diff --git a/.sops.yaml b/.sops.yaml index bc5cfc6..7967e56 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -5,6 +5,7 @@ keys: - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4 - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn + - &kaalut age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a creation_rules: - path_regex: nixos/machines/nyarlathotep/.* @@ -25,6 +26,12 @@ creation_rules: - *nerf - *gonne - *lobon + - path_regex: nixos/machines/kaalut/.* + key_groups: + - age: + - *nerf + - *gonne + - *kaalut # this is the catchall clause if nothing above machtes. Encrypt to users but not # to machines - key_groups: diff --git a/README.md b/README.md index 1bfa35a..97d6f3c 100644 --- a/README.md +++ b/README.md @@ -94,7 +94,7 @@ In any case, to switch the system configuration you will need to have root privi ## Installing a new machine You have written a configuration and now want to deploy it as a new machine. You need to get the build configuration on the -`nixos-installer` machine (regarding this machine see issue [#10]). You can either use either any of the +`nodens` machine. You can either use either any of the versions above, or just continue then the machine will build the configuration implicitly. ### Disk layout 
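Review bot: The new kaalut creation rule encrypts to three recipients (`*nerf`, `*gonne`, `*kaalut`), but every new file under nixos/machines/kaalut/ in this commit carries four age recipients, so the rule and the ciphertext appear to disagree by one key. A recipient that is not in the rule keeps being able to decrypt those secrets until the files are re-keyed, so either run `sops updatekeys` on the kaalut files so they match the rule, or add the fourth key to the rule if it is meant to have access. The key values behind `*nerf` and `*gonne` are outside this hunk, so this is inferred from the recipient counts alone.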
@@ -111,22 +111,14 @@ reflect those. - `"/boot"` the place for bootloader configuration and kernel also persistent - any additional data paths for your machine specific needs. Choose filesystems accordingly. -My recommendation is to put `"/persist"` and `"/nix"` on a joint btrfs as subvolumes and `"/boot"` on separate disks (because grub +My recommendation is to put `"/persist"` and `"/nix"` on a joint btrfs labelled `nixos` as subvolumes and `"/boot"` on a separate disk labelled `boot` (because grub will give you a hard time if you do it as a subvolume or bind mount (even though that should be possible but is an upstream problem)). -For how to configure additional persistent data -to be stored in `"/persist"` look at the impermanence section as soon it is merged. Before this look at issue [#9]. +For how to configure additional persistent data to be stored in `"/persist"` look at the impermanence section. I do not recommend this for actual high access application data like databases mailboxes and things like it. You should think about this as data that if lost can be regenerated with only little problems and read/written only a few times during setup. (Like the server ssh keys for example). The configuration also setups some paths for `"/persist"` automatically, again look at the impermanence sections. -#### File system uuids - -You might end with a bit of a chicken/egg problem regarding filesystem uuids. See you need to set them in your system configuration. -There are two ways around that. Either generate the filesystems read out the uuids, and push them into the repository holding -the configuration you want to build, or generate the uuids first, have them in your configuration and set them upon filesystem creation. Most -`mkfs` utilities have an option for that. - ### Installing Just run 
@@ -151,13 +143,16 @@ A good skeleton is probably: imports = [ ./hardware-configuration.nix ../../roles - ./network.nix + ../../roles/vm.nix + ../../vmNetwork.nix ]; + + vmNetwork.ipv4 = "192.168.0.XX"; networking.hostname = ""; # this will hopefully disappear if I have time to refactor this. system.stateVersion = ""; } @@ -173,9 +168,6 @@ The `flake-inputs` argument is optional, but you can use it if you need to get a else this is a complete normal nixos system configuration module (with a lot of settings already imorted from `../../roles`). -As of moment of writing `network.nix` should contain ip, nameserver and default gateway setup. As parts of -this is constant across all systems and will undergo refactor soon. - I would recommend to split your configuration into small files you import. If this is something machine specific (like tied to your ip address hostname), put it into the machine directory. If it is not, put it into `/nixos/roles/` if it is not but has options to set, put it in `/nixos/modules`. 
@@ -202,14 +194,12 @@ network configuration. And service configuration that are too closely interwoven mailserver configuration depends heavily on network settings). It also contains the root configuration for that machine called `configuration.nix`. This file usually only includes other modules. These `configuration.nix` files are almost usual nix configurations. The only difference is that they take as an extra argument -the flake inputs. This allows them to load modules from these flakes. For example, nyarlathotep loads the simple-nixos-mailserver -module that way. +the flake inputs. This allows them to load modules from these flakes. For example, lobon loads the mathebau-mailman module that way. #### roles `nixos/roles` contains configuration that is potentially shared by some machines. It is expected that `nixos/roles/default.nix` is imported as (`../../roles`) in every machine. Notable are the files `nixos/roles/admins.nix` which contains -common admin accounts for these machines and `nixos/roles/nix_keys.nix` which contains the additional trusted -keys for the nix store. +common admin accounts for these machines and the additional trusted keys for the nix store. ## sops @@ -289,7 +279,7 @@ by the circumstances or by the person that didn't run fast enough. So we are hap mean that we don't need to have some level of quality, people after us needs to work with it. It is live infrastructure and downtime hurts someone (and in the wrong moment even really bad (Matheball ticket sales for example)). -So here are some Guidelines. +So here are some guidelines. ## Coding style and linting. If you run `nix flake check` there are automated checks in place, please make sure to pass them. diff --git a/flake-module.nix b/flake-module.nix index c30fff4..7bc32ef 100644 --- a/flake-module.nix +++ b/flake-module.nix 
@@ -53,6 +53,12 @@ _module.args.pkgs = import inputs.nixpkgs { inherit system; config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"]; + + overlays = [ + (_: _: { + alias-to-sieve = inputs.alias-to-sieve.packages.x86_64-linux.default; # add custom package to convert alias files to sieve scripts on the stalwart machine + }) + ]; }; }; diff --git a/flake.lock b/flake.lock index dc1839f..d49ea69 100644 --- a/flake.lock +++ b/flake.lock @@ -1,19 +1,23 @@ { "nodes": { - "blobs": { - "flake": false, + "alias-to-sieve": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": "nixpkgs", + "rust-overlay": "rust-overlay" + }, "locked": { - "lastModified": 1604995301, - "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", - "owner": "simple-nixos-mailserver", - "repo": "blobs", - "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", - "type": "gitlab" + "lastModified": 1733169152, + "narHash": "sha256-HUJuoOjNdweJ/ZjYrwJ13omhLZrztp+0RTZsFIwRojc=", + "ref": "refs/heads/main", + "rev": "963c13f80d80dcff748e57061b18b542ba76a463", + "revCount": 19, + "type": "git", + "url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve" }, "original": { - "owner": "simple-nixos-mailserver", - "repo": "blobs", - "type": "gitlab" + "type": "git", + "url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve" } }, "flake-parts": { 
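Review bot: The overlay hard-codes `packages.x86_64-linux.default` even though `system` is in scope two lines above (`inherit system;`), so the same `pkgs` set built for any other system would silently pull an x86_64 binary or fail to evaluate. Use the variable instead: `alias-to-sieve = inputs.alias-to-sieve.packages.${system}.default;`. The explanatory comment would also read better on its own line above the attribute than as a trailing comment past column 100.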
@@ -21,11 +25,29 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1727826117, - "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_2" + }, + "locked": { + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", "type": "github" }, "original": { @@ -35,11 +57,11 @@ }, "impermanence": { "locked": { - "lastModified": 1727649413, - "narHash": "sha256-FA53of86DjFdeQzRDVtvgWF9o52rWK70VHGx0Y8fElQ=", + "lastModified": 1731242966, + "narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=", "owner": "nix-community", "repo": "impermanence", - "rev": "d0b38e550039a72aff896ee65b0918e975e6d48e", + "rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a", "type": "github" }, "original": { 
@@ -48,82 +70,74 @@ "type": "github" } }, - "nixos-mailserver": { - "inputs": { - "blobs": "blobs", - "flake-compat": [], - "nixpkgs": [], - "nixpkgs-24_05": "nixpkgs-24_05" - }, - "locked": { - "lastModified": 1722877200, - "narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=", - "ref": "refs/heads/master", - "rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2", - "revCount": 593, - "type": "git", - "url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git" - }, - "original": { - "type": "git", - "url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git" - } - }, "nixpkgs": { "locked": { - "lastModified": 1728492678, - "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=", - "owner": "NixOS", + "lastModified": 1732014248, + "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7", + "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", "type": "github" }, "original": { - "owner": "NixOS", + "owner": "nixos", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-24_05": { - "locked": { - "lastModified": 1717144377, - "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "805a384895c696f802a9bf5bf4720f37385df547", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-24.05", - "type": "indirect" - } - }, "nixpkgs-lib": { "locked": { - "lastModified": 1727825735, - "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", + "lastModified": 1730504152, + "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" }, "original": { "type": "tarball", - "url": 
"https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" } }, - "nixpkgs-stable": { + "nixpkgs-lib_2": { "locked": { - "lastModified": 1728156290, - "narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=", + "lastModified": 1730504152, + "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1728538411, + "narHash": "sha256-f0SBJz1eZ2yOuKUr5CA9BHULGXVSn6miBuUWdTyhUhU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "17ae88b569bb15590549ff478bab6494dde4a907", + "rev": "b69de56fac8c2b6f8fd27f2eca01dcda8e0a4221", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-24.05", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1733015953, + "narHash": "sha256-t4BBVpwG9B4hLgc6GUBuj3cjU7lP/PJfpTHuSqE+crk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ac35b104800bff9028425fec3b6e8a41de2bbfff", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -136,11 +150,11 @@ "nixpkgs-stable": [] }, "locked": { - "lastModified": 1728727368, - "narHash": "sha256-7FMyNISP7K6XDSIt1NJxkXZnEdV3HZUXvFoBaJ/qdOg=", + "lastModified": 1732021966, + "narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "eb74e0be24a11a1531b5b8659535580554d30b28", + "rev": "3308484d1a443fc5bc92012435d79e80458fe43c", "type": "github" }, "original": { 
@@ -151,27 +165,44 @@ }, "root": { "inputs": { - "flake-parts": "flake-parts", + "alias-to-sieve": "alias-to-sieve", + "flake-parts": "flake-parts_2", "impermanence": "impermanence", - "nixos-mailserver": "nixos-mailserver", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_3", "pre-commit-hooks": "pre-commit-hooks", "sops-nix": "sops-nix" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1732328983, + "narHash": "sha256-RHt12f/slrzDpSL7SSkydh8wUE4Nr4r23HlpWywed9E=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "ed8aa5b64f7d36d9338eb1d0a3bb60cf52069a72", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" + ] }, "locked": { - "lastModified": 1728345710, - "narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=", + "lastModified": 1733128155, + "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b", + "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index b4b5593..e8ecd99 100644 --- a/flake.nix +++ b/flake.nix @@ -2,14 +2,10 @@ description = "Description for the project"; inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - nixos-mailserver = { - url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git"; - inputs = { - flake-compat.follows = ""; - nixpkgs.follows = ""; - }; + alias-to-sieve = { + url = "git+https://gitea.mathebau.de/fachschaft/alias_to_sieve"; }; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/nixos/flake-module.nix b/nixos/flake-module.nix index bc1769b..1027f0f 100644 --- a/nixos/flake-module.nix +++ b/nixos/flake-module.nix 
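Review bot: The new `alias-to-sieve` input does not follow the root flake's inputs, which the accompanying flake.lock shows as three separate nixpkgs pins (`nixpkgs`, `nixpkgs_2`, `nixpkgs_3`) plus `flake-parts_2` and `nixpkgs-lib_2`; a `nix flake update` of the root nixpkgs therefore does not refresh the toolchain alias-to-sieve is built with, and security fixes landing in nixpkgs reach that package only when the upstream flake is updated. Add `inputs.nixpkgs.follows = "nixpkgs";` and `inputs.flake-parts.follows = "flake-parts";` inside the `alias-to-sieve = { … };` block, mirroring what `sops-nix` already does below. rust-overlay's own nixpkgs (`nixpkgs_2`) would still be separate unless it is followed as well, which is presumably acceptable for a build-time overlay.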
@@ -14,7 +14,13 @@
importedConfig = import (./. + "/machines/${name}/configuration.nix");
systemConfig =
if lib.isFunction importedConfig
- then x: importedConfig (x // {flake-inputs = inputs;})
+ then
+ x:
+ importedConfig (x
+ // {
+ flake-inputs = inputs;
+ inherit pkgs;
+ })
else importedConfig;
in
pkgs.nixos {
diff --git a/nixos/machines/ghatanothoa/hardware-configuration.nix b/nixos/machines/ghatanothoa/hardware-configuration.nix
index 05a48b2..f870f0e 100644
--- a/nixos/machines/ghatanothoa/hardware-configuration.nix
+++ b/nixos/machines/ghatanothoa/hardware-configuration.nix
@@ -7,17 +7,17 @@
options = ["size=1G" "mode=755"];
};
fileSystems."/persist" = {
- device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136";
+ device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=persist"];
neededForBoot = true;
};
fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/19da7f3a-69da-4fa8-bb68-b355d7697ba7";
+ device = "/dev/disk/by-label/boot";
fsType = "ext4";
};
fileSystems."/nix" = {
- device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136";
+ device = "/dev/disk/by-label/nixos";
fsType = "btrfs";
options = ["subvol=nix"];
};
diff --git a/nixos/machines/kaalut/allowlistPass.yaml b/nixos/machines/kaalut/allowlistPass.yaml
new file mode 100644
index 0000000..4d60823
--- /dev/null
+++ b/nixos/machines/kaalut/allowlistPass.yaml
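Review bot: Switching `/persist`, `/boot` and `/nix` from `/dev/disk/by-uuid/…` to `/dev/disk/by-label/nixos` and `by-label/boot` makes the mounts depend on a name that any attached block device can carry, whereas the removed UUIDs identified exactly these filesystems. If a second disk or image with the same label is ever attached to the VM (an installer image, a cloned disk, a restored backup), udev points the by-label symlink at whichever device it enumerates first and `/persist`, which is `neededForBoot`, can come up on the wrong one. The README change in this commit gives the motivation (avoiding the uuid chicken-and-egg problem), and the new kaalut hardware-configuration.nix below uses the same convention, so if labels are kept the assumption should be written down on the `device` lines, e.g. `# by-label: assumes exactly one device labelled "nixos" is ever attached to this VM`.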
@@ -0,0 +1,52 @@ +allowlistPass: + matheball: ENC[AES256_GCM,data:4y83ZJ4=,iv:+B1hTSGs5cskmUA9gLpRHPjhxzvwOrplB+lIbNUKtz4=,tag:ZsKA2A4ltbI3px1Z16EgvA==,type:str] + mathebau: ENC[AES256_GCM,data:ZlIv0MrCVtsyF3t9Gr/zcg==,iv:ZdBlnx4/zQZjT75ssB0osfDlWVerUe6yvwbMxlXpHZs=,tag:ytlNq7zP2WtPafcSQFZ6RQ==,type:str] + mathechor: ENC[AES256_GCM,data:d5KyoD/P8/j+poJSGF1nDA==,iv:ayKtvj4EEqUtMLi/7njbxuUql1A58WNi729svHtZju4=,tag:JqWoxxMN5mVN+gaQTmBv1Q==,type:str] + koma: ENC[AES256_GCM,data:bB7px1n5q1+++sctsmIMJg==,iv:DIJGpC9+JyFv3SU9dBVLdnEkRlZzY7DBRAL4zXSbpec=,tag:WaZUGvYtm+5ys2RsBNILog==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpWW9FZHEwejRaRER1MHJQ + VXgyaE1GQmhhNFh1dEtBNjRnZXVqWm5hV25vCjliank4KzFobEZtbitzaXBhT1F6 + cCtqeVorS1BLMmMzZkVVOEN6NERFdDAKLS0tIGkzUUt1NnBUWUJWTy9Pd2FIeTF0 + cDVaUHowSEpoRjR3Zm81Z1p5NlYzV1kKMRvC7+3TS5EKjWg/NPnbwvVIikxf+Bpa + zNo9jhw3GREMScBXOiarm+xgMZ1e2SRrLrUwfR4DiXI4uvg1Jk/tPg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRYk1LQTVDNGhHWXJZSmsy + NEZ0WTNlek4yVnRwL3BKNXYrcm84SzIvNlRZCjlDdXU1a2NRNUVHZmkyK2ltZ3pE + bmtmVE5TR1hBcVNhaTBGK2F6VWZ1d2MKLS0tIDVKcXhDbjBncFlsR3FzanRhWWQv + Um1jcExjN2RWbHhzY2ZpcWVTWE1IbHMKfRSAmfbk+JDWdhSTSg9GZ+lws5DOHv9T + ZO9nQV37X9zFD6sXDWaspG3sf4kJZUCbWjCTKyQL/xmh4+E8+CAXYw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzOXBwTUF3ZXJCTFJOQjVC + bGplRDRCQVhtUEJPcnhENEF3UVVnbmVKNnprCjFOZW94ajI2d21RamZKT0xFMmtZ + ZzZFYjg3WDBmOVhlaFZyOW83M1NYVXcKLS0tIGltWUJGczNJS0pWTmxaZHU5Wi9t + 
TDRCdStocXRvLzBPUTd2blZFV0IyblkKjufZg39n/TI6BhGhIFNz4jplUx6u3/bo + NMbr9uJy/I1sdlfGNaheG/TIGOgFG1KqGkGdwpisU3gUD9uMUo1dvw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdDdsdW44ZlQyMzdJNmsv + aTIzVWRoSDhzamlqTDFOemZlc1JQMFdZbFJNCmVZbDVVaDBSVi8yTkdOQ1UySy9X + MlhXTzRvNWtqUzQxTlNqQ2RlN2J1OXMKLS0tIC9aZEZMVkFybnRTQmhpM1dzc1lt + bDdvdHc3Y1NmeE5WUzl3cXVRc3pmOUkK+9WueS1wDQDJlenec4jJCfynbPnuOFYR + HFsWmvEZJ+XhH6N9Q0phCHQgZGiR67FH6CHkCblmb6ZfZcWSEe1oTg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-05T13:49:19Z" + mac: ENC[AES256_GCM,data:i7t/Hb5aW0lIvPLk84geQ792uUGP25vX8FC7kK/3H19tz5i4zsIcvl1d+oB5gJ004gP5pRogcuKL1xHUUl+A0UXXNzRpxc0BBVZaxnIhjfPunORbmZeJQRP298tQpvYYqI/pGhjrlit37U9jecGf1l12Cgv97sGW42d2F+S2Soc=,iv:My21fMF3SEr6mg2+eh8KA6B8tzmQVEDy2BG3hfkafrU=,tag:xdU6j8ti8Z68rbiRxkj7Pw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2 diff --git a/nixos/machines/kaalut/backupKey.yaml b/nixos/machines/kaalut/backupKey.yaml new file mode 100644 index 0000000..3727470 --- /dev/null +++ b/nixos/machines/kaalut/backupKey.yaml 
@@ -0,0 +1,48 @@ +backupKey: ENC[AES256_GCM,data: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,iv:ReA4k7S4F8NBE0VBCy9ks6YZJiubdUdP/AhEwc0kHaA=,tag:zagxPVYKQhf/tdK3tJFa2A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSGRWTEd6TVAzWjk2cHRn + Wkg1NlhxNXVYVXpDdnFiWmJSejE4SDhuZURFCklQWUFiaHZvbkZ1T21aZHNuME5x + NXN1ZHBoQzU4RUc3Y3lJVnMyRjluckUKLS0tIDRRVTdwcVplUFJmajkvWEZ0UlFJ + ZWpXTzI2NVhldnRrYnFybzErZXBQaVkK4hi/aksGcLlELTUPjJPoVR518z+Twt6l + RCFOnLsmsRu8/pigphbGMjOxYPsEsEpclU2vAobL1H3nPE/uKt4t/Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByN3BGN2IvdkhkcENJZEJD + OStNdWw2Q25hSXZHcDczRnRUd3h1ZGhDODA0Clo4cktoL2FUYmlkY2JJZFp6bkVS + WHdFeDZxSEU3a0RBMmI3cGk2N05hb0UKLS0tIDdDOElueDhPR1pxVEdmaTg3RVgz + eHVGak9sRkEydjdiam5QWHNpRG1hTnMKWqSIdNP6yMw6xoPqmK9Lss2Ztb72T7+l + bK4VYCnyuuQ24AhlVHLZdbRbk4Rvp2V7bCTWwTNamrRMJieLMZwt8g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNmtkRGlCTFYvdEJWZEhv + bXY5Z3ZibjRjQTV2c3R4OE1JSXBxeTN4Z0Y0CmU3aUVNN0NEeGgwOExvOFRDc2Jl + YlQ3dDJtQ1hvSHNFSzNyNGJMYklrRzAKLS0tIFB0Q21WU0hkOWxLajhRdlZaMGFN + OTYzMW9aMERGTVdXUnBZM0hxSzBWYTAK0k+pyltKHe6FfdYPqAQcax/u5r1JKP4q + C8qXIuAXY9FI4mV8xyuRZEIDr5A2y3hCCilieGr1KGkAwBZyZhQy4w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZStjM25VQnQ3Y2d3Skxs + K3k2NU5yeXUwT1F6SmNUVGpPVDUxeHdKZ0JJClFYcUIzazZ2R1BIbElWS3hCeHFK + 
cjFRY1pIL29YUktiR0t5bm5wT1JzZ1EKLS0tIFRPYi9veS9RZHhIRHNyZjZvL3JY + RTk1RE9GRitTMFFoUUQwOWtiTWRwMjQKkoA2wiTAholKq7ngDE/OWZKHjFbDg7WZ + efax0e0/riC3EEyvR3kIfjCenc2GBvVoaMgzD3Dra9Gz+3JpM11/+w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:yYBzhvg1g9GQk+Os6wkzNE3FyXIp7N2AnxuzPfexoA0aWXhYD2zQ7ylTiRGZLkbSODezXT0pD9sjYFN8yTXuY5HMIlCYSCPQGIUblZKRqB0EES3JyhQ4bULCMO7pXrsIuAICzoWM9vn7RQ9cVbL3N2rocYiSURhsGuMA47d3QFk=,iv:xS/am6/hLq2sQGB+vMzS6ZqmFr1ZOIDj1l6b56nVMhE=,tag:erNYX6U4/uSlSUBpN7kKiA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/configuration.nix b/nixos/machines/kaalut/configuration.nix new file mode 100644 index 0000000..2134b42 --- /dev/null +++ b/nixos/machines/kaalut/configuration.nix 
@@ -0,0 +1,90 @@
+{config, ...}: {
+ imports = [
+ ./hardware-configuration.nix
+ ../../modules/mail.nix
+ ../../roles
+ ../../roles/vm.nix
+ ../../modules/vmNetwork.nix
+ ];
+
+ # System configuration here
+ services.mathebau-mail = {
+ enable = true;
+ stalwartAdmin = config.sops.secrets.stalwartAdmin.path;
+ # see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH
+ stalwartAdminHash = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg";
+ domains = [
+ # lists.mathebau.de is forwarded to another VM and does not need to be listed here.
+ {
+ domain = "matheball.de";
+ allowlistPass = config.sops.secrets."allowlistPass/matheball".path;
+ }
+ {
+ domain = "mathebau.de";
+ allowlistPass = config.sops.secrets."allowlistPass/mathebau".path;
+ virt_aliases = config.sops.secrets."mathebau.aliases".path;
+ }
+ {
+ domain = "mathechor.de";
+ allowlistPass = config.sops.secrets."allowlistPass/mathechor".path;
+ virt_aliases = config.sops.secrets."mathechor.aliases".path;
+ }
+ {
+ domain = "koma89.tu-darmstadt.de";
+ allowlistPass = config.sops.secrets."allowlistPass/koma".path;
+ virt_aliases = config.sops.secrets."koma.aliases".path;
+ }
+ ];
+ };
+
+ networking.hostName = "kaalut";
+ vmNetwork.ipv4 = "192.168.0.17";
+ system.stateVersion = "24.05";
+
+ sops.secrets = let
+ allowlistSops = {
+ sopsFile = ./allowlistPass.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ in {
+ # Password for the HRZ API that gets a list of mailaddresses that we serve
+ "allowlistPass/matheball" = allowlistSops;
+ "allowlistPass/mathebau" = allowlistSops;
+ "allowlistPass/mathechor" = allowlistSops;
+ "allowlistPass/koma" = allowlistSops;
+ # Virtual alias file
+ "mathebau.aliases" = {
+ sopsFile = ./mathebau.aliases.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0440";
+ };
+ "mathechor.aliases" = {
+ sopsFile = ./mathechor.aliases.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0440";
+ };
+ "koma.aliases" = {
+ sopsFile = ./koma.aliases.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0440";
+ };
+ # password for https://stalw.art/docs/auth/authorization/administrator/#fallback-administrator encoded to be supplied in the basic auth header
+ stalwartAdmin = {
+ sopsFile = ./stalwartAdmin.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ backupKey = {
+ sopsFile = ./backupKey.yaml;
+ owner = "root";
+ group = "root";
+ mode = "0400";
+ };
+ };
+}
diff --git a/nixos/machines/kaalut/hardware-configuration.nix b/nixos/machines/kaalut/hardware-configuration.nix
new file mode 100644
index 0000000..ce7112d
--- /dev/null
+++ b/nixos/machines/kaalut/hardware-configuration.nix
@@ -0,0 +1,30 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [];
+
+ fileSystems."/" = {
+ device = "root";
+ fsType = "tmpfs";
+ options = ["size=1G" "mode=755"];
+ };
+ fileSystems."/persist" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=persist"];
+ neededForBoot = true;
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/boot";
+ fsType = "ext4";
+ };
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=nix"];
+ };
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/nixos/machines/kaalut/koma.aliases.yaml b/nixos/machines/kaalut/koma.aliases.yaml
new file mode 100644
index 0000000..5da46a2
--- /dev/null
+++ b/nixos/machines/kaalut/koma.aliases.yaml
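Review bot: `stalwartAdminHash` puts the fallback-administrator password hash in clear text into configuration.nix, and the hash is an argon2i digest with `m=4096,t=3,p=1` (4 MiB memory cost), well below current argon2 guidance (argon2id with tens of MiB), so anyone who can read the repository or the world-readable Nix store gets a weakly protected copy of the admin credential; the preceding comment pointing at where the plaintext is kept makes the exposure wider still. Every other credential on this machine already goes through `sops.secrets`, so the consistent fix is to move the hash into a sops secret next to `stalwartAdmin` (assuming the `mathebau-mail` module can take a file path for it, which is outside this diff) and to regenerate it as argon2id with a larger memory cost. A one-line comment saying which of `stalwartAdmin` (Basic-auth encoding) and `stalwartAdminHash` Stalwart actually consults at login would also help the next reader. In the new hardware-configuration.nix below, `pkgs` is declared in the argument set but never used and can be dropped.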
@@ -0,0 +1,48 @@ +koma.aliases: ENC[AES256_GCM,data:AB/EiyqSMfA5Gfioh1GsiLaydRJjedbp3FYQA6gZNC0KZ042hWVXxm1tZEx0VjVaan4nVpdiszQTNbs4iF3P72dyJGTcE9l3q3WpS2IEfc1tykCasfWNOorTs1POVTS6sCGs4m7W5HPXQQ==,iv:s9xsEqRYlTkYBgrR9wqCp8BGYey5vAc1bbhYIrS3AVU=,tag:MzA2sMSElVNofuyo2qYmyg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBS283ZTdKVTVLaDRDV1N5 + SGhJQjJWdXJzc1l5OWtCWVdueTJMdjZpUjJzCmtUZFRYR0JXTW15Z0NyMktEbW5w + dkk1TjF0dVQ3MlFhNUFTbU0vMFdySWcKLS0tIDZPQmxSVGYzT2dDM244ek95dk9n + SnhtQWJic3B2YTM1ZlE3SHVRSjl1YVkKgUXW7JW3WSM5EusBoxQMsBRGwIqqi7Lo + DgWLq/P1rruuqRAS8hl4cht3jz6PlCJgVh2xpaM/kfkFS8ZuhVFw4g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdmcyM3hSUFdlM25UUndu + RUhzdEhsakdEdytBUGRyRTFXRzdYK2RBR0dnCmJqOTlvYkZkeld3eDYvRmRmUU5u + aHArR0FkZWRtT0hoNTZpS1JmaTRHencKLS0tIGVVSWN0NWQyQWdrcXdQUnQxUjdu + MWFZWVQ3RmZZS3FnRkJPdDRrOTZrWG8KVgFqfeBLw5gTBKugfnC4a5OLwOhosSgy + 3hXbGMrJiBDwOS+70H3L+IwiNSoJ6mL+ufShCTq8wER2L9GTteI8gg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzamM5TDVQM0hnZklsbncx + SlBMM0NpcnBBai94czV5WE1Md21EeE1kVXpFClpDVTRqYm5rWFhjVjRPQm1IVWxW + WTNlZFo4Y3VVNjZhckZ0RFVlQlV0OEEKLS0tIGJOR3k0OUorYTNXL01KQWJBUzVD + V0xidWR0SnBDM01hRlkrTlY4eEIrc1EK1Hye/jrQebkEDQ8muJpgHqBLefjnEJPF + GxdANetJLuZeeiOUjaUcbP6tecqZpiWN8fFEXrjNL4vnrHvJ+bR1aA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqQURCeGJBYytCdlhrWjF5 + c1ZrbEFENDF5bTNMaE52SE5CS1dVdWJCNlFzClZtK1QxOWY0dEVRRWY4MEtlZ1N1 + eGlaYXVLMUJiUi9FckdNcllBRCt4cmMKLS0tIEZuOTZQTm9vWHQ4Y3Z6RVloT0VL + OW5ZQWIvU2x1OEN6OW84K0dqRmhGNUUKOA3ugnG/ZD7m1DKrFjpZ8opPnjPtLaQx + t8qgGuQIoX6KeUb+YybRAOAPPzl51/m9GSUB43Eanm/tVJpdaew7/g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-05T14:22:26Z" + mac: ENC[AES256_GCM,data:5u3rV35uXHA0YqWHvnLn+aOmtHAlkuQoIRt3gj1dvc0+bMv+XBAYu+Yih/tkveeIY8Q0wXdhXdJvsdjkZR/INp5DwtjHUBpEeY5Ko0cQnhToJNhZnrXu/KVkwEtAJ5ir1Djex7ZSGCfMgBkCwCHd/VE2/lr1DksoD4cZy4AGPSo=,iv:r4zzreY6NCCuheRNE4etOo3CBl/unNlPL3cRP3Zvm+U=,tag:xyfBbOUqxcUUcSvfY7YBCw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2 diff --git a/nixos/machines/kaalut/mathebau.aliases.yaml b/nixos/machines/kaalut/mathebau.aliases.yaml new file mode 100644 index 0000000..f8fa3ed --- /dev/null +++ b/nixos/machines/kaalut/mathebau.aliases.yaml 
@@ -0,0 +1,48 @@ +mathebau.aliases: ENC[AES256_GCM,data:,iv:gMs8Nq2+e7nrBSdeXz7Qp6MrtkvN6gYwLXuP1nm/Hy0=,tag:MLB5QxP2A7E6GwgZlI71FA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzQmE1dlVQSi9MRzZ1WGpR + dFYzZU8rR1V1VnQzUHB0VnFOckpIL2tvMzB3CnpXQXk0S0JNSkpNN0FMclBOdjFy + cFZYTjcrN2djbzBkZUFmNCtXS3lRM0EKLS0tIFB2V2FoMU5rZzlxQW5SSHhlZkNx + c1BCVEV4dEU4aE5YeDZMRlFyVHYyQ1EK+znjkJ/JuE5VgYUpkCfDCZV5mFmSXUxU + MtByksmGshA8oyk0SH6B+qg07yDh+jRn4gtvnTxxudtqcVf5EX0vcg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0MUhyeCs3Qjl6RmIwVHN1 + cHBQMFEvQU1ZTFE0d0lESXgya3FZRW01cjJJCnNPNGgrVmhYeWhlOTZMYjdyd0Fm + QzJwQ25IOUJOeXpxbC85YlJlTElia00KLS0tIHdHL20yakxaNy9CZmUyaHVUSmxZ + SkZhM3ByQ2o3a0pVZnV2M2lob2xRU1UK14PKZz5blclSkUVJwUFm+A9G5nPD0U0h + AH2kt/kdSxj+0I6uWrD+0KHh8KA0Tgp9Auyv/UF1dB9MoiuQPG15vg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrOVFHcloyYW5OK2d1eXJt + NWxLWitrUWdwd0J6R1phaFA1Z2FUV0ROdFhNClg4bG5WSW8zWTdsWGhQUGFySS8w + UFpjK3dzYjdPVTNsbFg0YVl0UnQ3WmMKLS0tIFhBODRqK25TVWpabTVteTRtSURO + NTdYNkFuSm9xVi9QME5DMkRqOUpJYk0KK0e8LjmPqPQD1FzXyAuoUY1d8u//WHvT + S4ijZF8udwPzKTIHd5OiQVfCdmVughKmmRwQEHdFC69fjn6wOqLJhw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUa2VYR0RZa0pOSFljVzgz + TS9aRW9OZ2hEV3pWbncyNlp2c0REZk1GRndvClk5U3l5b0dlcktkRXZBa3VPaWpU + ZmVuS3UwV3RmbzdQWC9qYXpCNnJpODQKLS0tIGNabjdpYXp4d2VyMEcxSXhHdGNr + 
Y21YcmlWTkJDRUh3czJEUWVGaG44cXMKoibsYSOYv329WNzktBVJ18aGAMXCxz3B + c9938x3U7BCsSatnNch/cTbxPFYt8GhgAXXZb8/vsT9URH+9/K2iuA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-01-05T13:45:59Z" + mac: ENC[AES256_GCM,data:wESfYT9AJDcOKI4QSzXLi844ILNtDa1APlcvhNHfu80mS6JFXifUgbOV8YW9D6TA7X/NIhdpiIiDt2bdmK9GJbSrbNJH1yz5Pm4nEabVdHCU5aJKtlagxkNwzfHfDaRznM6NQTdIFDqsaSSokKYyZiycNOMdisQ5JpbYYig/KTM=,iv:GaYceaZ0drzimn/TTXPBP2Zt81w6YPLNf1oqRtkWt/8=,tag:ptEQRoIsBVSBqSdg1XdLsA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.2 diff --git a/nixos/machines/kaalut/mathechor.aliases.yaml b/nixos/machines/kaalut/mathechor.aliases.yaml new file mode 100644 index 0000000..55872b1 --- /dev/null +++ b/nixos/machines/kaalut/mathechor.aliases.yaml 
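Review bot: The encrypted value of `mathebau.aliases` has an empty `data:` field (`ENC[AES256_GCM,data:,iv:…`), which is how sops encodes an empty string, while the three sibling alias files carry ciphertext and configuration.nix wires this secret in as `virt_aliases` for `mathebau.de`. If an empty alias list is intended, a comment next to `"mathebau.aliases"` in configuration.nix should say so, e.g. `# intentionally empty: no virtual aliases for mathebau.de yet`; otherwise the alias content was lost before encryption and needs to be re-added with `sops`. This is inferred from the ciphertext layout alone, since the file cannot be decrypted here.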
@@ -0,0 +1,48 @@ +mathechor.aliases: ENC[AES256_GCM,data:VKEGY6KVtgKApnV7N2e2cqy9erDWQ2fb88Gwcpp5th/t0VGp16KGDtGiuQXhY80j6dDIcQMd9bLHzqAzc4+i/WhmEPhiXUkGiEKuarMfvqNl1LBlXFCoIrUXMMSIqab9q+fE3ignVQapE/YZt9aniyvg1prcmBcwIy9rDoHkiTY006ux5CM+vX0F60ADX8Nf6Qmn/JncPxXgq2jYsBxjXPj7BwJaair/+nxrbVf0,iv:Elj1NDeR1fdIIjIbjvkV3BmcVAKjwdMfknuNxMXJsa4=,tag:AkXWQ8sTMLsd7a+MfRcF/w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjMlRsWnkrREVaQitsWHMy + WHZFVG1qN25QbWFHcUxNS1Z0SFRDd1oxeG5RCi8wNUhkeWh2VjI4ZGowM1ExaExh + SE1yVGFTUHZadUdDL3pxaGdKTHQ0VTgKLS0tIHVNM2xlOFNNS3dFalJqZUtPODRn + b2NOTHpXSUVyaFRJNG5ONCt0TTVjOEkKYld7KN995QxdrGBVRYgCxO7kGwsiq+cp + iQJTjMdoFygIrTkgE5Rj89/GCiVe0+yAWJuQF7PEnC3cyq0M1g+fzw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPRFJCeXhwQVFSWmgzNHBu + SHlTTGtiRkI5bmhKa1B0QTZMY3FERmlUd0FBCk1vOUpydEFZUExpR2hpWm9mRHpE + dk9MQ042K0FpSVJ3dUlQcktGT2k1VjAKLS0tIHpGRmwzNE01YkV1TW94RkNmMjN4 + YnNXZUlta3NMVW9Cc3V2T0t4R01RSlkKNTW3gnF49BuPwF3jwciOYThJe+gJa0a6 + WKYt+aJuHi0a4y5rS/wfttij+hS5vYVNOrgfJ5bGinkNuAygA2hMOg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6MjZOR1dwb3RjZnlNNW4v + SzJnT1BRVktWNDI5S2Z2NnhQQzdNeS9ralI0CnN0SU9ESEV3ZCtRQmpZK3VZOGYx + Y3FVUy9zY3RZcGxyVmttVzFJL1haYWsKLS0tIENGRW1KZkpUdldOZWgzSXVoenpX + dTVpNUpWallSTzJ3cEZJTXk3c2t1czgKzJCwhMspzAsjzwSRdSPUoseEAsKp8HFy + cL9if92ar68HMHTdoy0Zvy+5AbxKUxgXZ2t8cDgkL8bNG5Ri2xYaUA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + 
-----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNm5xUGkrK1dYd2ZtamFW + NXpNMEtvNTl3U3MzeVNSbVJOdGdlWGsxRHlZCllQVmNtYzBJNDc2Y0dmUlNsbTF5 + RHB4QWZ1VGNFVkx1Q0hNK3FDTTRrUlkKLS0tIG9hbldDeHk0YmVZV2IwMXNpYStU + Q29uVHBCb2pTeWVJVmVXbWpycnFneWMKnDmu5917dddV8vjO0L8OP3wXMjDi46Ro + b9eOY8l74jm4sTxyKNvnkEjD6iHn1t7f8J7HAbWrpZY+J0i77nrzQw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:Xnulo0681LtgH9SZt9DL3nd9bSDH+TCQDvbKdggVBJ66rxBiKmlbu5MAblAWqxbdZ6EelldaVeX9OaL2rYJoYbTWxzw2iuPieldp3Ah3PsTI2C8W+UD9KVHcB+3AMOmVmJZzFlZvTwyfPfZRNNb0HAijkN97P3fP0r1Iqf3YjiI=,iv:vhu38HM4e+PyyChXvI87LWSGtKQQiXUr4MKrI7kotzk=,tag:eNuQD74kUO+duqEXNbLJBw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/stalwartAdmin.yaml b/nixos/machines/kaalut/stalwartAdmin.yaml new file mode 100644 index 0000000..9fb24d8 --- /dev/null +++ b/nixos/machines/kaalut/stalwartAdmin.yaml 
@@ -0,0 +1,48 @@ +stalwartAdmin: ENC[AES256_GCM,data:4vpvxtFa2KiF3ojl+cw3ic/MI7UM9JQCQn76bidYvbW31zgF,iv:DtLAi68oQRf3U69uFK0Cz4qHMkxM6NnB3lVYft/DtqQ=,tag:HYm2mdpTuXNHdQIv2Rkwig==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxcTRqZXRoNTJCdFhQUG9o + Qmx2cVl0TWdaQzZZUThTOEpQdjIxVFh3eHhzCjlHWHhSYmM1ajYrdjl3Nm90TkRh + YWE3c0hJYzdFWXpZUGI0cHBQdThSWWsKLS0tIFh5M20wV2ZZbzllS1BNOGtaRUVF + MFN3bENrZ0tDMllJM1E5MWkyZ2thZEkKfZlUzE5t8K0oHZYOSVItvRJZP2MJlA7N + SLozGlpwCoZKWP6qAqP5jisTG/npQRhcqwkd7P39EytO2HXU9m8sJA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkVldRVmtPUzFxV0ltK0d2 + SHRqbXZCTW5wZUtZM0ZkL3lXOEJmVXdjMXdZCjE5MUUrSEhnWHRSOVhtWWQxdndv + ckUzTFl4ZXM5VHBTRlY3SzVsZWpxNUEKLS0tIEtpbTBhaWR1c3RhSW5nclZvMTdO + eTBYL1Q5cXNvTGkvQzJMWHZHaEZseVUK5w2MPZMquT0luq+tl2owLrrSBx9KPskS + FupcAZTcCo+YsemKLjJ6GlHch5x8Mw98NHS5h1AKxwZYtcfwg3lfbQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUitNeHNWOTVjWkF4YWhB + MnEwWDFnT0wyNUx3VmlQMmZTRmZRbXBGOVFvCmpoOHZZSXRweUtZaHZ6azF2Q3dK + NFBwa242U3JSVjhtOUlRTUZuakhkcXcKLS0tIEN5TGhMRFphdEpvcU5zTmVlTTJN + d2JRc2p4YmpuUHAycUoxc1FuZmxhemcKOgGyieFVS57tsvUtVooahqswYZH0Fi6+ + jxM6Ga/tIM/bZ/qSwYrNlNiz0XHm8/XFH2s8sxypDZ+NHGLs3zGjsw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBERTdvSTZ3eEVNbEZpUnQ2 + ZC85blRQVzgrckljcnZPeVhZWUxGd01tankwCjBCZHdWRnpoZkdRQWdoK0VmOFVy + 
VmpiOFkvNisrWmp2NE1kalB4dUhzdWsKLS0tIEJ6T1FsTFlIMUVWd3FwbEtldmlC + UjFHWHNZci8zRlFXNVpNNk5oSUNvaTQKW9T88GflSysJwqMnBrc/jZVwL/fRdg2a + 5XysXb/dCo4uNxLQit/KNSpINj7rAkf4Pk819DO6SKiIiuIJDXw9cA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T11:43:23Z" + mac: ENC[AES256_GCM,data:GZ1Q67n43WU3fDQd6SGsD2EZgoaq1mzh5biy42cx6FQWlveK5lhb0F2HUuWWv5zSHKpslEPD6odvkQmMNCRY8NsvT3+KBAnHHU0aHzM9AEV27cDL4x6oBvO52EMxsNCMm+fXPD1CubQxfbfvx/aIuqb1sovgKGgwf4u6yqIrHJ0=,iv:ExX+ySMXhF/c1w2IP7y8mdlcy8W9Zxiy6X67b2f4AeY=,tag:shxQJdaW3HsG6sNY+zDNCA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/nodens/configuration.nix b/nixos/machines/nodens/configuration.nix new file mode 100644 index 0000000..554e407 --- /dev/null +++ b/nixos/machines/nodens/configuration.nix @@ -0,0 +1,16 @@ +{pkgs, ...}: { + imports = [ + ./hardware-configuration.nix + ../../roles + ../../roles/vm.nix + ../../modules/vmNetwork.nix + ]; + + # System configuration here + + environment.systemPackages = [pkgs.git]; + + networking.hostName = "nodens"; + vmNetwork.ipv4 = "192.168.0.18"; + system.stateVersion = "24.11"; +} diff --git a/nixos/machines/nodens/hardware-configuration.nix b/nixos/machines/nodens/hardware-configuration.nix new file mode 100644 index 0000000..31b5450 --- /dev/null +++ b/nixos/machines/nodens/hardware-configuration.nix 
@@ -0,0 +1,48 @@
+# A machine that exists to install other NixOS machines from some config
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ fileSystems."/" = {
+ device = "root";
+ fsType = "tmpfs";
+ options = ["size=1G" "mode=755"];
+ };
+ # Different than usual names in order to automount other VMs
+ fileSystems."/persist" = {
+ device = "/dev/disk/by-label/nixosNodens";
+ fsType = "btrfs";
+ options = ["subvol=persist"];
+ neededForBoot = true;
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/bootNodens";
+ fsType = "ext4";
+ };
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-label/nixosNodens";
+ fsType = "btrfs";
+ options = ["subvol=nix"];
+ };
+
+ #Machine to be installed
+ fileSystems."/mnt/persist" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=persist"];
+ };
+ fileSystems."/mnt/boot" = {
+ device = "/dev/disk/by-label/boot";
+ fsType = "ext4";
+ };
+ fileSystems."/mnt/nix" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=nix"];
+ };
+
+ swapDevices = [{device = "/dev/disk/by-uuid/89e13a83-506a-43b4-b06a-09424500ceda";}];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/nixos/modules/borgbackup.nix b/nixos/modules/borgbackup.nix
index b552c8b..9889238 100644
--- a/nixos/modules/borgbackup.nix
+++ b/nixos/modules/borgbackup.nix
@@ -76,6 +76,13 @@ in {
 path = "/var/lib/backups/ithaqua";
 allowSubRepos = true;
 };
+ kaalut = {
+ authorizedKeysAppendOnly = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcAJkEXcvrDEQf1zRhBXLe1CSHOTooM3qy0KMfS9oug Kaalut Backup"
+ ];
+ path = "/var/lib/backups/kaalut";
+ allowSubRepos = true;
+ };
 lobon = {
 authorizedKeysAppendOnly = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEptjf1UWRlo6DG9alAIRwkSDUAVHwDKkHC6/DeYKzi Lobon Backup"
diff --git a/nixos/modules/mail.nix b/nixos/modules/mail.nix
new file mode 100644
index 0000000..a481bcf
--- /dev/null
+++ b/nixos/modules/mail.nix
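Review bot: The three mounts for the machine to be installed (`fileSystems."/mnt/persist"`, `"/mnt/boot"`, `"/mnt/nix"`) are declared as ordinary required mounts, so when no disk labelled `nixos`/`boot` is attached the installer VM itself will most likely fail `local-fs.target` and land in emergency mode at boot. On an installer the target disk is the exception rather than the rule, so marking each of them `nofail`, e.g. `options = ["subvol=persist" "nofail"];` and `options = ["nofail"];` for `/mnt/boot`, lets nodens come up without a target disk while still mounting one when present. The installer's own `/persist` is correctly `neededForBoot`. The swap device is the only entry here bound to a generated UUID rather than a label and has to be regenerated whenever the disk is recreated; a `# TODO` next to it or a labelled swap partition would make that explicit.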
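Review bot: The new `kaalut` repository is restricted to `path = "/var/lib/backups/kaalut"`, but the client job added in `nixos/modules/mail.nix` in the same commit targets `repo = "borg@192.168.1.11:kaluut"` — `kaalut` versus `kaluut` — so unless the TODO referencing issue 33 is about exactly this, the server-side path restriction will presumably reject the backup job. Changing the mail.nix line to `repo = "borg@192.168.1.11:kaalut";` makes it match the `path` and the key comment (`Kaalut Backup`) defined here. The enclosing repository attribute set begins before this hunk.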
@@ -0,0 +1,321 @@ +/* +* Building: For some reason, stalwart is not served by cache.nixos.org and thus needs to be built locally. +* Be aware that this needs some hours, about 12Gb RAM and a few Gb free space in /tmp. +* If you only want to deploy configuration changes and no software updates, consider building on the target VM. +* It has stalwart in its nix store and does not need to rebuild it. +* Forwarding mails: Update the Sops-secrets in the machine directory, rebuild on the VM and deploy. +* Everything else should happen automatically but new redirects might take up to two hours due HRZ infrastructure. +* Using the web admin interface: Set your SSH to do portforwarding of some local port to port 80 of the VM and +* and use your personal admin account or create one using the fallback admin password. +* Create users with mail boxes: Go to the admin interface and create them. +* Stalwart mailserver docs can be found at https://stalw.art/docs +* DNS-Records: Collect the right DNS entries from the management interface and copy them to the DNS hoster. Caution: +* Not all entries are applicable since we relay via HRZ. +*/ +{ + config, + lib, + pkgs, + ... +}: let + inherit + (lib) + mkIf + mkEnableOption + mkOption + ; + inherit (lib.types) listOf strMatching str path; + cfg = config.services.mathebau-mail; +in { + options.services.mathebau-mail = { + enable = mkEnableOption "mathebau mail service"; + stalwartAdmin = mkOption { + type = path; + description = "Path to a file that contains the stalwart fallback admin password encoded for HTTP Basic Auth"; + }; + stalwartAdminHash = mkOption { + type = str; + description = "String containing the hashed fallback admin password"; + }; + domains = mkOption { + type = listOf (lib.types.submodule { + options = { + domain = mkOption { + description = "Domain name that we serve. 
We also push its addresses to HRZ."; + type = strMatching "^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$"; #Regex from https://www.oreilly.com/library/view/regular-expressions-cookbook/9781449327453/ch08s15.html + }; + allowlistPass = mkOption { + description = "Password file for the HRZ API that gets a list of mailaddresses that we serve"; + type = path; + }; + virt_aliases = mkOption { + description = "File path to a virtual alias file applicable for this domain"; + type = path; + default = "/dev/null"; # there might not be an alias file and reading an empty one works with our implementation + }; + }; + }); + }; + }; + + config = mkIf cfg.enable { + services = { + stalwart-mail = { + enable = true; + openFirewall = true; + settings = { + server = { + lookup.default.hostname = "fb04184.mathematik.tu-darmstadt.de"; # Because the DNS PTR of 130.83.2.184 is this and this should be used in SMTP EHLO. + listener = { + # Do not enable JMAP until https://github.com/stalwartlabs/mail-server/issues/618 is resolved! + # Luckily, this bug does not apply to IMAP. + "smtp" = { + bind = ["[::]:25"]; + protocol = "smtp"; + }; + "submissions" = { + bind = ["[::]:465"]; + protocol = "smtp"; + tls.implicit = true; + }; + "imaptls" = { + bind = ["[::]:993"]; + protocol = "imap"; + tls.implicit = true; + }; + "management" = { + # Cthulhu forwards requests for http://fb04184.mathematik.tu-darmstadt.de/.well-known/acme-challenge/ http://imap.mathebau.de/.well-known/acme-challenge/ and http://smtp.mathebau.de/.well-known/acme-challenge/ + # for TLS certificate challenge validation + # whereas the rest of the management interface is not available publically. + # It can be reached via SSH and portforwarding. 
+ bind = ["[::]:80"]; + protocol = "http"; + }; + }; + }; + acme.letsencrypt = { + directory = "https://acme-v02.api.letsencrypt.org/directory"; # This setting is necessary for this block to be activated + challenge = "http-01"; + contact = ["root@mathebau.de"]; + domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"]; + default = true; + }; + spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding + auth = { + # TODO check if HRZ conforms to these standards and we can validate them strictly + dkim.verify = "relaxed"; + arc.verify = "relaxed"; + dmarc.verify = "relaxed"; + iprev.verify = "relaxed"; + spf.verify.ehlo = "relaxed"; + spf.verify.mail-from = "relaxed"; + }; + + # Forward outgoing mail to HRZ or mail VMs. + # see https://stalw.art/docs/smtp/outbound/routing/ relay host example + queue.outbound = { + next-hop = [ + { + "if" = "rcpt_domain = 'lists.mathebau.de'"; + "then" = "'mailman'"; + } + { + "if" = "is_local_domain('', rcpt_domain)"; + "then" = "'local'"; + } + {"else" = "'hrz'";} + ]; + tls = { + # we only talk to HRZ and our own VMs anyway + mta-sts = "disable"; + dane = "disable"; + starttls = "optional"; # e.g. Lobon does not offer starttls + }; + }; + remote."hrz" = { + address = "mailout.hrz.tu-darmstadt.de"; + port = 25; + protocol = "smtp"; + tls.implicit = false; # Don't assume TLS on this port but use STARTTLS + }; + remote."mailman" = { + address = "lobon.mathebau.de"; # must be created in DNS as a MX record because this field does not accept ip addresses. + port = 25; + protocol = "smtp"; + tls.implicit = false; # Don't assume TLS on this port but use STARTTLS + }; + + session.rcpt = { + # In order to accept mail that we only forward + # without having to generate an account. + # Invalid addresses are filtered by DFN beforehand. 
+ catch-all = true; + relay = [ + { + "if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de' || starts_with(remote_ip, '192.168.0.')"; #TODO restrict trust by IP + "then" = true; + } + {"else" = false;} + ]; + }; + + # Stalwart gets its configuration from two places: A TOML configuration file that we control in this module + # and from a database that can be configured from web management interface or via Rest API. + # We here define what comes from the TOML-file and especially add "sieve.trusted.scripts.*" to the default ones + # because only TOML-based keys may use macros to load files from disk. + # We want this to be able to load our sieve-script for mail forwarding. + config.local-keys = + [ + "store.*" + "directory.*" + "tracer.*" + "server.*" + "!server.blocked-ip.*" + "authentication.fallback-admin.*" + "cluster.node-id" + "storage.data" + "storage.blob" + "storage.lookup" + "storage.fts" + "storage.directory" + "lookup.default.hostname" + "certificate.*" + ] # the default ones + ++ ["sieve.trusted.scripts.*"]; #for macros to be able to include our redirection script + sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script + session.data.script = "'redirects'"; + + authentication.fallback-admin = { + user = "admin"; + # see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH + secret = cfg.stalwartAdminHash; + }; + store = { + # structured data in SQLite, blobs on filesystem + db.type = "sqlite"; + db.path = "/var/lib/stalwart-mail/data/index.sqlite3"; + fs.type = "fs"; + fs.path = "/var/lib/stalwart-mail/data/blobs"; + }; + }; + }; + }; + environment.persistence.${config.impermanence.name} = { + directories = [ + "/var/lib/stalwart-mail" + ]; + files = ["/root/.ssh/known_hosts"]; # for the backup server bragi + }; + + # Update HRZ allowlist + # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/ + # will stop working if no valid TUIDs are 
associated to our domain. + systemd = { + timers."mailAllowlist" = { + wantedBy = ["timers.target"]; + timerConfig = { + OnBootSec = "1h"; # Run every hour + OnUnitActiveSec = "1h"; + RandomizedDelaySec = "10m"; # prevent overload on regular intervals + Unit = "mailAllowlist.service"; + }; + }; + services = { + "mailAllowlist" = { + description = "Allowlist update: Post the mail addresses to the HRZ allowllist"; + script = let + scriptTemplate = { + domain, + allowlistPass, + ... + }: '' + echo "process ${domain}" + # This line gets the available mailboxes from stalwart's Rest API, searches for their addresses and collects them to a file for submission. + ${pkgs.curl}/bin/curl -s --header "authorization: Basic $(<${cfg.stalwartAdmin})" http://localhost/api/principal | ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" | tee /tmp/addresses + # This line searches for available redirects and adds them to the submission file. + ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases >> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need. 
+ # Post local-parts to HRZ, see https://www-cgi.hrz.tu-darmstadt.de/mail/index.php?bereich=whitelist_upload + ${pkgs.curl}/bin/curl -s https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${domain} -F password=$(cat ${allowlistPass}) -F emailliste=@/tmp/addresses -F meldungen=voll + # Cleanup submission file + rm /tmp/addresses + ''; + in + lib.strings.concatStringsSep "" (map scriptTemplate cfg.domains); + serviceConfig = { + Type = "oneshot"; + User = "stalwart-mail"; + NoNewPrivileges = true; + # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html + PrivateTmp = false; # allow access to sieve script + ProtectHome = true; + ReadOnlyPaths = "/"; + ReadWritePaths = "/tmp"; + InaccessiblePaths = "-/lost+found"; + PrivateDevices = true; + PrivateUsers = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + }; + }; + "stalwart-mail" = { + restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed. + serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script + }; + "virt-aliases-generator" = { + description = "Virtual Aliases Generator: Generate a sieve script from the virtual alias file"; + script = lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map (x: "${x.virt_aliases} ${x.domain} ") cfg.domains ++ ["> /tmp/virt_aliases"]); + wantedBy = ["stalwart-mail.service"]; # Rerun on stalwart restart because forwardings may have changed. 
+ serviceConfig = { + Type = "oneshot"; + User = "stalwart-mail"; + NoNewPrivileges = true; + # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html + PrivateTmp = false; + ProtectHome = true; + ReadOnlyPaths = "/"; + ReadWritePaths = "/tmp"; + InaccessiblePaths = "-/lost+found"; + PrivateDevices = true; + PrivateUsers = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + }; + }; + }; + }; + # Backups + services.borgbackup.jobs.mail = { + paths = [ + "/var/lib/stalwart-mail/data" + ]; + encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction. + environment = { + BORG_RSH = "ssh -i /run/secrets/backupKey"; + # “Borg ensures that backups are not created on random drives that ‘just happen’ to contain a Borg repository.” + # https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html + # We don't want this in order to not need to persist borg cache and simplify new deployments. + BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes"; + }; + repo = "borg@192.168.1.11:kaluut"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33 + startAt = "daily"; + user = "root"; + group = "root"; + }; + }; +} diff --git a/nixos/modules/mailman.nix b/nixos/modules/mailman.nix index 5cfa63d..f4ecd0e 100644 --- a/nixos/modules/mailman.nix +++ b/nixos/modules/mailman.nix 
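Review bot: In the `mailAllowlist` script both credentials are expanded onto the curl command line — `-F password=$(cat ${allowlistPass})` and `--header "authorization: Basic $(<${cfg.stalwartAdmin})"` — so for the duration of each call they are readable from the process list (`/proc/*/cmdline`) by any local user, and the unquoted `$(cat …)` additionally word-splits on any whitespace in the secret file. curl can read both from files instead: `-F "password=<${allowlistPass}"` takes the form field's value from the file, and the header can be kept in a file (e.g. another sops secret) and passed as `-H @<path-to-header-file>`. Separately, the forwarding pipeline runs through the shared `/tmp` (`/tmp/virt_aliases` becomes a *trusted* sieve script via `%{file:/tmp/virt_aliases}%`, and `/tmp/addresses` is a fixed, predictable name), which is the reason `PrivateTmp` is forced off on three units; a `RuntimeDirectory`/`StateDirectory` owned by `stalwart-mail` (e.g. under `/var/lib/stalwart-mail`) would keep the sieve source out of a world-writable directory and allow `PrivateTmp` to stay on. One smaller item: in a Nix double-quoted string `\.` collapses to a bare `.`, so the `domain` regex `^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$` accepts any separator character between labels; `\\.` is presumably what was intended.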
@@ -35,7 +35,7 @@ in {
 proxy_interfaces = "130.83.2.184";
 smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
 };
- relayHost = "192.168.0.24"; # Relay to eihort which relays to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)
+ relayHost = "mathebau.de"; # Relay to mail vm which relays to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)
 };
 mailman = {
 enable = true;
@@ -64,9 +64,9 @@ in {
 systemd.timers."mailAllowlist" = {
 wantedBy = ["timers.target"];
 timerConfig = {
- OnBootSec = "5m"; # Run every 5 minutes
- OnUnitActiveSec = "5m";
- RandomizedDelaySec = "2m"; # prevent overload on regular intervals
+ OnBootSec = "1h"; # Run every hour
+ OnUnitActiveSec = "1h";
+ RandomizedDelaySec = "10m"; # prevent overload on regular intervals
 Unit = "mailAllowlist.service";
 };
 };
diff --git a/sieve-rs.patch b/sieve-rs.patch
new file mode 100644
index 0000000..1fef1ec
--- /dev/null
+++ b/sieve-rs.patch
@@ -0,0 +1,22 @@
+diff --git a/src/runtime/actions/action_redirect.rs b/src/runtime/actions/action_redirect.rs
+index 5b4599d..bfb46b0 100644
+--- a/src/runtime/actions/action_redirect.rs
++++ b/src/runtime/actions/action_redirect.rs
+@@ -41,17 +41,6 @@ impl Redirect {
+ .count()
+ < ctx.runtime.max_received_headers
+ {
+- // Try to avoid forwarding loops
+- if !self.list
+- && (address.eq_ignore_ascii_case(ctx.user_address.as_ref())
+- || ctx.envelope.iter().any(|(e, v)| {
+- matches!(e, Envelope::From)
+- && v.to_string().eq_ignore_ascii_case(address.as_str())
+- }))
+- {
+- return;
+- }
+-
+ if !self.copy && matches!(&ctx.final_event, Some(Event::Keep { .. })) {
+ ctx.final_event = None;
+ }
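Review bot: `relayHost = "mathebau.de"` now ties outbound list mail to whatever that name resolves to, while the receiving side added in `nixos/modules/mail.nix` only relays unauthenticated sessions whose `remote_ip` starts with `192.168.0.` (or whose recipient domain is `lists.mathebau.de`); if the name resolves to the public address and the connection arrives via the proxy, the source stalwart sees may fall outside that range and relaying would be refused — worth confirming against the actual DNS record before deploying. Documenting the dependency next to the setting would help, e.g. `# must reach the mail VM from a 192.168.0.x source, see the relay rule in mail.nix`. The postfix `settings` block this line belongs to starts before the hunk; the second hunk is a plain timer-interval adjustment.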
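Review bot: Once this patch is applied, loop protection for sieve redirects rests solely on the `.count() < ctx.runtime.max_received_headers` check, because the address-based guard (skipping a redirect to the user's own address or to the envelope `From`) is deleted, and the patch file carries no explanation of why that is acceptable in this deployment. Nothing in the commit shows where `sieve-rs.patch` is applied, so a short header comment at the top of the file stating the motivation (presumably that the generated redirect script must forward to addresses that coincide with the local user or the envelope sender) and that termination of a forwarding loop now depends on the `max_received_headers` limit would keep the next maintainer from re-adding the guard or raising that limit without seeing the consequence. The remaining new-side code is only the `if !self.copy …` branch, which is unchanged.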