From 044326ad38df2027dd8e2dc1ce23c06827c72d78 Mon Sep 17 00:00:00 2001
From: Gonne
Date: Wed, 10 Jul 2024 22:56:46 +0200
Subject: [PATCH] First try to install Stalwart as a mail software
---
 .sops.yaml | 7 +
 flake-module.nix | 6 +
 flake.lock | 144 +++++++--
 flake.nix | 3 +
 nixos/machines/kaalut/allowlistPassKoMa.yaml | 39 +++
 .../kaalut/allowlistPassMatheball.yaml | 39 +++
 .../kaalut/allowlistPassMathebau.yaml | 39 +++
 .../kaalut/allowlistPassMathechor.yaml | 39 +++
 nixos/machines/kaalut/backupKey.yaml | 39 +++
 nixos/machines/kaalut/configuration.nix | 100 ++++++
 .../kaalut/hardware-configuration.nix | 30 ++
 nixos/machines/kaalut/koma.aliases.yaml | 39 +++
 nixos/machines/kaalut/mailForwardSieve.yaml | 39 +++
 nixos/machines/kaalut/mathebau.aliases.yaml | 39 +++
 nixos/machines/kaalut/mathechor.aliases.yaml | 39 +++
 nixos/machines/kaalut/stalwartAdmin.yaml | 39 +++
 nixos/modules/borgbackup.nix | 7 +
 nixos/modules/mail.nix | 303 ++++++++++++++++++
 18 files changed, 960 insertions(+), 30 deletions(-)
 create mode 100644 nixos/machines/kaalut/allowlistPassKoMa.yaml
 create mode 100644 nixos/machines/kaalut/allowlistPassMatheball.yaml
 create mode 100644 nixos/machines/kaalut/allowlistPassMathebau.yaml
 create mode 100644 nixos/machines/kaalut/allowlistPassMathechor.yaml
 create mode 100644 nixos/machines/kaalut/backupKey.yaml
 create mode 100644 nixos/machines/kaalut/configuration.nix
 create mode 100644 nixos/machines/kaalut/hardware-configuration.nix
 create mode 100644 nixos/machines/kaalut/koma.aliases.yaml
 create mode 100644 nixos/machines/kaalut/mailForwardSieve.yaml
 create mode 100644 nixos/machines/kaalut/mathebau.aliases.yaml
 create mode 100644 nixos/machines/kaalut/mathechor.aliases.yaml
 create mode 100644 nixos/machines/kaalut/stalwartAdmin.yaml
 create mode 100644 nixos/modules/mail.nix
diff --git a/.sops.yaml b/.sops.yaml
index bc5cfc6..5bfb457 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -5,6 +5,7 @@ keys: - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4 - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn + - &kaalut age1cwypena442n7kmlk6v7mazfskkswsaqu2y3cp5nuaq0he6hm9ugqvskhs3 creation_rules: - path_regex: nixos/machines/nyarlathotep/.* @@ -25,6 +26,12 @@ creation_rules: - *nerf - *gonne - *lobon + - path_regex: nixos/machines/kaalut/.* + key_groups: + - age: + - *nerf + - *gonne + - *kaalut # this is the catchall clause if nothing above machtes. Encrypt to users but not # to machines - key_groups: diff --git a/flake-module.nix b/flake-module.nix index c30fff4..7bc32ef 100644 --- a/flake-module.nix +++ b/flake-module.nix @@ -53,6 +53,12 @@ _module.args.pkgs = import inputs.nixpkgs { inherit system; config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"]; + + overlays = [ + (_: _: { + alias-to-sieve = inputs.alias-to-sieve.packages.x86_64-linux.default; # add custom package to convert alias files to sieve scripts on the stalwart machine + }) + ]; }; }; diff --git a/flake.lock b/flake.lock index 846ad85..f27f9ee 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,25 @@ { "nodes": { + "alias-to-sieve": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": "nixpkgs", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1732282930, + "narHash": "sha256-hC3qssnwZ9buK61th2x/C+DEQ2yUws+5zLA5Ql7Xtvs=", + "ref": "refs/heads/main", + "rev": "eef3728818c02aa6ba107825bdf45a88a544561e", + "revCount": 12, + "type": "git", + "url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve" + }, + "original": { + "type": "git", + "url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve" + } + }, "blobs": { "flake": false, "locked": { 
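Review bot: The `&kaalut` recipient added to `.sops.yaml` (`age1cwypena…`) is not among the `recipient:` entries of any `nixos/machines/kaalut/*.yaml` file added later in this patch; those all list `age1rasjnr…`, `age1epz92k…` and `age1dhzuge…`. The `nerf` and `gonne` anchors are defined outside this hunk, so two of the three are presumably theirs, which leaves a third recipient that is not the key declared here. If that is the case, the host cannot decrypt its secrets with the declared key while a key missing from `.sops.yaml` still can. Re-running `sops updatekeys` on each file would bring the recipients in line with the new `path_regex: nixos/machines/kaalut/.*` rule.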
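Review bot: In `flake-module.nix` the overlay hard-codes `inputs.alias-to-sieve.packages.x86_64-linux.default` although `system` is already in scope (`inherit system;` just above), so any other `system` this block is evaluated for would still receive the x86_64 build. Writing `alias-to-sieve = inputs.alias-to-sieve.packages.${system}.default;` keeps the overlay consistent with the `pkgs` it is applied to. The enclosing `_module.args.pkgs` definition begins outside the hunk.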
@@ -21,11 +41,29 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1727826117, - "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_2" + }, + "locked": { + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", "type": "github" }, "original": { @@ -35,11 +73,11 @@ }, "impermanence": { "locked": { - "lastModified": 1729068498, - "narHash": "sha256-C2sGRJl1EmBq0nO98TNd4cbUy20ABSgnHWXLIJQWRFA=", + "lastModified": 1731242966, + "narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=", "owner": "nix-community", "repo": "impermanence", - "rev": "e337457502571b23e449bf42153d7faa10c0a562", + "rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a", "type": "github" }, "original": { @@ -71,15 +109,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1729665710, - "narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=", - "owner": "NixOS", + "lastModified": 1732014248, + "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d", + "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", "type": "github" }, "original": { - "owner": "NixOS", + "owner": "nixos", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" 
@@ -102,28 +140,56 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1727825735, - "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", + "lastModified": 1730504152, + "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" } }, - "nixpkgs-stable": { + "nixpkgs-lib_2": { "locked": { - "lastModified": 1729357638, - "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=", + "lastModified": 1730504152, + "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1728538411, + "narHash": "sha256-f0SBJz1eZ2yOuKUr5CA9BHULGXVSn6miBuUWdTyhUhU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22", + "rev": "b69de56fac8c2b6f8fd27f2eca01dcda8e0a4221", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-24.05", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1732014248, + "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": 
"github" } @@ -136,11 +202,11 @@ "nixpkgs-stable": [] }, "locked": { - "lastModified": 1729104314, - "narHash": "sha256-pZRZsq5oCdJt3upZIU4aslS9XwFJ+/nVtALHIciX/BI=", + "lastModified": 1732021966, + "narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "3c3e88f0f544d6bb54329832616af7eb971b6be6", + "rev": "3308484d1a443fc5bc92012435d79e80458fe43c", "type": "github" }, "original": { @@ -151,27 +217,45 @@ }, "root": { "inputs": { - "flake-parts": "flake-parts", + "alias-to-sieve": "alias-to-sieve", + "flake-parts": "flake-parts_2", "impermanence": "impermanence", "nixos-mailserver": "nixos-mailserver", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_3", "pre-commit-hooks": "pre-commit-hooks", "sops-nix": "sops-nix" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1732242723, + "narHash": "sha256-NWI8csIK0ujFlFuEXKnoc+7hWoCiEtINK9r48LUUMeU=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "a229311fcb45b88a95fdfa5cecd8349c809a272a", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" + ] }, "locked": { - "lastModified": 1729931925, - "narHash": "sha256-3tjYImjVzsSM4sU+wTySF94Yop1spI/XomMBEpljKvQ=", + "lastModified": 1732186149, + "narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=", "owner": "Mic92", "repo": "sops-nix", - "rev": "b2211d1a537136cc1d0d5c0af391e8712016b34e", + "rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index b4b5593..2e6f161 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,6 +2,9 @@ description = "Description for the project"; inputs = { + alias-to-sieve = { + url = "git+https://gitea.mathebau.de/fachschaft/alias_to_sieve"; + }; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixos-mailserver = { url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git"; diff --git a/nixos/machines/kaalut/allowlistPassKoMa.yaml b/nixos/machines/kaalut/allowlistPassKoMa.yaml new file mode 100644 index 0000000..a1a109c --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassKoMa.yaml 
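Review bot: The new `alias-to-sieve` input in `flake.nix` declares no `follows`, and `flake.lock` in this patch accordingly gains separate `nixpkgs`, `flake-parts` and `rust-overlay` nodes for it, each a further pinned source tree to fetch and review on every lock update. If the package builds against the repository's own nixpkgs, adding `inputs.nixpkgs.follows = "nixpkgs";` (and likewise for `flake-parts`) inside the `alias-to-sieve` block would remove the duplicates. The `inputs` set continues past the end of the hunk.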
@@ -0,0 +1,39 @@ +allowlistPassKoMa: ENC[AES256_GCM,data:wsb7LkqKlYBs7wFI3B8kN/8=,iv:NrYRh0dxtFE24z3w0oqTZIsObdNArK6XT5jUmtDZMDM=,tag:A9xsxsL1pdhFjVHbpYLSbw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv + dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo + TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy + MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK + wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm + THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds + M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG + WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr + hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4 + My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG + VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5 + VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui + uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T08:39:10Z" + mac: 
ENC[AES256_GCM,data:Li4aT/YxpbiH2Y3rlGzaJxRv84KElKYt0a8ggnmdzhNBHMRYuBGLrUZWCEFnLcJ3mwyNN3tVpRzNN+iHFpMu5FTdfnTyhXOQ7S46WJMKFSVRqKkRS876GN/UhDMdQnQ7NfcwADgkXwrv3BZKaDJuYNRKwJaYOU6DKGf59verguw=,iv:ETnAQF78r7UAYHh7BP5Hc09PV6KyCDRXQnplTThBt7w=,tag:9ZSSEqU8iMFSRFjITN5d7Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/allowlistPassMatheball.yaml b/nixos/machines/kaalut/allowlistPassMatheball.yaml new file mode 100644 index 0000000..ac08c8a --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMatheball.yaml 
@@ -0,0 +1,39 @@ +allowlistPassMatheball: ENC[AES256_GCM,data:5bAT8zsYuvgc,iv:6ftGMZ36jfTawjxH2CFxefBmBVWJJ+26+HMpGU4tAJ8=,tag:qG6o6L9/zu15nsyTakFCiw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv + dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo + TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy + MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK + wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm + THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds + M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG + WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr + hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4 + My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG + VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5 + VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui + uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T08:39:13Z" + mac: 
ENC[AES256_GCM,data:VD+pb41S20hXLIn0IhVp3cuSB26D+DVXitrGG6/caVsK4Q1GLqh5kpsI3y9UKog3N0hl2qE1+uDWOkdQHrdVFUSBplxraP2dHCKjlU4lPz5nsprW8SA8TQrPrDEsX0aL+xKRDQMracmCskZcujaNsaqjPP3Uvw9e2vWekYdF3l0=,iv:qLUl8D1DDdPCWscELmjE75MfMwr1a7gAEFJka5lpGE8=,tag:W0//60tpXNQwPM1qV4VNrQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/allowlistPassMathebau.yaml b/nixos/machines/kaalut/allowlistPassMathebau.yaml new file mode 100644 index 0000000..b1d89fb --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMathebau.yaml 
@@ -0,0 +1,39 @@ +allowlistPassMathebau: ENC[AES256_GCM,data:SPnAybYbTz3/,iv:dGf5kD5xqtQGuOgEwn51ZxIG4isUVPwjKM8Fkk4jzIU=,tag:MY+WnD6NCR0RjaHXPlYArQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv + dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo + TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy + MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK + wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm + THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds + M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG + WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr + hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4 + My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG + VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5 + VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui + uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T08:39:15Z" + mac: 
ENC[AES256_GCM,data:o9CWiR+010tZ8W+p+u0fy1wgE+ZgJYH4O4U7KLYjHQ7GPMOqViKVVw5DuWEHF/7uI8zhpMsMMRwUJmFas13uwdF0ckq/VMP1d0o31wOK8iJ0EudXMf9GQRH1KncOuQryDZ6CZKRKa/heNa5nn0pf5e0VfHq8S/h2YjBIl5zSbWY=,iv:5wd271XH9qrTbJgIPHu/33HQaU/tAMuf+ZGK5mnzv7M=,tag:42nXpz99MI+UnKC5QNWnhQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/allowlistPassMathechor.yaml b/nixos/machines/kaalut/allowlistPassMathechor.yaml new file mode 100644 index 0000000..c93691f --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMathechor.yaml 
@@ -0,0 +1,39 @@ +allowlistPassMathechor: ENC[AES256_GCM,data:ll8NF4oldTUr,iv:WQYXNliuIEsZNRBvMC0OQmXER3sAUfcaLtdLQvaLLpY=,tag:Is2bj5c2PLUkztMvYdf+Ew==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv + dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo + TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy + MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK + wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm + THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds + M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG + WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr + hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4 + My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG + VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5 + VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui + uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T08:39:18Z" + mac: 
ENC[AES256_GCM,data:/KX/ck4aj/dtKl9LaFIfRBi6HbSJ4IEIPDTqlpwH0zfcm37yQPIUZEV4IS4cNqrQ7TZIkSFdE+f30PQbrF81yJ3vgtyvDRCm3IbUZM3SSsEeLvwTmpmU67bR0+bzXOFMYWbIJYZWM9Ucg/nzikRqKCvtSeSjvQOGd21cmwXPhEc=,iv:Os5YJWp3WBCfPPzG7pWAbLoXZPC3cGdYzRFy5OIJO2o=,tag:+f8bdCM8zMguOXhXDMupNQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/backupKey.yaml b/nixos/machines/kaalut/backupKey.yaml new file mode 100644 index 0000000..bff3087 --- /dev/null +++ b/nixos/machines/kaalut/backupKey.yaml 
@@ -0,0 +1,39 @@ +backupKey: ENC[AES256_GCM,data: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,iv:y2iDW/i4D46mE9f6MuTg91jPDi6L8YEpChIZPi0G9e0=,tag:2al2b0qk8WK6QfoVXNotxQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFMkU2WlF3U2UzQTJ2QWxN + Yyt3OTVYN3NubWlubUkySjVVdStWT1hhdDNJCjU3UVM5RTF6d2dtbWo2RUN5Z2Ju + WE5SR1lTclkxSnROeUpZWWZ3c1JYUVEKLS0tIGhWTngrc2pvRS9nOVhEUW9XQzVL + d2NQUG9xRXdVbjI4VTUzN2tabXNZTUUKBVEZrW1IRV2B2lNMzIdzcEbyU6j6bcLK + hUWF9UBk7oZGzgPcZ9Mv+ZzkI4wEmCTy8R1lev/ocVSRNdApZpxguw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuczB3WW5LUURHRHdCSkcz + clBXZ0RwQlpabkR4ZkhlSkJhbHd3ejJJQ3g0CjhXejB4WnM5QURlcmIzTWNETGVp + clBBNWlqZmptNkNKMEhjRUpadTlzV2cKLS0tIGFYaHJCQk9pc2xnQ2R0ejJLc1dZ + UVYxYm5LOWxnQmE2U0RGbnpHK3ZpWTgKmNuXeamFRAwwi0byKfT9KV7O9zLpQhYm + /0sewbJhOnuxSc1g55Tdle1dZYYwQqbF3WFdg4XBe37HvIyDYpWZAw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cGRDT3VMeks5ODdyT1lu + Wjc1N0dMLzMzc1N4ckJ5RE94MmdHQ2lZcXlJCktialhsWWRCbytiSHlyKzdIZTF0 + a2l3bnIyVE9RM2IrY2liRi9NYXBTK2cKLS0tIEhCYXJrTWV6cEJST2Q4WHZ6cGtT + Ty93MXkrMzNvWWZ5SUp4czlrSnpVRnMKJIH8fLwGt9KkKi9D+0OY7sYvmxj6NAHc + 00YQXOspEq4TbAxLj881jh2Kfyprxl64sDHpb2icAXzVv6wE2cI2ZQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T08:39:23Z" + mac: 
ENC[AES256_GCM,data:Ie0k2AifhYuEs5ht3J0OuLCAEw9HdNDK70BjI4PZntAWgr5iu/dqUGb5xFb8sctbpyyfM0FMI64ds0YZPXZP+HnA/HGJ+O5k3YPTthVv+mXYtw29O60r00IwI1dMiJBTyviYhVRzvQwQ1I1d1G2upoTL+oXFD3PckU9re+6dagA=,iv:hyKAy6HyggkKxXm/mGskpNPSMvi9UkMuz+WypyVU0KQ=,tag:EW73paprAOEUPX8AmuXVpA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/configuration.nix b/nixos/machines/kaalut/configuration.nix new file mode 100644 index 0000000..a49a060 --- /dev/null +++ b/nixos/machines/kaalut/configuration.nix 
@@ -0,0 +1,100 @@
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../modules/mail.nix
+ ../../roles
+ ../../roles/vm.nix
+ ../../modules/vmNetwork.nix
+ ];
+
+ # System configuration here
+ services.mathebau-mail = {
+ enable = true;
+ domains = [
+ # lists.mathebau.de is forwarded to another VM and does not need to be listed here.
+ {
+ domain = "matheball.de";
+ allowlistPass = "/run/secrets/allowlistPassMatheball";
+ }
+ {
+ domain = "mathebau.de";
+ allowlistPass = "/run/secrets/allowlistPassMathebau";
+ virt_aliases = "/run/secrets/mathebau.aliases";
+ }
+ {
+ domain = "mathechor.de";
+ allowlistPass = "/run/secrets/allowlistPassMathechor";
+ virt_aliases = "/run/secrets/mathechor.aliases";
+ }
+ {
+ domain = "koma89.tu-darmstadt.de";
+ allowlistPass = "/run/secrets/allowlistPassKoMa";
+ virt_aliases = "/run/secrets/koma.aliases";
+ }
+ ];
+ };
+
+ networking.hostName = "kaalut";
+ vmNetwork.ipv4 = "192.168.0.17";
+ system.stateVersion = "24.05";
+
+ sops.secrets = {
+ # Password for the HRZ API that gets a list of mailaddresses that we serve
+ allowlistPassMatheball = {
+ sopsFile = ./allowlistPassMatheball.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ allowlistPassMathebau = {
+ sopsFile = ./allowlistPassMathebau.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ allowlistPassMathechor = {
+ sopsFile = ./allowlistPassMathechor.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ allowlistPassKoMa = {
+ sopsFile = ./allowlistPassKoMa.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ # Virtual alias file
+ "mathebau.aliases" = {
+ sopsFile = ./mathebau.aliases.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0440";
+ };
+ "mathechor.aliases" = {
+ sopsFile = ./mathechor.aliases.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0440";
+ };
+ "koma.aliases" = {
+ sopsFile = ./koma.aliases.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0440";
+ };
+ # password for https://stalw.art/docs/auth/authorization/administrator/#fallback-administrator
+ stalwartAdmin = {
+ sopsFile = ./stalwartAdmin.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ backupKey = {
+ sopsFile = ./backupKey.yaml;
+ owner = "root";
+ group = "root";
+ mode = "0400";
+ };
+ };
+}
diff --git a/nixos/machines/kaalut/hardware-configuration.nix b/nixos/machines/kaalut/hardware-configuration.nix
new file mode 100644
index 0000000..ce7112d
--- /dev/null
+++ b/nixos/machines/kaalut/hardware-configuration.nix
@@ -0,0 +1,30 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [];
+
+ fileSystems."/" = {
+ device = "root";
+ fsType = "tmpfs";
+ options = ["size=1G" "mode=755"];
+ };
+ fileSystems."/persist" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=persist"];
+ neededForBoot = true;
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/boot";
+ fsType = "ext4";
+ };
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=nix"];
+ };
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/nixos/machines/kaalut/koma.aliases.yaml b/nixos/machines/kaalut/koma.aliases.yaml
new file mode 100644
index 0000000..96d0f3e
--- /dev/null
+++ b/nixos/machines/kaalut/koma.aliases.yaml
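Review bot: The `domains` entries in `configuration.nix` refer to secrets by literal `/run/secrets/...` strings, so a typo or a renamed `sops.secrets` entry only shows up at runtime; taking the file as `{config, ...}:` and writing `allowlistPass = config.sops.secrets.allowlistPassMatheball.path;` turns such a mismatch into an evaluation error. The three `*.aliases` secrets use `mode = "0440"` while every other secret uses `"0400"`; with owner and group both `stalwart-mail` the group bit grants nothing, so `"0400"` throughout would be consistent. `mailForwardSieve.yaml` is added by this patch but has no `sops.secrets` entry here; presumably `nixos/modules/mail.nix`, which is outside this view, declares it, and that is worth confirming.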
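Review bot: Nothing in `hardware-configuration.nix` records that `/` is a 1G tmpfs and that only `/persist`, `/nix` and `/boot` survive a reboot, which determines where the key sops-nix decrypts with and the mail store must live. A comment above `fileSystems."/"` such as `# ephemeral root: all state, including the sops decryption key, must live under /persist` would make that explicit. Whether those paths are actually persisted is configured outside this file (presumably in the imported roles), so it should be confirmed there. `pkgs` is bound in the argument set but never used.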
@@ -0,0 +1,39 @@ +koma.aliases: ENC[AES256_GCM,data:a+oGvyMf2SPxCdMjdu61TEJCYTpOHnyizQi7cSDkhHF2q9YyuuMttHBn/YzOIkZxx9CQeRQhbK1CPmknUEv4oHpYP1TFCHlRhX08g4ZRKHUxMu5u1rK0rTRLiKcHmhQeHfAoVcfRXeURY879ltGYg7mYHdeLMKK0epYb5bM4tA==,iv:1Rgjwiv2XRePmE2UzYstABvQAIaSeOW87VsV29sJUFU=,tag:JcsLDZmsE2lPwxY56ujreg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6encybXQydVFxOEExa3h2 + aklSRzljdmEvdlk0K1I4QzVrT3R0TEI3L1JBCjdCNnc4V2xWZTFoWDJBMEg2elcy + Z2U3MmdKWlNqYklUZkJMUUFVbzhOYlEKLS0tIEFYU3N2MEZCUndKa3FzMHkrRDZ4 + bmhWeUVXK1hHamwwc0VkWU9zSHdqQ0EK21CI9uabjcy/8TaYAZ2dnkEAkp0f+1cy + MWsy3gf72qhIPBcqECet1nVdsjWIqVzagSsGnvbM1qVyqWRp/56JbA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTGJjS1owL2tMeXFyY1p3 + QUxubUZid0pKUDQzMXdxN1prMkZ3L3NOalFjCnF3TzRWZ2xEd1FnZUh4WEVUUG45 + c1lnazhzanBsMEFUMmVmOVNVOFV0d0UKLS0tIGF6UWt2azU5UG9YMUthZVBsRitu + NU9XVzJXdjdSM0JZbWRoUmdmM2FRUWsKQIfAkTZ2BaN0ot9gqmVCshI5KTMHALMR + io1VeEKeyIP/Lr5r+RggCdV/YlazjSiUGJfdGgBaVF5u6ItU3UYVug== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXeE9JOE9reGdwd2lYaUZC + RkxpNG95Tkl3UWNXT0YxWkU4VkFoUGlDeVJnCnA3SDNXMGZYbXEyZ0hLcnNJQ0gv + K3l6T2dOVVIzbEt1amNoVGhGWW9vdEUKLS0tIDFrckxValhzQ216a0Q5RTNCSjBy + VHQ5SFhQRzZDTFUxTUR6N0JnV0w0aVEK13d5XK4C+qpgPRqiEo69exZu1//0HKiI + N2n2Uzaj7qoqe6rM5XWAYUZeuiqfk98q72tl0GeBt0rNb92C4Sugkw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T08:39:28Z" + mac: 
ENC[AES256_GCM,data:vK8UIeGZFUfVB3LpsvkFzYGgJSinvsWQDewKVqfAsC0yPHRBP+yCE3SXDeb01sl/ZGlw13o79AxRLBF0Z89QoljWtiWjWWgBnUBFAuURTtMmNBtpbfxgjevXJU9iZgIMAfd/DGuLE7HMLrqfzWOvuZNE9kSz//CkD9PQLorMfGI=,iv:E056ECSWlvSfe8VOQY1KAKyO1Tm3aRsYUCBy8KtLDxo=,tag:nVTmyUB3Pcvjpm1vECmZjw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/mailForwardSieve.yaml b/nixos/machines/kaalut/mailForwardSieve.yaml new file mode 100644 index 0000000..c346c29 --- /dev/null +++ b/nixos/machines/kaalut/mailForwardSieve.yaml 
@@ -0,0 +1,39 @@ +mailForwardSieve: ENC[AES256_GCM,data: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,iv:B4PggssYfBbZA+mEJOiTo8GYWSZxbl9wJIHjUlv6c2A=,tag:isO6wVZR6UOuDLGCA/tddg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoS0c2YkJ6ZkI2RUJRNUY2 + QTRZSFhZNU51L09rRk40OWhZQTZweG53bDNBCnM5Sm1MRmJxS24zV2lwQUdJc1Q2 + ZFNPU0hTaCtod3BrRDZKV3VLOUVyQVkKLS0tIDZycm52VmJsUWhaQXRJRnZ0RXJ3 + bFF0Tm1nODY2ZlRhM2JEZkRNMHU5M1UKqCZtZetF0sR0NCGbuC9OJqomaL0cDzpQ + LiEV4UmnEnBAPnQNmGUK/HZReWZe0j4pYBT8Jkyob7dvgkRTzdpJpQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZVBLblNjNjhmS2ZSTW81 + bUF1cmpSUE5JaDJFVDRTc3kvNFIrMVg3Q0NjCm5aSnU2MXNFQ1NtUnRaQ2FmOG04 + Q0UvRTJYK1ZZL3p4bzR0bnI5S2Z2ZTgKLS0tIGF4dVh4QzdRdUNKMG1leWp2UFhm + Y25tSVRaelVVQWRCcmtVRTMrSis4V2cKVbz6SVEQgAIcdVtRarZqfTaJcgxRphdd + WX6YDsdMAFg2fwKKMQy+jQhQl4OymxzhKd4Xzls7KVWMvoSQQJWUDg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeW1kcWEwYTBhQTJBMmRn + QTM2bDVnd3dxVm1HWWZPeDZzdjc5ZzVvdTN3Cit0NmtXbk96K3ZlNkNuRk5RZ2NV + R3RETmlCNGdWdk1ORGtmK0pQWVNlMjQKLS0tIHZJLzd5WHY1U1BPbjZESnA5SGdy + VVduS0lDU3hETGxtWFZ5YmFUVXQzbEEKFy3uE2yJHygr7lBBfuw1sHonaFVsVaEs + lADtRxUOGbxQumFIIYhCVC8R3ZbX569iwtFE0JyNhvcFsLYiUu2gHw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T08:39:34Z" + mac: 
ENC[AES256_GCM,data:Num40NAUnNFictwt1Nlo5cOgnLBeih7oqXxpRIvHm10bpqK3VI4oxwrPwSOXXqMIh24zYNe7vgc/laxiqI8HCQkP8InBR5iryL1326efqLrVFUkgBvwkPu1GvgwIpvn0lLRMyF8bYFmWZHN2i3k1pVgS1xtQxGecGosPwyxwO2c=,iv:cupUxpzJhmpZB43t1kFTFrTx0PSfKk5wS1xMa0owz+w=,tag:K+GhidGy66LuL7aL/T3NzA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/mathebau.aliases.yaml b/nixos/machines/kaalut/mathebau.aliases.yaml new file mode 100644 index 0000000..51461f9 --- /dev/null +++ b/nixos/machines/kaalut/mathebau.aliases.yaml 
@@ -0,0 +1,39 @@ +mathebau.aliases: ENC[AES256_GCM,data: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,iv:AoUadsxH2h6Vfx2lxFBHqrsng9sbC36q969oc8ZIWhM=,tag:1BYb/JDr2ZbH6BMgQjIGxw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoS0c2YkJ6ZkI2RUJRNUY2 + QTRZSFhZNU51L09rRk40OWhZQTZweG53bDNBCnM5Sm1MRmJxS24zV2lwQUdJc1Q2 + ZFNPU0hTaCtod3BrRDZKV3VLOUVyQVkKLS0tIDZycm52VmJsUWhaQXRJRnZ0RXJ3 + bFF0Tm1nODY2ZlRhM2JEZkRNMHU5M1UKqCZtZetF0sR0NCGbuC9OJqomaL0cDzpQ + LiEV4UmnEnBAPnQNmGUK/HZReWZe0j4pYBT8Jkyob7dvgkRTzdpJpQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZVBLblNjNjhmS2ZSTW81 + bUF1cmpSUE5JaDJFVDRTc3kvNFIrMVg3Q0NjCm5aSnU2MXNFQ1NtUnRaQ2FmOG04 + Q0UvRTJYK1ZZL3p4bzR0bnI5S2Z2ZTgKLS0tIGF4dVh4QzdRdUNKMG1leWp2UFhm + Y25tSVRaelVVQWRCcmtVRTMrSis4V2cKVbz6SVEQgAIcdVtRarZqfTaJcgxRphdd + WX6YDsdMAFg2fwKKMQy+jQhQl4OymxzhKd4Xzls7KVWMvoSQQJWUDg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeW1kcWEwYTBhQTJBMmRn + QTM2bDVnd3dxVm1HWWZPeDZzdjc5ZzVvdTN3Cit0NmtXbk96K3ZlNkNuRk5RZ2NV + R3RETmlCNGdWdk1ORGtmK0pQWVNlMjQKLS0tIHZJLzd5WHY1U1BPbjZESnA5SGdy + VVduS0lDU3hETGxtWFZ5YmFUVXQzbEEKFy3uE2yJHygr7lBBfuw1sHonaFVsVaEs + lADtRxUOGbxQumFIIYhCVC8R3ZbX569iwtFE0JyNhvcFsLYiUu2gHw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T08:39:38Z" + mac: 
ENC[AES256_GCM,data:19tRwx7AFcNm3YDVSy5luk5cHHJPcDLT6DGcq6iF0M1pbwUiik819KiorKIv9rTHk5sTbGSRAMMdP9tQx1rvpR+G0PZfdw0fbU9Qoez6KxnjOyIx9XuxnfK7TrpRH0Q2JhzoxjzvzADqsDBDKaNn3LwRuYWP6/TDIN9oW0fI/Qc=,iv:QLZgVfOTMWPYhDXYM0C+5xF5iZI30UIW6O3X3S9qyko=,tag:tXUHA1rmYlhBNUU40PZE5Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/mathechor.aliases.yaml b/nixos/machines/kaalut/mathechor.aliases.yaml new file mode 100644 index 0000000..4d9f1c5 --- /dev/null +++ b/nixos/machines/kaalut/mathechor.aliases.yaml 
@@ -0,0 +1,39 @@ +mathechor.aliases: ENC[AES256_GCM,data:jq9oLiCQmAWVcdH13YRmTvCC23dSOAsszwQEVzi1Ij125XlDgVeR1lDXjeVsubTAAd9P8LJFjliz1mL6nA5tP7QTgkygBhLqAP22bAE+L1mDNejYXki2NdOuy8HJgWElCjxFZLGrI7FU+b8zILGsNPEDKa25o3PJbd6dlQeJ7Q2s3bPQ2K/y6FC2RFjCBuGJuNAGAtC5l6ymvjKBdh70At/IZXqtk13vyHVJbMwB,iv:FsQeDq3LMH+hxKcthdQZmyPkLe7XBwiLqfB0Yt+s7r0=,tag:rKjphs1Tss2+3b5bWDzfUw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6encybXQydVFxOEExa3h2 + aklSRzljdmEvdlk0K1I4QzVrT3R0TEI3L1JBCjdCNnc4V2xWZTFoWDJBMEg2elcy + Z2U3MmdKWlNqYklUZkJMUUFVbzhOYlEKLS0tIEFYU3N2MEZCUndKa3FzMHkrRDZ4 + bmhWeUVXK1hHamwwc0VkWU9zSHdqQ0EK21CI9uabjcy/8TaYAZ2dnkEAkp0f+1cy + MWsy3gf72qhIPBcqECet1nVdsjWIqVzagSsGnvbM1qVyqWRp/56JbA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTGJjS1owL2tMeXFyY1p3 + QUxubUZid0pKUDQzMXdxN1prMkZ3L3NOalFjCnF3TzRWZ2xEd1FnZUh4WEVUUG45 + c1lnazhzanBsMEFUMmVmOVNVOFV0d0UKLS0tIGF6UWt2azU5UG9YMUthZVBsRitu + NU9XVzJXdjdSM0JZbWRoUmdmM2FRUWsKQIfAkTZ2BaN0ot9gqmVCshI5KTMHALMR + io1VeEKeyIP/Lr5r+RggCdV/YlazjSiUGJfdGgBaVF5u6ItU3UYVug== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXeE9JOE9reGdwd2lYaUZC + RkxpNG95Tkl3UWNXT0YxWkU4VkFoUGlDeVJnCnA3SDNXMGZYbXEyZ0hLcnNJQ0gv + K3l6T2dOVVIzbEt1amNoVGhGWW9vdEUKLS0tIDFrckxValhzQ216a0Q5RTNCSjBy + VHQ5SFhQRzZDTFUxTUR6N0JnV0w0aVEK13d5XK4C+qpgPRqiEo69exZu1//0HKiI + N2n2Uzaj7qoqe6rM5XWAYUZeuiqfk98q72tl0GeBt0rNb92C4Sugkw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T08:39:43Z" + mac: 
ENC[AES256_GCM,data:2tceG586ydMqiNPkPbT7ZM4+zoGslbif9TuB26Pz2ji/KsLvnOSwPsmmilNST32Nz5RYym1JGbU0uVQMzBM6uaQvYoR6vVwgC95lEnkY5nenhh3Xhy/OLtXmRdmrIXvvyxWK/2Gtspyy3HR2yFV0Gw0PY5ODPxpxtrypE2N9YmY=,iv:4d7M/LF0UVkEicXRNUDEDKUldehav60nTCS1Jh/RvwU=,tag:mLOwUSE5osUwZp/8cUqClw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/stalwartAdmin.yaml b/nixos/machines/kaalut/stalwartAdmin.yaml new file mode 100644 index 0000000..39a9064 --- /dev/null +++ b/nixos/machines/kaalut/stalwartAdmin.yaml 
@@ -0,0 +1,39 @@ +stalwartAdmin: ENC[AES256_GCM,data:lAd0XfikNLJxK5qMtrBkKdbhwZo=,iv:3H3E8JPGPg3af3doeTSD9cuq2+ZLBNK3g1cqiI1k5rw=,tag:Wa/Fsc00mxuFnzyKTQp7CQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncElOY2VuRUNzWHhCdkVr + MWJmbXNLRWpnT1NCK0pJeWpsQ0pwSVpialVJCmVzaVBRMitKRWpLOThBMGl4c2pt + U291Zk8yeFhtVWNmamxJbVF3V3NMSVEKLS0tIDR5Nmhvb2hPNUVlVU9BQnJxU0lv + L3ZvZ3VXZVdIVXJYOHkwYUR1N0dSVFkK5LRlqyJbxuKkddgO4xSNUkrAiUnrbVUt + C72CNDg4q/KQ8nQ5TP+JgKyYZQFzvKPhP7+YdfUobDaHOPnKG0cVAg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WXoweFRJME1sRzhSd1VO + bDY1QWp1aWtldEdwbHRXUGt4UmN1T1hhem4wCmQwcnBnRkFsaFVBd0FqNHNoc0ov + RTQwbFpZa0E2aVRLWGNEc2NySkcwNzAKLS0tIERrWVBSNFlQQVV1c2g1YjI4RjlR + MFJQUU94RUoxTVErVHFkYmM3TlhFcTgKHCsbj8nfFOb4eYh6IdXKL+xXWNF7JSjR + Zl0rUTXSWlf4DOGtolp9ZuYMkJ9tcDUh1Qy090lQ0+FKUdTpnreorg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBcUsrZThHZ1VCNzhOS1Iz + d1pvR3M3WHNOdUJ5c0tzYVdYT20vYmF5Y2cwCmQ1ejRuMGxIS2U3NGdMOTFuN21H + VXgveWc0SE5TVlgzV1lieVZpRTN5SXMKLS0tIGlxSHVUMEh4R0pUekRGeGRjejdi + dEg0V01PdWpNdUxmN1RzQVZjdTlMSkEKdT7VEl5kIRyNY1KwWShuvyIZkyT+KlHs + JbhcFJznJNkn13G+SuPaLQ/WxpuO1MxDCeKnya/vuNw3sSu74nSWrg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T08:39:45Z" + mac: 
ENC[AES256_GCM,data:GGDnb19XQPXR3Apzn9oDFH03NjU9LR0HCHgtjLErJbmHZJl6wAmjST79cDpaDSWKtdT4KPrJLXCuRt1a/LbmqmTzegsfXsfmq881WwFJ1pyyrK9Z9kVxdNeXmb3GyGU7Mrg929O3V2xRhXgpTaOxNCWPWtZPITOE561sU8X0eb8=,iv:LNPIpNGWAP5VvFnLBAf8MPwMNfjwz1veazvlIw4r8JA=,tag:h4SAW6uIHpeRfYKLVSRPkA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1
diff --git a/nixos/modules/borgbackup.nix b/nixos/modules/borgbackup.nix
index b552c8b..9889238 100644
--- a/nixos/modules/borgbackup.nix
+++ b/nixos/modules/borgbackup.nix
@@ -76,6 +76,13 @@ in {
 path = "/var/lib/backups/ithaqua";
 allowSubRepos = true;
 };
+ kaalut = {
+ authorizedKeysAppendOnly = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcAJkEXcvrDEQf1zRhBXLe1CSHOTooM3qy0KMfS9oug Kaalut Backup"
+ ];
+ path = "/var/lib/backups/kaalut";
+ allowSubRepos = true;
+ };
 lobon = {
 authorizedKeysAppendOnly = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEptjf1UWRlo6DG9alAIRwkSDUAVHwDKkHC6/DeYKzi Lobon Backup"
diff --git a/nixos/modules/mail.nix b/nixos/modules/mail.nix
new file mode 100644
index 0000000..5217141
--- /dev/null
+++ b/nixos/modules/mail.nix
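Review bot: In nixos/modules/borgbackup.nix the new repository directory is spelled `kaalut` (`path = "/var/lib/backups/kaalut"`), while the backup job this patch adds in nixos/modules/mail.nix targets `repo = "borg@192.168.1.11:kaluut"`. If `allowSubRepos = true` lets that relative name resolve beneath this path, the job would still run, but the backups would land in a differently spelled sub-repository, which looks unintended and is easy to miss during a restore. Using `kaalut` in both places would remove the ambiguity. The enclosing attribute set starts and ends outside this hunk.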
@@ -0,0 +1,303 @@
+/*
+* Building: For some reason, stalwart is not served by cache.nixos.org and thus needs to be built locally.
+* Be aware that this needs some hours, about 12Gb RAM and a few Gb free space in /tmp.
+* Forwarding mails: Update the Sops-secrets in the machine directory, rebuild and deploy.
+* Everything else should happen automatically but new redirects might take up to two hours due HRZ infrastructure.
+* Using the web admin interface: Set your SSH to do portforwarding of some local port to port 80 of the VM and
+* and use your personal admin account or create one using the fallback admin password.
+* Create users with mail boxes: Go to the admin interface and create them.
+* Stalwart mailserver docs can be found at https://stalw.art/docs
+*/
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit
+ (lib)
+ mkIf
+ mkEnableOption
+ mkOption
+ ;
+ inherit (lib.types) listOf str;
+ cfg = config.services.mathebau-mail;
+in {
+ options.services.mathebau-mail = {
+ enable = mkEnableOption "mathebau mail service";
+ domains = mkOption {
+ type = listOf (lib.types.submodule {
+ options = {
+ domain = mkOption {
+ type = str;
+ };
+ allowlistPass = mkOption {
+ # Password for the HRZ API that gets a list of mailaddresses that we serve
+ type = str;
+ };
+ virt_aliases = mkOption {
+ type = str;
+ default = "";
+ };
+ };
+ });
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [pkgs.alias-to-sieve]; # install converter from alias files to sieve scripts
+
+ services = {
+ stalwart-mail = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ server = {
+ lookup.default.hostname = "fb04184.mathematik.tu-darmstadt.de"; # Because the DNS PTR of 130.83.2.184 is this and this should be used in SMTP EHLO.
+ listener = {
+ "smtp" = {
+ bind = ["[::]:25"];
+ protocol = "smtp";
+ };
+ "submissions" = {
+ # Enabling sending from these domains privately blocked on https://github.com/stalwartlabs/mail-server/issues/618
+ bind = ["[::]:465"];
+ protocol = "smtp";
+ tls.implicit = true;
+ };
+ "imaptls" = {
+ bind = ["[::]:993"];
+ protocol = "imap";
+ tls.implicit = true;
+ };
+ "management" = {
+ bind = ["[::]:80"]; # This must also bind publically for ACME to work.
+ protocol = "http";
+ };
+ };
+ };
+ acme.letsencrypt = {
+ directory = "https://acme-v02.api.letsencrypt.org/directory"; # This setting is necessary for this block to be activated
+ challenge = "http-01";
+ contact = ["root@mathebau.de"];
+ domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"];
+ default = true;
+ };
+ spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding
+ auth = {
+ # TODO check if HRZ conforms to these standards and we can validate them strictly
+ dkim.verify = "relaxed";
+ arc.verify = "relaxed";
+ dmarc.verify = "relaxed";
+ iprev.verify = "relaxed";
+ spf.verify.ehlo = "relaxed";
+ spf.verify.mail-from = "relaxed";
+ };
+
+ # Forward outgoing mail to HRZ or mail VMs.
+ # see https://stalw.art/docs/smtp/outbound/routing/ relay host example
+ queue.outbound = {
+ next-hop = [
+ {
+ "if" = "rcpt_domain = 'lists.mathebau.de'";
+ "then" = "'mailman'";
+ }
+ {
+ "if" = "is_local_domain('', rcpt_domain)";
+ "then" = "'local'";
+ }
+ {"else" = "'hrz'";}
+ ];
+ tls = {
+ mta-sts = "disable";
+ dane = "disable";
+ starttls = "optional"; # e.g. Lobon does not offer starttls
+ };
+ };
+ remote."hrz" = {
+ address = "mailout.hrz.tu-darmstadt.de";
+ port = 25;
+ protocol = "smtp";
+ tls.implicit = false; # somehow this is needed here
+ };
+ remote."mailman" = {
+ address = "lobon.mathebau.de"; # must be created in DNS as a MX record because this field does not accept ip addresses.
+ port = 25;
+ protocol = "smtp";
+ tls.implicit = false; # somehow this is needed here
+ };
+
+ session.rcpt = {
+ # In order to accept mail that we only forward
+ # without having to generate an account.
+ # Invalid addresses are filtered by DFN beforehand.
+ catch-all = true;
+ relay = [
+ {
+ "if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de'";
+ "then" = true;
+ }
+ {"else" = false;}
+ ];
+ };
+ config.local-keys =
+ [
+ "store.*"
+ "directory.*"
+ "tracer.*"
+ "server.*"
+ "!server.blocked-ip.*"
+ "authentication.fallback-admin.*"
+ "cluster.node-id"
+ "storage.data"
+ "storage.blob"
+ "storage.lookup"
+ "storage.fts"
+ "storage.directory"
+ "lookup.default.hostname"
+ "certificate.*"
+ ] # the default ones
+ ++ ["sieve.trusted.scripts.*"]; #for macros to be able to include our redirection script
+ sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script
+ session.data.script = "'redirects'";
+
+ authentication.fallback-admin = {
+ user = "admin";
+ secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg"; # see machine secret for plaintext
+ };
+ tracer.stdout.level = "debug";
+ };
+ };
+ };
+ environment.persistence.${config.impermanence.name} = {
+ directories = [
+ "/var/lib/stalwart-mail"
+ ];
+ files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
+ };
+
+ # Update HRZ allowlist
+ # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
+ # will stop working if no valid TUIDs are associated to our domain.
+ systemd = {
+ timers."mailAllowlist" = {
+ wantedBy = ["timers.target"];
+ timerConfig = {
+ OnBootSec = "1h"; # Run every 5 minutes
+ OnUnitActiveSec = "1h";
+ RandomizedDelaySec = "10m"; # prevent overload on regular intervals
+ Unit = "mailAllowlist.service";
+ };
+ };
+ services = {
+ "mailAllowlist" = {
+ description = "Allowlist update: Post the mail addresses to the HRZ allowllist";
+ script = let
+ scriptTemplate = {
+ domain,
+ allowlistPass,
+ ...
+ }: ''
+ # Get the mail addresses' local-part
+ # TODO: These features have been removed from stalwart-cli and needs to be replaced by undocumented API calls.
+ # see https://github.com/stalwartlabs/mail-server/discussions/803
+ # ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) account list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' >> /tmp/addresses
+ # ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) list list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' >> /tmp/addresses
+ # ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) group list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' >> /tmp/addresses
+ ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases >> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need.
+ # Post local-parts to HRZ
+ ${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${domain} -F password=$(cat ${allowlistPass}) -F emailliste=@/tmp/addresses -F meldungen=voll
+ # Cleanup
+ rm /tmp/addresses
+ '';
+ in
+ lib.strings.concatStringsSep "" (map scriptTemplate cfg.domains);
+ wantedBy = ["stalwart-mail.service"]; # Rerun on stalwart restart because forwardings may have changed.
+ serviceConfig = {
+ Type = "oneshot";
+ User = "stalwart-mail";
+ NoNewPrivileges = true;
+ # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
+ PrivateTmp = false; # allow access to sieve script
+ ProtectHome = true;
+ ReadOnlyPaths = "/";
+ ReadWritePaths = "/tmp";
+ InaccessiblePaths = "-/lost+found";
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+ };
+ "stalwart-mail" = {
+ restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed.
+ serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script
+ };
+ "virt-aliases-generator" = {
+ description = "Virtual Aliases Generator: Generate a sieve script from the virtual alias file";
+ script = let
+ scriptTemplate = {
+ domain,
+ virt_aliases,
+ ...
+ }:
+ if virt_aliases != ""
+ then "${virt_aliases} ${domain} "
+ else "";
+ in
+ lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map scriptTemplate cfg.domains ++ ["> /tmp/virt_aliases"]);
+ wantedBy = ["stalwart-mail.service"]; # Rerun on stalwart restart because forwardings may have changed.
+ serviceConfig = {
+ Type = "oneshot";
+ User = "stalwart-mail";
+ NoNewPrivileges = true;
+ # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
+ PrivateTmp = false;
+ ProtectHome = true;
+ ReadOnlyPaths = "/";
+ ReadWritePaths = "/tmp";
+ InaccessiblePaths = "-/lost+found";
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+ };
+ };
+ };
+ # Backups
+ services.borgbackup.jobs.mail = {
+ paths = [
+ "/var/lib/stalwart-mail/data"
+ ];
+ encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction.
+ environment = {
+ BORG_RSH = "ssh -i /run/secrets/backupKey";
+ # “Borg ensures that backups are not created on random drives that ‘just happen’ to contain a Borg repository.”
+ # https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html
+ # We don't want this in order to not need to persist borg cache and simplify new deployments.
+ BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
+ };
+ repo = "borg@192.168.1.11:kaluut"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33
+ startAt = "daily";
+ user = "root";
+ group = "root";
+ };
+ };
+}
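Review bot: The trusted Sieve script is read from `/tmp/virt_aliases` (`sieve.trusted.scripts.redirects.contents`), and both oneshot units as well as `stalwart-mail` itself run with `PrivateTmp = false`, so the integrity of mail redirection depends on a shared world-writable directory. Whichever local account creates that file first decides what Stalwart loads as a trusted script, and the script, which is generated from the sops-encrypted alias files, is probably readable by every local user. `/tmp/addresses` in `mailAllowlist` has the same weakness, and because it is appended with `>>`, any content already in the file is posted to the HRZ allowlist. I would generate both files in a directory that only `stalwart-mail` can write, for example a systemd `RuntimeDirectory` kept with `RuntimeDirectoryPreserve`, and point the `%{file:…}%` macro there. The sketch assumes the Stalwart unit runs as the same `stalwart-mail` user, which this hunk does not show.

```nix
# "stalwart-aliases" is an example directory name constructed for this sketch.

# services.stalwart-mail.settings
sieve.trusted.scripts.redirects.contents = "%{file:/run/stalwart-aliases/virt_aliases}%"; # generated redirect script
# … unchanged: remaining Stalwart settings …

# systemd.services."virt-aliases-generator"
# … unchanged: description, scriptTemplate …
lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map scriptTemplate cfg.domains ++ ["> /run/stalwart-aliases/virt_aliases"]);
serviceConfig = {
  Type = "oneshot";
  User = "stalwart-mail";
  RuntimeDirectory = "stalwart-aliases";
  RuntimeDirectoryMode = "0700";
  RuntimeDirectoryPreserve = "yes"; # a oneshot unit would otherwise lose the directory when it exits
  PrivateTmp = true;
  # … unchanged: remaining hardening options; ReadWritePaths = "/tmp" is no longer needed …

# systemd.services."mailAllowlist"
# … unchanged: grep and curl lines, with grep reading /run/stalwart-aliases/virt_aliases …
  PrivateTmp = true; # /tmp/addresses then lives in a private /tmp
```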