Hack around sieve execution for multiple recipients.

This directive is supposed to prevent mail delivery loops that would be caused by portforwarding to itself.
Behind this ip address, however, there is our general mail vm and not immediately the mailinglist setup.

.sops.yaml

@@ -1,8 +1,8 @@
 keys:
   - &nerf age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
   - &gonne age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
+  - &daniel age1mmpdvzy6d23qyhrl55jtv3c25pus2wwfplx9tujmqps2xsreuv8qwc6gv5
 
-  - &nyarlathotep age1s99d0vlj5qlm287n98jratql5fypvjrxxal0k5jl2aw9dcc8kyvqw5yyt4
   - &bragi age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
   - &lobon age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
   - &nyarlathotep age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
@@ -13,28 +13,26 @@ creation_rules:
       - age:
         - *nerf
         - *gonne
+        - *daniel
         - *nyarlathotep
   - path_regex: nixos/machines/bragi/.*
     key_groups:
       - age:
         - *nerf
         - *gonne
+        - *daniel
         - *bragi
   - path_regex: nixos/machines/lobon/.*
     key_groups:
       - age:
         - *nerf
         - *gonne
+        - *daniel
         - *lobon
-  - path_regex: nixos/machines/nyarlathotep/.*
-    key_groups:
-      - age:
-        - *nerf
-        - *gonne
-        - *nyarlathotep
   # this is the catchall clause if nothing above machtes. Encrypt to users but not
   # to machines
   - key_groups:
       - age:
         - *nerf
         - *gonne
+        - *daniel

nixos/machines/bragi/backupKey.yaml

@@ -8,29 +8,38 @@ sops:
         - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaR2dRc3NPeUwwaHdCL25V
-            RHNaWU9xRUw5dDlaOG5hczVlNm5UR01QUEVNClJsVFRBWU85Z0JuV1l3MDdvd1F2
-            RS9CcXhuNEJWdEE1cktXYjF3RW9wUDQKLS0tIHk3MURmWlJNanVZaHlUR3R2UEZG
-            K2JxOHpNY2hsTysrWjNLajFKQkxuNHcKaFMvnDt9a3HsnbP1Q/i4ifRIXFcXYn8z
-            YyOho0hSmWZNhTbltmuVKjvCNgt9ONVRW93uRDDoju8Odps0qwwvuA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBESHBiWEdwNVA4UHh3K3JI
+            aXZIaDV6RER1YVU0Tjg5WEtoZGQ3ODNoM21VCldINWhTK1BDV3dQVDBFZ2pSQXcx
+            ZDNEMVRJOVRURE1VRmltb3psRXJvYVkKLS0tIHdzRXFWa1cxcm9QRkFtNlRhclRW
+            SW9Dd00za2h6RGFBS2JQYzUreW9PelkKH/vpD5kFkUEXjP30GlgcDYq8DLf84Qkp
+            Bz6YfniDXw7EFVFcyXlexxrmDmd/IUxYVZ//uNwkUpal/g2CKZDHPg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMM1NCbHdFZDJvYjJjcmZ6
-            bUFjSG5OUEdydS9pTkNHRjFKb3gvWll0Q0RVCk56ZnhDa0NGeUNhVVdDZENieDFW
-            Q0xSNXhYQXZSVnI3WlRzUjhxOXRyM2sKLS0tIGhnVWJaRG4vSGpUcnQ5SFVFT3VQ
-            YUFzTlNLSE9CbW9oYTFsY0tpTE4vZTQKjurd87tDH8z58pAGJyVXRAu8Q2+k7e4G
-            zOGZhm5DpSmFv2O2fqXgBg8nT5wrPKQDFvcDh1P+a0753tUTbUttIA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOd2NiNW9aZWMzem1lK2NE
+            THVkSkcrNVdORHhpRWk3VFZ2aHBKRitTZWdFCmVrYys1aFZJSFBacStVa3NQdTFJ
+            d0pYUENuSjYzVDlKdHMyci9NMEFNMWMKLS0tIGRTem0xdmhEbzh0dGtOdW1aT0lD
+            aVFZVFZCNHpqY3VTOWdHNGN1MWZTRkUKYuPEc0sl65pQGVg1UiFDvJwQdf//XkDU
+            qb90DQtC1j71l8wscu7ZuuxzNoK0yUGvI8x6LJ5JLo7ljsIy0pTElA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1mmpdvzy6d23qyhrl55jtv3c25pus2wwfplx9tujmqps2xsreuv8qwc6gv5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdFMzUXZ0RTAwR1BsbFRs
+            c1R4bmxlM2xQeEErYUJTazZYSmphc3pjTEJJCng2czR1eDJNUEdPd3J4dVFwSVdF
+            b3JkKzgxSk5sbXJZRE5FU3NDRC9OeGMKLS0tIEZ4bXU3L1RNTFlzWHVSL0EvQ2d3
+            UE0zVFFpMEEvaHhaYmlRcWlHVXl3dUUKr31P1ovm1MLGQGWCshLJpug0jsxyRqb+
+            4Y4apn0eutpYfBw3zKP+2huTdMLHk/RkSHJUBs5UxgfOY18StdjIcg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1lqvgpmlemyg9095ujck64u59ma29656zs7a4yxgz4s6u5cld2ccss69jwe
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlWmlwS0E5TytFdEpxN09U
-            Y3k0SDhnM2h5Rnh1bXQ2czA5bWt1Mkk3aUFFCmtwT2ZmN0IweGdOYURWNDVHcWtH
-            R3lRaFRkcWYzb2g4NWNFQU5WOXZZaGMKLS0tIHpWNnNvVUNucE5MQ1cxQWl6Qm1x
-            NUZDVnJORXF1NGlyNUkzOGl2REFHdmsK18k9UfOmtFSep6mZcSp6di7SjvrBXgGp
-            oWtLehp1UFEHCgaU5YxlYhtkrrOhb8ykFb1on+kmzrloaHqyvks7Aw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNZk9LVmY0SlBpMWttcitK
+            L3djYzlCTENvVXFrZTV5MGd4TWF0WUZkWVQwCjVJLzJsdWVmeFBtd2x4RGw0SmV3
+            clc5d3FtRFk0VWlqbk5CMXFCSllKbHMKLS0tIGRwVEJwUzBMeGFwUnNBVFRJQjIw
+            UFhDYVF2ZHhldFRtUFJEZlBLTG5zS2sK9vvB+5PPSytzN/wNTxzXwYfXxQPEYFeq
+            IAzVWchShU6uTMMZeO88qmkZjz1kYIdjPHqny3g/ZqsW18NCtLYqfg==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-03-21T16:38:08Z"
     mac: ENC[AES256_GCM,data:kEVWd988Ia6T8v3w0slQhM0lh78VhnP8qJNa6IZg0NF2B0JQbFRnQNbUfvG9Rf4mkAR/O9PD+r6HR+b3LCwzb/Ok/eD4/M3+oPaEx/JnoHrzF/1N29VEAvBHjQgw6DL05toqu5G03UDcDUFGc111AeRsexhONQRHJx3zqWyWGy4=,iv:T5Pkhl3vhSAIoKkC3r3VQn3tC4t04WxvAZDQ4PMvD84=,tag:h0/aB91SFr5q0Or5daxWUQ==,type:str]

