fixup! WIP: temmie/userweb: inject users from passwd into httpd sandbox

.sops.yaml

@@ -20,6 +20,7 @@ keys:
   - &host_lupine-4 age1ml48zztcmnrdrhrdsjrlyxf09jtmjgz46u8td4zm59wn3fm4g57qs4wg0l
   - &host_lupine-5 age12gws5nws69vxryd3kt7q0ayngch90efmhqcrfhnnsmj00lkgxd4qsdkvqn
   - &host_skrot age1hzkvnktkr8t5gvtq0ccw69e44z5z6wf00n3xhk3hj24emf07je5s6q2evr
+  - &host_temmie age10avsdvqger25z0lyzlq8v7xfzcmypkmjsswswaxwqnpnl6x9wcjq0uv2n7
   - &host_gluttony age12czfkvuw9pjk5qny5c6m2hjhd634cj9r4dsa3ss5zkux5h4vvc7s7k4urq
 
 creation_rules:
@@ -121,6 +122,19 @@ creation_rules:
       pgp:
       - *user_oysteikt
 
+  - path_regex: secrets/temmie/[^/]+\.yaml$
+    key_groups:
+    - age:
+      - *host_temmie
+      - *user_danio
+      - *user_felixalb
+      - *user_pederbs_sopp
+      - *user_pederbs_nord
+      - *user_pederbs_bjarte
+      - *user_vegardbm
+      pgp:
+      - *user_oysteikt
+
   - path_regex: secrets/gluttony/[^/]+\.yaml$
     key_groups:
     - age:

flake.lock

@@ -309,6 +309,27 @@
         "url": "https://nixos.org/channels/nixos-unstable-small/nixexprs.tar.xz"
       }
     },
+    "passwd2systemd-users": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1780062186,
+        "narHash": "sha256-FSkwKO/56i9RddwSydK804fSnIvbczBnFJgr2/m+F9U=",
+        "ref": "main",
+        "rev": "db2b19f144af046161b7f9ca69ddaf3f06fcceea",
+        "revCount": 13,
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/passwd2systemd-users.git"
+      },
+      "original": {
+        "ref": "main",
+        "type": "git",
+        "url": "https://git.pvv.ntnu.no/Projects/passwd2systemd-users.git"
+      }
+    },
     "pvv-calendar-bot": {
       "inputs": {
         "nixpkgs": [
@@ -387,6 +408,7 @@
         "nix-topology": "nix-topology",
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
+        "passwd2systemd-users": "passwd2systemd-users",
         "pvv-calendar-bot": "pvv-calendar-bot",
         "pvv-nettsiden": "pvv-nettsiden",
         "qotd": "qotd",

flake.nix

@@ -50,6 +50,8 @@
 
     bro.url = "git+https://git.pvv.ntnu.no/Projects/bro.git?ref=main";
     bro.inputs.nixpkgs.follows = "nixpkgs";
+    passwd2systemd-users.url = "git+https://git.pvv.ntnu.no/Projects/passwd2systemd-users.git?ref=main";
+    passwd2systemd-users.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs = {
@@ -220,6 +222,7 @@
         temmie = stableNixosConfig "temmie" {
           overlays = [
             inputs.bro.overlays.default
+            inputs.passwd2systemd-users.overlays.default
           ];
           modules = [
             inputs.bro.nixosModules.default

hosts/temmie/services/userweb/default.nix

@@ -130,6 +130,9 @@ let
       file
       findutils
       gawk
+      glibc.getent
+      strace
+      systemd
       gnugrep
       gnumake
       gnupg
@@ -154,6 +157,11 @@ in
     ./mail.nix
   ];
 
+  sops.secrets = {
+    "httpd/passwd-ssh-key" = { };
+    "httpd/ssh-known-hosts" = { };
+  };
+
   services.httpd = {
     enable = true;
     adminAddr = "drift@pvv.ntnu.no";
@@ -276,17 +284,62 @@ in
     serviceConfig = {
       Type = lib.mkForce "notify";
 
