From 5cba7d362b5338c380d18cfaefd2fe66b429b0bd Mon Sep 17 00:00:00 2001 From: Gonne Date: Wed, 10 Jul 2024 22:56:46 +0200 Subject: [PATCH] First try to install Stalwart as a mail software --- .sops.yaml | 7 + flake-module.nix | 6 + flake.lock | 144 +++++++-- flake.nix | 3 + nixos/machines/kaalut/allowlistPassKoMa.yaml | 39 +++ .../kaalut/allowlistPassMatheball.yaml | 39 +++ .../kaalut/allowlistPassMathebau.yaml | 39 +++ .../kaalut/allowlistPassMathechor.yaml | 39 +++ nixos/machines/kaalut/backupKey.yaml | 39 +++ nixos/machines/kaalut/configuration.nix | 81 +++++ .../kaalut/hardware-configuration.nix | 30 ++ nixos/machines/kaalut/koma.aliases.yaml | 39 +++ nixos/machines/kaalut/mailForwardSieve.yaml | 39 +++ nixos/machines/kaalut/mathebau.aliases.yaml | 39 +++ nixos/machines/kaalut/stalwartAdmin.yaml | 39 +++ nixos/modules/borgbackup.nix | 7 + nixos/modules/mail.nix | 288 ++++++++++++++++++ 17 files changed, 887 insertions(+), 30 deletions(-) create mode 100644 nixos/machines/kaalut/allowlistPassKoMa.yaml create mode 100644 nixos/machines/kaalut/allowlistPassMatheball.yaml create mode 100644 nixos/machines/kaalut/allowlistPassMathebau.yaml create mode 100644 nixos/machines/kaalut/allowlistPassMathechor.yaml create mode 100644 nixos/machines/kaalut/backupKey.yaml create mode 100644 nixos/machines/kaalut/configuration.nix create mode 100644 nixos/machines/kaalut/hardware-configuration.nix create mode 100644 nixos/machines/kaalut/koma.aliases.yaml create mode 100644 nixos/machines/kaalut/mailForwardSieve.yaml create mode 100644 nixos/machines/kaalut/mathebau.aliases.yaml create mode 100644 nixos/machines/kaalut/stalwartAdmin.yaml create mode 100644 nixos/modules/mail.nix diff --git a/.sops.yaml b/.sops.yaml index bc5cfc6..e112b48 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -5,6 +5,7 @@ keys: - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4 - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn + - &kaalut age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj creation_rules: - path_regex: nixos/machines/nyarlathotep/.* @@ -25,6 +26,12 @@ creation_rules: - *nerf - *gonne - *lobon + - path_regex: nixos/machines/kaalut/.* + key_groups: + - age: + - *nerf + - *gonne + - *kaalut # this is the catchall clause if nothing above machtes. Encrypt to users but not # to machines - key_groups: diff --git a/flake-module.nix b/flake-module.nix index c30fff4..07ff088 100644 --- a/flake-module.nix +++ b/flake-module.nix @@ -53,6 +53,12 @@ _module.args.pkgs = import inputs.nixpkgs { inherit system; config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"]; + + overlays = [ + (_: _: { + alias-to-sieve = inputs.alias-to-sieve.packages.x86_64-linux.default; + }) + ]; }; }; diff --git a/flake.lock b/flake.lock index 846ad85..d3daa7c 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,25 @@ { "nodes": { + "alias-to-sieve": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": "nixpkgs", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1731580934, + "narHash": "sha256-b1TZ91IFOEPPXfuhVG0nb4GGyX+g0SQujuqS9RJaC5Q=", + "ref": "refs/heads/main", + "rev": "b3f09cd22fb0f73ee8d91bf19f51f5144280e3cb", + "revCount": 11, + "type": "git", + "url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve" + }, + "original": { + "type": "git", + "url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve" + } + }, "blobs": { "flake": false, "locked": { 
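Review bot: The overlay added in flake-module.nix hard-codes the platform in `inputs.alias-to-sieve.packages.x86_64-linux.default`, although the surrounding `import inputs.nixpkgs` call already has `system` in scope through `inherit system;`. When evaluated for any other system, the package set would silently carry an x86_64 build of the tool. Prefer `alias-to-sieve = inputs.alias-to-sieve.packages.${system}.default;`. The enclosing attribute set starts and ends outside the hunk.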
@@ -21,11 +41,29 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1727826117, - "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_2" + }, + "locked": { + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", "type": "github" }, "original": { @@ -35,11 +73,11 @@ }, "impermanence": { "locked": { - "lastModified": 1729068498, - "narHash": "sha256-C2sGRJl1EmBq0nO98TNd4cbUy20ABSgnHWXLIJQWRFA=", + "lastModified": 1731242966, + "narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=", "owner": "nix-community", "repo": "impermanence", - "rev": "e337457502571b23e449bf42153d7faa10c0a562", + "rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a", "type": "github" }, "original": { @@ -71,15 +109,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1729665710, - "narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=", - "owner": "NixOS", + "lastModified": 1730200266, + "narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d", + "rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd", "type": "github" }, "original": { - "owner": "NixOS", + "owner": "nixos", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" 
@@ -102,28 +140,56 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1727825735, - "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", + "lastModified": 1730504152, + "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" } }, - "nixpkgs-stable": { + "nixpkgs-lib_2": { "locked": { - "lastModified": 1729357638, - "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=", + "lastModified": 1730504152, + "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1728538411, + "narHash": "sha256-f0SBJz1eZ2yOuKUr5CA9BHULGXVSn6miBuUWdTyhUhU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22", + "rev": "b69de56fac8c2b6f8fd27f2eca01dcda8e0a4221", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-24.05", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1732014248, + "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": 
"github" } @@ -136,11 +202,11 @@ "nixpkgs-stable": [] }, "locked": { - "lastModified": 1729104314, - "narHash": "sha256-pZRZsq5oCdJt3upZIU4aslS9XwFJ+/nVtALHIciX/BI=", + "lastModified": 1732021966, + "narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "3c3e88f0f544d6bb54329832616af7eb971b6be6", + "rev": "3308484d1a443fc5bc92012435d79e80458fe43c", "type": "github" }, "original": { @@ -151,27 +217,45 @@ }, "root": { "inputs": { - "flake-parts": "flake-parts", + "alias-to-sieve": "alias-to-sieve", + "flake-parts": "flake-parts_2", "impermanence": "impermanence", "nixos-mailserver": "nixos-mailserver", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_3", "pre-commit-hooks": "pre-commit-hooks", "sops-nix": "sops-nix" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1730601085, + "narHash": "sha256-Sgax33jGuvVHTjl1P78IwzlhAGyOxtx5Q26inKja8S4=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "8d1b40f8dfd7539aaa3de56e207e22b3cc451825", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" + ] }, "locked": { - "lastModified": 1729931925, - "narHash": "sha256-3tjYImjVzsSM4sU+wTySF94Yop1spI/XomMBEpljKvQ=", + "lastModified": 1732186149, + "narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=", "owner": "Mic92", "repo": "sops-nix", - "rev": "b2211d1a537136cc1d0d5c0af391e8712016b34e", + "rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index b4b5593..2e6f161 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,6 +2,9 @@ description = "Description for the project"; inputs = { + alias-to-sieve = { + url = "git+https://gitea.mathebau.de/fachschaft/alias_to_sieve"; + }; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixos-mailserver = { url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git"; diff --git a/nixos/machines/kaalut/allowlistPassKoMa.yaml b/nixos/machines/kaalut/allowlistPassKoMa.yaml new file mode 100644 index 0000000..05ff499 --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassKoMa.yaml 
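Review bot: The new `alias-to-sieve` input is declared without any `follows`, and the flake.lock part of this patch shows it bringing its own `nixpkgs`, `flake-parts` and `rust-overlay` nodes into the lock. That is three more pinned upstream trees to trust and keep updated on a mail host for the sake of one helper package. Unless the tool needs its own pins, consider `alias-to-sieve.inputs.nixpkgs.follows = "nixpkgs";` and likewise for `flake-parts`. The `inputs` block continues outside the hunk.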
@@ -0,0 +1,39 @@ +allowlistPassKoMa: ENC[AES256_GCM,data:vvXurWHumzWQAvcFlkzJqQ==,iv:8zizeoGXY6zBGYsajuDJdvw8YNL81vXaghvBNOPTwYk=,tag:Fwwh56wLSeIPswSUEKWFZA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv + dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo + TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy + MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK + wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm + THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds + M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG + WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr + hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4 + My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG + VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5 + VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui + uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-09T08:05:54Z" + mac: 
ENC[AES256_GCM,data:L/bMe8fpKnUfWyjIANJF7yLkoEGcsjvnFoGpRbGeKV9Xv9NgVfZk+h58BXeq9cMvrcWxeJC1SmiVy31XRkqjaOYqYdW2R2yRqSBKeHX6fjh1iSjdHVctl1Jk7mBNhObD8PqOQ9mMdschTg5s87n3bOgFhrkarktbbmf7fOKQ5Z4=,iv:fClCggabDbSXO5h9p+B10H2J7ouKJnBkHEKWyj1Jnwk=,tag:5MthaOqhUFROdrpJOV3BxQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/nixos/machines/kaalut/allowlistPassMatheball.yaml b/nixos/machines/kaalut/allowlistPassMatheball.yaml new file mode 100644 index 0000000..35bf6ed --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMatheball.yaml 
@@ -0,0 +1,39 @@ +allowlistPassMatheball: ENC[AES256_GCM,data:KYrnJRTKt/h5,iv:TSCWpvrBqVvpRBxL1efzIJkdhd3V98EzG3PBoMJjfK0=,tag:L6yR49TuTlvFwtwhQ6WByg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv + dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo + TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy + MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK + wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm + THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds + M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG + WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr + hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4 + My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG + VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5 + VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui + uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-09T19:57:12Z" + mac: 
ENC[AES256_GCM,data:NjzqVHpG/KRQNB0slb6rJ7+zJhV9JSsUjfjHk9DhyvgtgP9NUsMTdKKUkJmi0mCwQYk0fDXSDyptCvXk1x6AkgAUcZCdD7nxYH87QTF4hcdiwYohxTEqhuJzEBbIek4z96B1BUd2kQc9pH3OvvHJNXMOO/88uhj2WzOEdeBz+Qw=,iv:iT2aa66hJr3c4HiYsFbzURM8bZegnuAaF9yYMNCd5io=,tag:9ZIB2sofrxB/FxM0Yam7Kg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/nixos/machines/kaalut/allowlistPassMathebau.yaml b/nixos/machines/kaalut/allowlistPassMathebau.yaml new file mode 100644 index 0000000..64908cd --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMathebau.yaml 
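Review bot: SOPS encrypts each value with AES-GCM and no padding, so the length of the `data:` field tracks the length of the plaintext, and the `allowlistPassMatheball` value in this file is visibly short. The same holds for the `allowlistPassMathebau` and `allowlistPassMathechor` files that follow. If these are passwords (their use is in mail.nix, outside this hunk), generate them at a length where knowing the size gives nothing away. Rotate the current values as well, since their ciphertext is now part of the repository history.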
@@ -0,0 +1,39 @@ +allowlistPassMathebau: ENC[AES256_GCM,data:/82Jz2LOREgt,iv:K04xQd4djPzfg1D2RTVUw0wQLpG3+GEAFwlaC+qx4NY=,tag:GpZmS53bX8egsUEbPlVouw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv + dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo + TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy + MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK + wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm + THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds + M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG + WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr + hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4 + My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG + VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5 + VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui + uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-09T19:57:22Z" + mac: 
ENC[AES256_GCM,data:1rcc3zGN+emSqaRw0Yng6w/yHgcGW7k6DFrwouLi0ejZO/yo1fl4kYO/MCk7Ujlgls+KVwn9+sdQxCjfNjIGIIurtcGu2b8BGAZzSz3n8U/EEOqn6lD1xn598xC24hfv17/fbBgzw812FVupHE5ZVxDm92foCN0o64G1iX+3jqw=,iv:/iR3iqQVpQU35h8C1QOtRFFfVtGkKGxtl6JqixTR4VI=,tag:DVPVtcIiCiwkJvJDUkHBSg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/nixos/machines/kaalut/allowlistPassMathechor.yaml b/nixos/machines/kaalut/allowlistPassMathechor.yaml new file mode 100644 index 0000000..974694c --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMathechor.yaml 
@@ -0,0 +1,39 @@ +allowlistPassMathechor: ENC[AES256_GCM,data:XEcJzY7R4obq,iv:45yRZwODIcUosD4bESmBxs0nOZHE6YQj5ptwoNyKLe8=,tag:h7SxNVhU9EpiFNv8b7N8yA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv + dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo + TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy + MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK + wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm + THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds + M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG + WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr + hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4 + My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG + VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5 + VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui + uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-09T19:57:30Z" + mac: 
ENC[AES256_GCM,data:8/g54eitQhBZscPNQrS2uQH/aMEyxAlghM6wbMm8ynL8XO5of9HG3wk+1/zI3r9EpH8OwC2ZDvMPmgSsM9OZK8Q4v4s3qcsAzXU6yvhfLLeLtQ0F+hxnN2Iq0wa5OhvZkRk+7Q+xZYZSjoseJG240+trO0ltaCCF7ZBodFJ0BK8=,iv:827qo3WHh6zmk9hHrY9yt791cLegw4RHfnFUdR4h9Gg=,tag:VDKXQ8VB4FK3PI9AyxDgaw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/nixos/machines/kaalut/backupKey.yaml b/nixos/machines/kaalut/backupKey.yaml new file mode 100644 index 0000000..3dd60c6 --- /dev/null +++ b/nixos/machines/kaalut/backupKey.yaml 
@@ -0,0 +1,39 @@ +backupKey: ENC[AES256_GCM,data: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,iv:ap0DBhc41rGhwGZkZM54QfFGGCJiGu+WcaTwT2JKjsY=,tag:8xvJHjVT8cKxg2IA0iNqEA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFMkU2WlF3U2UzQTJ2QWxN + Yyt3OTVYN3NubWlubUkySjVVdStWT1hhdDNJCjU3UVM5RTF6d2dtbWo2RUN5Z2Ju + WE5SR1lTclkxSnROeUpZWWZ3c1JYUVEKLS0tIGhWTngrc2pvRS9nOVhEUW9XQzVL + d2NQUG9xRXdVbjI4VTUzN2tabXNZTUUKBVEZrW1IRV2B2lNMzIdzcEbyU6j6bcLK + hUWF9UBk7oZGzgPcZ9Mv+ZzkI4wEmCTy8R1lev/ocVSRNdApZpxguw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuczB3WW5LUURHRHdCSkcz + clBXZ0RwQlpabkR4ZkhlSkJhbHd3ejJJQ3g0CjhXejB4WnM5QURlcmIzTWNETGVp + clBBNWlqZmptNkNKMEhjRUpadTlzV2cKLS0tIGFYaHJCQk9pc2xnQ2R0ejJLc1dZ + UVYxYm5LOWxnQmE2U0RGbnpHK3ZpWTgKmNuXeamFRAwwi0byKfT9KV7O9zLpQhYm + /0sewbJhOnuxSc1g55Tdle1dZYYwQqbF3WFdg4XBe37HvIyDYpWZAw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cGRDT3VMeks5ODdyT1lu + Wjc1N0dMLzMzc1N4ckJ5RE94MmdHQ2lZcXlJCktialhsWWRCbytiSHlyKzdIZTF0 + a2l3bnIyVE9RM2IrY2liRi9NYXBTK2cKLS0tIEhCYXJrTWV6cEJST2Q4WHZ6cGtT + Ty93MXkrMzNvWWZ5SUp4czlrSnpVRnMKJIH8fLwGt9KkKi9D+0OY7sYvmxj6NAHc + 00YQXOspEq4TbAxLj881jh2Kfyprxl64sDHpb2icAXzVv6wE2cI2ZQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-09T20:10:40Z" + mac: 
ENC[AES256_GCM,data:SkhsUgq/d/FBUhIu3qfmIYKcRM6NuyR/e0KGz+0e70Du7hqVFXehoqUiWk869alJCjvIOU3zjq7rA3pFvGakV7nRfCQvYI5QkWHFctbCDtopLWcq67uUdj/VZpaW9UVt3e41hWIodxbDhFaxYAoqEfAUK5rhESMCx4Idd/fpYL8=,iv:DcaeyKkRhv02UbCCvr3XUcI0h0F2ZNA/TBrcyPIBi/c=,tag:CAqsBq055TmgPbSiPRVtAQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/nixos/machines/kaalut/configuration.nix b/nixos/machines/kaalut/configuration.nix new file mode 100644 index 0000000..66c997e --- /dev/null +++ b/nixos/machines/kaalut/configuration.nix 
@@ -0,0 +1,81 @@
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../modules/mail.nix
+ ../../roles
+ ../../roles/vm.nix
+ ../../modules/vmNetwork.nix
+ ];
+
+ # System configuration here
+ services.mathebau-mail = {
+ enable = true;
+ domains = [
+ {
+ domain = "koma89.tu-darmstadt.de";
+ allowlistPass = "/run/secrets/allowlistPassKoMa";
+ virt_aliases = "/run/secrets/koma.aliases";
+ }
+ {
+ domain = "mathebau.de";
+ allowlistPass = "/run/secrets/allowlistPassMathebau";
+ virt_aliases = "/run/secrets/mathebau.aliases";
+ }
+ ];
+ };
+
+ networking.hostName = "kaalut";
+ vmNetwork.ipv4 = "192.168.0.17";
+ system.stateVersion = "24.05";
+
+ sops.secrets = {
+ allowlistPassMatheball = {
+ sopsFile = ./allowlistPassMatheball.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ allowlistPassMathebau = {
+ sopsFile = ./allowlistPassMathebau.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ allowlistPassMathechor = {
+ sopsFile = ./allowlistPassMathechor.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ allowlistPassKoMa = {
+ sopsFile = ./allowlistPassKoMa.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ stalwartAdmin = {
+ sopsFile = ./stalwartAdmin.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ backupKey = {
+ sopsFile = ./backupKey.yaml;
+ owner = "root";
+ group = "root";
+ mode = "0400";
+ };
+ "koma.aliases" = {
+ sopsFile = ./koma.aliases.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0440";
+ };
+ "mathebau.aliases" = {
+ sopsFile = ./mathebau.aliases.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0440";
+ };
+ };
+}
diff --git a/nixos/machines/kaalut/hardware-configuration.nix b/nixos/machines/kaalut/hardware-configuration.nix
new file mode 100644
index 0000000..ce7112d
--- /dev/null
+++ b/nixos/machines/kaalut/hardware-configuration.nix
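Review bot: `sops.secrets` declares `allowlistPassMatheball` and `allowlistPassMathechor`, but `services.mathebau-mail.domains` references only the KoMa and Mathebau secrets, so two credentials are decrypted onto the host with no consumer visible in this file. Conversely, `mailForwardSieve.yaml` is added by the patch but never declared here. Drop what is unused or add the matching domain entries. The `/run/secrets/...` strings also repeat the secret names by hand; taking `config` as a module argument and writing `allowlistPass = config.sops.secrets.allowlistPassKoMa.path;` keeps path and declaration in sync. The two alias files use mode `0440` while every other secret is `0400` with the same owner and group, so `0400` would do unless another member of `stalwart-mail` needs to read them.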
@@ -0,0 +1,30 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [];
+
+ fileSystems."/" = {
+ device = "root";
+ fsType = "tmpfs";
+ options = ["size=1G" "mode=755"];
+ };
+ fileSystems."/persist" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=persist"];
+ neededForBoot = true;
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/boot";
+ fsType = "ext4";
+ };
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=nix"];
+ };
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/nixos/machines/kaalut/koma.aliases.yaml b/nixos/machines/kaalut/koma.aliases.yaml
new file mode 100644
index 0000000..7855f8e
--- /dev/null
+++ b/nixos/machines/kaalut/koma.aliases.yaml
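Review bot: `/` is a 1G tmpfs here, so only `/persist`, `/nix` and `/boot` survive a reboot. For a mail host that makes the location of the Stalwart data directory, the mail queue and the host's sops age key critical, and none of them is visible in this hunk. Confirm that mail.nix or the shared roles place them under `/persist`, and consider a comment such as `# root is ephemeral; all state must live under /persist` above `fileSystems."/"`. `pkgs` is bound in the argument set but not used in this file.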
@@ -0,0 +1,39 @@ +koma.aliases: ENC[AES256_GCM,data:GfbmoJpX1sQ/Fumey+pGxPKDnTd8cFFiGWQhU5PiAdcoFsO7CdK/alzOlzxut+gDeEpSuyV4fjYJ3+YGswrmbEOSpbylVj7hLakOnrUP+AMq7m8Ku+nQvM5wkT5OmMie6fPyDo6DRXTP84DKvlEtU612e+p6tZwJhbL1luFOxw==,iv:WbD+gAb8Yj2n7HPbbYzC4IrWpKf53COUuyy45iBf9cU=,tag:fdvWGoBnqnLDZUXrTi5PKQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6encybXQydVFxOEExa3h2 + aklSRzljdmEvdlk0K1I4QzVrT3R0TEI3L1JBCjdCNnc4V2xWZTFoWDJBMEg2elcy + Z2U3MmdKWlNqYklUZkJMUUFVbzhOYlEKLS0tIEFYU3N2MEZCUndKa3FzMHkrRDZ4 + bmhWeUVXK1hHamwwc0VkWU9zSHdqQ0EK21CI9uabjcy/8TaYAZ2dnkEAkp0f+1cy + MWsy3gf72qhIPBcqECet1nVdsjWIqVzagSsGnvbM1qVyqWRp/56JbA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTGJjS1owL2tMeXFyY1p3 + QUxubUZid0pKUDQzMXdxN1prMkZ3L3NOalFjCnF3TzRWZ2xEd1FnZUh4WEVUUG45 + c1lnazhzanBsMEFUMmVmOVNVOFV0d0UKLS0tIGF6UWt2azU5UG9YMUthZVBsRitu + NU9XVzJXdjdSM0JZbWRoUmdmM2FRUWsKQIfAkTZ2BaN0ot9gqmVCshI5KTMHALMR + io1VeEKeyIP/Lr5r+RggCdV/YlazjSiUGJfdGgBaVF5u6ItU3UYVug== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXeE9JOE9reGdwd2lYaUZC + RkxpNG95Tkl3UWNXT0YxWkU4VkFoUGlDeVJnCnA3SDNXMGZYbXEyZ0hLcnNJQ0gv + K3l6T2dOVVIzbEt1amNoVGhGWW9vdEUKLS0tIDFrckxValhzQ216a0Q5RTNCSjBy + VHQ5SFhQRzZDTFUxTUR6N0JnV0w0aVEK13d5XK4C+qpgPRqiEo69exZu1//0HKiI + N2n2Uzaj7qoqe6rM5XWAYUZeuiqfk98q72tl0GeBt0rNb92C4Sugkw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-20T16:58:33Z" + mac: 
ENC[AES256_GCM,data:7jlEw0bcNpgqcY+6FByr721UGN6/svyQaXJluCBgD33kYiyZeAclMTEGbH0Hvpg2jgjojNoGLk05boKstfOCvT1T0ifhuIFiU3uiund09qahEv7o0ZPCmEepPF9O/Mdkz9TNB3y2BMEwPXKpWDXwFGAEL59uuTpIhzGDuVhfFd4=,iv:PknetrIaupjTsBfPPdrpthxE05UDFg5Iesz4mS134Oo=,tag:1CFIG7PEEIKb7nlgFUmgTQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/mailForwardSieve.yaml b/nixos/machines/kaalut/mailForwardSieve.yaml new file mode 100644 index 0000000..39b24bb --- /dev/null +++ b/nixos/machines/kaalut/mailForwardSieve.yaml 
@@ -0,0 +1,39 @@ +mailForwardSieve: ENC[AES256_GCM,data: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,iv:8jbgemrc1+q0OoMc0WivjVLwL2dY78fQmwD0oUZZ8B4=,tag:7YkjrPYPccm/bsjdRVnhYQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoS0c2YkJ6ZkI2RUJRNUY2 + QTRZSFhZNU51L09rRk40OWhZQTZweG53bDNBCnM5Sm1MRmJxS24zV2lwQUdJc1Q2 + ZFNPU0hTaCtod3BrRDZKV3VLOUVyQVkKLS0tIDZycm52VmJsUWhaQXRJRnZ0RXJ3 + bFF0Tm1nODY2ZlRhM2JEZkRNMHU5M1UKqCZtZetF0sR0NCGbuC9OJqomaL0cDzpQ + LiEV4UmnEnBAPnQNmGUK/HZReWZe0j4pYBT8Jkyob7dvgkRTzdpJpQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZVBLblNjNjhmS2ZSTW81 + bUF1cmpSUE5JaDJFVDRTc3kvNFIrMVg3Q0NjCm5aSnU2MXNFQ1NtUnRaQ2FmOG04 + Q0UvRTJYK1ZZL3p4bzR0bnI5S2Z2ZTgKLS0tIGF4dVh4QzdRdUNKMG1leWp2UFhm + Y25tSVRaelVVQWRCcmtVRTMrSis4V2cKVbz6SVEQgAIcdVtRarZqfTaJcgxRphdd + WX6YDsdMAFg2fwKKMQy+jQhQl4OymxzhKd4Xzls7KVWMvoSQQJWUDg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeW1kcWEwYTBhQTJBMmRn + QTM2bDVnd3dxVm1HWWZPeDZzdjc5ZzVvdTN3Cit0NmtXbk96K3ZlNkNuRk5RZ2NV + R3RETmlCNGdWdk1ORGtmK0pQWVNlMjQKLS0tIHZJLzd5WHY1U1BPbjZESnA5SGdy + VVduS0lDU3hETGxtWFZ5YmFUVXQzbEEKFy3uE2yJHygr7lBBfuw1sHonaFVsVaEs + lADtRxUOGbxQumFIIYhCVC8R3ZbX569iwtFE0JyNhvcFsLYiUu2gHw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-02T18:06:42Z" + mac: 
ENC[AES256_GCM,data:lRrj0QHKJEPsvnF0A009ch7hDXT1kjq60VPoXU44vmcUcA34vb0Eg7YcBprxCkCrmk6nkBo+4dx24mh+KhtqE4IP2JusIUyY8nhnIYawftfZwWSE3MtEe3EhQc+/1dlg6QOBHX+EyxVpPeOPEgNk5cFWYRHVKTYgQTsfAbWM4Q4=,iv:sUVb+7e1/kNKI4adubfLjYQ9CtNlKnMtGcLesoEyRXQ=,tag:Idg/iKz8dX2jHp1C3sHDIA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/mathebau.aliases.yaml b/nixos/machines/kaalut/mathebau.aliases.yaml new file mode 100644 index 0000000..1c4c16c --- /dev/null +++ b/nixos/machines/kaalut/mathebau.aliases.yaml 
@@ -0,0 +1,39 @@ +mathebau.aliases: ENC[AES256_GCM,data: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,iv:uV7DdrhI4u5w1tyRhyzy1J5voJ7smeEq8YyJKQHqfKY=,tag:KPpE8FYcAylIfoD96kD7Yg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoS0c2YkJ6ZkI2RUJRNUY2 + QTRZSFhZNU51L09rRk40OWhZQTZweG53bDNBCnM5Sm1MRmJxS24zV2lwQUdJc1Q2 + ZFNPU0hTaCtod3BrRDZKV3VLOUVyQVkKLS0tIDZycm52VmJsUWhaQXRJRnZ0RXJ3 + bFF0Tm1nODY2ZlRhM2JEZkRNMHU5M1UKqCZtZetF0sR0NCGbuC9OJqomaL0cDzpQ + LiEV4UmnEnBAPnQNmGUK/HZReWZe0j4pYBT8Jkyob7dvgkRTzdpJpQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZVBLblNjNjhmS2ZSTW81 + bUF1cmpSUE5JaDJFVDRTc3kvNFIrMVg3Q0NjCm5aSnU2MXNFQ1NtUnRaQ2FmOG04 + Q0UvRTJYK1ZZL3p4bzR0bnI5S2Z2ZTgKLS0tIGF4dVh4QzdRdUNKMG1leWp2UFhm + Y25tSVRaelVVQWRCcmtVRTMrSis4V2cKVbz6SVEQgAIcdVtRarZqfTaJcgxRphdd + WX6YDsdMAFg2fwKKMQy+jQhQl4OymxzhKd4Xzls7KVWMvoSQQJWUDg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeW1kcWEwYTBhQTJBMmRn + QTM2bDVnd3dxVm1HWWZPeDZzdjc5ZzVvdTN3Cit0NmtXbk96K3ZlNkNuRk5RZ2NV + R3RETmlCNGdWdk1ORGtmK0pQWVNlMjQKLS0tIHZJLzd5WHY1U1BPbjZESnA5SGdy + VVduS0lDU3hETGxtWFZ5YmFUVXQzbEEKFy3uE2yJHygr7lBBfuw1sHonaFVsVaEs + lADtRxUOGbxQumFIIYhCVC8R3ZbX569iwtFE0JyNhvcFsLYiUu2gHw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-14T14:36:32Z" + mac: 
ENC[AES256_GCM,data:wz0MkdaDNt33GjZIvlGTWNjjYO6iL2VTSiiGC0ckHkRiGL67Ht3E6m86uT8bbeYrXdvvD4j+pQJArEUTI5UxVOwZI/85iGESgl+07e0QHqabWnmXynj8nC0yF/0i4YJ0mJCGu4hb0dyOhLSW1ThT5TA0iE30nEVRJ3X4QDzEUuc=,iv:u55qvjJHr1gCwSz59q3QgX7Ydx2I9GFH8Ejj11V/6+0=,tag:moMpVWNpd6qS0O/uMfTa8Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/stalwartAdmin.yaml b/nixos/machines/kaalut/stalwartAdmin.yaml new file mode 100644 index 0000000..a237fcd --- /dev/null +++ b/nixos/machines/kaalut/stalwartAdmin.yaml 
@@ -0,0 +1,39 @@ +stalwartAdmin: ENC[AES256_GCM,data:bivVihZRD+ie1Vo1htEFiZ77u6A=,iv:sJ97O7oT9btgML8YzM4Puy8h+9VajVHSlzWObhrUEWU=,tag:+jZIn18tixkNTprQlz6WiQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncElOY2VuRUNzWHhCdkVr + MWJmbXNLRWpnT1NCK0pJeWpsQ0pwSVpialVJCmVzaVBRMitKRWpLOThBMGl4c2pt + U291Zk8yeFhtVWNmamxJbVF3V3NMSVEKLS0tIDR5Nmhvb2hPNUVlVU9BQnJxU0lv + L3ZvZ3VXZVdIVXJYOHkwYUR1N0dSVFkK5LRlqyJbxuKkddgO4xSNUkrAiUnrbVUt + C72CNDg4q/KQ8nQ5TP+JgKyYZQFzvKPhP7+YdfUobDaHOPnKG0cVAg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WXoweFRJME1sRzhSd1VO + bDY1QWp1aWtldEdwbHRXUGt4UmN1T1hhem4wCmQwcnBnRkFsaFVBd0FqNHNoc0ov + RTQwbFpZa0E2aVRLWGNEc2NySkcwNzAKLS0tIERrWVBSNFlQQVV1c2g1YjI4RjlR + MFJQUU94RUoxTVErVHFkYmM3TlhFcTgKHCsbj8nfFOb4eYh6IdXKL+xXWNF7JSjR + Zl0rUTXSWlf4DOGtolp9ZuYMkJ9tcDUh1Qy090lQ0+FKUdTpnreorg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBcUsrZThHZ1VCNzhOS1Iz + d1pvR3M3WHNOdUJ5c0tzYVdYT20vYmF5Y2cwCmQ1ejRuMGxIS2U3NGdMOTFuN21H + VXgveWc0SE5TVlgzV1lieVZpRTN5SXMKLS0tIGlxSHVUMEh4R0pUekRGeGRjejdi + dEg0V01PdWpNdUxmN1RzQVZjdTlMSkEKdT7VEl5kIRyNY1KwWShuvyIZkyT+KlHs + JbhcFJznJNkn13G+SuPaLQ/WxpuO1MxDCeKnya/vuNw3sSu74nSWrg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-09T08:06:21Z" + mac: 
ENC[AES256_GCM,data:2ab0OS7muwU0RrxKIvLJMt9RYaFZ79ABbMzYvO9A01yhuSGQAdkq5h1KfhfSXslTCQTvIIz2meT1wD1JZOOgYo6oA6qxtp2Sfp0XFQtEHL6Rb4vS1iPDt0jHvllTtnA8vj4R6lk2991utiGRNAnmbiAEFCXNZwKHVLAf6SnyjNc=,iv:Eb9nH23WoIeDw+0oViOfRJhb/+sKH17Jc3dL7njrxLQ=,tag:5YnJLBo0qvFr6CmomTAmKQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/nixos/modules/borgbackup.nix b/nixos/modules/borgbackup.nix index b552c8b..9889238 100644 --- a/nixos/modules/borgbackup.nix +++ b/nixos/modules/borgbackup.nix @@ -76,6 +76,13 @@ in { path = "/var/lib/backups/ithaqua"; allowSubRepos = true; }; + kaalut = { + authorizedKeysAppendOnly = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcAJkEXcvrDEQf1zRhBXLe1CSHOTooM3qy0KMfS9oug Kaalut Backup" + ]; + path = "/var/lib/backups/kaalut"; + allowSubRepos = true; + }; lobon = { authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEptjf1UWRlo6DG9alAIRwkSDUAVHwDKkHC6/DeYKzi Lobon Backup" diff --git a/nixos/modules/mail.nix b/nixos/modules/mail.nix new file mode 100644 index 0000000..b93dcb4 --- /dev/null +++ b/nixos/modules/mail.nix 
@@ -0,0 +1,288 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit
+ (lib)
+ mkIf
+ mkEnableOption
+ mkOption
+ ;
+ inherit (lib.types) listOf str;
+ cfg = config.services.mathebau-mail;
+in {
+ options.services.mathebau-mail = {
+ enable = mkEnableOption "mathebau mail service";
+ domains = mkOption {
+ type = listOf (lib.types.submodule {
+ options = {
+ domain = mkOption {
+ type = str;
+ };
+ allowlistPass = mkOption {
+ type = str;
+ };
+ virt_aliases = mkOption {
+ type = str;
+ default = "";
+ };
+ };
+ });
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [pkgs.alias-to-sieve];
+
+ services = {
+ stalwart-mail = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ server = {
+ lookup.default.hostname = "fb04184.mathematik.tu-darmstadt.de"; # Because the DNS PTR of 130.83.2.184 is this and this should be used in SMTP EHLO.
+ listener = {
+ "smtp" = {
+ bind = ["[::]:25"];
+ protocol = "smtp";
+ };
+ "submissions" = {
+ # Enabling sending from these domains privately blocked on https://github.com/stalwartlabs/mail-server/issues/618
+ bind = ["[::]:465"];
+ protocol = "smtp";
+ tls.implicit = true;
+ };
+ "imaptls" = {
+ bind = ["[::]:993"];
+ protocol = "imap";
+ tls.implicit = true;
+ };
+ "management" = {
+ bind = ["[::]:80"]; # This must also bind publically for ACME to work.
+ protocol = "http";
+ };
+ };
+ };
+ acme.letsencrypt = {
+ directory = "https://acme-v02.api.letsencrypt.org/directory"; # This setting is necessary for this block to be activated
+ challenge = "http-01";
+ contact = ["root@mathebau.de"];
+ domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"];
+ default = true;
+ };
+ spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding
+ auth = {
+ # TODO check if HRZ conforms to these standards and we can validate them strictly
+ dkim.verify = "relaxed";
+ arc.verify = "relaxed";
+ dmarc.verify = "relaxed";
+ iprev.verify = "relaxed";
+ spf.verify.ehlo = "relaxed";
+ spf.verify.mail-from = "relaxed";
+ };
+
+ # Forward outgoing mail to HRZ or mail VMs.
+ # see https://stalw.art/docs/smtp/outbound/routing/ relay host example
+ queue.outbound = {
+ next-hop = [
+ {
+ "if" = "rcpt_domain = 'lists.mathebau.de'";
+ "then" = "'mailman'";
+ }
+ {
+ "if" = "is_local_domain('', rcpt_domain)";
+ "then" = "'local'";
+ }
+ {"else" = "'hrz'";}
+ ];
+ tls = {
+ mta-sts = "disable";
+ dane = "disable";
+ starttls = "optional"; # e.g. Lobon does not offer starttls
+ };
+ };
+ remote."hrz" = {
+ address = "mailout.hrz.tu-darmstadt.de";
+ port = 25;
+ protocol = "smtp";
+ tls.implicit = false; # somehow this is needed here
+ };
+ remote."mailman" = {
+ address = "lobon.mathebau.de"; # must be created in DNS as a MX record
+ port = 25;
+ protocol = "smtp";
+ tls.implicit = false; # somehow this is needed here
+ };
+
+ # In order to accept mail that we only forward
+ # without having to generate an account.
+ # Invalid addresses are filtered by DFN beforehand.
+ session.rcpt = {
+ catch-all = true;
+ relay = [
+ {
+ "if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de'";
+ "then" = true;
+ }
+ {"else" = false;}
+ ];
+ };
+ config.local-keys =
+ [
+ "store.*"
+ "directory.*"
+ "tracer.*"
+ "server.*"
+ "!server.blocked-ip.*"
+ "authentication.fallback-admin.*"
+ "cluster.node-id"
+ "storage.data"
+ "storage.blob"
+ "storage.lookup"
+ "storage.fts"
+ "storage.directory"
+ "lookup.default.hostname"
+ "certificate.*"
+ ] # the default ones
+ ++ ["sieve.trusted.scripts.*"]; #for macros to be able to include our redirection script
+ sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%";
+ session.data.script = "'redirects'";
+
+ authentication.fallback-admin = {
+ user = "admin";
+ secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg";
+ };
+ };
+ };
+ };
+ environment.persistence.${config.impermanence.name} = {
+ directories = [
+ "/var/lib/stalwart-mail"
+ ];
+ files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
+ };
+
+ # Update HRZ allowlist
+ # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
+ # will stop working if no valid TUIDs are associated to our domain.
+ systemd = {
+ timers."mailAllowlist" = {
+ wantedBy = ["timers.target"];
+ timerConfig = {
+ OnBootSec = "5m"; # Run every 5 minutes
+ OnUnitActiveSec = "5m";
+ RandomizedDelaySec = "2m"; # prevent overload on regular intervals
+ Unit = "mailAllowlist.service";
+ };
+ };
+ services = {
+ "mailAllowlist" = {
+ description = "Allowlist update: Post the mail addresses to the HRZ allowllist";
+ script = let
+ scriptTemplate = {
+ domain,
+ allowlistPass,
+ ...
+ }: ''
+ # Get the mail addresses' local-part
+ ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) account list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' | tee /tmp/addresses
+ ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) list list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' | tee -a /tmp/addresses
+ ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) group list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' | tee -a /tmp/addresses
+ ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases | tee -a /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need.
+ # Post local-parts to HRZ
+ ${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${domain} -F password=$(cat ${allowlistPass}) -F emailliste=@/tmp/addresses -F meldungen=voll
+ # Cleanup
+ rm /tmp/addresses
+ '';
+ in
+ lib.strings.concatStringsSep "" (map scriptTemplate cfg.domains);
+ serviceConfig = {
+ Type = "oneshot";
+ User = "stalwart-mail";
+ NoNewPrivileges = true;
+ # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
+ PrivateTmp = false; # allow access to sieve script
+ ProtectHome = true;
+ ReadOnlyPaths = "/";
+ ReadWritePaths = "/tmp";
+ InaccessiblePaths = "-/lost+found";
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+ };
+ "stalwart-mail" = {
+ restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets;
+ serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script
+ };
+ "virt-aliases-generator" = {
+ description = "Virtual Aliases Generator: Generate a sieve script from the virtual alias file";
+ script = let
+ scriptTemplate = {
+ domain,
+ virt_aliases,
+ ...
+ }:
+ if virt_aliases != ""
+ then "${virt_aliases} ${domain} "
+ else "";
+ in
+ lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map scriptTemplate cfg.domains ++ ["> /tmp/virt_aliases"]);
+ wantedBy = ["stalwart-mail.service"];
+ serviceConfig = {
+ Type = "oneshot";
+ User = "stalwart-mail";
+ NoNewPrivileges = true;
+ # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
+ PrivateTmp = false;
+ ProtectHome = true;
+ ReadOnlyPaths = "/";
+ ReadWritePaths = "/tmp";
+ InaccessiblePaths = "-/lost+found";
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+ };
+ };
+ };
+ # Backups
+ services.borgbackup.jobs.mail = {
+ paths = [
+ "/var/lib/stalwart-mail/data"
+ ];
+ encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction.
+ environment = {
+ BORG_RSH = "ssh -i /run/secrets/backupKey";
+ # “Borg ensures that backups are not created on random drives that ‘just happen’ to contain a Borg repository.”
+ # https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html
+ # We don't want this in order to not need to persist borg cache and simplify new deployments.
+ BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
+ };
+ repo = "borg@192.168.1.11:kaluut"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33
+ startAt = "daily";
+ user = "root";
+ group = "root";
+ };
+ };
+}
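Review bot: The generated redirect script is written to the fixed path `/tmp/virt_aliases` and then loaded as a trusted Sieve script through `%{file:/tmp/virt_aliases}%`, with `PrivateTmp = false` on `virt-aliases-generator`, `mailAllowlist` and `stalwart-mail`, so the integrity of mail redirection rests on a world-writable directory in which any local account can occupy that name before the generator runs. A directory that only `stalwart-mail` can write would remove that dependency and the three `PrivateTmp` overrides, for example `RuntimeDirectory = "virt-aliases";` plus `RuntimeDirectoryPreserve = "yes";` on the oneshot generator (directory name is an example), with the macro and the `grep` pointed at `/run/virt-aliases/virt_aliases`; `/tmp/addresses`, which is uploaded to the HRZ allowlist, has the same weakness. The `mailAllowlist` script also expands both secrets into process arguments (`-c $(cat /run/secrets/stalwartAdmin)` and `-F password=$(cat ${allowlistPass})`), where they are readable from the process list while the commands run; curl can read the field from the file itself with `-F "password=<${allowlistPass}"`, and it is worth checking whether the packaged `stalwart-cli` can take its credentials from the environment instead of `-c`. Separately, `authentication.fallback-admin.secret` commits the admin hash (argon2i, `m=4096`) to the repository while the `management` listener serves HTTP without TLS on `[::]:80` with `openFirewall = true`; loading the hash from a sops-managed file, presumably possible with the same `%{file:…}%` macro, would keep it out of the repository and the Nix store.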