flake.nix

@@ -14,23 +14,6 @@
       formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
 
       nixosConfigurations = {
-        birne = nixpkgs.lib.nixosSystem {
-          system = "x86_64-linux";
-          modules = [
-            ./hosts/birne/configuration.nix
-
-            ./modules/base.nix
-            ./modules/autoupdate.nix
-            ./modules/desktop.nix
-            ./modules/printing.nix
-            ./modules/wifi.nix
-            ./modules/options.nix
-            {
-              fsr.enable_office_bloat = true;
-            }
-
-          ];
-        };
         sanddorn = nixpkgs.lib.nixosSystem {
           system = "aarch64-linux";
           modules = [
@@ -42,8 +25,6 @@
             ./hosts/sanddorn/configuration.nix
             ./modules/infoscreen.nix
             ./modules/base.nix
-            ./modules/autoupdate.nix
-            ./modules/wifi.nix
             ./modules/desktop.nix
             ./modules/options.nix
             "${nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
@@ -66,6 +47,7 @@
             ./modules/nginx.nix
             ./modules/hedgedoc.nix
             ./modules/wiki.nix
+            ./modules/ftp.nix
             ./modules/stream.nix
             ./modules/nextcloud.nix
             ./modules/matrix.nix

hosts/birne/configuration.nix

@@ -1,41 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ config, pkgs, ... }:
-
-{
-  imports = [
-    # Include the results of the hardware scan.
-    ./hardware-configuration.nix
-  ];
-
-  # Use the systemd-boot EFI boot loader.
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking = {
-    hostName = "birne";
-    interfaces.wlp4s0.useDHCP = true;
-    interfaces.enp1s0.useDHCP = true;
-    wireless = {
-      enable = true;
-      interfaces = [ "wlp4s0" ];
-    };
-  };
-
-  nixpkgs.config.allowUnfree = true;
-  users.users.printer = {
-    isNormalUser = true;
-    password = "printer";
-    extraGroups = [ ];
-  };
-
-  environment.systemPackages = with pkgs; [
-    firefox
-  ];
-
-  system.stateVersion = "21.05";
-
-}
-

hosts/birne/hardware-configuration.nix

@@ -1,33 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [
-      (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "ohci_pci" "ehci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-amd" "wl" ];
-  boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
-
-  fileSystems."/" =
-    {
-      device = "/dev/disk/by-uuid/9799b183-a191-484e-b9a4-05e29412af25";
-      fsType = "ext4";
-    };
-
-  fileSystems."/boot" =
-    {
-      device = "/dev/disk/by-uuid/CF58-EB12";
-      fsType = "vfat";
-    };
-
-  swapDevices =
-    [{ device = "/dev/disk/by-uuid/94622e8e-8b58-4b3b-9494-d144ccaeb486"; }];
-
-  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}

hosts/quitte/wireguard_server.nix

@@ -1,24 +0,0 @@
-{ config, ... }:
-
-{
-  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-
-  networking.wg-quick.interfaces = {
-    wg-dvb = {
-      # pubkey: 8iQQSCI14dObcrMw0/rZJxfvpOAhy3CU+haJq2nyIzc=
-      address = [ "10.13.37.1/32" ];
-      privateKeyFile = config.sops.secrets.wg-seckey.path;
-      listenPort = 51820;
-      peers = [
-        {
-          # Tassilo
-          publicKey = "vgo3le9xrFsIbbDZsAhQZpIlX+TuWjfEyUcwkoqUl2Y=";
-          allowedIPs = [ "10.13.37.2/32" ];
-          persistentKeepalive = 25;
-        }
-      ];
-    };
-  };
-}
-
-

modules/autoupdate.nix

@@ -1,10 +0,0 @@
-{ pkgs, config, ... }:
-
-{
-  system.autoUpgrade = {
-    enable = true;
-    dates = "12:00";
-    # might need to move this into the configuration of `birne`?
-    allowReboot = true;
-  };
-}