+      ExecStartPre = let
+        rsyncCommand = ''${lib.getExe pkgs.rsync} -e "${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=%d/ssh-known-hosts -i %d/sshkey" -avz'';
+      in lib.mkForce [
+        "${lib.getExe (pkgs.writeShellApplication {
+          name = "http-exec-start-pre-remove-old-semaphores";
+          text = ''
+            # Get rid of old semaphores.  These tend to accumulate across
+            # server restarts, eventually preventing it from restarting
+            # successfully.
+            for i in $(${pkgs.util-linux}/bin/ipcs -s | grep ' ${cfg.user} ' | cut -f2 -d ' '); do
+                ${pkgs.util-linux}/bin/ipcrm -s "$i"
+            done
+          '';
+        })}"
+        # "${pkgs.systemd}/bin/resolvectl query smtp.pvv.ntnu.no"
+        "${pkgs.strace}/bin/strace ${pkgs.glibc.getent}/bin/getent ahosts smtp.pvv.ntnu.no"
+        "${rsyncCommand} pvv@smtp.pvv.ntnu.no:/etc/passwd /run/httpd/pamunix-sync/"
+        "${rsyncCommand} pvv@smtp.pvv.ntnu.no:/etc/group /run/httpd/pamunix-sync/"
+        # "+|echo 'wwwrun:x:54:54:Apache httpd user:/var/empty:/run/current-system/sw/bin/nologin' >> /run/httpd/pamunix-sync/passwd"
+        # "+|echo 'root:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash' >> /run/httpd/pamunix-sync/passwd"
+        # "+|echo 'wwwrun:x:54:' >> /run/httpd/pamunix-sync/group"
+        # "${rsyncCommand} pvv@smtp.pvv.ntnu.no:/etc/shadow /run/httpd/pamunix-sync/"
+        (let
+          args = lib.cli.toCommandLineShellGNU { } {
+            passwd-file = "/run/httpd/pamunix-sync/passwd";
+            group-file = "/run/httpd/pamunix-sync/group";
+            output-dir = "/run/httpd/systemd-userdb";
+            shadow-file = pkgs.emptyFile;
+            email-domain = "pvv.ntnu.no";
+            ignore-user-file = toString ./ignore_user_file.txt;
+            ignore-group-file = toString ./ignore_group_file.txt;
+            set-default-umask = "0077";
+            set-default-mount-no-devices = "true";
+            set-default-mount-no-suid = "true";
+            set-default-mount-no-execute = "false";
+          };
+        in ''${lib.getExe pkgs.passwd2systemd-users} ${args}'')
+        "${lib.getExe' pkgs.coreutils "shred"} -u /run/httpd/pamunix-sync/passwd /run/httpd/pamunix-sync/group"
+      ];
       ExecStart = lib.mkForce "${cfg.package}/bin/httpd -D FOREGROUND -f /etc/httpd/httpd.conf -k start";
       ExecReload = lib.mkForce "${cfg.package}/bin/httpd -f /etc/httpd/httpd.conf -k graceful";
       ExecStop = lib.mkForce "";
       KillMode = "mixed";
 
+      LoadCredential=[
+        "sshkey:${config.sops.secrets."httpd/passwd-ssh-key".path}"
+        "ssh-known-hosts:${config.sops.secrets."httpd/ssh-known-hosts".path}"
+      ];
+
       ConfigurationDirectory = [ "httpd" ];
       LogsDirectory = [ "httpd" ];
       LogsDirectoryMode = "0700";
 
-      CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
-      LockPersonality = true;
+      AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_PTRACE" ];
+      CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_PTRACE" ];
+      # LockPersonality = true;
       PrivateDevices = true;
       PrivateTmp = true;
       # NOTE: this removes CAP_NET_BIND_SERVICE...
@@ -313,20 +366,45 @@ in
         "tcp:443"
       ];
       SystemCallArchitectures = "native";
-      SystemCallFilter = [
-         "@system-service"
-      ];
+      # SystemCallFilter = [
+      #    "@system-service"
+      # ];
       UMask = "0077";
 