nixos/machines/lobon/allowlistPass.yaml

@@ -8,29 +8,38 @@ sops:
         - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAySVhjV0xXdGE2am85RVJh
-            NXJLRy92blkzeENuWHh3QSsxNHBXcUpibGxnCnVHUEVoYVgxbk5WSmxQRXNzMC9i
-            Y1g4MUFrNEVjVjJWM0xhU0JzTzNZTk0KLS0tIFIrdmhrbXFHb2VaQ1p2dDJMMmlR
-            Um5CcGlZanBBRzJKOVNZeWVPTmsrcVUK905uViHD7uZMVQHPfFraIHXYTHaT+ERl
-            ZvyRDdjjRCyxu0qcIpYVpPAmfGCo0++bXSRUX8rCp48YN20MbPNjgA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhQTRPaXNNUWlwU0hTdHA4
+            RTAycU12SFZXRGJqbTZVV1Rkd3NFQVJrWGtvCkNzc1FzemkxaGNzd0FjU3hPcWl6
+            U3J1V3Q5WVcwNVZ0ZTUxckY2Z0RBa2cKLS0tIHBHVzVGVHg5N1FyTFhOd3JPVEJy
+            Kys4SjE2cGpVeGZDenFGN3VsQjZLUWMKThmZnM0wYLVh0xEsr8bqtgvo50sPn4rp
+            vo4Cn+7osvABl4BJKKhcrLoxgIrz9NcdQLToOZHn7YfHRpAGH+VIAg==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1xv5rfxkxg9jyqx5jg2j82cxv7w7ep4a3795p4yl5fuqf38f3m3eqfnefju
+        - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLNkNpN2RlcHBuOUxoYmkx
-            QzdOM1E0cFBSc1I0NzVRbmhiUXhjM3dQOWhnCmlOQzJ3b2Q5NFJkb2haMDNGSFBv
-            SkdySWtRUzhic1FNeXhiUFBPRVNoWmcKLS0tIGNaVW5xUmxWOEtXVkRqVEJJSEVv
-            NFBWREFQbnFXclhiNW51M0ZsOEMxdnMKdOPVRbD42q7MRw1CX1M30Xdil7VFLDVD
-            G8j4sjxlDkcwQK/3WjZdBLXAzJcrvAp0okGzw8lymC812CXTSEfmxw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxNUhhM1NlRDFoMHQzYVN0
+            MW9hcUZPQXc1YTJQeWRsL2pXYjBPSUZJQ25zCnNSREszRFo2cnFVd055WWlMR3A5
+            NWdINkdKRnU0M3ZIeEtXSGY3UVZkUGMKLS0tIHpUeEc5Yk9sMkVucnlHeWtTaHdj
+            TVdZVDd1Q3UrS2JoNHR3RVhoZFB1VUkKmo0HHSwh1pzqoeKUtiDD5UAa44efv11c
+            9QymycpZ7e//69uKHlY+r19TIvBz6s6jTguFY6JhQ9VeqfIlFLuokg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1mmpdvzy6d23qyhrl55jtv3c25pus2wwfplx9tujmqps2xsreuv8qwc6gv5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvU0QvQy9jdmVRTzZzSnFI
+            NU1rQjRpWWV5WFUrMWZzV2huVGhIUU8ySG44CjllRUh3T3MzcmF6cjg5RjIxZHds
+            QUc4b3krZi9CWjRjUENNUnZrNTdlN1kKLS0tIDNtRW9IZlVxVlk1THBNMzhtQmw2
+            TTExeG5hMnNOdHF1djlmM0xaM05XODAK2XnV+iluWnpC7snAEpGaYRADKbZbNlx2
+            yIplp4Mj8nakS1OKMTK+FdwP/qmEs7e804AfPFtI9j/ljYKub4gKgQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKVVN2THloaU1pVnhtWDhm
-            TWpPaHNLSXlud0RLU3ovS0s4REtUTzQwMHhZClF5OFZQVHB2VG9BeThSYzVSMUFJ
-            VDNkT0Y1Y3RUemkwSmxlM0drUlNDR1UKLS0tIDYrcVhXMWJxR2dhcXhjdTQ3MjV1
-            Y3lWbHdLOGRGamhRY0xoRnVJczc2aFUKWWAflRwoszNw5bEDTSaVI65FtQve/HrC
-            uY1JvYwXLq4m4hu76dyrplDpzb8ant/YAUXpG6F4U7nn9GiLBaoyUQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDUTFrbUh3M0JNTDQrQVlv
+            cnRrQ3hsN1FkMkUycnNxZXQwYlg1YldWdERRCmZZYk1nQk5RT0orUXc4UzlIcWR3
+            L0VJZHNRSW5VdDAwVU1GWE5FUm1DencKLS0tIFhaVklqSUZoNmRqZkV4YUJoTTZi
+            cEtEN1ZCZW11eFZrUGlQd254cHVIRXcKiYx1tsJ5Y6kuOZLMooV2lNXb83q9FCvr
+            sOm7rWsMjWb083QgbiWpkY1ndMA6bOODDVII5HEKypy6rp1IIytScQ==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-03-31T14:34:54Z"
     mac: ENC[AES256_GCM,data:sjWiO96NcFUT4L9mdBuQwt6Zl5cS16o73zes30SYJxzM1R3ZBIg9oOmhXxY9BC3yKjEb6bVuemj/bnnopSR/m3RPH7xfaYCBfz97Zgc4SGtoqLIra5OUCRpWnKSsD6Nf09Qss5Pbla9EIrI0kQt7fpf4iKLF7VJwrQryslnvfcM=,iv:ilnbLK6sttweEyqszVHxVnjbTq8jF5ZTO24OEIPMprE=,tag:3XgAlXMl/RIaUfkVwHJeBQ==,type:str]

nixos/machines/lobon/backupKey.yaml

@@ -8,29 +8,38 @@ sops:
         - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaNVExTHQrY2h1M3RZOEdU
-            Wm5kdDBHZ1NmZGpQU0VOYWtjOTdBVURQZkJnCmZzWTEvSWxvMFk4NlFOVnBDbm9q
-            Tncva0VyMGVDL29ZZ0YxeGE3RFBUS3cKLS0tIDluK05NMUNNM3pEUmlCNE9BV3lT
-            L0dPYTBwbjJzUmJnYktiM2JBME5LM3cKvPwth4DxQgFYhvr9vJLfeaiNc+UfAo4c
-            RdXPLkwtq3vksrU1IR54tHcUJ0yZiZ1HxxGp3PCPaXXJiUykllnJPw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5TjF6RzNpTlVOMWlmU0pm
+            YUJTZzNBMU9PMlFsZ2dyTCswR3FJRkwvb0c4CnlFc3lWeHpYRVl3ZlJYWEtVNnNj
+            RE9RTWtmbHFvVGJ5QUkvUUNjU21zWmMKLS0tIFVJMnladmwreGJFYWkwZU5kd0RE
+            L1REeU44a1dkbDYyMFJXSTRZaGpzRG8KtXgSQsLBYln5IvME2hL9ih8arLZBZS11
+            dKAXCO2HWxP4lOBOO4Mpzc/q4iyLzq/n7HLamrfyfT9HhjDtP39MGg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRdFV0OVA5VTBuOVhsL3lp
-            MFpDN2RHVDExck5vcWpDNDNPM2k3S1FqQUFFCjNreXdSbDFXOHJ4b21mNGlZb0xQ
-            YUh0WVNGN2o1aFVaaGpxbmk4aUQ4ZTAKLS0tIHhtci84Zk1zZlBOOHk4a3VKUlM1
-            MXNZbWdpVEJiTTlIRERLYzBlNWxBMlUK4Z8JLlN5FOegfdg5njhHjbCwAm/f+kJS
-            buOHGWzWirW0ZibOP+fikzJwdIzIsX8v8tGaV89nQwf0hrxK0748Hg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQS080clRBemY4bnRhdm5o
+            dXpjVjI3YkpTdVZHbXpsenBweUtMT0lZTWxRCmNzbk5GVHdpd0V3V3JaWVYwZEFM
+            SEdRV1hHRGRpNXh1TTdxZmR4VlpXRkkKLS0tIG83bSttTDJLa3NBRW9tMjRKR2FB
+            WmJ0Ky95eC96a2pTQ3FjaTBKTVFhTEkKzW8WguQ2wO93DLETao6FDxaVRshz+aqZ
+            7pQnbun/Q+Bu3GT7PX1zFKjNRem4pUI7wYzvhpAUwmrs78bc8TUH1A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1mmpdvzy6d23qyhrl55jtv3c25pus2wwfplx9tujmqps2xsreuv8qwc6gv5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxcUpQMmZDdVIzTmdNUnM3
+            ZVdaQlVkTmdjT1dBZ2ZPbUppRkg3WlFMYXpnClMrU01LOGFNTmRRMmsya0hmQ3VZ
+            S1k3bGFSemZDYzZYUVlXUnFSYzVyejQKLS0tIGR0ZjFyWmF4MitNSlZZdk5lYjFH
+            STRvNTZ0RG5pNmdaNmcrZ3AwYkFjU2sKlynGN6YUeNQiyWWuspphLpgcZbC2Sqkj
+            8E7tWHSWqIc6rmuRi9+xu83MDL4197wlidT0IIZm/tNO36u85fruXQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age12nz7dtc0m5wasxm4r9crtkgwnzvauyfp0xh0n8z8jld0arn9ea9qe0agvn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZa2pUZlZsVmhPU242d0Nj
-            bi9BSlJBU1Q1cFU4ZjA4NnlJNmdwaVFBc2xNCjJlSG5UaDFnSzFHZ01RVVNjOHY5
-            L1JVUit6SThvbGRIU0loNmtZanllNXcKLS0tIFhMR1pxRmlGQWFEQURiRFJoMWJZ
-            dlExV2xTVWR6bWI3VCtSdU81SmtqYncKLFQczlIj89vzlfgE33w6ktotYFdxaWr9
-            YyewbY8qZmOUGQ4xKlZmhojeMh/FEH8dGNEf1AxnKbuQdnW6lqGR/w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzNHNhUk5zdXlGS1huUjk1
+            UnUwb2VFOE9BaEp0ZHlpcDJ3M0JtdytFQmpnCkNKYmplSDRIejVoV05BdTE2Y2NG
+            SXVJWFZ3b1hrVmwrUDgwanVHRDFxb00KLS0tIEtLMWZDQzl6aUFMcHlRUi84a3ps
+            cWNaUEJJWFRQU05RcS80ZFN2YnlKUGMKdBvUcdULwbsoo/n2tgow+qDlWmJAJUqP
+            wcPf1SiP0i15jza2+MU1MzAfv58uwfvAiA2kdHawLXtqv9nZD0qeag==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-03-31T16:01:00Z"
     mac: ENC[AES256_GCM,data:AawTzIXyX+3FyFpw8pXFeVJJtXN7ZpTFnUqhedC2vcbbNUzMMt1X0SaxtNNJ5chZI/tYHn59FT6zznl1eO4Xn29Zc2Up4dkT1BE4yqkEG0hiCFXrXMz/PaHfROzBhIWCVyF4fYj6MZKg1iBBxhWRqhJlQ1q4UVkoaITRUKpFJgs=,iv:3lTPOQ8VjmP3WNGbFK2yLU4Ks1KviNS/l7TH4SnvSUs=,tag:KUbAU6+76/Uxj2Wn9EnqnA==,type:str]

