From 044326ad38df2027dd8e2dc1ce23c06827c72d78 Mon Sep 17 00:00:00 2001 From: Gonne Date: Wed, 10 Jul 2024 22:56:46 +0200 Subject: [PATCH 1/2] First try to install Stalwart as a mail software --- .sops.yaml | 7 + flake-module.nix | 6 + flake.lock | 144 +++++++-- flake.nix | 3 + nixos/machines/kaalut/allowlistPassKoMa.yaml | 39 +++ .../kaalut/allowlistPassMatheball.yaml | 39 +++ .../kaalut/allowlistPassMathebau.yaml | 39 +++ .../kaalut/allowlistPassMathechor.yaml | 39 +++ nixos/machines/kaalut/backupKey.yaml | 39 +++ nixos/machines/kaalut/configuration.nix | 100 ++++++ .../kaalut/hardware-configuration.nix | 30 ++ nixos/machines/kaalut/koma.aliases.yaml | 39 +++ nixos/machines/kaalut/mailForwardSieve.yaml | 39 +++ nixos/machines/kaalut/mathebau.aliases.yaml | 39 +++ nixos/machines/kaalut/mathechor.aliases.yaml | 39 +++ nixos/machines/kaalut/stalwartAdmin.yaml | 39 +++ nixos/modules/borgbackup.nix | 7 + nixos/modules/mail.nix | 303 ++++++++++++++++++ 18 files changed, 960 insertions(+), 30 deletions(-) create mode 100644 nixos/machines/kaalut/allowlistPassKoMa.yaml create mode 100644 nixos/machines/kaalut/allowlistPassMatheball.yaml create mode 100644 nixos/machines/kaalut/allowlistPassMathebau.yaml create mode 100644 nixos/machines/kaalut/allowlistPassMathechor.yaml create mode 100644 nixos/machines/kaalut/backupKey.yaml create mode 100644 nixos/machines/kaalut/configuration.nix create mode 100644 nixos/machines/kaalut/hardware-configuration.nix create mode 100644 nixos/machines/kaalut/koma.aliases.yaml create mode 100644 nixos/machines/kaalut/mailForwardSieve.yaml create mode 100644 nixos/machines/kaalut/mathebau.aliases.yaml create mode 100644 nixos/machines/kaalut/mathechor.aliases.yaml create mode 100644 nixos/machines/kaalut/stalwartAdmin.yaml create mode 100644 nixos/modules/mail.nix diff --git a/.sops.yaml b/.sops.yaml index bc5cfc6..5bfb457 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -5,6 +5,7 @@ keys: - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4 - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn + - &kaalut age1cwypena442n7kmlk6v7mazfskkswsaqu2y3cp5nuaq0he6hm9ugqvskhs3 creation_rules: - path_regex: nixos/machines/nyarlathotep/.* @@ -25,6 +26,12 @@ creation_rules: - *nerf - *gonne - *lobon + - path_regex: nixos/machines/kaalut/.* + key_groups: + - age: + - *nerf + - *gonne + - *kaalut # this is the catchall clause if nothing above machtes. Encrypt to users but not # to machines - key_groups: diff --git a/flake-module.nix b/flake-module.nix index c30fff4..7bc32ef 100644 --- a/flake-module.nix +++ b/flake-module.nix @@ -53,6 +53,12 @@ _module.args.pkgs = import inputs.nixpkgs { inherit system; config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"]; + + overlays = [ + (_: _: { + alias-to-sieve = inputs.alias-to-sieve.packages.x86_64-linux.default; # add custom package to convert alias files to sieve scripts on the stalwart machine + }) + ]; }; }; diff --git a/flake.lock b/flake.lock index 846ad85..f27f9ee 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,25 @@ { "nodes": { + "alias-to-sieve": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": "nixpkgs", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1732282930, + "narHash": "sha256-hC3qssnwZ9buK61th2x/C+DEQ2yUws+5zLA5Ql7Xtvs=", + "ref": "refs/heads/main", + "rev": "eef3728818c02aa6ba107825bdf45a88a544561e", + "revCount": 12, + "type": "git", + "url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve" + }, + "original": { + "type": "git", + "url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve" + } + }, "blobs": { "flake": false, "locked": { 
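Review bot: The `&kaalut` recipient added in the first hunk (`age1cwypena…`) is not among the recipients of any secret file this patch adds under `nixos/machines/kaalut/`; each of those files lists `age1rasjnr…`, `age1epz92k…` and `age1dhzugel…`. The `&nerf` and `&gonne` anchors are defined outside the hunk, so two of the three may be theirs, but the third is in any case not the key declared here. If `age1cwypena…` is the host key, sops-nix on kaalut cannot decrypt its secrets; if `age1dhzugel…` is, the anchor is stale and the next `sops updatekeys` would remove the host's access. Correct whichever side is wrong and run `sops updatekeys` on every file matched by the new `path_regex`, so that the rule and the files agree.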
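Review bot: In flake-module.nix the overlay pins the package to `x86_64-linux` although `system` is already in scope two lines above (`inherit system;`), so evaluating this `pkgs` for any other system would still hand out the x86_64 build. `alias-to-sieve = inputs.alias-to-sieve.packages.${system}.default;` keeps the overlay consistent with the surrounding import. The trailing comment is long enough that it would read better on its own line above the attribute. The enclosing block starts outside the hunk.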
@@ -21,11 +41,29 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1727826117, - "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_2" + }, + "locked": { + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", "type": "github" }, "original": { @@ -35,11 +73,11 @@ }, "impermanence": { "locked": { - "lastModified": 1729068498, - "narHash": "sha256-C2sGRJl1EmBq0nO98TNd4cbUy20ABSgnHWXLIJQWRFA=", + "lastModified": 1731242966, + "narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=", "owner": "nix-community", "repo": "impermanence", - "rev": "e337457502571b23e449bf42153d7faa10c0a562", + "rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a", "type": "github" }, "original": { @@ -71,15 +109,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1729665710, - "narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=", - "owner": "NixOS", + "lastModified": 1732014248, + "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d", + "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", "type": "github" }, "original": { - "owner": "NixOS", + "owner": "nixos", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" 
@@ -102,28 +140,56 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1727825735, - "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", + "lastModified": 1730504152, + "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" } }, - "nixpkgs-stable": { + "nixpkgs-lib_2": { "locked": { - "lastModified": 1729357638, - "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=", + "lastModified": 1730504152, + "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1728538411, + "narHash": "sha256-f0SBJz1eZ2yOuKUr5CA9BHULGXVSn6miBuUWdTyhUhU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22", + "rev": "b69de56fac8c2b6f8fd27f2eca01dcda8e0a4221", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-24.05", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1732014248, + "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": 
"github" } @@ -136,11 +202,11 @@ "nixpkgs-stable": [] }, "locked": { - "lastModified": 1729104314, - "narHash": "sha256-pZRZsq5oCdJt3upZIU4aslS9XwFJ+/nVtALHIciX/BI=", + "lastModified": 1732021966, + "narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "3c3e88f0f544d6bb54329832616af7eb971b6be6", + "rev": "3308484d1a443fc5bc92012435d79e80458fe43c", "type": "github" }, "original": { @@ -151,27 +217,45 @@ }, "root": { "inputs": { - "flake-parts": "flake-parts", + "alias-to-sieve": "alias-to-sieve", + "flake-parts": "flake-parts_2", "impermanence": "impermanence", "nixos-mailserver": "nixos-mailserver", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_3", "pre-commit-hooks": "pre-commit-hooks", "sops-nix": "sops-nix" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1732242723, + "narHash": "sha256-NWI8csIK0ujFlFuEXKnoc+7hWoCiEtINK9r48LUUMeU=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "a229311fcb45b88a95fdfa5cecd8349c809a272a", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" + ] }, "locked": { - "lastModified": 1729931925, - "narHash": "sha256-3tjYImjVzsSM4sU+wTySF94Yop1spI/XomMBEpljKvQ=", + "lastModified": 1732186149, + "narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=", "owner": "Mic92", "repo": "sops-nix", - "rev": "b2211d1a537136cc1d0d5c0af391e8712016b34e", + "rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index b4b5593..2e6f161 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,6 +2,9 @@ description = "Description for the project"; inputs = { + alias-to-sieve = { + url = "git+https://gitea.mathebau.de/fachschaft/alias_to_sieve"; + }; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixos-mailserver = { url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git"; diff --git a/nixos/machines/kaalut/allowlistPassKoMa.yaml b/nixos/machines/kaalut/allowlistPassKoMa.yaml new file mode 100644 index 0000000..a1a109c --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassKoMa.yaml 
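Review bot: The new `alias-to-sieve` input is declared without any `follows`, and the flake.lock changes in this patch show the consequence: it brings its own `nixpkgs`, `flake-parts` and `rust-overlay` pins, with `nixpkgs_2`, `nixpkgs_3` and `flake-parts_2` appearing as new nodes. The tool that generates the sieve scripts for the mail server is therefore built from a package set that is updated and reviewed separately from the root `nixpkgs`. Adding `inputs.nixpkgs.follows = "nixpkgs";` and `inputs.flake-parts.follows = "flake-parts";` inside the attribute set keeps it on the pins the rest of the system uses. The `inputs` block continues outside the hunk.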
@@ -0,0 +1,39 @@ +allowlistPassKoMa: ENC[AES256_GCM,data:wsb7LkqKlYBs7wFI3B8kN/8=,iv:NrYRh0dxtFE24z3w0oqTZIsObdNArK6XT5jUmtDZMDM=,tag:A9xsxsL1pdhFjVHbpYLSbw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv + dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo + TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy + MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK + wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm + THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds + M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG + WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr + hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4 + My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG + VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5 + VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui + uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T08:39:10Z" + mac: 
ENC[AES256_GCM,data:Li4aT/YxpbiH2Y3rlGzaJxRv84KElKYt0a8ggnmdzhNBHMRYuBGLrUZWCEFnLcJ3mwyNN3tVpRzNN+iHFpMu5FTdfnTyhXOQ7S46WJMKFSVRqKkRS876GN/UhDMdQnQ7NfcwADgkXwrv3BZKaDJuYNRKwJaYOU6DKGf59verguw=,iv:ETnAQF78r7UAYHh7BP5Hc09PV6KyCDRXQnplTThBt7w=,tag:9ZSSEqU8iMFSRFjITN5d7Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/allowlistPassMatheball.yaml b/nixos/machines/kaalut/allowlistPassMatheball.yaml new file mode 100644 index 0000000..ac08c8a --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMatheball.yaml 
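Review bot: The three `enc` blocks in allowlistPassKoMa.yaml are byte-identical to those in `allowlistPassMatheball.yaml`, `allowlistPassMathebau.yaml` and `allowlistPassMathechor.yaml`, which suggests the four files were made by copying one encrypted file and therefore share a single sops data key. The pairs `koma.aliases.yaml`/`mathechor.aliases.yaml` and `mailForwardSieve.yaml`/`mathebau.aliases.yaml` show the same pattern. Sharing the key ties the files together: exposure of the data key for one file exposes the others, and rotating one file leaves the rest on the old key. Creating each secret file fresh, or running `sops rotate` on each of them, gives every file its own data key.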
@@ -0,0 +1,39 @@ +allowlistPassMatheball: ENC[AES256_GCM,data:5bAT8zsYuvgc,iv:6ftGMZ36jfTawjxH2CFxefBmBVWJJ+26+HMpGU4tAJ8=,tag:qG6o6L9/zu15nsyTakFCiw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv + dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo + TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy + MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK + wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm + THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds + M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG + WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr + hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4 + My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG + VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5 + VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui + uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T08:39:13Z" + mac: 
ENC[AES256_GCM,data:VD+pb41S20hXLIn0IhVp3cuSB26D+DVXitrGG6/caVsK4Q1GLqh5kpsI3y9UKog3N0hl2qE1+uDWOkdQHrdVFUSBplxraP2dHCKjlU4lPz5nsprW8SA8TQrPrDEsX0aL+xKRDQMracmCskZcujaNsaqjPP3Uvw9e2vWekYdF3l0=,iv:qLUl8D1DDdPCWscELmjE75MfMwr1a7gAEFJka5lpGE8=,tag:W0//60tpXNQwPM1qV4VNrQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/allowlistPassMathebau.yaml b/nixos/machines/kaalut/allowlistPassMathebau.yaml new file mode 100644 index 0000000..b1d89fb --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMathebau.yaml 
@@ -0,0 +1,39 @@ +allowlistPassMathebau: ENC[AES256_GCM,data:SPnAybYbTz3/,iv:dGf5kD5xqtQGuOgEwn51ZxIG4isUVPwjKM8Fkk4jzIU=,tag:MY+WnD6NCR0RjaHXPlYArQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv + dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo + TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy + MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK + wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm + THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds + M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG + WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr + hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4 + My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG + VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5 + VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui + uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T08:39:15Z" + mac: 
ENC[AES256_GCM,data:o9CWiR+010tZ8W+p+u0fy1wgE+ZgJYH4O4U7KLYjHQ7GPMOqViKVVw5DuWEHF/7uI8zhpMsMMRwUJmFas13uwdF0ckq/VMP1d0o31wOK8iJ0EudXMf9GQRH1KncOuQryDZ6CZKRKa/heNa5nn0pf5e0VfHq8S/h2YjBIl5zSbWY=,iv:5wd271XH9qrTbJgIPHu/33HQaU/tAMuf+ZGK5mnzv7M=,tag:42nXpz99MI+UnKC5QNWnhQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/allowlistPassMathechor.yaml b/nixos/machines/kaalut/allowlistPassMathechor.yaml new file mode 100644 index 0000000..c93691f --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMathechor.yaml 
@@ -0,0 +1,39 @@ +allowlistPassMathechor: ENC[AES256_GCM,data:ll8NF4oldTUr,iv:WQYXNliuIEsZNRBvMC0OQmXER3sAUfcaLtdLQvaLLpY=,tag:Is2bj5c2PLUkztMvYdf+Ew==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv + dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo + TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy + MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK + wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm + THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds + M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG + WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr + hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4 + My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG + VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5 + VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui + uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T08:39:18Z" + mac: 
ENC[AES256_GCM,data:/KX/ck4aj/dtKl9LaFIfRBi6HbSJ4IEIPDTqlpwH0zfcm37yQPIUZEV4IS4cNqrQ7TZIkSFdE+f30PQbrF81yJ3vgtyvDRCm3IbUZM3SSsEeLvwTmpmU67bR0+bzXOFMYWbIJYZWM9Ucg/nzikRqKCvtSeSjvQOGd21cmwXPhEc=,iv:Os5YJWp3WBCfPPzG7pWAbLoXZPC3cGdYzRFy5OIJO2o=,tag:+f8bdCM8zMguOXhXDMupNQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/backupKey.yaml b/nixos/machines/kaalut/backupKey.yaml new file mode 100644 index 0000000..bff3087 --- /dev/null +++ b/nixos/machines/kaalut/backupKey.yaml 
@@ -0,0 +1,39 @@ +backupKey: ENC[AES256_GCM,data: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,iv:y2iDW/i4D46mE9f6MuTg91jPDi6L8YEpChIZPi0G9e0=,tag:2al2b0qk8WK6QfoVXNotxQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFMkU2WlF3U2UzQTJ2QWxN + Yyt3OTVYN3NubWlubUkySjVVdStWT1hhdDNJCjU3UVM5RTF6d2dtbWo2RUN5Z2Ju + WE5SR1lTclkxSnROeUpZWWZ3c1JYUVEKLS0tIGhWTngrc2pvRS9nOVhEUW9XQzVL + d2NQUG9xRXdVbjI4VTUzN2tabXNZTUUKBVEZrW1IRV2B2lNMzIdzcEbyU6j6bcLK + hUWF9UBk7oZGzgPcZ9Mv+ZzkI4wEmCTy8R1lev/ocVSRNdApZpxguw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuczB3WW5LUURHRHdCSkcz + clBXZ0RwQlpabkR4ZkhlSkJhbHd3ejJJQ3g0CjhXejB4WnM5QURlcmIzTWNETGVp + clBBNWlqZmptNkNKMEhjRUpadTlzV2cKLS0tIGFYaHJCQk9pc2xnQ2R0ejJLc1dZ + UVYxYm5LOWxnQmE2U0RGbnpHK3ZpWTgKmNuXeamFRAwwi0byKfT9KV7O9zLpQhYm + /0sewbJhOnuxSc1g55Tdle1dZYYwQqbF3WFdg4XBe37HvIyDYpWZAw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cGRDT3VMeks5ODdyT1lu + Wjc1N0dMLzMzc1N4ckJ5RE94MmdHQ2lZcXlJCktialhsWWRCbytiSHlyKzdIZTF0 + a2l3bnIyVE9RM2IrY2liRi9NYXBTK2cKLS0tIEhCYXJrTWV6cEJST2Q4WHZ6cGtT + Ty93MXkrMzNvWWZ5SUp4czlrSnpVRnMKJIH8fLwGt9KkKi9D+0OY7sYvmxj6NAHc + 00YQXOspEq4TbAxLj881jh2Kfyprxl64sDHpb2icAXzVv6wE2cI2ZQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T08:39:23Z" + mac: 
ENC[AES256_GCM,data:Ie0k2AifhYuEs5ht3J0OuLCAEw9HdNDK70BjI4PZntAWgr5iu/dqUGb5xFb8sctbpyyfM0FMI64ds0YZPXZP+HnA/HGJ+O5k3YPTthVv+mXYtw29O60r00IwI1dMiJBTyviYhVRzvQwQ1I1d1G2upoTL+oXFD3PckU9re+6dagA=,iv:hyKAy6HyggkKxXm/mGskpNPSMvi9UkMuz+WypyVU0KQ=,tag:EW73paprAOEUPX8AmuXVpA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/configuration.nix b/nixos/machines/kaalut/configuration.nix new file mode 100644 index 0000000..a49a060 --- /dev/null +++ b/nixos/machines/kaalut/configuration.nix 
@@ -0,0 +1,100 @@
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../modules/mail.nix
+ ../../roles
+ ../../roles/vm.nix
+ ../../modules/vmNetwork.nix
+ ];
+
+ # System configuration here
+ services.mathebau-mail = {
+ enable = true;
+ domains = [
+ # lists.mathebau.de is forwarded to another VM and does not need to be listed here.
+ {
+ domain = "matheball.de";
+ allowlistPass = "/run/secrets/allowlistPassMatheball";
+ }
+ {
+ domain = "mathebau.de";
+ allowlistPass = "/run/secrets/allowlistPassMathebau";
+ virt_aliases = "/run/secrets/mathebau.aliases";
+ }
+ {
+ domain = "mathechor.de";
+ allowlistPass = "/run/secrets/allowlistPassMathechor";
+ virt_aliases = "/run/secrets/mathechor.aliases";
+ }
+ {
+ domain = "koma89.tu-darmstadt.de";
+ allowlistPass = "/run/secrets/allowlistPassKoMa";
+ virt_aliases = "/run/secrets/koma.aliases";
+ }
+ ];
+ };
+
+ networking.hostName = "kaalut";
+ vmNetwork.ipv4 = "192.168.0.17";
+ system.stateVersion = "24.05";
+
+ sops.secrets = {
+ # Password for the HRZ API that gets a list of mailaddresses that we serve
+ allowlistPassMatheball = {
+ sopsFile = ./allowlistPassMatheball.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ allowlistPassMathebau = {
+ sopsFile = ./allowlistPassMathebau.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ allowlistPassMathechor = {
+ sopsFile = ./allowlistPassMathechor.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ allowlistPassKoMa = {
+ sopsFile = ./allowlistPassKoMa.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ # Virtual alias file
+ "mathebau.aliases" = {
+ sopsFile = ./mathebau.aliases.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0440";
+ };
+ "mathechor.aliases" = {
+ sopsFile = ./mathechor.aliases.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0440";
+ };
+ "koma.aliases" = {
+ sopsFile = ./koma.aliases.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0440";
+ };
+ # password for https://stalw.art/docs/auth/authorization/administrator/#fallback-administrator
+ stalwartAdmin = {
+ sopsFile = ./stalwartAdmin.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ backupKey = {
+ sopsFile = ./backupKey.yaml;
+ owner = "root";
+ group = "root";
+ mode = "0400";
+ };
+ };
+}
diff --git a/nixos/machines/kaalut/hardware-configuration.nix b/nixos/machines/kaalut/hardware-configuration.nix
new file mode 100644
index 0000000..ce7112d
--- /dev/null
+++ b/nixos/machines/kaalut/hardware-configuration.nix
@@ -0,0 +1,30 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [];
+
+ fileSystems."/" = {
+ device = "root";
+ fsType = "tmpfs";
+ options = ["size=1G" "mode=755"];
+ };
+ fileSystems."/persist" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=persist"];
+ neededForBoot = true;
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/boot";
+ fsType = "ext4";
+ };
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=nix"];
+ };
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/nixos/machines/kaalut/koma.aliases.yaml b/nixos/machines/kaalut/koma.aliases.yaml
new file mode 100644
index 0000000..96d0f3e
--- /dev/null
+++ b/nixos/machines/kaalut/koma.aliases.yaml
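Review bot: In nixos/machines/kaalut/configuration.nix the `domains` entries hard-code `/run/secrets/<name>` strings instead of referring to the `sops.secrets` declarations further down in the same file, so a renamed or missing secret is only noticed at runtime, when Stalwart cannot read its credential. Making the module a function (`{config, ...}: {`) and writing `allowlistPass = config.sops.secrets.allowlistPassMatheball.path;`, and likewise for the `virt_aliases` entries, turns that into an evaluation error. Separately, the patch adds `mailForwardSieve.yaml` but no `sops.secrets.mailForwardSieve` entry appears in this file; if nothing in `mail.nix` (not shown here) consumes it, the encrypted file should be dropped rather than kept in the repository. The alias files are declared `0440` while the passwords are `0400` with the same owner and group, so `0400` throughout is the tighter choice unless group read is actually needed.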
@@ -0,0 +1,39 @@ +koma.aliases: ENC[AES256_GCM,data:a+oGvyMf2SPxCdMjdu61TEJCYTpOHnyizQi7cSDkhHF2q9YyuuMttHBn/YzOIkZxx9CQeRQhbK1CPmknUEv4oHpYP1TFCHlRhX08g4ZRKHUxMu5u1rK0rTRLiKcHmhQeHfAoVcfRXeURY879ltGYg7mYHdeLMKK0epYb5bM4tA==,iv:1Rgjwiv2XRePmE2UzYstABvQAIaSeOW87VsV29sJUFU=,tag:JcsLDZmsE2lPwxY56ujreg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6encybXQydVFxOEExa3h2 + aklSRzljdmEvdlk0K1I4QzVrT3R0TEI3L1JBCjdCNnc4V2xWZTFoWDJBMEg2elcy + Z2U3MmdKWlNqYklUZkJMUUFVbzhOYlEKLS0tIEFYU3N2MEZCUndKa3FzMHkrRDZ4 + bmhWeUVXK1hHamwwc0VkWU9zSHdqQ0EK21CI9uabjcy/8TaYAZ2dnkEAkp0f+1cy + MWsy3gf72qhIPBcqECet1nVdsjWIqVzagSsGnvbM1qVyqWRp/56JbA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTGJjS1owL2tMeXFyY1p3 + QUxubUZid0pKUDQzMXdxN1prMkZ3L3NOalFjCnF3TzRWZ2xEd1FnZUh4WEVUUG45 + c1lnazhzanBsMEFUMmVmOVNVOFV0d0UKLS0tIGF6UWt2azU5UG9YMUthZVBsRitu + NU9XVzJXdjdSM0JZbWRoUmdmM2FRUWsKQIfAkTZ2BaN0ot9gqmVCshI5KTMHALMR + io1VeEKeyIP/Lr5r+RggCdV/YlazjSiUGJfdGgBaVF5u6ItU3UYVug== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXeE9JOE9reGdwd2lYaUZC + RkxpNG95Tkl3UWNXT0YxWkU4VkFoUGlDeVJnCnA3SDNXMGZYbXEyZ0hLcnNJQ0gv + K3l6T2dOVVIzbEt1amNoVGhGWW9vdEUKLS0tIDFrckxValhzQ216a0Q5RTNCSjBy + VHQ5SFhQRzZDTFUxTUR6N0JnV0w0aVEK13d5XK4C+qpgPRqiEo69exZu1//0HKiI + N2n2Uzaj7qoqe6rM5XWAYUZeuiqfk98q72tl0GeBt0rNb92C4Sugkw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T08:39:28Z" + mac: 
ENC[AES256_GCM,data:vK8UIeGZFUfVB3LpsvkFzYGgJSinvsWQDewKVqfAsC0yPHRBP+yCE3SXDeb01sl/ZGlw13o79AxRLBF0Z89QoljWtiWjWWgBnUBFAuURTtMmNBtpbfxgjevXJU9iZgIMAfd/DGuLE7HMLrqfzWOvuZNE9kSz//CkD9PQLorMfGI=,iv:E056ECSWlvSfe8VOQY1KAKyO1Tm3aRsYUCBy8KtLDxo=,tag:nVTmyUB3Pcvjpm1vECmZjw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/mailForwardSieve.yaml b/nixos/machines/kaalut/mailForwardSieve.yaml new file mode 100644 index 0000000..c346c29 --- /dev/null +++ b/nixos/machines/kaalut/mailForwardSieve.yaml 
@@ -0,0 +1,39 @@ +mailForwardSieve: ENC[AES256_GCM,data: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,iv:B4PggssYfBbZA+mEJOiTo8GYWSZxbl9wJIHjUlv6c2A=,tag:isO6wVZR6UOuDLGCA/tddg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoS0c2YkJ6ZkI2RUJRNUY2 + QTRZSFhZNU51L09rRk40OWhZQTZweG53bDNBCnM5Sm1MRmJxS24zV2lwQUdJc1Q2 + ZFNPU0hTaCtod3BrRDZKV3VLOUVyQVkKLS0tIDZycm52VmJsUWhaQXRJRnZ0RXJ3 + bFF0Tm1nODY2ZlRhM2JEZkRNMHU5M1UKqCZtZetF0sR0NCGbuC9OJqomaL0cDzpQ + LiEV4UmnEnBAPnQNmGUK/HZReWZe0j4pYBT8Jkyob7dvgkRTzdpJpQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZVBLblNjNjhmS2ZSTW81 + bUF1cmpSUE5JaDJFVDRTc3kvNFIrMVg3Q0NjCm5aSnU2MXNFQ1NtUnRaQ2FmOG04 + Q0UvRTJYK1ZZL3p4bzR0bnI5S2Z2ZTgKLS0tIGF4dVh4QzdRdUNKMG1leWp2UFhm + Y25tSVRaelVVQWRCcmtVRTMrSis4V2cKVbz6SVEQgAIcdVtRarZqfTaJcgxRphdd + WX6YDsdMAFg2fwKKMQy+jQhQl4OymxzhKd4Xzls7KVWMvoSQQJWUDg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeW1kcWEwYTBhQTJBMmRn + QTM2bDVnd3dxVm1HWWZPeDZzdjc5ZzVvdTN3Cit0NmtXbk96K3ZlNkNuRk5RZ2NV + R3RETmlCNGdWdk1ORGtmK0pQWVNlMjQKLS0tIHZJLzd5WHY1U1BPbjZESnA5SGdy + VVduS0lDU3hETGxtWFZ5YmFUVXQzbEEKFy3uE2yJHygr7lBBfuw1sHonaFVsVaEs + lADtRxUOGbxQumFIIYhCVC8R3ZbX569iwtFE0JyNhvcFsLYiUu2gHw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T08:39:34Z" + mac: 
ENC[AES256_GCM,data:Num40NAUnNFictwt1Nlo5cOgnLBeih7oqXxpRIvHm10bpqK3VI4oxwrPwSOXXqMIh24zYNe7vgc/laxiqI8HCQkP8InBR5iryL1326efqLrVFUkgBvwkPu1GvgwIpvn0lLRMyF8bYFmWZHN2i3k1pVgS1xtQxGecGosPwyxwO2c=,iv:cupUxpzJhmpZB43t1kFTFrTx0PSfKk5wS1xMa0owz+w=,tag:K+GhidGy66LuL7aL/T3NzA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/mathebau.aliases.yaml b/nixos/machines/kaalut/mathebau.aliases.yaml new file mode 100644 index 0000000..51461f9 --- /dev/null +++ b/nixos/machines/kaalut/mathebau.aliases.yaml 
@@ -0,0 +1,39 @@ +mathebau.aliases: ENC[AES256_GCM,data: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,iv:AoUadsxH2h6Vfx2lxFBHqrsng9sbC36q969oc8ZIWhM=,tag:1BYb/JDr2ZbH6BMgQjIGxw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoS0c2YkJ6ZkI2RUJRNUY2 + QTRZSFhZNU51L09rRk40OWhZQTZweG53bDNBCnM5Sm1MRmJxS24zV2lwQUdJc1Q2 + ZFNPU0hTaCtod3BrRDZKV3VLOUVyQVkKLS0tIDZycm52VmJsUWhaQXRJRnZ0RXJ3 + bFF0Tm1nODY2ZlRhM2JEZkRNMHU5M1UKqCZtZetF0sR0NCGbuC9OJqomaL0cDzpQ + LiEV4UmnEnBAPnQNmGUK/HZReWZe0j4pYBT8Jkyob7dvgkRTzdpJpQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZVBLblNjNjhmS2ZSTW81 + bUF1cmpSUE5JaDJFVDRTc3kvNFIrMVg3Q0NjCm5aSnU2MXNFQ1NtUnRaQ2FmOG04 + Q0UvRTJYK1ZZL3p4bzR0bnI5S2Z2ZTgKLS0tIGF4dVh4QzdRdUNKMG1leWp2UFhm + Y25tSVRaelVVQWRCcmtVRTMrSis4V2cKVbz6SVEQgAIcdVtRarZqfTaJcgxRphdd + WX6YDsdMAFg2fwKKMQy+jQhQl4OymxzhKd4Xzls7KVWMvoSQQJWUDg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeW1kcWEwYTBhQTJBMmRn + QTM2bDVnd3dxVm1HWWZPeDZzdjc5ZzVvdTN3Cit0NmtXbk96K3ZlNkNuRk5RZ2NV + R3RETmlCNGdWdk1ORGtmK0pQWVNlMjQKLS0tIHZJLzd5WHY1U1BPbjZESnA5SGdy + VVduS0lDU3hETGxtWFZ5YmFUVXQzbEEKFy3uE2yJHygr7lBBfuw1sHonaFVsVaEs + lADtRxUOGbxQumFIIYhCVC8R3ZbX569iwtFE0JyNhvcFsLYiUu2gHw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T08:39:38Z" + mac: 
ENC[AES256_GCM,data:19tRwx7AFcNm3YDVSy5luk5cHHJPcDLT6DGcq6iF0M1pbwUiik819KiorKIv9rTHk5sTbGSRAMMdP9tQx1rvpR+G0PZfdw0fbU9Qoez6KxnjOyIx9XuxnfK7TrpRH0Q2JhzoxjzvzADqsDBDKaNn3LwRuYWP6/TDIN9oW0fI/Qc=,iv:QLZgVfOTMWPYhDXYM0C+5xF5iZI30UIW6O3X3S9qyko=,tag:tXUHA1rmYlhBNUU40PZE5Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/mathechor.aliases.yaml b/nixos/machines/kaalut/mathechor.aliases.yaml new file mode 100644 index 0000000..4d9f1c5 --- /dev/null +++ b/nixos/machines/kaalut/mathechor.aliases.yaml 
@@ -0,0 +1,39 @@
+mathechor.aliases: ENC[AES256_GCM,data:jq9oLiCQmAWVcdH13YRmTvCC23dSOAsszwQEVzi1Ij125XlDgVeR1lDXjeVsubTAAd9P8LJFjliz1mL6nA5tP7QTgkygBhLqAP22bAE+L1mDNejYXki2NdOuy8HJgWElCjxFZLGrI7FU+b8zILGsNPEDKa25o3PJbd6dlQeJ7Q2s3bPQ2K/y6FC2RFjCBuGJuNAGAtC5l6ymvjKBdh70At/IZXqtk13vyHVJbMwB,iv:FsQeDq3LMH+hxKcthdQZmyPkLe7XBwiLqfB0Yt+s7r0=,tag:rKjphs1Tss2+3b5bWDzfUw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6encybXQydVFxOEExa3h2
+ aklSRzljdmEvdlk0K1I4QzVrT3R0TEI3L1JBCjdCNnc4V2xWZTFoWDJBMEg2elcy
+ Z2U3MmdKWlNqYklUZkJMUUFVbzhOYlEKLS0tIEFYU3N2MEZCUndKa3FzMHkrRDZ4
+ bmhWeUVXK1hHamwwc0VkWU9zSHdqQ0EK21CI9uabjcy/8TaYAZ2dnkEAkp0f+1cy
+ MWsy3gf72qhIPBcqECet1nVdsjWIqVzagSsGnvbM1qVyqWRp/56JbA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTGJjS1owL2tMeXFyY1p3
+ QUxubUZid0pKUDQzMXdxN1prMkZ3L3NOalFjCnF3TzRWZ2xEd1FnZUh4WEVUUG45
+ c1lnazhzanBsMEFUMmVmOVNVOFV0d0UKLS0tIGF6UWt2azU5UG9YMUthZVBsRitu
+ NU9XVzJXdjdSM0JZbWRoUmdmM2FRUWsKQIfAkTZ2BaN0ot9gqmVCshI5KTMHALMR
+ io1VeEKeyIP/Lr5r+RggCdV/YlazjSiUGJfdGgBaVF5u6ItU3UYVug==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXeE9JOE9reGdwd2lYaUZC
+ RkxpNG95Tkl3UWNXT0YxWkU4VkFoUGlDeVJnCnA3SDNXMGZYbXEyZ0hLcnNJQ0gv
+ K3l6T2dOVVIzbEt1amNoVGhGWW9vdEUKLS0tIDFrckxValhzQ216a0Q5RTNCSjBy
+ VHQ5SFhQRzZDTFUxTUR6N0JnV0w0aVEK13d5XK4C+qpgPRqiEo69exZu1//0HKiI
+ N2n2Uzaj7qoqe6rM5XWAYUZeuiqfk98q72tl0GeBt0rNb92C4Sugkw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-23T08:39:43Z"
+ mac: ENC[AES256_GCM,data:2tceG586ydMqiNPkPbT7ZM4+zoGslbif9TuB26Pz2ji/KsLvnOSwPsmmilNST32Nz5RYym1JGbU0uVQMzBM6uaQvYoR6vVwgC95lEnkY5nenhh3Xhy/OLtXmRdmrIXvvyxWK/2Gtspyy3HR2yFV0Gw0PY5ODPxpxtrypE2N9YmY=,iv:4d7M/LF0UVkEicXRNUDEDKUldehav60nTCS1Jh/RvwU=,tag:mLOwUSE5osUwZp/8cUqClw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1
diff --git a/nixos/machines/kaalut/stalwartAdmin.yaml b/nixos/machines/kaalut/stalwartAdmin.yaml
new file mode 100644
index 0000000..39a9064
--- /dev/null
+++ b/nixos/machines/kaalut/stalwartAdmin.yaml
@@ -0,0 +1,39 @@
+stalwartAdmin: ENC[AES256_GCM,data:lAd0XfikNLJxK5qMtrBkKdbhwZo=,iv:3H3E8JPGPg3af3doeTSD9cuq2+ZLBNK3g1cqiI1k5rw=,tag:Wa/Fsc00mxuFnzyKTQp7CQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncElOY2VuRUNzWHhCdkVr
+ MWJmbXNLRWpnT1NCK0pJeWpsQ0pwSVpialVJCmVzaVBRMitKRWpLOThBMGl4c2pt
+ U291Zk8yeFhtVWNmamxJbVF3V3NMSVEKLS0tIDR5Nmhvb2hPNUVlVU9BQnJxU0lv
+ L3ZvZ3VXZVdIVXJYOHkwYUR1N0dSVFkK5LRlqyJbxuKkddgO4xSNUkrAiUnrbVUt
+ C72CNDg4q/KQ8nQ5TP+JgKyYZQFzvKPhP7+YdfUobDaHOPnKG0cVAg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WXoweFRJME1sRzhSd1VO
+ bDY1QWp1aWtldEdwbHRXUGt4UmN1T1hhem4wCmQwcnBnRkFsaFVBd0FqNHNoc0ov
+ RTQwbFpZa0E2aVRLWGNEc2NySkcwNzAKLS0tIERrWVBSNFlQQVV1c2g1YjI4RjlR
+ MFJQUU94RUoxTVErVHFkYmM3TlhFcTgKHCsbj8nfFOb4eYh6IdXKL+xXWNF7JSjR
+ Zl0rUTXSWlf4DOGtolp9ZuYMkJ9tcDUh1Qy090lQ0+FKUdTpnreorg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBcUsrZThHZ1VCNzhOS1Iz
+ d1pvR3M3WHNOdUJ5c0tzYVdYT20vYmF5Y2cwCmQ1ejRuMGxIS2U3NGdMOTFuN21H
+ VXgveWc0SE5TVlgzV1lieVZpRTN5SXMKLS0tIGlxSHVUMEh4R0pUekRGeGRjejdi
+ dEg0V01PdWpNdUxmN1RzQVZjdTlMSkEKdT7VEl5kIRyNY1KwWShuvyIZkyT+KlHs
+ JbhcFJznJNkn13G+SuPaLQ/WxpuO1MxDCeKnya/vuNw3sSu74nSWrg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-23T08:39:45Z"
+ mac: 
ENC[AES256_GCM,data:GGDnb19XQPXR3Apzn9oDFH03NjU9LR0HCHgtjLErJbmHZJl6wAmjST79cDpaDSWKtdT4KPrJLXCuRt1a/LbmqmTzegsfXsfmq881WwFJ1pyyrK9Z9kVxdNeXmb3GyGU7Mrg929O3V2xRhXgpTaOxNCWPWtZPITOE561sU8X0eb8=,iv:LNPIpNGWAP5VvFnLBAf8MPwMNfjwz1veazvlIw4r8JA=,tag:h4SAW6uIHpeRfYKLVSRPkA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/modules/borgbackup.nix b/nixos/modules/borgbackup.nix index b552c8b..9889238 100644 --- a/nixos/modules/borgbackup.nix +++ b/nixos/modules/borgbackup.nix @@ -76,6 +76,13 @@ in { path = "/var/lib/backups/ithaqua"; allowSubRepos = true; }; + kaalut = { + authorizedKeysAppendOnly = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcAJkEXcvrDEQf1zRhBXLe1CSHOTooM3qy0KMfS9oug Kaalut Backup" + ]; + path = "/var/lib/backups/kaalut"; + allowSubRepos = true; + }; lobon = { authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEptjf1UWRlo6DG9alAIRwkSDUAVHwDKkHC6/DeYKzi Lobon Backup" diff --git a/nixos/modules/mail.nix b/nixos/modules/mail.nix new file mode 100644 index 0000000..5217141 --- /dev/null +++ b/nixos/modules/mail.nix 
@@ -0,0 +1,303 @@ +/* +* Building: For some reason, stalwart is not served by cache.nixos.org and thus needs to be built locally. +* Be aware that this needs some hours, about 12Gb RAM and a few Gb free space in /tmp. +* Forwarding mails: Update the Sops-secrets in the machine directory, rebuild and deploy. +* Everything else should happen automatically but new redirects might take up to two hours due HRZ infrastructure. +* Using the web admin interface: Set your SSH to do portforwarding of some local port to port 80 of the VM and +* and use your personal admin account or create one using the fallback admin password. +* Create users with mail boxes: Go to the admin interface and create them. +* Stalwart mailserver docs can be found at https://stalw.art/docs +*/ +{ + config, + lib, + pkgs, + ... +}: let + inherit + (lib) + mkIf + mkEnableOption + mkOption + ; + inherit (lib.types) listOf str; + cfg = config.services.mathebau-mail; +in { + options.services.mathebau-mail = { + enable = mkEnableOption "mathebau mail service"; + domains = mkOption { + type = listOf (lib.types.submodule { + options = { + domain = mkOption { + type = str; + }; + allowlistPass = mkOption { + # Password for the HRZ API that gets a list of mailaddresses that we serve + type = str; + }; + virt_aliases = mkOption { + type = str; + default = ""; + }; + }; + }); + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [pkgs.alias-to-sieve]; # install converter from alias files to sieve scripts + + services = { + stalwart-mail = { + enable = true; + openFirewall = true; + settings = { + server = { + lookup.default.hostname = "fb04184.mathematik.tu-darmstadt.de"; # Because the DNS PTR of 130.83.2.184 is this and this should be used in SMTP EHLO. 
+ listener = { + "smtp" = { + bind = ["[::]:25"]; + protocol = "smtp"; + }; + "submissions" = { + # Enabling sending from these domains privately blocked on https://github.com/stalwartlabs/mail-server/issues/618 + bind = ["[::]:465"]; + protocol = "smtp"; + tls.implicit = true; + }; + "imaptls" = { + bind = ["[::]:993"]; + protocol = "imap"; + tls.implicit = true; + }; + "management" = { + bind = ["[::]:80"]; # This must also bind publically for ACME to work. + protocol = "http"; + }; + }; + }; + acme.letsencrypt = { + directory = "https://acme-v02.api.letsencrypt.org/directory"; # This setting is necessary for this block to be activated + challenge = "http-01"; + contact = ["root@mathebau.de"]; + domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"]; + default = true; + }; + spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding + auth = { + # TODO check if HRZ conforms to these standards and we can validate them strictly + dkim.verify = "relaxed"; + arc.verify = "relaxed"; + dmarc.verify = "relaxed"; + iprev.verify = "relaxed"; + spf.verify.ehlo = "relaxed"; + spf.verify.mail-from = "relaxed"; + }; + + # Forward outgoing mail to HRZ or mail VMs. + # see https://stalw.art/docs/smtp/outbound/routing/ relay host example + queue.outbound = { + next-hop = [ + { + "if" = "rcpt_domain = 'lists.mathebau.de'"; + "then" = "'mailman'"; + } + { + "if" = "is_local_domain('', rcpt_domain)"; + "then" = "'local'"; + } + {"else" = "'hrz'";} + ]; + tls = { + mta-sts = "disable"; + dane = "disable"; + starttls = "optional"; # e.g. Lobon does not offer starttls + }; + }; + remote."hrz" = { + address = "mailout.hrz.tu-darmstadt.de"; + port = 25; + protocol = "smtp"; + tls.implicit = false; # somehow this is needed here + }; + remote."mailman" = { + address = "lobon.mathebau.de"; # must be created in DNS as a MX record because this field does not accept ip addresses. 
+ port = 25; + protocol = "smtp"; + tls.implicit = false; # somehow this is needed here + }; + + session.rcpt = { + # In order to accept mail that we only forward + # without having to generate an account. + # Invalid addresses are filtered by DFN beforehand. + catch-all = true; + relay = [ + { + "if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de'"; + "then" = true; + } + {"else" = false;} + ]; + }; + config.local-keys = + [ + "store.*" + "directory.*" + "tracer.*" + "server.*" + "!server.blocked-ip.*" + "authentication.fallback-admin.*" + "cluster.node-id" + "storage.data" + "storage.blob" + "storage.lookup" + "storage.fts" + "storage.directory" + "lookup.default.hostname" + "certificate.*" + ] # the default ones + ++ ["sieve.trusted.scripts.*"]; #for macros to be able to include our redirection script + sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script + session.data.script = "'redirects'"; + + authentication.fallback-admin = { + user = "admin"; + secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg"; # see machine secret for plaintext + }; + tracer.stdout.level = "debug"; + }; + }; + }; + environment.persistence.${config.impermanence.name} = { + directories = [ + "/var/lib/stalwart-mail" + ]; + files = ["/root/.ssh/known_hosts"]; # for the backup server bragi + }; + + # Update HRZ allowlist + # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/ + # will stop working if no valid TUIDs are associated to our domain. 
+ systemd = { + timers."mailAllowlist" = { + wantedBy = ["timers.target"]; + timerConfig = { + OnBootSec = "1h"; # Run every 5 minutes + OnUnitActiveSec = "1h"; + RandomizedDelaySec = "10m"; # prevent overload on regular intervals + Unit = "mailAllowlist.service"; + }; + }; + services = { + "mailAllowlist" = { + description = "Allowlist update: Post the mail addresses to the HRZ allowllist"; + script = let + scriptTemplate = { + domain, + allowlistPass, + ... + }: '' + # Get the mail addresses' local-part + # TODO: These features have been removed from stalwart-cli and needs to be replaced by undocumented API calls. + # see https://github.com/stalwartlabs/mail-server/discussions/803 + # ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) account list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' >> /tmp/addresses + # ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) list list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' >> /tmp/addresses + # ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) group list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' >> /tmp/addresses + ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases >> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need. + # Post local-parts to HRZ + ${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${domain} -F password=$(cat ${allowlistPass}) -F emailliste=@/tmp/addresses -F meldungen=voll + # Cleanup + rm /tmp/addresses + ''; + in + lib.strings.concatStringsSep "" (map scriptTemplate cfg.domains); + wantedBy = ["stalwart-mail.service"]; # Rerun on stalwart restart because forwardings may have changed. 
+ serviceConfig = { + Type = "oneshot"; + User = "stalwart-mail"; + NoNewPrivileges = true; + # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html + PrivateTmp = false; # allow access to sieve script + ProtectHome = true; + ReadOnlyPaths = "/"; + ReadWritePaths = "/tmp"; + InaccessiblePaths = "-/lost+found"; + PrivateDevices = true; + PrivateUsers = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + }; + }; + "stalwart-mail" = { + restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed. + serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script + }; + "virt-aliases-generator" = { + description = "Virtual Aliases Generator: Generate a sieve script from the virtual alias file"; + script = let + scriptTemplate = { + domain, + virt_aliases, + ... + }: + if virt_aliases != "" + then "${virt_aliases} ${domain} " + else ""; + in + lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map scriptTemplate cfg.domains ++ ["> /tmp/virt_aliases"]); + wantedBy = ["stalwart-mail.service"]; # Rerun on stalwart restart because forwardings may have changed. 
+ serviceConfig = { + Type = "oneshot"; + User = "stalwart-mail"; + NoNewPrivileges = true; + # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html + PrivateTmp = false; + ProtectHome = true; + ReadOnlyPaths = "/"; + ReadWritePaths = "/tmp"; + InaccessiblePaths = "-/lost+found"; + PrivateDevices = true; + PrivateUsers = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + }; + }; + }; + }; + # Backups + services.borgbackup.jobs.mail = { + paths = [ + "/var/lib/stalwart-mail/data" + ]; + encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction. + environment = { + BORG_RSH = "ssh -i /run/secrets/backupKey"; + # “Borg ensures that backups are not created on random drives that ‘just happen’ to contain a Borg repository.” + # https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html + # We don't want this in order to not need to persist borg cache and simplify new deployments. + BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes"; + }; + repo = "borg@192.168.1.11:kaluut"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33 + startAt = "daily"; + user = "root"; + group = "root"; + }; + }; +} From 597f4d365cded5cf3724f0c36292a4ec40668169 Mon Sep 17 00:00:00 2001 
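Review bot: The generated redirect script is written to a fixed name in the shared `/tmp` (`> /tmp/virt_aliases`, with `PrivateTmp = false` on `virt-aliases-generator`, `mailAllowlist` and `stalwart-mail`) and then loaded as a trusted Sieve script through `%{file:/tmp/virt_aliases}%`, so any local account that creates that file first decides how incoming mail is redirected; `/tmp/addresses` is appended to in the same way before being posted to HRZ. A directory that only the service user can write avoids this, for example `systemd.tmpfiles.rules = ["d /run/stalwart-aliases 0700 stalwart-mail stalwart-mail -"];` with `ReadWritePaths = "/run/stalwart-aliases";` and the script path changed to match (directory name and group are assumptions). In `mailAllowlist`, `-F password=$(cat ${allowlistPass})` puts the HRZ password on curl's command line where other local processes can see it, whereas `-F "password=<${allowlistPass}"` lets curl read the value from the file itself. The `management` listener on `[::]:80` together with the committed `fallback-admin` hash (`m=4096,t=3,p=1`) also deserves a second look, since the header comment expects admins to arrive through SSH port forwarding rather than over a public plain-HTTP port.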
From: Gonne Date: Wed, 10 Jul 2024 22:56:46 +0200 Subject: [PATCH 2/2] First try to install Stalwart as a mail software --- .sops.yaml | 7 + flake-module.nix | 6 + flake.lock | 144 +++++++-- flake.nix | 3 + nixos/machines/kaalut/allowlistPassKoMa.yaml | 48 +++ .../kaalut/allowlistPassMatheball.yaml | 48 +++ .../kaalut/allowlistPassMathebau.yaml | 48 +++ .../kaalut/allowlistPassMathechor.yaml | 48 +++ nixos/machines/kaalut/backupKey.yaml | 48 +++ nixos/machines/kaalut/configuration.nix | 100 ++++++ .../kaalut/hardware-configuration.nix | 30 ++ nixos/machines/kaalut/koma.aliases.yaml | 48 +++ nixos/machines/kaalut/mathebau.aliases.yaml | 48 +++ nixos/machines/kaalut/mathechor.aliases.yaml | 48 +++ nixos/machines/kaalut/stalwartAdmin.yaml | 48 +++ nixos/modules/borgbackup.nix | 7 + nixos/modules/mail.nix | 302 ++++++++++++++++++ 17 files changed, 1001 insertions(+), 30 deletions(-) create mode 100644 nixos/machines/kaalut/allowlistPassKoMa.yaml create mode 100644 nixos/machines/kaalut/allowlistPassMatheball.yaml create mode 100644 nixos/machines/kaalut/allowlistPassMathebau.yaml create mode 100644 nixos/machines/kaalut/allowlistPassMathechor.yaml create mode 100644 nixos/machines/kaalut/backupKey.yaml create mode 100644 nixos/machines/kaalut/configuration.nix create mode 100644 nixos/machines/kaalut/hardware-configuration.nix create mode 100644 nixos/machines/kaalut/koma.aliases.yaml create mode 100644 nixos/machines/kaalut/mathebau.aliases.yaml create mode 100644 nixos/machines/kaalut/mathechor.aliases.yaml create mode 100644 nixos/machines/kaalut/stalwartAdmin.yaml create mode 100644 nixos/modules/mail.nix diff --git a/.sops.yaml b/.sops.yaml index bc5cfc6..7967e56 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -5,6 +5,7 @@ keys: - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4 - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn + - &kaalut age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a creation_rules: - path_regex: nixos/machines/nyarlathotep/.* @@ -25,6 +26,12 @@ creation_rules: - *nerf - *gonne - *lobon + - path_regex: nixos/machines/kaalut/.* + key_groups: + - age: + - *nerf + - *gonne + - *kaalut # this is the catchall clause if nothing above machtes. Encrypt to users but not # to machines - key_groups: diff --git a/flake-module.nix b/flake-module.nix index c30fff4..7bc32ef 100644 --- a/flake-module.nix +++ b/flake-module.nix @@ -53,6 +53,12 @@ _module.args.pkgs = import inputs.nixpkgs { inherit system; config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"]; + + overlays = [ + (_: _: { + alias-to-sieve = inputs.alias-to-sieve.packages.x86_64-linux.default; # add custom package to convert alias files to sieve scripts on the stalwart machine + }) + ]; }; }; diff --git a/flake.lock b/flake.lock index 846ad85..f27f9ee 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,25 @@ { "nodes": { + "alias-to-sieve": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": "nixpkgs", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1732282930, + "narHash": "sha256-hC3qssnwZ9buK61th2x/C+DEQ2yUws+5zLA5Ql7Xtvs=", + "ref": "refs/heads/main", + "rev": "eef3728818c02aa6ba107825bdf45a88a544561e", + "revCount": 12, + "type": "git", + "url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve" + }, + "original": { + "type": "git", + "url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve" + } + }, "blobs": { "flake": false, "locked": { 
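Review bot: The overlay added in the `flake-module.nix` hunk hard-codes the platform in `inputs.alias-to-sieve.packages.x86_64-linux.default` although `system` is already in scope (`inherit system;` two lines above). Writing `alias-to-sieve = inputs.alias-to-sieve.packages.${system}.default;` keeps the package consistent with the rest of `pkgs` if another system is ever evaluated, instead of silently mixing in an x86_64 build. The enclosing `_module.args.pkgs` block starts outside the hunk.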
@@ -21,11 +41,29 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1727826117, - "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_2" + }, + "locked": { + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", "type": "github" }, "original": { @@ -35,11 +73,11 @@ }, "impermanence": { "locked": { - "lastModified": 1729068498, - "narHash": "sha256-C2sGRJl1EmBq0nO98TNd4cbUy20ABSgnHWXLIJQWRFA=", + "lastModified": 1731242966, + "narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=", "owner": "nix-community", "repo": "impermanence", - "rev": "e337457502571b23e449bf42153d7faa10c0a562", + "rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a", "type": "github" }, "original": { @@ -71,15 +109,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1729665710, - "narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=", - "owner": "NixOS", + "lastModified": 1732014248, + "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d", + "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", "type": "github" }, "original": { - "owner": "NixOS", + "owner": "nixos", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" 
@@ -102,28 +140,56 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1727825735, - "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", + "lastModified": 1730504152, + "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" } }, - "nixpkgs-stable": { + "nixpkgs-lib_2": { "locked": { - "lastModified": 1729357638, - "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=", + "lastModified": 1730504152, + "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1728538411, + "narHash": "sha256-f0SBJz1eZ2yOuKUr5CA9BHULGXVSn6miBuUWdTyhUhU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22", + "rev": "b69de56fac8c2b6f8fd27f2eca01dcda8e0a4221", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-24.05", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1732014248, + "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": 
"github" } @@ -136,11 +202,11 @@ "nixpkgs-stable": [] }, "locked": { - "lastModified": 1729104314, - "narHash": "sha256-pZRZsq5oCdJt3upZIU4aslS9XwFJ+/nVtALHIciX/BI=", + "lastModified": 1732021966, + "narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "3c3e88f0f544d6bb54329832616af7eb971b6be6", + "rev": "3308484d1a443fc5bc92012435d79e80458fe43c", "type": "github" }, "original": { @@ -151,27 +217,45 @@ }, "root": { "inputs": { - "flake-parts": "flake-parts", + "alias-to-sieve": "alias-to-sieve", + "flake-parts": "flake-parts_2", "impermanence": "impermanence", "nixos-mailserver": "nixos-mailserver", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_3", "pre-commit-hooks": "pre-commit-hooks", "sops-nix": "sops-nix" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1732242723, + "narHash": "sha256-NWI8csIK0ujFlFuEXKnoc+7hWoCiEtINK9r48LUUMeU=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "a229311fcb45b88a95fdfa5cecd8349c809a272a", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" + ] }, "locked": { - "lastModified": 1729931925, - "narHash": "sha256-3tjYImjVzsSM4sU+wTySF94Yop1spI/XomMBEpljKvQ=", + "lastModified": 1732186149, + "narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=", "owner": "Mic92", "repo": "sops-nix", - "rev": "b2211d1a537136cc1d0d5c0af391e8712016b34e", + "rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index b4b5593..2e6f161 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,6 +2,9 @@ description = "Description for the project"; inputs = { + alias-to-sieve = { + url = "git+https://gitea.mathebau.de/fachschaft/alias_to_sieve"; + }; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixos-mailserver = { url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git"; diff --git a/nixos/machines/kaalut/allowlistPassKoMa.yaml b/nixos/machines/kaalut/allowlistPassKoMa.yaml new file mode 100644 index 0000000..826123a --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassKoMa.yaml 
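Review bot: The new `alias-to-sieve` input is declared without any `follows`, so according to the `flake.lock` changes in this patch it brings its own `nixpkgs`, `flake-parts` and `rust-overlay` (the latter with a further `nixpkgs_2`). The tool that generates the trusted Sieve script on the mail host is therefore built from a different nixpkgs revision than the system it runs on, and the lock file gains extra upstream sources that have to be reviewed and updated separately. If the upstream flake builds against it, consider adding `inputs.nixpkgs.follows = "nixpkgs";` (and the same for `flake-parts`) inside the `alias-to-sieve` block. The `inputs` attribute set continues outside the hunk.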
@@ -0,0 +1,48 @@
+allowlistPassKoMa: ENC[AES256_GCM,data:TGFyk/kVc5+EFtjJXUVTNEk=,iv:QQDiOK81JDQXnuzgrcDHVtu+Pm2Ki7H2sEBuNMSKY9U=,tag:mgd/jPMl7fjl+dH6d2sKTg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpWW9FZHEwejRaRER1MHJQ
+ VXgyaE1GQmhhNFh1dEtBNjRnZXVqWm5hV25vCjliank4KzFobEZtbitzaXBhT1F6
+ cCtqeVorS1BLMmMzZkVVOEN6NERFdDAKLS0tIGkzUUt1NnBUWUJWTy9Pd2FIeTF0
+ cDVaUHowSEpoRjR3Zm81Z1p5NlYzV1kKMRvC7+3TS5EKjWg/NPnbwvVIikxf+Bpa
+ zNo9jhw3GREMScBXOiarm+xgMZ1e2SRrLrUwfR4DiXI4uvg1Jk/tPg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRYk1LQTVDNGhHWXJZSmsy
+ NEZ0WTNlek4yVnRwL3BKNXYrcm84SzIvNlRZCjlDdXU1a2NRNUVHZmkyK2ltZ3pE
+ bmtmVE5TR1hBcVNhaTBGK2F6VWZ1d2MKLS0tIDVKcXhDbjBncFlsR3FzanRhWWQv
+ Um1jcExjN2RWbHhzY2ZpcWVTWE1IbHMKfRSAmfbk+JDWdhSTSg9GZ+lws5DOHv9T
+ ZO9nQV37X9zFD6sXDWaspG3sf4kJZUCbWjCTKyQL/xmh4+E8+CAXYw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzOXBwTUF3ZXJCTFJOQjVC
+ bGplRDRCQVhtUEJPcnhENEF3UVVnbmVKNnprCjFOZW94ajI2d21RamZKT0xFMmtZ
+ ZzZFYjg3WDBmOVhlaFZyOW83M1NYVXcKLS0tIGltWUJGczNJS0pWTmxaZHU5Wi9t
+ TDRCdStocXRvLzBPUTd2blZFV0IyblkKjufZg39n/TI6BhGhIFNz4jplUx6u3/bo
+ NMbr9uJy/I1sdlfGNaheG/TIGOgFG1KqGkGdwpisU3gUD9uMUo1dvw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdDdsdW44ZlQyMzdJNmsv
+ aTIzVWRoSDhzamlqTDFOemZlc1JQMFdZbFJNCmVZbDVVaDBSVi8yTkdOQ1UySy9X
+ MlhXTzRvNWtqUzQxTlNqQ2RlN2J1OXMKLS0tIC9aZEZMVkFybnRTQmhpM1dzc1lt
+ bDdvdHc3Y1NmeE5WUzl3cXVRc3pmOUkK+9WueS1wDQDJlenec4jJCfynbPnuOFYR
+ HFsWmvEZJ+XhH6N9Q0phCHQgZGiR67FH6CHkCblmb6ZfZcWSEe1oTg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-23T09:05:51Z"
+ mac: ENC[AES256_GCM,data:/OUhbhrO36jEdQUc2+fPfYc13Qezbedo534r+dtULWNR3upzIkP1EnZmTe//TQcKe6GYE/AIWOCIdmfj5+TdXZfoFGZ4YjjFof2HYvDjNKHq7m0F5PFmmzNNkpzUdwHBj5N1usPRoPbsYIpfV74AUJJEeBSTpE76vIATNuE21Js=,iv:Rnh+uIDOPW0vdHPhjqyce9xl7MtURMTrp9kYoWZ6zOA=,tag:jONUKe1pXReqHjtnqCOTjw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1
diff --git a/nixos/machines/kaalut/allowlistPassMatheball.yaml b/nixos/machines/kaalut/allowlistPassMatheball.yaml
new file mode 100644
index 0000000..46c9791
--- /dev/null
+++ b/nixos/machines/kaalut/allowlistPassMatheball.yaml
@@ -0,0 +1,48 @@
+allowlistPassMatheball: ENC[AES256_GCM,data:cnYmhQ+2sNMR,iv:hSn9JbDce2NZdzptY1Miik4+VFh0i6ehQAGxcd9dJWg=,tag:XI1bE6Z84ppIxPYOasNO/w==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHS2ZFM3JQcGx4VFo2M1Fy
+ T3pnNFg5dEhiaEI4SkNFbDNmV0Y4cDZHa0ZJCjd2SmRwMWtod2pxbEZkY2ZhbWhT
+ cEFJVHVyU2R0dncvekNFdzNpODlCMDgKLS0tIDRLSGFISXpXMUlzdGdDK1pBb3JX
+ N3RJVUpsdFZySTVWYlkwbStCaWVRZzgKInXWOMB5LX87zIKcdllGcOBc1CJHcSWP
+ htTOydt1XQGlZ809yT1Ovnsenk7SIFrtUGCgpSvju4C68FyS8fgJKQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdk1qdTBZRWYvMFgyZ3NN
+ QkZpb3BjSnVqRFJzeElCYVp1NDlyQitITGp3ClRtbVhBQnFvU0t5cUZGK0MveExJ
+ c1RtT2lRZm4ybkgxQ2VmV290SFRId1UKLS0tIEttRFFqTWJHbW54MUxCMHZ2NVA5
+ NkFnM3R4eTEvdm85TzE5WFJLUTZMclUKpyGsJAAlqRagy13dH3AyeNi9v3oP8R6C
+ UayJeCPN89IyDsaIsrgAJk67+t92N8wTRIpOzfLEBQzz1WVBYCTPhA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOT012TTQ1V1ZlMnZycVB6
+ empqdFc1SE13b1NNSCsyNkRMUWZ2aUdIRlc0CmEwYnp6WVI4SmRaVWRqTUZ5cWJJ
+ SXpUb3JLT2hNalc2ZlBhOTc2YWdDMkUKLS0tIGFPdW1OS0xFYjF3K01YcVh0bDQr
+ TjcxNTM3cjZrNnN1RThYUW56WHQ1RzAKvNCz1CW4VwI/YPqzpYfhpvhukbhE3g3Q
+ 31JZhyUViS/tutNy3rUpP+6zS2sY4yKhoavBTmMwI8W9I0JSZaVc5Q==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQytnV3hWODAva0JGdFF4
+ MC84UmdaKzd1MVloK0dXL1NjS3pGaGY5RGw4CnF5NjlvSUU1N0ZlMHMxVXlhekxH
+ QkJJR3MzQVdJd2ZrT0t0S3FKMFZaOW8KLS0tICt6SEhEcm1QR0MwQjJ1YllRSlY2
+ QlZ3Zk1hdkxpNllwSTNxRlZrZWtuVEUK65FpDbLv+S+MvF5+rpTyhjfi9xOUekTP
+ WupHKoeMMzAFxRK7DcH8bREib731JgBPbZEl8QZcY+xZDORnv1XZhg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-23T09:05:51Z"
+ mac: ENC[AES256_GCM,data:qA7d/k9vSQIvtdHOx20yfi98s5jgdGPYsP2c1rNrX4MeZnJ4RE+KR8wR37A54AvgOURUnTJUSfDNKGuTIPxioRC1j8iNlo/y0IefkbTaO2CBoh+BHurlh6wweTKI3LRUk8V0i5Qn/5INYc+DEzfsiA2g+QcbT5d0fU98+x7V/yY=,iv:xcgMXDFDN0Vo15rr2Eo6QV/Y5+X0t0mvAfuFmN1NDXY=,tag:PywW0L+VspBh2pZGXbM+sA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1
diff --git a/nixos/machines/kaalut/allowlistPassMathebau.yaml b/nixos/machines/kaalut/allowlistPassMathebau.yaml
new file mode 100644
index 0000000..df69566
--- /dev/null
+++ b/nixos/machines/kaalut/allowlistPassMathebau.yaml
@@ -0,0 +1,48 @@ +allowlistPassMathebau: ENC[AES256_GCM,data:DuCBcWAC61JW,iv:g0zYvVmTjsJESTq3kkWtaiypYPLIE6zkFyYLeOp/qhw=,tag:pyK6KMuPLkhLSTPAzbVxdQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaaWhNaDFEREcrejY2ejhI + L0tnOEtTWktNVDVoK1JQd3pBY1BndTY1NUFjCjFFSEd2Nkc2TVVMYzlwRXhyenVq + WmlCZkc4VWtFS1drNDRjRXR6SEVoYVEKLS0tIDRCQjJkdUM0V1BGV0hVNUtNQ1d4 + M2J2TEtPTjRVVG8yOHd6WThRNm5SU2MKVIAU8GCGklXvqNf0bpahJ4SsvIQxMged + m6mznRxcK9QPMApHayOBgw+8T+3IQkaEKGRuhI1y9UXahGSr8yxPYA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTkNiVWo3SWFmaFlENm5C + cDlJdHM0OXBnTFdYV1NtTHFmTndndTdwQWhRCitMTVJIcnpiRzEvL3JzMTZJMW9p + NTlIREJ5VVpLTVplWVNhSFFDMlVpNTQKLS0tIFkvMjYvVy9DZUZSVDVvQTkzck1F + ZHM5M2tRVUVIYmR5L1FsR3VxNUZSdW8KWIq5Cjbd12SqQfXRZDpUxTnUZGCyMVb+ + XxCixIFoGYZRTBc15k/Z6yM5OxYnSv3tbioF68PYtPaaRJrw0ICDxQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUWVHME1JN0gvZlNDQkFt + YTFsRG12UWlLckVLanNGQlozSXFaVGhMQWdzCndPdnRnNFU2dUpQangxUGU1RGVG + Z0Z5SmxZVG1jYW91YW5Jc1UwY25yOEkKLS0tIDJ1U2w1RzhpUk5WR0JUbzhRSStE + VnZpWUFwaHFMa2V6NlpQR285RGU0L2cKeN08hqlFz4re9iVwKmp2THEs1vZFqNXg + uK9Em5IeCx3pBjd5nnguAM751vR9X5O91ntA/R3MoL2bxGhbXHbOmA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXYStiSFpMWjh3M0EydEU4 + YlBpcFNYRXJTN0k4MWQ3blFmdW4zTHR6MWhrCmtsVkpGNFlIT0xBQU9SSG45czhU + 
NzlKSm9RMStFZXpselNBa3NpNGM5SzAKLS0tIDh0LzI0SkdlM0hONmF4RndCV2Q2 + VmwxWjcxVG5Kd1pPYUdpWDJCZkU3Q00Kbc8dYrQ2AiRAUfzXl6Bdj1mlbwlHSKzS + 6B/wzrIB3yws4QXCdZsIifxsGqJh/74UdQSXEab0VNwaHqsyXecIjw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:JLCK4mH4yS4YMhrmI821s/TfONkCyEx8x+pFHD/QOoU4KHyhDIggEhTYo31JFpWIQdDZMPbeFaUN+IvQwh1pqD1V92XfJVC0zHPiwhG7W2kI8WFAONVqI/bbMJ/ne4am5w/koGpQNPiM2RIo+9/9BKOkyLJLB7XTqPBY/FNW2n0=,iv:JiHwaSbPJSJYofiFABjn/AehSKyRrlOKHXBs1DGZcFQ=,tag:ajR0zYdHWxQcY2DhAuAzAw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/allowlistPassMathechor.yaml b/nixos/machines/kaalut/allowlistPassMathechor.yaml new file mode 100644 index 0000000..011559f --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMathechor.yaml 
@@ -0,0 +1,48 @@ +allowlistPassMathechor: ENC[AES256_GCM,data:CuLKFiBN6JwB,iv:cwiwShPKrGjjfuglRttmG/AB+qblJ/6ZLyD88mAsZ30=,tag:JIJjHJ4it077RSD3pSOBgg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnQzBXNVFObnk5OWtaemNz + UlFDTFpGRmJ6N0xYUmx3dllzS3hyWmNURmxRCm1CbmpSNWRkVHR5M21ibmJ4ZzNJ + elZQQ0UyN3lOTmRwQ2tnL1lHUFF5djgKLS0tIFUvRUkwSW0wSFhCMFByTkI0eEo4 + emdnN2JoMDVOb3FUTmZhZFIxWFhxZEkKDWFrvxDHjybQ2b9hORThAG2TihGdvaK0 + EHrzz0h1NVEO/nLUJSXRugGJ+J1GqThgOG1WCwJ+2Fk4Hm+q040DWQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkbmQ3ZXdhZkV2VTMxTUFK + eHM5aXAyNXdtV2ZkRVZKTC9GdWtDWUJtdFFFCkdBMWs3OFltRjFLVU1rSG52NGo2 + Q0dnS1V2c01EdVRuRGlsZ0lQT1JtUG8KLS0tIHErblZ6U01HTm1FUVJTZjdGQ2RB + bE90R0NsdkQ2UWNrbXZydjR5YTNGVWcK46c5ec7plT6X1874abnSSryG+cUZq/QT + 3LpgQs26dc9nIARiZUk/2UTPiUwxFesi7e4I87bWh5A+mQOHNfRAyw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUmJXMlFlb0pUbkduWkJK + SWhlUXNqZ0FQeFlEMFppUWR6MHFyS282emhJCkNLMDdaQ2JXRExLT3F2Y094VE90 + bTdmNGIvV0JHNlVldTVxUmdueTllYWsKLS0tIDAvNlhRQnFKSW5JT004WDFhSGEv + M0hKbWxuWjRlUWlRaHBQQUpkVlM4dTQKm4vPZTHMIfk79dTOO7mP9IZaJZbu3hx8 + J/y5xwUFVakqPaX144YZXjjStsjp6H71jE+z3EWeqvW3hwI8XAOv/w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0ZGFsenFjQkRBTCtsVXRI + VnpQZmVld0VFZ09hWTdlSjNzczA1T1VhWkZrCkpRUml1UFJrU2laQ1FEVi9USEg2 + 
Y3J5VlZCVG83UUh0bnRVbkZRVWVMMlUKLS0tIEl1VUFPQ3NvMm40clFTMHcwRzlC + dENsZ2ttbFI1aGdFYlZ0M1crZGlRek0KWF+sAOdOGf7GKkY3ZlfPkXGGDwSf89Lk + uvSkh+2Y9RIkQ7HRUvWxPBPi4vBUUhM7y5+lA8sNi+lLMzPyzVeKaQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:4LMhli417gbzauxvsx+cSA0VfCt5+dr1lsGdzVqNts/ELcCxlH2599V/xPdgZJYvbvY/AUDEVc6/7vodqtxsI9d99P9AD9IRaETqHkQ2RmPfyUHLJL8kgLdcql6zBdlZTpy05438Bs53sOQMWCcUmE2TohH9jlvmwpqCaRgfYf0=,iv:BkfHGIFAdlSIjdLvqOeaeoIkBaMQ5yXqYBFgGBrzMjk=,tag:7+vgwa89KxeXWNvfbiKSsg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/backupKey.yaml b/nixos/machines/kaalut/backupKey.yaml new file mode 100644 index 0000000..3727470 --- /dev/null +++ b/nixos/machines/kaalut/backupKey.yaml 
@@ -0,0 +1,48 @@ +backupKey: ENC[AES256_GCM,data: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,iv:ReA4k7S4F8NBE0VBCy9ks6YZJiubdUdP/AhEwc0kHaA=,tag:zagxPVYKQhf/tdK3tJFa2A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSGRWTEd6TVAzWjk2cHRn + Wkg1NlhxNXVYVXpDdnFiWmJSejE4SDhuZURFCklQWUFiaHZvbkZ1T21aZHNuME5x + NXN1ZHBoQzU4RUc3Y3lJVnMyRjluckUKLS0tIDRRVTdwcVplUFJmajkvWEZ0UlFJ + ZWpXTzI2NVhldnRrYnFybzErZXBQaVkK4hi/aksGcLlELTUPjJPoVR518z+Twt6l + RCFOnLsmsRu8/pigphbGMjOxYPsEsEpclU2vAobL1H3nPE/uKt4t/Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByN3BGN2IvdkhkcENJZEJD + OStNdWw2Q25hSXZHcDczRnRUd3h1ZGhDODA0Clo4cktoL2FUYmlkY2JJZFp6bkVS + WHdFeDZxSEU3a0RBMmI3cGk2N05hb0UKLS0tIDdDOElueDhPR1pxVEdmaTg3RVgz + eHVGak9sRkEydjdiam5QWHNpRG1hTnMKWqSIdNP6yMw6xoPqmK9Lss2Ztb72T7+l + bK4VYCnyuuQ24AhlVHLZdbRbk4Rvp2V7bCTWwTNamrRMJieLMZwt8g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNmtkRGlCTFYvdEJWZEhv + bXY5Z3ZibjRjQTV2c3R4OE1JSXBxeTN4Z0Y0CmU3aUVNN0NEeGgwOExvOFRDc2Jl + YlQ3dDJtQ1hvSHNFSzNyNGJMYklrRzAKLS0tIFB0Q21WU0hkOWxLajhRdlZaMGFN + OTYzMW9aMERGTVdXUnBZM0hxSzBWYTAK0k+pyltKHe6FfdYPqAQcax/u5r1JKP4q + C8qXIuAXY9FI4mV8xyuRZEIDr5A2y3hCCilieGr1KGkAwBZyZhQy4w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZStjM25VQnQ3Y2d3Skxs + K3k2NU5yeXUwT1F6SmNUVGpPVDUxeHdKZ0JJClFYcUIzazZ2R1BIbElWS3hCeHFK + 
cjFRY1pIL29YUktiR0t5bm5wT1JzZ1EKLS0tIFRPYi9veS9RZHhIRHNyZjZvL3JY + RTk1RE9GRitTMFFoUUQwOWtiTWRwMjQKkoA2wiTAholKq7ngDE/OWZKHjFbDg7WZ + efax0e0/riC3EEyvR3kIfjCenc2GBvVoaMgzD3Dra9Gz+3JpM11/+w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:yYBzhvg1g9GQk+Os6wkzNE3FyXIp7N2AnxuzPfexoA0aWXhYD2zQ7ylTiRGZLkbSODezXT0pD9sjYFN8yTXuY5HMIlCYSCPQGIUblZKRqB0EES3JyhQ4bULCMO7pXrsIuAICzoWM9vn7RQ9cVbL3N2rocYiSURhsGuMA47d3QFk=,iv:xS/am6/hLq2sQGB+vMzS6ZqmFr1ZOIDj1l6b56nVMhE=,tag:erNYX6U4/uSlSUBpN7kKiA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/configuration.nix b/nixos/machines/kaalut/configuration.nix new file mode 100644 index 0000000..a49a060 --- /dev/null +++ b/nixos/machines/kaalut/configuration.nix 
@@ -0,0 +1,100 @@
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../modules/mail.nix
+ ../../roles
+ ../../roles/vm.nix
+ ../../modules/vmNetwork.nix
+ ];
+
+ # System configuration here
+ services.mathebau-mail = {
+ enable = true;
+ domains = [
+ # lists.mathebau.de is forwarded to another VM and does not need to be listed here.
+ {
+ domain = "matheball.de";
+ allowlistPass = "/run/secrets/allowlistPassMatheball";
+ }
+ {
+ domain = "mathebau.de";
+ allowlistPass = "/run/secrets/allowlistPassMathebau";
+ virt_aliases = "/run/secrets/mathebau.aliases";
+ }
+ {
+ domain = "mathechor.de";
+ allowlistPass = "/run/secrets/allowlistPassMathechor";
+ virt_aliases = "/run/secrets/mathechor.aliases";
+ }
+ {
+ domain = "koma89.tu-darmstadt.de";
+ allowlistPass = "/run/secrets/allowlistPassKoMa";
+ virt_aliases = "/run/secrets/koma.aliases";
+ }
+ ];
+ };
+
+ networking.hostName = "kaalut";
+ vmNetwork.ipv4 = "192.168.0.17";
+ system.stateVersion = "24.05";
+
+ sops.secrets = {
+ # Password for the HRZ API that gets a list of mailaddresses that we serve
+ allowlistPassMatheball = {
+ sopsFile = ./allowlistPassMatheball.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ allowlistPassMathebau = {
+ sopsFile = ./allowlistPassMathebau.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ allowlistPassMathechor = {
+ sopsFile = ./allowlistPassMathechor.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ allowlistPassKoMa = {
+ sopsFile = ./allowlistPassKoMa.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ # Virtual alias file
+ "mathebau.aliases" = {
+ sopsFile = ./mathebau.aliases.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0440";
+ };
+ "mathechor.aliases" = {
+ sopsFile = ./mathechor.aliases.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0440";
+ };
+ "koma.aliases" = {
+ sopsFile = ./koma.aliases.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0440";
+ };
+ # password for https://stalw.art/docs/auth/authorization/administrator/#fallback-administrator
+ stalwartAdmin = {
+ sopsFile = ./stalwartAdmin.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ backupKey = {
+ sopsFile = ./backupKey.yaml;
+ owner = "root";
+ group = "root";
+ mode = "0400";
+ };
+ };
+}
diff --git a/nixos/machines/kaalut/hardware-configuration.nix b/nixos/machines/kaalut/hardware-configuration.nix
new file mode 100644
index 0000000..ce7112d
--- /dev/null
+++ b/nixos/machines/kaalut/hardware-configuration.nix
@@ -0,0 +1,30 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [];
+
+ fileSystems."/" = {
+ device = "root";
+ fsType = "tmpfs";
+ options = ["size=1G" "mode=755"];
+ };
+ fileSystems."/persist" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=persist"];
+ neededForBoot = true;
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/boot";
+ fsType = "ext4";
+ };
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=nix"];
+ };
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/nixos/machines/kaalut/koma.aliases.yaml b/nixos/machines/kaalut/koma.aliases.yaml
new file mode 100644
index 0000000..9c2b1bd
--- /dev/null
+++ b/nixos/machines/kaalut/koma.aliases.yaml
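Review bot: The `stalwartAdmin` entry in `sops.secrets` of configuration.nix puts the plaintext fallback-admin password on the mail VM, readable by the `stalwart-mail` account, although nothing in this patch reads it: the server is configured with the Argon2 hash in nixos/modules/mail.nix, and the only references to `/run/secrets/stalwartAdmin` there are commented-out `stalwart-cli` lines. I would leave the secret out of this machine's `sops.secrets` until a unit actually consumes it, or at least set `owner = "root";` so the network-facing service account cannot read it. The three alias secrets also use `mode = "0440"` where the others use `"0400"`; with owner and group both `stalwart-mail` the group bit adds nothing, so `mode = "0400";` would keep the set consistent.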
@@ -0,0 +1,48 @@ +koma.aliases: ENC[AES256_GCM,data:YXHv59u9hHbkXH9s8CbDmP1adthMLiU3ijCIg/yBfXvwtzWUY45un3D/iP8aIEB31PkfVtmTYcbsrJRU5brPgtev28U9DsTc1UrLdUW7YyAgo8xN0nyte6Qxdv9OfUVmwTg4tY9Tv7WmjgpXuIx2sRglfn42X3S4tVAmqzYNrg==,iv:3PM0wfq4lFG1bV607cGkZ6QgznRk8iLMQ55M/BMMJAg=,tag:npKbdQ4esykcjMcYEVHR5Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBS283ZTdKVTVLaDRDV1N5 + SGhJQjJWdXJzc1l5OWtCWVdueTJMdjZpUjJzCmtUZFRYR0JXTW15Z0NyMktEbW5w + dkk1TjF0dVQ3MlFhNUFTbU0vMFdySWcKLS0tIDZPQmxSVGYzT2dDM244ek95dk9n + SnhtQWJic3B2YTM1ZlE3SHVRSjl1YVkKgUXW7JW3WSM5EusBoxQMsBRGwIqqi7Lo + DgWLq/P1rruuqRAS8hl4cht3jz6PlCJgVh2xpaM/kfkFS8ZuhVFw4g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdmcyM3hSUFdlM25UUndu + RUhzdEhsakdEdytBUGRyRTFXRzdYK2RBR0dnCmJqOTlvYkZkeld3eDYvRmRmUU5u + aHArR0FkZWRtT0hoNTZpS1JmaTRHencKLS0tIGVVSWN0NWQyQWdrcXdQUnQxUjdu + MWFZWVQ3RmZZS3FnRkJPdDRrOTZrWG8KVgFqfeBLw5gTBKugfnC4a5OLwOhosSgy + 3hXbGMrJiBDwOS+70H3L+IwiNSoJ6mL+ufShCTq8wER2L9GTteI8gg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzamM5TDVQM0hnZklsbncx + SlBMM0NpcnBBai94czV5WE1Md21EeE1kVXpFClpDVTRqYm5rWFhjVjRPQm1IVWxW + WTNlZFo4Y3VVNjZhckZ0RFVlQlV0OEEKLS0tIGJOR3k0OUorYTNXL01KQWJBUzVD + V0xidWR0SnBDM01hRlkrTlY4eEIrc1EK1Hye/jrQebkEDQ8muJpgHqBLefjnEJPF + GxdANetJLuZeeiOUjaUcbP6tecqZpiWN8fFEXrjNL4vnrHvJ+bR1aA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqQURCeGJBYytCdlhrWjF5 + c1ZrbEFENDF5bTNMaE52SE5CS1dVdWJCNlFzClZtK1QxOWY0dEVRRWY4MEtlZ1N1 + eGlaYXVLMUJiUi9FckdNcllBRCt4cmMKLS0tIEZuOTZQTm9vWHQ4Y3Z6RVloT0VL + OW5ZQWIvU2x1OEN6OW84K0dqRmhGNUUKOA3ugnG/ZD7m1DKrFjpZ8opPnjPtLaQx + t8qgGuQIoX6KeUb+YybRAOAPPzl51/m9GSUB43Eanm/tVJpdaew7/g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:L29+n5e38RVgVT71y96EbrboHZigbCUvv1gZ+uTWEchOmB8+pgamKhF/m3mpI1iauKtkNlkcS7NbtsEhbLumEHAibJ1H2EZdbWKB53m0RZMCWdZKV+49DenLjROljWMC+mXs0zIir+ts3mhD3ORhQZVBgs/svfkgIyPkcl0wHaE=,iv:ipUpydj18/fgFgwoD0NDjmwLXM+vfkC85I3uvmG9GLE=,tag:sA1UVTquN7cbWAMh9vF5cg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/mathebau.aliases.yaml b/nixos/machines/kaalut/mathebau.aliases.yaml new file mode 100644 index 0000000..57f20a9 --- /dev/null +++ b/nixos/machines/kaalut/mathebau.aliases.yaml 
@@ -0,0 +1,48 @@ +mathebau.aliases: ENC[AES256_GCM,data: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,iv:+PtXcxSjm3145ES8+6zexVmn2Hizwo6I5eOS/9RA2DI=,tag:vk/beGSoGSxykzD5/bsJXQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzQmE1dlVQSi9MRzZ1WGpR + dFYzZU8rR1V1VnQzUHB0VnFOckpIL2tvMzB3CnpXQXk0S0JNSkpNN0FMclBOdjFy + cFZYTjcrN2djbzBkZUFmNCtXS3lRM0EKLS0tIFB2V2FoMU5rZzlxQW5SSHhlZkNx + c1BCVEV4dEU4aE5YeDZMRlFyVHYyQ1EK+znjkJ/JuE5VgYUpkCfDCZV5mFmSXUxU + MtByksmGshA8oyk0SH6B+qg07yDh+jRn4gtvnTxxudtqcVf5EX0vcg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0MUhyeCs3Qjl6RmIwVHN1 + cHBQMFEvQU1ZTFE0d0lESXgya3FZRW01cjJJCnNPNGgrVmhYeWhlOTZMYjdyd0Fm + QzJwQ25IOUJOeXpxbC85YlJlTElia00KLS0tIHdHL20yakxaNy9CZmUyaHVUSmxZ + SkZhM3ByQ2o3a0pVZnV2M2lob2xRU1UK14PKZz5blclSkUVJwUFm+A9G5nPD0U0h + AH2kt/kdSxj+0I6uWrD+0KHh8KA0Tgp9Auyv/UF1dB9MoiuQPG15vg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrOVFHcloyYW5OK2d1eXJt + NWxLWitrUWdwd0J6R1phaFA1Z2FUV0ROdFhNClg4bG5WSW8zWTdsWGhQUGFySS8w + UFpjK3dzYjdPVTNsbFg0YVl0UnQ3WmMKLS0tIFhBODRqK25TVWpabTVteTRtSURO + NTdYNkFuSm9xVi9QME5DMkRqOUpJYk0KK0e8LjmPqPQD1FzXyAuoUY1d8u//WHvT + S4ijZF8udwPzKTIHd5OiQVfCdmVughKmmRwQEHdFC69fjn6wOqLJhw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUa2VYR0RZa0pOSFljVzgz + TS9aRW9OZ2hEV3pWbncyNlp2c0REZk1GRndvClk5U3l5b0dlcktkRXZBa3VPaWpU + 
ZmVuS3UwV3RmbzdQWC9qYXpCNnJpODQKLS0tIGNabjdpYXp4d2VyMEcxSXhHdGNr + Y21YcmlWTkJDRUh3czJEUWVGaG44cXMKoibsYSOYv329WNzktBVJ18aGAMXCxz3B + c9938x3U7BCsSatnNch/cTbxPFYt8GhgAXXZb8/vsT9URH+9/K2iuA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:28fB2H6tdToWcVoGFHYRgSMeLwTVj66lESwITzhIkXnZK/5sLdJA+JS/gw58IhxXoO5oUsRgsB+mbfx6IKd5NuU8oJvJhOJi6kkR796gb09pNww/2zlssCck2SmHOJBpPXSZWl6MLRt5pMoU3nCPjESE7GTSBro7MO6n8Ycn8Uo=,iv:JssdLAzR5tv5n1dTpy/nRoOHYZ9Svy67uBPQk4vFLXI=,tag:wuUZqFXXdjdsSbMWIGFv7Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/mathechor.aliases.yaml b/nixos/machines/kaalut/mathechor.aliases.yaml new file mode 100644 index 0000000..55872b1 --- /dev/null +++ b/nixos/machines/kaalut/mathechor.aliases.yaml 
@@ -0,0 +1,48 @@ +mathechor.aliases: ENC[AES256_GCM,data:VKEGY6KVtgKApnV7N2e2cqy9erDWQ2fb88Gwcpp5th/t0VGp16KGDtGiuQXhY80j6dDIcQMd9bLHzqAzc4+i/WhmEPhiXUkGiEKuarMfvqNl1LBlXFCoIrUXMMSIqab9q+fE3ignVQapE/YZt9aniyvg1prcmBcwIy9rDoHkiTY006ux5CM+vX0F60ADX8Nf6Qmn/JncPxXgq2jYsBxjXPj7BwJaair/+nxrbVf0,iv:Elj1NDeR1fdIIjIbjvkV3BmcVAKjwdMfknuNxMXJsa4=,tag:AkXWQ8sTMLsd7a+MfRcF/w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjMlRsWnkrREVaQitsWHMy + WHZFVG1qN25QbWFHcUxNS1Z0SFRDd1oxeG5RCi8wNUhkeWh2VjI4ZGowM1ExaExh + SE1yVGFTUHZadUdDL3pxaGdKTHQ0VTgKLS0tIHVNM2xlOFNNS3dFalJqZUtPODRn + b2NOTHpXSUVyaFRJNG5ONCt0TTVjOEkKYld7KN995QxdrGBVRYgCxO7kGwsiq+cp + iQJTjMdoFygIrTkgE5Rj89/GCiVe0+yAWJuQF7PEnC3cyq0M1g+fzw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPRFJCeXhwQVFSWmgzNHBu + SHlTTGtiRkI5bmhKa1B0QTZMY3FERmlUd0FBCk1vOUpydEFZUExpR2hpWm9mRHpE + dk9MQ042K0FpSVJ3dUlQcktGT2k1VjAKLS0tIHpGRmwzNE01YkV1TW94RkNmMjN4 + YnNXZUlta3NMVW9Cc3V2T0t4R01RSlkKNTW3gnF49BuPwF3jwciOYThJe+gJa0a6 + WKYt+aJuHi0a4y5rS/wfttij+hS5vYVNOrgfJ5bGinkNuAygA2hMOg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6MjZOR1dwb3RjZnlNNW4v + SzJnT1BRVktWNDI5S2Z2NnhQQzdNeS9ralI0CnN0SU9ESEV3ZCtRQmpZK3VZOGYx + Y3FVUy9zY3RZcGxyVmttVzFJL1haYWsKLS0tIENGRW1KZkpUdldOZWgzSXVoenpX + dTVpNUpWallSTzJ3cEZJTXk3c2t1czgKzJCwhMspzAsjzwSRdSPUoseEAsKp8HFy + cL9if92ar68HMHTdoy0Zvy+5AbxKUxgXZ2t8cDgkL8bNG5Ri2xYaUA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + 
-----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNm5xUGkrK1dYd2ZtamFW + NXpNMEtvNTl3U3MzeVNSbVJOdGdlWGsxRHlZCllQVmNtYzBJNDc2Y0dmUlNsbTF5 + RHB4QWZ1VGNFVkx1Q0hNK3FDTTRrUlkKLS0tIG9hbldDeHk0YmVZV2IwMXNpYStU + Q29uVHBCb2pTeWVJVmVXbWpycnFneWMKnDmu5917dddV8vjO0L8OP3wXMjDi46Ro + b9eOY8l74jm4sTxyKNvnkEjD6iHn1t7f8J7HAbWrpZY+J0i77nrzQw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:Xnulo0681LtgH9SZt9DL3nd9bSDH+TCQDvbKdggVBJ66rxBiKmlbu5MAblAWqxbdZ6EelldaVeX9OaL2rYJoYbTWxzw2iuPieldp3Ah3PsTI2C8W+UD9KVHcB+3AMOmVmJZzFlZvTwyfPfZRNNb0HAijkN97P3fP0r1Iqf3YjiI=,iv:vhu38HM4e+PyyChXvI87LWSGtKQQiXUr4MKrI7kotzk=,tag:eNuQD74kUO+duqEXNbLJBw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/stalwartAdmin.yaml b/nixos/machines/kaalut/stalwartAdmin.yaml new file mode 100644 index 0000000..446791a --- /dev/null +++ b/nixos/machines/kaalut/stalwartAdmin.yaml 
@@ -0,0 +1,48 @@ +stalwartAdmin: ENC[AES256_GCM,data:/rZc/woATc0PzUPL6tFqOi7j61Q=,iv:oYOMSUcO+83KgQhmGnd1cHIzd3Pdhc2ldpRLOYgCS4s=,tag:C7uyFSR/pTzsbjgKW3IMLQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxcTRqZXRoNTJCdFhQUG9o + Qmx2cVl0TWdaQzZZUThTOEpQdjIxVFh3eHhzCjlHWHhSYmM1ajYrdjl3Nm90TkRh + YWE3c0hJYzdFWXpZUGI0cHBQdThSWWsKLS0tIFh5M20wV2ZZbzllS1BNOGtaRUVF + MFN3bENrZ0tDMllJM1E5MWkyZ2thZEkKfZlUzE5t8K0oHZYOSVItvRJZP2MJlA7N + SLozGlpwCoZKWP6qAqP5jisTG/npQRhcqwkd7P39EytO2HXU9m8sJA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkVldRVmtPUzFxV0ltK0d2 + SHRqbXZCTW5wZUtZM0ZkL3lXOEJmVXdjMXdZCjE5MUUrSEhnWHRSOVhtWWQxdndv + ckUzTFl4ZXM5VHBTRlY3SzVsZWpxNUEKLS0tIEtpbTBhaWR1c3RhSW5nclZvMTdO + eTBYL1Q5cXNvTGkvQzJMWHZHaEZseVUK5w2MPZMquT0luq+tl2owLrrSBx9KPskS + FupcAZTcCo+YsemKLjJ6GlHch5x8Mw98NHS5h1AKxwZYtcfwg3lfbQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUitNeHNWOTVjWkF4YWhB + MnEwWDFnT0wyNUx3VmlQMmZTRmZRbXBGOVFvCmpoOHZZSXRweUtZaHZ6azF2Q3dK + NFBwa242U3JSVjhtOUlRTUZuakhkcXcKLS0tIEN5TGhMRFphdEpvcU5zTmVlTTJN + d2JRc2p4YmpuUHAycUoxc1FuZmxhemcKOgGyieFVS57tsvUtVooahqswYZH0Fi6+ + jxM6Ga/tIM/bZ/qSwYrNlNiz0XHm8/XFH2s8sxypDZ+NHGLs3zGjsw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBERTdvSTZ3eEVNbEZpUnQ2 + ZC85blRQVzgrckljcnZPeVhZWUxGd01tankwCjBCZHdWRnpoZkdRQWdoK0VmOFVy + 
VmpiOFkvNisrWmp2NE1kalB4dUhzdWsKLS0tIEJ6T1FsTFlIMUVWd3FwbEtldmlC + UjFHWHNZci8zRlFXNVpNNk5oSUNvaTQKW9T88GflSysJwqMnBrc/jZVwL/fRdg2a + 5XysXb/dCo4uNxLQit/KNSpINj7rAkf4Pk819DO6SKiIiuIJDXw9cA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:UcotPbsy/bwcLGjLc2wstTWwFEr1jyYD+xipAF2SuZ6aE5QYz3Kz/26O9Wicjgg+H5E4INjC+MA98Io6U3MzWukBQbiSCaLfrRRRISe5qeTGDGc9dKMk5Xkb9Y32WIzCGRc+LYENlNwx8K1LWWXsj+rPcD6Tt9ER07TMv3y5oRg=,iv:3lG/49SHuPhgd0v0SFN1bh1nPjkqeWL78GToXeJYWoY=,tag:ymWcYBgIpGDGypO4MfgDLA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/modules/borgbackup.nix b/nixos/modules/borgbackup.nix index b552c8b..9889238 100644 --- a/nixos/modules/borgbackup.nix +++ b/nixos/modules/borgbackup.nix @@ -76,6 +76,13 @@ in { path = "/var/lib/backups/ithaqua"; allowSubRepos = true; }; + kaalut = { + authorizedKeysAppendOnly = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcAJkEXcvrDEQf1zRhBXLe1CSHOTooM3qy0KMfS9oug Kaalut Backup" + ]; + path = "/var/lib/backups/kaalut"; + allowSubRepos = true; + }; lobon = { authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEptjf1UWRlo6DG9alAIRwkSDUAVHwDKkHC6/DeYKzi Lobon Backup" diff --git a/nixos/modules/mail.nix b/nixos/modules/mail.nix new file mode 100644 index 0000000..7a9294d --- /dev/null +++ b/nixos/modules/mail.nix 
@@ -0,0 +1,302 @@
+/*
+* Building: For some reason, stalwart is not served by cache.nixos.org and thus needs to be built locally.
+* Be aware that this needs some hours, about 12Gb RAM and a few Gb free space in /tmp.
+* Forwarding mails: Update the Sops-secrets in the machine directory, rebuild and deploy.
+* Everything else should happen automatically but new redirects might take up to two hours due HRZ infrastructure.
+* Using the web admin interface: Set your SSH to do portforwarding of some local port to port 80 of the VM and
+* and use your personal admin account or create one using the fallback admin password.
+* Create users with mail boxes: Go to the admin interface and create them.
+* Stalwart mailserver docs can be found at https://stalw.art/docs
+*/
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit
+ (lib)
+ mkIf
+ mkEnableOption
+ mkOption
+ ;
+ inherit (lib.types) listOf str;
+ cfg = config.services.mathebau-mail;
+in {
+ options.services.mathebau-mail = {
+ enable = mkEnableOption "mathebau mail service";
+ domains = mkOption {
+ type = listOf (lib.types.submodule {
+ options = {
+ domain = mkOption {
+ type = str;
+ };
+ allowlistPass = mkOption {
+ # Password for the HRZ API that gets a list of mailaddresses that we serve
+ type = str;
+ };
+ virt_aliases = mkOption {
+ type = str;
+ default = "";
+ };
+ };
+ });
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [pkgs.alias-to-sieve]; # install converter from alias files to sieve scripts
+
+ services = {
+ stalwart-mail = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ server = {
+ lookup.default.hostname = "fb04184.mathematik.tu-darmstadt.de"; # Because the DNS PTR of 130.83.2.184 is this and this should be used in SMTP EHLO.
+ listener = {
+ "smtp" = {
+ bind = ["[::]:25"];
+ protocol = "smtp";
+ };
+ "submissions" = {
+ # Enabling sending from these domains privately blocked on https://github.com/stalwartlabs/mail-server/issues/618
+ bind = ["[::]:465"];
+ protocol = "smtp";
+ tls.implicit = true;
+ };
+ "imaptls" = {
+ bind = ["[::]:993"];
+ protocol = "imap";
+ tls.implicit = true;
+ };
+ "management" = {
+ bind = ["[::]:80"]; # This must also bind publically for ACME to work.
+ protocol = "http";
+ };
+ };
+ };
+ acme.letsencrypt = {
+ directory = "https://acme-v02.api.letsencrypt.org/directory"; # This setting is necessary for this block to be activated
+ challenge = "http-01";
+ contact = ["root@mathebau.de"];
+ domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"];
+ default = true;
+ };
+ spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding
+ auth = {
+ # TODO check if HRZ conforms to these standards and we can validate them strictly
+ dkim.verify = "relaxed";
+ arc.verify = "relaxed";
+ dmarc.verify = "relaxed";
+ iprev.verify = "relaxed";
+ spf.verify.ehlo = "relaxed";
+ spf.verify.mail-from = "relaxed";
+ };
+
+ # Forward outgoing mail to HRZ or mail VMs.
+ # see https://stalw.art/docs/smtp/outbound/routing/ relay host example
+ queue.outbound = {
+ next-hop = [
+ {
+ "if" = "rcpt_domain = 'lists.mathebau.de'";
+ "then" = "'mailman'";
+ }
+ {
+ "if" = "is_local_domain('', rcpt_domain)";
+ "then" = "'local'";
+ }
+ {"else" = "'hrz'";}
+ ];
+ tls = {
+ mta-sts = "disable";
+ dane = "disable";
+ starttls = "optional"; # e.g. Lobon does not offer starttls
+ };
+ };
+ remote."hrz" = {
+ address = "mailout.hrz.tu-darmstadt.de";
+ port = 25;
+ protocol = "smtp";
+ tls.implicit = false; # somehow this is needed here
+ };
+ remote."mailman" = {
+ address = "lobon.mathebau.de"; # must be created in DNS as a MX record because this field does not accept ip addresses.
+ port = 25;
+ protocol = "smtp";
+ tls.implicit = false; # somehow this is needed here
+ };
+
+ session.rcpt = {
+ # In order to accept mail that we only forward
+ # without having to generate an account.
+ # Invalid addresses are filtered by DFN beforehand.
+ catch-all = true;
+ relay = [
+ {
+ "if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de'";
+ "then" = true;
+ }
+ {"else" = false;}
+ ];
+ };
+ config.local-keys =
+ [
+ "store.*"
+ "directory.*"
+ "tracer.*"
+ "server.*"
+ "!server.blocked-ip.*"
+ "authentication.fallback-admin.*"
+ "cluster.node-id"
+ "storage.data"
+ "storage.blob"
+ "storage.lookup"
+ "storage.fts"
+ "storage.directory"
+ "lookup.default.hostname"
+ "certificate.*"
+ ] # the default ones
+ ++ ["sieve.trusted.scripts.*"]; #for macros to be able to include our redirection script
+ sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script
+ session.data.script = "'redirects'";
+
+ authentication.fallback-admin = {
+ user = "admin";
+ secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg"; # see machine secret for plaintext
+ };
+ tracer.stdout.level = "debug";
+ };
+ };
+ };
+ environment.persistence.${config.impermanence.name} = {
+ directories = [
+ "/var/lib/stalwart-mail"
+ ];
+ files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
+ };
+
+ # Update HRZ allowlist
+ # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
+ # will stop working if no valid TUIDs are associated to our domain.
+ systemd = {
+ timers."mailAllowlist" = {
+ wantedBy = ["timers.target"];
+ timerConfig = {
+ OnBootSec = "1h"; # Run every 5 minutes
+ OnUnitActiveSec = "1h";
+ RandomizedDelaySec = "10m"; # prevent overload on regular intervals
+ Unit = "mailAllowlist.service";
+ };
+ };
+ services = {
+ "mailAllowlist" = {
+ description = "Allowlist update: Post the mail addresses to the HRZ allowllist";
+ script = let
+ scriptTemplate = {
+ domain,
+ allowlistPass,
+ ...
+ }: ''
+ # Get the mail addresses' local-part
+ # TODO: These features have been removed from stalwart-cli and needs to be replaced by undocumented API calls.
+ # see https://github.com/stalwartlabs/mail-server/discussions/803
+ # ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) account list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' >> /tmp/addresses
+ # ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) list list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' >> /tmp/addresses
+ # ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) group list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' >> /tmp/addresses
+ ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases >> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need.
+ # Post local-parts to HRZ
+ ${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${domain} -F password=$(cat ${allowlistPass}) -F emailliste=@/tmp/addresses -F meldungen=voll
+ # Cleanup
+ rm /tmp/addresses
+ '';
+ in
+ lib.strings.concatStringsSep "" (map scriptTemplate cfg.domains);
+ serviceConfig = {
+ Type = "oneshot";
+ User = "stalwart-mail";
+ NoNewPrivileges = true;
+ # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
+ PrivateTmp = false; # allow access to sieve script
+ ProtectHome = true;
+ ReadOnlyPaths = "/";
+ ReadWritePaths = "/tmp";
+ InaccessiblePaths = "-/lost+found";
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+ };
+ "stalwart-mail" = {
+ restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed.
+ serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script
+ };
+ "virt-aliases-generator" = {
+ description = "Virtual Aliases Generator: Generate a sieve script from the virtual alias file";
+ script = let
+ scriptTemplate = {
+ domain,
+ virt_aliases,
+ ...
+ }:
+ if virt_aliases != ""
+ then "${virt_aliases} ${domain} "
+ else "";
+ in
+ lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map scriptTemplate cfg.domains ++ ["> /tmp/virt_aliases"]);
+ wantedBy = ["stalwart-mail.service"]; # Rerun on stalwart restart because forwardings may have changed.
+ serviceConfig = {
+ Type = "oneshot";
+ User = "stalwart-mail";
+ NoNewPrivileges = true;
+ # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
+ PrivateTmp = false;
+ ProtectHome = true;
+ ReadOnlyPaths = "/";
+ ReadWritePaths = "/tmp";
+ InaccessiblePaths = "-/lost+found";
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+ };
+ };
+ };
+ # Backups
+ services.borgbackup.jobs.mail = {
+ paths = [
+ "/var/lib/stalwart-mail/data"
+ ];
+ encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction.
+ environment = {
+ BORG_RSH = "ssh -i /run/secrets/backupKey";
+ # “Borg ensures that backups are not created on random drives that ‘just happen’ to contain a Borg repository.”
+ # https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html
+ # We don't want this in order to not need to persist borg cache and simplify new deployments.
+ BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
+ };
+ repo = "borg@192.168.1.11:kaluut"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33
+ startAt = "daily";
+ user = "root";
+ group = "root";
+ };
+ };
+}
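Review bot: The generated redirect script is written to the fixed path `/tmp/virt_aliases` and then loaded as a trusted Sieve script through `%{file:/tmp/virt_aliases}%`, and `PrivateTmp` is switched off on `stalwart-mail`, `virt-aliases-generator` and `mailAllowlist`, so the file sits in the shared, world-writable `/tmp`. That path is not under the service's control, and with systemd's default umask the output, which is derived from the sops-protected alias files, ends up readable by every local account; `/tmp/addresses` has the same problem. I would write the script into a directory that only `stalwart-mail` can enter and give the helper units a private `/tmp` again, as sketched below, which also makes `serviceConfig.PrivateTmp = lib.mkForce false;` on `stalwart-mail` unnecessary. Separately, `-F password=$(cat ${allowlistPass})` places the HRZ password in curl's argument list, whereas `-F "password=<${allowlistPass}"` has curl read the value from the file.

```nix
# settings: load the generated script from a service-owned directory
sieve.trusted.scripts.redirects.contents = "%{file:/run/stalwart-aliases/virt_aliases}%";

# inside `systemd = { … }`; the directory name is an example, not an existing path
tmpfiles.rules = ["d /run/stalwart-aliases 0750 stalwart-mail stalwart-mail -"];

# "virt-aliases-generator"
# … unchanged: description, scriptTemplate …
lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map scriptTemplate cfg.domains ++ ["> /run/stalwart-aliases/virt_aliases"]);
serviceConfig = {
  # … unchanged: Type, User, NoNewPrivileges …
  PrivateTmp = true;
  UMask = "0077";
  ReadWritePaths = "/run/stalwart-aliases";
  # … unchanged: remaining sandboxing options …
};

# "mailAllowlist": grep reads /run/stalwart-aliases/virt_aliases,
# and PrivateTmp = true keeps its /tmp/addresses scratch file private
```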