-      RuntimeDirectory = [ "httpd/root-mnt" ];
+      RuntimeDirectory = [
+        "httpd/root-mnt"
+        "httpd/pamunix-sync"
+        "httpd/systemd-userdb"
+      ];
       RootDirectory = "/run/httpd/root-mnt";
       MountAPIVFS = true;
       BindReadOnlyPaths = [
         builtins.storeDir
         "/etc"
+        "/dev/null"
         # NCSD socket
-        "/var/run"
+        # "/var/run"
+        # "/var/run/systemd/resolve"
+        "/etc/resolv.conf"
         "/var/lib/acme"
+        "/run/httpd/systemd-userdb:/etc/userdb"
+        "${pkgs.writeText "userweb-fake-nsswitch.conf" ''
+          passwd:    systemd files
+          group:     systemd files
+          shadow:    systemd files
+          sudoers:   files
+
+          hosts:     mymachines resolve [!UNAVAIL=return] files myhostname dns
+          networks:  files
+
+          ethers:    files
+          services:  files
+          protocols: files
+          rpc:       files
+
+          subuid:    files
+          subgid:    files
+        ''}:/etc/nsswitch.conf"
 
         "${fhsEnv}/bin:/bin"
         "${fhsEnv}/sbin:/sbin"

hosts/temmie/services/userweb/ignore_group_file.txt

@@ -0,0 +1,91 @@
+Debian-exim
+_cvsadmin
+_ssh
+adm
+audio
+avahi
+backup
+bin
+cdrom
+cl-builder
+clamav
+clock
+colord
+courier
+crontab
+daemon
+debian-spamd
+dialout
+dip
+dirmngr
+disk
+dovecot
+fax
+floppy
+fuse
+games
+geoclue
+gnats
+input
+irc
+kmem
+kvm
+list
+lock
+lp
+lpadmin
+mail
+man
+messagebus
+mlocate
+munin
+netdev
+news
+nogroup
+ntp
+ntpsec
+oident
+opendkim
+operator
+plocate
+plugdev
+polkitd
+postdrop
+postfix
+postgres
+prometheus
+prometheus-exporter
+proxy
+rdma
+root
+# runit
+salt
+sambashare
+saned
+sasl
+scanner
+sgx
+shadow
+src
+ssl-cert
+staff
+stunnel4
+sudo
+sys
+systemd-coredump
+systemd-journal
+systemd-network
+systemd-resolve
+systemd-timesync
+tape
+tcpdump
+tty
+users
+utempter
+utmp
+uucp
+uuidd
+video
+voice
+winbindd_priv
+www-data

hosts/temmie/services/userweb/ignore_user_file.txt

@@ -0,0 +1,74 @@
+# System Users
+Debian-exim
+_apt
+_rpc
+avahi
+backup
+bin
+cl-builder
+clamav
+colord
+courier
+daemon
+debian-spamd
+debian-spamd
+dirmngr
+distccd
+dovecot
+dovenull
+driftsupport
+fetchmail
+games
+geoclue
+gitea
+gnats
+hplip
+irc
+list
+lp
+mail
+mail2news
+mailnews
+man
+messagebus
+munin
+news
+nobody
+noone
+ntp
+ntpsec
+oident
+opendkim
+polkitd
+postfix
+postgres
+prometheus
+prometheus-exporter
+proxy
+root
+rwhod
+salt
+saned
+spamd
+sshd
+statd
+stunnel4
+sync
+sys
+systemd-coredump
+systemd-network
+systemd-resolve
+systemd-timesync
+tcpdump
+uucp
+uuidd
+vaultwarden
+www-data
+
+# Misc
+nuccc04
+nuccc
+kybkokos
+kybkokos2
+testbruker2309
+testbruker2404