nixos/machines/nyarlathotep/allowlistPass.yaml

@@ -12,38 +12,38 @@ sops:
         - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpWW9FZHEwejRaRER1MHJQ
-            VXgyaE1GQmhhNFh1dEtBNjRnZXVqWm5hV25vCjliank4KzFobEZtbitzaXBhT1F6
-            cCtqeVorS1BLMmMzZkVVOEN6NERFdDAKLS0tIGkzUUt1NnBUWUJWTy9Pd2FIeTF0
-            cDVaUHowSEpoRjR3Zm81Z1p5NlYzV1kKMRvC7+3TS5EKjWg/NPnbwvVIikxf+Bpa
-            zNo9jhw3GREMScBXOiarm+xgMZ1e2SRrLrUwfR4DiXI4uvg1Jk/tPg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiL2dqdWhPRmFHcjhqeTE1
+            YzdPbEpHMmhzVktPVGxKcVpZYTJ3WjFhcWg4CjEvclpTYVJ6YUhKeG1VbzRYVk05
+            RDUrcS9NbnYwRFlwSXY2UlVJNDRwcUkKLS0tIDVoaXQ0TFJONVM1WVg4VUF3dkdu
+            SVFIS2taSGV1K3o3SnpIRERaR2YrZGcKR3QRXITbg3rKZLAiZk/m9saT/46jULEo
+            a7HnyFBYYdEcHxs1KT3FfGTRjr9vLRmU5+KNcOo1AYM9xGERmqOjrA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRYk1LQTVDNGhHWXJZSmsy
-            NEZ0WTNlek4yVnRwL3BKNXYrcm84SzIvNlRZCjlDdXU1a2NRNUVHZmkyK2ltZ3pE
-            bmtmVE5TR1hBcVNhaTBGK2F6VWZ1d2MKLS0tIDVKcXhDbjBncFlsR3FzanRhWWQv
-            Um1jcExjN2RWbHhzY2ZpcWVTWE1IbHMKfRSAmfbk+JDWdhSTSg9GZ+lws5DOHv9T
-            ZO9nQV37X9zFD6sXDWaspG3sf4kJZUCbWjCTKyQL/xmh4+E8+CAXYw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZVXZoaEtpZGF1OWViK1A2
+            OWtQK0xGT3crYXZzZUhpc2hleUNmY1VKc2hBCml0RU1zL01lWWhpUmYvQmJqKzZF
+            OFRMSkU5NHVSL0hiY1B3RXZvUTZtZDAKLS0tIFM2T2szQUFCR1EwS2FLSFRsTXhI
+            dFFEcDFWT3pWR2JUNFpmTDdaZm85aE0Kh4PD2b/cMOtL5k/mBzqvympY9iD8KP28
+            jF95w5ED53hpTjYJmeTC3Buk1FcTzSitt8MT1RGI4SqlF4D/230bbg==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
+        - recipient: age1mmpdvzy6d23qyhrl55jtv3c25pus2wwfplx9tujmqps2xsreuv8qwc6gv5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzOXBwTUF3ZXJCTFJOQjVC
-            bGplRDRCQVhtUEJPcnhENEF3UVVnbmVKNnprCjFOZW94ajI2d21RamZKT0xFMmtZ
-            ZzZFYjg3WDBmOVhlaFZyOW83M1NYVXcKLS0tIGltWUJGczNJS0pWTmxaZHU5Wi9t
-            TDRCdStocXRvLzBPUTd2blZFV0IyblkKjufZg39n/TI6BhGhIFNz4jplUx6u3/bo
-            NMbr9uJy/I1sdlfGNaheG/TIGOgFG1KqGkGdwpisU3gUD9uMUo1dvw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRmNQblgyM3hqQnlTeE5h
+            d2xOQ1ZUbDdGY2VJR2tvSUdBYTIvYm9zNm1NCldleVZQRHc0bktvcnAxSk5aOVI5
+            UWpWOGdxSFN0V2g5TVRoc0xGaHhZL2MKLS0tIG0zNmRNbWp6ekxjTDZzMitJK0x0
+            Qnp3ckswMmdzRDhBUzVDQ0NLVkFzTUEKsUE9u8fzqEOhbIffeF1nhP2yPv21yZoN
+            llKJ5FDD1/SFmRlxTLRaAOXxTFbVwwexh17i9bGAUKyywyXXijZcSQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdDdsdW44ZlQyMzdJNmsv
-            aTIzVWRoSDhzamlqTDFOemZlc1JQMFdZbFJNCmVZbDVVaDBSVi8yTkdOQ1UySy9X
-            MlhXTzRvNWtqUzQxTlNqQ2RlN2J1OXMKLS0tIC9aZEZMVkFybnRTQmhpM1dzc1lt
-            bDdvdHc3Y1NmeE5WUzl3cXVRc3pmOUkK+9WueS1wDQDJlenec4jJCfynbPnuOFYR
-            HFsWmvEZJ+XhH6N9Q0phCHQgZGiR67FH6CHkCblmb6ZfZcWSEe1oTg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCMUNURWlHYnExZW14d0Jv
+            QXIwbklNOUVUQnE4MFUwWlRxcWQ5d3BlQVJnCmUxbDVhVkJ1WWlrT05FUWF5cWQx
+            K0RKTnR4bmlBSSsxYnIyQmwxT1MwNmsKLS0tIGlxclVTMXlscTRNRVFsdjBUSkZF
+            MWhDMU54Q05EK1kyNU5pTjRWeGNtTjgKNciChLoT3SoVSSVNUqQwLxTM9HeTQeHX
+            VUEooMETXOkdcnRVbJMz1nIO9PCqFNXK0DA75fkpBSYpAGRsVZZ2UQ==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-01-05T13:49:19Z"
     mac: ENC[AES256_GCM,data:i7t/Hb5aW0lIvPLk84geQ792uUGP25vX8FC7kK/3H19tz5i4zsIcvl1d+oB5gJ004gP5pRogcuKL1xHUUl+A0UXXNzRpxc0BBVZaxnIhjfPunORbmZeJQRP298tQpvYYqI/pGhjrlit37U9jecGf1l12Cgv97sGW42d2F+S2Soc=,iv:My21fMF3SEr6mg2+eh8KA6B8tzmQVEDy2BG3hfkafrU=,tag:xdU6j8ti8Z68rbiRxkj7Pw==,type:str]

