diff --git a/.sops.yaml b/.sops.yaml index 7967e56..bc5cfc6 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -5,7 +5,6 @@ keys: - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4 - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn - - &kaalut age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a creation_rules: - path_regex: nixos/machines/nyarlathotep/.* @@ -26,12 +25,6 @@ creation_rules: - *nerf - *gonne - *lobon - - path_regex: nixos/machines/kaalut/.* - key_groups: - - age: - - *nerf - - *gonne - - *kaalut # this is the catchall clause if nothing above machtes. Encrypt to users but not # to machines - key_groups: diff --git a/flake-module.nix b/flake-module.nix index ed6f894..c30fff4 100644 --- a/flake-module.nix +++ b/flake-module.nix @@ -1,8 +1,4 @@ -{ - inputs, - lib, - ... -}: { +{inputs, ...}: { # debug = true; # We only define machines config in this flake yet, so we only include # the module that builds these. This file might get fuller, if we need to @@ -57,42 +53,6 @@ _module.args.pkgs = import inputs.nixpkgs { inherit system; config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"]; - - overlays = [ - (_: prev: { - alias-to-sieve = inputs.alias-to-sieve.packages.x86_64-linux.default; # add custom package to convert alias files to sieve scripts on the stalwart machine - stalwart-mail = assert lib.assertMsg (prev.stalwart-mail.version == "0.11.6-unstable-2025-02-04") '' - 1. If the bug https://github.com/stalwartlabs/sieve/issues/11 is resolved to our satisfaction, try to remove this overlay. - 2. Check whether sieve-rs recieved new updates that our patch needs to be rebased upon. - 3. Check whether the sieve-rs patch below that exchanges the dependency needs updates. - 4. Then update the version comparison in this assert statement. - 5. Update the `cargoHash` by setting it to `lib.fakeHash` and then inserting the result. - 6. Check if we can get rid of alias-to-sieve when stalwart-mail has a builtin alias feature. - ''; - prev.stalwart-mail.override ( - let - rp = pkgs.rustPlatform; - in { - rustPlatform = - rp - // { - buildRustPackage = args: - rp.buildRustPackage ( - args - // rec { - cargoPatches = [ - # Let stalwart-mail depend on our own version of the sieve crate that does not have some “loop prevention” that disables redirects to the original sender. - # We want to redirect to sender if we simulate alias files and not doing so barely prevents loops in my opinion. - ./patches/sieve-rs.patch - ]; - cargoHash = "sha256-fdOU2W/EtkBk+1VmNMkFZTGbwBTQQRelrheVFhiUqlg="; - } - ); - }; - } - ); - }) - ]; }; }; diff --git a/flake.lock b/flake.lock index 8d97402..dc1839f 100644 --- a/flake.lock +++ b/flake.lock @@ -1,23 +1,19 @@ { "nodes": { - "alias-to-sieve": { - "inputs": { - "flake-parts": "flake-parts", - "nixpkgs": "nixpkgs", - "rust-overlay": "rust-overlay" - }, + "blobs": { + "flake": false, "locked": { - "lastModified": 1740490964, - "narHash": "sha256-05mpcJZCX631rNCxJohUu+nhVOlAc3EfcNPBzOFSHMo=", - "ref": "refs/heads/main", - "rev": "c37b6ec8654db4c6e3d79acaeeccb577a9fb66ce", - "revCount": 21, - "type": "git", - "url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve" + "lastModified": 1604995301, + "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", + "type": "gitlab" }, "original": { - "type": "git", - "url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve" + "owner": "simple-nixos-mailserver", + "repo": "blobs", + "type": "gitlab" } }, "flake-parts": { @@ -25,29 +21,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1738453229, - "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=", + "lastModified": 1727826117, + "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_2": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib_2" - }, - "locked": { - "lastModified": 1738453229, - "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd", + "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", "type": "github" }, "original": { @@ -57,11 +35,11 @@ }, "impermanence": { "locked": { - "lastModified": 1737831083, - "narHash": "sha256-LJggUHbpyeDvNagTUrdhe/pRVp4pnS6wVKALS782gRI=", + "lastModified": 1727649413, + "narHash": "sha256-FA53of86DjFdeQzRDVtvgWF9o52rWK70VHGx0Y8fElQ=", "owner": "nix-community", "repo": "impermanence", - "rev": "4b3e914cdf97a5b536a889e939fb2fd2b043a170", + "rev": "d0b38e550039a72aff896ee65b0918e975e6d48e", "type": "github" }, "original": { @@ -70,74 +48,82 @@ "type": "github" } }, + "nixos-mailserver": { + "inputs": { + "blobs": "blobs", + "flake-compat": [], + "nixpkgs": [], + "nixpkgs-24_05": "nixpkgs-24_05" + }, + "locked": { + "lastModified": 1722877200, + "narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=", + "ref": "refs/heads/master", + "rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2", + "revCount": 593, + "type": "git", + "url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git" + }, + "original": { + "type": "git", + "url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git" + } + }, "nixpkgs": { "locked": { - "lastModified": 1740367490, - "narHash": "sha256-WGaHVAjcrv+Cun7zPlI41SerRtfknGQap281+AakSAw=", - "owner": "nixos", + "lastModified": 1728492678, + "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=", + "owner": "NixOS", "repo": "nixpkgs", - "rev": "0196c0175e9191c474c26ab5548db27ef5d34b05", + "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7", "type": "github" }, "original": { - "owner": "nixos", + "owner": "NixOS", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, + "nixpkgs-24_05": { + "locked": { + "lastModified": 1717144377, + "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "805a384895c696f802a9bf5bf4720f37385df547", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-24.05", + "type": "indirect" + } + }, "nixpkgs-lib": { "locked": { - "lastModified": 1738452942, - "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=", + "lastModified": 1727825735, + "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" } }, - "nixpkgs-lib_2": { + "nixpkgs-stable": { "locked": { - "lastModified": 1738452942, - "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1736320768, - "narHash": "sha256-nIYdTAiKIGnFNugbomgBJR+Xv5F1ZQU+HfaBqJKroC0=", + "lastModified": 1728156290, + "narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4bc9c909d9ac828a039f288cf872d16d38185db8", + "rev": "17ae88b569bb15590549ff478bab6494dde4a907", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1740367490, - "narHash": "sha256-WGaHVAjcrv+Cun7zPlI41SerRtfknGQap281+AakSAw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "0196c0175e9191c474c26ab5548db27ef5d34b05", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "release-24.05", "repo": "nixpkgs", "type": "github" } @@ -146,14 +132,15 @@ "inputs": { "flake-compat": [], "gitignore": [], - "nixpkgs": [] + "nixpkgs": [], + "nixpkgs-stable": [] }, "locked": { - "lastModified": 1737465171, - "narHash": "sha256-R10v2hoJRLq8jcL4syVFag7nIGE7m13qO48wRIukWNg=", + "lastModified": 1728727368, + "narHash": "sha256-7FMyNISP7K6XDSIt1NJxkXZnEdV3HZUXvFoBaJ/qdOg=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "9364dc02281ce2d37a1f55b6e51f7c0f65a75f17", + "rev": "eb74e0be24a11a1531b5b8659535580554d30b28", "type": "github" }, "original": { @@ -164,44 +151,27 @@ }, "root": { "inputs": { - "alias-to-sieve": "alias-to-sieve", - "flake-parts": "flake-parts_2", + "flake-parts": "flake-parts", "impermanence": "impermanence", - "nixpkgs": "nixpkgs_3", + "nixos-mailserver": "nixos-mailserver", + "nixpkgs": "nixpkgs", "pre-commit-hooks": "pre-commit-hooks", "sops-nix": "sops-nix" } }, - "rust-overlay": { - "inputs": { - "nixpkgs": "nixpkgs_2" - }, - "locked": { - "lastModified": 1740450604, - "narHash": "sha256-T/lqASXzCzp5lJISCUw+qwfRmImVUnhKgAhn8ymRClI=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "5961ca311c85c31fc5f51925b4356899eed36221", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, "sops-nix": { "inputs": { "nixpkgs": [ "nixpkgs" - ] + ], + "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1739262228, - "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=", + "lastModified": 1728345710, + "narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=", "owner": "Mic92", "repo": "sops-nix", - "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975", + "rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index e8ecd99..b4b5593 100644 --- a/flake.nix +++ b/flake.nix @@ -2,10 +2,14 @@ description = "Description for the project"; inputs = { - alias-to-sieve = { - url = "git+https://gitea.mathebau.de/fachschaft/alias_to_sieve"; - }; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + nixos-mailserver = { + url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git"; + inputs = { + flake-compat.follows = ""; + nixpkgs.follows = ""; + }; + }; sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/nixos/machines/kaalut/allowlistPass.yaml b/nixos/machines/kaalut/allowlistPass.yaml deleted file mode 100644 index 4d60823..0000000 --- a/nixos/machines/kaalut/allowlistPass.yaml +++ /dev/null @@ -1,52 +0,0 @@ -allowlistPass: - matheball: ENC[AES256_GCM,data:4y83ZJ4=,iv:+B1hTSGs5cskmUA9gLpRHPjhxzvwOrplB+lIbNUKtz4=,tag:ZsKA2A4ltbI3px1Z16EgvA==,type:str] - mathebau: ENC[AES256_GCM,data:ZlIv0MrCVtsyF3t9Gr/zcg==,iv:ZdBlnx4/zQZjT75ssB0osfDlWVerUe6yvwbMxlXpHZs=,tag:ytlNq7zP2WtPafcSQFZ6RQ==,type:str] - mathechor: ENC[AES256_GCM,data:d5KyoD/P8/j+poJSGF1nDA==,iv:ayKtvj4EEqUtMLi/7njbxuUql1A58WNi729svHtZju4=,tag:JqWoxxMN5mVN+gaQTmBv1Q==,type:str] - koma: ENC[AES256_GCM,data:bB7px1n5q1+++sctsmIMJg==,iv:DIJGpC9+JyFv3SU9dBVLdnEkRlZzY7DBRAL4zXSbpec=,tag:WaZUGvYtm+5ys2RsBNILog==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpWW9FZHEwejRaRER1MHJQ - VXgyaE1GQmhhNFh1dEtBNjRnZXVqWm5hV25vCjliank4KzFobEZtbitzaXBhT1F6 - cCtqeVorS1BLMmMzZkVVOEN6NERFdDAKLS0tIGkzUUt1NnBUWUJWTy9Pd2FIeTF0 - cDVaUHowSEpoRjR3Zm81Z1p5NlYzV1kKMRvC7+3TS5EKjWg/NPnbwvVIikxf+Bpa - zNo9jhw3GREMScBXOiarm+xgMZ1e2SRrLrUwfR4DiXI4uvg1Jk/tPg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRYk1LQTVDNGhHWXJZSmsy - NEZ0WTNlek4yVnRwL3BKNXYrcm84SzIvNlRZCjlDdXU1a2NRNUVHZmkyK2ltZ3pE - bmtmVE5TR1hBcVNhaTBGK2F6VWZ1d2MKLS0tIDVKcXhDbjBncFlsR3FzanRhWWQv - Um1jcExjN2RWbHhzY2ZpcWVTWE1IbHMKfRSAmfbk+JDWdhSTSg9GZ+lws5DOHv9T - ZO9nQV37X9zFD6sXDWaspG3sf4kJZUCbWjCTKyQL/xmh4+E8+CAXYw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzOXBwTUF3ZXJCTFJOQjVC - bGplRDRCQVhtUEJPcnhENEF3UVVnbmVKNnprCjFOZW94ajI2d21RamZKT0xFMmtZ - ZzZFYjg3WDBmOVhlaFZyOW83M1NYVXcKLS0tIGltWUJGczNJS0pWTmxaZHU5Wi9t - TDRCdStocXRvLzBPUTd2blZFV0IyblkKjufZg39n/TI6BhGhIFNz4jplUx6u3/bo - NMbr9uJy/I1sdlfGNaheG/TIGOgFG1KqGkGdwpisU3gUD9uMUo1dvw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdDdsdW44ZlQyMzdJNmsv - aTIzVWRoSDhzamlqTDFOemZlc1JQMFdZbFJNCmVZbDVVaDBSVi8yTkdOQ1UySy9X - MlhXTzRvNWtqUzQxTlNqQ2RlN2J1OXMKLS0tIC9aZEZMVkFybnRTQmhpM1dzc1lt - bDdvdHc3Y1NmeE5WUzl3cXVRc3pmOUkK+9WueS1wDQDJlenec4jJCfynbPnuOFYR - HFsWmvEZJ+XhH6N9Q0phCHQgZGiR67FH6CHkCblmb6ZfZcWSEe1oTg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-05T13:49:19Z" - mac: ENC[AES256_GCM,data:i7t/Hb5aW0lIvPLk84geQ792uUGP25vX8FC7kK/3H19tz5i4zsIcvl1d+oB5gJ004gP5pRogcuKL1xHUUl+A0UXXNzRpxc0BBVZaxnIhjfPunORbmZeJQRP298tQpvYYqI/pGhjrlit37U9jecGf1l12Cgv97sGW42d2F+S2Soc=,iv:My21fMF3SEr6mg2+eh8KA6B8tzmQVEDy2BG3hfkafrU=,tag:xdU6j8ti8Z68rbiRxkj7Pw==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.2 diff --git a/nixos/machines/kaalut/backupKey.yaml b/nixos/machines/kaalut/backupKey.yaml deleted file mode 100644 index 3727470..0000000 --- a/nixos/machines/kaalut/backupKey.yaml +++ /dev/null @@ -1,48 +0,0 @@ -backupKey: ENC[AES256_GCM,data:4ZN6V9ihkUEyz1pih87Xi2OPvfRdx+TY9nvw3CHG0vUeWavxLD8MuzEVL2xlI3A8X1F+KgQ40noaVL5qcq+SENGSdhHJaxzxc/oGN++k5C3b0FuyspI15XqIPjXWu/ApRpPktSrr57dbiQfAUtcg8E1R0Wn3uJxdFnVj9iQjnMzy0qezZbp+8UpEuFUqi4ZsQddltf12HxAGyHcedddUhEdE7bCZcj5/zSiEvXpyp1Ta9naVWnD6KkkVcB3zou7vCjwFKHf+qKUFPC70OCUomXF6scjb47iGexLNQIwaRe3+BmD4X0WFB2EM7DedenKh7SvRdYh25yYR2SzfSb71Aj5JwVi9TuuyhJvlXsDcwERPkq2R7VgbvVqYVVfjbtDlERp11xZzuEX85Pmvfh8rEkVCNfW2pqm5F+rmvFQ4KpwwMvnVEKXvasOECiGq16sp2Zk/e5cOIX+IlqgcY/GW6hBKs8CROxi0w4qCstfyFB0KxS0dGlarvhDJ2i5Rkx9RRP91yU/8QzqNRY0ixJpB,iv:ReA4k7S4F8NBE0VBCy9ks6YZJiubdUdP/AhEwc0kHaA=,tag:zagxPVYKQhf/tdK3tJFa2A==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSGRWTEd6TVAzWjk2cHRn - Wkg1NlhxNXVYVXpDdnFiWmJSejE4SDhuZURFCklQWUFiaHZvbkZ1T21aZHNuME5x - NXN1ZHBoQzU4RUc3Y3lJVnMyRjluckUKLS0tIDRRVTdwcVplUFJmajkvWEZ0UlFJ - ZWpXTzI2NVhldnRrYnFybzErZXBQaVkK4hi/aksGcLlELTUPjJPoVR518z+Twt6l - RCFOnLsmsRu8/pigphbGMjOxYPsEsEpclU2vAobL1H3nPE/uKt4t/Q== - -----END AGE ENCRYPTED FILE----- - - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByN3BGN2IvdkhkcENJZEJD - OStNdWw2Q25hSXZHcDczRnRUd3h1ZGhDODA0Clo4cktoL2FUYmlkY2JJZFp6bkVS - WHdFeDZxSEU3a0RBMmI3cGk2N05hb0UKLS0tIDdDOElueDhPR1pxVEdmaTg3RVgz - eHVGak9sRkEydjdiam5QWHNpRG1hTnMKWqSIdNP6yMw6xoPqmK9Lss2Ztb72T7+l - bK4VYCnyuuQ24AhlVHLZdbRbk4Rvp2V7bCTWwTNamrRMJieLMZwt8g== - -----END AGE ENCRYPTED FILE----- - - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNmtkRGlCTFYvdEJWZEhv - bXY5Z3ZibjRjQTV2c3R4OE1JSXBxeTN4Z0Y0CmU3aUVNN0NEeGgwOExvOFRDc2Jl - YlQ3dDJtQ1hvSHNFSzNyNGJMYklrRzAKLS0tIFB0Q21WU0hkOWxLajhRdlZaMGFN - OTYzMW9aMERGTVdXUnBZM0hxSzBWYTAK0k+pyltKHe6FfdYPqAQcax/u5r1JKP4q - C8qXIuAXY9FI4mV8xyuRZEIDr5A2y3hCCilieGr1KGkAwBZyZhQy4w== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZStjM25VQnQ3Y2d3Skxs - K3k2NU5yeXUwT1F6SmNUVGpPVDUxeHdKZ0JJClFYcUIzazZ2R1BIbElWS3hCeHFK - cjFRY1pIL29YUktiR0t5bm5wT1JzZ1EKLS0tIFRPYi9veS9RZHhIRHNyZjZvL3JY - RTk1RE9GRitTMFFoUUQwOWtiTWRwMjQKkoA2wiTAholKq7ngDE/OWZKHjFbDg7WZ - efax0e0/riC3EEyvR3kIfjCenc2GBvVoaMgzD3Dra9Gz+3JpM11/+w== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-23T09:05:51Z" - mac: ENC[AES256_GCM,data:yYBzhvg1g9GQk+Os6wkzNE3FyXIp7N2AnxuzPfexoA0aWXhYD2zQ7ylTiRGZLkbSODezXT0pD9sjYFN8yTXuY5HMIlCYSCPQGIUblZKRqB0EES3JyhQ4bULCMO7pXrsIuAICzoWM9vn7RQ9cVbL3N2rocYiSURhsGuMA47d3QFk=,iv:xS/am6/hLq2sQGB+vMzS6ZqmFr1ZOIDj1l6b56nVMhE=,tag:erNYX6U4/uSlSUBpN7kKiA==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.1 diff --git a/nixos/machines/kaalut/configuration.nix b/nixos/machines/kaalut/configuration.nix deleted file mode 100644 index 2134b42..0000000 --- a/nixos/machines/kaalut/configuration.nix +++ /dev/null @@ -1,90 +0,0 @@ -{config, ...