From 51c83c8ec060107819f637a2c709e17cc65fdba4 Mon Sep 17 00:00:00 2001 From: Gonne Date: Thu, 20 Feb 2025 16:31:55 +0100 Subject: [PATCH 1/8] Pass pkgs to machine configs to enable installation of packages there --- nixos/flake-module.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/nixos/flake-module.nix b/nixos/flake-module.nix index bc1769b..1027f0f 100644 --- a/nixos/flake-module.nix +++ b/nixos/flake-module.nix @@ -14,7 +14,13 @@ importedConfig = import (./. + "/machines/${name}/configuration.nix"); systemConfig = if lib.isFunction importedConfig - then x: importedConfig (x // {flake-inputs = inputs;}) + then + x: + importedConfig (x + // { + flake-inputs = inputs; + inherit pkgs; + }) else importedConfig; in pkgs.nixos { From 35707122fa6d555cf4fa1f9889d7f2b4553ef3fe Mon Sep 17 00:00:00 2001 From: Gonne Date: Thu, 20 Feb 2025 16:37:32 +0100 Subject: [PATCH 2/8] Add Nodens, a VM to install NixOS VMs --- README.md | 30 ++++-------- nixos/machines/nodens/configuration.nix | 16 +++++++ .../nodens/hardware-configuration.nix | 48 +++++++++++++++++++ 3 files changed, 74 insertions(+), 20 deletions(-) create mode 100644 nixos/machines/nodens/configuration.nix create mode 100644 nixos/machines/nodens/hardware-configuration.nix diff --git a/README.md b/README.md index 1bfa35a..97d6f3c 100644 --- a/README.md +++ b/README.md @@ -94,7 +94,7 @@ In any case, to switch the system configuration you will need to have root privi ## Installing a new machine You have written a configuration and now want to deploy it as a new machine. You need to get the build configuration on the -`nixos-installer` machine (regarding this machine see issue [#10]). You can either use either any of the +`nodens` machine. You can either use either any of the versions above, or just continue then the machine will build the configuration implicitly. ### Disk layout 
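Review bot: The explicit `inherit pkgs;` is needed only because the wrapper `x: importedConfig (...)` declares no named arguments, so, as far as I can tell from how the module system resolves module arguments, it receives just `config`/`options`/`lib` and the special args and none of the values provided through `_module.args` — `pkgs` being one of them. That gap remains for any other `_module.args` value a machine configuration might ask for, and the `pkgs` handed through here is the flake-module's own instance rather than the one the module system would derive from the machine's `nixpkgs.*` options, which is worth stating next to the code: `# the wrapper hides importedConfig's argument names from the module system, so _module.args values such as pkgs must be threaded through by hand`. Alternatively `lib.setFunctionArgs` on the wrapper with `lib.functionArgs importedConfig` might restore argument discovery, but that would need to be tried. The enclosing `let` starts before this hunk.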
@@ -111,22 +111,14 @@ reflect those. - `"/boot"` the place for bootloader configuration and kernel also persistent - any additional data paths for your machine specific needs. Choose filesystems accordingly. -My recommendation is to put `"/persist"` and `"/nix"` on a joint btrfs as subvolumes and `"/boot"` on separate disks (because grub +My recommendation is to put `"/persist"` and `"/nix"` on a joint btrfs labelled `nixos` as subvolumes and `"/boot"` on a separate disk labelled `boot` (because grub will give you a hard time if you do it as a subvolume or bind mount (even though that should be possible but is an upstream problem)). -For how to configure additional persistent data -to be stored in `"/persist"` look at the impermanence section as soon it is merged. Before this look at issue [#9]. +For how to configure additional persistent data to be stored in `"/persist"` look at the impermanence section. I do not recommend this for actual high access application data like databases mailboxes and things like it. You should think about this as data that if lost can be regenerated with only little problems and read/written only a few times during setup. (Like the server ssh keys for example). The configuration also setups some paths for `"/persist"` automatically, again look at the impermanence sections. -#### File system uuids - -You might end with a bit of a chicken/egg problem regarding filesystem uuids. See you need to set them in your system configuration. -There are two ways around that. Either generate the filesystems read out the uuids, and push them into the repository holding -the configuration you want to build, or generate the uuids first, have them in your configuration and set them upon filesystem creation. Most -`mkfs` utilities have an option for that. - ### Installing Just run 
@@ -151,13 +143,16 @@ A good skeleton is probably: imports = [ ./hardware-configuration.nix ../../roles - ./network.nix + ../../roles/vm.nix + ../../vmNetwork.nix ]; + + vmNetwork.ipv4 = "192.168.0.XX"; networking.hostname = ""; # this will hopefully disappear if I have time to refactor this. system.stateVersion = ""; } @@ -173,9 +168,6 @@ The `flake-inputs` argument is optional, but you can use it if you need to get a else this is a complete normal nixos system configuration module (with a lot of settings already imorted from `../../roles`). -As of moment of writing `network.nix` should contain ip, nameserver and default gateway setup. As parts of -this is constant across all systems and will undergo refactor soon. - I would recommend to split your configuration into small files you import. If this is something machine specific (like tied to your ip address hostname), put it into the machine directory. If it is not, put it into `/nixos/roles/` if it is not but has options to set, put it in `/nixos/modules`. 
@@ -202,14 +194,12 @@ network configuration. And service configuration that are too closely interwoven mailserver configuration depends heavily on network settings). It also contains the root configuration for that machine called `configuration.nix`. This file usually only includes other modules. These `configuration.nix` files are almost usual nix configurations. The only difference is that they take as an extra argument -the flake inputs. This allows them to load modules from these flakes. For example, nyarlathotep loads the simple-nixos-mailserver -module that way. +the flake inputs. This allows them to load modules from these flakes. For example, lobon loads the mathebau-mailman module that way. #### roles `nixos/roles` contains configuration that is potentially shared by some machines. It is expected that `nixos/roles/default.nix` is imported as (`../../roles`) in every machine. Notable are the files `nixos/roles/admins.nix` which contains -common admin accounts for these machines and `nixos/roles/nix_keys.nix` which contains the additional trusted -keys for the nix store. +common admin accounts for these machines and the additional trusted keys for the nix store. ## sops @@ -289,7 +279,7 @@ by the circumstances or by the person that didn't run fast enough. So we are hap mean that we don't need to have some level of quality, people after us needs to work with it. It is live infrastructure and downtime hurts someone (and in the wrong moment even really bad (Matheball ticket sales for example)). -So here are some Guidelines. +So here are some guidelines. ## Coding style and linting. If you run `nix flake check` there are automated checks in place, please make sure to pass them. diff --git a/nixos/machines/nodens/configuration.nix b/nixos/machines/nodens/configuration.nix new file mode 100644 index 0000000..554e407 --- /dev/null +++ b/nixos/machines/nodens/configuration.nix 
@@ -0,0 +1,16 @@
+{pkgs, ...}: {
+ imports = [
+ ./hardware-configuration.nix
+ ../../roles
+ ../../roles/vm.nix
+ ../../modules/vmNetwork.nix
+ ];
+
+ # System configuration here
+
+ environment.systemPackages = [pkgs.git];
+
+ networking.hostName = "nodens";
+ vmNetwork.ipv4 = "192.168.0.18";
+ system.stateVersion = "24.11";
+}
diff --git a/nixos/machines/nodens/hardware-configuration.nix b/nixos/machines/nodens/hardware-configuration.nix
new file mode 100644
index 0000000..31b5450
--- /dev/null
+++ b/nixos/machines/nodens/hardware-configuration.nix
@@ -0,0 +1,48 @@
+# A machine that exists to install other NixOS machines from some config
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ fileSystems."/" = {
+ device = "root";
+ fsType = "tmpfs";
+ options = ["size=1G" "mode=755"];
+ };
+ # Different than usual names in order to automount other VMs
+ fileSystems."/persist" = {
+ device = "/dev/disk/by-label/nixosNodens";
+ fsType = "btrfs";
+ options = ["subvol=persist"];
+ neededForBoot = true;
+ };
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-label/bootNodens";
+ fsType = "ext4";
+ };
+ fileSystems."/nix" = {
+ device = "/dev/disk/by-label/nixosNodens";
+ fsType = "btrfs";
+ options = ["subvol=nix"];
+ };
+
+ #Machine to be installed
+ fileSystems."/mnt/persist" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=persist"];
+ };
+ fileSystems."/mnt/boot" = {
+ device = "/dev/disk/by-label/boot";
+ fsType = "ext4";
+ };
+ fileSystems."/mnt/nix" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "btrfs";
+ options = ["subvol=nix"];
+ };
+
+ swapDevices = [{device = "/dev/disk/by-uuid/89e13a83-506a-43b4-b06a-09424500ceda";}];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
From 77bdd979b0202e7e1857955e1607968a40da2eea Mon Sep 17 00:00:00 2001
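Review bot: The network module is imported here as `../../modules/vmNetwork.nix`, while the machine skeleton the same commit adds to README.md imports `../../vmNetwork.nix`; one of the two paths is wrong, and given the README's own advice to keep option-bearing modules under `/nixos/modules`, the README line should presumably become `../../modules/vmNetwork.nix` to match this file. The `{pkgs, ...}:` argument used for `environment.systemPackages` only works because the first patch of this series threads `pkgs` through the machine-config wrapper; a short comment on that dependency would help anyone copying this file as a template.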
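Review bot: The `/mnt/persist`, `/mnt/boot` and `/mnt/nix` entries are declared like the machine's own filesystems, so when no target disk labelled `nixos`/`boot` is attached at boot the generated mount units should fail and, unless I misread the NixOS defaults, hold up `local-fs.target` and drop the installer into emergency mode. Adding `"nofail"` to their options (`options = ["subvol=persist" "nofail"];`, `options = ["nofail"];` for `/mnt/boot`, `options = ["subvol=nix" "nofail"];`) lets nodens come up with or without a target attached. Note also that `/dev/disk/by-label/nixos` is a single udev symlink, so if more than one attached disk carries that label it is not defined which one ends up under `/mnt`; the `#Machine to be installed` comment is the right place to state that exactly one target disk may be attached at a time (and a space after `#` would match the file's other comments).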
From: Gonne Date: Thu, 20 Feb 2025 16:37:46 +0100 Subject: [PATCH 3/8] Align file system layout to new naming policy --- nixos/machines/ghatanothoa/hardware-configuration.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nixos/machines/ghatanothoa/hardware-configuration.nix b/nixos/machines/ghatanothoa/hardware-configuration.nix index 05a48b2..f870f0e 100644 --- a/nixos/machines/ghatanothoa/hardware-configuration.nix +++ b/nixos/machines/ghatanothoa/hardware-configuration.nix @@ -7,17 +7,17 @@ options = ["size=1G" "mode=755"]; }; fileSystems."/persist" = { - device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136"; + device = "/dev/disk/by-label/nixos"; fsType = "btrfs"; options = ["subvol=persist"]; neededForBoot = true; }; fileSystems."/boot" = { - device = "/dev/disk/by-uuid/19da7f3a-69da-4fa8-bb68-b355d7697ba7"; + device = "/dev/disk/by-label/boot"; fsType = "ext4"; }; fileSystems."/nix" = { - device = "/dev/disk/by-uuid/e0a160ef-7d46-4705-9152-a6b602898136"; + device = "/dev/disk/by-label/nixos"; fsType = "btrfs"; options = ["subvol=nix"]; }; From e792b469737dce42324ca0d982a980fec6da18cf Mon Sep 17 00:00:00 2001 From: Gonne Date: Sat, 26 Oct 2024 13:10:02 +0200 Subject: [PATCH 4/8] nix flake update --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index dc1839f..846ad85 100644 --- a/flake.lock +++ b/flake.lock @@ -35,11 +35,11 @@ }, "impermanence": { "locked": { - "lastModified": 1727649413, - "narHash": "sha256-FA53of86DjFdeQzRDVtvgWF9o52rWK70VHGx0Y8fElQ=", + "lastModified": 1729068498, + "narHash": "sha256-C2sGRJl1EmBq0nO98TNd4cbUy20ABSgnHWXLIJQWRFA=", "owner": "nix-community", "repo": "impermanence", - "rev": "d0b38e550039a72aff896ee65b0918e975e6d48e", + "rev": "e337457502571b23e449bf42153d7faa10c0a562", "type": "github" }, "original": { 
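Review bot: Replacing the `by-uuid` devices with `by-label/nixos` and `by-label/boot` makes the choice of root filesystems depend on a non-unique, freely settable label: any additional block device attached to this VM that also carries `nixos` or `boot` — which is precisely the label the nodens installer added in this series expects on target disks — may be selected instead of the intended one, since there is only one `by-label` symlink per label. If the naming policy is kept, that constraint should be recorded here, e.g. `# labels are not unique: never attach a second disk labelled nixos/boot to this machine`. The enclosing attribute set and its function header start outside the hunk.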
@@ -71,11 +71,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1728492678, - "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=", + "lastModified": 1729665710, + "narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7", + "rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d", "type": "github" }, "original": { @@ -114,11 +114,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1728156290, - "narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=", + "lastModified": 1729357638, + "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "17ae88b569bb15590549ff478bab6494dde4a907", + "rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22", "type": "github" }, "original": { @@ -136,11 +136,11 @@ "nixpkgs-stable": [] }, "locked": { - "lastModified": 1728727368, - "narHash": "sha256-7FMyNISP7K6XDSIt1NJxkXZnEdV3HZUXvFoBaJ/qdOg=", + "lastModified": 1729104314, + "narHash": "sha256-pZRZsq5oCdJt3upZIU4aslS9XwFJ+/nVtALHIciX/BI=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "eb74e0be24a11a1531b5b8659535580554d30b28", + "rev": "3c3e88f0f544d6bb54329832616af7eb971b6be6", "type": "github" }, "original": { @@ -167,11 +167,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1728345710, - "narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=", + "lastModified": 1729931925, + "narHash": "sha256-3tjYImjVzsSM4sU+wTySF94Yop1spI/XomMBEpljKvQ=", "owner": "Mic92", "repo": "sops-nix", - "rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b", + "rev": "b2211d1a537136cc1d0d5c0af391e8712016b34e", "type": "github" }, "original": { From aa13fb974fa9a411914b4de588468e7e7a55a2d7 Mon Sep 17 00:00:00 2001 
From: Gonne Date: Wed, 10 Jul 2024 22:56:46 +0200 Subject: [PATCH 5/8] First try to install Stalwart as a mail software --- .sops.yaml | 7 + flake-module.nix | 6 + flake.lock | 144 +++++++-- flake.nix | 3 + nixos/machines/kaalut/allowlistPassKoMa.yaml | 48 +++ .../kaalut/allowlistPassMatheball.yaml | 48 +++ .../kaalut/allowlistPassMathebau.yaml | 48 +++ .../kaalut/allowlistPassMathechor.yaml | 48 +++ nixos/machines/kaalut/backupKey.yaml | 48 +++ nixos/machines/kaalut/configuration.nix | 100 ++++++ .../kaalut/hardware-configuration.nix | 30 ++ nixos/machines/kaalut/koma.aliases.yaml | 48 +++ nixos/machines/kaalut/mathebau.aliases.yaml | 48 +++ nixos/machines/kaalut/mathechor.aliases.yaml | 48 +++ nixos/machines/kaalut/stalwartAdmin.yaml | 48 +++ nixos/modules/borgbackup.nix | 7 + nixos/modules/mail.nix | 301 ++++++++++++++++++ 17 files changed, 1000 insertions(+), 30 deletions(-) create mode 100644 nixos/machines/kaalut/allowlistPassKoMa.yaml create mode 100644 nixos/machines/kaalut/allowlistPassMatheball.yaml create mode 100644 nixos/machines/kaalut/allowlistPassMathebau.yaml create mode 100644 nixos/machines/kaalut/allowlistPassMathechor.yaml create mode 100644 nixos/machines/kaalut/backupKey.yaml create mode 100644 nixos/machines/kaalut/configuration.nix create mode 100644 nixos/machines/kaalut/hardware-configuration.nix create mode 100644 nixos/machines/kaalut/koma.aliases.yaml create mode 100644 nixos/machines/kaalut/mathebau.aliases.yaml create mode 100644 nixos/machines/kaalut/mathechor.aliases.yaml create mode 100644 nixos/machines/kaalut/stalwartAdmin.yaml create mode 100644 nixos/modules/mail.nix diff --git a/.sops.yaml b/.sops.yaml index bc5cfc6..7967e56 100644 --- a/.sops.yaml +++ b/.sops.yaml 
@@ -5,6 +5,7 @@ keys: - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4 - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn + - &kaalut age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a creation_rules: - path_regex: nixos/machines/nyarlathotep/.* @@ -25,6 +26,12 @@ creation_rules: - *nerf - *gonne - *lobon + - path_regex: nixos/machines/kaalut/.* + key_groups: + - age: + - *nerf + - *gonne + - *kaalut # this is the catchall clause if nothing above machtes. Encrypt to users but not # to machines - key_groups: diff --git a/flake-module.nix b/flake-module.nix index c30fff4..7bc32ef 100644 --- a/flake-module.nix +++ b/flake-module.nix @@ -53,6 +53,12 @@ _module.args.pkgs = import inputs.nixpkgs { inherit system; config.permittedInsecurePackages = ["jitsi-meet-1.0.8043"]; + + overlays = [ + (_: _: { + alias-to-sieve = inputs.alias-to-sieve.packages.x86_64-linux.default; # add custom package to convert alias files to sieve scripts on the stalwart machine + }) + ]; }; }; diff --git a/flake.lock b/flake.lock index 846ad85..728f1ae 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,25 @@ { "nodes": { + "alias-to-sieve": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": "nixpkgs", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1733169152, + "narHash": "sha256-HUJuoOjNdweJ/ZjYrwJ13omhLZrztp+0RTZsFIwRojc=", + "ref": "refs/heads/main", + "rev": "963c13f80d80dcff748e57061b18b542ba76a463", + "revCount": 19, + "type": "git", + "url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve" + }, + "original": { + "type": "git", + "url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve" + } + }, "blobs": { "flake": false, "locked": { 
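Review bot: The new kaalut rule lists three recipients (`*nerf`, `*gonne`, `*kaalut`), but the `nixos/machines/kaalut/*.yaml` secrets created in the same commit are each encrypted to four age recipients, of which only `age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a` is visible as `&kaalut` here. Unless `*nerf` or `*gonne` expand to more than one key, one recipient of those files is outside this policy and a later `sops updatekeys` would silently change the recipient set; it is worth confirming that the fourth key is intended, and a comment on the rule naming who the recipients are (`# kaalut: Stalwart mail VM, operators nerf and gonne`) would make such audits easier. The `&nerf` and `&gonne` definitions are outside this hunk.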
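Review bot: The overlay hardcodes `packages.x86_64-linux.default` although `system` is already in scope one line above (`inherit system;`); `alias-to-sieve = inputs.alias-to-sieve.packages.${system}.default;` keeps the package in step with whatever system is being evaluated and avoids a silent architecture mismatch. The long end-of-line explanation would read better as a comment line above the attribute. The enclosing `_module.args.pkgs = import inputs.nixpkgs {` expression begins before this hunk.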
@@ -21,11 +41,29 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1727826117, - "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib_2" + }, + "locked": { + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", "type": "github" }, "original": { @@ -35,11 +73,11 @@ }, "impermanence": { "locked": { - "lastModified": 1729068498, - "narHash": "sha256-C2sGRJl1EmBq0nO98TNd4cbUy20ABSgnHWXLIJQWRFA=", + "lastModified": 1731242966, + "narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=", "owner": "nix-community", "repo": "impermanence", - "rev": "e337457502571b23e449bf42153d7faa10c0a562", + "rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a", "type": "github" }, "original": { @@ -71,15 +109,15 @@ }, "nixpkgs": { "locked": { - "lastModified": 1729665710, - "narHash": "sha256-AlcmCXJZPIlO5dmFzV3V2XF6x/OpNWUV8Y/FMPGd8Z4=", - "owner": "NixOS", + "lastModified": 1732014248, + "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "2768c7d042a37de65bb1b5b3268fc987e534c49d", + "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", "type": "github" }, "original": { - "owner": "NixOS", + "owner": "nixos", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" 
@@ -102,28 +140,56 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1727825735, - "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", + "lastModified": 1730504152, + "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" } }, - "nixpkgs-stable": { + "nixpkgs-lib_2": { "locked": { - "lastModified": 1729357638, - "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=", + "lastModified": 1730504152, + "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1728538411, + "narHash": "sha256-f0SBJz1eZ2yOuKUr5CA9BHULGXVSn6miBuUWdTyhUhU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22", + "rev": "b69de56fac8c2b6f8fd27f2eca01dcda8e0a4221", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-24.05", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1733015953, + "narHash": "sha256-t4BBVpwG9B4hLgc6GUBuj3cjU7lP/PJfpTHuSqE+crk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ac35b104800bff9028425fec3b6e8a41de2bbfff", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": 
"github" } @@ -136,11 +202,11 @@ "nixpkgs-stable": [] }, "locked": { - "lastModified": 1729104314, - "narHash": "sha256-pZRZsq5oCdJt3upZIU4aslS9XwFJ+/nVtALHIciX/BI=", + "lastModified": 1732021966, + "narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "3c3e88f0f544d6bb54329832616af7eb971b6be6", + "rev": "3308484d1a443fc5bc92012435d79e80458fe43c", "type": "github" }, "original": { @@ -151,27 +217,45 @@ }, "root": { "inputs": { - "flake-parts": "flake-parts", + "alias-to-sieve": "alias-to-sieve", + "flake-parts": "flake-parts_2", "impermanence": "impermanence", "nixos-mailserver": "nixos-mailserver", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_3", "pre-commit-hooks": "pre-commit-hooks", "sops-nix": "sops-nix" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1732328983, + "narHash": "sha256-RHt12f/slrzDpSL7SSkydh8wUE4Nr4r23HlpWywed9E=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "ed8aa5b64f7d36d9338eb1d0a3bb60cf52069a72", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "sops-nix": { "inputs": { "nixpkgs": [ "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" + ] }, "locked": { - "lastModified": 1729931925, - "narHash": "sha256-3tjYImjVzsSM4sU+wTySF94Yop1spI/XomMBEpljKvQ=", + "lastModified": 1733128155, + "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "b2211d1a537136cc1d0d5c0af391e8712016b34e", + "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index b4b5593..2e6f161 100644 --- a/flake.nix +++ b/flake.nix 
@@ -2,6 +2,9 @@ description = "Description for the project"; inputs = { + alias-to-sieve = { + url = "git+https://gitea.mathebau.de/fachschaft/alias_to_sieve"; + }; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixos-mailserver = { url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git"; diff --git a/nixos/machines/kaalut/allowlistPassKoMa.yaml b/nixos/machines/kaalut/allowlistPassKoMa.yaml new file mode 100644 index 0000000..826123a --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassKoMa.yaml 
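Review bot: The new `alias-to-sieve` input does not pin its transitive inputs to the root ones, and the flake.lock hunk of this commit shows the effect: a second `nixpkgs` (plus `flake-parts_2`, `rust-overlay` and `nixpkgs_2`) is now locked next to the root `nixpkgs_3`. Adding `inputs.nixpkgs.follows = "nixpkgs";` and `inputs.flake-parts.follows = "flake-parts";` inside the new block keeps a single nixpkgs evaluation and a single set of pinned sources to review. The input is fetched from a self-hosted forge and tracks its default branch; if a fixed revision is intended, pin it in the url (`?ref=…` / `?rev=…`) rather than relying on `nix flake update` discipline alone.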
@@ -0,0 +1,48 @@ +allowlistPassKoMa: ENC[AES256_GCM,data:TGFyk/kVc5+EFtjJXUVTNEk=,iv:QQDiOK81JDQXnuzgrcDHVtu+Pm2Ki7H2sEBuNMSKY9U=,tag:mgd/jPMl7fjl+dH6d2sKTg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpWW9FZHEwejRaRER1MHJQ + VXgyaE1GQmhhNFh1dEtBNjRnZXVqWm5hV25vCjliank4KzFobEZtbitzaXBhT1F6 + cCtqeVorS1BLMmMzZkVVOEN6NERFdDAKLS0tIGkzUUt1NnBUWUJWTy9Pd2FIeTF0 + cDVaUHowSEpoRjR3Zm81Z1p5NlYzV1kKMRvC7+3TS5EKjWg/NPnbwvVIikxf+Bpa + zNo9jhw3GREMScBXOiarm+xgMZ1e2SRrLrUwfR4DiXI4uvg1Jk/tPg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRYk1LQTVDNGhHWXJZSmsy + NEZ0WTNlek4yVnRwL3BKNXYrcm84SzIvNlRZCjlDdXU1a2NRNUVHZmkyK2ltZ3pE + bmtmVE5TR1hBcVNhaTBGK2F6VWZ1d2MKLS0tIDVKcXhDbjBncFlsR3FzanRhWWQv + Um1jcExjN2RWbHhzY2ZpcWVTWE1IbHMKfRSAmfbk+JDWdhSTSg9GZ+lws5DOHv9T + ZO9nQV37X9zFD6sXDWaspG3sf4kJZUCbWjCTKyQL/xmh4+E8+CAXYw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzOXBwTUF3ZXJCTFJOQjVC + bGplRDRCQVhtUEJPcnhENEF3UVVnbmVKNnprCjFOZW94ajI2d21RamZKT0xFMmtZ + ZzZFYjg3WDBmOVhlaFZyOW83M1NYVXcKLS0tIGltWUJGczNJS0pWTmxaZHU5Wi9t + TDRCdStocXRvLzBPUTd2blZFV0IyblkKjufZg39n/TI6BhGhIFNz4jplUx6u3/bo + NMbr9uJy/I1sdlfGNaheG/TIGOgFG1KqGkGdwpisU3gUD9uMUo1dvw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdDdsdW44ZlQyMzdJNmsv + aTIzVWRoSDhzamlqTDFOemZlc1JQMFdZbFJNCmVZbDVVaDBSVi8yTkdOQ1UySy9X + 
MlhXTzRvNWtqUzQxTlNqQ2RlN2J1OXMKLS0tIC9aZEZMVkFybnRTQmhpM1dzc1lt + bDdvdHc3Y1NmeE5WUzl3cXVRc3pmOUkK+9WueS1wDQDJlenec4jJCfynbPnuOFYR + HFsWmvEZJ+XhH6N9Q0phCHQgZGiR67FH6CHkCblmb6ZfZcWSEe1oTg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:/OUhbhrO36jEdQUc2+fPfYc13Qezbedo534r+dtULWNR3upzIkP1EnZmTe//TQcKe6GYE/AIWOCIdmfj5+TdXZfoFGZ4YjjFof2HYvDjNKHq7m0F5PFmmzNNkpzUdwHBj5N1usPRoPbsYIpfV74AUJJEeBSTpE76vIATNuE21Js=,iv:Rnh+uIDOPW0vdHPhjqyce9xl7MtURMTrp9kYoWZ6zOA=,tag:jONUKe1pXReqHjtnqCOTjw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/allowlistPassMatheball.yaml b/nixos/machines/kaalut/allowlistPassMatheball.yaml new file mode 100644 index 0000000..46c9791 --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMatheball.yaml 
@@ -0,0 +1,48 @@ +allowlistPassMatheball: ENC[AES256_GCM,data:cnYmhQ+2sNMR,iv:hSn9JbDce2NZdzptY1Miik4+VFh0i6ehQAGxcd9dJWg=,tag:XI1bE6Z84ppIxPYOasNO/w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHS2ZFM3JQcGx4VFo2M1Fy + T3pnNFg5dEhiaEI4SkNFbDNmV0Y4cDZHa0ZJCjd2SmRwMWtod2pxbEZkY2ZhbWhT + cEFJVHVyU2R0dncvekNFdzNpODlCMDgKLS0tIDRLSGFISXpXMUlzdGdDK1pBb3JX + N3RJVUpsdFZySTVWYlkwbStCaWVRZzgKInXWOMB5LX87zIKcdllGcOBc1CJHcSWP + htTOydt1XQGlZ809yT1Ovnsenk7SIFrtUGCgpSvju4C68FyS8fgJKQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdk1qdTBZRWYvMFgyZ3NN + QkZpb3BjSnVqRFJzeElCYVp1NDlyQitITGp3ClRtbVhBQnFvU0t5cUZGK0MveExJ + c1RtT2lRZm4ybkgxQ2VmV290SFRId1UKLS0tIEttRFFqTWJHbW54MUxCMHZ2NVA5 + NkFnM3R4eTEvdm85TzE5WFJLUTZMclUKpyGsJAAlqRagy13dH3AyeNi9v3oP8R6C + UayJeCPN89IyDsaIsrgAJk67+t92N8wTRIpOzfLEBQzz1WVBYCTPhA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOT012TTQ1V1ZlMnZycVB6 + empqdFc1SE13b1NNSCsyNkRMUWZ2aUdIRlc0CmEwYnp6WVI4SmRaVWRqTUZ5cWJJ + SXpUb3JLT2hNalc2ZlBhOTc2YWdDMkUKLS0tIGFPdW1OS0xFYjF3K01YcVh0bDQr + TjcxNTM3cjZrNnN1RThYUW56WHQ1RzAKvNCz1CW4VwI/YPqzpYfhpvhukbhE3g3Q + 31JZhyUViS/tutNy3rUpP+6zS2sY4yKhoavBTmMwI8W9I0JSZaVc5Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQytnV3hWODAva0JGdFF4 + MC84UmdaKzd1MVloK0dXL1NjS3pGaGY5RGw4CnF5NjlvSUU1N0ZlMHMxVXlhekxH + 
QkJJR3MzQVdJd2ZrT0t0S3FKMFZaOW8KLS0tICt6SEhEcm1QR0MwQjJ1YllRSlY2 + QlZ3Zk1hdkxpNllwSTNxRlZrZWtuVEUK65FpDbLv+S+MvF5+rpTyhjfi9xOUekTP + WupHKoeMMzAFxRK7DcH8bREib731JgBPbZEl8QZcY+xZDORnv1XZhg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:qA7d/k9vSQIvtdHOx20yfi98s5jgdGPYsP2c1rNrX4MeZnJ4RE+KR8wR37A54AvgOURUnTJUSfDNKGuTIPxioRC1j8iNlo/y0IefkbTaO2CBoh+BHurlh6wweTKI3LRUk8V0i5Qn/5INYc+DEzfsiA2g+QcbT5d0fU98+x7V/yY=,iv:xcgMXDFDN0Vo15rr2Eo6QV/Y5+X0t0mvAfuFmN1NDXY=,tag:PywW0L+VspBh2pZGXbM+sA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/allowlistPassMathebau.yaml b/nixos/machines/kaalut/allowlistPassMathebau.yaml new file mode 100644 index 0000000..df69566 --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMathebau.yaml 
@@ -0,0 +1,48 @@ +allowlistPassMathebau: ENC[AES256_GCM,data:DuCBcWAC61JW,iv:g0zYvVmTjsJESTq3kkWtaiypYPLIE6zkFyYLeOp/qhw=,tag:pyK6KMuPLkhLSTPAzbVxdQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaaWhNaDFEREcrejY2ejhI + L0tnOEtTWktNVDVoK1JQd3pBY1BndTY1NUFjCjFFSEd2Nkc2TVVMYzlwRXhyenVq + WmlCZkc4VWtFS1drNDRjRXR6SEVoYVEKLS0tIDRCQjJkdUM0V1BGV0hVNUtNQ1d4 + M2J2TEtPTjRVVG8yOHd6WThRNm5SU2MKVIAU8GCGklXvqNf0bpahJ4SsvIQxMged + m6mznRxcK9QPMApHayOBgw+8T+3IQkaEKGRuhI1y9UXahGSr8yxPYA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTkNiVWo3SWFmaFlENm5C + cDlJdHM0OXBnTFdYV1NtTHFmTndndTdwQWhRCitMTVJIcnpiRzEvL3JzMTZJMW9p + NTlIREJ5VVpLTVplWVNhSFFDMlVpNTQKLS0tIFkvMjYvVy9DZUZSVDVvQTkzck1F + ZHM5M2tRVUVIYmR5L1FsR3VxNUZSdW8KWIq5Cjbd12SqQfXRZDpUxTnUZGCyMVb+ + XxCixIFoGYZRTBc15k/Z6yM5OxYnSv3tbioF68PYtPaaRJrw0ICDxQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUWVHME1JN0gvZlNDQkFt + YTFsRG12UWlLckVLanNGQlozSXFaVGhMQWdzCndPdnRnNFU2dUpQangxUGU1RGVG + Z0Z5SmxZVG1jYW91YW5Jc1UwY25yOEkKLS0tIDJ1U2w1RzhpUk5WR0JUbzhRSStE + VnZpWUFwaHFMa2V6NlpQR285RGU0L2cKeN08hqlFz4re9iVwKmp2THEs1vZFqNXg + uK9Em5IeCx3pBjd5nnguAM751vR9X5O91ntA/R3MoL2bxGhbXHbOmA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXYStiSFpMWjh3M0EydEU4 + YlBpcFNYRXJTN0k4MWQ3blFmdW4zTHR6MWhrCmtsVkpGNFlIT0xBQU9SSG45czhU + 
NzlKSm9RMStFZXpselNBa3NpNGM5SzAKLS0tIDh0LzI0SkdlM0hONmF4RndCV2Q2 + VmwxWjcxVG5Kd1pPYUdpWDJCZkU3Q00Kbc8dYrQ2AiRAUfzXl6Bdj1mlbwlHSKzS + 6B/wzrIB3yws4QXCdZsIifxsGqJh/74UdQSXEab0VNwaHqsyXecIjw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:JLCK4mH4yS4YMhrmI821s/TfONkCyEx8x+pFHD/QOoU4KHyhDIggEhTYo31JFpWIQdDZMPbeFaUN+IvQwh1pqD1V92XfJVC0zHPiwhG7W2kI8WFAONVqI/bbMJ/ne4am5w/koGpQNPiM2RIo+9/9BKOkyLJLB7XTqPBY/FNW2n0=,iv:JiHwaSbPJSJYofiFABjn/AehSKyRrlOKHXBs1DGZcFQ=,tag:ajR0zYdHWxQcY2DhAuAzAw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/allowlistPassMathechor.yaml b/nixos/machines/kaalut/allowlistPassMathechor.yaml new file mode 100644 index 0000000..011559f --- /dev/null +++ b/nixos/machines/kaalut/allowlistPassMathechor.yaml 
@@ -0,0 +1,48 @@ +allowlistPassMathechor: ENC[AES256_GCM,data:CuLKFiBN6JwB,iv:cwiwShPKrGjjfuglRttmG/AB+qblJ/6ZLyD88mAsZ30=,tag:JIJjHJ4it077RSD3pSOBgg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnQzBXNVFObnk5OWtaemNz + UlFDTFpGRmJ6N0xYUmx3dllzS3hyWmNURmxRCm1CbmpSNWRkVHR5M21ibmJ4ZzNJ + elZQQ0UyN3lOTmRwQ2tnL1lHUFF5djgKLS0tIFUvRUkwSW0wSFhCMFByTkI0eEo4 + emdnN2JoMDVOb3FUTmZhZFIxWFhxZEkKDWFrvxDHjybQ2b9hORThAG2TihGdvaK0 + EHrzz0h1NVEO/nLUJSXRugGJ+J1GqThgOG1WCwJ+2Fk4Hm+q040DWQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkbmQ3ZXdhZkV2VTMxTUFK + eHM5aXAyNXdtV2ZkRVZKTC9GdWtDWUJtdFFFCkdBMWs3OFltRjFLVU1rSG52NGo2 + Q0dnS1V2c01EdVRuRGlsZ0lQT1JtUG8KLS0tIHErblZ6U01HTm1FUVJTZjdGQ2RB + bE90R0NsdkQ2UWNrbXZydjR5YTNGVWcK46c5ec7plT6X1874abnSSryG+cUZq/QT + 3LpgQs26dc9nIARiZUk/2UTPiUwxFesi7e4I87bWh5A+mQOHNfRAyw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUmJXMlFlb0pUbkduWkJK + SWhlUXNqZ0FQeFlEMFppUWR6MHFyS282emhJCkNLMDdaQ2JXRExLT3F2Y094VE90 + bTdmNGIvV0JHNlVldTVxUmdueTllYWsKLS0tIDAvNlhRQnFKSW5JT004WDFhSGEv + M0hKbWxuWjRlUWlRaHBQQUpkVlM4dTQKm4vPZTHMIfk79dTOO7mP9IZaJZbu3hx8 + J/y5xwUFVakqPaX144YZXjjStsjp6H71jE+z3EWeqvW3hwI8XAOv/w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0ZGFsenFjQkRBTCtsVXRI + VnpQZmVld0VFZ09hWTdlSjNzczA1T1VhWkZrCkpRUml1UFJrU2laQ1FEVi9USEg2 + 
Y3J5VlZCVG83UUh0bnRVbkZRVWVMMlUKLS0tIEl1VUFPQ3NvMm40clFTMHcwRzlC + dENsZ2ttbFI1aGdFYlZ0M1crZGlRek0KWF+sAOdOGf7GKkY3ZlfPkXGGDwSf89Lk + uvSkh+2Y9RIkQ7HRUvWxPBPi4vBUUhM7y5+lA8sNi+lLMzPyzVeKaQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:4LMhli417gbzauxvsx+cSA0VfCt5+dr1lsGdzVqNts/ELcCxlH2599V/xPdgZJYvbvY/AUDEVc6/7vodqtxsI9d99P9AD9IRaETqHkQ2RmPfyUHLJL8kgLdcql6zBdlZTpy05438Bs53sOQMWCcUmE2TohH9jlvmwpqCaRgfYf0=,iv:BkfHGIFAdlSIjdLvqOeaeoIkBaMQ5yXqYBFgGBrzMjk=,tag:7+vgwa89KxeXWNvfbiKSsg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/backupKey.yaml b/nixos/machines/kaalut/backupKey.yaml new file mode 100644 index 0000000..3727470 --- /dev/null +++ b/nixos/machines/kaalut/backupKey.yaml 
@@ -0,0 +1,48 @@ +backupKey: ENC[AES256_GCM,data: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,iv:ReA4k7S4F8NBE0VBCy9ks6YZJiubdUdP/AhEwc0kHaA=,tag:zagxPVYKQhf/tdK3tJFa2A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSGRWTEd6TVAzWjk2cHRn + Wkg1NlhxNXVYVXpDdnFiWmJSejE4SDhuZURFCklQWUFiaHZvbkZ1T21aZHNuME5x + NXN1ZHBoQzU4RUc3Y3lJVnMyRjluckUKLS0tIDRRVTdwcVplUFJmajkvWEZ0UlFJ + ZWpXTzI2NVhldnRrYnFybzErZXBQaVkK4hi/aksGcLlELTUPjJPoVR518z+Twt6l + RCFOnLsmsRu8/pigphbGMjOxYPsEsEpclU2vAobL1H3nPE/uKt4t/Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByN3BGN2IvdkhkcENJZEJD + OStNdWw2Q25hSXZHcDczRnRUd3h1ZGhDODA0Clo4cktoL2FUYmlkY2JJZFp6bkVS + WHdFeDZxSEU3a0RBMmI3cGk2N05hb0UKLS0tIDdDOElueDhPR1pxVEdmaTg3RVgz + eHVGak9sRkEydjdiam5QWHNpRG1hTnMKWqSIdNP6yMw6xoPqmK9Lss2Ztb72T7+l + bK4VYCnyuuQ24AhlVHLZdbRbk4Rvp2V7bCTWwTNamrRMJieLMZwt8g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNmtkRGlCTFYvdEJWZEhv + bXY5Z3ZibjRjQTV2c3R4OE1JSXBxeTN4Z0Y0CmU3aUVNN0NEeGgwOExvOFRDc2Jl + YlQ3dDJtQ1hvSHNFSzNyNGJMYklrRzAKLS0tIFB0Q21WU0hkOWxLajhRdlZaMGFN + OTYzMW9aMERGTVdXUnBZM0hxSzBWYTAK0k+pyltKHe6FfdYPqAQcax/u5r1JKP4q + C8qXIuAXY9FI4mV8xyuRZEIDr5A2y3hCCilieGr1KGkAwBZyZhQy4w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZStjM25VQnQ3Y2d3Skxs + K3k2NU5yeXUwT1F6SmNUVGpPVDUxeHdKZ0JJClFYcUIzazZ2R1BIbElWS3hCeHFK + 
cjFRY1pIL29YUktiR0t5bm5wT1JzZ1EKLS0tIFRPYi9veS9RZHhIRHNyZjZvL3JY + RTk1RE9GRitTMFFoUUQwOWtiTWRwMjQKkoA2wiTAholKq7ngDE/OWZKHjFbDg7WZ + efax0e0/riC3EEyvR3kIfjCenc2GBvVoaMgzD3Dra9Gz+3JpM11/+w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:yYBzhvg1g9GQk+Os6wkzNE3FyXIp7N2AnxuzPfexoA0aWXhYD2zQ7ylTiRGZLkbSODezXT0pD9sjYFN8yTXuY5HMIlCYSCPQGIUblZKRqB0EES3JyhQ4bULCMO7pXrsIuAICzoWM9vn7RQ9cVbL3N2rocYiSURhsGuMA47d3QFk=,iv:xS/am6/hLq2sQGB+vMzS6ZqmFr1ZOIDj1l6b56nVMhE=,tag:erNYX6U4/uSlSUBpN7kKiA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/configuration.nix b/nixos/machines/kaalut/configuration.nix new file mode 100644 index 0000000..82cb306 --- /dev/null +++ b/nixos/machines/kaalut/configuration.nix 
@@ -0,0 +1,100 @@ +{ + imports = [ + ./hardware-configuration.nix + ../../modules/mail.nix + ../../roles + ../../roles/vm.nix + ../../modules/vmNetwork.nix + ]; + + # System configuration here + services.mathebau-mail = { + enable = true; + domains = [ + # lists.mathebau.de is forwarded to another VM and does not need to be listed here. + { + domain = "matheball.de"; + allowlistPass = "/run/secrets/allowlistPassMatheball"; + } + { + domain = "mathebau.de"; + allowlistPass = "/run/secrets/allowlistPassMathebau"; + virt_aliases = "/run/secrets/mathebau.aliases"; + } + { + domain = "mathechor.de"; + allowlistPass = "/run/secrets/allowlistPassMathechor"; + virt_aliases = "/run/secrets/mathechor.aliases"; + } + { + domain = "koma89.tu-darmstadt.de"; + allowlistPass = "/run/secrets/allowlistPassKoMa"; + virt_aliases = "/run/secrets/koma.aliases"; + } + ]; + }; + + networking.hostName = "kaalut"; + vmNetwork.ipv4 = "192.168.0.17"; + system.stateVersion = "24.05"; + + sops.secrets = { + # Password for the HRZ API that gets a list of mailaddresses that we serve + allowlistPassMatheball = { + sopsFile = ./allowlistPassMatheball.yaml; + owner = "stalwart-mail"; + group = "stalwart-mail"; + mode = "0400"; + }; + allowlistPassMathebau = { + sopsFile = ./allowlistPassMathebau.yaml; + owner = "stalwart-mail"; + group = "stalwart-mail"; + mode = "0400"; + }; + allowlistPassMathechor = { + sopsFile = ./allowlistPassMathechor.yaml; + owner = "stalwart-mail"; + group = "stalwart-mail"; + mode = "0400"; + }; + allowlistPassKoMa = { + sopsFile = ./allowlistPassKoMa.yaml; + owner = "stalwart-mail"; + group = "stalwart-mail"; + mode = "0400"; + }; + # Virtual alias file + "mathebau.aliases" = { + sopsFile = ./mathebau.aliases.yaml; + owner = "stalwart-mail"; + group = "stalwart-mail"; + mode = "0440"; + }; + "mathechor.aliases" = { + sopsFile = ./mathechor.aliases.yaml; + owner = "stalwart-mail"; + group = "stalwart-mail"; + mode = "0440"; + }; + "koma.aliases" = { + sopsFile = 
./koma.aliases.yaml; + owner = "stalwart-mail"; + group = "stalwart-mail"; + mode = "0440"; + }; + # password for https://stalw.art/docs/auth/authorization/administrator/#fallback-administrator encoded to be supplied in the basic auth header + stalwartAdmin = { + sopsFile = ./stalwartAdmin.yaml; + owner = "stalwart-mail"; + group = "stalwart-mail"; + mode = "0400"; + }; + backupKey = { + sopsFile = ./backupKey.yaml; + owner = "root"; + group = "root"; + mode = "0400"; + }; + }; +} diff --git a/nixos/machines/kaalut/hardware-configuration.nix b/nixos/machines/kaalut/hardware-configuration.nix new file mode 100644 index 0000000..ce7112d --- /dev/null +++ b/nixos/machines/kaalut/hardware-configuration.nix @@ -0,0 +1,30 @@ +{ + lib, + pkgs, + ... +}: { + imports = []; + + fileSystems."/" = { + device = "root"; + fsType = "tmpfs"; + options = ["size=1G" "mode=755"]; + }; + fileSystems."/persist" = { + device = "/dev/disk/by-label/nixos"; + fsType = "btrfs"; + options = ["subvol=persist"]; + neededForBoot = true; + }; + fileSystems."/boot" = { + device = "/dev/disk/by-label/boot"; + fsType = "ext4"; + }; + fileSystems."/nix" = { + device = "/dev/disk/by-label/nixos"; + fsType = "btrfs"; + options = ["subvol=nix"]; + }; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/nixos/machines/kaalut/koma.aliases.yaml b/nixos/machines/kaalut/koma.aliases.yaml new file mode 100644 index 0000000..9c2b1bd --- /dev/null +++ b/nixos/machines/kaalut/koma.aliases.yaml 
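Review bot: The comment `# Password for the HRZ API that gets a list of mailaddresses that we serve` sits only above `allowlistPassMatheball` although it describes all four `allowlistPass*` entries; moving it above the group, or rewording it to `# Passwords for the HRZ API that lists the addresses we serve, one per domain`, makes the intent clear at a glance. The alias files are declared `0440` while the passwords are `0400`, yet both sets appear to be consumed by services running as `stalwart-mail` (the allowlist and alias-generator units in nixos/modules/mail.nix of this series), so the group-read bit looks unused; if nothing in the `stalwart-mail` group needs it, `mode = "0400";` is consistent and tighter, and otherwise a one-line comment on who reads them via the group would help the next reader.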
@@ -0,0 +1,48 @@ +koma.aliases: ENC[AES256_GCM,data:YXHv59u9hHbkXH9s8CbDmP1adthMLiU3ijCIg/yBfXvwtzWUY45un3D/iP8aIEB31PkfVtmTYcbsrJRU5brPgtev28U9DsTc1UrLdUW7YyAgo8xN0nyte6Qxdv9OfUVmwTg4tY9Tv7WmjgpXuIx2sRglfn42X3S4tVAmqzYNrg==,iv:3PM0wfq4lFG1bV607cGkZ6QgznRk8iLMQ55M/BMMJAg=,tag:npKbdQ4esykcjMcYEVHR5Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBS283ZTdKVTVLaDRDV1N5 + SGhJQjJWdXJzc1l5OWtCWVdueTJMdjZpUjJzCmtUZFRYR0JXTW15Z0NyMktEbW5w + dkk1TjF0dVQ3MlFhNUFTbU0vMFdySWcKLS0tIDZPQmxSVGYzT2dDM244ek95dk9n + SnhtQWJic3B2YTM1ZlE3SHVRSjl1YVkKgUXW7JW3WSM5EusBoxQMsBRGwIqqi7Lo + DgWLq/P1rruuqRAS8hl4cht3jz6PlCJgVh2xpaM/kfkFS8ZuhVFw4g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdmcyM3hSUFdlM25UUndu + RUhzdEhsakdEdytBUGRyRTFXRzdYK2RBR0dnCmJqOTlvYkZkeld3eDYvRmRmUU5u + aHArR0FkZWRtT0hoNTZpS1JmaTRHencKLS0tIGVVSWN0NWQyQWdrcXdQUnQxUjdu + MWFZWVQ3RmZZS3FnRkJPdDRrOTZrWG8KVgFqfeBLw5gTBKugfnC4a5OLwOhosSgy + 3hXbGMrJiBDwOS+70H3L+IwiNSoJ6mL+ufShCTq8wER2L9GTteI8gg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzamM5TDVQM0hnZklsbncx + SlBMM0NpcnBBai94czV5WE1Md21EeE1kVXpFClpDVTRqYm5rWFhjVjRPQm1IVWxW + WTNlZFo4Y3VVNjZhckZ0RFVlQlV0OEEKLS0tIGJOR3k0OUorYTNXL01KQWJBUzVD + V0xidWR0SnBDM01hRlkrTlY4eEIrc1EK1Hye/jrQebkEDQ8muJpgHqBLefjnEJPF + GxdANetJLuZeeiOUjaUcbP6tecqZpiWN8fFEXrjNL4vnrHvJ+bR1aA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqQURCeGJBYytCdlhrWjF5 + c1ZrbEFENDF5bTNMaE52SE5CS1dVdWJCNlFzClZtK1QxOWY0dEVRRWY4MEtlZ1N1 + eGlaYXVLMUJiUi9FckdNcllBRCt4cmMKLS0tIEZuOTZQTm9vWHQ4Y3Z6RVloT0VL + OW5ZQWIvU2x1OEN6OW84K0dqRmhGNUUKOA3ugnG/ZD7m1DKrFjpZ8opPnjPtLaQx + t8qgGuQIoX6KeUb+YybRAOAPPzl51/m9GSUB43Eanm/tVJpdaew7/g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:L29+n5e38RVgVT71y96EbrboHZigbCUvv1gZ+uTWEchOmB8+pgamKhF/m3mpI1iauKtkNlkcS7NbtsEhbLumEHAibJ1H2EZdbWKB53m0RZMCWdZKV+49DenLjROljWMC+mXs0zIir+ts3mhD3ORhQZVBgs/svfkgIyPkcl0wHaE=,iv:ipUpydj18/fgFgwoD0NDjmwLXM+vfkC85I3uvmG9GLE=,tag:sA1UVTquN7cbWAMh9vF5cg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/mathebau.aliases.yaml b/nixos/machines/kaalut/mathebau.aliases.yaml new file mode 100644 index 0000000..57f20a9 --- /dev/null +++ b/nixos/machines/kaalut/mathebau.aliases.yaml 
@@ -0,0 +1,48 @@ +mathebau.aliases: ENC[AES256_GCM,data:,iv:+PtXcxSjm3145ES8+6zexVmn2Hizwo6I5eOS/9RA2DI=,tag:vk/beGSoGSxykzD5/bsJXQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzQmE1dlVQSi9MRzZ1WGpR + dFYzZU8rR1V1VnQzUHB0VnFOckpIL2tvMzB3CnpXQXk0S0JNSkpNN0FMclBOdjFy + cFZYTjcrN2djbzBkZUFmNCtXS3lRM0EKLS0tIFB2V2FoMU5rZzlxQW5SSHhlZkNx + c1BCVEV4dEU4aE5YeDZMRlFyVHYyQ1EK+znjkJ/JuE5VgYUpkCfDCZV5mFmSXUxU + MtByksmGshA8oyk0SH6B+qg07yDh+jRn4gtvnTxxudtqcVf5EX0vcg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0MUhyeCs3Qjl6RmIwVHN1 + cHBQMFEvQU1ZTFE0d0lESXgya3FZRW01cjJJCnNPNGgrVmhYeWhlOTZMYjdyd0Fm + QzJwQ25IOUJOeXpxbC85YlJlTElia00KLS0tIHdHL20yakxaNy9CZmUyaHVUSmxZ + SkZhM3ByQ2o3a0pVZnV2M2lob2xRU1UK14PKZz5blclSkUVJwUFm+A9G5nPD0U0h + AH2kt/kdSxj+0I6uWrD+0KHh8KA0Tgp9Auyv/UF1dB9MoiuQPG15vg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrOVFHcloyYW5OK2d1eXJt + NWxLWitrUWdwd0J6R1phaFA1Z2FUV0ROdFhNClg4bG5WSW8zWTdsWGhQUGFySS8w + UFpjK3dzYjdPVTNsbFg0YVl0UnQ3WmMKLS0tIFhBODRqK25TVWpabTVteTRtSURO + NTdYNkFuSm9xVi9QME5DMkRqOUpJYk0KK0e8LjmPqPQD1FzXyAuoUY1d8u//WHvT + S4ijZF8udwPzKTIHd5OiQVfCdmVughKmmRwQEHdFC69fjn6wOqLJhw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUa2VYR0RZa0pOSFljVzgz + TS9aRW9OZ2hEV3pWbncyNlp2c0REZk1GRndvClk5U3l5b0dlcktkRXZBa3VPaWpU + ZmVuS3UwV3RmbzdQWC9qYXpCNnJpODQKLS0tIGNabjdpYXp4d2VyMEcxSXhHdGNr + 
Y21YcmlWTkJDRUh3czJEUWVGaG44cXMKoibsYSOYv329WNzktBVJ18aGAMXCxz3B + c9938x3U7BCsSatnNch/cTbxPFYt8GhgAXXZb8/vsT9URH+9/K2iuA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:28fB2H6tdToWcVoGFHYRgSMeLwTVj66lESwITzhIkXnZK/5sLdJA+JS/gw58IhxXoO5oUsRgsB+mbfx6IKd5NuU8oJvJhOJi6kkR796gb09pNww/2zlssCck2SmHOJBpPXSZWl6MLRt5pMoU3nCPjESE7GTSBro7MO6n8Ycn8Uo=,iv:JssdLAzR5tv5n1dTpy/nRoOHYZ9Svy67uBPQk4vFLXI=,tag:wuUZqFXXdjdsSbMWIGFv7Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/mathechor.aliases.yaml b/nixos/machines/kaalut/mathechor.aliases.yaml new file mode 100644 index 0000000..55872b1 --- /dev/null +++ b/nixos/machines/kaalut/mathechor.aliases.yaml 
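Review bot: The `mathebau.aliases` value is encrypted with an empty `data:` field, i.e. the decrypted alias file is empty, while kaalut's configuration.nix in this series passes it as `virt_aliases` for `mathebau.de` and the generator service builds the redirect script from it. If no mathebau.de redirects are intended yet, a short note next to that secret in configuration.nix (`# currently empty: no mathebau.de redirects yet`) would keep the next reader from suspecting a decryption problem; otherwise the file looks like it was committed before its content was added.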
@@ -0,0 +1,48 @@ +mathechor.aliases: ENC[AES256_GCM,data:VKEGY6KVtgKApnV7N2e2cqy9erDWQ2fb88Gwcpp5th/t0VGp16KGDtGiuQXhY80j6dDIcQMd9bLHzqAzc4+i/WhmEPhiXUkGiEKuarMfvqNl1LBlXFCoIrUXMMSIqab9q+fE3ignVQapE/YZt9aniyvg1prcmBcwIy9rDoHkiTY006ux5CM+vX0F60ADX8Nf6Qmn/JncPxXgq2jYsBxjXPj7BwJaair/+nxrbVf0,iv:Elj1NDeR1fdIIjIbjvkV3BmcVAKjwdMfknuNxMXJsa4=,tag:AkXWQ8sTMLsd7a+MfRcF/w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjMlRsWnkrREVaQitsWHMy + WHZFVG1qN25QbWFHcUxNS1Z0SFRDd1oxeG5RCi8wNUhkeWh2VjI4ZGowM1ExaExh + SE1yVGFTUHZadUdDL3pxaGdKTHQ0VTgKLS0tIHVNM2xlOFNNS3dFalJqZUtPODRn + b2NOTHpXSUVyaFRJNG5ONCt0TTVjOEkKYld7KN995QxdrGBVRYgCxO7kGwsiq+cp + iQJTjMdoFygIrTkgE5Rj89/GCiVe0+yAWJuQF7PEnC3cyq0M1g+fzw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPRFJCeXhwQVFSWmgzNHBu + SHlTTGtiRkI5bmhKa1B0QTZMY3FERmlUd0FBCk1vOUpydEFZUExpR2hpWm9mRHpE + dk9MQ042K0FpSVJ3dUlQcktGT2k1VjAKLS0tIHpGRmwzNE01YkV1TW94RkNmMjN4 + YnNXZUlta3NMVW9Cc3V2T0t4R01RSlkKNTW3gnF49BuPwF3jwciOYThJe+gJa0a6 + WKYt+aJuHi0a4y5rS/wfttij+hS5vYVNOrgfJ5bGinkNuAygA2hMOg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6MjZOR1dwb3RjZnlNNW4v + SzJnT1BRVktWNDI5S2Z2NnhQQzdNeS9ralI0CnN0SU9ESEV3ZCtRQmpZK3VZOGYx + Y3FVUy9zY3RZcGxyVmttVzFJL1haYWsKLS0tIENGRW1KZkpUdldOZWgzSXVoenpX + dTVpNUpWallSTzJ3cEZJTXk3c2t1czgKzJCwhMspzAsjzwSRdSPUoseEAsKp8HFy + cL9if92ar68HMHTdoy0Zvy+5AbxKUxgXZ2t8cDgkL8bNG5Ri2xYaUA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + 
-----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNm5xUGkrK1dYd2ZtamFW + NXpNMEtvNTl3U3MzeVNSbVJOdGdlWGsxRHlZCllQVmNtYzBJNDc2Y0dmUlNsbTF5 + RHB4QWZ1VGNFVkx1Q0hNK3FDTTRrUlkKLS0tIG9hbldDeHk0YmVZV2IwMXNpYStU + Q29uVHBCb2pTeWVJVmVXbWpycnFneWMKnDmu5917dddV8vjO0L8OP3wXMjDi46Ro + b9eOY8l74jm4sTxyKNvnkEjD6iHn1t7f8J7HAbWrpZY+J0i77nrzQw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T09:05:51Z" + mac: ENC[AES256_GCM,data:Xnulo0681LtgH9SZt9DL3nd9bSDH+TCQDvbKdggVBJ66rxBiKmlbu5MAblAWqxbdZ6EelldaVeX9OaL2rYJoYbTWxzw2iuPieldp3Ah3PsTI2C8W+UD9KVHcB+3AMOmVmJZzFlZvTwyfPfZRNNb0HAijkN97P3fP0r1Iqf3YjiI=,iv:vhu38HM4e+PyyChXvI87LWSGtKQQiXUr4MKrI7kotzk=,tag:eNuQD74kUO+duqEXNbLJBw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/machines/kaalut/stalwartAdmin.yaml b/nixos/machines/kaalut/stalwartAdmin.yaml new file mode 100644 index 0000000..9fb24d8 --- /dev/null +++ b/nixos/machines/kaalut/stalwartAdmin.yaml 
@@ -0,0 +1,48 @@ +stalwartAdmin: ENC[AES256_GCM,data:4vpvxtFa2KiF3ojl+cw3ic/MI7UM9JQCQn76bidYvbW31zgF,iv:DtLAi68oQRf3U69uFK0Cz4qHMkxM6NnB3lVYft/DtqQ=,tag:HYm2mdpTuXNHdQIv2Rkwig==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxcTRqZXRoNTJCdFhQUG9o + Qmx2cVl0TWdaQzZZUThTOEpQdjIxVFh3eHhzCjlHWHhSYmM1ajYrdjl3Nm90TkRh + YWE3c0hJYzdFWXpZUGI0cHBQdThSWWsKLS0tIFh5M20wV2ZZbzllS1BNOGtaRUVF + MFN3bENrZ0tDMllJM1E5MWkyZ2thZEkKfZlUzE5t8K0oHZYOSVItvRJZP2MJlA7N + SLozGlpwCoZKWP6qAqP5jisTG/npQRhcqwkd7P39EytO2HXU9m8sJA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkVldRVmtPUzFxV0ltK0d2 + SHRqbXZCTW5wZUtZM0ZkL3lXOEJmVXdjMXdZCjE5MUUrSEhnWHRSOVhtWWQxdndv + ckUzTFl4ZXM5VHBTRlY3SzVsZWpxNUEKLS0tIEtpbTBhaWR1c3RhSW5nclZvMTdO + eTBYL1Q5cXNvTGkvQzJMWHZHaEZseVUK5w2MPZMquT0luq+tl2owLrrSBx9KPskS + FupcAZTcCo+YsemKLjJ6GlHch5x8Mw98NHS5h1AKxwZYtcfwg3lfbQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUitNeHNWOTVjWkF4YWhB + MnEwWDFnT0wyNUx3VmlQMmZTRmZRbXBGOVFvCmpoOHZZSXRweUtZaHZ6azF2Q3dK + NFBwa242U3JSVjhtOUlRTUZuakhkcXcKLS0tIEN5TGhMRFphdEpvcU5zTmVlTTJN + d2JRc2p4YmpuUHAycUoxc1FuZmxhemcKOgGyieFVS57tsvUtVooahqswYZH0Fi6+ + jxM6Ga/tIM/bZ/qSwYrNlNiz0XHm8/XFH2s8sxypDZ+NHGLs3zGjsw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBERTdvSTZ3eEVNbEZpUnQ2 + ZC85blRQVzgrckljcnZPeVhZWUxGd01tankwCjBCZHdWRnpoZkdRQWdoK0VmOFVy + 
VmpiOFkvNisrWmp2NE1kalB4dUhzdWsKLS0tIEJ6T1FsTFlIMUVWd3FwbEtldmlC + UjFHWHNZci8zRlFXNVpNNk5oSUNvaTQKW9T88GflSysJwqMnBrc/jZVwL/fRdg2a + 5XysXb/dCo4uNxLQit/KNSpINj7rAkf4Pk819DO6SKiIiuIJDXw9cA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-23T11:43:23Z" + mac: ENC[AES256_GCM,data:GZ1Q67n43WU3fDQd6SGsD2EZgoaq1mzh5biy42cx6FQWlveK5lhb0F2HUuWWv5zSHKpslEPD6odvkQmMNCRY8NsvT3+KBAnHHU0aHzM9AEV27cDL4x6oBvO52EMxsNCMm+fXPD1CubQxfbfvx/aIuqb1sovgKGgwf4u6yqIrHJ0=,iv:ExX+ySMXhF/c1w2IP7y8mdlcy8W9Zxiy6X67b2f4AeY=,tag:shxQJdaW3HsG6sNY+zDNCA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/modules/borgbackup.nix b/nixos/modules/borgbackup.nix index b552c8b..9889238 100644 --- a/nixos/modules/borgbackup.nix +++ b/nixos/modules/borgbackup.nix @@ -76,6 +76,13 @@ in { path = "/var/lib/backups/ithaqua"; allowSubRepos = true; }; + kaalut = { + authorizedKeysAppendOnly = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcAJkEXcvrDEQf1zRhBXLe1CSHOTooM3qy0KMfS9oug Kaalut Backup" + ]; + path = "/var/lib/backups/kaalut"; + allowSubRepos = true; + }; lobon = { authorizedKeysAppendOnly = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEptjf1UWRlo6DG9alAIRwkSDUAVHwDKkHC6/DeYKzi Lobon Backup" diff --git a/nixos/modules/mail.nix b/nixos/modules/mail.nix new file mode 100644 index 0000000..d024b62 --- /dev/null +++ b/nixos/modules/mail.nix 
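Review bot: The new `kaalut` repository entry restricts the append-only key to `/var/lib/backups/kaalut`, but the backup job added in nixos/modules/mail.nix in the same series connects to `borg@192.168.1.11:kaluut`; unless that spelling is deliberate the client request will not match the restricted path and the job will fail on first run. The `# TODO` on that line suggests the target is still unsettled, so aligning the two now (`repo = "borg@192.168.1.11:kaalut";`) avoids debugging it after deployment.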
@@ -0,0 +1,301 @@ +/* +* Building: For some reason, stalwart is not served by cache.nixos.org and thus needs to be built locally. +* Be aware that this needs some hours, about 12Gb RAM and a few Gb free space in /tmp. +* Forwarding mails: Update the Sops-secrets in the machine directory, rebuild and deploy. +* Everything else should happen automatically but new redirects might take up to two hours due HRZ infrastructure. +* Using the web admin interface: Set your SSH to do portforwarding of some local port to port 80 of the VM and +* and use your personal admin account or create one using the fallback admin password. +* Create users with mail boxes: Go to the admin interface and create them. +* Stalwart mailserver docs can be found at https://stalw.art/docs +* DNS-Records: Collect the right DNS entries from the management interface and copy them to the DNS hoster. Caution: +* Not all entries are applicable since we relay via HRZ. +*/ +{ + config, + lib, + pkgs, + ... +}: let + inherit + (lib) + mkIf + mkEnableOption + mkOption + ; + inherit (lib.types) listOf str; + cfg = config.services.mathebau-mail; +in { + options.services.mathebau-mail = { + enable = mkEnableOption "mathebau mail service"; + domains = mkOption { + type = listOf (lib.types.submodule { + options = { + domain = mkOption { + type = str; + }; + allowlistPass = mkOption { + # Password for the HRZ API that gets a list of mailaddresses that we serve + type = str; + }; + virt_aliases = mkOption { + type = str; + default = ""; + }; + }; + }); + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [pkgs.alias-to-sieve]; # install converter from alias files to sieve scripts + + services = { + stalwart-mail = { + enable = true; + openFirewall = true; + settings = { + server = { + lookup.default.hostname = "fb04184.mathematik.tu-darmstadt.de"; # Because the DNS PTR of 130.83.2.184 is this and this should be used in SMTP EHLO. 
+ listener = { + "smtp" = { + bind = ["[::]:25"]; + protocol = "smtp"; + }; + "submissions" = { + # Enabling sending from these domains privately blocked on https://github.com/stalwartlabs/mail-server/issues/618 + bind = ["[::]:465"]; + protocol = "smtp"; + tls.implicit = true; + }; + "imaptls" = { + bind = ["[::]:993"]; + protocol = "imap"; + tls.implicit = true; + }; + "management" = { + bind = ["[::]:80"]; # This must also bind publically for ACME to work. + protocol = "http"; + }; + }; + }; + acme.letsencrypt = { + directory = "https://acme-v02.api.letsencrypt.org/directory"; # This setting is necessary for this block to be activated + challenge = "http-01"; + contact = ["root@mathebau.de"]; + domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"]; + default = true; + }; + spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding + auth = { + # TODO check if HRZ conforms to these standards and we can validate them strictly + dkim.verify = "relaxed"; + arc.verify = "relaxed"; + dmarc.verify = "relaxed"; + iprev.verify = "relaxed"; + spf.verify.ehlo = "relaxed"; + spf.verify.mail-from = "relaxed"; + }; + + # Forward outgoing mail to HRZ or mail VMs. + # see https://stalw.art/docs/smtp/outbound/routing/ relay host example + queue.outbound = { + next-hop = [ + { + "if" = "rcpt_domain = 'lists.mathebau.de'"; + "then" = "'mailman'"; + } + { + "if" = "is_local_domain('', rcpt_domain)"; + "then" = "'local'"; + } + {"else" = "'hrz'";} + ]; + tls = { + mta-sts = "disable"; + dane = "disable"; + starttls = "optional"; # e.g. Lobon does not offer starttls + }; + }; + remote."hrz" = { + address = "mailout.hrz.tu-darmstadt.de"; + port = 25; + protocol = "smtp"; + tls.implicit = false; # somehow this is needed here + }; + remote."mailman" = { + address = "lobon.mathebau.de"; # must be created in DNS as a MX record because this field does not accept ip addresses. 
+ port = 25; + protocol = "smtp"; + tls.implicit = false; # somehow this is needed here + }; + + session.rcpt = { + # In order to accept mail that we only forward + # without having to generate an account. + # Invalid addresses are filtered by DFN beforehand. + catch-all = true; + relay = [ + { + "if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de'"; + "then" = true; + } + {"else" = false;} + ]; + }; + config.local-keys = + [ + "store.*" + "directory.*" + "tracer.*" + "server.*" + "!server.blocked-ip.*" + "authentication.fallback-admin.*" + "cluster.node-id" + "storage.data" + "storage.blob" + "storage.lookup" + "storage.fts" + "storage.directory" + "lookup.default.hostname" + "certificate.*" + ] # the default ones + ++ ["sieve.trusted.scripts.*"]; #for macros to be able to include our redirection script + sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script + session.data.script = "'redirects'"; + + authentication.fallback-admin = { + user = "admin"; + secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg"; # see machine secret for plaintext + }; + tracer.stdout.level = "debug"; + }; + }; + }; + environment.persistence.${config.impermanence.name} = { + directories = [ + "/var/lib/stalwart-mail" + ]; + files = ["/root/.ssh/known_hosts"]; # for the backup server bragi + }; + + # Update HRZ allowlist + # For account details see https://www-cgi.hrz.tu-darmstadt.de/mail/ + # will stop working if no valid TUIDs are associated to our domain. 
+ systemd = { + timers."mailAllowlist" = { + wantedBy = ["timers.target"]; + timerConfig = { + OnBootSec = "1h"; # Run every hour + OnUnitActiveSec = "1h"; + RandomizedDelaySec = "10m"; # prevent overload on regular intervals + Unit = "mailAllowlist.service"; + }; + }; + services = { + "mailAllowlist" = { + description = "Allowlist update: Post the mail addresses to the HRZ allowllist"; + script = let + scriptTemplate = { + domain, + allowlistPass, + ... + }: '' + echo "process ${domain}" + # Get the mail addresses' local-part + ${pkgs.curl}/bin/curl -s --header "authorization: Basic $(> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need. + # Post local-parts to HRZ + ${pkgs.curl}/bin/curl -s https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${domain} -F password=$(cat ${allowlistPass}) -F emailliste=@/tmp/addresses -F meldungen=voll + # Cleanup + rm /tmp/addresses + ''; + in + lib.strings.concatStringsSep "" (map scriptTemplate cfg.domains); + serviceConfig = { + Type = "oneshot"; + User = "stalwart-mail"; + NoNewPrivileges = true; + # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html + PrivateTmp = false; # allow access to sieve script + ProtectHome = true; + ReadOnlyPaths = "/"; + ReadWritePaths = "/tmp"; + InaccessiblePaths = "-/lost+found"; + PrivateDevices = true; + PrivateUsers = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + }; + }; + "stalwart-mail" = { + restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed. 
+ serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script + }; + "virt-aliases-generator" = { + description = "Virtual Aliases Generator: Generate a sieve script from the virtual alias file"; + script = let + scriptTemplate = { + domain, + virt_aliases, + ... + }: + if virt_aliases != "" + then "${virt_aliases} ${domain} " + else ""; + in + lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map scriptTemplate cfg.domains ++ ["> /tmp/virt_aliases"]); + wantedBy = ["stalwart-mail.service"]; # Rerun on stalwart restart because forwardings may have changed. + serviceConfig = { + Type = "oneshot"; + User = "stalwart-mail"; + NoNewPrivileges = true; + # See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html + PrivateTmp = false; + ProtectHome = true; + ReadOnlyPaths = "/"; + ReadWritePaths = "/tmp"; + InaccessiblePaths = "-/lost+found"; + PrivateDevices = true; + PrivateUsers = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + }; + }; + }; + }; + # Backups + services.borgbackup.jobs.mail = { + paths = [ + "/var/lib/stalwart-mail/data" + ]; + encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction. + environment = { + BORG_RSH = "ssh -i /run/secrets/backupKey"; + # “Borg ensures that backups are not created on random drives that ‘just happen’ to contain a Borg repository.” + # https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html + # We don't want this in order to not need to persist borg cache and simplify new deployments. 
+ BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes"; + }; + repo = "borg@192.168.1.11:kaluut"; # TODO for https://gitea.mathebau.de/Fachschaft/nixConfig/issues/33 + startAt = "daily"; + user = "root"; + group = "root"; + }; + }; +} From 43016d852d08a11c007f20cf2406f8078f0f9ec5 Mon Sep 17 00:00:00 2001 From: Gonne Date: Sat, 14 Dec 2024 17:31:31 +0100 Subject: [PATCH 6/8] Address first round of review --- flake.lock | 53 ------------- flake.nix | 7 -- ...owlistPassKoMa.yaml => allowlistPass.yaml} | 12 ++- .../kaalut/allowlistPassMatheball.yaml | 48 ------------ .../kaalut/allowlistPassMathebau.yaml | 48 ------------ .../kaalut/allowlistPassMathechor.yaml | 48 ------------ nixos/machines/kaalut/configuration.nix | 56 ++++++-------- nixos/machines/kaalut/mathebau.aliases.yaml | 8 +- nixos/modules/mail.nix | 75 +++++++++++-------- nixos/modules/mailman.nix | 8 +- 10 files changed, 83 insertions(+), 280 deletions(-) rename nixos/machines/kaalut/{allowlistPassKoMa.yaml => allowlistPass.yaml} (72%) delete mode 100644 nixos/machines/kaalut/allowlistPassMatheball.yaml delete mode 100644 nixos/machines/kaalut/allowlistPassMathebau.yaml delete mode 100644 nixos/machines/kaalut/allowlistPassMathechor.yaml diff --git a/flake.lock b/flake.lock index 728f1ae..d49ea69 100644 --- a/flake.lock +++ b/flake.lock @@ -20,22 +20,6 @@ "url": "https://gitea.mathebau.de/fachschaft/alias_to_sieve" } }, - "blobs": { - "flake": false, - "locked": { - "lastModified": 1604995301, - "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", - "owner": "simple-nixos-mailserver", - "repo": "blobs", - "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", - "type": "gitlab" - }, - "original": { - "owner": "simple-nixos-mailserver", - "repo": "blobs", - "type": "gitlab" - } - }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" 
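Review bot: Both helper units and the stalwart-mail service are pointed at world-writable `/tmp` for the generated trusted Sieve script (`sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"`, the generator's `> /tmp/virt_aliases`) and for the address list (`/tmp/addresses`), and `PrivateTmp = false` plus the `lib.mkForce false` override exist precisely so those paths are shared; any local account on the VM can pre-create or replace these files, and the redirects script is executed as a trusted Sieve script, so the rewrite target should be a directory owned by `stalwart-mail`. Writing into the already-persisted state directory (`> /var/lib/stalwart-mail/virt_aliases`, `%{file:/var/lib/stalwart-mail/virt_aliases}%`, with `ReadWritePaths = "/var/lib/stalwart-mail";` on the generator) lets all three `PrivateTmp` overrides go away. In the mailAllowlist script `-F password=$(cat ${allowlistPass})` puts the HRZ password on curl's command line, where it is readable through `/proc/*/cmdline` by every local user for the duration of the upload; `-F password=<${allowlistPass}` makes curl read the value from the file itself. The `authentication.fallback-admin.secret` argon2 hash lands in the world-readable Nix store where it can be attacked offline; the same `%{file:...}%` mechanism already used for the Sieve script should let the hash be supplied from a sops-managed file instead, which the `# see machine secret for plaintext` comment half-suggests. `tracer.stdout.level = "debug"` reads like a bring-up setting; it is worth confirming before this lands that debug tracing does not write authentication material into the journal.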
@@ -86,27 +70,6 @@ "type": "github" } }, - "nixos-mailserver": { - "inputs": { - "blobs": "blobs", - "flake-compat": [], - "nixpkgs": [], - "nixpkgs-24_05": "nixpkgs-24_05" - }, - "locked": { - "lastModified": 1722877200, - "narHash": "sha256-qgKDNJXs+od+1UbRy62uk7dYal3h98I4WojfIqMoGcg=", - "ref": "refs/heads/master", - "rev": "af7d3bf5daeba3fc28089b015c0dd43f06b176f2", - "revCount": 593, - "type": "git", - "url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git" - }, - "original": { - "type": "git", - "url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git" - } - }, "nixpkgs": { "locked": { "lastModified": 1732014248, @@ -123,21 +86,6 @@ "type": "github" } }, - "nixpkgs-24_05": { - "locked": { - "lastModified": 1717144377, - "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "805a384895c696f802a9bf5bf4720f37385df547", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "ref": "nixos-24.05", - "type": "indirect" - } - }, "nixpkgs-lib": { "locked": { "lastModified": 1730504152, @@ -220,7 +168,6 @@ "alias-to-sieve": "alias-to-sieve", "flake-parts": "flake-parts_2", "impermanence": "impermanence", - "nixos-mailserver": "nixos-mailserver", "nixpkgs": "nixpkgs_3", "pre-commit-hooks": "pre-commit-hooks", "sops-nix": "sops-nix" diff --git a/flake.nix b/flake.nix index 2e6f161..e8ecd99 100644 --- a/flake.nix +++ b/flake.nix @@ -6,13 +6,6 @@ url = "git+https://gitea.mathebau.de/fachschaft/alias_to_sieve"; }; nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - nixos-mailserver = { - url = "git+https://gitlab.com/simple-nixos-mailserver/nixos-mailserver.git"; - inputs = { - flake-compat.follows = ""; - nixpkgs.follows = ""; - }; - }; sops-nix = { url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; 
diff --git a/nixos/machines/kaalut/allowlistPassKoMa.yaml b/nixos/machines/kaalut/allowlistPass.yaml similarity index 72% rename from nixos/machines/kaalut/allowlistPassKoMa.yaml rename to nixos/machines/kaalut/allowlistPass.yaml index 826123a..4d60823 100644 --- a/nixos/machines/kaalut/allowlistPassKoMa.yaml +++ b/nixos/machines/kaalut/allowlistPass.yaml @@ -1,4 +1,8 @@ -allowlistPassKoMa: ENC[AES256_GCM,data:TGFyk/kVc5+EFtjJXUVTNEk=,iv:QQDiOK81JDQXnuzgrcDHVtu+Pm2Ki7H2sEBuNMSKY9U=,tag:mgd/jPMl7fjl+dH6d2sKTg==,type:str] +allowlistPass: + matheball: ENC[AES256_GCM,data:4y83ZJ4=,iv:+B1hTSGs5cskmUA9gLpRHPjhxzvwOrplB+lIbNUKtz4=,tag:ZsKA2A4ltbI3px1Z16EgvA==,type:str] + mathebau: ENC[AES256_GCM,data:ZlIv0MrCVtsyF3t9Gr/zcg==,iv:ZdBlnx4/zQZjT75ssB0osfDlWVerUe6yvwbMxlXpHZs=,tag:ytlNq7zP2WtPafcSQFZ6RQ==,type:str] + mathechor: ENC[AES256_GCM,data:d5KyoD/P8/j+poJSGF1nDA==,iv:ayKtvj4EEqUtMLi/7njbxuUql1A58WNi729svHtZju4=,tag:JqWoxxMN5mVN+gaQTmBv1Q==,type:str] + koma: ENC[AES256_GCM,data:bB7px1n5q1+++sctsmIMJg==,iv:DIJGpC9+JyFv3SU9dBVLdnEkRlZzY7DBRAL4zXSbpec=,tag:WaZUGvYtm+5ys2RsBNILog==,type:str] sops: kms: [] gcp_kms: [] 
@@ -41,8 +45,8 @@ sops: bDdvdHc3Y1NmeE5WUzl3cXVRc3pmOUkK+9WueS1wDQDJlenec4jJCfynbPnuOFYR HFsWmvEZJ+XhH6N9Q0phCHQgZGiR67FH6CHkCblmb6ZfZcWSEe1oTg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-23T09:05:51Z" - mac: ENC[AES256_GCM,data:/OUhbhrO36jEdQUc2+fPfYc13Qezbedo534r+dtULWNR3upzIkP1EnZmTe//TQcKe6GYE/AIWOCIdmfj5+TdXZfoFGZ4YjjFof2HYvDjNKHq7m0F5PFmmzNNkpzUdwHBj5N1usPRoPbsYIpfV74AUJJEeBSTpE76vIATNuE21Js=,iv:Rnh+uIDOPW0vdHPhjqyce9xl7MtURMTrp9kYoWZ6zOA=,tag:jONUKe1pXReqHjtnqCOTjw==,type:str] + lastmodified: "2025-01-05T13:49:19Z" + mac: ENC[AES256_GCM,data:i7t/Hb5aW0lIvPLk84geQ792uUGP25vX8FC7kK/3H19tz5i4zsIcvl1d+oB5gJ004gP5pRogcuKL1xHUUl+A0UXXNzRpxc0BBVZaxnIhjfPunORbmZeJQRP298tQpvYYqI/pGhjrlit37U9jecGf1l12Cgv97sGW42d2F+S2Soc=,iv:My21fMF3SEr6mg2+eh8KA6B8tzmQVEDy2BG3hfkafrU=,tag:xdU6j8ti8Z68rbiRxkj7Pw==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.9.2 diff --git a/nixos/machines/kaalut/allowlistPassMatheball.yaml b/nixos/machines/kaalut/allowlistPassMatheball.yaml deleted file mode 100644 index 46c9791..0000000 --- a/nixos/machines/kaalut/allowlistPassMatheball.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -allowlistPassMatheball: ENC[AES256_GCM,data:cnYmhQ+2sNMR,iv:hSn9JbDce2NZdzptY1Miik4+VFh0i6ehQAGxcd9dJWg=,tag:XI1bE6Z84ppIxPYOasNO/w==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHS2ZFM3JQcGx4VFo2M1Fy - T3pnNFg5dEhiaEI4SkNFbDNmV0Y4cDZHa0ZJCjd2SmRwMWtod2pxbEZkY2ZhbWhT - cEFJVHVyU2R0dncvekNFdzNpODlCMDgKLS0tIDRLSGFISXpXMUlzdGdDK1pBb3JX - N3RJVUpsdFZySTVWYlkwbStCaWVRZzgKInXWOMB5LX87zIKcdllGcOBc1CJHcSWP - htTOydt1XQGlZ809yT1Ovnsenk7SIFrtUGCgpSvju4C68FyS8fgJKQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDdk1qdTBZRWYvMFgyZ3NN - QkZpb3BjSnVqRFJzeElCYVp1NDlyQitITGp3ClRtbVhBQnFvU0t5cUZGK0MveExJ - c1RtT2lRZm4ybkgxQ2VmV290SFRId1UKLS0tIEttRFFqTWJHbW54MUxCMHZ2NVA5 - NkFnM3R4eTEvdm85TzE5WFJLUTZMclUKpyGsJAAlqRagy13dH3AyeNi9v3oP8R6C - UayJeCPN89IyDsaIsrgAJk67+t92N8wTRIpOzfLEBQzz1WVBYCTPhA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOT012TTQ1V1ZlMnZycVB6 - empqdFc1SE13b1NNSCsyNkRMUWZ2aUdIRlc0CmEwYnp6WVI4SmRaVWRqTUZ5cWJJ - SXpUb3JLT2hNalc2ZlBhOTc2YWdDMkUKLS0tIGFPdW1OS0xFYjF3K01YcVh0bDQr - TjcxNTM3cjZrNnN1RThYUW56WHQ1RzAKvNCz1CW4VwI/YPqzpYfhpvhukbhE3g3Q - 31JZhyUViS/tutNy3rUpP+6zS2sY4yKhoavBTmMwI8W9I0JSZaVc5Q== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzQytnV3hWODAva0JGdFF4 - MC84UmdaKzd1MVloK0dXL1NjS3pGaGY5RGw4CnF5NjlvSUU1N0ZlMHMxVXlhekxH - 
QkJJR3MzQVdJd2ZrT0t0S3FKMFZaOW8KLS0tICt6SEhEcm1QR0MwQjJ1YllRSlY2 - QlZ3Zk1hdkxpNllwSTNxRlZrZWtuVEUK65FpDbLv+S+MvF5+rpTyhjfi9xOUekTP - WupHKoeMMzAFxRK7DcH8bREib731JgBPbZEl8QZcY+xZDORnv1XZhg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-23T09:05:51Z" - mac: ENC[AES256_GCM,data:qA7d/k9vSQIvtdHOx20yfi98s5jgdGPYsP2c1rNrX4MeZnJ4RE+KR8wR37A54AvgOURUnTJUSfDNKGuTIPxioRC1j8iNlo/y0IefkbTaO2CBoh+BHurlh6wweTKI3LRUk8V0i5Qn/5INYc+DEzfsiA2g+QcbT5d0fU98+x7V/yY=,iv:xcgMXDFDN0Vo15rr2Eo6QV/Y5+X0t0mvAfuFmN1NDXY=,tag:PywW0L+VspBh2pZGXbM+sA==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.1 diff --git a/nixos/machines/kaalut/allowlistPassMathebau.yaml b/nixos/machines/kaalut/allowlistPassMathebau.yaml deleted file mode 100644 index df69566..0000000 --- a/nixos/machines/kaalut/allowlistPassMathebau.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -allowlistPassMathebau: ENC[AES256_GCM,data:DuCBcWAC61JW,iv:g0zYvVmTjsJESTq3kkWtaiypYPLIE6zkFyYLeOp/qhw=,tag:pyK6KMuPLkhLSTPAzbVxdQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaaWhNaDFEREcrejY2ejhI - L0tnOEtTWktNVDVoK1JQd3pBY1BndTY1NUFjCjFFSEd2Nkc2TVVMYzlwRXhyenVq - WmlCZkc4VWtFS1drNDRjRXR6SEVoYVEKLS0tIDRCQjJkdUM0V1BGV0hVNUtNQ1d4 - M2J2TEtPTjRVVG8yOHd6WThRNm5SU2MKVIAU8GCGklXvqNf0bpahJ4SsvIQxMged - m6mznRxcK9QPMApHayOBgw+8T+3IQkaEKGRuhI1y9UXahGSr8yxPYA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTkNiVWo3SWFmaFlENm5C - cDlJdHM0OXBnTFdYV1NtTHFmTndndTdwQWhRCitMTVJIcnpiRzEvL3JzMTZJMW9p - NTlIREJ5VVpLTVplWVNhSFFDMlVpNTQKLS0tIFkvMjYvVy9DZUZSVDVvQTkzck1F - ZHM5M2tRVUVIYmR5L1FsR3VxNUZSdW8KWIq5Cjbd12SqQfXRZDpUxTnUZGCyMVb+ - XxCixIFoGYZRTBc15k/Z6yM5OxYnSv3tbioF68PYtPaaRJrw0ICDxQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUWVHME1JN0gvZlNDQkFt - YTFsRG12UWlLckVLanNGQlozSXFaVGhMQWdzCndPdnRnNFU2dUpQangxUGU1RGVG - Z0Z5SmxZVG1jYW91YW5Jc1UwY25yOEkKLS0tIDJ1U2w1RzhpUk5WR0JUbzhRSStE - VnZpWUFwaHFMa2V6NlpQR285RGU0L2cKeN08hqlFz4re9iVwKmp2THEs1vZFqNXg - uK9Em5IeCx3pBjd5nnguAM751vR9X5O91ntA/R3MoL2bxGhbXHbOmA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXYStiSFpMWjh3M0EydEU4 - YlBpcFNYRXJTN0k4MWQ3blFmdW4zTHR6MWhrCmtsVkpGNFlIT0xBQU9SSG45czhU - 
NzlKSm9RMStFZXpselNBa3NpNGM5SzAKLS0tIDh0LzI0SkdlM0hONmF4RndCV2Q2 - VmwxWjcxVG5Kd1pPYUdpWDJCZkU3Q00Kbc8dYrQ2AiRAUfzXl6Bdj1mlbwlHSKzS - 6B/wzrIB3yws4QXCdZsIifxsGqJh/74UdQSXEab0VNwaHqsyXecIjw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-23T09:05:51Z" - mac: ENC[AES256_GCM,data:JLCK4mH4yS4YMhrmI821s/TfONkCyEx8x+pFHD/QOoU4KHyhDIggEhTYo31JFpWIQdDZMPbeFaUN+IvQwh1pqD1V92XfJVC0zHPiwhG7W2kI8WFAONVqI/bbMJ/ne4am5w/koGpQNPiM2RIo+9/9BKOkyLJLB7XTqPBY/FNW2n0=,iv:JiHwaSbPJSJYofiFABjn/AehSKyRrlOKHXBs1DGZcFQ=,tag:ajR0zYdHWxQcY2DhAuAzAw==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.1 diff --git a/nixos/machines/kaalut/allowlistPassMathechor.yaml b/nixos/machines/kaalut/allowlistPassMathechor.yaml deleted file mode 100644 index 011559f..0000000 --- a/nixos/machines/kaalut/allowlistPassMathechor.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -allowlistPassMathechor: ENC[AES256_GCM,data:CuLKFiBN6JwB,iv:cwiwShPKrGjjfuglRttmG/AB+qblJ/6ZLyD88mAsZ30=,tag:JIJjHJ4it077RSD3pSOBgg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnQzBXNVFObnk5OWtaemNz - UlFDTFpGRmJ6N0xYUmx3dllzS3hyWmNURmxRCm1CbmpSNWRkVHR5M21ibmJ4ZzNJ - elZQQ0UyN3lOTmRwQ2tnL1lHUFF5djgKLS0tIFUvRUkwSW0wSFhCMFByTkI0eEo4 - emdnN2JoMDVOb3FUTmZhZFIxWFhxZEkKDWFrvxDHjybQ2b9hORThAG2TihGdvaK0 - EHrzz0h1NVEO/nLUJSXRugGJ+J1GqThgOG1WCwJ+2Fk4Hm+q040DWQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkbmQ3ZXdhZkV2VTMxTUFK - eHM5aXAyNXdtV2ZkRVZKTC9GdWtDWUJtdFFFCkdBMWs3OFltRjFLVU1rSG52NGo2 - Q0dnS1V2c01EdVRuRGlsZ0lQT1JtUG8KLS0tIHErblZ6U01HTm1FUVJTZjdGQ2RB - bE90R0NsdkQ2UWNrbXZydjR5YTNGVWcK46c5ec7plT6X1874abnSSryG+cUZq/QT - 3LpgQs26dc9nIARiZUk/2UTPiUwxFesi7e4I87bWh5A+mQOHNfRAyw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrUmJXMlFlb0pUbkduWkJK - SWhlUXNqZ0FQeFlEMFppUWR6MHFyS282emhJCkNLMDdaQ2JXRExLT3F2Y094VE90 - bTdmNGIvV0JHNlVldTVxUmdueTllYWsKLS0tIDAvNlhRQnFKSW5JT004WDFhSGEv - M0hKbWxuWjRlUWlRaHBQQUpkVlM4dTQKm4vPZTHMIfk79dTOO7mP9IZaJZbu3hx8 - J/y5xwUFVakqPaX144YZXjjStsjp6H71jE+z3EWeqvW3hwI8XAOv/w== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0ZGFsenFjQkRBTCtsVXRI - VnpQZmVld0VFZ09hWTdlSjNzczA1T1VhWkZrCkpRUml1UFJrU2laQ1FEVi9USEg2 - 
Y3J5VlZCVG83UUh0bnRVbkZRVWVMMlUKLS0tIEl1VUFPQ3NvMm40clFTMHcwRzlC - dENsZ2ttbFI1aGdFYlZ0M1crZGlRek0KWF+sAOdOGf7GKkY3ZlfPkXGGDwSf89Lk - uvSkh+2Y9RIkQ7HRUvWxPBPi4vBUUhM7y5+lA8sNi+lLMzPyzVeKaQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-23T09:05:51Z" - mac: ENC[AES256_GCM,data:4LMhli417gbzauxvsx+cSA0VfCt5+dr1lsGdzVqNts/ELcCxlH2599V/xPdgZJYvbvY/AUDEVc6/7vodqtxsI9d99P9AD9IRaETqHkQ2RmPfyUHLJL8kgLdcql6zBdlZTpy05438Bs53sOQMWCcUmE2TohH9jlvmwpqCaRgfYf0=,iv:BkfHGIFAdlSIjdLvqOeaeoIkBaMQ5yXqYBFgGBrzMjk=,tag:7+vgwa89KxeXWNvfbiKSsg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.1 diff --git a/nixos/machines/kaalut/configuration.nix b/nixos/machines/kaalut/configuration.nix index 82cb306..2134b42 100644 --- a/nixos/machines/kaalut/configuration.nix +++ b/nixos/machines/kaalut/configuration.nix @@ -1,4 +1,4 @@ -{ +{config, ...}: { imports = [ ./hardware-configuration.nix ../../modules/mail.nix 
@@ -10,26 +10,29 @@
 # System configuration here
 services.mathebau-mail = {
 enable = true;
+ stalwartAdmin = config.sops.secrets.stalwartAdmin.path;
+ # see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH
+ stalwartAdminHash = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg";
 domains = [
 # lists.mathebau.de is forwarded to another VM and does not need to be listed here.
 {
 domain = "matheball.de";
- allowlistPass = "/run/secrets/allowlistPassMatheball";
+ allowlistPass = config.sops.secrets."allowlistPass/matheball".path;
 }
 {
 domain = "mathebau.de";
- allowlistPass = "/run/secrets/allowlistPassMathebau";
- virt_aliases = "/run/secrets/mathebau.aliases";
+ allowlistPass = config.sops.secrets."allowlistPass/mathebau".path;
+ virt_aliases = config.sops.secrets."mathebau.aliases".path;
 }
 {
 domain = "mathechor.de";
- allowlistPass = "/run/secrets/allowlistPassMathechor";
- virt_aliases = "/run/secrets/mathechor.aliases";
+ allowlistPass = config.sops.secrets."allowlistPass/mathechor".path;
+ virt_aliases = config.sops.secrets."mathechor.aliases".path;
 }
 {
 domain = "koma89.tu-darmstadt.de";
- allowlistPass = "/run/secrets/allowlistPassKoMa";
- virt_aliases = "/run/secrets/koma.aliases";
+ allowlistPass = config.sops.secrets."allowlistPass/koma".path;
+ virt_aliases = config.sops.secrets."koma.aliases".path;
 }
 ];
 };
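Review bot: `stalwartAdminHash` carries the fallback admin's argon2 hash as a plain option value, so it is evaluated into the world-readable Nix store of every host that builds this configuration and lives in the repository, while the matching plaintext is kept in sops one line above. A hash is less sensitive than the password, but `m=4096` is a memory cost of only 4 MiB for argon2i, which keeps offline guessing of that hash cheap should the password ever be short. If stalwart can take this key from the TOML side, a `%{file:...}%` macro over a sops-managed file, as already done for the sieve script, would keep the hash out of the store and the repository; otherwise regenerate it with a memory cost in the tens of MiB. The `services.mathebau-mail` set is closed inside the hunk, the surrounding module outside it.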
@@ -38,32 +41,19 @@ vmNetwork.ipv4 = "192.168.0.17"; system.stateVersion = "24.05"; - sops.secrets = { + sops.secrets = let + allowlistSops = { + sopsFile = ./allowlistPass.yaml; + owner = "stalwart-mail"; + group = "stalwart-mail"; + mode = "0400"; + }; + in { # Password for the HRZ API that gets a list of mailaddresses that we serve - allowlistPassMatheball = { - sopsFile = ./allowlistPassMatheball.yaml; - owner = "stalwart-mail"; - group = "stalwart-mail"; - mode = "0400"; - }; - allowlistPassMathebau = { - sopsFile = ./allowlistPassMathebau.yaml; - owner = "stalwart-mail"; - group = "stalwart-mail"; - mode = "0400"; - }; - allowlistPassMathechor = { - sopsFile = ./allowlistPassMathechor.yaml; - owner = "stalwart-mail"; - group = "stalwart-mail"; - mode = "0400"; - }; - allowlistPassKoMa = { - sopsFile = ./allowlistPassKoMa.yaml; - owner = "stalwart-mail"; - group = "stalwart-mail"; - mode = "0400"; - }; + "allowlistPass/matheball" = allowlistSops; + "allowlistPass/mathebau" = allowlistSops; + "allowlistPass/mathechor" = allowlistSops; + "allowlistPass/koma" = allowlistSops; # Virtual alias file "mathebau.aliases" = { sopsFile = ./mathebau.aliases.yaml; diff --git a/nixos/machines/kaalut/mathebau.aliases.yaml b/nixos/machines/kaalut/mathebau.aliases.yaml index 57f20a9..f8fa3ed 100644 --- a/nixos/machines/kaalut/mathebau.aliases.yaml +++ b/nixos/machines/kaalut/mathebau.aliases.yaml @@ -1,4 +1,4 @@ -mathebau.aliases: ENC[AES256_GCM,data:,iv:+PtXcxSjm3145ES8+6zexVmn2Hizwo6I5eOS/9RA2DI=,tag:vk/beGSoGSxykzD5/bsJXQ==,type:str] +mathebau.aliases: ENC[AES256_GCM,data:,iv:gMs8Nq2+e7nrBSdeXz7Qp6MrtkvN6gYwLXuP1nm/Hy0=,tag:MLB5QxP2A7E6GwgZlI71FA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -41,8 +41,8 @@ sops: Y21YcmlWTkJDRUh3czJEUWVGaG44cXMKoibsYSOYv329WNzktBVJ18aGAMXCxz3B c9938x3U7BCsSatnNch/cTbxPFYt8GhgAXXZb8/vsT9URH+9/K2iuA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-23T09:05:51Z" - mac: ENC[AES256_GCM,data:28fB2H6tdToWcVoGFHYRgSMeLwTVj66lESwITzhIkXnZK/5sLdJA+JS/gw58IhxXoO5oUsRgsB+mbfx6IKd5NuU8oJvJhOJi6kkR796gb09pNww/2zlssCck2SmHOJBpPXSZWl6MLRt5pMoU3nCPjESE7GTSBro7MO6n8Ycn8Uo=,iv:JssdLAzR5tv5n1dTpy/nRoOHYZ9Svy67uBPQk4vFLXI=,tag:wuUZqFXXdjdsSbMWIGFv7Q==,type:str] + lastmodified: "2025-01-05T13:45:59Z" + mac: ENC[AES256_GCM,data:wESfYT9AJDcOKI4QSzXLi844ILNtDa1APlcvhNHfu80mS6JFXifUgbOV8YW9D6TA7X/NIhdpiIiDt2bdmK9GJbSrbNJH1yz5Pm4nEabVdHCU5aJKtlagxkNwzfHfDaRznM6NQTdIFDqsaSSokKYyZiycNOMdisQ5JpbYYig/KTM=,iv:GaYceaZ0drzimn/TTXPBP2Zt81w6YPLNf1oqRtkWt/8=,tag:ptEQRoIsBVSBqSdg1XdLsA==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.9.2 diff --git a/nixos/modules/mail.nix b/nixos/modules/mail.nix index d024b62..6079f8a 100644 --- a/nixos/modules/mail.nix +++ b/nixos/modules/mail.nix @@ -1,7 +1,9 @@ /* * Building: For some reason, stalwart is not served by cache.nixos.org and thus needs to be built locally. * Be aware that this needs some hours, about 12Gb RAM and a few Gb free space in /tmp. -* Forwarding mails: Update the Sops-secrets in the machine directory, rebuild and deploy. +* If you only want to deploy configuration changes and no software updates, consider building on the target VM. +* It has stalwart in its nix store and does not need to rebuild it. +* Forwarding mails: Update the Sops-secrets in the machine directory, rebuild on the VM and deploy. * Everything else should happen automatically but new redirects might take up to two hours due HRZ infrastructure. * Using the web admin interface: Set your SSH to do portforwarding of some local port to port 80 of the VM and * and use your personal admin account or create one using the fallback admin password. 
@@ -22,24 +24,34 @@
 mkEnableOption
 mkOption
 ;
- inherit (lib.types) listOf str;
+ inherit (lib.types) listOf strMatching str path;
 cfg = config.services.mathebau-mail;
 in {
 options.services.mathebau-mail = {
 enable = mkEnableOption "mathebau mail service";
+ stalwartAdmin = mkOption {
+ type = path;
+ description = "Path to a file that contains the stalwart fallback admin password encoded for HTTP Basic Auth";
+ };
+ stalwartAdminHash = mkOption {
+ type = str;
+ description = "String containing the hashed fallback admin password";
+ };
 domains = mkOption {
 type = listOf (lib.types.submodule {
 options = {
 domain = mkOption {
- type = str;
+ description = "Domain name that we serve. We also push its addresses to HRZ.";
+ type = strMatching "^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$"; #Regex from https://www.oreilly.com/library/view/regular-expressions-cookbook/9781449327453/ch08s15.html
 };
 allowlistPass = mkOption {
- # Password for the HRZ API that gets a list of mailaddresses that we serve
- type = str;
+ description = "Password file for the HRZ API that gets a list of mailaddresses that we serve";
+ type = path;
 };
 virt_aliases = mkOption {
- type = str;
- default = "";
+ description = "File path to a virtual alias file applicable for this domain";
+ type = path;
+ default = "/dev/null"; # there might not be an alias file and reading an empty one works with our implementation
 };
 };
 });
@@ -47,8 +59,6 @@ in {
 };
 
 config = mkIf cfg.enable {
- environment.systemPackages = [pkgs.alias-to-sieve]; # install converter from alias files to sieve scripts
-
 services = {
 stalwart-mail = {
 enable = true;
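Review bot: The `strMatching` pattern on the new `domain` option is looser than the cited recipe: inside a Nix double-quoted string `\.` is just `.`, so the expression that reaches the regex engine has an unescaped `.` between labels and accepts any character there (`"a/b.de"` passes, `"A.de"` is rejected as intended). Doubling the backslash restores the literal dot: `type = strMatching "^([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z]{2,}$"; #Regex from https://www.oreilly.com/library/view/regular-expressions-cookbook/9781449327453/ch08s15.html`. Since the domain is interpolated into the curl command of the HRZ upload and the alias-to-sieve invocation elsewhere in this module, a precise pattern is the cheap place to reject odd values. The `domains` option and the enclosing `options.services.mathebau-mail` set are closed outside the hunk.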
@@ -57,12 +67,13 @@ in {
 server = {
 lookup.default.hostname = "fb04184.mathematik.tu-darmstadt.de"; # Because the DNS PTR of 130.83.2.184 is this and this should be used in SMTP EHLO.
 listener = {
+ # Do not enable JMAP until https://github.com/stalwartlabs/mail-server/issues/618 is resolved!
+ # Luckily, this bug does not apply to IMAP.
 "smtp" = {
 bind = ["[::]:25"];
 protocol = "smtp";
 };
 "submissions" = {
- # Enabling sending from these domains privately blocked on https://github.com/stalwartlabs/mail-server/issues/618
 bind = ["[::]:465"];
 protocol = "smtp";
 tls.implicit = true;
@@ -73,7 +84,11 @@ in {
 tls.implicit = true;
 };
 "management" = {
- bind = ["[::]:80"]; # This must also bind publically for ACME to work.
+ # Cthulhu forwards requests for http://fb04184.mathematik.tu-darmstadt.de/.well-known/acme-challenge/ http://imap.mathebau.de/.well-known/acme-challenge/ and http://smtp.mathebau.de/.well-known/acme-challenge/
+ # for TLS certificate challenge validation
+ # whereas the rest of the management interface is not available publically.
+ # It can be reached via SSH and portforwarding.
+ bind = ["[::]:80"];
 protocol = "http";
 };
 };
@@ -111,6 +126,7 @@ in {
 {"else" = "'hrz'";}
 ];
 tls = {
+ # we only talk to HRZ and our own VMs anyway
 mta-sts = "disable";
 dane = "disable";
 starttls = "optional"; # e.g. Lobon does not offer starttls
@@ -120,13 +136,13 @@ in { address = "mailout.hrz.tu-darmstadt.de"; port = 25; protocol = "smtp"; - tls.implicit = false; # somehow this is needed here + tls.implicit = false; # Don't assume TLS on this port but use STARTTLS }; remote."mailman" = { address = "lobon.mathebau.de"; # must be created in DNS as a MX record because this field does not accept ip addresses. port = 25; protocol = "smtp"; - tls.implicit = false; # somehow this is needed here + tls.implicit = false; # Don't assume TLS on this port but use STARTTLS }; session.rcpt = {
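Review bot: The comment `# we only talk to HRZ and our own VMs anyway` added to the `tls` block documents why `starttls = "optional"` is acceptable, but together with `tls.implicit = false` on the `mailout.hrz.tu-darmstadt.de` remote in the last hunk on this line it means delivery to HRZ uses opportunistic STARTTLS only, and an on-path party can downgrade that hop to cleartext by suppressing the STARTTLS offer. The `# e.g. Lobon does not offer starttls` remark explains the relaxed global setting; if the HRZ relay advertises STARTTLS, requiring it for that remote alone (provided stalwart has a per-remote setting, which this hunk cannot confirm) would protect the external hop while keeping the internal `remote."mailman"` hop to `lobon.mathebau.de` as it is. The `tls` and remote blocks open inside their hunks but the enclosing `queue`/`outbound` settings lie outside them.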
@@ -136,12 +152,18 @@ in { catch-all = true; relay = [ { - "if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de'"; + "if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de' || starts_with(remote_ip, '192.168.0.')"; #TODO restrict trust by IP "then" = true; } {"else" = false;} ]; }; + + # Stalwart gets its configuration from two places: A TOML configuration file that we control in this module + # and from a database that can be configured from web management interface or via Rest API. + # We here define what comes from the TOML-file and especially add "sieve.trusted.scripts.*" to the default ones + # because only TOML-based keys may use macros to load files from disk. + # We want this to be able to load our sieve-script for mail forwarding. config.local-keys = [ "store.*" @@ -165,9 +187,9 @@ in { authentication.fallback-admin = { user = "admin"; - secret = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg"; # see machine secret for plaintext + # see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH + secret = cfg.stalwartAdminHash; }; - tracer.stdout.level = "debug"; }; }; }; @@ -201,12 +223,13 @@ in { ... }: '' echo "process ${domain}" - # Get the mail addresses' local-part - ${pkgs.curl}/bin/curl -s --header "authorization: Basic $(> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need. - # Post local-parts to HRZ + # Post local-parts to HRZ, see https://www-cgi.hrz.tu-darmstadt.de/mail/index.php?bereich=whitelist_upload ${pkgs.curl}/bin/curl -s https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php -F emaildomain=${domain} -F password=$(cat ${allowlistPass}) -F emailliste=@/tmp/addresses -F meldungen=voll - # Cleanup + # Cleanup submission file rm /tmp/addresses ''; in 
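Review bot: The added `starts_with(remote_ip, '192.168.0.')` clause in the `relay` rule lets every host in 192.168.0.0/24 relay outbound mail through this server without authentication, which is broader than the one sender the change appears to serve (the mailman host `lobon.mathebau.de`, which PATCH 6 now points at this VM via `relayHost = "mathebau.de"`); the `#TODO restrict trust by IP` acknowledges this. Match that single host instead, e.g. `"if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de' || remote_ip == '<LOBON_IPV4>'";` with the address taken from the VM inventory, so a compromised or misconfigured neighbour on the internal network cannot use the relay. The `session.rcpt` block this rule belongs to opens outside the hunk.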
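Review bot: In the HRZ upload script (third hunk on this line) the API password is expanded onto the curl command line via `-F password=$(cat ${allowlistPass})`, so for the duration of the upload it is readable in the process list by every local account; this commit only touched the comments around that line. curl can read a form field's value from a file itself, which keeps the secret out of argv: `-F "password=<${allowlistPass}"`. The first curl line of this hunk is partly garbled in this rendering and the enclosing `let` binding starts outside the hunk, so they are not reviewed here.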
@@ -241,17 +264,7 @@ in {
 };
 "virt-aliases-generator" = {
 description = "Virtual Aliases Generator: Generate a sieve script from the virtual alias file";
- script = let
- scriptTemplate = {
- domain,
- virt_aliases,
- ...
- }:
- if virt_aliases != ""
- then "${virt_aliases} ${domain} "
- else "";
- in
- lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map scriptTemplate cfg.domains ++ ["> /tmp/virt_aliases"]);
+ script = lib.strings.concatStringsSep "" (["${pkgs.alias-to-sieve}/bin/alias_to_sieve "] ++ map (x: "${x.virt_aliases} ${x.domain} ") cfg.domains ++ ["> /tmp/virt_aliases"]);
 wantedBy = ["stalwart-mail.service"]; # Rerun on stalwart restart because forwardings may have changed.
 serviceConfig = {
 Type = "oneshot";
diff --git a/nixos/modules/mailman.nix b/nixos/modules/mailman.nix
index 5cfa63d..f4ecd0e 100644
--- a/nixos/modules/mailman.nix
+++ b/nixos/modules/mailman.nix
@@ -35,7 +35,7 @@ in {
 proxy_interfaces = "130.83.2.184";
 smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
 };
- relayHost = "192.168.0.24"; # Relay to eihort which relays to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)
+ relayHost = "mathebau.de"; # Relay to mail vm which relays to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)
 };
 mailman = {
 enable = true;
@@ -64,9 +64,9 @@ in {
 systemd.timers."mailAllowlist" = {
 wantedBy = ["timers.target"];
 timerConfig = {
- OnBootSec = "5m"; # Run every 5 minutes
- OnUnitActiveSec = "5m";
- RandomizedDelaySec = "2m"; # prevent overload on regular intervals
+ OnBootSec = "1h"; # Run every hour
+ OnUnitActiveSec = "1h";
+ RandomizedDelaySec = "10m"; # prevent overload on regular intervals
 Unit = "mailAllowlist.service";
 };
 };
From 3b34a5cd587cd06fbb750bc054a041a86001d04c Mon Sep 17 00:00:00 2001
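Review bot: The rewritten `script` still writes the generated sieve script to `/tmp/virt_aliases`, a directory shared with every local account, which is why this unit runs with `PrivateTmp = false` and `ReadWritePaths = "/tmp"` and why the stalwart unit gets `PrivateTmp` forced off in PATCH 5. A file or symlink of that name placed there in advance by another local user at best breaks the generator and at worst decides what `sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"` hands to the mail server as its redirect rules. A directory owned by the service avoids the shared path, e.g. `RuntimeDirectory = "virt-aliases"; RuntimeDirectoryPreserve = true;` in this unit's `serviceConfig` (the preserve flag matters because a `oneshot` unit is inactive once the script has exited), with the script writing to `/run/virt-aliases/virt_aliases`, the `contents` macro reading from there and `ReadWritePaths` adjusted to match. The `serviceConfig` block and the enclosing `systemd.services` set continue outside the hunk.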
From: Gonne Date: Sat, 14 Dec 2024 17:31:31 +0100 Subject: [PATCH 7/8] Address first round of review --- nixos/machines/kaalut/koma.aliases.yaml | 8 ++++---- nixos/modules/mail.nix | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/nixos/machines/kaalut/koma.aliases.yaml b/nixos/machines/kaalut/koma.aliases.yaml index 9c2b1bd..5da46a2 100644 --- a/nixos/machines/kaalut/koma.aliases.yaml +++ b/nixos/machines/kaalut/koma.aliases.yaml @@ -1,4 +1,4 @@ -koma.aliases: ENC[AES256_GCM,data:YXHv59u9hHbkXH9s8CbDmP1adthMLiU3ijCIg/yBfXvwtzWUY45un3D/iP8aIEB31PkfVtmTYcbsrJRU5brPgtev28U9DsTc1UrLdUW7YyAgo8xN0nyte6Qxdv9OfUVmwTg4tY9Tv7WmjgpXuIx2sRglfn42X3S4tVAmqzYNrg==,iv:3PM0wfq4lFG1bV607cGkZ6QgznRk8iLMQ55M/BMMJAg=,tag:npKbdQ4esykcjMcYEVHR5Q==,type:str] +koma.aliases: ENC[AES256_GCM,data:AB/EiyqSMfA5Gfioh1GsiLaydRJjedbp3FYQA6gZNC0KZ042hWVXxm1tZEx0VjVaan4nVpdiszQTNbs4iF3P72dyJGTcE9l3q3WpS2IEfc1tykCasfWNOorTs1POVTS6sCGs4m7W5HPXQQ==,iv:s9xsEqRYlTkYBgrR9wqCp8BGYey5vAc1bbhYIrS3AVU=,tag:MzA2sMSElVNofuyo2qYmyg==,type:str] sops: kms: [] gcp_kms: [] @@ -41,8 +41,8 @@ sops: OW5ZQWIvU2x1OEN6OW84K0dqRmhGNUUKOA3ugnG/ZD7m1DKrFjpZ8opPnjPtLaQx t8qgGuQIoX6KeUb+YybRAOAPPzl51/m9GSUB43Eanm/tVJpdaew7/g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-23T09:05:51Z" - mac: ENC[AES256_GCM,data:L29+n5e38RVgVT71y96EbrboHZigbCUvv1gZ+uTWEchOmB8+pgamKhF/m3mpI1iauKtkNlkcS7NbtsEhbLumEHAibJ1H2EZdbWKB53m0RZMCWdZKV+49DenLjROljWMC+mXs0zIir+ts3mhD3ORhQZVBgs/svfkgIyPkcl0wHaE=,iv:ipUpydj18/fgFgwoD0NDjmwLXM+vfkC85I3uvmG9GLE=,tag:sA1UVTquN7cbWAMh9vF5cg==,type:str] + lastmodified: "2025-01-05T14:22:26Z" + mac: ENC[AES256_GCM,data:5u3rV35uXHA0YqWHvnLn+aOmtHAlkuQoIRt3gj1dvc0+bMv+XBAYu+Yih/tkveeIY8Q0wXdhXdJvsdjkZR/INp5DwtjHUBpEeY5Ko0cQnhToJNhZnrXu/KVkwEtAJ5ir1Djex7ZSGCfMgBkCwCHd/VE2/lr1DksoD4cZy4AGPSo=,iv:r4zzreY6NCCuheRNE4etOo3CBl/unNlPL3cRP3Zvm+U=,tag:xyfBbOUqxcUUcSvfY7YBCw==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.9.2 
diff --git a/nixos/modules/mail.nix b/nixos/modules/mail.nix
index 6079f8a..9d98d73 100644
--- a/nixos/modules/mail.nix
+++ b/nixos/modules/mail.nix
@@ -181,7 +181,7 @@ in {
 "lookup.default.hostname"
 "certificate.*"
 ] # the default ones
- ++ ["sieve.trusted.scripts.*"]; #for macros to be able to include our redirection script
+ ++ ["sieve.trusted.*"]; #for macros to be able to include our redirection script
 sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script
 session.data.script = "'redirects'";
 
From 6fee31dcf1c48486f6da168258607f476a91d0c7 Mon Sep 17 00:00:00 2001
From: Gonne
Date: Sun, 12 Jan 2025 21:30:11 +0100
Subject: [PATCH 8/8] Change storage to sqlite + filesystem
---
 nixos/modules/mail.nix | 9 ++++++++-
 sieve-rs.patch | 22 ++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 sieve-rs.patch
diff --git a/nixos/modules/mail.nix b/nixos/modules/mail.nix
index 9d98d73..a481bcf 100644
--- a/nixos/modules/mail.nix
+++ b/nixos/modules/mail.nix
@@ -181,7 +181,7 @@ in {
 "lookup.default.hostname"
 "certificate.*"
 ] # the default ones
- ++ ["sieve.trusted.*"]; #for macros to be able to include our redirection script
+ ++ ["sieve.trusted.scripts.*"]; #for macros to be able to include our redirection script
 sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script
 session.data.script = "'redirects'";
 
@@ -190,6 +190,13 @@ in {
 # see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH
 secret = cfg.stalwartAdminHash;
 };
+ store = {
+ # structured data in SQLite, blobs on filesystem
+ db.type = "sqlite";
+ db.path = "/var/lib/stalwart-mail/data/index.sqlite3";
+ fs.type = "fs";
+ fs.path = "/var/lib/stalwart-mail/data/blobs";
+ };
 };
 };
 };
diff --git a/sieve-rs.patch b/sieve-rs.patch
new file mode 100644
index 0000000..1fef1ec
--- /dev/null
+++ b/sieve-rs.patch
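Review bot: With `db.path = "/var/lib/stalwart-mail/data/index.sqlite3"` the borg job from PATCH 5, which archives `/var/lib/stalwart-mail/data` while the service runs, now copies an open SQLite database; a run that overlaps a write can capture an `index.sqlite3` (plus journal or WAL) that does not open on restore, and the backup is already unencrypted and unverified beyond that. Take a consistent copy first, e.g. in the job's `preHook`: `${pkgs.sqlite}/bin/sqlite3 /var/lib/stalwart-mail/data/index.sqlite3 ".backup /var/lib/stalwart-mail/data/index.sqlite3.bak"` and back up that file (excluding the live one), or stop stalwart around the run. The `fs.path` blob directory is not affected. The `store` block sits inside settings whose opening lines are outside the hunk.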
@@ -0,0 +1,22 @@
+diff --git a/src/runtime/actions/action_redirect.rs b/src/runtime/actions/action_redirect.rs
+index 5b4599d..bfb46b0 100644
+--- a/src/runtime/actions/action_redirect.rs
++++ b/src/runtime/actions/action_redirect.rs
+@@ -41,17 +41,6 @@ impl Redirect {
+ .count()
+ < ctx.runtime.max_received_headers
+ {
+- // Try to avoid forwarding loops
+- if !self.list
+- && (address.eq_ignore_ascii_case(ctx.user_address.as_ref())
+- || ctx.envelope.iter().any(|(e, v)| {
+- matches!(e, Envelope::From)
+- && v.to_string().eq_ignore_ascii_case(address.as_str())
+- }))
+- {
+- return;
+- }
+-
+ if !self.copy && matches!(&ctx.final_event, Some(Event::Keep { .. })) {
+ ctx.final_event = None;
+ }
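Review bot: `sieve-rs.patch` removes the `// Try to avoid forwarding loops` guard in `Redirect`, so redirects to the user's own address or to the envelope sender are no longer suppressed, but nothing in this commit says why that is needed or where the patch is applied (the subject only mentions the storage change, and no reference to the file appears in the series). Without the guard the only remaining loop brake in this path is the `< ctx.runtime.max_received_headers` comparison just above the removed block, so a redirect that points back at a served domain will circulate until that Received-header limit is hit. A short description above the first `diff --git` line of the patch file, e.g. `Drop the self/envelope-from redirect guard because <reason>; loops are bounded only by max_received_headers`, plus a comment at the place in `mail.nix` that applies it, would make the change reviewable. The patched `impl Redirect` method begins and ends outside the quoted hunk.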