Drift/pvv-nixos-config
Drift
/
pvv-nixos-config
16
4
Fork 1
Code Issues Pull Requests 6 Wiki Activity

Compare commits

base: Drift:b4437d4e4481d9a892a7f32a075beb4775d88e3c
Branches Tags
Drift:main
Drift:gitea-gpg-signing
Drift:pvvvvv
Drift:init-bakke
Drift:hookshot
Drift:disable-postgres-on-bekkalokk
Drift:sleipner-authorised-keys
Drift:sounding
Drift:retain-flake-inputs
Drift:openstack-image-builder
Drift:elysium
Drift:cleanup
Drift:fix-openstack-networking
Drift:systemd_exporter
Drift:backup-databases
Drift:smartd-notifs
Drift:systemd-journald-remote
Drift:skrot
Drift:deploy-doorbell
Drift:misc-gitea-fixes
Drift:run-vm
Drift:spotifyd
Drift:remote
Drift:nix-topology
Drift:dagali-heimdal-openldap-sasl-stack
Drift:setup-bikkje-login
Drift:ozai-prod
Drift:add-bluemap
Drift:ozai
Drift:setup-postfix-for-service-machines
Drift:fix-gitea-ci-runner-network-issues
Drift:heimdal-openldap-sasl-testing-on-salsa-on-buskerud
Drift:gitea-metrics
Drift:misc1
Drift:add-simple-saml-theme
Drift:misc-extra-gitea-setup
Drift:add-skrott
Drift:setup-kerberos
Drift:setup-home-areas
Drift:setup-openvpn-tunnel
Drift:shark-kanidm
Drift:prometheusexim
...
compare: Drift:02f817145f4719ca893016ab6da445c8fe2ba36c
Branches Tags
Drift:main
Drift:gitea-gpg-signing
Drift:pvvvvv
Drift:init-bakke
Drift:hookshot
Drift:disable-postgres-on-bekkalokk
Drift:sleipner-authorised-keys
Drift:sounding
Drift:retain-flake-inputs
Drift:openstack-image-builder
Drift:elysium
Drift:cleanup
Drift:fix-openstack-networking
Drift:systemd_exporter
Drift:backup-databases
Drift:smartd-notifs
Drift:systemd-journald-remote
Drift:skrot
Drift:deploy-doorbell
Drift:misc-gitea-fixes
Drift:run-vm
Drift:spotifyd
Drift:remote
Drift:nix-topology
Drift:dagali-heimdal-openldap-sasl-stack
Drift:setup-bikkje-login
Drift:ozai-prod
Drift:add-bluemap
Drift:ozai
Drift:setup-postfix-for-service-machines
Drift:fix-gitea-ci-runner-network-issues
Drift:heimdal-openldap-sasl-testing-on-salsa-on-buskerud
Drift:gitea-metrics
Drift:misc1
Drift:add-simple-saml-theme
Drift:misc-extra-gitea-setup
Drift:add-skrott
Drift:setup-kerberos
Drift:setup-home-areas
Drift:setup-openvpn-tunnel
Drift:shark-kanidm
Drift:prometheusexim

3 Commits
b4437d4e44 ... 02f817145f

Author SHA1 Message Date
Oystein Kristoffer Tveit 02f817145f bekkalokk: init mediawiki
Eval nix flake / evals (push) Failing after 1m49s Details
Eval nix flake / evals (pull_request) Failing after 1m48s Details 
Co-authored-by: Jørn Åne <yorinad@pvv.ntnu.no>
 2024-04-01 13:21:00 +02:00
Oystein Kristoffer Tveit 574e577828 bekkalokk: init idp-simplesamlphp 2024-04-01 13:21:00 +02:00
Oystein Kristoffer Tveit ce45ba309f base/nginx: 404 requests to nonexistent virtualhosts 2024-04-01 13:21:00 +02:00
15 changed files with 3347 additions and 165 deletions
Show Stats Expand all files Collapse all files

3
.sops.yaml
View File

@ -17,6 +17,9 @@ creation_rules:
key_groups: key_groups:
- age: - age:
- *host_jokum - *host_jokum
- *host_ildkule
- *host_bekkalokk
- *host_bicep
- *user_danio - *user_danio
- *user_felixalb - *user_felixalb
- *user_eirikwit - *user_eirikwit

25
base.nix
View File

@ -82,5 +82,30 @@
settings.PermitRootLogin = "yes"; settings.PermitRootLogin = "yes";
}; };
# nginx 404 for nonexistent virtualhosts
sops.age = {
sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true;
};
sops.secrets = lib.mkIf (config.services.nginx.enable) {
"snakeoil_cert/public" = {
owner = "nginx";
group = "nginx";
sopsFile = ./secrets/common.yaml;
};
"snakeoil_cert/private" = {
owner = "nginx";
group = "nginx";
sopsFile = ./secrets/common.yaml;
};
};
services.nginx.virtualHosts."_" = lib.mkIf (config.services.nginx.enable) {
sslCertificate = config.sops.secrets."snakeoil_cert/public".path;
sslCertificateKey = config.sops.secrets."snakeoil_cert/private".path;
addSSL = true;
extraConfig = "return 444;";
};
} }

1
flake.nix
View File

@ -81,6 +81,7 @@
(final: prev: { (final: prev: {
heimdal = unstablePkgs.heimdal; heimdal = unstablePkgs.heimdal;
mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { }; mediawiki-extensions = final.callPackage ./packages/mediawiki-extensions { };
simplesamlphp = final.callPackage ./packages/simplesamlphp { };
}) })
]; ];
}; };

3
hosts/bekkalokk/configuration.nix
View File

@ -14,7 +14,8 @@
./services/gitea/default.nix ./services/gitea/default.nix
./services/kerberos ./services/kerberos
./services/webmail ./services/webmail
# ./services/mediawiki.nix ./services/mediawiki
./services/idp-simplesamlphp
]; ];
sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml; sops.defaultSopsFile = ../../secrets/bekkalokk/bekkalokk.yaml;

135
hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php Normal file
View File

@ -0,0 +1,135 @@
<?php
/**
* Authenticate using HTTP login.
*
* @author Yorn de Jong
* @author Oystein Kristoffer Tveit
* @package simpleSAMLphp
*/
namespace SimpleSAML\Module\authpwauth\Auth\Source;
class PwAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
{
protected $pwauth_bin_path;
protected $mail_domain;
public function __construct(array $info, array &$config) {
assert('is_array($info)');
assert('is_array($config)');
/* Call the parent constructor first, as required by the interface. */
parent::__construct($info, $config);
$this->pwauth_bin_path = $config['pwauth_bin_path'];
if (array_key_exists('mail_domain', $config)) {
$this->mail_domain = '@' . ltrim($config['mail_domain'], '@');
}
}
public function login(string $username, string $password): array {
$username = strtolower( $username );
if (!file_exists($this->pwauth_bin_path)) {
die("Could not find pwauth binary");
return false;
}
if (!is_executable($this->pwauth_bin_path)) {
die("pwauth binary is not executable");
return false;
}
$handle = popen($this->pwauth_bin_path, 'w');
if ($handle === FALSE) {
die("Error opening pipe to pwauth");
return false;
}
$data = "$username\n$password\n";
if (fwrite($handle, $data) !== strlen($data)) {
die("Error writing to pwauth pipe");
return false;
}
# Is the password valid?
$result = pclose( $handle );
if ($result !== 0) {
if (!in_array($result, [1, 2, 3, 4, 5, 6, 7], true)) {
die("pwauth returned $result for username $username");
}
throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
}
/*
$ldap = ldap_connect('129.241.210.159', 389);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls($ldap);
ldap_bind($ldap, 'passordendrer@pvv.ntnu.no', 'Oi7aekoh');
$search = ldap_search($ldap, 'DC=pvv,DC=ntnu,DC=no', '(sAMAccountName='.ldap_escape($username, '', LDAP_ESCAPE_FILTER).')');
$entry = ldap_first_entry($ldap, $search);
$dn = ldap_get_dn($ldap, $entry);
$newpassword = mb_convert_encoding("\"$password\"", 'UTF-16LE', 'UTF-8');
ldap_modify_batch($ldap, $dn, [
#[
# 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
# 'attrib' => 'unicodePwd',
# 'values' => [$password],
#],
[
#'modtype' => LDAP_MODIFY_BATCH_ADD,
'modtype' => LDAP_MODIFY_BATCH_REPLACE,
'attrib' => 'unicodePwd',
'values' => [$newpassword],
],
]);
*/
#0 - Login OK.
#1 - Nonexistant login or (for some configurations) incorrect password.
#2 - Incorrect password (for some configurations).
#3 - Uid number is below MIN_UNIX_UID value configured in config.h.
#4 - Login ID has expired.
#5 - Login's password has expired.
#6 - Logins to system have been turned off (usually by /etc/nologin file).
#7 - Limit on number of bad logins exceeded.
#50 - pwauth was not run with real uid SERVER_UID. If you get this
# this error code, you probably have SERVER_UID set incorrectly
# in pwauth's config.h file.
#51 - pwauth was not given a login & password to check. The means
# the passing of data from mod_auth_external to pwauth is messed
# up. Most likely one is trying to pass data via environment
# variables, while the other is trying to pass data via a pipe.
#52 - one of several possible internal errors occured.
$uid = $username;
# TODO: Reinstate this code once passwd is working...
/*
$cn = trim(shell_exec('getent passwd '.escapeshellarg($uid).' | cut -d: -f5 | cut -d, -f1'));
$groups = preg_split('_\\s_', shell_exec('groups '.escapeshellarg($uid)));
array_shift($groups);
array_shift($groups);
array_pop($groups);
$info = posix_getpwnam($uid);
$group = $info['gid'];
if (!in_array($group, $groups)) {
$groups[] = $group;
}
*/
$cn = "Unknown McUnknown";
$groups = array();
$result = array(
'uid' => array($uid),
'cn' => array($cn),
'group' => $groups,
);
if (isset($this->mail_domain)) {
$result['mail'] = array($uid.$this->mail_domain);
}
return $result;
}
}