}: { - imports = [ - ./hardware-configuration.nix - ../../modules/mail.nix - ../../roles - ../../roles/vm.nix - ../../modules/vmNetwork.nix - ]; - - # System configuration here - services.mathebau-mail = { - enable = true; - stalwartAdmin = config.sops.secrets.stalwartAdmin.path; - # see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH - stalwartAdminHash = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg"; - domains = [ - # lists.mathebau.de is forwarded to another VM and does not need to be listed here. - { - domain = "matheball.de"; - allowlistPass = config.sops.secrets."allowlistPass/matheball".path; - } - { - domain = "mathebau.de"; - allowlistPass = config.sops.secrets."allowlistPass/mathebau".path; - virt_aliases = config.sops.secrets."mathebau.aliases".path; - } - { - domain = "mathechor.de"; - allowlistPass = config.sops.secrets."allowlistPass/mathechor".path; - virt_aliases = config.sops.secrets."mathechor.aliases".path; - } - { - domain = "koma89.tu-darmstadt.de"; - allowlistPass = config.sops.secrets."allowlistPass/koma".path; - virt_aliases = config.sops.secrets."koma.aliases".path; - } - ]; - }; - - networking.hostName = "kaalut"; - vmNetwork.ipv4 = "192.168.0.17"; - system.stateVersion = "24.05"; - - sops.secrets = let - allowlistSops = { - sopsFile = ./allowlistPass.yaml; - owner = "stalwart-mail"; - group = "stalwart-mail"; - mode = "0400"; - }; - in { - # Password for the HRZ API that gets a list of mailaddresses that we serve - "allowlistPass/matheball" = allowlistSops; - "allowlistPass/mathebau" = allowlistSops; - "allowlistPass/mathechor" = allowlistSops; - "allowlistPass/koma" = allowlistSops; - # Virtual alias file - "mathebau.aliases" = { - sopsFile = ./mathebau.aliases.yaml; - owner = "stalwart-mail"; - group = "stalwart-mail"; - mode = "0440"; - }; - "mathechor.aliases" = { - sopsFile = ./mathechor.aliases.yaml; - owner = "stalwart-mail"; - group = "stalwart-mail"; - mode = "0440"; - }; - "koma.aliases" = { - sopsFile = ./koma.aliases.yaml; - owner = "stalwart-mail"; - group = "stalwart-mail"; - mode = "0440"; - }; - # password for https://stalw.art/docs/auth/authorization/administrator/#fallback-administrator encoded to be supplied in the basic auth header - stalwartAdmin = { - sopsFile = ./stalwartAdmin.yaml; - owner = "stalwart-mail"; - group = "stalwart-mail"; - mode = "0400"; - }; - backupKey = { - sopsFile = ./backupKey.yaml; - owner = "root"; - group = "root"; - mode = "0400"; - }; - }; -} diff --git a/nixos/machines/kaalut/hardware-configuration.nix b/nixos/machines/kaalut/hardware-configuration.nix deleted file mode 100644 index ce7112d..0000000 --- a/nixos/machines/kaalut/hardware-configuration.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ - lib, - pkgs, - ... -}: { - imports = []; - - fileSystems."/" = { - device = "root"; - fsType = "tmpfs"; - options = ["size=1G" "mode=755"]; - }; - fileSystems."/persist" = { - device = "/dev/disk/by-label/nixos"; - fsType = "btrfs"; - options = ["subvol=persist"]; - neededForBoot = true; - }; - fileSystems."/boot" = { - device = "/dev/disk/by-label/boot"; - fsType = "ext4"; - }; - fileSystems."/nix" = { - device = "/dev/disk/by-label/nixos"; - fsType = "btrfs"; - options = ["subvol=nix"]; - }; - - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; -} diff --git a/nixos/machines/kaalut/koma.aliases.yaml b/nixos/machines/kaalut/koma.aliases.yaml deleted file mode 100644 index 07329a4..0000000 --- a/nixos/machines/kaalut/koma.aliases.yaml +++ /dev/null @@ -1,48 +0,0 @@ -koma.aliases: ENC[AES256_GCM,data:8wzWdsJKBE4HdsBCVXrK460460aruzre8Eo/fXpTynxG4PpFK6TTSkRpD8JnkBuZO2+bB40bWe+vbT2tBXQxLvCiKR1QlwL3i1nJyIylMFYuRWn6yvxpW6wFF8Fqf9aw7FQ02NxG5ysdhUthgNkihF1B31uM9IpghQ==,iv:Cy6Axz1yFZbAn87HQTqg80yz8+PlVjrN5iGR1n5pQdU=,tag:gC2b8hg/hSNvPKaTehNH9Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBS283ZTdKVTVLaDRDV1N5 - SGhJQjJWdXJzc1l5OWtCWVdueTJMdjZpUjJzCmtUZFRYR0JXTW15Z0NyMktEbW5w - dkk1TjF0dVQ3MlFhNUFTbU0vMFdySWcKLS0tIDZPQmxSVGYzT2dDM244ek95dk9n - SnhtQWJic3B2YTM1ZlE3SHVRSjl1YVkKgUXW7JW3WSM5EusBoxQMsBRGwIqqi7Lo - DgWLq/P1rruuqRAS8hl4cht3jz6PlCJgVh2xpaM/kfkFS8ZuhVFw4g== - -----END AGE ENCRYPTED FILE----- - - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdmcyM3hSUFdlM25UUndu - RUhzdEhsakdEdytBUGRyRTFXRzdYK2RBR0dnCmJqOTlvYkZkeld3eDYvRmRmUU5u - aHArR0FkZWRtT0hoNTZpS1JmaTRHencKLS0tIGVVSWN0NWQyQWdrcXdQUnQxUjdu - MWFZWVQ3RmZZS3FnRkJPdDRrOTZrWG8KVgFqfeBLw5gTBKugfnC4a5OLwOhosSgy - 3hXbGMrJiBDwOS+70H3L+IwiNSoJ6mL+ufShCTq8wER2L9GTteI8gg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzamM5TDVQM0hnZklsbncx - SlBMM0NpcnBBai94czV5WE1Md21EeE1kVXpFClpDVTRqYm5rWFhjVjRPQm1IVWxW - WTNlZFo4Y3VVNjZhckZ0RFVlQlV0OEEKLS0tIGJOR3k0OUorYTNXL01KQWJBUzVD - V0xidWR0SnBDM01hRlkrTlY4eEIrc1EK1Hye/jrQebkEDQ8muJpgHqBLefjnEJPF - GxdANetJLuZeeiOUjaUcbP6tecqZpiWN8fFEXrjNL4vnrHvJ+bR1aA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqQURCeGJBYytCdlhrWjF5 - c1ZrbEFENDF5bTNMaE52SE5CS1dVdWJCNlFzClZtK1QxOWY0dEVRRWY4MEtlZ1N1 - eGlaYXVLMUJiUi9FckdNcllBRCt4cmMKLS0tIEZuOTZQTm9vWHQ4Y3Z6RVloT0VL - OW5ZQWIvU2x1OEN6OW84K0dqRmhGNUUKOA3ugnG/ZD7m1DKrFjpZ8opPnjPtLaQx - t8qgGuQIoX6KeUb+YybRAOAPPzl51/m9GSUB43Eanm/tVJpdaew7/g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-20T23:22:30Z" - mac: ENC[AES256_GCM,data:1Ts4BBsXZAfLyQiw0V0hipEClmCBI27IZe4p9cIKB7YpTxdHnoJs/k+Gb8QdEBiiud3quA7LwHeKCb0pMaCgC4/vyRYd8PuVH7fnP9ycVXGz71Kw3kt2qxq/M+lEco1V8he9fvRtipb+hWbpVi+9fGMrtX9d1yHK8xVauc9nYJw=,iv:/5UqWrCP9kJ4K47sZNneLLgJ/e8kio0cNvRO0rQFyDw=,tag:+tKB8o/h7lAcr3uEMLysNw==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.4 diff --git a/nixos/machines/kaalut/mathebau.aliases.yaml b/nixos/machines/kaalut/mathebau.aliases.yaml deleted file mode 100644 index f8fa3ed..0000000 --- a/nixos/machines/kaalut/mathebau.aliases.yaml +++ /dev/null @@ -1,48 +0,0 @@ -mathebau.aliases: ENC[AES256_GCM,data:4hqljO7S5F79g8BhL38VG5E2U8VKNANsj3dPAz335traGv2ZFSPUKreIi0x11e11E8sOf1aK3sLj0HnAcRzQrKhyf9b6XjM9Ks2T5NAYuXdpmcpYQyMC5HQ01eVwbKSAeMBtsqggEZOYIeQR5OGCoT3vZTDKH0TG4Y6KgrKsXluezYo9ZM2VuPd5B6STxb4thVEe9UVtGE4AV1W30QVkvx+Qr8C5MIvfgJlIDbscN8RbEsotAxixJu5nG5fDxSbz1hyII2IyMn903y57IqT88cQHDkH9ZKaFh0p5Ip52HfD8DxH1Xa1c609wdn15JAA+PIg/Wem5yLLv48kaIgZapf1FOEORHXBJy7aBfGN9YEudmUBS16HAsl+GmqQ5VExXRQbY1Pcxh6m0+jK5uQyJYReKuRL6x1B+bG5TgRXJkh8BjJ6Xz7ZNyuKX5yE2scgpwCzk8+RNhQwcjNf26UmQVyQuStbZh6KVkT+QodJy6V94b6ILc0cltfWvGIj6RwuZO1jNhIqnByrxIYhsrpDZC4aodDA9kzALUdQd3SwFDfeKps5YXy52I3fKaigNlq3l3QqM6he8BrN5ijeKwIpPswLJC+mgAYnQPK/wfXdiGwn0rferAaSBSGzoudP+XEtgyDKgxJ9JAd+C4Sbp4q7PyyKcX8MWAlIyTU5SvB9Yxgo4CEkGA1UNzw+sfTe1CdADdS8zO+0mUpF1bKbjGUZYxiJFzLyytFpFseFqq1Fpe7VHkRkq4s/dlVqOJ1Jh9YZJPBUEKFj32458q+WhIDOig/xQffh4e4ygVIzRKEaqfL3avk97rryXcLI+0k/eicgBK5SZHebxmYyRy4oMdUL8fFedbgOlvIqvUrUH1S1eEG1HuYUSpXUrC6Vs6jFtSSG260q+LcwxXpIaTxMunKy5vn5PRuqKRe5DFEj5YHb6HlWFvi4+7V+MmfK9cEyup5hNJhNLILIiSDx9SLwvKmhtre7FMImtrgOs3zj6P8GvpY0X0lzPuEh5XwsPK2bYAMFD2FWi12zwGGfwVyO0Phg3X3D9E7eeQUF+YuVONqaH78qM3EjXxxOKCuaaI8WDHI/SxqgT3xCE/Fc4d1+HqbDZ8N3yGGYYeJEcfV5tRaY41W+gJ7Lnn8+Pdpu/kEOWfk7pQmDezOerVFgDMP6g+vM3ppio2IhpSwd7oV2VBmMtHGUV3DHqUJTgNSs4OB2W3PEjR2EClTYt4Tipko+jhCXYjYdYVMjduGtRytSnzZILxR5RadIeA5lfV9I2K9Llk6cmtpnzC2pzSjtVMI5SWMG1G7eKM1ViUkZv5Wk2GJ+k0LHRhqjDgSCB3/V6IhCzWbA12YOGdAfaGLgTJg56pbKuAm5CHX9GTwLyvHLpTniUqICIM03Zf+66YFvIKPrCRoxumcotbBQw3Ck3MPFc9OYnM+4g3FMqitDn1tHhEFBcFIrfyNnEgIZ67FXELG2lMMq0pscPqaws4yP5JesVwR8a/ZIDlrjMeQKXNEGZaOMVLtp+Tm6Zl/rkFnR0LM6FYap1T4YzE5MqvvkhCeO/5grmKS+9Pfr8NHrBGZxQvQ7peO/01xoql9hFc3RwNqmCUdoEavx1o8AoXSGNJCj6F6brx8h3AU/v00iUDFlwmOzHrsLrZ1rjavcHFd2tuGTXUcRUBnnDQvFDnGB0MD/2OMitOwkTdzrRMjV0xsgSalLciwUC0PRIIXbMsuRcwX3e117APaVTvqwi7g9iEKlkoST5914QkAamVuBqk+wt7RDgEg7Oa6PbOBy/xQAgNyMb96isgTayjrtFfx5q7xgawlaeFDE5xVecKn6n0f1BRB+p2atLxfSlvexLsm815udA7Jbz9OXaXXaS2RV5IJbLKAqJ7hNq2xBApcGXjteY1GULLEPZ283RycFsxsunVzcnsHY+Wy099qK908yJvvjUPlrnJG57ZYQjZm3YL5oRXLhYCBU/FfOtBoROO7odxUAVY8wmXm5JJskM2N3ixJsoXKwzOJ5ADmeJUmIRTtycBzzheemN31wS7qXnk4Cbp7Zw18Zsticq/EUEXKp2/jeEGGTR6UGmUBwzvIUSa+yuZ9A9uClcqHYNtx2MZsIt18gPNhrLw9Nwxyc4CZSDJH9xCvwt0gfmcsyo61W7HoElZrj/9CbrNvujFO7JmHBk2oHRdGtrGOU8c76BXFgIAVIg/QPyIscV9rq4w8sE7TeLqHPa5k/rgTQWF4uI/jes+WDWNp/DlDA6sXe7ihS3sg74tjDSYENn/BzRlaecSY4LlTja3zkk6tMxWzAXws8OJLHpEIX+awzpQPJIF9tAC+U+Drr4aSR3XD3Ko7RyAEMZakXoK7tALGBg1kiEurGdIirhICCdnmNIcbk+WKCKM61gKhU8V8ahA5piaLcLWiADBe8Q5oQJ1S5lQwvIWyD9m6lgfC57jABXIZqT74It76Ie7sXiByP8gEaxEX7K6ZbhDz9/QGy7MIKaHqTphwjR258L6bTwzGSk+uUep7waXpRyEMN2C0Eat7rxVLFwG5OYxvyiNtLWHqjjOFfNEqUBMbBroTOSGnPdCcxoBoWSZO4gSQvw2TODH/yemntvxU473C1veT9dIUwVYjEsuG/lAyM0WoZpYDYUKRnzlS8n4v2x6XDBDxf7bBQyC5fCcU60L6YUFzjiSBsck1uJpWyQJAwsN9Evw8znFIdLBKzCO96tKjMsbdjfj4bhNBEAR5utp1IgIQRV0ju0vBbuw/A313tNxY/qlHv66DQUCAGyWRnxjxS88DOr4kLKk0GhhenZ3J1GzXmJYJdXN30HRCgBEKLokfmHIBnl6E5tAtb0ERukeqh+Fk95xmC1J2RLJzGN/7OSZtQA3DKbPCpEdWJ5pHIhEp3F9SCWMj0SqwACdyX75tXP3FRasx1q+5rFmEQ9HmBGwEvbsrqhvCO2NMJF5l2U9Wrk2CxxiTklSrurOU6VvGMwWdqo9ct77fKVHfKDEPwgPj9BcL5x70jsR8bpg9CdWqvOfgfbLYzKleVWv8OYC5i6NoXX3LZu7i8F9jYOWfx3T9HvHCALXhsm00sVJ8A0BEAn7TboAvDv39kywdB5J/22otfCjAeZQrgpsg0OHSlIanhJUi6SVuH/8XQ+nG8WEkRWbbtwVhDAqwbuw+2RB9eUqVur8H5x58t8uiaUi6oqK4Od514xMG1c6wKJxobrNKBNdLL/5EzGqmw9suvf+ewibCsoylTMVMiIUBHFb0KX9MkuLeXWCfGTu3VIRCYIf+aI85UNV9/4jk8rpPw02sQiunEhiHFXuEaPK7GnMOMpaqdD9+2dVSqB+oaMdkX7uL6jnXPY05WQpGUxK6ZZrOvwXNLK82jVhxqnTSIqswYkrq2OYoQNlT4kt0IwYzXlrd7/z8un+pPHNko5efOhOSup8btJTeuJo5RnDfO4XjkTUFgJ9oCu/J2yS+Fc8GXeFTsqb8f5DRjIfmKACXGPyEmrQKsqy4xjSOUwXE4mKTuUiPf9TSK9pe4535lFTKXpEAFIhge4SyTgWhvAJYFb7BBbCe10Y+1wRFHFpDLjELba+UPeqsg2xmVdktOD1OQRotAZKuUJ1hf4g/6zo6M0ndziUyNKkfSCbgE8nIOTPHqY7Sj0Tn2icoof4w7YaSC15qWJPPkZsdU4nXGPjikVhszFlR/x+a46Pj1yNMJ00t10TM70rGHj/qKCta2DFFnsqYhy+Pr+zJ0Wwh6r/87htq85roHi75+pjhiBqfqrXvlnVpeq5S5RndVRbzsEXoKPq0wb5FWQMKTY+JW5/ezosWBADtSuleQIsSoTQSALNlH16RkdOcz8d+s8Ewru9O4ISF521ENKkPv9CEqBHfpvv1eH3InxHvPbeGCFHmRyDW8lLqrBiLIh+YqraCHbHvyzjnN6kku5wOORyPRM/liy43lmDQgIGNIW7BHWhPFwEtQ0nPP68oPioMI8oqx8Rh6HM7KoIZdpwsnLXNLPS/ag7u9Om4ia2cu/KonTTjvRxYW3Gn5HXKD3rO043vjJOixX5Ez8oxMWIK748xRcLdkSoqA0uDcVxiMdR6IqrXmcXW51TSplSNNCOd6tQDOn8t9DEOBVk2477fE3Yo3knC5RwCASoa+15QFMUmuAo0VRCHiT4Skjm1+om2G+wve6VnJdEBKvL4Q12R4IQcuNzC/rOKPD35BaShVDv1Q76qlWvMFs9vX091UimSn8hkExd3J5oxWopYGuz3cCLsepGY7Geqbc/60ijLp6LpACNye1Q1YAmX0C3bhJeAdBVmnsXEyu2n5Y5j/BLLQ3XCt398D4EPv8/2IQi5eiKiJ4TA1aUlAqgXc1PE7cd4ntBEV93Hi2m8do7f5QukkWOB7DhshrkYw3IGDEAK5OHPVcflpODv/NZsKveMu0MkkX11pkeMZdcW18iumUc/+Z7VqE9YQ9Jeqw+mYApzIy2j7oWBEXvXUROoXgfI0/QORem5HC9eBfELazar6jUlyuEtzpMibwHWevO5TIMvSjp9VitUhIIHhxiL1FJs2UcphQY5HC1UbvqdKdKYOtSQR4GXPQi3/cE0Fgi8KtKA40Wvztu1eLfQR/6pQxakHxCQGZvBVqF1YFTw7cIJ8JTm9F/nIgKmB7XkSdFRwBX0pT97xumX3JTfGjn8bwoJyYfjHX8hi0q2s5dGbIk+jLbjDNwFQNk+yqOCgcJxUTf37GM3+ScYBH8acLrKTkiDbt1IMIlef9oV1AkLEQa7QH22LNewaKAdCjlfCZADC4gBOXUxJGcCKVqlqQzHcgJYmpJqyCT6fCINGHDcesVtKcFPsI27R4+S7lnaEfzeMutLPudmyJg6dSKmzUX1f8W8rVB/bbB2EaW2j0BpteOfHSPBkjtQQ5yNE9ekfb4nU7O1PVGD+TO3IyPbppLWXRQAbtByAXaUWlhHOpoMLujQB7PIs15i2tITUzPOh7Npq5KcT7VYSwDPOSOdMoItRR1G3Jq4zklRhYXJsBCWj8w+9VAZhQhfMgz4ufL/oVn0k5x74JCdT65F4WXnz0fBXqrf1HYSDAmhC61u6aVXkAwI5m9Ba8l+fYaFjGAH+9R1mrF5gBsnPSiconD+fahryqb+5+K48ELJzSPV6awZIq2MHf43+ll72j2nrffbQYJzxtAlVGbPa4WCCJ5HfqBn7orCmu7bftSI9+zxI4J3mndefNvjUFuivDyUZgs3ie6puPnNLk+KLfcJaqIxF6hEjLH+uBwe8yESNAlANxNgDRYkBbPfzQo7qF6y3G2nx0fnPbLTNDIjSqwar7zZjIFdgJioRPD6VnV5iVJxcRhR3eTsIZQzzM95DbdHPUTp4+fjuBNcfesMF0sS8iG+PwEZ+A2HVNJy1NAzkDQHiC3Trj+HbRi16xHYKFWkRYUud+I3BygFxHYP3P+KOHAUTAoVFSMT0bOsqE0fX7RQVxGmS1dCKajPDxe18o3Ag1kDrydLDAzJ7/DxWU3c9HfeNVj2lc/WLT/jDKWKR1bZcFWtDvlk3sZrxpmNCVr9I4BAgpFFlYfyMaYZ4ZfCynOQdv4NI1Jb3I4EQP+fykT8hXyum+bI8L3MG3KCIFE5XDXkBASOnQe/6fqfEbE+JU1Sxx9w86YOOJZbGE3jf/RiiNId9I+N+eRbjJMKhcdpzrmUATbCtxpN5/atRvHUrVJmcIYJwpyredxIBfc45xXEZTbZn9oYFjm+OzsQxWjo1orj+C2ywseSIyxeMswOk6OsxgeXEDhygbGhNLa7f9vJ27k8q2fGtyAAlTINnk6PPwC1lgRkTuh/tBGut24DkN6tTSRUZS7XY1MfA2GgT5BRj8pbRmb1v4v6lnmZzMpo+jqfRwm28TB683PEa21ZIg3AoNFtj7sL+DgOV+3YtoYE5H8TZyhRRAZmJuT7dzQjvVwT5BY/JAGsdq9ojtfsQv+ZYaG8aiPbNfCieHX3guEODr6BulGZmo6z3mC2Wa+gidCKHaAniu/ioWUpSPu0WG15GrxahbFLXyX9bwjAJcQn45Vodt2CCV2U4y9u1mm/sGEYe01hWwsCfSfekk/OqWRJXE4rSGrs4qxDXe5Oh+GGkMTvLfPYk8ZeiSrUjG7+3mjmwtJDw2tYetJH5BaNx1zfHMTZR4uybzTtPMIvvDN6xalAgoe8T83b5oU+nm3AoX09S8y2DADD/VhBijPMWufzumrKnFufzAymB2+jms+T3qjNypSCHR4xuQzFm6t0wq+1/Zpx9CUIUk65Fdj9mH4ZlBMceMQ5xEASb8zYqJSkA+a21utKb30+HfwUvGtkk4T/BhE7iUA2Eg4a163WXpci6rzy+evlrKFyPX0VfF3Id4QHiDlmsAb/5vHxjXMu/dGVRfOMd1qFtMU6/1DYR9c43J992RqYU9mWM2Fq6J+rYYm9h/iV7ehzIC8FibwR/OdehIUVvX6wg/RRkUjJuwddcQYXNEpgZLF8gVwBiZiro9r+cLBw19iXiMkWMXzhTDjVVCno/1jb01teN1s5uWmAo+MAv5seVm5Mn19YzAdv0p/uWnvB/Q4Y5NPnAHuxSPzNcVCdQR7n/TXQYPyuR+02L6cCb/vVEmrJU4G9GsCBUmEL9T5/hG3YbfXEfiZyMZloE2+1hp+SrcIMS2lC2ODruMjMtf1djM+lntYpMkH3mgrcllDSuRCGdne42nK1OItK1Q4gHRY+knbZ8uHuSFMTfaQQIbhUK2NCp3pHkht1Y4CSIMRPUxEA44HfIo5GXpAVJ0DB+NyZu0XZU5C0jpQob7Zbykqov3a2HHdbzfQYCPJIED0ZKRz2M/eYpL4SJXkng98VHP9P6fNW2NOL+GCLj8KR4Z7dMiCNhtYkPAYdPDSCCptaP/cWVTPALl4RHoWwXSg5fJLX9FcKSKroe3V4TU166Go2AxLJtdHlNuI1SpU715OPyI4XIaD/le0NkusvVWjZClEUvHkvjU51tIRCJsDdtAp7qUDupBY0uzYfPwMyKUeJRpviuZop15hoFinHNhAvsCM/qUk7Qrde6r6wLSqCPk6ICbn6cXk+iv3KX6DwmE1t5LIZZYUY5bFAkXVpkJmcEwBdHjGlSDphH/Y1Hg1eNWnYcO5aXS7kjTCjBa6w0sjGZGGrQON4EmxbtPGqRQUvhvNEE7aj1PgOc2LnjN503s2CBsxSvbFBlMyWVdr2b/6L7dtCwTijF3fyaVaQm1hitiQqmW5jsilOvJgSKmD+a8TXmL23Vi4kqdVh4K/J31mU3YYeh2ekJ4Sn25pib8yiGnW/1ESOPUMu+92ztBqsbR9xKpbr0CJEyfUDsY4Ra5vpELX4TPVQwzcAn4EcEDBjHh3OvFz08zsbAvWwmZ9ZLn7pJH9rDGsLbqV2Y/9EUg3d3KL2r4KcL7ZBf7nikebFWnmG7o0FneD1g43FUVo6p5mS2hrANmzIoFlyBlNlAlD3Y6UesiiQZtGGBPQOFYDXZF0vLi0oEIu2bxKJS3+Ymo3+W7I3P3AmGCQmRKEo4mXEX/hO3FEHugoGhXblfAQQg0m2MxGvZOG++K2b7xUV6tls1XBHer80MX8X7DZ+qBOqo0t4M4AIJZwmuH3RQXXYspNoEi5y9oTg1SMTzBELYmvMcHOgqL+uh+cm2ETUFXEvois49ATFwUYLKjH5OatPQInakUGeo/VDDpNRcCHbEO+cnQtykYwdyrInGbh074DRBsF3rx7ZMxY6cea7RMeAU6LfX0veGgx8nI/WljJ8fr5GwpjBNE+volBcC20ZmdwO/Bqy6JTSHd9U5qIR8oWiFLDuiBi3qm1vM4KOhlrYzJzHYTV4QaMUIUAOl5gd6UIOwYCuOayN2gsxAedTIlSj4WeGsQScK2r6wLlz6/4FcL54HZKjOvygHkUeHxDFMe/LMscxSGzjRCwPYkMfLOPEQ3cD4rQDDmvUooO68zBEwiC/h0VcL1gpb1S36zlt6hj/IVVV8n6yWcdXdZUON5JJesI4e1rSYr3ktuRVtf+bgU68zaEbQXQdXH3IwyA24V3ddmyWaMdvdY/FHAOcKwzwzXQ66rGDSB2YGZZ21+InlmWOJ71ySScq5ri+Y7MXSfmCNjN8uInvDZDWoTGsXkTA/FmMbcKxb4UjOar6y4fi6ZiMk+JeeKjEC2TKXtivZYGPebokU9otR9pX/6K/hn/MS00+S1w4GRh+7xle4eGiEzaiWqY/IsK/66npuDvhWBosm1fiasO/wEDzrDq8xvkyHwnSn9CJConCO7TW+Gru3Qa3qPW5C9llfhdHiKL/wc2fk4nNLvsV278778y1co3bG1PgAoIvM6oaJZwGC5K+IT3nH74aBSR8So7qqXuBoiy+frUBsg63C+e47TlmNb2k9xElnmsuZzSf/Gotbrb9CE6NLdvuf3zvxCqrJqVKb7jpZ8OJG9ja0BNemLEC4w87DHWD1LuiLbPCNulXlM4t4ybQksPrGvGkJy/uERyht8VTC/tAnf3VVVN1dnvi2Le8L3tGveJHEpQnxO0CpNh7/MZxLfp97ANJD3aFjFlPeR5FX2OylDY1XkBnUnDVM3PPb8JW91BGiKOllUE3soezSAtQF7dXG/TLebmJFtQkvCAQxSQAr3pV8B5itQiwK/sUbpOLjHKu3oV0m/H+VGFps23FPuARCCXQ2by7hT4bLhDA5HxU/PGLyu5TwkA6/UiMeQ0sh4ELGZWFuSUVKH1rDNIp3bXTndiIeguE/iQpyyNfUpdX83ixqkDWJU/mh/psuMBB+8NsqKe0nkC+xxZ2HzYOnHrFOeJ/YHECeRiHofKXZRKRfzMNYVIpMvENT1feuhyujCn+eMgqKQEbFuGM3RzZ3GbdUvtHPWRKH3KpbsF/SLqJGGq9kjMXRMBuprnAaz3vdQyzA34GyOoNsj0szGV3wi7xqdyuBKDqL/bnln5z/7QhUG4aFrFc2PiLtibDOJWrEjNfVld6sx6b9qZ2m6PNf0+rP2QCznn0SJ8rNeugGvL91HRBNsAHiNd+VyH13ZWPbEXTp8AC9/5Hg+WOsRJf7soOnEImrqGzbL52xpWwYBYTvop7j6eccweMtHd7XqV7OBjoP0z0xxYWGu48HlIGXrKRHDvvHNb2PXQQXNmcZ05Txm2hqrIZ5zLCHE2hiugW7hiWq/LCG0rqgecyDbO6KSSZGs/H4K5zklZajOdLTshw8WSnK/CHRYolD7V4u1R3ZmfZe2PNg/HnOWfTQORIMDvg6HESWBtc2Y1gmGb5hzJ8/qLqMgjVE80bnn9X+oYzM0hRXIOZrUoozuRYihrFTqR6Mx1R7lUFzpXSGidj2L9ngaedTcSkFbxprLN/+dDbmOd5Yaj8fbhMtR+R1eLn6IO2hKBINW5up0GMFlSKpHm3OTBRjjxV0uVLlmKK1WENm+sVhsmzA6J2p8Pfx1A4YTVRSyVknFoaZ+dOELaerhouKBjfbhj5izvj8K2ETcl6wjgN19D/OSdHpp4FtLKrr46FG1Z8ng4qrt4HW8h+uNj32SO/Io6h5nt7RLV2B2SKH/mjd7OCyZyUaV5ujFWtdoMJ35nnySFD0kN9xLL1wjULvv5p9yAlkUGKhWimn3P8qhRwLkDaHhbk/1rgG9fe6BN0G4SnvPQeYkI4ngKGvoKCzkbjuh+7l9lusAYfkevTcM001H2a4UN0goLEdO8dNGJdSppK+fECr57li5pfRbvW1BzizIzSRJVDYq4kP8plWS4W13no6da46zQ1TXIL1M+smMZ2Pu1BFKiU2qs2iOOBKFrV5baZUqGyVXrcee2R+jqLTO3cd8+SZ3fYj3pHTDMMJn0AjJLkN+D2qmxod/49pCCAyVJnaRLBf284VaEN9+3yG534Jft1/tu+7vukOKa7L784r/dxTktg7obnfY1R2t5aG0NBjcmiunGrqqdCsex3z5rner/0BrM4ybgwr0lINxVkoq72ifq+qKSY+lb7gefkTOJPjptuS0Pvo+VhwY8Rjs2CcNfV5hQ8O4yoclFbRz5J+3G7o+We+fGOYd8bS+uzoeWFhdd+x23LTm4Mj/n+w5m5+vh9xW5yajKekquCWQ27Uf3APcLgTLFW/PzcPvB2oLN2O+L2PTjQR5KPieDMVfYL6or6/cxvmxFl0Rc8iFAno4gnK/24BgkW9t0d1IRcVUxwrMGZxrAt9ormJ2qtHdgHiXemEcUduIYw/GlfQ45ByNMahudl9pLIV+xPncMzRtRAYQ7S1IsQbwx5Ccd98x79uz12Wd5I07gsEeihabHx1xPcjo8mhR5m6q5buQuwPNgT76a2Skf7LQ7B5rcUYoWqnICjHVcjNzAjfjPrBYYd0bVf9kM8Q5I6rNk96zNCbWxc2tsgwDENZZSNXnV5b74c0CzlvH/h2QnSZIedzgRxCYI4qeBlD6PmSwnUAvIa1B7CAts3/KgT+oet8eIYtY3Xtg/+vRHVXRXKpsTNtSAjgIwzXIJjCBjtGrEmhGoO2WiaoxNd3ue0x5ntA7sNcBUkWuNXUQNAZrzjPUQE0+2XN7ZG62ZrV9NeiWsLDoovd9x8g/MT06lXLRqca70luuwCRZvbQIdWgNhg/6rtoRhCyMXaSwWmD5HYvK2fg+zWDamGCAcI6HNU2JLVjbj/bOzifZ7qvd6O6ugNumKr7zTxWjobk0l7Jnecuo2391K2qM4ED7XwtEqtEyrUB0ipzMDlxz1X3kaoTFUnUbVjFEBUMD9g7EKe9NfeG9xWgzdHeYGLU+qvvC8dQE6eAOF5L1yDCmqCO1cabRUgW1FEdzQh8sPCed68/AEZRrx62m8yiEdh1EM+m925Q9a9jKdGFxD3lwTqn6pMpvRCJRtXhwXh/JFMyK8wFzVxK4gvDAn+nPjhC2awgI6aS5EukGm6q5/+p93xa8xU+s3nxzAht34vymQLUJD5wQOr2Mv9VGyZYeYGntAvpRA2U1UPA6JDkBh8iK9kY01UUgk7efqnDOwpKqTH6By/JmCcNohOnKYoGl/k4Q/eos3SGoUmdyz52E9fb1mdpvWpxygSF1atizFthR1nU4tvbLMO2goBsI9r15tyacFjJtCXyb3WrbmOVG7ZCcgonrv363ShJ+h6Nch8kGdQlkQn5StsbBp3ixrlTBMhs3YwdIAWFob2WjWMeEksDZEq3RxeDV642XvpZ7ei5ZzMc8tS1D2lFJh3zrDzzVUQyV1vM+3D2fgGpnZr/9QyK4cwKlLYa7s0dQLyAWVkkgeu3BKzyxKDn3wxNx04RnNW74zCvzDYNx1kwYfQ89Vt5SKbgYyl9duDdDm2l1O+kbu7Mjuap8rJxuvoF6v5ohsVw+fKE1iZ+iW3i9CyXcKxunHSM+NM5uJI8560166ghDfN1rRNa4EGaHiLqbKOPaPS3G5CYIQECb9DGLuAexBvne9x1yJ5Y7H75//lycp92oHC5aGLmN+6+zo7iDZ8cUYFE72eh1pxEjbyWZdB/VfEoU21bkABYtO875vyq/A2ezyv5zMfFIMX7Dsi5AUjB0ohokfHoHQBRe+ulgWwugiGSFaoKcC9h/WPk6nUb7a0wJg6RiXb4BLWLgkxtW0gDo93j7rzXBvganqiH6tT8t6w/qd/kTb4jh51owneG6U2/SMp6VXo8Yil+Ks+K2swgfD/o2oG4aFKe0arnBLxrWFUqus2OA+T42jlcXvm7YB2519EG1OnDZus72ZzfB0J8jsv5IPgWpYn9MtuAvmJfQMw+MR1uSK0azZOERLrZpiul+iPLIt2YChbSS6iys+g1v4rzbG+JHGQRNJr8yTqy9W0wpEbGQUebJsIb7FoWqIrNaWgO/kmYfebG2CeW6tjxX/zYr4I8Dve7cv/b0V7KM4a0mSz7a9QOTVmQz1uWkjEiON+ckXoaQfMBb9YpG8KRGywZYzta6xFCpjko/NpjjMn0tgTnlkYFPcjBgoJETg/eJSCSTetHiLO1fLo9KWWas68FXKYo2HePSeJGiSjT9O+jwd4mLkoD61o3FiJ4JqfJ7iRFdX//M5HcbeCn9n6haLnPolpPHpD3CRxKy1nXDYcpcLSsP2b/r98p3KaNpG/i/eA2SyaYMHbpu9HAXzxAGqpllAtpsCMBPPnCTcTPchmo9WHUd7OHb1xbgmy+9qhzKQGkEiHEPkKKkUnP8dPkKpmX1rrnh7SFxh42A7E0c+6ZkEY1q2tV08jc6kwRADc5U3q7xZ4u+S40Nlq8UxHs3qEm4a/1EMY+I0zGpCKK2Ync1Cr+rn4I1q4V/IY+jKk+yFqfVE+ygOA2eDklXBrzWVQOuAWNvMQSZEubwnHrTlJ+nFEKXVZUUZGUqO7/8eLHdXPh+d/l6u0q3WR2MqyHtPZK3bObgRF3cbteyOGzymktluCvSakpw2vWyTqQTP8YNpH7fXrZ4K3tnexpfONvTlBvwWwZiIZKyH5hyOYMaERKUhKh32Aer1j/rcXmq0u0eAHPmyt0Bj3fKLH3iDYaWENR5VRNauE0Cm+dIP97KZXnPSwo0vXpyeDv1nFUmrkzVh9acS4oyhBCuSJjeLM96mUUEjzHqopCk6V0q3d+7pFwTvQ0LLuBxoDWfh6WP8sHjIZezJWahvzlTvVG2zEpIb1QBFoY4BAWJ37owPyZxHftey6XYbiILZRo5f14YbEGvDER+3J5p+4Z4n2SVXAS68q5OXyZ1gZtseQav9/jsvlvbuH71dx60zOAg4orWDgSkAV3+EnGScue80ITssl9POXW+Rr2OM0xYMmIIkgfU5jJlLMMDpv0I89FnEOp+RAwBJxzPa8qdOr3mZ1RZ2uNcylggn1kThkv4SsCw+SpvYTAdyx8TB8/H01imShkOyB5W7RneC2dQeIiY16lQJRfpkXIV42nCtaCdnLKnwg8tZy7ySwFLW3mst8mxaHjl1BFhriyIvyF76vEcLyYRX9gNzFR7CKai4XwqCMj+f/x6TrcT9s0LEW7RsNIUD5FINXpoTlH/GqSci3HLM2jeSwKnCMSz/2xO1Y0D5e4VtDioCux1CWZSAEXcgZCJXSI8pXr7kevGtj9gx1sVXbMK9XSxOPYinP+pOb1TeXRP7aJg1TrrkeTxlXNznmRv5fUJLF30F+n+Dv1pOWgKbz9UoYVFfLCNGDZhdshK7vAW1ieWXecxoQp/rSzHkx07S+xSQ+lKVrLwoxiihH7PKTTC512Fpsl42SO1Ai5hnjxPZYJQQrOg7WgJvCkr0Z1jY/LHJAlJGbUJY6J5WzhpsRGuWCjcwJ2u7eDylE33/aoD8NAa2unSIhOkFcR24oqoYjgdlDj/SKgdku3bpUceMaKiucPVgC0sGGTdwAYKko0WrjSI6YjcB2Zitv5J+sJGDxZin5dOJRvVhgM+sjNNUvTaeR9WIRwtSe1JKgGetZQfX5cKbfHnA+er9yiHu40Ey+HuVtpAu7etX+qcHllldeorX43QcGmlFeXWRQsxZXJffu7WdVNZtE/B9do2/EmstSiBORPmWo8P0nQptZmg7F11Y8vdPMOznzDrNRDXEfF4NI+rMmNBtJCguiH+ALpv5Ek4zZXCGVaDBblvsuJZdhHDMHXsXRf8PfferA1A3hbrv3PXY/kRdyTPTyL1qPk/PYI4FPplLDpuI8UMls+Alj6Y1/qYdr0fDc+3pM4C2PAncr89LyGijDuOliTZD5yJwN/qIyWQkx76LUi1V59yMcgGjlk81rUCKM3vtVd8WJ6HxQ6kshgrSugm6bWE6LxEOa/Jl+W7Od2PcyQx0kWt9f5s0qSWyKA7GO3yyXpPit2ANc8JAMtglBhoxhdN+UueVogwj7Pb0PAI3TEnwvwpe1vxHfwKRzSMdK1Gc9jTtm3QyxuMapLDj1k22R7WikLN6+u9NjiWwZGiv0Yux1EHVHe1fCVX7237JtiuBzKwbY2yqGrrKWIsMwD6KlB9FXweYh4V4F+Hzc4JJ3CjVbagXRG4s1NVCPRcGJcJYJtRFvVfI6l0ffST5azAKxIH8LR7M9hWMjrWXMknP1j/e+j6sGF/Pj87rNZ/zqh+mYOPU6Fu+8m7yowM74sVH5Z84ED9CuyucnblIsBtV36Y92HkJRnmNbeh3F25aaN6SK0JxD70uIssM1u32qwM2I921ijZLf3WfKuE37HSGi5AFPiWYAmklB0I/EKeF6qW++OsEEvXHkisjaQsEXf1NHc4f5hsauS/qXbxbFV2+yoRgr9LQqxoKD/yjbnnOtB1rjfks0p9MXFik9DDY0S99XTUarQp5qqsGYurp0FVktHzkziq5/68Jyw5TE4WGqEAVdI/NcW910CYLtSoO966YSApq2VKKXEcr0HN72S+otXjpmSRQKorDzjKsjde9rb84Tb6FoaPifWFOUD8vjgWTjWlXGT1U98xFPNLBXba86LhdnjwSmY87Cz8VI5MEx8Kd5PKmM1UBKMhS+2MC4zkUCYVjNzgGRfHJYaSLgbSPGnO40TekL/abmSRUlbdOkuLPSSlo2TiFNQEmIlpToPI79656oqifMIVqHC1h0ZX9BbgTaYSNQTLc/g7UC7kibMI240QYvGXIZI+pVL07ueGXxv97TOIE2epxWWjMeyPil2u9t8jHogrF1xu8nJzJHgFHvFteQlAl77+Ue27shJ/OWG81DONefR2mG8dCT3HMAA8QmKElEpLhw9mIqUy9gHH+7eWMU9z5lTcGQNEkCBIIsPU89+A4RSObvCGsaPpq6CoMfhwdQGRwTHu2/+mFAUqCgfSJOYO332vVJk/W5y7881U2M0AHctVOZoy18QN5r830P2NvbP4uvJqJVXg6nhiJhos2m1uTSZbj2JMWcoTisPVoZfJ8KOuaNCYct/GOQrTpuXDYDwbog8SC80VQf20wgIljTielk55gg7vztJr3nRQvFnWTFNKgyg+W2eg3VbwBo7K0oQWYMu1uKXsnNiCqo9j8EULZVK+ByEFiPar5V/WV6vu0v+cmhA3aRTtlQkUS1jCORaykcvidK4l1r/Efy4PTTw2vs+sLlAJOxdVoxkYiceze/8hucKUh2bgU1UDr/3Jbsbe/wLXodE3QeTZFtclLF7FhOyLeXQlsneRm4N0oS3Zv1874Imqu5LI8tlQgC3w8lxlfpggQrwBsYtzE2kdWohZORpOTXaUvUCzMnZZJ1W5+sr49QvF5GjJ86J/HGxbiQIvniFRkgHtyiacVAqQna2niD8MQh3J91P4IV/qyNJ1uTvcGLZpAS6JvLlyXwvAjaGVnOv7HJxhpD07VKG0imkM5msu5lKjXD6sH+oYriugxVs2FT/+HXaHipHdVgPGnbJjVePfJ4QpwWvU5xVwCsh8fCybXD/4MQUd0DsC3F1yIwyZ3HNQ9FrCnxBxfq8tIYcdgrL5kBUQbT/VvrpEsHH9H/07JSGCZEUX9CQVRId0xLh0yUzeRBw79gNSmzxYxTZTwHT5RU3oPjpJ2uIkR584IkxzpLZlwNb6mxIEunBBRKUPTLNgQgsaPpVcXPyD/BZvwLUbCTJ9ZG/KvOxagdbL1+XcoguCVRtjtwjP4MVCWPJqt+x/YxJI8NVxn75gK0F8LyEooJOX+0FQGHVn23SyPUcBudkZkRHf3jJjs0zu6kC4VeMXcK9wYtVJeBRVSznGfA9507aGK8bZk1exMAcDkeHBWJB9b2v4SMoDFuTx2bDFW0WRC8BpiuG8boVEZAuhaiRtjWjmPM3Sbw7/p+HUVONhFf5H/3ZKu9xhHwvUPVqSBzUVocyAZPgcJdSkQrykHKBdNoTmzZAbqobelLS0gEOWzx36WqCClUIvNTrMbZYxrvKWvv6sYD/4mcNHl7JI7Ob+iFQP7UD7JunEr/JLybCE0QwpROdjSLPiuVx001pA5JcfL2vW041FtjJcj4iQXJB04PAqg1bvbI8NMbn2H29JlybgUxYFGIT8rd71I3szfOcn7frNtPypjHWoLL2Ns/Zq40CdGZINmcMMZXPbwT8qhN/efBGZEUtUIR5vnjodKF+sW5EUj5T1HlXnN3zH8UCWdceKbMMRlnibyKXYwmJ+JjGn+4pWsPLuBCws06d9AlNhJEVsUMbPmLt5w1no6pzKVo0aJnHJ+F6RRtb3fs0TmFXS0FmVGdFFswvYhdsCyyY5g5OxhaVTB/WB5dYmi+bknJjh/iK8L1gSISCVxXWC1F/wLttR1FLFNRsFEM5YuVjMjEWbto/Kt4i0Mwj2byyJZJ19W2HkodDDErqQWQTkggTlAaceXFE0EHN5UnSwuviG+7y0XlpO5JslfDCk+pxMb9M1Mq+9c1HSO4shbUZx6staVdUB9pLHBc18iCu+e7om71oJORgqrQFASM7ZJzd6UTkx/MAZdeO6r91r3Jlxay5Re7X+neUBlKtaB+2+OUwNIDFJVxvEiS151B68dIBl3rpJxd7+ao6zG38pnCTM2UxOmUaLYXyLetVi+yT5uxxJDV3v2u4A0n1B2eeSYfjs4lh1upMi8i00mX+tIfpV3l4nCJAS+lFhXJUu7eyFzRjRljf59P3CWaOSoGkKgcf1p3U4QK3mJi4USBlymfBDf3RkXUdhbKZkWpk8Pa53FVT2yzSOg9xIT/XPi6mAkflhkAcgA+o5GOJByUQH