diff --git a/.sops.yaml b/.sops.yaml index 8afa210..0ec6fcd 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -13,13 +13,12 @@ keys: - &nginx-netcup age1ypq3n3e7gnwqddq5dgkdsfm0wqagrm5pl5tkunzp44lcezsllumqsjz0hz - &wg-server age15ydstgk0fmmgy2ugmqufyqhqsqypd2mvy89enzwczz0m8ar2kvzqlcdsm8 - &nginx-cube age1nh7nnp3rznfqkzudn7dzkkkxuz0ywjw8hacnftvgh60egtw79ejqam4n4p - - &farewellbird age1n7ltu5yh49l7f2pgn7nyp9xpfcp45hjs379yv2txa2t2w0yd2fqq2wt3t9 creation_rules: - path_regex: secrets\/all\/* key_groups: - pgp: [*clara] - age: [*wireguard, *mcserver, *zammad, *forgejo, *mastodon, *paperless, *vikunja, *nginx-netcup, *wg-server, *nginx-cube, *farewellbird] + age: [*wireguard, *mcserver, *zammad, *forgejo, *mastodon, *paperless, *vikunja, *nginx-netcup, *wg-server, *nginx-cube] - path_regex: secrets\/wireguard\/cube.yaml key_groups: - pgp: [*clara] diff --git a/configs/container_config.nix b/configs/container_config.nix index 2ba25a8..3fd2c55 100644 --- a/configs/container_config.nix +++ b/configs/container_config.nix @@ -20,9 +20,6 @@ wget htop sudo - mtr - nettools - tcpdump ]; # because getting a nix shell is super annoying otherwise diff --git a/configs/containers/cube/farewellbird.nix b/configs/containers/cube/farewellbird.nix deleted file mode 100644 index ff7c6da..0000000 --- a/configs/containers/cube/farewellbird.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ lib, pkgs, config, ... }: { - - deployment = { - targetHost = "10.10.0.5"; - targetPort = 22; - targetUser = "root"; - tags = [ "cube" ]; - }; - networking = { - hostName = "farewellbird"; - interfaces.eth0 = { - ipAddress = "10.10.0.5"; - prefixLength = 32; - }; - defaultGateway = { - address = "10.10.0.254"; - interface = "eth0"; - }; - }; - imports = [ - ../../container_config.nix - ../../services/farewellbird.nix - ]; -} 
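Review bot: Removing `&farewellbird` from the `secrets\/all\/*` age list only re-wraps the existing data key for the remaining recipients; in the secrets/all/secrets.yaml hunk of this commit `lastmodified` and `mac` are unchanged context lines, which indicates that neither the data key nor the secret values were rotated. The earlier revision, still wrapped for the farewellbird key, remains in git history and decrypts to the same values. If that host key is no longer trusted, rotate the data key (`sops rotate`, or `sops -r` on older releases) and change the secrets that container could read.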
diff --git a/configs/containers/cube/wireguard_cube_container.nix b/configs/containers/cube/wg_container.nix similarity index 75% rename from configs/containers/cube/wireguard_cube_container.nix rename to configs/containers/cube/wg_container.nix index e414452..b693c60 100644 --- a/configs/containers/cube/wireguard_cube_container.nix +++ b/configs/containers/cube/wg_container.nix @@ -1,6 +1,6 @@ { lib, pkgs, config, ... }: { deployment = { - targetHost = "10.10.0.4"; + targetHost = "192.168.178.123"; targetPort = 22; targetUser = "root"; tags = [ "cube" ]; @@ -8,6 +8,6 @@ networking.hostName = "wireguard"; imports = [ ../../container_config.nix - ../../services/wireguard_cube.nix + ../../services/wireguard.nix ]; } diff --git a/configs/containers/netcup_pve/wireguard_netcup_container.nix b/configs/containers/netcup_pve/wg_server_container.nix similarity index 86% rename from configs/containers/netcup_pve/wireguard_netcup_container.nix rename to configs/containers/netcup_pve/wg_server_container.nix index 59d732c..c3ce97f 100644 --- a/configs/containers/netcup_pve/wireguard_netcup_container.nix +++ b/configs/containers/netcup_pve/wg_server_container.nix @@ -10,6 +10,6 @@ imports = [ ../../container_config.nix - ../../services/wireguard_netcup.nix + ../../services/wg_server.nix ]; } diff --git a/configs/services/farewellbird.nix b/configs/services/farewellbird.nix deleted file mode 100644 index 8dfe12a..0000000 --- a/configs/services/farewellbird.nix +++ /dev/null 
@@ -1,45 +0,0 @@ -{ lib, pkgs, config, inputs, ... }: -let - repoDir = "/var/www/site"; -in -{ - - services.nginx = - { - enable = true; - virtualHosts = - { - "farewellbird.de" = { - locations."/" = { - root = repoDir; - }; - }; - }; - }; - - systemd.timers."clone-repo" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "10s"; - OnUnitActiveSec = "5m"; - Unit = "clone-repo.service"; - }; - }; - systemd.services."clone-repo" = { - script = '' - set -eu - if test -d ${repoDir}; then - cd ${repoDir} - ${pkgs.git}/bin/git pull - else - mkdir mkdir -p $(dirname ${repoDir}) - ${pkgs.git}/bin/git clone -b pages https://codeberg.org/YourLocalFops/farewellbird.git ${repoDir} - fi - ''; - serviceConfig = { - Type = "oneshot"; - User = "root"; - }; - }; - networking.firewall.allowedTCPPorts = [ 80 ]; -} diff --git a/configs/services/nginx_cube.nix b/configs/services/nginx_cube.nix index f871ab6..505eb16 100644 --- a/configs/services/nginx_cube.nix +++ b/configs/services/nginx_cube.nix @@ -17,13 +17,6 @@ "; }; }; - "farewellbird.de" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://10.10.0.5"; - }; - }; }; }; diff --git a/configs/services/wireguard_netcup.nix b/configs/services/wg_server.nix similarity index 100% rename from configs/services/wireguard_netcup.nix rename to configs/services/wg_server.nix diff --git a/configs/services/wireguard.nix b/configs/services/wireguard.nix new file mode 100644 index 0000000..a167a3e --- /dev/null +++ b/configs/services/wireguard.nix 
@@ -0,0 +1,60 @@
+{ lib, pkgs, config, ... }:
+let wg_port = 51820;
+in {
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = lib.mkDefault true;
+ "net.ipv6.conf.all.forwarding" = lib.mkDefault true;
+ };
+
+ # set up secret key
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ secrets.wg_private_key = {
+ sopsFile = ../../secrets/wireguard/cube.yaml;
+ };
+ };
+
+ networking = {
+ firewall.allowedUDPPorts = [ wg_port ];
+ firewall.rejectPackets = true;
+ firewall.trustedInterfaces = [ "wgbr" "wg0" ];
+ interfaces.wgbr.ipv4 = {
+ routes = [ ];
+ addresses = [
+ {
+ address = "10.8.1.1";
+ prefixLength = 24;
+ }
+ ];
+ };
+
+ wg-quick.interfaces = {
+ wg0 = {
+ # Determines the IP address and subnet of the client's end of the tunnel interface.
+ address = [ "10.8.1.1/16" ];
+ listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+
+ # Path to the private key file (see sops).
+ privateKeyFile = "/run/secrets/wg_private_key";
+
+ peers = [
+ # For a client configuration, one peer entry for the server will suffice.
+
+ {
+ # Public key of the server (not a file path).
+ publicKey = "AJ1nr0/w8OvsNq5Ju//m4856u7yY0hlPGMEGeZtlhlY=";
+
+ # Forward all the traffic via VPN.
+ allowedIPs = [ "10.8.0.0/16" ];
+
+ # Set this to the server IP and port.
+ endpoint = "202.61.230.52:51820";
+
+ # Send keepalives every 25 seconds. Important to keep NAT tables alive.
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/configs/services/wireguard_cube.nix b/configs/services/wireguard_cube.nix
deleted file mode 100644
index d22afcb..0000000
--- a/configs/services/wireguard_cube.nix
+++ /dev/null
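Review bot: `firewall.trustedInterfaces = [ "wgbr" "wg0" ];` in configs/services/wireguard.nix exempts everything arriving over the tunnel from the host firewall, so any address inside the peer's `allowedIPs = [ "10.8.0.0/16" ]` reaches every listening port on this container, including SSH if it listens there (the container's deployment block targets port 22 as root). With `net.ipv4.ip_forward` enabled, that traffic can presumably also be forwarded onward. Consider trusting only the bridge, `firewall.trustedInterfaces = [ "wgbr" ];`, and opening the needed ports per interface with `firewall.interfaces.wg0.allowedTCPPorts`. Two smaller points: `10.8.1.1` is assigned to both `wgbr` (/24) and `wg0` (/16), which gives overlapping connected routes, and the comment `# Forward all the traffic via VPN.` does not match an `allowedIPs` limited to 10.8.0.0/16; `# Route only the 10.8.0.0/16 VPN range through the tunnel.` would be accurate.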
@@ -1,99 +0,0 @@ -{ lib, pkgs, config, ... }: -let wg_port = 51820; -in { - boot.kernel.sysctl = { - "net.ipv4.ip_forward" = lib.mkDefault true; - "net.ipv6.conf.all.forwarding" = lib.mkDefault true; - }; - - # set up secret key - sops = { - age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - secrets.wg_private_key = { - sopsFile = ../../secrets/wireguard/cube.yaml; - }; - }; - - networking = { - # Enable NAT - nat = { - enable = true; - enableIPv6 = true; - externalInterface = "eth0"; - internalInterfaces = [ "wg0" ]; - }; - - # Open ports in the firewall - firewall = { - rejectPackets = true; - trustedInterfaces = [ "wgbr" "wg0" ]; - allowedTCPPorts = [ 53 ]; - allowedUDPPorts = [ 53 wg_port ]; - }; - - interfaces.wgbr.ipv4 = { - routes = [ ]; - addresses = [ - { - address = "10.8.2.1"; - prefixLength = 24; - } - ]; - }; - - defaultGateway = { - address = "10.10.0.254"; - interface = "eth0"; - }; - - interfaces.eth0.ipv4 = { - routes = [ - { - address = "10.10.0.0"; - prefixLength = 16; - via = "10.10.0.254"; - } - ]; - addresses = [ - { - address = "10.10.0.4"; - prefixLength = 24; - } - ]; - }; - - wg-quick.interfaces = { - wg0 = { - # Determines the IP address and subnet of the client's end of the tunnel interface. - address = [ "10.8.0.1/24" ]; - listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers) - - # Path to the private key file (see sops). - privateKeyFile = "/run/secrets/wg_private_key"; - - - # This allows the wireguard server to route your traffic to the internet and hence be like a VPN - postUp = '' - ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.8.1.1/24 -o wgbr -j MASQUERADE - ''; - - # Undo the above - preDown = '' - ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT - ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.8.1.1/24 -o wgbr -j MASQUERADE - ''; - - peers = [ - # List of allowed peers. 
- { - # Laptop Psi - publicKey = "msJJwTPHuxLd1KddbNeLscGgiY7r9sQ3vkUnDtb2Fh4="; - # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing. - allowedIPs = [ "10.8.0.2/32" ]; - } - ]; - }; - }; - }; -} diff --git a/flake.nix b/flake.nix index d5f1c26..0b12448 100644 --- a/flake.nix +++ b/flake.nix @@ -7,15 +7,14 @@ colmena = { meta = { nixpkgs = import nixpkgs { - stdenv.hostPlatform.system = "x86_64-linux"; system = "x86_64-linux"; }; specialArgs = { inherit inputs; }; }; - #zammad = import ./configs/containers/cube/zammad_container.nix; + zammad = import ./configs/containers/cube/zammad_container.nix; - forgejo = import ./configs/containers/netcup_pve/forgejo_container.nix; + forgejo = import ./configs/containers/cube/forgejo_container.nix; mastodon = import ./configs/containers/netcup_pve/mastodon_container.nix; @@ -24,10 +23,6 @@ nginx-netcup = import ./configs/containers/netcup_pve/nginx_container.nix; nginx-cube = import ./configs/containers/cube/nginx_container.nix; - - wireguard-cube = import ./configs/containers/cube/wireguard_cube_container.nix; - - farewellbird = import ./configs/containers/cube/farewellbird.nix; }; }; } diff --git a/secrets/all/secrets.yaml b/secrets/all/secrets.yaml index f9c6bc1..00aff8b 100644 --- a/secrets/all/secrets.yaml +++ b/secrets/all/secrets.yaml 
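Review bot: After the second flake.nix hunk removes `wireguard-cube`, no node in the visible hunk lines imports the renamed `configs/containers/cube/wg_container.nix`, so the new `services/wireguard.nix` may never be deployed; unless a node outside the hunks already references it, add e.g. `wireguard-cube = import ./configs/containers/cube/wg_container.nix;`. The first hunk also repoints `forgejo` to `./configs/containers/cube/forgejo_container.nix` and re-enables `zammad`, but this diff neither adds nor renames a forgejo container file under `cube/`, so confirm that path exists before evaluating the flake. The colmena attribute set starts and ends outside these hunks.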
@@ -4,123 +4,114 @@ sops: - recipient: age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWcTMzNGxCK1VjTm5DWlA0 - QlIxZ0pQejdDa0FTbEpvQnhUNEFsTkt6SVgwCjhyN05Ba0dNQzN1UVF4L2NjQllu - UUhXeFgzNmlENjFtekszVTRiT29oZk0KLS0tIFNJTEw4a1dlR0MrT1d6WGY3VzBh - M1N1Um50VC83QnErK0VyQ2IzS1lXY0EKXaexvogS/+g+wEdsidqRAmkPBfvXp8cN - K5r6WPKCXvDN6k72tIh7y081dAqJECkELhyOxBfwrsyuEBZXUQsL9w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkbzViclZjWlBBT1dlcnph + RVVLTG5tWHloa0ZEbmZNbUZBTCt2VWsvWGw4CitWSVlERDd5YnFpak1meDJkN01K + V25BQ2Q2elMrMVRpQ1pOMDZTSTJ4dDQKLS0tIDVvY0lscDN0T2xBMjdMUFFidm1j + L2F2VC8zb0dSdkN0QVlnTUpyTkdJMFUKL6Gj+Yk/lleYB2iM1ph/OOuxVdwZCSVc + yE/yN0+5A1nsMcyNDv5/G+BPoeXCr/vzYl320llpAkinhcAl8HKFCQ== -----END AGE ENCRYPTED FILE----- - recipient: age1jlt47gkctq7vfrykqlyg9um5mypy872pvtfql7kkpvhnemlex4mq89a3a8 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzS3QwN0hEb3RQOTUwbHUv - S21sSXNOS2pmRVhBM3JVMmk5Yit5c1IvWkNFCjVoU0J5eW5wZ0RMTjVzdHp0NEhj - S3VDT3EzSkV6aHNmZTRjN2N1Q2RwQjgKLS0tIDdMNHdUVGtyd1pMaDZ2MHU3eXZW - YkFHdGdJWnhLaENlU050WkZoNWRZeWMK50XHXXrfs5aZNG0tYFotayCFji6JXzak - Lsv/yBO6rK4wNfWuNU8ap7wjLpRxLVqNa1xJya/dYMe1eddUCxYD8Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGYkJ4TW5vRUNobDZtQTd2 + a0V0SzF4TktjWklMUDIyZ2REWWNVUnlqSWtvCkYwVjF3NDJYaFFwSzVrNUNuYmxD + Wk9XVk1EdTFsN25XT2lqM0YzcFJpSGsKLS0tIHVZKzJvdUF4MzlENTFvek5admlK + Q3NCVDlGOHh3Ylp6N25rZVByUEhEUHMKRxGmaE5lLhHlg++yKRG/TpoMhc5+7h5g + uv0zN6q9g1ULgMDdbC5v5g4n6ssIHHb50cFkjEm7b7ee7PWiPJ3/xw== -----END AGE ENCRYPTED FILE----- - recipient: age14ukkn4plvnjacvjux929qwpeynxk4cfxw285vlwddqakm43kfyysfdg02c enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZVk1TUV6VHN5Ym5MMkFL - SXdyWndzTCtyRzBFV1hsV3M5a1FLZHdYZUI0ClNaUmhxUGMxd1cwNzBzczJUU2hR - eXR5elV5T2htTHN1OUpwSlZpZ1NnZ0kKLS0tIElWN2pwSVpHOEM3Vm9JenRlUHdE - 
bkRCR21DbFU3NFhaZ1hGdlRTMmVpZXMKV1EnC8KOE9HlYrtO5kJRi/Jxz4/bghwR - njmfI3nStV7OR07AT7QGp35nXCEy0lJESiVARCTwWmzf4mtqhYg1yg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzcDlValVTL1czVG4vaXQ0 + NWUzR2lGTk84NnFrd051K2pwZ25lekdBdXd3CmpWWnVlZWswelNMUlVlazg1Wkxw + VlhsNUVrckxzajhKQStzUGdBTG5Ea0UKLS0tIHRGc2FMV2VUeVFJWHdJUEJyYXUr + bGF6eDN0Y0F5cjdPSTJqdDl1M2lHTHcK6QwAWnajE5yBLd+Fp095TCVEurBaGAV8 + hWvLup7dztIxXVKCK7epHvKEamaM/dSahnY6Muvy9GK0Rkf2YDpE/Q== -----END AGE ENCRYPTED FILE----- - recipient: age1vd33efsea2509hm0dwmhkuu7mm2kgw6tsss6lmzsqfg7gat06qyqys3qfh enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrL0wrdmhmUGwyVWkyWnB4 - STBwMFlTaHpwNVZLeCtBZU9NS05PeS9Md2x3ClVIdUp0UjZMN3VZZ0RaUGhrOXI5 - Q2g3RHpFdFI5dWwrTmdCQzBycDNxSTQKLS0tIGVEZGMrZUZCK2tLSjh4MEZhTVlv - NHBySGdjVlVtZFpMaUdqN3dlWklsVWcKMhLmsGRJcmwJEgK8KvHDgYKONPrpFUzt - uXIV9KV4HnDnWVk0d9kAAmNP/9m0JkuqArp8Gv0n5fZyv02mROANKg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrajRUT1lteFg1cWlvVlhw + RnQzcjM1S045YWJ5L0FiUnMwM0ZWVzRkRkhrCnVLRzVhSE9seXMzUVRFMGY3VlJn + UGpFZmtVenZNbWVxNWlFbFNvMURHWG8KLS0tIEthRGc2dHRGbDNjcDVMY2ZEK29q + M1FHemlxcXV0VTEyZTlYeUF3dmlBZWMKzcuj0FXT2s+L7LVYcwigSMFb4jtOEhSz + OZYZVl3NzyfoU2Y0PeyIiv5g2CI+EYPUrTPf/HJLeYLQftW9FBUhGA== -----END AGE ENCRYPTED FILE----- - recipient: age19efecaur72d92g452zpe4uxjtwev2ktjtaezascxg9l2p8544s8s05d93r enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBN1lpWnhNbUViUmRlME9Q - V3lMN3JtNTNHSHZhcnk3Snp3cS9WcGxGdTF3CmV6QkNNWVg5VVdrY1dtbWtJaWFP - SFU5aXM0bWNBWnZaTVVCaUN6Z085UFEKLS0tIFVFV1AveUZiZW9xMVVVVmh6SWph - TXR5R0lMek1lOXkxTm1aZXZ3SWxZUzgK18VJbvxSpEBqLTh8wRWtly3oPu+mfxEl - pVRHhPUnm+yBIY7Io8G9Z5MQ6KI1n15Yi735882LYuI6ErW3Utnb8w== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQQWxyUG0zNlFEcmNhRzhE + cVZ2ODBBWmZNYk0vWS9qSmpvSkUyQmcyZ3dBCjBXTWxEdk9RbWdHQ2thOVZtamVh + NXIwdlRmZE9hWXpvUlZWRFgwRGFqZncKLS0tIDNSQmlmSzJmOGl1aHhnQ3o0VmR2 + 
Z2tpUDUxWWlmczdiVmUyUTBaUnlIZncKIVv0fUmv1w0OjI4Fg7Xj4XSeXMAJurJN + Hs9Ydo8FLd6jKJbj75oGqhwFIM5t+9GkH2dvk92mhDmW3Yxx4Y08KA== -----END AGE ENCRYPTED FILE----- - recipient: age1zj3tzzcpyq5s66phlrf2g203am7vl6vxg2jlpr8vy6u385xljapqt0d2fr enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWMmtEN3Z4bTZSOFBNcUl4 - UlJEVWNuSTFDRXV5NmxDcERzTHdWYXl4QVM4Cmd0L3FJUVphMkR4SXFBY1UrekM5 - OVRFd1N6Q1JJbUhaOWFoc3h4OTRvNkkKLS0tIHFHN00vblVHY1dlOFVsY1dhWWU5 - MDFmeDBRMTFld2xHZEo0dkozN3hCWlEKJMSa6v8kbtHboVE6j6+a+TptU2j3EtwX - gfmAmLjEMhgQKOuK0uSWxR1CnmI53R0u+FibcGziOCp258y7LvUfFw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjM2xJMEk5R0ZhZjAvQ3Zm + b0FyY2xXWnVZa3k0ZWRUVHphejV6d0lBWnpBCjNVbmY0bWhJV1RXSm8zUzY0TFo0 + a3k0dGFxSGhRMzYzekM0Nk9yK3lIVWMKLS0tIGY2TEQ5S0J0UnI4RjZ3a3JNSWc1 + eEVOSTc2YkpSWGtnN0FaYVZRTnZoR3cKf6LLS80KXUr9EzPkPrZRIUgt4JDmDLzT + kflBMSaUsg1QJ3dSw3jAIJfVaOXm5Mo2fyBZmp9CtmqJ1VELXB/WSw== -----END AGE ENCRYPTED FILE----- - recipient: age1h7yq7n8gcw35apr7jn8r66dwss4hfcdv0sf4ankfxquyavlrqukqhr0lrc enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwM0VJSlpqZHROa2tmL3RC - NVZlMTMvSk02TDdVdXBadytzVU9LSHRkNHpNCm1SMlJoY3NQWUF0QmZ6MGtUdEhZ - ZjZKdTRVUXptWDdXQ3BhODJEVkFsK1kKLS0tIGtOZnZleURBcjNTMGpMQnoyYnh0 - c25LQXZ6d2ROV1BzQ2lvbE15TVhkdmcKIK0iCAItEau9ZPxc14uKXnLP49bPIxFW - xTbkllqzUHWsUN0EpY1WhClTl4T582n59RStvKDGvEsJty5tMl4PUg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVWUxXck9ENWladlpoZlgx + TEFObE5QVGlVKzltaXcwY1hicVhOYnlPSmkwCnhzVHRTdmo2YnY0NEI1dHZhR0hS + VW9LYzUzbUZZMEpsRHIwYnNXeFRBcGsKLS0tIDhaUzVZQTRLS1pJaWhpSVhGaXZL + S2w4UnFwUFJjUlBUYzR3MjFBVFF0cjgKCmNXjm0yJdZGO7kKPQGv2qaYEZQkbF9a + Jijh75gl0ypHXoIkDDFzqtf9/ss6eUmTOTEs4rKeYkKl7Ze7TNiatA== -----END AGE ENCRYPTED FILE----- - recipient: age1ypq3n3e7gnwqddq5dgkdsfm0wqagrm5pl5tkunzp44lcezsllumqsjz0hz enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXQWpSaVNvaEY2UTVOVXN3 - 
enM4Rkt3T2VjdmhreFpRd3JsSFNBK040N0hZCkhycndyQi9hbnZ6dFN4WC9iM1N2 - YUFiQjVWSXFNMURrczRWYjg5QUJucVUKLS0tIDg2aHVhSm5tNHlSRk1XdUVna3Fw - bUl6bGZDaC8xZUpjVkQ1ajRFWFA0bHMK4hvw9uQyJprR5kpaVD7S/XRdlde66KB4 - DqHP50q0KT6BIqWgbO163ppwzHzLhqkAYCHEz0V7lbekv1JHuj+RRg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNaS9aTWNqYU1qMlZkdW5G + d3h1b0hZSDkycnhtRDlYTkF6SUxtVitWM0NzCm5uVzJua0dheE80QW5sN1FqUlJG + UnV0WEh6SzE3UjhaeGpUY0prSnhOZEUKLS0tIHZhNWx3V0tFNzJrSVJBaUdoczN0 + bnJLODQ2NVd4VDkyNHRHbUNpam1mRVkKc/bMfj6h/KerTkr+Fgyv1y5mwPm/jJ/z + jrtIy7Kz+JtlE3p/TkkazHBie9A/RxBUEPTsa/SS2vT+RViB2AhBbA== -----END AGE ENCRYPTED FILE----- - recipient: age15ydstgk0fmmgy2ugmqufyqhqsqypd2mvy89enzwczz0m8ar2kvzqlcdsm8 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBONkdtNWw3Y0xGaElmWkZ3 - QjRkMmhxVUs3Mk81bWNyKzlZblF4VmJhN1ZRCmJzZ2FtdTNmMytINUJ0c3hKSDU1 - a00vV09JTkhHb2c3Vm44MlgvOVozaXMKLS0tIDFiK1h6Rnd2LzhHOWI4djd1SzB2 - NHFYTWlEeTdFSjR6WUtjKzM5bnRDUUkKDcUdTggzv3l4GI4iR24YqZNztrSVKWYm - rPCDaDtA4UVTm04H2G8jG4m0wAVaAtnpVN4nm18B9pObFUHVVh/+VQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtM1FqZG9WL1EyNDVZWlJw + djBFbUQwNEkyTDU0Z2psY2FLdTVKRU82VldZCkR4WkJMQjJWU3VsZ1NEL1RGQk5V + VU84M081VVFqOXc0bGQwdThEcWthNjQKLS0tIHVFUU5YeHFBOXA0dGR0aXhCQmFa + VSthN3l3cm5ISC9rR0tLMDBmRHkyWkUKhflWL3W72KLrglJCCykaTcrHSyMeGS+s + EMDQck7nY0n5JMEybq1F14EFTv7jGDseLlss3f18Jeseov47JIao8w== -----END AGE ENCRYPTED FILE----- - recipient: age1nh7nnp3rznfqkzudn7dzkkkxuz0ywjw8hacnftvgh60egtw79ejqam4n4p enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBERmY4TUlIK0liWlVlTS9v - OWRRRVc5bkt0ajRpdVpZc2E3bm5OWTNzaVZNCnc0RkV0enFLN3ZJZ1J5a1FKSlQ3 - aWNGeTlaOHc0SjcrSkRINW1iWEhGR2cKLS0tIGhNeW9NZ20rNGtXSENodE1BNHlj - NndsN3Zja1hQRkxNNDBYZnorTFpTOGsKvMY9ajPmibz1s7AU+yN8lWHdmh0gu0II - N+bjKnq4i2KeBpYAP8C7w5otHRIVcq+RAmW7R0q3z0wNrHuZVWexFA== - -----END AGE ENCRYPTED FILE----- - - recipient: age1n7ltu5yh49l7f2pgn7nyp9xpfcp45hjs379yv2txa2t2w0yd2fqq2wt3t9 - enc: | - 
-----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLNEJkdVB5bEJmNlY1OWQ0 - N2dSRDRTZThHTFN1bFNQMnptNWFZYUVEVFJFCnJCWXFUcVdFT1p6L08vMVIzdHVv - V0RjZ1ljaW5DanVjY25rWXBubkNnYTgKLS0tIDQyOSt4UmhjcFoyWTRYT29sQlQ5 - OXlLNHlpdHBvQzJVd2FOSGhBTVhJQUUK551YtRFBxVmmWuKulnBSps3Z8Y2k4YFF - Gf1JZc4Y8ggyLdEtr2ArmCVC/u02+6B+p7T1Ja76f8dp8mqUSppjHg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzNDhwenphZGUxK3lSbEYv + d3lvN29VSzNVcFpZN2NHU3VUdnhsWjltQkVBCitHL3RzdmswdWltUU9LNGE4Zy9N + dHBpYkV5Z2FTaE4zRThXS1RMbFdiRWsKLS0tIE9pdjI1YWw2b2hoSzF0QUtmbmJN + cE9PZXdBcTY3WVZlSW55dE1hcFp4eXcKXMAWZ2lfYhsJrKSaWeRIByeop6A92vxd + f4lKX5/y5lu9EIH3j16laswfrOYLGpvopbrj2rOp4vWQ0axWVg04Jw== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-08-08T15:38:19Z" mac: ENC[AES256_GCM,data:IoqrJyCNad4/OFH6y24kYMwnkF3OWfsw77POg00btvw7FoPoaSJ76RySMs6hgWs202bDYSDi44OvbgCVeNPkhe9eyM0gwF0Gf0cE3wirc+qj2qfL9/lMOTZm02WymMglJf6xTcPo3BH00XryR7ptid9+WrB0S2aBVNlcXSBwpzY=,iv:aLI2SyUzWqp/4XFPhogq2vq/u47bs6Gmgc/PRMe+GmM=,tag:jVnW7EkqDRfQluGTiw0olA==,type:str] pgp: - - created_at: "2025-11-24T13:25:53Z" + - created_at: "2025-11-18T15:06:30Z" enc: |- -----BEGIN PGP MESSAGE----- - hQIMAzwtBoBqH5ZOAQ/+PPG+DkWHyr1BWMsxmOmxk47TMjVvU9y1XPjTfgXgoE/2 - kRLgnUd57rOzjbHuYW6ipctdBsu/o3kJwRdqXySVoLckaHoqoErejG7msypuDaKj - 0lCFE8KAwqN5QJwYZOFeJ/WN+kbsVTWY2tUgN3kPLTrF/mQwKY1b5gAOvNRjaPLw - rYeR29fJge1PNH6PeaY9ODGG4NU0YctUz0AO0RSVEpO5rxTdxHMzpK6xtviQKhwA - 9MaHJWZmL8F0ccCLM60QO4NHPFe/cw/qhYqAXcc1IJDwOU4uslNwnZY7x0V7dwWt - I9RS73cz4fgaFDLmBl45GOnii5D8Nz4AXfkOyv7hXTbsV86LErudHwV3ARObU9LN - VCln1hu9bbGZXNbxzQceaHFgnnGj+2AC/+T+jZntayMeIKFVEWhKLWl6z47PqEpO - wJRuXnDfuWyg14qVXZ/w43NVvFPAiPBEMZCLSOZXgn2SUD1rbvFuyXo1ZPTi8b4I - yPeYUmSRsrw4ZVgT/loS4Y7JTRe7P1x05csIMsrEHrXsAS3oWxEg52/FufChvwaz - SYdg48lPK1lPpehmAwVNmtugMXIP9GVEa/BZO8Pj4cJQoF780q4TknwkWyFqTWEh - E8wgEzyUB14g8CCxzteOWsv/1WtuXylp4/yEQe2/pSGAR4r4KLf2ZRL1Nj3GsMnS - XgEtYhgBHg4mmUd8T/uo63ZRKGtlLNLLdKkSLkzm0wgTY//r1iEhqwOMQjbRPuM7 - 
osITmHr5VPhQYLKkEMeg4IweXsN6Zkb79un32hcFGlBGJcMpI22m0svDmGhB5oc= - =USV4 + hQIMAzwtBoBqH5ZOARAAiUhe3cBmpiJrkNinVIqUw+52Q1GC20LmQVfounrLxegY + 5hEWzKUKs3qBF54oVnLITUJfgYAxYMW9Zn0nlASSPc5QHUGNv013KgOaPQjwaoXS + 8Z3wYMh3qFObbJVmiPI7FtoGfBh6WXfPgPwTjzMfsOJg1zr4WWJzuBJbhMtiI3zJ + rrJiK0IYzQkoha34oT1VJaHBH+xQha2JWVIZ4pBKZLkTJFQYKckAxeKmlEn8nQTT + SJwtBKKlc80fZCe/s7hwKPm0GTTV+wwv1jvCsaf/GIFqKoMOBmqEAz8GcETQNaFC + sNkDWWFlxlsioG6Zi+Ok7tvFhyxEoF4sABuYx8LoBbL12UgZJRbhM7HIakxnORBu + a3QomZKAxfZ4zMRKaOYjUVGFdoJWgxb3wqa5WiHM5GeOQJzRzdpPwdTJPrxQSsx4 + /p5+MOFoia9GdBbwcdkVEopX+m5TvY+i3Gs/GnHSWZaXQBjhSW/O5UE29dHas3ai + tY+1FVnUpVyCnqF/BXRhgXydpVzZEAHoYF/hz2ah7AI2CnmeQ3ypO1DsfoADkgm+ + iinHFmU+ZpZJndpPsjoarJHBySoK4N34JsiJcv4DGv+4XbtEySb/r7rgZzrRNuj5 + tMtmQs82Ii+836NDImvJs8vg2H40bPLsVMtJ7xAYSGLXDDueXHPmCFOuJZ0KsR/S + XgFe91sDNTG/6j0PEilYTMyp04qMaxwT4teouMRlLr/rACJj5jpt5BVO4K8nDaYf + uq0wX2mXYJqoWZU1DBYO0vRRTpcpenLMV5M+ZrUy2LQINmLCUAuFB73cGUlQNac= + =8FwO -----END PGP MESSAGE----- fp: 58EF8D71114EF548DEE3320DE6F04916B6EEBD83 unencrypted_suffix: _unencrypted