nixos/machines/nyarlathotep/backupKey.yaml

@@ -8,38 +8,38 @@ sops:
         - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSGRWTEd6TVAzWjk2cHRn
-            Wkg1NlhxNXVYVXpDdnFiWmJSejE4SDhuZURFCklQWUFiaHZvbkZ1T21aZHNuME5x
-            NXN1ZHBoQzU4RUc3Y3lJVnMyRjluckUKLS0tIDRRVTdwcVplUFJmajkvWEZ0UlFJ
-            ZWpXTzI2NVhldnRrYnFybzErZXBQaVkK4hi/aksGcLlELTUPjJPoVR518z+Twt6l
-            RCFOnLsmsRu8/pigphbGMjOxYPsEsEpclU2vAobL1H3nPE/uKt4t/Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwU20wVE1YVEtYYnl6OGNu
+            NzZkNmxDQTNzTXFNdDFTM3RuZWdPWlhLSWdnCjhSVTNjUzE2bGF1KzhpT0dLSXZN
+            Wk9BODZGOUR6d0dzQ2FFQ01tTS85bEUKLS0tIEVYYU5jTDBVZkRkZTFUUTJmTGZL
+            eUJUMGpjSE40SXZ1SXhKQnRJN0p3OHcK+VCaqOcWZcLA4NW2G6xRGqZE4pMet5GF
+            68v9wJvY765fZbBMo1GS9ImxOrXSxqqXPI7XMbFnUskNthd6y1y5QQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByN3BGN2IvdkhkcENJZEJD
-            OStNdWw2Q25hSXZHcDczRnRUd3h1ZGhDODA0Clo4cktoL2FUYmlkY2JJZFp6bkVS
-            WHdFeDZxSEU3a0RBMmI3cGk2N05hb0UKLS0tIDdDOElueDhPR1pxVEdmaTg3RVgz
-            eHVGak9sRkEydjdiam5QWHNpRG1hTnMKWqSIdNP6yMw6xoPqmK9Lss2Ztb72T7+l
-            bK4VYCnyuuQ24AhlVHLZdbRbk4Rvp2V7bCTWwTNamrRMJieLMZwt8g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOK3MzU2s2QXpOblNSRUJ2
+            Y1RPM1p0Ky9xZUtJVVdEWksyenVKTG0vekNvCk9JZkFHeFhhM0piNVJtV1JqcHV3
+            WVR4Q2Jkd1hxN1N4TUxoL2lnSEMrMDQKLS0tIEVjTUZNd09FQVpxTXo5SXVoenJv
+            UVpqSW9BN3k5Ti9HRWlZQjdCVjBZK2sKv4EDhNZp8i6X3kh9ZHprazDUyeMwxeZv
+            +2cPHo8n2onlYBayDvjWrh0RhId2s8WOC592GMoyVx4U1YY/qxTJFw==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
+        - recipient: age1mmpdvzy6d23qyhrl55jtv3c25pus2wwfplx9tujmqps2xsreuv8qwc6gv5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlNmtkRGlCTFYvdEJWZEhv
-            bXY5Z3ZibjRjQTV2c3R4OE1JSXBxeTN4Z0Y0CmU3aUVNN0NEeGgwOExvOFRDc2Jl
-            YlQ3dDJtQ1hvSHNFSzNyNGJMYklrRzAKLS0tIFB0Q21WU0hkOWxLajhRdlZaMGFN
-            OTYzMW9aMERGTVdXUnBZM0hxSzBWYTAK0k+pyltKHe6FfdYPqAQcax/u5r1JKP4q
-            C8qXIuAXY9FI4mV8xyuRZEIDr5A2y3hCCilieGr1KGkAwBZyZhQy4w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRTVMZWllUVhMM3FiRjR5
+            dFRuRVZ5b2dxNWxQYTFXOXJvZDZLcFlXQkg0Cjc5ZUphdmlybEgyYWc0dWhzdUhn
+            ekg5bnZKYks3c1JBRXpLeWtyUWt6M1kKLS0tIEN1dHN5TXU2azgxZ1MzeFEwVmM5
+            MHZ5SmxhcjZHMzllN0phby9McjcyeWsKSljECJAJ6A59UJFR4uzZU2o6cmAOhB8+
+            jIfZYIVoKt1GSp6vPBg7XejkeZ/e1FlREWEZ+9NxNwG1G+2fps68AA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZStjM25VQnQ3Y2d3Skxs
-            K3k2NU5yeXUwT1F6SmNUVGpPVDUxeHdKZ0JJClFYcUIzazZ2R1BIbElWS3hCeHFK
-            cjFRY1pIL29YUktiR0t5bm5wT1JzZ1EKLS0tIFRPYi9veS9RZHhIRHNyZjZvL3JY
-            RTk1RE9GRitTMFFoUUQwOWtiTWRwMjQKkoA2wiTAholKq7ngDE/OWZKHjFbDg7WZ
-            efax0e0/riC3EEyvR3kIfjCenc2GBvVoaMgzD3Dra9Gz+3JpM11/+w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKeWhCR3RqVHVLTnl2akox
+            Yk9tTXNnM3B6aUlLSFVyM3JCLzh5cVRkcVZnCk95b3FPVzNGZHo3Ty92WE0wMWFK
+            Vmk2ZHllVG03aXNFZDlta1BWcFNOeVkKLS0tIDFsRWJmOEZ0ZGN3THF6U0ZqUEFG
+            cC9ZVEFxUUJIWXRvS05PdXI1MzJob28KoehQSuQwkbOQyYMLj0wnHKo2fsqF8IA1
+            m1MhZbCeBti8dYshRc6C7ktYHQgZ011+Iu1v7eZD33wLvNPf7CUxlg==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-11-23T09:05:51Z"
     mac: ENC[AES256_GCM,data:yYBzhvg1g9GQk+Os6wkzNE3FyXIp7N2AnxuzPfexoA0aWXhYD2zQ7ylTiRGZLkbSODezXT0pD9sjYFN8yTXuY5HMIlCYSCPQGIUblZKRqB0EES3JyhQ4bULCMO7pXrsIuAICzoWM9vn7RQ9cVbL3N2rocYiSURhsGuMA47d3QFk=,iv:xS/am6/hLq2sQGB+vMzS6ZqmFr1ZOIDj1l6b56nVMhE=,tag:erNYX6U4/uSlSUBpN7kKiA==,type:str]

nixos/machines/nyarlathotep/configuration.nix

@@ -15,10 +15,12 @@
     stalwartAdminHash = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg";
     domains = [
       # lists.mathebau.de is forwarded to another VM and does not need to be listed here.
-      {
+      /*
+        {
         domain = "matheball.de";
         allowlistPass = config.sops.secrets."allowlistPass/matheball".path;
       }
+      */
       {
         domain = "mathebau.de";
         allowlistPass = config.sops.secrets."allowlistPass/mathebau".path;
@@ -73,6 +75,18 @@
       group = "stalwart-mail";
       mode = "0440";
     };
+    "dkim_rsa" = {
+      sopsFile = ./dkim.keys.yaml;
+      owner = "stalwart-mail";
+      group = "stalwart-mail";
+      mode = "0440";
+    };
+    "dkim_ed25519" = {
+      sopsFile = ./dkim.keys.yaml;
+      owner = "stalwart-mail";
+      group = "stalwart-mail";
+      mode = "0440";
+    };
     # password for https://stalw.art/docs/auth/authorization/administrator/#fallback-administrator encoded to be supplied in the basic auth header
     stalwartAdmin = {
       sopsFile = ./stalwartAdmin.yaml;