modules/ftp.nix

@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+let
+  domain = "ftp.${config.fsr.domain}";
+in
+{
+  services.nginx.virtualHosts."${domain}" = {
+    enableACME = true;
+    forceSSL = true;
+    root = "/srv/ftp";
+    extraConfig = ''
+      autoindex on;
+    '';
+    locations."~/(klausuren|uebungen|skripte|abschlussarbeiten)".extraConfig = ''
+      allow 141.30.0.0/16;
+      allow 141.76.0.0/16;
+      allow 172.16.0.0/16;
+      deny all;
+    '';
+
+  };
+}

modules/keycloak.nix

@@ -1,64 +0,0 @@
-{ pkgs, config, lib, ... }: {
-
-  sops.secrets.postgres_keycloak = {
-    owner = config.systemd.services.keycloak.serviceConfig.User;
-    group = "keycloak";
-  };
-
-  users.users.keycloak = {
-    name = "keycloak";
-    isSystemUser = true;
-    group = "keycloak";
-  };
-
-  users.groups.keycloak = {
-    name = "keycloak";
-    members = [ "keycloak" ];
-  };
-
-  services = {
-    keycloak = {
-      enable = true;
-
-      settings = {
-        hostname = "keycloak.quitte.tassilo-tanneberger.de";
-        http-host = "127.0.0.1";
-        http-port = 8000;
-        https-port = 8001;
-        proxy = "edge";
-      };
-
-      database = {
-        username = "keycloak";
-        type = "postgresql";
-        passwordFile = config.sops.secrets.postgres_keycloak.path;
-        name = "keycloak";
-        host = "localhost";
-        createLocally = true;
-      };
-    };
-    postgresql = {
-      enable = true;
-    };
-    nginx = {
-      enable = true;
-      recommendedProxySettings = true;
-      virtualHosts = {
-        "${config.services.keycloak.settings.hostname}" = {
-          enableACME = true;
-          forceSSL = true;
-          http2 = true;
-          locations = {
-            "/" =
-              let
-                cfg = config.services.keycloak.settings;
-              in
-              {
-                proxyPass = "http://${cfg.http-host}:${toString cfg.http-port}";
-              };
-          };
-        };
-      };
-    };
-  };
-}

modules/ldap.nix

@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, pkgs, ... }:
 let
   domain = "auth.${config.fsr.domain}";
 
@@ -89,6 +89,29 @@ in
       daemon.enable = true;
     };
 
+  security.pam.services.sshd.text = ''
+    # Account management.
+    account sufficient ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
+    account required pam_unix.so
+
+    # Authentication management.
+    auth sufficient pam_unix.so  likeauth try_first_pass
+    auth sufficient ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so use_first_pass
+    auth required pam_deny.so
+
+    # Password management.
+    password sufficient pam_unix.so nullok sha512
+    password sufficient ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
+
+    # Session management.
+    session required pam_env.so conffile=/etc/pam/environment readenv=0
+    session required pam_unix.so
+    session required pam_loginuid.so
+    session optional pam_mkhomedir.so
+    session optional ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
+    session optional ${pkgs.systemd}/lib/security/pam_systemd.so
+
+  '';
 
   services.nginx = {
     enable = true;

modules/mail.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
   hostname = "mail.${config.fsr.domain}";
   domain = config.fsr.domain;
@@ -6,7 +6,9 @@ let
   # brauchen wir das überhaupt?
   #ldap-aliases = pkgs.writeText "ldap-aliases.cf" ''
   #server_host = ldap://localhost
-  #search_base = ou=mail, dc=ifsr, dc=de
+  #search_base = dc=ifsr, dc=de
+  #query_filter = (&(objectClass=posixAccount)(uid=%n))
+  #result_attribute=mail
   #'';
   dovecot-ldap-args = pkgs.writeText "ldap-args" ''
     uris = ldap://localhost
@@ -17,8 +19,8 @@ let
     ldap_version = 3
     scope = subtree
     base = dc=ifsr, dc=de
-    user_filter = (&(objectClass=posixAccount)(uid=%n))
-    pass_filter = (&(objectClass=posixAccount)(uid=%n))
+    user_filter = (&(objectClass=posixAccount)(mail=%u))
+    pass_filter = (&(objectClass=posixAccount)(mail=%u))
   '';
 in
 {
@@ -26,33 +28,85 @@ in
   sops.secrets."dovecot_ldap_search".owner = config.services.dovecot2.user;
 