1293
hosts/bekkalokk/services/idp-simplesamlphp/config.php Normal file
View File

File diff suppressed because it is too large Load Diff

203
hosts/bekkalokk/services/idp-simplesamlphp/default.nix Normal file
View File

@ -0,0 +1,203 @@
{ config, pkgs, lib, ... }:
let
pwAuthScript = pkgs.writeShellApplication {
name = "pwauth";
runtimeInputs = with pkgs; [ coreutils heimdal ];
text = ''
read -r user1
user2="$(echo -n "$user1" | tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz')"
if test "$user1" != "$user2"
then
read -r _
exit 2
fi
kinit --password-file=STDIN "''${user1}@PVV.NTNU.NO" >/dev/null 2>/dev/null
kdestroy >/dev/null 2>/dev/null
'';
};
package = pkgs.simplesamlphp.override {
extra_files = {
# NOTE: Using self signed certificate created 30. march 2024, with command:
# openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem
"metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" ''
<?php
$metadata['https://idp2.pvv.ntnu.no/'] = array(
'host' => '__DEFAULT__',
'privatekey' => '${config.sops.secrets."idp/privatekey".path}',
'certificate' => '${./idp.crt}',
'auth' => 'pwauth',
);
?>
'';
"metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" ''
<?php
${ lib.pipe config.services.idp.sp-remote-metadata [
(map (url: ''
$metadata['${url}'] = [
'SingleLogoutService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
],
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP',
'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp',
],
],
'AssertionConsumerService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
'index' => 0,
],
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact',
'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp',
'index' => 1,
],
],
];
''))
(lib.concatStringsSep "\n")
]}
?>
'';
"config/authsources.php" = pkgs.writeText "idp-authsources.php" ''
<?php
$config = array(
'admin' => array(
'core:AdminPassword'
),
'pwauth' => array(
'authpwauth:PwAuth',
'pwauth_bin_path' => '${lib.getExe pwAuthScript}',
'mail_domain' => '@pvv.ntnu.no',
),
);
?>
'';
"config/config.php" = pkgs.runCommandLocal "simplesamlphp-config.php" { } ''
cp ${./config.php} "$out"
substituteInPlace "$out" \
--replace '$SAML_COOKIE_SECURE' 'true' \
--replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."idp/cookie_salt".path}")' \
--replace '$SAML_ADMIN_NAME' '"Drift"' \
--replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
--replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/admin_password".path}")' \
--replace '$SAML_TRUSTED_DOMAINS' 'array( "idp2.pvv.ntnu.no" )' \
--replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=idp"' \
--replace '$SAML_DATABASE_USERNAME' '"idp"' \
--replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."idp/postgres_password".path}")' \
--replace '$CACHE_DIRECTORY' '/var/cache/idp'
'';
"modules/authpwauth/src/Auth/Source/PwAuth.php" = ./authpwauth.php;
};
};
in
{
options.services.idp.sp-remote-metadata = lib.mkOption {
type = with lib.types; listOf str;
default = [ ];
description = ''
List of urls point to (simplesamlphp) service profiders, which the idp should trust.
:::{.note}
Make sure the url ends with a `/`
:::
'';
};
config = {
sops.secrets = {
"idp/privatekey" = {
owner = "idp";
group = "idp";
mode = "0770";
};
"idp/admin_password" = {
owner = "idp";
group = "idp";
};
"idp/postgres_password" = {
owner = "idp";
group = "idp";
};
"idp/cookie_salt" = {
owner = "idp";
group = "idp";
};
};
users.groups."idp" = { };
users.users."idp" = {
description = "PVV Identity Provider Service User";
group = "idp";
createHome = false;
isSystemUser = true;
};
systemd.tmpfiles.settings."10-idp" = {
"/var/cache/idp".d = {
user = "idp";
group = "idp";
mode = "0770";
};
"/var/lib/idp".d = {
user = "idp";
group = "idp";
mode = "0770";
};
};
services.phpfpm.pools.idp = {
user = "idp";
group = "idp";
settings = let
listenUser = config.services.nginx.user;
listenGroup = config.services.nginx.group;
in {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"catch_workers_output" = true;
"php_admin_flag[log_errors]" = true;
# "php_admin_value[error_log]" = "stderr";
};
};
services.nginx.virtualHosts."idp2.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
root = "${package}/share/php/simplesamlphp/public";
locations = {
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
"/" = {
alias = "${package}/share/php/simplesamlphp/public/";
index = "index.php";
extraConfig = ''
location ~ ^/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_pass unix:${config.services.phpfpm.pools.idp.socket};
fastcgi_param SCRIPT_FILENAME ${package}/share/php/simplesamlphp/public/$phpfile;
fastcgi_param SCRIPT_NAME /$phpfile;
fastcgi_param PATH_INFO $pathinfo if_not_empty;
}
'';
};
};
};
};
}

33
hosts/bekkalokk/services/idp-simplesamlphp/idp.crt Normal file
View File

@ -0,0 +1,33 @@
-----BEGIN CERTIFICATE-----
MIIFqTCCA5GgAwIBAgIUL2+PMM9rE9wI5W2yNnJ2CmfGxh0wDQYJKoZIhvcNAQEL
BQAwZDELMAkGA1UEBhMCTk8xEzARBgNVBAgMClNvbWUtU3RhdGUxHjAcBgNVBAoM
FVByb2dyYW12YXJldmVya3N0ZWRldDEgMB4GCSqGSIb3DQEJARYRZHJpZnRAcHZ2
Lm50bnUubm8wHhcNMjQwMzMwMDAyNjQ0WhcNMjUwMzMwMDAyNjQ0WjBkMQswCQYD
VQQGEwJOTzETMBEGA1UECAwKU29tZS1TdGF0ZTEeMBwGA1UECgwVUHJvZ3JhbXZh
cmV2ZXJrc3RlZGV0MSAwHgYJKoZIhvcNAQkBFhFkcmlmdEBwdnYubnRudS5ubzCC
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL/0l0jdV+PoVxdd21F+2NLm
JN6sZmSJexOSk/sFjhhF4WMtjOfDAQYjt3hlLPyYl//jCe9WteavvtdCx1tHJitd
xjOUJ/leVjHzBttCVZR+iTlQtpsZ2TbRMJ5Fcfl82njlPecV4umJvnnFXawE4Qee
dE2OM8ODjjrK1cNaHR74tyZCwmdOxNHXZ7RN22p9kZjLD18LQyNr5igaDBeaZkyk
Gxbg4tbP51x9JFRLF7kUlyAc83geFnw6v/wBahr49m/X4y7xE0rdPb2L0moUjmOO
Zyl3hvxMI3+g/0FVMM5eKmfIIP2rIVEAa6MWMx0vPjC6h2fIyxkUqg5C8aFlpqav
+8f2rUc+JfdiFsIZNrylBXsleGzS+/wY1uB/pAy5Vg9WCp+eC75EtWMt0k2f442G
rhKa3lAZ6GIYrtEiQiNGM1aT1Cs1nqTtslfnHiuAKBefLjCXgq9uvL2yRodwe9/m
oZiqYnLHy/v1xfnF5rKTcRmOleU3tc+nlN6tZSGC1nZgMpqpoqdcbJXAkvaJ2Km4
sl0YS28VQnztgzuVPNdnv8lcS6HmkaGaNWbepKgWeaH5oT7O6u99wZIv88m+tf5m
Eu197YVpcclnojQCYKauWcQFsXS20egsVP87Qk0e2SHmGTUQp6YEYX6RLjkg7/vS
BelDBbCldraNVEiC0jmpAgMBAAGjUzBRMB0GA1UdDgQWBBSL0yofG5NEmzFIRuqC
xmyiuZW6DTAfBgNVHSMEGDAWgBSL0yofG5NEmzFIRuqCxmyiuZW6DTAPBgNVHRMB
Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAZZVs7BLk/NLq3f4Ik8qH3IoDN
2m4XXRZS+xxw5RwctgSnik7AffgAfv8QQm2co8UYkHbB0whaG1PDz+L7wB1hVkWn
DVUaJcKQnn0x+sNU5LoTbjI0PlaST7PO5D0OMFab8FSNxpzzpbUcgZUhelc99Ri/
2Gh8mf4b3Y3Uzq6YKFsuFM65OuJhH8f1w6onai9x28t6tERHUSUfJ2keXzU4ytCV
EitWXwhe759VLqmdP4BATwlCOCuwa5aDeGcWRIqFpYIn0SOAmVV3o4V71JdZc1jE
fuOo/PbiHZ+R9ZGbh98aMidb0moL1ZDhmir9KbedezNyki6JJ72mVclhLqUajFxr
T39FXd5e2+QBMHPPhVFznQoHWnHEbZigTt61b0cg/TsxaxOkF4Ilmr/2DmSWysWK
TF5eq8hp6/53qVbXXSzrCjxd3wzGnRabsEVPX/L2hYDx81hluovJQCtskqTq1joI
W2R7AO5Sdyc6NfOR85kl0HXzHa+0Slsf8ZDs5nCz/mOOPoAGl7IxF7xQ6kPO7V+U
HdGE2tkblM/TrAObJH0HXySeJGI7Vfya+D1Y8IqGtyZtWyx1DmlA/OezGGf5D3rG
88LywHQQ2mQ+8aosBTE4+HQ+apLKZBprqQKuiDjT1RSUbfUHQkYuL+D1oIVmklAc
UxTpf01QJnZkMqf5NQ==
-----END CERTIFICATE-----