secrets/temmie/temmie.yaml

@@ -0,0 +1,93 @@
+httpd:
+    passwd-ssh-key: ENC[AES256_GCM,data:fXfqlhNbAIdacm7s4yirp+XS7gWhsp4jrD5yRzsU8lP+oueqS8cCkQGV4MB83OKa/D3wm1zxvjRsys9uxa+4kKL2/xOetDex5WXH7xAjzMaE0jHRNCjJMYM44L9+n3oc2c6rXz2DZ+4TEdGfJOru3pUIZx2LVYO/NB+FXSW59632PFhkuSypmpeeXRFn13ksd27W5x9fB4lOw9nrdyQkfuqvl0pD9uC6zef/sZ12rfre1JHyhN+jiowzWjJuzA9iiJpjNcek2wTyymVYZNxngfugnCkTKtWcfl+BOTgyhpEtGmL3mLs3n9r6bD725IAuoXUSzBEJqE1dCw93AvlPyrUwOXLM5lOX4h9IYS/0Izfc4w+qC+ID02XU0/cFufT8ODfTK08xF5QAOp5AdLxbcvMq3KadVPesD/5K75mzWtfC+UM4lo8TfphqnEtetL/P0DBXIJIsyY04gyTWsUVCfjcwWcliW6p3pcZZ+rkqObFs9n06uMWQq8qULa85yLq+mMsyPlBW1HE+TIV8jrLtVBqPkfXp85ZtllMOJRpeEOf/l48=,iv:1BE0moa2a4k2yqVBboS/EbNiFGLTu4Df/tnXBassls4=,tag:iPUOAEhqKbF9umsyBLaoJg==,type:str]
+    ssh-known-hosts: ENC[AES256_GCM,data:E2NiTUQokUDHzkfmTh5eECHZxt8v/Ug63ETA/CcO8358EpPeaFI1tAFt3q0o5rTCAUlB5cJ1ZOxX4mTeIH370wnwFN6emg+iAaK3VM+AL3Tp8Acb5EwErSOTKjAwrS5vwqb3oTYMzj42bKBk0b/qPWspGnoUfDI481+p99PS8eqpNCcGaNEDNk0BPwDvngwuur9o2RTmuWwxZO+s3wqlktQPkCguii8/FD3x3O8eow+v,iv:tJNxoY4UsRrB9k/fX9jLUc4hC3bioekpgKu4aa2o/4Q=,tag:DLj9rqse33D8PDLMxF/heQ==,type:str]
+sops:
+    age:
+        - enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrMStZRlNCem0zRWgvMytj
+            b2tGR0M4SmF2Z1dYR2RBK1ZTUEx4c3NhMmlnCkVwcStqZ0RPRm1EK01lTWJpUmd2
+            Qis2WlU2ZUpFcUVXZUdVaWVyQno4NFEKLS0tIGJZWmlSdEtaUnd1alZ6NURsSFY3
+            VXJGank2UlBqY0hNZ1QvUGZUdVljaXMK9P4IVuSZ8uhDXDWMOkqABWImL4mu18AU
+            7X+1t3nZVmPze3MOTBRWf483DBAM+69QDlio1uSzZjJQc1X0H6ePKQ==
+            -----END AGE ENCRYPTED FILE-----
+          recipient: age10avsdvqger25z0lyzlq8v7xfzcmypkmjsswswaxwqnpnl6x9wcjq0uv2n7
+        - enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMGdHZ2xvdnVMbFAxYkhF
+            WHRPWjg3OE4vU1RhTWxPc0cxNm1RU1BPem40CnRHc0gyQVNxelBnZERMNlp2YnFk
+            U0xpbHN6RlVHZHdkZktnK0hCMFQ1aGcKLS0tIDVtODVvNzN0NFJ3UGFYdkpLTmZR
+            R0FvdzE5NDhUNFpWZTYreklCMmhCWmcKuD5nNqDSP4SK3E1AsnZtE4jzYgxfgHau
+            nmPKA2dgsPoA2rug/kGB9uXeUUA0oL26FyjlPi6NYDVvN4u1IHgPSw==
+            -----END AGE ENCRYPTED FILE-----
+          recipient: age1ug30gg4y7ftuya0wdv7q0vh4egn00wlv2th7mt7cgc2ze46wmvyq9lq6ge