   networking.firewall.allowedTCPPorts = [ 25 465 993 ];
+  users.users.postfix.extraGroups = [ "opendkim" ];
 
   services = {
     postfix = {
       enable = true;
+      enableSubmissions = true;
       hostname = "${hostname}";
       domain = "${domain}";
-      relayHost = "";
       origin = "${domain}";
       destination = [ "${hostname}" "${domain}" "localhost" ];
+      networks = [ "127.0.0.1" "141.30.30.169" ];
       sslCert = "/var/lib/acme/${hostname}/fullchain.pem";
       sslKey = "/var/lib/acme/${hostname}/key.pem";
+      extraAliases = ''
+        # Taken from kaki, maybe we can throw out some at some point
+        # General redirections for pseudo accounts
+        bin:            root
+        daemon:         root
+        named:          root
+        nobody:         root
+        uucp:           root
+        www:            root
+        ftp-bugs:       root
+        postfix:        root
+
+        # Well-known aliases
+        manager:        root
+        dumper:         root
+        operator:       root
+        abuse:          postmaster
+
+        # trap decode to catch security attacks
+        decode:         root
+      '';
       config = {
+        home_mailbox = "Maildir/";
+        smtp_use_tls = true;
+        smtp_tls_security_level = "encrypt";
+        smtpd_use_tls = true;
+        smtpd_tls_security_level = lib.mkForce "encrypt";
+        smtpd_tls_auth_only = true;
+        smtpd_tls_protocols = [
+          "!SSLv2"
+          "!SSLv3"
+          "!TLSv1"
+          "!TLSv1.1"
+        ];
         smtpd_recipient_restrictions = [
-          "reject_unauth_destination"
           "permit_sasl_authenticated"
           "permit_mynetworks"
+          "reject_unauth_destination"
+          "reject_non_fqdn_hostname"
+          "reject_non_fqdn_sender"
+          "reject_non_fqdn_recipient"
+          "reject_unknown_sender_domain"
+          "reject_unknown_recipient_domain"
+          "reject_unauth_destination"
+          "reject_unauth_pipelining"
+          "reject_invalid_hostname"
+        ];
+        smtpd_relay_restrictions = [
+          "permit_sasl_authenticated"
+          "permit_mynetworks"
+          "reject_unauth_destination"
         ];
         #alias_maps = [ "ldap:${ldap-aliases}" ];
+        smtpd_milters = [ "local:/run/opendkim/opendkim.sock" ];
+        non_smtpd_milters = [ "local:/var/run/opendkim/opendkim.sock" ];
         smtpd_sasl_auth_enable = true;
         smtpd_sasl_path = "/var/lib/postfix/auth";
-        virtual_mailbox_base = "/var/mail";
+        smtpd_sasl_type = "dovecot";
+        # virtual_mailbox_base = "/var/mail";
       };
     };
     dovecot2 = {
       enable = true;
       enableImap = true;
       enableQuota = false;
+      mailLocation = "maildir:~/Maildir";
       sslServerCert = "/var/lib/acme/${hostname}/fullchain.pem";
       sslServerKey = "/var/lib/acme/${hostname}/key.pem";
       mailboxes = {
@@ -74,7 +128,6 @@ in
         };
       };
       extraConfig = ''
-        mail_location = maildir:/var/mail/%u
         passdb {
           driver = ldap
           args = ${dovecot-ldap-args}
@@ -92,6 +145,14 @@ in
         }
       '';
     };
+    opendkim = {
+      enable = true;
+      domains = "csl:${config.fsr.domain}";
+      selector = config.networking.hostName;
+      configFile = pkgs.writeText "opendkim-config" ''
+        UMask                   0117
+      '';
+    };
     rspamd = {
       enable = true;
       postfix.enable = true;
@@ -101,12 +162,6 @@ in
           read_servers = "127.0.0.1";
           write_servers = "127.0.0.1";
         '';
-        "dkim_signing.conf".text = ''
-          path = "/var/lib/rspamd/dkim/$domain.$selector.key";
-          selector = "quitte";
-          sign_authenticated = true;
-          use_domain = "header";
-        '';
       };
     };
     redis = {
@@ -140,27 +195,3 @@ in
     };
   };
 }
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-