nixos/machines/nyarlathotep/dkim.keys.yaml

@@ -0,0 +1,40 @@
+dkim_rsa: ENC[AES256_GCM,data:cVzKHs/1H/8UL2aQ6fiXLFn0Y0yTGUUss/G9NiXtJMwWpa1SDuONs6CaplWF/c1z8Ph4b4GgQQHQqXGKnZIacpUlv1C0y1W5rr4DNqsWQ9F1Ncx7NIZDHJ3nQ2KKXy+I7NgxwdIuqBtg9ZticYZjf1ArcWUGnt+UEDmgXw4fSo05YS+scg0o5hyrkrduZntBBlUu8hH0qMrE8usptGAmR+iwJ33U5Xan0G0eURVCQJ9xV7tUkZERmZi1TtEmuKa7TCTzNWTHWjuDFRdQ0u6EWajCVa8/UcswTKuKLh0h9OU6DPt8lHYgshiSF1SRRiDq5ytjAFMMpA0hfrqpDx2LQtnyZIv/E8ZGtt5QeikUUTgLMmrqIkMddGufPp8lvFCLh1dlCf1QuiQQmNyMsNPAuu5UzUNCel4ideJFYm3hEoPUQ8uHNmujCOi89NpTwFyp9p0By/4fGWFPezn9VxOKhID0/zKUHp7jUAbZT66XbyDmv6TG0AYGNWhWsrjcCyGKCybOjV7+Wm5viVDFY5chojHciQMG/nEu47vBNJwUhAD/r0T3hisfixuh3rtDvj6w/UXB6xkQi8TDyfjWpZF2ay/DwNcK0HAyOfAYyXVWU7Ck2D8NY3+YQrxaYhY/GAjBM/R0n/dpHBh9EInlyEFhvZhB5KwEuaVHSxtcudFxt5IZ8wzEC8PZIuFHnPJDXfjth5SjzVaQ6tBkvof/eMQmc2XDMofZoQODPOYL5RUifWDx7fQlgsKgLmhR6PgWigqZxis4V7XAT3BiqaYyxxdnYK08mR7dmm04o+TPWx6gQ7xTpW0zoufetBglwuxdEuzWoaTEs+vH5YCJfEdZ3ddk7IT3R8pTC3YrAIrD+IWkxolVk4nUvYWkaO+7pVSGO/QFI0ZaHDV4qK8cCD2p315LecL2bSnymXPKuHCGQHauwvgyGgja5+fs7VtteYPNLc71TONAWAV4Gh+LIejKDe6gnovEkHSKU1/q9qkELMTbnjYLM42CRGfg9K7Rf0ywwdv654yQr6wC/+wzDLcfmcqjiw1a3woEecAsqQ+RmpiFq80eCi6ZZCnLCa+kseV1+j48B1lwgQZg+9LwrV8YHG0ciW8IxhZ9O0wUMv/o2Udwo+NfA5iha+EcIBSr7VoV/PVIKZSpb3JeNbfZ/AwOr1y8/LyyoX7VtvIK8jOdulpOtwHAZ0GX5dYrH/gWgjdyfVbd7irehO15y1L5jbNulzouv69aLYwwQxUcmRK+O/krNDDp6Jy0Clz6+di2Lvm8W7ykk7NwMgTqlyUIi7jWTC5xEzY22bANqMuyE2s1sFdfxqLY7Tbb5PBJ9uzy45mwbM0760aOca1fAawwfwgsL4FkgHHQxn2SIMxmOB3+5kgCrelLKzk3Eu3Hq58rW53oVX+hSUd9YGLuCN0Re7+kybkHfWF/4r+A682Z5Zp5GLla/kCntZDPYODtz0Wl62AC21MAGv/RKWaUGWPaktx9M3w28YHa+mffuiCUSMdlN5TB12TVhsF3BSQ9rNztEfSuEtZzS8HbarsGg25wuv6gUQ36whBvgjmJJ/5/7Zc9a+l/mhKIblek+U+J5oKkQkiV3UuUdGzR7iYMXE9skt1b3JNYer6BaJQ+uaiJQsu4KVWj4H3G47owbtO9q7JMVnQ9SwbjuGf8tge1VV/ppD0t3Ay8S0bX+fd3dkDRR9zEG0UfKuWvpsLjyBqs+b/tsntMMB89BRrle4mZFhKlXVorQ7n1KV8o+2KC4y1Nkbg10HcPPQmsL+YGQG3OkWixpslMeIv8Y89RjBVxY/5A4BiO9FIe0Zt+rpAFUoFLvujkQc7Qau+b3kRFDk7agiETblUQxYMSPu4IqMxS5OM5mlahcsfEaYFn2AT9EBCGVi+ZKu+rufcsVkMf3TmOpMvXX+u7db8EvC1iosY5UUP6RziFd0WqUHbpRSrXXusPm038ddM5iifw5dW4s62cWfrcGZInD2mWwVXDtg3lDgAZZAK3flIMFnaTi1XTHJ5YrkrUm/DpYORsCXm2sLYPhUGdYT5OXYSjR6/3D6VyTHoxODLQSbc7t53LePFNw8cXK26vw6hDl/34ZE8NzE9RKBGI94FlX26VupYdcMdVWs5Ko+Q0ooFpYKGazDW+lLXWX/ntRODDcm+c0MI5Bq9zSt6b1WKoCrMZpDYEjMdjBdAdiK6Ia7zlOdOZwn97Xp1Lav0G7+eO4xwSTS/busXsOBSAKhk/Q3njkgBtnDuI71U28XP1BjGaTEQuXM0yJ0DX,iv:QbZVXp5FQhmYZvXxXNxWKrNm5GqM+2P3a5pPk499mlc=,tag:F+KNoPRnoLLhOpEj6Czj6Q==,type:str]
+dkim_ed25519: ENC[AES256_GCM,data:cZHm7bVpQ/VhYLt2CnNk9364k+J5ybgSLrR7Vm1GsCU6JcAvHl8Y5R7mqwgS+gTnHX7K02GuIGXa8909/aEotE0ZMY5irKJ25SGJqTaqQafbiMOz65CRQh5trtcMBF4s4wRYOkDGgz09KkELbkDHyQZFcrGqvgM=,iv:p9ROj/epqR3xtrimXF1onJJHH9JUqNG9z1MxKVu9uPg=,tag:m53rXkcu+ernS5JX+k8YcA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6VnhvWHdsZWNHemlueFo4
+            L0xCTGp4NlRuU3YwRWJiSHFBbmtURTNMQkVRCnlSbFc0Q2xINjRvU2tQeStQc1U5
+            VElxcTVuNm9MUm01RkpGYytrYWg0czgKLS0tIHZqUWhkMGRNNjJvUTQrOHBpZXVS
+            NlpjeDQxbVZIRHFCcmNtT1JSVHp1K2sKSNcC0fcOar/KKzs1twaozB8wfdFT9OdB
+            4quV/ycNpJpfs6+2r0RTLBxYFyusybu1swosAni+PJsRXS82+PTXHQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsUTUzYzZuMkYvcTlrUmRK
+            aStnak5IWitFUSt0eVBQOHIzcTlrMFRFTjA4CmlYUTdobXFUK2tYMWtFekNqNnhp
+            R2RRRFdHc1p6bFVjYU9lbTRBeEM3Y2sKLS0tIHdsRW1wR25pVkZIYU1yMm9sQXpr
+            NFhiN0pyaHVWT1h5eVFXMWZDb0sxUGMKIVkYYheD8F9aaAyCA+m9ZGlV8vKbAW4r
+            H6FUe+ats30abxoYfHZfMJv17BxJtpodksSxWjnPYm0dfRf/EF/vSQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvU3NzY0Uxc0NhY2xJZyti
+            TCtTS1crV3hzMXZNV3k4cm0zUFNuY2tBL0dNCnNpYytoaUI1eERhdG1PUlZ2eE5C
+            R2UrVlBwcXR2L1VNR3RJL1lEQmlTSDgKLS0tIFJyLzhZeG5zejFmL2VkYy8xVEM1
+            U3QwOXlRdU8yd3ozL2hUVzRXNGE0bDQKT7SLAqICsbFmRUF+3s2avpBt0dLUbHLX
+            AgQzx5v6GpMMNwCkCrOnpFX6al7zkRSYHe7hbn03BBORz9mPHek5ew==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-02T07:58:00Z"
+    mac: ENC[AES256_GCM,data:OvERjDFfHTJbTfwq9BmXBQy6pjeyIhao6zP4we0KeYL3skbw4+aaMixjUFzjauby0C7nJjEPBSk6pwK3lN+rScS5g7J8tTNtmhfEDQbfsS5zNDKzIQjYxbUbDr2cTPWwCA73gRGMwLbyNvdfuEp46jNV8OJ8km/y2nyG9lDcBb4=,iv:0RSU2MdZWiYEapwXGzevP9/vc/Sk1MS6a0MnCRQyIs8=,tag:vvngXS2IRzH999yzo4JyFQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

nixos/machines/nyarlathotep/koma.aliases.yaml

@@ -8,38 +8,38 @@ sops:
         - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBS283ZTdKVTVLaDRDV1N5
-            SGhJQjJWdXJzc1l5OWtCWVdueTJMdjZpUjJzCmtUZFRYR0JXTW15Z0NyMktEbW5w
-            dkk1TjF0dVQ3MlFhNUFTbU0vMFdySWcKLS0tIDZPQmxSVGYzT2dDM244ek95dk9n
-            SnhtQWJic3B2YTM1ZlE3SHVRSjl1YVkKgUXW7JW3WSM5EusBoxQMsBRGwIqqi7Lo
-            DgWLq/P1rruuqRAS8hl4cht3jz6PlCJgVh2xpaM/kfkFS8ZuhVFw4g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLYmxCQk5RdGxjb3YraVhS
+            NGozeUtNZjBISFArMk9iT013azZUdUtkMVg0ClJ2dFpsUTRoWmlaQjFTOFBuUnJ0
+            dEZhSTd2c0JRdjJDdTRacXRMNk5rWGMKLS0tIDQ5eDk5NWdiQ29Qd21jcXE0SWFI
+            Yms3dVFmT1NBbEZVNENraDVzcmdCYkUKXUpP2S1BNrZNVJWpHOeRljieo0WnGsfF
+            DKsc+3Xa2T31ISsErnM2nC+ie3Xwhd/W+kzvWaIpZDw+jYHreVTM9g==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKdmcyM3hSUFdlM25UUndu
-            RUhzdEhsakdEdytBUGRyRTFXRzdYK2RBR0dnCmJqOTlvYkZkeld3eDYvRmRmUU5u
-            aHArR0FkZWRtT0hoNTZpS1JmaTRHencKLS0tIGVVSWN0NWQyQWdrcXdQUnQxUjdu
-            MWFZWVQ3RmZZS3FnRkJPdDRrOTZrWG8KVgFqfeBLw5gTBKugfnC4a5OLwOhosSgy
-            3hXbGMrJiBDwOS+70H3L+IwiNSoJ6mL+ufShCTq8wER2L9GTteI8gg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyVGN4bW1FMGI5elpkWHNK
+            TXVEOFh1bWVyemxzS0VOdmNVZFp4TSt1d0JzCi9ZQ1ZJd0FoTGdWSlEvTVh4VmVU
+            MHNDVk9oYlpVWlBvTktJbWRJVXFvSXcKLS0tIEMvTCtmdldOYk0wTlUxSXZqVGRn
+            V0NZYmQrZzQ4c2t1OFBKazY1dnJmU2cKHDw0nsK2EODeR6/ouZXAgxIXTf55iI87
+            mvN255aANofIKW8/by2mECU7fRRkI1gZn3lp7vy8iUPb0979A795Vg==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
+        - recipient: age1mmpdvzy6d23qyhrl55jtv3c25pus2wwfplx9tujmqps2xsreuv8qwc6gv5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzamM5TDVQM0hnZklsbncx
-            SlBMM0NpcnBBai94czV5WE1Md21EeE1kVXpFClpDVTRqYm5rWFhjVjRPQm1IVWxW
-            WTNlZFo4Y3VVNjZhckZ0RFVlQlV0OEEKLS0tIGJOR3k0OUorYTNXL01KQWJBUzVD
-            V0xidWR0SnBDM01hRlkrTlY4eEIrc1EK1Hye/jrQebkEDQ8muJpgHqBLefjnEJPF
-            GxdANetJLuZeeiOUjaUcbP6tecqZpiWN8fFEXrjNL4vnrHvJ+bR1aA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArUW4xTi9pL1IydVIyL1dj
+            SmJGYVhaM0swZVRSNncwdjY2ZlJkeUpCRFZJCk1jU0NnbFBNdzBTVzY5OE5MbE42
+            OGtTTy8zcTlkZlcwY1lpSDBQNEluZUEKLS0tIFVTWHZCZ0gxM0x0N2FPeHNuU0VO
+            U1JReVBqMDdrTlJ6NWhsUWpqUU5RREkKjEBva2DIWC8b7FdE/78zWeBCjHqBXY0S
+            c2gEh8aHDoI7MRndSqoye6SLmqZsF5SDAcPT8BJs9OnXjB4V8t+iQQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqQURCeGJBYytCdlhrWjF5
-            c1ZrbEFENDF5bTNMaE52SE5CS1dVdWJCNlFzClZtK1QxOWY0dEVRRWY4MEtlZ1N1
-            eGlaYXVLMUJiUi9FckdNcllBRCt4cmMKLS0tIEZuOTZQTm9vWHQ4Y3Z6RVloT0VL
-            OW5ZQWIvU2x1OEN6OW84K0dqRmhGNUUKOA3ugnG/ZD7m1DKrFjpZ8opPnjPtLaQx
-            t8qgGuQIoX6KeUb+YybRAOAPPzl51/m9GSUB43Eanm/tVJpdaew7/g==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdWNRN2dRSHV1a01pK0FG
+            MjR4MnEwTmhQQ1dKQUNoRnFvT1ZnRGh6UVZRCjJsdDg1QkVyMjB3SHVlNnBITDFB
+            V3d4VUVhNFVieHpTUkwrKyt0Wm1uNzQKLS0tIHRpZWZaenZWc0RPUDF4WFUzTWlQ
+            cEdrMFEyL1doTjA4Kzh5cDFvbGxFUTAKplJpFXx3UJ102IBvvaTyNPbZ6t7MM1kr
+            ORpuT7HHgMSfT+5EDEbUGjyGbxJIZu8R+bv56kW0nJpXHXUPdLqQ/g==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-02-25T17:41:29Z"
     mac: ENC[AES256_GCM,data:lZ9AXtJzVuc8Jg9L0aGhS18cs8pTjOG/xNP2tG25/7/PEdEV1SNwbxubGQOFAHrNbiDbmJMKJq96mhV8e3tHszlrzQnU1uyu9MrWiAYwV3CjmwSqC4J9ezSm/AY9e9+OWKn6sb4RVsz9A7aDGUhhoZMycnPNRKlpTuzdTIJK98o=,iv:LxSsZoHkJ2HFXBLWkw+SUb/LYW2ciE1DtzpoV4YLOwQ=,tag:QeYmreRGZk4PqlLWJLLD8g==,type:str]

