From f1f8662e987393463417371b2a41d58fc63f3882 Mon Sep 17 00:00:00 2001 From: Lander Van den Bulcke Date: Tue, 21 Oct 2025 13:21:21 +0200 Subject: [PATCH 1/2] feat: add docuseal mail Signed-off-by: Lander Van den Bulcke
---
 hosts/servers/mail-01.nix | 10 ++++++++++ hosts/servers/mail-01.yaml | 5 +++-- 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/hosts/servers/mail-01.nix b/hosts/servers/mail-01.nix
index 32cc880..a779fa8 100644
--- a/hosts/servers/mail-01.nix
+++ b/hosts/servers/mail-01.nix
@@ -45,6 +45,11 @@ in
 hashedPasswordFile = config.sops.secrets.mail-password-kinkystar-bitwarden.path;
 sendOnly = true;
 };
+
+ "docuseal@kinkystar.com" = {
+ hashedPasswordFile = config.sops.secrets.mail-password-kinkystar-docuseal.path;
+ sendOnly = true;
+ };
 };
 extraVirtualAliases = {
@@ -101,6 +106,11 @@ in
 owner = "root";
 group = "root";
 };
+
+ mail-password-kinkystar-docuseal = {
+ owner = "root";
+ group = "root";
+ };
 };
 };
diff --git a/hosts/servers/mail-01.yaml b/hosts/servers/mail-01.yaml
index a7483f1..9e03e91 100644
--- a/hosts/servers/mail-01.yaml
+++ b/hosts/servers/mail-01.yaml
@@ -2,6 +2,7 @@ mail-password-lander: ENC[AES256_GCM,data:eSsuEoAyIAL41qCD9SoqwqPsgkYM43Dp/OEatN mail-password-authelia: ENC[AES256_GCM,data:JCSPMP2DMFeb7fdBbkLhj35A3C6h4PmHSKgIuRrrfVlLPHXA+FyhQrl8P3hxdrFiFB1vr+G4ftOcoeZa,iv:Vk1xWJNrETCBKLqijE+Ftc7+hOg5u7KdcdqngIq9ZCE=,tag:pNubO1GLaiegRLAkU6rw4Q==,type:str] mail-password-forgejo: ENC[AES256_GCM,data:8BQcs6getbwXLvSTJ+j5j1XyS54qa9XMsyVvGaRocNUIgNnjhGndOVtEa2HfdXouIspbBP2rEY/yWRQj,iv:H87iJeDxR5n1VcdCtvVe29VJbvB2xfZE/DyIsl8pzzY=,tag:kIWsl2Rh0If1/8E22qf2BA==,type:str] mail-password-kinkystar-bitwarden: ENC[AES256_GCM,data:GhhF3k4awem4qldNqX6iInXOq8WVdHg0BKgzr9gq2KjHByAmDwIE5YtsQhHBZe73uUgyKryLBkqDdr/o,iv:wMLuJ/H/ChUKX5CcY6c+gV+kNKIEpqnZMbRd2QlFCNI=,tag:eJTE7iRVjSzaQD6bcLz+MQ==,type:str] +mail-password-kinkystar-docuseal: ENC[AES256_GCM,data:NxOjZ7pP2EWu2kOVfQdlSGcklyEaG8qIssrfSxkKgz9NVdaD/6CA/8HrnxIxoFMGzYOmHPSsrezoq0z9,iv:RQOeeI/Mt2xSRIxC25wcYwnYKiqtLMMVfSh2nU4FM2Q=,tag:XJBLlaHxXihWaD409QrcdA==,type:str] sops: age: - recipient: age1u2a7wakgsyct6ed7ah2pksymh7jjl08ankedeyl5pa5jcs8r0uks02jpza @@ -13,8 +14,8 @@ sops: MjI1UTlRRXdVaE5oSHBVRy9hcFNESzAKhdgGeeLl+BhslAFJmChAy7Ht+CPmZQqo 0Km8AGCKAmOQWEym0yRW/rKp35sOla4PQ4JWGlthNhcqyR2Kd916OQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-21T08:56:35Z" - mac: ENC[AES256_GCM,data:6ICy3l8BoHAi4NB3VbfiVs7PJdrqgloQUaLWKGam8Qp2gfzTYDm1TQaH/FjAgfE7AtTa5v0CRb0X/+emBpWdh1Swf4sGL/ILyNNSmg1E/mu0/z0FpzSSbCy4JpBwn8aCrUZ6oX/zMobwbNCBBsmhqhFRt8FNDcUeYxkfk3MofnU=,iv:Y8hfwcOCzr7tB2hRosDZsNg5aPUMRlZPnet6YzHpjts=,tag:ypNhw2+VLgx2gqWAG2NH2w==,type:str] + lastmodified: "2025-10-21T11:21:12Z" + mac: ENC[AES256_GCM,data:HKJybU7LOGAaXKmD08QNnSABDrua3v2mMKD1A6p/8UKhgkhh6s9sETGaFitYj7cmTqPRaLEbbPvBwrdNaMCzUiWFIw+GeGAR6IVuZHrK8SiOfAy0KEKrOHkyoG2PRv0H+TnfKHmmD2FfvoJ9Mk9twWi8c2nAzkm8Hd2W14vcjkI=,iv:CiD82E/QeY0CkSuhYfxHrrj5jL9d4pgwQ9XDpww9eFA=,tag:gri2I0mANOXqn2EBvJ7QNw==,type:str] pgp: - created_at: "2025-10-21T06:31:32Z" enc: |- 
From 440e1a6541a6b7eab8a0dea0cd13192a3bb65083 Mon Sep 17 00:00:00 2001 From: Lander Van den Bulcke Date: Tue, 21 Oct 2025 13:34:45 +0200 Subject: [PATCH 2/2] refactor: add hosting-01 to colmena Signed-off-by: Lander Van den Bulcke
---
 .sops.yaml | 6 ++ flake.nix | 15 ++-- hosts/hosting-01/disk-config.nix | 52 ------------ hosts/hosting-01/secrets.yaml | 50 ----------- .../{hosting-01 => servers}/auth/authelia.nix | 53 ++++++------ .../{hosting-01 => servers}/auth/default.nix | 0 hosts/{hosting-01 => servers}/auth/lldap.nix | 24 +++--- hosts/{hosting-01 => servers}/git/default.nix | 0 hosts/{hosting-01 => servers}/git/forgejo.nix | 84 +++++++++---------- .../default.nix => servers/hosting-01.nix} | 44 ++++------ hosts/servers/hosting-01.yaml | 50 +++++++++++ 11 files changed, 155 insertions(+), 223 deletions(-) delete mode 100644 hosts/hosting-01/disk-config.nix delete mode 100644 hosts/hosting-01/secrets.yaml rename hosts/{hosting-01 => servers}/auth/authelia.nix (87%) rename hosts/{hosting-01 => servers}/auth/default.nix (100%) rename hosts/{hosting-01 => servers}/auth/lldap.nix (76%) rename hosts/{hosting-01 => servers}/git/default.nix (100%) rename hosts/{hosting-01 => servers}/git/forgejo.nix (55%) rename hosts/{hosting-01/default.nix => servers/hosting-01.nix} (86%) create mode 100644 hosts/servers/hosting-01.yaml
diff --git a/.sops.yaml b/.sops.yaml
index bd8509c..07a7ca0 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -52,6 +52,12 @@ creation_rules:
 - *db-01
 pgp:
 - *lander
+ - path_regex: hosts/servers/hosting-01.yaml$
+ key_groups:
+ - age:
+ - *hosting-01
+ pgp:
+ - *lander
 - path_regex: hosts/hosting-01/secrets.yam?l$
 key_groups:
 - age:
diff --git a/flake.nix b/flake.nix
index fbca8d1..11bac15 100644
--- a/flake.nix
+++ b/flake.nix
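Review bot: The rule for `hosts/hosting-01/secrets.yam?l$` is left in place directly below the new one, although this patch deletes `hosts/hosting-01/secrets.yaml`; a stale creation rule means a file later created at that path is encrypted to whatever recipients that rule lists without anyone deciding so, and it is better removed in the same commit. In the added rule the dot in `path_regex: hosts/servers/hosting-01.yaml$` is unescaped; `hosts/servers/hosting-01\.yaml$` matches only the intended file. sops applies the first matching rule and the rules above this hunk are not visible, so it is worth confirming that no earlier pattern already captures files under `hosts/servers/`.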
@@ -158,15 +158,6 @@
 ./hosts/heimdall
 ];
 };
-
- # servers
- hosting-01 = nixpkgs.lib.nixosSystem {
- system = "aarch64-linux";
- specialArgs = { inherit inputs outputs; };
- modules = [
- ./hosts/hosting-01
- ];
- };
 };
 colmenaHive =
@@ -187,6 +178,7 @@
 {
 imports = [
 inputs.disko.nixosModules.disko
+ inputs.headplane.nixosModules.headplane
 inputs.nixos-mailserver.nixosModules.mailserver
 inputs.sops-nix.nixosModules.sops
 nixosModules.bandcamp-collection-downloader
@@ -218,7 +210,10 @@
 meta = {
 nixpkgs = import nixpkgs {
 system = "aarch64-linux";
- overlays = [ overlays.unstable-packages ];
+ overlays = [
+ overlays.unstable-packages
+ inputs.headplane.overlays.default
+ ];
 };
 };
 }
diff --git a/hosts/hosting-01/disk-config.nix b/hosts/hosting-01/disk-config.nix
deleted file mode 100644
index aa2e1fa..0000000
--- a/hosts/hosting-01/disk-config.nix
+++ /dev/null
@@ -1,52 +0,0 @@
-{
- lib,
- disks ? [ "/dev/sda" ],
- ...
-}:
-{
- disko.devices = {
- disk = lib.genAttrs disks (disk: {
- device = disk;
- type = "disk";
- content = {
- type = "gpt";
- partitions = {
- boot = {
- name = "boot";
- size = "256M";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- };
- };
- main = {
- size = "100%";
- content = {
- type = "btrfs";
- extraArgs = [ "-f" ]; # override existing partition
- subvolumes = {
- "/" = {
- mountOptions = [ "compress=zstd" ];
- mountpoint = "/";
- };
- "/home" = {
- mountOptions = [ "compress=zstd" ];
- mountpoint = "/home";
- };
- "/nix" = {
- mountOptions = [
- "compress=zstd"
- "noatime"
- ];
- mountpoint = "/nix";
- };
- };
- };
- };
- };
- };
- });
- };
-}
diff --git a/hosts/hosting-01/secrets.yaml b/hosts/hosting-01/secrets.yaml
deleted file mode 100644
index d65e468..0000000
--- a/hosts/hosting-01/secrets.yaml
+++ /dev/null
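Review bot: `inputs.headplane.nixosModules.headplane` is added to what appears to be the import list shared by every node of the hive (it sits beside disko, nixos-mailserver and sops-nix), and `inputs.headplane.overlays.default` goes into the hive-wide `meta.nixpkgs` overlays, whereas both were previously scoped to `hosts/hosting-01/default.nix`. That makes a third-party module and package overlay part of the evaluation of every server rather than only the host that runs headplane. If the hive layout allows it, keeping them per node (the module in hosting-01's own imports, the overlay through `meta.nodeNixpkgs`) keeps the other hosts independent of that input; otherwise a comment such as `# headplane: only used by hosting-01` on both added lines records why they are global. The surrounding `colmenaHive` definition lies outside these hunks, so the sharing is inferred from the neighbouring lines.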
@@ -1,50 +0,0 @@ -authelia: - hmac_secret: ENC[AES256_GCM,data:BKW1DTLgoGR5Z+lJxIzDugqDaJD4I9YgwPYKvaY3GyLsjZ+A9YmAKrSVIxixjaV465H2dJU1Gy9IFf1fL1IdKw==,iv:u3lN2yXlJ53Q+KHwjKNOUz+wdFziFGRPYrWYPvPbp3M=,tag:CslQZLCB40KfPnsGNBQh3w==,type:str] - jwt_secret: ENC[AES256_GCM,data:4FvIOu8GFTLfQ5n5owAd2gJxLmamyZaciJFDXG50SADIaS/BTK0e1wp7lw6YvPFmNnpzfUcQ7jxmYatNU1wZjg==,iv:gEu/hOsKAGdXBbvXZAEqaE1a5mIYD4eS80WlxRbDLaM=,tag:2IfNyPZUTsnilPD9a1GBCw==,type:str] - jwks: ENC[AES256_GCM,data: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,iv:rN0J3aCHpdRSEyx8K8FQCuTvEBaKDV6+pQWZVB55wxo=,tag:StQWyn4EpUtRyium8Skg+Q==,type:str] - lldap_authelia_password: ENC[AES256_GCM,data:OdW47EXFf9AwDtnjy1BBeHnMA8Jj4SBjLIGMF8BR4sw=,iv:DWqLJ9Hu16H5mMUxDSEi78W9kdaPmGmtvd2PamM1NqY=,tag:1Im3hAAd17PWdSjH+w+LKA==,type:str] - session_secret: ENC[AES256_GCM,data:Xw4K4DA1jyJGg6nzLLv2y9j4vwoodHeZhL35DrNB9BKBx8Muv99BbPIvz3lDZ2xB2p+aqB+3WzY/8jgkANlgAg==,iv:CxMkaBnOty4Q7dFH6Kn5v3L+F5QWJP9TR86xVRXCKN8=,tag:KIa2BsNn5gzDiaOxEZ2LQg==,type:str] - smtp_password: ENC[AES256_GCM,data:L7yf9g01QysPSirr9IK5ITvnl6XNQONv1AS91zrkf7E=,iv:fRJ9ZIviravLvgdl5BigSoOjUiAfQGB492/bS5GvhL8=,tag:DLhVqa/2Xn/vdChz4/ZixA==,type:str] - storage_encryption_key: ENC[AES256_GCM,data:hl5ciFqrQzv0iGE1RlIFctDMIFv7QOrVqZfqWBuHqn792i8ewwQxWnWQOxglsxSmvZwWYK9c2FcPJuMBWsYlpg==,iv:FBJXZQeenoV84wGCDinerifofKMSqJIY9qw0o3qUmeY=,tag:cymRnw2Jp+VaOo/lhX1C8Q==,type:str] -lldap: - jwt_secret: ENC[AES256_GCM,data:9h7XljbIrLxK3ekcAP8dZTAwlx8u/2eLqdfRHhHn+Lwj/sav3QNmqgfee9pyHhaoLvgZKWwKr7I+ijLZtOpIgQ==,iv:+VZUqDTy9EOm65ATJ6fPGeyA6aR043VmvXTzVmeMH+o=,tag:8nyYCrwoZADmt05EgldymA==,type:str] - key_seed: ENC[AES256_GCM,data:gt3jgAk4upREudd1HYXCSsqg6E3Vuq0WbiDSTjYZF+QJXa7cdq0Ke8XrjJVCAokbp7ZZsf1MMo/wEkr47HXggg==,iv:7xrMZrWNpsAtBoOx4p3RjaEJru9jXrdXkR/Z8rA4vwI=,tag:oLbli5vAw8X00eiD87sSCA==,type:str] - admin_password: ENC[AES256_GCM,data:RBibqepGrtX8hKVzdcAtTbsVZg==,iv:RLu3JkhtmCfXVwZA8EX/dVgqqu7hWURIWNSywlW/8ew=,tag:jQXYo2a+Idh1AIfr1687gg==,type:str] -oidc_clients: - 
headscale: - hashed: ENC[AES256_GCM,data:WWD40bVWbFAp1qIDHjKhc2UWTtCuVPaMrU+NqHBwvc7CDQ9CiUIb19vGqvUR11dhg5XyX2TgDRKuwRusA6Sv7cKjiLS7Mh1vkPi2rthYt/v5xKK0dvdI7VykkJQ1PV15VWumVuswhHuTu1FHweTA9dnMyaz4fE3cWerb22SRbT7LCko=,iv:psR3lnD/kO5+WTqcmTKbuOFfnd/YNZFR0qYYMGYgzhM=,tag:QPgfxytRP+X6mgtRqZngBg==,type:str] - unhashed: ENC[AES256_GCM,data:UPW0HSB712h6sjSHdEf3dsJ5iwodNyzutxPQy4tFdSrjoBRxzr0ad8uzOsMtqGX7fEt7w88QQBNNvki/9IXRfV07vQMAcOnN,iv:EvdLrxdhq6nLBc8zaGmImRRiuHZJ/R0cofuoj4RNUHI=,tag:R0DLJ0fngr4MRx38bZ9WWA==,type:str] -forgejo: - access-key-id: ENC[AES256_GCM,data:LVlYp0wQ1gxTg/RVG9HduoVpiUKLNCzwmX6DX7dQrv0=,iv:Oh4CA1Gp+nSWmQhX5OGI9vf3yC1XU/VpV/oveQefz8c=,tag:RguhY9Zh2q+cZ8rthhVcrw==,type:str] - secret-access-key: ENC[AES256_GCM,data:nODhpLuUG2uaaSDbULstA6YFHIRPg3mvgIyHqRB0Vj11f5X0TMuLjp3Feq7UeV9DbQWyjDVtEsRg9VGIywrD/Q==,iv:hsStXkXVLBkEWtBP6dY6z2mwfzv3t4L6E+Ht/18KE4E=,tag:vQBUwqXq41bbQ/+aSUIQJg==,type:str] - mailer-password: ENC[AES256_GCM,data:sO8Tt1Smwcr8hME/zYs118DiUfbcmhKnT2FCyjyUZfId4cHfjvxHuqZIHvBSlec27sbCmxRBHeCJ3Can6IFCAA==,iv:kPmW6oFCRBEzKScpFrW3Z0xhFCRg+MpiA9qJozakHjE=,tag:9xCVN/wFjN8Kl95PSC9aXA==,type:str] - oidc-secret: ENC[AES256_GCM,data:NeLfEXssdP5f4ff1uz3RwURw+OWAm3QgYz/EPpWb1aE+vIDIhPigiPem1+NrVvdBQ5uysL3VdnLtJPxwppcouoT7VGJkcog+,iv:eCl4I7EC7GTeQNSthk5QrMqNl1B9qvGGxQTspjD+LEU=,tag:qyPKf7E5xNmUI913Fb8n8A==,type:str] -mealie-env: ENC[AES256_GCM,data:3fZJffJs/WwtmMirHBRkghfPPkTB5sgY6oWNs5GUbkUzOooWurOvm0OcQHAEQf+HLn21kCOk/ilmlrcdMFtzXijClpHuy8n7cwmdGI0bwZ14QPCVlSYvSPisjX0=,iv:tc77J3T4tNGzBnXNBlq4wmfFMFQ44ZFEtl2N1QAt77U=,tag:hW7YceS5/GQveJj8fcf5uA==,type:str] -vaultwarden: 
ENC[AES256_GCM,data:6yLk6ip/Bd/469XNDYq5kKl+fPy8/+9Ybhruyly0HopNXbrBmzfAkAhuP0geZZTeAkxp2k/nn8vQ9I10QwzQ5Si0RhQWWidUdd2VyAlDlppiGBhtpeiY3J/2tlEGH1rf1O0NL23oGtqvRe4mEMZtyqK6YPYv7skOjaV5mzxu97psTQlqnOOAaisIVN/LqmKmzR72T3/SxlN8I0JzMneICfSLcwEp2//qVplqvTwTQgWziMf/Gkf2kkbugKRWSbp7sQ6cel2Gk2zyREx86biTje6nOjZ5goT2dcXzGexp6bzFb+XKu1Zj5wfY7dmvxZzMyigm4SSkjLd0Fh0QxU9cEiMAe5Max8c0i4Nqfh3Y1JZFj5sMS7e34oERMSA5wNu0l9hTaM5AYWiNPpvi4T3kLlguX5oerWvZWzeQT53soZF2iKdah2+J/0Wck8FRU3JXhC56XfIb,iv:AFzQvZnD8Aswoshp6X3AFkdxRCvL7rbClMwoW9C8epA=,tag:+W4t7W59LQMc3JzwoaAAcA==,type:str] -sops: - age: - - recipient: age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFcjltUDdJL2lrMEZvRk5Q - TFErTFYrYTlvbTc3OHd0SWZEQTNuQzFIZ2dJClNhcWRmWkh4MXlaeklJdEh0K3lp - MG9hMHU1OWcybUhKM1QrclBBeGpOaWcKLS0tIEZMYVNKN1ZxQmxHcFRUQ1BVUUtq - NW9CUkJQbis1NmpyU0xrb3J4UVNKTDgKsPFnlQBa8LGm6s8uZsUXq9RIt4WzzROc - mz9dEVq/R54xvjMRltgzZyu54BWWOQYgkZUEhOnDoqwVnA7XwGGYtA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-21T09:26:44Z" - mac: ENC[AES256_GCM,data:yiWDzGJj/Yuq/Y8DvE+muEGiynr8TI0RkX2YAu3KdloSvtAvjBRbc3kkyFqEAjLA9EKJAhb+0O00Ugul5uo0icw8PMBOBg2lMgLGcW7w531O1DgSgoVloUNRp+YlAnFQMkBO/euRwWOgfHmp3Usj4NmnUStTXuZUH225EeSBYkE=,iv:dPnfHLkgpp/AyuAAY4r13toPlMa5myzo3ubNDDN8Ya0=,tag:FaA31H6Rd8RUJvixsIo9BQ==,type:str] - pgp: - - created_at: "2025-07-06T18:28:35Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DARdpY4woM6wSAQdAzqZHVo7/A+jPwSx63zOXGJ9tCF7qYDvu/Eg7HxCxhFYw - P277CjIB3imnRHCms18b+ze9Bv3A2wNdBGlbqhG/Z1R10NPx3nJydnYCUdZtbKFk - 0lwBTahORz3Ha2RqKTiuUGhncNtz+4U5i08sbLCzp/1Vc32RAwEGtfbMFosS4Uf2 - qCFsnEICj2MuXgBtub5Mw2zpDIFkjaIRGLPohiJy+Yrp9J14hWuZmC79lwGRgQ== - =umk4 - -----END PGP MESSAGE----- - fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92 - unencrypted_suffix: _unencrypted - version: 3.11.0 
diff --git a/hosts/hosting-01/auth/authelia.nix b/hosts/servers/auth/authelia.nix
similarity index 87%
rename from hosts/hosting-01/auth/authelia.nix
rename to hosts/servers/auth/authelia.nix
index e3ffd85..b4b7b71 100644
--- a/hosts/hosting-01/auth/authelia.nix
+++ b/hosts/servers/auth/authelia.nix
@@ -158,34 +158,31 @@
 };
 };
- sops.secrets = {
- "authelia/hmac_secret" = {
- owner = "authelia-escapeangle";
- sopsFile = ../secrets.yaml;
- };
- "authelia/jwks" = {
- owner = "authelia-escapeangle";
- sopsFile = ../secrets.yaml;
- };
- "authelia/jwt_secret" = {
- owner = "authelia-escapeangle";
- sopsFile = ../secrets.yaml;
- };
- "authelia/session_secret" = {
- owner = "authelia-escapeangle";
- sopsFile = ../secrets.yaml;
- };
- "authelia/storage_encryption_key" = {
- owner = "authelia-escapeangle";
- sopsFile = ../secrets.yaml;
- };
- "authelia/lldap_authelia_password" = {
- owner = "authelia-escapeangle";
- sopsFile = ../secrets.yaml;
- };
- "authelia/smtp_password" = {
- owner = "authelia-escapeangle";
- sopsFile = ../secrets.yaml;
+ sops = {
+ defaultSopsFile = ../hosting-01.yaml;
+
+ secrets = {
+ "authelia/hmac_secret" = {
+ owner = "authelia-escapeangle";
+ };
+ "authelia/jwks" = {
+ owner = "authelia-escapeangle";
+ };
+ "authelia/jwt_secret" = {
+ owner = "authelia-escapeangle";
+ };
+ "authelia/session_secret" = {
+ owner = "authelia-escapeangle";
+ };
+ "authelia/storage_encryption_key" = {
+ owner = "authelia-escapeangle";
+ };
+ "authelia/lldap_authelia_password" = {
+ owner = "authelia-escapeangle";
+ };
+ "authelia/smtp_password" = {
+ owner = "authelia-escapeangle";
+ };
 };
 };
 }
diff --git a/hosts/hosting-01/auth/default.nix b/hosts/servers/auth/default.nix
similarity index 100%
rename from hosts/hosting-01/auth/default.nix
rename to hosts/servers/auth/default.nix
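Review bot: `defaultSopsFile = ../hosting-01.yaml;` is now set inside this service module, and the same assignment is repeated in `auth/lldap.nix`, `git/forgejo.nix` and `hosting-01.nix` in this patch. Since the modules now sit in the shared `hosts/servers/` tree, another node importing `./auth` or `./git` would either hit a conflicting definition or resolve its secrets against hosting-01's file, which it presumably cannot decrypt. Setting the default once in `hosting-01.nix` and keeping only the `secrets` attrset here avoids that; if the per-module form stays, a comment such as `# secrets for this module live in hosting-01's sops file` states the coupling. The hunk starts inside the module body, so the enclosing attrset is not visible.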
diff --git a/hosts/hosting-01/auth/lldap.nix b/hosts/servers/auth/lldap.nix
similarity index 76%
rename from hosts/hosting-01/auth/lldap.nix
rename to hosts/servers/auth/lldap.nix
index 40cbc57..1612d2f 100644
--- a/hosts/hosting-01/auth/lldap.nix
+++ b/hosts/servers/auth/lldap.nix
@@ -32,18 +32,18 @@
 groups.lldap = { };
 };
- sops.secrets = {
- "lldap/jwt_secret" = {
- owner = "lldap";
- sopsFile = ../secrets.yaml;
- };
- "lldap/key_seed" = {
- owner = "lldap";
- sopsFile = ../secrets.yaml;
- };
- "lldap/admin_password" = {
- owner = "lldap";
- sopsFile = ../secrets.yaml;
+ sops = {
+ defaultSopsFile = ../hosting-01.yaml;
+ secrets = {
+ "lldap/jwt_secret" = {
+ owner = "lldap";
+ };
+ "lldap/key_seed" = {
+ owner = "lldap";
+ };
+ "lldap/admin_password" = {
+ owner = "lldap";
+ };
 };
 };
 }
diff --git a/hosts/hosting-01/git/default.nix b/hosts/servers/git/default.nix
similarity index 100%
rename from hosts/hosting-01/git/default.nix
rename to hosts/servers/git/default.nix
diff --git a/hosts/hosting-01/git/forgejo.nix b/hosts/servers/git/forgejo.nix
similarity index 55%
rename from hosts/hosting-01/git/forgejo.nix
rename to hosts/servers/git/forgejo.nix
index 8a36d44..3296ca3 100644
--- a/hosts/hosting-01/git/forgejo.nix
+++ b/hosts/servers/git/forgejo.nix
@@ -69,34 +69,35 @@ in
 systemd.services.forgejo = {
 requires = [ "tailscaled.service" ];
- preStart = ''
- auth="${lib.getExe config.services.forgejo.package} admin auth"
-
- echo "Trying to find existing sso configuration for Authelia"...
- set +e -o pipefail
- id="$($auth list | grep "Authelia.*OAuth2" | cut -d' ' -f1)"
- found=$?
- set -e +o pipefail
-
- if [[ $found = 0 ]]; then
- echo Found sso configuration at id=$id, updating it if needed.
- $auth update-oauth \
- --id $id \
- --name "Authelia" \
- --provider openidConnect \
- --key forgejo \
- --secret $(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path}) \
- --auto-discover-url https://auth.escapeangle.com/.well-known/openid-configuration
- else
- echo Did not find any sso configuration, creating one with name Authelia.
- $auth add-oauth \
- --name Authelia \
- --provider openidConnect \
- --key forgejo \
- --secret $(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path}) \
- --auto-discover-url https://auth.escapeangle.com/.well-known/openid-configuration
- fi
- '';
+ preStart = # bash
+ ''
+ auth="${lib.getExe config.services.forgejo.package} admin auth"
+
+ echo "Trying to find existing sso configuration for Authelia"...
+ set +e -o pipefail
+ id="$($auth list | grep "Authelia.*OAuth2" | cut -d' ' -f1)"
+ found=$?
+ set -e +o pipefail
+
+ if [[ $found = 0 ]]; then
+ echo Found sso configuration at id=$id, updating it if needed.
+ $auth update-oauth \
+ --id $id \
+ --name "Authelia" \
+ --provider openidConnect \
+ --key forgejo \
+ --secret $(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path}) \
+ --auto-discover-url https://auth.escapeangle.com/.well-known/openid-configuration
+ else
+ echo Did not find any sso configuration, creating one with name Authelia.
+ $auth add-oauth \
+ --name Authelia \
+ --provider openidConnect \
+ --key forgejo \
+ --secret $(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path}) \
+ --auto-discover-url https://auth.escapeangle.com/.well-known/openid-configuration
+ fi
+ '';
 };
 services.nginx.virtualHosts."git.escapeangle.com" = {
@@ -110,22 +111,21 @@ in
 };
 };
- sops.secrets = {
- "forgejo/mailer-password" = {
- owner = "forgejo";
- sopsFile = ../secrets.yaml;
- };
- "forgejo/oidc-secret" = {
- owner = "forgejo";
- sopsFile = ../secrets.yaml;
- };
- "forgejo/access-key-id" = {
- owner = "forgejo";
- sopsFile = ../secrets.yaml;
- };
- "forgejo/secret-access-key" = {
- owner = "forgejo";
- sopsFile = ../secrets.yaml;
+ sops = {
+ defaultSopsFile = ../hosting-01.yaml;
+ secrets = {
+ "forgejo/mailer-password" = {
+ owner = "forgejo";
+ };
+ "forgejo/oidc-secret" = {
+ owner = "forgejo";
+ };
+ "forgejo/access-key-id" = {
+ owner = "forgejo";
+ };
+ "forgejo/secret-access-key" = {
+ owner = "forgejo";
+ };
 };
 };
 }
diff --git a/hosts/hosting-01/default.nix b/hosts/servers/hosting-01.nix
similarity index 86%
rename from hosts/hosting-01/default.nix
rename to hosts/servers/hosting-01.nix
index 8ffc673..e87b520 100644
--- a/hosts/hosting-01/default.nix
+++ b/hosts/servers/hosting-01.nix
@@ -1,8 +1,7 @@
 {
- inputs,
 config,
- pkgs,
 lib,
+ pkgs,
 ...
 }:
 let
@@ -18,23 +17,10 @@ let
 in
 {
 imports = [
- ./disk-config.nix
- {
- _module.args.disks = [ "/dev/sda" ];
- }
-
- inputs.headplane.nixosModules.headplane
-
- ../common/servers
-
 ./auth
 ./git
 ];
- time.timeZone = "Europe/Berlin";
-
- networking.hostName = "hosting-01";
- networking.nameservers = [ "8.8.8.8" ];
 networking.firewall = {
 enable = true;
 allowedTCPPorts = [
@@ -43,8 +29,6 @@ in
 ];
 };
- nixpkgs.overlays = [ inputs.headplane.overlays.default ];
-
 services.nginx = {
 enable = true;
 recommendedGzipSettings = true;
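Review bot: The re-indented `preStart` still passes the OIDC client secret as `--secret $(tr -d '\n' < …)`, in both the `update-oauth` and the `add-oauth` branch, so the value is expanded onto the `forgejo admin auth` command line and can be seen by anything on the host that can read process arguments while the command runs. The expansions are also unquoted: `--id $id` word-splits if the `grep` matches more than one row, and the secret would split on any whitespace it contains. At minimum quote them, `--id "$id"` and `--secret "$(tr -d '\n' < ${config.sops.secrets."forgejo/oidc-secret".path})"`, and add a comment such as `# secret is passed on argv here; switch to a file-based option if the CLI offers one` so the exposure is revisited. The `systemd.services.forgejo` block begins above this hunk and closes just after the script.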
@@ -126,11 +110,6 @@ in
 credentialsFile = config.sops.secrets.mealie-env.path;
 };
- sops.secrets.mealie-env = {
- owner = "mealie";
- sopsFile = ./secrets.yaml;
- };
-
 services.nginx.virtualHosts."recipes.escapeangle.com" = {
 forceSSL = true;
 enableACME = true;
@@ -166,11 +145,6 @@ in
 environmentFile = config.sops.secrets.vaultwarden.path;
 };
- sops.secrets.vaultwarden = {
- owner = "root";
- sopsFile = ./secrets.yaml;
- };
-
 services.nginx.virtualHosts."bitwarden.kinkystar.com" = {
 forceSSL = true;
 enableACME = true;
@@ -179,8 +153,20 @@ in
 };
 };
- security.acme.defaults.email = "landervandenbulcke@gmail.com";
- security.acme.acceptTerms = true;
+ sops = {
+ defaultSopsFile = ./hosting-01.yaml;
+ validateSopsFiles = false;
+
+ secrets = {
+ mealie-env = {
+ owner = "mealie";
+ };
+
+ vaultwarden = {
+ owner = "root";
+ };
+ };
+ };
 system.stateVersion = "25.05";
 }
diff --git a/hosts/servers/hosting-01.yaml b/hosts/servers/hosting-01.yaml
new file mode 100644
index 0000000..62a419a
--- /dev/null
+++ b/hosts/servers/hosting-01.yaml
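Review bot: `validateSopsFiles = false;` in the added `sops` block switches off sops-nix's build-time validation of the secrets file, so a key declared under `secrets` that is missing or misspelled in `hosting-01.yaml` is only noticed when the host activates, which is when authelia, forgejo and vaultwarden need their credentials. The file is committed next to this module, so the check should be able to run; either drop the line or give the reason in a comment, e.g. `# validateSopsFiles disabled because <reason>`. The same hunk removes `security.acme.acceptTerms` and `security.acme.defaults.email` while the virtual hosts keep `enableACME = true`; presumably the shared server configuration now supplies them, but that is not visible in this patch.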
@@ -0,0 +1,50 @@ +authelia: + hmac_secret: ENC[AES256_GCM,data:DbU0RE1cM3W2nW0qSZWFH8NCmd9qkjOuhTfGMXn+q6+UoKzh4Gf5bma8iXha4Y4ZZjpAHsj0csStGkrdayzjdQ==,iv:Q3Usgu6GXR3n5p9E9r1tUeM8CELl1WJ2gUhbOF2vzlE=,tag:8dLj1PFA/+LU2ToC44mtyA==,type:str] + jwt_secret: ENC[AES256_GCM,data:jIUeEUlv2ghFieuiTgfY7EoirOial0ZVWzUIEhvAL71GVKtYC+YfHMERiQ8l3d4FHH5gGR4VwvfX2Qo0M8JYPQ==,iv:ZbyQeoXWQHm5ql1L14XtdKYELpmEgoc3o3uldZCJsaQ=,tag:6U5xPh4tRUcox3LvFyzYwg==,type:str] + jwks: ENC[AES256_GCM,data:r3P9NWIxhcrTWKEM5paz3J/41d9LPcwSLaw/u0yNtVU6s/B1UROHnRFJSev/ed215s1YzzR5ouiIChLKyLLO9EAiz+yZKdM2l9JH3d2LxxHqZMtL3tTfKjei1uqvpr9+zuw9T0U7y/IZOm81of/vOZa7JS5IzGuRj8w9zXZey0L8CWbq7dA1WMWYmT506VlxjcktCeZCNO0vndNLxhOzQl2334OtKrVFs0LNohLu1JgvsXA3qPPX/c7t2LbttlcNni+dIZlTWWKgtg7F1FuPxfi4j6qNVbgITf253P1h1u9UsG+TPdC9x6SDVDMNbz6zzMpR1kr4tv2euDV99SYYDAzpy7W1aaiqxew+rCPqYUSTEU2zymZrLGzP3RrNWKbaZPLD2eaT0hymIdoEVQOsNYgKM/pIUF7KKFg4BYm7WqEUIfoTcFe5p2+hYHop5tHivEAgyBMFU8SkcIUGMfZFmyjTeryUK8MG9VgG2ll8Y90BRp+VRqS9D3Y0YgKGP+UfkgISsjDwo+tu9oJ3duJgzYUrOPD6ongm+u2S0hPt8SUOBdbFRnF1MwYfehShrg8Jca6y55hvNe1InQwV/oDldkOFwmWNb0nzXNIeatjKsuAmOEXWniEk44GWGk5OumgL71pfqWW8S6djp7DeWoLfTFCLZwjD8i6IfvzgsaGYUcjfj4KeHCRcjL6fplfw12cCbymCMxmAWw8w43Nz56t+9nPRC0+neI9WX8PzLONB+m+p08KGLY+6jEcy+MCIEbTmN2+leqSsB0uk2ToCRzd0FmIGImVSaKgYCOaUoT2NYBGsjIN/31num6Im/gKnN39qO4hIvIz+h6QfJyKCdzcbZ2lggvxWau48PmoDKIjy0mzfa1g3ah0GBgqWbg4pOlaNCumQ6NyRH/oBS8xVKSMLp2D4LubDcbFsTTbiXfljwwrfMQz7Ne5GFeWBIN+5pjVUtbqDM+7HlFwrTuAUWLBDbeJUe2vJMWzqeSbBihKzYHrPFX8Ic4G1HJh68wHssGnWGXQ6pWU9C0w3zCOIXBzPr8q7fd9kcjr5hWwteydIAakvKPNTGFnsw3kHL9d4TmKftCRwitFOH2YaGs7olArMAWAGL7/n8YT60A+K3vGwgMRW3X8sbLOs7kirjYMm4i5PPSfg7e3acME5Cr58UmKO7nqu8MXgU6KaR7axA1ypRrjIY0dhIiUiTMW7WaiiPXMbgV5LzWVhzb3YzEczL9c9nQUkpLWh8YGufuifaaKJpopgZoSDfu7A8u8g4yweHtFtg+fMU2ayrTUyfgtHlJ/ULIrKad3bDrvOJDRODwkUNS7NrqWVbAMP6EBRVBj65WXgqhWgsKYw6p2x9sD+Cy4Q1w5YpczcnlUu+qiV/LyZZJ0SrsoEe6UUKC0fQS7T03DHur+htvcBGwCftHqYCvf1YVDDW/sSWkdGUW8vAl3ajZuD8jGuK4faKzPCZRiwqDWiINXy3v3MC4lPUBwO1uCKeu7rnzd00xvT/C66BIKVs7R3eq1UVhV
sAEEQljOb1ch2v8qMSYRKJAEICLlWWdoQazUJDoG9O3IZukva9BQU1vC07Jq3qI7EtbJM3+M1p+otwOgfZD7QOOjw08D3LtOPBn450ydDI6cl8v0ZW09Esog9nCJcyt8DfDJ/Y+5FJZ7MgQsXKWJTjIzQ8mvu888BGWeYtgDOY2wEUpk3VwzBQQR3i/qyvQm5b6w4H2AFNIxakK0Y+WX58E1AYeO+kPgXqWhxSeY9+zbj14MOV5+00ExPIZtw/rYiZhlDyu/PQ8tGzUB8MiT+8QMYWVsFKJ8l+v6uB7mhnPSo+m1rOwZQs4CxW4HDC8No+8GFNmbBXxzbmZ9E6DonCaftYEBluAAGM1ONGUSkxnb+a0PTgbDSrQ2K03LJxrkdJwvK9mMrJJ3mCNKGePTEN9PwDhY3/uMD6KLvsWAkX7/8krK8LkuPIIk3JT4p01ZYWtBVY6WH7eOnC+5FaUbDxrpVNL5hS7DrAN4fSuHtYE7R4fYslImzTILvR3Zg7Z0gkbm+SDWjvnqHcXJv3yDM1LCLgJ7OUFL8oEG+PYtUVildEPW56Ng6uww+LfsV7hJ3BR6iINIyU79zsXtL1w+UJ641ORfdy1pikKlhDflXhbYqxDLzUbAKUjyFcwSNTFSJD7LE2Gc1HdKWM8sWiHWR2OP7S2ftVpeGj5KKQ2+5Y8/W15Di/QaaZAcicED4lYmrxOTYLdxR0CaAvGd5TmKfmjQ8ePsJN8xGJMRjiLwJ7p/AlQ==,iv:H32i8uJWcvMjL8HJcYfIrGcGINBDqasIXsRgITjMmxk=,tag:Jfn82j50QAljozvvqySlug==,type:str] + lldap_authelia_password: ENC[AES256_GCM,data:zc9TIslPGg6evzinIsuAJKjt2IADOQMjQjiRq88t8eM=,iv:6EvE9yS4e2fSuo06n2ARoOpcTXzjlwpMwgg4xrJVwcQ=,tag:5wWcJJotUlEV0umKjeMLQA==,type:str] + session_secret: ENC[AES256_GCM,data:pJ/DEcH9dydXQRPBW9bfmnTfRhCBK9uV0wtLFH7aTpj5i3Fa0UzrdsgPLvSPiG3XlQwHeALszzAkj+JpYI+dIQ==,iv:g5GFeOxrxYJU0B2o/eLfSmgbOPop0duuX5WhKJkttMg=,tag:Y7hsRtopuYmXWZly1DnOQA==,type:str] + smtp_password: ENC[AES256_GCM,data:Hca+LzID58tde/TXJuTaFj82kcWY3eGcc4ndvw7L7JE=,iv:Os/+7BSLHLwUHdeRkt1T/sLX/DCaNZGa9g/e9Fftfjk=,tag:fLYJ2ybRHV56m0BSzwfUxQ==,type:str] + storage_encryption_key: ENC[AES256_GCM,data:7tbBpgE48g4LvcE7KQUFQ18ejfOMEfxKRGMLe9dpu7sLftQbTVW9dGWcSiwW1NSomMefaflqISOV077y9/EqnQ==,iv:KtSQGFB4P8i9VphgNPHgqYytSeYA/kFnL4n6N87vqPI=,tag:bYR//XM8JhQDFiPK+pfPkw==,type:str] +lldap: + jwt_secret: ENC[AES256_GCM,data:T32xPJpMno8u1w1NJ+kar4yb3IKW+hQAfuxxBJ7uv8+tLAVi6YytTKwDz7dS3KCA1H7kxHmINEqbXng5qGP+Yg==,iv:EK3cVN7kpZnxldqSLd2OxyrGd1uCeEXpNcyIDUNxUI0=,tag:UZzrwhJ6isMNHLlFGFVvSg==,type:str] + key_seed: 
ENC[AES256_GCM,data:1y2snXLHVAnuwBSQ3ksvsMg9g3sozTkC5P0IgbJIg328RL8dZK3K9+mMe71W5a970NwP8agvEHaq4y/pQbbtIg==,iv:6sKjiaHPexmYjyzf+w1wU/rZk20cMawKXnsQ0PSbB2Y=,tag:kVi+s90LiLTgiYICjTNTUA==,type:str] + admin_password: ENC[AES256_GCM,data:08Wgc0iZGnd5MZm3BCiFY9VRGw==,iv:4RsV1KSfXk70zpMp589c5p8HOh6ybLULVXjevIdco2o=,tag:7ylVDQ9shfXUYWutzprP8g==,type:str] +oidc_clients: + headscale: + hashed: ENC[AES256_GCM,data:R1ePOxO+TBeM9oGjIayq34H3EBS7InGfbWtWc1+4GtQpUUDlk2elxPqzZf2fKcUcxJm5ToavRfJzkfv9G9RX1xm+YcP6J25anWUrjp4fkAL092CdYY4YxCti/nNqxm2IyeytyE9iS3p/fBGLdzQilXzsT2iW4tfW7mDtyh+ikp3I/po=,iv:E1+1K3oXYTv1xyFsyq9jHIjgHdrcRtSkv0WP2xePRm0=,tag:OlYBl3IJwSarpZDwfxKrmQ==,type:str] + unhashed: ENC[AES256_GCM,data:1+WcSLyYJofKz5VFgfPuAzreVOSTNiqLsavsL6fo0C0VW3tgINdvYeAqncr44ugrN3ZYkyo9KB/uN882/Vex/TAfUL4WSgkJ,iv:bXlqtcLFQv1cCravGYKuwImFKtYzjk39mFKAMy2PUKY=,tag:+vHaGjtldPvWlEpO86Ct1Q==,type:str] +forgejo: + access-key-id: ENC[AES256_GCM,data:RTNN8jVGLM1gLdLL8LIn8ntBBrrCevHTAweydc4cpLo=,iv:gU0vCbqgWAANBP/WsZwnoKpFeLgRlJhEWS7pxma2b8I=,tag:NSzRIQvS6A47bwUq+kRlrA==,type:str] + secret-access-key: ENC[AES256_GCM,data:sIubWLP6XT5rETypmHduKKdJmTGTsr0K9litkBqmLSNppqzaCNzK6XuTwn+3Ge22Pjk8hgk+cWbCGYID9gtYGg==,iv:3iZgxvXYkOppMTXZxpWWmgtd2gYnNXlg+WaUnlkxMhA=,tag:P7fZyHvUOaaFuzcOOQPrNw==,type:str] + mailer-password: ENC[AES256_GCM,data:smIdxI/OiqjDmatCV5nh2qkY4/2J9Vmi1lP5sEezduqpUp2Lsd7DkYJIpI5927Bf5Nb/rUlnYMipz9nd/KjfkA==,iv:rfMOGk2/bP1MxQVYQBgmR/Z6z2p1yWhejvz66OjqvH4=,tag:XvZfHh5ndpGQIN2cubYVHg==,type:str] + oidc-secret: ENC[AES256_GCM,data:CC78bq7nFYXAV0MLIshBkB1s7kQOgn0bkk21olNf9xT10KjJBB4KkbIZ6WI45T88MsK9Lv3FB6C9tRaPo3TLzcuz7D2Yk6O7,iv:ouUIoQY03DRlKpbEy8LTFnuClmYADa38Tp9EN932XSU=,tag:ieVnmE1A6g91qw9p1ek49Q==,type:str] +mealie-env: ENC[AES256_GCM,data:E9z2K/HJNs3MrYMG+WjxUjxl5vslVskQOyHSs2qwDWbL6Dzjqd3ifvwuT6vSufEce0QaU9d+lIC/EAwi3LIxl9M77eBaUq3QXLeTdJ87DObJOpsxhbelaV5rKec=,iv:w1cdMEIaHFES8oHvMGcGp4jHhMPMje3SVepbaMJcEe4=,tag:wl5+xDtjM8rd9ecq2ws/Xw==,type:str] +vaultwarden: 
ENC[AES256_GCM,data:YTGRVjajeSSRnjqaZHTa9HiV1c0kQj6+3m3BMirMH4Pu6NNlTYJgGOdz44jEmx4plbZkyM+ZkFVK3sL9rDryaxKGeDxZyM/2zPTlcosPVgA4ObzmmyT0XUoNRjOPYiE3CibmG9ZAEKp8hkGJGJATFOaQrphDS0Zczq/zc8+vUpVSJi8ycB1y1fxNAvfrftyETUsGYdKrD5+5s4fl422L6G12xdcy3TQNdfPz+SeXfhcTXSnORCglyYVzYlbUFQF9N6rpyZROv0dsN+s+c1d6Fsg6ROL3NrfQ0DkUy2rdmzAxrMNlRa89ZAybkDNeW/Wm24E/P+S5gqysRKA9ZJ6H/F9JZWJOazESgzcBLsWvSRO7U0O4Nou8uWAVuvQ/lmgwbepjUKG1EWRXJdNkZtL4EQiWR5G7NnhXjiLb22do7w5O8qiCXOHtQek/wfT57loLCn8oQfz6,iv:Sq7Mom6PwmmjU9t+qZM3I+Ybb416eEzqwAFeCHaeB8M=,tag:8mb+YC6zq22V/qgjMKHbPw==,type:str] +sops: + age: + - recipient: age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5Y3JKMVB6Mkw1QVRFTmtm + NnRBV2k0WDhoZ0pKUzJGS2JWbzFBb3RvNnlvCkVrT200bExhc3hxMTJ4N1NFdWlH + SDBmVzRGZXJaWWtsNEU3WDlXQ0NnV2sKLS0tIEQ5bldJNlUyVUlsdW5qUWtFaGdV + RWRCYlk1RkM1Z0ZiS25mYnRuWjYybzAKcZgEfGBifKHkEowQxe+1xQJhk6JuhJXQ + LLdL9jBdfMrqXz48653XRKf3h4Nn4K70E65Ek8sPyZ5qSJYJHOwjYw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-10-21T11:33:52Z" + mac: ENC[AES256_GCM,data:6N0F+M2EyTiuXQokdVLGn3dZ5AG6Oq+uvrVoEvKPatyy8ynO0X7fS4GbvmHXmrzXcZwEIz16Y8M3Mk8S+PsVR0Zpc08HRwcIKtXCS7y00Y1iokAL83MoqG4m0kZbuvyY4nOvYAfH1VEJXsD5wSCYL2rMcer5oZ9zQagrNSjTUzw=,iv:+0990xD6258PwlWsggOLeXjSTqPSiN/qF6/xS9gRfXI=,tag:fZg+cQZncU0VV1maNSPOgg==,type:str] + pgp: + - created_at: "2025-10-21T11:33:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DARdpY4woM6wSAQdAnTJPigLMOtu+U77zU4a4lLCbOQXQEHA4nfTpE08zbB0w + 84QM/lVMfCa0T6Gng3tmJoyrwzoQyuSlo78NQcHFziFKKgKHpMfm1iAVEh27UFz9 + 0lwB/J66BejarAaPZYV6Wfht0T4KAzT+3UE97YfTT8PqR4UP4oleZXB8GCEYcO7y + ioHi4s0HbdB452J1pmTe3MwkalmCWLr9dPLWk9KNNqn/k6c/L8F5YjtAdU775A== + =/Qvi + -----END PGP MESSAGE----- + fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92 + unencrypted_suffix: _unencrypted + version: 3.11.0