modules/nginx.nix

@@ -1,6 +1,23 @@
 { config, pkgs, ... }:
 {
-  services.nginx.enable = true;
+  services.nginx = {
+    enable = true;
+    appendHttpConfig = ''
+      map $remote_addr $remote_addr_anon {
+               ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.0;
+               ~(?P<ip>[^:]+:[^:]+):       $ip::;
+               # IP addresses to not anonymize
+               127.0.0.1                   $remote_addr;
+               ::1                         $remote_addr;
+               default                     0.0.0.0;
+      }
+      log_format  anon_ip   '$remote_addr_anon - $remote_user [$time_local] "$request" '
+                            '$status $body_bytes_sent "$http_referer" '
+                            '"$http_user_agent" "$http_x_forwarded_for"';
+
+      access_log  /var/log/nginx/access.log  anon_ip;
+    '';
+  };
   security.acme = {
     acceptTerms = true;
     defaults = {

modules/printing.nix

@@ -1,36 +0,0 @@
-{ pkgs, config, ... }:
-
-{
-  # Enable CUPS to print documents.
-  services = {
-    printing.enable = true;
-    printing.drivers = with pkgs; [
-      gutenprint
-      gutenprintBin
-      hplip
-      hplipWithPlugin
-    ];
-    avahi.enable = true;
-  };
-
-  environment.systemPackages = with pkgs; [
-    gnome.gnome-control-center
-  ];
-  # set up Heiko
-  hardware.printers.ensurePrinters = [
-    {
-      description = "Drucker im FSR Buero";
-      deviceUri = "dnssd://Kyocera%20ECOSYS%20M6630cidn._ipp._tcp.local/?uuid=4509a320-007e-002c-00dd-002507504ad0";
-      location = "FSR Buero";
-      model = "Kyocera ECOSYS M6630cidn KPDL";
-      name = "Heiko";
-    }
-    {
-      description = "Drucker im FSR Buero";
-      deviceUri = "dnssd://Kyocera%20ECOSYS%20M6630cidn._pdl-datastream._tcp.local/?uuid=4509a320-007e-002c-00dd-002507504ad0";
-      location = "FSR Buero";
-      model = "Kyocera ECOSYS M6630cidn KPDL";
-      name = "Heiko";
-    }
-  ];
-}

modules/wifi.nix

@@ -1,24 +0,0 @@
-#
-# Useful config 
-# https://tu-dresden.de/zih/dienste/service-katalog/arbeitsumgebung/zugang_datennetz/wlan-eduroam
-# https://www.stura.htw-dresden.de/stura/ref/hopo/dk/nachrichten/eduroam-meets-nixos
-#
-{ pkgs, config, ... }:
-let
-  password = "$(${pkgs.coreutils}/bin/cat /run/secrets/fsr_wifi_psk)";
-in
-{
-  networking = {
-    wireless = {
-      enable = true;
-      networks = {
-        "FSR" = {
-          priority = 10;
-          pskRaw = "9dbdf08e1205b1167a812a35cfac4b49a86e155eec707bd47f4d06d829e7d168";
-        };
-      };
-    };
-  };
-}
-
-

