
update nextcloud demo to have sso too

fixes #17
This commit is contained in:
ibizaman 2024-01-22 16:49:07 -08:00 committed by Pierre Penninckx
parent 1cf6d264e4
commit 61f10a311e
6 changed files with 403 additions and 144 deletions


@ -5,11 +5,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1701680307, "lastModified": 1705309234,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725", "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -35,11 +35,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1704194953, "lastModified": 1705677747,
"narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=", "narHash": "sha256-eyM3okYtMgYDgmYukoUzrmuoY4xl4FUujnsv/P6I/zI=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6", "rev": "bbe7d8f876fbbe7c959c90ba2ae2852220573261",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -51,11 +51,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1704290814, "lastModified": 1705033721,
"narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -67,11 +67,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1704161960, "lastModified": 1705697961,
"narHash": "sha256-QGua89Pmq+FBAro8NriTuoO/wNaUtugt29/qqA8zeeM=", "narHash": "sha256-XepT3WS516evSFYkme3GrcI3+7uwXHqtHbip+t24J7E=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "63143ac2c9186be6d9da6035fa22620018c85932", "rev": "e5d1c87f5813afde2dda384ac807c57a105721cc",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -84,11 +84,11 @@
"nmdsrc": { "nmdsrc": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1701431551, "lastModified": 1705050560,
"narHash": "sha256-5HPHG1u3koaWHG/TXHl5/YxYPYOuKc58104btrD8ypE=", "narHash": "sha256-x3zzcdvhJpodsmdjqB4t5mkVW22V3wqHLOun0KRBzUI=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "f18defadcc25e69e95b04493ee02682005472255", "rev": "66d9334933119c36f91a78d565c152a4fdc8d3d3",
"revCount": 65, "revCount": 66,
"type": "git", "type": "git",
"url": "https://git.sr.ht/~rycee/nmd" "url": "https://git.sr.ht/~rycee/nmd"
}, },
@ -111,11 +111,11 @@
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
}, },
"locked": { "locked": {
"lastModified": 1704702906, "lastModified": 1705970650,
"narHash": "sha256-VUMQJjwjUAjqBC4lcZHRJctSzaO99mLphRQ6zGSs75g=", "narHash": "sha256-DePq0MZkchIHXqVGztVDsqhhJxw5uzbvzLOFPCrQAe0=",
"owner": "ibizaman", "owner": "ibizaman",
"repo": "selfhostblocks", "repo": "selfhostblocks",
"rev": "a5e9af27b5b3c379a2155467dd4faa7dcb3659b9", "rev": "1cf6d264e4c8a527e5b67bb529b8981abcfbfc92",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -130,11 +130,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1704596510, "lastModified": 1705805983,
"narHash": "sha256-tupdwwg1WeX2hNMOQrvtyafTaTVty0QC/gQp7yaYJic=", "narHash": "sha256-HluB9w7l75I4kK25uO4y6baY4fcDm2Rho0WI1DN2Hmc=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "f5fbcc0f50e7fc60c4f806fa7a09abccf0826d8a", "rev": "ae171b54e76ced88d506245249609f8c87305752",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -1,7 +1,7 @@
home-assistant: ENC[AES256_GCM,data:P5EYiIJ6Kz45LkPo+5mRkhuJ20K/Y7Lp8EGzfWL4ShNI50YBzZKZXNhZNTvrNSIfYS61Ls0qjlaRVgzZ11igsB7ZQQohSnuI+OXL2WfITMwvE3vTsnYxxG9BvMqRdBFIGvc81HhZDB43DT/s6SprBe/7PQ==,iv:dJ7FUkquMI4g4K2Nnv3kFFQk/va2QgwfgGoWif5f2tU=,tag:cykqmJJRWXJ47kGnPkNdBw==,type:str] home-assistant: ENC[AES256_GCM,data:acEXqx3bdQp0zB5FnHCBsic/kgu2L8Q6h/fsfrLmdk7SOfzEibPpPLCCv8eYmh4D5VuIAsq/PeJ3k+uqWGbTrJt7EIcxt0kYTLRuWZRG8YJH1+HCxoKcO/mx9bwbRd3LtXiVscgP9zIZLoLPK2XieFKOeg==,iv:dJ7FUkquMI4g4K2Nnv3kFFQk/va2QgwfgGoWif5f2tU=,tag:6LIBt9whdRPVsoF1RY3Pew==,type:str]
lldap: lldap:
user_password: ENC[AES256_GCM,data:Mcbh0ZrcnmR8FuT97OdoS2vAHzGdOrEOTlNKaoLa9hk=,iv:RS7VS+9tsSknn9SwpfyYVi41m3lN4SkZ4CSwrzH/Eso=,tag:sGzhdhEDt0quZwgi+4QDfw==,type:str] user_password: ENC[AES256_GCM,data:JrFraqFSqAhRVjB5fagIoB864aejt24q+qqWeu8ySC0=,iv:RS7VS+9tsSknn9SwpfyYVi41m3lN4SkZ4CSwrzH/Eso=,tag:5L7fx6/KhDtjHPruwac/sw==,type:str]
jwt_secret: ENC[AES256_GCM,data:a2CG5iGvVf7jz/JVP1RBDww+joT1TbJkXgsAyD1I00VTQZhkX04mb6wwDfFkATnhBn7GkP++nz+1YBirVWQV3wFfZ3ZufHwS+lQ0VTO6dcjLuTjuLnqprNjp/1cMQeu3vYADA3R7fuqEo/g3QUJzJJeGI48he5c/Cff0hQYgBRU=,iv:rHlRt6nWMz8rVmU0aKH6VWWVXunOfJcDvZOxgWbK1FI=,tag:Os6U0AvkkROuXWC7y6JMaw==,type:str] jwt_secret: ENC[AES256_GCM,data:W1T/QoxuzMD+2AL7sP5KkMcC+GvFdd4kfd70rHLnQD+jWNs9G0igkC/BxxgbIfnSASwtSnBaaiU6/pxLFOcUVh0Nyd0Zmb/KTbagpUvSl//AZnTt/WKF9Q/8sqKzsGv0QdMyZKWi4cxiEILcTbxOsgwriFGgOJ1k5N8JEif15ig=,iv:rHlRt6nWMz8rVmU0aKH6VWWVXunOfJcDvZOxgWbK1FI=,tag:qC6N61rE8CfPSXrsEqFoIQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -11,14 +11,23 @@ sops:
- recipient: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7 - recipient: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiWG1tK1duS2ROZFZ3SnFs YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWVU9TMjJlRzNKY0hFSktD
djRxT2xVZ2RzZ1FrNHRjalVjOVp6MVNxem1NCmRWMlNrWUVRcWx4QTI1M0tMMlNh MkFMUkg2OTZ4aFZMUUJ0UEF3OVpxWFloVWtJCmtrb2UzUDI2b0poc21Cd1A1N0xW
Q0dseklJR1V2WGo3em1WVVMwTGVFVEkKLS0tIEZ1cDhWM0dNS25LZlNSNllCdXBT cnBZVVNrcllVNktpS0kzRGozbHREK1UKLS0tIHZmSUhTVkRQNGUremZXQlJOOGNB
V3VueVVyWW9SMHB1L2VzVGJQQUNkVWMKd7TymvawidPiW417fbC88NojEhfux/dp SExYU3VXNVVjMElXdlVsc1VmOFRwYlEKQYeGc8F33qs3PzxXmbwqX+c+fZeEuPpv
Op2cayvqIt2LI2yG+8u2fPbLsdwwg2ybxccIBqTldIbcELAsBruQkw== n0zBA46/HdoCYyuZsW828XVftVcQqiThq/XAe0i648k7E8Slo3Y5bg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-20T08:14:08Z" - recipient: age1slc23ln7g0ty5re2n25w3hq0sw2eyphnshe45af55vd23fgwtuhq36hpqr
mac: ENC[AES256_GCM,data:1POnLEqucCUC/5fMBuUXF358fUl6bbZr8oHja6XGUVLU17G1T14yqXUJqlooW0wHt/RoF0RB1k+Fwtgn/NSYS83khscYzPZOiqncbI9/YOnUYTai7E0YH3GPF1t+DZIk2LzP8NQc8Xoo3da59boFPU7NU7NpQb5k4q9wJDiCAO0=,iv:tD7TD9wi80yYJhXxFxAlfDiv0Z+sCPKRQKN6wEKJTH8=,tag:qiqJ/wcNQNIXGAdlDH3Isg==,type:str] enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCNlpOL3lFMVA1L3NkQlE1
bnJIRlZ4Z1lCSWdJTzdtTW5SNXRXOTZ6UDJnCndwamZnWnA5TzdsSzZ4MjlTN09K
YVZCZkFINDRjQWh2dFVuSmswbWw1dlkKLS0tIGdMalFlc1VrOGdHU2tIZzZoak1n
VlJpS1BYd2UrZU1mZTEwU1BYODhqM2sKvQnFV8xsy1tEmYZu4izBYb7XQqTPOLTL
bRkU6n17uiyXNbiXDAbX0Png/XmVG96/+Zl38BBXPQvARX8c2tzq6w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-23T00:46:58Z"
mac: ENC[AES256_GCM,data:kBkUCStabQ32JK/UDPATgOz3HoI/dVkNLsl6uEhHk8ODbF+ZBg6BDEaxtMFFh0bV+71klAmF0KsL/kHKiHlbNuoNWOxwbsANGeL8xtV6JCU58zTF0nfgAP/3KJYveridgylRRZS5hYl5Mg+z6Zdgw+43r3Iiizf86BZVc5OaDyY=,iv:ZXWLXQUrVIwYCCVnXI0jTf5paOWNuujG/Pw+Nf/M34A=,tag:+P/UJqBI3prcxEUO4Zqu/A==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1
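Review bot: The second age recipient `age1slc23ln7g0ty5re2n25w3hq0sw2eyphnshe45af55vd23fgwtuhq36hpqr` added to the `home-assistant:` secrets file is not explained anywhere in the commit, whose title only mentions the nextcloud demo. The nextcloud README in this same commit ties recipients to the VM's generated host key, so presumably this is a freshly built VM's key, but a reader of this file cannot tell which demo or machine it belongs to. A YAML comment above the new `- recipient:` line (sops preserves comments) such as `# <which VM / demo this key decrypts for>` would let the next person rotate or drop it safely. The flake.lock bump for this demo is also outside the stated scope and deserves a word in the description.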


@ -3,14 +3,19 @@
**This whole demo is highly insecure as all the private keys are available publicly. This is **This whole demo is highly insecure as all the private keys are available publicly. This is
only done for convenience as it is just a demo. Do not expose the VM to the internet.** only done for convenience as it is just a demo. Do not expose the VM to the internet.**
The [`flake.nix`](./flake.nix) file sets up a Nextcloud server in only about [25 The [`flake.nix`](./flake.nix) file sets up a Nextcloud server with Self Host Blocks. There are actually 3 demos:
lines](./flake.nix#L31-L55) of related code. It also defines a Nextcloud server that integrates with
a [LDAP server](./flake.nix#L76-L143).
This guide will show how to deploy this setup to a Virtual Machine, like showed - The `basic` demo sets up a lone Nextcloud server accessible through http.
- The `ldap` demo sets up a Nextcloud server integrated with a LDAP provider.
- The `sso` demo sets up a Nextcloud server integrated with a LDAP provider and an SSO provider.
They were set up by following the [manual](https://shb.skarabox.com/services-nextcloud.html). This
guide will show how to deploy these demos to a Virtual Machine, like showed
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands. [here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands.
## Deploy to the VM {#demo-nextcloud-deploy-to-the-vm} ## Deploy to the VM {#demo-nextcloud-deploy}
### Prerequisite {#demo-nextcloud-deploy-prereq}
Build the VM and start it: Build the VM and start it:
@ -49,32 +54,29 @@ chmod 600 sshkey
This is only needed because git mangles with the permissions. You will not even see this change in This is only needed because git mangles with the permissions. You will not even see this change in
`git status`. `git status`.
You can ssh into the VM with, but this is not required for the demo: You can ssh into the VM like this, but this is not required for the demo:
```bash ```bash
ssh -F ssh_config example ssh -F ssh_config example
``` ```
Finally, we can deploy. To deploy a basic Nextcloud with only the Preview Generator app enabled, ### Nextcloud through HTTP {#demo-nextcloud-deploy-basic}
run:
:::: {.note}
This section corresponds to the `basic` section of the [Nextcloud
manual](services-nextcloud.html#services-nextcloud-server-usage-basic).
::::
To deploy a basic Nextcloud with only the Preview Generator app enabled, run:
```bash ```bash
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on basic SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on basic
``` ```
To deploy a Nextcloud configuration with the Preview Generator app and integrated with a LDAP
service, run:
```bash
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on ldap
```
The deploy will take a few minutes the first time and subsequent deploys will take around 15 The deploy will take a few minutes the first time and subsequent deploys will take around 15
seconds. seconds.
## Access Nextcloud Through Your Browser {#demo-nextcloud-access-through-your-browser} Add the following entry to the `/etc/hosts` file on the host machine (not the VM):
Add the following entry to your `/etc/hosts` file:
```nix ```nix
networking.hosts = { networking.hosts = {
@ -89,7 +91,32 @@ $ cat /etc/hosts
127.0.0.1 n.example.com 127.0.0.1 n.example.com
``` ```
If you deployed the `ldap` target host, add instead: Go to [http://n.example.com:8080](http://n.example.com:8080) and login with:
- username: `root`
- password: the value of the field `nextcloud.adminpass` in the `secrets.yaml` file which is
`43bb4b8f82fc645ce3260b5db803c5a8`.
This is the admin user of Nextcloud and that's the end of the `basic` demo.
### Nextcloud with LDAP through HTTP {#demo-nextcloud-deploy-ldap}
:::: {.note}
This section corresponds to the `ldap` section of the [Nextcloud
manual](services-nextcloud.html#services-nextcloud-server-usage-ldap).
::::
To deploy a Nextcloud configuration with the Preview Generator app and integrated with a LDAP
service, run:
```bash
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on ldap
```
The deploy will take a few minutes the first time and subsequent deploys will take around 15
seconds.
Add the following entry to the `/etc/hosts` file on the host machine (not the VM):
```nix ```nix
networking.hosts = { networking.hosts = {
@ -97,29 +124,74 @@ networking.hosts = {
}; };
``` ```
If you deployed the `basic` target host, go to Which produces:
[http://n.example.com:8080](http://n.example.com:8080) and login with:
- username: `root` ```bash
- password: the value of the field `nextcloud.adminpass` in the `secrets.yaml` file which is `43bb4b8f82fc645ce3260b5db803c5a8`. $ cat /etc/hosts
127.0.0.1 n.example.com ldap.example.com
```
And that's the end of the demo. Otherwise if you deployed the `ldap` target host, go first to Go first to [http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
[http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
- username: `admin` - username: `admin`
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `c2e32e54ea3e0053eb30841f818a3d9a`. - password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `c2e32e54ea3e0053eb30841f818a3d9a`.
Create the group `nextcloud_user` and a user assigned to that group. Create the group `nextcloud_user` and a create a user and assign them to that group.
Finally, go to [http://n.example.com:8080](http://n.example.com:8080) and login with the user and Finally, go to [http://n.example.com:8080](http://n.example.com:8080) and login with the user and
password you just created above. password you just created above.
Nextcloud doesn't like being run without SSL protection, which this demo does not setup yet, so you Nextcloud doesn't like being run without SSL protection, which this demo does not setup, so you
might see errors loading scripts. might see errors loading scripts. See the `sso` demo for SSL.
## In More Details {#demo-nextcloud-in-more-details} This is the end of the `ldap` demo.
### Files {#demo-nextcloud-files} ### Nextcloud with LDAP and SSO through self-signed HTTPS {#demo-nextcloud-deploy-sso}
:::: {.note}
This section corresponds to the `sso` section of the [Nextcloud
manual](services-nextcloud.html#services-nextcloud-server-usage-oidc).
::::
To deploy a Nextcloud configuration with the Preview Generator app and integrated with a LDAP
service and an SSO service, run:
```bash
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on sso
```
The deploy will take a few minutes the first time and subsequent deploys will take around 15
seconds.
Here, there is a `dnsmasq` server running in the VM. You must create a SOCKS proxy to the `dnsmasq`
service like so:
```bash
ssh -F ssh_config -D 1080 -N example
```
This is a blocking call that will create a SOCKS proxy on port 1080. It is not necessary to fork
this process in the background by appending `&` because we will not need to use the terminal for the
rest of the demo.
Now, configure your browser to use that proxy. When that's done go to
[https://ldap.example.com](https://ldap.example.com) and login with:
- username: `admin`
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `c2e32e54ea3e0053eb30841f818a3d9a`.
Create the group `nextcloud_user` and a create a user and assign them to that group.
Visit [https://auth.example.com](https://auth.example.com) and make your browserauthorize the certificate.
Finally, go to [https://n.example.com](https://n.example.com) and login with the user and
password you just created above. You will see that the login page is actually the one from the SSO provider.
This is the end of the `sso` demo.
## In More Details {#demo-nextcloud-tips}
### Files {#demo-nextcloud-tips-files}
- [`flake.nix`](./flake.nix): nix entry point, defines the target hosts for - [`flake.nix`](./flake.nix): nix entry point, defines the target hosts for
[colmena](https://colmena.cli.rs) to deploy to as well as the selfhostblock's config for setting [colmena](https://colmena.cli.rs) to deploy to as well as the selfhostblock's config for setting
@ -142,7 +214,7 @@ might see errors loading scripts.
hostname `example`. Usually you would store this info in your `~/.ssh/config` file but it's hostname `example`. Usually you would store this info in your `~/.ssh/config` file but it's
provided here to avoid making you do that. provided here to avoid making you do that.
### Virtual Machine {#demo-nextcloud-virtual-machine} ### Virtual Machine {#demo-nextcloud-tips-virtual-machine}
_More info about the VM._ _More info about the VM._
@ -159,7 +231,7 @@ That being said, the VM uses `tmpfs` to create the writable nix store so if you
space issue, you must increase the space issue, you must increase the
`virtualisation.vmVariantWithBootLoader.virtualisation.memorySize` setting. `virtualisation.vmVariantWithBootLoader.virtualisation.memorySize` setting.
### Secrets {#demo-nextcloud-secrets} ### Secrets {#demo-nextcloud-tips-secrets}
_More info about the secrets._ _More info about the secrets._
@ -178,10 +250,21 @@ The `secrets.yaml` file must follow the format:
nextcloud: nextcloud:
adminpass: 43bb4b8f82fc645ce3260b5db803c5a8 adminpass: 43bb4b8f82fc645ce3260b5db803c5a8
onlyoffice: onlyoffice:
jwt_secret: XYZ... jwt_secret: XXX...
sso:
secret: YYY...
lldap: lldap:
user_password: c2e32e54ea3e0053eb30841f818a3d9a user_password: c2e32e54ea3e0053eb30841f818a3d9a
jwt_secret: 3b19030938608881dc1d2cb2753d9778 jwt_secret: ZZZ...
authelia:
jwt_secret: AAA...
storage_encryption_key: BBB...
session_secret: CCC...
hmac_secret: DDD.
private_key: |
-----BEGIN PRIVATE KEY-----
MII...
-----END PRIVATE KEY-----
``` ```
To open the `secrets.yaml` file and optionnally edit it, run: To open the `secrets.yaml` file and optionnally edit it, run:
@ -195,12 +278,12 @@ SOPS_AGE_KEY_FILE=keys.txt nix run --impure nixpkgs#sops -- \
You can generate random secrets with: You can generate random secrets with:
```bash ```bash
$ nix run nixpkgs#openssl -- rand -hex 64 nix run nixpkgs#openssl -- rand -hex 64
``` ```
If you choose a password too small, ldap could refuse to start. If you choose secrets too small, some services could refuse to start.
#### Why do we need the VM's public key {#demo-nextcloud-public-key-necessity} #### Why do we need the VM's public key {#demo-nextcloud-tips-public-key-necessity}
The [`sops.yaml`](./sops.yaml) file describes what private keys can decrypt and encrypt the The [`sops.yaml`](./sops.yaml) file describes what private keys can decrypt and encrypt the
[`secrets.yaml`](./secrets.yaml) file containing the application secrets. Usually, you will create and add [`secrets.yaml`](./secrets.yaml) file containing the application secrets. Usually, you will create and add
@ -213,7 +296,7 @@ creating the VM in the step above, a new private key and its accompanying public
automatically generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the automatically generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the
public key and add it to the `secrets.yaml` which we did in the Deploy section. public key and add it to the `secrets.yaml` which we did in the Deploy section.
### SSH {#demo-nextcloud-ssh} ### SSH {#demo-nextcloud-tips-ssh}
The private and public ssh keys were created with: The private and public ssh keys were created with:
@ -231,7 +314,7 @@ authentication, here is what you would need to do to copy over the key:
$ nix shell nixpkgs#openssh --command ssh-copy-id -i sshkey -F ssh_config example $ nix shell nixpkgs#openssh --command ssh-copy-id -i sshkey -F ssh_config example
``` ```
### Deploy {#demo-nextcloud-deploy} ### Deploy {#demo-nextcloud-tips-deploy}
If you get a NAR hash mismatch error like hereunder, you need to run `nix flake lock --update-input If you get a NAR hash mismatch error like hereunder, you need to run `nix flake lock --update-input
selfhostblocks`. selfhostblocks`.
@ -240,7 +323,7 @@ selfhostblocks`.
error: NAR hash mismatch in input ... error: NAR hash mismatch in input ...
``` ```
### Update Demo {#demo-nextcloud-update-demo} ### Update Demo {#demo-nextcloud-tips-update-demo}
If you update the Self Host Blocks configuration in `flake.nix` file, you can just re-deploy. If you update the Self Host Blocks configuration in `flake.nix` file, you can just re-deploy.


@ -5,11 +5,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1701680307, "lastModified": 1705309234,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725", "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -35,11 +35,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1704194953, "lastModified": 1705677747,
"narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=", "narHash": "sha256-eyM3okYtMgYDgmYukoUzrmuoY4xl4FUujnsv/P6I/zI=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6", "rev": "bbe7d8f876fbbe7c959c90ba2ae2852220573261",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -51,11 +51,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1704290814, "lastModified": 1705033721,
"narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -67,11 +67,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1704161960, "lastModified": 1705697961,
"narHash": "sha256-QGua89Pmq+FBAro8NriTuoO/wNaUtugt29/qqA8zeeM=", "narHash": "sha256-XepT3WS516evSFYkme3GrcI3+7uwXHqtHbip+t24J7E=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "63143ac2c9186be6d9da6035fa22620018c85932", "rev": "e5d1c87f5813afde2dda384ac807c57a105721cc",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -84,11 +84,11 @@
"nmdsrc": { "nmdsrc": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1701431551, "lastModified": 1705050560,
"narHash": "sha256-5HPHG1u3koaWHG/TXHl5/YxYPYOuKc58104btrD8ypE=", "narHash": "sha256-x3zzcdvhJpodsmdjqB4t5mkVW22V3wqHLOun0KRBzUI=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "f18defadcc25e69e95b04493ee02682005472255", "rev": "66d9334933119c36f91a78d565c152a4fdc8d3d3",
"revCount": 65, "revCount": 66,
"type": "git", "type": "git",
"url": "https://git.sr.ht/~rycee/nmd" "url": "https://git.sr.ht/~rycee/nmd"
}, },
@ -111,11 +111,11 @@
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
}, },
"locked": { "locked": {
"lastModified": 1704703146, "lastModified": 1705970650,
"narHash": "sha256-yXeMTRP8ovTtFZypBp2Yeqv/+gEhe3+dHqDjjS4IahQ=", "narHash": "sha256-DePq0MZkchIHXqVGztVDsqhhJxw5uzbvzLOFPCrQAe0=",
"owner": "ibizaman", "owner": "ibizaman",
"repo": "selfhostblocks", "repo": "selfhostblocks",
"rev": "107d57ae898818468d358e43378f0f34120a221d", "rev": "1cf6d264e4c8a527e5b67bb529b8981abcfbfc92",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -130,11 +130,11 @@
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
"lastModified": 1704596510, "lastModified": 1705805983,
"narHash": "sha256-tupdwwg1WeX2hNMOQrvtyafTaTVty0QC/gQp7yaYJic=", "narHash": "sha256-HluB9w7l75I4kK25uO4y6baY4fcDm2Rho0WI1DN2Hmc=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "f5fbcc0f50e7fc60c4f806fa7a09abccf0826d8a", "rev": "ae171b54e76ced88d506245249609f8c87305752",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -36,7 +36,7 @@
tracing = null; tracing = null;
# This option is only needed because we do not access Nextcloud at the default port in the VM. # This option is only needed because we do not access Nextcloud at the default port in the VM.
externalFqdn = "n.example.com:8080"; port = 8080;
adminPassFile = config.sops.secrets."nextcloud/adminpass".path; adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
@ -106,7 +106,7 @@
tracing = null; tracing = null;
# This option is only needed because we do not access Nextcloud at the default port in the VM. # This option is only needed because we do not access Nextcloud at the default port in the VM.
externalFqdn = "n.example.com:8080"; port = 8080;
adminPassFile = config.sops.secrets."nextcloud/adminpass".path; adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
@ -146,6 +146,200 @@
shb.nginx.accessLog = true; shb.nginx.accessLog = true;
shb.nginx.debugLog = false; shb.nginx.debugLog = false;
}; };
sso = { config, ... }: {
imports = [
./configuration.nix
selfhostblocks.inputs.sops-nix.nixosModules.default
selfhostblocks.nixosModules.x86_64-linux.default
];
# Used by colmena to know which target host to deploy to.
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};
shb.certs = {
cas.selfsigned.myca = {
name = "My CA";
};
certs.selfsigned = {
n = {
ca = config.shb.certs.cas.selfsigned.myca;
domain = "*.example.com";
};
};
};
services.dnsmasq = {
enable = true;
settings = {
domain-needed = true;
# no-resolv = true;
bogus-priv = true;
address =
map (hostname: "/${hostname}/127.0.0.1") [
"example.com"
"n.example.com"
"ldap.example.com"
"auth.example.com"
];
};
};
shb.nextcloud = {
enable = true;
domain = "example.com";
subdomain = "n";
ssl = config.shb.certs.certs.selfsigned.n;
dataDir = "/var/lib/nextcloud";
tracing = null;
adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
apps = {
previewgenerator.enable = true;
ldap = {
enable = true;
host = "127.0.0.1";
port = config.shb.ldap.ldapPort;
dcdomain = config.shb.ldap.dcdomain;
adminName = "admin";
adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path;
userGroup = "nextcloud_user";
};
sso = {
enable = true;
endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
clientID = "nextcloud";
fallbackDefaultAuth = true;
secretFile = config.sops.secrets."nextcloud/sso/secret".path;
secretFileForAuthelia = config.sops.secrets."authelia/nextcloud_sso_secret".path;
};
};
};
# Secret needed for services.nextcloud.config.adminpassFile.
sops.secrets."nextcloud/adminpass" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};
# Secret needed for LDAP app.
sops.secrets."nextcloud/ldap_admin_password" = {
sopsFile = ./secrets.yaml;
key = "lldap/user_password";
mode = "0400";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "nextcloud-setup.service" ];
};
sops.secrets."nextcloud/sso/secret" = {
sopsFile = ./secrets.yaml;
mode = "0400";
owner = "nextcloud";
restartUnits = [ "nextcloud-setup.service" ];
};
sops.secrets."authelia/nextcloud_sso_secret" = {
sopsFile = ./secrets.yaml;
key = "nextcloud/sso/secret";
mode = "0400";
owner = config.shb.authelia.autheliaUser;
};
# Set to true for more debug info with `journalctl -f -u nginx`.
shb.nginx.accessLog = true;
shb.nginx.debugLog = false;
shb.ldap = {
enable = true;
domain = "example.com";
subdomain = "ldap";
ssl = config.shb.certs.certs.selfsigned.n;
ldapPort = 3890;
webUIListenPort = 17170;
dcdomain = "dc=example,dc=com";
ldapUserPasswordFile = config.sops.secrets."lldap/user_password".path;
jwtSecretFile = config.sops.secrets."lldap/jwt_secret".path;
};
sops.secrets."lldap/user_password" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "lldap";
group = "lldap";
restartUnits = [ "lldap.service" ];
};
sops.secrets."lldap/jwt_secret" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "lldap";
group = "lldap";
restartUnits = [ "lldap.service" ];
};
shb.authelia = {
enable = true;
domain = "example.com";
subdomain = "auth";
ssl = config.shb.certs.certs.selfsigned.n;
ldapEndpoint = "ldap://127.0.0.1:${builtins.toString config.shb.ldap.ldapPort}";
dcdomain = config.shb.ldap.dcdomain;
secrets = {
jwtSecretFile = config.sops.secrets."authelia/jwt_secret".path;
ldapAdminPasswordFile = config.sops.secrets."authelia/ldap_admin_password".path;
sessionSecretFile = config.sops.secrets."authelia/session_secret".path;
storageEncryptionKeyFile = config.sops.secrets."authelia/storage_encryption_key".path;
identityProvidersOIDCHMACSecretFile = config.sops.secrets."authelia/hmac_secret".path;
identityProvidersOIDCIssuerPrivateKeyFile = config.sops.secrets."authelia/private_key".path;
};
};
sops.secrets."authelia/jwt_secret" = {
sopsFile = ./secrets.yaml;
mode = "0400";
owner = config.shb.authelia.autheliaUser;
restartUnits = [ "authelia.service" ];
};
# Here we use the password defined in the lldap/user_password field in the secrets.yaml file
# and sops-nix will write it to "/run/secrets/authelia/ldap_admin_password".
sops.secrets."authelia/ldap_admin_password" = {
sopsFile = ./secrets.yaml;
key = "lldap/user_password";
mode = "0400";
owner = config.shb.authelia.autheliaUser;
restartUnits = [ "authelia.service" ];
};
sops.secrets."authelia/session_secret" = {
sopsFile = ./secrets.yaml;
mode = "0400";
owner = config.shb.authelia.autheliaUser;
restartUnits = [ "authelia.service" ];
};
sops.secrets."authelia/storage_encryption_key" = {
sopsFile = ./secrets.yaml;
mode = "0400";
owner = config.shb.authelia.autheliaUser;
restartUnits = [ "authelia.service" ];
};
sops.secrets."authelia/hmac_secret" = {
sopsFile = ./secrets.yaml;
mode = "0400";
owner = config.shb.authelia.autheliaUser;
restartUnits = [ "authelia.service" ];
};
sops.secrets."authelia/private_key" = {
sopsFile = ./secrets.yaml;
mode = "0400";
owner = config.shb.authelia.autheliaUser;
restartUnits = [ "authelia.service" ];
};
};
}; };
}; };
} }
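Review bot: `sops.secrets."authelia/nextcloud_sso_secret"` (the block directly after `nextcloud/sso/secret`) is the only Authelia-owned secret in the new `sso` host without `restartUnits = [ "authelia.service" ];`, so rotating the OIDC client secret restarts `nextcloud-setup.service` but leaves Authelia running with the old value until something else restarts it; adding that one line makes it consistent with `authelia/jwt_secret` and the other `authelia/*` entries below. Separately, this host maps `authelia/ldap_admin_password` onto `key = "lldap/user_password"`, while the `secrets.yaml` hunk in this commit also adds an `authelia: ldap_admin_password:` entry; if nothing reads that entry it is dead data and a second place for the LDAP password to drift, so one of the two should go (the secrets.yaml section is cut off here, so this is inferred). The commented `# no-resolv = true;` in `services.dnsmasq.settings` should either be removed or get a comment saying why the VM's upstream resolvers are intentionally kept. `fallbackDefaultAuth = true;` also deserves a why-comment, e.g. `# Keep Nextcloud's own login form reachable next to SSO so the local admin account stays usable — confirm against the shb option docs`.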


@ -1,10 +1,19 @@
nextcloud: nextcloud:
adminpass: ENC[AES256_GCM,data:667e6562Q1SSZRKLMgur1viGd8+MmjU6Oz/DzQ4GLHI=,iv:KoxmL9tLPBoIJT7rxkEhxrQqZFicbEm8qXbZMrnHSGY=,tag:5APQH+snOUJ8UPXaIdqR5w==,type:str] adminpass: ENC[AES256_GCM,data:nD/4oml7mXbWF0axiqWQCZujFqeJMF0P/1vY9f4EPqg=,iv:KoxmL9tLPBoIJT7rxkEhxrQqZFicbEm8qXbZMrnHSGY=,tag:gwvrHsX22ygfUcOlxeC/5g==,type:str]
onlyoffice: onlyoffice:
jwt_secret: ENC[AES256_GCM,data:5TMDyySlsAHN1DfJLEJXt5jg7r2Gd8RVmLv4T44ye+2B71r6CWew8tcaYybFXT8aXrmVjOcBkVjBlFJ6B3ozkajtZC3teXCUzG+hlKGdN+Oyvd1+WXJO2USk1pREKc4kGwVvYr02lM1PEVLUokh/j/wmL1uFsAYM9482ik5veYg=,iv:TFs+fTlMGWKTVJ3pUmXCpGskQ2h6uSLr+TlmG6OXQYg=,tag:hYRtuqE7ygjHc6zHOz5kBQ==,type:str] jwt_secret: ENC[AES256_GCM,data:v4BScbfRHpHAZ0MCIyb1H1vYISsR1JQRaI1mFHbZKDNhuf5Zyc6znzz+DtqXOZfVNgp9aIeWIEam0GI/O3ih0jzEN0ut/jqI3onoSghq22h2VTKdLMcT6JG2p/R1mHgD+C7KeeepcdWMbwLXswi2jBys3FyxTY3mfiNv3AcndGA=,iv:TFs+fTlMGWKTVJ3pUmXCpGskQ2h6uSLr+TlmG6OXQYg=,tag:Ixm0VtO5ySCQxiKweDop0A==,type:str]
sso:
secret: ENC[AES256_GCM,data:9uZfvBXETbP47Cf6lZNLqskqmbxcAaQ/e3jiHqW9VweqrmByyadaE3DgCcODUJNEatuFxIyP+ptBdeX9FBRPmAvVl/BaK5oKzp84i+5zb1nvxvxBx+KQhqFKZgk81jJQeMSxwLlDKguWnLx83QhYvOMphZNQOeLQ/Cx+qrvCWsk=,iv:pF87avRdm2tgwA+cQnvcYSUIxAh18jDrMA6eAHoyBZU=,tag:FaJwUr2fR9dZUdDOfq/C5Q==,type:str]
lldap: lldap:
user_password: ENC[AES256_GCM,data:qZO3L7IM9UJ7iR7Q2bdDfY1wmt3TEWLR8NK3rXdojN4=,iv:SljGhXi3SYoMNcR9onwqthOAyFX1D8KsegmWRypbblQ=,tag:KwJFHd85kkm8YGH3NtqanA==,type:str] user_password: ENC[AES256_GCM,data:4ImmaC2T1hj6L8tzrxv4d7/I4F9xEA/uuc56QOqkY08=,iv:SljGhXi3SYoMNcR9onwqthOAyFX1D8KsegmWRypbblQ=,tag:Aw+juIV2AM0J+89itNDjVA==,type:str]
jwt_secret: ENC[AES256_GCM,data:oCrUTEYO8oETPd8XHq1DiLCSzeRAnrkty3gyo8dxk5c=,iv:vBOq4Mab3RE69rOA8ZbMX72Gm3KEng6HaCveZrXsIrU=,tag:JZUjCbo7CdCmJYJrrsosxQ==,type:str] jwt_secret: ENC[AES256_GCM,data:btABIOGRgioXmPe8QirhyozQzhVaAcF2sbB07hevz+Q=,iv:vBOq4Mab3RE69rOA8ZbMX72Gm3KEng6HaCveZrXsIrU=,tag:zkbJ+SeNnzQyAZxOjso8fg==,type:str]
authelia:
ldap_admin_password: ENC[AES256_GCM,data:Ze1FJSl8ZJYCYrULlkwcbDFzxCS4MzujJbCGZasOiWU=,iv:X/su9ty9883+4qmrQhAIe6HDwjFoqHQ43aqd/4ZmtBw=,tag:QeLqUtYlZcHMR+bqRHCb2A==,type:str]
jwt_secret: ENC[AES256_GCM,data:xom/W92DGS2RafO+olwG8oKAbKPbkPKyZ2mYv0lWqtVAWUFwSoCGLgxe4uHAoGcLosJmDxU/srq+HNPzYORY8+mHn9wMoQgYg2oceLw2xamYdkIzvswof6LoYAV7MaZReYgYXcqMy2LZuU3PnnE4wag3liSuEx4qtJrLKB52ljE=,iv:t5PsBdZDze3/4S8utfnkmiToaorqq5BiJn99JuRirXY=,tag:ZJCszIOpaSwl9Sua8VWHoA==,type:str]
storage_encryption_key: ENC[AES256_GCM,data:wUmF+0etuhEr3FNy7x0LBJunn1vmWO+IExm/wgkh0CEDWzxblpylC/PGAGgHdlJMQOhUY6tDPD67sJgO2g+yTBB3lfOo/kql0gnGVKQjRMMHqfEEmXK56yXP+J2JePJ6DlaqzdAXko4Tmh4GnRKsswMQZVA5PDOuHHNRcVTCb0E=,iv:wz1Mry7jMwGvD9mF1/PbQsHb/jmm8WOWchLL95YADeY=,tag:AZp43iti+nxW0TYK7MlYNg==,type:str]
session_secret: ENC[AES256_GCM,data:TSe2YEyXl0Ls8wAynUYRJBQL8mbC1i/31ueuCj7d7ouO9gCX/Igz6OM9EgWigxucsMVQkiUtDCI9DD9B8jFaYGMIiB9FrKQnixigptrIUj210zJ3Aer38GyFxSI541PaBzmnauEo1MtBykjSg93xyI6ivB8FJmmauQOMYNiTYvk=,iv:OBtUCw7BevaF3VQKLJ2HiB828IzJqS27SZUOoAqoD+E=,tag:WfCGlHi6a15AYeSFXnnOVw==,type:str]
hmac_secret: ENC[AES256_GCM,data:RmPr/kJmimMmeZCluMBsYL+w5VtJ1IZNFo2VOVNGiu0ajMJoK06RQx9AAYb+GvPRrGz9wzRy38hTH7unIiq59WOZCw245StsawSCeszadh8RrjPJPNCKPt3vaBbIzlvz0xMvgX4UT2k+uK1dqR7QXiCrBDludU3nnHIpbgkcADM=,iv:z5KLaAlevgk2HsxMWggU1DL0g+Ae+DaBLZ0SnZoKYcA=,tag:2ChIOxMCI4psqIhX+GE8EQ==,type:str]
private_key: ENC[AES256_GCM,data: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,iv:WYnE50BRK5Q7TA/24LDDkSq+wu9+S6ckb3+NR/eHkUs=,tag:X9s50TdOPEjDV+7Kv6prOQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -14,50 +23,14 @@ sops:
- recipient: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7 - recipient: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObnkzVkdmUnhyOG1vNE04 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqRjg2SWR0SjhpWExqbi9E
ZmExS1RkVE5qUm83aVk1bGtTbmo5bGhsc3pBCnNMWjN5cStVRWNlTUVmWi9BQ2py a3pJbXJyMmMyY1F5NFNVNWY0TXRicFdycEhJCkdWL1dmNjdCRVhKNmllcGpmNkNV
NEswQS9xNGtPZGdQRWdzWDV1RnJNbGsKLS0tIC8yQW9ZazlNTm80d0l5bEo0M2lW U1lTUjI3elBoOStNZVhoL1o3WGZLWjgKLS0tIE1XRTVPUE91d2k2dFpMbVJ1a0ZB
QnVXMUpXcUFZRWhpUHJjOFZjWGFYSFkKomaixOjgaD1LubawJVhWAgVqjOkpc9+2 dTNrOUhzOSsvRnNSMC9VOTJaY1orWUEK8IcLk/4X7O+ZRosM7KNQNSEgyGkFklRw
xNHKlgBEXDnBeMK9BgPgYIRk8ce79rxuqwaOAPqrEmPsafvoxZq5Wg== YSutsre5OOEUx1X+hxzu2GF9I4DGcSAbQtzPYBq7qcwxUR+oIXiJyQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1ej98rmjug4j0psyr3ppwmddtu868mlhknjkcx4a7yjrgk480dfrs3ayjl9 lastmodified: "2024-01-22T06:30:53Z"
enc: | mac: ENC[AES256_GCM,data:mdCpYLoaMcotuOU8qB7Gj+79ALG4d4HAR0Yw6Y3gf5SFUOc59B4WdK4A3+cgSm3dvRB8HCg9Vo9llEjiOBNVFpBgIjOvUeyAMYNi6ZndS/yr4x3NSL2rPz2s9c+0tm8Qg61T5RtYS/on+gWiUoA+lzXN2uFFWyo09fWF4N5EOQo=,iv:TgdI759YCkgmGAbUtgiV+NoT40Cg8+BcRGH0ZlQZ5SE=,tag:LGgFrlJPNpG+HzQLHDcDUQ==,type:str]
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndGErUWt4M3BtR3dVT2lo
SmY1M0k0bkxEcGNxNkdYZDFVaUVIaFA0blhNCm9oWmVyRlJ4eVlxM2l0anhrMERz
RTZ1Z1dINDZZdGN3UUJweWRjRWUyT1UKLS0tIGl1dUNwU0ZSRFhwUENIbHhGT3VP
MTlZVFVtbEFnV1pJTTRjV2pqRnUrYW8KXTdes+gb8h7PL0l34rnRKtPvIr3tUJKZ
UfD+/e3I/+Gw4IpCvIpMoBBT0bxyyMJROKo4oP9GTIrbw5fHV9+bcg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1j6scagnygyzr4q96l0a5ntwgjqj7xscx5sx4avy7fry3fzgcff8se0ylfq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTjZiZkl3QnUzYkxjSzYr
NDVEcWROZDNVV0tUbWVOTUhQWE5LenBrU2c4CmRHcTlkamtibVhOU1dTOTlIanFp
MUt1dnJpR2RUVGwwbTBaYnpXdE1XOHMKLS0tIGJ2YlRMQXpXVlpJRExOdUZ2MDJ6
WVJMRFMvYkFJenhlQjVGRlZsYlpLdFUKGQmMb2aZKvWnBp4hKAdBZnQMW+pLZC9t
FJCAxZpFEaq22Zthe2dvh1v8X51Jde7bkylL2Z6CcuCLYkPgHhOgCw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ldwxeqq5a9umgj36afsyl0tn8nrl7ecaam36dc8gxjqy5r6vaursj2d94s
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRazRkcVBvT0NGYk1nUjdK
V1o5V3VaYjY4YTNmYlpQUkZNV1lZN0JSSXdBCngrdjd3T1RHK1dOQUd6alFVQkhm
blRPNlg5T2xQVThqNzAybkk5U2VrQmMKLS0tIGVOVFlpNlIzcG9BY0R5UVMrUTk0
YzM4cTdoOHFzUGREZnBBTkFHZ2hQNVkKvZefP0yX08wSaXSvNh5NH+lUu4GvDeVQ
ieagXUh5IYmpZ6W8+Ifz3DqbLTELpLCdL45yj8ChoVkEGGGt2XHiiw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wfqc4hyekue3z6dn0khtsszvy8wlkh07msany9mfdy0yn9rfxp9sjyz6ze
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByZHZEU3RnKzYrTWovSUNu
aUszcHFxMVBqMnpiV3d3d3lNQk40TjdSdTNnCjluSUNpeTg0QUUxYkhPeHRubFE4
cEVOcFU4eUwvZitwN3JESUFoWnlCcFEKLS0tIElTN2J2M3ZhUUgxbGlWY242YkNF
UlFuMGFVeElOdGVwL0NReXhFVDJOZzgKTROtZpvVl+d1wfuf7otaIo6nDdVzsQ9O
kT+S01M2kC2gX+oDAcD20cNJdwnD/ETCdTk93qxpX1jAtDiz1WBSmg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-06T09:06:26Z"
mac: ENC[AES256_GCM,data:pitmTT1egqTEOI4fEsaE/kpLOdPjO3AHwNIUB4MYp9E8GeD+AOkX7U/KwOailC245wqGNNzCDJn7PD/IZ93cOXcsdMuhKUg/QNogz337DIioeFxx+Vf50mFv44Lf1Vtu7MG80zOXVHrmls/hb+E4HL55OujWmEKXWodeECvgfpw=,iv:57716xGcpRNxGdnihH7qbr8/I7t0MWYIbh3PoxqDZBo=,tag:qqA7nEbSPrpWBwZyuOWN8g==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1
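Review bot: The new `authelia.ldap_admin_password` entry added under `authelia:` in the first hunk is not read by anything visible in this commit: the Nix side declares `sops.secrets."authelia/ldap_admin_password"` with `key = "lldap/user_password"`, so Authelia's bind password comes from `lldap/user_password` and this entry is dead data that can silently drift from the value actually in use. Either drop the entry from the secrets file or remove the `key = "lldap/user_password";` override so the declaration reads it, and mark the choice in the Nix file with a comment such as `# Authelia's LDAP bind password is shared with lldap/user_password; no separate secret is used`. The second hunk also appears to remove four of the five age recipients, leaving the re-encrypted file decryptable only by `age1algdv9…g8pug7`; that is unrelated to the SSO change named in the title and, if intended, deserves a sentence in the commit message so holders of the dropped keys know why decryption stops working.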