+        - enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3SUdGMUgwSEV2SUhkMEJm
+            MWJ5Y1VMdWsyK1NWYmxUK3N1cHoydWp5eUVrCllZK3hKZjNDYzMwQTFENTg2aFFi
+            dXpkWGZkT0hiWGRQdjltNXZ6ZkN2S1EKLS0tIFREeDFVZkZEV0phM3dRYUVRSSsx
+            UVpkZ3hTd0JuWm16WnFFREt4S0hxMjAKbihmtr3/d/BbX21zkZWNarCNa4cYCM9B
+            HGwcEfP4fnevWdM4LbXXBBmfoVUErKjK5tiMwocVZXZrsHBYI4amPA==
+            -----END AGE ENCRYPTED FILE-----
+          recipient: age1mrnldl334l2nszuta6ywvewng0fswv2dz9l5g4qcwe3nj4yxf92qjskdx6
+        - enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3d3g2aHUrT0d5Kzl1RmVk
+            MUh4eW8vTS9qbkZ3WHNYMjFHSlZLV2M1aVgwCllWTDFwZDV1QTFkQkVrUnN0bSto
+            aTlvVTVaOWVldDJjSHMyaFhLNXlBcUEKLS0tIHZ6d0ZZWlo5SVJ3a0VNbjRFYnkz
+            dDFFT1JVN2N1cjg2TW5xOUZKZDVzZkUKjtRmm87B4AECzS8mmL6rUyVfNYlsem1w
+            HDFw4p0Nt9JWFFWEWamnTQ+Bq2UPsueBW4Ei/WyDj5d4EyNptoJrDQ==
+            -----END AGE ENCRYPTED FILE-----
+          recipient: age1hmpdk4h69wxpwqk9tkud39f66hprhehxtzhgw97r6dvr7v0mx5jscsuhkn
+        - enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2aWs5V0xhTzJlMi9PNks0
+            ZUNiOFB5TDZQUVBnVThRQjdzYTJ0Uml1blJzCjhUdTdpRURsVlIrUkxnUXVhM3Vn
+            cmJSL0x2Y29aMnltcWhiYmhLem1ldGsKLS0tIFpMa1lmZjZPQ0FvSUhTbUhzRlM5
+            bHNqMm1xRGdMd2NOdVo0Y0xFLzJCbGcKnSMBn2kp/RGDr5NL+qMoWqqdCdSu4wFz
+            GjjUS43nW0++TVXusGIj60sDJtK623N4srpubykZtYfEO1c1cAURpg==
+            -----END AGE ENCRYPTED FILE-----
+          recipient: age1wrssr4z4g6vl3fd3qme5cewchmmhm0j2xe6wf2meu4r6ycn37anse98mfs
+        - enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnU2d6bFRqMk5jZ3lDdzA5
+            WFpsNVdLL2lXRGZ5ZjRIdGs5VjRVZ1JKdDJJCmxQeHZsZk9OQ1g4dG00MVNGeFF2
+            OURQUndCOTM3eUh1SnRaOGFKMi80TjQKLS0tIEE2eE8vK1dnN0dnbGNqaWZqdzJx
+            WGhRM2R0VzV1SlpxeGVWOXNCeWlzcVUK/nD3DWVDjVbWJmP33OC4LSKA3qrjN0hb
+            kZV4U44y+8uLtBVm3WnkZd/cg5wqoD/1agG7aCc9DMmOmxHUfdfrJw==
+            -----END AGE ENCRYPTED FILE-----
+          recipient: age1zhxul786an743u0fascv4wtc5xduu7qfy803lfs539yzhgmlq5ds2lznt5