secrets/birne.test.yaml

@@ -1,43 +0,0 @@
-fsr_wifi: ENC[AES256_GCM,data:CD0ge6d5+gc=,iv:yuWfwwGm2HOKvMQQ9lF4TFOqvCU2z06sqS+pzhCFhfY=,tag:1+8MwcPUGgtcdXvTNAuR5g==,type:str]
-fsr_wifi_psk: ENC[AES256_GCM,data:uwq/nkKm9eDdMxUJMQ==,iv:q9mzhfkPBM1oTQN69tSEiQmf3hYZ4pGJEqjVEjU//FI=,tag:g0p+S2jlkAT0jY5hBRKuXw==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1925katzy5gws3f9hnvnlwspu6trxf488arwt6ayw3urg2mgumqhszxnmqh
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySHgvQThoSmpXOUc1a3lN
-            dXR6ZElYYlppOXNISXM0bURxQjdIU3pDL2wwCmNoT0pYTEdubWh3eFc3VzVwdnR3
-            TU5CbFlBTWxYaHRjamUzamIzQ1VnbFEKLS0tIDVUSEVtKzh1aVp1ekxVd2xRWHVo
-            dEExQkJySmo5eGtEdXVvd1FFVVhpdFUKNx1FXti0qWKDRYM6wsIUceXbjzra5ezc
-            0fNI2r7qnVQ1QghtKnibwMUR1q4/DphKEm4eX4e6q+jfHleHCSk6+g==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-03-05T13:53:02Z"
-    mac: ENC[AES256_GCM,data:ZpEk+wpGQz2ul+Me6i45wXkzvuxzwkibLcljBs2KjTAgjH6F4q1JyXuY271JD95A5HgEvv4Atm3sbHaG+hghXy/36WSFw5jJRBwOjDrOSSAq12+UFeYjgSA2EwbvgbBdIO6VgaRLnXtobtLFG5qaVzUAvSevo6n8vBhEjSHEEJk=,iv:iZ9bJ+it3s6lB8piPeKjVy4QYzwYGUb4EUwvnCR753Q=,tag:Nveq//4C1tiwGOkeXV7a0A==,type:str]
-    pgp:
-        - created_at: "2022-03-05T13:42:43Z"
-          enc: |
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA/YLzOYaRIJJARAAvxLI7hxutYG0KDovCjpGKIZA1JyNjp1/QYLKz3QDUFsZ
-            Ykwmixkt2wjTQjn9aE66ujLiEzMDfV2VZ6ao7Ehg04fysU1WurqEB5D+hiS6SCc2
-            3DgvlPeicY+87oZin1iaqL505MzQCEVbmcar++VCdQIGUZSQvbn1Nxn3RxKjHCjm
-            RW0juiSH1FUIZdBPL9NgUEixv7KpdEBxO5JR30GxDgYMG1Xji9Y2KsBy9XP5Lhn2
-            ziuzs6vTfFTuVUdylJNkT6yVgK4V7oEkIMiVPGFYXSUWT3TNZ0qRwuk6UJYLfvnY
-            Mt0jyKyi+hRIWPQEjBmpK/siBsQGSCXsRe84g+LUtdfPbvqwdZb59qy5B65z/ku/
-            6EQIaPRkgCa5AED3gJQCbBYhvymdgl8ZZcXkVV1Ap2VgKS5o0s+CNjdiNkXdGTL/
-            NdE7kehGJCtsHUVGs2I8TfLg/uVgJTKEodTq8eLu8WhVkNKzk9aFBCfHKYtkXBIi
-            ZIXUHNbPtXDL4aHgOTuTYjWM8bhW0pdnkGX7daqPsfNqgR9hzOo3TzoR3DRDK91w
-            cvUZ9hApYJ0OVxuPa38JGiYn3826iSSRK8qPjAndE4HhYgT/lZvu8/vZAW6EF/yH
-            8exruofMHNBNNdotkYDnyaFO6C+00SMcTUkG49vRqQKwrBygAoPLEKQhDBgczcnU
-            aAEJAhBWRVtwhCZtQV1MCl5u0IbSlxQiIH93FrdTfbJQdKM+LFlwkXOngO4blGOi
-            1tQbkiyLzIio+yoyfvbXZOIeMkLA3GynsKtxjnYYipXkuv3LP5BvZiH+bzG9jPW4
-            jXrR59MZPJLY
-            =hWOx
-            -----END PGP MESSAGE-----
-          fp: 91EBE87016391323642A6803B966009D57E69CC6
-    unencrypted_suffix: _unencrypted
-    version: 3.7.1