22
hosts/bekkalokk/services/idp-simplesamlphp/metadata.php.nix Normal file
View File

@ -0,0 +1,22 @@
''
<?php
$metadata['https://idp2.pvv.ntnu.no/'] = [
'metadata-set' => 'saml20-idp-hosted',
'entityid' => 'https://idp2.pvv.ntnu.no/',
'SingleSignOnService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleSignOnService',
],
],
'SingleLogoutService' => [
[
'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
'Location' => 'https://idp2.pvv.ntnu.no/module.php/saml/idp/singleLogout',
],
],
'NameIDFormat' => [ 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' ],
'certificate' => '${./idp.crt}',
];
?>
''

160
hosts/bekkalokk/services/mediawiki.nix
View File

@ -1,160 +0,0 @@
{ pkgs, lib, config, values, ... }: let
cfg = config.services.mediawiki;
# "mediawiki"
user = config.systemd.services.mediawiki-init.serviceConfig.User;
# "mediawiki"
group = config.users.users.${user}.group;
in {
sops.secrets = {
"mediawiki/password" = {
restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
owner = user;
group = group;
};
"keys/postgres/mediawiki" = {
restartUnits = [ "mediawiki-init.service" "phpfpm-mediawiki.service" ];
owner = user;
group = group;
};
};
services.mediawiki = {
enable = true;
name = "Programvareverkstedet";
passwordFile = config.sops.secrets."mediawiki/password".path;
passwordSender = "drift@pvv.ntnu.no";
database = {
type = "postgres";
host = "postgres.pvv.ntnu.no";
port = config.services.postgresql.port;
passwordFile = config.sops.secrets."keys/postgres/mediawiki".path;
createLocally = false;
# TODO: create a normal database and copy over old data when the service is production ready
name = "mediawiki_test";
};
# Host through nginx
webserver = "none";
poolConfig = let
listenUser = config.services.nginx.user;
listenGroup = config.services.nginx.group;
in {
inherit user group;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = "on";
"env[PATH]" = lib.makeBinPath [ pkgs.php ];
"catch_workers_output" = true;
# to accept *.html file
"security.limit_extensions" = "";
};
extensions = {
inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
};
extraConfig = let
SimpleSAMLphpRepo = pkgs.stdenvNoCC.mkDerivation rec {
pname = "configuredSimpleSAML";
version = "2.0.4";
src = pkgs.fetchzip {
url = "https://github.com/simplesamlphp/simplesamlphp/releases/download/v${version}/simplesamlphp-${version}.tar.gz";
sha256 = "sha256-pfMV/VmqqxgtG7Nx4s8MW4tWSaxOkVPtCRJwxV6RDSE=";
};
buildPhase = ''
cat > config/authsources.php << EOF
<?php
$config = array(
'default-sp' => array(
'saml:SP',
'idp' => 'https://idp.pvv.ntnu.no/',
),
);
EOF
'';
installPhase = ''
cp -r . $out
'';
};
in ''
$wgServer = "https://bekkalokk.pvv.ntnu.no";
$wgLocaltimezone = "Europe/Oslo";
# Only allow login through SSO
$wgEnableEmail = false;
$wgEnableUserEmail = false;
$wgEmailAuthentication = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgPluggableAuth_EnableAutoLogin = true;
# Disable anonymous editing
$wgGroupPermissions['*']['edit'] = false;
# Styling
$wgLogo = "/PNG/PVV-logo.png";
$wgDefaultSkin = "monobook";
# Misc
$wgEmergencyContact = "${cfg.passwordSender}";
$wgShowIPinHeader = false;
$wgUseTeX = false;
$wgLocalInterwiki = $wgSitename;
# SimpleSAML
$wgSimpleSAMLphp_InstallDir = "${SimpleSAMLphpRepo}";
$wgSimpleSAMLphp_AuthSourceId = "default-sp";
$wgSimpleSAMLphp_RealNameAttribute = "cn";
$wgSimpleSAMLphp_EmailAttribute = "mail";
$wgSimpleSAMLphp_UsernameAttribute = "uid";
# Fix https://github.com/NixOS/nixpkgs/issues/183097
$wgDBserver = "${toString cfg.database.host}";
'';
};
# Override because of https://github.com/NixOS/nixpkgs/issues/183097
systemd.services.mediawiki-init.script = let
# According to module
stateDir = "/var/lib/mediawiki";
pkg = cfg.finalPackage;
mediawikiConfig = config.services.phpfpm.pools.mediawiki.phpEnv.MEDIAWIKI_CONFIG;
inherit (lib) optionalString mkForce;
in mkForce ''
if ! test -e "${stateDir}/secret.key"; then
tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
fi
echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
--confpath /tmp \
--scriptpath / \
--dbserver "${cfg.database.host}" \
--dbport ${toString cfg.database.port} \
--dbname ${cfg.database.name} \
${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
--dbuser ${cfg.database.user} \
${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
--passfile ${cfg.passwordFile} \
--dbtype ${cfg.database.type} \
${cfg.name} \
admin
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
'';
}

