From 61f10a311ec975b7f787a134e450c92a498f615f Mon Sep 17 00:00:00 2001 From: ibizaman Date: Mon, 22 Jan 2024 16:49:07 -0800 Subject: [PATCH] update nextcloud demo to have sso too fixes #17 --- demo/homeassistant/flake.lock | 44 +++---- demo/homeassistant/secrets.yaml | 31 +++-- demo/nextcloud/README.md | 163 +++++++++++++++++++------- demo/nextcloud/flake.lock | 44 +++---- demo/nextcloud/flake.nix | 198 +++++++++++++++++++++++++++++++- demo/nextcloud/secrets.yaml | 67 ++++------- 6 files changed, 403 insertions(+), 144 deletions(-) diff --git a/demo/homeassistant/flake.lock b/demo/homeassistant/flake.lock index 8069c75..2d3446c 100644 --- a/demo/homeassistant/flake.lock +++ b/demo/homeassistant/flake.lock @@ -5,11 +5,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1701680307, - "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", "owner": "numtide", "repo": "flake-utils", - "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", "type": "github" }, "original": { @@ -35,11 +35,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1704194953, - "narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=", + "lastModified": 1705677747, + "narHash": "sha256-eyM3okYtMgYDgmYukoUzrmuoY4xl4FUujnsv/P6I/zI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6", + "rev": "bbe7d8f876fbbe7c959c90ba2ae2852220573261", "type": "github" }, "original": { @@ -51,11 +51,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1704290814, - "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", + "lastModified": 1705033721, + "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", + "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea", "type": "github" }, "original": { 
@@ -67,11 +67,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1704161960, - "narHash": "sha256-QGua89Pmq+FBAro8NriTuoO/wNaUtugt29/qqA8zeeM=", + "lastModified": 1705697961, + "narHash": "sha256-XepT3WS516evSFYkme3GrcI3+7uwXHqtHbip+t24J7E=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "63143ac2c9186be6d9da6035fa22620018c85932", + "rev": "e5d1c87f5813afde2dda384ac807c57a105721cc", "type": "github" }, "original": { @@ -84,11 +84,11 @@ "nmdsrc": { "flake": false, "locked": { - "lastModified": 1701431551, - "narHash": "sha256-5HPHG1u3koaWHG/TXHl5/YxYPYOuKc58104btrD8ypE=", + "lastModified": 1705050560, + "narHash": "sha256-x3zzcdvhJpodsmdjqB4t5mkVW22V3wqHLOun0KRBzUI=", "ref": "refs/heads/master", - "rev": "f18defadcc25e69e95b04493ee02682005472255", - "revCount": 65, + "rev": "66d9334933119c36f91a78d565c152a4fdc8d3d3", + "revCount": 66, "type": "git", "url": "https://git.sr.ht/~rycee/nmd" }, @@ -111,11 +111,11 @@ "sops-nix": "sops-nix" }, "locked": { - "lastModified": 1704702906, - "narHash": "sha256-VUMQJjwjUAjqBC4lcZHRJctSzaO99mLphRQ6zGSs75g=", + "lastModified": 1705970650, + "narHash": "sha256-DePq0MZkchIHXqVGztVDsqhhJxw5uzbvzLOFPCrQAe0=", "owner": "ibizaman", "repo": "selfhostblocks", - "rev": "a5e9af27b5b3c379a2155467dd4faa7dcb3659b9", + "rev": "1cf6d264e4c8a527e5b67bb529b8981abcfbfc92", "type": "github" }, "original": { @@ -130,11 +130,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1704596510, - "narHash": "sha256-tupdwwg1WeX2hNMOQrvtyafTaTVty0QC/gQp7yaYJic=", + "lastModified": 1705805983, + "narHash": "sha256-HluB9w7l75I4kK25uO4y6baY4fcDm2Rho0WI1DN2Hmc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "f5fbcc0f50e7fc60c4f806fa7a09abccf0826d8a", + "rev": "ae171b54e76ced88d506245249609f8c87305752", "type": "github" }, "original": { diff --git a/demo/homeassistant/secrets.yaml b/demo/homeassistant/secrets.yaml index 3c9eef2..e0e488c 100644 --- a/demo/homeassistant/secrets.yaml +++ b/demo/homeassistant/secrets.yaml 
@@ -1,7 +1,7 @@ -home-assistant: ENC[AES256_GCM,data:P5EYiIJ6Kz45LkPo+5mRkhuJ20K/Y7Lp8EGzfWL4ShNI50YBzZKZXNhZNTvrNSIfYS61Ls0qjlaRVgzZ11igsB7ZQQohSnuI+OXL2WfITMwvE3vTsnYxxG9BvMqRdBFIGvc81HhZDB43DT/s6SprBe/7PQ==,iv:dJ7FUkquMI4g4K2Nnv3kFFQk/va2QgwfgGoWif5f2tU=,tag:cykqmJJRWXJ47kGnPkNdBw==,type:str] +home-assistant: ENC[AES256_GCM,data:acEXqx3bdQp0zB5FnHCBsic/kgu2L8Q6h/fsfrLmdk7SOfzEibPpPLCCv8eYmh4D5VuIAsq/PeJ3k+uqWGbTrJt7EIcxt0kYTLRuWZRG8YJH1+HCxoKcO/mx9bwbRd3LtXiVscgP9zIZLoLPK2XieFKOeg==,iv:dJ7FUkquMI4g4K2Nnv3kFFQk/va2QgwfgGoWif5f2tU=,tag:6LIBt9whdRPVsoF1RY3Pew==,type:str] lldap: - user_password: ENC[AES256_GCM,data:Mcbh0ZrcnmR8FuT97OdoS2vAHzGdOrEOTlNKaoLa9hk=,iv:RS7VS+9tsSknn9SwpfyYVi41m3lN4SkZ4CSwrzH/Eso=,tag:sGzhdhEDt0quZwgi+4QDfw==,type:str] - jwt_secret: ENC[AES256_GCM,data:a2CG5iGvVf7jz/JVP1RBDww+joT1TbJkXgsAyD1I00VTQZhkX04mb6wwDfFkATnhBn7GkP++nz+1YBirVWQV3wFfZ3ZufHwS+lQ0VTO6dcjLuTjuLnqprNjp/1cMQeu3vYADA3R7fuqEo/g3QUJzJJeGI48he5c/Cff0hQYgBRU=,iv:rHlRt6nWMz8rVmU0aKH6VWWVXunOfJcDvZOxgWbK1FI=,tag:Os6U0AvkkROuXWC7y6JMaw==,type:str] + user_password: ENC[AES256_GCM,data:JrFraqFSqAhRVjB5fagIoB864aejt24q+qqWeu8ySC0=,iv:RS7VS+9tsSknn9SwpfyYVi41m3lN4SkZ4CSwrzH/Eso=,tag:5L7fx6/KhDtjHPruwac/sw==,type:str] + jwt_secret: ENC[AES256_GCM,data:W1T/QoxuzMD+2AL7sP5KkMcC+GvFdd4kfd70rHLnQD+jWNs9G0igkC/BxxgbIfnSASwtSnBaaiU6/pxLFOcUVh0Nyd0Zmb/KTbagpUvSl//AZnTt/WKF9Q/8sqKzsGv0QdMyZKWi4cxiEILcTbxOsgwriFGgOJ1k5N8JEif15ig=,iv:rHlRt6nWMz8rVmU0aKH6VWWVXunOfJcDvZOxgWbK1FI=,tag:qC6N61rE8CfPSXrsEqFoIQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -11,14 +11,23 @@ sops: - recipient: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiWG1tK1duS2ROZFZ3SnFs - djRxT2xVZ2RzZ1FrNHRjalVjOVp6MVNxem1NCmRWMlNrWUVRcWx4QTI1M0tMMlNh - Q0dseklJR1V2WGo3em1WVVMwTGVFVEkKLS0tIEZ1cDhWM0dNS25LZlNSNllCdXBT - V3VueVVyWW9SMHB1L2VzVGJQQUNkVWMKd7TymvawidPiW417fbC88NojEhfux/dp - Op2cayvqIt2LI2yG+8u2fPbLsdwwg2ybxccIBqTldIbcELAsBruQkw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWVU9TMjJlRzNKY0hFSktD + MkFMUkg2OTZ4aFZMUUJ0UEF3OVpxWFloVWtJCmtrb2UzUDI2b0poc21Cd1A1N0xW + cnBZVVNrcllVNktpS0kzRGozbHREK1UKLS0tIHZmSUhTVkRQNGUremZXQlJOOGNB + SExYU3VXNVVjMElXdlVsc1VmOFRwYlEKQYeGc8F33qs3PzxXmbwqX+c+fZeEuPpv + n0zBA46/HdoCYyuZsW828XVftVcQqiThq/XAe0i648k7E8Slo3Y5bg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-11-20T08:14:08Z" - mac: ENC[AES256_GCM,data:1POnLEqucCUC/5fMBuUXF358fUl6bbZr8oHja6XGUVLU17G1T14yqXUJqlooW0wHt/RoF0RB1k+Fwtgn/NSYS83khscYzPZOiqncbI9/YOnUYTai7E0YH3GPF1t+DZIk2LzP8NQc8Xoo3da59boFPU7NU7NpQb5k4q9wJDiCAO0=,iv:tD7TD9wi80yYJhXxFxAlfDiv0Z+sCPKRQKN6wEKJTH8=,tag:qiqJ/wcNQNIXGAdlDH3Isg==,type:str] + - recipient: age1slc23ln7g0ty5re2n25w3hq0sw2eyphnshe45af55vd23fgwtuhq36hpqr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCNlpOL3lFMVA1L3NkQlE1 + bnJIRlZ4Z1lCSWdJTzdtTW5SNXRXOTZ6UDJnCndwamZnWnA5TzdsSzZ4MjlTN09K + YVZCZkFINDRjQWh2dFVuSmswbWw1dlkKLS0tIGdMalFlc1VrOGdHU2tIZzZoak1n + VlJpS1BYd2UrZU1mZTEwU1BYODhqM2sKvQnFV8xsy1tEmYZu4izBYb7XQqTPOLTL + bRkU6n17uiyXNbiXDAbX0Png/XmVG96/+Zl38BBXPQvARX8c2tzq6w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-23T00:46:58Z" + mac: ENC[AES256_GCM,data:kBkUCStabQ32JK/UDPATgOz3HoI/dVkNLsl6uEhHk8ODbF+ZBg6BDEaxtMFFh0bV+71klAmF0KsL/kHKiHlbNuoNWOxwbsANGeL8xtV6JCU58zTF0nfgAP/3KJYveridgylRRZS5hYl5Mg+z6Zdgw+43r3Iiizf86BZVc5OaDyY=,iv:ZXWLXQUrVIwYCCVnXI0jTf5paOWNuujG/Pw+Nf/M34A=,tag:+P/UJqBI3prcxEUO4Zqu/A==,type:str] pgp: [] unencrypted_suffix: 
_unencrypted - version: 3.8.1 \ No newline at end of file + version: 3.8.1 diff --git a/demo/nextcloud/README.md b/demo/nextcloud/README.md index fedeac2..9f85145 100644 --- a/demo/nextcloud/README.md +++ b/demo/nextcloud/README.md @@ -3,14 +3,19 @@ **This whole demo is highly insecure as all the private keys are available publicly. This is only done for convenience as it is just a demo. Do not expose the VM to the internet.** -The [`flake.nix`](./flake.nix) file sets up a Nextcloud server in only about [25 -lines](./flake.nix#L31-L55) of related code. It also defines a Nextcloud server that integrates with -a [LDAP server](./flake.nix#L76-L143). +The [`flake.nix`](./flake.nix) file sets up a Nextcloud server with Self Host Blocks. There are actually 3 demos: -This guide will show how to deploy this setup to a Virtual Machine, like showed +- The `basic` demo sets up a lone Nextcloud server accessible through http. +- The `ldap` demo sets up a Nextcloud server integrated with a LDAP provider. +- The `sso` demo sets up a Nextcloud server integrated with a LDAP provider and an SSO provider. + +They were set up by following the [manual](https://shb.skarabox.com/services-nextcloud.html). This +guide will show how to deploy these demos to a Virtual Machine, like showed [here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands. -## Deploy to the VM {#demo-nextcloud-deploy-to-the-vm} +## Deploy to the VM {#demo-nextcloud-deploy} + +### Prerequisite {#demo-nextcloud-deploy-prereq} Build the VM and start it: 
@@ -49,32 +54,29 @@ chmod 600 sshkey This is only needed because git mangles with the permissions. You will not even see this change in `git status`. -You can ssh into the VM with, but this is not required for the demo: +You can ssh into the VM like this, but this is not required for the demo: ```bash ssh -F ssh_config example ``` -Finally, we can deploy. To deploy a basic Nextcloud with only the Preview Generator app enabled, -run: +### Nextcloud through HTTP {#demo-nextcloud-deploy-basic} + +:::: {.note} +This section corresponds to the `basic` section of the [Nextcloud +manual](services-nextcloud.html#services-nextcloud-server-usage-basic). +:::: + +To deploy a basic Nextcloud with only the Preview Generator app enabled, run: ```bash SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on basic ``` -To deploy a Nextcloud configuration with the Preview Generator app and integrated with a LDAP -service, run: - -```bash -SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on ldap -``` - The deploy will take a few minutes the first time and subsequent deploys will take around 15 seconds. -## Access Nextcloud Through Your Browser {#demo-nextcloud-access-through-your-browser} - -Add the following entry to your `/etc/hosts` file: +Add the following entry to the `/etc/hosts` file on the host machine (not the VM): ```nix networking.hosts = { 
@@ -89,7 +91,32 @@ $ cat /etc/hosts 127.0.0.1 n.example.com ``` -If you deployed the `ldap` target host, add instead: +Go to [http://n.example.com:8080](http://n.example.com:8080) and login with: + +- username: `root` +- password: the value of the field `nextcloud.adminpass` in the `secrets.yaml` file which is + `43bb4b8f82fc645ce3260b5db803c5a8`. + +This is the admin user of Nextcloud and that's the end of the `basic` demo. + +### Nextcloud with LDAP through HTTP {#demo-nextcloud-deploy-ldap} + +:::: {.note} +This section corresponds to the `ldap` section of the [Nextcloud +manual](services-nextcloud.html#services-nextcloud-server-usage-ldap). +:::: + +To deploy a Nextcloud configuration with the Preview Generator app and integrated with a LDAP +service, run: + +```bash +SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on ldap +``` + +The deploy will take a few minutes the first time and subsequent deploys will take around 15 +seconds. + +Add the following entry to the `/etc/hosts` file on the host machine (not the VM): ```nix networking.hosts = { 
@@ -97,29 +124,74 @@ networking.hosts = { }; ``` -If you deployed the `basic` target host, go to -[http://n.example.com:8080](http://n.example.com:8080) and login with: +Which produces: -- username: `root` -- password: the value of the field `nextcloud.adminpass` in the `secrets.yaml` file which is `43bb4b8f82fc645ce3260b5db803c5a8`. +```bash +$ cat /etc/hosts +127.0.0.1 n.example.com ldap.example.com +``` -And that's the end of the demo. Otherwise if you deployed the `ldap` target host, go first to -[http://ldap.example.com:8080](http://ldap.example.com:8080) and login with: +Go first to [http://ldap.example.com:8080](http://ldap.example.com:8080) and login with: - username: `admin` - password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `c2e32e54ea3e0053eb30841f818a3d9a`. -Create the group `nextcloud_user` and a user assigned to that group. +Create the group `nextcloud_user` and a create a user and assign them to that group. Finally, go to [http://n.example.com:8080](http://n.example.com:8080) and login with the user and password you just created above. -Nextcloud doesn't like being run without SSL protection, which this demo does not setup yet, so you -might see errors loading scripts. +Nextcloud doesn't like being run without SSL protection, which this demo does not setup, so you +might see errors loading scripts. See the `sso` demo for SSL. -## In More Details {#demo-nextcloud-in-more-details} +This is the end of the `ldap` demo. -### Files {#demo-nextcloud-files} +### Nextcloud with LDAP and SSO through self-signed HTTPS {#demo-nextcloud-deploy-sso} + +:::: {.note} +This section corresponds to the `sso` section of the [Nextcloud +manual](services-nextcloud.html#services-nextcloud-server-usage-oidc). 
+:::: + +To deploy a Nextcloud configuration with the Preview Generator app and integrated with a LDAP +service and an SSO service, run: + +```bash +SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on sso +``` + +The deploy will take a few minutes the first time and subsequent deploys will take around 15 +seconds. + +Here, there is a `dnsmasq` server running in the VM. You must create a SOCKS proxy to the `dnsmasq` +service like so: + +```bash +ssh -F ssh_config -D 1080 -N example +``` + +This is a blocking call that will create a SOCKS proxy on port 1080. It is not necessary to fork +this process in the background by appending `&` because we will not need to use the terminal for the +rest of the demo. + +Now, configure your browser to use that proxy. When that's done go to +[https://ldap.example.com](https://ldap.example.com) and login with: + +- username: `admin` +- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `c2e32e54ea3e0053eb30841f818a3d9a`. + +Create the group `nextcloud_user` and a create a user and assign them to that group. + +Visit [https://auth.example.com](https://auth.example.com) and make your browserauthorize the certificate. + +Finally, go to [https://n.example.com](https://n.example.com) and login with the user and +password you just created above. You will see that the login page is actually the one from the SSO provider. + +This is the end of the `sso` demo. + +## In More Details {#demo-nextcloud-tips} + +### Files {#demo-nextcloud-tips-files} - [`flake.nix`](./flake.nix): nix entry point, defines the target hosts for [colmena](https://colmena.cli.rs) to deploy to as well as the selfhostblock's config for setting 
@@ -142,7 +214,7 @@ might see errors loading scripts. hostname `example`. Usually you would store this info in your `~/.ssh/config` file but it's provided here to avoid making you do that. -### Virtual Machine {#demo-nextcloud-virtual-machine} +### Virtual Machine {#demo-nextcloud-tips-virtual-machine} _More info about the VM._ @@ -159,7 +231,7 @@ That being said, the VM uses `tmpfs` to create the writable nix store so if you space issue, you must increase the `virtualisation.vmVariantWithBootLoader.virtualisation.memorySize` setting. -### Secrets {#demo-nextcloud-secrets} +### Secrets {#demo-nextcloud-tips-secrets} _More info about the secrets._ @@ -178,10 +250,21 @@ The `secrets.yaml` file must follow the format: nextcloud: adminpass: 43bb4b8f82fc645ce3260b5db803c5a8 onlyoffice: - jwt_secret: XYZ... + jwt_secret: XXX... + sso: + secret: YYY... lldap: user_password: c2e32e54ea3e0053eb30841f818a3d9a - jwt_secret: 3b19030938608881dc1d2cb2753d9778 + jwt_secret: ZZZ... +authelia: + jwt_secret: AAA... + storage_encryption_key: BBB... + session_secret: CCC... + hmac_secret: DDD. + private_key: | + -----BEGIN PRIVATE KEY----- + MII... + -----END PRIVATE KEY----- ``` To open the `secrets.yaml` file and optionnally edit it, run: @@ -195,12 +278,12 @@ SOPS_AGE_KEY_FILE=keys.txt nix run --impure nixpkgs#sops -- \ You can generate random secrets with: ```bash -$ nix run nixpkgs#openssl -- rand -hex 64 +nix run nixpkgs#openssl -- rand -hex 64 ``` -If you choose a password too small, ldap could refuse to start. +If you choose secrets too small, some services could refuse to start. -#### Why do we need the VM's public key {#demo-nextcloud-public-key-necessity} +#### Why do we need the VM's public key {#demo-nextcloud-tips-public-key-necessity} The [`sops.yaml`](./sops.yaml) file describes what private keys can decrypt and encrypt the [`secrets.yaml`](./secrets.yaml) file containing the application secrets. Usually, you will create and add 
@@ -213,7 +296,7 @@ creating the VM in the step above, a new private key and its accompanying public automatically generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the public key and add it to the `secrets.yaml` which we did in the Deploy section. -### SSH {#demo-nextcloud-ssh} +### SSH {#demo-nextcloud-tips-ssh} The private and public ssh keys were created with: @@ -231,7 +314,7 @@ authentication, here is what you would need to do to copy over the key: $ nix shell nixpkgs#openssh --command ssh-copy-id -i sshkey -F ssh_config example ``` -### Deploy {#demo-nextcloud-deploy} +### Deploy {#demo-nextcloud-tips-deploy} If you get a NAR hash mismatch error like hereunder, you need to run `nix flake lock --update-input selfhostblocks`. @@ -240,7 +323,7 @@ selfhostblocks`. error: NAR hash mismatch in input ... ``` -### Update Demo {#demo-nextcloud-update-demo} +### Update Demo {#demo-nextcloud-tips-update-demo} If you update the Self Host Blocks configuration in `flake.nix` file, you can just re-deploy. diff --git a/demo/nextcloud/flake.lock b/demo/nextcloud/flake.lock index ff99cef..2d3446c 100644 --- a/demo/nextcloud/flake.lock +++ b/demo/nextcloud/flake.lock @@ -5,11 +5,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1701680307, - "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", "owner": "numtide", "repo": "flake-utils", - "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", "type": "github" }, "original": { 
@@ -35,11 +35,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1704194953, - "narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=", + "lastModified": 1705677747, + "narHash": "sha256-eyM3okYtMgYDgmYukoUzrmuoY4xl4FUujnsv/P6I/zI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6", + "rev": "bbe7d8f876fbbe7c959c90ba2ae2852220573261", "type": "github" }, "original": { @@ -51,11 +51,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1704290814, - "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", + "lastModified": 1705033721, + "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", + "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea", "type": "github" }, "original": { @@ -67,11 +67,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1704161960, - "narHash": "sha256-QGua89Pmq+FBAro8NriTuoO/wNaUtugt29/qqA8zeeM=", + "lastModified": 1705697961, + "narHash": "sha256-XepT3WS516evSFYkme3GrcI3+7uwXHqtHbip+t24J7E=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "63143ac2c9186be6d9da6035fa22620018c85932", + "rev": "e5d1c87f5813afde2dda384ac807c57a105721cc", "type": "github" }, "original": { @@ -84,11 +84,11 @@ "nmdsrc": { "flake": false, "locked": { - "lastModified": 1701431551, - "narHash": "sha256-5HPHG1u3koaWHG/TXHl5/YxYPYOuKc58104btrD8ypE=", + "lastModified": 1705050560, + "narHash": "sha256-x3zzcdvhJpodsmdjqB4t5mkVW22V3wqHLOun0KRBzUI=", "ref": "refs/heads/master", - "rev": "f18defadcc25e69e95b04493ee02682005472255", - "revCount": 65, + "rev": "66d9334933119c36f91a78d565c152a4fdc8d3d3", + "revCount": 66, "type": "git", "url": "https://git.sr.ht/~rycee/nmd" }, 
@@ -111,11 +111,11 @@ "sops-nix": "sops-nix" }, "locked": { - "lastModified": 1704703146, - "narHash": "sha256-yXeMTRP8ovTtFZypBp2Yeqv/+gEhe3+dHqDjjS4IahQ=", + "lastModified": 1705970650, + "narHash": "sha256-DePq0MZkchIHXqVGztVDsqhhJxw5uzbvzLOFPCrQAe0=", "owner": "ibizaman", "repo": "selfhostblocks", - "rev": "107d57ae898818468d358e43378f0f34120a221d", + "rev": "1cf6d264e4c8a527e5b67bb529b8981abcfbfc92", "type": "github" }, "original": { @@ -130,11 +130,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1704596510, - "narHash": "sha256-tupdwwg1WeX2hNMOQrvtyafTaTVty0QC/gQp7yaYJic=", + "lastModified": 1705805983, + "narHash": "sha256-HluB9w7l75I4kK25uO4y6baY4fcDm2Rho0WI1DN2Hmc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "f5fbcc0f50e7fc60c4f806fa7a09abccf0826d8a", + "rev": "ae171b54e76ced88d506245249609f8c87305752", "type": "github" }, "original": { diff --git a/demo/nextcloud/flake.nix b/demo/nextcloud/flake.nix index 0e55664..6f6fd73 100644 --- a/demo/nextcloud/flake.nix +++ b/demo/nextcloud/flake.nix @@ -36,7 +36,7 @@ tracing = null; # This option is only needed because we do not access Nextcloud at the default port in the VM. - externalFqdn = "n.example.com:8080"; + port = 8080; adminPassFile = config.sops.secrets."nextcloud/adminpass".path; @@ -106,7 +106,7 @@ tracing = null; # This option is only needed because we do not access Nextcloud at the default port in the VM. - externalFqdn = "n.example.com:8080"; + port = 8080; adminPassFile = config.sops.secrets."nextcloud/adminpass".path; 
@@ -146,6 +146,200 @@
 shb.nginx.accessLog = true;
 shb.nginx.debugLog = false;
 };
+
+ sso = { config, ... }: {
+ imports = [
+ ./configuration.nix
+ selfhostblocks.inputs.sops-nix.nixosModules.default
+ selfhostblocks.nixosModules.x86_64-linux.default
+ ];
+
+ # Used by colmena to know which target host to deploy to.
+ deployment = {
+ targetHost = "example";
+ targetUser = "nixos";
+ targetPort = 2222;
+ };
+
+ shb.certs = {
+ cas.selfsigned.myca = {
+ name = "My CA";
+ };
+ certs.selfsigned = {
+ n = {
+ ca = config.shb.certs.cas.selfsigned.myca;
+ domain = "*.example.com";
+ };
+ };
+ };
+
+ services.dnsmasq = {
+ enable = true;
+ settings = {
+ domain-needed = true;
+ # no-resolv = true;
+ bogus-priv = true;
+ address =
+ map (hostname: "/${hostname}/127.0.0.1") [
+ "example.com"
+ "n.example.com"
+ "ldap.example.com"
+ "auth.example.com"
+ ];
+ };
+ };
+
+ shb.nextcloud = {
+ enable = true;
+ domain = "example.com";
+ subdomain = "n";
+ ssl = config.shb.certs.certs.selfsigned.n;
+ dataDir = "/var/lib/nextcloud";
+ tracing = null;
+
+ adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
+
+ apps = {
+ previewgenerator.enable = true;
+ ldap = {
+ enable = true;
+ host = "127.0.0.1";
+ port = config.shb.ldap.ldapPort;
+ dcdomain = config.shb.ldap.dcdomain;
+ adminName = "admin";
+ adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path;
+ userGroup = "nextcloud_user";
+ };
+ sso = {
+ enable = true;
+ endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
+ clientID = "nextcloud";
+ fallbackDefaultAuth = true;
+
+ secretFile = config.sops.secrets."nextcloud/sso/secret".path;
+ secretFileForAuthelia = config.sops.secrets."authelia/nextcloud_sso_secret".path;
+ };
+ };
+ };
+
+ # Secret needed for services.nextcloud.config.adminpassFile.
+ sops.secrets."nextcloud/adminpass" = {
+ sopsFile = ./secrets.yaml;
+ mode = "0440";
+ owner = "nextcloud";
+ group = "nextcloud";
+ restartUnits = [ "phpfpm-nextcloud.service" ];
+ };
+ # Secret needed for LDAP app.
+ sops.secrets."nextcloud/ldap_admin_password" = {
+ sopsFile = ./secrets.yaml;
+ key = "lldap/user_password";
+ mode = "0400";
+ owner = "nextcloud";
+ group = "nextcloud";
+ restartUnits = [ "nextcloud-setup.service" ];
+ };
+ sops.secrets."nextcloud/sso/secret" = {
+ sopsFile = ./secrets.yaml;
+ mode = "0400";
+ owner = "nextcloud";
+ restartUnits = [ "nextcloud-setup.service" ];
+ };
+ sops.secrets."authelia/nextcloud_sso_secret" = {
+ sopsFile = ./secrets.yaml;
+ key = "nextcloud/sso/secret";
+ mode = "0400";
+ owner = config.shb.authelia.autheliaUser;
+ };
+
+ # Set to true for more debug info with `journalctl -f -u nginx`.
+ shb.nginx.accessLog = true;
+ shb.nginx.debugLog = false;
+
+ shb.ldap = {
+ enable = true;
+ domain = "example.com";
+ subdomain = "ldap";
+ ssl = config.shb.certs.certs.selfsigned.n;
+ ldapPort = 3890;
+ webUIListenPort = 17170;
+ dcdomain = "dc=example,dc=com";
+ ldapUserPasswordFile = config.sops.secrets."lldap/user_password".path;
+ jwtSecretFile = config.sops.secrets."lldap/jwt_secret".path;
+ };
+ sops.secrets."lldap/user_password" = {
+ sopsFile = ./secrets.yaml;
+ mode = "0440";
+ owner = "lldap";
+ group = "lldap";
+ restartUnits = [ "lldap.service" ];
+ };
+ sops.secrets."lldap/jwt_secret" = {
+ sopsFile = ./secrets.yaml;
+ mode = "0440";
+ owner = "lldap";
+ group = "lldap";
+ restartUnits = [ "lldap.service" ];
+ };
+
+ shb.authelia = {
+ enable = true;
+ domain = "example.com";
+ subdomain = "auth";
+ ssl = config.shb.certs.certs.selfsigned.n;
+
+ ldapEndpoint = "ldap://127.0.0.1:${builtins.toString config.shb.ldap.ldapPort}";
+ dcdomain = config.shb.ldap.dcdomain;
+
+ secrets = {
+ jwtSecretFile = config.sops.secrets."authelia/jwt_secret".path;
+ ldapAdminPasswordFile = config.sops.secrets."authelia/ldap_admin_password".path;
+ sessionSecretFile = config.sops.secrets."authelia/session_secret".path;
+ storageEncryptionKeyFile = config.sops.secrets."authelia/storage_encryption_key".path;
+ identityProvidersOIDCHMACSecretFile = config.sops.secrets."authelia/hmac_secret".path;
+ identityProvidersOIDCIssuerPrivateKeyFile = config.sops.secrets."authelia/private_key".path;
+ };
+ };
+ sops.secrets."authelia/jwt_secret" = {
+ sopsFile = ./secrets.yaml;
+ mode = "0400";
+ owner = config.shb.authelia.autheliaUser;
+ restartUnits = [ "authelia.service" ];
+ };
+ # Here we use the password defined in the lldap/user_password field in the secrets.yaml file
+ # and sops-nix will write it to "/run/secrets/authelia/ldap_admin_password".
+ sops.secrets."authelia/ldap_admin_password" = {
+ sopsFile = ./secrets.yaml;
+ key = "lldap/user_password";
+ mode = "0400";
+ owner = config.shb.authelia.autheliaUser;
+ restartUnits = [ "authelia.service" ];
+ };
+ sops.secrets."authelia/session_secret" = {
+ sopsFile = ./secrets.yaml;
+ mode = "0400";
+ owner = config.shb.authelia.autheliaUser;
+ restartUnits = [ "authelia.service" ];
+ };
+ sops.secrets."authelia/storage_encryption_key" = {
+ sopsFile = ./secrets.yaml;
+ mode = "0400";
+ owner = config.shb.authelia.autheliaUser;
+ restartUnits = [ "authelia.service" ];
+ };
+ sops.secrets."authelia/hmac_secret" = {
+ sopsFile = ./secrets.yaml;
+ mode = "0400";
+ owner = config.shb.authelia.autheliaUser;
+ restartUnits = [ "authelia.service" ];
+ };
+ sops.secrets."authelia/private_key" = {
+ sopsFile = ./secrets.yaml;
+ mode = "0400";
+ owner = config.shb.authelia.autheliaUser;
+ restartUnits = [ "authelia.service" ];
+ };
+ };
 };
 };
 }
diff --git a/demo/nextcloud/secrets.yaml b/demo/nextcloud/secrets.yaml
index 3349475..43f89d2 100644
--- a/demo/nextcloud/secrets.yaml
+++ b/demo/nextcloud/secrets.yaml
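Review bot: `sops.secrets."authelia/nextcloud_sso_secret"` is the only Authelia-owned secret in this hunk without `restartUnits`, so a rotation of `nextcloud/sso/secret` re-renders the file for Authelia but never restarts it, while its Nextcloud twin `nextcloud/sso/secret` does restart `nextcloud-setup.service`; add `restartUnits = [ "authelia.service" ];` to match the five other `authelia/*` entries. Related: `authelia/ldap_admin_password` is declared with `key = "lldap/user_password"`, so the `authelia.ldap_admin_password` entry added in the secrets.yaml hunk of this commit appears to be read by nothing — either drop that entry or drop the `key` override, otherwise two possibly different values for the same credential sit side by side. `# no-resolv = true;` in the dnsmasq settings reads as a leftover; remove it or say why it is kept. `fallbackDefaultAuth = true;` deserves a one-line comment, e.g. `# Presumably keeps the local Nextcloud login usable next to SSO; confirm and consider disabling once SSO works.`, since this block will be copied into real deployments. The enclosing colmena attribute set that `sso` is added to starts outside the hunk.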
@@ -1,10 +1,19 @@ nextcloud: - adminpass: ENC[AES256_GCM,data:667e6562Q1SSZRKLMgur1viGd8+MmjU6Oz/DzQ4GLHI=,iv:KoxmL9tLPBoIJT7rxkEhxrQqZFicbEm8qXbZMrnHSGY=,tag:5APQH+snOUJ8UPXaIdqR5w==,type:str] + adminpass: ENC[AES256_GCM,data:nD/4oml7mXbWF0axiqWQCZujFqeJMF0P/1vY9f4EPqg=,iv:KoxmL9tLPBoIJT7rxkEhxrQqZFicbEm8qXbZMrnHSGY=,tag:gwvrHsX22ygfUcOlxeC/5g==,type:str] onlyoffice: - jwt_secret: ENC[AES256_GCM,data:5TMDyySlsAHN1DfJLEJXt5jg7r2Gd8RVmLv4T44ye+2B71r6CWew8tcaYybFXT8aXrmVjOcBkVjBlFJ6B3ozkajtZC3teXCUzG+hlKGdN+Oyvd1+WXJO2USk1pREKc4kGwVvYr02lM1PEVLUokh/j/wmL1uFsAYM9482ik5veYg=,iv:TFs+fTlMGWKTVJ3pUmXCpGskQ2h6uSLr+TlmG6OXQYg=,tag:hYRtuqE7ygjHc6zHOz5kBQ==,type:str] + jwt_secret: ENC[AES256_GCM,data:v4BScbfRHpHAZ0MCIyb1H1vYISsR1JQRaI1mFHbZKDNhuf5Zyc6znzz+DtqXOZfVNgp9aIeWIEam0GI/O3ih0jzEN0ut/jqI3onoSghq22h2VTKdLMcT6JG2p/R1mHgD+C7KeeepcdWMbwLXswi2jBys3FyxTY3mfiNv3AcndGA=,iv:TFs+fTlMGWKTVJ3pUmXCpGskQ2h6uSLr+TlmG6OXQYg=,tag:Ixm0VtO5ySCQxiKweDop0A==,type:str] + sso: + secret: ENC[AES256_GCM,data:9uZfvBXETbP47Cf6lZNLqskqmbxcAaQ/e3jiHqW9VweqrmByyadaE3DgCcODUJNEatuFxIyP+ptBdeX9FBRPmAvVl/BaK5oKzp84i+5zb1nvxvxBx+KQhqFKZgk81jJQeMSxwLlDKguWnLx83QhYvOMphZNQOeLQ/Cx+qrvCWsk=,iv:pF87avRdm2tgwA+cQnvcYSUIxAh18jDrMA6eAHoyBZU=,tag:FaJwUr2fR9dZUdDOfq/C5Q==,type:str] lldap: - user_password: ENC[AES256_GCM,data:qZO3L7IM9UJ7iR7Q2bdDfY1wmt3TEWLR8NK3rXdojN4=,iv:SljGhXi3SYoMNcR9onwqthOAyFX1D8KsegmWRypbblQ=,tag:KwJFHd85kkm8YGH3NtqanA==,type:str] - jwt_secret: ENC[AES256_GCM,data:oCrUTEYO8oETPd8XHq1DiLCSzeRAnrkty3gyo8dxk5c=,iv:vBOq4Mab3RE69rOA8ZbMX72Gm3KEng6HaCveZrXsIrU=,tag:JZUjCbo7CdCmJYJrrsosxQ==,type:str] + user_password: ENC[AES256_GCM,data:4ImmaC2T1hj6L8tzrxv4d7/I4F9xEA/uuc56QOqkY08=,iv:SljGhXi3SYoMNcR9onwqthOAyFX1D8KsegmWRypbblQ=,tag:Aw+juIV2AM0J+89itNDjVA==,type:str] + jwt_secret: ENC[AES256_GCM,data:btABIOGRgioXmPe8QirhyozQzhVaAcF2sbB07hevz+Q=,iv:vBOq4Mab3RE69rOA8ZbMX72Gm3KEng6HaCveZrXsIrU=,tag:zkbJ+SeNnzQyAZxOjso8fg==,type:str] +authelia: + ldap_admin_password: 
ENC[AES256_GCM,data:Ze1FJSl8ZJYCYrULlkwcbDFzxCS4MzujJbCGZasOiWU=,iv:X/su9ty9883+4qmrQhAIe6HDwjFoqHQ43aqd/4ZmtBw=,tag:QeLqUtYlZcHMR+bqRHCb2A==,type:str] + jwt_secret: ENC[AES256_GCM,data:xom/W92DGS2RafO+olwG8oKAbKPbkPKyZ2mYv0lWqtVAWUFwSoCGLgxe4uHAoGcLosJmDxU/srq+HNPzYORY8+mHn9wMoQgYg2oceLw2xamYdkIzvswof6LoYAV7MaZReYgYXcqMy2LZuU3PnnE4wag3liSuEx4qtJrLKB52ljE=,iv:t5PsBdZDze3/4S8utfnkmiToaorqq5BiJn99JuRirXY=,tag:ZJCszIOpaSwl9Sua8VWHoA==,type:str] + storage_encryption_key: ENC[AES256_GCM,data:wUmF+0etuhEr3FNy7x0LBJunn1vmWO+IExm/wgkh0CEDWzxblpylC/PGAGgHdlJMQOhUY6tDPD67sJgO2g+yTBB3lfOo/kql0gnGVKQjRMMHqfEEmXK56yXP+J2JePJ6DlaqzdAXko4Tmh4GnRKsswMQZVA5PDOuHHNRcVTCb0E=,iv:wz1Mry7jMwGvD9mF1/PbQsHb/jmm8WOWchLL95YADeY=,tag:AZp43iti+nxW0TYK7MlYNg==,type:str] + session_secret: ENC[AES256_GCM,data:TSe2YEyXl0Ls8wAynUYRJBQL8mbC1i/31ueuCj7d7ouO9gCX/Igz6OM9EgWigxucsMVQkiUtDCI9DD9B8jFaYGMIiB9FrKQnixigptrIUj210zJ3Aer38GyFxSI541PaBzmnauEo1MtBykjSg93xyI6ivB8FJmmauQOMYNiTYvk=,iv:OBtUCw7BevaF3VQKLJ2HiB828IzJqS27SZUOoAqoD+E=,tag:WfCGlHi6a15AYeSFXnnOVw==,type:str] + hmac_secret: ENC[AES256_GCM,data:RmPr/kJmimMmeZCluMBsYL+w5VtJ1IZNFo2VOVNGiu0ajMJoK06RQx9AAYb+GvPRrGz9wzRy38hTH7unIiq59WOZCw245StsawSCeszadh8RrjPJPNCKPt3vaBbIzlvz0xMvgX4UT2k+uK1dqR7QXiCrBDludU3nnHIpbgkcADM=,iv:z5KLaAlevgk2HsxMWggU1DL0g+Ae+DaBLZ0SnZoKYcA=,tag:2ChIOxMCI4psqIhX+GE8EQ==,type:str] + private_key: ENC[AES256_GCM,data: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,iv:WYnE50BRK5Q7TA/24LDDkSq+wu9+S6ckb3+NR/eHkUs=,tag:X9s50TdOPEjDV+7Kv6prOQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -14,50 +23,14 @@ sops: - recipient: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObnkzVkdmUnhyOG1vNE04 - ZmExS1RkVE5qUm83aVk1bGtTbmo5bGhsc3pBCnNMWjN5cStVRWNlTUVmWi9BQ2py - NEswQS9xNGtPZGdQRWdzWDV1RnJNbGsKLS0tIC8yQW9ZazlNTm80d0l5bEo0M2lW - QnVXMUpXcUFZRWhpUHJjOFZjWGFYSFkKomaixOjgaD1LubawJVhWAgVqjOkpc9+2 - xNHKlgBEXDnBeMK9BgPgYIRk8ce79rxuqwaOAPqrEmPsafvoxZq5Wg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqRjg2SWR0SjhpWExqbi9E + a3pJbXJyMmMyY1F5NFNVNWY0TXRicFdycEhJCkdWL1dmNjdCRVhKNmllcGpmNkNV + U1lTUjI3elBoOStNZVhoL1o3WGZLWjgKLS0tIE1XRTVPUE91d2k2dFpMbVJ1a0ZB + dTNrOUhzOSsvRnNSMC9VOTJaY1orWUEK8IcLk/4X7O+ZRosM7KNQNSEgyGkFklRw + YSutsre5OOEUx1X+hxzu2GF9I4DGcSAbQtzPYBq7qcwxUR+oIXiJyQ== -----END AGE ENCRYPTED FILE----- - - recipient: age1ej98rmjug4j0psyr3ppwmddtu868mlhknjkcx4a7yjrgk480dfrs3ayjl9 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndGErUWt4M3BtR3dVT2lo - SmY1M0k0bkxEcGNxNkdYZDFVaUVIaFA0blhNCm9oWmVyRlJ4eVlxM2l0anhrMERz - RTZ1Z1dINDZZdGN3UUJweWRjRWUyT1UKLS0tIGl1dUNwU0ZSRFhwUENIbHhGT3VP - MTlZVFVtbEFnV1pJTTRjV2pqRnUrYW8KXTdes+gb8h7PL0l34rnRKtPvIr3tUJKZ - UfD+/e3I/+Gw4IpCvIpMoBBT0bxyyMJROKo4oP9GTIrbw5fHV9+bcg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1j6scagnygyzr4q96l0a5ntwgjqj7xscx5sx4avy7fry3fzgcff8se0ylfq - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTjZiZkl3QnUzYkxjSzYr - NDVEcWROZDNVV0tUbWVOTUhQWE5LenBrU2c4CmRHcTlkamtibVhOU1dTOTlIanFp - MUt1dnJpR2RUVGwwbTBaYnpXdE1XOHMKLS0tIGJ2YlRMQXpXVlpJRExOdUZ2MDJ6 - WVJMRFMvYkFJenhlQjVGRlZsYlpLdFUKGQmMb2aZKvWnBp4hKAdBZnQMW+pLZC9t - FJCAxZpFEaq22Zthe2dvh1v8X51Jde7bkylL2Z6CcuCLYkPgHhOgCw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1ldwxeqq5a9umgj36afsyl0tn8nrl7ecaam36dc8gxjqy5r6vaursj2d94s - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRazRkcVBvT0NGYk1nUjdK - 
V1o5V3VaYjY4YTNmYlpQUkZNV1lZN0JSSXdBCngrdjd3T1RHK1dOQUd6alFVQkhm - blRPNlg5T2xQVThqNzAybkk5U2VrQmMKLS0tIGVOVFlpNlIzcG9BY0R5UVMrUTk0 - YzM4cTdoOHFzUGREZnBBTkFHZ2hQNVkKvZefP0yX08wSaXSvNh5NH+lUu4GvDeVQ - ieagXUh5IYmpZ6W8+Ifz3DqbLTELpLCdL45yj8ChoVkEGGGt2XHiiw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1wfqc4hyekue3z6dn0khtsszvy8wlkh07msany9mfdy0yn9rfxp9sjyz6ze - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByZHZEU3RnKzYrTWovSUNu - aUszcHFxMVBqMnpiV3d3d3lNQk40TjdSdTNnCjluSUNpeTg0QUUxYkhPeHRubFE4 - cEVOcFU4eUwvZitwN3JESUFoWnlCcFEKLS0tIElTN2J2M3ZhUUgxbGlWY242YkNF - UlFuMGFVeElOdGVwL0NReXhFVDJOZzgKTROtZpvVl+d1wfuf7otaIo6nDdVzsQ9O - kT+S01M2kC2gX+oDAcD20cNJdwnD/ETCdTk93qxpX1jAtDiz1WBSmg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-06T09:06:26Z" - mac: ENC[AES256_GCM,data:pitmTT1egqTEOI4fEsaE/kpLOdPjO3AHwNIUB4MYp9E8GeD+AOkX7U/KwOailC245wqGNNzCDJn7PD/IZ93cOXcsdMuhKUg/QNogz337DIioeFxx+Vf50mFv44Lf1Vtu7MG80zOXVHrmls/hb+E4HL55OujWmEKXWodeECvgfpw=,iv:57716xGcpRNxGdnihH7qbr8/I7t0MWYIbh3PoxqDZBo=,tag:qqA7nEbSPrpWBwZyuOWN8g==,type:str] + lastmodified: "2024-01-22T06:30:53Z" + mac: ENC[AES256_GCM,data:mdCpYLoaMcotuOU8qB7Gj+79ALG4d4HAR0Yw6Y3gf5SFUOc59B4WdK4A3+cgSm3dvRB8HCg9Vo9llEjiOBNVFpBgIjOvUeyAMYNi6ZndS/yr4x3NSL2rPz2s9c+0tm8Qg61T5RtYS/on+gWiUoA+lzXN2uFFWyo09fWF4N5EOQo=,iv:TgdI759YCkgmGAbUtgiV+NoT40Cg8+BcRGH0ZlQZ5SE=,tag:LGgFrlJPNpG+HzQLHDcDUQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1