nixos/machines/nyarlathotep/mathechor.aliases.yaml

@@ -8,38 +8,38 @@ sops:
         - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjMlRsWnkrREVaQitsWHMy
-            WHZFVG1qN25QbWFHcUxNS1Z0SFRDd1oxeG5RCi8wNUhkeWh2VjI4ZGowM1ExaExh
-            SE1yVGFTUHZadUdDL3pxaGdKTHQ0VTgKLS0tIHVNM2xlOFNNS3dFalJqZUtPODRn
-            b2NOTHpXSUVyaFRJNG5ONCt0TTVjOEkKYld7KN995QxdrGBVRYgCxO7kGwsiq+cp
-            iQJTjMdoFygIrTkgE5Rj89/GCiVe0+yAWJuQF7PEnC3cyq0M1g+fzw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnamd0eEV5ci93VE0wYUFk
+            WjFKdHlvdUUzcVZKOXZqWjlibFlWbzNyY0EwCkdibGxsU2I4YlhkTXRtRXpQY3RK
+            V0E5SEZaMVJHOE1xTW5ubzdvZEJvM2cKLS0tIFlhekt6b0loZFkreFRVQ3gxVHhp
+            MFZ5YjRlTTBuUU8zS09wU2pVakpXc3MKVg6OF8lgYRzlCgQs0/YADdQkKeXITevl
+            LnA7J6/rCLt04YXlsp2GzvFJpXTdSVU9E7MV+bNS8e2ilgpFiBpZHg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPRFJCeXhwQVFSWmgzNHBu
-            SHlTTGtiRkI5bmhKa1B0QTZMY3FERmlUd0FBCk1vOUpydEFZUExpR2hpWm9mRHpE
-            dk9MQ042K0FpSVJ3dUlQcktGT2k1VjAKLS0tIHpGRmwzNE01YkV1TW94RkNmMjN4
-            YnNXZUlta3NMVW9Cc3V2T0t4R01RSlkKNTW3gnF49BuPwF3jwciOYThJe+gJa0a6
-            WKYt+aJuHi0a4y5rS/wfttij+hS5vYVNOrgfJ5bGinkNuAygA2hMOg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWUkVPMkd2UWJha2RuSm5B
+            UlNGNnNiSituMldmYUhyT2RqSU9XZThySFQ4CjE4eHFIdTJEenVGeHJDaG9LY3N1
+            WTNmVWNTcnlFZkptTGsvdzBLeWNqdkkKLS0tIEhFTUYxdW9ERkpoUGdVYVg2ZGFv
+            a3BWVThndTcySTNWclZ2bDZqUkhMSjAKcwml/zw7suq80SiC2ll1g6TZ0Z+lYA8w
+            cKrVjXRbF8hZJUafcqnkeX2UlAWEriRfSFRksWlJvU3bKpXcpr+eGw==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
+        - recipient: age1mmpdvzy6d23qyhrl55jtv3c25pus2wwfplx9tujmqps2xsreuv8qwc6gv5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6MjZOR1dwb3RjZnlNNW4v
-            SzJnT1BRVktWNDI5S2Z2NnhQQzdNeS9ralI0CnN0SU9ESEV3ZCtRQmpZK3VZOGYx
-            Y3FVUy9zY3RZcGxyVmttVzFJL1haYWsKLS0tIENGRW1KZkpUdldOZWgzSXVoenpX
-            dTVpNUpWallSTzJ3cEZJTXk3c2t1czgKzJCwhMspzAsjzwSRdSPUoseEAsKp8HFy
-            cL9if92ar68HMHTdoy0Zvy+5AbxKUxgXZ2t8cDgkL8bNG5Ri2xYaUA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUTGhoZmhBcHZMOUxhSEhR
+            TXYyd043S2ZVWlA4d3dxTjEydXQrR1BHQVNRCkZab01nWlVtUyt5ZkxQeGw4UEd4
+            c2RwY0IxVkRweXhoazZEU3hqRkEzdG8KLS0tIGhLQ0ZXaDdTVHNpcjNYWVZBL3ky
+            Z3cwSEo4OWpxUEthMUs5RkdSRjM4eTgK2H3gbR7LFy4H93MGVeuYT1KyIfJVT7Vv
+            vVj+uj0iWvEhj7KRGzai8KenwqyQh8bjLdV05HvV+EBNNRpIvukmEA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNm5xUGkrK1dYd2ZtamFW
-            NXpNMEtvNTl3U3MzeVNSbVJOdGdlWGsxRHlZCllQVmNtYzBJNDc2Y0dmUlNsbTF5
-            RHB4QWZ1VGNFVkx1Q0hNK3FDTTRrUlkKLS0tIG9hbldDeHk0YmVZV2IwMXNpYStU
-            Q29uVHBCb2pTeWVJVmVXbWpycnFneWMKnDmu5917dddV8vjO0L8OP3wXMjDi46Ro
-            b9eOY8l74jm4sTxyKNvnkEjD6iHn1t7f8J7HAbWrpZY+J0i77nrzQw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxTVQyRDdGQ0E1VkNBZTNZ
+            cWVsYjN5MVlKcmR4c1VOVnp6UGdDNENEdng0CkVVZ2orOTgwMC8xeE90Q1d5bkNP
+            OUh6L0FzZ2pzclF4TVpwUHIyRWNYRzgKLS0tIFZLVU9wRFl1bW44d25zRmRqRHJQ
+            Z1I2c3h3TVIyeTNYSzhGbkV3TVZ6dWsKdxp5Lqlkk3Awa/G9OwaCyHBM4OHxu0Gb
+            cmzw0frdL7+EUiLzxoi7okXhMluj9R3G/lQicDq0+5tCjDRPkuOHcg==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-11-23T09:05:51Z"
     mac: ENC[AES256_GCM,data:Xnulo0681LtgH9SZt9DL3nd9bSDH+TCQDvbKdggVBJ66rxBiKmlbu5MAblAWqxbdZ6EelldaVeX9OaL2rYJoYbTWxzw2iuPieldp3Ah3PsTI2C8W+UD9KVHcB+3AMOmVmJZzFlZvTwyfPfZRNNb0HAijkN97P3fP0r1Iqf3YjiI=,iv:vhu38HM4e+PyyChXvI87LWSGtKQQiXUr4MKrI7kotzk=,tag:eNuQD74kUO+duqEXNbLJBw==,type:str]

