diff --git a/.sops.yaml b/.sops.yaml index acbef1f..be3dc5c 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -19,6 +19,7 @@ keys: - &netboot age14uarclad0ty5supc8ep09793xrnwkv8a4h9j0fq8d8lc92n2dadqkf64vw - &mail-social-grow-tech age1gtulvdj4aclpfhk3mmzvpz9xysccxhvu99x6ayaqlj8m44ehffgq6zuc5u + - &web-social-grow-tech age1md4kkdf08zmagqv0yzza8h75f80c9j8np2p6eqea6fpa94szd5lsltz9va creation_rules: - path_regex: ^[^/]+\.yaml$ key_groups: @@ -87,6 +88,13 @@ creation_rules: - *dominik - *dominik2 - *mail-social-grow-tech + - path_regex: hosts/web.social-grow.tech/[^/]+\.yaml$ + key_groups: + - age: + - *bitwarden + - *dominik + - *dominik2 + - *web-social-grow-tech - path_regex: utils/modules/lego/[^/]+\.yaml$ key_groups: - age: @@ -105,6 +113,7 @@ creation_rules: - *fw - *fw-new - *mail-social-grow-tech + - *web-social-grow-tech - path_regex: hosts/web-01.cloonar.com/modules/bitwarden/[^/]+\.yaml$ key_groups: - age: diff --git a/README.md b/README.md index 1d43ad3..43333ab 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,7 @@ - install ubuntu 20.04 - get age key from SSH ```console +curl https://raw.githubusercontent.com/elitak/nixos-infect/master/nixos-infect | PROVIDER=hetznercloud NIX_CHANNEL=nixos-24.05 bash 2>&1 | tee /tmp/infect.log nix-shell -p ssh-to-age --run 'ssh-keyscan example.com | ssh-to-age' ``` - fix secrets files @@ -52,3 +53,8 @@ systemd-cryptenroll --fido2-device=auto --fido2-with-client-pin=yes /dev/nvme0n1 wg genkey | (umask 077 && tee privatekey) | wg pubkey > publickey umask 0077; wg genpsk > psk ``` + +# 7. Hash for new packages +```console +nix hash to-sri --type sha256 $(nix-prefetch-url https://tar.gz) +``` diff --git a/fleet.nix b/fleet.nix index bfbcc3a..1f6b57e 100644 --- a/fleet.nix +++ b/fleet.nix 
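Review bot: The third hunk appends `*web-social-grow-tech` to a creation_rule whose `path_regex` lies outside the hunk, so every secret file matched by that rule becomes decryptable with the new web host's key; confirm that rule is meant to be shared across hosts rather than host-scoped before widening it. The rule added in the second hunk only matches `hosts/web.social-grow.tech/[^/]+\.yaml$`, so `hosts/web.social-grow.tech/modules/authelia/secrets.yaml`, also added in this commit, is not covered by any rule visible here. Adding a recipient to `.sops.yaml` does not re-encrypt existing files; they still need `sops updatekeys` for the new key to take effect.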
@@ -52,6 +52,10 @@ username = "mail.social-grow.tech"; key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH1K4mhBji1kMGnO55OOFaDknBf2Q6wgm7DaMYKip+S5"; } + { + username = "web.social-grow.tech"; + key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIw4lHUd/+rHIWP2WBAj9smo2CkeHEOHhTqZzacmxMcC"; + } ]; in { imports = builtins.map create_users users; diff --git a/hosts/web.social-grow.tech/channel b/hosts/web.social-grow.tech/channel new file mode 100644 index 0000000..425c774 --- /dev/null +++ b/hosts/web.social-grow.tech/channel @@ -0,0 +1 @@ +https://channels.nixos.org/nixos-24.05 diff --git a/hosts/web.social-grow.tech/configuration.nix b/hosts/web.social-grow.tech/configuration.nix new file mode 100644 index 0000000..dcfc54f --- /dev/null +++ b/hosts/web.social-grow.tech/configuration.nix 
@@ -0,0 +1,62 @@ +{ lib, pkgs, ... }: { + imports = [ + ./utils/bento.nix + ./utils/modules/sops.nix + ./utils/modules/lego/lego.nix + + + ./modules/mysql.nix + ./utils/modules/nginx.nix + ./modules/authelia + ./modules/collabora.nix + ./modules/nextcloud + + ./utils/modules/autoupgrade.nix + ./utils/modules/borgbackup.nix + + ./hardware-configuration.nix + + ./modules/web/stack.nix + ]; + + environment.systemPackages = with pkgs; [ + vim + davfs2 + screen + ucommon + php + php83 + ]; + + time.timeZone = "Europe/Vienna"; + + services.logind.extraConfig = "RuntimeDirectorySize=2G"; + + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.defaultSopsFile = ./secrets.yaml; + + nix.gc = { + automatic = true; + options = "--delete-older-than 60d"; + }; + + boot.tmp.cleanOnBoot = true; + zramSwap.enable = true; + networking.hostName = "web"; + networking.domain = "social-grow.tech"; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHC9YODKEKu5bOC61qkpPd8QeZxbNPCQKgfh8xUFMdV0" # dominik + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius" + ]; + + # backups + borgbackup.repo = "u428777-sub3@u428777.your-storagebox.de:borg"; + + networking.firewall = { + enable = true; + allowedTCPPorts = [ 22 80 443 ]; + }; + + system.stateVersion = "22.05"; +} diff --git a/hosts/web.social-grow.tech/fleet.nix b/hosts/web.social-grow.tech/fleet.nix new file mode 120000 index 0000000..5b16de1 --- /dev/null +++ b/hosts/web.social-grow.tech/fleet.nix @@ -0,0 +1 @@ +../../fleet.nix \ No newline at end of file diff --git a/hosts/web.social-grow.tech/hardware-configuration.nix b/hosts/web.social-grow.tech/hardware-configuration.nix new file mode 100644 index 0000000..faaabf2 --- /dev/null +++ b/hosts/web.social-grow.tech/hardware-configuration.nix 
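Review bot: `system.stateVersion = "22.05"` on a host this commit creates against the `nixos-24.05` channel (see the `channel` file) is inconsistent; for a fresh install the value should be the release it was installed with, and it looks copied from another host. Root access is key-only via `users.users.root.openssh.authorizedKeys.keys` with just `services.openssh.enable = true`, so also set `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` so the root account never becomes reachable with a password. `php` and `php83` are both listed in `environment.systemPackages`; unless they resolve to the same derivation they provide the same binaries and collide in the system profile. The `imports` list does not include `modules/rustdesk.nix`, `modules/victoriametrics.nix` or the module carrying the prometheus alert rules (whose file header is not visible on this page), so those files are dead configuration as committed; either import them or leave them out of the commit.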
@@ -0,0 +1,14 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ device = "nodev";
+ configurationLimit = 5;
+ };
+ fileSystems."/boot" = { device = "/dev/sda15"; fsType = "vfat"; };
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+}
diff --git a/hosts/web.social-grow.tech/modules/authelia/default.nix b/hosts/web.social-grow.tech/modules/authelia/default.nix
new file mode 100644
index 0000000..4e1fcf2
--- /dev/null
+++ b/hosts/web.social-grow.tech/modules/authelia/default.nix
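Review bot: `fileSystems."/"` and `fileSystems."/boot"` use kernel device names (`/dev/sda1`, `/dev/sda15`) rather than the `/dev/disk/by-uuid/...` paths `nixos-generate-config` emits, so the system stops booting if the disk enumerates under a different name after a hardware or driver change. Prefer the by-uuid paths reported by `blkid` for both entries.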
@@ -0,0 +1,251 @@ +{ config, lib, ... }: +let + domain = config.networking.domain; + components = lib.strings.splitString "." domain; + dcComponents = map (x: "dc=" + x) components; + ldapPath = builtins.concatStringsSep "," dcComponents; +in { + sops.secrets.authelia-jwt-secret = { + owner = "authelia-main"; + }; + sops.secrets.authelia-backend-ldap-password = { + owner = "authelia-main"; + }; + sops.secrets.authelia-storage-encryption-key = { + owner = "authelia-main"; + }; + sops.secrets.authelia-session-secret = { + owner = "authelia-main"; + }; + sops.secrets.authelia-identity-providers-oidc-hmac-secret = { + owner = "authelia-main"; + }; + sops.secrets.authelia-identity-providers-oidc-issuer-certificate-chain = { + owner = "authelia-main"; + }; + sops.secrets.authelia-identity-providers-oidc-issuer-private-key = { + owner = "authelia-main"; + }; + + services.authelia.instances.main = { + enable = true; + secrets = { + jwtSecretFile = config.sops.secrets.authelia-jwt-secret.path; + storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption-key.path; + sessionSecretFile = config.sops.secrets.authelia-session-secret.path; + oidcHmacSecretFile = config.sops.secrets.authelia-identity-providers-oidc-hmac-secret.path; + oidcIssuerPrivateKeyFile = config.sops.secrets.authelia-identity-providers-oidc-issuer-private-key.path; + }; + environmentVariables = { + "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE" = config.sops.secrets.authelia-backend-ldap-password.path; + "AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE" = config.sops.secrets.authelia-backend-ldap-password.path; + }; + settings = { + theme = "dark"; + default_redirection_url = "https://${domain}"; + + server = { + host = "127.0.0.1"; + port = 9091; + }; + + # log = { + # level = "debug"; + # format = "text"; + # }; + + authentication_backend = { + ldap = { + url = "ldaps://ldap.${domain}"; + base_dn = ldapPath; + additional_users_dn = "OU=users"; + users_filter = 
"(&({username_attribute}={input})(objectClass=person))"; + username_attribute = "mail"; + mail_attribute = "mail"; + display_name_attribute = "cn"; + additional_groups_dn = "OU=groups"; + groups_filter = "(&(member={dn})(objectClass=groupOfNames))"; + group_name_attribute = "cn"; + permit_referrals = false; + permit_unauthenticated_bind = false; + user = "cn=authelia,ou=system,ou=users,${ldapPath}"; + }; + }; + + webauthn = { + disable = false; + display_name = "Authelia"; + attestation_conveyance_preference = "indirect"; + user_verification = "preferred"; + timeout = "60s"; + }; + + totp = { + disable = false; + issuer = "auth.${domain}"; + algorithm = "sha1"; + digits = 6; + period = 30; + skew = 1; + secret_size = 32; + }; + + access_control = { + default_policy = "deny"; + rules = [ + { + domain = ["auth.${domain}"]; + policy = "bypass"; + } + { + domain = ["*.${domain}"]; + policy = "two_factor"; + } + ]; + }; + + session = { + name = "authelia_session"; + expiration = "12h"; + inactivity = "45m"; + remember_me_duration = "1M"; + domain = domain; + # todo: enable with 4.38 + # cookies = [ + # { + # domain = "${domain}"; + # } + # ]; + }; + + regulation = { + max_retries = 3; + find_time = "5m"; + ban_time = "15m"; + }; + + storage = { + # mysql = { + # host = "/run/mysqld/mysqld.sock'"; + # port = 3306; + # database = "authelia_main"; + # username = "authelia_main"; + # password = "socket_auth"; + # timeout = "5s"; + # }; + local = { + path = "/var/lib/authelia-main/db.sqlite3"; + }; + }; + + notifier = { + disable_startup_check = false; + smtp = { + host = "mail.${domain}"; + port = 25; + username = "authelia@${domain}"; + sender = "Authelia "; + }; + }; + identity_providers = { + oidc = { + ## The other portions of the mandatory OpenID Connect 1.0 configuration go here. 
+ ## See: https://www.authelia.com/c/oidc + # authorization_policies = { + # support = { + # default_policy = "deny"; + # rules = [ + # { + # policy = "two_factor"; + # subject = "group:support"; # Deny access to users of services group + # } + # { + # policy = "two_factor"; + # subject = "group:admin"; # Deny access to users of services group + # } + # ]; + # }; + # }; + clients = [ + { + id = "nextcloud"; + description = "Nextcloud"; + secret = "$pbkdf2-sha512$310000$P/kCFCL7FPwrZORA7KLIcg$HfC4qdmCJclSICHBjCltyT2Q1B4hiq.h75U1V1pfM4UbUu9kqll100I4/tdxjCBcPDePPXq8OFTQedNLsp.feA"; + public = false; + authorization_policy = "one_factor"; + redirect_uris = [ + "https://cloud.${domain}/apps/oidc_login/oidc" + ]; + pre_configured_consent_duration = "1y"; + scopes = [ + "openid" + "profile" + "email" + "groups" + ]; + userinfo_signing_algorithm = "none"; + } + ]; + }; + }; + }; + }; + services.nginx.virtualHosts."auth.${domain}" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + + locations."/api/verify" = { + proxyPass = "http://127.0.0.1:9091"; + proxyWebsockets = true; + + extraConfig = '' + allow 127.0.0.1; + allow 49.12.244.139; + allow 77.119.230.30; + deny all; + ''; + }; + + locations."/" = { + proxyPass = "http://127.0.0.1:9091"; + proxyWebsockets = true; + + extraConfig = '' + client_body_buffer_size 128k; + + #Timeout if the real server is dead + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; + + # Advanced Proxy Config + send_timeout 5m; + proxy_read_timeout 360; + proxy_send_timeout 360; + proxy_connect_timeout 360; + + # Basic Proxy Config + proxy_set_header Host $host; + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Uri $request_uri; + proxy_set_header X-Forwarded-Ssl 
on; + proxy_redirect http:// $scheme://; + proxy_set_header Connection ""; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 64 256k; + + # If behind reverse proxy, forwards the correct IP + set_real_ip_from 10.0.0.0/8; + set_real_ip_from 172.0.0.0/8; + set_real_ip_from 192.168.0.0/16; + set_real_ip_from fc00::/7; + real_ip_header X-Forwarded-For; + real_ip_recursive on; + ''; + }; + }; +} diff --git a/hosts/web.social-grow.tech/modules/authelia/secrets.yaml b/hosts/web.social-grow.tech/modules/authelia/secrets.yaml new file mode 100644 index 0000000..8b3893b --- /dev/null +++ b/hosts/web.social-grow.tech/modules/authelia/secrets.yaml 
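Review bot: `set_real_ip_from 172.0.0.0/8` in the `/` location covers far more than the private 172.16.0.0/12 range, and together with `real_ip_header X-Forwarded-For` it makes nginx replace the client address with whatever an `X-Forwarded-For` header claims whenever the connection comes from any listed range, while nothing in this commit places a proxy in front of nginx; the `X-Real-IP` and `X-Forwarded-For` headers nginx then forwards to Authelia, and hence its `regulation` bans, carry that forged address. Drop the `set_real_ip_from`/`real_ip_header` lines, or limit them to the actual proxy address, and if kept correct the range to `set_real_ip_from 172.16.0.0/12;`. `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE` is pointed at `authelia-backend-ldap-password.path`, the same file as the LDAP bind password, which looks like a copy-paste; the SMTP notifier should get its own sops secret. `sops.secrets.authelia-identity-providers-oidc-issuer-certificate-chain` is declared but never passed to `services.authelia.instances.main`, so it is decrypted to disk for nothing. `sender = "Authelia "` appears to have lost its address part, possibly in rendering, and should be checked.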
@@ -0,0 +1,45 @@ +authelia-jwt-secret: ENC[AES256_GCM,data:+4mCRAbPYeuxZwPxIWdzym9M0soVRJGZOHpBLFp1dsienOes6PcF6DhkzLwx1g/2KYQBrWq5QtNyysLkl32mNg==,iv:3354Ww7D1fQAVZh8xlJo3W9VaLTC6sUxXpNzwFYGZPg=,tag:NjPuHi4R+I3CJ09ZbV1Cbw==,type:str] +authelia-backend-ldap-password: ENC[AES256_GCM,data:AJ5/lQxxQ0PjPpja4Lm7Qbn4rrZ/fapFeTO9nXsXpYC7cSgPDmGL4LG6QTFrgHpJU4FGEyFhWUYf/BZvHFLA2A==,iv:/w3SlYC74vSV/hkOdp2wb50beSTaokQC9C1ogs82nxo=,tag:b5M78WOUgHcydoJTKiAAOQ==,type:str] +authelia-storage-encryption-key: ENC[AES256_GCM,data:I3ek+p0faJUUjS3ULeeLzsrsl03MKlHwrC+R3IqrJ2P9AbJmMBvvXnqLx2H2THkjGiqN3kLgrhnmInn+BnCgYg==,iv:EiZpXbkyC3tbdzcp20hV6ctAJdB9tlgxT3gI7wiqSZc=,tag:qqG02RJAizr2jlGV0JnStA==,type:str] +authelia-session-secret: ENC[AES256_GCM,data:+hljRSv4nABWg+vEOhYM27h9Gu1FCqcWWa51VqlN1r8AE79S78Uq2txWL7bZKql/fxmaguTLwk18xkHIAvIEsA==,iv:RoytV5jWIUDq6olp8rWAc0NRC4f1FLL43EpTzcXZ3eg=,tag:vIvDVRSqlVt/W/52vuDDZA==,type:str] +authelia-identity-providers-oidc-hmac-secret: ENC[AES256_GCM,data:yyqauvp+/8ufhCaZ1o0DWn4Nx1rdTW8C1HRVAtyCRuBaQA/yFVmZkwFVbnIDC3TrmuEMc2MXzVCREbdDsEqkGm6LJAB4Eq31NyhhbAtKufeqKHhMgEF4d41K71V//FJn2/ZBY6CaR1Ke0rX3p/Rpwk0rwddikkUmdJ7i7w9ayP8=,iv:ONBU0uWEUeQxQCGmHtGOySuLmTnJlAx//lQcK32i1Gs=,tag:Tk2BbYZSqbJRc/2cj8yxHQ==,type:str] +authelia-identity-providers-oidc-issuer-certificate-chain: ENC[AES256_GCM,data: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,iv:jhnNkcLXN3pHx6S8g78+R6X+ckhOF35QK615zcH2gqI=,tag:JSHDo9nbBbhpiQFSrLuDdg==,type:str] +authelia-identity-providers-oidc-issuer-private-key: ENC[AES256_GCM,data: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,iv:PWdVLhu0BPx7sXMzow9wl+cqDXD2Y5J5lfVSX3tNCMg=,tag:P4vHogedMdAUeIh4XHlmdw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHWkRuWXdaQ1RUbkF1d2p0 + 
elZkbnFVSW9tVjdqSHFvbjFiL202cW1tWjJ3ClpDUEFIMDFteFA1QTdTVmtVWHI0 + OFRuU1Fockh4aTBwa3l3ZjdiMFFYSm8KLS0tIGdCZjZNVXNVZWV3ZlJzY3ZyZXhr + WFp1eVZna1VWUUZuTVY4Q2h2c0Y2ZDAKcglSV3UBoZ65+SsM+zRFJmjIH61jXbT0 + rpeJ8/0i4THmVpbZY+NOIh2zECmzBkAA06jv0jMoftL40h2wsdgncg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBna282T2hYcDl4UWFISDVL + eE42MjVxZndUVEU5bjJwUzdHU2xHNXVNRW13CmZwUmdCWDFNVmdDbktwOXBIbzNZ + eGgrZHQwMEdRSG11aWpoSllrcjBBY2cKLS0tIFBZRUdYVUhsbFZYV0w5T3RYc0Ez + RDJZcjA4VFNadEZCUmpOVWRBdGNKMzQKhhQCbeRxDvhFVsF3G+OoXo4i+koqqgrV + o/esYoxA1ZNsS9mhFbfMw1C2YO43iPtaWChAO5zUABDALD6dJ1Rf1A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZUJuMnNwTGpSdVA4UXV5 + bkdGTWJsRjliMGJWcXBKekc3WDZiN0FWV0MwCmZIVld4M0xaWWhmUDVqSGcwbGpz + S0kzQy9scDRObS82WkMzYUw2dVBaWXMKLS0tIGpkeFZqdXIrY0lFdUgwekNJeDN4 + eFhnWGdoTzdyZmtjZDJBc3FveTRaN0EKBj2hSr6qDxwW+k5hox47P5uyoHQAzCjH + +TplhMUd5p8/ud3U4lixLezGu1qftVSKtz/4SAXrSC5DYZJF1w7tDQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-08-17T01:43:14Z" + mac: ENC[AES256_GCM,data:zcCKk+VAddbb4vZltdC6hKPAnoo4rvcLcmIsKATQekbVo9OUk5Q5JnxglgAxXyj/YMZ7tIY/IXoWdSW4Kw673vthVnWpGLnuHtXJFGslkQ+GEkIt0z/oepr33gXErsEolZ3rIx02CVsIK5tb38ol0DhAe+6dUihsi23HruMJNog=,iv:2RVGRBTgqR9YLrRpoxuN72NOcXvRlZVTaPNiU7l75w0=,tag:lr4/sBBE9F27II289OWUNQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/hosts/web.social-grow.tech/modules/collabora.nix b/hosts/web.social-grow.tech/modules/collabora.nix new file mode 100644 index 0000000..e15f8e9 --- /dev/null +++ b/hosts/web.social-grow.tech/modules/collabora.nix 
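Review bot: None of the three `age` recipients in this file is the `web-social-grow-tech` key added to `.sops.yaml` in this commit, so the new host cannot decrypt it, and `modules/authelia/default.nix` declares its secrets without a `sopsFile`, i.e. against `sops.defaultSopsFile`, which `configuration.nix` sets to the host-level `secrets.yaml` that already carries the same `authelia-*` keys. The file therefore looks like a copy from another host that nothing reads; either drop it, or point the module at it via `sops.secrets.<name>.sopsFile` and re-encrypt it for the host key with `sops updatekeys`.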
@@ -0,0 +1,68 @@
+{ config, ... }:
+let
+ domain = config.networking.domain;
+in {
+ #Collabora Containers
+ virtualisation.oci-containers.containers.collabora = {
+ image = "docker.io/collabora/code:latest";
+ ports = [ "9980:9980/tcp" ];
+ environment = {
+ server_name = "code.${domain}";
+ aliasgroup1 = "https://cloud.${domain}:443";
+ dictionaries = "en_US";
+ extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
+ };
+ extraOptions = [
+ "--pull=newer"
+ ];
+ };
+
+ services.nginx.virtualHosts.${config.virtualisation.oci-containers.containers.collabora.environment.server_name} = {
+ enableACME = true;
+ forceSSL = true;
+
+ extraConfig = ''
+ # static files
+ location ^~ /browser {
+ proxy_pass http://127.0.0.1:9980;
+ proxy_set_header Host $host;
+ }
+
+ # WOPI discovery URL
+ location ^~ /hosting/discovery {
+ proxy_pass http://127.0.0.1:9980;
+ proxy_set_header Host $host;
+ }
+
+ # Capabilities
+ location ^~ /hosting/capabilities {
+ proxy_pass http://127.0.0.1:9980;
+ proxy_set_header Host $host;
+ }
+
+ # main websocket
+ location ~ ^/cool/(.*)/ws$ {
+ proxy_pass http://127.0.0.1:9980;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ proxy_read_timeout 36000s;
+ }
+
+ # download, presentation and image upload
+ location ~ ^/(c|l)ool {
+ proxy_pass http://127.0.0.1:9980;
+ proxy_set_header Host $host;
+ }
+
+ # Admin Console websocket
+ location ^~ /cool/adminws {
+ proxy_pass http://127.0.0.1:9980;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ proxy_read_timeout 36000s;
+ }
+ '';
+ };
+}
diff --git a/hosts/web.social-grow.tech/modules/mysql.nix b/hosts/web.social-grow.tech/modules/mysql.nix
new file mode 100644
index 0000000..23b8159
--- /dev/null
+++ b/hosts/web.social-grow.tech/modules/mysql.nix
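Review bot: `ports = [ "9980:9980/tcp" ]` publishes the container port on every interface, while the only consumer in this module is the nginx proxy talking to `http://127.0.0.1:9980`; bind it to loopback with `ports = [ "127.0.0.1:9980:9980/tcp" ];` so exposure does not depend solely on `networking.firewall`, which container backends commonly bypass with their own NAT rules. `image = "docker.io/collabora/code:latest"` combined with `--pull=newer` means any container restart may pull whatever upstream last published; pin a version tag or a digest so updates are deliberate and reproducible.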
@@ -0,0 +1,80 @@ +{ pkgs, ... }: + +let + mysqlCreateDatabase = pkgs.writeShellScriptBin "mysql-create-database" '' + #!/usr/bin/env bash + if [ $# -lt 2 ] + then + echo "Usage: $0 " + exit 1 + fi + + if ! [ $EUID -eq 0 ] + then + echo "Must be root!" >&2 + exit 1 + fi + + DB="$1" + HOST="$2" + PASSWORD="$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 64 | xargs)" + + cat <" + exit 1 + fi + + if ! [ $EUID -eq 0 ] + then + echo "Must be root!" >&2 + exit 1 + fi + + DB="$1" + PASSWORD="$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 64 | xargs)" + + cat <= node_filefd_maximum + FOR 20m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}} is running out of available file descriptors in 3 hours.", + description = "{{$labels.alias}} is running out of available file descriptors in approx. 3 hours" + } + ALERT node_load1_90percent + IF node_load1 / on(alias) count(node_cpu{mode="system"}) by (alias) >= 0.9 + FOR 1h + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Running on high load.", + description = "{{$labels.alias}} is running with > 90% total load for at least 1h." + } + ALERT node_cpu_util_90percent + IF 100 - (avg by (alias) (irate(node_cpu{mode="idle"}[5m])) * 100) >= 90 + FOR 1h + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: High CPU utilization.", + description = "{{$labels.alias}} has total CPU utilization over 90% for at least 1h." 
+ } + ALERT node_ram_using_90percent + IF node_memory_MemFree + node_memory_Buffers + node_memory_Cached < node_memory_MemTotal * 0.1 + FOR 30m + LABELS { + severity="page" + } + ANNOTATIONS { + summary="{{$labels.alias}}: Using lots of RAM.", + description="{{$labels.alias}} is using at least 90% of its RAM for at least 30 minutes now.", + } + ALERT node_swap_using_80percent + IF node_memory_SwapTotal - (node_memory_SwapFree + node_memory_SwapCached) > node_memory_SwapTotal * 0.8 + FOR 10m + LABELS { + severity="page" + } + ANNOTATIONS { + summary="{{$labels.alias}}: Running out of swap soon.", + description="{{$labels.alias}} is using 80% of its swap space for at least 10 minutes now." + } + ALERT homeassistant = { + IF homeassistant_entity_available{domain="persistent_notification", entity!~"persistent_notification.http_login|persistent_notification.recorder_database_migration"} >= 0 + ANNOTATIONS { + description="homeassistant notification {{$labels.entity}} ({{$labels.friendly_name}}): {{$value}}" + } + + ALERT gitea + IF rate(promhttp_metric_handler_requests_total{job="gitea", code="500"}[5m]) > 3 + ANNOTATIONS { + description="{{$labels.instance}}: gitea instances error rate went up: {{$value}} errors in 5 minutes" + } + '' + ]; + scrapeConfigs = [ + { + job_name = "telegraf"; + scrape_interval = "60s"; + metrics_path = "/metrics"; + static_configs = [ + { + targets = [ + "web-01.cloonar.com:9273" + ]; + labels.host = "web-01.cloonar.com"; + } + { + targets = [ + "web-arm.cloonar.com:9273" + ]; + labels.host = "web-arm.cloonar.com"; + } + { + targets = [ + "fw.cloonar.com:9273" + ]; + labels.host = "fw.cloonar.com"; + } + { + targets = [ + "mail.cloonar.com:9273" + ]; + labels.host = "mail.cloonar.com"; + } + { + targets = [ + "git.cloonar.com:9273" + ]; + labels.host = "git.cloonar.com"; + } + { + targets = [ + "home-assistant.cloonar.com:9273" + ]; + labels.host = "home-assistant.cloonar.com"; + } + { + targets = map (host: "${host}.cloonar.com:9273") [ + 
"web-01" + "web-arm" + "fw" + "mail" + "git" + "home-assistant" + ]; + + labels.org = "cloonar"; + } + ]; + } + { + job_name = "homeassistant"; + scrape_interval = "60s"; + metrics_path = "/api/prometheus"; + + authorization.credentials_file = config.sops.secrets.hass-token.path; + + scheme = "https"; + static_configs = [ + { + targets = [ + "home-assistant.cloonar.com:443" + ]; + } + ]; + } + { + job_name = "gitea"; + scrape_interval = "60s"; + metrics_path = "/metrics"; + + scheme = "https"; + static_configs = [ + { + targets = [ + "git.cloonar.com:443" + ]; + } + ]; + } + ]; + }; + # services.prometheus.alertmanager = { + # enable = true; + # environmentFile = config.sops.secrets.alertmanager.path; + # webExternalUrl = "https://alertmanager.cloonar.com"; + # listenAddress = "[::1]"; + # configuration = { + # global = { + # # The smarthost and SMTP sender used for mail notifications. + # smtp_smarthost = "mail.cloonar.com:587"; + # smtp_from = "alertmanager@cloonar.com"; + # smtp_auth_username = "alertmanager@cloonar.com"; + # smtp_auth_password = "$SMTP_PASSWORD"; + # }; + # route = { + # receiver = "default"; + # routes = [ + # { + # group_by = [ "host" ]; + # match_re.org = "krebs"; + # group_wait = "5m"; + # group_interval = "5m"; + # repeat_interval = "4h"; + # receiver = "krebs"; + # } + # { + # group_by = [ "host" ]; + # match_re.org = "nix-community"; + # group_wait = "5m"; + # group_interval = "5m"; + # repeat_interval = "4h"; + # receiver = "nix-community"; + # } + # { + # group_by = [ "host" ]; + # match_re.org = "clan-lol"; + # group_wait = "5m"; + # group_interval = "5m"; + # repeat_interval = "4h"; + # receiver = "clan-lol"; + # } + # { + # group_by = [ "host" ]; + # group_wait = "30s"; + # group_interval = "2m"; + # repeat_interval = "2h"; + # receiver = "all"; + # } + # ]; + # }; + # receivers = [ + # { + # name = "krebs"; + # webhook_configs = [ + # { + # url = "http://127.0.0.1:9223/"; + # max_alerts = 5; + # } + # ]; + # } + # #{ + # # name = 
"numtide"; + # # slack_configs = [ + # # { + # # token = "$SLACK_TOKEN"; + # # api_url = "https://"; + # # } + # # ]; + # #} + # { + # name = "nix-community"; + # webhook_configs = [ + # { + # url = "http://localhost:9088/alert"; + # max_alerts = 5; + # } + # ]; + # } + # { + # name = "clan-lol"; + # webhook_configs = [ + # # TODO + # #{ + # # url = "http://localhost:4050/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U"; + # # max_alerts = 5; + # #} + # ]; + # } + # { + # name = "all"; + # pushover_configs = [ + # { + # user_key = "$PUSHOVER_USER_KEY"; + # token = "$PUSHOVER_TOKEN"; + # priority = "0"; + # } + # ]; + # } + # { + # name = "default"; + # } + # ]; + # }; + # }; + +} diff --git a/hosts/web.social-grow.tech/modules/rustdesk.nix b/hosts/web.social-grow.tech/modules/rustdesk.nix new file mode 100644 index 0000000..047aa1b --- /dev/null +++ b/hosts/web.social-grow.tech/modules/rustdesk.nix @@ -0,0 +1,39 @@ +{ config, pkgs, ... }: + +{ + virtualisation = { + podman.enable = true; + oci-containers.containers = { + rustdesk-server = { + image = "rustdesk/rustdesk-server-s6:1"; + volumes = [ "/var/lib/rustdesk-server:/data" ]; + environment = { + RELAY = "rustdesk.cloonar.com:21117"; + }; + ports = [ + "21115:21115" + "21116:21116" + "21116:21116/udp" + "21118:21118" + "21117:21117" + "21119:21119" + ]; + }; + }; + }; + + users.users.rustdesk-server = { + isSystemUser = true; + group = "rustdesk-server"; + home = "/var/lib/rustdesk-server"; + createHome = true; + }; + users.groups.rustdesk-server = { }; + users.groups.docker.members = [ "rustdesk-server" ]; + + networking.firewall = { + enable = true; + allowedTCPPorts = [ 5000 21115 21116 21117 21118 21119 ]; + allowedUDPPorts = [ 21116 ]; + }; +} diff --git a/hosts/web.social-grow.tech/modules/victoriametrics.nix b/hosts/web.social-grow.tech/modules/victoriametrics.nix new file mode 100644 index 0000000..a2788e7 --- /dev/null +++ b/hosts/web.social-grow.tech/modules/victoriametrics.nix 
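Review bot: `users.groups.docker.members = [ "rustdesk-server" ]` puts a user that nothing else in this module references into the docker group, which is root-equivalent wherever the docker daemon runs, while the backend enabled here is `podman`; drop that line, and the unused `rustdesk-server` user and group, unless a rootless-podman setup is intended. `allowedTCPPorts` opens 5000, which no port mapping in the module uses, and `RELAY = "rustdesk.cloonar.com:21117"` points at a different domain than this host's, so the file looks copied from another host. `image = "rustdesk/rustdesk-server-s6:1"` is a floating major tag; consider pinning it. The file is also not in the `imports` of `configuration.nix` in this commit, so it has no effect as committed.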
@@ -0,0 +1,43 @@
+{ config, ... }:
+let
+ configure_prom = builtins.toFile "prometheus.yml" ''
+ scrape_configs:
+ - job_name: 'server'
+ stream_parse: true
+ static_configs:
+ - targets:
+ - ${config.networking.hostName}:9100
+ '';
+in {
+ services.prometheus.exporters.node.enable = true;
+
+ sops.secrets.victoria-nginx-password.owner = "nginx";
+
+ services.victoriametrics = {
+ enable = true;
+ extraOptions = [
+ "-promscrape.config=${configure_prom}"
+ ];
+ };
+
+ services.nginx.virtualHosts."victoria-server.cloonar.com" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ locations."/" = {
+ proxyWebsockets = true;
+ extraConfig = ''
+ auth_basic "Victoria password";
+ auth_basic_user_file ${config.sops.secrets.victoria-nginx-password.path};
+
+ proxy_read_timeout 1800s;
+ proxy_redirect off;
+ proxy_connect_timeout 1600s;
+
+ access_log off;
+ proxy_pass http://127.0.0.1:8428;
+ '';
+ };
+ };
+
+}
diff --git a/hosts/web.social-grow.tech/modules/web/stack.nix b/hosts/web.social-grow.tech/modules/web/stack.nix
new file mode 100644
index 0000000..e588cf3
--- /dev/null
+++ b/hosts/web.social-grow.tech/modules/web/stack.nix
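Review bot: `services.prometheus.exporters.node.enable = true` leaves the exporter on its default listen address on all interfaces, although the only scraper here is the local VictoriaMetrics instance; set `services.prometheus.exporters.node.listenAddress = "127.0.0.1";` and scrape `127.0.0.1:9100` instead of `${config.networking.hostName}:9100`, which also removes the dependency on the bare hostname resolving. The vhost `victoria-server.cloonar.com` is on a different domain than this host's `social-grow.tech`, and the file is not listed in the `imports` of `configuration.nix` in this commit, so it looks like a copy from another host that is currently inactive.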
@@ -0,0 +1,328 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.webstack; + + instanceOpts = { name, ... }: + { + options = { + user = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc '' + User of the typo3 instance. Defaults to attribute name in instances. + ''; + example = "example.org"; + }; + + domain = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc '' + Domain of the typo3 instance. Defaults to attribute name in instances. + ''; + example = "example.org"; + }; + + domainAliases = mkOption { + type = types.listOf types.str; + default = []; + example = [ "www.example.org" "example.org" ]; + description = lib.mdDoc '' + Additional domains served by this typo3 instance. + ''; + }; + + phpPackage = mkOption { + type = types.package; + example = literalExpression "pkgs.php"; + description = lib.mdDoc '' + Which PHP package to use in this typo3 instance. + ''; + }; + + phpOptions = mkOption { + type = types.lines; + default = ""; + description = '' + "Options appended to the PHP configuration file {file}`php.ini` used for this PHP-FPM pool." + ''; + }; + + enableMysql = mkEnableOption (lib.mdDoc "MySQL Database"); + enableDefaultLocations = mkEnableOption (lib.mdDoc "Create default nginx location directives") // { default = true; }; + + authorizedKeys = mkOption { + type = types.listOf types.str; + default = null; + description = lib.mdDoc '' + Authorized keys for the typo3 instance ssh user. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = '' + if (!-e $request_filename) { + rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last; + } + ''; + description = lib.mdDoc '' + These lines go to the end of the vhost verbatim. 
+ ''; + }; + + locations = mkOption { + type = types.attrsOf (types.submodule (import { + inherit lib config; + })); + default = {}; + example = literalExpression '' + { + "/" = { + proxyPass = "http://localhost:3000"; + }; + }; + ''; + description = lib.mdDoc "Declarative location config"; + }; + + }; + }; +in + +{ + options.services.webstack = { + dataDir = mkOption { + type = types.path; + default = "/var/www"; + description = lib.mdDoc '' + The data directory for MySQL. + + ::: {.note} + If left as the default value of `/var/www` this directory will automatically be created before the web + server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions. + ::: + ''; + }; + + instances = mkOption { + type = types.attrsOf (types.submodule instanceOpts); + default = {}; + description = lib.mdDoc "Create vhosts for typo3"; + example = literalExpression '' + { + "typo3.example.com" = { + domain = "example.com"; + domainAliases = [ "www.example.com" ]; + phpPackage = pkgs.php81; + authorizedKeys = [ + "ssh-rsa AZA==" + ]; + }; + }; + ''; + }; + }; + + config = { + systemd.services = mapAttrs' (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + in + nameValuePair "phpfpm-${domain}" { + serviceConfig = { + ProtectHome = lib.mkForce "tmpfs"; + BindPaths = "BindPaths=/var/www/${domain}:/var/www/${domain}"; + }; + } + ) cfg.instances; + + services.phpfpm.pools = mapAttrs' (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." 
"-"] ["_" "_"] domain; + in + nameValuePair domain { + user = user; + settings = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.max_requests" = 500; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 5; + "php_admin_value[error_log]" = "syslog"; + "php_admin_value[max_execution_time]" = 240; + "php_admin_value[max_input_vars]" = 1500; + "access.log" = "/var/log/$pool.access.log"; + }; + phpOptions = instanceOpts.phpOptions; + phpPackage = instanceOpts.phpPackage; + phpEnv."PATH" = pkgs.lib.makeBinPath [ instanceOpts.phpPackage ]; + } + ) cfg.instances; + + }; + + + config.services.nginx.virtualHosts = mapAttrs' (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." "-"] ["_" "_"] domain; + in + nameValuePair domain { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = cfg.dataDir + "/" + domain + "/public"; + + locations = lib.mkMerge [ + instanceOpts.locations + (mkIf instanceOpts.enableDefaultLocations { + "/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + + # Cache.appcache, your document html and data + "~* \\.(?:manifest|appcache|html?|xml|json)$".extraConfig = '' + expires -1; + # access_log logs/static.log; # I don't usually include a static log + ''; + + "~* \\.(jpe?g|png)$".extraConfig = '' + set $red Z; + + if ($http_accept ~* "webp") { + set $red A; + } + + if (-f $document_root/webp/$request_uri.webp) { + set $red "''${red}B"; + } + + if ($red = "AB") { + add_header Vary Accept; + rewrite ^ /webp/$request_uri.webp; + } + ''; + + # Cache Media: images, icons, video, audio, HTC + "~* \\.(?:jpg|jpeg|gif|png|webp|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|woff2)$".extraConfig = '' + expires 1y; + access_log off; + add_header Cache-Control "public"; + ''; + + # Feed + "~* 
\\.(?:rss|atom)$".extraConfig = '' + expires 1h; + add_header Cache-Control "public"; + ''; + + # Cache CSS, Javascript, Images, Icons, Video, Audio, HTC, Fonts + "~* \\.(?:css|js|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|woff2)$".extraConfig = '' + expires 1y; + access_log off; + add_header Cache-Control "public"; + ''; + + "/".extraConfig = '' + index index.php index.html; + try_files $uri $uri/ /index.php$is_args$args; + ''; + }) + { + "~ [^/]\\.php(/|$)".extraConfig = '' + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_buffer_size 32k; + fastcgi_buffers 8 16k; + fastcgi_connect_timeout 240s; + fastcgi_read_timeout 240s; + fastcgi_send_timeout 240s; + fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket}; + fastcgi_index index.php; + ''; + } + ]; + + extraConfig = instanceOpts.extraConfig; + + + # locations = mapAttrs' (location: locationOpts: + # nameValuePair location locationOpts) instanceOpts.locations; + + } + ) cfg.instances; + + config.users.users = mapAttrs' (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." "-"] ["_" "_"] domain; + in + nameValuePair user { + isNormalUser = true; + createHome = true; + home = "/var/www/" + domain; + homeMode= "770"; + group = config.services.nginx.group; + openssh.authorizedKeys.keys = instanceOpts.authorizedKeys; + } + ) cfg.instances; +config.users.groups = mapAttrs' (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." 
"-"] ["_" "_"] domain; + in nameValuePair user {}) cfg.instances; + + config.services.mysql.ensureUsers = mapAttrsToList (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." "-"] ["_" "_"] domain; + in + mkIf instanceOpts.enableMysql { + name = user; + ensurePermissions = { + "${user}.*" = "ALL PRIVILEGES"; + }; + }) cfg.instances; + + config.services.mysql.ensureDatabases = mapAttrsToList (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." "-"] ["_" "_"] domain; + in + mkIf instanceOpts.enableMysql user + ) cfg.instances; + config.services.mysqlBackup.databases = mapAttrsToList (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." "-"] ["_" "_"] domain; + in + mkIf instanceOpts.enableMysql user + ) cfg.instances; +} + diff --git a/hosts/web.social-grow.tech/secrets.yaml b/hosts/web.social-grow.tech/secrets.yaml new file mode 100644 index 0000000..0ede01b --- /dev/null +++ b/hosts/web.social-grow.tech/secrets.yaml 
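Review bot: `instanceOps.user` is referenced in the `user` binding of every `let` in this file (phpfpm pools, nginx vhosts, users, groups, mysql `ensureUsers`, `ensureDatabases`, `mysqlBackup`) but the lambda parameter is named `instanceOpts`; as far as I can tell Nix resolves variables when the file is parsed, so this fails with an undefined-variable error regardless of whether any instance sets `user`. Each occurrence of `then instanceOps.user` should read `then instanceOpts.user`, and since the `domain`/`user` derivation is repeated seven times it belongs in one helper in the outer `let`. `authorizedKeys` has `default = null` with `type = types.listOf types.str`, which the module system rejects whenever an instance omits the key; use `default = [];`. `BindPaths = "BindPaths=/var/www/${domain}:/var/www/${domain}"` embeds the option name in its value and hard-codes `/var/www` where `root` uses `cfg.dataDir`; it should be `BindPaths = "${cfg.dataDir}/${domain}:${cfg.dataDir}/${domain}";`. The `dataDir` description says "The data directory for MySQL", which does not match what the option is used for.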
@@ -0,0 +1,60 @@ +borg-passphrase: ENC[AES256_GCM,data:CnaF4M/fSHNrNUJ7LwZRVp+RpUWpE2Pr1t9edCvkQ8c+ParvFgAcGQOGTpLtAbunUaPZCH2I32qhwgoABVr5TQ==,iv:ZII4SoivJEVHBD5iEHom7MbjeSDqgFUnNNr2T2UGL74=,tag:+O2B+pYl369y+MExxLL20Q==,type:str] +borg-ssh-key: ENC[AES256_GCM,data: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,iv:PHVop1XIKvPrhlAt2Kk+NrhQWw0qmkF2wDydwyu6s88=,tag:7vm+Fzf/FyZODCccEgfgXg==,type:str] +authelia-jwt-secret: ENC[AES256_GCM,data:txm7218ZPwx14WHvULbT0Wwb/41Zu/uEM7NyNlZPBrp6ahn7cW4DRhV2i3NAQ8pw796mMCsfpDHH2na9uOBmSQ==,iv:f0XCDp+qnS9oU8LiILScVUmUpyj8wDIZYh8ZphtsmqY=,tag:4rHEiAiMurd5yKvnCXnWbA==,type:str] +authelia-backend-ldap-password: ENC[AES256_GCM,data:HmPF/BgTH36H0tMry0E0q5YNevsmQc4GnAaHj+D4wScVtoR/6Y/j0XavaLy5VYsVLoNtMX3dJ6UZQ8ECmEkVGQ==,iv:w0p22wo7hgXXpqIV+UqM1+8S4v34Wf2aBPLA68MMrVQ=,tag:QXUbz7kqdL4XhOMfq+6xUw==,type:str] +authelia-storage-encryption-key: ENC[AES256_GCM,data:pYhnvNK8yzX97zLQ9sbNMDsICjOZYmunYwb4zIKv+mgMMqZwMtPEnzz42xZEYo0xxoSrXwrr3eqG1dB7isgP+vP7rQF9pbjnVIDOw+vwlDyvnkB2S9+/oeCf7g0FOtLolwV3febdo+0dO2nHIdD4oBAUrhUq64vsft8P3QCkAWc=,iv:Eu28tFG1i/Qj/GtW7EXzqeFPwawxthrc74xqSvpkGHw=,tag:ZK8zbTdyakHddHqorcZ4nQ==,type:str] +authelia-session-secret: ENC[AES256_GCM,data:6AhdM13jdD3eEOTdztm8TLBpgqfl4b9R9fvz52wkgIONHRNswuXxRRATlgWS0IFbkWO9O/RC/+dhMUd36R78bNRIdyx33Rsj7g9JOkdLldJe3ofLtn4IL2bsNwHc+9cF5J4VCYSqo4q33FSkqGOpVyf8sQxuWKC6gC5UUqkG7P4=,iv:GqZhovL5eAVYDM/nM2eKcRBamw/E60nIHnT4muJQ1b4=,tag:OZQjy8GGzgkTMR2aqJZlyw==,type:str] +authelia-identity-providers-oidc-hmac-secret: ENC[AES256_GCM,data:ljswWCWEemDzFugrt2wZikqmSE7+tTbGiMzfN8rufd0ec/AsZq3CoHNuCcLpBT99/PlUts32XPY0GLvbq4i7vA==,iv:h2RZs4AyrHCnxybe/MNZHRGXHmLvrTFy8J15CUdjpXE=,tag:JbPSKt5YNfnRgd2NKm1rWA==,type:str] +authelia-identity-providers-oidc-issuer-certificate-chain: 
ENC[AES256_GCM,data:lgECf58ywXRdOjd7nka357tr0LImBTgPrtTfaSfA17sxTHsoo9yi8ViIpGlWt0IvFsoflau5J9/9UZRqkSFxURyIrbIhOdGLEJdXb6Cf5BkFP4uS6qxOC6zmOiaftW+iev6pvrqfVbF9Mf+F+g6Gz5U1bSL7nxJRuLsglGChZXA1TWIAX/C4Xz0hrd/cfanu7fZxll/aaPRktf58/bia3k8VPosp0Dion1va3/wkF6/eb6mxtsp7KK6IxdjyN5VebduwanwNQqDFq/gxwUqBDE1EYmldQRx7kHy7zZZ/c05K6k3RcUgCZZ4M/N5/juVQq/SQhj/SVim1Kf5944c5z9z5LmtIrXstxE+XR0mqY7gRjUBv7dxI1jvBKe+9z8ess21PR8cNu8gvi6yZwRo8pUQN8L9bhohVxRDq1dzcxeKWY8Fj2tgdUsLPTqUHTBA1w2x6ig4E2YmZ4rRBrt5mJQyJKN2WMr4HwI7koye904rB4KLhqW5LV5ZrtR6ccJodcBEwOMlwu+xLajrAOGlBV3CJTFRVyTnY9cOj9e4DRHCRezr7rR5+2tztsXpyGD2yU8kLREal30Z0hHaXQD3rrd1PsK2vt/hL3cYL5anheQawE9CWLU1liO/lYBGY9UThpNRxgxUsOJRfvF6pL7nU3kHa8La5Mmf4v/ivJqrMeFpoFyD53ayfC2NPKUd+OlWABN0XUaN3GMEi0cJIK6hC1xk1KdEHito5Cw5NDSm8NowAV4UztdXIZB504PMH0lP4+1wFR1bfMv0g9rj+dwIJ2tieI2eyC5n14yacvLRbqLvkWnBm3t4ec/pWnsjgHPXr60KIxY/2BCh1b/gsjcxD56GVyjFbNF6ZkY+MlLXp7Ki1QE071bunYgUXAJQOPqV57efzdplc8h2Rcsp/bHJoiKxTldpA24sE4usGlYVMXsEKQ2IBjLz2bXG7zwFORcYR3Kc3SNfcgq3nmNeMMQWKOGBwuCZIsyBPGpKK4316sg3ZOI4UnDb7jZTnc6Z9dqoHntp8Ry+R3uUgyaD8LMCLLqA1DQk+OvSCoEcRcUeMu9aqCbIYNPswKyHMJF+qw9G7ZJWGEkvR3/SnBXplgZXYom+Wd9Pd+8OhmpD3p9H9rmUIIAnp7XWdOEMT1uwvcV6tqzkykBfIiH2qMwMg+L20jl4vkGPKK3jS4RNb9wpvb9oIte5C7b2EBz8KBdWRyZwzkltvSBN/cLLcLdVWpeGgUdGsSiKGs3Y5o1xR/3xCHzidHi39BE7BIWrBgfbAmzVPOyQ20Tv9yfzkTTPQ3HFXgRIh4itfS6+HyngnAVKKyxUt+dRHdG9lNwxIBw69ubfJVhga4qYpNnJpVouq1TYfBic636lCWbkN+g1TtLtCBSbOKIKJ8DfsJxRohTjX1rPX7GUGpd6dDAfAXAaV3R+jm/kK48qWuuXGFUHcdmgeuGIVi/Bx8eGh9x8gYSaDTSuiNMSvKvsMhS8vOXqHYgnlLUmbQ2/OJmEooDP4ZJghAof42zqg3QnTUck17OmWwOCCj2NA74mes1f+/t6PuSJmUKmpQWZcff6ur2hwWBAACuQMt6r2SyfVFRuiEVUvac7jUKmmsZxnY5F978FnB80XB+y1BTNlXJ1xDDNtBe+PAdeWt1rLvO2iKUTX/wuvS7Sh7Bq1rhen8OWAx0pFcqPzMOormNA9k/srHbf17kFic9+3Jvp0WbwTEMFckWcuyATtPRAD/VO3sUGsG2fUe936CEa2gBdqVGvXlsCsG81owQjmplkeZ9pQKXHyGq/bXpN5TQTnCke3NYKUwzHxjKgUcf2y98or4xbIxDJoT6hQ/E4ezSA6qw+YfpbTh+vDB8C5ysGDhq8QNyoAg7qAqEWkvvY1ovA/TFNyDq7RcIHjfQKBh0QBIt8XoPEnTU8sXCKHXaoQNAA3QxhMI2eGDO10Wyuiepsvr69xNoXBNFvB/v0dLa55405LPWo4UD7G
gjeXpo2vhSsB7FoyAaUczOb9kIDaXedtG7Om8yI45BX8PmlBJQTujY9ZBeI8YeZTGf/3iOSa/tCvherAD2hveUqMCynNcoMT8Ir6xBqUpn8uKFuZGsHaq4fmHTFepmZdUM5S/Hic584SZaF/uut7Uo4nY3BctSg71aTtIjO3sJZ1mAF995KvhN3dTGbnYgCmjRMwAeMiAKYQa2el2lTi2cpf7Fk5J7bQT/Fao2nWfvdlpKC8y4ICWVwsWWHvSRFFzjeqgkF+gwfYsqpWV6d0uxwOyDxJhva83NNYkR+8a+fu6DcQU+rWvonun/iqCvQLvo+0ZcNeGhwhSPwqyHtOps7ozn2tjq6+ORtzw9K4GPwZAxW5RJLL0YALhqIbrRkYhFQE0JQ2cm5/nwIHW+yHVxn45AkK2lKBgdnnT4TtvodMGwiVi6jxg6gmgUgCpkHEGl4ktZ0jNo3Ru2e0DK3jzOb82F4ZTF/Xxc8xA+oFLX49IfOt4h5SvvPFbhQ9RchZ12/cfBaOYJYAINr/B3BJpf7plWgHY9sP6u8pffhZ4aUhCKQagRVAoZmzdd9t1Y9413lm9Bn/KCE67kbdwEzraK1xW/hcVA==,iv:n0ybHvyZCIDufdJ6VDT+0txXqFKEJg8BX3LvoBvkpmU=,tag:Pdy+Gl2177yVkXNwoLCmzw==,type:str] +authelia-identity-providers-oidc-issuer-private-key: ENC[AES256_GCM,data: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,iv:ybaZfw0o4MYwUn+QZCydeJtrEgwCC5/hKm/MTqJ1ny4=,tag:bNxCYKTtrBTxb/REaCwZJg==,type:str] +nextcloud-ldap-password: ENC[AES256_GCM,data:PTURzI/Nu23LZo/ICxFRNURPD4oZwT0150CYs98KQ4GAAVzycboIocUXr8WRiu3O8/+kZkHO/7QV9Pa//i2ipw==,iv:4rW/SDZ+4LkTa2auVGvXHGQXPqHJmUStZoLlI+yFUdk=,tag:TQSDoxzvD036M6z91w9YDw==,type:str] +nextcloud-adminpass: ENC[AES256_GCM,data:4j80ZLynFjJDy9egCPZUbusPhlsi1iTCpN6+EeBoA8ph3wQRaRzolqRnrgrvpsr2HEAfLEf6ErmLlMdT8jQGiQ==,iv:oQjyxf0EDwzLhgIujpnxbQ2vnXZFJgT99YdMo8w1jpM=,tag:f4AOoZZp8v1JL3vycU9dxg==,type:str] +nextcloud-secrets: ENC[AES256_GCM,data:iyLYZWUnMcejvO4iXf6dyJfAiYtCoIrCjafRJzycRqVVxwpHK2o0xetkkymFvWCiWQKFZUpV7v8u4L1pnD/Zwmbvwlvyasstfvj10NztpZ9tFFGLUqgcs+AOSw5rqhWqo3pewHpRUpskyuZPCg==,iv:Z+AATaNqI4LpCkFPD5+skL2fUeM9Oz/krVPW31vMl1s=,tag:OKpnYN/IXP7e/m620XzHAg==,type:str] +nextcloud-smb-credentials: ENC[AES256_GCM,data:jmFV1dVq6dThe2BlSb28YAKwGayBn10f98tc2jjibpAa5oAVzD04NpAtpcTQThtY,iv:SJADE393kJH5VgPd919ZH2UKS0GBCaelo+/Xyb9kFAY=,tag:n/UApNtPS8esGfkx5dIwzw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7 + enc: | + -----BEGIN AGE 
ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFUFR5UzNXWDlCU3Y5bWQ4 + VUl2akE1Ym1jWlFaU3BTb2FDYW15aEJRZ1JJClRhOWNDUTZTZzhwVmN1TG9PTUNs + SHN5b0pQMGhyNmtDdGwvVUlNU29RVGMKLS0tIEJpNnE4KzM4bkxuNlhhR1FRbTZ4 + ekZUdjlSSG5OQXoySkZ2WEZ1dWFIQkkKB1lM2FdslIg+JzllHyilnMH3EqvHRImD + Qi3M64gKr3s6ulIU0k0HjCetILONUdX6VRXIMozDaGZCz7f+yXHkwQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpQ3A3SkovZUtpS20vcVVH + SUJKMnU3Z21oN2tqZ05nTUhFTEZZK3JLeFFVCkZadVAyUEhFaGVRalJUOTJ5N1JV + Qi85dStiajErSndtV3BFVXBRS0w1N2cKLS0tIHRIbGlZMmtYdDRMQm5WRXFBWUpF + VjlVaDh2K1FGdmVwSWVqYmNES2hLYTQKTpO9nN+gD/EohH9Yo1+bkM4hncWrpfIG + Vyv7Rfval0QWGHU52VO6xlTieOse4NzrYQ9NQ3m/UROBpSmdiBWiBg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuUXNXM1Y3eTljcm9OUGpY + c0hTa0F0THhiZHNQSWNoUDgxNmMzbks1amlVCmFsUGtuQzNKeDVxZ1hMYytEZnlP + bUd0bTZnM0xPMTl2ajB4K0F5cWF0eWMKLS0tIE1jNnRXRG9UaUU1TXBWdVdpaUlx + RE1xeHFpNFF2QkRKYzl5YUxiZjJtU2cKou/P1Aw9h2by7FoyQF4fyXu3IwxqVEHq + c97KVXI+MoHm6sq1OTJ94XsKB/h+VjiUk8KEl3kmnC0twzd56qsb4A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1md4kkdf08zmagqv0yzza8h75f80c9j8np2p6eqea6fpa94szd5lsltz9va + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBraWFHUTI1Q2hMa1RaM2Fz + M0djcUIzendUUnlaY2N1SnJVM3JuMDZSZ0hzCndNbHJoN3o0ODl5SGhDVzJpS0c3 + Q1dxMEFSOEJwUGRBQlhOUkRBV3hBTkUKLS0tIFhOSWphVVV4QS9jaDFza3VOdVps + T09oTGJjaU1kUlM4TTV4NmRjMHFyNEkKRdunkGCAOXtfhAxp/baX1GH6JI09jSRf + jK4gPmuNTcxQRSRoKigX04LdKr1YjYvyfeejIzNZEDd22EYj1ISS/w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-23T21:04:42Z" + mac: 
ENC[AES256_GCM,data:D+FJiH4CLfiYcsFHpW1Lf6V7Ej9AFzVhTpM97mkd0rsDIVCFb+4PQmwQ8aF3SQvpuVmo49G7MmHhgC4WJPMyCVGs87E1J5QgNzaj/uBvEze42YRkC0rsePsoq/CyG+3DPFPE7DoPtijNqT+vTQk0Ku2245vTejk6oF2JdbzQ3u8=,iv:3tWsnBgmceqqhb01fGfBBqLD5F3bD8J9M4NIcdxNzgY=,tag:caeRk/lvI1ymHv91N85c4g==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/hosts/web.social-grow.tech/utils b/hosts/web.social-grow.tech/utils new file mode 120000 index 0000000..6b18391 --- /dev/null +++ b/hosts/web.social-grow.tech/utils @@ -0,0 +1 @@ +../../utils \ No newline at end of file diff --git a/utils/modules/lego/secrets.yaml b/utils/modules/lego/secrets.yaml index c8c3596..722f2ff 100644 --- a/utils/modules/lego/secrets.yaml +++ b/utils/modules/lego/secrets.yaml 
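Review bot: The new host secrets file carries entries that a web host does not obviously need — the `authelia-*` keys (including `authelia-identity-providers-oidc-issuer-private-key`), `nextcloud-ldap-password`, `nextcloud-adminpass`, `nextcloud-secrets`, `nextcloud-smb-credentials` and `borg-ssh-key` — and none of them is referenced in the part of configuration.nix visible in this diff (its hunk begins outside this view, so some may be consumed there). If the file was started from another host's secrets, every one of these becomes decryptable with the web host's key, since its recipient `age1md4kk…` is in the `sops.age` list, which widens the blast radius of a compromise of that host. Remove the entries this host does not use and re-encrypt, or keep them only in the host secrets file of the machine that actually runs authelia and nextcloud.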
@@ -8,137 +8,146 @@ sops: - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUYmY3L1VuYndVd2thbEk0 - aUgzU1RIMGFxVGtyM1RCYmw4SW1sU2VMZmtnCnN6WjlDN25JdTRISEVYcGJTWUor - aDV5UkhQNjIrVHducDA3cmFQSnlzZTQKLS0tIGdQWWhsdTlVa2kzdDU2WUhqUDJJ - ekNsQWlEQi8vTm5vWVorelpvUUNrbmsKYzKVSvj+BXFqrty1jTr99e/rIBoSuHY8 - lxLOH7ussA0JC0bOegKmk21d70H2pOOa0yLbBUIpW6+pmA+1L8zauA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3Y1VTUWNXMWdDRERPcUxU + ZTNadjlodGptbDhpRHJ2Z0gvY2JNQmFkdVdzClVGeWRIOGxqUHlkUEU1L0NTMUc5 + YmozYmR1TTdOTDNXOTNpbll0bGhqUGMKLS0tIDhTclB1NUtQZXFLR3phcEVkRzl2 + blVocE9wZjRydTMxa1E4ZUNOV0dPN3MKlP/9qMY3JgUb0fV+oIAVYVooX8I9lhIH + oRCALbQJQETlczXf4zSx1htXVctP0/fifSozFvo197pCjAxIl6d4qw== -----END AGE ENCRYPTED FILE----- - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCMHhEaWRZdklDVFcyQW1y - TWplalJFeTBIb1BRM1NWZnYyc2xTOFVhQTFBCmlHUHE2WGs0bWdlTlBpR0ZCSnc5 - eUFJcG5PMm1wUVZXY0ZLa29QcU1SWEUKLS0tIGVzWjJaZThpY21oMEtwWTd1TUJ1 - THRHZDBGY1lMeFQvQWxjOTlneEExbncK0UC0bd8jSLlS+Pb3nO7zlnowSO1iYaBx - P32gdPFWdAlnfX6SA0HzJJ3pyCH7uKS2JZD/Lbao7TfZPZ727fvdJg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTGF2bEwreFA2dzNnbjdR + UktlTm84UTcxNDdyaXE3akZzWkdaVXJPbWhFCkJWandOZDFXZWpFdXQ2Wm9CR3kz + eVZQdEdDMTN1SWlOVlJMSGNCQ0JMZU0KLS0tIGZvYTJ6bnJqYXdiVkhqMjBsbGRF + WS94bVpvWklpTTlDeVZET2pWRWJNOXMKlzLWxsxCqIf3h2+ObCoyR8KuDQdPM86R + DA7XCvfBOMkr1bnZLVi0mLM3mwnYmLDyfGIjULaR9KK/S5CCzF7JDw== -----END AGE ENCRYPTED FILE----- - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwMFU5RjJjcHFWWVd4ek1S - QWZSSGtZR0MxbklYeDA0RnM5cmFpeEVrU1FJCjd4ckl5L0pYQWRxcndpemdMY0t5 - NElycVU2R0c1ZW5STHdXOFZnVHFaWUEKLS0tIFB1RFFiNjZGL2szT1o2K0JUMk5Z - 
ZUlQYWxRUTIyVXBJaStWN0xXRTdrZnMK4453Uqzl1EYusOqf3S2YyJvz7Mh7ToUg - 6kzq2+wVPhM6xu/zPg6BTZRpvbq7hAN/bfzDlsgcCt4nOZp/d+4XJw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTZWVhenNQUVJRc0NjZWNR + M3RBVVByUHV5L0FqZEZmUklkLytGUlNGVERJCmZDWXRjSk0yM0lLMDVlVUI1bG9C + RTNlUHZ5WHp5NTVURDVnQnZ3OFRnUnMKLS0tIHh4c3psanl5cWs1NVMwNHlEcE9l + aHBzdktDZGdrc0UrMng3R2xwWHpFclEKuum93/+TrG0Bz/FyPT7N6U1fpYjD63bj + KDOaNxsfo7oagMJyNRkUSv4q1zZ8uwMKUXBSiWdiQCKt2m66Dm8ctg== -----END AGE ENCRYPTED FILE----- - recipient: age106n5n3rrrss45eqqzz8pq90la3kqdtnw63uw0sfa2mahk5xpe30sxs5x58 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhOWdSREZQL1ExRnpqQ293 - VXlWZkdkd21hTDhHQ1gybmNIQ1RBVUF2Q25vCkM3emN4bnltbUxFZG15aytLU05Z - VytlK0ZWdU1FY3pxaVFTb2lCZzBqcGcKLS0tIFd4ZElpUjc0M3RtNjNVcDNtWk5k - TE5Zbk9VdHh5TGVRVkdIUUd3dU1zNzAKcDUY+RghrJuHlDFy3IqD2Xr7YJPnXcwv - OC3/RT174ES97OHQdzep4X3ipYB7XLL1UNa24QKhpbXWpNy6kcDeLg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrOEl4RkRXMFU1ek1sWmdG + UEZaS0h4aXNybUIzalVNbm5sMzNtL1dqc0ZjCjI5d1N1bGNCRTdzTWZEeEdzYlQw + d0xGMS9TakVCZVpVVHcyYXZWQ0NubE0KLS0tIG52VU1kT0JYMkRVc0F1NjFjZi9K + MlJRODVhRUN6czNUV3RROWpsZTRTWnMKEBMyebasef2bz6zmO89xaaU2SfNZOWau + tl0p+FoK3KcX3QxGJnnOTvyMMoUEGSu7JPuy3+p2rzOwFYYeMOJYIg== -----END AGE ENCRYPTED FILE----- - recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIR3B1bit5Q1hJYjRjU0xy - eFZFeXAza24rSlEzR3E0KzUxQ1RMS3BmV2xJCjVxN3hzaHNTY1VhdlRPVk9wb0Zi - SmxjRnp6cnpzcmJLbk9MUWpoU3pXUVUKLS0tIHlzM3pMZFBHWlQ5NWVWZHZ1UDFp - OVVJMkhHUWxENlhVYVl1V1Y5VjNPc28KrcDoLT26nLtzRYxlnvB8gL7Nvn2MVr6R - 1OZhEmIQSH6eNItU/oK7G6S8FqNPksfFwWHA9aZ/K67pWmzu0ow+Tg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3TFZhL0NCdnFLeWw4b3pU + RDFXM3hUU29GMXVIcFhUT1lGeGlBRVd0OHlzCjR1YStsMHNGcmdnMm0xUFpOd0RU + QjFQMGlBMHQ1bktZRFZvZ1Q0OHhmajQKLS0tIHA4TGlVRCt4TEN0dGp3NUcvVjZq + 
ekc2R0VadzdwVzFpN09CRENjN1F6RTQKmGMPWX2k8OP8YYSYgfn9fRqsmvhyyvg5 + CqcLwAFo8NjMMLybTLUy3PEZbymwwV4uCUOGk8hxayPnBY3VICDw7w== -----END AGE ENCRYPTED FILE----- - recipient: age1gjm4c3swt8u88e36gf2qlg3syxfc0ly94u64c42f2tsf24npw4csa6e4fw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ZHFqWGk0bVMwbWhxTC9L - d3BLN2dxcmNoRTRVeVpDUHhLdjRuM0Vlbm5RCnJFNURuQ28zN2FCQzU3M0hkbk5N - RW93ZmU2NVlxYjFsdmoxM2MxVndMYTQKLS0tIDVacmI3Ukw0Z2RwSzViYkV0d0pN - NDc1aHJ1Z0t0dGhxMGluQm1yRHVTQ2cKBvGYrEiLlZwEbEdqGqR7ju8INj13QkHB - JA1hNfZLwClReN4rXFZ2ffZURxEIhVGSMxcVZUOvRuXXy3GpVRLdOg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFamxVcDZhRDJSRWoyYmp3 + NklibFVBR3MyZXJLa2xXcFdPaHJETmo3bm1RCnVsVkU2M1pINTdSdEtJbElBQ1hJ + OWdJc1RnYVhCVmc4UmNDRU5iZ2JaYnMKLS0tIC9GZjNFM3NybkhlbWlrZVNDNldz + ZVF2SjU1bDA3R2RJd3NzdStqQzV3ajQKDc/9sVNcYLir3+xVSRb5yPiMtx9dYm/s + Nk4CgnxY24GN8kivUk8a2bILXpg5LuR/8SvXchMHH61TNgKwnd++fg== -----END AGE ENCRYPTED FILE----- - recipient: age1ylrpaytkm0k5kcecsxvyv5xd9ts4md0uap48g6wsmj9pwm4lf5esffu0gw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxN3pYNjlIQ1NrZzRBamk5 - SDYvWHExekVXSXZpTTZqZnFpL2NXYVpiQWhVCmxVN2o1Sjg5THpHT3VHMzVjM3Jk - ZVJ3NXltT2haM3ZYWVdKZklWNFV4VlUKLS0tIEhwKzg0KzhTd1FUSEhjNGU2SjQ1 - aHA3NU56Tit2QXNDVi9NYXdVSlZMNDgKKZtu+suDC7A8gvL2iz7ANiqOgQISGLyW - oI+LuNovMysqTBcb/NSx1T241hw2SAENO6WmV+/sH4/wWSYYVpPJUA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaUVNUbFIwd3hZaTFudExB + cnluSm5pcXVTeUdXTzFsWkU0OHJCamw5dmswCmhJeVB0eHRIRkxoVjVPaVdqR1A1 + Tk11UjVYTzFQbEx0RWxvWElSd09SdTgKLS0tIHJ0OEl4U3J3TkdIZHA5Q2dGRmVL + QzJpQXBycDUrQjh5OUxuY0taRVdtMDAKXb3h1tpdXaIotKIAfSFLP0StVKyiM4O7 + TB4D1T/+sBhP3k2120ZvgVL+G8k8O4ABBduuYkAuN9HxlQfSnLQk0w== -----END AGE ENCRYPTED FILE----- - recipient: age1ezq2j34qngky22enhnslx6hzh4ekwk8dtmn6c9us0uqxqpn7hgpsspjz58 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYN2o0aUpKeFFnNGdSUTNC - 
ZzFqL2RiUVVlOFZEdEszZ3QrWTQ3eXNaWXgwCk1Ua0oyOGVEdGRXb2lOU0FSbjls - NW4rWEFWbEU2UnFvRmNCYTkwTzZTYVEKLS0tIHhZYWxWdGgxcUVTTE8vZjliekNj - MTluR2RGSEtKelNtOFJOWDQzVE1kREEKpv7aTl+HhVUQn51AfHcsRjXbYU0Aa/n4 - 7gMWZTm6nsCGTLqhRBOEhWHeGVMP8e8LnWzppMufv0Z1WxQ2PbMMKw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSRDNKaWgzZFdrVTVQYmw1 + R0hhQkZNcFc3Q2pLWEdGcnU4MWJvL0xaMEVZCjVJRytPSXFHNm8xYXJSak5zbTZ4 + dkp6eHZDOU1ucjg4SFZMb2RoMTA0WEkKLS0tIFJMZlF5dHRsWmV4eStxbXBPdDg2 + cmZ4c002SlFreVU3QTQxQURLSmxHblUKGG+BN/ROTFiIbTjIAOioLt8/Rv45OC3e + Rg6AHYGyaLWTDIqn8JC0X06Vg5GFxuwWKZp3OFbrUEGzXsx1zpS56w== -----END AGE ENCRYPTED FILE----- - recipient: age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBucHR2SjBaUjZHSFR4Rm5w - a0NYMXhPMFNjQ1hZdS9XVlMxQk1IUnZxSVdnCndUSkE2RC9QRDRhdW1yTVB1V2dT - TU9Oa1FhdFY0b0o4ellabHFuMVVXczgKLS0tIG9sWWNuV3RrQ0V3eEhkMmVVSmJH - V2RScFVneFlKdG1SQ25KK2FqSXJVVmMKjcR+mi48qs9GX1He2qYSXsf6VZhbR/s4 - eCjgN7zKzIhg4x97+N8mEcgTF6w1690/V6cIUYDsaaxpm5Y80/KF0g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVTV0a0xna3MrZkcrZzQz + Q3ZQcGdlWDZKczdBaElTSlFFT1YzaEZDOUNVCjR0MFpBVytkWFJoWVJRdkhFekIz + N29pVHNMdHVMZ1U3SklEaytzc0tzcVkKLS0tIDhQeE12MlhKemF4eUJVSS9jeUk2 + MWl5bDc2VzNzelk4WUZ1L0tZZ2gwNmcKkJKw07+WOl7lb5dlsPz3Hk6B3OJMbIoH + vWRDRo/GHBncs0W8QC8kRA9YytxaKkeaRAbfQl0cKebaSklTpMDbkw== -----END AGE ENCRYPTED FILE----- - recipient: age1azmxsw5llmp2nnsv3yc2l8paelmq9rfepxd8jvmswgsmax0qyyxqdnsc7t enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYUkRDZGliOGpvajZML0x4 - TU1pUU5TaVB2d0o3TGJkd2ZhME9jNnBncGdNCnZiVDUvbzJUR21CNUZLYTBkRjZU - b1hyUDVZbnVVM3hqTnBCU2NmYW5WQ2MKLS0tIDZaSlNsWUg4c1pOYnAyd0h3Zlhw - VEtDMGtUN3d1cDlGVUIrUVZ3OEVMQzgK/ftAJQ2QuQCR5h8BBdLu10Y6myTXCjs6 - Z1RoghfHGWxOFFuHzcsRdklInVLTeNhv8BI1SRwYuqZ2zVw8n29YCg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOSFJPTGhaT3NBKzRTNVMx + 
bGhXeThGUDd5WUhJblZQRnRPWnJ1OXcxcW5zCis0SmN3TksraUp6SXc2VFJiRm42 + USs2VlRmdkRJakRFS3FFblRzQjVOcFkKLS0tIGZCc0U3YUdvWk5QZDVqUnZlNkVo + Nlh5NWJQUWZEV05Fa1gwNm1jRXZmbDQKO5XUjgp9N0ZmPbGAMjgP9MUoVOQwh+lG + 4mNktIWLlzbnzeBdRcpT+TdceOXM180osgs/SbXHr7FvsGKDqCnY9g== -----END AGE ENCRYPTED FILE----- - recipient: age1zkzpnfeakyvg3fqtyay32sushjx2hqe28y6hs6ss7plemzqjqa5s6s5yu3 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzWjFvWkxxKzd2eE01dE1j - SHJsQTdhQlY3cW5OdWk2azdPR2UwRWc4T1VvCmdoN01EU0xybGFBZmNQL2Fub2tX - ZFB0NlRKUkpQTXhZd2R4QTZSeTZmeTQKLS0tIFBQenBCMGlxWGsvRndvWnk0YzZp - RVVVRU9hM2V3Ym1YQVJsVjkxV2ZzSmcKZDd1nHWduaWuixFWP5njiy5vT5pUX5eF - 0KHukAqPm0UXkC3kFSfEPH84mhycrMcniIV8vagdVqjuMB/od2mZHw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUWDdvWHdSRkNqS3FPbkRn + OVVvZlhwcUhZbk80UmQ3cGxyMFVLQzBJUUZnCnRwcHk1c1cvUTRTblNZUkVxSGNX + dGVaZUxYSkdaVWlNalY5TC9hd2x0YncKLS0tIC9YdTR5Y014WG91NEg3aFRFeS9B + TDZsYkdNQUQxeG55TERvdXJkaCt1RUEKlXO1HKPQSizBSjB18c107Zp9KT6JaJ5z + 783E/kejunfbUiFDFpLcSw4jyi7XZn3chhxHYjt6Ce+9BMObRBfGaw== -----END AGE ENCRYPTED FILE----- - recipient: age14uarclad0ty5supc8ep09793xrnwkv8a4h9j0fq8d8lc92n2dadqkf64vw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtOXZyNThEcTd5OXpFazBk - akxyYnNYYkt5MGk1dGNkWEtxWFlBdUtVakgwCk9KNDZPdHRZaEFtOGJHY295b2FS - SnpCdGJlMFZxTWpBMDJKM0dHUjlPV00KLS0tIDY3TXAwNXQ2R0pUM1dYbnYvNGZE - cU9heUlXT2IzTUhWa2dkN1BFWklYYzgKX6puoU0T5ozcy1rCnV1k+E1PC96Y2CAN - nD1lFrvkB8G+rO9ps1gEeV1oxY/wBFznDCxyAHuCKcnxAvIb0lKvcQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVkplQk00Nm4wVGVnUk1l + dXVwbGVIVTlqcHh3ZDZaWThoYzVtU3hiV2xFCm1TZGJvUUxPbUMrY0VYUXAzbW9i + bHFFTHRNMzJXM1RqazFzbFh2RWthUlUKLS0tIFZlaExtUzBOb2pmL01JL2h3U1Jr + a0NpNks1L3NpemJwbUJnMzhjYTlReXcKx9T/Dhu5q9hmMCCG9GvmrS+3DLdtAfFN + IOM0eP/M4M/WUfu/mrYnX/nfArfOEz7us0SnRJLri5nijliwe+Pdrg== -----END AGE ENCRYPTED FILE----- - recipient: age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df enc: | -----BEGIN AGE 
ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKMW84RlFjRW00RmRET25Q - YlJ1SXJxWERibGRTeDlPVXlHQWxCcDA4M1ZvCkRVZER5WWUxeFNiZTV3RTYzMWpX - VlB6WFBUbTE4SThuejM2M2lGZndzRUkKLS0tIFM0K1ZhbmtIU1JSSTd6Q0pWc0dE - NjJkVnlSbVVOQ0R0b3pyeHNRdko5aXMKNZpSu/yTqxpZt6jMC1mQcyEDe+VU7JEU - BxlRMW9/8s5Fqu852uRTQwrvAHtnlBPKrzurqjQq9byUY1Q6a0puJg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIU3dQNU42MVNyYU84cnBu + TmYzdDJuU0dtREU2NFNDYU5qOUY4d2UwOVVRCjh6QVBldWlvVEp3ZHU5MGl6MGRT + dUtPY3prbW04Z0tOTjZOTThJTllNb3MKLS0tIHQ4Rm9lMVNDa1h2a09BVnZ6N1Bt + MG5IN04rbGRLNWtPT2ZQb3NjV0R2OFkKNZ/2/bupwTgxRQR6lXOa6TuYwk8VP0q3 + 4MJMv0aIsCEt7sb8ZgaiZ7NLzHn6459iT4RTtdmu+ex7bj5kxGwNBw== -----END AGE ENCRYPTED FILE----- - recipient: age12msc2c6drsaw0yk2hjlaw0q0lyq0emjx5e8rq7qc7ql689k593kqfmhss2 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCUkJzcExuSFEzYnhPcFpp - ZFFld2JZYkRaQmZHc3d5aGRubFp3eFljbFhBCmhacmRWK1hVYnJzK2N0K0tYOTkv - SHZWaUt1clhpS0FXQzJoQTl2TmVaZmcKLS0tIFVWKzdQeXQwQkhFOGVDaUxsMnUr - L05EWEJZS2t3dUN2M3ZiR0VDQUVDS00K1Ju36/t7TGSY5JIpx+2+EfVnFem0JEGk - nFgwu7OWAqISnlICD6BEOE2ikZemO7UMJuy2+U4yKCnnztjzXyKmAw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPMGszNmJxc1Y4bUJTMjFK + SFpwL29YMElZc1BBTnl4Z1FaS2dnNVFUYTM0CmVFSFFxMVp2d1RkMENRcHlHWHJu + MG5YNXBZOTdPTm1oR0I1eU9XcXp6TncKLS0tIFFUZG1wS0wxVnJ2NnpNNG5DYlht + a3U1QkJMM2NQOU9uR25zcUxuNjNsajQKgi4Qls/XcEsoMewy1SNYIZhIjSDZmepp + 0Rw+c+8iODkAZQVYgXQ/1VOj6Aju+8n/MrsO1p3vWu/6h/lOr7pZqg== -----END AGE ENCRYPTED FILE----- - recipient: age1gtulvdj4aclpfhk3mmzvpz9xysccxhvu99x6ayaqlj8m44ehffgq6zuc5u enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTXRvY3FoWWpuUFJzazlx - Nml1dmQ3ZjRpSy9TQjhGS29pVTR4Q2JSalM0Ck9qbEhHWVB0RFhyNzI2Y1dVYUt2 - WENEUlVja2JzVzA0RElnYk9pWEpCaWMKLS0tIEwxWG9UbVczMEFiaUZzNkZsZVk5 - ZXBOQm9wZFg1TmhManpUMXdmcy84SmMKiO5gYDCEMd+oyQS4+VDZ/+x7dwgm0QVf - pFbUYGzVH3My2KOW3mX4AsYny/VAZrBbyQudqCb+kuwc6zR2N/ovZg== + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4YjhMVFBnRmlTQitDb005 + MGpJa1M1ci95QnJpL1BzZ2N1bHJRM3ZiNkNJCnFMSnNNS1dUd3gvSUhhZzRJNW02 + YS9oNFYzdnByaWFIWU8rQjJvWGNWYkEKLS0tIGh3dzZWL2Q2emtib1JiOWUwaU5s + S3RqWE5HT1hzQ0dRWlVQYzFlK1lEdW8Kdz1k/0XXhj+NXQeKYhrq2YTeNjDretuh + 0bAqgpleFs8len7plrP98VsGClZ4nQn/DF7PpOL6F4lrtaeWfnyEOg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1md4kkdf08zmagqv0yzza8h75f80c9j8np2p6eqea6fpa94szd5lsltz9va + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDbFZsQlUrNTROcjhsVEE5 + TUQvb3JKN1pNVDhKd2dhVExBMWZOdk9vOUR3CmU4bmU5VHhVRitlZ01wVlVzbUFj + Y0tnRDFINXJkbnFORjN0RS9lMTFkMkEKLS0tIEVNWkJDKzFka0ltcFlsUlZZQVh0 + VU95d2o3aVo4S0tLV01ydjc3TWdZeUkKOHat3eaGtvxXIaQO9OMH/9+MB+HPKMXB + YkH7sn3JTvy0nyAlYm2d7nb3wP2wWYH+5APdFSR6+sESWOotNMZpyA== -----END AGE ENCRYPTED FILE----- lastmodified: "2022-11-09T07:12:13Z" mac: ENC[AES256_GCM,data:gqsD5gTtE5ZqWzWKAAIscecvIsGSC9j4Cnbik6Yk7Jf7Z5/NIxbkInzDsLmlU3ObbLZAhGAlOAKIrUVy37rCcEZ+I04ICXK1dmUdsVud6E4SvTdDjh9qlXTbEkcDCY2YqXlTuQl6IZyveaPuF6fRe1FMh8JEpDv/foZTl8+AuQQ=,iv:+nV6YW9m1B0qo7xbB1lw9dgiQ877GQ6OxMqjk7lei10=,tag:NmeSwBWRKpqlwZxYYC7trg==,type:str]
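Review bot: The recipient block added at the end of this hunk (`- recipient: age1md4kk…`) makes the lego module secrets — presumably the ACME DNS-provider credentials — decryptable on the new web host as well, so each of the sixteen recipients in this hunk now holds a key that unwraps the same data key. That is consistent with the shared-module layout, but it is worth confirming that this host needs to run lego itself rather than receive certificates from elsewhere, and whether the provider token can be scoped per zone or per host to limit what one compromised machine can change in DNS. The untouched `lastmodified` and `mac` trailers are what `sops updatekeys` leaves, since it only re-wraps the data key and does not re-encrypt the payload.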