6Un9ha5dj0hTj+eCsA3vhs/wh75BA5Ftqx+jth7bFSf6nrEXaZRdBZXOH8V5xiyuw7Qs1Z6Tk5dv9MsGbD83rKc+j7QTvdIo/OOnvn4TnzsGNu1EHaAvduczlzCiokBjnYxuBLC5e5yc02eV480KZwJhUasVX3l04Y1LzAaMT8TneAa3j8RqC9CesTM59WoE7V+PRDDp2nzUMGnhomP+uD3McxuF8o0sRfztPXp5Txl9KXTKwA/zd9Q4WhLhmpPjiMUETZbV8+yr+EfJRhqmDm8mXEgGIZ96+xaSJYRLKybS5JkFW6fpLY7//p/V0rYcWLJeL7/Jq4oahjb2aZkQ2FSBWr+iw4JZ3/AOgxvRdKhMri2Nm9khxADmbjx14np5FnnfbEoNZ45xVfZPVuMHYfTEpNoENOu/gOrYN6i+p0/fV0yipZIm6U4oNwTf1EMSVO18jt20pDuH/0VwqwVDLQ0cgCqeuGp+z4E5SOPFjQkVs6conZfDxXdl7C9UCa5SueQbCp/p+lHMxiz4l2rRkD+ndmSATUA9Twc3PGmzOLEY5xiDGEMFOfoVGdi/hX6i2DqDxLiF23o6vUzGCs2fzgWcmx6gmRh7za3PnFAsBQ3dCB1j5xvncrKQZdET0FgyYNSdlNuaQdVU0HRDm+i+0mHyaplDM4DBLdJAWAoTKaRMvddoECtl5aehlyWPYn19aKKH6Rv4Il4YsRWR0ThfHVnT9+QfZxBVeHE620Orf9RC8CCA7RqSarrJWLf+vEilPKjNrfr3c2HkVDF9j4MvCxz1d3wULOFAaKsvJTAe8dovdsYSYEY4KvLEr2D5LitxovFH1NvrRr2ddfMopetIgo51iyrrXSJZU6Xytk/Yjuu4JcHWZyx+EhmI6iu85iA0s55W7mw+5aSSBx03FAioR/8lV7i+2qHTODSZALlU+IeBPe1wa0T1kO4s6xjgC6BfocjPauOqaCHUxrVPTKWsYpRK/Plymo4GeE157SWAAdn/zup90Rx2BOYyPaiZHrdiBMDJs36tn1Vy8X8ZWNrA4hy+4p5zEEd01ps56GjQ/KJDiijwd1z2T4ANy4dvxNaO075MekOeg1k3B72491qkSU7mp13elAimqCD6hzFrhHfxRD7JBkdNGZD3cryVFyA2RkozdpTBkTj+fZn31quhk5uVqzORF4X8LV2Ew96IsMNEO03bNDx4JY4AXlzugIVIfmmysJoagX/VC3Z84bTk3zmfzgfylLh9EgS3GI03R9iRM63QV2l+C7rYVW8cRKx65XXX+/vYHJpq2miyyruwYSLJaQT4U8cIKnnfb89HcymQgNTuYW0fKpNhsm72Js8V9l9CY9LXazFCiRgUooOArhKhAwaBJgXtmhkIcjoM6qNwKAVK5EzWC/aIsAYO67+kXfek0QTcCqvGP+AakQOnLcH2Nv6D23frgViUmg1oar90tyqFuny04oTwF9hmLwP+kU4FqrVv8wNkYGXFBONik8+eGTJ6jukpLLeRoKMoQUX8JCD2GHnBOMFOlg202s59S2EOYTxPyG6WOuKrDYOwz5p7Xje0ZWzDfdXDpljx6RrhFpBzIfiIPJ8ltuAzWLE2o7YsjRfUzM5w5RvXz3Csls2QccaOXTKLLC36j9V8+dl1kkKkRLGL38ejco7AEC19rmDYIB3jrpJ7enBevrY8vkWJ/pDKmP7sNWeKfkmOYabdFH/y0vsefrKmjxpbpj+Bzqp2Hbztgbbzg/T7vSi5Zke5EQ+shAmzNvBicFrBnBGMUcRcN+XOcur7KzOPdOmqxjgnDh4Bdq+u2jNtSV7VY6q+2pb9kksuvxYFJT+GO8qs+e5JrTUudptXA7KkupVJ5+U7v3wBO4IC/Is=,iv:gMs8Nq2+e7nrBSdeXz7Qp6MrtkvN6gYwLXuP1nm/Hy0=,tag:MLB5QxP2A7E6GwgZlI71FA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzQmE1dlVQSi9MRzZ1WGpR - dFYzZU8rR1V1VnQzUHB0VnFOckpIL2tvMzB3CnpXQXk0S0JNSkpNN0FMclBOdjFy - cFZYTjcrN2djbzBkZUFmNCtXS3lRM0EKLS0tIFB2V2FoMU5rZzlxQW5SSHhlZkNx - c1BCVEV4dEU4aE5YeDZMRlFyVHYyQ1EK+znjkJ/JuE5VgYUpkCfDCZV5mFmSXUxU - MtByksmGshA8oyk0SH6B+qg07yDh+jRn4gtvnTxxudtqcVf5EX0vcg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0MUhyeCs3Qjl6RmIwVHN1 - cHBQMFEvQU1ZTFE0d0lESXgya3FZRW01cjJJCnNPNGgrVmhYeWhlOTZMYjdyd0Fm - QzJwQ25IOUJOeXpxbC85YlJlTElia00KLS0tIHdHL20yakxaNy9CZmUyaHVUSmxZ - SkZhM3ByQ2o3a0pVZnV2M2lob2xRU1UK14PKZz5blclSkUVJwUFm+A9G5nPD0U0h - AH2kt/kdSxj+0I6uWrD+0KHh8KA0Tgp9Auyv/UF1dB9MoiuQPG15vg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrOVFHcloyYW5OK2d1eXJt - NWxLWitrUWdwd0J6R1phaFA1Z2FUV0ROdFhNClg4bG5WSW8zWTdsWGhQUGFySS8w - UFpjK3dzYjdPVTNsbFg0YVl0UnQ3WmMKLS0tIFhBODRqK25TVWpabTVteTRtSURO - NTdYNkFuSm9xVi9QME5DMkRqOUpJYk0KK0e8LjmPqPQD1FzXyAuoUY1d8u//WHvT - S4ijZF8udwPzKTIHd5OiQVfCdmVughKmmRwQEHdFC69fjn6wOqLJhw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUa2VYR0RZa0pOSFljVzgz - TS9aRW9OZ2hEV3pWbncyNlp2c0REZk1GRndvClk5U3l5b0dlcktkRXZBa3VPaWpU - ZmVuS3UwV3RmbzdQWC9qYXpCNnJpODQKLS0tIGNabjdpYXp4d2VyMEcxSXhHdGNr - Y21YcmlWTkJDRUh3czJEUWVGaG44cXMKoibsYSOYv329WNzktBVJ18aGAMXCxz3B - c9938x3U7BCsSatnNch/cTbxPFYt8GhgAXXZb8/vsT9URH+9/K2iuA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-05T13:45:59Z" - mac: ENC[AES256_GCM,data:wESfYT9AJDcOKI4QSzXLi844ILNtDa1APlcvhNHfu80mS6JFXifUgbOV8YW9D6TA7X/NIhdpiIiDt2bdmK9GJbSrbNJH1yz5Pm4nEabVdHCU5aJKtlagxkNwzfHfDaRznM6NQTdIFDqsaSSokKYyZiycNOMdisQ5JpbYYig/KTM=,iv:GaYceaZ0drzimn/TTXPBP2Zt81w6YPLNf1oqRtkWt/8=,tag:ptEQRoIsBVSBqSdg1XdLsA==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.2 diff --git a/nixos/machines/kaalut/mathechor.aliases.yaml b/nixos/machines/kaalut/mathechor.aliases.yaml deleted file mode 100644 index 55872b1..0000000 --- a/nixos/machines/kaalut/mathechor.aliases.yaml +++ /dev/null @@ -1,48 +0,0 @@ -mathechor.aliases: ENC[AES256_GCM,data:VKEGY6KVtgKApnV7N2e2cqy9erDWQ2fb88Gwcpp5th/t0VGp16KGDtGiuQXhY80j6dDIcQMd9bLHzqAzc4+i/WhmEPhiXUkGiEKuarMfvqNl1LBlXFCoIrUXMMSIqab9q+fE3ignVQapE/YZt9aniyvg1prcmBcwIy9rDoHkiTY006ux5CM+vX0F60ADX8Nf6Qmn/JncPxXgq2jYsBxjXPj7BwJaair/+nxrbVf0,iv:Elj1NDeR1fdIIjIbjvkV3BmcVAKjwdMfknuNxMXJsa4=,tag:AkXWQ8sTMLsd7a+MfRcF/w==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjMlRsWnkrREVaQitsWHMy - WHZFVG1qN25QbWFHcUxNS1Z0SFRDd1oxeG5RCi8wNUhkeWh2VjI4ZGowM1ExaExh - SE1yVGFTUHZadUdDL3pxaGdKTHQ0VTgKLS0tIHVNM2xlOFNNS3dFalJqZUtPODRn - b2NOTHpXSUVyaFRJNG5ONCt0TTVjOEkKYld7KN995QxdrGBVRYgCxO7kGwsiq+cp - iQJTjMdoFygIrTkgE5Rj89/GCiVe0+yAWJuQF7PEnC3cyq0M1g+fzw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPRFJCeXhwQVFSWmgzNHBu - SHlTTGtiRkI5bmhKa1B0QTZMY3FERmlUd0FBCk1vOUpydEFZUExpR2hpWm9mRHpE - dk9MQ042K0FpSVJ3dUlQcktGT2k1VjAKLS0tIHpGRmwzNE01YkV1TW94RkNmMjN4 - YnNXZUlta3NMVW9Cc3V2T0t4R01RSlkKNTW3gnF49BuPwF3jwciOYThJe+gJa0a6 - WKYt+aJuHi0a4y5rS/wfttij+hS5vYVNOrgfJ5bGinkNuAygA2hMOg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6MjZOR1dwb3RjZnlNNW4v - SzJnT1BRVktWNDI5S2Z2NnhQQzdNeS9ralI0CnN0SU9ESEV3ZCtRQmpZK3VZOGYx - Y3FVUy9zY3RZcGxyVmttVzFJL1haYWsKLS0tIENGRW1KZkpUdldOZWgzSXVoenpX - dTVpNUpWallSTzJ3cEZJTXk3c2t1czgKzJCwhMspzAsjzwSRdSPUoseEAsKp8HFy - cL9if92ar68HMHTdoy0Zvy+5AbxKUxgXZ2t8cDgkL8bNG5Ri2xYaUA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNm5xUGkrK1dYd2ZtamFW - NXpNMEtvNTl3U3MzeVNSbVJOdGdlWGsxRHlZCllQVmNtYzBJNDc2Y0dmUlNsbTF5 - RHB4QWZ1VGNFVkx1Q0hNK3FDTTRrUlkKLS0tIG9hbldDeHk0YmVZV2IwMXNpYStU - Q29uVHBCb2pTeWVJVmVXbWpycnFneWMKnDmu5917dddV8vjO0L8OP3wXMjDi46Ro - b9eOY8l74jm4sTxyKNvnkEjD6iHn1t7f8J7HAbWrpZY+J0i77nrzQw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-23T09:05:51Z" - mac: ENC[AES256_GCM,data:Xnulo0681LtgH9SZt9DL3nd9bSDH+TCQDvbKdggVBJ66rxBiKmlbu5MAblAWqxbdZ6EelldaVeX9OaL2rYJoYbTWxzw2iuPieldp3Ah3PsTI2C8W+UD9KVHcB+3AMOmVmJZzFlZvTwyfPfZRNNb0HAijkN97P3fP0r1Iqf3YjiI=,iv:vhu38HM4e+PyyChXvI87LWSGtKQQiXUr4MKrI7kotzk=,tag:eNuQD74kUO+duqEXNbLJBw==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.1 diff --git a/nixos/machines/kaalut/stalwartAdmin.yaml b/nixos/machines/kaalut/stalwartAdmin.yaml deleted file mode 100644 index 9fb24d8..0000000 --- a/nixos/machines/kaalut/stalwartAdmin.yaml +++ /dev/null @@ -1,48 +0,0 @@ -stalwartAdmin: ENC[AES256_GCM,data:4vpvxtFa2KiF3ojl+cw3ic/MI7UM9JQCQn76bidYvbW31zgF,iv:DtLAi68oQRf3U69uFK0Cz4qHMkxM6NnB3lVYft/DtqQ=,tag:HYm2mdpTuXNHdQIv2Rkwig==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxcTRqZXRoNTJCdFhQUG9o - Qmx2cVl0TWdaQzZZUThTOEpQdjIxVFh3eHhzCjlHWHhSYmM1ajYrdjl3Nm90TkRh - YWE3c0hJYzdFWXpZUGI0cHBQdThSWWsKLS0tIFh5M20wV2ZZbzllS1BNOGtaRUVF - MFN3bENrZ0tDMllJM1E5MWkyZ2thZEkKfZlUzE5t8K0oHZYOSVItvRJZP2MJlA7N - SLozGlpwCoZKWP6qAqP5jisTG/npQRhcqwkd7P39EytO2HXU9m8sJA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkVldRVmtPUzFxV0ltK0d2 - SHRqbXZCTW5wZUtZM0ZkL3lXOEJmVXdjMXdZCjE5MUUrSEhnWHRSOVhtWWQxdndv - ckUzTFl4ZXM5VHBTRlY3SzVsZWpxNUEKLS0tIEtpbTBhaWR1c3RhSW5nclZvMTdO - eTBYL1Q5cXNvTGkvQzJMWHZHaEZseVUK5w2MPZMquT0luq+tl2owLrrSBx9KPskS - FupcAZTcCo+YsemKLjJ6GlHch5x8Mw98NHS5h1AKxwZYtcfwg3lfbQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUitNeHNWOTVjWkF4YWhB - MnEwWDFnT0wyNUx3VmlQMmZTRmZRbXBGOVFvCmpoOHZZSXRweUtZaHZ6azF2Q3dK - NFBwa242U3JSVjhtOUlRTUZuakhkcXcKLS0tIEN5TGhMRFphdEpvcU5zTmVlTTJN - d2JRc2p4YmpuUHAycUoxc1FuZmxhemcKOgGyieFVS57tsvUtVooahqswYZH0Fi6+ - jxM6Ga/tIM/bZ/qSwYrNlNiz0XHm8/XFH2s8sxypDZ+NHGLs3zGjsw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBERTdvSTZ3eEVNbEZpUnQ2 - ZC85blRQVzgrckljcnZPeVhZWUxGd01tankwCjBCZHdWRnpoZkdRQWdoK0VmOFVy - VmpiOFkvNisrWmp2NE1kalB4dUhzdWsKLS0tIEJ6T1FsTFlIMUVWd3FwbEtldmlC - UjFHWHNZci8zRlFXNVpNNk5oSUNvaTQKW9T88GflSysJwqMnBrc/jZVwL/fRdg2a - 5XysXb/dCo4uNxLQit/KNSpINj7rAkf4Pk819DO6SKiIiuIJDXw9cA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-23T11:43:23Z" - mac: ENC[AES256_GCM,data:GZ1Q67n43WU3fDQd6SGsD2EZgoaq1mzh5biy42cx6FQWlveK5lhb0F2HUuWWv5zSHKpslEPD6odvkQmMNCRY8NsvT3+KBAnHHU0aHzM9AEV27cDL4x6oBvO52EMxsNCMm+fXPD1CubQxfbfvx/aIuqb1sovgKGgwf4u6yqIrHJ0=,iv:ExX+ySMXhF/c1w2IP7y8mdlcy8W9Zxiy6X67b2f4AeY=,tag:shxQJdaW3HsG6sNY+zDNCA==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.1 diff --git a/nixos/modules/borgbackup.nix b/nixos/modules/borgbackup.nix index 9889238..b552c8b 100644 --- a/nixos/modules/borgbackup.nix +++ b/nixos/modules/borgbackup.nix @@ -76,13 +76,6 @@ in { path = "/var/lib/backups/ithaqua"; allowSubRepos = true; }; - kaalut = { - authorizedKeysAppendOnly = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcAJkEXcvrDEQf1zRhBXLe1CSHOTooM3qy0KMfS9oug Kaalut Backup" - ]; - path = "/var/lib/backups/kaalut"; - allowSubRepos = true; - }; lobon = { authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEptjf1UWRlo6DG9alAIRwkSDUAVHwDKkHC6/DeYKzi Lobon Backup" diff --git a/nixos/modules/mail.nix b/nixos/modules/mail.nix deleted file mode 100644 index b8918c7..0000000 --- a/nixos/modules/mail.nix +++ /dev/null @@ -1,319 +0,0 @@ -/* -* Building: We patch our version of stalwart and thus need to built it locally. -* Be aware that this needs some hours, about 12Gb RAM and a few Gb free space in /tmp. -* If you only want to deploy configuration changes and no software updates, consider building on the target VM. -* It has stalwart in its nix store and does not need to rebuild it. -* Forwarding mails: Update the Sops-secrets in the machine directory, rebuild on the VM and deploy. -* Everything else should happen automatically but new redirects might take up to two hours due HRZ infrastructure. -* Using the web admin interface: Set your SSH to do portforwarding of some local port to port 80 of the VM and -* and use your personal admin account or create one using the fallback admin password. -* Create users with mail boxes: Go to the admin interface and create them. -* Stalwart mailserver docs can be found at https://stalw.art/docs -* DNS-Records: Collect the right DNS entries from the management interface and copy them to the DNS hoster. Caution: -* Not all entries are applicable since we relay via HRZ. -*/ -{ - config, - lib, - pkgs, - ... -}: let - inherit - (lib) - mkIf - mkEnableOption - mkOption - ; - inherit (lib.types) listOf strMatching str path; - cfg = config.services.mathebau-mail; -in { - options.services.mathebau-mail = { - enable = mkEnableOption "mathebau mail service"; - stalwartAdmin = mkOption { - type = path; - description = "Path to a file that contains the stalwart fallback admin password encoded for HTTP Basic Auth"; - }; - stalwartAdminHash = mkOption { - type = str; - description = "String containing the hashed fallback admin password"; - }; - domains = mkOption { - type = listOf (lib.types.submodule { - options = { - domain = mkOption { - description = "Domain name that we serve. We also push its addresses to HRZ."; - type = strMatching "^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$"; #Regex from https://www.oreilly.com/library/view/regular-expressions-cookbook/9781449327453/ch08s15.html - }; - allowlistPass = mkOption { - description = "Password file for the HRZ API that gets a list of mailaddresses that we serve"; - type = path; - }; - virt_aliases = mkOption { - description = "File path to a virtual alias file applicable for this domain"; - type = path; - default = "/dev/null"; # there might not be an alias file and reading an empty one works with our implementation - }; - }; - }); - }; - }; - - config = mkIf cfg.enable { - services = { - stalwart-mail = { - enable = true; - openFirewall = true; - settings = { - server = { - lookup.default.hostname = "fb04184.mathematik.tu-darmstadt.de"; # Because the DNS PTR of 130.83.2.184 is this and this should be used in SMTP EHLO. - listener = { - "smtp" = { - bind = ["[::]:25"]; - protocol = "smtp"; - }; - "submissions" = { - bind = ["[::]:465"]; - protocol = "smtp"; - tls.implicit = true; - }; - "imaptls" = { - bind = ["[::]:993"]; - protocol = "imap"; - tls.implicit = true; - }; - "management" = { - # Cthulhu forwards requests for http://fb04184.mathematik.tu-darmstadt.de/.well-known/acme-challenge/ http://imap.mathebau.de/.well-known/acme-challenge/ and http://smtp.mathebau.de/.well-known/acme-challenge/ - # for TLS certificate challenge validation - # whereas the rest of the management interface is not available publically. - # It can be reached via SSH and portforwarding. - bind = ["[::]:80"]; - protocol = "http"; - }; - }; - }; - acme.letsencrypt = { - directory = "https://acme-v02.api.letsencrypt.org/directory"; # This setting is necessary for this block to be activated - challenge = "http-01"; - contact = ["root@mathebau.de"]; - domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"]; - default = true; - }; - spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding - auth = { - # TODO check if HRZ conforms to these standards and we can validate them strictly - dkim.verify = "relaxed"; - arc.verify = "relaxed"; - dmarc.verify = "relaxed"; - iprev.verify = "relaxed"; - spf.verify.ehlo = "relaxed"; - spf.verify.mail-from = "relaxed"; - }; - - # Forward outgoing mail to HRZ or mail VMs. - # see https://stalw.art/docs/smtp/outbound/routing/ relay host example - queue.outbound = { - next-hop = [ - { - "if" = "rcpt_domain = 'lists.mathebau.de'"; - "then" = "'mailman'"; - } - { - "if" = "is_local_domain('', rcpt_domain)"; - "then" = "'local'"; - } - {"else" = "'hrz'";} - ]; - tls = { - # we only talk to HRZ and our own VMs anyway - mta-sts = "disable"; - dane = "disable"; - starttls = "optional"; # e.g. Lobon does not offer starttls - }; - }; - remote."hrz" = { - address = "mailout.hrz.tu-darmstadt.de"; - port = 25; - protocol = "smtp"; - tls.implicit = false; # Don't assume TLS on this port but use STARTTLS - }; - remote."mailman" = { - address = "lobon.mathebau.de"; # must be created in DNS as a MX record because this field does not accept ip addresses. - port = 25; - protocol = "smtp"; - tls.implicit = false; # Don't assume TLS on this port but use STARTTLS - }; - - session.rcpt = { - # In order to accept mail that we only forward - # without having to generate an account. - # Invalid addresses are filtered by DFN beforehand. - catch-all = true; - relay = [ - { - "if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de' || starts_with(remote_ip, '192.168.0.')"; #TODO restrict trust by IP - "then" = true; - } - {"else" = false;} - ]; - }; - - # Stalwart gets its configuration from two places: A TOML configuration file that we control in this module - # and from a database that can be configured from web management interface or via Rest API. - # We here define what comes from the TOML-file and especially add "sieve.trusted.scripts.*" to the default ones - # because only TOML-based keys may use macros to load files from disk. - # We want this to be able to load our sieve-script for mail forwarding. - config.local-keys = - [ - "store.*" - "directory.*" - "tracer.*" - "server.*" - "!server.blocked-ip.*" - "authentication.fallback-admin.*" - "cluster.node-id" - "storage.data" - "storage.blob" - "storage.lookup" - "storage.fts" - "storage.directory" - "lookup.default.hostname" - "certificate.*" - ] # the default ones - ++ ["sieve.trusted.scripts.*"]; #for macros to be able to include our redirection script - sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script - session.data.script = "'redirects'"; - - authentication.fallback-admin = { - user = "admin"; - # see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH - secret = cfg.stalwartAdminHash; - }; - store = { - # structured data in SQLite, blobs on filesystem - db.type = "sqlite"; - db.path = "/var/lib/stalwart-mail/data/index.sqlite3"; - fs.type = "fs"; - fs.path = "/var/lib/stalwart-mail/data/blobs"; - }; - }; - }; - }; - environment.persistence.${config.impermanence.name} = { - directories = [ - "/var/lib/stalwart-mail" - ]; - files = ["/root/.ssh/known_hosts"]; # for the backup server bragi - }; - - # Update HRZ allowlist - # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/ - # will stop working if no valid TUIDs are associated to our domain. - systemd = { - timers."mailAllowlist" = { - wantedBy = ["timers.target"]; - timerConfig = { - OnBootSec = "1h"; # Run every hour - OnUnitActiveSec = "1h"; - RandomizedDelaySec = "10m"; # prevent overload on regular intervals - Unit = "mailAllowlist.service"; - }; - }; - services = { - "mailAllowlist" = { - description = "Allowlist update: Post the mail addresses to the HRZ allowllist"; - script = let - scriptTemplate = { - domain, - allowlistPass, - ... - }: '' - echo "process ${domain}" - # This line gets the available mailboxes from stalwart's Rest API, searches for their addresses and collects them to a file for submission. - ${pkgs.curl}/bin/curl -s --header "authorization: Basic $(<${cfg.stalwartAdmin})" http://localhost/api/principal | ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" | tee /tmp/addresses - # This line searches for available redirects and adds them to the submission file. - ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases >> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need. - # Post local-parts to HRZ, see https://www-cgi.hrz.tu-darmstadt.de/mail/index.php?bereich=whitelist_upload - ${pkgs.curl}/bin/curl -s https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${domain} -F password=$(cat ${allowlistPass}) -F emailliste=@/tmp/addresses -F meldungen=voll - # Cleanup submission file - rm /tmp/addresses - ''; - in - lib.strings.concatStringsSep "" (map scriptTemplate cfg.domains); - serviceConfig = { - Type = "oneshot"; - User = "stalwart-mail"; - NoNewPrivileges = true; - # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html - PrivateTmp = false; # allow access to sieve script - ProtectHome = true; - ReadOnlyPaths = "/"; - ReadWritePaths = "/tmp"; - InaccessiblePaths = "-/lost+found"; - PrivateDevices = true; - PrivateUsers = true; - ProtectHostname = true; - ProtectClock = true; - ProtectKernelTunables = true; - ProtectKernelModules = true; - ProtectKernelLogs = true; - ProtectControlGroups = true; - LockPersonality = true; - MemoryDenyWriteExecute = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - }; - }; - "stalwart-mail" = { - restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed. - serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script - }; - "virt-aliases-generator" = { - description = "Virtual Aliases Generator: Generate a sieve script from the virtual alias file"; - script = lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map (x: "${x.virt_aliases} ${x.domain} ") cfg.domains ++ ["> /tmp/virt_aliases"]); - wantedBy = ["stalwart-mail.service"]; # Rerun on stalwart restart because forwardings may have changed. - serviceConfig = { - Type = "oneshot"; - User = "stalwart-mail"; - NoNewPrivileges = true; - # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html - PrivateTmp = false; - ProtectHome = true; - ReadOnlyPaths = "/"; - ReadWritePaths = "/tmp"; - InaccessiblePaths = "-/lost+found"; - PrivateDevices = true; - PrivateUsers = true; - ProtectHostname = true; - ProtectClock = true; - ProtectKernelTunables = true; - ProtectKernelModules = true; - ProtectKernelLogs = true; - ProtectControlGroups = true; - LockPersonality = true; - MemoryDenyWriteExecute = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - }; - }; - }; - }; - # Backups - services.borgbackup.jobs.mail = { - paths = [ - "/var/lib/stalwart-mail/data" - ]; - encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction. - environment = { - BORG_RSH = "ssh -i /run/secrets/backupKey"; - # “Borg ensures that backups are not created on random drives that ‘just happen’ to contain a Borg repository.” - # https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html - # We don't want this in order to not need to persist borg cache and simplify new deployments. - BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes"; - }; - repo = "borg@192.168.1.11:kaluut"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33 - startAt = "daily"; - user = "root"; - group = "root"; - }; - }; -} diff --git a/nixos/modules/mailman.nix b/nixos/modules/mailman.nix index f4ecd0e..5cfa63d 100644 --- a/nixos/modules/mailman.nix +++ b/nixos/modules/mailman.nix @@ -35,7 +35,7 @@ in { proxy_interfaces = "130.83.2.184"; smtputf8_enable = "no"; # HRZ does not know SMTPUTF8 }; - relayHost = "mathebau.de"; # Relay to mail vm which relays to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp) + relayHost = "192.168.0.24"; # Relay to eihort which relays to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp) }; mailman = { enable = true; @@ -64,9 +64,9 @@ in { systemd.timers."mailAllowlist" = { wantedBy = ["timers.target"]; timerConfig = { - OnBootSec = "1h"; # Run every hour - OnUnitActiveSec = "1h"; - RandomizedDelaySec = "10m"; # prevent overload on regular intervals + OnBootSec = "5m"; # Run every 5 minutes + OnUnitActiveSec = "5m"; + RandomizedDelaySec = "2m"; # prevent overload on regular intervals Unit = "mailAllowlist.service"; }; }; diff --git a/patches/sieve-rs.patch b/patches/sieve-rs.patch deleted file mode 100644 index b706d03..0000000 --- a/patches/sieve-rs.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff --git a/Cargo.lock b/Cargo.lock -index be36759b..b4316639 100644 ---- a/Cargo.lock -+++ b/Cargo.lock -@@ -6404,8 +6404,7 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" - [[package]] - name = "sieve-rs" - version = "0.6.0" --source = "registry+https://github.com/rust-lang/crates.io-index" --checksum = "15ac54053752c25a0e545dd1953de716abcc80b12cfe0b6c2f2c1c73759d4f45" -+source = "git+https://gitea.mathebau.de/fachschaft/sieve-rs.git#71324550504c0f84fe3e814d05cbe22f90a3b228" - dependencies = [ - "ahash 0.8.11", - "bincode", -diff --git a/Cargo.toml b/Cargo.toml -index f055474f..2b64c9ac 100644 ---- a/Cargo.toml -+++ b/Cargo.toml -@@ -63,3 +63,7 @@ incremental = false - debug-assertions = false - overflow-checks = false - rpath = false -+ -+ -+[patch.crates-io] -+sieve-rs = { git = 'https://gitea.mathebau.de/fachschaft/sieve-rs.git' } -