nixos/machines/nyarlathotep/stalwartAdmin.yaml

@@ -8,38 +8,38 @@ sops:
         - recipient: age1rasjnr2tlv9y70sj0z0hwpgpxdc974wzg5umtx2pnc6z0p05u3js6r8sln
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxcTRqZXRoNTJCdFhQUG9o
-            Qmx2cVl0TWdaQzZZUThTOEpQdjIxVFh3eHhzCjlHWHhSYmM1ajYrdjl3Nm90TkRh
-            YWE3c0hJYzdFWXpZUGI0cHBQdThSWWsKLS0tIFh5M20wV2ZZbzllS1BNOGtaRUVF
-            MFN3bENrZ0tDMllJM1E5MWkyZ2thZEkKfZlUzE5t8K0oHZYOSVItvRJZP2MJlA7N
-            SLozGlpwCoZKWP6qAqP5jisTG/npQRhcqwkd7P39EytO2HXU9m8sJA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxTDh1UjRDemo1TjE2VzBy
+            Zkh3NTBVVmhVL0oycHJCRXVnR0hnSWJTakhnCnNza2o2NTFHTGd3WjliUlp3M1BR
+            VVltaldhcjRUSXdtWTd0RHBoNS9UM2MKLS0tIEJTOWpxRURGcStmbUs2TzBSN1FC
+            YVArVzdqODYvRTkyVFRVSERiU0pFMUEKxiFM8xnNtQvAPeuSd/rAhRveqS8dlp7Z
+            N6q3vXaL72Fb3KOMKN47OXE1Fevra5IyB51Fc3NDX2VQ/H5dg7xN+w==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1epz92k2rkp43hkrg3u0jgkzhnkwx8y43kag7rvfzwl9wcddelvusyetxl7
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkVldRVmtPUzFxV0ltK0d2
-            SHRqbXZCTW5wZUtZM0ZkL3lXOEJmVXdjMXdZCjE5MUUrSEhnWHRSOVhtWWQxdndv
-            ckUzTFl4ZXM5VHBTRlY3SzVsZWpxNUEKLS0tIEtpbTBhaWR1c3RhSW5nclZvMTdO
-            eTBYL1Q5cXNvTGkvQzJMWHZHaEZseVUK5w2MPZMquT0luq+tl2owLrrSBx9KPskS
-            FupcAZTcCo+YsemKLjJ6GlHch5x8Mw98NHS5h1AKxwZYtcfwg3lfbQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGYU50QytQQ3hVNUg1cFp2
+            V3lQUWJJczlzTG8zc1BoRnZEYTFMS2NYeUZJCjRPRXRnMDB2ZGx5ZGFpTHB3Zjgz
+            Qk9XNzN5ZjRpWFdKdndEd1oxcTRUYXMKLS0tIDBZYzc3SDdHVXVHMUNkV1RaZ2tz
+            NU9JWWtxdXhPZTlQODFZM1FpbW1mbjgKJzsaoeNZSumYRWUbxEgdgtNZ/ykVr/Pp
+            ujlm5Te21pQ4Xna5yyTPdVecPPGFmIuF70F0VjwCdgESV/KbeYj32w==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1dhzugelagj6vge5jjxwwn0522ngf7fhxn04sxy2tm8557rtme5tstprwnj
+        - recipient: age1mmpdvzy6d23qyhrl55jtv3c25pus2wwfplx9tujmqps2xsreuv8qwc6gv5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUitNeHNWOTVjWkF4YWhB
-            MnEwWDFnT0wyNUx3VmlQMmZTRmZRbXBGOVFvCmpoOHZZSXRweUtZaHZ6azF2Q3dK
-            NFBwa242U3JSVjhtOUlRTUZuakhkcXcKLS0tIEN5TGhMRFphdEpvcU5zTmVlTTJN
-            d2JRc2p4YmpuUHAycUoxc1FuZmxhemcKOgGyieFVS57tsvUtVooahqswYZH0Fi6+
-            jxM6Ga/tIM/bZ/qSwYrNlNiz0XHm8/XFH2s8sxypDZ+NHGLs3zGjsw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoZENYOGx0dW53b0pFSUZk
+            YytGRDNyRmJWOUh3L083TkdNQ1FOTUhSSUZzCkIrbk5uNGlSdXRQM1pyYmhZZHJK
+            SnIxZ05oT2xSUXdjQmFMeFVqMzluam8KLS0tIE1EbFg2ODBveGNzMWZlaHZwcXpn
+            UWNKREJ6STc0RHR4K0hIbkw5UG5vczgKhcGeG1kYK3KLAid9oQzPuJml3PEQaYwf
+            Zc9PmY7aA6Gww9RY3aUGneLSUrpcdJRY7bDsYDbwve+CNO1Ln/+oPA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1ktwclxa640l89le6yecm8v2z6hmwr4lusd6x9gyzamhv57887szqtqp59a
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBERTdvSTZ3eEVNbEZpUnQ2
-            ZC85blRQVzgrckljcnZPeVhZWUxGd01tankwCjBCZHdWRnpoZkdRQWdoK0VmOFVy
-            VmpiOFkvNisrWmp2NE1kalB4dUhzdWsKLS0tIEJ6T1FsTFlIMUVWd3FwbEtldmlC
-            UjFHWHNZci8zRlFXNVpNNk5oSUNvaTQKW9T88GflSysJwqMnBrc/jZVwL/fRdg2a
-            5XysXb/dCo4uNxLQit/KNSpINj7rAkf4Pk819DO6SKiIiuIJDXw9cA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBd3FTMnEzU0xuVnZtSUd1
+            dU1YVjVZU2dST09EZDdiMHoxZ0RXTUU3RlJNClU5UXRPRXIrdkZzRkxtK2RUSTEr
+            UEltNTlnWVRzOFIra01PNk9keW1YU3MKLS0tIFl3Z2szLzREN3ZBeW5pUUE1VmRh
+            YytJNUt5NWRncmJua3o1NzdtK3JnekUKHgzr7iAqCfPT+oi0I3yn7CrhRLSXsKv2
+            TfXTa4G88ume9S/awMF+iZigX5ubGHVOeuvOwuPY+EdIDY4E3RSfgw==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-11-23T11:43:23Z"
     mac: ENC[AES256_GCM,data:GZ1Q67n43WU3fDQd6SGsD2EZgoaq1mzh5biy42cx6FQWlveK5lhb0F2HUuWWv5zSHKpslEPD6odvkQmMNCRY8NsvT3+KBAnHHU0aHzM9AEV27cDL4x6oBvO52EMxsNCMm+fXPD1CubQxfbfvx/aIuqb1sovgKGgwf4u6yqIrHJ0=,iv:ExX+ySMXhF/c1w2IP7y8mdlcy8W9Zxiy6X67b2f4AeY=,tag:shxQJdaW3HsG6sNY+zDNCA==,type:str]

nixos/modules/mail.nix

@@ -65,7 +65,7 @@ in {
         openFirewall = true;
         settings = {
           server = {
-            lookup.default.hostname = "fb04184.mathematik.tu-darmstadt.de"; # Because the DNS PTR of 130.83.2.184 is this and this should be used in SMTP EHLO.
+            hostname = "fb04184.mathematik.tu-darmstadt.de"; # Because the DNS PTR of 130.83.2.184 is this and this should be used in SMTP EHLO.
             listener = {
               "smtp" = {
                 bind = ["[::]:25"];
@@ -82,7 +82,7 @@ in {
                 tls.implicit = true;
               };
               "management" = {
-                # Cthulhu forwards requests for http://fb04184.mathematik.tu-darmstadt.de/.well-known/acme-challenge/ http://imap.mathebau.de/.well-known/acme-challenge/ and http://smtp.mathebau.de/.well-known/acme-challenge/
+                # Cthulhu forwards requests for http://fb04184.mathematik.tu-darmstadt.de/.well-known/acme-challenge/ http://imap.mathebau.de/.well-known/acme-challenge/ and http://smtp.mathebau.de/.well-known/acme-challenge/ and http://mathebau.de/.well-known/acme-challenge/
                 # for TLS certificate challenge validation
                 # whereas the rest of the management interface is not available publically.
                 # It can be reached via SSH and portforwarding.
@@ -95,19 +95,28 @@ in {
             directory = "https://acme-v02.api.letsencrypt.org/directory"; # This setting is necessary for this block to be activated
             challenge = "http-01";
             contact = ["root@mathebau.de"];
-            domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"];
+            domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de" "mathebau.de"];
             default = true;
           };
           # Reevaluate after DKIM and DMARC deployment
           spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding
           auth = {
-            # TODO check if HRZ conforms to these standards and we can validate them strictly
+            # TODO check if HRZ and our own VMs conform to these standards and we can validate them strictly
             dkim.verify = "relaxed";
             arc.verify = "relaxed";
             dmarc.verify = "relaxed";
             iprev.verify = "relaxed";
             spf.verify.ehlo = "relaxed";
             spf.verify.mail-from = "relaxed";
+
+            # Sign *our* outgoing mails with the configured signatures.
+            dkim.sign = [
+              {
+                "if" = "is_local_domain('', sender_domain) || sender_domain == 'lists.mathebau.de'";
+                "then" = "['rsa-' + sender_domain, 'ed25519-' + sender_domain]";
+              }
+              {"else" = false;}
+            ];
           };
 
           # Forward outgoing mail to HRZ or mail VMs.
@@ -131,36 +140,61 @@ in {
               starttls = "optional"; # e.g. Lobon does not offer starttls
             };
           };
-          remote."hrz" = {
-            address = "mailout.hrz.tu-darmstadt.de";
-            port = 25;
-            protocol = "smtp";
-            tls.implicit = false; # Don't assume TLS on this port but use STARTTLS
-          };
-          remote."mailman" = {
-            address = "lobon.mathebau.de"; # must be created in DNS as a MX record because this field does not accept ip addresses.
-            port = 25;
-            protocol = "smtp";
-            tls.implicit = false; # Don't assume TLS on this port but use STARTTLS
+          remote = {
+            "hrz" = {
+              address = "mailout.hrz.tu-darmstadt.de";
+              port = 25;
+              protocol = "smtp";
+              tls.implicit = false; # Don't assume TLS on this port but use STARTTLS
+            };
+            "mailman" = {
+              address = "lobon.mathebau.de"; # must be created in DNS as a MX record because this field does not accept ip addresses.
+              port = 25;
+              protocol = "smtp";
+              tls.implicit = false; # Don't assume TLS on this port but use STARTTLS
+            };
           };
 
-          session.rcpt = {
-            # In order to accept mail that we only forward
-            # without having to generate an account.
-            # Invalid addresses are filtered by DFN beforehand.
-            catch-all = true;
-            relay = [
+          session = {
+            ehlo.require = [
               {
-                "if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de' || starts_with(remote_ip, '192.168.0.')"; #TODO restrict trust by IP
-                "then" = true;
+                "if" = "starts_with(remote_ip, '192.168.0.')"; #TODO setup vms properly
+                "then" = false;
               }
-              {"else" = false;}
+              {"else" = true;}
             ];
+            ehlo.reject-non-fqdn = [
+              {
+                "if" = "starts_with(remote_ip, '192.168.0.')"; #TODO setup vms properly
+                "then" = false;
+              }
+              {"else" = true;}
+            ];
+
+            rcpt = {
+              # In order to accept mail that we only forward
+              # without having to generate an account.
+              # Invalid addresses are filtered by DFN beforehand.
+              # See also https://stalw.art/docs/smtp/inbound/rcpt/#catch-all-addresses
+              catch-all = true;
+              relay = [
+                {
+                  "if" = "!is_empty(authenticated_as) || rcpt_domain == 'lists.mathebau.de' || starts_with(remote_ip, '192.168.0.')"; #TODO restrict trust by IP
+                  "then" = true;
+                }
+                {"else" = false;}
+              ];
+              # The sieve script only handles the last RCPT TO command (https://stalw.art/docs/sieve/variables).
+              # Since we want it to run for every recipient, we need to accept them one at a time. :-(
+              # This setting throws a temporary error for the second RCPT TO command after which the HRZ retries in a new connection.
+              max-recipients = 1;
+            };
+            data.script = "'redirects'";
           };
 
           # Stalwart gets its configuration from two places: A TOML configuration file that we control in this module
           # and from a database that can be configured from web management interface or via Rest API.
-          # We here define what comes from the TOML-file and especially add "sieve.trusted.scripts.*" to the default ones
+          # We here define what comes from the TOML-file and especially add "sieve.trusted.*" to the default ones
           # because only TOML-based keys may use macros to load files from disk.
           # We want this to be able to load our sieve-script for mail forwarding.
           # See https://stalw.art/docs/configuration/overview/#local-and-database-settings for more details.
@@ -181,9 +215,47 @@ in {
               "lookup.default.hostname"
               "certificate.*"
             ] # the default ones
-            ++ ["sieve.trusted.scripts.*"]; #for macros to be able to include our redirection script
-          sieve.trusted.scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script
-          session.data.script = "'redirects'";
+            ++ ["sieve.trusted.*"]; #for macros to be able to include our redirection script
+          sieve.trusted = {
+            scripts.redirects.contents = "%{file:/tmp/virt_aliases}%"; # generated redirect script
+            return-path = "sender"; # set the outgoing MAIL FROM to the original sender as specified in the incoming MAIL FROM.
+
+            # If we are the sender, we sign the message with DKIM. Else we leave it alone.
+            sign = [
+              {
+                "if" = "is_local_domain('', sender_domain) || sender_domain == 'lists.mathebau.de'";
+                "then" = "['rsa-' + sender_domain, 'ed25519-' + sender_domain]";
+              }
+              {"else" = false;}
+            ];
+            limits = {
+              redirects = 50;
+              out-messages = 50;
+            };
+          };
+          # See https://stalw.art/docs/smtp/authentication/dkim/sign
+          # We need two blocks per domain because the domain setting in the blocks does not accept variables like `sender_domain`.
+          signature = let
+            signatureTemplate = domain: {
+              "rsa-${domain}" = {
+                private-key = "%{file:/run/secrets/dkim_rsa}%";
+                domain = "${domain}";
+                selector = "rsa-default";
+                headers = ["From" "To" "Cc" "Date" "Subject" "Message-ID" "Organization" "MIME-Version" "Content-Type" "In-Reply-To" "References" "List-Id" "User-Agent" "Thread-Topic" "Thread-Index"];
+                algorithm = "rsa-sha256";
+                canonicalization = "relaxed/relaxed";
+              };
+              "ed25519-${domain}" = {
+                private-key = "%{file:/run/secrets/dkim_ed25519}%";
+                domain = "${domain}";
+                selector = "ed-default";
+                headers = ["From" "To" "Cc" "Date" "Subject" "Message-ID" "Organization" "MIME-Version" "Content-Type" "In-Reply-To" "References" "List-Id" "User-Agent" "Thread-Topic" "Thread-Index"];
+                algorithm = "ed25519-sha256";
+                canonicalization = "relaxed/relaxed";
+              };
+            };
+          in
+            map signatureTemplate (["lists.mathebau.de"] ++ (map ({domain, ...}: domain) cfg.domains));
 
           authentication.fallback-admin = {
             user = "admin";
@@ -229,7 +301,8 @@ in {
               echo "process ${domain}"
               # This line gets the available mailboxes from stalwart's Rest API, searches for their addresses and collects them to a file for submission.
               # The regex searches for alphanumerics combined with some special characters as local paths and the right domain.
-              ${pkgs.curl}/bin/curl -s --header "authorization: Basic $(<${cfg.stalwartAdmin})" http://localhost/api/principal | ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" | tee /tmp/addresses
+              # Exclude @domain.tld which is not a valid mail address but used for catch-all accounts.
+              ${pkgs.curl}/bin/curl -s --header "authorization: Basic $(<${cfg.stalwartAdmin})" http://localhost/api/principal | ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" | grep -v "@${domain}" | tee /tmp/addresses
               # This line searches for available redirects and adds them to the submission file.
               ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases >> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need.
               # Post local-parts to HRZ, see https://www-cgi.hrz.tu-darmstadt.de/mail/index.php?bereich=whitelist_upload
@@ -267,6 +340,7 @@ in {
         "stalwart-mail" = {
           restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed.
           serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script
+          serviceConfig.ProtectSystem = lib.mkForce "full"; # "strict" does not allow writing to /tmp which we need for unpacking the webadmin interface. "full" is less strict.
         };
         "virt-aliases-generator" = {
           description = "Virtual Aliases Generator: Generate a sieve script from the virtual alias file";

nixos/modules/mailman.nix

@@ -32,7 +32,6 @@ in {
         config = {
           transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
           local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
-          proxy_interfaces = "130.83.2.184";
           smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
         };
         relayHost = "mathebau.de"; # Relay to mail vm which relays to HRZ (see https://www.hrz.tu-darmstadt.de/services/it_services/email_infrastruktur/index.de.jsp)
@@ -44,7 +43,11 @@ in {
         webHosts = [cfg.hostName];
         serve.enable = true; #
         # Don't include confirmation tokens in reply addresses, because we would need to send them to HRZ otherwise.
-        settings.mta.verp_confirmations = "no";
+        settings.mta = {
+          verp_confirmations = "no";
+          max_recipients = "1"; # We can only send to one recipient at a time due to how forwarding currently works. See also the mail module.
+          max_sessions_per_connection = "1";
+        };
       };
     };
 

nixos/roles/admins.nix

@@ -5,6 +5,7 @@ with lib; let
       hashedPassword = "$y$j9T$SJcjUIcs3JYuM5oyxfEQa/$tUBQT07FK4cb9xm.A6ZKVnFIPNOYMOKC6Dt6hadCuJ7";
       sshKeys = [
         "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEdA4LpEGUUmN8esFyrNZXFb2GiBID9/S6zzhcnofQuP nerf@nerflap2"
+        "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEdfOWD1DLuB1Ho69uRC3VgQu+X3gExFzVHhu2CAl8JSAAAABHNzaDo= laptop_child-sk"
       ];
       nixKeys = [
         "nerflap2-1:pDZCg0oo9PxNQxwVSQSvycw7WXTl53PGvVeZWvxuqJc="
@@ -19,6 +20,15 @@ with lib; let
         "gonne.mathebau.de-1:FsXFyFiBFE/JxC9MCkt/WuiXjx5dkRI9RXj0FxOQrV0="
       ];
     };
+    daniel = {
+      hashedPassword = "$y$j9T$.p7R1mqmbotP3SvuaH4KS.$l3hsHJyh0A0.ZhZ.4Tc1cgKAcKWKntXYsPKmPpUvYnD";
+      sshKeys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGCrx7aeIIOvdc+mW4ji8RlIuMRY55oDrcCs4q1KU7VG Daniel"
+      ];
+      nixKeys = [
+        "nix.mathebau.firespike.de-1:OmST0YGbAaBjPo5xSM5Bqwk6/W5o7B5CnW/NDr0NacI="
+      ];
+    };
   };
 
   mkAdmin = name: {