216
hosts/bekkalokk/services/mediawiki/default.nix Normal file
View File

@ -0,0 +1,216 @@
{ pkgs, lib, config, values, pkgs-unstable, ... }: let
cfg = config.services.mediawiki;
# "mediawiki"
user = config.systemd.services.mediawiki-init.serviceConfig.User;
# "mediawiki"
group = config.users.users.${user}.group;
simplesamlphp = pkgs.simplesamlphp.override {
extra_files = {
"metadata/saml20-idp-remote.php" = pkgs.writeText "mediawiki-saml20-idp-remote.php" (import ../idp-simplesamlphp/metadata.php.nix);
"config/authsources.php" = ./simplesaml-authsources.php;
"config/config.php" = pkgs.runCommandLocal "mediawiki-simplesamlphp-config.php" { } ''
cp ${./simplesaml-config.php} "$out"
substituteInPlace "$out" \
--replace '$SAML_COOKIE_SECURE' 'true' \
--replace '$SAML_COOKIE_SALT' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/cookie_salt".path}")' \
--replace '$SAML_ADMIN_NAME' '"Drift"' \
--replace '$SAML_ADMIN_EMAIL' '"drift@pvv.ntnu.no"' \
--replace '$SAML_ADMIN_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/admin_password".path}")' \
--replace '$SAML_TRUSTED_DOMAINS' 'array( "wiki2.pvv.ntnu.no" )' \
--replace '$SAML_DATABASE_DSN' '"pgsql:host=postgres.pvv.ntnu.no;port=5432;dbname=mediawiki_simplesamlphp"' \
--replace '$SAML_DATABASE_USERNAME' '"mediawiki_simplesamlphp"' \
--replace '$SAML_DATABASE_PASSWORD' 'file_get_contents("${config.sops.secrets."mediawiki/simplesamlphp/postgres_password".path}")' \
--replace '$CACHE_DIRECTORY' '/var/cache/mediawiki/idp'
'';
};
};
in {
services.idp.sp-remote-metadata = [ "https://wiki2.pvv.ntnu.no/simplesaml/" ];
sops.secrets = lib.pipe [
"mediawiki/password"
"mediawiki/postgres_password"
"mediawiki/simplesamlphp/postgres_password"
"mediawiki/simplesamlphp/cookie_salt"
"mediawiki/simplesamlphp/admin_password"
] [
(map (key: lib.nameValuePair key {
owner = user;
group = group;
}))
lib.listToAttrs
];
services.mediawiki = {
enable = true;
name = "Programvareverkstedet";
passwordFile = config.sops.secrets."mediawiki/password".path;
passwordSender = "drift@pvv.ntnu.no";
database = {
type = "mysql";
host = "mysql.pvv.ntnu.no";
port = 3306;
user = "mediawiki";
passwordFile = config.sops.secrets."mediawiki/postgres_password".path;
createLocally = false;
# TODO: create a normal database and copy over old data when the service is production ready
name = "mediawiki";
};
# Host through nginx
webserver = "none";
poolConfig = let
listenUser = config.services.nginx.user;
listenGroup = config.services.nginx.group;
in {
inherit user group;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"listen.owner" = listenUser;
"listen.group" = listenGroup;
"catch_workers_output" = true;
"php_admin_flag[log_errors]" = true;
# "php_admin_value[error_log]" = "stderr";
# to accept *.html file
"security.limit_extensions" = "";
};
extensions = {
inherit (pkgs.mediawiki-extensions) DeleteBatch UserMerge PluggableAuth SimpleSAMLphp;
};
extraConfig = ''
$wgServer = "https://wiki2.pvv.ntnu.no";
$wgLocaltimezone = "Europe/Oslo";
# Only allow login through SSO
$wgEnableEmail = false;
$wgEnableUserEmail = false;
$wgEmailAuthentication = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgPluggableAuth_EnableAutoLogin = false;
# Misc. permissions
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = true;
# Misc. URL rules
$wgUsePathInfo = true;
$wgScriptExtension = ".php";
$wgNamespacesWithSubpages[NS_MAIN] = true;
# Styling
$wgLogos = array(
"2x" => "/PNG/PVV-logo.png",
"icon" => "/PNG/PVV-logo.svg",
);
$wgDefaultSkin = "vector-2022";
# from https://github.com/wikimedia/mediawiki-skins-Vector/blob/master/skin.json
$wgVectorDefaultSidebarVisibleForAnonymousUser = true;
$wgVectorResponsive = true;
# Misc
$wgEmergencyContact = "${cfg.passwordSender}";
$wgShowIPinHeader = false;
$wgUseTeX = false;
$wgLocalInterwiki = $wgSitename;
# SimpleSAML
$wgSimpleSAMLphp_InstallDir = "${simplesamlphp}/share/php/simplesamlphp/";
$wgPluggableAuth_Config['Log in using my SAML'] = [
'plugin' => 'SimpleSAMLphp',
'data' => [
'authSourceId' => 'default-sp',
'usernameAttribute' => 'uid',
'emailAttribute' => 'mail',
'realNameAttribute' => 'cn',
]
];
# Fix https://github.com/NixOS/nixpkgs/issues/183097
$wgDBserver = "${toString cfg.database.host}";
'';
};
# Cache directory for simplesamlphp
# systemd.services.phpfpm-mediawiki.serviceConfig.CacheDirectory = "mediawiki/simplesamlphp";
systemd.tmpfiles.settings."10-mediawiki"."/var/cache/mediawiki/simplesamlphp".d = {
user = "mediawiki";
group = "mediawiki";
mode = "0770";
};
users.groups.mediawiki.members = [ "nginx" ];
services.nginx.virtualHosts."wiki2.pvv.ntnu.no" = {
forceSSL = true;
enableACME = true;
root = "${config.services.mediawiki.finalPackage}/share/mediawiki";
locations = {
"/" = {
index = "index.php";
};
"~ /(.+\\.php)" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
'';
};
# based on https://simplesamlphp.org/docs/stable/simplesamlphp-install.html#configuring-nginx
"^~ /simplesaml/" = {
alias = "${simplesamlphp}/share/php/simplesamlphp/public/";
index = "index.php";
extraConfig = ''
location ~ ^/simplesaml/(?<phpfile>.+?\.php)(?<pathinfo>/.*)?$ {
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket};
fastcgi_param SCRIPT_FILENAME ${simplesamlphp}/share/php/simplesamlphp/public/$phpfile;
# Must be prepended with the baseurlpath
fastcgi_param SCRIPT_NAME /simplesaml/$phpfile;
fastcgi_param PATH_INFO $pathinfo if_not_empty;
}
'';
};
"/images/".alias = "${config.services.mediawiki.uploadsDir}/";
"= /PNG/PVV-logo.svg".alias = ../../../../assets/logo_blue_regular.svg;
"= /PNG/PVV-logo.png".alias = ../../../../assets/logo_blue_regular.png;
"= /favicon.ico".alias = pkgs.runCommandLocal "mediawiki-favicon.ico" {
buildInputs = with pkgs; [ imagemagick ];
} ''
convert \
-resize x64 \
-gravity center \
-crop 64x64+0+0 \
${../../../../assets/logo_blue_regular.png} \
-flatten \
-colors 256 \
-background transparent \
$out
'';
};
};
}

11
hosts/bekkalokk/services/mediawiki/simplesaml-authsources.php Normal file
View File

@ -0,0 +1,11 @@
<?php
$config = array(
'admin' => array(
'core:AdminPassword'
),
'default-sp' => array(
'saml:SP',
'entityID' => 'https://wiki2.pvv.ntnu.no/simplesaml/',
'idp' => 'https://idp2.pvv.ntnu.no/',
),
);

1293
hosts/bekkalokk/services/mediawiki/simplesaml-config.php Normal file
View File

