From d2ab4d8eea71c8fe2394c0f77065535072a0b165 Mon Sep 17 00:00:00 2001
From: Gonne
Date: Wed, 10 Jul 2024 22:56:46 +0200
Subject: [PATCH] First try to install Stalwart as a mail software
---
.sops.yaml | 7 +
flake-module.nix | 6 +
flake.lock | 144 +++++++--
flake.nix | 3 +
nixos/machines/kaalut/allowlistPassKoMa.yaml | 48 +++
.../kaalut/allowlistPassMatheball.yaml | 48 +++
.../kaalut/allowlistPassMathebau.yaml | 48 +++
.../kaalut/allowlistPassMathechor.yaml | 48 +++
nixos/machines/kaalut/backupKey.yaml | 48 +++
nixos/machines/kaalut/configuration.nix | 100 ++++++
.../kaalut/hardware-configuration.nix | 30 ++
nixos/machines/kaalut/koma.aliases.yaml | 48 +++
nixos/machines/kaalut/mathebau.aliases.yaml | 48 +++
nixos/machines/kaalut/mathechor.aliases.yaml | 48 +++
nixos/machines/kaalut/stalwartAdmin.yaml | 48 +++
nixos/modules/borgbackup.nix | 7 +
nixos/modules/mail.nix | 301 ++++++++++++++++++
17 files changed, 1000 insertions(+), 30 deletions(-)
create mode 100644 nixos/machines/kaalut/allowlistPassKoMa.yaml
create mode 100644 nixos/machines/kaalut/allowlistPassMatheball.yaml
create mode 100644 nixos/machines/kaalut/allowlistPassMathebau.yaml
create mode 100644 nixos/machines/kaalut/allowlistPassMathechor.yaml
create mode 100644 nixos/machines/kaalut/backupKey.yaml
create mode 100644 nixos/machines/kaalut/configuration.nix
create mode 100644 nixos/machines/kaalut/hardware-configuration.nix
create mode 100644 nixos/machines/kaalut/koma.aliases.yaml
create mode 100644 nixos/machines/kaalut/mathebau.aliases.yaml
create mode 100644 nixos/machines/kaalut/mathechor.aliases.yaml
create mode 100644 nixos/machines/kaalut/stalwartAdmin.yaml
create mode 100644 nixos/modules/mail.nix
diff --git a/.sops.yaml b/.sops.yaml
index bc5cfc6..7967e56 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -5,6 +5,7 @@ keys: - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4 - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn + - &kaalut age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a creation_rules: - path_regex: nixos/machines/nyarlathotep/.* @@ -25,6 +26,12 @@ creation_rules: - *nerf - *gonne - *lobon + - path_regex: nixos/machines/kaalut/.* + key_groups: + - age: + - *nerf + - *gonne + - *kaalut # this is the catchall clause if nothing above machtes. Encrypt to users but not # to machines - key_groups: diff --git a/flake-module.nix b/flake-module.nix index c30fff4..7bc32ef 100644 --- a/flake-module.nix +++ b/flake-module.nix @@ -53,6 +53,12 @@ _module.args.pkgs = import inputs.nixpkgs { inherit system; config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"]; + + overlays = [ + (_: _: { + alias-to-sieve = inputs.alias-to-sieve.packages.x86_64-linux.default; # add custom package to convert alias files to sieve scripts on the stalwart machine + }) + ]; }; }; diff --git a/flake.lock b/flake.lock index 846ad85..728f1ae 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,25 @@ { "nodes": { + "alias-to-sieve": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": "nixpkgs", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1733169152, + "narHash": "sha256-HUJuoOjNdweJ/ZjYrwJ13omhLZrztp+0RTZsFIwRojc=", + "ref": "refs/heads/main", + "rev": "963c13f80d80dcff748e57061b18b542ba76a463", + "revCount": 19, + "type": "git", + "url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve" + }, + "original": { + "type": "git", + "url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve" + } + }, "blobs": { "flake": false, "locked": { 
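Review bot: The new `nixos/machines/kaalut/.*` creation rule in the second .sops.yaml hunk lists three age recipients (`*nerf`, `*gonne`, `*kaalut`), but each kaalut secret file added later in this patch carries four `recipient:` entries, so the committed files were not produced by this rule as written. Which public keys the `nerf` and `gonne` anchors stand for is outside the hunk, so the extra recipient cannot be named from here. Either add the missing key to the rule or re-encrypt the files with `sops updatekeys`, so that the set of identities able to decrypt the mail server's secrets is exactly the one under review.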
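Review bot: In the flake-module.nix hunk the overlay hard-codes `inputs.alias-to-sieve.packages.x86_64-linux.default` although the enclosing `import inputs.nixpkgs` call already does `inherit system;`, so the package would not follow the rest of the package set on any other system; `alias-to-sieve = inputs.alias-to-sieve.packages.${system}.default;` keeps them aligned. The package comes from the input's own pinned sources (flake.lock gives alias-to-sieve its own `nixpkgs` and `rust-overlay` nodes), not from this `pkgs`, so the inline comment should also say that nixpkgs updates here do not rebuild that binary. The enclosing block starts and ends outside the hunk.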
@@ -21,11 +41,29 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1727826117, - "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_2" + }, + "locked": { + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", "type": "github" }, "original": { @@ -35,11 +73,11 @@ }, "impermanence": { "locked": { - "lastModified": 1729068498, - "narHash": "sha256-C2sGRJl1EmBq0nO98TNd4cbUy20ABSgnHWXLIJQWRFA=", + "lastModified": 1731242966, + "narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=", "owner": "nix-community", "repo": "impermanence", - "rev": "e337457502571b23e449bf42153d7faa10c0a562", + "rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a", "type": "github" }, "original": { @@ -71,15 +109,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1729665710, - "narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=", - "owner": "NixOS", + "lastModified": 1732014248, + "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d", + "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", "type": "github" }, "original": { - "owner": "NixOS", + "owner": "nixos", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" 
@@ -102,28 +140,56 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1727825735, - "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", + "lastModified": 1730504152, + "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" } }, - "nixpkgs-stable": { + "nixpkgs-lib_2": { "locked": { - "lastModified": 1729357638, - "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=", + "lastModified": 1730504152, + "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1728538411, + "narHash": "sha256-f0SBJz1eZ2yOuKUr5CA9BHULGXVSn6miBuUWdTyhUhU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22", + "rev": "b69de56fac8c2b6f8fd27f2eca01dcda8e0a4221", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-24.05", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1733015953, + "narHash": "sha256-t4BBVpwG9B4hLgc6GUBuj3cjU7lP/PJfpTHuSqE+crk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ac35b104800bff9028425fec3b6e8a41de2bbfff", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": 
"github" } @@ -136,11 +202,11 @@ "nixpkgs-stable": [] }, "locked": { - "lastModified": 1729104314, - "narHash": "sha256-pZRZsq5oCdJt3upZIU4aslS9XwFJ+/nVtALHIciX/BI=", + "lastModified": 1732021966, + "narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "3c3e88f0f544d6bb54329832616af7eb971b6be6", + "rev": "3308484d1a443fc5bc92012435d79e80458fe43c", "type": "github" }, "original": { @@ -151,27 +217,45 @@ }, "root": { "inputs": { - "flake-parts": "flake-parts", + "alias-to-sieve": "alias-to-sieve", + "flake-parts": "flake-parts_2", "impermanence": "impermanence", "nixos-mailserver": "nixos-mailserver", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_3", "pre-commit-hooks": "pre-commit-hooks", "sops-nix": "sops-nix" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1732328983, + "narHash": "sha256-RHt12f/slrzDpSL7SSkydh8wUE4Nr4r23HlpWywed9E=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "ed8aa5b64f7d36d9338eb1d0a3bb60cf52069a72", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" + ] }, "locked": { - "lastModified": 1729931925, - "narHash": "sha256-3tjYImjVzsSM4sU+wTySF94Yop1spI/XomMBEpljKvQ=", + "lastModified": 1733128155, + "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "b2211d1a537136cc1d0d5c0af391e8712016b34e", + "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index b4b5593..2e6f161 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,6 +2,9 @@ description = "Description for the project"; inputs = { + alias-to-sieve = { + url = "git+https://gitea.mathebau.de/fachschaft/alias_to_sieve"; + }; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixos-mailserver = { url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git"; diff --git a/nixos/machines/kaalut/allowlistPassKoMa.yaml b/nixos/machines/kaalut/allowlistPassKoMa.yaml new file mode 100644 index 0000000..826123a --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassKoMa.yaml 
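Review bot: The new `alias-to-sieve` input sets only `url`, so it pulls its own `nixpkgs`, `flake-parts` and `rust-overlay` nodes into flake.lock, which enlarges the set of pinned sources that must be trusted and kept current for a tool that processes mail aliases. If the package builds against the root inputs, add `inputs.nixpkgs.follows = "nixpkgs";` and `inputs.flake-parts.follows = "flake-parts";` inside the block. The URL also tracks the repository's default branch (the lock records `refs/heads/main`), so every `nix flake update` takes whatever is on main at that moment; a `?ref=<TAG_PLACEHOLDER>` suffix would make updates deliberate. The `inputs` set continues outside the hunk.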
@@ -0,0 +1,48 @@ +allowlistPassKoMa: ENC[AES256_GCM,data:TGFyk/kVc5+EFtjJXUVTNEk=,iv:QQDiOK81JDQXnuzgrcDHVtu+Pm2Ki7H2sEBuNMSKY9U=,tag:mgd/jPMl7fjl+dH6d2sKTg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpWW9FZHEwejRaRER1MHJQ + VXgyaE1GQmhhNFh1dEtBNjRnZXVqWm5hV25vCjliank4KzFobEZtbitzaXBhT1F6 + cCtqeVorS1BLMmMzZkVVOEN6NERFdDAKLS0tIGkzUUt1NnBUWUJWTy9Pd2FIeTF0 + cDVaUHowSEpoRjR3Zm81Z1p5NlYzV1kKMRvC7+3TS5EKjWg/NPnbwvVIikxf+Bpa + zNo9jhw3GREMScBXOiarm+xgMZ1e2SRrLrUwfR4DiXI4uvg1Jk/tPg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRYk1LQTVDNGhHWXJZSmsy + NEZ0WTNlek4yVnRwL3BKNXYrcm84SzIvNlRZCjlDdXU1a2NRNUVHZmkyK2ltZ3pE + bmtmVE5TR1hBcVNhaTBGK2F6VWZ1d2MKLS0tIDVKcXhDbjBncFlsR3FzanRhWWQv + Um1jcExjN2RWbHhzY2ZpcWVTWE1IbHMKfRSAmfbk+JDWdhSTSg9GZ+lws5DOHv9T + ZO9nQV37X9zFD6sXDWaspG3sf4kJZUCbWjCTKyQL/xmh4+E8+CAXYw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzOXBwTUF3ZXJCTFJOQjVC + bGplRDRCQVhtUEJPcnhENEF3UVVnbmVKNnprCjFOZW94ajI2d21RamZKT0xFMmtZ + ZzZFYjg3WDBmOVhlaFZyOW83M1NYVXcKLS0tIGltWUJGczNJS0pWTmxaZHU5Wi9t + TDRCdStocXRvLzBPUTd2blZFV0IyblkKjufZg39n/TI6BhGhIFNz4jplUx6u3/bo + NMbr9uJy/I1sdlfGNaheG/TIGOgFG1KqGkGdwpisU3gUD9uMUo1dvw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdDdsdW44ZlQyMzdJNmsv + aTIzVWRoSDhzamlqTDFOemZlc1JQMFdZbFJNCmVZbDVVaDBSVi8yTkdOQ1UySy9X + 
MlhXTzRvNWtqUzQxTlNqQ2RlN2J1OXMKLS0tIC9aZEZMVkFybnRTQmhpM1dzc1lt + bDdvdHc3Y1NmeE5WUzl3cXVRc3pmOUkK+9WueS1wDQDJlenec4jJCfynbPnuOFYR + HFsWmvEZJ+XhH6N9Q0phCHQgZGiR67FH6CHkCblmb6ZfZcWSEe1oTg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:/OUhbhrO36jEdQUc2+fPfYc13Qezbedo534r+dtULWNR3upzIkP1EnZmTe//TQcKe6GYE/AIWOCIdmfj5+TdXZfoFGZ4YjjFof2HYvDjNKHq7m0F5PFmmzNNkpzUdwHBj5N1usPRoPbsYIpfV74AUJJEeBSTpE76vIATNuE21Js=,iv:Rnh+uIDOPW0vdHPhjqyce9xl7MtURMTrp9kYoWZ6zOA=,tag:jONUKe1pXReqHjtnqCOTjw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/allowlistPassMatheball.yaml b/nixos/machines/kaalut/allowlistPassMatheball.yaml new file mode 100644 index 0000000..46c9791 --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMatheball.yaml 
@@ -0,0 +1,48 @@ +allowlistPassMatheball: ENC[AES256_GCM,data:cnYmhQ+2sNMR,iv:hSn9JbDce2NZdzptY1Miik4+VFh0i6ehQAGxcd9dJWg=,tag:XI1bE6Z84ppIxPYOasNO/w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHS2ZFM3JQcGx4VFo2M1Fy + T3pnNFg5dEhiaEI4SkNFbDNmV0Y4cDZHa0ZJCjd2SmRwMWtod2pxbEZkY2ZhbWhT + cEFJVHVyU2R0dncvekNFdzNpODlCMDgKLS0tIDRLSGFISXpXMUlzdGdDK1pBb3JX + N3RJVUpsdFZySTVWYlkwbStCaWVRZzgKInXWOMB5LX87zIKcdllGcOBc1CJHcSWP + htTOydt1XQGlZ809yT1Ovnsenk7SIFrtUGCgpSvju4C68FyS8fgJKQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdk1qdTBZRWYvMFgyZ3NN + QkZpb3BjSnVqRFJzeElCYVp1NDlyQitITGp3ClRtbVhBQnFvU0t5cUZGK0MveExJ + c1RtT2lRZm4ybkgxQ2VmV290SFRId1UKLS0tIEttRFFqTWJHbW54MUxCMHZ2NVA5 + NkFnM3R4eTEvdm85TzE5WFJLUTZMclUKpyGsJAAlqRagy13dH3AyeNi9v3oP8R6C + UayJeCPN89IyDsaIsrgAJk67+t92N8wTRIpOzfLEBQzz1WVBYCTPhA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOT012TTQ1V1ZlMnZycVB6 + empqdFc1SE13b1NNSCsyNkRMUWZ2aUdIRlc0CmEwYnp6WVI4SmRaVWRqTUZ5cWJJ + SXpUb3JLT2hNalc2ZlBhOTc2YWdDMkUKLS0tIGFPdW1OS0xFYjF3K01YcVh0bDQr + TjcxNTM3cjZrNnN1RThYUW56WHQ1RzAKvNCz1CW4VwI/YPqzpYfhpvhukbhE3g3Q + 31JZhyUViS/tutNy3rUpP+6zS2sY4yKhoavBTmMwI8W9I0JSZaVc5Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQytnV3hWODAva0JGdFF4 + MC84UmdaKzd1MVloK0dXL1NjS3pGaGY5RGw4CnF5NjlvSUU1N0ZlMHMxVXlhekxH + 
QkJJR3MzQVdJd2ZrT0t0S3FKMFZaOW8KLS0tICt6SEhEcm1QR0MwQjJ1YllRSlY2 + QlZ3Zk1hdkxpNllwSTNxRlZrZWtuVEUK65FpDbLv+S+MvF5+rpTyhjfi9xOUekTP + WupHKoeMMzAFxRK7DcH8bREib731JgBPbZEl8QZcY+xZDORnv1XZhg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:qA7d/k9vSQIvtdHOx20yfi98s5jgdGPYsP2c1rNrX4MeZnJ4RE+KR8wR37A54AvgOURUnTJUSfDNKGuTIPxioRC1j8iNlo/y0IefkbTaO2CBoh+BHurlh6wweTKI3LRUk8V0i5Qn/5INYc+DEzfsiA2g+QcbT5d0fU98+x7V/yY=,iv:xcgMXDFDN0Vo15rr2Eo6QV/Y5+X0t0mvAfuFmN1NDXY=,tag:PywW0L+VspBh2pZGXbM+sA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/allowlistPassMathebau.yaml b/nixos/machines/kaalut/allowlistPassMathebau.yaml new file mode 100644 index 0000000..df69566 --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMathebau.yaml 
@@ -0,0 +1,48 @@ +allowlistPassMathebau: ENC[AES256_GCM,data:DuCBcWAC61JW,iv:g0zYvVmTjsJESTq3kkWtaiypYPLIE6zkFyYLeOp/qhw=,tag:pyK6KMuPLkhLSTPAzbVxdQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaaWhNaDFEREcrejY2ejhI + L0tnOEtTWktNVDVoK1JQd3pBY1BndTY1NUFjCjFFSEd2Nkc2TVVMYzlwRXhyenVq + WmlCZkc4VWtFS1drNDRjRXR6SEVoYVEKLS0tIDRCQjJkdUM0V1BGV0hVNUtNQ1d4 + M2J2TEtPTjRVVG8yOHd6WThRNm5SU2MKVIAU8GCGklXvqNf0bpahJ4SsvIQxMged + m6mznRxcK9QPMApHayOBgw+8T+3IQkaEKGRuhI1y9UXahGSr8yxPYA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTkNiVWo3SWFmaFlENm5C + cDlJdHM0OXBnTFdYV1NtTHFmTndndTdwQWhRCitMTVJIcnpiRzEvL3JzMTZJMW9p + NTlIREJ5VVpLTVplWVNhSFFDMlVpNTQKLS0tIFkvMjYvVy9DZUZSVDVvQTkzck1F + ZHM5M2tRVUVIYmR5L1FsR3VxNUZSdW8KWIq5Cjbd12SqQfXRZDpUxTnUZGCyMVb+ + XxCixIFoGYZRTBc15k/Z6yM5OxYnSv3tbioF68PYtPaaRJrw0ICDxQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUWVHME1JN0gvZlNDQkFt + YTFsRG12UWlLckVLanNGQlozSXFaVGhMQWdzCndPdnRnNFU2dUpQangxUGU1RGVG + Z0Z5SmxZVG1jYW91YW5Jc1UwY25yOEkKLS0tIDJ1U2w1RzhpUk5WR0JUbzhRSStE + VnZpWUFwaHFMa2V6NlpQR285RGU0L2cKeN08hqlFz4re9iVwKmp2THEs1vZFqNXg + uK9Em5IeCx3pBjd5nnguAM751vR9X5O91ntA/R3MoL2bxGhbXHbOmA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXYStiSFpMWjh3M0EydEU4 + YlBpcFNYRXJTN0k4MWQ3blFmdW4zTHR6MWhrCmtsVkpGNFlIT0xBQU9SSG45czhU + 
NzlKSm9RMStFZXpselNBa3NpNGM5SzAKLS0tIDh0LzI0SkdlM0hONmF4RndCV2Q2 + VmwxWjcxVG5Kd1pPYUdpWDJCZkU3Q00Kbc8dYrQ2AiRAUfzXl6Bdj1mlbwlHSKzS + 6B/wzrIB3yws4QXCdZsIifxsGqJh/74UdQSXEab0VNwaHqsyXecIjw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:JLCK4mH4yS4YMhrmI821s/TfONkCyEx8x+pFHD/QOoU4KHyhDIggEhTYo31JFpWIQdDZMPbeFaUN+IvQwh1pqD1V92XfJVC0zHPiwhG7W2kI8WFAONVqI/bbMJ/ne4am5w/koGpQNPiM2RIo+9/9BKOkyLJLB7XTqPBY/FNW2n0=,iv:JiHwaSbPJSJYofiFABjn/AehSKyRrlOKHXBs1DGZcFQ=,tag:ajR0zYdHWxQcY2DhAuAzAw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/allowlistPassMathechor.yaml b/nixos/machines/kaalut/allowlistPassMathechor.yaml new file mode 100644 index 0000000..011559f --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMathechor.yaml 
@@ -0,0 +1,48 @@ +allowlistPassMathechor: ENC[AES256_GCM,data:CuLKFiBN6JwB,iv:cwiwShPKrGjjfuglRttmG/AB+qblJ/6ZLyD88mAsZ30=,tag:JIJjHJ4it077RSD3pSOBgg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnQzBXNVFObnk5OWtaemNz + UlFDTFpGRmJ6N0xYUmx3dllzS3hyWmNURmxRCm1CbmpSNWRkVHR5M21ibmJ4ZzNJ + elZQQ0UyN3lOTmRwQ2tnL1lHUFF5djgKLS0tIFUvRUkwSW0wSFhCMFByTkI0eEo4 + emdnN2JoMDVOb3FUTmZhZFIxWFhxZEkKDWFrvxDHjybQ2b9hORThAG2TihGdvaK0 + EHrzz0h1NVEO/nLUJSXRugGJ+J1GqThgOG1WCwJ+2Fk4Hm+q040DWQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkbmQ3ZXdhZkV2VTMxTUFK + eHM5aXAyNXdtV2ZkRVZKTC9GdWtDWUJtdFFFCkdBMWs3OFltRjFLVU1rSG52NGo2 + Q0dnS1V2c01EdVRuRGlsZ0lQT1JtUG8KLS0tIHErblZ6U01HTm1FUVJTZjdGQ2RB + bE90R0NsdkQ2UWNrbXZydjR5YTNGVWcK46c5ec7plT6X1874abnSSryG+cUZq/QT + 3LpgQs26dc9nIARiZUk/2UTPiUwxFesi7e4I87bWh5A+mQOHNfRAyw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUmJXMlFlb0pUbkduWkJK + SWhlUXNqZ0FQeFlEMFppUWR6MHFyS282emhJCkNLMDdaQ2JXRExLT3F2Y094VE90 + bTdmNGIvV0JHNlVldTVxUmdueTllYWsKLS0tIDAvNlhRQnFKSW5JT004WDFhSGEv + M0hKbWxuWjRlUWlRaHBQQUpkVlM4dTQKm4vPZTHMIfk79dTOO7mP9IZaJZbu3hx8 + J/y5xwUFVakqPaX144YZXjjStsjp6H71jE+z3EWeqvW3hwI8XAOv/w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0ZGFsenFjQkRBTCtsVXRI + VnpQZmVld0VFZ09hWTdlSjNzczA1T1VhWkZrCkpRUml1UFJrU2laQ1FEVi9USEg2 + 
Y3J5VlZCVG83UUh0bnRVbkZRVWVMMlUKLS0tIEl1VUFPQ3NvMm40clFTMHcwRzlC + dENsZ2ttbFI1aGdFYlZ0M1crZGlRek0KWF+sAOdOGf7GKkY3ZlfPkXGGDwSf89Lk + uvSkh+2Y9RIkQ7HRUvWxPBPi4vBUUhM7y5+lA8sNi+lLMzPyzVeKaQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:4LMhli417gbzauxvsx+cSA0VfCt5+dr1lsGdzVqNts/ELcCxlH2599V/xPdgZJYvbvY/AUDEVc6/7vodqtxsI9d99P9AD9IRaETqHkQ2RmPfyUHLJL8kgLdcql6zBdlZTpy05438Bs53sOQMWCcUmE2TohH9jlvmwpqCaRgfYf0=,iv:BkfHGIFAdlSIjdLvqOeaeoIkBaMQ5yXqYBFgGBrzMjk=,tag:7+vgwa89KxeXWNvfbiKSsg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/backupKey.yaml b/nixos/machines/kaalut/backupKey.yaml new file mode 100644 index 0000000..3727470 --- /dev/null +++ b/nixos/machines/kaalut/backupKey.yaml 
@@ -0,0 +1,48 @@ +backupKey: ENC[AES256_GCM,data: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,iv:ReA4k7S4F8NBE0VBCy9ks6YZJiubdUdP/AhEwc0kHaA=,tag:zagxPVYKQhf/tdK3tJFa2A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSGRWTEd6TVAzWjk2cHRn + Wkg1NlhxNXVYVXpDdnFiWmJSejE4SDhuZURFCklQWUFiaHZvbkZ1T21aZHNuME5x + NXN1ZHBoQzU4RUc3Y3lJVnMyRjluckUKLS0tIDRRVTdwcVplUFJmajkvWEZ0UlFJ + ZWpXTzI2NVhldnRrYnFybzErZXBQaVkK4hi/aksGcLlELTUPjJPoVR518z+Twt6l + RCFOnLsmsRu8/pigphbGMjOxYPsEsEpclU2vAobL1H3nPE/uKt4t/Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByN3BGN2IvdkhkcENJZEJD + OStNdWw2Q25hSXZHcDczRnRUd3h1ZGhDODA0Clo4cktoL2FUYmlkY2JJZFp6bkVS + WHdFeDZxSEU3a0RBMmI3cGk2N05hb0UKLS0tIDdDOElueDhPR1pxVEdmaTg3RVgz + eHVGak9sRkEydjdiam5QWHNpRG1hTnMKWqSIdNP6yMw6xoPqmK9Lss2Ztb72T7+l + bK4VYCnyuuQ24AhlVHLZdbRbk4Rvp2V7bCTWwTNamrRMJieLMZwt8g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNmtkRGlCTFYvdEJWZEhv + bXY5Z3ZibjRjQTV2c3R4OE1JSXBxeTN4Z0Y0CmU3aUVNN0NEeGgwOExvOFRDc2Jl + YlQ3dDJtQ1hvSHNFSzNyNGJMYklrRzAKLS0tIFB0Q21WU0hkOWxLajhRdlZaMGFN + OTYzMW9aMERGTVdXUnBZM0hxSzBWYTAK0k+pyltKHe6FfdYPqAQcax/u5r1JKP4q + C8qXIuAXY9FI4mV8xyuRZEIDr5A2y3hCCilieGr1KGkAwBZyZhQy4w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZStjM25VQnQ3Y2d3Skxs + K3k2NU5yeXUwT1F6SmNUVGpPVDUxeHdKZ0JJClFYcUIzazZ2R1BIbElWS3hCeHFK + 
cjFRY1pIL29YUktiR0t5bm5wT1JzZ1EKLS0tIFRPYi9veS9RZHhIRHNyZjZvL3JY + RTk1RE9GRitTMFFoUUQwOWtiTWRwMjQKkoA2wiTAholKq7ngDE/OWZKHjFbDg7WZ + efax0e0/riC3EEyvR3kIfjCenc2GBvVoaMgzD3Dra9Gz+3JpM11/+w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:yYBzhvg1g9GQk+Os6wkzNE3FyXIp7N2AnxuzPfexoA0aWXhYD2zQ7ylTiRGZLkbSODezXT0pD9sjYFN8yTXuY5HMIlCYSCPQGIUblZKRqB0EES3JyhQ4bULCMO7pXrsIuAICzoWM9vn7RQ9cVbL3N2rocYiSURhsGuMA47d3QFk=,iv:xS/am6/hLq2sQGB+vMzS6ZqmFr1ZOIDj1l6b56nVMhE=,tag:erNYX6U4/uSlSUBpN7kKiA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/configuration.nix b/nixos/machines/kaalut/configuration.nix new file mode 100644 index 0000000..82cb306 --- /dev/null +++ b/nixos/machines/kaalut/configuration.nix 
@@ -0,0 +1,100 @@
+{
+ imports = [
+ ./hardware-configuration.nix
+ ../../modules/mail.nix
+ ../../roles
+ ../../roles/vm.nix
+ ../../modules/vmNetwork.nix
+ ];
+
+ # System configuration here
+ services.mathebau-mail = {
+ enable = true;
+ domains = [
+ # lists.mathebau.de is forwarded to another VM and does not need to be listed here.
+ {
+ domain = "matheball.de";
+ allowlistPass = "/run/secrets/allowlistPassMatheball";
+ }
+ {
+ domain = "mathebau.de";
+ allowlistPass = "/run/secrets/allowlistPassMathebau";
+ virt_aliases = "/run/secrets/mathebau.aliases";
+ }
+ {
+ domain = "mathechor.de";
+ allowlistPass = "/run/secrets/allowlistPassMathechor";
+ virt_aliases = "/run/secrets/mathechor.aliases";
+ }
+ {
+ domain = "koma89.tu-darmstadt.de";
+ allowlistPass = "/run/secrets/allowlistPassKoMa";
+ virt_aliases = "/run/secrets/koma.aliases";
+ }
+ ];
+ };
+
+ networking.hostName = "kaalut";
+ vmNetwork.ipv4 = "192.168.0.17";
+ system.stateVersion = "24.05";
+
+ sops.secrets = {
+ # Password for the HRZ API that gets a list of mailaddresses that we serve
+ allowlistPassMatheball = {
+ sopsFile = ./allowlistPassMatheball.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ allowlistPassMathebau = {
+ sopsFile = ./allowlistPassMathebau.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ allowlistPassMathechor = {
+ sopsFile = ./allowlistPassMathechor.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ allowlistPassKoMa = {
+ sopsFile = ./allowlistPassKoMa.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ # Virtual alias file
+ "mathebau.aliases" = {
+ sopsFile = ./mathebau.aliases.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0440";
+ };
+ "mathechor.aliases" = {
+ sopsFile = ./mathechor.aliases.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0440";
+ };
+ "koma.aliases" = {
+ sopsFile = ./koma.aliases.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0440";
+ };
+ # password for https://stalw.art/docs/auth/authorization/administrator/#fallback-administrator encoded to be supplied in the basic auth header
+ stalwartAdmin = {
+ sopsFile = ./stalwartAdmin.yaml;
+ owner = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0400";
+ };
+ backupKey = {
+ sopsFile = ./backupKey.yaml;
+ owner = "root";
+ group = "root";
+ mode = "0400";
+ };
+ };
+}
diff --git a/nixos/machines/kaalut/hardware-configuration.nix b/nixos/machines/kaalut/hardware-configuration.nix
new file mode 100644
index 0000000..ce7112d
--- /dev/null
+++ b/nixos/machines/kaalut/hardware-configuration.nix
@@ -0,0 +1,30 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ imports = [];
+
+ fileSystems."/" = {
+ device = "root";
+ fsType = "tmpfs";
+ options = ["size=1G" "mode=755"];
+ };
+ fileSystems."/persist" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=persist"];
+ neededForBoot = true;
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/boot";
+ fsType = "ext4";
+ };
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=nix"];
+ };
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/nixos/machines/kaalut/koma.aliases.yaml b/nixos/machines/kaalut/koma.aliases.yaml
new file mode 100644
index 0000000..9c2b1bd
--- /dev/null
+++ b/nixos/machines/kaalut/koma.aliases.yaml
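Review bot: The `domains` entries in configuration.nix spell out `/run/secrets/...` paths by hand instead of deriving them from the `sops.secrets` declarations below, so a renamed secret or a changed secrets directory leaves the mail module reading a path that no longer exists. Using `allowlistPass = config.sops.secrets.allowlistPassMatheball.path;` (and likewise for the others, with `{config, ...}:` added at the top of the file) ties each reference to its declaration. The three `*.aliases` secrets use `mode = "0440"` while every other secret is `"0400"`; with owner and group both `stalwart-mail`, `"0400"` would suffice unless a second group member is meant to read them, which a comment should then state. The comment `# Password for the HRZ API ...` stands only above the first of the four allowlist secrets and would read better as one comment covering all four.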
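Review bot: In hardware-configuration.nix `/` is a 1G tmpfs, so everything outside `/persist`, `/nix` and `/boot` is discarded on reboot, and this hunk does not show where the mail store or the age identity that decrypts the kaalut secrets are kept. Both have to live under `/persist`; presumably the imported roles handle that through impermanence, but that should be confirmed and recorded in a comment above `fileSystems."/"`. Separately, the `pkgs` argument is unused and `imports = [];` has no effect, so both can be dropped.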
@@ -0,0 +1,48 @@ +koma.aliases: ENC[AES256_GCM,data:YXHv59u9hHbkXH9s8CbDmP1adthMLiU3ijCIg/yBfXvwtzWUY45un3D/iP8aIEB31PkfVtmTYcbsrJRU5brPgtev28U9DsTc1UrLdUW7YyAgo8xN0nyte6Qxdv9OfUVmwTg4tY9Tv7WmjgpXuIx2sRglfn42X3S4tVAmqzYNrg==,iv:3PM0wfq4lFG1bV607cGkZ6QgznRk8iLMQ55M/BMMJAg=,tag:npKbdQ4esykcjMcYEVHR5Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBS283ZTdKVTVLaDRDV1N5 + SGhJQjJWdXJzc1l5OWtCWVdueTJMdjZpUjJzCmtUZFRYR0JXTW15Z0NyMktEbW5w + dkk1TjF0dVQ3MlFhNUFTbU0vMFdySWcKLS0tIDZPQmxSVGYzT2dDM244ek95dk9n + SnhtQWJic3B2YTM1ZlE3SHVRSjl1YVkKgUXW7JW3WSM5EusBoxQMsBRGwIqqi7Lo + DgWLq/P1rruuqRAS8hl4cht3jz6PlCJgVh2xpaM/kfkFS8ZuhVFw4g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdmcyM3hSUFdlM25UUndu + RUhzdEhsakdEdytBUGRyRTFXRzdYK2RBR0dnCmJqOTlvYkZkeld3eDYvRmRmUU5u + aHArR0FkZWRtT0hoNTZpS1JmaTRHencKLS0tIGVVSWN0NWQyQWdrcXdQUnQxUjdu + MWFZWVQ3RmZZS3FnRkJPdDRrOTZrWG8KVgFqfeBLw5gTBKugfnC4a5OLwOhosSgy + 3hXbGMrJiBDwOS+70H3L+IwiNSoJ6mL+ufShCTq8wER2L9GTteI8gg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzamM5TDVQM0hnZklsbncx + SlBMM0NpcnBBai94czV5WE1Md21EeE1kVXpFClpDVTRqYm5rWFhjVjRPQm1IVWxW + WTNlZFo4Y3VVNjZhckZ0RFVlQlV0OEEKLS0tIGJOR3k0OUorYTNXL01KQWJBUzVD + V0xidWR0SnBDM01hRlkrTlY4eEIrc1EK1Hye/jrQebkEDQ8muJpgHqBLefjnEJPF + GxdANetJLuZeeiOUjaUcbP6tecqZpiWN8fFEXrjNL4vnrHvJ+bR1aA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqQURCeGJBYytCdlhrWjF5 + c1ZrbEFENDF5bTNMaE52SE5CS1dVdWJCNlFzClZtK1QxOWY0dEVRRWY4MEtlZ1N1 + eGlaYXVLMUJiUi9FckdNcllBRCt4cmMKLS0tIEZuOTZQTm9vWHQ4Y3Z6RVloT0VL + OW5ZQWIvU2x1OEN6OW84K0dqRmhGNUUKOA3ugnG/ZD7m1DKrFjpZ8opPnjPtLaQx + t8qgGuQIoX6KeUb+YybRAOAPPzl51/m9GSUB43Eanm/tVJpdaew7/g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:L29+n5e38RVgVT71y96EbrboHZigbCUvv1gZ+uTWEchOmB8+pgamKhF/m3mpI1iauKtkNlkcS7NbtsEhbLumEHAibJ1H2EZdbWKB53m0RZMCWdZKV+49DenLjROljWMC+mXs0zIir+ts3mhD3ORhQZVBgs/svfkgIyPkcl0wHaE=,iv:ipUpydj18/fgFgwoD0NDjmwLXM+vfkC85I3uvmG9GLE=,tag:sA1UVTquN7cbWAMh9vF5cg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/mathebau.aliases.yaml b/nixos/machines/kaalut/mathebau.aliases.yaml new file mode 100644 index 0000000..57f20a9 --- /dev/null +++ b/nixos/machines/kaalut/mathebau.aliases.yaml 
@@ -0,0 +1,48 @@ +mathebau.aliases: ENC[AES256_GCM,data:byT+/1+e9ca9WPakGluQQnYeEzMJYTiQ4DxzyrB9y0FGmJuwRwZsErgBmxjPDrT/yU2K4q1/f47Oij0NpPLGvHctJ/Lkvyj7q0ovbvKlypOQz13Zr5B7csVRtKbXCEPw64Rk7iLWnWSjku0aIXmmol3ajRPaiiqw/iCnkUtjWpvJEfrnsdOh/zwgSw7nE6jUYDL7FsbJgd4yqi/zOTtDcRXM6cxsKWoOr2Ei5YGwxB6VWwiPJrJixj4yrQYOyRsocyjFHFsmFKV/8M/2yOGC1ojUOuLr49JQ0Ux3X5GaRC9mH3UFVc8XdgkdlD+L0QLcz8g10t1Hmoh7ApGjUYfMINjj+EXBDn4STnmvBU6dyIhRbq0xZaDiVR2NPZHgfmXpbek024iPV7gWB5DGGAVKMIzx5lovdTBXNVRijQX98LQE8zlAHNXaMhih2Erltt/MY66hVJZY0nRCc67GE80Xg6/vtleKg7grUfIXZFcJVlE3mEat3aLAlmZj402s1p2CHD6uD4roCOxkKMmHVV6uQ7KE06Cnmv4jY7wz5jp1zO3AY4ezeWhCfyFB4LIIBoZCjNRvINr0yP8l2B/hi0RXw/HUzNMwINqgE6lgvqdXKleN1cwj15KTpqpVSqjnjIl7KbHsgAqa0/OPeL9S60aXrAKKocUqjgC31LrtAdfHMHDVqukV48ssKN0F7XhOZzEnq1yVBQkMmFIM9l7hDZfXnn7ePgPzZyKDV59As2qvndFOX4+mqb/WlAxoV34bB7Cs40ob0/braOwZxPXvPtdfA3bdtSalOuYrAIUmB2ixpuBCZhwG6PWM1gtlJshjgvWk3AS7UyGCGMv1AhfpkI6UoFc0Lai9eeHu1ro0DeM9W8r2qlzluMAfjMPjST6z5zg/2HltGfDVwM0xg7XDcTFMK+mhWdNJ0SOak+mgpEukLZaQvE0LRS7IGuXsLI/MX2A483sL2anrkL5PDlMbqgJgl4SIA0a6QeUiO6+k0Sc145+KidetdBNx8ZFRr0bNnIPdszaEXLTeIVbNil02d7e9MAx2i96FsZILSGwoAWXbTRUmDwH+axlBKwAwxPHPTVtCjoHx0vsOw4SnVdDEI24z1VbembqDZFxg9CFu2hN6IQBsW0wGD+gltPPD2PFL4m8RuKui3L6psINYd90J7p4Dq/3vzW6iOQl2E0frxCpZyzrKLQOREao8pOol0aDJk9KcVAmuBbuHxiDzvYS5k8sKJhK/8zlMn8msIwvPTzcLLdB0Vu+6VCX9jCNii6Qzh5BS/Rn+dumLxaRZ17zbf5aiaXuSxSTmiZ55yBDScj50jW60r9N348o0L3+EIuuhWt5EvHAqhFhjhDdwFQPVfGz+QnXCahVrf/T8vsgwp1mXPEb5Bk6XBRm6CFR4q9G0GEm2WiRZlx3LEVH59ovRvpaR75Fwvucdqz1Lv+7cCaHVss9L98ubOW2GRTKi7wH+GOHMDdDvw8DJAdEysQ0dTnO03mv58cqXuDYE9/NZvCByCqpBQ+gP44F78/CsiHfkEIeI+wCXvz3MW43v9qvYQT2kUBDZhBrW7tfsx5amKdozYsE/KMmoL4oB3XOg+f/KPuMXdY/xFH8rOfUoPhJa9LyZXEPDfySK7baykcC7Jejtryxuw4fjgTaGhCi8ssCt4r+4vjV2NugrMcPsKFgIPzzj/4nEqPsZTvXC6Amvpb7e2HJ4PQ28o8yHaKZUqlzoG6bGZ6KzVZ1hqoHHqIMRi0wnSnYV8DwWo4ocAEf+xjTIxRb5PTCYk2KBxBx7lmmdIyobLk8t5i5ZcSc1U0cIxQJUaDvbpnPcMsyFpYHRg5cFpD7O1q8KFdi8XvCkqUW27EPwTK/GEBKMwnsB2UxKJM0czgtgERBsjubMLdFAARqar3X9VCmEdLIAUHYWC20zehsnA5P+eYgY8UQJ/Uy8o9icTOyz
dDXkU7gUr55VTCmFUk1v78zBLBlbNhNu8vUw6YFfmYp5als12tijsTV/yYIhv9VeggLPjwGYjNXsduuh7s8Frm/hdea7ZfTiD3eU1TlrSm6TUNCenz4DiyaTpWG9fWs4Dy922w9gGg9ui57/aG6GUrFLbP44FtL2XvP3VVWNcF/o/EUMZXuZfcKbH7DP2mncwOe+W7F66vqD6NR9kLDDKVdhfFsVrbNhG5V7toV42pfK9jXHO2I9r8MQ8sUv0cArcEolLNDCZCgu7vaCw9NWMk2zYMgnyTnOKlK1Us2T9kNjbSwrEWm8zMyxgFFLle5lboP1DdOYd+5Hw55Z9Fm0y6WUrxWkCwUUlA7PuepPcN+nxQWaxx3M6OQLd0VFB8A7WsWIHTN3nvgXrbLFkNdJrH0DD3dIYTWVfy5s/xbOyOHjPjyeR9NzKYgildnoV1oTwp1RzfPFPv0s9mKmKWx5CKqhEECeb9UfFYTtArCZIoxtoMh5UYFjr2F8OW6eAuNfZp3r8N1TBv7t5h1ToMoaRKjMwFuUYOC1J1X7drjPNiBfHHRt+Z7ba1jEnv99DYA7yQ1BaYcR4WPwBSbuRx33WkHlAigqH9fSB4cDa8mspt8W0DcCX5KjgpNG35LZvIn4PdPKwkMg4InumNEs8MDudL0h6Vaw44iAA0HdSW5oK1qQICMyFjBiVXZmpS8TkXOzHsIxEbw5OdWozVUAAUbmr0ZCcgZLWLxmEqkob+PNfxtHlGv+YktIEAbI0369X5ur1yfEN6I3UooInVuN64Uro2evUAqeClqtCXiEoaoe8sN1iecf9xYH/Z5rBhsnPyhMpj+eOQSYpfiZEsRjHekAOM+3HN+VCgtRpNtwAL2BqKMbYQioiEFTS6jJPuLzQ5gffBYj8LwzEUVHFWF2Cz66TxxaLh+TjEk1mpka7SHDLQ5RyQEsryTzKo7Ngg2dIcx8KOzhAt1h25Otl/qtFPnZi6lIwIZNPNsdmZsLErxBj8WOx4BNGKvF/xqSvZx6vmW7GjGrZGm/9NTqZWFlGQWS/e65ij63xTZpD035N8ihKhnhFQ6chqfz8XOkvRM71oTooWUMPtNdVbcusQ9ViI/3wmE0XQbRH9LW5dWIYRwy9XFJ4Y6e0qv9mTvXfo9I9iBFzDz9Suym8VqhyynZNeTgFoRz9/rJ6HAA4huPgzs7P+0UdlcbDsYyTQ1NSx3piXvnlS0kyZdt2PjGp6uRmF/ikecqmvcJ9rHy/d1j52T0gfVE25On54RzjB05uzO3RU6BLwY2GJNky1nPIs8wFJT28pExNXSQsley+zp/COrF3Nmn64pTSgkHWyb6x4u755IeUTVK/RYxDfwtqfjmVaOjQ6ZgvM27F9OPoMgjy5+KkwTIuA/y7lnM3xw8kChS37Ow9v3jQ5OyBdXgqqBeba90FsKN+LmRxxXHq9l9417toaOfZddrGpAVMec3J7yTRRpQ3WoMuvG+NKKMWSKH4gxwyJUbN5PL0fSDiuDFb/If8SZseI+qBDfRCr4uuXGmb8gUVIKmMPnJpqmF99Lrqn8Y7w3sil8OYhi7qJsTzq8BMgokzR7bqZdHe/kZze1jAwHYCQ+nw6EshsUFvALTD4Hi3n5L+QVgWnFUthb/NT/z4JI79zdGGOrSaljmHD6cNQxuBXp2EOr6dfHge1G0e0h5Up2L/KBYxZsn6shckMM/Xekr7Mi9PSt9qwUyM5xDbi1PjgD9gbF6nDm8AJ0yLtEoW17GIsQ0X+2SG6jUmLdAFroSRVAAtIBRVRTS7vliyNBig7KHZL3Cay52EIq+EiNhOCo6scraT9wfM4+aqGU+nusJyKCLs7HkaIs1bkqm64W97Yb20Bgtt9CZ6EbzcGoeJtBHkQIwW9QyTVyGMzRmZuuNolSLWIilgkXotWYNwez+00XDdC1qaKltz9yg/kKE41C/T8kN6YrwkkNpy/APQKWYCK2/pMEZW1RGBTKSd+haM5Yyfc9OQQYpKtdC
ZXdkC/CYkDE2DpKtOV23QbcruNzExm+obpJHXz121gS80CWyZIUgNVkm22hhF6u0pQ+g7wWRgwwtFTx3g7nvsv+41/t5Tc64zwOWfnCHDoLv1pAto/yL7aSJSqpDDhFNR7l4XGDvkV7oyIEmPXcCDDYPPAOucsdfAJMHxcl68vpfzXPZ9JgA10qMe/7yOlv74tX5JoV9xhji6+HQRe0sQ9dN+igoAF14kiU6uWAVsDLOznhaZC0fdFyG0DY7g6hF7OWXkgeJEbXBnwhT1Gs3xsPS8LqZ+c/9kspm5kttKuXrAEXdyPYT1IliDgNNEZtGkc7dvNJ9Md5msm7AGchddK229Bek01DQO5rnR76MqdWzIHd/Ad272iQfX90UJAh2IirePVdOPQ9oe8/X+3ZMaHbyL6a5MlGJr8IVBJzClu4/BdiaKJNjmE+ULvU94Afazw+F4nbayhF9KwKydH/0WBeACI4iMAFvTetJ6zIjiNvvbHKBzTiPADYN4qp6rC0h9BfrtmA9v37/oSmyVl/1IzjWzbeHQSpqwvtMef4IpTl7WpuB3xSzknloC5dzC4sk3sJwZ/46hhmZiQ7oF27upDLB7ReoTnkgQjKw2AlhDW/P32m4GErXFkUF905NlzfhqlWmM7wlFGRTGMICOwXDWRz9G7dHRPuJ5LFU0sb4Xwt0TNkqvl1UA0FeAqzF4TkxYlXr+tUNAhoCCL5Koupm+L56jjkpljdRKYyXt3aTVo45dCZMi2dBheUjUXQjA64ko5+04haWi607NuyBl183bDqTMMt2X9I6ghK0yNq++1hAeVHpSAEbW0knebLrv/KaMcN76nDenCPoAAvaiDrYAtFc/lvofsBHg9YuUBBUHpZF4iY611iCHNvsWh4VBe4yrnPfvGdgBxrJDvGpBs3w/8MRZweUGifsWwjt1+257Zt2TXvmVkuVCogKXMajFus58ZJs/FNGUkMMrV/jMbc5V3XjhlThFKDsNuoUPvUYv2qzv0HybwVyiIL3vZ2rMdOv2JKrE1ftsDxsXFGJUrLPjy1G/5mgHENh+oA9TAQu0Eo8HEjpNhdyFsuU4ImLl9UHtj4GVsLBrxNb7hsieHVwGfMyPBVjDZ774Vk9YaotpgcEDiNUO+YqTIA1xcPgQxnPXbbmupSvpP7oAvZbi91bNdioeiZGV66RUdtnsSeg07wBph9LjIE93AKSex6WVNtsif/YPW3M3pvRGXPpCB/mqrowwX/fzAYA5LcNCYbOwhwSFALEiy1htU1w4ujHmHqugsuWEFPQL08Yjs+X2emKzCpoVtxQN2D04WvjAH2LDufk8aJddj6pGpN/6VO7ZOttjuv3nwjvQSUqQVtuZb738joxRZII5SOYOHeKIPzB9RAPOxkYgH5EYUqA/ZZ3/+f3yhf4NxT4cL26wzSS4bI9sXD2oUI5JglOM1nKHiUy89sAqNswpkkBXTfSKLPL/lAFz1kfCLveTaldfZGGmHAqNxgb+Mlww2bMd3RzvmOovuoR552cb8QyekRTPCzgIqKVTKyn5tRrlaP4cSIYCU/EeArywCKMkXNEhUK/ZECTQIFvinqoMdfNAO9XrAQEZZroJScaYe0ODItqofjEedMvKA6UmA/AW62xyifiquftsg4/o7gfnSTbqBxcdbKATxCiJCnYy1eqeJBZ651YHyQcR7bpHewPhu0fgBPXtl5/vbcZPj9BpSZzPiro0gL4eCn4tzRl+8N8n3LYIIJaBmWLpk+lXCZsoH8rwCO5wAZH9024m/3MJ2Y+LkDYF53T76cLyps+g8Pj8L4lkF4bNjVb/qKZAZ786wusZBjehFhZPwwR6wM5E+FcUlHi+gNr+WpcR74apKsAx8UDeed2LrEgZUJ8xyUBPCRZ0UQyKqPhVmP/RGZnFBU6qwsvjT3CRUuYvlToLjxkydGrkCwEjF+PzjJsMgnkphNKmQN1nRTEuSiPGy32fO0Qg7VlDlO1x/tcgZErbvKRgrRve8L+
gPvWMxEXPdbbhJfhxj5N8nG3/+lhmvwFIVzOra3d6EvzgxoWsyvg6H7zELrEM36gSE1Aeaa3HgBQCZ/k2/BXO4Ua4d40vLaG/bWVMbhzOaTASB32picHyr2FwyoSEdDqMt2+qgrdVLm3pUwl6pZygkJ+7EWYaSnf/0Fydt8+C/QHZxlz0Cv4h+H5rKGlerJu0it4hgw0yq4miaXxtPPEdnV1WF3FkNENO/RjVFOQHQeDz/C9JYKKulgw7jg1zdBe8HyYdkMf3VZqkfAf3TP+jN9lcTkPcWVkRZjJYN5dG/jclBlCE1S8Vtc1AQztlrbF76kPeVRCd+vkMmjkVi0RUTuc/M5o9TAxYZTEa268eQyZGnD/YylOULeshfvgWztm0qjexpos7l5lLJihvH+H7itYGqsJPc97PN2WDHGqM2jeZibonRtY1B//YscwPICWqaPWw8eLgQ3G8/WM/P3SFKNWtQNISaciYnfgadCEaKNr9DlNF7IjHJVon1O14AcMQ0u/wRs4x/y4yhA7+OjRKLwEIynXyajSNRkRl8QrljAf+gvShDqGn0qP4oVjI6BwRdvn5ZD71O4uIuN92xXzqNXpW45DwbcOUr9ntWDe+80ayFqRmhbIieyVniWJD2Rhd8MLBWGCqlLbtEY8WHFQCB8E6xznTMnMcKtO4Utvq7RDXrvxNBP1VfEw7Xs7tPBJammdEugx2JnLspMUsYW8zpt7c5dGkOihzqvWBg+gEJK8qW1cfmYsY1uw5Tp0wkjK+Ui1/0yJ5vRtBqJnyqYLzGfaU02ty5TReKZd9JZ430zwD1o67KM+HbvQqLijsIt8e4MYY43CS+9TAPQbjRzSmUBSSSuJdzii6Mrls7RDqjhieOt9zgI5jBLSQfu9YUotXsgLP9mZ+xwlX9SEhT46vcJTJz+EPGiJEMwIsThTWlZNHf/JtD86ArcTHy3CGY0MZTjWHByxv7wP9zZNWxEmfTUd4tZoPP2KgT4tnqOJisL4L2mYvB6tPeM8RjFmDGAjnphaawKRghRI97C7A2J1omMT9ON+hvrG8v2ku6z8hnFTb9CWJHDP1f38Y0SGlA+vy9Tv/bECToEBReux4dhJMLug8vMzluLPTtsugVEfwHDA8Z4d3Js+aPe3p48h7wiK+gaRCKPe3s/jL4fisJLlnoiUEHpk3N+1aoefVUEPuMxpt36kdTY3rP9FkMU72deMYUNw/ARMW5RKcJOfv1C6+ctlIUvNGUppaxDOJupy+V9HkKOFS8BgtPy10NDhV6ukKIjKyJBpMVGIUqVZvSSHhn4lxee2ZXw7cpggnIx+TB9cT6MeZ99Li5z9gvGHpj3rYWgF2KfmtYUXYoOM+8cpOVmd8igb5bfc5alcQoOI2OdgHUDq06FEIHRF5uQQpFQ2suEV9WnhA0c+Pa+mLPBwazM7cRTi0BZFVcafRzRP42ybwdpYG1H5vUKmpoaGVY8c1DffcRPLjvW5Dvz0AOcWU8j/RSmEONBggf3APp8V713Hx+nD9+tn+8Z1GubOUEUgATtioZhDG6WwKN6ti4XL8b4l62aviSGhZPD98B9fsmshci1aUMUHTwJWSX1NzBMGly2GFax+OgOSyN6ymsowRTNvymKdQlKwQKqLR/0PvEewr6v3smGbfFhUQVUQmV8vr/RG9QWBWo7kblj6ucklIfsuZOCji1xXjSx1/L4D/tm6JVqeeactI5baMcLRllyG0n545liqzJAMkxYibRGXY1U3E/brmUBE2pWM8a867o9EuY3HvB4CM3UNh1fejUylZmQLfWFOB9Fva6jBf9VBCEg47SfF2A/G1b8gZ0kOe3riwOW4gdredh5v6HCXZB/h0AyZj3wK40Vj6BYaKDtGiiWAyXw99TIDPSBNGuMRdJ45Hc6Ot3dDO/naoPzoMFtZEBj4Jku788ZIkVEDeYholKSj/Yu6jFFcfexkVPWw7xm347LKS+ELgjbQ2/Ff/D97/zKMuwyUcD32VHv6
KTTh5GzxPVcaRI51n7SBmgydPkxG6Xu1ZSGSutk8/5x6DuYhnOUQpmB0nUpDKMQz7AWQ6wlqyyAYwdls16Tbhi+RRTnvovBLR+GpqwCG5mPXwC4rL9eQZ4tAc328XIrLIyjI+JPD3rRc1uFBHluLAftyE/RDWz+XtFxR01/9ri7MZ1I7JyGArtav79tMrLMLx/0emFbgRws+yCzPUPSbkeb+0tPd4FsChxWfSyCgLunzxXwDFQI5M958E2VWMCDKL1hTHWEj7sOqwcij+Rb2sBTA8vU45Jbi5iBUCxwN1Sxr1Lb5UMrN1Ks42I4JP7USWUN9PW2OcAofBH/pJKRKYntn/QxuJhEKMvWTFUkAaSh2lf74IeVgoHxZLqcgN857JfVSQZJ93xToMe6d8WeGO/zAkCdJ66VqIFUOeeHZ+ohAISZ0hTQQPisCP438L/1eTwyoDuxzs0jyPMdaZvz5iwd7BfJBlYPIh0+ACT4EG0w+flkUj3pnmarMB5phF15t4wk3ClH3hxKq9QlQvApKKtxnwLjI17JIbHbc94eIxo1UC3yFOZaWkxf9XVZQ3hG8ikw6b7zJPIENnA9HJ7KHf43Ux6gPQGUOy7Nsrg1QHHewCCxY2slCFV32SRUbAJRzH53UomwCRB0ESobReSdqJU+uT9OFzMIcR5UctAeLpr1NcidkArevFgVN6IY10a11vHV31x9fZn1yauZjxkSpV9y4BPXkGxIt0ASkrviDBBQaYy8w81/Y/Uy/meF3ZF0J6285uhfuHpfhskZrc2jYVaIyeeRAyrNqHIKdrTGuDnlV3L1Tr/AZRI9EqBC9yanLEt88hlPtj6aSgBPmtRAELAI3gZIY9IWtzsoJ8FLdzABSNjnrAIX1ge1mCs1jCsX8jWtCFlpk484D7ydjoAP/dgfyNvXPuYzhWA2t6THZjcF3+I5E8rP91tHauIjKUGhtQ1QDHx40vr+InElNCboZyhN6lay2NFUNIU6Oq9X5BH9Fs3+Mmjb3eShm4SzcLx2OhM0/5sBrEuGe7SG6JVtagqHsmrTImSmqehl9LIlRbPiDtI5emEnCx+/aDYJJd9NGjK63KrL5kIZ4JBozJq2TQvbkbHFw1OrJkZcsPIfVnokd9W5s8T9ufvaGMLdmQoD2SFJUdi7fimm1jMxiQD3qtqQxaMg0fEbxXrNW4MP5p92n9Cnn/dFLiDoEufPHV3UMdKdRws/wmwQlbeZJXyzK+G67jkxk1TFoWOvUXzAsgTU+KMPBoZopexAWRsntfunfnVaucFvCXmQ7vCBkPCby7Rovx/tESy1x0ZCjNblz/yYSsMm9aj0vu+oJgRQ7pbRv+1i2psiITm6bMQ2cMBUvNWYHOItqnnSQBXHubZAF7rsWUKb0rZEGLAAQbvIHpFUI6FmaiM0bwHnIC/xNs1Q3JGDdgQnrGa/+g0PpNKROdF377MCBw6NuNnntUEDg5rKWKkWmUtyfAPD1hhym69VbgT1IWuEbaim20XHuAmpc0owVa5zhYfVlmQiEzPyoD4onFVFB/nG2WxbKxesTwQio6FBlbCYIwxtj/jPuw+o3wIMqO0bcAqE57U9GcyyJjBCZbGm+exeGx2pk4MxlwO+SmBPINHrh3pUQH+OEvEgeTlR8UN9ZV/JoZbDN6fkNSxr7zoCvsZaCraQYdkg4wJT1Fe3S6ySFqrBYFkEgYchCJu1xl6reuFqRpV69SqjqgQNuA4Z9PTKWj9Nla5+0DRJFh9XkjLfY9YFt1TArLXsjMuUwjiSu4SwX+WePJIune44L/bxeOmmfbU0oNhHNwHZNUzDWUP6nbmB1lch0uqUBUfddC6nhbez046nFDu+Am1Iy8LSKVhmL4EakfNtV97x8iZhQoRZgvj7zdGiRi7jPlzz9VViFIjJwTt5kcYhT/f+7VVkb8FwF36vqVjvzG/+2p31SWkEnNxxrgXXxUsda4W7WxLzC1Dojbd6QrR9Bd6rugIKRbFYiINxiB4us
ei7Bmn7VwXMcrNuF5/JXD+5axGMMEPUf7toX69rFArl+VoLlWmfMpja3JGN2JLfknntZ88GkCmzIKZUYAFM9QhvKSeXCxYtsski/IZK+KU8Xdio0ak1vO4FCtIIzN0xBSR1Ve2dUu4UpOYsklHJIULKu3SGJ4Ud8gLYc1ZWlyYSVRCinF9CRQMSxbx3NTA6kOHxxTezJYzNV4vhqwOPRCPB08lzmr6irOEuXss2tTiP57j8F2Zi5eYspQ1qBju+lhB4szOK5r6jmZXLwy7IZOep5DO2X7pWbYRjSPz4YCZNmGiVSTbOPowRWyfMh4njzz09sZpigopf9cwCxcAe2RrWKOjPjsJAdwtyRHffaq5QRo1shcxtFZnOAMn4CuHcgCQbawLadBnRAcigOq1NM/NbGgyDUI5L9Fa8fvX4zsxQ0ItR3RtVyVXcHuZSfyS+nZEcyIz5WTveDLDIXzodT7IrAQBg3Z3b9/tWoq0+RgMO/Z7hq1OloMw+tZvg/zvLrR/vwRFrOu/+gNggnMZpmfPEZsdSKqhKdOCvp+denOFyISj0iDKbF4Wak8jw6sujWIRzAOw3KfK4kFYQA4bl0o9iwyTXNwZGaY2/wbkKHDPissXzBhCxdtfzlaDajArDHVASQQI/3cIBjFSKLhlZkOmDV00Ob23Ukq5+itMB8q3kCXKsVEJgxubBFGFX47aaLZY5BHxSYgHixjQnHDOV5QLge/vEPz52+S2U5AgG4nEWTrjoZj8kdXGv5qbRia3Z8VQBqlHjlBjlyAHnFxEqd1iN0iK6dpO587AFlC0My/+087cMb2QQ/lLXxw3AaRsknIS5TQZqkwyJS6euiegVwHXA4041bnovFCCQCN/dIpSOPo1mYPkAOxSWP7xc9We4p2S2qigQuos1OQ8bBlkOS/bq5aTjNCZjJ0e/eNs3bZ+mmLlXxSL/aAFZDIse8M5HhxZMXRyA/OMheq/rb0TtOv7nbETKuB+ddTET+TfTsmYDK1oNBmf56PLAnFcl1VMjoyaEI5Wu0dNhqjorXO96rDOQ+8YL++c5tMDecXPDdITKemRsEoNC0uY+CSSDNDlBGYGahVAmnbKpoOrM8bt4lXp+kigyixvKHD/lLGE4pluNbku0oRZKfnNcogC75zpyiiP4qlHtVdjF509uKbe7hGY9hsr+afJsJ38V5XzqHYWPiw/9YeI44wX0jCAoJOxM2037MKmffo1BTvN41X1CIWyrYxxdeAf2DZN9B/Uuzkb37Nu2dyW7juuGKc9qrxaXrPSYwXtvFV+8kMkOMGtsc622YDoTlCmvtPCb/Wze3Su8EXeI9lCLXTffhsKAAivc7maJ3Av348YLiJ35nvRYl84V2H0l22KDDOILjFupdywJZad4pcqwaoqOe5wqi00SYMwlBcw3PZf74Tkq0xFGh+Gj9DFFJqnAbYeq//TQ7UQxcYoWXJcKmGCkR+t2mQ+KnRpx3I7mMMbjrIckRg/bHeoakjIjyS+yF3CRYWqpjX/zeJ8ggC2nVXFGYY+biwTb55eUb9PxioePc5q0+aI0jrGX++R960ZguUls3mT5erLnsy3NYUwexHnsl/XkpzVeQRHbW6i3ST9mqxs546mRNbCchcmYwpwKYIiFjJsIVb/5e2jCton+TznVGlZ902DWwUq1Q0lFZ5VJ6KrSazy+Hms0PvloXhz9r2zNtXy+Zp9q7CCwli38/y6AnkOWj0UtlMBHoIxxFm8ONf+uS8D62pixYUJmD5AZlraggnZ5uVhqCK7ORfZ8l+btsWdtcmb4wUqyjRRCzqZ5Q9eabXDYVA1eTJlgD1S+i/WuBIfTStt9FE3Gtoqe8hwhS7vW3Avg6DDMEVbjh6bOKFsbLtGhpuQpq4jh05jWbQ8pzlNL2Gk09luAUnvJA5fTlM1OteAA1y/pLsJMikkkhpww4BEqtxYq8Gk/rmMnwXni6Jn82wGDRHEoB7O3G4mN8ZV1m20q+IVIfHnRufjjFx108
ol11/V7zRGu58cGXH7sLTI7wtgBDbjD7942j6HfkyTN3ibDUXZMQQYMOfrLBvQCZodhLlbi35ZmJF1i+DjLjNAETqspEOL4Cwzac2gM8WUuQ/XD66YuC3QW+Mm0H0AL1Jaro/MExNDlQeAe8meZSyQu1gHJh63tRFlx+63NmnXsygkVSnJ9S2NfQsnNk24CSsv4L9KVa1+JK6q0nFa0gjM5wxKzzZy9cQr/aXe1lnaDBw2n9idnFh/EQUtA2rrlyCJPzWXIYl4JHaV6HjrcmwW7gL+xsvw/rKEWzXXqnZ+HMshrTKp+O3c1wqs0O8PTbFpH1UQAZvBQ07pWua5JR8LBbXGXziM96+oqxJTNw93AV/iLfkUsf6cMeA+xxtqhjZxK8nd5V2hnAPGPAgy2A40sy+RCWJm4KA2XGjq7Mr/YFlI9e7b56Dj05qad6aDBLzRVxYG3s+mREiILrBuBdqyAkJA06IvalbeatVc+/U+w9iJdH54y9LT+fa/PFoNqPzXv5NNTf6OueSzfb0e5MugTUpdc86pUWYvGkMaNztn4Ox8Cemt6j5ki4DERGB3/CjAtmR673Vm4Oj2+i9MIBvtIfDHs9ahBfCnJfU+5AxORKt+uMQhq1SUS9SZ6OXoLu0hw5V/ev17pFpnBEboKN2OtHiKT/RCD16r9tNN7ysXe8R6IqoWj36xpm8VLtX29JKeN4uopERxg4xTVKKAX8Vew+i2i3gpO0nN+vVE2uo1zN4JcjYAWd8WQrgCIgIbfqbsCJI9IUOoWtKU+Gdv9emr6eNd0CRTMIG6q9LCF9RTE25aZkSdYJjNCCilqkGyFK1lE63+FovGkIG0GFBseHc9/Cvw822iFt4dG0DXlk2HKk/9g1foVMgdthmRqFXjKLMV5oAtVJAr+HvwNWo9I53LkyIGfv1vFbToZu/hwNrdcpjQVOFafCJs/SahZA4SHCuqCFSelrocW4GY+RcllvGGrKzKMMbgkLJsAlELp7su8YL9IaAef7J5TTkNiCMBLUYcqiq3arrOsSsoUy1A/d14TtOEeC0+rqq6jQroMxGZ6DhltX6QYHb2hSrKqeKhdlVcEHkuR5O0jskszteNkmkbLLTT0urpQ9K/QfGnri2Dpu8ZCttOoZTu2fZxu9gxGm7ZUVZ1uy3GjHrBqZUdEv/xk4pwuL2ZlSdPJXIk9Lpv8yPar+NU+XFCNtqECcv+121Zze/uhA3OjDIYIXHJ1TcYnUVQc8sAvGF3VDLrZ4ClJtn6iUxHyVoCKFdmuzX896tQF9VWnR0NXGA3kFqXWP9eakEmgHmhl55+8aUeZmir5ZSUIU5KQdWI44wjslv/d4PLvd0y0nNF3YlmeUU0OLfMIgYaekip7b4Qzd5w2xdAB7RxlCIkB8RwggiYn1v4U6/ixXSa6LOqgsQDKROc2Ewm5MSqcvpZ+7B85H0iR8v/5SjxRGWAHtZgxsksPCr3VReZALXxuj+mpcihYG4sGt03KaHXQZvqIPfnW8Pq7fKY/E03pdNrSZ/KcbK1KFsiyQ4CyZCokdaUtj/WJCkQ+WMjZH26XEl6xVsfiFAyJEYccNRb0iiXg2jqzdQ9P/C/jNf5voRbgbzL5X+O90VI+0VpIPPY+hkw27ziFyeMucl/MeHyL7gjd1rm7PvNipz1YwxHo1qTVM7AuRUuwC8ORPuUaNpBbh6g2dsyzs4uZAl9HWfyOo1Jp6fDIVFJ9lMZ5jsbn9qjihpV/+ispc0Kwwj26pyPtpxHKXdFgUIvaneYxujdevEHFWyHNrV+LmB3cQFUPrId4tGcKt2eqqrHZ3pjPvT4IzOgusBKH6Hw456B/fKtMGcBhPEvjcJcXxyvYBACLA/PZVLLAUZjeSq1uBOBjPWH8LtUX51a0ry4xMZq0Zk99sxMgFGCAbI4BQ5DpkuHvLWH5wZ6Kq3fxzPrWzbgmVMLaa7tlsYpLB0zYGAv1p4TGKthZqgSp3fxuyXnqN/AaRmUbR3qMFjr2Z
F34Lpr2mXrob5SZSCOKXyuzCprktgn4pjdSpr+iVbI/Z6hIiFKPbKt2QA2kVi9KapZar/zLyu7173HYJ8wNVybHCCOoYD3jhPlxEP+2bUnL5z+PNdSF7wA6FYa2saUc5svOD0acnwTHIdfJ/+FViLcE9eMhzcFOWma9YNtIpfJRhS1wDYofqLWxygaN0l9eX/7UoBuDvT9+005SD4NUgIwxPmoJbS6bgdc2L/4gY9eSuu09QDK4XU+cJejhguLugizfhOQtRrXgPTf3Br6qQAGdAcyoRloq9XICJwIympl3sFYzvoaImz5d5hT/3Cb6U6vAzmmywlZpns0HiNJzXOO+QObkmcxhqNokyA2EkajFrnoZ8oLChVcylIqD/0C3A/mP35T2AhfTNk7oHq7L4aCH7jIhK2QdLnBBGGJVGPWJd8ixYudh9OKHORK4EWPGtA+HlD76Hj4MUhxonQ2KkiQ5bfGBdqlC59LAEgD3THuv+TAORa6tE5kjih9hNkre2WxEYlvYp4Mwx/cNP3UjOZGHxnYnkR0WEzplDhtF8fjBCHeeEC1KFLbSH1KIMKs7dcz0eliwSytyBeNKYc3iqTC7nhMK5mQ6i9tG7yo64XablQokeu637FdSy8h5hLOOe9KpNllJZ6BFrpl8Dgfu/fdvdvWJg7ezLedu/dfYg4f82hxtyopyb8DjSRlkMRfEdOtoXYomZ035gH26yB6042YJwKX1KZMTWTgGMhezlWifzdUC5qhRNifwUNIg8oK22vh/lJ1rLjoUSmzS7ucOGkjIVXUjKr35GMuifERwpkjLxMtqMtd+be24VW9UnkKVO0E6h1lZBFdjyPJGY4aSPJbMt0sz7o5EvoLHlKy7/S29w8c1dIFjY9ms8OLTbwNSRNmfaEV1lrV1h7w5CqQOO2YjTPqf6nDKiI0lRqVhOAEt+I9WWqviu9QFMAbGzDb19FzpDwVPsME5myRfDMsW8o+1eEHaNJ9m9ugx+Og7zj5GsSPDHecnO0xlqbBtGBpGESWbHfpEGw3rrE89UUPpbp5XU+KLcD4wBzH3wSZ3HszLd/ZSQfsIOYg0naDF+juyu4k4l5i+W7LCtOFKXWdGk0wLirFJJxx0BLuEv3x71AVeAGg+DdwGMTP2FBZYISRjOOS1Gt3dx/3oRWFc5ry3PjO+eM/TIVzsUB0N5L3ZrQhVdrtt1kAPdHoDgDJGPlMF3K9cpYJPOKTQR3cbtMdVDMOLqqPagmBuEnChzOxbRthgmBxRrwoMEKKULj1FWA9A2XvsBcRLS2iNcHc/Dc51SjoIg8bUkHoobCQDnQU7o1PLH439cJRJ0wxkbFWp9OmlP2OQ1SCbK6TRqCoKPyHr7mhVitC7vpU2tHK8F97u9lnMmoeidtQjz0ziKPgz9yw0FHVi7hz5GMf9vORwipNHmHOitjPl828zhBv2DVwUk6w8lFVsknCQPMLBqx2ibqiaFHSb9xEYrfEsC0dOI+df6rypguaH/UOD/FB62kS0aTfw6k/9KCfmY1Ejud85S9rqs63DcR35ztt9oPzj2/lVesKkXWBAwqYr/Ge5LIjVwqpsYDYm5LPqK5DAvuoXnxYa+uFgySARfZRbdj9s6/MoYVo8rWxjgd9ylI/E9Yj0GO/zfFh6EiAIJMJsriWtk6pTPT2L5wAiPeZXdEGl+lSlv55uy0POT818asV1YYadXXjanSLOpAzrVd9gFvdD4cI6wcQFCB/Vrr/L+iawUuA9WMS4bJRrextciTgKOFu3zrKyJvBX/EaF02qza5y61Tbq5KA33/CwkD6iUTyG3b4niSHdMNdEO2kmbK6SqFzfj4JtHLbC9EarET3kSZFhnzOnxwcTg4jRhbWwSGMAiSj2EU2I5Nm4SZIpNI4kZ89/8g1TE2iITYgR0EgG8QOCkK32jrwykOaB5HcLYvZoFm3qGbaez73+vNLJXsgqtiOtqjJSyHfxjLzqi4wMZRe+ZINPBr4R/H4LpubpNk9Pa
Gp46VKlm+NxWvBN4ueDX5XNwfDkHtH1hdQDWVLKrvUgqXC5T11sidk/k/KyxD4vlTokVV3O3LhnqyEFZ1iTjwa8qlqDKONUUosW+3SA/t+v164bMSFfXhuilEGBnftP8EDsJUhaIwO6Iwolv8XQwUtyCJMDiZ2rffS5lqVOehOwU+/TuGtEnErgIxuxVaYFJbf5GNuLeN/XCfPKGytR1/iFXHCxDn2k2JFPr48BRdV50d/OH1w7p5wIR2EsrQJHK3rV/YS/QruuzGT36byezvNnZN+MAQGIGv0wNK73CmkSFFOcjCUpDz7p+2GxnD9iY4dErHCacESSzY/14Ln1MplgtqtbzhbBj50sEekJpvfz3X/Pe3Q0fuxxZc/zpm1OEQWTC8E/bIitjPimyyscGtbLSrFmzmGBaIZ0VwtS3eOqpCx4QgDodhsFR3zxC8a3F/JCeia+8xgNLc9MCZKNYOkMX9RtH7Q9GO0r4gGDgIaKzBdZIq8m6J4pDp/LsBdFwXN3259X46qWWpPPHgOIGBdO/EHpLKT9n2I46UwbhwmkciVHQJVeDT/n/sLLls0sc8JzcZJJSLONpxrxTTFWFfFlGVXU7iixOPKiWGr68XC1FBfBGKj/+5O7izTJ+v7nZYk/EhOpNMXXq0E9jHyy5cwp6TZIVvy0XWz51u/t5k6mugicUmPVxVCiUfh5UaFUOybSOA1tmvY15JHQ+4YEJd8S9CPQQIqqA7zdPYKMFq5duKZ6fV6ApqykCICGITwlML+6Ouf1EURkXj5utmMrXjp6XbbzGwg9g3V050bLcNg6gNxaMBiO78K5dl2WJrwCt2Zsv4BJ+nppbkcM9FVVfaxPIxEk8g9dq3KjhMoyeOwE7LhEfCDmxNt+0Mx/jWrkomuhQam22xZJ9LvZaA8mM9zybdPCTHmTKJmUO2rZvHmUvFMXNVKf8dqbfQssk0QuaSKZgq46vW1IbtFYfyFKy7TxKcVFK7wbplehXE9KQfWwvosZL4N4FbTNJCMQ/8K1rbVVpPv5HfjMuWXX17jIkOtaf98Ubf+rt/UU3pkEkNc4XnCLjvV2DIdIWV3qeiVDwuTQrIRJMwIjQb0sNS9ix1ACEaPhKNSKpDlx+B1VUn/eFylz5fNoLHF9/IqKxMXyrcgnd119QBBqUaRfQSWFrMBpyNy/WKphoX7zhdFHCkHZOZdi3FyzkTfMJGKWxUBIKPiHretpIqfNFwvjnPVhajC7I21Ts8snd5UJxNa+b/pPK3mLvH3Ot5YQ+pFzJ+UbTWuwSF/ZLoNKbzmEd/Ki5FddvzFAWP/eU657CIYkSn9JEikJkCJiJ/bqLjYUVF7ILNFJPVeC5hervfqx5KmVC23CWLBWmMtD0CPGlwP6KIh6Omg8h+bXiuNzzx8+H4gRmwWHI+HnrMqcr+OnAzmAVyXL4A6KM6WthVwp1bN3dPygutdtQ0x0yCH9b5Kigbo/4xjPF+JoEduy5x/Ul1SP0YuFY13KLoGggedDwtVRI866Lv5VL6SWkBK4tdheWsLYKcssCwWqbng2FWfNgeq+F+lVwrSPmTUvhKArhxKXTf0OZDoS3eK+7Fep5EnsXgU5bVU9XVUUSIKG9FDig1x5k3mauvC4FFnzf181CgEnxhbixgBjUElm1ZpMewMiYeed5h+dChUjqGeniUm5fWi5HHno4tg3/nKQkua/egnEYPIPD0WzXXM0hfQphVDtomLGJ6sjrB7LIDIzINmC31+ruleCTnDEGfbuTVMcSJXqRDycY6nxCNqlCvmM4F0PPTO+Tss90V4XBwSgYhEprC5fCbizmXq8jJZrrJoS9DZSxu2DV45cHE+qLM/llzETVRBbF34tM1zJi8tKpjZXiQ1jGu1RgegEkZ3OXfTQBFtkSqhfuXnHsy001B5t369N4m8CuVJA42hKyN4ZBtRrO0x9NFD0n3hXBpoL32PqLoe56qbMMizCfkZtZprqE7bkf0dngg9EG6n5Fa3b8VELD
wrza5+TppBWPvdM8X8gLlMsFC+kb5wYbrdCHjdRCM1OH9l7GCpdmpkiCfS5R+46U8mHKZeaLWtAQDvgDc/3NAkJ0Z7EVGtAgegVGpER2HqiIDukQK2/aqCX9trBkjjCEpYT0qLdBpPvtDqOJ6zJn4bwiVQ/AWsT+DAHGjP0F0NtHlzSe1a9LZPz4PZT6y2nyWK2+VZwC2uCJGF38WCG/h5/UhgmcZFITlqOftFBIledGDgxXlw4aCbv7Nzro9cMJ7RzsRKfr9NSFSGL48WwdIitO/HmJoBijJYBahmEuzncc6AntUnWLvEnk0WuP3qcsURoOpzguFpSbGPtMgJPinNoXFAt0wmijGMgauUZI0vizZ5JAK9kJt9toz6Xieg0XYj0EArMMQqN3NT4w5TSahXbJqdy2rEU8b29aZw==,iv:+PtXcxSjm3145ES8+6zexVmn2Hizwo6I5eOS/9RA2DI=,tag:vk/beGSoGSxykzD5/bsJXQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzQmE1dlVQSi9MRzZ1WGpR + dFYzZU8rR1V1VnQzUHB0VnFOckpIL2tvMzB3CnpXQXk0S0JNSkpNN0FMclBOdjFy + cFZYTjcrN2djbzBkZUFmNCtXS3lRM0EKLS0tIFB2V2FoMU5rZzlxQW5SSHhlZkNx + c1BCVEV4dEU4aE5YeDZMRlFyVHYyQ1EK+znjkJ/JuE5VgYUpkCfDCZV5mFmSXUxU + MtByksmGshA8oyk0SH6B+qg07yDh+jRn4gtvnTxxudtqcVf5EX0vcg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0MUhyeCs3Qjl6RmIwVHN1 + cHBQMFEvQU1ZTFE0d0lESXgya3FZRW01cjJJCnNPNGgrVmhYeWhlOTZMYjdyd0Fm + QzJwQ25IOUJOeXpxbC85YlJlTElia00KLS0tIHdHL20yakxaNy9CZmUyaHVUSmxZ + SkZhM3ByQ2o3a0pVZnV2M2lob2xRU1UK14PKZz5blclSkUVJwUFm+A9G5nPD0U0h + AH2kt/kdSxj+0I6uWrD+0KHh8KA0Tgp9Auyv/UF1dB9MoiuQPG15vg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrOVFHcloyYW5OK2d1eXJt + NWxLWitrUWdwd0J6R1phaFA1Z2FUV0ROdFhNClg4bG5WSW8zWTdsWGhQUGFySS8w + UFpjK3dzYjdPVTNsbFg0YVl0UnQ3WmMKLS0tIFhBODRqK25TVWpabTVteTRtSURO + NTdYNkFuSm9xVi9QME5DMkRqOUpJYk0KK0e8LjmPqPQD1FzXyAuoUY1d8u//WHvT + 
S4ijZF8udwPzKTIHd5OiQVfCdmVughKmmRwQEHdFC69fjn6wOqLJhw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUa2VYR0RZa0pOSFljVzgz + TS9aRW9OZ2hEV3pWbncyNlp2c0REZk1GRndvClk5U3l5b0dlcktkRXZBa3VPaWpU + ZmVuS3UwV3RmbzdQWC9qYXpCNnJpODQKLS0tIGNabjdpYXp4d2VyMEcxSXhHdGNr + Y21YcmlWTkJDRUh3czJEUWVGaG44cXMKoibsYSOYv329WNzktBVJ18aGAMXCxz3B + c9938x3U7BCsSatnNch/cTbxPFYt8GhgAXXZb8/vsT9URH+9/K2iuA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:28fB2H6tdToWcVoGFHYRgSMeLwTVj66lESwITzhIkXnZK/5sLdJA+JS/gw58IhxXoO5oUsRgsB+mbfx6IKd5NuU8oJvJhOJi6kkR796gb09pNww/2zlssCck2SmHOJBpPXSZWl6MLRt5pMoU3nCPjESE7GTSBro7MO6n8Ycn8Uo=,iv:JssdLAzR5tv5n1dTpy/nRoOHYZ9Svy67uBPQk4vFLXI=,tag:wuUZqFXXdjdsSbMWIGFv7Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/mathechor.aliases.yaml b/nixos/machines/kaalut/mathechor.aliases.yaml new file mode 100644 index 0000000..55872b1 --- /dev/null +++ b/nixos/machines/kaalut/mathechor.aliases.yaml 
@@ -0,0 +1,48 @@ +mathechor.aliases: ENC[AES256_GCM,data:VKEGY6KVtgKApnV7N2e2cqy9erDWQ2fb88Gwcpp5th/t0VGp16KGDtGiuQXhY80j6dDIcQMd9bLHzqAzc4+i/WhmEPhiXUkGiEKuarMfvqNl1LBlXFCoIrUXMMSIqab9q+fE3ignVQapE/YZt9aniyvg1prcmBcwIy9rDoHkiTY006ux5CM+vX0F60ADX8Nf6Qmn/JncPxXgq2jYsBxjXPj7BwJaair/+nxrbVf0,iv:Elj1NDeR1fdIIjIbjvkV3BmcVAKjwdMfknuNxMXJsa4=,tag:AkXWQ8sTMLsd7a+MfRcF/w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjMlRsWnkrREVaQitsWHMy + WHZFVG1qN25QbWFHcUxNS1Z0SFRDd1oxeG5RCi8wNUhkeWh2VjI4ZGowM1ExaExh + SE1yVGFTUHZadUdDL3pxaGdKTHQ0VTgKLS0tIHVNM2xlOFNNS3dFalJqZUtPODRn + b2NOTHpXSUVyaFRJNG5ONCt0TTVjOEkKYld7KN995QxdrGBVRYgCxO7kGwsiq+cp + iQJTjMdoFygIrTkgE5Rj89/GCiVe0+yAWJuQF7PEnC3cyq0M1g+fzw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPRFJCeXhwQVFSWmgzNHBu + SHlTTGtiRkI5bmhKa1B0QTZMY3FERmlUd0FBCk1vOUpydEFZUExpR2hpWm9mRHpE + dk9MQ042K0FpSVJ3dUlQcktGT2k1VjAKLS0tIHpGRmwzNE01YkV1TW94RkNmMjN4 + YnNXZUlta3NMVW9Cc3V2T0t4R01RSlkKNTW3gnF49BuPwF3jwciOYThJe+gJa0a6 + WKYt+aJuHi0a4y5rS/wfttij+hS5vYVNOrgfJ5bGinkNuAygA2hMOg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6MjZOR1dwb3RjZnlNNW4v + SzJnT1BRVktWNDI5S2Z2NnhQQzdNeS9ralI0CnN0SU9ESEV3ZCtRQmpZK3VZOGYx + Y3FVUy9zY3RZcGxyVmttVzFJL1haYWsKLS0tIENGRW1KZkpUdldOZWgzSXVoenpX + dTVpNUpWallSTzJ3cEZJTXk3c2t1czgKzJCwhMspzAsjzwSRdSPUoseEAsKp8HFy + cL9if92ar68HMHTdoy0Zvy+5AbxKUxgXZ2t8cDgkL8bNG5Ri2xYaUA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + 
-----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNm5xUGkrK1dYd2ZtamFW + NXpNMEtvNTl3U3MzeVNSbVJOdGdlWGsxRHlZCllQVmNtYzBJNDc2Y0dmUlNsbTF5 + RHB4QWZ1VGNFVkx1Q0hNK3FDTTRrUlkKLS0tIG9hbldDeHk0YmVZV2IwMXNpYStU + Q29uVHBCb2pTeWVJVmVXbWpycnFneWMKnDmu5917dddV8vjO0L8OP3wXMjDi46Ro + b9eOY8l74jm4sTxyKNvnkEjD6iHn1t7f8J7HAbWrpZY+J0i77nrzQw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:Xnulo0681LtgH9SZt9DL3nd9bSDH+TCQDvbKdggVBJ66rxBiKmlbu5MAblAWqxbdZ6EelldaVeX9OaL2rYJoYbTWxzw2iuPieldp3Ah3PsTI2C8W+UD9KVHcB+3AMOmVmJZzFlZvTwyfPfZRNNb0HAijkN97P3fP0r1Iqf3YjiI=,iv:vhu38HM4e+PyyChXvI87LWSGtKQQiXUr4MKrI7kotzk=,tag:eNuQD74kUO+duqEXNbLJBw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/stalwartAdmin.yaml b/nixos/machines/kaalut/stalwartAdmin.yaml new file mode 100644 index 0000000..9fb24d8 --- /dev/null +++ b/nixos/machines/kaalut/stalwartAdmin.yaml 
@@ -0,0 +1,48 @@ +stalwartAdmin: ENC[AES256_GCM,data:4vpvxtFa2KiF3ojl+cw3ic/MI7UM9JQCQn76bidYvbW31zgF,iv:DtLAi68oQRf3U69uFK0Cz4qHMkxM6NnB3lVYft/DtqQ=,tag:HYm2mdpTuXNHdQIv2Rkwig==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxcTRqZXRoNTJCdFhQUG9o + Qmx2cVl0TWdaQzZZUThTOEpQdjIxVFh3eHhzCjlHWHhSYmM1ajYrdjl3Nm90TkRh + YWE3c0hJYzdFWXpZUGI0cHBQdThSWWsKLS0tIFh5M20wV2ZZbzllS1BNOGtaRUVF + MFN3bENrZ0tDMllJM1E5MWkyZ2thZEkKfZlUzE5t8K0oHZYOSVItvRJZP2MJlA7N + SLozGlpwCoZKWP6qAqP5jisTG/npQRhcqwkd7P39EytO2HXU9m8sJA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkVldRVmtPUzFxV0ltK0d2 + SHRqbXZCTW5wZUtZM0ZkL3lXOEJmVXdjMXdZCjE5MUUrSEhnWHRSOVhtWWQxdndv + ckUzTFl4ZXM5VHBTRlY3SzVsZWpxNUEKLS0tIEtpbTBhaWR1c3RhSW5nclZvMTdO + eTBYL1Q5cXNvTGkvQzJMWHZHaEZseVUK5w2MPZMquT0luq+tl2owLrrSBx9KPskS + FupcAZTcCo+YsemKLjJ6GlHch5x8Mw98NHS5h1AKxwZYtcfwg3lfbQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUitNeHNWOTVjWkF4YWhB + MnEwWDFnT0wyNUx3VmlQMmZTRmZRbXBGOVFvCmpoOHZZSXRweUtZaHZ6azF2Q3dK + NFBwa242U3JSVjhtOUlRTUZuakhkcXcKLS0tIEN5TGhMRFphdEpvcU5zTmVlTTJN + d2JRc2p4YmpuUHAycUoxc1FuZmxhemcKOgGyieFVS57tsvUtVooahqswYZH0Fi6+ + jxM6Ga/tIM/bZ/qSwYrNlNiz0XHm8/XFH2s8sxypDZ+NHGLs3zGjsw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBERTdvSTZ3eEVNbEZpUnQ2 + ZC85blRQVzgrckljcnZPeVhZWUxGd01tankwCjBCZHdWRnpoZkdRQWdoK0VmOFVy + 
VmpiOFkvNisrWmp2NE1kalB4dUhzdWsKLS0tIEJ6T1FsTFlIMUVWd3FwbEtldmlC + UjFHWHNZci8zRlFXNVpNNk5oSUNvaTQKW9T88GflSysJwqMnBrc/jZVwL/fRdg2a + 5XysXb/dCo4uNxLQit/KNSpINj7rAkf4Pk819DO6SKiIiuIJDXw9cA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T11:43:23Z" + mac: ENC[AES256_GCM,data:GZ1Q67n43WU3fDQd6SGsD2EZgoaq1mzh5biy42cx6FQWlveK5lhb0F2HUuWWv5zSHKpslEPD6odvkQmMNCRY8NsvT3+KBAnHHU0aHzM9AEV27cDL4x6oBvO52EMxsNCMm+fXPD1CubQxfbfvx/aIuqb1sovgKGgwf4u6yqIrHJ0=,iv:ExX+ySMXhF/c1w2IP7y8mdlcy8W9Zxiy6X67b2f4AeY=,tag:shxQJdaW3HsG6sNY+zDNCA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/modules/borgbackup.nix b/nixos/modules/borgbackup.nix index b552c8b..9889238 100644 --- a/nixos/modules/borgbackup.nix +++ b/nixos/modules/borgbackup.nix @@ -76,6 +76,13 @@ in { path = "/var/lib/backups/ithaqua"; allowSubRepos = true; }; + kaalut = { + authorizedKeysAppendOnly = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcAJkEXcvrDEQf1zRhBXLe1CSHOTooM3qy0KMfS9oug Kaalut Backup" + ]; + path = "/var/lib/backups/kaalut"; + allowSubRepos = true; + }; lobon = { authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEptjf1UWRlo6DG9alAIRwkSDUAVHwDKkHC6/DeYKzi Lobon Backup" diff --git a/nixos/modules/mail.nix b/nixos/modules/mail.nix new file mode 100644 index 0000000..d024b62 --- /dev/null +++ b/nixos/modules/mail.nix 
@@ -0,0 +1,301 @@
+/*
+* Building: For some reason, stalwart is not served by cache.nixos.org and thus needs to be built locally.
+* Be aware that this needs some hours, about 12Gb RAM and a few Gb free space in /tmp.
+* Forwarding mails: Update the Sops-secrets in the machine directory, rebuild and deploy.
+* Everything else should happen automatically but new redirects might take up to two hours due HRZ infrastructure.
+* Using the web admin interface: Set your SSH to do portforwarding of some local port to port 80 of the VM and
+* and use your personal admin account or create one using the fallback admin password.
+* Create users with mail boxes: Go to the admin interface and create them.
+* Stalwart mailserver docs can be found at https://stalw.art/docs
+* DNS-Records: Collect the right DNS entries from the management interface and copy them to the DNS hoster. Caution:
+* Not all entries are applicable since we relay via HRZ.
+*/
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit
+ (lib)
+ mkIf
+ mkEnableOption
+ mkOption
+ ;
+ inherit (lib.types) listOf str;
+ cfg = config.services.mathebau-mail;
+in {
+ options.services.mathebau-mail = {
+ enable = mkEnableOption "mathebau mail service";
+ domains = mkOption {
+ type = listOf (lib.types.submodule {
+ options = {
+ domain = mkOption {
+ type = str;
+ };
+ allowlistPass = mkOption {
+ # Password for the HRZ API that gets a list of mailaddresses that we serve
+ type = str;
+ };
+ virt_aliases = mkOption {
+ type = str;
+ default = "";
+ };
+ };
+ });
+ };
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = [pkgs.alias-to-sieve]; # install converter from alias files to sieve scripts
+
+ services = {
+ stalwart-mail = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ server = {
+ lookup.default.hostname = "fb04184.mathematik.tu-darmstadt.de"; # Because the DNS PTR of 130.83.2.184 is this and this should be used in SMTP EHLO.
+ listener = {
+ "smtp" = {
+ bind = ["[::]:25"];
+ protocol = "smtp";
+ };
+ "submissions" = {
+ # Enabling sending from these domains privately blocked on https://github.com/stalwartlabs/mail-server/issues/618
+ bind = ["[::]:465"];
+ protocol = "smtp";
+ tls.implicit = true;
+ };
+ "imaptls" = {
+ bind = ["[::]:993"];
+ protocol = "imap";
+ tls.implicit = true;
+ };
+ "management" = {
+ bind = ["[::]:80"]; # This must also bind publically for ACME to work.
+ protocol = "http";
+ };
+ };
+ };
+ acme.letsencrypt = {
+ directory = "https://acme-v02.api.letsencrypt.org/directory"; # This setting is necessary for this block to be activated
+ challenge = "http-01";
+ contact = ["root@mathebau.de"];
+ domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"];
+ default = true;
+ };
+ spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding
+ auth = {
+ # TODO check if HRZ conforms to these standards and we can validate them strictly
+ dkim.verify = "relaxed";
+ arc.verify = "relaxed";
+ dmarc.verify = "relaxed";
+ iprev.verify = "relaxed";
+ spf.verify.ehlo = "relaxed";
+ spf.verify.mail-from = "relaxed";
+ };
+
+ # Forward outgoing mail to HRZ or mail VMs.
+ # see https://stalw.art/docs/smtp/outbound/routing/ relay host example
+ queue.outbound = {
+ next-hop = [
+ {
+ "if" = "rcpt_domain = 'lists.mathebau.de'";
+ "then" = "'mailman'";
+ }
+ {
+ "if" = "is_local_domain('', rcpt_domain)";
+ "then" = "'local'";
+ }
+ {"else" = "'hrz'";}
+ ];
+ tls = {
+ mta-sts = "disable";
+ dane = "disable";
+ starttls = "optional"; # e.g. Lobon does not offer starttls
+ };
+ };
+ remote."hrz" = {
+ address = "mailout.hrz.tu-darmstadt.de";
+ port = 25;
+ protocol = "smtp";
+ tls.implicit = false; # somehow this is needed here
+ };
+ remote."mailman" = {
+ address = "lobon.mathebau.de"; # must be created in DNS as a MX record because this field does not accept ip addresses.
+ port = 25;
+ protocol = "smtp";
+ tls.implicit = false; # somehow this is needed here
+ };
+
+ session.rcpt = {
+ # In order to accept mail that we only forward
+ # without having to generate an account.
+ # Invalid addresses are filtered by DFN beforehand.
+ catch-all = true;
+ relay = [
+ {
+ "if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de'";
+ "then" = true;
+ }
+ {"else" = false;}
+ ];
+ };
+ config.local-keys =
+ [
+ "store.*"
+ "directory.*"
+ "tracer.*"
+ "server.*"
+ "!server.blocked-ip.*"
+ "authentication.fallback-admin.*"
+ "cluster.node-id"
+ "storage.data"
+ "storage.blob"
+ "storage.lookup"
+ "storage.fts"
+ "storage.directory"
+ "lookup.default.hostname"
+ "certificate.*"
+ ] # the default ones
+ ++ ["sieve.trusted.scripts.*"]; #for macros to be able to include our redirection script
+ sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script
+ session.data.script = "'redirects'";
+
+ authentication.fallback-admin = {
+ user = "admin";
+ secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg"; # see machine secret for plaintext
+ };
+ tracer.stdout.level = "debug";
+ };
+ };
+ };
+ environment.persistence.${config.impermanence.name} = {
+ directories = [
+ "/var/lib/stalwart-mail"
+ ];
+ files = ["/root/.ssh/known_hosts"]; # for the backup server bragi
+ };
+
+ # Update HRZ allowlist
+ # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/
+ # will stop working if no valid TUIDs are associated to our domain.
+ systemd = {
+ timers."mailAllowlist" = {
+ wantedBy = ["timers.target"];
+ timerConfig = {
+ OnBootSec = "1h"; # Run every hour
+ OnUnitActiveSec = "1h";
+ RandomizedDelaySec = "10m"; # prevent overload on regular intervals
+ Unit = "mailAllowlist.service";
+ };
+ };
+ services = {
+ "mailAllowlist" = {
+ description = "Allowlist update: Post the mail addresses to the HRZ allowllist";
+ script = let
+ scriptTemplate = {
+ domain,
+ allowlistPass,
+ ...
+ }: ''
+ echo "process ${domain}"
+ # Get the mail addresses' local-part
+ ${pkgs.curl}/bin/curl -s --header "authorization: Basic $(> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need.
+ # Post local-parts to HRZ
+ ${pkgs.curl}/bin/curl -s https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${domain} -F password=$(cat ${allowlistPass}) -F emailliste=@/tmp/addresses -F meldungen=voll
+ # Cleanup
+ rm /tmp/addresses
+ '';
+ in
+ lib.strings.concatStringsSep "" (map scriptTemplate cfg.domains);
+ serviceConfig = {
+ Type = "oneshot";
+ User = "stalwart-mail";
+ NoNewPrivileges = true;
+ # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
+ PrivateTmp = false; # allow access to sieve script
+ ProtectHome = true;
+ ReadOnlyPaths = "/";
+ ReadWritePaths = "/tmp";
+ InaccessiblePaths = "-/lost+found";
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+ };
+ "stalwart-mail" = {
+ restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed.
+ serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script
+ };
+ "virt-aliases-generator" = {
+ description = "Virtual Aliases Generator: Generate a sieve script from the virtual alias file";
+ script = let
+ scriptTemplate = {
+ domain,
+ virt_aliases,
+ ...
+ }:
+ if virt_aliases != ""
+ then "${virt_aliases} ${domain} "
+ else "";
+ in
+ lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map scriptTemplate cfg.domains ++ ["> /tmp/virt_aliases"]);
+ wantedBy = ["stalwart-mail.service"]; # Rerun on stalwart restart because forwardings may have changed.
+ serviceConfig = {
+ Type = "oneshot";
+ User = "stalwart-mail";
+ NoNewPrivileges = true;
+ # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
+ PrivateTmp = false;
+ ProtectHome = true;
+ ReadOnlyPaths = "/";
+ ReadWritePaths = "/tmp";
+ InaccessiblePaths = "-/lost+found";
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectHostname = true;
+ ProtectClock = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectKernelLogs = true;
+ ProtectControlGroups = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ };
+ };
+ };
+ };
+ # Backups
+ services.borgbackup.jobs.mail = {
+ paths = [
+ "/var/lib/stalwart-mail/data"
+ ];
+ encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction.
+ environment = {
+ BORG_RSH = "ssh -i /run/secrets/backupKey";
+ # “Borg ensures that backups are not created on random drives that ‘just happen’ to contain a Borg repository.”
+ # https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html
+ # We don't want this in order to not need to persist borg cache and simplify new deployments.
+ BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
+ };
+ repo = "borg@192.168.1.11:kaluut"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33
+ startAt = "daily";
+ user = "root";
+ group = "root";
+ };
+ };
+}
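Review bot: The Sieve script that `sieve.trusted.scripts.redirects.contents` loads as trusted is read from `/tmp/virt_aliases`, and both `virt-aliases-generator` and `stalwart-mail` set `PrivateTmp` to false, so a fixed file name in the shared, world-writable /tmp decides how every message is redirected. Any other local account that creates that path first either supplies the script or makes the generator's `>` redirect fail; `mailAllowlist` has the same pattern with `/tmp/addresses`, which it does not need to share with anyone. I would write the generated file into a directory owned by the service user, for example a preserved `RuntimeDirectory`, and turn `PrivateTmp` back on for all three units. The directory name below is only a suggestion, and it assumes the stalwart unit can read /run, which this hunk does not show. Separately, `repo = "borg@192.168.1.11:kaluut"` spells the name differently from the `kaalut` repository added in borgbackup.nix, which looks unintended.

```nix
# … unchanged: stalwart settings up to the sieve block …
sieve.trusted.scripts.redirects.contents = "%{file:/run/virt-aliases/virt_aliases}%"; # generated redirect script
# … unchanged: remaining settings, persistence, timer, mailAllowlist (with PrivateTmp = true) …
"stalwart-mail" = {
  # … unchanged: restartTriggers; the PrivateTmp = lib.mkForce false override is dropped …
};
"virt-aliases-generator" = {
  # … unchanged: description, scriptTemplate …
      lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map scriptTemplate cfg.domains ++ ["> /run/virt-aliases/virt_aliases"]);
  serviceConfig = {
    RuntimeDirectory = "virt-aliases"; # created by systemd, owned by User=, not writable by other accounts
    RuntimeDirectoryPreserve = "yes"; # keep the generated script after the oneshot exits
    PrivateTmp = true;
    # … unchanged: remaining hardening options, without ReadWritePaths = "/tmp" …
```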