull/321136 - pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [ - (_python-final: python-prev: { - readme-renderer = python-prev.readme-renderer.overridePythonAttrs (_oldAttrs: { - propagatedBuildInputs = [ python-prev.cmarkgfm ]; - }); - }) - ]; - - keycloak_ifsr_theme = callPackage ../modules/keycloak/theme.nix { }; - portunus = callPackage ./portunus.nix { }; - mediawiki = (prev.mediawiki.overrideAttrs (_old: rec { - version = "1.43.0"; - - src = fetchurl { - url = "https://releases.wikimedia.org/mediawiki/${prev.lib.versions.majorMinor version}/mediawiki-${version}.tar.gz"; - hash = "sha256-VuCn/i/3jlC5yHs9WJ8tjfW8qwAY5FSypKI5yFhr2O4="; - }; - - })); - - hedgedoc = prev.hedgedoc.overrideAttrs ({ patches ? [ ], ... }: { - patches = patches ++ [ - ./hedgedoc/0001-anonymous-uploads.patch - ]; - }); -} diff --git a/overlays/hedgedoc/0001-anonymous-uploads.patch b/overlays/hedgedoc/0001-anonymous-uploads.patch deleted file mode 100644 index 83eead2..0000000 --- a/overlays/hedgedoc/0001-anonymous-uploads.patch +++ /dev/null @@ -1,62 +0,0 @@ -diff --git a/app.js b/app.js -index d41dbfbd7..faf686cfa 100644 ---- a/app.js -+++ b/app.js -@@ -203,6 +203,7 @@ app.locals.serverURL = config.serverURL - app.locals.sourceURL = config.sourceURL - app.locals.allowAnonymous = config.allowAnonymous - app.locals.allowAnonymousEdits = config.allowAnonymousEdits -+app.locals.allowAnonymousUploads = config.allowAnonymousUploads - app.locals.disableNoteCreation = config.disableNoteCreation - app.locals.authProviders = { - facebook: config.isFacebookEnable, -diff --git a/lib/config/default.js b/lib/config/default.js -index d038e5311..9ab9a6bb1 100644 ---- a/lib/config/default.js -+++ b/lib/config/default.js -@@ -33,6 +33,7 @@ module.exports = { - protocolUseSSL: false, - allowAnonymous: true, - allowAnonymousEdits: false, -+ allowAnonymousUploads: false, - allowFreeURL: false, - requireFreeURLAuthentication: false, - disableNoteCreation: false, -diff --git a/lib/config/environment.js b/lib/config/environment.js -index da50a660d..b74d122f4 100644 ---- a/lib/config/environment.js -+++ b/lib/config/environment.js -@@ -31,6 +31,7 @@ module.exports = { - allowOrigin: toArrayConfig(process.env.CMD_ALLOW_ORIGIN), - allowAnonymous: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS), - allowAnonymousEdits: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS_EDITS), -+ allowAnonymousUploads: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS_UPLOADS), - allowFreeURL: toBooleanConfig(process.env.CMD_ALLOW_FREEURL), - requireFreeURLAuthentication: toBooleanConfig(process.env.CMD_REQUIRE_FREEURL_AUTHENTICATION), - disableNoteCreation: toBooleanConfig(process.env.CMD_DISABLE_NOTE_CREATION), -diff --git a/lib/config/hackmdEnvironment.js b/lib/config/hackmdEnvironment.js -index c40ffc961..20c2da83b 100644 ---- a/lib/config/hackmdEnvironment.js -+++ b/lib/config/hackmdEnvironment.js -@@ -22,6 +22,7 @@ module.exports = { - allowOrigin: toArrayConfig(process.env.HMD_ALLOW_ORIGIN), - allowAnonymous: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS), - allowAnonymousEdits: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS_EDITS), -+ allowAnonymousUploads: toBooleanConfig(process.env.HMD_ALLOW_ANONYMOUS_UPLOADS), - allowFreeURL: toBooleanConfig(process.env.HMD_ALLOW_FREEURL), - defaultPermission: process.env.HMD_DEFAULT_PERMISSION, - dbURL: process.env.HMD_DB_URL, -diff --git a/lib/web/imageRouter/index.js b/lib/web/imageRouter/index.js -index d9964827b..7321bc805 100644 ---- a/lib/web/imageRouter/index.js -+++ b/lib/web/imageRouter/index.js -@@ -59,8 +59,7 @@ async function checkUploadType (filePath) { - imageRouter.post('/uploadimage', function (req, res) { - if ( - !req.isAuthenticated() && -- !config.allowAnonymous && -- !config.allowAnonymousEdits -+ !config.allowAnonymousUploads - ) { - logger.error( - 'Image upload error: Anonymous edits and therefore uploads are not allowed' diff --git a/overlays/portunus.nix b/overlays/portunus.nix deleted file mode 100644 index ac09a9b..0000000 --- a/overlays/portunus.nix +++ /dev/null @@ -1,32 +0,0 @@ -{ lib -, buildGoModule -, fetchFromGitHub -, libxcrypt-legacy -, nixosTests -}: - -buildGoModule rec { - pname = "portunus"; - version = "2.1.1"; - - src = fetchFromGitHub { - owner = "majewsky"; - repo = "portunus"; - rev = "v${version}"; - sha256 = "sha256-+pMMIutj+OWKZmOYH5NuA4a7aS5CD+33vAEC9bJmyfM="; - }; - - buildInputs = [ libxcrypt-legacy ]; - - vendorHash = null; - - passthru.tests = { inherit (nixosTests) portunus; }; - - meta = with lib; { - description = "Self-contained user/group management and authentication service"; - homepage = "https://github.com/majewsky/portunus"; - license = licenses.gpl3Plus; - platforms = platforms.linux; - maintainers = with maintainers; [ majewsky ] ++ teams.c3d2.members; - }; -} diff --git a/overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch b/overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch deleted file mode 100644 index 2b60316..0000000 --- a/overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch +++ /dev/null @@ -1,25 +0,0 @@ -From f4c5dd5628c873981b2d6d6b8f3bbf036b9fd724 Mon Sep 17 00:00:00 2001 -From: Rouven Seifert -Date: Thu, 2 May 2024 11:20:27 +0200 -Subject: [PATCH] cleanup: also catch milter-reject - ---- - postfix_exporter.go | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/postfix_exporter.go b/postfix_exporter.go -index f20d99c..676d767 100644 ---- a/postfix_exporter.go -+++ b/postfix_exporter.go -@@ -335,6 +335,8 @@ func (e *PostfixExporter) CollectFromLogLine(line string) { - e.cleanupProcesses.Inc() - } else if strings.Contains(remainder, ": reject: ") { - e.cleanupRejects.Inc() -+ } else if strings.Contains(remainder, ": milter-reject: ") { -+ e.cleanupRejects.Inc() - } else { - e.addToUnsupportedLine(line, subprocess, level) - } --- -2.44.0 - diff --git a/pkgs/matrix-synapse-ldap3.nix b/pkgs/matrix-synapse-ldap3.nix new file mode 100644 index 0000000..0635ab0 --- /dev/null +++ b/pkgs/matrix-synapse-ldap3.nix @@ -0,0 +1,21 @@ +{ isPy3k, buildPythonPackage, pkgs, service-identity, ldap3, twisted, ldaptor, mock }: + +buildPythonPackage rec { + pname = "matrix-synapse-ldap3"; + version = "0.2.2"; + + format = "pyproject"; + + src = pkgs.fetchFromGitHub { + owner = "matrix-org"; + repo = "matrix-synapse-ldap3"; + rev = "2584736204165f16c176567183f9c350ee253f74"; + sha256 = "gMsC5FpC2zt5hypPdGgPbWT/Rwz38EoQz3tj5dQ9BQ8="; + }; + + propagatedBuildInputs = [ service-identity ldap3 twisted ]; + + # ldaptor is not ready for py3 yet + doCheck = !isPy3k; + checkInputs = [ ldaptor mock ]; +} diff --git a/pkgs/padlist/default.nix b/pkgs/padlist/default.nix new file mode 100644 index 0000000..e3f4640 --- /dev/null +++ b/pkgs/padlist/default.nix @@ -0,0 +1,10 @@ +{ stdenvNoCC, ... }: +stdenvNoCC.mkDerivation { + name = "padlister"; + src = ./.; + phases = [ "unpackPhase" "installPhase" ]; + installPhase = '' + mkdir -p $out + cp -r $src/index.php $out + ''; +} diff --git a/pkgs/padlist/index.php b/pkgs/padlist/index.php new file mode 100644 index 0000000..60bf364 --- /dev/null +++ b/pkgs/padlist/index.php @@ -0,0 +1,79 @@ +getMessage(); + die(); +} + +$query = 'SELECT "Notes".title, "Notes"."updatedAt", "Notes"."shortid", "Users".profile FROM "Notes" JOIN "Users" ON "Notes"."ownerId" = "Users".id WHERE (permission = \'freely\' OR permission = \'editable\' OR permission = \'limited\') AND strpos(content, \'tags: listed\')>0 ORDER BY "Notes"."updatedAt" DESC'; +try { + $stmt = $dbh->query($query); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); +} catch (PDOException $e) { + echo "Error: " . $e->getMessage(); + die(); +} + +function formatDateString($stringDate) +{ + $datetime = DateTime::createFromFormat('Y-m-d H:i:s.uP', $stringDate); + $formattedDate = $datetime->format('d.m.Y H:i'); + return $formattedDate; +} +?> + + + + + + + + + Pad lister + + + + + +
+

+ + + + + + + + + + + + + + + +
TitelOwnerLast edit
+ + + username ?> + + +
+

+