File diff suppressed because it is too large Load Diff

17
secrets/bekkalokk/bekkalokk.yaml
View File

@ -10,9 +10,18 @@ gitea:
epsilon: ENC[AES256_GCM,data:JMnZVBdiy+5oPyXgDpfYvy7qLzIEfHy09fQSBDpNG4zDXTil2pSKBKxk09h5xg==,iv:/8oXKJW6+sMBjDt51MqVAWjQPM5nk02Lv5QqbZsZ5ms=,tag:+Rx7ursfVWc0EcExCLgLhQ==,type:str] epsilon: ENC[AES256_GCM,data:JMnZVBdiy+5oPyXgDpfYvy7qLzIEfHy09fQSBDpNG4zDXTil2pSKBKxk09h5xg==,iv:/8oXKJW6+sMBjDt51MqVAWjQPM5nk02Lv5QqbZsZ5ms=,tag:+Rx7ursfVWc0EcExCLgLhQ==,type:str]
mediawiki: mediawiki:
password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str] password: ENC[AES256_GCM,data:HsBuA1E7187roGnKuFPfPDYxA16GFjAUucgUtrdUFmcOzmTNiFH+NWY2ZQ==,iv:vDYUmmZftcrkDtJxNYKAJSx9j+AQcmQarC62QRHR4IM=,tag:3TKjNrGRivFWoK3djC748g==,type:str]
database: ENC[AES256_GCM,data:EvVK3Mo6cZiIZS+gTxixU4r9SXN41VqwaWOtortZRNH+WPJ4xcYvzYMJNg==,iv:JtFTRLn3fzKIfgAPRqRgQjct7EdkEHtiyQKPy8/sZ2Q=,tag:nqzseG6BC0X5UNI/3kZZ3A==,type:str] postgres_password: ENC[AES256_GCM,data:XIOmrOVXWvMMcPJtmovhdyZvLlhmrsrwjuMMkdEY1NIXWjevj5XEkp6Cpw==,iv:KMPTRzu3H/ewfEhc/O0q3o230QNkABfPYF/D1SYL2R8=,tag:sFZiFPHWxwzD9HndPmH3pQ==,type:str]
simplesamlphp:
postgres_password: ENC[AES256_GCM,data:FzykBVtJbA+Bey1GE5VqnSuv2GeobH1j,iv:wayQH3+y0FYFkr3JjmulI53SADk0Ikur/2mUS5kFrTk=,tag:d+nQ/se2bDA5aaQfBicnPQ==,type:str]
cookie_salt: ENC[AES256_GCM,data:BioRPAvL4F9ORBJDFdqHot81RhVpAOf32v1ah3pvOLq8E88bxGyKFQZxAwpIL3UkWQIsWMnEerm5MEMYL1C2OQ==,iv:yMVqiPTQ8hO1IVAax6PIkD0V9YTOEunwDTtnGcmy6Kc=,tag:Z4+bZF4olLlkx7YpXeQiUw==,type:str]
admin_password: ENC[AES256_GCM,data:4eUXvcO7NLOWke9XShfKzj+x3FvqPONa,iv:3iZ+BTBTZ7yMJ0HT14cEMebKZattWUcYEevRsl/6WOk=,tag:CU0iDhPP2ndztdX5U5A4cw==,type:str]
keycloak: keycloak:
database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str] database: ENC[AES256_GCM,data:76+AZnNR5EiturTP7BdOCKE90bFFkfGlRtviSP5NHxPbb3RfFPJEMlwtzA==,iv:nS7VTossHdlrHjPeethhX+Ysp9ukrb5JD7kjG28OFpY=,tag:OMpiEv9nQA7v6lWJfNxEEw==,type:str]
idp:
cookie_salt: ENC[AES256_GCM,data:cyV6HDCPHKQIa8T1+rFBFh6EuHtG5B508lg6uFYENK7qVpYuiTUIokdVQhY8SRLs2mECx/ampgnUHxCRB/Cc/A==,iv:QRrRUhzRQrLkmg38rrYtCEfF8U4/7ZHZUDSEq++BlbI=,tag:fLqFSLd+CKqJvmCh1fx8vg==,type:str]
admin_password: ENC[AES256_GCM,data:Vf33Oenk6x6BIij1uW8RQDjTPcKhUVYA,iv:RNeyCNpTAYdBPrZwE3Y6CCjoAML/3XUvjfJCrr06IEU=,tag:zVOrx1oXnEyr/VwFCFaCDQ==,type:str]
postgres_password: ENC[AES256_GCM,data:HGwKLbn/umPLPgH+qpXtugvXzOcXdlhK,iv:ypTW0VLSape8K5aCYu3BdjG/oMmqvfDSLw9uGLthb0Q=,tag:qlDMGz59qzMwEwBYxsC0XQ==,type:str]
privatekey: ENC[AES256_GCM,data:pK74wjuk9lt2PNJIzi6NpPBkxcSRsBZJl28BElUiri2zz17CY81x66CMlFsNjvzKB3JVX+b28FHFuSsEpd/mAPtmzZPR+CoWBHvU+OrSYYoufBxexRTtXzu0vx/KFL4X5tsb+GCgfm72CM+u9dElYHJzn3teBUmZc0pIoF29slTuwF+iZrbFwaieECxXMjHC9f+ivxWQsOvYFjhmAwgjBw/LsfURgLxZwcIRiiKsN41P2WtR9a/hjN53sJnihL9VZw/Xbbynm+bDmaAwhKUAZR28TU9Q1PTfNPEAOMoRgKF4MFuhQ5o0Cxq8RRz7fwCcCTV2sK4jgL7gKiy/gI/K41ybPQPon3NrDj3U2G1VhNgBfSNaTHgygiWI08HGWRHk83eJPHp3Ph8/A774g15SE10BXkL12n0kzodsZWYu3ybrhp167vL/ZW3xUnvFFlm4dTX/ndwS5rp1dIW0a5/0EDwMoGIJw94W5ph5sK9YoUTXwLdAJ9UWRZKQGk6iJstq2BMEBAN2BCSPHS2cflMjoVV4KKX1eq6s8/w6YFzCSQkt3+pGQ3DmiOaaqiv7sUfxyfMDzDcuTVETYRhsvr1ChfBFNn1yoH8BffeVTI2Ei3Edek1vXcg05mHxslhCmzQ4U4us0agtpm2Ar6ppvuedJHLWLFz8pgWSENeGdRcbz0CXiy7lIEYW4uQBru4MAjQ+ZQhz/F4L6At60Q4NelYMDxryQ8LxV0fA/ba2llwl8bDHDFDYkxu3/IaaWG8bp1i6gqvEao3/CRpPt/OAJGAHO3HViPm6xmWlWinUEatNlgCoDotkc56eZU/Af/P7R0QPQF0PpEIDHPcNjc/HcfheUXzJSzkD7wja8VB6rtqdRHFC793QsgdHJMJ+/bvJWZSQciSwaY3PBKLLuB6vrn7VD2NB4cE6beaGwneiAn83lAV+I4cJMDQFLkhWm8LIC7JIZKq/7eBfDEmajWEBL6wSbomBi/UGbA+FyvOokYYMemwVu1JGULcz9Lvn6pxkftQlN0gqE3MncrcZ/l59fepbka/z8oqH6i+3nKdaEh6D+WudD/0xiJSdXAVM6jGrxQtFc1R+OmGTTKJB4aLqgcM25YQ760wKavx5+B52pSki7XdYLmb6Xbnnv7AnyCNmGcpcj795P7qasE2sVokqq9a2PZD7VhP9TPHGtEO6QkkNV5gLxGsGvmshMM8KQgjK60HPQuSfHFVN/SlcOKvvH5ec8sBuYUt24xcDPewV9cXZwjcmwufFOVbC72FTEmU5qvmKobJTGjjbhWsHwpopESctmXuArIcVPsX5jSe3C9Y+9tjbkBGW6/+o8pTfodsjioXevVDXwjVBmGYk8xjZtF6/xfhpWvfunDXgEhnpT4i6ikoQiva8Mw8NvLe8U8Ivr6qCDE4ys4RTs56aw/CJHzydKjX96ZPzim52fAIJvEt1HvMvQx/O/q00h0WujYBcSBivYDtl7hC2fl6pBvM7fjipbeF04idkAKKXf4j6SGunx4hWq+eIA5tnlG8XVZZKIpdXKLgarvWs5pLlTSAK5ckF/yddcik7gAZc+pwo8kCAXIXPisX/yw9cZhI51PNTG1yxtPHAWKgULYLoWcnBCGTmPVXmj6IhpGuNuQ18TTpEtwnrMmcGq6aG/M2ZI+oq0q6suJUWwsCKUVM/TS6SKXEArzDtOMdXgyyDC/H3u+w3Bt/DwALLacq6lwoKBJZxQ6ewv3+ZkLcOkMRKu97hgV+rKmFqdPXqs+Skrf2MRl48sUCPIUXhD46ocFNpemcXcr73G7AxmmFLT6T4ZFm69K6eftUP6FsgUwbed+SaWTeptaG+wueL1NECoXafGlJAmXkjbBdWVgF2oMQFP3Kau135fiqmHpoWGzG5UhKxshTTtRIvbG/296NOkNZWBT/VzjwZti3IUka7HjC3leu28IlLsN0fsNPjQc2uIR3uVsR020g6et0m/Nys9gHDWXG/aCAYKhrgU8w37ZHBs383rkl4uUIYJH61SmTS4JP/wgh/+Q1aU8gXaZ8/Bc0BZUJdF3JR48fjkuMi2A8q5vkTQ1yFCvbBTtdg336v5tZc/xOW5/pt0W1Y7IgPFwHNh4iPAtKQZ3Qybh5PXs4N80YeYFWIjV6Ai0uY4yPdwYPfd1pRdpf3Ll+bhnbDPg0ye4f9lAhSR/cAZpft7BTd6W6jCv8QfWZcDmoBGZy68GZsYfCJ3QAo6szxzDtuyp7WMJRxioPt1EVA9q+8Rp7hHmZosoZOIUV+q3W5yZymL/PXZABiIc2OW9kryNlxQlBo79CSLGdXWeMq3dN1MSWoKJzxEseQqtSY5E1DYQosT1+3B8DXm77WSLMuB6OLjEz760y8jyIiLTGAVslcOb5XNfrQf5+l52nxCl/uSZo9FxiKg7ip0v3PZLuFSTSEaR2R2WeSuv/KoXi7WxFiG6VskpyL5jMhBwjepExFVosrOi4XugqR8vD3byTYUnmQvWJyyrI2LqQsYsa3o65SIO4g8SMKRsJJ8WWHpywLjF00HJSWiGRu8bQguvDTQd3UP6lgudzpubERXuUIBiMPqBKFJ1QTWA6N/t7dxR7NVaSexrGmY4ZSoIBKb9Jnge/+lkKrO9CgqDQpTAAvwwBZpFOV7EYLZNRpW+F8HaCNMeql7V/nFqdaaNdm9yLBhXbaeujalyiLtvBCghe330JVjbBTYWiRulJ2xnlX4GLzORBRIVHJYjxEKzCeVW7J2wAKkJ6gx5rlfDOd6r+Tf+1L8ZZoJEdBhIW7flslxo4amGRTI9QGJKVCIq/hrUGEgIAKsDsqTd21lVdhy+EDM+gumO7FbMcqVPRpwmQMFAZbJgH6TeS46tA4XQJGbwQhhBaqVb3jz7OJVOZ9C3/XfxPPpK4B2OyqINKNIRfyZ0fSmGlIT4LPf2IUEDCEKuPd3ClX51qNnVAPt/MbooF++Vp91KImdqCHwdiAygZTH9u91UN8S9IW8vo0XE4eAgdInjOM+IzUPhC+G8i6UNHbOpfQ7dntDc2nCv4nFKLjLZrgpm2kFrQ60/gDlbXBFF2eRcfYkSQSxVLWC4kWF1ce9YZf/j6erm6GnsQiyNoePe/Nb0v2f5DAR+9yoSJEOAi/AHacA9Dq5kfcoOYCrLkoc17SKQYmy/M9m5Mh3inI/O4wbUQrYDKHT0j77BJnkY11M6AiEF9YC0F4lCV4hIefQ3PnI4nmmo9b8rHnqvmrwUZrcOom6Zp+A7ydo4t0Bw1cDzEwJfpcb3JjpFi7F32/vHHLtGuPDvcJqkhw8VLuaAWAcEPJcIHJ+vAKCGWtDH7yQEOhFq4touwyPYDWBA5tqPY2xkFIAImFRhyLtTQupiNbZVR4G4dj24l8uQl2iz9aoDbJlNhoT+9YhwrKrYdM6hqnvpmiYqLIM+2kijZ8JmBS0BWNLCr+6rnbZbEB5e1ezokice8HQ1XcXbsegcI+eJ+gfDhYKw75VVyOd1Uy/pjLCCwQTywTIbf3iSuETvs3YjQrET1m7GJm3q8G4dx2M9c2B7R6B0ej06pkC4WwzFg3hEG6z2BaNrkopKkoE99bjoB2VHkgGTe+YM1Q3t+jA8IB7XNlnVH82AJ6eDMqgGSWBZiGxwx0KVUMg7cTi0iD6JNSYea0ykw+fh7Mj+8N0zhmzdUjdNBwZqxHVUbqIhUhk6meGRN5EASyt6qR329AqzbKaloS2VqjLjDkSEMhQfL4jHa8yPp8Cyj6EjgM2n5LnZs0u/43eh0h4ig3zQYMkwrHixI5hNQTBwSm3QnNpr3OnXAlypCPbCTiMC5sxHfrSTFkmjduT29aZ5qHQOc5zYG5bE2CmhWJdCOZm1s1mUT+Pxbxf4m/sh8w7TwnA+leD1rUvwYfyl5WI8f071vPcg62uTwScxr+TErvdzAkg9HElnsO6km0IncHIh79zexCR51CrtrZAVxc1gnnDtTLsaKmcEDkqIY4U2cUv+1CtPWz7IfKea9B56x+bFY32pwqYeXCHdDVfBGSMuM7mqZUBu+3jETSbglozYrukbgjftdWob3s/hR0WB0lH9uwkugfoGVonasPkmPvBhuvozkCLvP9aplqwUoL74D4JhHFLciPvV+Cmw5ag1WtErB89Oimm3tnOpynCJwZTQM+NVgBtKjom0qOnyn7l0vYIKQFJwV2k5w+RfrX5EOOjFfg9D2u+gHgmrqzaSl6kk2dHlQYmfeP+nJxiH7eGO5D3ooYHp7JKZBAaJHcAWWpgqVL/L8pjSJLCPRGBF/5DnfggwFdNprl3LqYnr4io+Wp4+Du74uvQHNpojrUQ4j7Qp330rSbCK9iX5v14zYr6RlqKe5CtTqHjPzuL8CxFUI1ImHgViNpff4=,iv:8cb1FcIm0oGkcrfLNqXamx4aDA3owBZoHur8+uFsdmA=,tag:oFPP/Yene6QrxFDKlmoVcA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -46,8 +55,8 @@ sops:
akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX akVjeTNTeGorZjJQOVlMeCtPRUVYL3MK+VMvGxrbzGz4Q3sdaDDWjal+OiK+JYKX
GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ== GHiMXVHQJZu/RrlxMjHKN6V3iaqxZpuvLAEJ2Lzy5EOHPtuiiRyeHQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-09-17T02:02:24Z" lastmodified: "2024-03-30T21:22:02Z"
mac: ENC[AES256_GCM,data:Lkvj9UOdE/WZtFReMs6n8ucFuJNPb76ZhPHFpYAEqYEe8d9FdMPMzq05DBAJe9IqpFS0jc9SWxJUPHfGgoMR8nPciZuR/mpJ+4s/cRkPbApwBPcLlvatE/qkbcxzoLlb1vN0gth5G/U7UEfk5Pp9gIz6Yo4sEIS3Za42tId1MpI=,iv:s3VELgU/RJ98/lbQV3vPtOLXtwFzB3KlY7bMKbAzp/g=,tag:D8s0XyGnd8UhbCseB/TyFg==,type:str] mac: ENC[AES256_GCM,data:o3buZqOYZXiNyJ7zDtaBDFwbtP5i0QNvHxVVxtVWdLdRASVmau/ZXdQ8MNsExe6gUF4dS6Sv7QYXRfUO7ccmUDP4zABlIOcxjwsRTs5lE45S6pVIB98OIAODHdyl6LVsgxEkhdPmSoYRjLIWO56KlKArxPQGiprCI7AIBe6DYik=,iv:sAEeBMuJ8JwI3STZuy4miZhXA9Lopbof+3aaprtWVJ4=,tag:LBIRH7KwZ0CuuXuioVL10Q==,type:str]
pgp: pgp:
- created_at: "2023-05-21T00:28:40Z" - created_at: "2023-05-21T00:28:40Z"
enc: | enc: |
@ -70,4 +79,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.8.1

