From a4ec046ead4b148d9801013ccad1e8031fbe7552 Mon Sep 17 00:00:00 2001 From: Gonne Date: Wed, 10 Jul 2024 22:56:46 +0200 Subject: [PATCH] First try to install Stalwart as a mail software --- .sops.yaml | 7 + flake-module.nix | 6 + flake.lock | 153 ++++++++-- flake.nix | 3 + nixos/machines/kaalut/allowlistPassKoMa.yaml | 39 +++ .../kaalut/allowlistPassMatheball.yaml | 39 +++ .../kaalut/allowlistPassMathebau.yaml | 39 +++ .../kaalut/allowlistPassMathechor.yaml | 39 +++ nixos/machines/kaalut/backupKey.yaml | 39 +++ nixos/machines/kaalut/configuration.nix | 81 +++++ .../kaalut/hardware-configuration.nix | 30 ++ nixos/machines/kaalut/koma.aliases.yaml | 39 +++ nixos/machines/kaalut/mailForwardSieve.yaml | 39 +++ nixos/machines/kaalut/mathebau.aliases.yaml | 39 +++ nixos/machines/kaalut/stalwartAdmin.yaml | 39 +++ nixos/modules/borgbackup.nix | 7 + nixos/modules/mail.nix | 285 ++++++++++++++++++ 17 files changed, 897 insertions(+), 26 deletions(-) create mode 100644 nixos/machines/kaalut/allowlistPassKoMa.yaml create mode 100644 nixos/machines/kaalut/allowlistPassMatheball.yaml create mode 100644 nixos/machines/kaalut/allowlistPassMathebau.yaml create mode 100644 nixos/machines/kaalut/allowlistPassMathechor.yaml create mode 100644 nixos/machines/kaalut/backupKey.yaml create mode 100644 nixos/machines/kaalut/configuration.nix create mode 100644 nixos/machines/kaalut/hardware-configuration.nix create mode 100644 nixos/machines/kaalut/koma.aliases.yaml create mode 100644 nixos/machines/kaalut/mailForwardSieve.yaml create mode 100644 nixos/machines/kaalut/mathebau.aliases.yaml create mode 100644 nixos/machines/kaalut/stalwartAdmin.yaml create mode 100644 nixos/modules/mail.nix diff --git a/.sops.yaml b/.sops.yaml index bc5cfc6..e112b48 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -5,6 +5,7 @@ keys: - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4 - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn + - &kaalut age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj creation_rules: - path_regex: nixos/machines/nyarlathotep/.* @@ -25,6 +26,12 @@ creation_rules: - *nerf - *gonne - *lobon + - path_regex: nixos/machines/kaalut/.* + key_groups: + - age: + - *nerf + - *gonne + - *kaalut # this is the catchall clause if nothing above machtes. Encrypt to users but not # to machines - key_groups: diff --git a/flake-module.nix b/flake-module.nix index c30fff4..07ff088 100644 --- a/flake-module.nix +++ b/flake-module.nix @@ -53,6 +53,12 @@ _module.args.pkgs = import inputs.nixpkgs { inherit system; config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"]; + + overlays = [ + (_: _: { + alias-to-sieve = inputs.alias-to-sieve.packages.x86_64-linux.default; + }) + ]; }; }; diff --git a/flake.lock b/flake.lock index 846ad85..b3a8028 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,25 @@ { "nodes": { + "alias-to-sieve": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": "nixpkgs", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1731580934, + "narHash": "sha256-b1TZ91IFOEPPXfuhVG0nb4GGyX+g0SQujuqS9RJaC5Q=", + "ref": "refs/heads/main", + "rev": "b3f09cd22fb0f73ee8d91bf19f51f5144280e3cb", + "revCount": 11, + "type": "git", + "url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve" + }, + "original": { + "type": "git", + "url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve" + } + }, "blobs": { "flake": false, "locked": { 
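Review bot: The overlay added to the `import inputs.nixpkgs` call in flake-module.nix hard-codes `x86_64-linux`, although `system` is already in scope on the `inherit system;` line just above it. Evaluated for any other system, this package set would still hand out the x86_64 build of alias-to-sieve. Write the attribute as `alias-to-sieve = inputs.alias-to-sieve.packages.${system}.default;`. The enclosing block starts and ends outside the hunk.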
@@ -21,11 +41,29 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1727826117, - "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_2" + }, + "locked": { + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", "type": "github" }, "original": { @@ -35,11 +73,11 @@ }, "impermanence": { "locked": { - "lastModified": 1729068498, - "narHash": "sha256-C2sGRJl1EmBq0nO98TNd4cbUy20ABSgnHWXLIJQWRFA=", + "lastModified": 1731242966, + "narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=", "owner": "nix-community", "repo": "impermanence", - "rev": "e337457502571b23e449bf42153d7faa10c0a562", + "rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a", "type": "github" }, "original": { @@ -71,15 +109,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1729665710, - "narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=", - "owner": "NixOS", + "lastModified": 1730200266, + "narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d", + "rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd", "type": "github" }, "original": { - "owner": "NixOS", + "owner": "nixos", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" 
@@ -102,23 +140,35 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1727825735, - "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", + "lastModified": 1730504152, + "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + } + }, + "nixpkgs-lib_2": { + "locked": { + "lastModified": 1730504152, + "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" } }, "nixpkgs-stable": { "locked": { - "lastModified": 1729357638, - "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=", + "lastModified": 1730602179, + "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22", + "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c", "type": "github" }, "original": { 
@@ -128,6 +178,38 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1728538411, + "narHash": "sha256-f0SBJz1eZ2yOuKUr5CA9BHULGXVSn6miBuUWdTyhUhU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b69de56fac8c2b6f8fd27f2eca01dcda8e0a4221", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1731319897, + "narHash": "sha256-PbABj4tnbWFMfBp6OcUK5iGy1QY+/Z96ZcLpooIbuEI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "dc460ec76cbff0e66e269457d7b728432263166c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "pre-commit-hooks": { "inputs": { "flake-compat": [], @@ -136,11 +218,11 @@ "nixpkgs-stable": [] }, "locked": { - "lastModified": 1729104314, - "narHash": "sha256-pZRZsq5oCdJt3upZIU4aslS9XwFJ+/nVtALHIciX/BI=", + "lastModified": 1731363552, + "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "3c3e88f0f544d6bb54329832616af7eb971b6be6", + "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0", "type": "github" }, "original": { 
@@ -151,14 +233,33 @@ }, "root": { "inputs": { - "flake-parts": "flake-parts", + "alias-to-sieve": "alias-to-sieve", + "flake-parts": "flake-parts_2", "impermanence": "impermanence", "nixos-mailserver": "nixos-mailserver", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_3", "pre-commit-hooks": "pre-commit-hooks", "sops-nix": "sops-nix" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1730601085, + "narHash": "sha256-Sgax33jGuvVHTjl1P78IwzlhAGyOxtx5Q26inKja8S4=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "8d1b40f8dfd7539aaa3de56e207e22b3cc451825", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ @@ -167,11 +268,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1729931925, - "narHash": "sha256-3tjYImjVzsSM4sU+wTySF94Yop1spI/XomMBEpljKvQ=", + "lastModified": 1731364708, + "narHash": "sha256-HC0anOL+KmUQ2hdRl0AtunbAckasxrkn4VLmxbW/WaA=", "owner": "Mic92", "repo": "sops-nix", - "rev": "b2211d1a537136cc1d0d5c0af391e8712016b34e", + "rev": "4c91d52db103e757fc25b58998b0576ae702d659", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index b4b5593..2e6f161 100644 --- a/flake.nix +++ b/flake.nix @@ -2,6 +2,9 @@ description = "Description for the project"; inputs = { + alias-to-sieve = { + url = "git+https://gitea.mathebau.de/fachschaft/alias_to_sieve"; + }; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixos-mailserver = { url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git"; diff --git a/nixos/machines/kaalut/allowlistPassKoMa.yaml b/nixos/machines/kaalut/allowlistPassKoMa.yaml new file mode 100644 index 0000000..05ff499 --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassKoMa.yaml 
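Review bot: The new `alias-to-sieve` input in flake.nix is declared without any `follows`, and the flake.lock changes in this commit show it bringing its own `nixpkgs`, `flake-parts` and `rust-overlay` nodes. The tool that generates Sieve rules for the mail host is therefore built from a second, separately pinned package set rather than the one the rest of the system uses, so a fix in the system nixpkgs does not necessarily reach it. If the upstream flake evaluates against this repository's pins, add `inputs.nixpkgs.follows = "nixpkgs";` and `inputs.flake-parts.follows = "flake-parts";` inside the input; otherwise add a comment saying the extra pins are intentional. The `inputs` set continues outside the hunk.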
@@ -0,0 +1,39 @@ +allowlistPassKoMa: ENC[AES256_GCM,data:vvXurWHumzWQAvcFlkzJqQ==,iv:8zizeoGXY6zBGYsajuDJdvw8YNL81vXaghvBNOPTwYk=,tag:Fwwh56wLSeIPswSUEKWFZA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv + dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo + TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy + MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK + wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm + THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds + M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG + WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr + hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4 + My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG + VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5 + VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui + uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-09T08:05:54Z" + mac: 
ENC[AES256_GCM,data:L/bMe8fpKnUfWyjIANJF7yLkoEGcsjvnFoGpRbGeKV9Xv9NgVfZk+h58BXeq9cMvrcWxeJC1SmiVy31XRkqjaOYqYdW2R2yRqSBKeHX6fjh1iSjdHVctl1Jk7mBNhObD8PqOQ9mMdschTg5s87n3bOgFhrkarktbbmf7fOKQ5Z4=,iv:fClCggabDbSXO5h9p+B10H2J7ouKJnBkHEKWyj1Jnwk=,tag:5MthaOqhUFROdrpJOV3BxQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/nixos/machines/kaalut/allowlistPassMatheball.yaml b/nixos/machines/kaalut/allowlistPassMatheball.yaml new file mode 100644 index 0000000..35bf6ed --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMatheball.yaml 
@@ -0,0 +1,39 @@ +allowlistPassMatheball: ENC[AES256_GCM,data:KYrnJRTKt/h5,iv:TSCWpvrBqVvpRBxL1efzIJkdhd3V98EzG3PBoMJjfK0=,tag:L6yR49TuTlvFwtwhQ6WByg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv + dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo + TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy + MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK + wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm + THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds + M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG + WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr + hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4 + My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG + VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5 + VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui + uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-09T19:57:12Z" + mac: 
ENC[AES256_GCM,data:NjzqVHpG/KRQNB0slb6rJ7+zJhV9JSsUjfjHk9DhyvgtgP9NUsMTdKKUkJmi0mCwQYk0fDXSDyptCvXk1x6AkgAUcZCdD7nxYH87QTF4hcdiwYohxTEqhuJzEBbIek4z96B1BUd2kQc9pH3OvvHJNXMOO/88uhj2WzOEdeBz+Qw=,iv:iT2aa66hJr3c4HiYsFbzURM8bZegnuAaF9yYMNCd5io=,tag:9ZIB2sofrxB/FxM0Yam7Kg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/nixos/machines/kaalut/allowlistPassMathebau.yaml b/nixos/machines/kaalut/allowlistPassMathebau.yaml new file mode 100644 index 0000000..64908cd --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMathebau.yaml 
@@ -0,0 +1,39 @@ +allowlistPassMathebau: ENC[AES256_GCM,data:/82Jz2LOREgt,iv:K04xQd4djPzfg1D2RTVUw0wQLpG3+GEAFwlaC+qx4NY=,tag:GpZmS53bX8egsUEbPlVouw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv + dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo + TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy + MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK + wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm + THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds + M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG + WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr + hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4 + My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG + VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5 + VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui + uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-09T19:57:22Z" + mac: 
ENC[AES256_GCM,data:1rcc3zGN+emSqaRw0Yng6w/yHgcGW7k6DFrwouLi0ejZO/yo1fl4kYO/MCk7Ujlgls+KVwn9+sdQxCjfNjIGIIurtcGu2b8BGAZzSz3n8U/EEOqn6lD1xn598xC24hfv17/fbBgzw812FVupHE5ZVxDm92foCN0o64G1iX+3jqw=,iv:/iR3iqQVpQU35h8C1QOtRFFfVtGkKGxtl6JqixTR4VI=,tag:DVPVtcIiCiwkJvJDUkHBSg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/nixos/machines/kaalut/allowlistPassMathechor.yaml b/nixos/machines/kaalut/allowlistPassMathechor.yaml new file mode 100644 index 0000000..974694c --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMathechor.yaml 
@@ -0,0 +1,39 @@ +allowlistPassMathechor: ENC[AES256_GCM,data:XEcJzY7R4obq,iv:45yRZwODIcUosD4bESmBxs0nOZHE6YQj5ptwoNyKLe8=,tag:h7SxNVhU9EpiFNv8b7N8yA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZElMTjFGWEs5NXVqK2kv + dlhpM2txSXluODFKVDM2bExucGJzYW9xU25BCm5QMnYrNS9PN3ozeW1LbGRNdzlo + TU5zQ3c3enNZSXh1TDMvUHV3TkdRVmMKLS0tIGw3SnlVQWttbVJqK3JLZjgvZUgy + MzlwYlZNblJka0Yxb1QyMnV3OENkOGsKON4XW2H6kOEFcPPub2WdJ3PD4a1wnSYK + wjJZ2dz0peRTzHLhQovDI5Qj1ESc+J1RlCL+cSJ187sejestVGSaNA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnYzV2em9uWUtzeW5uekdm + THBkQ29zK0J5Sk56a1hnOWI4R2Q1bU9nYldJCk9IbU1vZS9mSjhkaCtEWG03cGds + M1Jmbzh3SzZGODN1c095Q3JyKy9lVHMKLS0tIE1DMjc2S0ZiRFQ1OE5ZcGs4VEVG + WU11bFMzQjZlejhCcmVGL1Z2Y2ZaTncKcj0Ysj6L73mfbqAp/ViWFcoCS1hk8EPr + hOlZIAWPg45ND8rttW9cOIIHhCYAWZqMZEAVvxPBftHc+WGjpoeK9g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWnVrelZ5U2pwR3EyUmg4 + My9JeXIvdG9WY0RyazFZd0JrTDZNNkIxUEZnClBHbXh2Zmd0cERjQUZUMy9scUVG + VUxqc3FJMGlET2o2cXpMaWNyWFZjeDAKLS0tIGpKSlRlSFVjZmlvUmhZZGNpSDR5 + VXVsYlNnSVJUbTh6dm5CTVpXMEFSZ2sKSBTQLmWRe8jvDROG3bdMMFKDOghBeZui + uat6NxOEDVo6VDqu8hxZ7/4uKpyXh816I7TJPsLYnLy5K46+hcg7/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-09T19:57:30Z" + mac: 
ENC[AES256_GCM,data:8/g54eitQhBZscPNQrS2uQH/aMEyxAlghM6wbMm8ynL8XO5of9HG3wk+1/zI3r9EpH8OwC2ZDvMPmgSsM9OZK8Q4v4s3qcsAzXU6yvhfLLeLtQ0F+hxnN2Iq0wa5OhvZkRk+7Q+xZYZSjoseJG240+trO0ltaCCF7ZBodFJ0BK8=,iv:827qo3WHh6zmk9hHrY9yt791cLegw4RHfnFUdR4h9Gg=,tag:VDKXQ8VB4FK3PI9AyxDgaw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/nixos/machines/kaalut/backupKey.yaml b/nixos/machines/kaalut/backupKey.yaml new file mode 100644 index 0000000..3dd60c6 --- /dev/null +++ b/nixos/machines/kaalut/backupKey.yaml 
@@ -0,0 +1,39 @@ +backupKey: ENC[AES256_GCM,data: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,iv:ap0DBhc41rGhwGZkZM54QfFGGCJiGu+WcaTwT2JKjsY=,tag:8xvJHjVT8cKxg2IA0iNqEA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFMkU2WlF3U2UzQTJ2QWxN + Yyt3OTVYN3NubWlubUkySjVVdStWT1hhdDNJCjU3UVM5RTF6d2dtbWo2RUN5Z2Ju + WE5SR1lTclkxSnROeUpZWWZ3c1JYUVEKLS0tIGhWTngrc2pvRS9nOVhEUW9XQzVL + d2NQUG9xRXdVbjI4VTUzN2tabXNZTUUKBVEZrW1IRV2B2lNMzIdzcEbyU6j6bcLK + hUWF9UBk7oZGzgPcZ9Mv+ZzkI4wEmCTy8R1lev/ocVSRNdApZpxguw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuczB3WW5LUURHRHdCSkcz + clBXZ0RwQlpabkR4ZkhlSkJhbHd3ejJJQ3g0CjhXejB4WnM5QURlcmIzTWNETGVp + clBBNWlqZmptNkNKMEhjRUpadTlzV2cKLS0tIGFYaHJCQk9pc2xnQ2R0ejJLc1dZ + UVYxYm5LOWxnQmE2U0RGbnpHK3ZpWTgKmNuXeamFRAwwi0byKfT9KV7O9zLpQhYm + /0sewbJhOnuxSc1g55Tdle1dZYYwQqbF3WFdg4XBe37HvIyDYpWZAw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cGRDT3VMeks5ODdyT1lu + Wjc1N0dMLzMzc1N4ckJ5RE94MmdHQ2lZcXlJCktialhsWWRCbytiSHlyKzdIZTF0 + a2l3bnIyVE9RM2IrY2liRi9NYXBTK2cKLS0tIEhCYXJrTWV6cEJST2Q4WHZ6cGtT + Ty93MXkrMzNvWWZ5SUp4czlrSnpVRnMKJIH8fLwGt9KkKi9D+0OY7sYvmxj6NAHc + 00YQXOspEq4TbAxLj881jh2Kfyprxl64sDHpb2icAXzVv6wE2cI2ZQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-09T20:10:40Z" + mac: 
ENC[AES256_GCM,data:SkhsUgq/d/FBUhIu3qfmIYKcRM6NuyR/e0KGz+0e70Du7hqVFXehoqUiWk869alJCjvIOU3zjq7rA3pFvGakV7nRfCQvYI5QkWHFctbCDtopLWcq67uUdj/VZpaW9UVt3e41hWIodxbDhFaxYAoqEfAUK5rhESMCx4Idd/fpYL8=,iv:DcaeyKkRhv02UbCCvr3XUcI0h0F2ZNA/TBrcyPIBi/c=,tag:CAqsBq055TmgPbSiPRVtAQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/nixos/machines/kaalut/configuration.nix b/nixos/machines/kaalut/configuration.nix new file mode 100644 index 0000000..66c997e --- /dev/null +++ b/nixos/machines/kaalut/configuration.nix 
@@ -0,0 +1,81 @@
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../modules/mail.nix
+ ../../roles
+ ../../roles/vm.nix
+ ../../modules/vmNetwork.nix
+ ];
+
+ # System configuration here
+ services.mathebau-mail = {
+ enable = true;
+ domains = [
+ {
+ domain = "koma89.tu-darmstadt.de";
+ allowlistPass = "/run/secrets/allowlistPassKoMa";
+ virt_aliases = "/run/secrets/koma.aliases";
+ }
+ {
+ domain = "mathebau.de";
+ allowlistPass = "/run/secrets/allowlistPassMathebau";
+ virt_aliases = "/run/secrets/mathebau.aliases";
+ }
+ ];
+ };
+
+ networking.hostName = "kaalut";
+ vmNetwork.ipv4 = "192.168.0.17";
+ system.stateVersion = "24.05";
+
+ sops.secrets = {
+ allowlistPassMatheball = {
+ sopsFile = ./allowlistPassMatheball.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ allowlistPassMathebau = {
+ sopsFile = ./allowlistPassMathebau.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ allowlistPassMathechor = {
+ sopsFile = ./allowlistPassMathechor.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ allowlistPassKoMa = {
+ sopsFile = ./allowlistPassKoMa.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ stalwartAdmin = {
+ sopsFile = ./stalwartAdmin.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ backupKey = {
+ sopsFile = ./backupKey.yaml;
+ owner = "root";
+ group = "root";
+ mode = "0400";
+ };
+ "koma.aliases" = {
+ sopsFile = ./koma.aliases.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0440";
+ };
+ "mathebau.aliases" = {
+ sopsFile = ./mathebau.aliases.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0440";
+ };
+ };
+}
diff --git a/nixos/machines/kaalut/hardware-configuration.nix b/nixos/machines/kaalut/hardware-configuration.nix
new file mode 100644
index 0000000..ce7112d
--- /dev/null
+++ b/nixos/machines/kaalut/hardware-configuration.nix
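Review bot: The `domains` entries in configuration.nix reference their secrets through hand-written strings such as `"/run/secrets/allowlistPassKoMa"`, so a renamed or undeclared secret only shows up when the mail service fails to read the file. Take `config` as a module argument (`{config, ...}: {`) and write `allowlistPass = config.sops.secrets.allowlistPassKoMa.path;` (likewise `config.sops.secrets."koma.aliases".path`), which turns a mismatch into an evaluation error. `allowlistPassMatheball` and `allowlistPassMathechor` are declared here but no domain in this file uses them, and the commit adds `mailForwardSieve.yaml` without a matching `sops.secrets` entry; drop them or wire them up so the host only receives secrets it needs. The two alias files use mode `0440` while every other secret is `0400` with the same owner and group; pick one and note the reason if group read is required.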
@@ -0,0 +1,30 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [];
+
+ fileSystems."/" = {
+ device = "root";
+ fsType = "tmpfs";
+ options = ["size=1G" "mode=755"];
+ };
+ fileSystems."/persist" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=persist"];
+ neededForBoot = true;
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/boot";
+ fsType = "ext4";
+ };
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=nix"];
+ };
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/nixos/machines/kaalut/koma.aliases.yaml b/nixos/machines/kaalut/koma.aliases.yaml
new file mode 100644
index 0000000..ebe59e0
--- /dev/null
+++ b/nixos/machines/kaalut/koma.aliases.yaml
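Review bot: `pkgs` is bound in the argument set of hardware-configuration.nix but never used; drop it so the header reads `{lib, ...}: {`. Separately, `/` is a tmpfs, so anything outside `/persist`, `/nix` and `/boot` is gone after a reboot. Nothing in this file or in configuration.nix shows where the age identity for the `kaalut` recipient or the mail server's state is kept; presumably `../../roles` or the mail module persists them, but that should be confirmed before the host carries real mail.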
@@ -0,0 +1,39 @@ +koma.aliases: ENC[AES256_GCM,data:sc+ow5kkklMDJEq4IkqQnNI91+79dnwJyagADrDsBd08dm1s+0ky7q8=,iv:oF78Hm5PklYKPpJswBdoHRrWDOoLcUEgzc75ZERytTI=,tag:JopwPj6NxDt4ZpqrZuhoGQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6encybXQydVFxOEExa3h2 + aklSRzljdmEvdlk0K1I4QzVrT3R0TEI3L1JBCjdCNnc4V2xWZTFoWDJBMEg2elcy + Z2U3MmdKWlNqYklUZkJMUUFVbzhOYlEKLS0tIEFYU3N2MEZCUndKa3FzMHkrRDZ4 + bmhWeUVXK1hHamwwc0VkWU9zSHdqQ0EK21CI9uabjcy/8TaYAZ2dnkEAkp0f+1cy + MWsy3gf72qhIPBcqECet1nVdsjWIqVzagSsGnvbM1qVyqWRp/56JbA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTGJjS1owL2tMeXFyY1p3 + QUxubUZid0pKUDQzMXdxN1prMkZ3L3NOalFjCnF3TzRWZ2xEd1FnZUh4WEVUUG45 + c1lnazhzanBsMEFUMmVmOVNVOFV0d0UKLS0tIGF6UWt2azU5UG9YMUthZVBsRitu + NU9XVzJXdjdSM0JZbWRoUmdmM2FRUWsKQIfAkTZ2BaN0ot9gqmVCshI5KTMHALMR + io1VeEKeyIP/Lr5r+RggCdV/YlazjSiUGJfdGgBaVF5u6ItU3UYVug== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXeE9JOE9reGdwd2lYaUZC + RkxpNG95Tkl3UWNXT0YxWkU4VkFoUGlDeVJnCnA3SDNXMGZYbXEyZ0hLcnNJQ0gv + K3l6T2dOVVIzbEt1amNoVGhGWW9vdEUKLS0tIDFrckxValhzQ216a0Q5RTNCSjBy + VHQ5SFhQRzZDTFUxTUR6N0JnV0w0aVEK13d5XK4C+qpgPRqiEo69exZu1//0HKiI + N2n2Uzaj7qoqe6rM5XWAYUZeuiqfk98q72tl0GeBt0rNb92C4Sugkw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-10T20:15:06Z" + mac: 
ENC[AES256_GCM,data:VuDvgcnQP8ksVfvZtEUdcRq58Dhs5r8O55dYXUkTafUq0a7dQ4nz1fMnRqN7f3Z6TKjgbkqtRVa1L45e6szWFbY7W86PdaohdQ7rQZKHSxb49XQJtiEU59Lk4U4Cf+6sxx5MKbF5HbMFsus3Ukcu0v5pUF9JDUFrLTnPgoMQ9gM=,iv:dMRBmwkzEjn5SJ5xXAAF9QSHTIJdS8McxIi2LLokKpA=,tag:U2dvWlvcchUeW5S6JiUzRg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/mailForwardSieve.yaml b/nixos/machines/kaalut/mailForwardSieve.yaml new file mode 100644 index 0000000..39b24bb --- /dev/null +++ b/nixos/machines/kaalut/mailForwardSieve.yaml 
@@ -0,0 +1,39 @@ +mailForwardSieve: ENC[AES256_GCM,data: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,iv:8jbgemrc1+q0OoMc0WivjVLwL2dY78fQmwD0oUZZ8B4=,tag:7YkjrPYPccm/bsjdRVnhYQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoS0c2YkJ6ZkI2RUJRNUY2 + QTRZSFhZNU51L09rRk40OWhZQTZweG53bDNBCnM5Sm1MRmJxS24zV2lwQUdJc1Q2 + ZFNPU0hTaCtod3BrRDZKV3VLOUVyQVkKLS0tIDZycm52VmJsUWhaQXRJRnZ0RXJ3 + bFF0Tm1nODY2ZlRhM2JEZkRNMHU5M1UKqCZtZetF0sR0NCGbuC9OJqomaL0cDzpQ + LiEV4UmnEnBAPnQNmGUK/HZReWZe0j4pYBT8Jkyob7dvgkRTzdpJpQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZVBLblNjNjhmS2ZSTW81 + bUF1cmpSUE5JaDJFVDRTc3kvNFIrMVg3Q0NjCm5aSnU2MXNFQ1NtUnRaQ2FmOG04 + Q0UvRTJYK1ZZL3p4bzR0bnI5S2Z2ZTgKLS0tIGF4dVh4QzdRdUNKMG1leWp2UFhm + Y25tSVRaelVVQWRCcmtVRTMrSis4V2cKVbz6SVEQgAIcdVtRarZqfTaJcgxRphdd + WX6YDsdMAFg2fwKKMQy+jQhQl4OymxzhKd4Xzls7KVWMvoSQQJWUDg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeW1kcWEwYTBhQTJBMmRn + QTM2bDVnd3dxVm1HWWZPeDZzdjc5ZzVvdTN3Cit0NmtXbk96K3ZlNkNuRk5RZ2NV + R3RETmlCNGdWdk1ORGtmK0pQWVNlMjQKLS0tIHZJLzd5WHY1U1BPbjZESnA5SGdy + VVduS0lDU3hETGxtWFZ5YmFUVXQzbEEKFy3uE2yJHygr7lBBfuw1sHonaFVsVaEs + lADtRxUOGbxQumFIIYhCVC8R3ZbX569iwtFE0JyNhvcFsLYiUu2gHw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-02T18:06:42Z" + mac: 
ENC[AES256_GCM,data:lRrj0QHKJEPsvnF0A009ch7hDXT1kjq60VPoXU44vmcUcA34vb0Eg7YcBprxCkCrmk6nkBo+4dx24mh+KhtqE4IP2JusIUyY8nhnIYawftfZwWSE3MtEe3EhQc+/1dlg6QOBHX+EyxVpPeOPEgNk5cFWYRHVKTYgQTsfAbWM4Q4=,iv:sUVb+7e1/kNKI4adubfLjYQ9CtNlKnMtGcLesoEyRXQ=,tag:Idg/iKz8dX2jHp1C3sHDIA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/mathebau.aliases.yaml b/nixos/machines/kaalut/mathebau.aliases.yaml new file mode 100644 index 0000000..b4bca63 --- /dev/null +++ b/nixos/machines/kaalut/mathebau.aliases.yaml 
@@ -0,0 +1,39 @@ +koma.aliases: ENC[AES256_GCM,data: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,iv:vmPRZvSHxzh/LZGwKJONISE5Y3KIrHYLJ+X3m9eB7NY=,tag:TW4hJNymoBs2zuJ4qgBEww==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoS0c2YkJ6ZkI2RUJRNUY2 + QTRZSFhZNU51L09rRk40OWhZQTZweG53bDNBCnM5Sm1MRmJxS24zV2lwQUdJc1Q2 + ZFNPU0hTaCtod3BrRDZKV3VLOUVyQVkKLS0tIDZycm52VmJsUWhaQXRJRnZ0RXJ3 + bFF0Tm1nODY2ZlRhM2JEZkRNMHU5M1UKqCZtZetF0sR0NCGbuC9OJqomaL0cDzpQ + LiEV4UmnEnBAPnQNmGUK/HZReWZe0j4pYBT8Jkyob7dvgkRTzdpJpQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZVBLblNjNjhmS2ZSTW81 + bUF1cmpSUE5JaDJFVDRTc3kvNFIrMVg3Q0NjCm5aSnU2MXNFQ1NtUnRaQ2FmOG04 + Q0UvRTJYK1ZZL3p4bzR0bnI5S2Z2ZTgKLS0tIGF4dVh4QzdRdUNKMG1leWp2UFhm + Y25tSVRaelVVQWRCcmtVRTMrSis4V2cKVbz6SVEQgAIcdVtRarZqfTaJcgxRphdd + WX6YDsdMAFg2fwKKMQy+jQhQl4OymxzhKd4Xzls7KVWMvoSQQJWUDg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeW1kcWEwYTBhQTJBMmRn + QTM2bDVnd3dxVm1HWWZPeDZzdjc5ZzVvdTN3Cit0NmtXbk96K3ZlNkNuRk5RZ2NV + R3RETmlCNGdWdk1ORGtmK0pQWVNlMjQKLS0tIHZJLzd5WHY1U1BPbjZESnA5SGdy + VVduS0lDU3hETGxtWFZ5YmFUVXQzbEEKFy3uE2yJHygr7lBBfuw1sHonaFVsVaEs + lADtRxUOGbxQumFIIYhCVC8R3ZbX569iwtFE0JyNhvcFsLYiUu2gHw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-10T20:05:53Z" + mac: 
ENC[AES256_GCM,data:5TpBJCTSeidya4+QLz1ltrKy5uuquvGZ/UkxZVX7Welt5AWQYzGtha2UltkhJRXBAptJA7344ePsGLBzFvYfKpq/rj7I66aLxw7bXDAq6I9mCa7hzNEK3xdiP9q9GVv9DiWt4IoO1+SYPi+1eW7rmNBbNiX1D1lPoWGy+YYPJQI=,iv:VH1DOFSdH5vUdhlbrjvbcbZZ5BRWQmeJ/j4hyZlfRJk=,tag:6wrzZRfBrx2Sn1xFZl442Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/stalwartAdmin.yaml b/nixos/machines/kaalut/stalwartAdmin.yaml new file mode 100644 index 0000000..a237fcd --- /dev/null +++ b/nixos/machines/kaalut/stalwartAdmin.yaml 
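Review bot: The only data key in the new mathebau.aliases.yaml is `koma.aliases`, while configuration.nix declares the secret as `"mathebau.aliases"` with `sopsFile = ./mathebau.aliases.yaml` and no `key` override. sops-nix looks a secret up under its attribute name by default, so installing this secret on kaalut would be expected to fail. The age stanzas are also identical to those in mailForwardSieve.yaml, which suggests the file was copied and edited rather than created fresh. Re-create it through `sops` with the top-level key `mathebau.aliases` so the MAC is recomputed, and check that the plaintext is the mathebau.de alias list and not a copy of the KoMa one.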
@@ -0,0 +1,39 @@ +stalwartAdmin: ENC[AES256_GCM,data:bivVihZRD+ie1Vo1htEFiZ77u6A=,iv:sJ97O7oT9btgML8YzM4Puy8h+9VajVHSlzWObhrUEWU=,tag:+jZIn18tixkNTprQlz6WiQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBncElOY2VuRUNzWHhCdkVr + MWJmbXNLRWpnT1NCK0pJeWpsQ0pwSVpialVJCmVzaVBRMitKRWpLOThBMGl4c2pt + U291Zk8yeFhtVWNmamxJbVF3V3NMSVEKLS0tIDR5Nmhvb2hPNUVlVU9BQnJxU0lv + L3ZvZ3VXZVdIVXJYOHkwYUR1N0dSVFkK5LRlqyJbxuKkddgO4xSNUkrAiUnrbVUt + C72CNDg4q/KQ8nQ5TP+JgKyYZQFzvKPhP7+YdfUobDaHOPnKG0cVAg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WXoweFRJME1sRzhSd1VO + bDY1QWp1aWtldEdwbHRXUGt4UmN1T1hhem4wCmQwcnBnRkFsaFVBd0FqNHNoc0ov + RTQwbFpZa0E2aVRLWGNEc2NySkcwNzAKLS0tIERrWVBSNFlQQVV1c2g1YjI4RjlR + MFJQUU94RUoxTVErVHFkYmM3TlhFcTgKHCsbj8nfFOb4eYh6IdXKL+xXWNF7JSjR + Zl0rUTXSWlf4DOGtolp9ZuYMkJ9tcDUh1Qy090lQ0+FKUdTpnreorg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBcUsrZThHZ1VCNzhOS1Iz + d1pvR3M3WHNOdUJ5c0tzYVdYT20vYmF5Y2cwCmQ1ejRuMGxIS2U3NGdMOTFuN21H + VXgveWc0SE5TVlgzV1lieVZpRTN5SXMKLS0tIGlxSHVUMEh4R0pUekRGeGRjejdi + dEg0V01PdWpNdUxmN1RzQVZjdTlMSkEKdT7VEl5kIRyNY1KwWShuvyIZkyT+KlHs + JbhcFJznJNkn13G+SuPaLQ/WxpuO1MxDCeKnya/vuNw3sSu74nSWrg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-09T08:06:21Z" + mac: 
ENC[AES256_GCM,data:2ab0OS7muwU0RrxKIvLJMt9RYaFZ79ABbMzYvO9A01yhuSGQAdkq5h1KfhfSXslTCQTvIIz2meT1wD1JZOOgYo6oA6qxtp2Sfp0XFQtEHL6Rb4vS1iPDt0jHvllTtnA8vj4R6lk2991utiGRNAnmbiAEFCXNZwKHVLAf6SnyjNc=,iv:Eb9nH23WoIeDw+0oViOfRJhb/+sKH17Jc3dL7njrxLQ=,tag:5YnJLBo0qvFr6CmomTAmKQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0
diff --git a/nixos/modules/borgbackup.nix b/nixos/modules/borgbackup.nix
index b552c8b..9889238 100644
--- a/nixos/modules/borgbackup.nix
+++ b/nixos/modules/borgbackup.nix
@@ -76,6 +76,13 @@ in {
 path = "/var/lib/backups/ithaqua";
 allowSubRepos = true;
 };
+ kaalut = {
+ authorizedKeysAppendOnly = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcAJkEXcvrDEQf1zRhBXLe1CSHOTooM3qy0KMfS9oug Kaalut Backup"
+ ];
+ path = "/var/lib/backups/kaalut";
+ allowSubRepos = true;
+ };
 lobon = {
 authorizedKeysAppendOnly = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEptjf1UWRlo6DG9alAIRwkSDUAVHwDKkHC6/DeYKzi Lobon Backup"
diff --git a/nixos/modules/mail.nix b/nixos/modules/mail.nix
new file mode 100644
index 0000000..a04c933
--- /dev/null
+++ b/nixos/modules/mail.nix
@@ -0,0 +1,285 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit
+ (lib)
+ mkIf
+ mkEnableOption
+ mkOption
+ ;
+ inherit (lib.types) listOf str;
+ cfg = config.services.mathebau-mail;
+in {
+ options.services.mathebau-mail = {
+ enable = mkEnableOption "mathebau mail service";
+ domains = mkOption {
+ type = listOf (lib.types.submodule {
+ options = {
+ domain = mkOption {
+ type = str;
+ };
+ allowlistPass = mkOption {
+ type = str;
+ };
+ virt_aliases = mkOption {
+ type = str;
+ default = "";
+ };
+ };
+ });
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [pkgs.alias-to-sieve];
+
+ services = {
+ stalwart-mail = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ server = {
+ lookup.default.hostname = "fb04184.mathematik.tu-darmstadt.de"; # Because the DNS PTR of 130.83.2.184 is this and this should be used in SMTP EHLO.
+ listener = {
+ "smtp" = {
+ bind = ["[::]:25"];
+ protocol = "smtp";
+ };
+ "submissions" = {
+ # Enabling sending from these domains privately blocked on https://github.com/stalwartlabs/mail-server/issues/618
+ bind = ["[::]:465"];
+ protocol = "smtp";
+ tls.implicit = true;
+ };
+ "imaptls" = {
+ bind = ["[::]:993"];
+ protocol = "imap";
+ tls.implicit = true;
+ };
+ "management" = {
+ bind = ["[::]:80"]; # This must also bind publically for ACME to work.
+ protocol = "http";
+ };
+ };
+ };
+ acme.letsencrypt = {
+ directory = "https://acme-v02.api.letsencrypt.org/directory"; # This setting is necessary for this block to be activated
+ challenge = "http-01";
+ contact = ["root@mathebau.de"];
+ domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"];
+ default = true;
+ };
+ spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding
+ auth = {
+ # TODO check if HRZ conforms to these standards and we can validate them strictly
+ dkim.verify = "relaxed";
+ arc.verify = "relaxed";
+ dmarc.verify = "relaxed";
+ iprev.verify = "relaxed";
+ spf.verify.ehlo = "relaxed";
+ spf.verify.mail-from = "relaxed";
+ };
+
+ # Forward outgoing mail to HRZ or mail VMs.
+ # see https://stalw.art/docs/smtp/outbound/routing/ relay host example
+ queue.outbound = {
+ next-hop = [
+ {
+ "if" = "rcpt_domain = 'lists.mathebau.de'";
+ "then" = "'mailman'";
+ }
+ {
+ "if" = "is_local_domain('', rcpt_domain)";
+ "then" = "'local'";
+ }
+ {"else" = "'hrz'";}
+ ];
+ tls = {
+ mta-sts = "disable";
+ dane = "disable";
+ starttls = "optional"; # e.g. Lobon does not offer starttls
+ };
+ };
+ remote."hrz" = {
+ address = "mailout.hrz.tu-darmstadt.de";
+ port = 25;
+ protocol = "smtp";
+ tls.implicit = false; # somehow this is needed here
+ };
+ remote."mailman" = {
+ address = "lobon.mathebau.de"; # must be created in DNS as a MX record
+ port = 25;
+ protocol = "smtp";
+ tls.implicit = false; # somehow this is needed here
+ };
+
+ # In order to accept mail that we only forward
+ # without having to generate an account.
+ # Invalid addresses are filtered by DFN beforehand.
+ session.rcpt = {
+ catch-all = true;
+ relay = [
+ {
+ "if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de'";
+ "then" = true;
+ }
+ {"else" = false;}
+ ];
+ };
+ config.local-keys =
+ [
+ "store.*"
+ "directory.*"
+ "tracer.*"
+ "server.*"
+ "!server.blocked-ip.*"
+ "authentication.fallback-admin.*"
+ "cluster.node-id"
+ "storage.data"
+ "storage.blob"
+ "storage.lookup"
+ "storage.fts"
+ "storage.directory"
+ "lookup.default.hostname"
+ "certificate.*"
+ ] # the default ones
+ ++ ["sieve.trusted.scripts.*"]; #for macros to be able to include our redirection script
+ sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%";
+ session.data.script = "'redirects'";
+
+ authentication.fallback-admin = {
+ user = "admin";
+ secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg";
+ };
+ };
+ };
+ };
+ environment.persistence.${config.impermanence.name} = {
+ directories = [
+ "/var/lib/stalwart-mail"
+ ];
+ files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
+ };
+
+ # Update HRZ allowlist
+ # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
+ # will stop working if no valid TUIDs are associated to our domain.
+ systemd = {
+ timers."mailAllowlist" = {
+ wantedBy = ["timers.target"];
+ timerConfig = {
+ OnBootSec = "5m"; # Run every 5 minutes
+ OnUnitActiveSec = "5m";
+ RandomizedDelaySec = "2m"; # prevent overload on regular intervals
+ Unit = "mailAllowlist.service";
+ };
+ };
+ services = {
+ "mailAllowlist" = {
+ description = "Allowlist update: Post the mail addresses to the HRZ allowllist";
+ script = let
+ scriptTemplate = {
+ domain,
+ allowlistPass,
+ ...
+ }: ''
+ # Get the mail addresses' local-part
+ ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) account list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' | tee /tmp/addresses
+ ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) list list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' | tee -a /tmp/addresses
+ ${pkgs.stalwart-mail}/bin/stalwart-cli --url http://localhost:80 -c $(cat /run/secrets/stalwartAdmin) group list | grep '@${domain}' | sed 's/| //' | sed 's/ |//' | tee -a /tmp/addresses
+ ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases | tee -a /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need.
+ # Post local-parts to HRZ
+ ${pkgs.curl}/bin/curl https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${domain} -F password=$(cat ${allowlistPass}) -F emailliste=@/tmp/addresses -F meldungen=voll
+ # Cleanup
+ rm /tmp/addresses
+ '';
+ in
+ lib.strings.concatStringsSep "" (map scriptTemplate cfg.domains);
+ serviceConfig = {
+ Type = "oneshot";
+ User = "stalwart-mail";
+ NoNewPrivileges = true;
+ # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
+ PrivateTmp = false; # allow access to sieve script
+ ProtectHome = true;
+ ReadOnlyPaths = "/";
+ ReadWritePaths = "/tmp";
+ InaccessiblePaths = "-/lost+found";
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+ };
+ "stalwart-mail".serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script
+ "virt-aliases-generator" = {
+ description = "Virtual Aliases Generator: Generate a sieve script from the virtual alias file";
+ script = let
+ scriptTemplate = {
+ domain,
+ virt_aliases,
+ ...
+ }:
+ if virt_aliases != ""
+ then "${virt_aliases} ${domain} "
+ else "";
+ in
+ lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map scriptTemplate cfg.domains ++ ["> /tmp/virt_aliases"]);
+ wantedBy = ["stalwart-mail.service"];
+ serviceConfig = {
+ Type = "oneshot";
+ User = "stalwart-mail";
+ NoNewPrivileges = true;
+ # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
+ PrivateTmp = false;
+ ProtectHome = true;
+ ReadOnlyPaths = "/";
+ ReadWritePaths = "/tmp";
+ InaccessiblePaths = "-/lost+found";
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+ };
+ };
+ };
+ # Backups
+ services.borgbackup.jobs.mail = {
+ paths = [
+ "/var/lib/stalwart-mail/data"
+ ];
+ encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction.
+ environment = {
+ BORG_RSH = "ssh -i /run/secrets/backupKey";
+ # “Borg ensures that backups are not created on random drives that ‘just happen’ to contain a Borg repository.”
+ # https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html
+ # We don't want this in order to not need to persist borg cache and simplify new deployments.
+ BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
+ };
+ repo = "borg@192.168.1.11:kaluut"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33
+ startAt = "daily";
+ user = "root";
+ group = "root";
+ };
+ };
+}
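Review bot: The trusted Sieve script is loaded from `/tmp/virt_aliases`, a fixed name in the world-writable `/tmp`, and the hunk switches `PrivateTmp` off for `stalwart-mail`, `mailAllowlist` and `virt-aliases-generator` to make that work. A local account that owns that name (or `/tmp/addresses`) before the service writes it therefore controls what the mail server runs as a trusted script, or what is posted to the HRZ allowlist. A `RuntimeDirectory` owned by the service user removes the shared path and lets `PrivateTmp` stay on; the directory name in the sketch below is a constructed example. Separately, `-c $(cat /run/secrets/stalwartAdmin)` and `-F password=$(cat ${allowlistPass})` put both secrets on the command line, where other local users can read them from the process list. curl can read the field from the file itself with `-F "password=<${allowlistPass}"`, and stalwart-cli appears to accept its credentials from the environment (confirm against its `--help`).

```nix
# … unchanged: options, listeners, ACME, auth, outbound routing, local-keys …
sieve.trusted.scripts.redirects.contents = "%{file:/run/virt-aliases/virt_aliases}%";
# … unchanged: fallback-admin, persistence, timer, mailAllowlist (its /tmp paths move the same way) …
"virt-aliases-generator" = {
  # … unchanged: description, scriptTemplate …
      lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map scriptTemplate cfg.domains ++ ["> /run/virt-aliases/virt_aliases"]);
  serviceConfig = {
    Type = "oneshot";
    User = "stalwart-mail";
    RuntimeDirectory = "virt-aliases"; # created by systemd, owned by the service user
    RuntimeDirectoryPreserve = true; # keep the generated script after the oneshot exits
    PrivateTmp = true;
    # … unchanged: remaining hardening options, without ReadWritePaths = "/tmp" …
  };
};
```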