+        - enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtczYrL3NrM295NEd4N3V0
+            WndPRXltZFhOUU1LdGVNM05LRzV5blhmU1JRClBpU0g2K0FJbFE0RVEyVW1ZRTJU
+            d2ZoeTM0QWx1NE9wSjc3c0tUa3Z3VlkKLS0tIEVrQStXSWRTUkJvK2paTU1EUkcy
+            ZWtMdDRhTWdLZnI2T2ZmS2VXdjFpZVkK1LAo54bl2QIx08rMJ0A8Q5bVXWcaoFPo
+            Y0/PSyL+vMa2Ab6b4vD6GNY5/KAE5XPlvBEKBrIe2oIAMJw38KUq8g==
+            -----END AGE ENCRYPTED FILE-----
+          recipient: age1sqs7urnzsdy64efmd0zukzv3gs5pnjksuxd7nqmdwdy5l0nqnunq6hyune
+    lastmodified: "2026-05-29T13:54:14Z"
+    mac: ENC[AES256_GCM,data:g1PT225ggTfHuzU9qaNfNrhIVqtTWRCSm7iFDTlCZTDr4PPGbRtUH5fIJSY1F+2mu+H2XRM9ueenhqTyyyDJGsq+Oqp6Ae4E7vp2Uo4qH8O2d/u78EL2zNVestTvCnJGJ5lPWrN2i41pqOWbNx+dXt0O+sdgS890IQkj4i8VrRU=,iv:CjBKRSCMpAT+gWEFjvqb5OBy5u6ZsDelsCg5lGNOsN0=,tag:k1ia0wkw3YQfeFdv0GTX6g==,type:str]
+    pgp:
+        - created_at: "2026-05-29T13:54:02Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA0av/duuklWYARAAq4qDoGJmeum8aPwO6TGOO+iIKNE3rqIdCsUsTs+SF3VL
+            ejSW3yB9hw5ptg3CCUH0tZRuZyvQ3fkXFh08hSBfBhICSr9NS2vllXp4ILlhNG0P
+            gEIq67+daK2YyWBcV3Rh8OMz5niGYDKF6WZjzlkFxinUFcqVtQrVKw9pti+Crhs9
+            QgZbTz5+Cph/ACSLufSUV2yyjv+zO+VhyMpHR4x/B/el/T921vAQAdGx9DprC1ed
+            cse2kg9ouhMQI+Aii5oSnDCAuVZGZQN23WXQBQp66l4gFmR3Av85miguEF5Gf8YW
+            44GiixHyul5583NDsMQuoPu1gzE8CqUPMVFVGzp5BsXbb4HzmEslxkpi7obCs7wx
+            fCplc2L+mLa4hTBJXYcCcRbsbopjDnYLNLfl4nvYHW5utimNej4EBdzQQg3DNf8J
+            zdNXlwHXUBgU8ayAyOwThQIP4s+VDSh2ASSWwEmqNMr5nkocIl7UO3J9MzkLNuc1
+            0S4b8rM9om755SlQTeLrOy/4aloZwCMFxQOeIoJ0fxNlgap1BS1FQ68leA+uiCcc
+            vCFVMlYUOwMl2wqkQ84pY3SEL6z96o9wpOyRERk/yfjBWnGjqjANNz4uSXggo4B9
+            LTLIqO+Li26+geyTATIMJU5SeMdP5s+Lvc2qzn0c4qr67hVo9H5Df2qzijsqIqrS
+            XgHQdNafa0JYSH07UKFvfmcDYU/sWRi7QrFD3/zn5HPUN2XNQj4P9OF93NV8tAqK
+            pFqgdJCybDSp4sQujjQOZkJ3tpVnlq/G/QjiAY2TpbYxzPUDWP0Pu0yGxVIrJ5Q=
+            =atHd
+            -----END PGP MESSAGE-----
+          fp: F7D37890228A907440E1FD4846B9228E814A2AAC
+    unencrypted_suffix: _unencrypted
+    version: 3.13.0