97
secrets/common.yaml Normal file
View File

@ -0,0 +1,97 @@
snakeoil_cert:
public: ENC[AES256_GCM,data:YBV90zdyW39hnprJFgvtDYfBjRFvQam7a3SjOVwg+N7qeRc2JNl3rAUHyMMA5y0pUlzVCyVM6IyU7Nh7+rHvTEnQ8IHOxbnZzYnj3ccdFTMSTwQCJsy8tgMSYrrDvc/KqzNjjdUjSJm4iyVbkvxbV5UWm41k8pGMe++wkL2JmF4SyAm1ex3EriipoPohmGnO4XPz8ph8nXlyCE9OePQNkYjmN0zrPq9tv7jeEbMWsRhe/tjFGPvByBqnTLZ5cpx3Qqb78U93VYcrYozlKz4k40Wh1j94PRdLUD1KEpGvaIYmvs9E+RTvYdEYKlysNrPOKI0pHz5MhFnVgQsCfuWe4hyC6EkPoYK16eA6STjN9NGt/fQCUjoEYCDTUqaPhi2rIEw8EwQu3V2WdK1CiscLH16CTsmOksrnBC5awADP8prloBamAVwGotL/8C9STsfdZjJye2WLBw4jn1teZuFCJRxXfIQyJXgr+XsdaUIRV9SrQlnYu7+wsD/fFH4gn5DCLl5PHr4tu13ecGFS8UmOAEUg0AfpXjxIFodZNjUVraCKEUCeqG0NpbeOVifHfrjzbiiOIAKe3IBtXVsLBhHF1pLeP2Y4gdswleA/DvTNeHctIn6Fm/o3zavvJTCELCMHZy8imUVZ3xlqRNt+mavgpkbht1xiv8bfV6zQL90WVI1EwAT8OclwSObpwS14fmC4kgHsTkFMwK1Lj+2xK3HctW9hkzGPg/rBkc1ZQZSNAqM3KlMkLueuO6XuYxIT80D2D2CZdaYwYRAtfAvqWzwJXfU7D7VyzMj6rAbLX+Jjc9UyBSigH1ipvMHQeL8259QIeuV+J8kABUNUi4CqRHqhQmO4XQWriFZBXY6YB5VR1EEOJ3yDiLcgSq0Y/qi7sJpSNhY5Qmfm+q23M0sFUAvYPpWJArnkuXfyZopgDaIdqnVl2zabw5V+/McaL7cDcHsHG51eEoSquzv2jXejKE4Z4NGfGGqYj0ORO3nViW7oQzS5W72HsGB+yuCBDvJ3YCT9mX5vM+G/LsPoQyqJOmmammI0vgaLGI0LDqFB6s1+Mrvu51ln7V2kKGx7GIyUVdETfOvZq0mrIxN0YHhXvIdj4LcMlDxgN3TdtsU0GdtOXLGPWzykptgOe0pxujY0PRwMEFBAuyJ+gsMNDDucbFsrvyzpSI6+advL7oUhI0aC9VAhCtTAFCnyZVq9hRgRgEQm6hWbP/zLqTm59kjs6Un6m5YW0lR2Tpn5HXE7C1Q7pM+3cqHsTGItjkbSqWBmpamkYIEgyQtbcBNus6mBLqbnDTQmYmkZMNtYlBq4tSfkYDKyZWojuIE4zab87Sx7myNEkrgxu0By5KXQX8brELLhLClrTW/j+Dmu14D4obOgbAVFlPn2EAs2ZXPgQKrChnmnthkFeR1KRgLXO24U5pqNiN5tfqUFZ8rJ0QTYww1zN7j/Cd+mLGQ4ZDA872istz1Lkl7x1zmwLesKcGgczgfGjjqRHwC/ZKBjFyAg6bnTNjfoKAh98RJ7Hm4KTeACytWZvK2I+QLpuKTQjjNIzgDQXI8Ifke0OD83Tcy0IWtuRODRYqJJ9Y9uIyvvaPuNVMUWLycVHbOvKd6624GYU3ESWm5n8ynIXqDbTwEBkXtEkxAjW8KB4U2k/vvMkCSgacndmrJE8GhUROO5IAw0yFQYsy0p2jyxddTNvF9H594zvQMHxMQd6/xZXJnI4RxY+MoShiLGaj+1tHAKn6whtv2KMI5Tsq26Gh32nivvIp9Sodcvz9OziHLXDjEuSRXy9FXU/L11F4gWcIGNpts1oa/Cmk9d2dYzVr8B3jwk4Z3I6gc/LgwMdR65N8KfmvHBMkilaQ5B9K+RFCXmhLAu0sf0seVuFn0Vtzs7hkHDXFmjXzv3XAKQTk24jgFHUzSg68w3cf+b75GcRfbInCcB7KO+IKnL82tVG220hFK+3i4XkDkFAe/lukmJry/pJ/t9YYdzZMUiQW7g0F/LvEhWXPdF6o/Z9/QPoNvNcK83hJhSSxAz35He/JaFANgLqIECv2KHGEodG2dL2dHW/Q1YLCzkoLasQfNK/HPS9fxhh54B9BeNw/bOWsdsSwSLvMfughdv527FLI61h70rE5hMXhO0SKqoSNPEdomOA6nTG8Nbc0gmoODe94A7LfDsED7nqMTCH3SH6YRJVxOMAuoBw8eDpCwsN+d046kghm0eHJLDqa7wk9/pmGxnV506QikTLAWvHoPhLkXhvhXYSqRijpFQX1eT5pVUADTAY1JaYnzW7TKAdo82sIb3L8EnojOGAnEC+r82hjJj/k79BA2Irxufe0+zb+XIYnKdSrL27PsVqEiVkAb6+iDWDEwHoVR9RhMRmUKFE5ziV7idyEIKDUidOaDT3UaMlmQLDZ2AwKIxOXOsxNdwbtDlffZNYI2O5u5O7sM8mINOHUvMIR6moUyscyBEEbycQn1+PP/b9W68dHeV7goqafPxoqnsiwpWoCKtjTTYsNlBFOHiGMzds6L0q9YnZ24YXeF1PtxR0x9/z87gRxffjXx1eSG66K19dsOhyVIkcf814sSyQvq9FDEDkDI3tPWAxCbK1uFm/eelZcMfI5o+D3qZHY3ClNnky4m19Agn2dNtoVOgoyYnKe6T5njbhX/eK/plMidt6zM976sKNX1QoByy7xnU9lpgYnW4T5vwDO6thh6H,iv:3cF66kWxR/z89P8nyo2oBmS1vvVYzwXg21517VMyLnw=,tag:839M+5Q2fQb7tuq/Vk3VBw==,type:str]
private: ENC[AES256_GCM,data:wH2SCm9a+otsjbLzBeevjFgK2c3v1Ev/+NqZ7/N+53O3G0uuiS2yCO+/8Lunsl8AyNVHBHPoKFBNgDjo/RmAktuQl2U8pcgw2ARnWcR07QCPnGhco9aYM6GtsqnvOotclyPvP68w/Nn1g8ueVSNjUAR1kS2oO1NbOlxc8MaY66Y7wXyYiNN05td5+3qDsIUd9Ceez5xNIkfDtM1ueRQVY5GQNTEroAIQgqdedjumdbqgKTZMm3oQm+mc7TbQpKa+i5jXBKsN7FRg98fZWKsuEEUe4L0Y+Dzve8iWrTfQbt0zIU74/fGi1Lca0k+NfaaMrRRqT1Ub4OVp4OmIztn8Fle4QL4mJQcNsaORxBPC6npBxirHbNXJ6vM/+ljznt1Xjq60R1TqagWIfNPvKNMN67/Ua/eofSg/kK3kl3rzz88Znd9iAJshqdzwsuS7beLbxJlk3JyiwdAv7KRjPn1S4majiPQ0YGjI6QWk+4WsZNYhIFBepZKQD8v/6jcCtLwa7zYGGjs6iWG2+qrKNlvBowPlVJ7yU7h2lsJhhESG7mPusxy1iwqJt+l+lAh/vWSyskGoSdBV8U0F21TKkOZOxiMzTKHZXvOLkLirUjZYoOJTyjEZEj9C0Ci01gDm9gMYhniMT4am7RY/UAFcoMKtt1ertku2tfTw8MlWUTwrxYJ6T4L4UF7MxgTVqW/DEtn2BlQNJ2oqKfXJLdeRU3nRFxxsH1p/PL0LFp8s4zlprYahTVUnpt6QVBaFqriqcitBEfZ+DJSRak5/oygNzE0clShra20wgphD5sdVY5lGGKLhuwmTX3QSCDtWtSL6A07NuL/97g8/8t05bK0o5hIK377aMsOSbFcYy/FcCr+ELM8oHAehog4c5gPmp+zr9FnCfAGC0skqoboEIPe8nu6ee/V7Rl7oMLlpXI1yM90QGUMCemcwdQA1+r9cr11qkaUopNRvuv1exEjSnPZevO5DRuTF2iHAjWnucXw5V3XczCY0T0GGMpEBLJivB6PvSHgNQ0MClkcr0r5k7nlJ9BLkDkbGCRc2E8s+puu/uyFgexQjvIQBTcL2TmvIZq2Oas4pSQpn2Tr79SnJiyznhjuHcWZTCez6yV4UfKhmxkk76XdNL6UnIn7bwWZNjGfI6kt1ErVXtxnCCH5taXr+pvnjZoSW7zUX6Ubk6eGtcrQGkTt0x/jYqDocSsqVuKRCJlhrtkZ5/WR58147cr0bY445Im240nYQ5/CYqmuirLdIJHYeBS0FCkUmfysc5Q4qouCE/KMQfIg0bt/RqXr40n7msuCexzwzDxyjK8BjDlFYFvACkI0vFVbEWDpx9KKlt6V4cfm6AoewRZ4qMdaJ1xXtjy1lB8ugFXhlHBRKz5LwM6RU40a6Rra77s8e4i/g+MzDZIeGx9XPX3wVOwJg6W8/Pw+vghmZyv/3jF7zPT7L8Odety8tG3kVb+e6GFnYTkoIWHTFOV5UMCErQxADd/LDszK7Fp1+P/ScZo9ckV9DcqzZ1EEEvApfFLZHHCv3agb+MViGS2hue2AspKuv4E8aNTUL6yIDG0DpD401p2P/C7EwPWruY+Y8S04Y87YoRhMetnyOxbEQIchSfwhz8wkfuwVsSVPGWFvz5/kygA7OPCHoS0m+GjwO1VfjDhoiy1gQpsgXIeMi97k2SX/1Oxzp6oTWy7WiZ2jvJn1wR7eEAaXAAIv1jveHLU607rAN3zcV9MsfV6PaddJGFI22V4gc9qGiubCFxj51opGHnerx4G0ACjuY/B3sAF5JqU1ruLIpijprLtx89rVTH5p57NV5MQtQDoCZan5poCXFX3MA6KqjVQrEWIbr6T4Am5essSZLK+zWzwdLT7eoKkhMK/+0YnBeAB4CeETpQrcRmfOypFZo5JUn9EdAQsY5F4iwStEmgce5k+Mt63E/CUH5CoH/5nNSLqTbdoQRLaPup4Pb9qun07pI1TpdTM0DABso+gwbbgYG3Bq14yG3QIXq+6r6HVM2e0nlThl+fGj8F+9RPWeW6s5AgORRoZifG5CmXUJfTLU7bao63bZuoAKRZUrctT9/Mu23toj+x8tKrkIlEV7C5LR3bQh00IkfB5l+kafhjq73bg6dEgIiClTZHGSz2/6LMr5aHH01jmmnjhAZtpb4g9OfxDp/DKCYiSZrVCx/fN7QJQQ87baX7gj3SxwRY13NyiYsrtIhQ4k0KJQu6b/X7QXKAtngj760lpAfn0xw07C66A8geOoG9XHvG33DDkBW/3SJVG92VNkMLg124cgZxEsS2zP9EobbpwJoAd9KbDdrdaJsA3DvxIxl8uYpxHrRQiiGwzUdS84mmPGratUnYOPGSQzMyy3cXH4EpsypF3fi03yqOJTOvXXa+jcfK6GCYGAqeR4M116cyqEGasc14ZaCYcq4toMzeXrVvuV9hJ40umyhDL+tQ++2Mi2/Vz8OwaLDz5+oBxlnVYqsTrEfKADvH24Jry+IsWhP5gon3Q4SBP5YfDAvcJbmwMeJsIXAJi6YnHFFdMUC37Rd1nOEKY9vjnrzXfKEPLHqL7/NYrQ3sMjp+I53jdmXAICPF9AzndbnupA5XqZK+mmu/VKXTqOY8uoRZiIyVpN1m9mRboTSyzHUJV5vBHTchhpJbIYIV6MdMYKimrU7iONj3ql+ie6uI5rqNTsYQvCNehpNZ3f/8cINY1/+PO9Bi40Btsq+PcJgHuOY2bsPB87DM1/Jwgux7jA8ENVJnBSX7abE/W138I5XnxAKBTFSIq40iqCxAK+k72pMC6pjKr6oaZzzb9pwv9raN8Qc695C3dnZgEriaZbB/AbTjRbJjorHHgI234DIEb3dr3pspoFoJMRP3OKeG43ro5u6IZo6bBg8lH50TxVwbfTPPLYDNNSpsm0StaYOOPbIDdUcnP+guGVsHw89Dx4k2xjTMQhuKjyrORSJCBy2uaZWMlS/Y7NddIcN9+D9gOluT/Ewj7bA0lUCe04r0sdoewZ4u8IZ4gZbEipUAJaj4aOlpP0Bm5MIpCsy0COgjaTVYARXo3OeG82kfBuUAMqmrcoU4U7eJhkVcFgrrYbET05TG3dPuBIRccwejV2UW8Fe9Y4ZH1xx5GM3gbIRxdnoBixMbbfepgOWQIn/SIuv8hW6uBblAYom691q4PVC1XH3io6eeceNKOeAkANpGp1Ma7fy2DsMCvmCqwJS/x0M2bBVPs5694rbNMy6LErzR/hRxxHoL3BLFFl8C65FTSOiCRLF2wlnvVv5GkBahKUUCHMfQfp2OSgZh8UdT9t/fTNYctTWPVeijXRvD7uqmlcZnFlXgqI1gPVz+ByblF7vi9Br5M4gE7PdvVjxmlWmT2iPaTjY6eygdHZY105aQX2gSSEbWHc4u6p5qqT04+FfOgWp+7ocraQfV/orMkSHglswpRZYA0mAMXoUYRsxQfc6p0vkPsshsVwgrDMJwMNEsK+bs2OvvihrsPt5Hav3gUc2eINIA5TKr1Wbzzb+mbhZwjMt2AlYDv5xFs2+ZyLPZVnd5NzA2oZIP6C9xtzs/1VItTif9q9iGlC0E+NS/McZ2Nmwg5FuCyeN85RJW6SbJmxrR9a3wU8lmVjmk1PSnDmNo2YWP1ARO4XrHpK905Mv+ueDqhQJu1zURdON6BRtJDsOfWANb7Kj93nlJCn4MKzwWw8dXZkkikzw9u5Jg1H1FgDxW5kTE5w6FQmxw82AVqmO8pWVEz7K06wh2RQJfrEIpnwu5fUsXlhxZl+99ksxqlwG9TwhY+wUTkiklDDqRc9AFdkh2UL3JRHvIUhURfKSQSSX9LMYYFDV8EA+dHxbu5IAiXGa8Vj5SD0Dg6fZMxFFtSm6iTpkqN21qmlI6YvXmwFjimnuC9uyI1WHcWq2bQQuHT+6VTBxOkBATCCqFJZtKz+gc54Ly693scKATHoYxcLW5I5ZYLUzVcyEdu2+2cflRStWTR9meo1d1fiioaaTXAW6e1Aa9/x++TwtBZdt7s2vTN7ZBeTQA+RNFGHYbKnV1URzTSVYnEr1Ls6omGGoxyxryMlxWYV9UNa/sX4aJvQm+Liy4YhvC7l7qbUE+ycSww2GFldQcg3ngxcbPw9L4CWWoF0/iG3ykZHahZ9PW9jVzrZyf/BjUMaK8/2QdR0pg9HTaKmQMKubPlBdYriJY2sYrVq3mzGDeiRJXL91k2rImCT3NsNG7VMERBSTJ82L4qfU3zJnw92/NZlNnVd7JH2cpurUO40gAI6ylrqZiuZKVoYoufU8EmRrd76Rx+vuwBgukvwogUR2OM9mIqHbrfpN5Pq79Rts7YCl4HYBXM6l2Vdh6yiXnXoWgNybMNKPa/X8Bgz2C914V/OGiyQ=,iv:xq056Ani+OGZ3/Fx4r6s6awdH2SAk6antLMxBGJaM3g=,tag:ORy1QO+Fw9vrv0wetg82UQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1gp8ye4g2mmw3may5xg0zsy7mm04glfz3788mmdx9cvcsdxs9hg0s0cc9kt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhK3hTbmdjYlhPNk1vM2Y3
YjVUb3Q5MytwbGgvU0lCVHJsOUxhQWNhc1ZRCnYwT05Xd3JIVktQWUNwcXkzKzEy
eUl2WTlqRHBnUzFWNnorUGc3RFJQQ00KLS0tIHAyUWlqR0VaOERjMWVuOFVtZkt4
Mmk0V1o1V2pTcE9DWUM2bUdMWVNPa2cK+KI1lwxxcwk+mXPKBoxMbIKzLvLgVp9m
+gLSg0W4UJgxSjyzlk6z9i+xhS6u67YL3hUvth3JzPn0WeAARZLqrQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1hn45n46ypyrvypv0mwfnpt9ddrlmw34dwlpf33n8v67jexr3lucq6ahc9x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlR1dGT3FKamI3MW9DVDBz
dDY0RmRwVDVyRkVnOEhRVlNUSG9TcUg4RXp3ClRNalZHM0RwdG4xait6ZGpKd3BT
dFdTa1NvV211N0ZXZWgrRmtqMmxzS0kKLS0tIDFQK1ArRW9keVc3OXIxTkFVQUhx
UlJCV3hUNEkzRTZmaE1SdVJnN2V0QzQKQU8A+8IOqWsSV17Sfro5qxSS4TrfHocH
nl32Zlz4xb6QS6o7PbORGo/Ck0UUWE1SNqHfLj0zOLlgTZU4mPFtww==
-----END AGE ENCRYPTED FILE-----
- recipient: age12nj59tguy9wg882updc2vjdusx5srnxmjyfaqve4zx6jnnsaw3qsyjq6zd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RHFDTE1TbjlpQzFDTm5T
L0J0TmlJSUVBUFdlM0dkY3RjaGVYNmJRMm1JCmF2Z1FxVXdaWm41YXBuQVNWRUR6
UUNkL3lYQSttaVJKVVhuM2ovQ2paMW8KLS0tIEFtVzA2bEhXYjJxdmpLSUQ2YlVw
RGxqcTR3Njc2dUozcEZLWmMrRldDaE0KWPflKVLM0mj8TuLRYD23hBB5jtJ/MbN6
BBJ41efzm+3GMvZ/whahl3mF/csCOuefoUL1S9MYmocfwl4K5tR5wQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1sl43gc9cw939z5tgha2lpwf0xxxgcnlw7w4xem4sqgmt2pt264vq0dmwx2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRSXdoUEpaaEZxb01wVjgz
YzNVNzJYSGx0OGlFYnR2ZmNnVEE3MVVqZjI0CnR4eVkxYXFEUmlxcDFXTWpUYjFY
TTcvaXNrUTFaVHdXZ29qcThJYzViQUEKLS0tIG85SThFTnN6QnI2dGxtRjJwVlQ3
ODZUK0ZMZW9GUVNMWktiNHJPSVE5d0EKBGM7ay7sJbvIZdiOjDFNLhc5sRB8aFE7
iUGgikUNQ1UFHtcaXu7MNbhIrqUBkaQNfDtPPLE6aM483sAbkBz4rQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age17tagmpwqjk3mdy45rfesrfey6h863x8wfq38wh33tkrlrywxducs0k6tpq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdzBtbG55bGYzTllTbHIw
SGtUQk1EcHpTbkNFWHNKb20zMTlRY3QrU3owCkhjVkhGLzZpMHgzQ1VCNnZsMSt6
M0ZOOFBhOE5IeGdGc3M4b3RycU51a00KLS0tIGZPTTEwTzkyMVlIVDk0bm81ckVx
UzdOWE4rZVhpcGZpb3dWSVY5OG8wSVkKNWXZO2zPVS3hgPYU5ktQNPGXB1GA9WaD
ac7b1YEfbG8fRF7hGu1p3uCI9+cz8VrNE3fbDUXRmp+zkVoK62Fzig==
-----END AGE ENCRYPTED FILE-----
- recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzUjJQbk5sV0VDU2drUmx0
c3JYdTUybVRqZmNqcWdiNDV5L1VhaWp5MTBJCnhPc2hxMzlja3Ftbk5jQm9EVVdG
aUI4M25mb04vdnJ0WFU4bzU2UzZiQ28KLS0tIE1rbFNqM2NHdThRL1VvQ2JkeEwy
THRaQ20zSlVmRXpOVnQ1R2g1OVJLek0KStr3Qmu4P00vqxVq/mzVFKQc+3uTH1u4
PPo7Tw2f9PWE7A+EUi9LDKxNHJ/HugrUkq1YXDIPbL56tfHpVeCtzA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ju7rd26llahz3g8tz7cy5ld52swj8gsmg0flrmrxngc0nj0avq3ssh0sn5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArRHhoQis4M3dXeDdCRWNu
UmJKR0lnaUpIeFFZQVUxV2RHb001SGRuSFJZCmhlT1RBUEZKcWhTMWRwZWZIb2Rm
ZkxWQi9lek5sU2c2My9aeFBPbTRTNTAKLS0tIEh2VmV2d0d2TEhBUzZoME1JVTQ4
T212OUN5VmxmLzlKSHROdjZ3WjVSNW8Kr7K2Y7GIDqR5sbte+yZIFTLMSaa6cyUJ
of5clYcJSv9jkvNOOLR3ZWMK+c1NY9SUSS+No8phPrtqBqcIWsGxYQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-01T11:12:03Z"
mac: ENC[AES256_GCM,data:Ky2xbYdZijuS5TWWwum0ed8d2L/EdbFi0Bnrxlpw5Hc9XWnoXoJUXFLL3skfEMF0H/tLvtVuV6q10nBrKHkKeA2ex99I+KTRNyw7NmXikr7QZFXqBadul63lAFKlwm/js8q+3rIgVeu9uTsXX2QJqbN7rJ2frwIDYolSCvUSD/I=,iv:Y0UbW9AFMz0YmJzld+hipjmmurDl73ZOKDTFIg5AEqs=,tag:CPPvWdVknamBaT3M93tD/w==,type:str]
pgp:
- created_at: "2024-04-01T10:55:18Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA0av/duuklWYAQ/8D9k8KG7kvpTuGZ+khrB4RxGNGEQKV9qmrrX2TzSlajDs
dAt+qjh670Wh23xnYwg62G49g0tmZpaOhrZ9bvPL7GCbABm5eNNWh25owKpIcStb
J1cpytoKw5f2fjEcVj0Pw1gkx1YojZW46nE/Hkak9sJNqKR/9mGRYlZ537TjySzq
HqEr32VxyCbwnWSicxnCpGez6g7D/Z8ET3V8IVCEsaqyUMGCIzsUqWzgZoTxbryF
osvir8lyAc4U0pHjma9jHudjhyAHSbX5IAQBRUbRcDitAwmFOWdQ/1ts/7xs+atd
bC4aQnDrk7JpApXNj3+LKFnt3ZgLu3aCV6Fxp2BJBW7XYgulGOCEO/x5MOh0tZOi
RAu89PA4+vBpJvMq9mMNQhYfOa6e7WVYitKjjTRVAZbArjNjMYEj9EVYxC00vmwK
ZIs8zTfQsyYPPr9MyKvRPDScOf0f3Gw0WyH5VIHpO8dtlTOABqJddhmomD8jImsZ
VsXXcuqTWRUMS/z4f3/OmQ7nLaA3bX6/bi7VAUg9g22YJBwzDSbVi/M409+uakaO
eC6otcyn8uzIBar/cBf4ovgpCTBPVZ+Pf7qmL0AN4pQk+Pi94J12yTUyDZJfCfrP
PXUsjjYb+7rlAXo+KYkVjAOkhPn2zfNHPHi1naDGYBYaMwa1hoAqAeW15r4MRgvS
XgGsC1YeMF955Gysqaqk6VStaHAJuIHTPb6p4+iTdYYUYn5JPgjjTzFw3Sy9QBN+
h2YFCxL1PXQedRQ2VCVNkvwFChQDxFGTmXA0f4ItK9z5AzRM6NSbI5cYa/o/wEc=
=stLw
-----END PGP MESSAGE-----
fp: F7D37890228A907440E1FD4846B9228E814A2AAC
unencrypted_suffix: _unencrypted
version: 3.8.1