secrets/birne.yaml

@@ -1,43 +0,0 @@
-fsr_wifi: ENC[AES256_GCM,data:nzfwY2UygQSdboRvfDxVSrUE+WLBJLYBLw==,iv:yR3lCbyUSg97+MnuwUkXEsHtSGuYOPYRgvW/YZYDhv0=,tag:eN/lqD1BetqnFDAFJE6D2g==,type:str]
-fsr_wifi_psk: ENC[AES256_GCM,data:A1Z809FJ0fUd93QcX5NNnfVxyzUZMuPGC6Hu4M9LpRoMOTrMcRPMDaR0N+cgmV7rnjYvzm4gTSTEcnqsnLGyNA==,iv:WMs3/I3SEDJwcpyqclCfxKcx61m/6BcwbGaGS4I4a5s=,tag:oYG8M3NQ2lkcUGr2K5YUEg==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1jyxk2z69pm8hpz5zlf5lh05vrws2sprum3ucx2xjpq8efctcfdaq0jhs3w
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQXByc2lJWnQ0Rm1Wb1V5
-            aVFaY0cwcnVlUFRKNGNYYjJjMnB5NVlkendRCkxJZ0JILzVvbDZRNzlYaWtEREJr
-            VmYzaUNiU0VmTkZzckhJeS84OU5TUkUKLS0tIG5qTnVtbHV3TWh0cW4xYlJiV0Ji
-            MFQrNkJxUUVFSStPenM4Tmx6dlVsSm8KQMPsuc/E89aDek3csMarrKm5qcfQKf3u
-            2ApD8dEN+L1L9bbJGAY6uNM6sXu5eTAGD7+Rc0duZIdDCg0LGFV8jw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-03-05T13:52:43Z"
-    mac: ENC[AES256_GCM,data:/uszrMeVsVlpjFyI29/Sasr8jY3/elnnbbUDmZ1+3YHzoujQRZe47VOpfOgs/XZym+jj7MZInu5Y361YalFb0ArS7GmexZA88rFvOqHPIIUuk2h1iCHLpZRafg96x737snna7L7zHNJFJLBhqcpdt0U4U6SZjXlJ9UgR96c6Agk=,iv:4kCCIhUEfc0GCzoh+3cNxB3cnn71/0jmKI1r62dYFmk=,tag:REOoImReJds8LBKZpeu78w==,type:str]
-    pgp:
-        - created_at: "2022-03-05T13:41:12Z"
-          enc: |
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA/YLzOYaRIJJAQ/+Jis1dE0ZmxKIaqJKc1itSqd09ieVJDMmei410O2VycU3
-            98YHvdrkRcG+3tLkvzebATANyHcJeefjt4uvQnMjlswX5DHm3JxNYnfOhCQNpexl
-            80Lp/0qmnCy1rd2C8/Mr9ub2frupEGeBgU4TwA1LW5X1f89NP9R7b6tBcVMyF/OW
-            +WWu2g+0yLC9rle0a5QeIkrKsmyB5+dEYOakCMunKCYXE+MS4ULkZqFxhJ8ckTo7
-            rKiR8UwzDL+iMl4zLgeNF5Uw7WH8tdHiD3thHQvzjL9++Tg4jZWdgtjdICs1ye2y
-            sUGzk0RhjXT/Q3rBwQbiivZq7s3ngBpom0co74+X6DORMN0P8WUdox7j4KUS3/oA
-            KwtyUF92dK9uJwckyN7LXho7zVTnZXV7jjupBacjr0TeHgYzP1eDhbsC6mFlWv2x
-            mHeK7hQF6VBNi1tAVlcMktbuxZRtc8P0ljFeSXRDoLJKdduIb3TKbGSsAHs1lX+n
-            CEK2kfS+V6g4CXaSsAsDqIZ75k6bJYRd8M81a1XvSAMB1fzQYDU1zrPGquggOBku
-            S0R0y0po7OwnqQ0HBgVHC8uU8hbG/EIvA1Wpw9FQnjGugi0pOoIiynqJWzttFwvq
-            XBV27Z7wumWzwij9uFt+TEy7Olulu/Vi/56tiyUNnbklwQqe1mj1m4nnu6z6v4TU
-            aAEJAhDM3iZRqVMChcCd6A/btYAwNnZrJNzxj+BIV5/+sAk3wjqc6UM7+qdBuzsH
-            uYq+HBTcdQgpoyqtFryrjQvCsksB6O4eS62FIAKfD65HaxNYQLUYNJ4Xs3NIqroH
-            MogSWSOw4clo
-            =8/Ez
-            -----END PGP MESSAGE-----
-          fp: 91EBE87016391323642A6803B966009D57E69CC6
-    unencrypted_suffix: _unencrypted
-    version: 3.7.1