+ + + diff --git a/secrets/admin.yaml b/secrets/admin.yaml index 576f3a8..7f6d4f3 100644 --- a/secrets/admin.yaml +++ b/secrets/admin.yaml @@ -1,147 +1,135 @@ -cachix_password: ENC[AES256_GCM,data:SjzpKHIFRvXDARjidS03eA0EmzXtsNjfkSnPTsafNhc=,iv:mAr67t4jvLc7cUn7WQaY/oU3AN1w28tCBJBI1ZfeS3U=,tag:VSPF158J1iP5x6qkytGeGA==,type:str] +cachix_password: ENC[AES256_GCM,data:7SleCWYfyhlde2vuIr6hGtAwuSbiz5W8PpUHd8TIh4I=,iv:mAr67t4jvLc7cUn7WQaY/oU3AN1w28tCBJBI1ZfeS3U=,tag:Dodk7V+nnswtSuEH6R5LGw==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-12-26T17:03:43Z" - mac: ENC[AES256_GCM,data:RJ1qczvz9tRPf0krPFbSDURZJSx5Bx/K7Pz3urNYn8wt4/M1B9EJI0nlHMuun/QjCDYMmiOzvvJMEdOBI/OeRZaQrp9+9LBB+9r4jOhU8BIP5czzKaGpDpZ9o/6avZf38SfrjR0M8NHVuTRGW8vzstu92KyeXaIRqfJ1JX+ucbo=,iv:93dkoIJHFVQaGqNBW/9/QxobRLiv+hd73lsV2ZXJHX4=,tag:H7IJVW+c4EaMPdmJDr+7oA==,type:str] + lastmodified: "2023-08-14T09:08:46Z" + mac: ENC[AES256_GCM,data:Vb5iZpE0D0kQrhrtm18y4WQj7W4c8oT+oFeFPgQBCJ1EJyHemREgn2RskCZeevad896qjWAR3xtk2uGc9SOEqFhWX4OkyhTGAo5h66YygNw3LbCsarfUcYQ7Jthdw2rnozLLIOEZ0yykeaayWEULbdHZjgaJwI+DIwOyTkBgmK8=,iv:96/Ph7+HDjT8su+vmtUB7d24OVY4h4BmfiTudwW+7DQ=,tag:F9JfGnSZOMN3GHdMXCVRPg==,type:str] pgp: - - created_at: "2024-02-29T15:23:18Z" - enc: |- + - created_at: "2023-08-14T09:08:12Z" + enc: | -----BEGIN PGP MESSAGE----- - hF4DntlvaG5T7wcSAQdAnAE456PXzGekxSnrumXHqeCY5tm0/20vrPDDidjy3Wcw - k4WIu4Sglhukn5LrQkzzcskoFpGHrPj5tN84jilNDjMz8nVR1zniAlrKTP59C/fQ - 0l4BIQYlqkqkEDc+kuWzy2O0mteKrlo86Byv6NryvY5DseXUFd6pVde8n8ns5tSZ - /jSh5Fo3/xkmJ+aS2SturNqUixHYbGBHUpfQ/IakxriSfLdtkf3N82M8e5jJUWB3 - =ZaVg + hF4DntlvaG5T7wcSAQdASuJ50zZbRm83JgWvBkhhqb9CYA7I5b4erFYEG4YAugMw + r0nWOEVjWhMiYuvgQkNbD2QLioNbmYrElL7zRpLW66HhXX0F+SSF07SGxBY3DFX5 + 0l4BqOepz3eG9yUO3rWewZZmdFmtgSSgutCqHSA3Z/3dmNupSoScGUl2qVTFTZ0n + pZqfDRnLrrRLGdqQ8ChgyzkaD4g6wQULApScmewit/QlRi4s84JBvqVcro6OXXof + =8TRl -----END PGP MESSAGE----- fp: B8E1727497FC48AA14158BDF947F769D7B95EC2B - - created_at: "2024-02-29T15:23:18Z" - enc: |- + - created_at: "2023-08-14T09:08:12Z" + enc: | -----BEGIN PGP MESSAGE----- - hQIMA/YLzOYaRIJJAQ/9F9PE1/Dpehh2HvyzkbBMxar0ZrWItB9UpMN4VJjipI7x - 8cMU7iIp3gDrVfwEzdARzXOUGugoxYPttJMe4ZRrIHtjnQBWf+e0TcDy4eqdHqYH - COAWRBctYAWqSU7n4Gq/mqtNGe1VDY9Q5rhpDqhPc01KWO72AgLUwH6zoyGM4YBN - 7u7eF0vqcaZGQyzo4IjasnYlPjgIDehVzdl8Zpy/yYOFNozLFBV7HLqItEl7vdEq - DPGzz7vKAK1pHK0Qie5MBTbEMJ2yIBiGIJ/rZv5h9RvAuVu0uqjFbehis5yK2N4s - hEBVaECXfvuvc0wP7EIgxdUoDeh+o4OUL6OneQRXeMqdlsw+oq8WnKywi4bf8dDl - 1gNs7PLa0ROQKyOiB/LAZn4GmnNLSD2KnlTYoyrt3s8tgfRCHOhoWxGmBGfV3Z2C - KjbucxT0Wz0gSSBr6ht0lL0DD0UFQ9WJbz2Dns82CCr5T+ehHk5YVGQPSSxPaDlz - qnNdS+OvrgbofKAk7JcR9Po/ajoOAEvv6GfA0ujFi3FxyjwgaPS6Je4fC2gUVrwb - 2z7OCzmpp3vGrFB0BvKSwrCQLIeffWl8M4bOoCDKM+XyMEUML7TsTrFkoQ+wzvqN - V53askywgCRfSkfBsEWV1Aoms4QmPnvkuoD0N4F40MRtD2HmhxrgqwmSh3Iu9qPS - XgGkJ/TnuWJ0KkBePo8xBqokVTfbhiGufYXXz6B80tHl6Xrmd5rcz8km0tCc/GUZ - R8yygpt4uFujJEQzaCdT7Y8kt+WRXaNq7pZ0lsQF7lYtpusZhPBv3pDkb4/6ALs= - =nVIs + hQIMA/YLzOYaRIJJAQ//aIBDcdbJwRjT0xgiRjmMIpiM9ZXfipl/UGP6N3y9Xndx + IaVp4trITGXIIvChYo0WylCvPPrXdnUdwthu7sR7P7yjF/ZyDorYnSGB856/bUaV + nX6to+zNnk6Zo7VBXW9HIqH+nG1JQW2kv8uF7hZSIvXVTYuuS2FfZMV3Vye1eQJ+ + 5hbraPc0ioJFZe+sz9vLICGGdS7aY73lGrWllgpOgmtKc+S6OAHSH6zSkJ0rGzxq + AhkaVytNeB6Wc9QZw0YETwRv5ZKEZNCuMLDsB6OvP11T5Bod+SK59uFk4qFyHk40 + AcZ/FpdVPyH38rpBEjR68ARypLCXQqcTCUcVMtqW3+xm+msOF5Oax7psqBFLd1C3 + C1X7MnXNWIcUiqm0Cl/d8DQUB4SNoKLwKMFGH9voPmpcht/1aqudMuloiSJrR8ia + B7out4PhQh4UGtdqilbEsntWmoiDmftvYKQiK+iA2PaNZPvFaDET6a21L9Ezk4mW + XVZ8AiSxyQRH2c7l2jVPZZ3KZa40EOvdP1lIiCvlrp2KBlj+r+lqduFR/qG7vr/E + avRT2qxqR4y+wVlXGcPONyTrb9qGZrn1bnwkZ5at4O0QYYyiOt2PTe16WBgEhOyd + WDT2dnb7lG7fDSiY6iVzhYmnywEOREDEZ7ZoGzfGpgz9fDwrVvfpWgWkfLayHDLS + XgEGvE2F1rGyAQVrAaLWNH01WL/7waZd8C/M3R0tbvyNVl+cEWnVmtz/LhRQuji1 + qVXKzZSkc/YKuDLoJnIl4x9pVoi42AWf23YGltdk8osyq5b4eOMmoExhsdXItLg= + =dCdG -----END PGP MESSAGE----- fp: 91EBE87016391323642A6803B966009D57E69CC6 - - created_at: "2024-02-29T15:23:18Z" - enc: |- + - created_at: "2023-08-14T09:08:12Z" + enc: | -----BEGIN PGP MESSAGE----- - hQIMA8uqUsBLHj6XAQ/+Ofo4GZUZEca+ThmZmF8g5OlPOfgPxRUHuTHoiOthXTuS - IO7BSCYPHdZlnDqNMELdQfKZHRFirehibMIFedfoiKEuhJaQ1p9go0CnIhcX7tzA - aNaBbbJBmAYxUfPdExkJK9SqDxV7aXC8OHzXHwcZqCc/G38E4fOMVsvUVdD+Nymf - lEXmgXpU1ib5vRaH1oCOf8d1C6LFFC+peBBbyzwhNgFgVYP8NrXWkeIiRSiKpFpx - 3lsLODLIYXteoO0DkkuT2z/0G86EYo+bmSx5Ubi0waxfO3sLdUnDaIIC/6pJqbS8 - QM3HtEL1kQaAFure/r+K7Ck8l0eTKbfnd52jLoMFK+1g5587KjV70fpx4QBvyq0X - d0xJAfJSRptkIlMOS5+tYOXd2SOtoG7XwprrUs+lleE/Z4SaOjyGWkLE0L1D+Qhp - /8jw0cU46O69ig0p47H1klvJ5TkZkSroCkarVRUS4AHhpnLLnDMYDkuVoZeKM+rz - tOF8Sj/ySF3PA0W5cGf8dK8u8EXgIlApLbo4ZOBHff9yJJvuDJjt2b3hWPZh/uHF - ASxPF26cz6+ysGLl8COvWLRlxDD22aP27P2A7+9LYi9p1csNL+wuYwfnF7/rrrLx - Suv2InJqsUV5JkLlhoTYnv6kIwrz0oVSnTOFIBgQ3dex3T0DUn/eEdFO1BHY7BfU - aAEJAhDp5eds7PB2IJhFuHuYcsYquRDlwlQ6CY0fWTR3cI3bzNTLAe+ITv19CBUV - eGi9XUc05QDgUapvUewGXZXlFxo7iDDw1H7S1exSeRY/sbmeDE1G8beZxEqD2Rbq - Rlwq7HypFnxX - =M/ss + hQIMA8uqUsBLHj6XAQ//b1bA73WQ0H2rYX/scP68fDjnkeIRq227YW6sY3Fm/ob1 + 4vmllEgZBTlzQwZb84fc0FBIP2xBzHXgKCmzt/+EEb0VUAc0KvNyJwa65apOV1MV + juzNYzL1rPph+rlk0NVkWQvop6OTGZ1rsq8GgJoffm3dYUAZysoyKJFwn+zy2sh6 + Q9kbWCsX8O/6ImLp6WgJXGUGt2MkkXUkMTdIvWHQntNuQtgh2E4Fz/HCdSW5TT3z + FoV/FaVNPMP1JiG3ym+q4p9zRQTynWb8JqGlWgt86vKdyqf/sBDMZHpjbZeX5O4m + RKiTpjAgDoJJYCB7WrnHhHJkVo2E0vi8bM86BJ0G4rubWTYhYlpLOMNIl+iVo1j5 + H11vtJ/dphat1/8006dpeyA7xlw6Woq09Org6dRGV43sBK2oiNNznbigt6BCKylw + m2sUY/VyAEqkd2knYsfkfiVUy6R/yHkgGUJo94QUtfEs7Yw0VMwx8U/N7Gwrx5zB + 8CUxxOnCNeynDPP3sPsei61RXretbJ0wXxoOv8P1GHIPYhAbEX9Oi3u81FnAmykJ + NxM+Ip9RbeS9lRvuasMJSFawqJU10v7XLp6EjB+Ed+vNDzxPBnhbUYNKJRE/Gq4k + Phx/ySn900r+MX/1097TvL0GQH5TDK94R/Pip6K+iAeZPoFQFbhh0r4aYlARTpnU + aAEJAhCiPLz6o+/CDSsM7HQuATjywPk487/2PZ7SVYXNl1mXPgTfQJaDvOHjlinU + yPO2XNwDkKQwtq72AY1oSEODJvFQyTLHSNNCt3Wbfm7LNbzp3UAarQ8g8dFOfCuY + p6vOQwd0oQ4B + =ZwoK -----END PGP MESSAGE----- fp: F8634A1CFF7D61608503A70B24363525EA0E8A99 - - created_at: "2024-02-29T15:23:18Z" + - created_at: "2023-08-14T09:08:12Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAzUXo8ZPJwGLAQ/+Jbtq6OyOcXYHWj6T74BDA1hcilHrP7yp5w3Za7DwKWpp - sLTcXo1ZywokwSBH8lm1zmhnho5BN968YTbwqb/y4FMX2MJP/VIgjgpkl9KoiZHM - py818xRsVttggsqoTnN6mtOYIEOu9lQCtA8zXgc5BIr1xDpRlVmz8VyeG70a32vI - PaG6BAmOoIQXNikNqhzyinSKkHHzDFGyxfdYGR2bMuGNSbpIr42DHOHVKWd7mzHW - Wm3BOaFHe76aYUByXujBPJ1oXm3PYLAPxXVudc4GCj23V3fj7oczCU74ggmmFLGk - PJkRRIRHHqAjb3C6LZ2V1sF2+eazlpSLcvf/KVRc12wFMzoPSpEb+Ft3MHYEhBn6 - o+7+BC94RhGUzu7OI2dK0oMUMZaeByLqFLHH0iZ171TuD3Tqr3NnsUBTJWT7hPw+ - FN/yFsf0ZbRiShv4Vvxyib3NRZZfZ3VTG11qlV1xEBEsBnA3QzUr+J923FxPwOkj - jBzxv9EJX/imXCj965R3vevCbc/6xf8Hy4x4GlqtTTFsw8uKwaQgoqL9eSejEcpU - TXrMaKN4zUEgT/ZPI76teU7HKBxNfS+1yocznaZ6dr3SN5IwX0tX9q3k9Y7D0DyR - LI1U0Wrx7JmbXQa/6ArKzp3fuwNFVkfQNbjvNFh7ghBTWQ8rWXtOU920KzAKwL/S - XgHlxl1gj7/YMrifU01zjSOerzzLetDRBtBQkl0DKeTUXwIjM82Hd8CP2yFaTAFx - AqjVgiJBB5ffCnKLz2wB8QP7BX0IzbVaNAgxwM+dx1tBH5riSXuzCIgrPnuEq8c= - =0rd1 + wcFMAzUXo8ZPJwGLAQ//YGciouPJhSuo1gEi8A31dsuXM0ka9INVTCtOP1kcZmAT + 4ov/00GfaCd0XkoX43ZEV7lZrpQ8zW1iBFNi2Ojknu3HRJrmiRtTj2wv6ZOtsyvz + 2Ac2ADp91AMaACibt+XzEPGtnU9FitVEl0MM7pbllcu6jqcV/sa8CNf2564OTTQ0 + 6Fy1NsvbpAwJ5lyk5fXxsUlR/SGN8HWJRjytal0DLwyhgQZpnbZro+pMfM771x6U + 5JztJVTILMGhfomSa5Tjotkncfilymjhg4eVGoD2MVbc9pjmze+pLzH2cjP8NyyA + 4zrp7UgNT/EQM8RNgYg1KxIPGYYIEa+83253bjfCexR2gh0xlyVqc5o0Ql2xBUVY + LckLYVFAowgxuTOFDLIEgs5t0qFotHbLxQsfy1grFShhp/4p+vPRq8UgAHBjTzTJ + NKw69yaJySeZ47hR7p+AUODTfjyZ0UrdFraI8qT16LRa9xPH7S8+F50dj8aeeEU+ + ss+3g1ionuNGztLWJOK7yIm3ZHh/RIP6DyLp7r+PAII9jyWQLOOWZ1+Ugo8irevb + xGBMxt7FhqWAxzGMBL+x7qSOGAh+hDv4aIP2692nBjSOwmao5LF5A5jsLk7JbJ3e + 6DJz435wCdbNklHu09oSn6hoD5LuTFNP1K/q+FmOd8GZKhaqR6SXJuTN6RfPwyHS + UQHZexhIfUx4aUQFzY/PbFxjI6QnHoW8PgaZ8vrL598Mpb5Sqd8Dx+NSnN8ifEXz + ophXLjNmlamF0wyx8z9bEitGwZvckt5rSdu+KxkF+duVAQ== + =QRWO -----END PGP MESSAGE----- fp: 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09 - - created_at: "2024-02-29T15:23:18Z" - enc: |- + - created_at: "2023-08-14T09:08:12Z" + enc: | -----BEGIN PGP MESSAGE----- - hQIMA30JDs8MiK29ARAAvPwNXd3KkiVXNtNsOg1udXh08URE59ZJJUPBbe/XOHZI - aUlrU5kwfswTcpmbHok1Faw8ppw9u9HMmL5HoUQ3LpdYBoZFDUmnu2AAhWjEilMB - EoQ/Er+Nq+EfZ1XDufZT3DkHydPVHEIPrau3U+Lf92xzOi6Gqcdx655orHrZSyXl - Z7xRUZi/Py43olmJm3jaLhhju3nVTOPJWAr/im+lVEtTL0jEw/OuSo+63GFmkILi - bESz682YVL4ZtrPwQKZpdoIzsqwTGUSEO4yjuLEshM5QDL1HFE2E9whtehBAfOt+ - 4wTt756hHFpaweQDUm9e+Ce3sA7lifTVjX/h4ZJ55etW53EPP59bTW327mk4Sxxj - X85wo2kD7CaUxwrk01QBkAptuSdUf9d03cw6t3EH/uXYER2mc0BNPdlJB44eYtXE - mwUIk1UZ5rZ2tUPKIdUj0xFNywbTJPN+FKgW44y7k1/PcEKQpwndK1Xoi45HemY7 - cMxMptNSldv1DAQank0CG3xYdCLfkLXfixOrI64Cqx8owTPLvUCic29e7Rw3+vAw - LOR6+mSpF2bGMt1NvpZAP0nHTijWWuGg4V8eMyJcdQ6eHnhFjVaq+EVqQlYas9ym - gPHLZ+eQ2Zy39nutaV/CgmgeniXS45l/H1K6QFhJahg7bpa4Z/qWRAkF/jaUfBbS - XgFhjoVIe3SO2E8YUh+Z0pFyHo5GlKkgENBeO7KJbiOYzwLoIpvpO1baIhHGPyrj - Th/Qj0uYyPYknrwgNivl/c+1nZbkNU4Btsp22+bw+4vq8c8jHKgtvMCwKsNbU4Y= - =beaI + hQIMA30JDs8MiK29AQ//bWhIT9dYWez0pXeu/NGoMFBa2OxsxxRiJh4Yz0FPTpBl + meDjRhVgg5avcGQT30bFzN8YAxFjoLns0/eWTZvoXWA2boSIwGbH9Yi5tmXp2OKD + mKxtxOQzBsDnzCR5wdUYNbgDX7ebgeRL4dodDpG3MSzWaydSLogCvhDgCE6Spfyc + N/ZvdN4pFzeylQUMgtMinfuAnqSplU1mgkE6Fpzi/BG1mUZyqDEIwlEzJ8uxQqMj + DbiE0aZkt7tOoYaSaX6X/wCkncToIjoVBm3Vvy4nVD/U3HwJMWW+xxZKHEyg3bwm + jySJ8bSoj3u9B0OVn3x/CQpRbGfYvWleCgSR/AbB8x7ccL49x+n5U72q3zsijSGJ + NmS8HZfEvYCEP82Zp7pCZOphrjZg1TKgHB3MXkRdo6tmy/jtznnMbQyobYkj6lFB + NsLg9wcGwG9nK5PK0kB3YrBTi+wSsu8ExxD0MaNpOm12v9ygMbNU0n+bNyUyEseI + KZLapICHWSLSRuQWbbk682CadXmqLlzzzF/FP+4mhx1z+S7f6nuzbariK+ccI4XY + JeeIE9M0vX1foO782WBYI3TvGUAA/MCWdrze3j304RgTxSOl6m3IKq7e89HCt0xo + PUQyfD/e7lsC46dxhuqI62ikKrTgtadVEjTCSUqRlVkJ4DGCkGae5BPsPcF7GpvS + XgHm3czu9w4jda9Qhqv3aqNZhletlYeyJEbY8/7V+mSDvvgjRTZxrxfDcPslraLm + WqqT1IAZRL339pJnPXtPnvAZyjxU6INTzGQfV8j0AAZbIzCGqMU6xkuaStugASY= + =vPdd -----END PGP MESSAGE----- fp: BF37903AE6FD294C4C674EE24472A20091BFA792 - - created_at: "2024-02-29T15:23:18Z" + - created_at: "2023-08-14T09:08:12Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DNffZWjBmO5ASAQdAluq9PmE0yZUumm/G4UtwQpohy8vpNzAh8D1EWVj2KgIw - CkO+UYwhgB0Sl4rqYYgyGI1FK0aVQQYEV8jlvVpzWvaKga2bm3yT7kAp1o8b5Nv4 - 1GgBCQIQp3OqASoqHK2MGQURJr/NY3aHQVBltEe2bkgXj4FgBXu9a1L5hwxow9Ze - YMDBVLkDaH8oCBBwvQVdqBmQe+LEwyr5eb/r0PtTksOfuQQ1TV3kX1Gj1XN31ilQ - LHXyhm6gI7zslw== - =zVpt + wV4DNffZWjBmO5ASAQdAKSKcjuQ4oCCz1foAgnTSXiRz5FRTE8kGfFMVnZxOpF0w + FCTf4e/KeNBkkHs3fU8KikPirMmbO57MxU+w578efXrM8LRgJFvvkkxLr6tMpfkh + 0lEB6rCNiRb0PzqkowhMZqL6vwqBA7TF0hog1BGkdQPjac7V52oIVdqMyMJU1le2 + lb6NWDgi4mqYlrX/6+cTHnXC9Mub75r5iYzKV935PmUb3JA= + =U9Xi -----END PGP MESSAGE----- fp: B1A16011B86BACB56ADB713DB712039D23133661 - - created_at: "2024-02-29T15:23:18Z" - enc: |- + - created_at: "2023-08-14T09:08:12Z" + enc: | -----BEGIN PGP MESSAGE----- - hQIMA1tId/HHLgxAARAAkoe0CqLnz2Nythjm3wnMVrwv+U/ZeaVGemBJCaS9MWXd - inmKUj9fmGdrbqoIhxwgbMBjuHFWrHWO10ahMjQ+X8qOH22SJEDYhZ7H3I+KkuFa - dBrubZizjI7STYSC4vsLftcgNkVtaIWNhc34t4Gv5Dk5rjSXuM3WORm9xrIvJ0N1 - KXBUP6JF9LF0JZTwn86EWeb7Fa3QDKuQ3T7tM+8kypqyh40gd7sKLx7onXLRacbq - U6fcls4Z3m2N+NayNyi+EoKDCUOkDJfms49I21acq7wiigGE/pIDA6MFhL2X5N82 - lj1V3SySHNXfm3QeHi0HvWiNtLp5W7yDoN/T2kLf76gIsiXlrnSR9BnvY0LrnYTR - wY+j9q+942eG3QL0g9gG7L0mM8wZ8QcvdVmbgw3WpbValHSEXwfg4kSuCroZH38e - XEzSgqbuBMrEprGnH8/+gp2VxxDcOnpUQApe6tvrSk0d3GmGxoIriIQonrvEPnNJ - B/25jIns9X3DK3FxL2tYzUSIXv00plLLuy5P0Sl1fvD3/J3faTJ1uX8xB0z4c9Nv - /GG88hE4Al+2da5XRdDhgrS8L5YX0gxKPvwFcALO58v4YU9UxNjp12kEnteqbfPh - 0X57Tin/2cvPdH3e3g7CDi1RPHK7mcxqpcshmuiPNVhou7I7tTh7BGJpP6vpJB7S - XgHwQVfKx/rmB//dUZ3ZcZ6IXActfAxm+F1uXjhRi3hbctLV4GlMAV2/ijLX92Ob - WZv+zdCH1fioicsObmRgYuyk6gPlpMyAA9u915MH12o0G/AwZaquIfocmRlDwuU= - =zv+X + hQIMA6MARpDCLIz2AQ/7Bvm+qrO0UdHN3goHTwAcy2TKmthBOrknBjTN12ZVPV0L + 21fmywd1MAJrARYnshhUkaaZrjd/hkeRfk2GfRAM58sHQi7J16xVxhvurqErVTTF + 3vOyDeZ1VkscmB9kWYpg9B6dkffs87Yq17N6wTPh/bxStYImRuHx1TmzhdsEZ+9k + QmBeOY1nEGeaHYcXsVLNrfHwcL+VX8kCG9f5W0voR5wOcoJwOEQzz8URzKlzgV8L + uRAhtEt6zWmXv7BiVW39r1JnWNgTjVwp9PhJI6knghiIfibXndGc9pDhJRuWnSQK + d9SrCEPmtWfQxzhdAlFobLI3XkagrZvSj1fIyYbT1dwEiR+4p+FoOp4YuN87xs0I + WeDPUoEMABVpYG6PoICWxCvaFU1cv9yqAc7TKhM8vDFQn1tJ4Ante4U9dLZ+iEbw + LxFr2XdQXLiqYUOI4dtEWO8IQqjyxva3AxU92clN7LIi3CeCDoEJZcg3l4eCtwyP + NUOXozZjnEixw4Q+1EVZZACCTPyAb5Gd994JqtjYmb5575xApWWiQNXf4hGo/WGn + zV0ZIfvohRBKxpWvgv3KUZwwHzz13AbWlBjrPIextRDdnQRZWv9jU6xRUFLM99XO + PlYbAPp5amaYRmwvG86opjcqmPuUTT/W+ss/aK8ddU69KYM+YI7OzqUXC0zPg4bS + XgGpDo6bqCP2YYkSzLYwKzMUHgHz9Ml0IyL5DQw3DMvu54IGL9nkgEd3DyIHdvsn + roJxHvGw18eBhHT0mXuWi9iK0vVMJW8tPw7CVZVSKuLFFsm+3LgkC1UftLvT2yY= + =NSHU -----END PGP MESSAGE----- - fp: FB44F0746DF25F0B24A2EAE586C8A257C3EC82AB - - created_at: "2024-02-29T15:23:18Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4Da5T//DC6DJkSAQdAtDsm8pgrR36jWw5qeWr2Ezxa0Y/feoC5R2rDatrPySsw - rXez9HoJLmHPJf5iFMxpEhgO8LAeRkSOUVDoMQAKnwP76CRAI+Y6uDa9qlWvWFDQ - 0l4Byo0ib5MviXkFCy0ZslKpwAL5NR4VllC87HhndwkynizQgRevmB+ITU4QeNZo - +eNJaGphJdn0CuAO1F4vOw/qTHSzVxrLaux9J7Ovy1oM/jbFcAbUIelfkLZc13xR - =5kVn - -----END PGP MESSAGE----- - fp: FBBFAC260D9283D1EF2397DD3CA65E9DD6EB319D + fp: A4F92BC7B792108A463995827C1F2DA2BC929412 unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml index 108a8ea..aee5279 100644 --- a/secrets/quitte.yaml +++ b/secrets/quitte.yaml @@ -1,173 +1,167 @@ -nextcloud_adminpass: ENC[AES256_GCM,data:v6FYsO/RklPSz5uf6aYQDhdudHb0962I1WxJM3VGc0af6s/fEz2j+UTu,iv:WzS+jU7qmNQbd1RWDempdu4nv0ytWeybF/PKoc4mvTc=,tag:1CF3ZnQNDLv11j7UoyYsjg==,type:str] -hedgedoc_session_secret: ENC[AES256_GCM,data:WO3j/Sp0LHyNC51jdzChKB46KLU7l57TBVNL3v92sjs=,iv:HVizKMCd+d9cTQEzRncRpv9scldg5Nn2fBRz0D58OOg=,tag:8HZttVgZs4Ah8JWTDaTySA==,type:str] -nix-serve: - key: ENC[AES256_GCM,data:GptsUgeXOOrwJctoMZ+mWXcw9DwJ0f0LOlLyMlH/877N4uA5/NtNKIaFHl3z2GWPRBnDLBzDEO1Q6EDuWbakr+Uq4zTJm2MOV6Qf4kM0BlNpXGIdjvh7tD2La7GV4ID+CT8U6p0E,iv:3A/Yy4PHsq9VdhW4SKIYdpd1enQ5cDiKLk5S9VrH0b4=,tag:WZzbct7LZmOhEvx9KVQ8WA==,type:str] -keycloak: - db: ENC[AES256_GCM,data:DVf/pVCHHUed2cQleECk0paBTZ/6Q3NE,iv:j3sWWNL0dqPJBLUx10+jJ7QvdAHvGM55KKDwG2aQEs0=,tag:6VTeE+Prsm+LPemzbEtVYg==,type:str] +nextcloud_adminpass: ENC[AES256_GCM,data:AJHISi8zIVXOMPZAghgBhEsIYS9NT4XogmyCC5TI33k=,iv:sb09G5T+7UdUumbaz20XFHuOR2tC8rQIqQP9/wOT77c=,tag:uju5DqwJtFtC7Tn5J5Xmqw==,type:str] +hedgedoc_session_secret: ENC[AES256_GCM,data:l5a9sd731MDjNRu85XNOWJcGmNkMLsyW1jHbucn9fGg=,iv:SZhcy7IWD0pwCnL03QH5VKHsIvvAL/Ex7zFiSp2JQ60=,tag:chWdf27vLwb4W4SQl/Y7Ug==,type:str] +wg-fsr: ENC[AES256_GCM,data:g4h7yCox7rLhJOVkvEPJi0g8pVMf6OduI5LpcmXBOrQHEbnyj6OajD3nbO0=,iv:WWyvftIoWwUv7MmcnVobcyFYyLdpbK5zDhj17j30VQk=,tag:ZxSkrRGfSL119/E4eNcntA==,type:str] +dex: + environment: ENC[AES256_GCM,data:98xqoRjGZX40f2+gqTiLITuj3285sa359gapa2XurQQD6zg0mqmDTxgcU2dj0Q6k9GE0l5xF5bkguA1eVofylTY9mbidWy5BThisqb1Krv6/gdfybY8Vft/x/A8Y5S71iAzyQkSeLj9Dyoh2Jjro5eSpiA5GnAgTnFL3q3mhy8herANRNMSP6s2A5Exzsw0qzTC22KGlmAycGP2jlm3OU9cqwLYWR0WItJBE/2hYaRSaow/VVuQLTY2zdqrs6cp8SmOiMDdJ5teu910/FLi13jah9148jNKZqLtKx3gxiHweBKjjFglj+jZMTQu3O9aGF7CR3y/EuzAAnqMR5dahONURu06w/0KSXCHX14DxfFU=,iv:meB+u6JhU24aqOHJLmxH37k7DOuuDc61V7R3rMm/qic=,tag:eAzSueiRa3EfSnpZxxGiXw==,type:str] portunus: - admin-password: ENC[AES256_GCM,data:fESE6vrKhtslQO6ZJGv0T9t+leOSrgkY291orkwY+HPnOh26g2PSMX3j,iv:qmbCmjg0WsbOzfv6LsKcY3S1ssVXmaRB3lE6ZWzKSww=,tag:t8cP8XRTtto3EnNLEdz0yw==,type:str] - search-password: ENC[AES256_GCM,data:xtbWS98IkQbnBu67sN413VNHZLg6eedbStE2uZ2pljS30uoM3coO2d32,iv:lKMTNnQJJfjAG7aX+G0eNnL36Cxmn+cWMRAlTovMJ4Y=,tag:FQGRBqsmY2c9VVIdBvGwCw==,type:str] -forgejo: - runner-token: ENC[AES256_GCM,data:6m2iTuIffqWqVnyD3lo8EazKU4NnKsqvafLF3CpN5qgLshG5ouseaf2RJaX0og==,iv:Nou0N5Z4k4+R9ZdFlTKRBmEJSlIGIPlCQ6E/6i1vdts=,tag:otDe67Hwccoxz1dGmnIqAw==,type:str] -sssd: - env: ENC[AES256_GCM,data:ng189+ulH79xCZKOn9N5kN3KqED9dWqLM8dErukJH3a3ivxhUjyy3Tpa+uSnJDh8tAyOesT1j71mlTgKQKb3phylVEdL,iv:i8NEGR+eQ42q5be4gJdNMf/9DCCcjr3gwkEW/+hrgxs=,tag:16EvtkTu+0M5bIlgxC2j9Q==,type:str] -dovecot_ldap_search: ENC[AES256_GCM,data:xip5KREy8oqH+58DOtw9QLcVdDlO5Nr0IHki8X0i9J1rrI/BreH2tVPC8aRTDHFPRgpBxiL6,iv:98PSXajEis7sSJ4+IkPuBC05y8w7/XRYQVFH1cripEU=,tag:LcId5rlzz3JjjZIHwoh+AA==,type:str] -rspamd-password: ENC[AES256_GCM,data:Dd6lTyDh3FFqOTeipY0o5uJz5/Mh6FsVahbI5M1njn5S690avzQ4+8YISrwkuA==,iv:OAuA+t2KzGDvURng2RWFAoMNfw+RNLtM1hLEniuzz9c=,tag:RBN41BmsrvgXKEOa8gCDfw==,type:str] -authentik: - env: ENC[AES256_GCM,data:7Mcqe2/ny5oghO8kfV1b5LksxxmNGTn6u0LCDH1Q8kwkidOD6MXyMbyzN9LRU4ovDXwXy+ztwnNHBZPvGSGMKUMczIn5hhiA5ri93kk9G8Wy4rGjjt+0Z+JKsZV33rlrYgIr6eGy6Ps=,iv:gkzjx9yQQj31g5fBdAVKzAslpTUjPp1yWnOWQyotYy4=,tag:uOSU653xBYUai6DOF1ddYA==,type:str] -grafana: - oidc_secret: ENC[AES256_GCM,data:oH+VCL4e4wve6RyVwlTXPSmirbf+STD5FxUj9OjGDLs=,iv:PhVVCy5JyRa+fOrYAsnjDL+97zYASmKcBzB8t9ZVWIU=,tag:JzGO/FeKem4vd7ApvZ2Zcg==,type:str] + admin-password: ENC[AES256_GCM,data:9EglcINrzDw1d4VaZALOFy3KddlwAvaWRuUZvXXCmE8=,iv:Z33gf3BqmtvSTNadrAQl0LgU1fZ8fReyO4fFBvy+vlw=,tag:zPTvOeEsc+MvqigesaBMkw==,type:str] + search-password: ENC[AES256_GCM,data:Rf69jCganUJJxyR44mbEgB475SitvvqGCmsMXHH5VAw=,iv:ilOVy1r+HAY3t26yJiO6jExtrl7kll8Mi6fqzBcjYRQ=,tag:KyZCbPhlLSkgkxGT2Du5AQ==,type:str] +dovecot_ldap_search: ENC[AES256_GCM,data:e19xmqOra7xJPPVnW7FtCV6q1JfTDnzgtvEpAY3SFuxCJ8Ucnt/6c/ZlJEM=,iv:XlYw6XpvENraLCnoGpEnqa2pg7VIuU0WyFZJRqjusmc=,tag:UaPkh/Vtv61kRaW3s1dznw==,type:str] +hydra_ldap_search: ENC[AES256_GCM,data:TkaLjcnB1M8/6PiKqzKb2kiv+ix8k5Jn6msV6xQcfcWDA91LUrLlHpIP,iv:N2KSltfWhbn2Csg8chi6DfO6UcIsP8dA+BDQQ7mGPUM=,tag:FyNtOl2WkQ6mi+5gDnjftw==,type:str] +rspamd-password: ENC[AES256_GCM,data:mn8UWBlXKG1s7cP/sLW6DWiqbAydEbv8q1rJzX5zNaZEMjpYAxrGj54Md5XmwQ==,iv:C9vvICgL7GbsOsWx5FyFktospIomfZK4qPh8qMqCELo=,tag:stOGL8UmHocAGWjjjRNZVw==,type:str] mediawiki: - initial_admin: ENC[AES256_GCM,data:JzW2rgXQHXxj1e3vFhkXVkWSgrA3Y88KWlQ81hqUHw2UvnBH4GWtMXbZ,iv:zqKUyEaIOa/7hpwzjJPwk5gfqbEYJrE7Oc1Zqcqm3vo=,tag:T1gObIGtI4uVdpONvIXofA==,type:str] - oidc_secret: ENC[AES256_GCM,data:XNbpKd42PLV+orXY/HqnYKOpt+HD4EmVMtAR+lRw+x8=,iv:XtmVdArhYmp0E1xL5lD1LMjJt+vyQPv/lG3g6fnsD00=,tag:onxncWUsG3QuvUebgVpLnQ==,type:str] -mautrix-telegram_env: ENC[AES256_GCM,data:FyMtJChtir8Ip8S7zlBSvKccjt+7Hl0StHzxmKO7VdwNNA650HHfni9o7akIY52+r86tvP3D/bqHaBZqkq61ZNICnFJuYIkROvt1035uej1cdjlHeCrZBttI2w3ZkkKT/RZq5BOLt52o/fnw5Jlt+3yr6Kzd5mvcz6a2e5V96kFjaib6mMdg/Y6axiXvOSeFOHCjs6Js+ab7MDe90KUM3aLtBezXx9YTeU7RiqEiZl21dxzPIwilj8bhEB0RRIb1,iv:1ojF2NyQfaZbKwlHQND7LEOLWT1SWCpGPQTm2+0Y+xo=,tag:RavBAv49Ldm4rH+2DDGstQ==,type:str] -postfix_ldap_aliases: ENC[AES256_GCM,data:beJTXpJYlAz4vyv2rAyuMtU2gkwf4JNnsFAG0oKLWuKQZnX/EyqyGTFK7hOs12qye26H9Ysl5vP12iDyVXU4cyYmBOMSOiIS4opPVs7yjp/FH0u6DXHExzd8qs5vwa+D+c9j05kLVZ85EGneDma4ITNBjo/JMjyXCHB0e8EZTFyfR8+fq+qvuyOUmLBfJSO5BK96u370DJ7EmIPLDiCUSO2MCD86yfFEq5J++ljeuKLxUtisqFWDPNeNq3YGjz0EHUgcqqDwzLwEEXyvn5FEI00nR0qBgSBTSWRDrndo5O2k3JMfZWW9UhXXS4kPwCYEkQSM240cwLNV/Rb9XceH2wxzL8PcfTNiy2vd,iv:lb9u3ryu1+G95OIizX17ft+fGK2CA2xt9DhYhtKda1c=,tag:CsS2Q32AgAyS5eZ7Z/Kf8g==,type:str] -vaultwarden_env: ENC[AES256_GCM,data:JFySiTHahlUFsM+FcuSJPnGYMijphrnZpFFdoNe7DYxWjIgPRWdfH9WC/a5GsK2xCJXllXAASHNxgkYRrdPw2KaCiUR/QhAjtUmyv2NsIBcMYStafDUEK9emddR+ACedScsgS0FtP8f3cz1enTBi+DkYgL8lMAoCw5p8vMRyE9mVOLpTUDOO7T4=,iv:992REuXzHAxxhy2BbeCGNhTZkn8eSi8N2RyBXqqy7U0=,tag:iP5AFQqzoR66AkTGfYAUZg==,type:str] -kanboard_env: ENC[AES256_GCM,data:AQ3jU78hi8YGzfWXTo2wnS9Q9hucgtKBrB/xiIyrZl/j6QpQmr/HS6gEizgY7Du8ZhkRmRTZ8ks99EOpPUdN0LXhegZB0loCWEozkPCn+N0UZXqKDVAz2UsyQu04Eu4FPRqw9VMIS30qJarqZGjvAJmBWNd8znW9ggtg8bMxqwWuErdyMhCCbXeAsw4O8XasGR27e4SGRJNWR5QH7VX7GqOb0Q2AFr9BQhNyO9MgczmqwldqirqaIACIaSVvOOByh56M+rbWyiaAL2O7BqcHS0dtV+XG2uVpxb02b456iArRyKco41bVC1sSRfi2ewCNLma+yNgR7t1WYZeA8537gMX9LaU5ORnn+L0toM8j2yUnfW9RYA3dqp50Yt2UKH/jjLwW5wKLrOF1G2Pb5TAl12ghPLfTfJiuv1SLgahLK5lP/I/x3dJ/n3gm7/lqu2EPDnaPtPDotV0VWfBLwQoXAjSFvSZVfxwYIon/ErxsACtxgT1Ss4L88Ggc33ae1BFyURX7p7738eizsqUV8WWqa74Jt+uT32nU45B2DyyzFQWfy4mGsgBssuZzgFbzLyYDiXfcq500K16950cWPH9s5Sx1XooCcHeTJYyVHklCJ/0r3Iz2g1TtKktpr5XW7EEcCLKQ86UqpKwg9PwEHVnYgFKe8IuSeAAGzZczeUFvERrRJs8qZqPE1IaufozSr5bGBh4eRdv/kVDFyh7wJ62xStVb7IV+sXogA13m/emfxdy1RBWftHcsgZ03r4pdp7mHzNqRvYYscx4UzB237GNzG82PJ/zLk73XGRCv4iE11KWZs9oyoOI4RFFvGwNS8jV3wWh4I7Is3SWO0cy+41qeuL0oNeRVseVENZ5zqxC1sPIP+z16XiTlGWUefTYinFjKmjojF2+uSS6bGZteB70iynB28FUUEqU4Wa0RwGDOck21cw8PnIMpiP+LWdnaH6sKS+EMl9IXcraH31wNK76dcUy3dPqU257bp1e1OJ0Y/fO/1ZTT4Usm7CrXCon0gcDWFAB+c57c+omfYW3kZ4F99Y2ht5QZEvjK20rEXLQb5e1SqIC0ssjP+7vpc+SfNQ6jQ6B6Vye9cyaNkgzGoWZFwHME7cgehs+2FkCOVgPlJ8hDupSTc1BgFzT3JJtejsflbMeoa13nvTYWZopW5M6Ym81TQGv/awPimMh17sDx9r38bU+kiVs5Y6MVuSQZIRICOtg6cxh5Q+fDzTyirsrctVGdcI96WyW90IwBL2wYI7ntWdNwaAPoTu8OFw0kKW2+JsaNHeXQfGmWZfUtKWIJetnUn22SLAe86J71hFBveVlokehQ7Fcg0MFt2r9mlR0/eP1aWyrN54tyEv5uOekmKE00FN/8PpzgH7qasvRPuuXkotj1gazJYk7Tz0oO9OTM4M/yplrL8fLOwP75Uc5PGGVu3pHmwkfrjhh72V993Su0V3us4p+whv2ItZ/A4O0np9CSvFEJXOS4esCmsXLqr4BbBy2veoxnIiF3MEmEqbkMtgkslnVwM1RVNPCKESxFzu0oU5phyWn0a4JW46g5lx1tm/GWXlHQWa4=,iv:x3+PuXdpZ+SEuqHo7icQVyzGEI3IdEyYjjOFkKbzq2o=,tag:pWoe2PC/tEODmz7o6wcVPQ==,type:str] + initial_admin: ENC[AES256_GCM,data:osX7QwHPfmFAJHGuXHY/td7Z+JNzHicixZRvWNLfG+o=,iv:SuKTItyOipoVqx/39+UTDg8npsp0jDaK94k9rPfYdkA=,tag:emNMythpZGwm3Rp8Nx5xCw==,type:str] + oidc_secret: ENC[AES256_GCM,data:2JRvHObJ5xB3A0XduUwdF9a7zzeEPz1nElLEzWC6Hz4=,iv:1tKMlme1bR5JcEk07Xpq99+OHxdtCxjc4xHNlBxq7X0=,tag:cyhstQYvEmjI5Zjj2GWtFQ==,type:str] +mautrix-telegram_env: ENC[AES256_GCM,data:cuQLaLyZ/hSQsN0DnyuBSsIuoZGTUrDsV0lNq6Ky/1pgd5Ull9OYJu5bsgMWauki6lOprxqBE+32TSoWPb8WFUT9/NO7U9b+aoaCs/R8HeePxnaIyiBiGv881YY54Ze8jLXFU3XAxj4VHESSCNSEktApTvJvd1VXJjJGoV3iFWZhl1VbLsE+lQSHSiDLU6JqUyXa6k1BGUepGrkwObGoKyLVFODF3uahXsXtcfgbMQ4UfqZevh44dj+kDDtohXje,iv:jmcWTyVkqu9nDc1ws2NxkMKrHPZ13i3jqDkk4Y0kejw=,tag:h7llbDCz8PmvfxLzrQlrCA==,type:str] +postfix_ldap_aliases: ENC[AES256_GCM,data:11ARqAOq4bXWFGZqFKqUOGulV6rBOZ4375WXdiAD/khToVYyCdJ30ThCQuTk4q9D3L1CT1RcbQf0nQwJfAz9zODpqhrucFAIWhfreHSPeLxgWIPXVKqEISDHsM80f8cZHoTyh+hr2lNhecum4XgdUYy/keLlmzQrwNWxKQcN6fXRyEhnyIiLMEuClAfpL4vvW1pFka9txPnWFtwjPZecwCNn9pD9VpEhIukETtjVM2oCU1WRT0w6fAeFQnpHqBq/E7lPc32rn71gSpMmmbpGB5qPuGJ051Mr/QLdADX0+f8bebzGCtFudyBK5BrTeW1J2iScmXnPNYphA3Zr+Uq2Ss8=,iv:dQM6LNmIwrwJLF1pGuoHZhoJulfVhgC0HWdZXZS4pxQ=,tag:vyH8Zbh7eSQhIQ4bhwnLOw==,type:str] +vaultwarden_env: ENC[AES256_GCM,data:lGDemdGgYemaaWhWBPEMuP4yie5Ceum5ZZ0hKRLz8TJENrBNuTGGnG9cQ+L5m0uC4c0+GmRYHZZFAbWxz2JAjx8rR3lGQkSzbynTWKPuVMMulsjMO1DLVcRv5MzLRNAKgZnqiNYGXOMVhGNyTq+qNgp02TEpDJytfP5U1ZzQcjaPKmCUkEUSH0I=,iv:foByTYQw1KnB1MmwSQqmwza9PJJmdYdZbIHKrZ9vog4=,tag:OoqJ5kIjNaJZYyno31x5rA==,type:str] course-management: - secret-key: ENC[AES256_GCM,data:zMoIj8gjNmLdSbQmFo8n1pDIKaUUMzPfVoKkPlqNtm4=,iv:AM5wwvAFXKVss4N2/lK6bKYHV/4Bv5EOz2MVTxAPF1w=,tag:ARzQUVVjz+HhUT+JAISHkA==,type:str] - adminpass: ENC[AES256_GCM,data:EariUHHtWirIXuRARj7lEneAOlKcjca9T+J0oH2xPv99w4ac1cRrvEVD,iv:cjC/+AnZdwWXkJOIAE36Hk/if4fqofVFf0H8WkHkRY8=,tag:M+s4hPzSp8eR76M/7TKXPg==,type:str] + secret-key: ENC[AES256_GCM,data:wWzoUGt/5Yusy1s/RPhZbDJFdTCjxHiRODKhDnOUUik=,iv:svN+pmwBXlL7ghOiF4y04Tnivv9Zr6ZoVWrCVFzs/gY=,tag:+gTxfipVNLGuYZM8KDsoIg==,type:str] + adminpass: ENC[AES256_GCM,data:Y2/WTOCGme1C8jbKla+I0dzNWbf3JtACtZD9pd9V3w0=,iv:zXAtduU460I7E4dQjyln71Icq9PYGP40qxqRfv85WIQ=,tag:dMz5jlyy1S04/sMt2xLb+A==,type:str] bacula: - password: ENC[AES256_GCM,data:MrmA++fEUNNJojl9xAHlaWjhMrpAWjqi2X+6x2dWd1NZU7gDpLR16hDwyj3cfTsK,iv:iVN0pOx4/VrlcUxeHtMuavM/Z0/iZSGE+oY3idCKjtU=,tag:QiWT1xT8ntcyAjOU5SQLGA==,type:str] - keypair: ENC[AES256_GCM,data:d+ogqLfdUGiUnyL8nhlVO3JQUX065hx0Om8mSX2zE701MLPhM7riCkpW3DiKcKgiPSMWBWrEqYtMJzr3rJmwqOEp52M+Oj/meR9o4lepJ9tfYoXOft8TIz7lslBS/YCnIV/3PO9B6fjBPxoSEU8cWoq0KExU3UM8NdsRK07SdgzO6cOkVdkGGpplDCAzKX31tgDDcryjbvgaxbIKIL89OepdAcep9gOOEeJx4w4ACiwE+BP4e5ZzCfxiObx+D9SdzUl5dmyg5eTER/DstCpociEis/FQK6dlAk2+njnrDJKl1cis3rlH09w2GSCmfej9f2Ecm2zPfgKQLv8Rj6Yo95aCRisqoseJJo8L/hqbfrMOKMGuiynEh6lP4PMHGSrfqTTS4et7OeDit2mw9O+n5qbfFclB9BxVURcbrB/K1PZwFHmbBm4K3rSo7mKLnRssTno3lWLgL2txTcNnWn3s2r1pbaU57g4SubU75rgoUJVALL/EA9OaOqSLyvns8XEXZUPMzxSy9tUladnr7bqB6EDbZ3r7QflCWBQ79ZrDKCxax4v6je8wCvo16xjfHpqjEi5+kH+B0OsuQ/HwvIcKWImN69c9Y6Zjhr12tkhH9wM5W1BVb8qyRaxiR9xIlHSOKWqeojubu7TsF9oSCwMv5xutlYa6mnJ0Da5V7yPeW4L6VXdYLEwAgGucDDqIvkIVnn7CT/cJ9tcQ1EDk8Wbdi1D/iM3X01TQX7aX4516yAwQQWcDXVHENRNm4AAO1uxYzVGWO7HhgqZzCmKcX1kD1pC69o+d2obZhiymNFJfAyvoAuUh+pD11eGGbKqmXtiVXC5PxxKUfq+zwnYpe9FWFXlOoNaY/xq6PxHr+Xq/5PnZYjTKa2jEEFX851LMW+JIomVlctWsHqVYknnHiJVC/huIuyUgDKZwCWOrsQlD9+gMK7uwVV/g5lTG6NRLLGsFq22wKmJbdyXBj/sRKtAepuS6JWBm7OLOqWFHP9ggFIw0EWtL2UcSLTajGKXXx6nu9uuloiVuHGGwkBEwJwXWvFlSHbErBr9KEWMCmPYwthQfX7EhawqaUmtJ14442G/9zF79PV96SV55IlicMHa7Mj0P7q/WMtwSAZuZcAb09XFEwayWHLvc4m8LxV08cKkft8H27EJDbc9cqspunu0rtlKsPpFXXi3Nj2S6ytLWLK8OON4ZTuBxrE1Od78nMLkuqJboxTE40bM5PAJbHWD1cLALf7LOMOkPuhnEl9R5pbJoM+U/+PsArufHb3qHbDdCS49ythxdzRqLU7teX/9DGeIDknmzuqZx4KIt/F5hlfFRflS2GpJnc8a4s/6nGNFKAiOail9uI0LWLxYz1pjXNoL3z9YflBUrp5rkiqbsXhihA3RYfaqiQQbvkFYcsYfVpHFkI8fkhMQ/lCJG2OORZAoafE4GI+w3m6uFN58V0OIqgyaMYna11CZWzsx8zAurHH7TcRvXSV2/sdk5gRk/EyWzrClGbajMluBbedIEPkOyAb+y0jtMSGMV73hFspqvgzNKueikcQ9azZ0pl/D4JuIFXGVlwfXPjJJ9Y/Cdk3N4JIpvEMeLs39YARFW6v+TdrvRL/AzUcUiWQsjhvyUYkE1k02nXLLdv9vkMWh7pIO0t9meMucxVCJBE7OgSf5f224m2Wnwwfp+yxsTktQBobydtzlnphzxo/wcxRJ+nGBfSA1wJj90qc0uSUrmNZ1KG3QNpwiLmYdFElKZZByByc8oD/p1VEZZAxVGKFmORLEWDU6bLz32NNiQr/zJLbTCdp9+oFbbTbQnUnvLY/L6B4UkNfRwI8peNGS6cnzm5lPMph4p6tFjju1yNpVfcrkpDTMBZMW2HvR1TJgaEpj4mR2+wYMIEXE1lj6lh6YmJdVdat8w3TX+ZXbrs4TxFYkJ99stb1b1nyVDAVDmVHWdtlxUDnwplCpv1joxoCkEhZSoNG38JaYvqsr+eESgDXF4g+coZlkrO9Bbur94KE6jS820BzdmgE7AZCoIkPHKMRTid5gYY7tvrE1oq0SZIloijLiMH4XyhoM4nYHsp2QpHl3pvglV3n6cXDN2ewVHcuQee06U3GbvPSC4Jvao2nF5LWG23ILJ0PwB7r0lfszLGy9wnprgldCp/w05Se5kIB66jDnQv+mz5rVDXoEGyDxGs+XPyzTpp7KmhxU4z3mmTRFFQSOSVf1ygzqYNLLU5Apx3UNKSbVNwdiA0TzH5LzlBY5eukoPjjyzMVqhLyrstqTpjSgWEcw3is2Y2OG1V/zDr5X6oRNGmjbvGAt0x+ApWLW7ycGPX6yUYNyjN/J3zO32rmOl3Q/Y3SzM7jnnRaw3qy3HFrVg+FLwsvhnyVWKePlzmOBFeufAPNBvqe2X659cM1N+3xQVbg41+DDK7OqerU2k7jm7AX2w1cZsLp1wLxMrXoGqTNGvwrzX7IjHoyNAggCjLwTzCC7IfkJi9SfYV4YTku3HFQa47hxpQbK7DkZyFE7BAeoIbxUohDgPjf8zGrZIsGZ+2E1dFSK7P8gmv3gxBMDLWFM5ZgIOcpj/3vMgdcKbObAWQQyY8UQqSkMDwbVRBF3nj6gFz1zoC7ZVTITyAxfG/TZeK8mpnNW/dVaCC5Sg3JXsOGj90L53BdSRkz8k8ONZIjRv14zNPI74uadiyo2P56Cc8hAptoQZlETzd41xajHYYn/E3eXBSy1eh2w2bLsqCmsqd1PwEWgaiPKAO+Np7/gWPRh5qaJ67mUeuRs2B+XfEEw/FiYk2/2zt0kMlbA0Nc8iMRzoPsOK7fKVQ+mxV188nOOtkuujPMLFliSiCkMoMhxgzntaEmRZx8f206EG3QgicJf9Pbtk8elCzO038uxki559zZkSx5TLVUHiClSI6+mHHfvjpLxfnGITrorFCOOuSvg+eiM2sxmXrHRAFT/SYzdzskjTmqWSrMMAMUY/N9KPE5fYylwPQETruV6+VuB1I0x0qxLdFE8HZEWj5+JvjrHl1Si2MGLNCbdLtotsWqju6G1djoY4KAWLohxiuwd9776kJk0iv/QzN6mt9eh2WWkvk7KiW7YyUnyfIjhcZi6ZAkmdMynEj7dGlJRy2jZMdafaz10PPJYMNsKnUs6iHTJ9lE+fOnEhEPXj6LxDTrBerXv3pI8XH6A4gSTjuEi1S6gz9Tp2O/jFnAMoZV9audf8CKraYuTcttaM32X2JDsFmZ4+RJAC6n1glsdL4cGMeDWIk1uxb+mRlpuTxDm62ObmA2GzGrrXz+Zd6EuNgy2A3hQpyoUUMZhiUUGQG058XuHh4+YtP201MhvkRK5DsHV1ugbooIazy1ESAGgo37Gu4RbTkJ37XPSXdwx1i4igQLJcM5oRP9TuuBWv/gRIcmU8amJMAINTZ2SbTd4FsOxTFRk1cukv9L6vveh7DGM42tz8yclmlKwkqv4PdVN8pkhUiCCeoyP4Ti8Ao/Ox1fk+4T0/mXWMywDi1tb9fZ+P+Zdv9xRpa6SwwOyVMdxWl5OHmNLZWwnSU9aeafk1LPX+jgQnGZedZB/0Iwiken4jg/sSf2ucT3wp5IKwBPl1qnqbFXWsnMytsS+DtVXkCk/RhyFv02ucbn95oEIudDp4fZH108mFsMHPxBahJWqCmSwWS9yq3dM0Smce8MUxXbgLGM1vM2nIxFG84HU7RJEqnc4zQQMMuMNV0ehm+ffLiBuvxN0RzssNWhDRk9iMIrXX2taFofUdW5vqoLvSbyvovmbFN6sAwYh1q1IW8OKn1yQtLFm00+C6bjbrhTK7xLPQZ50lOs2QbbFtGRAj6Es9H+waHoUXExwA+KtTyOCJuBlox77VfJ6MEalQi/rmOPx0tkP1/zUHsZbF3RzlewuarHnHiXsTrMbl39vl3j7hN1weNsCfqIBD5gDWVwkWZhrphiT3YYU6JgOYF8/vzbN81f/CddYybW+A8vGUm+zTTyDqXMJRlH2T2oZUduaEeowTukduPmz0pvSeiRZbWjEvxAfO93QA9dEssR6kS4ZwxW+q5N3ECr7wbo3ttHDJqSrEg9jOuQTLFxsRvNWzFufR+H1/p324/RJEj6RLvlwWT0UcSZHVdyFRJlXMLp3rIeIVJIr/eAVNwqAMRs5Zw9J2nE2d5hgZvWLEPZnNrIbnAi5XDa2ia3s6Lkqrgdn6PvITyWVFk9ecxou/2SzWjKVQYTe9XZsocI4aME7wVHz3Z1/jnAOaV/xAxFkfs6YBe/GoyDctUNh9FQsrfmnn9vSpv88GKe5pzUgx1rOP8ujbN92E/VTqpUOYPBS+p8ARiO3VogXufZ+lro69g9YDHs9xQDqUtWOdKd3fb6oLdCdArFZa8/ke5aUyYFxORTbxUgCqgSbk7LhtvfCMustqpLLN3dU1nVIv0H6Xp01KqArJKwtOFnAt3xJ0Ir/XT/0XVd8fjZAkXc/Wb1Tj4UeS0Ae0aC5Xq7BKdxWy8PB/7NEHC+tzxuYbgcIATWkARnWDgwtnIaByItH/eJjO/1K1xozd+Hh/+7IfhLoJG5gru556s6O2mlQOYEHixGBmOaAkPCayfYxjI4hQv9xIVPg2RV/zDl1nK0ewohizPgEaaz5N3zUkvbPp7USufj9+xVhdSFqSqjms70qYoUYixaSN+CJRsb95UQjg7/aKLIE6XqPDEGZxAFEU/P1AJaWBF2NGMV9NCdTfZCrWqoNVvM7Vnt+qpiEcmUqtSqZjCdSNSl/C5MUm2Lp+5VNfJMv4tiZmOLh6iJ//ii6+cha5+r8em2RpIte9R0bZZXX0TshUVpHOxnuVcswrb8b37ijIxfn5ssRgU9yJptT1PZD/P/65UEVTVvgi9bv314wBRJtZDJJR1sYEEf+GGOIIprIpiOrwOE5ede/liUMJa/vwAwWEiIsAWvU8S4EEpVIbgoZOGQHKQpA1grcpgGj+p81UZY/GWkFvLK4D256a/5spUmr6fvpEStRDARmi2BGLuPviUiyNvXFYzOMqGfx8VxlpX9vQcvwTWAMwtgk4SS7S9Q711BLcCMpF230SZbiz+OD7eyfKOfa+JlxY6orPY1Xt46zmC8FyVV8Kq5cnlAMNGBmmdC9FS05LSO0ZWkna8eBM+ul4licjWFv10qq8nG3t8ghwsTTiFQ2Bpz9+3k74TKbcOcH1+qSknsN7gCA+XijCq5DraTrIJCCibvQGeNnf+CwGVadtCJKV+qUhB84clWwVKHd72pdrAw4IjdJQafocPd5PwQf27ZmdnmGFIOG7IRQCMNWu2c//wulypupM5e2ZnRrUTxr+Kg5p8Bm9qivVrUuJIFeK8lzN8E/YoCR1OGQ+cKOZRxfe8sEpwxtGJmi4htQINZ8KEtjZ9OkrqtetrWpUnSZ3nrirkvOOY9cDvZL9I4u4v4eYGKlD3ewbHwmoGKK/UPq5F5Mc9Wms71aGdk5Pqtrnunlw6eeeleHC7XScaUdt66fllfNg0uort6qE5Ern1x04v88l76dAHLAGH3ycHQUNuNo/keddkUcGA/mOiuNUlPg+loDezqo2BxIrsGD5lcFBcy7Fvq6KfcvWbMQiHWwOSgNk6W26M2FB55MtyP5HOsP8+2t/s5eHy0LW/eotsCNOSAvin6LVp+bUt4vub5JqGw5/zJ7imSERo8TbnkNBG5VJMN4yqVIMqdZ2xsRbiYNdKgj5QSUJ5rj1fw5JK/OBIecjMr4scSOXxNQKkMyb/7du3kjEa2l/slsqkLssqqXxQEkaaVvcqF9I9cj2Pf+/D7H8BwxrMjpDkbu2cB4Bde/bAgznJSW4IZebPbOd6QBR6TbNrf/iZva3a8zBNZ7nlVchqcexJtSS5M8NEPEvYSNMfhCXBgpqz8MRUvfGtO8BjVqC9zV6L2t1wInUsdr7UbImUfZpudyX3p9Nfe6bUI7m39pljg5mbhEtfhzgfwdkM/X1rd+ofQa15pg3HW38fwicIWpTk0iKuw0HIxlbz2PZfWjn4r/l9xlHoDfsC1kxkyaAKRJTh5R0MLYmpBHKT3ERE+gXmN4h+S74B0M9OeLu1lcAy57541ZOkfCTOWAIofYPhnVmnmYL3hE17mzFPkOr0u4ZVcdo9ZqGowowVVV5X8nQKJfrS+eWfwpq7m+MLszHvDy91DQaGmUfbgKynq8yceRLXfhqAEEtgLR3QUOXpJVXb/AVIf1M6kSMx3pMLMNZPQfgEYwi4/uZ+i9bb1OyrIjMs2cBv6w2K0NyRe6X2erVnRKdlhhYHM4Farj9Xz4dWoVujU1NofUexu5R3mryQBg4IW/ShDJ9DckMaFATI7/cMEy7ZCJyEsNTDVd7urGUG50+eU6NlyHylUNCU0t/B4DDK18ZAazsBHuWgrRCR14OMztaWsku6NankTU0CK1EXeo6zxLwg7OMV2UrRWXHSkDvdehF5Y3TyhtIIKW/49411lVFuxqITy9IlrwtwD0MAE6dr+URd9Tsmw18kHPUBVUaxnG74Bg97pIKLOkEgBez1Yr34wIvntgkxqu+9ZAaVJhLsx5eoZVpQoMIjN0VLnBTI1oFfK7ckFzRaiK//37eFvGIPKUOqgavZ/+SlCJmjrXx3kwZUMo4lzsu1TyLdGYDd2yKjLH1fyFvDAqABdRgDNjLuIqJFEITjfYXi0fMO5DLHvNyHcKBMDNY7j7ODkwRGVrVViC9j65GxC4wPZ/fWqEQ6MsOrsn3mLW602edd0bgrwuv6xOPcwCajRCkKNkXCkX+T/RZ+h7wneDZum7OJzUIWcb+R5kQvXcu+lJKnA7o1QRkPGb3wbfwiuZhIV0SNshtDRndcFVghcX+/CGD8nZzccts8MQ3/ximHecVvP2fs7p0QBuqhCsoUATwsZOlCZs0BhdRxQZQrEYf1BwNoYEuh0Us0EkjnhRmbI9NiPyI64e2qT7UYpCQW5JsUAI6av8+vAa/qlWf/V17epb/UAWh4EhwuFIdns6jCRqoaif8papTjtZrzBZVNNz+0FJsacAW6v03CQ+D3tWF7dH3VW8w2AZU1f5JKyzeHih6ytlv4iHos4fumoPSjE5Of2E9flKg/+ADQGSAS2JNPD11yZGdM+YO1+fW5iszD20NfPUBfpQt/ohwxNzdIgX/PZsfwf27Oam0qP9OBueLT8cKakY2ilSnzTLYzGqxJWhg6MJxA+pzqow4,iv:pxhCdbDA0jZLRFLg/2cXy9j18nvWOgIHMHrgkAfYSbo=,tag:4Z73qrehEkiLca2HO1MhKA==,type:str] - masterkey: ENC[AES256_GCM,data:YvkiTf1tXMK3Q7O3v/MNMulc7Z2lgDNVLb3KrFx3oh0gsIdwbEwwPMQB28YolWIIzjhKwX189mvG7hIjl6SsG/FqNDE5B1chrrof06EGiBghdPjsvBW4gvuzsxO3y+HOBcq5FEGzltgYvUSKg/9Kw55ZIGbvGTRreMN/skg+mRC/G0DHaXRkPDbPf++SJ3Xcog8Tltjzg8BKjnQqYu6M7t0ofJ+hqj5HAFO4TxBO2yMfeRdHmKhLY9xwjFPcYy/2AuXIlPS1PWi8BNL/Q2wMTKkK3X5cC+l9vwbx6r80i7z+JA6d+2pNkqz5KU9ZCmsQZAXM6TeiuSP6uIbAcu3V1iUXODZOcsXAY1wJuV9WGkJ1IrPLEhO/xjpMX8Un220rH18U8WHFdvWwEbgPRvXdCWSXFRW5oeIFOfLoP3M3POK6boXnDr32/tadeojMplTU4OSGb5PGFvrQKeiesSgZU+4vlV0nJZo21rlIDMLqYeSYfpsSLZCMqdYVhrULHMUIbAnNpBeTbtZeZCHu/XD9/J2bgPYHGL8ker53qa05/x9Qd/VMXb0qAkgDhItLO7a+VDpc6ikgsQvShAZiZ789yYLgY/JWJh+GKb2NvIGRLfda8P/mkDaTax81yB+L0SM9ZsZ3wjXVyyjeuVimLKX+4lafl0Oui88Jx2kzRaCLwmhv+XPmR2poDVmY9nV+KsgSSBRFwYkhzRh8d5tvU618tnRO6hXFueI+L2Sw3u2O7xcYs1E7+qe2MRUrwZvJeh1k82kTeSAQtGtmugGcaG3dMgPWZ7dH3XWC9jxzaL42zlKPzqCjEk6wsHut9gE45Rbu87TU5eF4c4wcNfxjizdDSYIwoin89Qr3jLcnjtQ0CSLqyUzm1VG7VxWEQ6kOu8hOuPqPC+GG0sB8zROaQFl2itGVK8rQ8Wl27kdC0Y2OQ66oyLO5av4KfHhelqHmrEyc0p6zKmckEsV7A0odXJMhTEp57U4dsjl/GaX/JTJRTtppmt4aEZ4S4RyucXFgenshVVEIeNc206ou74xvLhiXc3XNUq4Nwp1vbbDM+6vvSO2mNNCs9ZOyfo3tv/yGXqflhdOyEdGW763mv5ifD2CpKx+pKxzVpwMhTE9cPQr2S5rkCLtuO066ZSYGR+QUA/B4iqFMHsh8NL1bhG/nPmsQcKHb/BWpvKgoG46XlAD/lArSq0jIkyWg64IvHeXvM+0I00H47/vXulbad9cXq7t9tJA/jkS6YAsUN6AxUr2998DXi6Mu0y03XEk5/tZ5ISvzjlhDkTtFcxVo84+FRKwKq7lmrC9hG6IZ7fFz6r4n4tzYMeCIotshA4xGVljNpB0e6zemrj7rCyWB/MIbtUEna0E/j4pkqIX/bFLnovYFVaiF2DHiTj+LM6GqX0MGbUWF8BJc/i/8xPpGTojaKCLeMBQcRykdwwBIoVSBghQPR+3Q3On2CgFvix/TmgH8nabs02Kmift1effJm8M16+xAH0/KTbp/YuUFstmsdr6zrOoiPDVN2CzMO7GukiqM2D1YjRld79SnbeBJ/m4rFx0rZT9AwWNWn1T8XDvG/iEqQEUWqplvJfF4B1USJE1wdDF18tS/T+N3X1ivFpCmCfcGoHm55MoHofYbM47kWGEOV6RbbiVhtIzervk6kN2LD/DENQ5Qe93c7gefSiO3RubwZXZWPKNqLQSnBRk/cm2XqfAkiK3TUOzdy/sXkDpz/9ak73jjl7mnNbIc2GsVec0P13A73v+6Yk+wMuboLaLpQxrJggT8dQ0yZzmj3S03P/p30zLL9PzH9M9Vz52ACYrdosP9xXyoYVJw0yRauFCTCD6PF9hRiWkdNI7GFPxP8RmMK6d33YdxXZFD0xvdfcB3ZUUll69nGtzU5Q+5S2saWQyXznL+pAKvZ4+IQnFwe9WjYWuPhqBVywsXF7/O2PZeg+Ba4vld+fazHm8R8WHy71sLFpqTgUdUICqKidP5gs7Rs2P5Iq5M+sWPo7UuBAIkvQ8EVPLn15t/Bt+MDQaxp+pE98sNxzQeuAXln+oP8/iwc/9tdBTchCUKq7fAQbSBy2jSS+lASbnBEPphlIH54MeJEA+1Wq/UxjmguvKA51VoA3dR23+yo6wxu4e9JI8qXIcZTvG8eqTJ/QQRF3xNFIgNn2J2+2SAvX4E091QTIDcceiRd62p7IiSG5bXOiEpLuUf410XDTBSh/KDT7lgJneviyCeclsVkvjdo4C373/pomMa+TjeyyICaokyyxxJ8RSc5B7U6vwXdQQ6dZkRrgE0Xcifv/sksn2lO0iqq5czjprb7ubAh9o/KNOnZq/6UpGHqOFfU7wpNWBMoEO9DpFFllpPnHnY7IkTQHsp/ZMgSsgvoOEw5AELf81klcUpkiLbaaDkqt8xx6bWhhzfnZVOYde7bIVvlXRxCCeP+QqpxAzdMLPtF9+lTAdPnD/8jaB5s2mvKxIk96lgNb91ARhGVRCNCsF2DJ3L/n2V8XH88OMjfdQUWDaYD8gtNFKSWizZSeqAdh5YngsGirzgc2JlED1fSET9qR4YCS2e9vWk/l5zfmdmUjayOqhtNx2Ww4JAIvmjDDkL2nLtyy0iIoGn1KUByFJkU+VhPlXzWZQ4qfURfCdZeDgx35rkmpcoFUK+7budj1LoCK+z6gdiocMH4x/V7F2Oh7VKlVrWEMrvDMws6D3MNv+qHGacjPBEXlPJC45FzeSCu5dVNycqmuRJmr9kpceBNF1cFIrHhrn3lHaodLd9sw5MjdlFD2m8zA6jJrYHCjpi/bpCjy3fGBujRA==,iv:TZrIcQKmo2UtO0MdBSWJZmn0nIZ0cjStD0SZLoiHkT0=,tag:D0qeJLtY0cwA2yDdCP3UYA==,type:str] -zammad_secret: ENC[AES256_GCM,data:Ok01cE+lgNaN0+wLZuBD6k2gsyTWDFVXEPprEvdwlIAQvwqYu2nou0GiCEcm/NF2cgsxERH2rYxxS/lPXIQxXjvHHLfovLSMH+Kd1F/T+qWZioDz7tzDV3GBom52c92kZ4XO2F3udku8IQLGsR7J6eA/xY7yj1g2CF7Vt37BMkg=,iv:5cdEBtgjXoJCve8PJDUcLQvXwe7sn/mgZIOUhzJtr/c=,tag:4fLmvfG6Ujcb5J3YGjP7Hg==,type:str] -hyperilo_htaccess: ENC[AES256_GCM,data:FuHR9S6FhVyraJ6w9j6RTUryCqgVrhpfQg9y2OdnaqMFNcIR239OBmvqn+WlgFxcMqJtpIKe8ixBZq67pjxbSl2p,iv:zKMyhEJ160MN3+54csuurMXvIAFfWG95bv/cIH3hqJo=,tag:Nr0G7qx8cdpNoW3t5P1CBA==,type:str] + password: ENC[AES256_GCM,data:je85cIfdDrRl5mkOujiZM57xFG7HrtLyfsDNVab6tBAXMZ6TvcaZrrmzjfKDOYrT,iv:lfPpWXz2h8iSyECaPVJzi8sdks7fxPHewHagaKCBHY0=,tag:1WcE5wRA/q7IB7Y1TgjtvA==,type:str] + keypair: ENC[AES256_GCM,data:lYDS3U7+++aXowGA2DLWGs4/pBxzjk9VXivEqqvEcMOLvgPwPiVKuXqHShw4NkH6qcoLzOqqjDpEt9aW5sYcVkIR7gNTiBcGLrVe88ZPHYNa1/mnwZbNVKGutM/S6wuyf8J33mrfbQ0ujkavSIE5zOqFyaHx4kU0wHdxjIl3q8RqUL+6s3+vwOoxubKndBzV7NhfvCZBZ7JRJK5bORuOrbgQMgwrACTysR4gRVyiu39ku/AlHXGCmrl+GBHTAm3EOJyrIBBoZSLNyGkFv5ay82Oe/CvRxzkR5lK2xHi7tdBUtoOOrqT1KNRKZxsXpKUP0N8ctCD5/4pAVYbhDE7KQDGfwWioT6xSJJvHF2IYAnxV+A63SkrgSSMWG/xj4ZtvMqbngJZ6KqGDqS8qmjupB4fS7mMp/lsOFcL4w8w+isAHM637Yb4/Sfw704+oBMViBFGFJ+o4V5BbjGHygIgUQXHabeOk4u17e+4V6CVxEIlrzafRcYPDAwQE1qvJ388dq9z6wws94dQnTgEaW1O6/ye8uAvtvuUzwgfnT5CU4ypqn0OylOzthNqJfr7KfX3/+Nu8tiAZEkzCvCDGDnyla0fzpm+BZwpLcAmhMv47vS5NwUghJ5iCGjssmdEDncclwolwi/vvmtYdPchbUKuKn+ro/R/ZkMDOGvQHvC9fmbn7lEJFUesCQLwtxHNsj6NqR6tYqJJRPIFOtSeak70DKak9/2NCInVwrbZ8Z12Lp6xGgc19RYDDVQ302cGhWkYfcXMoM7Vgxl5Ta57TALDbs0aZnvtlUxmWpUUwF43+t5gxKW6nEbJwHfD60G5Je8tiik0fuO0D/XsV56/ih9yKgqxhTqaMNrWgYoTjqmqg9dfhVwe8AhpXdlUR9R71TKAmkkmNJUHJmRNk4rp5ZIlVu193eybA9WyPPTWojMaKV8GQVdhkRKCUSeIyhttGZov1Xg5xIvpQ/l+TDYVpnF9ol/RR8zqCKguU+D8i1Bju28kCbmmogzlmS4Q3QoMJk5pn0wqX8NytE62mmE+sbmqSt+vK2xXIUvxUQSOvzka/Cyj6lyd0+9W1YiaTK1xe2no4QswJuTVZ7PRMZLQL2O3eGOrAR+BbVnIhsfi4fFNcQ1pxmtqCT+wvulaLd+CH1xUTBjkc30YbMpN+ElLFZBuhXv48RP82iizUSs6FumBNG53QHN+Ucv0u3wpqQwjlGlv9euARxJZVxqA65clXc7f2VzJNHBYXB97LG4eOTykVYUWsUS5fIurCZseGgyVAMCAo/YO2jMXrqcEJiyLs4EKCRo4Yin7wNyf34qhZ3ilpofADhKtSU17vXL8HQwKn0fpt6RI2hSc8xTalOAFF9B4J08a8f/6Mx5jy8FHKSEbu91usKDy9bGi/Cq/f09vBymwjoe0cvPdllOZT0Ik7WO1gl8UU8sXxDkjM0mekslQSE3vzlQpZ2JcjRHSxVsC0u+500jap979aShw63OJTa2sQ8KCQ/EJrw7P/xQJ8STtMxd5JBl/fX1e0AM7tKhb7h2JpwqrR221iQtG8FdJD8JUT6hTOQKMW5L3SZj3//GF4XrmsowP6eEbFJUhCXGUoSHWeVF2RZVALDHm8HC9cWUASIyiNCBJmV0mE1LgrAvSd7jkZE+P0DQcMOjjnMn44xYqnrQgplgI/glTt0QQqdyMfAgGrv8dfwQGn8TafY4rPjMU3L768Y3mvSCfE2//lKued4B88LAG4zBfxh8iF2wEAptU4xHy8cf3Y1cJWUPwg0xBVsslA0FKpxHKQ95LGIU0vq3EYvSOk+9eQ3BBmql9vflfhjlSlS7DUcwLJ6iGurTksapczu5kQu5vDuyc4OFUz21+rSPUph1LaOUj0PgF1B4NGRyevW4/LKIyYFxKj9ibYVWEfNrDvRXJnpXT/ffwT2t68OIMwyBIygNwLKaa2mg5RK6Il6T/F85CSxbNs0XMZnempZfbCDR1THtIY2B8WyPXH1WIEqDlEzxuAq/ldl+LOyql0R9Coos8+wVx6ehCLODsQLq+mwJIxbBc6Y91r54Pmjtk+Y4FNysLOvS1uvgRvuNJ+vz7ZJ5IB4wtFPUKGBFdUue7x9ov4GR67wHWnRARvnpgKGuvoA4ktupLXAsF6zzfgI2z/+aN6cxtUYR7yrGnxABPAA0LlWZnl6NCaGrOTNo/e8chbD+uoayVHUhQY0t4xbFedwHIEeB1c98i56SRbCqc07TpPKOV1w+DmmUvHWunUWfWMSAZs5hu5CipKSyvawnCLaHoEcvpx1nynffspzikgMeYdacxGKzR0UshySv7XWyV8ruPgjjCv7hc7hu/+ixAFKZql36Gl/uObNfSzIWjJ0qKWxzHiCQEfpkT37x9EBpLDZn426GsHix+UCH6Zucyoby4UveM+q24mi/JgBaokGcyItQHuJiTuD5fot+6bEowu4bm98R05aDjfDf3vdO3/W/31J4yYKPMvTf1z67A+pBRIfzNjDBpI8i5zXZoo5Y/urRGt6FdxT1ww1NzpkL5ebz9kbEpRqnJuHYs2JMqrsTPlQdJ25O6sPgHrU+XJPmehN1bKu09v6ThbUelVEn2+TROvzyemoPRzqjmE5BLfMjFrffnnTX4M09rNI2UhXivdDTmnFHZ5hdpZfVjhYFnPJaHwfNOSa9TQ/6zPwii1WcuxelD3JldTnZxx2k6BFsSo3g2qNefcpHBJTS9Nddu1qHAdbJLlHusc+go/yZ93h5mQdzSnO2NfNAv+cX7Liz4PP1Vj9SJiBmlNbowJxyoYF4ji0EQ/OxDvt/iLoQsdDXb5qN7YDecfdsULXY5uTdjmDlwkhvAYrCs0VHTEfPG7o8GxZna0GAK3dIFUzxMhL+ZjagMyq+YUrDe+nRzHOzGQqX87Oxv8/7WW8+uSY3URRQR0P3/gL7YyK2HsHrYR3ENMXg76a3M/pLFB6y95q7u57pJrceNed3W9j7cR5JTci34cNsfQ0VOnW8JcEjrKvve4wA97AedTUBPAjo2Uz7n6UWswbC3hv8Ffzld7SsAEdJW54uqQvUharR1vyp48RLrIv8Y51xtoQ0nfY+i65Ii09zm6LC5WR+/YV2i3Os3VKgDmBjuT/btDvi0tP82288vffR77Q5OToVRLUXfpXDd4FXzct79h4ZhXuy3tIlxPc+U1Oe6Ly6R6cKWRG58jTM+Epql2Dy79tpU+LCJon7A3UhglHlpJlT3tfVGbFyncm+Vfb4e9lTqhDRhqVo5CyWeRrMBhyHKAmBvzjeQp7Qur5c2Gsr9gYibiVTGnYijMAL5iigyndDt2tZoXolOmy908k9PfOWd4TAnXdTcYssoT4bI4C6jiIyZlf+WyxrjdvEBRxZ47+qkj49/wV3fYlpsgE1pzfPwvLDOMIeTr6sw6b22Wtir9LZUVY9OA46NZ7yzqMRDaolYIeH2MMEK1QwIrCVZrQi5NBi4Wy+ghVs4s6x0/W7gimFK7PV/Vjo2bhA2nNLcnrHvddey/k2JD0aG0TvNRYKuzr4fsXb4I92d08VNJ83zfcxeZJgzt2FOvbwLj66R56Rdy/ITKpAUNzYQXBSGyVdPiEPv5Lz8YvyAFIB+BySjXerb6jtdFsqbGRgXOn61kAlBZtADzAbi9en7mB1O0fBcFBW9En/rZ+dUkzd2pOokdXWDT7dKK604QFdcALFCnwEGlSljypU253yKMGoSYaD7E5vtjuhPxLXggq8ZP4yx0mll57VCHEgYjO/z5HzpoXbUzOtaBHsSFyEiecbHdHjlJGDHPh3sz20YyFu7bZLs6p8uKXD0wo3+wm+afkOm1zTH4sGCS1PwdekdknHLCK6PlPZRQ83n2ra6dLPvK66b1zPPvOwqrpf7OE1ieNg/WKRqmfUjViBNnaftpYnQ+wNq6Q0I75r/UfwarBoru3Xm59xRLupCGTRLqJSYEVRsyUOYBfOjhb3fAKvZJS1HSgexvQCD4b4kwCNToTdmpGBAYoPBsDJw1yZpto6eyXLO1Ad5sKmHUvlUFZHxL1tQghNCcSEVP9k/LLAwnHAV/XNPpFlvOGHtFolYSuI9t2s+EVioXLD7X+tlJHVQ+hrnGrJprvSVhjR+JJ/N1jPr6eBhbYzp55GG6C0svmhoxXDqFsG4LRhqTgHCxuajsMHOJc0uWuKKRjVWm5miIOx5qe140OgJ5mXYJv+3VJjrm4XnjppRhNeKM46Om2ovlgkqoJCMRxI4ct+AZtBCnF4NGLg40kYJpKZOSaOyuj2A6gB3G+sCOi2dKOPr6u5WseLFfy9u5fg01Z3G1MiXZIM5E7Ny0Ecos63ofyGYbSm0VXYknBsQt5XuKsgMLHlHcNZaaOpni7sn63hNI7JDsvCdQw191stL01hEL3VtmNOtfKPZXlOdaP6V2M2p933eApLCpV2VJ3eMDpB5z1WTVp0XQxDOD9IThDLKnt/AbhMC81ROklyp3sxTZY+AjHITkWdDGOFmY/zwjs9M2UuwEt8eo/4HkIqKDfK4u0y1jKf5NHzwf25hn7xAo8uvZR8ZSOpO1YNi3ecp9qUgesyY0acxY2Y5F0+Kyx9Mhfc4YetYL1Wtkr83SaFCxMjsMx5VOVNrb2q0IPJTYDY3iy2ElWlrDLKH1HNzUz3QsyH1h8csmblz2PbReHR4lUbwqfkNixNMkh752xNd4qA8CSKjK3shHle4vW44ewJQyaOLfevF9/+JkVrjbWjqdm5N4dCBQhNlfD43EHUuGTQVisbmokikapHE7lZZM1WXjT6hnvR2pnivV09GfaKxyruvFu40UZfIeD+ChXzDMcjom5knRLmB5njjpizlXiZw8cZoXy8QFNu0CtSxkP3b0VkJ8vrq5tJXfIOYO7Uc4FSIQKPig2LyYMXXuaOPPOkkwXxqo16ZFgdpBbqe3/uRciVgaxvYNrhdU0YZZj0DGsZlWgS3ClpRqO7Ka3AIZzzWJaSt5uh/YdXQtNqN9zUuSmfJkjLZ9s+Ojdw6BvJbC5y+Ia/MWOSfqxLTYZUMD5r2S0YLzF6nBGeIbZtzUKIdJ6X0Nq9N1l+2UdUJ9yvmFHfUBjUddRZWiVzIAQQ4rk0WFayHfA36dyr34wp1O8mD6rex+BHDRHPc2wwKEk3wBb2QwtLAJ21tANH//ZRhB4MM8lBLMxO5Ya90r4zXgp+buYuj0lFKz6/IowjvHY9M+fBpAVkrQi6AEPq5z6YtTC8HU1kcJ4Cmts8sacl9fsv8jvexuA0x6c0YTJq68oDgESfrcbEdDXkU1m/XxMUSVPxHGAxyhksELbfRsWRXrgOMUEGSlGC7gf0XnK25M3VdEAlKhKVIo5Qbg1Z0UllwrlAfG0IM+Br3VAghzIQJFDuycdNAjuArIo61U7iBd1veOBBch7g7nzwdbYqOhvPqmTz84pzRp/3yuEWYLkcCwph7YiAaBUh7yRwumxJQkDTk3qBIVh5M04PAXfFDFN0wekGEZ7qzv9JbNKxPl59al+hxrMnfGvvyuhVo9PvPKHa5xJCU22BNfB7LfKWo/OxxhKDVWDruNivz46/cSJcM5iaNPlwyU1hl8s8OXLJMzHSmZajkEDJWk+G677zHD0/2G+bdArdTHchQG2iE/EMq1mbD/so/Yf2T7U25Histn9DPnsi1/4Hq4/tUaPAUK8kEwTQSaWAtF+uf6hZtxoqtCtyGzpPcnxJX/yIthkJDqkhMA8YYPbbX7Uk1FrLEK4UiP758bu6lvuCRD6Y6u5e5HjODFV/RjGpoODKIVPIlVTNGXu9boaK/0wTmhS8LtXlUJfSZt5F/LDGzfDl7o9w7u3otf24DsQAEvvMBRKl7DqknUSuR0rjadxrnwzi2rbrOmMQ7VWGhcTaV8LnKh7owpAAeDdxH8X/Kg7BIvez9rjKiVQYSAV1SqEwUdOrEkaOnqIV2xnwYCETfuykoeNDJQ1M/GaVr2eNgYB0fAjHJdTYtVMEFLXJMJyxSYk95/RHNDMr862I+dHnhSJg5u13fACXricKsHZOg0gxMHgTs9pfieBGxQtG9+2JVK1ws8W73aKjVL2WYTysE7eh4j/J01nPjayRt6rNdkYePf2qhDi6mLc0Z1L7m6LlA5opzDpX3Fh/586k9XdEgizZ6OIC+/emHAdNteSzwBv6P73tXqZk9PsekA2/MYIKZoRVbBOi8C270WJNPA6lRBItyGrIUz/QZiyMTFg73NcX5lskk5AbiO2+0LfR2UCKVxM5dvzE4dYPLk0if6Zvl4uHBI0ayIVN9hi6IZIExsrER+91DqzalZM/AHSa6pl44qtk7o8+yGSJJG8i5TjgdPn7sq+LrXkJ7QJfa1YHGB7y2Q8bIvm+A4MdqDx535vWgNRQ+iYeRtdq0jtxQdJZspFas0ceaOJKYNByPLRIBXB7rBwusEmEdkAN0xMUAN/iO1T0B/A2WL4XZxbmaaEa03CJHf26gyJS/ARnDJLVgfP13EIwXVjD6vMrqC6x2dCpBEkcn48cLyd9wEskylfklEDAi6TLdwTyO/VGxvimdF42MkF5sdly4Ui/4xbjIHY3tNyXmagjJVvtKJnTlwEQT+tiHo1i83z84q9tgwnkL+3BAk+G66xcRmTAHBNfYhu8kBpb/gMeVIt/z2Gpe3tqlUCFyKvlebC+a0+7V1pRhBAgbFb1NmM++EPjEC8fFbilLbgbq9HKDm0Fqcrz3qewh8bAy93ZuAVQusnakUGKherN+tgw9WEcgfLI7lvbdAz37m4fyabustXMK+Zb6PYpF+X6P3n9hf1cZalh9RNytC22TFIksG6j2ZcbBKLF2wf6d8Y083BNceeE0ADW0vc5lEFmgx5AuaZHOUHzKIDX5Y8OXfevibnnmhlCtNjuRVPx1oR+ZD8LYhjv7KWlz+wiLkkKZnB0Hvy+GspSaFsMG6pO6m6vWZ8T14l3mkhe6oV8EO95Rxe2s5kIkq/hCzrKefc2K+GvXJ/aEmwU9OtN1YBS89QICIq8t/OMvx2CjN/Nd5aewc47mZBW2ashKiLute+2/0dJt/8JKG+SxGWHxtkDa7EPSwc4ZZjpoPF0MhXMB3PgbvoZWARegOihW7c6BvHFsxLQS+AjqYVxAYvcnx2NE2y8KS4EkTn/pKaIryG6mAvrAolpnXjVPBFTQU9PaYFlMJ1tQc1ZrUH3Yev4GP,iv:DEzZocX7nChUd6L9v3iqEeMcxWCZY+kbUnDLbikBVe8=,tag:ya/g5UxFYI7LJuiqbc7wPQ==,type:str] + masterkey: ENC[AES256_GCM,data:Em5QVv2qQ4qO/XxTKd/Gud0yPGqEJz80Xag7MfHat8CDoBS40dJbqDKBkBrIFBLqUnHf84ilkjw+lqFhkX1XHsBztETX+Cn52fxMUQKo53lKVjbOCJ17vnJKHH7gfDNgKXIOauFesWN9SEATC7podlc4ARP15jEwkVz+R0dCIS+Cs+sYSKbU4Jqkg9wAy2GWvVJXlRnQ0RKPFXww0L3VE0wZtcEqJHOeTvJvp/PAQj9q7FzIaU8krHt0byZuVbQ99drvxOEjjsnE1jwZqpFDgCLmvDsmqctUvjIX63r3mDwxMw5EF2cgE9AumVYovSj17Z8F0n8xlk+htRBTQbLvANa0y0wLB247bZDo68ByRZTW6wpgDRheIcGh6eXMqU5fde8FtNtKGhZJI/Rwx8LWQXmUKHbFReiwCHIYEqmuntZFy4h0Tz8jvJn/jl24Dr4miJI54ZJGhFZSV0hN4C8/e+fE5sWYT/PiiB+BarpRm72OeU8pJew/Xou8mdOZHgiH4JvW7JhG4tuJmVV7aNmeqQn14ICHBNSumn3oXh6n24U7IMmSybIkmQZmx3Y1Uu5jNzX27RUaf+G+n6WEV994/ow1cGT72H0NCIgIjBZI/VkR/lDdfNmo3Gd2e/u24JvpFBKavVtDmpQNwSfbnbdYPujqvplNKzmyclGJ1QKXh/q+fs1HoFDRyHCLprI+rI+hqyTRpQBABi6cNVSU6rgnRJ0U53HI1eQglT12ZVr1ckfHIic/hg4scowbHyXomopYHEzIw/1j2EFqM3tlz+Z4T2D/VozKH/a/Tm9EL0F6+0nP4kWCMgcK/KIFcR1ccG4TVKVjBcqadNO3gqObRB/AIbzNgGHrv4Vw+1LDbLSbXtLSsqR+ivjsXehg8EL4TMhhZmN1wI4QiqCcgG8UQaVyERzYoyzNuQicukECbBshRk9V6Gkc10SP2AXJnie4OiQN7Lv4vZmJ7TAamoCQOYZZyE/c+8SpsAHNoKhDYwqG6OdvgzD9uryZu83WzUY9EANivryS17KUq8RYZ9RItrotHZ9UrdJ9S8FPI4PPQx+cBsfquzsnEnacibFqUJDs8Etj96OS5oB/UvV+e6VCnG9k2OUEuqJ5X3cVfVpjvFdFk7Ercg6EteJcCKGPiFVn3LSweFw4HK9dPAtBGIfUOf2zYWjhmDqLWfRlLLRZjqLC2k6PWUMKeFCVmNMA0ilsiGdpijZzgFnkMJHSZ60I0UbwKw1HANORvZt/HuOQRWkKEI6rM3X+cHVCJSo8JvTJGc6IBCN7xbgO2Z+v8BgnEwlCcZlYC3d4e7dn5tDSmw73L6Kni8J+nFZnomvJMZGHwv06f/d1DG45wHxpZo6tWKKtHc70diQZjcPp/MHSyG/ptePsp3FyAEGhG8spYyQZTBplJdVvMLkJkMVKEGO/jGcu8G6zO9Kvdc67KYcC/l24NSlzsHPIhxeflmE/3zRtMO4qmis6I9TvpGp8CbCLWIuDeD5nrdsgIwKkYIyAreEZ+kc03akv+A8dM++IW/ZP1PGzJ9qedrninfjv2dSLgvaNBYklYYdOo8IGmVK70AGxMgAvYpcVDq6KYgtB5izrzjonYkw9aQ1XE8OJ+H6bJ7Irdmj3BIjnXkDLrH5oTR6u8q+i+JJ5rJRg6PQPhUn0rMjnl5WS5Ht7XQNhPxP0qP4hYm/+kfuGSamXfFGbXEhozRGG2HC1M7IAOiQpHWa5qw2tUv/I9rrL5N0PYbxX2OrHm/tEvLHf2qJTH/IHZk/xUEsIz/vStR6CNSB8FC0B2/XKnG7s4eGRAjixJBZD2jnfUhl01X9F3Rj18QtulW227KY9i8XYvczpf7xKo6aebYfg6FYGg3Amduwx/Z5HGB7IRp4J7rOb2U0PB0/N3dLEWAUDAx23XZ7LLX19CG63StyKHwL59ariRtpuVZCAYt3r7JFt6GNC5ZCZj7P3u3mpZusQ7jbFouS6R6LckLjitdS4yyszLy4lUCxtGXDA0aeA1hAVTxAfgDNC4f/2pVV02hOPG2R75i9UfpAqdsx6LqllZSZjDWsydtIP6BVReDo5twb+OryPv9sNc3DrxLgDK0Ag5+VTc8Jn/A34QpX9onaY2URhBcRcXS9mXCrV9kOar8N+nrmvMJOrmXyqRP+Mc5XtWDEPQHeYULBw74xuYW5jd8Bq58Ja3LIgELWkpW1sO0xYNINEP9Vnc4ToZH9HNuAoRkLx+3xEMdlNczhjiIDeQDCYX59oWrkGCqFHbTju6of191rUKZNv1OgvQW4pm4lLnqE5xzr+E6xmB7pgB8LeL810ccyy5A7DWzqYO7RkiUehBJZU8Rpu0zm5xiCCJNNfwRCtdQfx9Ii7z/BDa2QLYT2/X8ClMXPdUMww8aTd35KF4fyPCu75w6StrkAi+6jjI0X/Nduc9jHHhbMruRpkarYFmmNeJSQQXmT6PAYZm72sWno0AJA3oOml4A+DGJA3G3ppbmh4vn1PeX45u7i0antyqkhvO2Eu/r+2T0SIOjXEuM4uexAnE+B63CDhw29Gei3hVeX8oPRXXHnrY7aasA6CyG9jOaZNCWDnXwrD7mdFNPC9TVB6dnbGZ0MRHeIL1qxlKYf+/4RMJPYXULuhCqhm9jkv1bpMbuDLATKNNwMRr6bzNLfBNILjgYBbJHnEDzgqBpCjckxdc4LmCeX5OwnuhBOR8maCOShRWgbvkUOD+y8uHUBwpMHvpHp38+CVIRAbmPS3i1rKS09IxpN5Ic0DYDK3FngYV0kVCiHenRx3lmYOgRn4iNuB24kLXSyTdQ==,iv:G85YO9nGE6ABZS5LPEBhyaiU/Zei19H3ImERCjk8hQY=,tag:k7docmRD/3anaMDrzKuSpw==,type:str] sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] age: - - recipient: age1x76ajqw8w4l5vlkwt5s3flz5a5jq5qlxv7uppmnf8ckj9egh9ekqjclzt6 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwcEFnOE93NGtwWGdlY1dB - Ti9ZQjVSc0VyY05DbE9iZkQ3bGVCQ1FlSEN3CjF3NUZHR01Lbm90SC9qWmFUMjBM - TTNoWGtlYnZMOHZRMEhEbVQ3d3pINTQKLS0tIHZnN2REdnlmTWI0aGc1K29jaTNW - b2NHTjV3b2xjOUxIam55WGFMM1N4WkEKibrW+oTxXWEkdWLcQA71u4zW0I42MV8V - IoQTPOJ0sfnKL1d9LflQ5aClC0sdXe97MZKoq5HV7ZPeL3IIYPuW6Q== - -----END AGE ENCRYPTED FILE----- - recipient: age1wvdnprpnq2rcc4se3zpx2p267n0apxg2jucvlm93e3pfj439ephqh2506t enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRdTBXa2wyZWIzQkMxQVg5 - MjRLVWZwNzVXRGg0cU5lcjlWbllqdWtjdnpNCk1SYnlCcUNKampzYU12ZlE0MHRQ - WHYvcForelFWMGVXWXJaOEFmY3I3cUkKLS0tIGlJaHR0STMzRklDbVE2THVlczBr - MWM0M3FvbjUzL3p3ZU1zUG94ckV3ZTAKUOAkZ8nlvT36cyPy5USyDzoIG569N818 - tMM5aQsEQ9vTOaUoK4gtBEXBva7VerMprdcTRYLcSJ/9L1vXdlVT/g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVUXlpV1lkOHd4bGs4MHZv + VzhCSmEra1h2ZnhFRElqdU5UMUJ4QkNoMHpFCjB5aFBvcGVWN1BFMS8xVHFsUTk2 + cWZza2p3ZmRRSCtWdHhEOUZSSC9JSmcKLS0tIEpBdGplUngzcnNBdHB3M2pBaXls + dFpScGZzYlFQZWMyUEErOVhVVjc4SlkK3KUct/NJwDdeGeWrqbZ5eAIb/G8f/ZCI + T4gO0Y/fznXkNf1fm5d3JHwTC8yAzxmSSGu2f/LLzKx1oNeAw0Ll4Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-15T12:57:41Z" - mac: ENC[AES256_GCM,data:NKpGBhz9WFt9xbcbIZ+S8fkgbhfOk4g+5vhXSYPz5tVF/uLDjI4+T1nzy1yKVJA+9MGgQ5OHXgQ7kszrXHgn8fm+sG++MUEXJILcX840Poo9wRBhvDxtNL/oLFbSHsQ0FDe9oCcx+/T8Rmg7vYWARlokKDsXZ7wsTYjF9GkBivQ=,iv:SKVBvdyT3cRTfXuenLDEgk0yJJltwIBShZOkrDfnI10=,tag:58eNQ5k5hTUBTr/nwJULug==,type:str] + lastmodified: "2023-09-04T06:55:01Z" + mac: ENC[AES256_GCM,data:CvdFvN0usYbFG+W6gTXEfoX3vOhKbXkAC0gy9k26zaywPeVNcUaCpkItAp32PL/9r60ZOUplrsUWd0HlOsCvYplS9wrSmSQomkoUjAw5vJFNUT+9Ci6r4T1dRAJnijNvSr5flCv0+Gu6KLBuDuVeS3zXj5HHOOtibrrt+1j7EhM=,iv:bwL9mW23jwfp4jcnuhT2iG4qyCNyfS42B2P3uuX2U0U=,tag:AdxTPlUAPSND9+ysG8O7Mw==,type:str] pgp: - - created_at: "2025-03-07T23:03:16Z" - enc: |- + - created_at: "2023-08-14T09:07:55Z" + enc: | -----BEGIN PGP MESSAGE----- - hF4DntlvaG5T7wcSAQdAoaGQG1W4yMq0MxUwvYIrxwdzKKBHJgv9hLCPvSyJwBEw - f177FgAT9PQW69wM2x3QZm4+HsozWqs3k7SlMRsRy0he0fAtdkGUr0EL0DCFi5ml - 0lwBJxkI/R2CI08fRqkS0GuM+6HiV6BRypVy15C1oXEhxlE/MhnCYlP/0MeHbQ7H - MkStwmbVqvOm8aizboD0EePZpHC0M+61ULgMt9HnzWzQ/ue/YepI1dPfEWBQ1g== - =etd/ + hF4DntlvaG5T7wcSAQdAd35Nytx4deWRNHb5IOjf+DRVCvYq4C1PsINL6snAk2Qw + C24cIS+h7nBFCy0zOiXsFbbKBdIdqUXWTOF+8GLXUlKQpbcWodlWKVxQidw4S3CJ + 0l4B2ycQM2NFEEVaPbi6urnjw5qTAo8UNXNHXrZThVURihhdh+Bi5mjyiKXaXj3B + lrgbuCdYstsnewRCP0BIFcwjKZ5Ou+bmp98nwxorN4VMv2q13R+2pEc8f7Vi0s4b + =Ldji -----END PGP MESSAGE----- fp: B8E1727497FC48AA14158BDF947F769D7B95EC2B - - created_at: "2025-03-07T23:03:16Z" - enc: |- + - created_at: "2023-08-14T09:07:55Z" + enc: | -----BEGIN PGP MESSAGE----- - hQIMA/YLzOYaRIJJARAA22jsmHM0HtkFMMH2p4jQn9E1n7eYGwnnD51CxdwrYI2a - 6xIVwCkSNlIqzGH8RysaPdXth2KCyGUR7Ll9KRO3wIKAnpY7lIDpI8LLz/ad8+ez - jnw09oVN0Hiob8Std79pVX2qGZpKwjJ1r8u/+QDhJpY+PkgGU/e8fIYYxb8P4SMJ - aWdh9tCL2/z7UDKQk0AjxEKbFrATfVBNYkyI0d+QlXJVsUukaQ99KBtTABboNFW/ - BYaAqJaJoGkJLvQQ23NnsKZDhZ7eD4S1WTUyJG2C/lBSu7e1t9lftmyv4MekeE5B - wo+9G3hGzUayXWQ3W28QnvGJO8hqDkwBzyAzN2532UDymqsUZr4uHsuE9JwEg171 - x5kxpd4UL5WTcj8LTM12tDLzTyW0exUIiM0mP9U+F8dUkRCH5fqmu5peCb18Con2 - pDDHhhrqd5cxIHFqFawPufRtw8N88fLSzgGcHYq98bP83/SqIzpRDxWPayBRxL9v - 84oPPRbRp4WsWlzqBY/D3lhE/YM/rAc+BleWM5Asmf3yVkhfr4rLW0cD8SL255Rh - PTFEsfhaNG4RN0Syt2toM6oiKEvO66akijWXhNbKKhr4UjoezNxr9XRi4DIHrwf7 - HyEv82mN03C4YhiQTARs+UHC1g3LPjOUMyaQuntZruEpQJN+UE3K+Uxldlt9tGPS - XAG10G4sLXfeeOEt/HFVe3jf31pAMbNGozEl253oZ06EZdbjqMvnPcREm4qFYsJ3 - CtF0ReA5W6/vLFwusIR4T64tV7w9vdH7JH0VFisZgb4fZqohbZSRGABbCkib - =USB6 + hQIMA/YLzOYaRIJJARAA1WiV3O66jKhz2CpOq/uow4ywrQmQ318d1CFHUrz5KPy6 + eH9V8Ry93UF1NlLOLTGCoUcqF5k9E3Et8P3asn7rg8YeB0y25FmqmjBGL1nEmnFR + KTtHYgdGpy8SKds4HhWVZBagL6NRW9oQ9Tjcw3bAVNL+QnKDqoTZ74l9FH8KHHj3 + 66/oCp7733d88JjTEFOLIrUOzFIcVOEvLjkqSt2PYfYQhvG5Vm74/0cEM1lI1lyq + drA4VDrQgsEkX/NKxI7kJrJ2liDXHMJgMoa/2Op0/T7AZgNJd07BrNSVUElyWRsq + HESSZACOTbx8iKL1dvTF4dEjOKrgigsi1eA3YIgcNbgBVN/+jrrUfvZS75BziYfh + twM8Yy82bp6T3+LP5OD4UG+PlVV4puLwbhGhb7BKfYYclutjjA3aiS0JZnRA8FEB + +qOehgy6DWURvNLRkOiThZLGvQRJXsTPjh7+S9gwl2sauNoenNb8HxI8ukcO99tk + UOLmEwcM0Pojvwk1KPzEl7QjsbsXUp6wfrBky8nvOApiSKo9u5Gw1noBTLr+eOmt + g20c41JJ1CiibQGhOWY+EIUQImM1jJdUDrQoTEYKXu0sh2Obv71aCsNtJuirNi6D + nexdRm+9PYSaDoTLqDo1xGP6qBZZF3qeFZ06tMARDovmPD+V5xHvCCQftPPceznS + XgGPKXd/2QSiCEnlYLP5cV0uFu7saRSn/Ez+1WQA6uGK+lMfuSGCCVs10CRwArS8 + UGO5QYgW8Kbp9D/0PoWWJ68Y3DndUA6gzs434Wbj8mqp7DTNuN6awElQdznXxEw= + =OYP/ -----END PGP MESSAGE----- fp: 91EBE87016391323642A6803B966009D57E69CC6 - - created_at: "2025-03-07T23:03:16Z" - enc: |- + - created_at: "2023-08-14T09:07:55Z" + enc: | -----BEGIN PGP MESSAGE----- - hQIMA8uqUsBLHj6XARAAmpdUg8/6iT+S5GHFGUdnI35UyEPOx7h6gjvvSWRDGbY/ - 05CTwj1JBi02FLiiKO0hPus5HAWgMhL6Vi0K//y6soKFhV0lC26s1nJFG/AWrHa1 - yQiuvcRTsj4fn1S9GruEaj2nn6579+aYCBRnM2SGEE8Us1oFkkuBXsEgzObHDsZ6 - 2trnlFJV8m7Uu7QOLN4/ghCB0A//2TqoV9qHneAyPucL3pP+HBaoLtoc1DzgrZBL - S+SngFUBIjiM0sRyAngAORpQYJmsW95zKBBE9Q+CB+VRy6Yxnz1yAruwODQCEyY+ - bq+yXhWDnyrAAvdgi6ju75eQ7nZvoZXh7hPfFKFjYHQVY2zSuMIkU37IPtL/R5z8 - Y8xnI3hOlmQ48IcjXr6jwgK0hR756aJ//XVUesQ4VTlA/YnaifSquakZ3iwmOpR3 - PmNceArxMqpN4FRxlBVDomEt2D9MOhzyxKd/Cs6sCO3uV3k3YFDsV5+oHt5phuuA - fBApR1Y80M+duGzujM2QCqTWx7Yi+I6LBcfv6P/ya4W3gdDjOZ0fkGqF6H9mcI20 - rDOIMcu0pA9hA8H3FzG9xABsGQtKEFzhd4ylMSHLeFU3byUo9f19R3+0rL6eHZMW - 2kbIhn8dmAeBc2Uygkma1Ru2NiM2ZpHFm3q8YPkolOShE4X8g85pTN6GnhD3FHjS - XAGv1hzCc+R+PjGNvtEcb/fcejiQ/fV8ps6RO6GQHrNnRiu8bb22KX1OaiAMjffH - hwv/rMTWI0TIBJSxPTolEF4JleD24QvIrQBBhEBXkiSJrcyBaj7evXueV+PQ - =cL+E + hQIMA8uqUsBLHj6XAQ/9GYctx6xUG2+i2RHYhTQIytBpLCiEte8zvfLcRM7k4fp9 + OBo1Rne4VI/TJo7nZP8HBNlD3clLWCbi+O2Xz86ACUaImiDX1wKeI7h5Im1mNFOi + /hlKCjnYOt57gic7THt/xtFWfl1QdZ6klgBKK2eAx0sSl8HfpmozHkb2NVo1CPYV + rPGBi/bpACyITyt0AW5413b3Ltt1kTfdsSH8myBzobiA8xJqDRbcidtw+9WVXp71 + AbJzUgXELzZqjcMg/8XZ0rEK/nBMIi4yE7t4lVbNLH32ECLGZvaEB9hqCqOUPcGC + VB+fPCYZBbzMuyyFeil6eX0lI9PiLHKNMalMvHz/YR+7okZ+E6N5yHP1E6FSS3ds + +IUE47S9bV+mgC7UxHR7rzvu2Sw4ZOuJaaWHEuG/oipOxMxcvLR+KRy7lWynSykp + iP0bv85uHeUq4waJ4U9wqWUu3zUXGbpkr2vchSoQP8KohGsU6mJUkwcgssQzG8Et + 4oNOPw4X/QGn1Sp2zZBV2/b584VW8KA+StyYTeDuW06yCYTzehIwngqcr2AAv6zk + 8TmlqI7kTTcmPiOe9YgjqMKP8nsYI/xyXb1Rk/X72oh7UKha6x+sD6yWnjBMuiG0 + XMvXROVl1NkA5fbdym1cW7su7LEBKpwl1a70djE/afl1DJVYQZdX8cR7aQRMa+HU + aAEJAhAqALQJDkMiTz2kmMw7WWrPENzgAflQ7d6cuuwZ7OLPwCqv6/Wb9yogOvJ4 + ws8j97f3BPdgUg4KSqHEqIvOg0Ccn9CrGgzEReMJTHNwltmkJzlvIyJSp5F33y0+ + /DtN0Yj/UUpA + =KgiM -----END PGP MESSAGE----- fp: F8634A1CFF7D61608503A70B24363525EA0E8A99 - - created_at: "2025-03-07T23:03:16Z" + - created_at: "2023-08-14T09:07:55Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAzUXo8ZPJwGLARAAkDuS3LCJqk3fyqqE9orB++QWD1U+chUSQfe7RlBSp9O9 - 84bV5+RgWjVKmJGnr+8iYnAqr4AJRUsPw8d/4v6VOrQwOO0cPefGRBDI69eEqj3D - sJcCGdXrhrNaRj5oVtuqWP6zracmpt9mc8zpvJA0cQL7Ldt0YZnK2ohVYNe+obcd - twD5L/aVrLjvBl0J1KOHOoaJZilmv9dpbrjJzT6cFI6SbmD87IXVC7ME+sTfAXdw - jPrnKWUQ/6ww738EiKf3/rwgn0rIVnV53djy+FHXD8Ki+69TMYFXz8pZOI43jj4y - M4BR3PqaoisE0rXd5IbmuPDBelIXalpl5MwHnvlOErpTCmybJ1FyHEhNDHesoss/ - Kn41QTDeG07qBlbsgYOdA0K1+ZfGTctDllITjcJ21fBE4d3uMfUDo0EDSu5aZSCQ - Fz/YGPQQ2J8agv/HLpiruF8pGboG+d0SRfnka/ITlqRhG+x8xmyiMxybgPOfDV08 - neRB4Jl83zVfbBAdx+JBdW3p0twRWrLCUpUCh/L2z2RH8wVd5mijFH7aM7c2sayy - IPmIJYwg7cztM+bTeuNqywDSiNp8Z9HUxQd8QJOiG+1b3NdDswcaLWEIKhvkCQOp - cZGaqPXr3ec10Xxkk1y4PR/xPPvOgDZvONcnYLjS2yhHhNLDSiyDDel5grUqWT7S - XAG4pnmOC09sTOTCq+VID6qREFTYLMpN2sLVD2tmlU6pICifeLfWaX84vgDqouew - av7HX2HXExY9YdhEDEj8VnJAmSzkOI82YNQGFACCCbfMTK0B4EtW7KvR8Njv - =n6ef + wcFMAzUXo8ZPJwGLAQ//S2W6YlF3uMy5fohr7s374W+JG/uFB7fFfpUwaXis4wTY + y/ITUZ1CtyBsN6HT7iQsHwVN9bDzI1o7qbWkLgoSNNNh2AFT5fmWFZb3GoGPRiac + 1yVAGXX0V8+KaODGLXK48cIVPUFfwnpR4cw4eq6SnQyA77fYnCeUt9sxyn0KYbOH + SQ17FpbaYMk66KzOEqQhnN9GFCfnf+2e/7/jgimeG7mErlCT6FbkYePgdHQ2W2LO + ptSBelbuJUIg3gjzbhQHgYSmuMgwKZtRyy4Z8ELzmQorLChM0qlkLXXVAk755WuK + MmDnPiXrcB0QsUKn4mhuLA/IKR+FOuFP9nmnN8+sBcS0OaXXDYXrjqs3/dDyfXca + qyP1c3NMYkgHfevdXz2PNiq2d7l/pNBcfWKcUa7V6toA1n+UonjE4GhMl+Pr4Si5 + 6NWX38YmgCnnqGmixP+BrKufR8xyt7RZvNUkSlO+fP2rYpg9vuFVcsKF2wVP9w5z + bW7vcxPc8PYrTWi0p7DDFqfEZIxnG55hoIIy6RENbvFjKVDZQNX82SFi5hY+9yIX + JpW5Pf3liCwHQCxHN8dc3xH8bTmxZwbA4wZ04PMccGvtVL3IY+mboz6iVjwtvNen + 9nKVE9ad/ZAH2wejlk/zSz+3JOXjtCxLH71cV03NzuzaA61C3OazSJ9K109xZ8/S + UQH9XsM1jSbEzawuWk2bnFtaQ/fGGQU+0Ph6byeZLhiNRoBc6nNxiQ3BFV9tCrpD + IZBwIwwU+OtB1LNEWrs7wrD0NAgidKNBxZemLrnTUgrc0A== + =1eth -----END PGP MESSAGE----- fp: 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09 - - created_at: "2025-03-07T23:03:16Z" - enc: |- + - created_at: "2023-08-14T09:07:55Z" + enc: | -----BEGIN PGP MESSAGE----- - hQIMA30JDs8MiK29AQ/+IihR4yGJDJnDXqtggP3mfUIFajsUgNSdk1NHJ23MtM2k - hdvre0HaHKnJQprHmYPw/cbI5Rwogi+5xGU2sRsiHqBLZk1WEqgWcOeBMV/t8nc9 - p7M9LoKowaWpQ2S827+An6AemFa058Tj1pa4oXFzWC6jsl3RbB/IC0meyYJjl+Dk - gu556cVbpNRS0Z7wMmVJvBkErP6426hZBAHQcxaz3YZG9rqHZTCmd4PkzmuNVbU6 - iRF5b7Ov+IMmVd4OmCrs4sw7KrHahIu0g2U8V0smQphvV8MDKc6sMIyscT9FFYki - 6qmqCPhtTivTG1lTTCm9W+CIr2240VxpuwLiS9/OKke63gpSa3NJX+V9mZ+jMy43 - V1nUa3J45Sv1S3hvVpIsfqnd5xHCSB4w9X+YXJll0AEcMsI38gDQd4/stTAlYRIp - O2hygqMY8bjPdt9tS3AHmOMksNdD6vlO72N68ugALgcRYpq8chUhHiImKXKFI5yC - YFFBZhsM7r1N42ti1yDR5cBF1f0ZYIYCwUedJ6fLOZsG3nVWh/isho/b0vbnNK3P - JLBMW1w2fYpH8fIEDIYasaOF8Reg+yPh87tKA+M1THam8ek5B0pFs03HeYneXJs/ - geyYOYD43kHmg4bM7SgjOMlwVALz0tYorNpj/p8ojO3cBfIp1lKuegZss2iHImXS - XAFpEl60dqYeehT51t4/bjg7e8L0tkQf8/CwVATvMi6PxrPjwlN419fn22F9ZF+u - fRg4nX3ZMBTZAE8xhkQ5MVn6alLTHQu26Yal8bhqpD+VJ3JC5CpdUya3VMNK - =oelB + hQIMA30JDs8MiK29AQ/9Gz9v/L97v6sxNyplvRuvAmSR6lXjRoBIWGYiX1pJonTf + LIs/X/6Jtjata3GXeMJ/XOnFvmHrkL0m0njayuuntiA/F+vaUTe9f5gHRdpcDCmr + LqAQqXh4KlknEUszqQb/5YG+gK+NnmQigmBucFRzYg47fm6WGXm4zYkQP2mgz0vR + LOlC1b7xrCt/Nt5NLYZjrxzZYf+UQ8zLutiOD+Y2jYElym5rmQdUP1wOxx4VWHJS + EMYkIgNX6q5Pnk6AkfFXLEQlNbym8ljdO6Nl9fKLU17NPddgUXPKv4aonN52QCwh + XRP+40FEa+cvImzgjycj/+V2CUDaDJmlCAckv5PrOLL8z7/v4Qrvev9gF6lhutZk + SecHblTxjFaYoNK+Ver3kklV7xE7BO0CykthnaKLBcu9ERfWohm0o4FZ0XMnxlDL + ExuEJ/8axaeS7hRVccMjcEyA4/ZbsyUWziE+jEJ7mNimKrTLK1XNjade3VRcsTy4 + m1lsfN/RDvCbJBrNHRQuInD212Qpc+durZnFdEf2A8ymTvVWlZoK/UtUSPEfbevf + UWOToP558fsCHXqgzula3cqfXLJuED+XiPaxdpfTCU7XCI9xaW1kGiUOa42+CPU4 + o/aGMvlEQJiegZ7A6J7Cl4Z04DUU4RTadLyIZZnFFdhEWKhB+SpgqywOxAbAoHHS + XgE5ZZfsZbP2XJ9t48pU0mTRrplg4NFu/pHxnDn6wTMDqDCvF+gqNJsmA5dNmFDD + XE19avAuDRd9JPkyhYDZD9CvxoIOlzsJfU24sR2wWqoNIFTDl0vG2txXJVz93D8= + =GZZY -----END PGP MESSAGE----- fp: BF37903AE6FD294C4C674EE24472A20091BFA792 - - created_at: "2025-03-07T23:03:16Z" + - created_at: "2023-08-14T09:07:55Z" enc: |- -----BEGIN PGP MESSAGE----- - hF4DNffZWjBmO5ASAQdA07imap27d/V8R6oVOlXUxEYL8QJcTaSiBICEnBnfJnww - i69xnBOhGKwnWAgFipvXwFeyiQcmr+LnLbdXB5YGTblDzG46PCEH8JyeMakHpHAI - 0lwBHOOaak4roVNGoxmDedniFhdH0rmd8c9MtG00iT4Bc95fjM3eSFuTrESWPY9i - RUApyfYx9WJq5jZ+lFii3uOSQg/rMpVTIpjjXC3HyJTvfy+MnECBAI6+cAWsjQ== - =J26p + wV4DNffZWjBmO5ASAQdArEfjFNtkwsa6Qz+RgLCqUa/3G38dx8CgynaUkvMsGUIw + 2UvO8PIbp5pfI+9pdisQO+0AXJMTxisUhSkNWYa64Ey3mlNmRDaH//Qhfb7RI+/i + 0lEBxRWqhmcNXRmmV7Y7EU4we3NLm73IN7HMNyxNZyzGirdJED1Ie0kPl0XJpOZs + WJVCpC6FJ3aivsYMfv7PL/aSt7tNg/TTjxMI8W6m7TmlV6k= + =dvRv -----END PGP MESSAGE----- fp: B1A16011B86BACB56ADB713DB712039D23133661 - - created_at: "2025-03-07T23:03:16Z" - enc: |- + - created_at: "2023-08-14T09:07:55Z" + enc: | -----BEGIN PGP MESSAGE----- - hF4Da5T//DC6DJkSAQdAkFwtDJxwbCFZ8EyxkK1R4v5Ntfy0QIzLpKk1CxXklnkw - GKQPVXU2qFH4UwH/58fKENIGTVHlDRXZa6gALeW6EBr3uQFoJ3d/APHpD4nprqOy - 0lwB45yH3YjdTG2YY4bI3eZKplK6R9mK/lzAVG7zV7nVs+glr6/1XpaeYJxiT1/K - p6aV8I+/FTg30d7Rfv2PpPaB31spmUxA3RDIbybzn2uygwOdKB0PQnnGLAOXBA== - =vuaK + hQIMA6MARpDCLIz2AQ//RwloWGHjB9zkZuDNqiqYqLT7L95ETHD3A0rEnLCmMHp2 + 0/FJVjpghzXeCUcTqCPGGvETy7xsjXAzbbrZgFFiCHj+L62WBO+h7YuMtZygBUY0 + nvoKyV7247HiL8PZlvJVXIChrypKgF2iTotgTvmB9rJWrZaxl+M8W7ce0DyORwXT + ZoWhfR501SWrvXGCe6hdH6+qBdWgUYlZJu/WhLZ6Ii0kQCeIJjC6lG+8fYFv9Hnq + mRMD+6piReFBehm0LSK806V64+NCHYkcFPXmoRXhZVQMtIbc4ONjOB/XMVk2sq11 + x/SRossZnQ7V7x4mP1chTLY3DWn+l1kHM/tD7Fm6xYxdA9FUrKhToEyM6uJ0GUVf + V+dx9lHvyCseRtgS1sje2SllTfP6i4tQtFBSlgOtKGP0JBVH9uNlYynIMeRF0ssD + P+k/IYaLCB3d85w4kG8093QqhR0urrOzy2XPRaAPE3CFJcxKWZ1pMIJRNjKqgP3f + zeuVtprUicb9j7pejcINodG/tQAwy1gTlKkzzgDRHlDzYz64dA7BOAHXL/C8PeQK + OrFGJ1+FvnmD6L/fnKr+p/dnHWq/M9OyKj2wPoiq3VZU3S6SAfORKmH1YbLNr+iP + ME+XDEXruZZC64Hk5wzkVT6081/NaHfyWfpguaJ87f5Ruto6mqu7A5Y6twIRsNDS + XgEmEktsdVD8egMQ3rnRqPuWo9F+Xa0sOjXuQEwxWAKtTIIHuZgkyLYVHJc/2ati + Ml6yr7uiXOwtUzbo1a/ocKbvcQg1Qi4X89/aGKyI5L3XCn6YPStmekeyvJRFSBE= + =9A7J -----END PGP MESSAGE----- - fp: FBBFAC260D9283D1EF2397DD3CA65E9DD6EB319D + fp: A4F92BC7B792108A463995827C1F2DA2BC929412 unencrypted_suffix: _unencrypted - version: 3.10.1 + version: 3.7.3 diff --git a/secrets/tomate.yaml b/secrets/tomate.yaml deleted file mode 100644 index 01caa04..0000000 --- a/secrets/tomate.yaml +++ /dev/null @@ -1,162 +0,0 @@ -portunus: - search-password: ENC[AES256_GCM,data:lUG8qGioYZOAQHRhDMCBq6rRRFOs9R4ohMHEctxi/f6soE4aQZHyENEW,iv:6wgDgre5wr630SkRlT2kHak4nnOkx3DVFbNcq4FehGw=,tag:S5EiXEsoId+pGYaQ8lq7JA==,type:str] -print: - smtp-password: ENC[AES256_GCM,data:XoaLiEpqAdKapeS9YoBfh2w7HFuTCV9rHIciH+qUbhHcdsgVpnPMsSlC,iv:WxfP5d2K9soJPoRPuS6O6PbNvo4TBQjPGiV0e+a501Q=,tag:ZsTdR+b/oYFAYz/MN73PFg==,type:str] -sssd: - env: ENC[AES256_GCM,data:9IbU7uaElmemQHVUvsM88hcyNl3WFehgQeLZPtUxt2Sd0IECm8qNkQhWJ4kuvoBnQsdsUrFm/0QuW7AfDFOeE7FxMxg0,iv:dyzsYHlqClWbfzsoJ36iYjaXWpidB1ZqHXI7RP7js2Y=,tag:97FMOeVwAEy8Ka79uZKC8Q==,type:str] -ifsr-apb-auth: ENC[AES256_GCM,data:hxJOvRbgjB//YU3wy04P7yrQbV0Ggoi18wQxwy4hHgbXizTHbmlfiZ/MstITrZQ6qEPVBEW41/iGU3DO2Cg2ofpWvFU5Gr8FM1AC9DKq8SppLGqzel1mEejPfrh4RbQUMe0zZlc/YfhCah5sM0oPnBQNg8bPpveEO+5/bRq5S24jkkv7w6/AAS8tGvjALVf/g95jsCrQO2MYg9jCCEkdhORU0bowGD8cjTr6wnPkNhwzn5tiKoPn6eH6TFBkqNC+Q/5E+os10i9F1c3z/sv8Snrcl7V5higqrQekhEvGRDmax/4lE8Yb3AoxC/2M4/+9x+OPi0JUkkhC6rghETXpmYkuaD7E8+eEtLeSbiJPlPijq2HTtbtsHcSoMUdoGO8644TVe/jDxaEe54p9OWEFjRRpONijQKsfH3wENlUXmqDQDLfMSpoANxIHMh+RmRzktGIvTgvs6rlKXsWp7/gggFVxdM/5QPbE3pUvGr+JPWz4,iv:6c1HxYGrItPwKzAnQ0zUvO3TSejVZ/aWF9zs99ufzl4=,tag:fELOskceJWKmkm74MCsfoA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18lwgjazaxujqgcc5j0gjllnykhtjn6p0q44jzrsk4au2a5k6nd9s77kd6d - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bW5yM1o5SHNXZldjcWtO - NkxENWNqTlpVeXVRS0MvNFhCUnNlWmVDSkZJCi9KNiszcUZHTXl0WXdJMExtcGYw - WFZVNGJkZVRrdkNRV3llUEJjay83NmMKLS0tIEhWNGRkREJuYWhaamFWQ2lEZUo2 - TXVrMHZCNU5zOG5hVnNkdEoxcTZqWXMKA9eG1zM6HeLAAOpIo8Z5+5KD4Z5P3rdc - kE8sUXHD3d8SMmSKcTYe6gGVzFuw0xxnMb/AmjAQosvDFTQsWy1sTw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-16T08:58:21Z" - mac: ENC[AES256_GCM,data:2aOOVZK7kshJFBWphvW/BqRUXht4p80Q15nGJNA1EbjT05f3tYdrr8QuM5Xd1vJO07rgmokWv4XwbzodRIwqidEXD5xuJ1v+kHC/jJnO3yrBKY7kVMHkia2Wq00bcN/iwdW6G6AP5D4HQbmFNo+rLHyjIVwPvtu9jutKpz12NH0=,iv:YCBX2gSEmiUa6HrHi0VEcRGWDJrXGajD8ZbOZcppFnM=,tag:FK2E4hukl8oL5aZNTCQESA==,type:str] - pgp: - - created_at: "2024-02-29T15:23:28Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DntlvaG5T7wcSAQdAVYr0vThE6byTzCZiUrErtuouL9k2b3uTQKR3pnk1qmcw - Pw8+vdUOal5i/M9jFWexJzJ1nenzhIogFWry4FdXRX7V39/nRJQ1mbF3+3T/yldD - 0l4BdQ3xmtVUiz+PYCzazHC5+wPB4iCVs3fkTiLvNBNzUDEHvj6T7w72eKhld9VT - NFcOI2lSDea9EYksEdLef4VnE8gI1DeYxJAc60GXydmBJZO30xeOFMru+XE2N7Cy - =S7ex - -----END PGP MESSAGE----- - fp: B8E1727497FC48AA14158BDF947F769D7B95EC2B - - created_at: "2024-02-29T15:23:28Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA/YLzOYaRIJJARAA0fWU9NbHhvooG/4gYcadlwNPtQqOIw+6g/L9Gx8wKEhR - i9451S9oez3ElkwIeiF1YPCzokF6TuKv/++nV5SjC9PZVSHnrixrQscdN1FtMvH9 - ad2dC4GD69fXebq3f1vj77fAZxif6OMcEMpDiRRXHHJetzuUDkLpk0YSR/ZM23m/ - ag/JrHNUNgSJPLFRjvSNqX/DO/Etf/RfEwuMoPmwpGrQFhBTwtcIjjrJ2zT38q21 - PhWrjAL0Mxjnt1zFOGLLXwV5wkpmLOj2GGIBJJ+/B1zEawkbOx/ROuzPFKrDmrrh - xz29AVi7Ok9JanwgPGRNytnUHmxToisIH+FZqwpDTsop0ZQOCtiUWIZot+i8XGxs - rJhHTKxetJfsJCQUe4K2RJtHnVKIluzLDFyxoOb5SVmXoslY/EIQEYJz2lFPG2sc - PbP6XUh5ObZTK3IRIFqeQzjjLI1eaLdYjEOr+a4Do98Dd7+vJ1nLwkC9Wo7JLaaR - yd4emYpyB8R72Zf5+TPhN6ZWAL97OQdCZCSxyh3hDUZt4Wckg3I2yjw1mh56yVJF - fFOCOA/nXWpYXyRTbxuPuvCqjVsmVDEh+STZLIFsARzvz+yrlpEFoQw0G+Xa/XfO - aUt+HWGYji15+KVZJnSOXHhN4z4amsg8mtAEKfhCU7pl3jyrxa2MvArPBIU8FB/S - XgG8vs/FjyRkm+BvmHHEHmh8JkC9B9Lx1kmMpHw+fMis90IqZ52I82RmA6aO5jqR - ywlIrtvDLC/5STZaBdTt6EJwf3OAvRY+H1Br+SLtz9xXUxgzV9JOHWTefzRH2JQ= - =3Wnv - -----END PGP MESSAGE----- - fp: 91EBE87016391323642A6803B966009D57E69CC6 - - created_at: "2024-02-29T15:23:28Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA8uqUsBLHj6XAQ//SVU6B8zLxtpp1gQ/U+EGpgbP8N3IrIcUPrPVx72dIu+y - 7acCmdgralvEe/MLG4vNSnkrJdCCk7piBG2JFTMUFbqbFkUVSyZyG1yRsyezB3AZ - czSdffSQ0SbxWL73ANO7Z4asRwXkqjDTTKTl3xL3Iw8tDu22INeFwmcZPFV9F19J - K/BanSBuofUOiQB73BNv/8lA6ssxqufj+9pDDoutzF5XWpd8wUPn2hIcNWtr6NyY - wl9U/Jb/gkhnUR/UHGO2Nz5kAWz1lhysa/dur6I1mrxBJ0mO9I0j8A6U2cBPxdG5 - JBiTuKlFi4RhKUAraPDC+c3fM3Zp6zIOWhZgRNGlnR0Tu3fTeqdt7DwYh0bCOpJy - tTtj779hRj+cnleKG0QB89MY3XFpHQR60iBEMnqg522LLlTzLbvu6BEUvM/4jv+j - 2aq45zyYyIHC99k8xG9vl5Ou+3XhDqqVRUQ3qCRbavupWRKdibaNqjcaMr/zDqQ3 - TxmDluLnsbCGnyYmZDocwAqVvTVorHEr8yumjViFpXPImRe+na/0JCuxRHbBcVt+ - 9WynLgKy83rHY3tWKhqYobh20mLXNNcCiUvdGFYI2X/wyUmSRMkuNpT8fsvdr179 - BtERX0a3VpzaBV41pMsEIj7okx1MScMxXEmAktnDEQgyPBwV2CZpp2lM3YJajVjU - aAEJAhBKMkW8iDDTeG/ISzhGv3Qz4B2ujOvb22N1j/LVH6HUcq/Kg9tNJ3nDuT0v - zP1O6zxkwZsm23at68ZkfxXdBm6Qwf/sblfxYi2SOvWn+fXSmkSfGPVgw0vDG3+G - 0DskmbWWbRuD - =9+VA - -----END PGP MESSAGE----- - fp: F8634A1CFF7D61608503A70B24363525EA0E8A99 - - created_at: "2024-02-29T15:23:28Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAzUXo8ZPJwGLAQ/+MGbYqzJX74UDkNrAC1QUvA54pROBzoKnI45ODtT9gp/5 - 9Cv5Hx3d/1UA/IGjGh6Wjv7ljCjH335R47bWBDmnE4WmrD9O2gopjBqAuF/k/tIs - Vc4+8AD7F85PTSSdb1t/2hu/gYO/FAmwpwxLBmWD7iwAwpDZoPB3lBYwvqNOlnmX - 8cFYALyacBBMskwp5ydNEUtQO02ycHUfr3WVC3TponHva971Bsif2Lq4aQW2jCfm - 0a+RvO9cdv4RjVkd0/eKXnjpsFRkmggTAmXrlrer1hydENbdq9Fl9QHPxRG/jp6b - SjzqSEc38wbxX2zo9GihPWRHPNjXEJbXGWfwAA6MZpHpI16NEU98+B3OOsrFZ6D7 - Zr7BAhVqYXgriICx9K/czFN+oDp5Dpsy1/9NGhx2mg+KJXx6F66MN4ZB24u/rgTR - iC3YGoXfx9vq0tbv2m8zPOoJ3PjmmLzfSwXQszK/GOFvu89r57Hz92K4UpyFiLPf - jUoT7GDfEnU+4OFKdmBDzqFV2xm5TCnoCpjCfi+kbpszThoaF2L3ZvgypxK5K4cf - SkPoU2HgXwL79sXfFknajKKtBFcE55eLggtKmANoBN2NOf+yUQuqwnJRaN+ELtKp - 1HJ+ztoPEcrEG3zljNZ77/n8B8kprVA+E4sxzLrNHM+sRzoiDixq+nEB7p5F6+zS - XgH/wanI8NFYgP4w48mM50rboUeeadwGoju7XNNoEcaLzCaGWkoUWNbtH+NGnaAR - OGux0gslpa4mPnHWySU7b/1LZiIop9PyXCqGDyUzjBCaNKQypMMO3BhmvdHf0ug= - =oRNh - -----END PGP MESSAGE----- - fp: 116987A8DD3F78FF8601BF4DB95E8FE6B11C4D09 - - created_at: "2024-02-29T15:23:28Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA30JDs8MiK29AQ/+JcDqCXFj6/8NsrMx+mv92Xgqo5b8hQC92DxOEVd2kBrE - aqe7LPbhpm8ujuR5rRRNKmnJX1QQXn7GHAua8tA2+7oYVhVJfpIp1m3FlOkv6Jt0 - Mz2FMotFfts/Lq5MGUB2WU1fkXMcZ2J9gXZGoEwVRFFATu4lHy6IZKtbYHm8onlM - WXuhX3+uM1Tw4TCaqnyfi8fEGvocpwD1kT4Y2F7VipNVoSbP9DNf9rVIuKfTzLMX - NxueFmfUcLt3Z1/HSV40KkYseaZcLhWOtKbpFTwG/zdzdSIWzCjxPGwcK+nVBDeS - OhFdcoKC7c9GKb1bbxaPq5BwSpy29/PBv7SBM2vfUvyc9MrKvXdh1VzOgTkSAjdH - DxeEtFNMIhrCeCuMZwjBrIckSr3dFh73YqvEbSV/1Z2nK8qLBWKEy4noAOhI0Kxe - T05cCaGFHVJxy34lmb1AMHATLt6ZDDUn+kgiOD13SozMAsS9045MSnJgcVCb953/ - cxx5LfyN3KJO/17YFgNlq28yVavFTp5h5en/DexY35nvvACBi7uah5WQh8Y3fbB6 - 5Eb0t2FcsHY3L11tbjnVz16oFRE/SuS2NK+k20QEo36eBc272cKjkj9CS1w6D3lq - 7qFQCBD4NWITn1FgHDNfDVNZI3rocMMp8VgBzpknvBZmRc2PQlW1+jIt/7x+JP3S - XgFd5m3vvtbLhJVG5X0GMbFHC4QaBTou6buKdfvuQ8ZqUb8o52MPNXKmTDW99ywM - 5pItfzPtHZ7q8T+rZKEnNcL2TBhgfHsuFzqC06D2jeC/tulvbhw0VtBcnJzSlSg= - =ihPC - -----END PGP MESSAGE----- - fp: BF37903AE6FD294C4C674EE24472A20091BFA792 - - created_at: "2024-02-29T15:23:28Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DNffZWjBmO5ASAQdAD+Em/15kuzC0vIaYSkTGQS5SwwCGRmBc9V5u5ChsunAw - RiXIlOl3EhpR6qzxCfUgLSr+WEXK20AFGo8gEfCpKqAVE3orPGh4btwcV/AzZyID - 1GgBCQIQO4OYcDhulX1kReGuRHVJWLsjvWlUJQjlYPXPaS7QD6vCmie986wNEOAN - kqDyuSsoetM3OdZgTvyj0tmTdNNm9X90xKjyV+wcYKlAkVL82PbnEwIqQhlMoZv/ - 0Uhdu9hQ3VXC1Q== - =0iem - -----END PGP MESSAGE----- - fp: B1A16011B86BACB56ADB713DB712039D23133661 - - created_at: "2024-02-29T15:23:28Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA1tId/HHLgxAAQ/+P7hzNKzSA3JVSSAqfAV5umI1hACWf3ticSkT9tlfGYx6 - +xWvkwmtLBAumPYwIrVVvKSG2KBdiD/p0CugbpMUA2164IGrJVQsnBpeyV3fgaNQ - GMbb+Jq1Nfh5QsmI0X+D4xcNcPae3Ml+4TXtjXkDlowG2c4x7AHiHKnQj9Agszry - F+IUdlVt4dESbMGv+ck6fz6AqJ3OiQaesRps+FTrWtVhzuu9DIuup4E+nb7qaADz - knmjPfPxX7rSwfAVbvgmGZ0hRM4KaIqt26Fyd0pnnxc37KslgBcQDl2bIu214SKT - vmaSwqCOF1JXe3MAKJjFu0e1Rq+6/Dt9sZxWcXi+uKVqXaQznHXrxXywG8dmV2jZ - SS1rLoHKZ7Sk+3EG9WAfNA0SDNpcRQ11TXCXKYaNkbhsNucKBa3ipGO+l3ypFWNj - zmJMHR9mZuH/cV/DRC7eyWihbcYSAVfOuNYp61KUsW5Z4aYN/yrBZIDi8wqbN2J5 - TNI13Opj/3Xvu8mVC4fipORvwRpwlFX5hT1ioDZ/vmtgufWWPNSc7XEN6HIie3OY - 8nljJqPOhdYuTStejtBkt/qvqWWGlpPILCKndqTEFoMv5h7ussNV/+6eGUIx3+1Q - G1Hj0Dptw+w9dx/CAh6BVjSCF05892o8UNljOzr0mdxvZYfOrnrMjm2aqWLYO37S - XgGHuVKMpj8zFhIERSZj9q5ZZuH4f7AFgEzeRBghNZCGeMlA9T8BW1ctZ7v20wpL - q5F3s6h/Vpif4WrdcuVwxrsF5Sar08mJaVRQdJrps6hFENwy0qs0zn55gKIae/Q= - =HZ7i - -----END PGP MESSAGE----- - fp: FB44F0746DF25F0B24A2EAE586C8A257C3EC82AB - - created_at: "2024-02-29T15:23:28Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4Da5T//DC6DJkSAQdALa6lkOmkWCMYVZj7SE95wbejf6w18ouzh0NeKx1SeTEw - NoAN13YgKuk1b30zfSbjbr1LeGvk4xvDF+1nk+8dLccUPFQO8svT0/L2DhAQ8EV3 - 0l4Bf3h1T3Hoc28my9LvjvMo7brUGqX6TDRsZiLdOe/wk/EbnuGnTUCtHytxGUIy - dtQa263hpVrA1xRIxHyhHRKACp+4PD3SvmDpQ2u33bVfZ9F9vzRPGXvE6E3Rw8jD - =Dxdr - -----END PGP MESSAGE----- - fp: FBBFAC260D9283D1EF2397DD3CA65E9DD6EB319D - unencrypted_suffix: _unencrypted - version: 3.8.1