From d0b284cbbcb843cd0b18ab38df40438b5db5b518 Mon Sep 17 00:00:00 2001
From: gabo
Date: Sat, 12 Oct 2024 17:14:48 +0200
Subject: [PATCH 01/41] Ajout VM Bitwarden

---
 hosts/vm/vaultwarden/default.nix | 15 ++++++
 .../vm/vaultwarden/hardware-configuration.nix | 32 +++++++++++
 hosts/vm/vaultwarden/networking.nix | 53 +++++++++++++++++++
 3 files changed, 100 insertions(+)
 create mode 100644 hosts/vm/vaultwarden/default.nix
 create mode 100644 hosts/vm/vaultwarden/hardware-configuration.nix
 create mode 100644 hosts/vm/vaultwarden/networking.nix

diff --git a/hosts/vm/vaultwarden/default.nix b/hosts/vm/vaultwarden/default.nix
new file mode 100644
index 0000000..1396d4b
--- /dev/null
+++ b/hosts/vm/vaultwarden/default.nix
@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./networking.nix
+
+ ../../../modules
+ ];
+
+ networking.hostName = "vaultwarden";
+ boot.loader.grub.devices = [ "/dev/sda" ];
+
+ system.stateVersion = "23.11";
+}
diff --git a/hosts/vm/vaultwarden/hardware-configuration.nix b/hosts/vm/vaultwarden/hardware-configuration.nix
new file mode 100644
index 0000000..dd003c8
--- /dev/null
+++ b/hosts/vm/vaultwarden/hardware-configuration.nix
@@ -0,0 +1,32 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/03214fba-5aad-4f5d-9e0c-da089dcb5d2b"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + # networking.interfaces.ens19.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/vm/vaultwarden/networking.nix b/hosts/vm/vaultwarden/networking.nix new file mode 100644 index 0000000..5e870b4 --- /dev/null +++ b/hosts/vm/vaultwarden/networking.nix 
@@ -0,0 +1,53 @@ +{ ... }: + +{ + networking = { + interfaces = { + ens18 = { + + ipv4 = { + addresses = [{ + address = "172.16.10.159"; + prefixLength = 24; + }]; + }; + + ipv6 = { + addresses = [{ + address = "fd00::10:0:ff:fe01:5910"; + prefixLength = 64; + }]; + }; + + }; + + ens19 = { + + ipv4 = { + addresses = [{ + address = "172.16.3.159"; + prefixLength = 24; + }]; + routes = [{ + address = "0.0.0.0"; + via = "172.16.3.99"; + prefixLength = 0; + }]; + }; + + ipv6 = { + addresses = [{ + address = "2a0c:700:3::ff:fe01:5903"; + prefixLength = 64; + }]; + routes = [{ + address = "::"; + via = "2a0c:700:3::ff:fe00:9903"; + prefixLength = 0; + }]; + }; + + }; + }; + }; +} From 7910f90380dade2b742d5863ddb4d7ea94a659ab Mon Sep 17 00:00:00 2001 From: gabo Date: Sat, 12 Oct 2024 17:24:06 +0200 Subject: [PATCH 02/41] correction sur le flake --- flake.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/flake.nix b/flake.nix index 7f747b2..e4d64c4 100644 --- a/flake.nix +++ b/flake.nix @@ -71,7 +71,12 @@ specialArgs = inputs; modules = [ ./hosts/vm/two ] ++ baseModules; }; + + vaultwarden = nixosSystem { + specialArgs = inputs; + modules = [ ./hosts/vm/vaultwarden ] ++ baseModules; }; + }; }; perSystem = From 1019072dc6e01e2455865da399349cba9251256f Mon Sep 17 00:00:00 2001 From: pigeonmoelleux Date: Sat, 12 Oct 2024 18:21:03 +0200 Subject: [PATCH 03/41] Ajout nouvel UUID --- hosts/vm/vaultwarden/hardware-configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/vm/vaultwarden/hardware-configuration.nix b/hosts/vm/vaultwarden/hardware-configuration.nix index dd003c8..f580b41 100644 --- a/hosts/vm/vaultwarden/hardware-configuration.nix +++ b/hosts/vm/vaultwarden/hardware-configuration.nix @@ -14,7 +14,7 @@ boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-uuid/03214fba-5aad-4f5d-9e0c-da089dcb5d2b"; + { device = "/dev/disk/by-uuid/4ded0657-a876-48d2-8fe0-9e1c0d3373f8"; fsType = "ext4"; }; 
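Review bot: In hosts/vm/vaultwarden/networking.nix (PATCH 01/41) the vault host gets a globally routable IPv6 address and both default routes on `ens19`, but nothing in this host's files says which interface is meant to face clients or states the firewall posture. Since this VM will hold password vaults, I would document the roles with a comment above each interface (for example `# ens18: internal network, no default route`, wording to be confirmed by the author) and pin the filtering in the host itself rather than relying on defaults, e.g. `networking.firewall.enable = true;`, unless `../../../modules` already does so (not visible in this excerpt). The generated hardware-configuration.nix also leaves `networking.useDHCP = lib.mkDefault true;` in effect; with fully static addressing, `networking.useDHCP = false;` in networking.nix would make that explicit.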
From 3fa6f4a8ef3837c9d89bd2ac2a07668a9ea73d2a Mon Sep 17 00:00:00 2001 From: gabo Date: Sun, 13 Oct 2024 19:49:40 +0200 Subject: [PATCH 04/41] changement disk et State version --- hosts/vm/vaultwarden/default.nix | 2 +- hosts/vm/vaultwarden/hardware-configuration.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts/vm/vaultwarden/default.nix b/hosts/vm/vaultwarden/default.nix index 1396d4b..f2f2fd6 100644 --- a/hosts/vm/vaultwarden/default.nix +++ b/hosts/vm/vaultwarden/default.nix @@ -11,5 +11,5 @@ networking.hostName = "vaultwarden"; boot.loader.grub.devices = [ "/dev/sda" ]; - system.stateVersion = "23.11"; + system.stateVersion = "24.05"; } diff --git a/hosts/vm/vaultwarden/hardware-configuration.nix b/hosts/vm/vaultwarden/hardware-configuration.nix index f580b41..babe446 100644 --- a/hosts/vm/vaultwarden/hardware-configuration.nix +++ b/hosts/vm/vaultwarden/hardware-configuration.nix @@ -14,7 +14,7 @@ boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-uuid/4ded0657-a876-48d2-8fe0-9e1c0d3373f8"; + { device = "/dev/disk/by-uuid/e4e8f7c8-1673-464a-9688-468510d28b23"; fsType = "ext4"; }; From cf4d7dd1136438c1bc39eeb21fdc18bf7f53a972 Mon Sep 17 00:00:00 2001 From: gabo Date: Sat, 23 Nov 2024 14:50:38 +0100 Subject: [PATCH 05/41] ajout hardware-configuration.nix --- hosts/vm/vaultwarden/hardware-configuration.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/vm/vaultwarden/hardware-configuration.nix b/hosts/vm/vaultwarden/hardware-configuration.nix index babe446..9b113d6 100644 --- a/hosts/vm/vaultwarden/hardware-configuration.nix +++ b/hosts/vm/vaultwarden/hardware-configuration.nix @@ -14,7 +14,7 @@ boot.extraModulePackages = [ ]; fileSystems."/" = - { device = "/dev/disk/by-uuid/e4e8f7c8-1673-464a-9688-468510d28b23"; + { device = "/dev/disk/by-uuid/c97aeccd-b88a-407e-a08d-f821a3f34936"; fsType = "ext4"; }; From db2d2d3986099c832e9eebee49002481e144faab Mon Sep 17 00:00:00 2001 
From: gabo
Date: Sat, 23 Nov 2024 15:29:51 +0100
Subject: [PATCH 06/41] ajout module vaultwarden

---
 modules/services/vaultwarden.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 modules/services/vaultwarden.nix

diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix
new file mode 100644
index 0000000..7df899d
--- /dev/null
+++ b/modules/services/vaultwarden.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+ backupDir = "/var/backup/vaultwarden";
+ environmentFile =
+ };
+}
+
From d360e5d769766a0faabfa60f88ddf33b83a20bc4 Mon Sep 17 00:00:00 2001
From: gabo
Date: Sat, 26 Apr 2025 18:19:44 +0200
Subject: [PATCH 07/41] configuration de minimale (pas du tout fini) avec rebase sur main pour les secrets

---
 modules/services/vaultwarden.nix | 11 -
 modules/services/vaultwarden/default.nix | 11 +
 modules/services/vaultwarden/env | 581 ++++++++++++++++++++++
 modules/services/vaultwarden/env.template | 581 ++++++++++++++++++++++
 4 files changed, 1173 insertions(+), 11 deletions(-)
 delete mode 100644 modules/services/vaultwarden.nix
 create mode 100644 modules/services/vaultwarden/default.nix
 create mode 100644 modules/services/vaultwarden/env
 create mode 100644 modules/services/vaultwarden/env.template

diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix
deleted file mode 100644
index 7df899d..0000000
--- a/modules/services/vaultwarden.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ ... }:
-
-{
- services.vaultwarden = {
- enable = true;
- dbBackend = "postgresql";
- backupDir = "/var/backup/vaultwarden";
- environmentFile =
- };
-}
-
diff --git a/modules/services/vaultwarden/default.nix b/modules/services/vaultwarden/default.nix
new file mode 100644
index 0000000..9adfcc9
--- /dev/null
+++ b/modules/services/vaultwarden/default.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+ backupDir = "/var/backup/vaultwarden";
+ environmentFile = "/etc/nixos/modules/services/vaultwarden/env"; #fichier de configuration de vaultwarden, peut être la seed pour la mettre ailleur
+ };
+}
+
diff --git a/modules/services/vaultwarden/env b/modules/services/vaultwarden/env
new file mode 100644
index 0000000..80eb475
--- /dev/null
+++ b/modules/services/vaultwarden/env
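Review bot: `environmentFile` in modules/services/vaultwarden/default.nix points at `/etc/nixos/modules/services/vaultwarden/env`, and this same commit adds that `env` file to the repository, so any `ADMIN_TOKEN`, `DATABASE_URL` password or `SMTP_PASSWORD` later uncommented there would be committed in clear text and stay in history. I would keep only `env.template` tracked and point the option at a file provisioned outside git, e.g. `environmentFile = "/run/secrets/<vaultwarden-env>";` (placeholder path; the commit subject mentions a secrets setup on main, so its decrypted path is presumably the right value). The hard-coded `/etc/nixos/...` string also assumes the repository is checked out at that location on the VM. Separately, as far as I recall the nixpkgs vaultwarden module asserts that `backupDir` is only supported with `dbBackend = "sqlite"`, so combining it with `"postgresql"` likely fails evaluation, and the visible part of `env` sets no `DATABASE_URL` for the PostgreSQL backend.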
@@ -0,0 +1,581 @@ +# shellcheck disable=SC2034,SC2148 +## Vaultwarden Configuration File +## Uncomment any of the following lines to change the defaults +## +## Be aware that most of these settings will be overridden if they were changed +## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json . +## +## By default, Vaultwarden expects for this file to be named ".env" and located +## in the current working directory. If this is not the case, the environment +## variable ENV_FILE can be set to the location of this file prior to starting +## Vaultwarden. + +#################### +### Data folders ### +#################### + +## Main data folder +# DATA_FOLDER=data + +## Individual folders, these override %DATA_FOLDER% +# RSA_KEY_FILENAME=data/rsa_key +# ICON_CACHE_FOLDER=data/icon_cache +# ATTACHMENTS_FOLDER=data/attachments +# SENDS_FOLDER=data/sends +# TMP_FOLDER=data/tmp + +## Templates data folder, by default uses embedded templates +## Check source code to see the format +# TEMPLATES_FOLDER=data/templates +## Automatically reload the templates for every request, slow, use only for development +# RELOAD_TEMPLATES=false + +## Web vault settings +# WEB_VAULT_FOLDER=web-vault/ +# WEB_VAULT_ENABLED=true + +######################### +### Database settings ### +######################### + +## Database URL +## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3 +# DATABASE_URL=data/db.sqlite3 +## When using MySQL, specify an appropriate connection URI. +## Details: https://docs.diesel.rs/2.1.x/diesel/mysql/struct.MysqlConnection.html +# DATABASE_URL=mysql://user:password@host[:port]/database_name +## When using PostgreSQL, specify an appropriate connection URI (recommended) +## or keyword/value connection string. 
+## Details: +## - https://docs.diesel.rs/2.1.x/diesel/pg/struct.PgConnection.html +## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING +# DATABASE_URL=postgresql://user:password@host[:port]/database_name + +## Enable WAL for the DB +## Set to false to avoid enabling WAL during startup. +## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB, +## this setting only prevents Vaultwarden from automatically enabling it on start. +## Please read project wiki page about this setting first before changing the value as it can +## cause performance degradation or might render the service unable to start. +# ENABLE_DB_WAL=true + +## Database connection retries +## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely +# DB_CONNECTION_RETRIES=15 + +## Database timeout +## Timeout when acquiring database connection +# DATABASE_TIMEOUT=30 + +## Database max connections +## Define the size of the connection pool used for connecting to the database. +# DATABASE_MAX_CONNS=10 + +## Database connection initialization +## Allows SQL statements to be run whenever a new database connection is created. +## This is mainly useful for connection-scoped pragmas. 
+## If empty, a database-specific default is used: +## - SQLite: "PRAGMA busy_timeout = 5000; PRAGMA synchronous = NORMAL;" +## - MySQL: "" +## - PostgreSQL: "" +# DATABASE_CONN_INIT="" + +################# +### WebSocket ### +################# + +## Enable websocket notifications +# ENABLE_WEBSOCKET=true + +########################## +### Push notifications ### +########################## + +## Enables push notifications (requires key and id from https://bitwarden.com/host) +## Details about mobile client push notification: +## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification +# PUSH_ENABLED=false +# PUSH_INSTALLATION_ID=CHANGEME +# PUSH_INSTALLATION_KEY=CHANGEME + +# WARNING: Do not modify the following settings unless you fully understand their implications! +# Default Push Relay and Identity URIs +# PUSH_RELAY_URI=https://push.bitwarden.com +# PUSH_IDENTITY_URI=https://identity.bitwarden.com +# European Union Data Region Settings +# If you have selected "European Union" as your data region, use the following URIs instead. +# PUSH_RELAY_URI=https://api.bitwarden.eu +# PUSH_IDENTITY_URI=https://identity.bitwarden.eu + +##################### +### Schedule jobs ### +##################### + +## Job scheduler settings +## +## Job schedules use a cron-like syntax (as parsed by https://crates.io/crates/cron), +## and are always in terms of UTC time (regardless of your local time zone settings). +## +## The schedule format is a bit different from crontab as crontab does not contains seconds. +## You can test the the format here: https://crontab.guru, but remove the first digit! +## SEC MIN HOUR DAY OF MONTH MONTH DAY OF WEEK +## "0 30 9,12,15 1,15 May-Aug Mon,Wed,Fri" +## "0 30 * * * * " +## "0 30 1 * * * " +## +## How often (in ms) the job scheduler thread checks for jobs that need running. +## Set to 0 to globally disable scheduled jobs. 
+# JOB_POLL_INTERVAL_MS=30000 +## +## Cron schedule of the job that checks for Sends past their deletion date. +## Defaults to hourly (5 minutes after the hour). Set blank to disable this job. +# SEND_PURGE_SCHEDULE="0 5 * * * *" +## +## Cron schedule of the job that checks for trashed items to delete permanently. +## Defaults to daily (5 minutes after midnight). Set blank to disable this job. +# TRASH_PURGE_SCHEDULE="0 5 0 * * *" +## +## Cron schedule of the job that checks for incomplete 2FA logins. +## Defaults to once every minute. Set blank to disable this job. +# INCOMPLETE_2FA_SCHEDULE="30 * * * * *" +## +## Cron schedule of the job that sends expiration reminders to emergency access grantors. +## Defaults to hourly (3 minutes after the hour). Set blank to disable this job. +# EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE="0 3 * * * *" +## +## Cron schedule of the job that grants emergency access requests that have met the required wait time. +## Defaults to hourly (7 minutes after the hour). Set blank to disable this job. +# EMERGENCY_REQUEST_TIMEOUT_SCHEDULE="0 7 * * * *" +## +## Cron schedule of the job that cleans old events from the event table. +## Defaults to daily. Set blank to disable this job. Also without EVENTS_DAYS_RETAIN set, this job will not start. +# EVENT_CLEANUP_SCHEDULE="0 10 0 * * *" +## Number of days to retain events stored in the database. +## If unset (the default), events are kept indefinitely and the scheduled job is disabled! +# EVENTS_DAYS_RETAIN= +## +## Cron schedule of the job that cleans old auth requests from the auth request. +## Defaults to every minute. Set blank to disable this job. +# AUTH_REQUEST_PURGE_SCHEDULE="30 * * * * *" +## +## Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt. +## Defaults to every minute. Set blank to disable this job. 
+# DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *" + +######################## +### General settings ### +######################## + +## Domain settings +## The domain must match the address from where you access the server +## It's recommended to configure this value, otherwise certain functionality might not work, +## like attachment downloads, email links and U2F. +## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs +## To use HTTPS, the recommended way is to put Vaultwarden behind a reverse proxy +## Details: +## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS +## - https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples +## For development +# DOMAIN=http://localhost +## For public server +# DOMAIN=https://vw.domain.tld +## For public server (URL with port number) +# DOMAIN=https://vw.domain.tld:8443 +## For public server (URL with path) +# DOMAIN=https://domain.tld/vw + +## Controls whether users are allowed to create Bitwarden Sends. +## This setting applies globally to all users. +## To control this on a per-org basis instead, use the "Disable Send" org policy. +# SENDS_ALLOWED=true + +## HIBP Api Key +## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key +# HIBP_API_KEY= + +## Per-organization attachment storage limit (KB) +## Max kilobytes of attachment storage allowed per organization. +## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization. +# ORG_ATTACHMENT_LIMIT= +## Per-user attachment storage limit (KB) +## Max kilobytes of attachment storage allowed per user. +## When this limit is reached, the user will not be allowed to upload further attachments. +# USER_ATTACHMENT_LIMIT= +## Per-user send storage limit (KB) +## Max kilobytes of send storage allowed per user. +## When this limit is reached, the user will not be allowed to upload further sends. 
+# USER_SEND_LIMIT= + +## Number of days to wait before auto-deleting a trashed item. +## If unset (the default), trashed items are not auto-deleted. +## This setting applies globally, so make sure to inform all users of any changes to this setting. +# TRASH_AUTO_DELETE_DAYS= + +## Number of minutes to wait before a 2FA-enabled login is considered incomplete, +## resulting in an email notification. An incomplete 2FA login is one where the correct +## master password was provided but the required 2FA step was not completed, which +## potentially indicates a master password compromise. Set to 0 to disable this check. +## This setting applies globally to all users. +# INCOMPLETE_2FA_TIME_LIMIT=3 + +## Disable icon downloading +## Set to true to disable icon downloading in the internal icon service. +## This still serves existing icons from $ICON_CACHE_FOLDER, without generating any external +## network requests. $ICON_CACHE_TTL must also be set to 0; otherwise, the existing icons +## will be deleted eventually, but won't be downloaded again. +# DISABLE_ICON_DOWNLOAD=false + +## Controls if new users can register +# SIGNUPS_ALLOWED=true + +## Controls if new users need to verify their email address upon registration +## Note that setting this option to true prevents logins until the email address has been verified! +## The welcome email will include a verification link, and login attempts will periodically +## trigger another verification email to be sent. +# SIGNUPS_VERIFY=false + +## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time +## an email verification link has been sent another verification email will be sent +# SIGNUPS_VERIFY_RESEND_TIME=3600 + +## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification +## email will be re-sent upon an attempted login. 
+# SIGNUPS_VERIFY_RESEND_LIMIT=6 + +## Controls if new users from a list of comma-separated domains can register +## even if SIGNUPS_ALLOWED is set to false +# SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org + +## Controls whether event logging is enabled for organizations +## This setting applies to organizations. +## Disabled by default. Also check the EVENT_CLEANUP_SCHEDULE and EVENTS_DAYS_RETAIN settings. +# ORG_EVENTS_ENABLED=false + +## Controls which users can create new orgs. +## Blank or 'all' means all users can create orgs (this is the default): +# ORG_CREATION_USERS= +## 'none' means no users can create orgs: +# ORG_CREATION_USERS=none +## A comma-separated list means only those users can create orgs: +# ORG_CREATION_USERS=admin1@example.com,admin2@example.com + +## Invitations org admins to invite users, even when signups are disabled +# INVITATIONS_ALLOWED=true +## Name shown in the invitation emails that don't come from a specific organization +# INVITATION_ORG_NAME=Vaultwarden + +## The number of hours after which an organization invite token, emergency access invite token, +## email verification token and deletion request token will expire (must be at least 1) +# INVITATION_EXPIRATION_HOURS=120 + +## Controls whether users can enable emergency access to their accounts. +## This setting applies globally to all users. +# EMERGENCY_ACCESS_ALLOWED=true + +## Controls whether users can change their email. +## This setting applies globally to all users +# EMAIL_CHANGE_ALLOWED=true + +## Number of server-side passwords hashing iterations for the password hash. +## The default for new users. If changed, it will be updated during login for existing users. +# PASSWORD_ITERATIONS=600000 + +## Controls whether users can set or show password hints. This setting applies globally to all users. 
+# PASSWORD_HINTS_ALLOWED=true + +## Controls whether a password hint should be shown directly in the web page if +## SMTP service is not configured and password hints are allowed. +## Not recommended for publicly-accessible instances because this provides +## unauthenticated access to potentially sensitive data. +# SHOW_PASSWORD_HINT=false + +######################### +### Advanced settings ### +######################### + +## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP" +## Set to the string "none" (without quotes), to disable any headers and just use the remote IP +# IP_HEADER=X-Real-IP + +## Icon service +## The predefined icon services are: internal, bitwarden, duckduckgo, google. +## To specify a custom icon service, set a URL template with exactly one instance of `{}`, +## which is replaced with the domain. For example: `https://icon.example.com/domain/{}`. +## +## `internal` refers to Vaultwarden's built-in icon fetching implementation. +## If an external service is set, an icon request to Vaultwarden will return an HTTP +## redirect to the corresponding icon at the external service. An external service may +## be useful if your Vaultwarden instance has no external network connectivity, or if +## you are concerned that someone may probe your instance to try to detect whether icons +## for certain sites have been cached. +# ICON_SERVICE=internal + +## Icon redirect code +## The HTTP status code to use for redirects to an external icon service. +## The supported codes are 301 (legacy permanent), 302 (legacy temporary), 307 (temporary), and 308 (permanent). +## Temporary redirects are useful while testing different icon services, but once a service +## has been decided on, consider using permanent redirects for cacheability. The legacy codes +## are currently better supported by the Bitwarden clients. 
+# ICON_REDIRECT_CODE=302 + +## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever") +## Default: 2592000 (30 days) +# ICON_CACHE_TTL=2592000 +## Cache time-to-live for icons which weren't available, in seconds (0 is "forever") +## Default: 2592000 (3 days) +# ICON_CACHE_NEGTTL=259200 + +## Icon download timeout +## Configure the timeout value when downloading the favicons. +## The default is 10 seconds, but this could be to low on slower network connections +# ICON_DOWNLOAD_TIMEOUT=10 + +## Block HTTP domains/IPs by Regex +## Any domains or IPs that match this regex won't be fetched by the internal HTTP client. +## Useful to hide other servers in the local network. Check the WIKI for more details +## NOTE: Always enclose this regex withing single quotes! +# HTTP_REQUEST_BLOCK_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$' + +## Enabling this will cause the internal HTTP client to refuse to connect to any non global IP address. +## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block +# HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=true + +## Client Settings +## Enable experimental feature flags for clients. +## This is a comma-separated list of flags, e.g. "flag1,flag2,flag3". +## +## The following flags are available: +## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials. +## - "autofill-v2": Use the new autofill implementation. +## - "browser-fileless-import": Directly import credentials from other providers without a file. +## - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension) +## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor. +## - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension. 
+## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0) +## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0) +# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials + +## Require new device emails. When a user logs in an email is required to be sent. +## If sending the email fails the login attempt will fail!! +# REQUIRE_DEVICE_EMAIL=false + +## Enable extended logging, which shows timestamps and targets in the logs +# EXTENDED_LOGGING=true + +## Timestamp format used in extended logging. +## Format specifiers: https://docs.rs/chrono/latest/chrono/format/strftime +# LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f" + +## Logging to Syslog +## This requires extended logging +# USE_SYSLOG=false + +## Logging to file +# LOG_FILE=/path/to/log + +## Log level +## Change the verbosity of the log output +## Valid values are "trace", "debug", "info", "warn", "error" and "off" +## Setting it to "trace" or "debug" would also show logs for mounted routes and static file, websocket and alive requests +## For a specific module append a comma separated `path::to::module=log_level` +## For example, to only see debug logs for icons use: LOG_LEVEL="info,vaultwarden::api::icons=debug" +# LOG_LEVEL=info + +## Token for the admin interface, preferably an Argon2 PCH string +## Vaultwarden has a built-in generator by calling `vaultwarden hash` +## For details see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token +## If not set, the admin panel is disabled +## New Argon2 PHC string +## Note that for some environments, like docker-compose you need to escape all the dollar signs `$` with an extra dollar sign like `$$` +## Also, use single quotes (') instead of double quotes (") to enclose the string when needed +# ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$MmeKRnGK5RW5mJS7h3TOL89GrpLPXJPAtTK8FTqj9HM$DqsstvoSAETl9YhnsXbf43WeaUwJC6JhViIvuPoig78' +## Old plain text 
string (Will generate warnings in favor of Argon2) +# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp + +## Enable this to bypass the admin panel security. This option is only +## meant to be used with the use of a separate auth layer in front +# DISABLE_ADMIN_TOKEN=false + +## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in. +# ADMIN_RATELIMIT_SECONDS=300 +## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`. +# ADMIN_RATELIMIT_MAX_BURST=3 + +## Set the lifetime of admin sessions to this value (in minutes). +# ADMIN_SESSION_LIFETIME=20 + +## Allowed iframe ancestors (Know the risks!) +## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors +## Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets +## This adds the configured value to the 'Content-Security-Policy' headers 'frame-ancestors' value. +## Multiple values must be separated with a whitespace. +# ALLOWED_IFRAME_ANCESTORS= + +## Allowed connect-src (Know the risks!) +## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src +## Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature +## This adds the configured value to the 'Content-Security-Policy' headers 'connect-src' value. +## Multiple values must be separated with a whitespace. And only HTTPS values are allowed. +## Example: "https://my-addy-io.domain.tld https://my-simplelogin.domain.tld" +# ALLOWED_CONNECT_SRC="" + +## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in. +# LOGIN_RATELIMIT_SECONDS=60 +## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`. 
+## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2. +# LOGIN_RATELIMIT_MAX_BURST=10 + +## BETA FEATURE: Groups +## Controls whether group support is enabled for organizations +## This setting applies to organizations. +## Disabled by default because this is a beta feature, it contains known issues! +## KNOW WHAT YOU ARE DOING! +# ORG_GROUPS_ENABLED=false + +## Increase secure note size limit (Know the risks!) +## Sets the secure note size limit to 100_000 instead of the default 10_000. +## WARNING: This could cause issues with clients. Also exports will not work on Bitwarden servers! +## KNOW WHAT YOU ARE DOING! +# INCREASE_NOTE_SIZE_LIMIT=false + +## Enforce Single Org with Reset Password Policy +## Enforce that the Single Org policy is enabled before setting the Reset Password policy +## Bitwarden enforces this by default. In Vaultwarden we encouraged to use multiple organizations because groups were not available. +## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy. +# ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false + +######################## +### MFA/2FA settings ### +######################## + +## Yubico (Yubikey) Settings +## Set your Client ID and Secret Key for Yubikey OTP +## You can generate it here: https://upgrade.yubico.com/getapikey/ +## You can optionally specify a custom OTP server +# YUBICO_CLIENT_ID=11111 +# YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA +# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify + +## Duo Settings +## You need to configure the DUO_IKEY, DUO_SKEY, and DUO_HOST options to enable global Duo support. +## Otherwise users will need to configure it themselves. 
+## Create an account and protect an application as mentioned in this link (only the first step, not the rest): +## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account +## Then set the following options, based on the values obtained from the last step: +# DUO_IKEY= +# DUO_SKEY= +# DUO_HOST= +## After that, you should be able to follow the rest of the guide linked above, +## ignoring the fields that ask for the values that you already configured beforehand. +## +## If you want to attempt to use Duo's 'Traditional Prompt' (deprecated, iframe based) set DUO_USE_IFRAME to 'true'. +## Duo no longer supports this, but it still works for some integrations. +## If you aren't sure, leave this alone. +# DUO_USE_IFRAME=false + +## Email 2FA settings +## Email token size +## Number of digits in an email 2FA token (min: 6, max: 255). +## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting! +# EMAIL_TOKEN_SIZE=6 +## +## Token expiration time +## Maximum time in seconds a token is valid. The time the user has to open email client and copy token. +# EMAIL_EXPIRATION_TIME=600 +## +## Maximum attempts before an email token is reset and a new email will need to be sent. +# EMAIL_ATTEMPTS_LIMIT=3 +## +## Setup email 2FA regardless of any organization policy +# EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE=false +## Automatically setup email 2FA as fallback provider when needed +# EMAIL_2FA_AUTO_FALLBACK=false + +## Other MFA/2FA settings +## Disable 2FA remember +## Enabling this would force the users to use a second factor to login every time. +## Note that the checkbox would still be present, but ignored. +# DISABLE_2FA_REMEMBER=false +## +## Authenticator Settings +## Disable authenticator time drifted codes to be valid. 
+## TOTP codes of the previous and next 30 seconds will be invalid
+##
+## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
+## we allow by default the TOTP code which was valid one step back and one in the future.
+## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
+## You can disable this, so that only the current TOTP Code is allowed.
+## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
+## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
+# AUTHENTICATOR_DISABLE_TIME_DRIFT=false
+
+###########################
+### SMTP Email settings ###
+###########################
+
+## Mail specific settings, set SMTP_FROM and either SMTP_HOST or USE_SENDMAIL to enable the mail service.
+## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
+## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
+# SMTP_HOST=smtp.domain.tld
+# SMTP_FROM=vaultwarden@domain.tld
+# SMTP_FROM_NAME=Vaultwarden
+# SMTP_USERNAME=username
+# SMTP_PASSWORD=password
+# SMTP_TIMEOUT=15
+
+## Choose the type of secure connection for SMTP. The default is "starttls".
+## The available options are:
+## - "starttls": The default port is 587.
+## - "force_tls": The default port is 465.
+## - "off": The default port is 25.
+## Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 (submissions) is used for encrypted submission (Implicit TLS).
+# SMTP_SECURITY=starttls
+# SMTP_PORT=587
+
+# Whether to send mail via the `sendmail` command
+# USE_SENDMAIL=false
+# Which sendmail command to use. The one found in the $PATH is used if not specified.
+# SENDMAIL_COMMAND="/path/to/sendmail"
+
+## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections.
+## Possible values: ["Plain", "Login", "Xoauth2"].
+## Multiple options need to be separated by a comma ','.
+# SMTP_AUTH_MECHANISM=
+
+## Server name sent during the SMTP HELO
+## By default this value should be is on the machine's hostname,
+## but might need to be changed in case it trips some anti-spam filters
+# HELO_NAME=
+
+## Embed images as email attachments
+# SMTP_EMBED_IMAGES=true
+
+## SMTP debugging
+## When set to true this will output very detailed SMTP messages.
+## WARNING: This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting!
+# SMTP_DEBUG=false
+
+## Accept Invalid Certificates
+## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
+## Only use this as a last resort if you are not able to use a valid certificate.
+## If the Certificate is valid but the hostname doesn't match, please use SMTP_ACCEPT_INVALID_HOSTNAMES instead.
+# SMTP_ACCEPT_INVALID_CERTS=false
+
+## Accept Invalid Hostnames
+## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
+## Only use this as a last resort if you are not able to use a valid certificate.
+# SMTP_ACCEPT_INVALID_HOSTNAMES=false
+
+#######################
+### Rocket settings ###
+#######################
+
+## Rocket specific settings
+## See https://rocket.rs/v0.5/guide/configuration/ for more details.
+# ROCKET_ADDRESS=0.0.0.0
+## The default port is 8000, unless running in a Docker container, in which case it is 80.
+# ROCKET_PORT=8000
+# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
+
+
+# vim: syntax=ini
diff --git a/modules/services/vaultwarden/env.template b/modules/services/vaultwarden/env.template
new file mode 100644
index 0000000..80eb475
--- /dev/null
+++ b/modules/services/vaultwarden/env.template
@@ -0,0 +1,581 @@
+# shellcheck disable=SC2034,SC2148
+## Vaultwarden Configuration File
+## Uncomment any of the following lines to change the defaults
+##
+## Be aware that most of these settings will be overridden if they were changed
+## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json .
+##
+## By default, Vaultwarden expects for this file to be named ".env" and located
+## in the current working directory. If this is not the case, the environment
+## variable ENV_FILE can be set to the location of this file prior to starting
+## Vaultwarden.
+
+####################
+### Data folders ###
+####################
+
+## Main data folder
+# DATA_FOLDER=data
+
+## Individual folders, these override %DATA_FOLDER%
+# RSA_KEY_FILENAME=data/rsa_key
+# ICON_CACHE_FOLDER=data/icon_cache
+# ATTACHMENTS_FOLDER=data/attachments
+# SENDS_FOLDER=data/sends
+# TMP_FOLDER=data/tmp
+
+## Templates data folder, by default uses embedded templates
+## Check source code to see the format
+# TEMPLATES_FOLDER=data/templates
+## Automatically reload the templates for every request, slow, use only for development
+# RELOAD_TEMPLATES=false
+
+## Web vault settings
+# WEB_VAULT_FOLDER=web-vault/
+# WEB_VAULT_ENABLED=true
+
+#########################
+### Database settings ###
+#########################
+
+## Database URL
+## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3
+# DATABASE_URL=data/db.sqlite3
+## When using MySQL, specify an appropriate connection URI.
+## Details: https://docs.diesel.rs/2.1.x/diesel/mysql/struct.MysqlConnection.html
+# DATABASE_URL=mysql://user:password@host[:port]/database_name
+## When using PostgreSQL, specify an appropriate connection URI (recommended)
+## or keyword/value connection string.
+## Details:
+## - https://docs.diesel.rs/2.1.x/diesel/pg/struct.PgConnection.html
+## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
+# DATABASE_URL=postgresql://user:password@host[:port]/database_name
+
+## Enable WAL for the DB
+## Set to false to avoid enabling WAL during startup.
+## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB,
+## this setting only prevents Vaultwarden from automatically enabling it on start.
+## Please read project wiki page about this setting first before changing the value as it can
+## cause performance degradation or might render the service unable to start.
+# ENABLE_DB_WAL=true
+
+## Database connection retries
+## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely
+# DB_CONNECTION_RETRIES=15
+
+## Database timeout
+## Timeout when acquiring database connection
+# DATABASE_TIMEOUT=30
+
+## Database max connections
+## Define the size of the connection pool used for connecting to the database.
+# DATABASE_MAX_CONNS=10
+
+## Database connection initialization
+## Allows SQL statements to be run whenever a new database connection is created.
+## This is mainly useful for connection-scoped pragmas.
+## If empty, a database-specific default is used:
+## - SQLite: "PRAGMA busy_timeout = 5000; PRAGMA synchronous = NORMAL;"
+## - MySQL: ""
+## - PostgreSQL: ""
+# DATABASE_CONN_INIT=""
+
+#################
+### WebSocket ###
+#################
+
+## Enable websocket notifications
+# ENABLE_WEBSOCKET=true
+
+##########################
+### Push notifications ###
+##########################
+
+## Enables push notifications (requires key and id from https://bitwarden.com/host)
+## Details about mobile client push notification:
+## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification
+# PUSH_ENABLED=false
+# PUSH_INSTALLATION_ID=CHANGEME
+# PUSH_INSTALLATION_KEY=CHANGEME
+
+# WARNING: Do not modify the following settings unless you fully understand their implications!
+# Default Push Relay and Identity URIs
+# PUSH_RELAY_URI=https://push.bitwarden.com
+# PUSH_IDENTITY_URI=https://identity.bitwarden.com
+# European Union Data Region Settings
+# If you have selected "European Union" as your data region, use the following URIs instead.
+# PUSH_RELAY_URI=https://api.bitwarden.eu
+# PUSH_IDENTITY_URI=https://identity.bitwarden.eu
+
+#####################
+### Schedule jobs ###
+#####################
+
+## Job scheduler settings
+##
+## Job schedules use a cron-like syntax (as parsed by https://crates.io/crates/cron),
+## and are always in terms of UTC time (regardless of your local time zone settings).
+##
+## The schedule format is a bit different from crontab as crontab does not contains seconds.
+## You can test the the format here: https://crontab.guru, but remove the first digit!
+## SEC MIN HOUR DAY OF MONTH MONTH DAY OF WEEK
+## "0 30 9,12,15 1,15 May-Aug Mon,Wed,Fri"
+## "0 30 * * * * "
+## "0 30 1 * * * "
+##
+## How often (in ms) the job scheduler thread checks for jobs that need running.
+## Set to 0 to globally disable scheduled jobs.
+# JOB_POLL_INTERVAL_MS=30000
+##
+## Cron schedule of the job that checks for Sends past their deletion date.
+## Defaults to hourly (5 minutes after the hour). Set blank to disable this job.
+# SEND_PURGE_SCHEDULE="0 5 * * * *"
+##
+## Cron schedule of the job that checks for trashed items to delete permanently.
+## Defaults to daily (5 minutes after midnight). Set blank to disable this job.
+# TRASH_PURGE_SCHEDULE="0 5 0 * * *"
+##
+## Cron schedule of the job that checks for incomplete 2FA logins.
+## Defaults to once every minute. Set blank to disable this job.
+# INCOMPLETE_2FA_SCHEDULE="30 * * * * *"
+##
+## Cron schedule of the job that sends expiration reminders to emergency access grantors.
+## Defaults to hourly (3 minutes after the hour). Set blank to disable this job.
+# EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE="0 3 * * * *"
+##
+## Cron schedule of the job that grants emergency access requests that have met the required wait time.
+## Defaults to hourly (7 minutes after the hour). Set blank to disable this job.
+# EMERGENCY_REQUEST_TIMEOUT_SCHEDULE="0 7 * * * *"
+##
+## Cron schedule of the job that cleans old events from the event table.
+## Defaults to daily. Set blank to disable this job. Also without EVENTS_DAYS_RETAIN set, this job will not start.
+# EVENT_CLEANUP_SCHEDULE="0 10 0 * * *"
+## Number of days to retain events stored in the database.
+## If unset (the default), events are kept indefinitely and the scheduled job is disabled!
+# EVENTS_DAYS_RETAIN=
+##
+## Cron schedule of the job that cleans old auth requests from the auth request.
+## Defaults to every minute. Set blank to disable this job.
+# AUTH_REQUEST_PURGE_SCHEDULE="30 * * * * *"
+##
+## Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt.
+## Defaults to every minute. Set blank to disable this job.
+# DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *"
+
+########################
+### General settings ###
+########################
+
+## Domain settings
+## The domain must match the address from where you access the server
+## It's recommended to configure this value, otherwise certain functionality might not work,
+## like attachment downloads, email links and U2F.
+## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
+## To use HTTPS, the recommended way is to put Vaultwarden behind a reverse proxy
+## Details:
+## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS
+## - https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
+## For development
+# DOMAIN=http://localhost
+## For public server
+# DOMAIN=https://vw.domain.tld
+## For public server (URL with port number)
+# DOMAIN=https://vw.domain.tld:8443
+## For public server (URL with path)
+# DOMAIN=https://domain.tld/vw
+
+## Controls whether users are allowed to create Bitwarden Sends.
+## This setting applies globally to all users.
+## To control this on a per-org basis instead, use the "Disable Send" org policy.
+# SENDS_ALLOWED=true
+
+## HIBP Api Key
+## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key
+# HIBP_API_KEY=
+
+## Per-organization attachment storage limit (KB)
+## Max kilobytes of attachment storage allowed per organization.
+## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization.
+# ORG_ATTACHMENT_LIMIT=
+## Per-user attachment storage limit (KB)
+## Max kilobytes of attachment storage allowed per user.
+## When this limit is reached, the user will not be allowed to upload further attachments.
+# USER_ATTACHMENT_LIMIT=
+## Per-user send storage limit (KB)
+## Max kilobytes of send storage allowed per user.
+## When this limit is reached, the user will not be allowed to upload further sends.
+# USER_SEND_LIMIT=
+
+## Number of days to wait before auto-deleting a trashed item.
+## If unset (the default), trashed items are not auto-deleted.
+## This setting applies globally, so make sure to inform all users of any changes to this setting.
+# TRASH_AUTO_DELETE_DAYS=
+
+## Number of minutes to wait before a 2FA-enabled login is considered incomplete,
+## resulting in an email notification. An incomplete 2FA login is one where the correct
+## master password was provided but the required 2FA step was not completed, which
+## potentially indicates a master password compromise. Set to 0 to disable this check.
+## This setting applies globally to all users.
+# INCOMPLETE_2FA_TIME_LIMIT=3
+
+## Disable icon downloading
+## Set to true to disable icon downloading in the internal icon service.
+## This still serves existing icons from $ICON_CACHE_FOLDER, without generating any external
+## network requests. $ICON_CACHE_TTL must also be set to 0; otherwise, the existing icons
+## will be deleted eventually, but won't be downloaded again.
+# DISABLE_ICON_DOWNLOAD=false
+
+## Controls if new users can register
+# SIGNUPS_ALLOWED=true
+
+## Controls if new users need to verify their email address upon registration
+## Note that setting this option to true prevents logins until the email address has been verified!
+## The welcome email will include a verification link, and login attempts will periodically
+## trigger another verification email to be sent.
+# SIGNUPS_VERIFY=false
+
+## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time
+## an email verification link has been sent another verification email will be sent
+# SIGNUPS_VERIFY_RESEND_TIME=3600
+
+## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification
+## email will be re-sent upon an attempted login.
+# SIGNUPS_VERIFY_RESEND_LIMIT=6
+
+## Controls if new users from a list of comma-separated domains can register
+## even if SIGNUPS_ALLOWED is set to false
+# SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org
+
+## Controls whether event logging is enabled for organizations
+## This setting applies to organizations.
+## Disabled by default. Also check the EVENT_CLEANUP_SCHEDULE and EVENTS_DAYS_RETAIN settings.
+# ORG_EVENTS_ENABLED=false
+
+## Controls which users can create new orgs.
+## Blank or 'all' means all users can create orgs (this is the default):
+# ORG_CREATION_USERS=
+## 'none' means no users can create orgs:
+# ORG_CREATION_USERS=none
+## A comma-separated list means only those users can create orgs:
+# ORG_CREATION_USERS=admin1@example.com,admin2@example.com
+
+## Invitations org admins to invite users, even when signups are disabled
+# INVITATIONS_ALLOWED=true
+## Name shown in the invitation emails that don't come from a specific organization
+# INVITATION_ORG_NAME=Vaultwarden
+
+## The number of hours after which an organization invite token, emergency access invite token,
+## email verification token and deletion request token will expire (must be at least 1)
+# INVITATION_EXPIRATION_HOURS=120
+
+## Controls whether users can enable emergency access to their accounts.
+## This setting applies globally to all users.
+# EMERGENCY_ACCESS_ALLOWED=true
+
+## Controls whether users can change their email.
+## This setting applies globally to all users
+# EMAIL_CHANGE_ALLOWED=true
+
+## Number of server-side passwords hashing iterations for the password hash.
+## The default for new users. If changed, it will be updated during login for existing users.
+# PASSWORD_ITERATIONS=600000
+
+## Controls whether users can set or show password hints. This setting applies globally to all users.
+# PASSWORD_HINTS_ALLOWED=true
+
+## Controls whether a password hint should be shown directly in the web page if
+## SMTP service is not configured and password hints are allowed.
+## Not recommended for publicly-accessible instances because this provides
+## unauthenticated access to potentially sensitive data.
+# SHOW_PASSWORD_HINT=false
+
+#########################
+### Advanced settings ###
+#########################
+
+## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP"
+## Set to the string "none" (without quotes), to disable any headers and just use the remote IP
+# IP_HEADER=X-Real-IP
+
+## Icon service
+## The predefined icon services are: internal, bitwarden, duckduckgo, google.
+## To specify a custom icon service, set a URL template with exactly one instance of `{}`,
+## which is replaced with the domain. For example: `https://icon.example.com/domain/{}`.
+##
+## `internal` refers to Vaultwarden's built-in icon fetching implementation.
+## If an external service is set, an icon request to Vaultwarden will return an HTTP
+## redirect to the corresponding icon at the external service. An external service may
+## be useful if your Vaultwarden instance has no external network connectivity, or if
+## you are concerned that someone may probe your instance to try to detect whether icons
+## for certain sites have been cached.
+# ICON_SERVICE=internal
+
+## Icon redirect code
+## The HTTP status code to use for redirects to an external icon service.
+## The supported codes are 301 (legacy permanent), 302 (legacy temporary), 307 (temporary), and 308 (permanent).
+## Temporary redirects are useful while testing different icon services, but once a service
+## has been decided on, consider using permanent redirects for cacheability. The legacy codes
+## are currently better supported by the Bitwarden clients.
+# ICON_REDIRECT_CODE=302
+
+## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever")
+## Default: 2592000 (30 days)
+# ICON_CACHE_TTL=2592000
+## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
+## Default: 2592000 (3 days)
+# ICON_CACHE_NEGTTL=259200
+
+## Icon download timeout
+## Configure the timeout value when downloading the favicons.
+## The default is 10 seconds, but this could be to low on slower network connections
+# ICON_DOWNLOAD_TIMEOUT=10
+
+## Block HTTP domains/IPs by Regex
+## Any domains or IPs that match this regex won't be fetched by the internal HTTP client.
+## Useful to hide other servers in the local network. Check the WIKI for more details
+## NOTE: Always enclose this regex withing single quotes!
+# HTTP_REQUEST_BLOCK_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'
+
+## Enabling this will cause the internal HTTP client to refuse to connect to any non global IP address.
+## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
+# HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=true
+
+## Client Settings
+## Enable experimental feature flags for clients.
+## This is a comma-separated list of flags, e.g. "flag1,flag2,flag3".
+##
+## The following flags are available:
+## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
+## - "autofill-v2": Use the new autofill implementation.
+## - "browser-fileless-import": Directly import credentials from other providers without a file.
+## - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
+## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
+## - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
+## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
+## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
+# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials
+
+## Require new device emails. When a user logs in an email is required to be sent.
+## If sending the email fails the login attempt will fail!!
+# REQUIRE_DEVICE_EMAIL=false
+
+## Enable extended logging, which shows timestamps and targets in the logs
+# EXTENDED_LOGGING=true
+
+## Timestamp format used in extended logging.
+## Format specifiers: https://docs.rs/chrono/latest/chrono/format/strftime
+# LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f"
+
+## Logging to Syslog
+## This requires extended logging
+# USE_SYSLOG=false
+
+## Logging to file
+# LOG_FILE=/path/to/log
+
+## Log level
+## Change the verbosity of the log output
+## Valid values are "trace", "debug", "info", "warn", "error" and "off"
+## Setting it to "trace" or "debug" would also show logs for mounted routes and static file, websocket and alive requests
+## For a specific module append a comma separated `path::to::module=log_level`
+## For example, to only see debug logs for icons use: LOG_LEVEL="info,vaultwarden::api::icons=debug"
+# LOG_LEVEL=info
+
+## Token for the admin interface, preferably an Argon2 PCH string
+## Vaultwarden has a built-in generator by calling `vaultwarden hash`
+## For details see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
+## If not set, the admin panel is disabled
+## New Argon2 PHC string
+## Note that for some environments, like docker-compose you need to escape all the dollar signs `$` with an extra dollar sign like `$$`
+## Also, use single quotes (') instead of double quotes (") to enclose the string when needed
+# ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$MmeKRnGK5RW5mJS7h3TOL89GrpLPXJPAtTK8FTqj9HM$DqsstvoSAETl9YhnsXbf43WeaUwJC6JhViIvuPoig78'
+## Old plain text string (Will generate warnings in favor of Argon2)
+# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
+
+## Enable this to bypass the admin panel security. This option is only
+## meant to be used with the use of a separate auth layer in front
+# DISABLE_ADMIN_TOKEN=false
+
+## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in.
+# ADMIN_RATELIMIT_SECONDS=300
+## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`.
+# ADMIN_RATELIMIT_MAX_BURST=3
+
+## Set the lifetime of admin sessions to this value (in minutes).
+# ADMIN_SESSION_LIFETIME=20
+
+## Allowed iframe ancestors (Know the risks!)
+## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
+## Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
+## This adds the configured value to the 'Content-Security-Policy' headers 'frame-ancestors' value.
+## Multiple values must be separated with a whitespace.
+# ALLOWED_IFRAME_ANCESTORS=
+
+## Allowed connect-src (Know the risks!)
+## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
+## Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature
+## This adds the configured value to the 'Content-Security-Policy' headers 'connect-src' value.
+## Multiple values must be separated with a whitespace. And only HTTPS values are allowed.
+## Example: "https://my-addy-io.domain.tld https://my-simplelogin.domain.tld"
+# ALLOWED_CONNECT_SRC=""
+
+## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in.
+# LOGIN_RATELIMIT_SECONDS=60
+## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`.
+## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2.
+# LOGIN_RATELIMIT_MAX_BURST=10
+
+## BETA FEATURE: Groups
+## Controls whether group support is enabled for organizations
+## This setting applies to organizations.
+## Disabled by default because this is a beta feature, it contains known issues!
+## KNOW WHAT YOU ARE DOING!
+# ORG_GROUPS_ENABLED=false
+
+## Increase secure note size limit (Know the risks!)
+## Sets the secure note size limit to 100_000 instead of the default 10_000.
+## WARNING: This could cause issues with clients. Also exports will not work on Bitwarden servers!
+## KNOW WHAT YOU ARE DOING!
+# INCREASE_NOTE_SIZE_LIMIT=false
+
+## Enforce Single Org with Reset Password Policy
+## Enforce that the Single Org policy is enabled before setting the Reset Password policy
+## Bitwarden enforces this by default. In Vaultwarden we encouraged to use multiple organizations because groups were not available.
+## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy.
+# ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false
+
+########################
+### MFA/2FA settings ###
+########################
+
+## Yubico (Yubikey) Settings
+## Set your Client ID and Secret Key for Yubikey OTP
+## You can generate it here: https://upgrade.yubico.com/getapikey/
+## You can optionally specify a custom OTP server
+# YUBICO_CLIENT_ID=11111
+# YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA
+# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
+
+## Duo Settings
+## You need to configure the DUO_IKEY, DUO_SKEY, and DUO_HOST options to enable global Duo support.
+## Otherwise users will need to configure it themselves.
+## Create an account and protect an application as mentioned in this link (only the first step, not the rest):
+## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account
+## Then set the following options, based on the values obtained from the last step:
+# DUO_IKEY=
+# DUO_SKEY=
+# DUO_HOST=
+## After that, you should be able to follow the rest of the guide linked above,
+## ignoring the fields that ask for the values that you already configured beforehand.
+##
+## If you want to attempt to use Duo's 'Traditional Prompt' (deprecated, iframe based) set DUO_USE_IFRAME to 'true'.
+## Duo no longer supports this, but it still works for some integrations.
+## If you aren't sure, leave this alone.
+# DUO_USE_IFRAME=false
+
+## Email 2FA settings
+## Email token size
+## Number of digits in an email 2FA token (min: 6, max: 255).
+## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting!
+# EMAIL_TOKEN_SIZE=6
+##
+## Token expiration time
+## Maximum time in seconds a token is valid. The time the user has to open email client and copy token.
+# EMAIL_EXPIRATION_TIME=600
+##
+## Maximum attempts before an email token is reset and a new email will need to be sent.
+# EMAIL_ATTEMPTS_LIMIT=3
+##
+## Setup email 2FA regardless of any organization policy
+# EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE=false
+## Automatically setup email 2FA as fallback provider when needed
+# EMAIL_2FA_AUTO_FALLBACK=false
+
+## Other MFA/2FA settings
+## Disable 2FA remember
+## Enabling this would force the users to use a second factor to login every time.
+## Note that the checkbox would still be present, but ignored.
+# DISABLE_2FA_REMEMBER=false
+##
+## Authenticator Settings
+## Disable authenticator time drifted codes to be valid.
+## TOTP codes of the previous and next 30 seconds will be invalid
+##
+## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
+## we allow by default the TOTP code which was valid one step back and one in the future.
+## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
+## You can disable this, so that only the current TOTP Code is allowed.
+## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
+## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
+# AUTHENTICATOR_DISABLE_TIME_DRIFT=false
+
+###########################
+### SMTP Email settings ###
+###########################
+
+## Mail specific settings, set SMTP_FROM and either SMTP_HOST or USE_SENDMAIL to enable the mail service.
+## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
+## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
+# SMTP_HOST=smtp.domain.tld
+# SMTP_FROM=vaultwarden@domain.tld
+# SMTP_FROM_NAME=Vaultwarden
+# SMTP_USERNAME=username
+# SMTP_PASSWORD=password
+# SMTP_TIMEOUT=15
+
+## Choose the type of secure connection for SMTP. The default is "starttls".
+## The available options are:
+## - "starttls": The default port is 587.
+## - "force_tls": The default port is 465.
+## - "off": The default port is 25.
+## Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 (submissions) is used for encrypted submission (Implicit TLS).
+# SMTP_SECURITY=starttls
+# SMTP_PORT=587
+
+# Whether to send mail via the `sendmail` command
+# USE_SENDMAIL=false
+# Which sendmail command to use. The one found in the $PATH is used if not specified.
+# SENDMAIL_COMMAND="/path/to/sendmail"
+
+## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections.
+## Possible values: ["Plain", "Login", "Xoauth2"].
+## Multiple options need to be separated by a comma ','.
+# SMTP_AUTH_MECHANISM=
+
+## Server name sent during the SMTP HELO
+## By default this value should be is on the machine's hostname,
+## but might need to be changed in case it trips some anti-spam filters
+# HELO_NAME=
+
+## Embed images as email attachments
+# SMTP_EMBED_IMAGES=true
+
+## SMTP debugging
+## When set to true this will output very detailed SMTP messages.
+## WARNING: This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting!
+# SMTP_DEBUG=false
+
+## Accept Invalid Certificates
+## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
+## Only use this as a last resort if you are not able to use a valid certificate.
+## If the Certificate is valid but the hostname doesn't match, please use SMTP_ACCEPT_INVALID_HOSTNAMES instead.
+# SMTP_ACCEPT_INVALID_CERTS=false
+
+## Accept Invalid Hostnames
+## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
+## Only use this as a last resort if you are not able to use a valid certificate.
+# SMTP_ACCEPT_INVALID_HOSTNAMES=false
+
+#######################
+### Rocket settings ###
+#######################
+
+## Rocket specific settings
+## See https://rocket.rs/v0.5/guide/configuration/ for more details.
+# ROCKET_ADDRESS=0.0.0.0
+## The default port is 8000, unless running in a Docker container, in which case it is 80.
+# ROCKET_PORT=8000
+# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
+
+
+# vim: syntax=ini
From 391308692923c76c6a98f94707801c1604b2ddaa Mon Sep 17 00:00:00 2001
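Review bot: The ADMIN_TOKEN block in the Advanced settings section of this new template carries two complete sample values, an Argon2 PHC string and a plain-text token, and anyone who can read the repository knows both. If either line is uncommented unchanged, the admin panel is guarded by a published value; I would replace them with labelled placeholders such as `# ADMIN_TOKEN='<argon2-phc-string-from-vaultwarden-hash>'` and drop the plain-text example line entirely. Separately, the comment above `# ICON_CACHE_NEGTTL=259200` reads `Default: 2592000 (3 days)`, which disagrees with the value beneath it; it should be `## Default: 259200 (3 days)`.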
From: korenstin Date: Sun, 25 May 2025 18:54:40 +0200 Subject: [PATCH 08/41] configuration backup et secret --- hosts/vm/vaultwarden/default.nix | 1 + .../default.nix => vaultwarden.nix} | 0 modules/services/vaultwarden/env.template | 581 ------------------ secrets.nix | 7 +- secrets/common/root.age | Bin 1451 -> 1561 bytes secrets/restic/vaultwarden/base-password.age | Bin 0 -> 1125 bytes secrets/restic/vaultwarden/base-repo.age | Bin 0 -> 983 bytes {modules/services => secrets}/vaultwarden/env | 0 secrets/vaultwarden/env.age | Bin 0 -> 27762 bytes 9 files changed, 7 insertions(+), 582 deletions(-) rename modules/services/{vaultwarden/default.nix => vaultwarden.nix} (100%) delete mode 100644 modules/services/vaultwarden/env.template create mode 100644 secrets/restic/vaultwarden/base-password.age create mode 100644 secrets/restic/vaultwarden/base-repo.age rename {modules/services => secrets}/vaultwarden/env (100%) create mode 100644 secrets/vaultwarden/env.age diff --git a/hosts/vm/vaultwarden/default.nix b/hosts/vm/vaultwarden/default.nix index f2f2fd6..18e2c6e 100644 --- a/hosts/vm/vaultwarden/default.nix +++ b/hosts/vm/vaultwarden/default.nix @@ -6,6 +6,7 @@ ./networking.nix ../../../modules + ../../../modules/services/vaultwarden.nix ]; networking.hostName = "vaultwarden"; diff --git a/modules/services/vaultwarden/default.nix b/modules/services/vaultwarden.nix similarity index 100% rename from modules/services/vaultwarden/default.nix rename to modules/services/vaultwarden.nix diff --git a/modules/services/vaultwarden/env.template b/modules/services/vaultwarden/env.template deleted file mode 100644 index 80eb475..0000000 --- a/modules/services/vaultwarden/env.template +++ /dev/null 
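Review bot: The import added in this hunk, `../../../modules/services/vaultwarden.nix`, arrives in a commit whose diffstat moves `modules/services/vaultwarden/env` to `secrets/vaultwarden/env` unchanged while adding `secrets/vaultwarden/env.age`, so a plaintext environment file appears to stay tracked beside its encrypted copy. The module body is not part of this hunk, so which of the two files it reads cannot be confirmed from here; it should point only at the decrypted age secret. If the plaintext file holds real values (for example ADMIN_TOKEN or SMTP_PASSWORD), I would delete it from the tree, ignore it in `.gitignore`, and rotate those values, since they remain in the history of the earlier commit.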
@@ -1,581 +0,0 @@ -# shellcheck disable=SC2034,SC2148 -## Vaultwarden Configuration File -## Uncomment any of the following lines to change the defaults -## -## Be aware that most of these settings will be overridden if they were changed -## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json . -## -## By default, Vaultwarden expects for this file to be named ".env" and located -## in the current working directory. If this is not the case, the environment -## variable ENV_FILE can be set to the location of this file prior to starting -## Vaultwarden. - -#################### -### Data folders ### -#################### - -## Main data folder -# DATA_FOLDER=data - -## Individual folders, these override %DATA_FOLDER% -# RSA_KEY_FILENAME=data/rsa_key -# ICON_CACHE_FOLDER=data/icon_cache -# ATTACHMENTS_FOLDER=data/attachments -# SENDS_FOLDER=data/sends -# TMP_FOLDER=data/tmp - -## Templates data folder, by default uses embedded templates -## Check source code to see the format -# TEMPLATES_FOLDER=data/templates -## Automatically reload the templates for every request, slow, use only for development -# RELOAD_TEMPLATES=false - -## Web vault settings -# WEB_VAULT_FOLDER=web-vault/ -# WEB_VAULT_ENABLED=true - -######################### -### Database settings ### -######################### - -## Database URL -## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3 -# DATABASE_URL=data/db.sqlite3 -## When using MySQL, specify an appropriate connection URI. -## Details: https://docs.diesel.rs/2.1.x/diesel/mysql/struct.MysqlConnection.html -# DATABASE_URL=mysql://user:password@host[:port]/database_name -## When using PostgreSQL, specify an appropriate connection URI (recommended) -## or keyword/value connection string. 
-## Details: -## - https://docs.diesel.rs/2.1.x/diesel/pg/struct.PgConnection.html -## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING -# DATABASE_URL=postgresql://user:password@host[:port]/database_name - -## Enable WAL for the DB -## Set to false to avoid enabling WAL during startup. -## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB, -## this setting only prevents Vaultwarden from automatically enabling it on start. -## Please read project wiki page about this setting first before changing the value as it can -## cause performance degradation or might render the service unable to start. -# ENABLE_DB_WAL=true - -## Database connection retries -## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely -# DB_CONNECTION_RETRIES=15 - -## Database timeout -## Timeout when acquiring database connection -# DATABASE_TIMEOUT=30 - -## Database max connections -## Define the size of the connection pool used for connecting to the database. -# DATABASE_MAX_CONNS=10 - -## Database connection initialization -## Allows SQL statements to be run whenever a new database connection is created. -## This is mainly useful for connection-scoped pragmas. 
-## If empty, a database-specific default is used: -## - SQLite: "PRAGMA busy_timeout = 5000; PRAGMA synchronous = NORMAL;" -## - MySQL: "" -## - PostgreSQL: "" -# DATABASE_CONN_INIT="" - -################# -### WebSocket ### -################# - -## Enable websocket notifications -# ENABLE_WEBSOCKET=true - -########################## -### Push notifications ### -########################## - -## Enables push notifications (requires key and id from https://bitwarden.com/host) -## Details about mobile client push notification: -## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification -# PUSH_ENABLED=false -# PUSH_INSTALLATION_ID=CHANGEME -# PUSH_INSTALLATION_KEY=CHANGEME - -# WARNING: Do not modify the following settings unless you fully understand their implications! -# Default Push Relay and Identity URIs -# PUSH_RELAY_URI=https://push.bitwarden.com -# PUSH_IDENTITY_URI=https://identity.bitwarden.com -# European Union Data Region Settings -# If you have selected "European Union" as your data region, use the following URIs instead. -# PUSH_RELAY_URI=https://api.bitwarden.eu -# PUSH_IDENTITY_URI=https://identity.bitwarden.eu - -##################### -### Schedule jobs ### -##################### - -## Job scheduler settings -## -## Job schedules use a cron-like syntax (as parsed by https://crates.io/crates/cron), -## and are always in terms of UTC time (regardless of your local time zone settings). -## -## The schedule format is a bit different from crontab as crontab does not contains seconds. -## You can test the the format here: https://crontab.guru, but remove the first digit! -## SEC MIN HOUR DAY OF MONTH MONTH DAY OF WEEK -## "0 30 9,12,15 1,15 May-Aug Mon,Wed,Fri" -## "0 30 * * * * " -## "0 30 1 * * * " -## -## How often (in ms) the job scheduler thread checks for jobs that need running. -## Set to 0 to globally disable scheduled jobs. 
-# JOB_POLL_INTERVAL_MS=30000 -## -## Cron schedule of the job that checks for Sends past their deletion date. -## Defaults to hourly (5 minutes after the hour). Set blank to disable this job. -# SEND_PURGE_SCHEDULE="0 5 * * * *" -## -## Cron schedule of the job that checks for trashed items to delete permanently. -## Defaults to daily (5 minutes after midnight). Set blank to disable this job. -# TRASH_PURGE_SCHEDULE="0 5 0 * * *" -## -## Cron schedule of the job that checks for incomplete 2FA logins. -## Defaults to once every minute. Set blank to disable this job. -# INCOMPLETE_2FA_SCHEDULE="30 * * * * *" -## -## Cron schedule of the job that sends expiration reminders to emergency access grantors. -## Defaults to hourly (3 minutes after the hour). Set blank to disable this job. -# EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE="0 3 * * * *" -## -## Cron schedule of the job that grants emergency access requests that have met the required wait time. -## Defaults to hourly (7 minutes after the hour). Set blank to disable this job. -# EMERGENCY_REQUEST_TIMEOUT_SCHEDULE="0 7 * * * *" -## -## Cron schedule of the job that cleans old events from the event table. -## Defaults to daily. Set blank to disable this job. Also without EVENTS_DAYS_RETAIN set, this job will not start. -# EVENT_CLEANUP_SCHEDULE="0 10 0 * * *" -## Number of days to retain events stored in the database. -## If unset (the default), events are kept indefinitely and the scheduled job is disabled! -# EVENTS_DAYS_RETAIN= -## -## Cron schedule of the job that cleans old auth requests from the auth request. -## Defaults to every minute. Set blank to disable this job. -# AUTH_REQUEST_PURGE_SCHEDULE="30 * * * * *" -## -## Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt. -## Defaults to every minute. Set blank to disable this job. 
-# DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *" - -######################## -### General settings ### -######################## - -## Domain settings -## The domain must match the address from where you access the server -## It's recommended to configure this value, otherwise certain functionality might not work, -## like attachment downloads, email links and U2F. -## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs -## To use HTTPS, the recommended way is to put Vaultwarden behind a reverse proxy -## Details: -## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS -## - https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples -## For development -# DOMAIN=http://localhost -## For public server -# DOMAIN=https://vw.domain.tld -## For public server (URL with port number) -# DOMAIN=https://vw.domain.tld:8443 -## For public server (URL with path) -# DOMAIN=https://domain.tld/vw - -## Controls whether users are allowed to create Bitwarden Sends. -## This setting applies globally to all users. -## To control this on a per-org basis instead, use the "Disable Send" org policy. -# SENDS_ALLOWED=true - -## HIBP Api Key -## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key -# HIBP_API_KEY= - -## Per-organization attachment storage limit (KB) -## Max kilobytes of attachment storage allowed per organization. -## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization. -# ORG_ATTACHMENT_LIMIT= -## Per-user attachment storage limit (KB) -## Max kilobytes of attachment storage allowed per user. -## When this limit is reached, the user will not be allowed to upload further attachments. -# USER_ATTACHMENT_LIMIT= -## Per-user send storage limit (KB) -## Max kilobytes of send storage allowed per user. -## When this limit is reached, the user will not be allowed to upload further sends. 
-# USER_SEND_LIMIT= - -## Number of days to wait before auto-deleting a trashed item. -## If unset (the default), trashed items are not auto-deleted. -## This setting applies globally, so make sure to inform all users of any changes to this setting. -# TRASH_AUTO_DELETE_DAYS= - -## Number of minutes to wait before a 2FA-enabled login is considered incomplete, -## resulting in an email notification. An incomplete 2FA login is one where the correct -## master password was provided but the required 2FA step was not completed, which -## potentially indicates a master password compromise. Set to 0 to disable this check. -## This setting applies globally to all users. -# INCOMPLETE_2FA_TIME_LIMIT=3 - -## Disable icon downloading -## Set to true to disable icon downloading in the internal icon service. -## This still serves existing icons from $ICON_CACHE_FOLDER, without generating any external -## network requests. $ICON_CACHE_TTL must also be set to 0; otherwise, the existing icons -## will be deleted eventually, but won't be downloaded again. -# DISABLE_ICON_DOWNLOAD=false - -## Controls if new users can register -# SIGNUPS_ALLOWED=true - -## Controls if new users need to verify their email address upon registration -## Note that setting this option to true prevents logins until the email address has been verified! -## The welcome email will include a verification link, and login attempts will periodically -## trigger another verification email to be sent. -# SIGNUPS_VERIFY=false - -## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time -## an email verification link has been sent another verification email will be sent -# SIGNUPS_VERIFY_RESEND_TIME=3600 - -## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification -## email will be re-sent upon an attempted login. 
-# SIGNUPS_VERIFY_RESEND_LIMIT=6 - -## Controls if new users from a list of comma-separated domains can register -## even if SIGNUPS_ALLOWED is set to false -# SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org - -## Controls whether event logging is enabled for organizations -## This setting applies to organizations. -## Disabled by default. Also check the EVENT_CLEANUP_SCHEDULE and EVENTS_DAYS_RETAIN settings. -# ORG_EVENTS_ENABLED=false - -## Controls which users can create new orgs. -## Blank or 'all' means all users can create orgs (this is the default): -# ORG_CREATION_USERS= -## 'none' means no users can create orgs: -# ORG_CREATION_USERS=none -## A comma-separated list means only those users can create orgs: -# ORG_CREATION_USERS=admin1@example.com,admin2@example.com - -## Invitations org admins to invite users, even when signups are disabled -# INVITATIONS_ALLOWED=true -## Name shown in the invitation emails that don't come from a specific organization -# INVITATION_ORG_NAME=Vaultwarden - -## The number of hours after which an organization invite token, emergency access invite token, -## email verification token and deletion request token will expire (must be at least 1) -# INVITATION_EXPIRATION_HOURS=120 - -## Controls whether users can enable emergency access to their accounts. -## This setting applies globally to all users. -# EMERGENCY_ACCESS_ALLOWED=true - -## Controls whether users can change their email. -## This setting applies globally to all users -# EMAIL_CHANGE_ALLOWED=true - -## Number of server-side passwords hashing iterations for the password hash. -## The default for new users. If changed, it will be updated during login for existing users. -# PASSWORD_ITERATIONS=600000 - -## Controls whether users can set or show password hints. This setting applies globally to all users. 
-# PASSWORD_HINTS_ALLOWED=true - -## Controls whether a password hint should be shown directly in the web page if -## SMTP service is not configured and password hints are allowed. -## Not recommended for publicly-accessible instances because this provides -## unauthenticated access to potentially sensitive data. -# SHOW_PASSWORD_HINT=false - -######################### -### Advanced settings ### -######################### - -## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP" -## Set to the string "none" (without quotes), to disable any headers and just use the remote IP -# IP_HEADER=X-Real-IP - -## Icon service -## The predefined icon services are: internal, bitwarden, duckduckgo, google. -## To specify a custom icon service, set a URL template with exactly one instance of `{}`, -## which is replaced with the domain. For example: `https://icon.example.com/domain/{}`. -## -## `internal` refers to Vaultwarden's built-in icon fetching implementation. -## If an external service is set, an icon request to Vaultwarden will return an HTTP -## redirect to the corresponding icon at the external service. An external service may -## be useful if your Vaultwarden instance has no external network connectivity, or if -## you are concerned that someone may probe your instance to try to detect whether icons -## for certain sites have been cached. -# ICON_SERVICE=internal - -## Icon redirect code -## The HTTP status code to use for redirects to an external icon service. -## The supported codes are 301 (legacy permanent), 302 (legacy temporary), 307 (temporary), and 308 (permanent). -## Temporary redirects are useful while testing different icon services, but once a service -## has been decided on, consider using permanent redirects for cacheability. The legacy codes -## are currently better supported by the Bitwarden clients. 
-# ICON_REDIRECT_CODE=302 - -## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever") -## Default: 2592000 (30 days) -# ICON_CACHE_TTL=2592000 -## Cache time-to-live for icons which weren't available, in seconds (0 is "forever") -## Default: 2592000 (3 days) -# ICON_CACHE_NEGTTL=259200 - -## Icon download timeout -## Configure the timeout value when downloading the favicons. -## The default is 10 seconds, but this could be to low on slower network connections -# ICON_DOWNLOAD_TIMEOUT=10 - -## Block HTTP domains/IPs by Regex -## Any domains or IPs that match this regex won't be fetched by the internal HTTP client. -## Useful to hide other servers in the local network. Check the WIKI for more details -## NOTE: Always enclose this regex withing single quotes! -# HTTP_REQUEST_BLOCK_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$' - -## Enabling this will cause the internal HTTP client to refuse to connect to any non global IP address. -## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block -# HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=true - -## Client Settings -## Enable experimental feature flags for clients. -## This is a comma-separated list of flags, e.g. "flag1,flag2,flag3". -## -## The following flags are available: -## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials. -## - "autofill-v2": Use the new autofill implementation. -## - "browser-fileless-import": Directly import credentials from other providers without a file. -## - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension) -## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor. -## - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension. 
-## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0) -## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0) -# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials - -## Require new device emails. When a user logs in an email is required to be sent. -## If sending the email fails the login attempt will fail!! -# REQUIRE_DEVICE_EMAIL=false - -## Enable extended logging, which shows timestamps and targets in the logs -# EXTENDED_LOGGING=true - -## Timestamp format used in extended logging. -## Format specifiers: https://docs.rs/chrono/latest/chrono/format/strftime -# LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f" - -## Logging to Syslog -## This requires extended logging -# USE_SYSLOG=false - -## Logging to file -# LOG_FILE=/path/to/log - -## Log level -## Change the verbosity of the log output -## Valid values are "trace", "debug", "info", "warn", "error" and "off" -## Setting it to "trace" or "debug" would also show logs for mounted routes and static file, websocket and alive requests -## For a specific module append a comma separated `path::to::module=log_level` -## For example, to only see debug logs for icons use: LOG_LEVEL="info,vaultwarden::api::icons=debug" -# LOG_LEVEL=info - -## Token for the admin interface, preferably an Argon2 PCH string -## Vaultwarden has a built-in generator by calling `vaultwarden hash` -## For details see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token -## If not set, the admin panel is disabled -## New Argon2 PHC string -## Note that for some environments, like docker-compose you need to escape all the dollar signs `$` with an extra dollar sign like `$$` -## Also, use single quotes (') instead of double quotes (") to enclose the string when needed -# ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$MmeKRnGK5RW5mJS7h3TOL89GrpLPXJPAtTK8FTqj9HM$DqsstvoSAETl9YhnsXbf43WeaUwJC6JhViIvuPoig78' -## Old plain text 
string (Will generate warnings in favor of Argon2) -# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp - -## Enable this to bypass the admin panel security. This option is only -## meant to be used with the use of a separate auth layer in front -# DISABLE_ADMIN_TOKEN=false - -## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in. -# ADMIN_RATELIMIT_SECONDS=300 -## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`. -# ADMIN_RATELIMIT_MAX_BURST=3 - -## Set the lifetime of admin sessions to this value (in minutes). -# ADMIN_SESSION_LIFETIME=20 - -## Allowed iframe ancestors (Know the risks!) -## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors -## Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets -## This adds the configured value to the 'Content-Security-Policy' headers 'frame-ancestors' value. -## Multiple values must be separated with a whitespace. -# ALLOWED_IFRAME_ANCESTORS= - -## Allowed connect-src (Know the risks!) -## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src -## Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature -## This adds the configured value to the 'Content-Security-Policy' headers 'connect-src' value. -## Multiple values must be separated with a whitespace. And only HTTPS values are allowed. -## Example: "https://my-addy-io.domain.tld https://my-simplelogin.domain.tld" -# ALLOWED_CONNECT_SRC="" - -## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in. -# LOGIN_RATELIMIT_SECONDS=60 -## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`. 
-## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2. -# LOGIN_RATELIMIT_MAX_BURST=10 - -## BETA FEATURE: Groups -## Controls whether group support is enabled for organizations -## This setting applies to organizations. -## Disabled by default because this is a beta feature, it contains known issues! -## KNOW WHAT YOU ARE DOING! -# ORG_GROUPS_ENABLED=false - -## Increase secure note size limit (Know the risks!) -## Sets the secure note size limit to 100_000 instead of the default 10_000. -## WARNING: This could cause issues with clients. Also exports will not work on Bitwarden servers! -## KNOW WHAT YOU ARE DOING! -# INCREASE_NOTE_SIZE_LIMIT=false - -## Enforce Single Org with Reset Password Policy -## Enforce that the Single Org policy is enabled before setting the Reset Password policy -## Bitwarden enforces this by default. In Vaultwarden we encouraged to use multiple organizations because groups were not available. -## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy. -# ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false - -######################## -### MFA/2FA settings ### -######################## - -## Yubico (Yubikey) Settings -## Set your Client ID and Secret Key for Yubikey OTP -## You can generate it here: https://upgrade.yubico.com/getapikey/ -## You can optionally specify a custom OTP server -# YUBICO_CLIENT_ID=11111 -# YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA -# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify - -## Duo Settings -## You need to configure the DUO_IKEY, DUO_SKEY, and DUO_HOST options to enable global Duo support. -## Otherwise users will need to configure it themselves. 
-## Create an account and protect an application as mentioned in this link (only the first step, not the rest): -## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account -## Then set the following options, based on the values obtained from the last step: -# DUO_IKEY= -# DUO_SKEY= -# DUO_HOST= -## After that, you should be able to follow the rest of the guide linked above, -## ignoring the fields that ask for the values that you already configured beforehand. -## -## If you want to attempt to use Duo's 'Traditional Prompt' (deprecated, iframe based) set DUO_USE_IFRAME to 'true'. -## Duo no longer supports this, but it still works for some integrations. -## If you aren't sure, leave this alone. -# DUO_USE_IFRAME=false - -## Email 2FA settings -## Email token size -## Number of digits in an email 2FA token (min: 6, max: 255). -## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting! -# EMAIL_TOKEN_SIZE=6 -## -## Token expiration time -## Maximum time in seconds a token is valid. The time the user has to open email client and copy token. -# EMAIL_EXPIRATION_TIME=600 -## -## Maximum attempts before an email token is reset and a new email will need to be sent. -# EMAIL_ATTEMPTS_LIMIT=3 -## -## Setup email 2FA regardless of any organization policy -# EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE=false -## Automatically setup email 2FA as fallback provider when needed -# EMAIL_2FA_AUTO_FALLBACK=false - -## Other MFA/2FA settings -## Disable 2FA remember -## Enabling this would force the users to use a second factor to login every time. -## Note that the checkbox would still be present, but ignored. -# DISABLE_2FA_REMEMBER=false -## -## Authenticator Settings -## Disable authenticator time drifted codes to be valid. 
-## TOTP codes of the previous and next 30 seconds will be invalid -## -## According to the RFC6238 (https://tools.ietf.org/html/rfc6238), -## we allow by default the TOTP code which was valid one step back and one in the future. -## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes. -## You can disable this, so that only the current TOTP Code is allowed. -## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid. -## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid. -# AUTHENTICATOR_DISABLE_TIME_DRIFT=false - -########################### -### SMTP Email settings ### -########################### - -## Mail specific settings, set SMTP_FROM and either SMTP_HOST or USE_SENDMAIL to enable the mail service. -## To make sure the email links are pointing to the correct host, set the DOMAIN variable. -## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory -# SMTP_HOST=smtp.domain.tld -# SMTP_FROM=vaultwarden@domain.tld -# SMTP_FROM_NAME=Vaultwarden -# SMTP_USERNAME=username -# SMTP_PASSWORD=password -# SMTP_TIMEOUT=15 - -## Choose the type of secure connection for SMTP. The default is "starttls". -## The available options are: -## - "starttls": The default port is 587. -## - "force_tls": The default port is 465. -## - "off": The default port is 25. -## Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 (submissions) is used for encrypted submission (Implicit TLS). -# SMTP_SECURITY=starttls -# SMTP_PORT=587 - -# Whether to send mail via the `sendmail` command -# USE_SENDMAIL=false -# Which sendmail command to use. The one found in the $PATH is used if not specified. -# SENDMAIL_COMMAND="/path/to/sendmail" - -## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections. -## Possible values: ["Plain", "Login", "Xoauth2"]. 
-## Multiple options need to be separated by a comma ','. -# SMTP_AUTH_MECHANISM= - -## Server name sent during the SMTP HELO -## By default this value should be is on the machine's hostname, -## but might need to be changed in case it trips some anti-spam filters -# HELO_NAME= - -## Embed images as email attachments -# SMTP_EMBED_IMAGES=true - -## SMTP debugging -## When set to true this will output very detailed SMTP messages. -## WARNING: This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting! -# SMTP_DEBUG=false - -## Accept Invalid Certificates -## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks! -## Only use this as a last resort if you are not able to use a valid certificate. -## If the Certificate is valid but the hostname doesn't match, please use SMTP_ACCEPT_INVALID_HOSTNAMES instead. -# SMTP_ACCEPT_INVALID_CERTS=false - -## Accept Invalid Hostnames -## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks! -## Only use this as a last resort if you are not able to use a valid certificate. -# SMTP_ACCEPT_INVALID_HOSTNAMES=false - -####################### -### Rocket settings ### -####################### - -## Rocket specific settings -## See https://rocket.rs/v0.5/guide/configuration/ for more details. -# ROCKET_ADDRESS=0.0.0.0 -## The default port is 8000, unless running in a Docker container, in which case it is 80. -# ROCKET_PORT=8000 -# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"} - - -# vim: syntax=ini diff --git a/secrets.nix b/secrets.nix index b14e26f..d8face9 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -27,6 +27,7 @@ let redite = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwfVmR3NjZf6qkDlTSiyo39Up5nSNUVW7jYDWXrY8Xr root@redite"; thot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKNg1b8ft1L55+joXQ/7Dt2QTOdkea8opTEnq4xrhPU root@thot"; two = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpaGf8A+XWXBdNrs69RiC0qPbjPHdtkl31OjxrktmF6 root@nixos"; + vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICn6vfDlsZVU6TEWg9vTgq9+Fp3irHjytBTky7A4ErRM root@vaultwarden"; hosts = { inherit @@ -38,6 +39,7 @@ let redite thot two + vaultwarden ; }; @@ -50,6 +52,7 @@ let "redite" "thot" "two" + "vaultwarden" ]; # Groupes @@ -62,6 +65,7 @@ let neo thot two + vaultwarden ]; acme = [ @@ -105,11 +109,12 @@ in ) ) { } (remove "thot" hostnames) // builtins.mapAttrs (name: value: { publicKeys = value.publicKeys ++ nounous; }) { - "secrets/common/root.age".publicKeys = remove apprentix all; "secrets/apprentix/root.age".publicKeys = [ apprentix ]; + "secrets/common/root.age".publicKeys = remove apprentix all; "secrets/neo/appservice_irc_db_env.age".publicKeys = [ neo ]; "secrets/neo/coturn_auth_secret.age".publicKeys = [ neo ]; "secrets/neo/database_extra_config.age".publicKeys = [ neo ]; "secrets/neo/note_oidc_extra_config.age".publicKeys = [ neo ]; "secrets/neo/ldap_synapse_password.age".publicKeys = [ neo ]; + "secrets/vaultwarden/env.age".publicKeys = [ vaultwarden ]; } 
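Review bot: The hunk at `@@ -62,6 +65,7 @@` adds `vaultwarden` to a group list whose name lies outside the hunk, so the set of secrets the new VM can decrypt is not visible from this change. If that list is `all`, the last hunk's `"secrets/common/root.age".publicKeys = remove apprentix all;` makes the shared root secret readable by the password-manager host, which would fit the re-keyed `secrets/common/root.age` binary patch that follows in this commit. It is worth confirming that this is intended and recording it next to the entry, for example `vaultwarden # gains access to every secret keyed to this group`. The new `"secrets/vaultwarden/env.age".publicKeys = [ vaultwarden ];` entry is keyed to the host alone, plus `nounous` through the surrounding `mapAttrs`, which looks like the narrow scope one wants for this file.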
diff --git a/secrets/common/root.age b/secrets/common/root.age index b518bc750cd0ca041c0b3701590c467a3bb9e9d9..3978639cf685de44e33345934fc5f03cd874b0f4 100644 GIT binary patch literal 1561 zcmZY9sqf?j6bEqDtQd=76GU+&&5s__YYe2O;;NPcJUuzK)}~T}1xPAaVFJ$9L=I}vWo#a{)wuPLT-K1n*pTaOH(mYP*-s~g zO;4uUu0&+kQdK0YL6Dwa9w41jvub#(<<^CaX`qCCE=$SVBot~C9VXpWGi4FaP14aC zZ@P_zD42FS3uw7{qF+_bs7gUN@wdI_LY*F+6A!~)YQkF^XRT!RKI z4^c9y)w+`OM-sdsi?DV2rgSMtLi6ib;afy8O6gLkn*#Mh7)H?jC^q`_FwJ176prf9 zi|F7)z#n(oon*PuKJt$>NNCr12CRvo4&h!%@3A=FbnT|VC(>kyXdL0yhHs*O()M;& z-0$zyB)nC;I%K3eh3aWJZ^lJF9M(i#@j;_j~gX1U4wyfQZdP3p)bXA0#=Z8sj~t>yOI^_tOAm`297w%+8{ z=F>xq;sg-SY_y#L`rf$Ng){T!WDFi_8T;vqts%c2*nQ8OYDCRw zy|Mm(*%HcM76ZU(=xRdCbhNoT@-FbARD{e@0~NNOkgqAX7L$8LJ2a0rl9c4PesI_T zyoQXG@~1Uc*D|b5@VOwmDGYVCoq9_U-rA4@l$&u1n3OCrU(MBSMCV3@HczMx#OYc&MJ63yUfI5*lb1RY-(m540zF%QMezgL*`PCH$+gg zlQ08K{rWkzXV+tki%Nl^WtAkeR)x~Lxw)$T@mQXrIM6Vf+LVOh^Jp<71~Td* zbw^je^jQ|t@#My-bPoL45L-DH*I%A>(R5_W_*b$)_@^`H~i zM5(G+j5hrYN?n!iOl_KbMLw-(f+8J}pedU%-RU2ECzXUo{n)>|t6)+EMYQ z1(|wLHZ84(=&gv-&{x>a5#z=#?{;Dr2#79w%2>(-Uyo&fL|962 zY-~(0`_>{>@LYrBZcP`!VBJ32mqG*Q5qKU0FS{t=Q#~Cc>*99-J6YQKz~H! zCNtqK=wy+!v?^EPYQm`_$jRFH$HTQ#$&QuioT;8`2CFIv3vl$&xIK6~UfR`c$unZs zx>re;dL||Fl;OM};@-pKTQ1lTa2VII;8w5Y9rE zKi6)lSuGBL8l|K}Y!zyvoju0B=9JmU+c480Wp~m7s+sc+JPO_w-aOjJ+I2%AuA`m;?LH;T{j}Hi9oz(~MYR>L?ap=az@&4)+!^3Bj4zS0R;|g3(RYDqBaV8Lh39sO>NohN-?0( z|16R>pxu*IfnlKEePW%aT)mHL0Mb*S&tt`ht`0xA(Jw-YRHeBYH@Dg_UBpdEQWN?V zp<>-NWCgXC#)mHDocO(S&XEpV;WzG4MaAU)G{p%|bAcTNPN4Lmcjv2OIFCHYC{dC3 z+yD}>iC=@7?V!5m;xV$r3XR1@yF##ygND(e0mB3j%pWUoIVe5;d}kU|x@iu? 
zrQ7xCY`T88W?Dq{b0`+4rSlpYHH(&4SUT&lg>|pN<~GuSK3sCJW+dqf>nR2fkboz< zi_h3|Fq-h;cHU{|3cis|whB*P0GuaCo63+_94&>K3%2hg7|H`)mD6UwA~BSMWkhHR z7jMkiKPRMt-aqyJx}$;J=ksrW zewlLmC!hZH(PzR}yKlZI*YVfiU%z$vBqf0D$ogq@hJj8a!-6;>ZKXP)O~>M-pwV>e!BJ$BCW8iDRHBhaD$z?D$BW zcoNdYxpreh9Mi@aoshWtKp%=2FxaX|eF2HFqf7`y2SaFk=n$Y)+eAxwq<_Ir-&d~7 zL0PX_gO1ZM^dZBl1HF(hIO4Z$H7M7@2oj3<^Jbr8UBBJ*SUyBX70W^62$5`w1%`)- zw8m8P{bXM?9hblpNL+<%A5*go%5Dot0klL&BI@;Kf`PjY-1a=htY|`|DoU~xGdjk9 zTBp$qcESkimtDLHxqhsvfvLR5VXRxIqcUT|Q96y+w7B7bP^N2yB)%!+TCu2=uzjV3 z9*CDpm|aVj8iWMIBpr0}<&r9jKp%>v(+UzH%N>m@2>-KCoCWwbtHZWrE}BiMjN@r7 z1=NKBT9ElJ9Egd%l*x4&V1R~dCP;>Typ?DubTy;5dp00IQJ$7lHraAu-PR;nkqsx_ zaybf@is1T-beOF5Gkz~+ijYvDgj^tGvAUg4hctn!6#6~4K~_P$==B^F?o%bGl0Y0=#(_du4nL=5N`P@l#E3L0!5n$oa*Ef0s%zeK?sJUK$=Q)+?)|e zsr>>=W7YKt}FV&ql}umjh}l1qCYE*qF((RV;7T?SX?EL{5~sHd+!gzO|MB zot43eY9?uf!7wf7lBG1v2$1Pwq-JXzE)DF0qGRhdSxjLL=EuxlyI3>?$U<16n^!aj zun3(ghmj7)6M~l;tHKqDl1;JXi>EB2iJ(Zap<6Xf>K60KbdK-1{XFQ>fovp~s==-* z6cA*sEg1A;dZfW}$e81hlrDt5sLF?GaTG4QF`J1qG(9NGL;*Ll2JM^Je>^_4viI1g zPwr^3joGJ1&nv^PE`)1i@7{>qyT5T|Qkj2f;C<=~^QXTChxe&mbImtULP zquhOadTV9cxc&pTT;2HV)S>gc_E8UmcWz5gy~r&cFdn>&Uum6s{NlB} z(%C$*{K1kn`S5dV z2fT5R6pti6ylX>!YVq?WW#r}@_4^;U#=l)nK?~PLFI_+SY2NHgPwdY99A8)+dTQ_2 zGaGlFJbusj_oHW?7q&k0&kQ#Fq%wYLSMj%77moIj5&M_PW1C-EeWUTRe|FRDt2ais ny_#{zARh5sX8Z^aG zSDn%>+a@(cNE<5Mm;5f2$Gtt2!fiJkYQkY*hb3Mz^HJVfE;&=SXz;I=$5k^Y85Z@S z2q=gOYjNp^!pf?Nb#GVWSWg=(f!|nGG>O%_e7Vwin1hZP1 zSkAB=Zp?28Y9=7w!ofO#gAth>b^xZBIAD3Tmne~kV{+p3fYTjED%CFV(<{nk*Q-r5 zDA#Vb(Mx8^Zxbt7jkG)zTs~=&b8BTSGt(~=y{0#vNJDCj<~FeeCuxU}vU1+a9c@|_ zo@;?ZBXwX}t5!)>hMxaV8({Is577vC^&T>RbA?ZS}2r0AZ;A+MY{zpTUlvjT1S}8yW9pyGsY7DMe7>L z?WQCU>&dLIo!0!RCTs`LoffC zUzcxOdhX19PrP^X*e9hcp8wz^Kf0jZzWN}1c=79}!EZNTd-l?c_-9w{x_Rp>^RKgK zo5_b)|2TK|j|b$N@08ZN@$ikef~S6Z^6mc7H|4cQp1(kSd+pUPUi$dpg)7Ieoc!_w Zot&9I`oPtn?|q-T_>lC><6mFg{{y-KO&Qo=Wl_B&vvW-m@RoS&XoOPUCfwnBF^13FRVhYw4Qp#|;ERqtY%x+ey%96~gn$D`;;v%l1ta9QW zKyz&t8#a0qb8dQBMGGrsDUbjCMHw~;b59i#cTaa9r?a)Hm#v4Sstmx?&6UH9)m+I* 
zS&iFH)S+Yr4DtmcwnmQ?YI5>;iDS5f@cuH_c znCdV~aB7Han`->8Cd+KCYGFkpDdVKB?!sbW!s;O{ZqCNeAtDO21hR=aNQ(iu9o2Lt zls)9xT$HRt*@1A%ELz%9Zfq7hE*=sZ=ll)W1-i>{}XlZt|h_*Mb1`!r7AbdGTWt@34jkg)c@TkqL+?>CX2_lx(8n&o z>@a7{D4tYtubUIZI`)^8y_gCFtAG9ajG-KjI^NkCn!4^U(hf>t!!}4&N~?euhrC^2 zd9C&oP6pRvuFy%f;gvpJGNGx@8RzvmI3J)mv0x6`~2Sg|cv1 zcylHpn&mYT3Esinm0FdyC!tJ6YVeF6xSBKkM(5+?vuGtXuPyEEV+e+e8984@*Z9)bcR# zCYDX`43#g;`!?b?Dd@yUacjNcaIOQyLwrVNr@MvqMFUqZh@?;%Ydjy+99p9I4$5PD zV90x44&XBtDbz01J>!764ituy?VgXn#S9d*k6TVC#h2?_M-^}L05`8ekbgD3mrKkq ze4+gEuv+Gcf=PC<0w+;euHG^8nXB15S0Bi1LJtZfKiT#HZtpZouMo~ckR;FLr8U@~ z$`3Xp27m*%aDmO_ow1<6sVHGKVhmW9U#t@M7l!bU~%bKq!t7s0TL9_-73~|^vI#W`J zD|4o^yCY-kDEkb%wj;b=v_HIQ9G=-CA}5K!^Qapt-4R6J~bv zc9s8Qm}mjMG@|gZto9h#;s?he*i@c?seOl#I=FWOWH-tq`a9i`k9M>GLy%|!IJPnB z@?)D&=s^!qRPuRM10L6}`rTgp%Ww;Vx~SOWCTQRN(xEn&?P1lHK7t}bJxx6n?G8n2 z@Gjw#{H;EN*y8oFCrVGvoE-oizB({r1Y>3DtypW<2Z%X$t_*XTn}`0yfNz^mK=H8y zH}6z|&S@kweYbIi0aJB)h*1EL;^gb6W(dEQMQh#{IfFEh7ZsmGCprcop>%;WaAs%n4PhmZ339VXX zUh>|ITFgP%`I@yqRii~Vs2@Wr+Y+%QO9wU@bek=`)9t%;%fV-+>*x$vd=zmBi?HUa zLB^BMpAcXlXsMTX;V>fEI%mVBy>L+3s>GrGLnBFi*TvPnu1ad1rWmsERgW2cp4p&M zz5sqaF2FpxFu&6D3YXiW&{ceeO%#>$EU3Ojl%VekpKf^S=F~OSG#vY;SjxK^WHM{O>| z+JE_!Uqis=_xs%Gxe&s<;N!nxY*LhUF-jms28xf{(T`vhhP~{;uL)g;%^kYm0*N^B zXRmN2C}ng;T2aYi_v{g#K@zhg?FKK$Pv?%JByjmSrvE}6In`LGXc48pC=AOT@eMdM zyj2m$!|9pEF6h+b{Fv{$UHetZL* z;u0Bu4jJDP`#=6Uc9@t1DF?&mcYo`DFNP zbcZevtbw!^kP7AfkeK+rNlL7jP7{0eZs*Dsr*GN21s6&@-Hd z`IOjGbd@lkZMAQj{A8nva~~Uo1DkDHTDznt{_!^#>XOeRY9yF(CQA0v4xpLiTX<}p zJ(0BF=PTN35dxb}^IQ!s?Pbn;(CGgx_(wsshMZAs14tnu6CeM?JwMP#a#y8?)VM}QvKTL#t}H!CLvD#Ssqlx zPA!a5`1_GWLNBt!5=A{+Yev&=SfRuAJ@xzjWI)$m;i)zg&2JE9*El_mY%zt1Z+bK^ z&OG^D%PbL1O7cql&Rq=gwzIoS}*w~2Ie&BKx zee8~Up63D(BXrP|(fp3zORW3>sYPvPhoQw}8B-Ut3Sm8-TO4zIIDB*Kah^8j!N9CL zLN~AP=eJ=;&cp7xT2nI|srffH=fDl=F^v&P{0=>|E5gp`Q0@!0mIH>0IN{>yGj;-2 z1|$z(Eu}!oQEO|1ok598jf^>xoiS;j_jiXoD1_5CaCwejlkhqj)|f_DQ5O%q~f#A36B;=a!K&)i|L) zg7!cFo6=pSoK)%?sRbb;kv}qw!Ir4SakxLQViw9Vg=|PHBMV(h7ch7J#Lkum=dyAv 
zU7|1sIInU|9LJrfu2$xOcARRKKmI_gP)~w+mgBnq3NUkyO!acOq2J9MMY8ig#VDZg z>RuP^keX~8F0?yjg}Wfr=Lyp-uOG zfH*?$3^W?gBtKd0&p{^3)e>y`ODBh|#?y{@7~U2Vjio z!L<ybXBcB|Gj%cMNN5KRqyAm4|1lX8xlo#2%<~vtA=5i(?%7CA zjq*qpvtPcF{F^@q>YU5A z80oYu*+Hu|u{M1+jojq@jw$_%EAv|#F-mT_{oZ=VZ;Evm(nj#)jcfL-#knu~8--s}oz za)c~IuJ@^n>4uQ*87*LVqz42P*xr!)ai>J>=eA;-tX z6SnL`j%6g`?jsc9jM4^~?_Fh^ZBL$9oz|LQW5`d6x;Lv(d_o#U1?V~hgF}Z*EUxAjhQ}8VP51L&?3O_ta zGF*ZMoU3m)?-g|Zo~^52>3*ndL5*jrJu2(+yJU<`6a&O&qi4s_rY@6X&J15W3u4Zj z^-#5ev-kng5nT@bJ;>KD9I`cXx8u$YfA%&03{$9BV3nUqayH5!xUg-&ixW03X_;X8 zGixjfkDbB*2#>1J;av7mwn?SKueCgjZ;YlLD{*amh9zH8@;w5Y`13?VkjfCS41EF` zxR$xRr6Mt1P#1;^>Z+_CuDoepSUid9&k((we?EnOhmiD8ci~tXu%K7klF6*1C;k~7 zy&-f7P%evC7gb~NgTfns{0Hvb|nlhA_^eQj?Ej8Z5Em%LZce< zA?A<$2EBO$w^*em+@k0>p;}~cVbulyz8Jk4p{dqcHdV*t3k^H%RRJxHpycpLL&mhF zBKLlufO?XMnd7@+SHB5O!ima9R?yx?cx+4z!R$V9^N82n>EXJgf%?_5fE5+oS&sT7 z5KQ%ZdJ+C54~IAu(*??7&BCkFl66??2A(Tudso;OBTPHq?FA)10u5r=8z|pE~O#D8`gsaK-$Rq&dy-2A9dn=bGQ+J znh4$!#w{V7dF#GzvNM9@9T_R2KhGeL31{6($k?Z>NLr5(!}2&fM1vP}#c+7-*Dshd zZ^EgOH7C#N^it;0!GnO;>1!%iASB>IECG(y-WL><8;W8Co0nO{@VW$hv>Wam*BpWVf{#G-utoLdif@YpQ*qWkgw$gwzR_akghoCG1ngVtY(GKSS=u# zf0(We6I$WC``7`?He4vY;>=6mS8~%3MJh`j9fQBe{t-t08HsksE902b<%;Bxf$UPA z+pi;t$Uz{H{}}2Iu-vxJAis=6f#Kkn(ENzVSkhF%0^IbXP4)>Wq2Eme4S>*6V_acN`&`pHV z8a)&vAXG5|KHS;=HO+_b7T2c)1TgfP6^c^i_HLoL=tG-wAuvqn@afl*wK|eeZJi5V zKU~f{!Sv2CBRG8HTtCcUcUbe9B%u_bN5Yk>58$o(4_>$tT&GOV2~MSLcPei-F#0)n zW50*V#){fG}%!ISqS0uW1xRnpzTnp zpe-6I#eTIkz`;ofFu*~C<93ZI0miS$UYw3@Qn71e5U<+}nL1Ylm<=RUIfrq5(!#W$ z-LsBCR{Xy;N6iTC{i!>h;K zAaA&Y)By-qPpa42=Ad>oSvMb)=JrCG*2!5|W6$r|PJMc;v~|>8d6$dA+=losuqNYy z98Ic`3ejVhy{vDGTAGa!em6`j7x&+IT;qnEeCMqA$2e{cWEm5F?#tM;*NplBydS2N zudkhtpSYCdb*7;WTe14{LQM>v<;*RKc9}giJ81Sr@Gdb@m-E${TWI*$5ur`O_z-Hu zt5d?RS<)PL%YOnB`fe_XuOVBq&W(rw=W%vfJ+6;e$rhHy5Cy;55G4dTTC9|!g;rCS zVewwxL4XBs2Zg7_hqF2b;(=PTGE$BkpD+7`1s1Zk>Hkz(MfrB@C!*18r$?_jmD3rF zqdNH=^s1rmmFs;d@Zx35k~9GetG!t4g>jj$#>CWYc%By7T@~C7LXq6tkgm2r zkFQCD84syeI4RSbbmgCL%;)6kScc^Qp&U+jTBq%4o=>)^``>oz?h_)2ZT~_cXQk@> 
zXz#{Tnr`E;$(qLkBT*?!>xmZ(Ke8emo)+?8_b|ZS&wrR}1zb>(^bWNwN-Rr)M%mS$ z&hGylGUH(buZTH6Mi)Uiu#V4=Z9ekavmC~Tb*%P- z=Qw*FQ*G82o-(Slw;fhBb47pVm3NJFT{86xN~Fp$DXpb~g`D@Gd=EydSlKZrI`bQ<)@U$G_r>{v20^ZJWZBagM5R;ag#5yC zLSBZ(FT;?G;p3Is3xJs6!n2>PxnBerF0sN#`wxMS31|&7>|EG#cwsoHLNQT&T2m2k z1k~S}xU?||f6BmU6;fsnL=F;hmpAi@A7#pT(fS(6%x|c0FbPeQ>#VnQE!gQvMS^m< zxzt4XHXiGr&<(<3Vx103PvI)EhXqGx`z(v17sX`ySW->SbA7a@nN<*;v%BO~943KU z58af(^+gH)1KQk$?~U)?j#q;aKScUrU**YbiQHe0XOKuU;hitT{5bTqNnAL==(wIU z>Lze=D46osnhWwxm>+@T8nw;XP0Q(hd&>bi`(^$>ncGkd4kkKVAH&YvoG0v`k%M+5 zX3dXbi&iCTa}k+Og`G%>qaThwm;)QtFUgelZ5=yF?p&TQX<5=PdfS)(ZfIxPEQh7b z(r>PSe=&=u6$xVi>-SIX{e>}=qIGV?4&zc}2D6s_} zaG9JK=2UIrW>H#*2$!-FN7Ec%k>ENKCUr6kd{gk^05Fp)qTsImlH`pNx9zsg?xTIgov)2DYPY(ShmfA0qyv$zHeK5tpv0C5OoUIuH+?_r5&=R_0PIPZ% zLp%dC_VDk?wp{vPYrN@%0jh@}6sK1H;ehXxFxJT5N_ObgW4%`))%hbqnaXPgUO&`% z>lQ5DayZ5X?sw1anDkR;9%q6N3GluiTAzy^#PJ_kcokC?-*BwKUKw6@Kosz}=33-zm< z9H9nUD1v?nH|$T1VZX2QYq*RShZ@3{rHq5J!I%BE`IFZx;hc{kRMq4kNP zR8fHVrE!2NtyGI|oo&S!*`qw~p3TQBr_^QP=^}bPP-7OM(^smQ*!)DWJY#g6r0ttiw@m_MzDaO=@q^tkUQy~-qCcB=Q!D`Knl zlM87gndqMn zx2882`Xyx<_dkV-{+T=B1g(sUINZo|naK_f|C$95;?O40NS2qO>5%*h2ww2U=qjTI zF`=Op$;{6~tqHJ&g#{w87>d*(kSF%>)m29KkHolE_Tb@?WZ;wxKj8KKNpS3T1z=r!NoV(3N2=v&McTa+iAfG__AIrOy=>V%M)UBQvRB0dK}n! 
zL_5{D^`7}4eJAUc_-!)-z~qXW;?b%y`VF+R41@vo+O4f2R-!)gUO>nYH~{whNWRtC z|W{IOvhECK|4 zGRKD7wmvw}(>3w8-R%lZ3l#flFI_gH&M9e=YI0tKz3ClCy^zal{e?FcInn*RgxpjU z6D{kha;CN$oXXiY{_K6!vzNl}^O{jQtMEDR_@I?5l)+-i$#B}&c`3$Jnj1x?ro zP@$@6tg;hy^!J%$DZ+juz6vq&7k`UK`wehuBnyI?8i>U5J!yA-ZpRh8Yx7s&b&9vQ zGn5tnnIF0yq|@^d9mVjI`bXXHyM&HVvR?>wRsY5w=dcfXc=yKl@IvD_6e{xmDfw3> z6CK`SxaIVbFEybqaiD*Ks^zFD0}%bjsRPz{NfIg{*~^#Vr85dKLKIapcdvrvK<>P3 zQb7g$Voq(HjWIBZsqIqMr{SlAl01VV=yqzquLwaVInm~OueX;|<}{|ZbHmyCn|TBc z1MCFX2HYdQs4^#X?tCSzUPRAl^PoLR8kI3ryN?A|d5Hr)QM7O83r<|&dRK4?)wxml z-Weo31_BAyRCNxqLGAtELKmr%$i2Rv%;Shfn(#j|UL~rt zVdUEWFgrgZY$E}P@E@D(3ytC9)Sz7E8M@H~ACjBeI*b#EpCNLPHvY^m*#Z?vVw){4 z(Uv9;GuvTlvPi?4+XpX5mmij8&9e%X+4mbk`q6*M$w#-L5DT7W*`3cpK|7l>J}|bg zWU9hyM$CT3VmYK;(UuzR->T$$x-O?xA2-j2r79E?z5VNTzLGN6K)8ww2 zF8*7^pHl~{nj`imUNI$<@!JBn{l+I#lP4dgNHn{?NX!q(g9VDVRH^qz8L3)h8872T zK_~CqI~OcER=p~WTkkc)4HsRa8z2&CxmeJ3rYw|lK_lrpmy(lXI;;K-KV)|2CTewz z=i3uv0|Ti4S{QvytsKK| z$=^inQ+(nXQ_H7OWJ4)xb;*QEn5)@pzd9n*bn!DRP$Q#=<#=Ve@&kR|uerlrwDRFtE&y*uo*^S+-@ib-SGHTjYY#8egfP7>!%5P4;#=@L?4l@)F10Fi~MY>^~ zfI}$jOZijwxe47KXyyrlh1pj#rgF67wt)||I8|xw^+=pn>z7Oo8u(|1S_r)QyURJ= zhrzz5Kn+WMW0}N^^OMNh(8*brgGLLjP|^pQu)irFZb!ZvVrjoIvlIBd0S6?+b?_My zf(_BpTZv^+35C@9*QlXUX++qSf4ew)K61$a@HmmsFWgkPoosz?IC6p`nbazR>c)vC z9G{BSaBo7_;YyvNfE$89Uno+i?#Hyxo-tqh(CUq&ij8*qX~T{Z}> zo_nsTgO-Iu;@%9IQw%1IK;G%aA`dyK0AV-M662Ec*!6I-8fvpM3zdns8Hkn%K@2*# zZ>W{R5E}5-h5?bs5OAlFidrzJzeRNgQ)5@50s{srKYnN5aZWk#^_`asqdgo*EGm zg}xAyoxye)p{-_?XU*$Jp<{;JZwBt3{yq2+K5=8+tF2n*_r^bQ&g9R-C-%npJ7Tv4 zyMsr!MwnonA&a!HC_bHz?1(xw%~F*ROv;b;hsydF*dZ9^-{>v@H(uVR1`i)XNn`!G z+C%-hc^~gZ(aaoV562Pk-eRY@Y;q(nX6SfCX_~(vxZhY|+xR=FOQiEkbK9^1BW_Ir zF71!yFo7s&W)0zB0klvq8ny_eb=P#`(O;pwuU73X-99pi^ z*4nH5i+DvX(M%K5rlw|gI!Fpw*f#QB z?raSwmxJgf?TAt) z^+|T(S3wC)pML#07@2CuZImWV&-`~Jd^LrED*o(lHAhWR;~<+O%!dKm11|V;OHnnIBL0C*}4<=@Bm-{~1115(50laBryTk#XaH zF{VsFR^~Bwtdb4lBVaLHVCapHN~xX{Y={MzgWq~Y6pW&(KDMA%72^zJtO27_KL}{O4IipK%QwR=pwf_k0b9%2;4=~)rh;g2IK&p-iJa83=Lw`LTGf}L 
zDqN-}X1kiYeJroR6kGY5X<5`iKZ}TYE+kU%%}NIYg6zFk+A^fEKxIMR%%&L%Jy%_p z2H1O{vjJ>~m}A;jfhX4!1P`>!Y93gJrr*)QhvSWnq{u0Ux1G43=&c*{9w^JnA}g`-mrZbdD~e{V|hG-crW`57m*%$4BTYK;4KYY zKs>&)AjBNhjJyl%E17SP@6KEm>T&GZ{cSh|hVi`#&|3`VpchaP^Ih)Z%yUcvmkIBK zzw3<*1SnOlAxt&Qv_CX9aV|5#MD%*UNS(WbX*!UfyY6T?cc?K8mf@jYh7dh4j+GWUJqC2p$wldIa#96wMRI!h~Tv+v9`t9Z{Fu{qF|( ze3XSniGz}ESd}iH)s+6^`0%aZ9R412b~6y0*NUcakHnJfqF#fY7Y-Pg5uK~s#nzuz zz*45Zv^uq(UT^=-wCYRXh7wSeh`D1Pyicn?Ynv4g_v|)c6n;6k-uHnLKD{pUHJ$>t z8o8yWI1qR>yvwr_kPR>zX?qvN8;h4xZE+J&r$d2oLcW zKZZ_5346ExDStQ8yIzzqRJ8c?rcB}KA5fi7l=4Uwqusr+VCE8#kF)U}Z7!onOD&y= zv2nrACpsh^W#b=r3cFR17{ZDuIf`=>{9q6cDDvnzE0)NOX$fE63={xY@Wv6Se~(_R zHJqU5rZ%*qV;d&B&~n1&@1T1yxBQn6nIkII+zA(HpDJ6|Rfv_+Ig3k1w+VfYz@Eqo z>V#^WI)UQtL{WIc)U<#qkeY~EwO~q3*B{P1qDX_3cpvJ-VK-a{0$vCp3l|H{lKNe_@zeAo zN%)PRS$^t+AuY|BG(YsHOwDTrI#p;zLl_5}H0`@zCX(MkFWLH z8AQMFk7GoQcF3$JIO9JU*I+PV*k>lgm+ZR3ox@q+ha$$h!m5h{YO(sBK2|0@7$9GM zuc_E$ucqqKwsaa;b+{Hdo)S*07 zbqtZy5-$VdBlN-?W~C8MNunfHr$F|P_2PT5<-AsTRJ?o9pP>@_K5_OHA-mxH>+{q!H7;(`H&F;KReFqqO^eLQj9k_!U%X{)`TAT7 zp(ebu^=|+Lwd&I zK%-#T_~exxaGSRapzk#-`EA6I39lEvD!TB`^osD?)on+b)+=H| zYyCj##|IV-`7MSlm#L_AG#87aTmLX#_B0-i6k3u9R#6UqBuFr_(BMwHfDl~ufN0w* ze>_J=K|LBF)kj-0D)uQs>M@kNgi6Bg%#2a0Kq(XtDq=u;!cis)%=NUA6#jGB1b&*^ zD05z=#|J@ji+zx_wjVS(cUT(X^o}pVSWtN)Y*xAAbQK1WKB*@1V$^&WodfV~vI+PZ zqIIgC;P*$WK#wWi*r18C|AqSl*te@VbD9HdYI z(c*W2D9QKd2MBh86iS3wro9~azl?-=`Nmu^p~>Ch&l7BYCZ7QGnCRA z)JJ<%!mm3q*Z<8WL4I<_k8bld#Hwa6$mqd|q=Qoj4{;ht8-A!J0VfLT`8^hY+l_XB zG}pnV!(Q+XAI zdZU|{kjrvMci28tepz#uS`#kK!NJ!l?QZrFMyB90OlVA>Q#<_r8*=sBObJ1fuzY$2NRRz*l2lZd@yIL3rmKu(mEhL*A}trU^2Am}~#@t`|; zZ0H=h+dpjWUcH+DYNakS6k!z+3dL-AJ5MOHXY}Qbw_v{=J{?X7k?o1COEEhBRb!-W3K*qZ*ebGlPq;Negtiv-8)xX(uZ-c$OnqL zD-~)L_Lfs$v_Z36 zZ6#?j`7EM^$`H;AM`evkib)HrZ90Vnh~!&w%e}k7D`h{z)VgyP(wfS09KEu@z~}CU zcLN8kBOevphdOvvQE$*K@o?gzDzTphdD|OZ>cM=!Elp1vPvPIm0yjehuo|U<2%qTl z7>e0mR%-R_%uo1Wk30hK1(?0nU=Va~djWN~H081LotO=07DrH>!xbF)>S6UodTS=B zn5arJV1?1~P~j}rW5Lt>7w?2_PVGoIEVPM?RlKwFLgP_vrnZh=5+^AtN0~OvKYpt5 
zl9Bc>R2k9Po$Z9(D3E^lFb3B^+@p#$aWm(Vm<8sq zhO>I`?$qM?7&lEc<;gZ(yQ#f2P_u0nTHK(J?FekYhEnMn} zt}V1bOJ(pz=WWs}WXx|FN2`@((5edf;{gl^!$yyK**&@W49}nw_I-&?e}g*+8fi_y zG0vs8g<8LM%k}LpGb*M_&`02~Tf_t>OhG~6VguUyUfPP%U_OK3Ex$~l-*v%twgLUqJR z0XzB;1Ci(UFeWP%tL7dn$}hdS>Cygt+X2fZ7F>)?Q^NgC!4%q$^}xq)T5(F@T+oP) z1yCyB_>#mTTv6y^9B;RylIV-Yx3@i%>2ee!%O+dNvrY=oh8?jlR4*rE8V z&wt6+!k;CkcmLLAu<~6yIra0%xv)0*Jw8(Hs%rD6_C974ix)DBh9rHp=@F3uLTpgd zl<7Pxhz2ch%@e%3GK>qxq@O7%a_1^1=40nuqbvW2&ZHG@Iiinq%zm+Xl{bKD_U-EW zI}U|a55*GywV-a~dJMCo*um`-*J`0sy^YW?VoO)n`SgqqNRYAaI^Yn#uS4*4Z^Io- zRD#tdj)2O@%b7&#nrJaoafNRaLVDExI*Lx(=+SXhvr7GfQ^XW_D||;wq||5R)gRt~ zURU0!I!kFrMpDadVF+`l^$L9 z<})O8Vz{ou+En{j4h{cQV_J8fskF+j6^9p8jK&XMWVQ@DPXDc$`s6Tl%gaZdXEAhie5{_^h57Z*%d3>XFKha8xGt?vy@=CFesUX zp4xMNe;w*0(eC?!pEA2DRBuLDazYPYuUw5Wo<`gH3eg>3R#gH7o|yOftR{DPIriAI@I3^kZWh|qIx z5SUwufj-J9l;6!Yn}f`)PCmlkNg4HYV=<>bm^h&CaO8mYfF>(r z+h&5aU{dJ7?sF#r!S-iEe`rt;g<&%~2SB!eV~2xUb&i22l~oYwF+M@7?64FV=n-d> zi0anYAbI(AsV{pZoI!wvz+8;(L>3)c(}%0hk*Efnlq1d_0LNfEa+;-%UVqQ7VP*>v zSKZ27Ate(#+;)hk2uZW<5X}fhZj(^lX8|wk>~1pu4s;$(^wi9v9?nG80y5FV9#DL& z;M3`?RnCk__RIp|GUn4ptkICPa(3PiGYK(3a^meUlWJSrLom3*< zc4s#$S-jA6!C{Y_JX=vmv#nI>P75d7wc$o?(m7oZzs9o`btSrYx2q;Oj7Q&a z_g?bkt(`~NYE?B?QZnSGIlx$qE@t!ym&)!$wzu}OeOoT}eK2;L=|=3k2g-QE{S~Vh z9P|gfdrjjJvaXLJLgp>f*U{15Xr@38eMlw0MS`%|!8W(=Y6eI?jMKZ1w!crsl@#Cn z5w{`Df9FxSaXUSlUd{7Z&84{3a;bfsNALGmG^DUtwOeugCUEl3waZHAg22Fkmb1C- zHRa_+`-7ebTM_S0i?vn(8ZPcO6uZf837rD9Zj;dp`dfasvAm$G_Tr~_(Id5X8Y0v~ zDwFFggx5hJ3YnDjq2J>HiE&qdq5Zt*oHE>R`sVc$2Wlcwrdl!2b@X34h0fDoH}$7K z4zmv7gJqdmQ>B<5iY)Wv$6NNP_>)ICthIXi=Qe3_d#pkiP?}rIwc==qMgjlU>4BG) zivCc$;h2U?ZrvH|RN;4$h5Yk4eHdBq6F~?^f7;o+={7;3od4wFv&*hTaBcvk-xKwaiBKXsIPE>6%gP$5ByAM{UWlZD2b=%C3qU5tfMJ_ox-L+lY3%Q9=!WS# zaMIIK?&|Q5)q8_u&9Mhp7LM#&*iPPw?`9@-U&~R~`dem#!c1@Ww!5!Pbg2b#x8H6x zX~yk)@P3hCRxNFZ$UGwN?ou}wp-O>J7`3QuczZzaD5C8BbqqdQ9g)DA+AgbE|8W&i zh;$yU80!s6EYV|tywEPKeZ;0Ojiuazp~h=(^nU>sEa}spYFAbuj~Yy$0m#~$pd;J! 
zZhKk-nz!+k#MDWH{2y{U3gsuR z8^8g$cGA`>!-Cn%!t5szhS?~SMTzs=q_~K{4%9;D1MGZ;qqiMt~UZdy1|I_X^^Ds?ORu*r0e%gl*8%*KQob60~cu z;nI}0f=@t2H@PA?mkvvM>uWKoHYTb8@)4x>2=%)V%CzeB#$xzu*Fh!JL!y&>kJ{Q| ziyf{x`8<9iHrI*u*_XCv7Rd_GF1-1VuWz}%?(r<;v^ zsqre$lvwz^D;Q%>CZ!d13My*kIKSIK>CkhvQ9;y~+$(wCmTXxFha;K`hWM7-X&}s| zXANmp5DdIV$sA6!cw09zQFkh)YetpBwiVjVBJX&tlS-j_8_yj?HMc$dVz%vB=>Nq^t?P>%shg$EXjT zf>Ajon-NqLF`@M=fZ?>A{HHFPZo2|rU-{CG59%`O-V=1y_ijIDVgcO$1oEMd_Hin<7Xq99RooAR!r zud&JCG4sHnn9=&{bYAEF`M4)609%nB`b3xy@kz_RXxY ze{DatL**yF5d0`Nd_bhRu^g4sLCjn%rGBHez^BImd}H4{MU2k4wU+#%TOFC`wv6b0 zG+YARsuIiEUt2i<@BZw^b>~sXLwTzJHYJ!^^NKl1^W4kEJX9?rk;|x%jO}ia zJzc6UL}G)<)UsiBoZ)j3QHT6fxUVo1yNo+=GlBlfu$bzEOC*XmuglIO;3xCYE^*r; zoFbN<5+gU2IeT|wOuGBrQb7%lB z9w#=0CsbC11h;5hn!R{&srWXZB=Bu!tw zS>LH0=tT;P@ECg7dHkA%{O9|N4laz#G+%)|o+@&V)%!Wbe3eqU_^#?!2zitdw2)kx zR?A)-bsU3t$NxT6$aIom#H|2jP5nABpy~JEVcOsk_SB}$Sl4_XG^Th#zrMg-)o-%J_)1p6?rfZ2zAB^S!^P3 zyy*H980Rf#T`)Y(%P!ond*=+XiTCu$87cnES>ZJztRCCn0u+Kk7B4t)s8qXseX%*9 z#HutVEC;0mt|L=W;-tJzk~@=rvv+PZ!<^S;I11fDAWYYu&GZ2RFtEqY)*Py95y>!6 zRqhPy%<{c-7?~Q9iv%`Vkr}F2p8B$ejdt@Qg61ePyZn(>$&cpf+R?A-cV5QrT3IoM zMN{%V92T62Lwt<=44F zLAJ9G9(2tnx|@{Lb z?TYED`TDzXhC(3eNy{F)42O1nW5Qq9cpaI}%+S>?;a85f{%Hxx&%fO*8wrP`gK=!S z4xf@i>>wMH`29ZMNh08DQDf_o}S&0k;KyNIjivYaX%jEh5@FX zzH^Q^`547&JjUv<6kf!qnw6l6)6siJ=uWTSk?H88!apW_)Q6CDn+E%bkeBIS#7WO# zLodNe3_{*AKjO?e#jUKnUnV6eA(L;;mD@VN&=NwgP{H6SP2WedBxg_I0q3B=(DfGb zxIUWODo(LU0r>P`hV;*^J-&+T71J*#?3!zjl)m~-rnSqvTN@@k$egaWb4x{C1*HW1 z!8Um>^3Yd%`83!w#x1nY=*+k8YqB_Exd#3)VaS*T_9WIf%d|qu7o9$3d9U+QcZsEA z(Jf;lkBFV`R@x@lQT|BTW8@LSb8Yiznj^3nL6vtiWP981tdn2BGURwGYCx5RZNUFm z_83#oTVwAq!twyCZDRvt!IM)A5GlVXG-TnS*KEwnmNu=iap}`@)rK{i0!eXt0U?&r zaTWeeEXyN*!j!e2OgKuC*Jlk|Cq(Pys-MC~A4}++nq3g}`e(+M&gY-ttL4<*o|2Og zoFjuxr8|)kW0`tf*n9W8Gd`}@r$HBbk#r%)eu>QY@Ix=BGNH~StV2NGH0U|aEM>(o zV|#6jdey!~$%|w;y!FD?`v5>#mw|)dV4f<}1)k2;GX3RSD_P7~hKSAPw}sV|=l;h! 
zUupg8oPc}_9m0RP8S;4q#VGy;r{?avn_e|+^?TC$ul{h~Ht9~fioOD3sUo0zJsN#( zFE??R%7%=PDAqiRxi;0N*+QLD320qf(qbdyN&TK31DyrMXMBf>(fhPA!wzBx(wqxu z#m>WGCc_y@>e3;A%CIwE(9heiTd15)*OKi`ZD7`?tTaMX)++l;CPZ%ER190*Ht(N^ zY^n*@d;5*=CcbY4sgXsmh@2U$%@hR*vqSTU24rfjAINPkbn?9JTNPH~|90%c*9{_(@3W}=i%XeqWbHz0#;@Ie z9Ww+MBNbacc8VwCFQoKVUDJr6?_ZnT5!3EGNLBnWZyi4^dG;0c-iJ!bd{`f-5%#FN z(73>5>OBuRHxJ}RPVy({n6esc5v~(Rp>w6;6ZY|(y&x48b%oUBqjGd z%LD-p#CZ&e_&rhV%~Cxkez9t1Pk(1}_B{qA7l<4%D=o37w@=fd_hfx-wDnELpbEa% zmFVbMTY!MV#F9j!G5wjGj1tUB_LZyKk6jLl>a7XG$r5sy0PAtS!>@gGjyUqv z`B@j9Tj{5>r)#$X09_qRqsoa^L8ptz*$vg&EaWUI`Sv$KgS3vZ^s!1*-INo|)SRCF{RZ(6&omf2RWY6vIoaTxkC=?9f!N*2KK*ra2vJS0G*+Qg& zHbJ6pXQ}IFmyJp1;+CYmd~F^g_e-Cagcn7B{K{Dq^?C=-57c+n5Px9`j$4uIhJZ;S84h{<4Z|9PE)7^cj7 z2Tn#&Q(cd@D_*U+L3O$))@|t~@`A6(%2_@LEA9fnb8iL=^QCb3^)8VX#5&``@E0mM zoH77bFo;5!iicAyubuMw(dy^5j`)q~d;BlcrTY8*uwoPC(>qgf4g}@BmR4SlxO3;X zk|5q6)BG@gid0EYXN9&y^-*#7L3u2DK}k~lvYoaeZg5tWMo;vlz*Sf2ktTrZve7o! zx!K%F(RURD3gdVbrH7!XH03S?g)!e>hLl7_#(1*O4zUPoo%u-CNMY+0-+zM;18K9h z(;*`es|EADqb%K`)En=NmVxTPlq}TS&(=pKs_sWtzFEj_TG2(5d9LlZT}Zwfq3Si; z%cds@>W44^zqWrQbv}DS9k;;6BW0zoZ5K2KE&}ngZ{Wv_y|<=GLKR{SB-WVaNl=)D z_07Fkjh*50Yb%+A+wTG2=WkS!n=nX-^X$LE3dbA>)cSMYFg{icumJDPt<-VouHa_& z2>79sQcZiVw5x34c*EoTGD*)Dd6J+Nth`Ow>Q{hKu1&@8Nb4cUclh>MjPg^(I45|x zp=<cWgrgAxsA zo8HDX7r?OFlO@<*dTjF31FKEMD4AIx+uU>*Xjl1ts+3*ZET)~dbK&DVq2C{K>!o&_ z@dYttAh-(L0qe$qVn7kDljPWDH}I%E`P=Z?35^d0xgHbJ*nm>JJ!0sWX7vEbV^&7i zH8Qt^%6>Xl;nl_vy-r02Lz-O&8Ice7c30LUey6}6ZtrV&#GcbL8qJT>xyrDo4H!KA&&8JKLw%eYyo}-S8YQW3nI8% z;%KuFHjIIg!uGk`;@dxMrX?B6E%Aq8)mQ@_PdZvKm9RiYtd+%SQ+=PoPo^j*JM6^8 zj9euJ+FpOnIL_IMG>WTo6R11d0>Bt3xXwjf?06$H!Q=@`<=4QeWOx4y1D3Gk`OVls z#kbPGZ<_&$KGFG_U|<0zhaFMgFlN>F5^ju8w>9&Cn$RMn(-jB$x>jeIP4@Y8k$WO$A#3T>j?i+tcXNs1$m8rA^v z?+%JrxH+5KH!IQMg_VX%5}%1O+fwKpAu$SA-TPZNQq{e5coy=!qjxf?mq;TcNu%>A zRN*xI626+ffR~?B7M_ttF3A3(SU&BUU}CHHmnO5ebcyTUiZ=)dSa3*8fwZ{Ee|IMs zR>Nj9%;b@AOa4`>?*_fz?tqAOo6g)#m9G|m(`6Xd#*6$%KltXNgWjG7P6Ak$IkSqg 
znwxD}Qc!Sq_ZF|RcC?>uxS6&{aJr%j^;gN0o`xC)3t^e`ku%bQOyeFy_IXOr|b7Q|-i1SSg%> z+{y7xW-iQb>Si|`{fl*m~a6|IBTcj}IWSM+3FgwG7@69KOr--&&z za7s*hab3Pj^2AFnBk`(ym}BorSqxvDs?cF9-$$>y6CF+4o)Du)`mb0KM26!Hf*49?YUTzus?d6>IK_m-puG{;xu?F=i<(Pr+UjWMx_kbPt1 zNR5)8$vM?uuHgy#+aSKA%r?RRDMiwhNEpu*e_;NDSzqkLTb3jBSv`wny}528NUrqg zB+&d2@9oVw4AL|>!fc;u?#BHVb#?Wi&<0bW1Dguc>>4a9jj5SG%WJ!|zl0(8c8^r! z+!SgZ1ts1=)}WccEq&eJeP1j#m+sKM^wc=T<*`r(IDs8(YESrU&ZJdC=%6H}ZX(w0 zO?ATnO;1n`yZpM)H5EC_L06N#SE_eRVq|Hv$L(>;ZZI=N6c z4CE2r6*W+;(z!#d-#uP+D{DIN?!JX+W6~ZZBxUun$KLJ?u?(7}tcdxQznul0vgf%p z*LnjP-Yd4c1#7{Au>B*?HwL^xOZFzR^1S>8>=Ur)_uq~XMoahLgMheMt$2^kXF|q@ z2C(05QhkXasRvalnm(O3+>a%x=qL6lF5g$tN)FCBR3IB^!We&I@fpt$h)9v=8lj*# zN|jgXM)96ygTU-Iv2=!~E2L^sE$=GF4`174(Y}CJe*hx&TX&;@$j9@Uc&%JYx^ggU zhs_pGjL)+r^T^c~u1Ersc9zY2o z;HbEhpuFCSx|VvigzA>7w>Em61AX|zQR4eG{9+XGDQiVPICUp;RSL{+-a6;=`3tv6I(YV}j%t;kV` zN%q-sq~R|d=jE9DmA-vH>Cn*}NCOo@L8G+5V~a3^eiZ{RTSn}uG5~OPZoHD_;p`4w z6=1Hqg+c>!WXz;l&6Axj?CV*BI7+)T|0eSk2=H4!HgX{En}kZBoN6BPia?7Dq0_(f zpo%FsNnUN`wK;swaEFZp-GI<7Kvva`f|%EV5quMb_y*Xi}S) zTzPS```U!(b*UZahdJ8%glVEcEYU%$!C(U17=H6&{||>b)XR-Iu9YQZUNt|6HKgcl zxVTmnWCjtFUnVsKJ9ks;q|)!iI}OU_RR}@e zv{2fQ=@Lg844JKUb0~a|G6hpX<_)WLjXwpco_1o8fE320Y8uHBDB|5gqsyi-Ry@SA z-^ZgjeixI(p05|AU9WB*?xt&5hv(U(V-PEY{>(rZw~2U*n5bMuf_CVQtaqnq?XuJq)mmE-x{ojvow=-xS{S1?y9?#zn;!e#sV>qPV&SBrb-!QcKmuDY= zCjW6;-M(}#K<%2gA)7JH@&WXjVWIC#THF$IxI}02Fb8-3df5qsQ#|CaQ+XK!w*zq9 zOjF!ZAf8C=4o0tg-w5#0c~$oh%sc=e*ATe6;_g zgG(TYf}2WhaFlYp-x$5q9-|G2$9__yI1~c=FXuUMuu(OnGEP*0vy<2XUNJhTFE-D2 zWBIy16b`b+kiczSlsI#&M~_^0#{;46KX0YhvQ53uNDQ_)h3sqb)d2*sd($F5A;9l> z7hvX1yfv0C8(Dd*hVAp?#0wO2o;|&AUA~^+%&~+8OaZ!N7BXRw;0S5(Kr@LI-Fi`) znz1(aK?fT^$DQK`pHab6;{8mONL_lu{jM|h3t^90=2U&G%fUf|MU@6$F%hHhLUc3< zRRH=9f^9vM{TPwdX=w`xW^EEV?>6)4&hpFhR}yd?;F<#BK z^@oV7anU&Ah*KoXkr^f4;r=1JV?8f#umc0!*a%h|TaT{4?ADIMAtEY7YD_NGVIsH} zo?v5;JNC4A-qg13`RxT0r@JZ}ltm~A-vZ}Ec##_vz<3J?+???_kEQc9wLYsy_l$m? 
zl|)9eU9e}-7W5O{A1A5wj%W@>Jv&hdc6*!THe<#9?#y8@n2d#3>#y+jpEEc&UeTAL3{wOg_`tCkPL1RTwOy{*aI9Q z5XW-Cl4As~LRgT;$2`K@`~biF*bph@KWg9LHYTr2)vz}mR=xth zVi?Qy_WuIh;eYW7q7AkN+N?&!S#O*9;By|TSyx@@){!!QUcOet z&Q@24IR16pUjELmPeK#WXV?jho;A&p1y@WCrbE>iLZVp=sos;iOxzFIs(4s@LiUa} zrjBuHT7=vLQFnZDy*`uY-~ZOxZ??grQzm!Np;`oa@?uxgY29U+k!;K%-|Jwyk`(lz zGf;?6UlRNEoIlfBvQrtMY(@0!7xsTuJL|=GBvXSyUL2#V*3eK3`L0@z#z#;Q5e0u= z_!79bX=rE}&0Q(&=rCkx(armR9FubaDz$@nz>Vm9(hujuO+aOR9wt>c@k#wxyQiN7 zBqAXKKkU)_pRH7%vC$jnQ7PS5OfoHjGP0j;_nHNk$PPgROvGjHN+T%rh^i{%zUhI< zI|mYw&9Rlm`vlhL8=1k*XRu{JbZSMW2?N^7jW7JDlJgT$jPS4Cq*Vg7TA(D>RB36b zmD~hZtlUDSvZ=Q&scq#tKV0&ABG=ge@Y+r0b({r5jG|~X;8psWlSC2JY}mpstsgx5 zhk;+H+3aiP#=TB?G3%bh#BcRc%>~o|s}5h!hEJ2PA2FoQtReVG7g+FpTqwsuehKnd zQ_AzHwStD0S5#VWm+CL#1t##A(u(YVHdk;}`LAUo|6oepDu-U&7&#rq^U^sFKSR77_^eYh==JMHSp{ z&k5iJDyb;v5l@5ulcG&wr^WU!r%}0Uj49Ez3B|ySMR9&)aA&nb=`QZbdm_#ge=TQ> zj@&~MDdgy+`xrgp&zoqzlUPPs{nH?tf|HFo{vLz2Y7*JbgntkcH#XHYd&L@#K2n3* zmJ$q_GKRIQmNv0IoVCh0+z)wZjMx=yj*#c?gk?sky+{6_|3& zcT*dq*Tpo-Oyp#qVVDXvF0Av&x5SjI37~anbR%g$mPOt7cJxYcQtM=;MDvv$;YCR< zgun~X%g|82BcDg;9}aHrY4Rc&a{S)~+CO*|;#o1SwWg57F?%N<7?#IHeZB18Rtz@X zd=(nK_C54A$9|RVJ5R%;4VIKKQfY&udw?f%0ceW$0pkp37R>wnq>7sB3Iw7@GDoX9 zZ*-~@D-Y@s1F3%8!puSVz0)B7aFC-3g;qe)G(H}1HNsA@FA}E0(3dx?hDw(_x+!I< z{OCoj=wM1JXx9e2%}yd^=yP)8r~H|tiK=tOZwvMiXdo};u)1cgM2`?OpgB?z`+vAA!$G** zigqI*7*wvfH>sn-Z(;gL`C}HT|Nk@@e2fbwf*n;z==V4El@@8_i~_NeNtY`9z-{oG zA{L}-G49qen$lTK%ACvY7Ve=m&b z{>dXz0m_p>wY&(%)9#Xs;)9gHbDB9s@2CZit?CJ&?4r4dHVpKvpp!^TGF6zRh)e4o zom|o0Y6IArfxADl?gD*T*Dm_>xRrBVgEXOx`_|QUw?@`_zhY_IS8B@covEzfX7$E# ze#s{&z9>c4VWBQ97lo=P&Wz8v*&9o>?K2{G z?KBF4!W|`nHPL#j-Jm1MJM@>{bDo2Zs)Z)tO}ay$_i4aTYMs)ekmQnzamWb7x zPCFnno_pDN6S&Q?&p*^21bH~X={TFVaFqfl@%~%VlQs%jr@T6Zy9kgMUbkUpGZqm| zHau-pR&SW#4_-=V0ruYQglTLzkKUYjPYg~9%|eD$>ZFM;`|3MwKKE9pHU9+{d9|4b zY${ES^yCu0>w1zU%+i=SKaF#sBByIs`7@O@Cobi*Md#}O6tC3Xal^%Vea2OTNTcsY zouixqHjvFg*7}!i(-;$v)3CONnDm%rQ|qmm+=<#(+XrGu{0GquYLfv{q1SsGtF*OA z$TNrEJzJ@d$_T1SgFC)UDXa8V~c 
zE}CKoTH6Od5*b(SjQE6BkVV|~xfGlop`QDWZKPg=KF2tsn*xr`j2oD0lzaY5z}A8(MK~W~9ha2K2C}T6^7um~APUVPzC54m$+6a^VHDnlG1e5Q&@UvX!-*r1<2c_qz9^VvKMKDM z+k-&ppVW3n789^Eyf<%rXDw#7-nCwR<5U~A_(;c6)&TrJ%?;G$?4RyV73sOnO?iLXDt9OtXL%-z8 zdjj_Cxu~t*rj$eG{l`OUs7-}^HcJAl!e{w-iP{z~1ojG-rH0sa_uAF))<@+v%6jk) zsP-6uUN)lN%TykN%jQ1q7x(CS2jUn4Kmv)<&Z^)Hx24G&{eJvs6ZGLeTcwHJ?A05S zKD~|o3fJnP!JJZd1#=;A!Ein`K8~8B<%PV5>A{0Ob>S0Kf^A9-M3xra8zPVxsLdbf z1Q}jc*x_i5mZx&IGp2`2`yfmVhJdZa(k?v7(DerGgzqLXE83lOHey=VETBs`@anlk z?GFIuss@i)hqu_6AwWND{*&V-iu!2~NreWec-(-`OfPgU)Mrhve_p)Vd(5NfuhVGZ zj=jGF!Xg@cu)D66crlMMB27=VURi@1e=QhK;5xefzq$o2HUk+R~5D}v+N@~ z5>>W7&2R8Wj7ZYig<9>YrxyD5ny=IXIY(SpGk4NTb^anUl;-4ja7lu?5`4Y2Xyc(c zgchMLYN(y5xc6)PR8Rx3q99mfzHkq>O*ZVWyBkoL|r}m=_Jt$_ix?20jaOvWddi5eGS)-N+;C*32VM z4F-ipqc;s_0IRxa`~PGMQ6@D>7{YQ~T1`szx*>N&-vMoFy3v;=KCWyEa4USlksySc z;vh~!8tq?)rV;UNI#E!dM3E>&==A_9{7v3>(i^`73el%%&cd-C^*|K2f=D_X3; z*8a^>;OG<=5sa8ax8a~CEr*g+m%aTm+L*1WC(5~!wG=+6?ztI>Lk_t)IIZ4r&y=2f zi1uX#`SFy==-m9-8~EYf)AA4Ti32O^Ug2(a&Cxl5wfs4zDPIV*OkXTh)IFOxnnM_bejHw$X1iKqnde%**#mq7->8Gl@@#zl6$B<4w`=Mo?Qzln0 znfFV{6`sE*ejM0`-JpC%K5D9h8F!A!%U?H>7XZ!9vB-vGw4_%LeXDSb*|0-LVsj0& z;10Ddf4i?P6;wAapQD@x$mObgyb)zg0U7YH@=1&<;N{S|c-GoCQHgJW&h0JjFIN+m z3rk1QakG*y6vsgn*pqB8lW{*HE0H^6Jx8dqdgg=E zj8?3ZG7LyR*v@tUQKM;whv%$uk!@YjNjIzR1Otlf)A! 
ztS6n>$M5YU6i`|Kc(2l$3CshS0Yl4P@kCTTo&F#C{e$(axp=D0*w6rE5AIK(*=K9K zvZ=3p8xx>GEm+L@YOXcRDh9XBpI(I#&bnD<6sG#&ZgrLkq%Ir&P266;O9AN$Rsjf3sBN3CZ$S80}#4-S1m37O~92Q@gPEvKf-8|K>?x|c@y)uTEnNXrL~02n zL+3+8-I^70BD%v!Q7Eo0kQ72R4z+u(^^bF@k3s9kTJ^nks>b?mf*xio=+C|wI0Pkk z=dPh*p$x^m+T`F~$e&X_dK1;S5o$uX0Hm5Iq;?lXQxfg?0M)aX{ZmwaPRUw!AJf+O zsl>FXMM@qsXw$-Ob<@qB(#YZ&SCs(R5BRycm1yK*CkRAMMyWP4voMOZ-W}443scAs z4?8=U z_tt5mi)!CpajN}LTZwo>e<7DKXy1~DA($N-(&do%{)T&w2 zQBPTyNhB0C!f&}cs0$g~g$wdYEp8vk>n_8Rs#1|{;auloxz3n*o6^`?!4oCfVfRwd z8q7o$ zIQW+aK5$R?z8j&@5v$%H(Sy6WxMPg|kYH^4_pB(*polyZlftwvv*i#NcHKP|Mq)|t zL=X7wYm9OqGTsRb$$c|a42~H=^}U7bh1+{#-ytm`p>n)K+~U-3P}v=tdp^4L&Ruy0 z{UtUfv*E?a1fiSIuhOB)ABbJ~Nxmj0ezZZ*=L!-L0F?7`fGmH2KQOw|{IKufcf(7A o!YaI#pudoJ*$a>}wGZW}u+e Date: Sun, 25 May 2025 21:06:43 +0200 Subject: [PATCH 09/41] Configuration vaultwarden --- modules/services/vaultwarden.nix | 13 +- secrets/vaultwarden/env | 581 ------------------------------- secrets/vaultwarden/env.age | Bin 27762 -> 2693 bytes 3 files changed, 11 insertions(+), 583 deletions(-) delete mode 100644 secrets/vaultwarden/env diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix index 9adfcc9..1a27dd8 100644 --- a/modules/services/vaultwarden.nix +++ b/modules/services/vaultwarden.nix @@ -1,11 +1,20 @@ -{ ... }: +{ config, pkgs, ... }: { + age.secrets = { + env = { + file = ../../secrets/vaultwarden/env.age; + }; + }; + environment.systemPackages = with pkgs; [ + postfix + ]; + services.vaultwarden = { enable = true; dbBackend = "postgresql"; backupDir = "/var/backup/vaultwarden"; - environmentFile = "/etc/nixos/modules/services/vaultwarden/env"; #fichier de configuration de vaultwarden, peut être la seed pour la mettre ailleur + environmentFile = config.age.secrets.env.path; }; } diff --git a/secrets/vaultwarden/env b/secrets/vaultwarden/env deleted file mode 100644 index 80eb475..0000000 --- a/secrets/vaultwarden/env +++ /dev/null 
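Review bot: In the `modules/services/vaultwarden.nix` hunk the secret is declared under the generic name `env`, so it is decrypted under that name and would clash with any other module that also defines `age.secrets.env`; a service-scoped name is safer, `age.secrets.vaultwarden-env.file = ../../secrets/vaultwarden/env.age;` together with `environmentFile = config.age.secrets.vaultwarden-env.path;`. `postfix` is added to `environment.systemPackages` with no comment; if it is there to give Vaultwarden a `sendmail` binary, a line such as `# provides sendmail for Vaultwarden mail` would say so, and it should be checked that the service can reach it, since a package in the system profile is not necessarily on a unit's PATH. The plaintext `secrets/vaultwarden/env` deleted by this same commit remains in git history; the lines visible here are commented defaults, but any real value the file held should be rotated.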
@@ -1,581 +0,0 @@
-# shellcheck disable=SC2034,SC2148
-## Vaultwarden Configuration File
-## Uncomment any of the following lines to change the defaults
-##
-## Be aware that most of these settings will be overridden if they were changed
-## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json .
-##
-## By default, Vaultwarden expects for this file to be named ".env" and located
-## in the current working directory. If this is not the case, the environment
-## variable ENV_FILE can be set to the location of this file prior to starting
-## Vaultwarden.
-
-####################
-### Data folders ###
-####################
-
-## Main data folder
-# DATA_FOLDER=data
-
-## Individual folders, these override %DATA_FOLDER%
-# RSA_KEY_FILENAME=data/rsa_key
-# ICON_CACHE_FOLDER=data/icon_cache
-# ATTACHMENTS_FOLDER=data/attachments
-# SENDS_FOLDER=data/sends
-# TMP_FOLDER=data/tmp
-
-## Templates data folder, by default uses embedded templates
-## Check source code to see the format
-# TEMPLATES_FOLDER=data/templates
-## Automatically reload the templates for every request, slow, use only for development
-# RELOAD_TEMPLATES=false
-
-## Web vault settings
-# WEB_VAULT_FOLDER=web-vault/
-# WEB_VAULT_ENABLED=true
-
-#########################
-### Database settings ###
-#########################
-
-## Database URL
-## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3
-# DATABASE_URL=data/db.sqlite3
-## When using MySQL, specify an appropriate connection URI.
-## Details: https://docs.diesel.rs/2.1.x/diesel/mysql/struct.MysqlConnection.html
-# DATABASE_URL=mysql://user:password@host[:port]/database_name
-## When using PostgreSQL, specify an appropriate connection URI (recommended)
-## or keyword/value connection string.
-## Details:
-## - https://docs.diesel.rs/2.1.x/diesel/pg/struct.PgConnection.html
-## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
-# DATABASE_URL=postgresql://user:password@host[:port]/database_name
-
-## Enable WAL for the DB
-## Set to false to avoid enabling WAL during startup.
-## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB,
-## this setting only prevents Vaultwarden from automatically enabling it on start.
-## Please read project wiki page about this setting first before changing the value as it can
-## cause performance degradation or might render the service unable to start.
-# ENABLE_DB_WAL=true
-
-## Database connection retries
-## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely
-# DB_CONNECTION_RETRIES=15
-
-## Database timeout
-## Timeout when acquiring database connection
-# DATABASE_TIMEOUT=30
-
-## Database max connections
-## Define the size of the connection pool used for connecting to the database.
-# DATABASE_MAX_CONNS=10
-
-## Database connection initialization
-## Allows SQL statements to be run whenever a new database connection is created.
-## This is mainly useful for connection-scoped pragmas.
-## If empty, a database-specific default is used:
-## - SQLite: "PRAGMA busy_timeout = 5000; PRAGMA synchronous = NORMAL;"
-## - MySQL: ""
-## - PostgreSQL: ""
-# DATABASE_CONN_INIT=""
-
-#################
-### WebSocket ###
-#################
-
-## Enable websocket notifications
-# ENABLE_WEBSOCKET=true
-
-##########################
-### Push notifications ###
-##########################
-
-## Enables push notifications (requires key and id from https://bitwarden.com/host)
-## Details about mobile client push notification:
-## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification
-# PUSH_ENABLED=false
-# PUSH_INSTALLATION_ID=CHANGEME
-# PUSH_INSTALLATION_KEY=CHANGEME
-
-# WARNING: Do not modify the following settings unless you fully understand their implications!
-# Default Push Relay and Identity URIs
-# PUSH_RELAY_URI=https://push.bitwarden.com
-# PUSH_IDENTITY_URI=https://identity.bitwarden.com
-# European Union Data Region Settings
-# If you have selected "European Union" as your data region, use the following URIs instead.
-# PUSH_RELAY_URI=https://api.bitwarden.eu
-# PUSH_IDENTITY_URI=https://identity.bitwarden.eu
-
-#####################
-### Schedule jobs ###
-#####################
-
-## Job scheduler settings
-##
-## Job schedules use a cron-like syntax (as parsed by https://crates.io/crates/cron),
-## and are always in terms of UTC time (regardless of your local time zone settings).
-##
-## The schedule format is a bit different from crontab as crontab does not contains seconds.
-## You can test the the format here: https://crontab.guru, but remove the first digit!
-## SEC MIN HOUR DAY OF MONTH MONTH DAY OF WEEK
-## "0 30 9,12,15 1,15 May-Aug Mon,Wed,Fri"
-## "0 30 * * * * "
-## "0 30 1 * * * "
-##
-## How often (in ms) the job scheduler thread checks for jobs that need running.
-## Set to 0 to globally disable scheduled jobs.
-# JOB_POLL_INTERVAL_MS=30000
-##
-## Cron schedule of the job that checks for Sends past their deletion date.
-## Defaults to hourly (5 minutes after the hour). Set blank to disable this job.
-# SEND_PURGE_SCHEDULE="0 5 * * * *"
-##
-## Cron schedule of the job that checks for trashed items to delete permanently.
-## Defaults to daily (5 minutes after midnight). Set blank to disable this job.
-# TRASH_PURGE_SCHEDULE="0 5 0 * * *"
-##
-## Cron schedule of the job that checks for incomplete 2FA logins.
-## Defaults to once every minute. Set blank to disable this job.
-# INCOMPLETE_2FA_SCHEDULE="30 * * * * *"
-##
-## Cron schedule of the job that sends expiration reminders to emergency access grantors.
-## Defaults to hourly (3 minutes after the hour). Set blank to disable this job.
-# EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE="0 3 * * * *"
-##
-## Cron schedule of the job that grants emergency access requests that have met the required wait time.
-## Defaults to hourly (7 minutes after the hour). Set blank to disable this job.
-# EMERGENCY_REQUEST_TIMEOUT_SCHEDULE="0 7 * * * *"
-##
-## Cron schedule of the job that cleans old events from the event table.
-## Defaults to daily. Set blank to disable this job. Also without EVENTS_DAYS_RETAIN set, this job will not start.
-# EVENT_CLEANUP_SCHEDULE="0 10 0 * * *"
-## Number of days to retain events stored in the database.
-## If unset (the default), events are kept indefinitely and the scheduled job is disabled!
-# EVENTS_DAYS_RETAIN=
-##
-## Cron schedule of the job that cleans old auth requests from the auth request.
-## Defaults to every minute. Set blank to disable this job.
-# AUTH_REQUEST_PURGE_SCHEDULE="30 * * * * *"
-##
-## Cron schedule of the job that cleans expired Duo contexts from the database. Does nothing if Duo MFA is disabled or set to use the legacy iframe prompt.
-## Defaults to every minute. Set blank to disable this job.
-# DUO_CONTEXT_PURGE_SCHEDULE="30 * * * * *"
-
-########################
-### General settings ###
-########################
-
-## Domain settings
-## The domain must match the address from where you access the server
-## It's recommended to configure this value, otherwise certain functionality might not work,
-## like attachment downloads, email links and U2F.
-## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
-## To use HTTPS, the recommended way is to put Vaultwarden behind a reverse proxy
-## Details:
-## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-HTTPS
-## - https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples
-## For development
-# DOMAIN=http://localhost
-## For public server
-# DOMAIN=https://vw.domain.tld
-## For public server (URL with port number)
-# DOMAIN=https://vw.domain.tld:8443
-## For public server (URL with path)
-# DOMAIN=https://domain.tld/vw
-
-## Controls whether users are allowed to create Bitwarden Sends.
-## This setting applies globally to all users.
-## To control this on a per-org basis instead, use the "Disable Send" org policy.
-# SENDS_ALLOWED=true
-
-## HIBP Api Key
-## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key
-# HIBP_API_KEY=
-
-## Per-organization attachment storage limit (KB)
-## Max kilobytes of attachment storage allowed per organization.
-## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization.
-# ORG_ATTACHMENT_LIMIT=
-## Per-user attachment storage limit (KB)
-## Max kilobytes of attachment storage allowed per user.
-## When this limit is reached, the user will not be allowed to upload further attachments.
-# USER_ATTACHMENT_LIMIT=
-## Per-user send storage limit (KB)
-## Max kilobytes of send storage allowed per user.
-## When this limit is reached, the user will not be allowed to upload further sends.
-# USER_SEND_LIMIT=
-
-## Number of days to wait before auto-deleting a trashed item.
-## If unset (the default), trashed items are not auto-deleted.
-## This setting applies globally, so make sure to inform all users of any changes to this setting.
-# TRASH_AUTO_DELETE_DAYS=
-
-## Number of minutes to wait before a 2FA-enabled login is considered incomplete,
-## resulting in an email notification. An incomplete 2FA login is one where the correct
-## master password was provided but the required 2FA step was not completed, which
-## potentially indicates a master password compromise. Set to 0 to disable this check.
-## This setting applies globally to all users.
-# INCOMPLETE_2FA_TIME_LIMIT=3
-
-## Disable icon downloading
-## Set to true to disable icon downloading in the internal icon service.
-## This still serves existing icons from $ICON_CACHE_FOLDER, without generating any external
-## network requests. $ICON_CACHE_TTL must also be set to 0; otherwise, the existing icons
-## will be deleted eventually, but won't be downloaded again.
-# DISABLE_ICON_DOWNLOAD=false
-
-## Controls if new users can register
-# SIGNUPS_ALLOWED=true
-
-## Controls if new users need to verify their email address upon registration
-## Note that setting this option to true prevents logins until the email address has been verified!
-## The welcome email will include a verification link, and login attempts will periodically
-## trigger another verification email to be sent.
-# SIGNUPS_VERIFY=false
-
-## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time
-## an email verification link has been sent another verification email will be sent
-# SIGNUPS_VERIFY_RESEND_TIME=3600
-
-## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification
-## email will be re-sent upon an attempted login.
-# SIGNUPS_VERIFY_RESEND_LIMIT=6
-
-## Controls if new users from a list of comma-separated domains can register
-## even if SIGNUPS_ALLOWED is set to false
-# SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org
-
-## Controls whether event logging is enabled for organizations
-## This setting applies to organizations.
-## Disabled by default. Also check the EVENT_CLEANUP_SCHEDULE and EVENTS_DAYS_RETAIN settings.
-# ORG_EVENTS_ENABLED=false
-
-## Controls which users can create new orgs.
-## Blank or 'all' means all users can create orgs (this is the default):
-# ORG_CREATION_USERS=
-## 'none' means no users can create orgs:
-# ORG_CREATION_USERS=none
-## A comma-separated list means only those users can create orgs:
-# ORG_CREATION_USERS=admin1@example.com,admin2@example.com
-
-## Invitations org admins to invite users, even when signups are disabled
-# INVITATIONS_ALLOWED=true
-## Name shown in the invitation emails that don't come from a specific organization
-# INVITATION_ORG_NAME=Vaultwarden
-
-## The number of hours after which an organization invite token, emergency access invite token,
-## email verification token and deletion request token will expire (must be at least 1)
-# INVITATION_EXPIRATION_HOURS=120
-
-## Controls whether users can enable emergency access to their accounts.
-## This setting applies globally to all users.
-# EMERGENCY_ACCESS_ALLOWED=true
-
-## Controls whether users can change their email.
-## This setting applies globally to all users
-# EMAIL_CHANGE_ALLOWED=true
-
-## Number of server-side passwords hashing iterations for the password hash.
-## The default for new users. If changed, it will be updated during login for existing users.
-# PASSWORD_ITERATIONS=600000
-
-## Controls whether users can set or show password hints. This setting applies globally to all users.
-# PASSWORD_HINTS_ALLOWED=true
-
-## Controls whether a password hint should be shown directly in the web page if
-## SMTP service is not configured and password hints are allowed.
-## Not recommended for publicly-accessible instances because this provides
-## unauthenticated access to potentially sensitive data.
-# SHOW_PASSWORD_HINT=false
-
-#########################
-### Advanced settings ###
-#########################
-
-## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP"
-## Set to the string "none" (without quotes), to disable any headers and just use the remote IP
-# IP_HEADER=X-Real-IP
-
-## Icon service
-## The predefined icon services are: internal, bitwarden, duckduckgo, google.
-## To specify a custom icon service, set a URL template with exactly one instance of `{}`,
-## which is replaced with the domain. For example: `https://icon.example.com/domain/{}`.
-##
-## `internal` refers to Vaultwarden's built-in icon fetching implementation.
-## If an external service is set, an icon request to Vaultwarden will return an HTTP
-## redirect to the corresponding icon at the external service. An external service may
-## be useful if your Vaultwarden instance has no external network connectivity, or if
-## you are concerned that someone may probe your instance to try to detect whether icons
-## for certain sites have been cached.
-# ICON_SERVICE=internal
-
-## Icon redirect code
-## The HTTP status code to use for redirects to an external icon service.
-## The supported codes are 301 (legacy permanent), 302 (legacy temporary), 307 (temporary), and 308 (permanent).
-## Temporary redirects are useful while testing different icon services, but once a service
-## has been decided on, consider using permanent redirects for cacheability. The legacy codes
-## are currently better supported by the Bitwarden clients.
-# ICON_REDIRECT_CODE=302
-
-## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever")
-## Default: 2592000 (30 days)
-# ICON_CACHE_TTL=2592000
-## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
-## Default: 2592000 (3 days)
-# ICON_CACHE_NEGTTL=259200
-
-## Icon download timeout
-## Configure the timeout value when downloading the favicons.
-## The default is 10 seconds, but this could be to low on slower network connections
-# ICON_DOWNLOAD_TIMEOUT=10
-
-## Block HTTP domains/IPs by Regex
-## Any domains or IPs that match this regex won't be fetched by the internal HTTP client.
-## Useful to hide other servers in the local network. Check the WIKI for more details
-## NOTE: Always enclose this regex withing single quotes!
-# HTTP_REQUEST_BLOCK_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'
-
-## Enabling this will cause the internal HTTP client to refuse to connect to any non global IP address.
-## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
-# HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS=true
-
-## Client Settings
-## Enable experimental feature flags for clients.
-## This is a comma-separated list of flags, e.g. "flag1,flag2,flag3".
-##
-## The following flags are available:
-## - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
-## - "autofill-v2": Use the new autofill implementation.
-## - "browser-fileless-import": Directly import credentials from other providers without a file.
-## - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
-## - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
-## - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
-## - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
-## - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
-# EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials
-
-## Require new device emails. When a user logs in an email is required to be sent.
-## If sending the email fails the login attempt will fail!!
-# REQUIRE_DEVICE_EMAIL=false
-
-## Enable extended logging, which shows timestamps and targets in the logs
-# EXTENDED_LOGGING=true
-
-## Timestamp format used in extended logging.
-## Format specifiers: https://docs.rs/chrono/latest/chrono/format/strftime
-# LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f"
-
-## Logging to Syslog
-## This requires extended logging
-# USE_SYSLOG=false
-
-## Logging to file
-# LOG_FILE=/path/to/log
-
-## Log level
-## Change the verbosity of the log output
-## Valid values are "trace", "debug", "info", "warn", "error" and "off"
-## Setting it to "trace" or "debug" would also show logs for mounted routes and static file, websocket and alive requests
-## For a specific module append a comma separated `path::to::module=log_level`
-## For example, to only see debug logs for icons use: LOG_LEVEL="info,vaultwarden::api::icons=debug"
-# LOG_LEVEL=info
-
-## Token for the admin interface, preferably an Argon2 PCH string
-## Vaultwarden has a built-in generator by calling `vaultwarden hash`
-## For details see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
-## If not set, the admin panel is disabled
-## New Argon2 PHC string
-## Note that for some environments, like docker-compose you need to escape all the dollar signs `$` with an extra dollar sign like `$$`
-## Also, use single quotes (') instead of double quotes (") to enclose the string when needed
-# ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$MmeKRnGK5RW5mJS7h3TOL89GrpLPXJPAtTK8FTqj9HM$DqsstvoSAETl9YhnsXbf43WeaUwJC6JhViIvuPoig78'
-## Old plain text string (Will generate warnings in favor of Argon2)
-# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
-
-## Enable this to bypass the admin panel security. This option is only
-## meant to be used with the use of a separate auth layer in front
-# DISABLE_ADMIN_TOKEN=false
-
-## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in.
-# ADMIN_RATELIMIT_SECONDS=300
-## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`.
-# ADMIN_RATELIMIT_MAX_BURST=3
-
-## Set the lifetime of admin sessions to this value (in minutes).
-# ADMIN_SESSION_LIFETIME=20
-
-## Allowed iframe ancestors (Know the risks!)
-## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
-## Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
-## This adds the configured value to the 'Content-Security-Policy' headers 'frame-ancestors' value.
-## Multiple values must be separated with a whitespace.
-# ALLOWED_IFRAME_ANCESTORS=
-
-## Allowed connect-src (Know the risks!)
-## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
-## Allows other domains to URLs which can be loaded using script interfaces like the Forwarded email alias feature
-## This adds the configured value to the 'Content-Security-Policy' headers 'connect-src' value.
-## Multiple values must be separated with a whitespace. And only HTTPS values are allowed.
-## Example: "https://my-addy-io.domain.tld https://my-simplelogin.domain.tld"
-# ALLOWED_CONNECT_SRC=""
-
-## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in.
-# LOGIN_RATELIMIT_SECONDS=60
-## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`.
-## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2.
-# LOGIN_RATELIMIT_MAX_BURST=10
-
-## BETA FEATURE: Groups
-## Controls whether group support is enabled for organizations
-## This setting applies to organizations.
-## Disabled by default because this is a beta feature, it contains known issues!
-## KNOW WHAT YOU ARE DOING!
-# ORG_GROUPS_ENABLED=false
-
-## Increase secure note size limit (Know the risks!)
-## Sets the secure note size limit to 100_000 instead of the default 10_000.
-## WARNING: This could cause issues with clients. Also exports will not work on Bitwarden servers!
-## KNOW WHAT YOU ARE DOING!
-# INCREASE_NOTE_SIZE_LIMIT=false
-
-## Enforce Single Org with Reset Password Policy
-## Enforce that the Single Org policy is enabled before setting the Reset Password policy
-## Bitwarden enforces this by default. In Vaultwarden we encouraged to use multiple organizations because groups were not available.
-## Setting this to true will enforce the Single Org Policy to be enabled before you can enable the Reset Password policy.
-# ENFORCE_SINGLE_ORG_WITH_RESET_PW_POLICY=false
-
-########################
-### MFA/2FA settings ###
-########################
-
-## Yubico (Yubikey) Settings
-## Set your Client ID and Secret Key for Yubikey OTP
-## You can generate it here: https://upgrade.yubico.com/getapikey/
-## You can optionally specify a custom OTP server
-# YUBICO_CLIENT_ID=11111
-# YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA
-# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
-
-## Duo Settings
-## You need to configure the DUO_IKEY, DUO_SKEY, and DUO_HOST options to enable global Duo support.
-## Otherwise users will need to configure it themselves.
-## Create an account and protect an application as mentioned in this link (only the first step, not the rest):
-## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account
-## Then set the following options, based on the values obtained from the last step:
-# DUO_IKEY=
-# DUO_SKEY=
-# DUO_HOST=
-## After that, you should be able to follow the rest of the guide linked above,
-## ignoring the fields that ask for the values that you already configured beforehand.
-##
-## If you want to attempt to use Duo's 'Traditional Prompt' (deprecated, iframe based) set DUO_USE_IFRAME to 'true'.
-## Duo no longer supports this, but it still works for some integrations.
-## If you aren't sure, leave this alone.
-# DUO_USE_IFRAME=false
-
-## Email 2FA settings
-## Email token size
-## Number of digits in an email 2FA token (min: 6, max: 255).
-## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting!
-# EMAIL_TOKEN_SIZE=6
-##
-## Token expiration time
-## Maximum time in seconds a token is valid. The time the user has to open email client and copy token.
-# EMAIL_EXPIRATION_TIME=600
-##
-## Maximum attempts before an email token is reset and a new email will need to be sent.
-# EMAIL_ATTEMPTS_LIMIT=3
-##
-## Setup email 2FA regardless of any organization policy
-# EMAIL_2FA_ENFORCE_ON_VERIFIED_INVITE=false
-## Automatically setup email 2FA as fallback provider when needed
-# EMAIL_2FA_AUTO_FALLBACK=false
-
-## Other MFA/2FA settings
-## Disable 2FA remember
-## Enabling this would force the users to use a second factor to login every time.
-## Note that the checkbox would still be present, but ignored.
-# DISABLE_2FA_REMEMBER=false
-##
-## Authenticator Settings
-## Disable authenticator time drifted codes to be valid.
-## TOTP codes of the previous and next 30 seconds will be invalid
-##
-## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
-## we allow by default the TOTP code which was valid one step back and one in the future.
-## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
-## You can disable this, so that only the current TOTP Code is allowed.
-## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
-## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
-# AUTHENTICATOR_DISABLE_TIME_DRIFT=false
-
-###########################
-### SMTP Email settings ###
-###########################
-
-## Mail specific settings, set SMTP_FROM and either SMTP_HOST or USE_SENDMAIL to enable the mail service.
-## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
-## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
-# SMTP_HOST=smtp.domain.tld
-# SMTP_FROM=vaultwarden@domain.tld
-# SMTP_FROM_NAME=Vaultwarden
-# SMTP_USERNAME=username
-# SMTP_PASSWORD=password
-# SMTP_TIMEOUT=15
-
-## Choose the type of secure connection for SMTP. The default is "starttls".
-## The available options are:
-## - "starttls": The default port is 587.
-## - "force_tls": The default port is 465.
-## - "off": The default port is 25.
-## Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 (submissions) is used for encrypted submission (Implicit TLS).
-# SMTP_SECURITY=starttls
-# SMTP_PORT=587
-
-# Whether to send mail via the `sendmail` command
-# USE_SENDMAIL=false
-# Which sendmail command to use. The one found in the $PATH is used if not specified.
-# SENDMAIL_COMMAND="/path/to/sendmail"
-
-## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections.
-## Possible values: ["Plain", "Login", "Xoauth2"].
-## Multiple options need to be separated by a comma ','.
-# SMTP_AUTH_MECHANISM=
-
-## Server name sent during the SMTP HELO
-## By default this value should be is on the machine's hostname,
-## but might need to be changed in case it trips some anti-spam filters
-# HELO_NAME=
-
-## Embed images as email attachments
-# SMTP_EMBED_IMAGES=true
-
-## SMTP debugging
-## When set to true this will output very detailed SMTP messages.
-## WARNING: This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting!
-# SMTP_DEBUG=false
-
-## Accept Invalid Certificates
-## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
-## Only use this as a last resort if you are not able to use a valid certificate.
-## If the Certificate is valid but the hostname doesn't match, please use SMTP_ACCEPT_INVALID_HOSTNAMES instead.
-# SMTP_ACCEPT_INVALID_CERTS=false
-
-## Accept Invalid Hostnames
-## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
-## Only use this as a last resort if you are not able to use a valid certificate.
-# SMTP_ACCEPT_INVALID_HOSTNAMES=false
-
-#######################
-### Rocket settings ###
-#######################
-
-## Rocket specific settings
-## See https://rocket.rs/v0.5/guide/configuration/ for more details.
-# ROCKET_ADDRESS=0.0.0.0
-## The default port is 8000, unless running in a Docker container, in which case it is 80.
-# ROCKET_PORT=8000
-# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
-
-
-# vim: syntax=ini
diff --git a/secrets/vaultwarden/env.age b/secrets/vaultwarden/env.age index 270a4465f88b57144f09eb8b193c9d8706c02bcc..89d30a9cc410272fd689c9cb1d94cb67e26d9468 100644 GIT binary patch literal 2693 zcmZ9|`CkhR0|4+IsWhn+@+dV#YSz}yh6lUvwX1gUQQO+lT3fp}Nt7p%t0Z*LAtpL_ z(t|E3mB*D(dF09wIr2~xdV1gY$Jbx*{d~R>r5r5R$_(~oQ-V$#t}`ehmIwfN4bW&* zf#vZqBr*a6_MPJAw}tN9nk7s2HUoinV4LmuF*%q&A#1(XvTMwOf?d|7pny7H~2Qi2};4 zcp2OZ#G(`$Hk<+B3)GavXsSjK#YV(Lb9E>Y1pz{3O*DG7;> zz?#_6$vim^Ll;tXW}8_b1yxEBL@eJ5;#oCz443(T77EXRu>Wgqf(zmeWK%qxCrsj^ zaS&;85{;8ch8j_zM7*AZ#nGiaK3^=BlMnzcC^ABY<8Y$QHf4-F0%X^4%tk1aOd_bY z7ClzVrV{x^41}vDM*h4=g%RUz93Vx;iqVr8EGC1DBf-c*3)&LHW2x*?MwH%WGJ{lj zCCy(0ya_tNtS5LRwFcNvPSfrzoC~&J>q2}@}HYGqoQ_)dM7)D`X ziHtI%ObCKv?J6i$fYAw&YI`C*g3mAr#3rN$`?E%7sd!{7(2msWBq+O;fT0luYJ#2? zZHX5VVB|=PCW0*_Y?3haC|d%Jh!G+HY@-S)hT143Zj^*Vibq+E(QFg~ZK6e^g|uX` zC7NOpGlfuyCX(~BCKocXCM*zyByxCkLVSdYuLWtDb{j$uryHmsp(zr_R1lItR;*lS zq*)TRRzQ?d$gtA5N;*iP15tPe76zn2(ZxKe(iCsR+s$O65Jj~Tm3%T000x7BGNMj} zkFjYfQmO&QRLkrlgkEGzij1(qbTDyDk}R5tf$A`5u0jbgWKz%adeyCYJ6tb47=piP zksjGtoYv#Man5z$io!hnUx_3jrKF;jGuW*@KA-k6dnj(_tMi=bfs}-ZZ-2d?r4>>$ zL;X~19|D%F*Sozs@fV=vkYROw_GeZs@wcx|S07CJrrx$a{R(Ki>~T}&#nJZAJcYju z6*a;8j*L`1WoKwf_Ukc$ZQT3Ezbw*)FD+SChUBKnWkt-7)R+%(xl-sDhNVKT6I{;D%>vZnWb#U=HcmUjb`eGBoEt2T{#1c`2h%=l+#0Vp;rf7M23_`0oQ6Va|g+tTZr zeeY-WuHvKsU10g>Z&m%BTb{8GdZ}$&z*v}PAl^qe^y89Be(QOyS3nTYAJKH^*SW=^ z3~ZLDOrHAY*bik;d?bdvzYs%J#K#Uo800Vdvh#~{hl(x~r7^Uw@taQ->~HB$uVg!1MAE5RPx_+D!@B}LP@%E_-@;(H zY+dp7tLgr7tW)A(3v_35`2yboH95bvW8z4W%U%K! 
zSv`E-I<4uLXDE1OLHGFFgOSzmH6>f`!kr~0U-}k)`x2OS;l(_nrikD_y=(-#{a!@U zv`|0#TpK&y#?L( zLj5B!EI4GiLXPW;Y`R}a>vce|-i+zm@sSno>j9Ht3Vl0In*TYECVkD6sXq zc@M4#PRfM)mR8D^DE)d~#=3(pXQNk8>pOp$k9uR*&dG^`9M&vj04tl5J&uxhlZJkNi&MS=G@{*CSi=IQClCzViIw-l|8*sUv9n zxiC?~c2SGpg>@@dW3v&Y+P5pGgB&+k??xuY9?W$@azQIPyDQvwIq2XuLRebDtXWPs z%NECgeCIQ_?wp6tY?&pjPCaV$gZ$dbqM-^=yzdNS0>`(U0cU9lYC#5Ttn*PYyq*u7!TIr1LI52rowR==3rcPp-(82WWp zszt_`Gz^!+>H8E z%nmL`bJADuZWi!ex1LYGb`nGg={bI$*|GiD+e=$~FnxokykC?I{20f7XZ!6#)fiJ3 z82CoqITx;~8-Wlqb0rjKt5* zg0GRYmtQT-3IXKa=;YQs^Q(BD(-Qn|JLR=$5;~wcT}}O}s5ZyCo(X*!=tCqA^k@pu zA;r0a&RvBpy&tX&$j}TJq5ki` z^`w<8*{my`F%~Q4bu-*a)e-JX)E1HO;xPGbf^V0v-YgXh!eSA5!3S!0d! zIJO^4q9EJ)avJ;1OGZaF4nF>vx>j2EXx=`5so0jF+e*-Pg^dk)F$gMtAlfkUwWQV&1+f?`5M1CarUi;gI_|&CmKE)N_S4NcZP3ylTkujb)rh#8+v>2 sWlI5!ylDOCtkUpZ`e6Ubn#O}#?asZFYm+DQ5SlS6A3i!-DtvtKKWYJ-Gynhq literal 27762 zcmZ77Q*b3*(&Qo=Wl_B&vvW-m@RoS&XoOPUCfwnBF^13FRVhYw4Qp#|;ERqtY%x+ey%96~gn$D`;;v%l1ta9QW zKyz&t8#a0qb8dQBMGGrsDUbjCMHw~;b59i#cTaa9r?a)Hm#v4Sstmx?&6UH9)m+I* zS&iFH)S+Yr4DtmcwnmQ?YI5>;iDS5f@cuH_c znCdV~aB7Han`->8Cd+KCYGFkpDdVKB?!sbW!s;O{ZqCNeAtDO21hR=aNQ(iu9o2Lt zls)9xT$HRt*@1A%ELz%9Zfq7hE*=sZ=ll)W1-i>{}XlZt|h_*Mb1`!r7AbdGTWt@34jkg)c@TkqL+?>CX2_lx(8n&o z>@a7{D4tYtubUIZI`)^8y_gCFtAG9ajG-KjI^NkCn!4^U(hf>t!!}4&N~?euhrC^2 zd9C&oP6pRvuFy%f;gvpJGNGx@8RzvmI3J)mv0x6`~2Sg|cv1 zcylHpn&mYT3Esinm0FdyC!tJ6YVeF6xSBKkM(5+?vuGtXuPyEEV+e+e8984@*Z9)bcR# zCYDX`43#g;`!?b?Dd@yUacjNcaIOQyLwrVNr@MvqMFUqZh@?;%Ydjy+99p9I4$5PD zV90x44&XBtDbz01J>!764ituy?VgXn#S9d*k6TVC#h2?_M-^}L05`8ekbgD3mrKkq ze4+gEuv+Gcf=PC<0w+;euHG^8nXB15S0Bi1LJtZfKiT#HZtpZouMo~ckR;FLr8U@~ z$`3Xp27m*%aDmO_ow1<6sVHGKVhmW9U#t@M7l!bU~%bKq!t7s0TL9_-73~|^vI#W`J zD|4o^yCY-kDEkb%wj;b=v_HIQ9G=-CA}5K!^Qapt-4R6J~bv zc9s8Qm}mjMG@|gZto9h#;s?he*i@c?seOl#I=FWOWH-tq`a9i`k9M>GLy%|!IJPnB z@?)D&=s^!qRPuRM10L6}`rTgp%Ww;Vx~SOWCTQRN(xEn&?P1lHK7t}bJxx6n?G8n2 z@Gjw#{H;EN*y8oFCrVGvoE-oizB({r1Y>3DtypW<2Z%X$t_*XTn}`0yfNz^mK=H8y zH}6z|&S@kweYbIi0aJB)h*1EL;^gb6W(dEQMQh#{IfFEh7ZsmGCprcop>%;WaAs%n4PhmZ339VXX 
zUh>|ITFgP%`I@yqRii~Vs2@Wr+Y+%QO9wU@bek=`)9t%;%fV-+>*x$vd=zmBi?HUa zLB^BMpAcXlXsMTX;V>fEI%mVBy>L+3s>GrGLnBFi*TvPnu1ad1rWmsERgW2cp4p&M zz5sqaF2FpxFu&6D3YXiW&{ceeO%#>$EU3Ojl%VekpKf^S=F~OSG#vY;SjxK^WHM{O>| z+JE_!Uqis=_xs%Gxe&s<;N!nxY*LhUF-jms28xf{(T`vhhP~{;uL)g;%^kYm0*N^B zXRmN2C}ng;T2aYi_v{g#K@zhg?FKK$Pv?%JByjmSrvE}6In`LGXc48pC=AOT@eMdM zyj2m$!|9pEF6h+b{Fv{$UHetZL* z;u0Bu4jJDP`#=6Uc9@t1DF?&mcYo`DFNP zbcZevtbw!^kP7AfkeK+rNlL7jP7{0eZs*Dsr*GN21s6&@-Hd z`IOjGbd@lkZMAQj{A8nva~~Uo1DkDHTDznt{_!^#>XOeRY9yF(CQA0v4xpLiTX<}p zJ(0BF=PTN35dxb}^IQ!s?Pbn;(CGgx_(wsshMZAs14tnu6CeM?JwMP#a#y8?)VM}QvKTL#t}H!CLvD#Ssqlx zPA!a5`1_GWLNBt!5=A{+Yev&=SfRuAJ@xzjWI)$m;i)zg&2JE9*El_mY%zt1Z+bK^ z&OG^D%PbL1O7cql&Rq=gwzIoS}*w~2Ie&BKx zee8~Up63D(BXrP|(fp3zORW3>sYPvPhoQw}8B-Ut3Sm8-TO4zIIDB*Kah^8j!N9CL zLN~AP=eJ=;&cp7xT2nI|srffH=fDl=F^v&P{0=>|E5gp`Q0@!0mIH>0IN{>yGj;-2 z1|$z(Eu}!oQEO|1ok598jf^>xoiS;j_jiXoD1_5CaCwejlkhqj)|f_DQ5O%q~f#A36B;=a!K&)i|L) zg7!cFo6=pSoK)%?sRbb;kv}qw!Ir4SakxLQViw9Vg=|PHBMV(h7ch7J#Lkum=dyAv zU7|1sIInU|9LJrfu2$xOcARRKKmI_gP)~w+mgBnq3NUkyO!acOq2J9MMY8ig#VDZg z>RuP^keX~8F0?yjg}Wfr=Lyp-uOG zfH*?$3^W?gBtKd0&p{^3)e>y`ODBh|#?y{@7~U2Vjio z!L<ybXBcB|Gj%cMNN5KRqyAm4|1lX8xlo#2%<~vtA=5i(?%7CA zjq*qpvtPcF{F^@q>YU5A z80oYu*+Hu|u{M1+jojq@jw$_%EAv|#F-mT_{oZ=VZ;Evm(nj#)jcfL-#knu~8--s}oz za)c~IuJ@^n>4uQ*87*LVqz42P*xr!)ai>J>=eA;-tX z6SnL`j%6g`?jsc9jM4^~?_Fh^ZBL$9oz|LQW5`d6x;Lv(d_o#U1?V~hgF}Z*EUxAjhQ}8VP51L&?3O_ta zGF*ZMoU3m)?-g|Zo~^52>3*ndL5*jrJu2(+yJU<`6a&O&qi4s_rY@6X&J15W3u4Zj z^-#5ev-kng5nT@bJ;>KD9I`cXx8u$YfA%&03{$9BV3nUqayH5!xUg-&ixW03X_;X8 zGixjfkDbB*2#>1J;av7mwn?SKueCgjZ;YlLD{*amh9zH8@;w5Y`13?VkjfCS41EF` zxR$xRr6Mt1P#1;^>Z+_CuDoepSUid9&k((we?EnOhmiD8ci~tXu%K7klF6*1C;k~7 zy&-f7P%evC7gb~NgTfns{0Hvb|nlhA_^eQj?Ej8Z5Em%LZce< zA?A<$2EBO$w^*em+@k0>p;}~cVbulyz8Jk4p{dqcHdV*t3k^H%RRJxHpycpLL&mhF zBKLlufO?XMnd7@+SHB5O!ima9R?yx?cx+4z!R$V9^N82n>EXJgf%?_5fE5+oS&sT7 z5KQ%ZdJ+C54~IAu(*??7&BCkFl66??2A(Tudso;OBTPHq?FA)10u5r=8z|pE~O#D8`gsaK-$Rq&dy-2A9dn=bGQ+J 
znh4$!#w{V7dF#GzvNM9@9T_R2KhGeL31{6($k?Z>NLr5(!}2&fM1vP}#c+7-*Dshd zZ^EgOH7C#N^it;0!GnO;>1!%iASB>IECG(y-WL><8;W8Co0nO{@VW$hv>Wam*BpWVf{#G-utoLdif@YpQ*qWkgw$gwzR_akghoCG1ngVtY(GKSS=u# zf0(We6I$WC``7`?He4vY;>=6mS8~%3MJh`j9fQBe{t-t08HsksE902b<%;Bxf$UPA z+pi;t$Uz{H{}}2Iu-vxJAis=6f#Kkn(ENzVSkhF%0^IbXP4)>Wq2Eme4S>*6V_acN`&`pHV z8a)&vAXG5|KHS;=HO+_b7T2c)1TgfP6^c^i_HLoL=tG-wAuvqn@afl*wK|eeZJi5V zKU~f{!Sv2CBRG8HTtCcUcUbe9B%u_bN5Yk>58$o(4_>$tT&GOV2~MSLcPei-F#0)n zW50*V#){fG}%!ISqS0uW1xRnpzTnp zpe-6I#eTIkz`;ofFu*~C<93ZI0miS$UYw3@Qn71e5U<+}nL1Ylm<=RUIfrq5(!#W$ z-LsBCR{Xy;N6iTC{i!>h;K zAaA&Y)By-qPpa42=Ad>oSvMb)=JrCG*2!5|W6$r|PJMc;v~|>8d6$dA+=losuqNYy z98Ic`3ejVhy{vDGTAGa!em6`j7x&+IT;qnEeCMqA$2e{cWEm5F?#tM;*NplBydS2N zudkhtpSYCdb*7;WTe14{LQM>v<;*RKc9}giJ81Sr@Gdb@m-E${TWI*$5ur`O_z-Hu zt5d?RS<)PL%YOnB`fe_XuOVBq&W(rw=W%vfJ+6;e$rhHy5Cy;55G4dTTC9|!g;rCS zVewwxL4XBs2Zg7_hqF2b;(=PTGE$BkpD+7`1s1Zk>Hkz(MfrB@C!*18r$?_jmD3rF zqdNH=^s1rmmFs;d@Zx35k~9GetG!t4g>jj$#>CWYc%By7T@~C7LXq6tkgm2r zkFQCD84syeI4RSbbmgCL%;)6kScc^Qp&U+jTBq%4o=>)^``>oz?h_)2ZT~_cXQk@> zXz#{Tnr`E;$(qLkBT*?!>xmZ(Ke8emo)+?8_b|ZS&wrR}1zb>(^bWNwN-Rr)M%mS$ z&hGylGUH(buZTH6Mi)Uiu#V4=Z9ekavmC~Tb*%P- z=Qw*FQ*G82o-(Slw;fhBb47pVm3NJFT{86xN~Fp$DXpb~g`D@Gd=EydSlKZrI`bQ<)@U$G_r>{v20^ZJWZBagM5R;ag#5yC zLSBZ(FT;?G;p3Is3xJs6!n2>PxnBerF0sN#`wxMS31|&7>|EG#cwsoHLNQT&T2m2k z1k~S}xU?||f6BmU6;fsnL=F;hmpAi@A7#pT(fS(6%x|c0FbPeQ>#VnQE!gQvMS^m< zxzt4XHXiGr&<(<3Vx103PvI)EhXqGx`z(v17sX`ySW->SbA7a@nN<*;v%BO~943KU z58af(^+gH)1KQk$?~U)?j#q;aKScUrU**YbiQHe0XOKuU;hitT{5bTqNnAL==(wIU z>Lze=D46osnhWwxm>+@T8nw;XP0Q(hd&>bi`(^$>ncGkd4kkKVAH&YvoG0v`k%M+5 zX3dXbi&iCTa}k+Og`G%>qaThwm;)QtFUgelZ5=yF?p&TQX<5=PdfS)(ZfIxPEQh7b z(r>PSe=&=u6$xVi>-SIX{e>}=qIGV?4&zc}2D6s_} zaG9JK=2UIrW>H#*2$!-FN7Ec%k>ENKCUr6kd{gk^05Fp)qTsImlH`pNx9zsg?xTIgov)2DYPY(ShmfA0qyv$zHeK5tpv0C5OoUIuH+?_r5&=R_0PIPZ% zLp%dC_VDk?wp{vPYrN@%0jh@}6sK1H;ehXxFxJT5N_ObgW4%`))%hbqnaXPgUO&`% z>lQ5DayZ5X?sw1anDkR;9%q6N3GluiTAzy^#PJ_kcokC?-*BwKUKw6@Kosz}=33-zm< 
z9H9nUD1v?nH|$T1VZX2QYq*RShZ@3{rHq5J!I%BE`IFZx;hc{kRMq4kNP zR8fHVrE!2NtyGI|oo&S!*`qw~p3TQBr_^QP=^}bPP-7OM(^smQ*!)DWJY#g6r0ttiw@m_MzDaO=@q^tkUQy~-qCcB=Q!D`Knl zlM87gndqMn zx2882`Xyx<_dkV-{+T=B1g(sUINZo|naK_f|C$95;?O40NS2qO>5%*h2ww2U=qjTI zF`=Op$;{6~tqHJ&g#{w87>d*(kSF%>)m29KkHolE_Tb@?WZ;wxKj8KKNpS3T1z=r!NoV(3N2=v&McTa+iAfG__AIrOy=>V%M)UBQvRB0dK}n! zL_5{D^`7}4eJAUc_-!)-z~qXW;?b%y`VF+R41@vo+O4f2R-!)gUO>nYH~{whNWRtC z|W{IOvhECK|4 zGRKD7wmvw}(>3w8-R%lZ3l#flFI_gH&M9e=YI0tKz3ClCy^zal{e?FcInn*RgxpjU z6D{kha;CN$oXXiY{_K6!vzNl}^O{jQtMEDR_@I?5l)+-i$#B}&c`3$Jnj1x?ro zP@$@6tg;hy^!J%$DZ+juz6vq&7k`UK`wehuBnyI?8i>U5J!yA-ZpRh8Yx7s&b&9vQ zGn5tnnIF0yq|@^d9mVjI`bXXHyM&HVvR?>wRsY5w=dcfXc=yKl@IvD_6e{xmDfw3> z6CK`SxaIVbFEybqaiD*Ks^zFD0}%bjsRPz{NfIg{*~^#Vr85dKLKIapcdvrvK<>P3 zQb7g$Voq(HjWIBZsqIqMr{SlAl01VV=yqzquLwaVInm~OueX;|<}{|ZbHmyCn|TBc z1MCFX2HYdQs4^#X?tCSzUPRAl^PoLR8kI3ryN?A|d5Hr)QM7O83r<|&dRK4?)wxml z-Weo31_BAyRCNxqLGAtELKmr%$i2Rv%;Shfn(#j|UL~rt zVdUEWFgrgZY$E}P@E@D(3ytC9)Sz7E8M@H~ACjBeI*b#EpCNLPHvY^m*#Z?vVw){4 z(Uv9;GuvTlvPi?4+XpX5mmij8&9e%X+4mbk`q6*M$w#-L5DT7W*`3cpK|7l>J}|bg zWU9hyM$CT3VmYK;(UuzR->T$$x-O?xA2-j2r79E?z5VNTzLGN6K)8ww2 zF8*7^pHl~{nj`imUNI$<@!JBn{l+I#lP4dgNHn{?NX!q(g9VDVRH^qz8L3)h8872T zK_~CqI~OcER=p~WTkkc)4HsRa8z2&CxmeJ3rYw|lK_lrpmy(lXI;;K-KV)|2CTewz z=i3uv0|Ti4S{QvytsKK| z$=^inQ+(nXQ_H7OWJ4)xb;*QEn5)@pzd9n*bn!DRP$Q#=<#=Ve@&kR|uerlrwDRFtE&y*uo*^S+-@ib-SGHTjYY#8egfP7>!%5P4;#=@L?4l@)F10Fi~MY>^~ zfI}$jOZijwxe47KXyyrlh1pj#rgF67wt)||I8|xw^+=pn>z7Oo8u(|1S_r)QyURJ= zhrzz5Kn+WMW0}N^^OMNh(8*brgGLLjP|^pQu)irFZb!ZvVrjoIvlIBd0S6?+b?_My zf(_BpTZv^+35C@9*QlXUX++qSf4ew)K61$a@HmmsFWgkPoosz?IC6p`nbazR>c)vC z9G{BSaBo7_;YyvNfE$89Uno+i?#Hyxo-tqh(CUq&ij8*qX~T{Z}> zo_nsTgO-Iu;@%9IQw%1IK;G%aA`dyK0AV-M662Ec*!6I-8fvpM3zdns8Hkn%K@2*# zZ>W{R5E}5-h5?bs5OAlFidrzJzeRNgQ)5@50s{srKYnN5aZWk#^_`asqdgo*EGm zg}xAyoxye)p{-_?XU*$Jp<{;JZwBt3{yq2+K5=8+tF2n*_r^bQ&g9R-C-%npJ7Tv4 zyMsr!MwnonA&a!HC_bHz?1(xw%~F*ROv;b;hsydF*dZ9^-{>v@H(uVR1`i)XNn`!G 
z+C%-hc^~gZ(aaoV562Pk-eRY@Y;q(nX6SfCX_~(vxZhY|+xR=FOQiEkbK9^1BW_Ir zF71!yFo7s&W)0zB0klvq8ny_eb=P#`(O;pwuU73X-99pi^ z*4nH5i+DvX(M%K5rlw|gI!Fpw*f#QB z?raSwmxJgf?TAt) z^+|T(S3wC)pML#07@2CuZImWV&-`~Jd^LrED*o(lHAhWR;~<+O%!dKm11|V;OHnnIBL0C*}4<=@Bm-{~1115(50laBryTk#XaH zF{VsFR^~Bwtdb4lBVaLHVCapHN~xX{Y={MzgWq~Y6pW&(KDMA%72^zJtO27_KL}{O4IipK%QwR=pwf_k0b9%2;4=~)rh;g2IK&p-iJa83=Lw`LTGf}L zDqN-}X1kiYeJroR6kGY5X<5`iKZ}TYE+kU%%}NIYg6zFk+A^fEKxIMR%%&L%Jy%_p z2H1O{vjJ>~m}A;jfhX4!1P`>!Y93gJrr*)QhvSWnq{u0Ux1G43=&c*{9w^JnA}g`-mrZbdD~e{V|hG-crW`57m*%$4BTYK;4KYY zKs>&)AjBNhjJyl%E17SP@6KEm>T&GZ{cSh|hVi`#&|3`VpchaP^Ih)Z%yUcvmkIBK zzw3<*1SnOlAxt&Qv_CX9aV|5#MD%*UNS(WbX*!UfyY6T?cc?K8mf@jYh7dh4j+GWUJqC2p$wldIa#96wMRI!h~Tv+v9`t9Z{Fu{qF|( ze3XSniGz}ESd}iH)s+6^`0%aZ9R412b~6y0*NUcakHnJfqF#fY7Y-Pg5uK~s#nzuz zz*45Zv^uq(UT^=-wCYRXh7wSeh`D1Pyicn?Ynv4g_v|)c6n;6k-uHnLKD{pUHJ$>t z8o8yWI1qR>yvwr_kPR>zX?qvN8;h4xZE+J&r$d2oLcW zKZZ_5346ExDStQ8yIzzqRJ8c?rcB}KA5fi7l=4Uwqusr+VCE8#kF)U}Z7!onOD&y= zv2nrACpsh^W#b=r3cFR17{ZDuIf`=>{9q6cDDvnzE0)NOX$fE63={xY@Wv6Se~(_R zHJqU5rZ%*qV;d&B&~n1&@1T1yxBQn6nIkII+zA(HpDJ6|Rfv_+Ig3k1w+VfYz@Eqo z>V#^WI)UQtL{WIc)U<#qkeY~EwO~q3*B{P1qDX_3cpvJ-VK-a{0$vCp3l|H{lKNe_@zeAo zN%)PRS$^t+AuY|BG(YsHOwDTrI#p;zLl_5}H0`@zCX(MkFWLH z8AQMFk7GoQcF3$JIO9JU*I+PV*k>lgm+ZR3ox@q+ha$$h!m5h{YO(sBK2|0@7$9GM zuc_E$ucqqKwsaa;b+{Hdo)S*07 zbqtZy5-$VdBlN-?W~C8MNunfHr$F|P_2PT5<-AsTRJ?o9pP>@_K5_OHA-mxH>+{q!H7;(`H&F;KReFqqO^eLQj9k_!U%X{)`TAT7 zp(ebu^=|+Lwd&I zK%-#T_~exxaGSRapzk#-`EA6I39lEvD!TB`^osD?)on+b)+=H| zYyCj##|IV-`7MSlm#L_AG#87aTmLX#_B0-i6k3u9R#6UqBuFr_(BMwHfDl~ufN0w* ze>_J=K|LBF)kj-0D)uQs>M@kNgi6Bg%#2a0Kq(XtDq=u;!cis)%=NUA6#jGB1b&*^ zD05z=#|J@ji+zx_wjVS(cUT(X^o}pVSWtN)Y*xAAbQK1WKB*@1V$^&WodfV~vI+PZ zqIIgC;P*$WK#wWi*r18C|AqSl*te@VbD9HdYI z(c*W2D9QKd2MBh86iS3wro9~azl?-=`Nmu^p~>Ch&l7BYCZ7QGnCRA z)JJ<%!mm3q*Z<8WL4I<_k8bld#Hwa6$mqd|q=Qoj4{;ht8-A!J0VfLT`8^hY+l_XB zG}pnV!(Q+XAI zdZU|{kjrvMci28tepz#uS`#kK!NJ!l?QZrFMyB90OlVA>Q#<_r8*=sBObJ1fuzY$2NRRz*l2lZd@yIL3rmKu(mEhL*A}trU^2Am}~#@t`|; 
zZ0H=h+dpjWUcH+DYNakS6k!z+3dL-AJ5MOHXY}Qbw_v{=J{?X7k?o1COEEhBRb!-W3K*qZ*ebGlPq;Negtiv-8)xX(uZ-c$OnqL zD-~)L_Lfs$v_Z36 zZ6#?j`7EM^$`H;AM`evkib)HrZ90Vnh~!&w%e}k7D`h{z)VgyP(wfS09KEu@z~}CU zcLN8kBOevphdOvvQE$*K@o?gzDzTphdD|OZ>cM=!Elp1vPvPIm0yjehuo|U<2%qTl z7>e0mR%-R_%uo1Wk30hK1(?0nU=Va~djWN~H081LotO=07DrH>!xbF)>S6UodTS=B zn5arJV1?1~P~j}rW5Lt>7w?2_PVGoIEVPM?RlKwFLgP_vrnZh=5+^AtN0~OvKYpt5 zl9Bc>R2k9Po$Z9(D3E^lFb3B^+@p#$aWm(Vm<8sq zhO>I`?$qM?7&lEc<;gZ(yQ#f2P_u0nTHK(J?FekYhEnMn} zt}V1bOJ(pz=WWs}WXx|FN2`@((5edf;{gl^!$yyK**&@W49}nw_I-&?e}g*+8fi_y zG0vs8g<8LM%k}LpGb*M_&`02~Tf_t>OhG~6VguUyUfPP%U_OK3Ex$~l-*v%twgLUqJR z0XzB;1Ci(UFeWP%tL7dn$}hdS>Cygt+X2fZ7F>)?Q^NgC!4%q$^}xq)T5(F@T+oP) z1yCyB_>#mTTv6y^9B;RylIV-Yx3@i%>2ee!%O+dNvrY=oh8?jlR4*rE8V z&wt6+!k;CkcmLLAu<~6yIra0%xv)0*Jw8(Hs%rD6_C974ix)DBh9rHp=@F3uLTpgd zl<7Pxhz2ch%@e%3GK>qxq@O7%a_1^1=40nuqbvW2&ZHG@Iiinq%zm+Xl{bKD_U-EW zI}U|a55*GywV-a~dJMCo*um`-*J`0sy^YW?VoO)n`SgqqNRYAaI^Yn#uS4*4Z^Io- zRD#tdj)2O@%b7&#nrJaoafNRaLVDExI*Lx(=+SXhvr7GfQ^XW_D||;wq||5R)gRt~ zURU0!I!kFrMpDadVF+`l^$L9 z<})O8Vz{ou+En{j4h{cQV_J8fskF+j6^9p8jK&XMWVQ@DPXDc$`s6Tl%gaZdXEAhie5{_^h57Z*%d3>XFKha8xGt?vy@=CFesUX zp4xMNe;w*0(eC?!pEA2DRBuLDazYPYuUw5Wo<`gH3eg>3R#gH7o|yOftR{DPIriAI@I3^kZWh|qIx z5SUwufj-J9l;6!Yn}f`)PCmlkNg4HYV=<>bm^h&CaO8mYfF>(r z+h&5aU{dJ7?sF#r!S-iEe`rt;g<&%~2SB!eV~2xUb&i22l~oYwF+M@7?64FV=n-d> zi0anYAbI(AsV{pZoI!wvz+8;(L>3)c(}%0hk*Efnlq1d_0LNfEa+;-%UVqQ7VP*>v zSKZ27Ate(#+;)hk2uZW<5X}fhZj(^lX8|wk>~1pu4s;$(^wi9v9?nG80y5FV9#DL& z;M3`?RnCk__RIp|GUn4ptkICPa(3PiGYK(3a^meUlWJSrLom3*< zc4s#$S-jA6!C{Y_JX=vmv#nI>P75d7wc$o?(m7oZzs9o`btSrYx2q;Oj7Q&a z_g?bkt(`~NYE?B?QZnSGIlx$qE@t!ym&)!$wzu}OeOoT}eK2;L=|=3k2g-QE{S~Vh z9P|gfdrjjJvaXLJLgp>f*U{15Xr@38eMlw0MS`%|!8W(=Y6eI?jMKZ1w!crsl@#Cn z5w{`Df9FxSaXUSlUd{7Z&84{3a;bfsNALGmG^DUtwOeugCUEl3waZHAg22Fkmb1C- zHRa_+`-7ebTM_S0i?vn(8ZPcO6uZf837rD9Zj;dp`dfasvAm$G_Tr~_(Id5X8Y0v~ zDwFFggx5hJ3YnDjq2J>HiE&qdq5Zt*oHE>R`sVc$2Wlcwrdl!2b@X34h0fDoH}$7K z4zmv7gJqdmQ>B<5iY)Wv$6NNP_>)ICthIXi=Qe3_d#pkiP?}rIwc==qMgjlU>4BG) 
zivCc$;h2U?ZrvH|RN;4$h5Yk4eHdBq6F~?^f7;o+={7;3od4wFv&*hTaBcvk-xKwaiBKXsIPE>6%gP$5ByAM{UWlZD2b=%C3qU5tfMJ_ox-L+lY3%Q9=!WS# zaMIIK?&|Q5)q8_u&9Mhp7LM#&*iPPw?`9@-U&~R~`dem#!c1@Ww!5!Pbg2b#x8H6x zX~yk)@P3hCRxNFZ$UGwN?ou}wp-O>J7`3QuczZzaD5C8BbqqdQ9g)DA+AgbE|8W&i zh;$yU80!s6EYV|tywEPKeZ;0Ojiuazp~h=(^nU>sEa}spYFAbuj~Yy$0m#~$pd;J! zZhKk-nz!+k#MDWH{2y{U3gsuR z8^8g$cGA`>!-Cn%!t5szhS?~SMTzs=q_~K{4%9;D1MGZ;qqiMt~UZdy1|I_X^^Ds?ORu*r0e%gl*8%*KQob60~cu z;nI}0f=@t2H@PA?mkvvM>uWKoHYTb8@)4x>2=%)V%CzeB#$xzu*Fh!JL!y&>kJ{Q| ziyf{x`8<9iHrI*u*_XCv7Rd_GF1-1VuWz}%?(r<;v^ zsqre$lvwz^D;Q%>CZ!d13My*kIKSIK>CkhvQ9;y~+$(wCmTXxFha;K`hWM7-X&}s| zXANmp5DdIV$sA6!cw09zQFkh)YetpBwiVjVBJX&tlS-j_8_yj?HMc$dVz%vB=>Nq^t?P>%shg$EXjT zf>Ajon-NqLF`@M=fZ?>A{HHFPZo2|rU-{CG59%`O-V=1y_ijIDVgcO$1oEMd_Hin<7Xq99RooAR!r zud&JCG4sHnn9=&{bYAEF`M4)609%nB`b3xy@kz_RXxY ze{DatL**yF5d0`Nd_bhRu^g4sLCjn%rGBHez^BImd}H4{MU2k4wU+#%TOFC`wv6b0 zG+YARsuIiEUt2i<@BZw^b>~sXLwTzJHYJ!^^NKl1^W4kEJX9?rk;|x%jO}ia zJzc6UL}G)<)UsiBoZ)j3QHT6fxUVo1yNo+=GlBlfu$bzEOC*XmuglIO;3xCYE^*r; zoFbN<5+gU2IeT|wOuGBrQb7%lB z9w#=0CsbC11h;5hn!R{&srWXZB=Bu!tw zS>LH0=tT;P@ECg7dHkA%{O9|N4laz#G+%)|o+@&V)%!Wbe3eqU_^#?!2zitdw2)kx zR?A)-bsU3t$NxT6$aIom#H|2jP5nABpy~JEVcOsk_SB}$Sl4_XG^Th#zrMg-)o-%J_)1p6?rfZ2zAB^S!^P3 zyy*H980Rf#T`)Y(%P!ond*=+XiTCu$87cnES>ZJztRCCn0u+Kk7B4t)s8qXseX%*9 z#HutVEC;0mt|L=W;-tJzk~@=rvv+PZ!<^S;I11fDAWYYu&GZ2RFtEqY)*Py95y>!6 zRqhPy%<{c-7?~Q9iv%`Vkr}F2p8B$ejdt@Qg61ePyZn(>$&cpf+R?A-cV5QrT3IoM zMN{%V92T62Lwt<=44F zLAJ9G9(2tnx|@{Lb z?TYED`TDzXhC(3eNy{F)42O1nW5Qq9cpaI}%+S>?;a85f{%Hxx&%fO*8wrP`gK=!S z4xf@i>>wMH`29ZMNh08DQDf_o}S&0k;KyNIjivYaX%jEh5@FX zzH^Q^`547&JjUv<6kf!qnw6l6)6siJ=uWTSk?H88!apW_)Q6CDn+E%bkeBIS#7WO# zLodNe3_{*AKjO?e#jUKnUnV6eA(L;;mD@VN&=NwgP{H6SP2WedBxg_I0q3B=(DfGb zxIUWODo(LU0r>P`hV;*^J-&+T71J*#?3!zjl)m~-rnSqvTN@@k$egaWb4x{C1*HW1 z!8Um>^3Yd%`83!w#x1nY=*+k8YqB_Exd#3)VaS*T_9WIf%d|qu7o9$3d9U+QcZsEA z(Jf;lkBFV`R@x@lQT|BTW8@LSb8Yiznj^3nL6vtiWP981tdn2BGURwGYCx5RZNUFm z_83#oTVwAq!twyCZDRvt!IM)A5GlVXG-TnS*KEwnmNu=iap}`@)rK{i0!eXt0U?&r 
zaTWeeEXyN*!j!e2OgKuC*Jlk|Cq(Pys-MC~A4}++nq3g}`e(+M&gY-ttL4<*o|2Og zoFjuxr8|)kW0`tf*n9W8Gd`}@r$HBbk#r%)eu>QY@Ix=BGNH~StV2NGH0U|aEM>(o zV|#6jdey!~$%|w;y!FD?`v5>#mw|)dV4f<}1)k2;GX3RSD_P7~hKSAPw}sV|=l;h! zUupg8oPc}_9m0RP8S;4q#VGy;r{?avn_e|+^?TC$ul{h~Ht9~fioOD3sUo0zJsN#( zFE??R%7%=PDAqiRxi;0N*+QLD320qf(qbdyN&TK31DyrMXMBf>(fhPA!wzBx(wqxu z#m>WGCc_y@>e3;A%CIwE(9heiTd15)*OKi`ZD7`?tTaMX)++l;CPZ%ER190*Ht(N^ zY^n*@d;5*=CcbY4sgXsmh@2U$%@hR*vqSTU24rfjAINPkbn?9JTNPH~|90%c*9{_(@3W}=i%XeqWbHz0#;@Ie z9Ww+MBNbacc8VwCFQoKVUDJr6?_ZnT5!3EGNLBnWZyi4^dG;0c-iJ!bd{`f-5%#FN z(73>5>OBuRHxJ}RPVy({n6esc5v~(Rp>w6;6ZY|(y&x48b%oUBqjGd z%LD-p#CZ&e_&rhV%~Cxkez9t1Pk(1}_B{qA7l<4%D=o37w@=fd_hfx-wDnELpbEa% zmFVbMTY!MV#F9j!G5wjGj1tUB_LZyKk6jLl>a7XG$r5sy0PAtS!>@gGjyUqv z`B@j9Tj{5>r)#$X09_qRqsoa^L8ptz*$vg&EaWUI`Sv$KgS3vZ^s!1*-INo|)SRCF{RZ(6&omf2RWY6vIoaTxkC=?9f!N*2KK*ra2vJS0G*+Qg& zHbJ6pXQ}IFmyJp1;+CYmd~F^g_e-Cagcn7B{K{Dq^?C=-57c+n5Px9`j$4uIhJZ;S84h{<4Z|9PE)7^cj7 z2Tn#&Q(cd@D_*U+L3O$))@|t~@`A6(%2_@LEA9fnb8iL=^QCb3^)8VX#5&``@E0mM zoH77bFo;5!iicAyubuMw(dy^5j`)q~d;BlcrTY8*uwoPC(>qgf4g}@BmR4SlxO3;X zk|5q6)BG@gid0EYXN9&y^-*#7L3u2DK}k~lvYoaeZg5tWMo;vlz*Sf2ktTrZve7o! 
zx!K%F(RURD3gdVbrH7!XH03S?g)!e>hLl7_#(1*O4zUPoo%u-CNMY+0-+zM;18K9h z(;*`es|EADqb%K`)En=NmVxTPlq}TS&(=pKs_sWtzFEj_TG2(5d9LlZT}Zwfq3Si; z%cds@>W44^zqWrQbv}DS9k;;6BW0zoZ5K2KE&}ngZ{Wv_y|<=GLKR{SB-WVaNl=)D z_07Fkjh*50Yb%+A+wTG2=WkS!n=nX-^X$LE3dbA>)cSMYFg{icumJDPt<-VouHa_& z2>79sQcZiVw5x34c*EoTGD*)Dd6J+Nth`Ow>Q{hKu1&@8Nb4cUclh>MjPg^(I45|x zp=<cWgrgAxsA zo8HDX7r?OFlO@<*dTjF31FKEMD4AIx+uU>*Xjl1ts+3*ZET)~dbK&DVq2C{K>!o&_ z@dYttAh-(L0qe$qVn7kDljPWDH}I%E`P=Z?35^d0xgHbJ*nm>JJ!0sWX7vEbV^&7i zH8Qt^%6>Xl;nl_vy-r02Lz-O&8Ice7c30LUey6}6ZtrV&#GcbL8qJT>xyrDo4H!KA&&8JKLw%eYyo}-S8YQW3nI8% z;%KuFHjIIg!uGk`;@dxMrX?B6E%Aq8)mQ@_PdZvKm9RiYtd+%SQ+=PoPo^j*JM6^8 zj9euJ+FpOnIL_IMG>WTo6R11d0>Bt3xXwjf?06$H!Q=@`<=4QeWOx4y1D3Gk`OVls z#kbPGZ<_&$KGFG_U|<0zhaFMgFlN>F5^ju8w>9&Cn$RMn(-jB$x>jeIP4@Y8k$WO$A#3T>j?i+tcXNs1$m8rA^v z?+%JrxH+5KH!IQMg_VX%5}%1O+fwKpAu$SA-TPZNQq{e5coy=!qjxf?mq;TcNu%>A zRN*xI626+ffR~?B7M_ttF3A3(SU&BUU}CHHmnO5ebcyTUiZ=)dSa3*8fwZ{Ee|IMs zR>Nj9%;b@AOa4`>?*_fz?tqAOo6g)#m9G|m(`6Xd#*6$%KltXNgWjG7P6Ak$IkSqg znwxD}Qc!Sq_ZF|RcC?>uxS6&{aJr%j^;gN0o`xC)3t^e`ku%bQOyeFy_IXOr|b7Q|-i1SSg%> z+{y7xW-iQb>Si|`{fl*m~a6|IBTcj}IWSM+3FgwG7@69KOr--&&z za7s*hab3Pj^2AFnBk`(ym}BorSqxvDs?cF9-$$>y6CF+4o)Du)`mb0KM26!Hf*49?YUTzus?d6>IK_m-puG{;xu?F=i<(Pr+UjWMx_kbPt1 zNR5)8$vM?uuHgy#+aSKA%r?RRDMiwhNEpu*e_;NDSzqkLTb3jBSv`wny}528NUrqg zB+&d2@9oVw4AL|>!fc;u?#BHVb#?Wi&<0bW1Dguc>>4a9jj5SG%WJ!|zl0(8c8^r! 
z+!SgZ1ts1=)}WccEq&eJeP1j#m+sKM^wc=T<*`r(IDs8(YESrU&ZJdC=%6H}ZX(w0 zO?ATnO;1n`yZpM)H5EC_L06N#SE_eRVq|Hv$L(>;ZZI=N6c z4CE2r6*W+;(z!#d-#uP+D{DIN?!JX+W6~ZZBxUun$KLJ?u?(7}tcdxQznul0vgf%p z*LnjP-Yd4c1#7{Au>B*?HwL^xOZFzR^1S>8>=Ur)_uq~XMoahLgMheMt$2^kXF|q@ z2C(05QhkXasRvalnm(O3+>a%x=qL6lF5g$tN)FCBR3IB^!We&I@fpt$h)9v=8lj*# zN|jgXM)96ygTU-Iv2=!~E2L^sE$=GF4`174(Y}CJe*hx&TX&;@$j9@Uc&%JYx^ggU zhs_pGjL)+r^T^c~u1Ersc9zY2o z;HbEhpuFCSx|VvigzA>7w>Em61AX|zQR4eG{9+XGDQiVPICUp;RSL{+-a6;=`3tv6I(YV}j%t;kV` zN%q-sq~R|d=jE9DmA-vH>Cn*}NCOo@L8G+5V~a3^eiZ{RTSn}uG5~OPZoHD_;p`4w z6=1Hqg+c>!WXz;l&6Axj?CV*BI7+)T|0eSk2=H4!HgX{En}kZBoN6BPia?7Dq0_(f zpo%FsNnUN`wK;swaEFZp-GI<7Kvva`f|%EV5quMb_y*Xi}S) zTzPS```U!(b*UZahdJ8%glVEcEYU%$!C(U17=H6&{||>b)XR-Iu9YQZUNt|6HKgcl zxVTmnWCjtFUnVsKJ9ks;q|)!iI}OU_RR}@e zv{2fQ=@Lg844JKUb0~a|G6hpX<_)WLjXwpco_1o8fE320Y8uHBDB|5gqsyi-Ry@SA z-^ZgjeixI(p05|AU9WB*?xt&5hv(U(V-PEY{>(rZw~2U*n5bMuf_CVQtaqnq?XuJq)mmE-x{ojvow=-xS{S1?y9?#zn;!e#sV>qPV&SBrb-!QcKmuDY= zCjW6;-M(}#K<%2gA)7JH@&WXjVWIC#THF$IxI}02Fb8-3df5qsQ#|CaQ+XK!w*zq9 zOjF!ZAf8C=4o0tg-w5#0c~$oh%sc=e*ATe6;_g zgG(TYf}2WhaFlYp-x$5q9-|G2$9__yI1~c=FXuUMuu(OnGEP*0vy<2XUNJhTFE-D2 zWBIy16b`b+kiczSlsI#&M~_^0#{;46KX0YhvQ53uNDQ_)h3sqb)d2*sd($F5A;9l> z7hvX1yfv0C8(Dd*hVAp?#0wO2o;|&AUA~^+%&~+8OaZ!N7BXRw;0S5(Kr@LI-Fi`) znz1(aK?fT^$DQK`pHab6;{8mONL_lu{jM|h3t^90=2U&G%fUf|MU@6$F%hHhLUc3< zRRH=9f^9vM{TPwdX=w`xW^EEV?>6)4&hpFhR}yd?;F<#BK z^@oV7anU&Ah*KoXkr^f4;r=1JV?8f#umc0!*a%h|TaT{4?ADIMAtEY7YD_NGVIsH} zo?v5;JNC4A-qg13`RxT0r@JZ}ltm~A-vZ}Ec##_vz<3J?+???_kEQc9wLYsy_l$m? 
zl|)9eU9e}-7W5O{A1A5wj%W@>Jv&hdc6*!THe<#9?#y8@n2d#3>#y+jpEEc&UeTAL3{wOg_`tCkPL1RTwOy{*aI9Q z5XW-Cl4As~LRgT;$2`K@`~biF*bph@KWg9LHYTr2)vz}mR=xth zVi?Qy_WuIh;eYW7q7AkN+N?&!S#O*9;By|TSyx@@){!!QUcOet z&Q@24IR16pUjELmPeK#WXV?jho;A&p1y@WCrbE>iLZVp=sos;iOxzFIs(4s@LiUa} zrjBuHT7=vLQFnZDy*`uY-~ZOxZ??grQzm!Np;`oa@?uxgY29U+k!;K%-|Jwyk`(lz zGf;?6UlRNEoIlfBvQrtMY(@0!7xsTuJL|=GBvXSyUL2#V*3eK3`L0@z#z#;Q5e0u= z_!79bX=rE}&0Q(&=rCkx(armR9FubaDz$@nz>Vm9(hujuO+aOR9wt>c@k#wxyQiN7 zBqAXKKkU)_pRH7%vC$jnQ7PS5OfoHjGP0j;_nHNk$PPgROvGjHN+T%rh^i{%zUhI< zI|mYw&9Rlm`vlhL8=1k*XRu{JbZSMW2?N^7jW7JDlJgT$jPS4Cq*Vg7TA(D>RB36b zmD~hZtlUDSvZ=Q&scq#tKV0&ABG=ge@Y+r0b({r5jG|~X;8psWlSC2JY}mpstsgx5 zhk;+H+3aiP#=TB?G3%bh#BcRc%>~o|s}5h!hEJ2PA2FoQtReVG7g+FpTqwsuehKnd zQ_AzHwStD0S5#VWm+CL#1t##A(u(YVHdk;}`LAUo|6oepDu-U&7&#rq^U^sFKSR77_^eYh==JMHSp{ z&k5iJDyb;v5l@5ulcG&wr^WU!r%}0Uj49Ez3B|ySMR9&)aA&nb=`QZbdm_#ge=TQ> zj@&~MDdgy+`xrgp&zoqzlUPPs{nH?tf|HFo{vLz2Y7*JbgntkcH#XHYd&L@#K2n3* zmJ$q_GKRIQmNv0IoVCh0+z)wZjMx=yj*#c?gk?sky+{6_|3& zcT*dq*Tpo-Oyp#qVVDXvF0Av&x5SjI37~anbR%g$mPOt7cJxYcQtM=;MDvv$;YCR< zgun~X%g|82BcDg;9}aHrY4Rc&a{S)~+CO*|;#o1SwWg57F?%N<7?#IHeZB18Rtz@X zd=(nK_C54A$9|RVJ5R%;4VIKKQfY&udw?f%0ceW$0pkp37R>wnq>7sB3Iw7@GDoX9 zZ*-~@D-Y@s1F3%8!puSVz0)B7aFC-3g;qe)G(H}1HNsA@FA}E0(3dx?hDw(_x+!I< z{OCoj=wM1JXx9e2%}yd^=yP)8r~H|tiK=tOZwvMiXdo};u)1cgM2`?OpgB?z`+vAA!$G** zigqI*7*wvfH>sn-Z(;gL`C}HT|Nk@@e2fbwf*n;z==V4El@@8_i~_NeNtY`9z-{oG zA{L}-G49qen$lTK%ACvY7Ve=m&b z{>dXz0m_p>wY&(%)9#Xs;)9gHbDB9s@2CZit?CJ&?4r4dHVpKvpp!^TGF6zRh)e4o zom|o0Y6IArfxADl?gD*T*Dm_>xRrBVgEXOx`_|QUw?@`_zhY_IS8B@covEzfX7$E# ze#s{&z9>c4VWBQ97lo=P&Wz8v*&9o>?K2{G z?KBF4!W|`nHPL#j-Jm1MJM@>{bDo2Zs)Z)tO}ay$_i4aTYMs)ekmQnzamWb7x zPCFnno_pDN6S&Q?&p*^21bH~X={TFVaFqfl@%~%VlQs%jr@T6Zy9kgMUbkUpGZqm| zHau-pR&SW#4_-=V0ruYQglTLzkKUYjPYg~9%|eD$>ZFM;`|3MwKKE9pHU9+{d9|4b zY${ES^yCu0>w1zU%+i=SKaF#sBByIs`7@O@Cobi*Md#}O6tC3Xal^%Vea2OTNTcsY zouixqHjvFg*7}!i(-;$v)3CONnDm%rQ|qmm+=<#(+XrGu{0GquYLfv{q1SsGtF*OA z$TNrEJzJ@d$_T1SgFC)UDXa8V~c 
zE}CKoTH6Od5*b(SjQE6BkVV|~xfGlop`QDWZKPg=KF2tsn*xr`j2oD0lzaY5z}A8(MK~W~9ha2K2C}T6^7um~APUVPzC54m$+6a^VHDnlG1e5Q&@UvX!-*r1<2c_qz9^VvKMKDM z+k-&ppVW3n789^Eyf<%rXDw#7-nCwR<5U~A_(;c6)&TrJ%?;G$?4RyV73sOnO?iLXDt9OtXL%-z8 zdjj_Cxu~t*rj$eG{l`OUs7-}^HcJAl!e{w-iP{z~1ojG-rH0sa_uAF))<@+v%6jk) zsP-6uUN)lN%TykN%jQ1q7x(CS2jUn4Kmv)<&Z^)Hx24G&{eJvs6ZGLeTcwHJ?A05S zKD~|o3fJnP!JJZd1#=;A!Ein`K8~8B<%PV5>A{0Ob>S0Kf^A9-M3xra8zPVxsLdbf z1Q}jc*x_i5mZx&IGp2`2`yfmVhJdZa(k?v7(DerGgzqLXE83lOHey=VETBs`@anlk z?GFIuss@i)hqu_6AwWND{*&V-iu!2~NreWec-(-`OfPgU)Mrhve_p)Vd(5NfuhVGZ zj=jGF!Xg@cu)D66crlMMB27=VURi@1e=QhK;5xefzq$o2HUk+R~5D}v+N@~ z5>>W7&2R8Wj7ZYig<9>YrxyD5ny=IXIY(SpGk4NTb^anUl;-4ja7lu?5`4Y2Xyc(c zgchMLYN(y5xc6)PR8Rx3q99mfzHkq>O*ZVWyBkoL|r}m=_Jt$_ix?20jaOvWddi5eGS)-N+;C*32VM z4F-ipqc;s_0IRxa`~PGMQ6@D>7{YQ~T1`szx*>N&-vMoFy3v;=KCWyEa4USlksySc z;vh~!8tq?)rV;UNI#E!dM3E>&==A_9{7v3>(i^`73el%%&cd-C^*|K2f=D_X3; z*8a^>;OG<=5sa8ax8a~CEr*g+m%aTm+L*1WC(5~!wG=+6?ztI>Lk_t)IIZ4r&y=2f zi1uX#`SFy==-m9-8~EYf)AA4Ti32O^Ug2(a&Cxl5wfs4zDPIV*OkXTh)IFOxnnM_bejHw$X1iKqnde%**#mq7->8Gl@@#zl6$B<4w`=Mo?Qzln0 znfFV{6`sE*ejM0`-JpC%K5D9h8F!A!%U?H>7XZ!9vB-vGw4_%LeXDSb*|0-LVsj0& z;10Ddf4i?P6;wAapQD@x$mObgyb)zg0U7YH@=1&<;N{S|c-GoCQHgJW&h0JjFIN+m z3rk1QakG*y6vsgn*pqB8lW{*HE0H^6Jx8dqdgg=E zj8?3ZG7LyR*v@tUQKM;whv%$uk!@YjNjIzR1Otlf)A! 
ztS6n>$M5YU6i`|Kc(2l$3CshS0Yl4P@kCTTo&F#C{e$(axp=D0*w6rE5AIK(*=K9K zvZ=3p8xx>GEm+L@YOXcRDh9XBpI(I#&bnD<6sG#&ZgrLkq%Ir&P266;O9AN$Rsjf3sBN3CZ$S80}#4-S1m37O~92Q@gPEvKf-8|K>?x|c@y)uTEnNXrL~02n zL+3+8-I^70BD%v!Q7Eo0kQ72R4z+u(^^bF@k3s9kTJ^nks>b?mf*xio=+C|wI0Pkk z=dPh*p$x^m+T`F~$e&X_dK1;S5o$uX0Hm5Iq;?lXQxfg?0M)aX{ZmwaPRUw!AJf+O zsl>FXMM@qsXw$-Ob<@qB(#YZ&SCs(R5BRycm1yK*CkRAMMyWP4voMOZ-W}443scAs z4?8=U z_tt5mi)!CpajN}LTZwo>e<7DKXy1~DA($N-(&do%{)T&w2 zQBPTyNhB0C!f&}cs0$g~g$wdYEp8vk>n_8Rs#1|{;auloxz3n*o6^`?!4oCfVfRwd z8q7o$ zIQW+aK5$R?z8j&@5v$%H(Sy6WxMPg|kYH^4_pB(*polyZlftwvv*i#NcHKP|Mq)|t zL=X7wYm9OqGTsRb$$c|a42~H=^}U7bh1+{#-ytm`p>n)K+~U-3P}v=tdp^4L&Ruy0 z{UtUfv*E?a1fiSIuhOB)ABbJ~Nxmj0ezZZ*=L!-L0F?7`fGmH2KQOw|{IKufcf(7A o!YaI#pudoJ*$a>}wGZW}u+e Date: Mon, 26 May 2025 22:03:27 +0200 Subject: [PATCH 10/41] vaultwarden: ajout postfix au service systemd --- modules/services/vaultwarden.nix | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix index 1a27dd8..121822a 100644 --- a/modules/services/vaultwarden.nix +++ b/modules/services/vaultwarden.nix @@ -6,15 +6,14 @@ file = ../../secrets/vaultwarden/env.age; }; }; - environment.systemPackages = with pkgs; [ - postfix - ]; services.vaultwarden = { - enable = true; - dbBackend = "postgresql"; - backupDir = "/var/backup/vaultwarden"; - environmentFile = config.age.secrets.env.path; + enable = true; + dbBackend = "postgresql"; + environmentFile = config.age.secrets.env.path; + }; + + systemd.services.vaultwarden = { + path = with pkgs; [ postfix ]; }; } - From a5ee12226c81906c28a1faac9e34188c4b1d43c7 Mon Sep 17 00:00:00 2001 From: RatCornu Date: Mon, 26 May 2025 22:46:37 +0200 Subject: [PATCH 11/41] vaultwarden: ajout nginx --- modules/services/vaultwarden.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix index 121822a..718beda 100644 
--- a/modules/services/vaultwarden.nix +++ b/modules/services/vaultwarden.nix @@ -1,6 +1,10 @@ { config, pkgs, ... }: { + imports = [ + ./nginx.nix + ]; + age.secrets = { env = { file = ../../secrets/vaultwarden/env.age; @@ -13,6 +17,13 @@ environmentFile = config.age.secrets.env.path; }; + services.nginx.virtualHosts."vaultwarden.crans.org" = { + locations."/" = { + proxyPass = "http://localhost:8222"; + proxyWebsockets = true; + }; + }; + systemd.services.vaultwarden = { path = with pkgs; [ postfix ]; }; From b9a15c0d87500e5021a37b3f5bba56d90f18fd2c Mon Sep 17 00:00:00 2001 From: korenstin Date: Thu, 29 May 2025 17:44:33 +0200 Subject: [PATCH 12/41] Whitelist de crans.org --- secrets/vaultwarden/env.age | Bin 2693 -> 2707 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
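Review bot: The new `services.nginx.virtualHosts."vaultwarden.crans.org"` entry sets only `locations."/"`, so nothing visible in this hunk restricts the vault to TLS; unless `./nginx.nix` or a front proxy already enforces it, this vhost would serve a password manager over plain HTTP. I would add `forceSSL = true;` together with `enableACME = true;` (or `useACMEHost`) to the vhost, or a comment saying where TLS is terminated. As a smaller point, `proxyPass = "http://localhost:8222";` depends on how `localhost` resolves and on a port that is presumably set in the encrypted env file; `http://127.0.0.1:8222` plus a comment naming the setting that fixes the port would make that coupling explicit. The module's attribute set continues outside the hunk.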
diff --git a/secrets/vaultwarden/env.age b/secrets/vaultwarden/env.age index 89d30a9cc410272fd689c9cb1d94cb67e26d9468..6d799b5011caf4ab527b74c5bf6f17161ba04468 100644 GIT binary patch literal 2707 zcmZ9}`9IVN1HkcY#X2@ZOZOm^mB!4ND@9|Niy7t~Dr4^ZKE5;4N|$nkXls?0c10~A zu_Z-`B2%br(xqtSNLrPiRQB2D$EUyG{d#>qJc%eoq!#F{TBA&(Ua!$hz-EX`NCe1W zkcNnaP&gcd1~GJ&_&5N>GV*LRV^UN+5>Q~oNl`p(C?VKJH&TT$@n~^OG){t`7_mAC zk(TI!F`1}}XcUyiVeq85C<;u-k}!-Cg@&qP+Mo~)R%s*XWI}{E%H{^p>PC9 z1YiX)0EAJAVZmyhnF=8#*-Q|%&Z@J75;(CU0zn%rFbRZIwT>!>gJl5B;vxVzY@SuZ zWAa!wl~SkWge3}8dJ`{L&bLZQNDdi-;mJgJtcW4`KMR4411J1zfl&ZKm_)RS1Qre! zhp-Wos8DOX4knXH0V_sgmSQL|B8V0+abPZdFhxuZ<(W9hSUFo72RE8AdOpnp$5Lf_ z0IHK2_*B|Zv91fX=a9)i=yCGhnG5i~KH!i&++4NL*sOv5LjVkNOsv=T-AS|fpF zG?4^kw6cT63O$w@$G2c;aj{}HjS!EG=9m*W!NC+UoJb^?5{+cDKnb{j<4I_$(89!+ z%ZwCgPAWMhwVGijpNEW2kIvjDScB#)R1@d@)C-v?4hyqDUV`x6;u6 zPQxd$6)pt0NzByXuu77|B0#gE2x2f%s#MU~v;;T@MwXD28nYfwj4~KeE+HWyAh1rF zB&4COYfxUa)=KHIj35 z+@SiWE3c)!vMA0sUke&jJdHU1+z1Wa`siU?MAd_*sb{jCr}m6~c=mpKRpQOYbZ$B+ zj6bs@($WWMfB*6M+b239x1jLRixa+^377Xc5ZyvxNk^DWi`ab+pj^@Rb1wq<{9T<*Zs9&$b<09W&KfOmE#k6IpGCY_O@Qe z40ZQ5?&w@I+4=14+!H?mP}q^r>xMYfE$MII>;FTy`r1DAdsHs>h~R$u1>1SxpzE54 zp3xJH*J<}6w>ovb+RE~{XcqM$;~ESOK3+|x^s>7x>qiCGr(*r%rc#Y)$L&G+>0Q31 zjf|xY@}<_^hQjqK$T6p(&yLk2{PFr}CdVY*0`~GI)UVDzUX+R(IP@-t=DXtcRcQHC z-o}r=&}s!kw}m@`_C_17{93UAOUAm@YkZ$omJGMqJ*w72(Flx6Z|e$d%b_bYO>lYd zMCZ;&9D^HB&W3@<+x7%yNb>?C^Kb9`$0@C6qzg87%l5SGT*7a3IB8>oLrT(#2e;;J zMZtPKO6>ic0#?p;)nT_RjKaa(TjuFM27JOMlfK1V8e2uTJHC-R&hcnTSvvdv<*8T8 zDX%(v{4>6^psXrZ+Uncf%_ZBzvKFVOk;1n(sYd+Us2PhHM{^1!?-UmAuBPGp(ES-C z)TK|4AG~e^uSAA4*yQ(Wuc(XvTG@7Wl3x1R*wJbp*3I8@e!^LhQu`d|R@+H&!N<-) zn>^Exavi>}b-#85a?3e!?lGNTGQPU6W+*tP*KwkdH#p^~a9zrcZHEuP*|h51!T{3D zw&EzCz=ohD57BS86}XPx?btYX`yeZNaG+ud_2tK)oSa`r{|v%R2JJZcAtGs_Vt&W~ z+`k~Ypn1Z+I#wLlclLNRTpor}`{B#@0Q|n077Gs!zm)S?j_#RDJ2d`#xMAUUIGIGo zuVSp?ms z*_E);y^;>6OnstZ>#97);Js@bha@xS)--LeJ{>7rGk}wDFZhUVs57%T7h++PMF*NS zs=mLRJZDf&emAtb>9c-EgdMx^y6%}+V@ 
zL0@_I;`Fw%+O*?G(wqs&aEVWV%sxxpkzcT2wG`oA>*iJ75VNRg-vv)SE^uXi`Ndf| zs1D(}V5B8y@biHksfPK9{Vj)sXP)PS)s^s}GqRMo+CmgOI;G72n=$R-=8|{nzWy3~ zIWGI~-J!*nvkLLY(KCVCQ|58{&X7yHmh=ptvuB^Tm)AEAu*M98uvhq+1-n8Y*p~o) zqyAM>$XI|Ij9c@t;?zKd&@WRSZ z1qeDG=kUl7a!|up!PDag(@auED{XUqAlm_?cv71wO!*loCfhi zkP?|!>yvi%OvsffM`C7s&ozN+G&MRavoPWoqdIdcT=Dmp-`C_T%UXQc)ww_C|8OIH zVh+OFJF|oyVh}s7%?Oa41g`Qt(iE3wp37TR^ZrB@_MLtG-oelD&HiOY>|GZhpPcm9 zJ9U>ejLxa_tmhxQ@!HQbV)v2nwxm*Le^lM{n0VD4vjF(d=wIPolilvztOK>bvi=Kf Ch`3h( literal 2693 zcmZ9|`CkhR0|4+IsWhn+@+dV#YSz}yh6lUvwX1gUQQO+lT3fp}Nt7p%t0Z*LAtpL_ z(t|E3mB*D(dF09wIr2~xdV1gY$Jbx*{d~R>r5r5R$_(~oQ-V$#t}`ehmIwfN4bW&* zf#vZqBr*a6_MPJAw}tN9nk7s2HUoinV4LmuF*%q&A#1(XvTMwOf?d|7pny7H~2Qi2};4 zcp2OZ#G(`$Hk<+B3)GavXsSjK#YV(Lb9E>Y1pz{3O*DG7;> zz?#_6$vim^Ll;tXW}8_b1yxEBL@eJ5;#oCz443(T77EXRu>Wgqf(zmeWK%qxCrsj^ zaS&;85{;8ch8j_zM7*AZ#nGiaK3^=BlMnzcC^ABY<8Y$QHf4-F0%X^4%tk1aOd_bY z7ClzVrV{x^41}vDM*h4=g%RUz93Vx;iqVr8EGC1DBf-c*3)&LHW2x*?MwH%WGJ{lj zCCy(0ya_tNtS5LRwFcNvPSfrzoC~&J>q2}@}HYGqoQ_)dM7)D`X ziHtI%ObCKv?J6i$fYAw&YI`C*g3mAr#3rN$`?E%7sd!{7(2msWBq+O;fT0luYJ#2? zZHX5VVB|=PCW0*_Y?3haC|d%Jh!G+HY@-S)hT143Zj^*Vibq+E(QFg~ZK6e^g|uX` zC7NOpGlfuyCX(~BCKocXCM*zyByxCkLVSdYuLWtDb{j$uryHmsp(zr_R1lItR;*lS zq*)TRRzQ?d$gtA5N;*iP15tPe76zn2(ZxKe(iCsR+s$O65Jj~Tm3%T000x7BGNMj} zkFjYfQmO&QRLkrlgkEGzij1(qbTDyDk}R5tf$A`5u0jbgWKz%adeyCYJ6tb47=piP zksjGtoYv#Man5z$io!hnUx_3jrKF;jGuW*@KA-k6dnj(_tMi=bfs}-ZZ-2d?r4>>$ zL;X~19|D%F*Sozs@fV=vkYROw_GeZs@wcx|S07CJrrx$a{R(Ki>~T}&#nJZAJcYju z6*a;8j*L`1WoKwf_Ukc$ZQT3Ezbw*)FD+SChUBKnWkt-7)R+%(xl-sDhNVKT6I{;D%>vZnWb#U=HcmUjb`eGBoEt2T{#1c`2h%=l+#0Vp;rf7M23_`0oQ6Va|g+tTZr zeeY-WuHvKsU10g>Z&m%BTb{8GdZ}$&z*v}PAl^qe^y89Be(QOyS3nTYAJKH^*SW=^ z3~ZLDOrHAY*bik;d?bdvzYs%J#K#Uo800Vdvh#~{hl(x~r7^Uw@taQ->~HB$uVg!1MAE5RPx_+D!@B}LP@%E_-@;(H zY+dp7tLgr7tW)A(3v_35`2yboH95bvW8z4W%U%K! 
zSv`E-I<4uLXDE1OLHGFFgOSzmH6>f`!kr~0U-}k)`x2OS;l(_nrikD_y=(-#{a!@U zv`|0#TpK&y#?L( zLj5B!EI4GiLXPW;Y`R}a>vce|-i+zm@sSno>j9Ht3Vl0In*TYECVkD6sXq zc@M4#PRfM)mR8D^DE)d~#=3(pXQNk8>pOp$k9uR*&dG^`9M&vj04tl5J&uxhlZJkNi&MS=G@{*CSi=IQClCzViIw-l|8*sUv9n zxiC?~c2SGpg>@@dW3v&Y+P5pGgB&+k??xuY9?W$@azQIPyDQvwIq2XuLRebDtXWPs z%NECgeCIQ_?wp6tY?&pjPCaV$gZ$dbqM-^=yzdNS0>`(U0cU9lYC#5Ttn*PYyq*u7!TIr1LI52rowR==3rcPp-(82WWp zszt_`Gz^!+>H8E z%nmL`bJADuZWi!ex1LYGb`nGg={bI$*|GiD+e=$~FnxokykC?I{20f7XZ!6#)fiJ3 z82CoqITx;~8-Wlqb0rjKt5* zg0GRYmtQT-3IXKa=;YQs^Q(BD(-Qn|JLR=$5;~wcT}}O}s5ZyCo(X*!=tCqA^k@pu zA;r0a&RvBpy&tX&$j}TJq5ki` z^`w<8*{my`F%~Q4bu-*a)e-JX)E1HO;xPGbf^V0v-YgXh!eSA5!3S!0d! zIJO^4q9EJ)avJ;1OGZaF4nF>vx>j2EXx=`5so0jF+e*-Pg^dk)F$gMtAlfkUwWQV&1+f?`5M1CarUi;gI_|&CmKE)N_S4NcZP3ylTkujb)rh#8+v>2 sWlI5!ylDOCtkUpZ`e6Ubn#O}#?asZFYm+DQ5SlS6A3i!-DtvtKKWYJ-Gynhq From 7e3c87d8bb67101a83ccd0ceb49fdb5c934ab283 Mon Sep 17 00:00:00 2001 
From: korenstin Date: Thu, 29 May 2025 17:58:13 +0200 Subject: [PATCH 13/41] Rechiffrement pour pigeonmoelleux --- secrets.nix | 6 ++- secrets/acme/env.age | 41 ++++++++++--------- secrets/apprentix/root.age | 34 +++++++-------- secrets/common/root.age | Bin 1561 -> 1671 bytes secrets/neo/appservice_irc_db_env.age | Bin 698 -> 1134 bytes secrets/neo/coturn_auth_secret.age | Bin 643 -> 1079 bytes secrets/neo/database_extra_config.age | Bin 751 -> 1187 bytes secrets/neo/ldap_synapse_password.age | 28 ++++++++----- secrets/neo/note_oidc_extra_config.age | Bin 1335 -> 1555 bytes secrets/restic/apprentix/base-password.age | Bin 1125 -> 1235 bytes secrets/restic/apprentix/base-repo.age | Bin 979 -> 1089 bytes secrets/restic/client_env.age | Bin 1525 -> 1745 bytes secrets/restic/jitsi/base-password.age | Bin 1125 -> 1235 bytes secrets/restic/jitsi/base-repo.age | 35 ++++++++-------- secrets/restic/livre/base-password.age | Bin 1125 -> 1235 bytes secrets/restic/livre/base-repo.age | 36 ++++++++-------- secrets/restic/neo/base-password.age | Bin 1125 -> 1235 bytes secrets/restic/neo/base-repo.age | Bin 967 -> 1077 bytes secrets/restic/redite/base-password.age | Bin 1125 -> 1235 bytes secrets/restic/redite/base-repo.age | Bin 973 -> 1083 bytes secrets/restic/two/base-password.age | 38 +++++++++-------- secrets/restic/two/base-repo.age | Bin 967 -> 1077 bytes secrets/restic/vaultwarden/base-password.age | Bin 1125 -> 1235 bytes secrets/restic/vaultwarden/base-repo.age | Bin 983 -> 1093 bytes secrets/vaultwarden/env.age | Bin 2707 -> 2817 bytes 25 files changed, 119 insertions(+), 99 deletions(-) diff --git a/secrets.nix b/secrets.nix index d8face9..b2665f4 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -6,7 +6,8 @@ let korenstin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIh26Ejn/syhvReixauY8i85+XD8P9RRJrPQGEyAQ07l klin@nixos"; lyes = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHW62pK9A6E8pEwmSnTp6oKXac+bbOJ4VkPvNLa11No8 lyessaadi@crans.org"; lzebulon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJRSBsRgd/ITK2An7q1VXoeDPbcydR3FkQjHoO+1tAAO lzebulon@archframe"; - pigeonmoelleux = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHa+ptSTNG4mnGUEGSkHTNDzyUGeiMnaWS2nDvJwrYTp ratcornu@skryre"; + pigeonmoelleux_0 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHa+ptSTNG4mnGUEGSkHTNDzyUGeiMnaWS2nDvJwrYTp ratcornu@skryre"; + pigeonmoelleux_1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA41j5jdFj18OSHONx4QN9mMT+oBmtdwb1vstNavGOnz ratcornu@vrrtkin"; nounous = [ aeltheos_0 @@ -14,7 +15,8 @@ let korenstin lyes lzebulon - pigeonmoelleux + pigeonmoelleux_0 + pigeonmoelleux_1 ]; # Machines diff --git a/secrets/acme/env.age b/secrets/acme/env.age index 14cc6d0..35b0750 100644 --- a/secrets/acme/env.age +++ b/secrets/acme/env.age 
@@ -1,21 +1,22 @@ age-encryption.org/v1 --> ssh-ed25519 iTd7eA SOdizgV+LHwgOVZlLWlW0ywVXHEzmGjBTEAbpbSGBAs -4AO1uVgvA+jkpgKrdFZD0BIMRmxGbKavfYZdpgDh79c --> ssh-ed25519 /Gpyew Tl0BGQR5Y2gEVRT08vx0LOouwZgGeB8w51r8Opt2Mgg -tsmtuQPnV7LM1ZByAsVyDrRwl4TkwQ9qioHR0/dDraw --> piv-p256 ewCc3w A4seXIEIpFDXUUNnAgrnx4vYhbw3ii8lBg9SpWiGJLte -LInyfV4f0sPsJcK4qbzmPQBcyxFimDleNujC8sNSu0k --> piv-p256 6CL/Pw At0UITcGiU6NQ28t3wAHlStnvfuQNvRUg7lOluxRo+a4 -Tw7/nTlZjKVEwsAWrnsFZ61v4S2olIKsYyGbQC0GI7o --> ssh-ed25519 I2EdxQ bFTORPs47D3JQEXa1i1Zv6gm39Jbqh6UwrwWrYtuLnM -jX28nZJ3WbfC30eq1Q0VCSmrBbrm3Nog96aWrxAsI5s --> ssh-ed25519 J/iReg F+xTdDl1YK0XT5NMudO9Oz+tMrOU/CDX85NbTcMxPTs -rTFkioHgePRwCLeKhqeVGYewnxCcgl+05YM6re30WEo --> ssh-ed25519 GNhSGw cMADVhvNtNaMO/bKWpB9riONTiukhJqeNarPa+zuE18 -X2XeVei3FHNwHZ4q+MxYQHkQx4qgjtxVtwRdv1dFo7s --> ssh-ed25519 eXMAtA VjP7gBICaF5BeCYYt9wXhY0WEkEU1SfVvCrl5MmvhDY -s6x46ikGHX15DFuwjo/q3+Ldx/hFriUT9dZ4iVJyG7Q ---- NoHZglVeoiTggX8013Hj4PAlZVFkKOc1kAheXoT5QhE -iFE -dPU0;*1+8`fP1(FN~7/'tMb -Cen&Ux7C+S l4 i]ҙo3OQF>?S>$Fv-UGϯL*ڮbo>˴zeak ssh-ed25519 iTd7eA a8H1iSFJQ99fdY5aIyZoedRVuB66+pIpgw3doydu6FA +HRvZs07ovO1e34AsJbC9d2ybMqB/DjQGZlkEvdTUsBg +-> ssh-ed25519 /Gpyew hcs5lB9WNAV33HPEI/xwa0zWiR+2XE/8hHqB6BMQXSU +K+9qcpVXJFJdzKROYtegcBAPr6yx2J8kQp8SdXGp1oA +-> piv-p256 ewCc3w A2IOcgyuo9gjutoV70398qJMjEbiTeELmuIUkujshdxi +0filLXpTkxcN+puPhkngFBGe60mchnuEBEkB1kd3ySo +-> piv-p256 6CL/Pw A+0V9DCKaD3H8FECcIytIkQJ+xpFcy2ma+JBQLeYRXSJ +aZeNEaLTh3uEQvDkkBwDtg83aANDxoUnuP1EqCdTtZg +-> ssh-ed25519 I2EdxQ WtsOCvaqwhLG9eZTeTb9fAOnChQxdoH73/EQeQnWtmc +GRjvVMl01FRGLQ13BPtx78H2pqXmrx3l2bl/WUCLiSM +-> ssh-ed25519 J/iReg 310sd0jMY18VVcSs4tktB7zDvcEQYGQi4EL7+xAEy1I +/DfwBYxAWBIv4Qp3FHeYkOSqxzICFtmxSSvqPH7Plho +-> ssh-ed25519 GNhSGw liOl4P4Vm5ohFhgyeAggjuy1pazAn5QOdLJ3z0/6uQw +pkPOUwJ6ZFfvmxOPuDTLOy2T3FLTUHjb8LSKbxx5Mjo +-> ssh-ed25519 eXMAtA 99UxNpHUc/0mSB6P1cdaDl3T0eD+EpyWSGx7cMtXWUk +PHr3c/QmO677qku1MfmjA2UkLfl/JnE7tN+GQjbuhlY +-> ssh-ed25519 5hXocQ 
LhyO1Zawf/VcIFGVJ95mDmlRJqTQcWRNvFGD9zphPSM +2rD6RbsGNu2TSsTbkBgyAuLpoYsQQwwaROkszopMBfg +--- XqQJ6u0HrdjbuQ+kw1+B6xKQFaLR7rY3kIS890N6coA +1mp23 c(epGLaK/dKY,Y*n},kkkZ@lby?Ѓ.R;J j_{/ՃGtN)!>*$=lNpj /ڈ>0O!G1 5U&/av1H&=0jΐ \~)qot~ +ŶGy~$c(Cs&mhj?mR \ No newline at end of file diff --git a/secrets/apprentix/root.age b/secrets/apprentix/root.age index 24017e6..c88217e 100644 --- a/secrets/apprentix/root.age +++ b/secrets/apprentix/root.age 
@@ -1,17 +1,19 @@ age-encryption.org/v1 --> ssh-ed25519 cZNEGg uRRHS8/vsv+HdtnzBv030V6t4t+D83BTvbo+urA6KEE -3vyBxkv2OvKW2yxZicgTn7DB/5qHwNOKgrRl+EaEYyc --> piv-p256 ewCc3w A9gVVQvR4Z/GQKf7CAE6Y19sLs6YO1BNrIls5Hy2QUnp -CKjuobW9dTvAQ8m6k29Ft5vlyf1ukqEhsrbwkZLcFlc --> piv-p256 6CL/Pw A2bbIwJfcbIlsfR5tJZopMXQaWrYXTl4z3JrMWzYWNuq -9zcXc9usX7F2qaEasnQZzS0dqNg6UqrB4krvCzMRhzk --> ssh-ed25519 I2EdxQ y4c0Z4xxhJMXH2Ej2AXNyfRdowqqn7xDpKdMSE8K1G0 -FIByr72GUA6XcPtNIy58DPsI7RCyFO1MZrQjqgbFEFk --> ssh-ed25519 J/iReg 0IUi0nvIQ0EP+kYxIEw2B5WgY9vP0BIIw+xE/j+XaTU -1ovtzwIE13/etKz1mMT2slbq6ZJ1JpSoOHeIBphlgbU --> ssh-ed25519 GNhSGw gefnPCvWFMMRUdL6yXOG580b/pQxzqpqJ/5nsSsIAmI -zjIjQiO/1wjteJmkmPKP62zDyZJkbaievkV//dXiEGU --> ssh-ed25519 eXMAtA uKvtz/zyt2UCWuuzI3sQerCwjzU2+4bNawRCzFA4YBY -ezDyL9NgmIZuyX06Suc64viWNXVEImIU4kH2AH3lD74 ---- 0m8XP8zS+MqhBXxgykk1n3TvAFtwxcQmHm8lzl+8Nd4 -{3' ssh-ed25519 cZNEGg hx2K+BJ2BE5shiuYVL8lNDebSXOslE+D11wInEU5AC0 +/Voe2mVa0VBiowquOfiCqBwbsNWKlqJw19Rshncmb08 +-> piv-p256 ewCc3w Atur1opHkIZnyRdfVcSPmXJ6pnC8KRSoTDTgRdpXhQ0a +BeNHX/8DygcMRjv+BYCMJEbx+yUiiOz1yRQ4WdpCkEA +-> piv-p256 6CL/Pw An/25v/ZffNknCs1+Z9oUHEa9sltmBbaCGw5zGtPlS6X +Mp3IpX/1m45V1PVIxnh50hp4ymL3VjCnDZ9+n+pjoro +-> ssh-ed25519 I2EdxQ MFQL0HlTcYBeQe5W+cAegZNrtvYh67YfaeQk5lKBkxI +6YtFHaJBmdC05zaeCNRUEOx+XdAy/KSSJbIFDAjqk4I +-> ssh-ed25519 J/iReg pRxUVtZLA7OlkbjZPNJY+PcWBiwu0qOUymXTACmOGws +wLOQy84hbkdjSiqywOU+fAoZkUg84cdUP5mmehv1Les +-> ssh-ed25519 GNhSGw oSRxaxlY2LyuB5QBkfQ+vIpmI6uFCCi2l4IqPrQxWgk +ePpTSXekzXDwSUZj6drtsvlnaKxPjgu+j5afvNsKbQk +-> ssh-ed25519 eXMAtA v6zL1bc8aR2fgESNZcmTtGPk5pjVj0UGiBd3SjqGLzc +amsA5x2C5dQBzqL1uu6popDmDkKEhm4WPeK0J361vNQ +-> ssh-ed25519 5hXocQ DPduJx7pfwr8FqMTXEPq3zXBhyElZTj3Ouy0d3S8RnI +m8K+tCRbGmnf6IkkPAa+scmGmiEy8QAvJppj0lvHYXs +--- Oelwm56/V9NDvorDKW+xqISHYjsqEs6HG/pYf5qTX94 +Ğuŕ{ %i[V4kX+d 'B<{h%P)m=`Է^I \ No newline at end of file 
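Review bot: The added stanza `-> ssh-ed25519 5hXocQ` lets one more key decrypt the apprentix root secret, and the same stanza is appended in every other text hunk visible here, including `secrets/neo/ldap_synapse_password.age`, `secrets/restic/jitsi/base-repo.age` and `secrets/restic/livre/base-repo.age`. If `5hXocQ` is the host key of the VM added earlier in this series rather than an administrator key (the patch does not say which), it should be listed only for that host's own secrets in the recipient rules file, which is not visible here. The `ldap_synapse_password.age` hunk widens access further, from four recipients to eight: `piv-p256 ewCc3w`, `piv-p256 6CL/Pw` and `ssh-ed25519 J/iReg` are new there besides `5hXocQ`. That change is worth stating explicitly in the commit message so the broader access is a reviewed decision and not a side effect of re-keying.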
diff --git a/secrets/common/root.age b/secrets/common/root.age index 3978639cf685de44e33345934fc5f03cd874b0f4..b00783c30c1e943b8e4351460e64d3334258fba3 100644 GIT binary patch literal 1671 zcmZY9JImw*6b9g8yRos2r+!`^rnMpE9CYelbUGDe$Jy=<+KR_(3w6wDn zYq1a(WWnt$#2+A*iXg5QBH#Xj^YEVYa-1l52uiPA>OQH;_o_D9jr+~R`#{&l4}lLM z$esY843XprunPC;2xA|5VMVd$30|Zc8Dn;9>g&C3-GvfBktvFR!8bQmxE7_qDB8}a z^R0{1InUs<{Oe@IEJ%c$M0$Z=XAXeUZ$LxZxeknGqx%Xiz5a%($2 z=2xv_(>ugN^*UIZV%FJXZFj1dU;H4YPCBA-iPHB zt6*$x45{Y$pxgEsNjhS+>?TmRwzimGV9&3uqC~f%1fI7?!FsG+NbbBRf%ud`-K0(x zyj8=9#4MK5H0qQpVMkx8LhszfHEtHu8P=wQ4)ks|B!^}e=TfBfsY6qyb;`SlRd*(- z&O#k0al36^(V9TaCI!HqNpe)e43uoFIkZ^X{-95|9d27uV{7=7kBQjorN5sxMjl(5 zA4baIriK?D=cmC}Ot+H5e$@5-EVLm4@}?NyoFLCRWE(Dw3{34*;!(NwJXxe`wMrfBh_h9va60lPnf$BO z$@ox12nqxf?ZFd3;v}rfvuMnO)>OQltR&rFQn|}xTM+k{iK1JG!YyUJvm3$BFL{s| zlh3o~-Nc#&a`qCkPqQ21%~o+YvLMB@i)$YKx!QjgN?&%@msTQc4IVhUwx3n)eAN~y zIFMoYx*2489-U)0|5|nT|!feZBcb!&}9mbi}s6+UeVytUVh=mjE*RQ>A?qMv93O$17NNb2ndhwxQ648+#`V78edK zLr|zt>t}0$+1ad8gN=*@@k$>9QzUy5pxon_{?oogpEeCk`$)GKZ7pLia$|gpDo&@B z=Ma)G@eMLD(m>Jmu`@uZr({SOZ>`#aqHvE2HEQT^&}OF^D;j*94T;UlQvi&w1Glo8 zS=h}*+f1lsuj{cK`b0d)Re4S&*e&*V?gUSpe3%KM5J~4e40~&B`vq4p22QV5WS@=L zyTXQS_3^&DRGWu~2Vh5gt-mtYAk4Px%cn7uJ%8}7LB}0kRJ9ib%orUyYIm&Kyz}u3 zhyUiQr^N5yKmSDd1GeD}8(-%6jA V%Lm^-JO2FXpX?W3|C+u&{|!cVDxClT literal 1561 zcmZY9sqf?j6bEqDtQd=76GU+&&5s__YYe2O;;NPcJUuzK)}~T}1xPAaVFJ$9L=I}vWo#a{)wuPLT-K1n*pTaOH(mYP*-s~g zO;4uUu0&+kQdK0YL6Dwa9w41jvub#(<<^CaX`qCCE=$SVBot~C9VXpWGi4FaP14aC zZ@P_zD42FS3uw7{qF+_bs7gUN@wdI_LY*F+6A!~)YQkF^XRT!RKI z4^c9y)w+`OM-sdsi?DV2rgSMtLi6ib;afy8O6gLkn*#Mh7)H?jC^q`_FwJ176prf9 zi|F7)z#n(oon*PuKJt$>NNCr12CRvo4&h!%@3A=FbnT|VC(>kyXdL0yhHs*O()M;& z-0$zyB)nC;I%K3eh3aWJZ^lJF9M(i#@j;_j~gX1U4wyfQZdP3p)bXA0#=Z8sj~t>yOI^_tOAm`297w%+8{ z=F>xq;sg-SY_y#L`rf$Ng){T!WDFi_8T;vqts%c2*nQ8OYDCRw zy|Mm(*%HcM76ZU(=xRdCbhNoT@-FbARD{e@0~NNOkgqAX7L$8LJ2a0rl9c4PesI_T zyoQXG@~1Uc*D|b5@VOwmDGYVCoq9_U-rA4@l$&u1n3OCrU(MBSMCV3@HczMx#OYc&MJ63yUfI5*lb1RY-(m540zF%QMezgL*`PCH$+gg 
zlQ08K{rWkzXV+tki%Nl^WtAkeR)x~Lxw)$T@mQXrIM6Vf+LVOh^Jp<71~Td* zbw^je^jQ|t@#My-bPoL45L-DH*I%A>(R5_W_*b$)_@^`H~i zM5(G+j5hrYN?n!iOl_KbMLw-(f+8J}pedU%-RWryK=+8Hx(d$9Vx?L=Zv5M{gkW_~`L3`0)Mlo7h&(^37-+CT`&0 zA4E2o!IjzxAda1yHA8S5rT~x+*H#W7Cfvsh8ePY>+VWSRz?3fQ)eT2bVId01Zk7Z$~liaW+whNwzF^18~b}UD%pEai?inmfzauxYsEp)S5h~NZZ<&25u z038XQCW7d~E6@NHY%=8Wz-SaC(+>F{CT1wswwl8vW4qG|PBZmtU`hy*3k`1?+Cr7Y ze7=lR(ZIa9iX;ZQN#kZw_LDG+HibOM$4Fjs_40A&G`IoFv$*;f@iQJ%DAH*2siNq+Ldg zPFSrZ4jDNajdXLMrA&v)$O5uaZOJSuASE?9)sI!e;f52j2}7AO)^^`ND4T4{>rYy| zV)@iMWOtXW)qq0PV@^q{F{_xmOem>^Wq~LaEeg|Be=%+kB7WlPlQIk{XP-ZI{?K>t z9fzP_k1$(THy*!Qrcdqvr1Bd0;sbAgyvcr>Zf>LU#Xo|(l8p<$+$<|jt*{o?#6Z{MNtwRJ!A%w-gh|*qtIJWa z5w6#0NbnGeumMs2Bpm5tu}Xq1k4Ky3OwGuply(D(q-=NdT2p1Rdb3J5aYA5J4obONbRHJvkiAG6 zMc~&f$1Xqh^P#u>WQ?59j?I{p#F2eJ+P|>ZGq*nQZ#A?bZ2Y)5Hjn`pM$h*@KE)h< z^w+*~bb4*p+tUrwtH0Uk3iz?Rr={Ea?ZGprKVRFwI(5TB9LI4GAJH7gGl=3KSRcJ9)HH39rXmMP)BJCnr2Vx?5G4PaKW&pVNs}g^ zI4FplhljTb_uwMvaHx|m>VbnExSR?Oy58M#;4L?(kE74c-{Hmg{jq$n?Zr-3r$v~= zuOyj|lql4`+{*Ky?YUhXM+Ys0OKY!cl^tQ10Am$;BeEZjC0eF+$3d;_aETe^*;R8j zyHaLoX9SJm5E(A)g;Bsp>=4UHSNHqOsUlz{+13l{fC4L$j21EWpO%JYJMH2`%d3V? 
zuWC^TW|ONXSQNSK_Ta584-Q$17Bkr^nn_&OD~c@Bvf<_%2`bs4kfyu=dIwRUI+)c& zTU78;OpO8uE@uvP_fo|$L1vg(-Dl*eJf0_uE4p*wO9YD;xp zA(feA$!bj{1%%b5<|qXttO)B9nIqh|Z|ec?jkyjak%4%y{6&fJYNw8}((dBbXjuq7 zN~A%PJA}sWr)75ykIri%5^A2`VnN9)jCix(S1edKIEm*)=3!l9*JE^kiVR%C^2I}E z%s7xR4kuO^$Zx2p4%E$IMC)sbcTj$#_1S7f#6_ zb|zBQirhW&o2QSdf@-Pgw(_^Ng#)s$_Hm~x1%V8tmBnaVWEt>rq7128q~Ruqh7nAM zGY36uyhnD!13hun7TQb)QyXU!OaunkFM;7& zv?C)Z3}fZaRGoga$RIp z*X9Q=nK!`kSC_6`NPpeIPxNoTdvY&tODFHV3|)WW+41L(|2g~nuQxxr^6iZ;uH5O(BS&=w;#v-gLyac{M?pq-mP8P17c6)1{)=rg=13lQe0Xq^Di< z;z7m`1TTUjf90KU3 z4PR92@U)vW98;AC5tA0`Q+M1Gr9#sn2I&+b6go%dw1Zn2X8MT;2Hpg1Cmv@D1GQ83 zErTzx6@1V@m*i}mPK%o6mv!4Q%B>K{F;Oc);wlwa+7!-;Lxdw`gwHnd*cMQP@kg}U z;;gW0)DCW}V99I@wrjjzX9Kk)21*}ENCi<*Hje02A+<=!k5`kGh(oxhz)}F7RS3N) z*UXF=iP?%7m3g`uEy>zSPp{>QlP;4FJzcVK!#lX?D>Z6Nfpnge1d38gV!|~lp6*Ff zHOdd@YFkwVNAg&n)rZBp5mFRjIdaJo;7G7Uw^HJQ2<@jcRp>W1(^P1UC#^{jfHynup_Aab_+m*KFJNv(H z{5}42@8~SM|7Gs=pT^mp+0M?g#t<%-i+CPn-G!0lO~rF*h~kwlX?2Z(M019tC!mgDGoW7N z`GBm5fF>Ktg2<6G6g3xijiItMoHQD71K}5`*_;hJI2sK*8BP!VemF}r=pW4;#|0NI zqj@8t^iq;1EUazdK-b8G3Y4J~8DMNxvg#Z^k}c396gcZZKGtK1F_K#~iq%GKa>=I}*9A2e`}@h4L_VE$*JR0CXnWM#ZV&2dH?PVjD62Gc$da{>!Z zF|lcOOhNW%7*g?_S+`~8*tXI#g{Cc1SQiwc?DM_#CGgW&37za4Z>SzTcy5f2gWyUvFepX>PiuUa<$8 z8kUANq7wy+$d9|Dx=XimpwS@9noRfunw65G(s5vm7?epblawTIgJw(MIM!z!zO`Lr zMN4LreCX8#RWw{;;;BHVK0$3l(9xDF!x=s=!lB?hZQqb>r^@6IECn7NN5M&rHQbrh z3{8*5M7&mCgb1qio9$GQ2$UEI$#%`?3q(ldiwr^tEnzNN;;_^R1Y4Z*P}YumNLn<4 zk%h#qlBZf}wUp!{L5i|br_0D=tfV=P3c+9?g)x97j!1g8wy?W(zEQzS&UUSA^&P#H z*V(?S;VLH9yP;9iHKGP2b7`PgMkSm9g2}-3`g2^M2Gb-bsIVi>%OfwGOB%{pwueK^ zVjQqNPn$#w$LrK<1(30VL=MT}LEV^|?#b;tx_ zt86Ds&baY#jk#k#3H*-y`2B(C#_{!sr;_iEzFApu9i-9T`OA(VU0XY{@h$)E6)9O; zKDY7q2bZ17?Bs*n`yL-Y@y_PC%j?aDZ(Q0zUf%ou-szr;uRMQ$^Zo;1Q(yjQ<+B&U zmsh-{@YJO{VE@it_U`Um&+a^%tK8&IUq7SJhnEjt+j@P+>HE(d;ckDUeceAa`)U8p z&#(S`p+ETenE2I+b@MIq3)@+L>_l$suY332t6g2%bN<+cv%6j-j}-UC_$qQ}bNA>6 zq=)~u@hQCVE4B6E!Ka=sAN}(1#anmX(x1CudhWRV$sfC}U)j3GojmYrap}y;-)1bK A-2eap literal 751 
zcmZ9_-AfYz008hJ3L8cc`jD0Fr5>7Vx1Be)u<~}hyKTDLZXb8s3c}r8`?&MIym{UQ zV);^35|)*qsT4I$dWoQdf()yd!0ZEj5JE~Lq6gE&DCynbKk#eKadu8*R72JZl6Y8B zbB+$D#eU4%-k!H}tP6siUaJF_4NkY3D#esEn#&Psoshj0%6NQHFck5}!9pr1B|t}x z%iux1!)Uj_olK`QplA({m}hxBE~ikX9!#~k+cAf$m2n}aALdL{O3LKME$BkoPSP6k z@GjbnLh({E)QscJZ7wjzda^|n^OBU9jS4gc;E@7|1360+)RYKC3ra{01j9P!Zs8L+ zN^o?#8Io-Uhyh5%WH})p2R3dvk&olLHB#S@k>nT{bfV6DiYL9QyH!ehbAhlUjAYEH z&iUjv$rc7&utg-yW=C6xkxS4D67>Tx2o-n{BmyZk-xf(_3fZ(RP10ro3~t=GR2bG^ zYs92c9M^eBie>x&MPU&(VT%Dmkyi-Nt*aSFlBG!_A%GqWiwPN1g5V?q8gS7B4bvB( zNxdaV>2XHnAfGEwgSO&nH6mH;cDoe|7t-N~|JwQYgM*8o zlXX*18>=tq6A!yb4^CAHKXc2MUo~F2G1-KpwM74un`QUFP^J4>_40|6wZqN>+*tRH z>FuGV$(~VRsIPXSYI>Ks=iPvFJUk%(aMT=KGN}e`^BHO7l=eG%t80FxC$Lg{(=<0q zR6OoKkFV8XfcXV06Z-Qt>=$-1Hu84UwgtD(dUvK*=^kk+&3xNBzB;V1vE8#P<#qqw of3pquu8sAQQ;z~mrP}?-)pT$9+=rc`_qD~jmzEc|w|wvV4-U{ARsaA1 diff --git a/secrets/neo/ldap_synapse_password.age b/secrets/neo/ldap_synapse_password.age index d1b0851..a9b10a6 100644 --- a/secrets/neo/ldap_synapse_password.age +++ b/secrets/neo/ldap_synapse_password.age 
@@ -1,11 +1,19 @@ age-encryption.org/v1 --> ssh-ed25519 /Gpyew GGtk6DYlauerByL2ia9uqYRRnwqwn+oeZZUfRpDzhh8 -OJ0qDoPCz5FXCXDOHJyGlcYhBRvMPIyrDuTXVR6pYiE --> ssh-ed25519 I2EdxQ rHELcLTEsfu0sL3Aw2c290Zf9EmdOIO5gmhLS6lRMiU -AKX6RMwbLn3J1IKsjSTfxn0u/XlT0W76JKXfcfMCkqc --> ssh-ed25519 GNhSGw LPx7cnjBfMcDwZ4hqfP6y++D2FVtlYbzMxfVkfF86hY -QjXtb0IX9wtvCw1ms4A+kG4Nx6URhIT9e2nzyRSpI0U --> ssh-ed25519 eXMAtA sB1Ew2t6yjQoYW6OpH/bFCo5PO+a23nF/OrCrl9d+iY -73LkKS8y0bYR+hGPVjHxHc6VDZ5mscAMPfLwS+a0slo ---- B5T496c9WhW9A7EzOhy7vshIjNFgTr/kfW1mi5Cc5fc -MZϖD7Up{Z~*Xѐ \ No newline at end of file +-> ssh-ed25519 /Gpyew 8DFDxGaZWao+vO9qxc7f5O477lK7RnGI1RDBIxySpz8 +TKZsz+XOy3O7Ev8Uel7RzQw53eTPe8/6IltBLCx7dDI +-> piv-p256 ewCc3w AuDjekUccsQysWccrX2KIlqqSy482h9dmBM+N2599B6s +X3ZD4NEdRmIVtNNHUtMcpWsa7Z6gSSxfNjMbQfdw5VE +-> piv-p256 6CL/Pw AmuREh4r0wVcpltIZjXTI4LqmHz6bKMCJk3FOPShnwBP +q6es8bKoU9dXIWegdY8418Nq9QLjEf4Xmn4RUMozV1U +-> ssh-ed25519 I2EdxQ 0hXF3v4y5kSEZdR4eg/TZbcRjHQMyT3iu7ucYoBm/FE +aj/i/gRRPMdOFG0urrG5bcT6NGgXQ0IdT4IUoLhLrHo +-> ssh-ed25519 J/iReg K9SLwdDMWuUpyRM26ysJHATmVk8rsfi90NZ8Z+h5XnM +0yQ+b1augkDHdCVWPI9uvq1IzgOBwQ23S/Fp54lVce0 +-> ssh-ed25519 GNhSGw 0/k4x4mxXWKyqhwg2LeFIau8Zdx0ebPPYWfcppGEfUo +njIid8JCI+41KyhIzQTj4T4DKmQ2GxRRrN6P1U6ywFc +-> ssh-ed25519 eXMAtA m9yyWKx2xE55CHRgeEyTrft3dZUkJjmWdZh+M1Nf73g +97B5ztSgE1BXzNDnu0ZM+oowj8wEkxWYoiNEs5qXhGs +-> ssh-ed25519 5hXocQ 1Z8OfB3R7un6+JGu4MeBe2lzvf4kIRS8L1TUJ1JAygM +GmkDdKbrUgaF1aOYKRJCFTC4gIdvoYzmIhGoHbOWOW4 +--- 9wriBEhA/Kil1/4DRfn0Lj8KXVxU01JOtzdY34HkP1I +Qʋ;qz[86=m$c~{BGvxRMBUWAVb6n*ex(O zv|LhZ%4uOl#meTGPF7(e6}E-+iL_3M@z#iJ_iNm^TrhCBk5xm2PZCL_jJv|TXtM$| z%f$31D8ZpYhXwZQGL%D8fiY5WTQYhV<$?&FM?4Y}auENq5HksSZdg9rB^1$AUglaH zIYxk4wxWac4iJNE_Nq+bWD#{6g;b2dfGR|iNI{eY(XHWP5NdMkV#0*Sj-2Uf+U5o;>{Y&hq5uRO37DBewjAXfr2qnh$|VZU*|3omWgh^=+$TPr!$@jc#s;le9Zhd=VKJ&)t zNbi%&fyPVgv(r!LI0vf-A43zG564&aW0#Mu z-PGE@+_t0rnGHuA*DmJ{cfDWw-TKzL)}7lLdV4^BI12adL0>w-BKKM>E(6ze$ zz>%v*?_Rs}joSJ}uTN>j8^)e9{cwIP79Y2+bHT~QBi-MxymTSWJ5?KJFV}8*Y0XpT 
zdw%JD&p4o4bK8`~zZq(zzjoCQ_-b=Iu5}1U*R*e`-+N0|2egu}nEHR5I(_#;BTGks z+^o+6i_G7QRIdyVt%9Q8wVmCLx5m#cycpv`ziS@XAd@D}+K0S*348SdTz=L&wJ{x5 z9{X+UuKq5tp=@yrYeeCY3`Rv~gv{cam delta 1290 zcmZY4|5H;1003~w19gei0y4}Z=jH4jJ<8|?aTYJJ?58u>UphfUGcUpH%m})Et-s)NpW4}Nf-SEl zBvD-{sIb^^nZxXYIW;P0QC83EX&pe>1Gv|1;3Pn#yc{!!1&AICK;bfjUR2_dBXXxR z^(=9h@agr(V=(U3E0wL#)W^({27dm4qyEGhuQS0QR}<`mmw%Ag^pv`c~(D4>;6 zQCn1JG1=gF6jqj-xBfOS;VuK6V%V=YlNOnnWjWGLnUst^RHXF~VxvqPH>hxFfOYYr zu)tNQ8;yAaWa_V!g7kRs8QG9A>he4gdrtxk4?V zc9ffiEMa3Y0>;%4Y!3K%kw0P7#2MU+`#`w?(8hr%S;3H6na#th1wbI8paT(^1u9nY zv_^#E00CJ{xxCe;0ce*L;apUNHPc}Df1Jj^;F_3FA~!qTY;i~dI<@5{aolA@#9`j6 zha`S`RKqF(R{~=|73?!&c7fkdszX{|kPL<@(6CCbi!xRVkI4W^6)TYxT5>`L4iHIA zTD0W9J12!Id8LrTq%IFoWRqb`X-uIeT(UxjCRG4P5;nO}fkZ(@Ohx!mg;gzxg~>t~ zEK5icT~Url9e1*FpI;t8%qRiKIIqhS(kL*!j55YRRFIvWEp#IhuZ#3xxd7~T;-MhH z+bU4lM*9>nE^?RAg$k@fO8X=*SR(j-MSd!Fy&c>8pvU)eHFfx2d!2;c zl8SHxOX`itYHk8LbnA;38<+zZdwiW}>S%XwEhoBBTsbuKS~8))nCx2MK+seAkO z?}A^y-@+A~ELuLP>&?m%E*<-MC;aaF<+A(n1NUzCKvrll15I4boR^XT@A+oJHQ<<= z%I@6v^~e3^=xH-f-E2rIo%}l;UfMqVh&=5JWga`0wscW-n4tjdm6C%Vkf7ZKy%M)aR|WgH>~R&^a2efNs~ zhfZ{pJ^G24V1K$(ocOf5zk6h2AF!+;?ff&)_*;^T{>L>AXgf~?Rf|l?wT7ANf4qCS zee9^=^5)}J9V_Q}TeEI4`A5c9!jtv)S`M}~ZByP#ym~ja+!LHpy}jXFO?!n+odS$1 zPkpy~2^8+?JpZ`yQe(bbl0-EGUZAgy1a?URKpQ}_>-4`0KjqFj}yz-rXV^{sNTcGtTt)VHW9onKl&qS(ll+8CS{zqO`D`?^P^3g zG}9r2Dd#2%JDtkrkfDqrj)`!xhp{>EVNRKd1Mvno+-*#Bf=^?pb3S^1!3Vy4TUs~K zwK}7z;~BQ~oITQ#6DXFLi;u^8qN}FTX$XsVn&n(Ui%0drAhJms4oXTT7ebBks3}d= z1{ImZUVtdR+xHq3fFMFV7Fczk0tW7g>L3&-7OyryQAKSPuE0l_A+=<-P?OV+rk6Shq8j0+uZs zH5MTSn{Af6f>53`(m_)QaJ(to!`Qf4Y)(r|dZgrO&NiUpK$f6@4*_));*@R#OjRW$ zLJXzx+KO~4r-nkjo)!^X4lyi?bu)ud@3nE;;U^K1t2TVQQzPVbL9tCvwd`15615r& zLxhHt9rG9h`Wcqtm9?0zxsCn@)2iOqShhu57_>)&_JXC{TWC2seGI9_od91`{RC zaL~0{p{&;mLEHuDN{`UcJWA&?2&2dm#NcGR3wb;v@F+ZL<4g^JDB3b(h$_hg3l2>e z8-#F(M(wsa!ksk35v?jXbugU^a0040wy;*~${gFGiYZ$&PE4_S`D`E=V*LJegmrCuc*4$)eU?FIu+L6W_wNtkQ3 zv@Y8nAwD!}N(%zqzLXu(#fe+x9rgb6DAb)Gp`1r^tQ5+9gsSB2m{!NEycl#qt5U8` 
z0MHp*b{Zbz5iYa}MXIegT0pIik0(MWmPjPx2wB9+6(4UDvzZp1kg-b=E`4yM@y@Zuix0hMo;Tk*xU#b2<~jdI{*`~u>{b7m{dn_V^T%dCed)KN zx0$Vgn~L-AU0=V=_P)QM9hlkh`m5UKU*1^VeRu!6Uu=2e+S?n$nKR$&-wC_E-h94& z@6hkn1!(Zv^0uuzSHT-+qtgejY*;?@)7%?(cYc#O?A^Qc%c;kK1?6(;;ma?q+&XG~ za;5U~oi`)!^bB+J`HdUa=SA_v%k8Qnv GF8UX=nYo|< literal 1125 zcmZ9~-;3J>0KjpPJ-8m5vbo{8$<-Z$X{~9}CQWb0N!qk&(xkm6mo$x_v`Lz#X_K@` z+O#0M-A-?N5r0jl;)CLY8#0ld%6@RS;a;4A;LtgpcTC*rqv#xZJ5J9>?=Sekmv2Q= z!>TEF`nIcE=95-O1G-=!JP~x9dRSE;7zPtTS<0sgEyxh58l1AgVylV@rh_<5nBjFC zf)!s65quPlBNC#c^~#_ZfCOjrK@uEIH?kdQ_H z(`>yPwjme^s=bsP?FBK@>rDa?ty@uzxXa}`IfRkeXvf7h-Oq^)4)HQ+Ig{W7o(pi8 zt=3IYceAxdL?e{8Q_D`#7ER+Q({7eJ1sq`&ma{u4>wgxKqJhZ`%SU5k!3625Oh8f} z$8%_sV3LGN@#S0|Pem{Z^EA(kighiZvVe#nG8#>!6NbdcIxe75c^U!@uicdq&FPkU z&QuAL2xD_a5=tw6G1%!vrM8oD~ z$l(3RW{t?#IieTLF@PxwI!jlkvK*11V7h^-tV1-@#(-7(rXxdHqu|RW-U%SC=lgB5 z)2JIBQl5+$#Xi{rEtrHQ9*A&7LS)JUs47i2wpmj}26M3>L53Oz)+*tY(l;P(fKYU~ zYG(k6q#;D)<%*HjA7@$UaWRNQ zHhv6;gN`EgQyIPF#X&IOGh$apTB(Q?CO>MBkOAiPq}lu zp3vWU>h6WzW4C4&Czf{n{@LNZL+JP3gH&YqH|o|~gVkQUyZ*-P!@>7Qg@v!~e*V|UzUs-HkG^#6?-$1I3#>e_@8IIj%E+nMvAs8k jUnWl==xdAZ_VzzX`^6nwra@!o*cY8&Z~U_Dk+FXPCt#R& 
diff --git a/secrets/restic/apprentix/base-repo.age b/secrets/restic/apprentix/base-repo.age index 2343af3dbabd368101a217c94f27dce27f04ab33..59d8e9a454cd560db28122eca4a046e7d8298432 100644 GIT binary patch literal 1089 zcmZA0IjH0W7zgmqVzjW(732xQqtG~Ja?E6+AY^jQWHLvN$s~alXL3%C$(>As*a)(f zh@uFJ7OSuii!EN~irBdzShxtQc8iJ@7P|X%OW#`QE5GW;|NH*m#?9AxYK@EgEq>1~`sCSA{C{e16dB`bPX$&gu8d(STv}9Lx6Qn-??3yys z8X%L<8rx~B;^;s%_9{Ldvb##72!mHdtW>wPjN&3Sj2gu3*vnvv;*89oLRN*OCMnRC zLWf%>8^TkI)?qL4BGwT7rT9N>x{gn~E0MNP=9!Ig(7 zp$hU))B3RE-V2Ilc3x&n(WQA<+gJp2sMSgU(=3fgXdki6LQC5E{1zt&V;w}Gfh`3r zBWAs3P+t(Rq}oz)doaaOOjk>IrxU_#0%E@J1)YI%SZ%C$(k8?ZTt&u#-Wx3kt^77> z@nL(&Yre=1W}+JEnTI;hDw>x`c}c{LJ}8o|zM+}xA78h|+~tY-8ibO+JQ zQ@2dZE>qIS=c2HwT+t&m%_aPjBjCCdQ*~rg>>_RF=>{g$XtZ2Gk+YMw!6reWCKZfQ z<+A;B{BJ}4+ecfQkp&58inTP$Cw7(4kmg zPL_$9^G$}OaV^2Mge`C$tUPOnmb6kkN#bBW4zA8;>w8*kiU1acGY=LCX^!E_lp{kg zmYm!!odQnl-gwQe?3#sas=vZI$lj}BV%Rd1$dP=D#HBK7$)3fCJ2nq-=IqRz%9j?u z9Co_hF3^HfLGV2vJ$s_8q855oap>rPhnkiXy66YBfQ=i$&*(|#1NmfsSzUke5&SrF z`{~y&UAyZ!uU&olfkb^`^3>6LUuM7keBma0(ZBzj_wW30MgQe?+4<^Y?Xlvecdk7M ze|!AhE73`B@%$hxrJ$?IzaP&QK`r*mt o>5qRt3;bF=^49OK9$$DSIR5+1Th-T}+zRe|c6a|Ucazxu0|JeD+5i9m literal 979 zcmZY5%j?^8003|=B4&c@vRxDlBBHgw=KD?4rpO#=nxuKQO`0a@t$8$Qn^)5`Fa3cY zJPbU{jR}gdAu79y%!4r8MNz?vpfC|U>3oBNI4{1A&cEOTpQY!v+{jL=BwNSPQJi}1 z93ZWy8vDK9avg}{px>|;GR=C8L6hGs^sS`?FzyfrO-CF~ZNh*W%UeqFaUxn8ZfRCk zK_K~TI1stiw*5j07xNV(ZAR))*ozbyW^-^zcRjy2ID2vy|EneIyp=$_+i(lY#)<~n zXVe2M^OT7-TC-BjJxqf!l%0`1DVug}#!}$K0Ai!b3fZpuDyMQ$@XM;!vMXuDI~xyV7xgB#6Fj<1zExJ-$$tGx0LqpS=AzE<= zZ^4yvm^oe?PGgYpsgYM*$6bPbLhg53#x3ADVB0;aN#3ckvahm5qaQ>$Mf7SA0@>S| zO{r6loLQ`m7;89|uoB%ZtS~P9WLqF6UFo&lQ9JBxz#g2^NfPLAx{s|!WphVD+GQ{> zPYs;^-=u3uWJWgT11yd_h*>d1_3bK6%s9a@3{50>kTf^i;DIsbSk9giNZ}L=HSdI~ z;MWB^mqOEZ)&kImR+6MSkkNV;cQeTus2q72~Hd zZ|SwWcT7A$M^g|Z@4a^YtCwFgPkeXj^oK<2=*1f+quVDgocZO83(T!o!i&MxC$By7 z&`G=*U4Bfz`O#hH@45TR^>^-l?T_B`zpJ00yZ!JF zr{3)-B=x|XZ{K|4WBR$Lzx{@DUj6iRaqj-J@N87Sb$-`AK0cN%3eWgo-+1t+OE28_ 
Rc=GGBAN=^J@&0eG{|%BEQt73zoJ*9soQlO9Cy;z98Cp|76w?fE(U_&+@VC(P5k^b$AowJYn( zXX+*g2Y7Y&IiPKeyEH*?9Hs%J!Zkeyd?DClTM?GH>VjUebYEqy*R>uUsg|ol%y3q- zorrmeC#`U`0dKBxQZLFDr>LEK9h;mWQ&FpN>x^D4XkEy&}5a>@)E97_V7?E@YXXJpl*|RP%)~+bSgSsdCe=k{1mfPz}dz|g0=p{ZAjUm%)<(q zLpKAv>7eLfAyA>c&YhSws@}|p^C-P>d9=*@eqZ zb(wSNp0^nZ7R$0@?>Fu?Vk02cs-h;=^4V0nI^YH3z!|=n3(iQ}WC===T$dy|Wks2`P#-luC*3f=2HvbUSCsV7*KXlh7zp>vD1VqDz<=;$nxaFM(- z)|$kLF#JQtwu^MIaXLZ>3E_-5L^jI%v|FlHqX9%SkrlCKsf`OO0}3rHn-ziCq7y>s zVtjMNj6a;(a>?rzS{2zebU1h8oqfqb65QmpILn)hq3%;_+`5`9th>ohu!q^~+oUTa zK%ZQdi7?Hy8hJA-!CCHgVwj-{g2xSkcWjLH=X5+Tmb#McXR9_hWCcJVY*(yscq|l=j#6~f>pr% zz10mz&#vTLzl-!fL4XkZ1!Q_ z!M>C=H8&}1S+FXhF$02vbkea9`L18;otS zgJ8N<9B&omepV+ovwHCxe}DYxmw=bwl0IMpU;Wp!e|q~9{BNiqedt?HpZ@m8{!f4P z;L@7+Wh33uYUYf`R|Y?&%E@t4}bRg br+2i(j;vhIMSqfYnzwmz2Kou(!8~Ke`{1w+}Rft zw#yEJJ1N3WI@w7OMQ{htiXf;L+3=w5AnH8&^Dp@D<$-78dnaDv6vwOz)8x6d@WBQi zoV);(WpLuT2!_D~fW(+6`G8{kdDBq3DSo4lFN@x$7YE9)p0l8O$HMV`Q+$kp4e1ST!DzJ6B~|)~$K!pRX5F6>!2)QRS4+7 zwo?`#2YX&7p{7MaouTx>*caqRA|zI*^lq`=d)cPMW{#Rd$#^3=LdeiKo+TQl#HY0d z$#XCX%ta_Nk1pRc$8IBMt4Rg*<_1p?mshk%%XAv4x|Qx*ia+pC++lZS;WfKR z)>}t%!T{VCiz5}QyG`C%jR+8?r0&oqSEnnh$`pvKee1v&LW8cxy-fbwmW9nphG010 zwUjez0kRk#B8$nGXju3Sz4b~vhO>H-2WkY{E=|haNC|=st#$c8kEs5@A#StgUBu=> zf`V3U85ujBPSGIUBPKU(7TL~d|7+pY0+jDrombQ(g%uq{@T|Ztl zh|_5NICmI%6Aw&|l*?#WP+G2RDGfcU4Z7GfyfhVtplW%$-H;3+2VX1p>CJd#=5`8T z35lx|eWlf&&oe0!TeBh~Rny4rx-t>EiwcNlP2GSe1E1h0YKua++e?+C&Iu7tcbK8= z#sQ&88$>?tnn1KiSfroU1Tb8AK0td=%XS-Uye^M)p)JSbaA+O6n3mE2LzshD4VMAI zZ7~HMpkVxY1u0F`sRnXFdq zktZb;#LCo)_D&j2XhuUoFIXY zlsMQWoN{#NDnHMdS&S(K!VkVY^A_{;#T&(q_s-D2ZoYZmdOiK^#v6D4{&rrR1Ae^x z;xiYoK5^~#m7m{qC)rEkpWnZK;Zfk(uO2x6$475ni!K{)KNbD(&L^+F_V`WZ{Fj69 S`08!%VFiyb&tCa!dg~vH+W;H@ 
diff --git a/secrets/restic/jitsi/base-password.age b/secrets/restic/jitsi/base-password.age index ae8ba8aff1c5c49d52d2310fd387df536a73cba8..44d3dabae59df1fb59bfee4dbff4f25c7fd645ff 100644 GIT binary patch literal 1235 zcmZ9|?aR~z008g=F}lZ~FJTbsNbJRNZnt~e0w3CTx4YeKcYD3tEz$1wcH8c5yWQQh z?V<+)qa+MW$`ItCLbElz^ppVrDqqGlEf~AR>VD|E{=P&rduWcDgW1t1G zKeoNWW-qXyxl|%K3yenHq@g3(YzhNxNzWTNptYx3DXLj8iZl#&+VHum?H5{n&uBTS zF!HC9GSOlD3R(0LxGROibeP7PAkh|uoKnki!pN()2@}-ONnSx);*_Qa6tm72TDQpy=PKQr%)sb0`71dM|Bmy=_cn)h* zIXLukMNleh9ayOZO|UU()avR;P@9eH5XI2{Svit{xPPsbU{69Qln0}p46_Z*RQmK# zV+NKm^`cRV*S&HbYwM`wR1;%5<6@E-KoQ1pX}>iI4X><|vCG+dH~@wExMRXlL*pTS z`67)J^@syQ@uPK#+X>j z%gqtQkZhorpfobZ8l{3RrM3JVip+`4)^e=^*@9sKEh^P3E8V(hWF=0kQdnB;r)mww z5%8WRckqyNY2Tum3>7Bks;=2gmxyAVnUE4D;ju|549fHe?ilKJ9j;iXrVbti0lZu* z)w*IS1Ond6l)$dSFa=sp6+ulY_=BFu!(=`q$KqI4Yc^8zWyeAjEyk-8($pGxni~gj(q88k;5jXqwOZQxj*2f+qNtp)5~{tATCT-1IPn zt)c1oSp-k4@ULS_YPjw0z0{EfHT%f?kHE>V_8cM}exg%;Z`C3^c>l+ZVPTUz>eu;ng?YHR0*wt4_9z)A*MA*MFMacri!M zzq@b2+`K#Itvmqsf0uxKaBA>O>#Z~AfBA57@X22nFVow<7S2U0yEEK(Fmq#r&2M__l?)+2z3t!=2If7wYSFZ~j*OnBDmawC3`r)id|F+RWC&56r7#_Kw517Vj%D0J literal 1125 zcmZ9~`-|HI0KoAd#*h^~w%a)$+|CNZkXX~Em$cQnvq{q=y(Degq>nhgOVc!M)1*z( zJQ}8m3hG30r~5%1V~#nU+z&d%Q{nD(Cmv1?K@fzwp*ZJ;ird7;{orH%==}vB`0|xh zC88LzHS7=CJ>%}4rGjoO6xkED?N&r-KrkFjh1+~1p`^o@FnREN1z`3y7>d}H%R6`=~f`R73=~Oh^M!SAK!GdhbBYQvswcre_*=3lo;aJng z|I_+yH`0e-B&>Lt9QVTMj%LE0YCuAIiXf~ZUMK`LJZp<&Kiw#&3jI=6094-8TJ&_t zjH3a-G7uE4T5MEnxU^z05}Rj)nCxhtY!wO!$d%0`N&U}4Fd8gevx2PeT83mBK4F@K z!5gtmnnN5Nk4G!*OrnuN-J%!hhC?}_xL$S?tAqt$G};+NS;go=qKo@g6d;;VD(^x_ zgFvB{?|2(4QV`zoxiIf|4i>GrW+M;yjI9rts@ODDpiF6XxHk>!v8IPqyJEG9WXxjam+D7Zo+^mlU!nW~vDYp=Ck$ z6E;Y)K~Yc%s2mz9uFBIy3FCN+>v99ZZ$%xmBw(CXD)q#HF-!;u zkwfya-bRgJTP4B^6S~aTB$I{H0n>Gac6?wt*+!$7g`>JrsmHrONfVQ*kwTde6$j&j z7IUWyH7izSJH0H$P^F+r*UW6z%HvWxS*M9=l1OPAHKod=2k9^%s+KiPYdU9l`AWY? 
zX)@oG@SH^UkbEaTG+BbH#K}r6=!H@(N=h~`AOIv!z*2GnmtvsO#(66fbjo(aQwF(W zlFoINYd=OJVLX!wSh3!8Vj2Q*exL2cIA)mi` z|H<}a>r+qezHjm354Vd4X6mCKeRXQ-?^{0I2cOKn{-gdN_1Yr2G`Iil6L*Y0gztHC zeR=8h!ENWx-Q+x%N_mrw#%E!F#PB0gnBN1!==PegF{=l9N0bQhVJ?ok=mJJ diff --git a/secrets/restic/jitsi/base-repo.age b/secrets/restic/jitsi/base-repo.age index b8e765a..efc311d 100644 --- a/secrets/restic/jitsi/base-repo.age +++ b/secrets/restic/jitsi/base-repo.age 
@@ -1,17 +1,20 @@ age-encryption.org/v1 --> ssh-ed25519 iTd7eA ktPtHZZ/+e2knf7YT58/ejjo4yqOerXJQ14JfU9ILBQ -NUJFutka+8RGBXsW/gn+y2zS68D6yHJo8KqjLjwfDq4 --> piv-p256 ewCc3w A2IoLrli9N3qyiZvxKQLZg/LXIS2OqtoDKyeAbGPb+us -tmNIdJqzDAuNCQkl2Jq3u5amzYpfePJotzn2vzc/mAw --> piv-p256 6CL/Pw ArfivG/h3oKHEhIFlE073h1XppcVmWjsv3U+zB56j8Db -jxqzWk0I8/om/lrduJzTTL7rnNcX6nLFZLP56yVx1Uk --> ssh-ed25519 I2EdxQ Do2vvD+CNF7MDtZiYyIHILuGlGJWE7+cPKU+5qd0nBM -LdsMG37dzisNjfZ/Fduuckc0GC0jSfbD3rlmSUBKGi4 --> ssh-ed25519 J/iReg ulKX+/TFErYoLbdfUoqFDFw89yKCHTnJsvAVXoVN6EQ -3+9rqrAt1nqDrNJzAHU+NU/b+0sLJxTovSDa0tPBda0 --> ssh-ed25519 GNhSGw GevFYiD6G0GG+Vvnsbb7xZ5T+ysZwJ7ZRTDcjMCe500 -tsG1aNZdpxdnVhpbV9atHptidXZ8dvLI6ht7SlEWDT4 --> ssh-ed25519 eXMAtA 2Ebl9bg/Nt+m3M+TyoXIH43tfliZQ7kroGf2QOnyaVE -Zng4Ci0raemfl2xjK1dPd8uxlvX3Qd/ycI4f1DoJfiE ---- WNg4DqhbLUxAUSRgmbA2JrOhHKSUk09U7OQFN6g9mPg -Es {fKdr@qX \)H5e?LG)5_In=I=LHI)Y~FP^i5ޠ.#O&#v)(hA =_6'cGrXn \ No newline at end of file +-> ssh-ed25519 iTd7eA uRrBI9CzlE7xB9xZzh2tR9rhhcO8ECV0vcutdGUVxC8 +yap+Mg5Ym0Yo1H0+TKDaojKzmnoNofHqVrYK9gbkSyA +-> piv-p256 ewCc3w Ay7iGAUKVd0RFNHOkZ+SiBWBd1PIwCOVkcQ8EcLdfjcT +M+rII7rd/Nj+aE7NGNKM4zbEAkBpaWMwrSd3YDVCjPU +-> piv-p256 6CL/Pw A8UmdQQuWgttNdgGh08IF6AnNmbeK1KTqQ4ln1ER7xm8 +mTSK68h8V7vRoRMHAg4rC+V7oUXZ5IDjvjUW1jUIMl8 +-> ssh-ed25519 I2EdxQ rN6TtZQJJp5cQkE5ZMwWJs2+bWUSbEp38hlJZlzMUAo +a87eqROq47yNH6f7g+ZZ4THNgzvV5qqDoIkc9fik0wE +-> ssh-ed25519 J/iReg DhQaCrBS1lQGFOOnLg2rICE7uPw+9/nJV52Xu7EydQM +YN11U8v11KH8CjYjQv9EqphNlxCUohqn4IqUWRCechQ +-> ssh-ed25519 GNhSGw +CauAMGluNGn7ghPdeY/JgeTyWNIxITvL6daUdRw+hY +XgVJiyzDjltfSSdelUSoueHZASUHDEf3r0ch4tMLKj8 +-> ssh-ed25519 eXMAtA B4H6SVG3mYZZ+RrOXXo/DEB19XRWiGuHLb7mZ8ATghI +3puinvyt1PmZKZRHCFbQUxg1czzSLaKgfbIdUPOp/mk +-> ssh-ed25519 5hXocQ 4ag4hWaM6nah0wb7QhdyIQYvQ2Czp+AC0WYI//k6NHw +XXcsQk+CJYhhKu9JeNf9IXlh/pfUmF3LWpw2JGhUA14 +--- h6qtHaw3GwCzXMMRBBeq5nbhrCuCC2IloLHM/10OQaE +uQ:mw Is#u ;R{JN&m%d@ș gk` qhKϪ/Y/]܂&sF^K3sEn +d`sA+o5(~x1Bq-lChoAlbGtuIE~{F*drn)D%0 
zRmT(&+??W@>BiU#A2t;y=r)AmIdnQF>U@~o#x{p?QzuMh3WxZF^QHF}eBjHsp@TT+ zwFZ$p>NvgooPmz`C=}lq8xD;)(2^L2QZWM?sxlqR0+tH=E)VjupT%;DE;Z{Jzu4@y zJ&;8PmW4DqtqwP7R)&gESd&{-8OaNXQ}$%FJ)P(Up=p^QM^qF`*2nE4Hin0y^`GW; z{J5LM@E8b~)^re~9k?&|ffsqSM&cbp5XgE^Vz?yN(9$xGv2B5z0Lb0wAAygVvmNXOqGMFN?P_& zg0;Jn09$yWmhV&PTCG}uF^>^Q0SL{GOD@%NNT&q!813i%vM5ui-A@~)=r;OcI8tSw zL(MuTw{vb5sRxlMu|^Hj)P$4Ki9|G89jO-Ig;hD-$4FC`s2Q@(sv6AJSvI4i%y6m3 z7mQgxhyi~FE_TN)H60NwQ}EDac8rul6tpo`BKg*IuGma74Uwoi5L~hyQ8QE%PcsTy zw}M%+GS8}bT8mNl&h>oS(Wb({lx-srYGy05RRta2h!v+;;Nnxpm z8C9nx$AnQnn-oJ72g{fb>wHe`*_5R6Y@10-v_2#LQVBe*`&Vc3f>f#%#E`hBVt)uHN zP!C?aJbU@!d)Msv>Wf#^TX5l_S8m+DW5WlZJ@Mn`r*2(5oqBZgxt*WvnmfGf>_lzi z*q)UW<%2)D-yB$%+4S+dPfpzo9lLtZGUBxplk+Ry#>eBMb6cu=pE_`+dS~~ZLsO}J z@wtVy-+#36#Xqlq_Jp>3+v9wxbZ|ZK+x)j1ZeO?cSA@Lln!V>XKcL)Hc0QduE$m(& zS>(Bel?$gI*^W9B=b=078-8!!7LDFqb$Qd5lZ(80zsMZ_@W}C_XP>|7yY25Bd29c+ J$6`ck;a}TIySM-V literal 1125 zcmZ9}?Tgz40LO7AKHREv?2v(SLY<;$*K3kCO*8RE+oWleHcis!zzwfSnlx!1+B8o^ zRK$m!a_)R!4xcuh&p5fs&P}HxZgNhzp@<9)++Iv4GMIudHk{mic%}CjeE9x;GqMzw z3}Fyh!>(yengcoJf}!YC*tV6ZBtkF@qG1KL8*DmEgQ_eP8=0I07T`9C12nDJ7S&KP zY%_o@%4yZSfGW9u1`p|!qsDx{JPLSD(j$1*>B78%lJTk~r=X6=isd0W=mSt-|D#!5 zH)=s}GAwynA?}6KaIaO*=Qy3Rq{VkkQoR3Z>8l4LWE)v=P1rUkUv!UmUrK4Do&6_=h!pL5|uvU|rrSvczZtJyzP5Yo0_ZY$&QUo9+j-*nC*O@<9Q`!9@Y2>F#MkEEn0|8q%Ax7gZ?`U4 zvrAuF%S-1X95OzRJbHf9kzGH|Z&+S5aFTOu{`4Q`#$p>C-KR-szyBA8I zZP_@nRk=2Q^!D-F%2O-PT)ywji)YZ~{^_NMhWBid{)G1)o|@eE`JQd{+K%dCWv!m6LZ*ym;RW$*?6vfg(uG6bw8sV@66q_JB4gsU0nW(<3C>eye>Xqox| diff --git a/secrets/restic/livre/base-repo.age b/secrets/restic/livre/base-repo.age index 3fe67cd..39575ea 100644 --- a/secrets/restic/livre/base-repo.age +++ b/secrets/restic/livre/base-repo.age 
@@ -1,18 +1,20 @@ age-encryption.org/v1 --> ssh-ed25519 h5sWQA /nZh6IZdBtv3woGAynnhXZXtNfKDODEoYCpVmHHhmyg -/UN8RBQr+0Wu5rPzFosqsmmiAAj8Etqx4eyzhLzcQ5g --> piv-p256 ewCc3w A8r4CYBN30fKpvBBaWomaepl0fxZwpUajIh0+BAmwjko -P/qLiF22BlrNlkT2EsxXCBBh6al8OaTtL6IVHHmeemU --> piv-p256 6CL/Pw A9H4fgwM3EmBo50xdWhNuWOnJjFFMigtrBQ4a0Rvx8N4 -jes6k2hlyuX5Ech5qTiChseaVI3YIzXG3p3UpWHylB8 --> ssh-ed25519 I2EdxQ LPJmQ47OOrMu88w16HV3GsJTpTcoG1Ug27BRCMrWSCw -OLgC8l7K9qOV5QA27uzPFIgMd+Ho2L/WyIUYCZEam4w --> ssh-ed25519 J/iReg 911LIrz86R1AWVKra7YkM3YwWKSOgkNHtFAgDNRYWB0 -J6DWXqaDVN3Z1LVo7LgqpjjBVjR2L2P1TZULu1FMeo8 --> ssh-ed25519 GNhSGw MQk3YSEF9jJjgH0M49LhlJzvcqdbBU2aqVpnxeJeZ2A -c6xqYIkdFIAx/wqAEeIoR3GrHsmReSDbzt9jtRPKsMs --> ssh-ed25519 eXMAtA KvWo6kdZcf3pjDZXTPXhHsGPrzE+wVai15ZT7tjia1U -be3K3ljtE1l/AAQ79l6D50SRJvLmVsT5lfY901Zyej0 ---- zfk/PCQfQSmHRlvwG50i/sHtPD5MXBuFfIKmPH6sbiM -W1O2_ݲ# c\SX *Z}Y-Y'䷺3 " kcU;Vnřm(5ȓ - 0n%hZj9O;Ch6QcgoTfDc \ No newline at end of file +-> ssh-ed25519 h5sWQA UVA54f4ih1Y7DeHl8JaR5xx4aNZmYSWBH3rSDVx+V30 +9DkQJ8hh6vLIzHy1Jh7evdTC0IxJfZ8h5Dna95mhGdM +-> piv-p256 ewCc3w AnSKSHNZoIlAOaJ8yuHASConbMyE5Xe9pYBRZTH1Bmpp +tDvSbnzs1MmYGD2ADjrPcQ2/CnYbgFKAFgx+LCwSKwg +-> piv-p256 6CL/Pw Akuc2AE0t7UEi2cc7MKsELdEJI9j1HArytxKs8ALhhkF +CtYo5aBfkeUEdeB8WtD6+aJntmUOLgV3c0YqiIa7mqc +-> ssh-ed25519 I2EdxQ vHAuEyr61iU2FNZ0a7qoGxMrdwhTsxyJY5md5decugs +XeUhYGi/sPLQ1S60TL752+w0A4esESNwa9nb3dyy6T8 +-> ssh-ed25519 J/iReg ukrGz/sElgVRVYZezBP9zbK85owb+6SieNmx2+6LQUE +cal2YERpuidS4flDyOd0p/wendfr2RNPtTP9MXxAxtM +-> ssh-ed25519 GNhSGw BndztlGUOHgsxE5gpUZXjipFnKijFm9C6iu4MZGymFo +hD3xvuydadnbTClB/Oe48zyLXgk21fYdSPlLiZIG7TM +-> ssh-ed25519 eXMAtA dM6ndCAczkhAmvKTP/ZKPN8hvun6VQdzZbDfJ5VApWo +REcIqzrOHyO/Rloldxvxp2y1kTk/nKrD1WPDFrX78nw +-> ssh-ed25519 5hXocQ QW1soBQzuSD0UyTagoTswDdLi0Clw8YUV41wvGtIpDs +z4YXC79z4YoJrOq3HRISGWotcoq/6bR99dKd/PimHlQ +--- i2Rl65MgbXq5oGglcGefPDQ6yWdi6+Nl4/SYTCvYZq8 + zl[={ +:ȏ3@HcAhpgdߌ̲ptn#E:!dA'X?<ڶdl&ʂ ]+A9䗜hp. 5 ~b \ No newline at end of file 
diff --git a/secrets/restic/neo/base-password.age b/secrets/restic/neo/base-password.age index 15a51e346196b06bb16f1ae8ae3e33dd221c7b17..d445971964c11a0ed18bddff2e45f0411b666a52 100644 GIT binary patch literal 1235 zcmZ9~|H~5v90zbMshIjh6lOo93&ZM}dv4p^ZMTH*cDvo~xv$&p+nt%uecRn_yWMT~ zW!pvafT)OQNNO4cW<^Hi<8Kj4luDvdX&5N>Lr_T&k_lpAVNd;3&mZvN#pnHg%Z8rR z`|5Dw`j*q5c7_HJrenz$3kd@+=)Jl8;GtJ-5jVpB+m?TY*4oY$W*#f z#E)tST5S2SPVqJ&Sx(Fr0?6tN{CXn{ve~>ck!cq7IH{wNRRaf`eiQ^c?pFdN^^fLS zVbaaO*|I4>7NY@v!SYNb?Sot$Ndvu74nx|t zs6QTe)1cYoEE8?w7Fw+GBMoL!v3lU=sukNXd6{eu(Jv-FchCa zX)Y%*ER6ZMUL?4LR|kVg5Mx$5gLa^1zfxc)qM>O01m7@91**XiXb;fy$SBO=5X+zl zv{)lpQy@n1uokt{LKiNkU}r`k&7u%>Rbn)Za)w8?D|va`8ic*nFlwqXk5;uo5$*x@ zKwii|0lGrRQ*0Td>Rr)e)24%Sq)cPl@ZW{}caM6DL47oCharWKa$zXgsrrmu){uf= z6RCDc5kbTd-Uucc(8Wo$V#I=mTj{zu16mCrg0Vpf)KJDrgF`Yj8Banw6%7CjRh1x+ z#lOL3%TX(FC6mDqcRgfE{Vq0wZ1xdbH(`4mGaN?uuu>K0DZwU$J$`@>5rzzPU*`{NDNvTTkDz zkDppy+Ijf})4yJPXW5qre!K7h{?x~xU*4oX@@ZnT_~VuO-ty6dHxe5!-g*9v^;~Mr JuGe=Q`x_brx2^yH literal 1125 zcmZ9|`-|HI0KoC#4p{Mt)7#O%etgVn_efkqiNdok$2LjSKK6Nb7`71$)#!1 zbPg29ft)CeLt$(pGQ`t$J|@Q@+=lmq3~}njos*&Lhs`IBF&{rD8_plSzu?37D{E>@ zwHj{dc)D%vvRw`I8dvjh8~3D0M=r<% zEQgshg3%WYMKb*^SFFj^Vx|Oj*n%)A&tf8jXCUf-7MdkN_Ldc|YLpk38U+FECyY8Y zs0T!mtFvTN(p5TF;;XaiL3&`Dj1dw0a1JfZwc3hJ*@x20)2jg6UL% z9;I#62)ZQ@L9`;52)3ql(@=u9`ZKmerP@Fr!LzDM1XVZKsHrt7<7J{2WhSgZlU>uL?LmnNlCvg* zqdLbiqLS)@j+yFWWw{I>xd__{LdirGPnoPRoK>BxxU@Djem-9=<;2*D@ ze{b{d&$o>g;RpA8{LIwOlb3_T#&35nZk3Ox%nSbUvFDJimrv((ms=W=MsJM zuk7`^A3hvTY?`vYpfTA$^};>s!LPCh_emG#U)#I5-&d!#=Qrl|rfBnRnKSv&T^TW*8tB;xeOXAwXzXc+e0RR91 
diff --git a/secrets/restic/neo/base-repo.age b/secrets/restic/neo/base-repo.age index c17d4f116e0d38d359c0138d775824dae2150540..ef64cac96c32bd875aa15a38162c0159ad7a27c8 100644 GIT binary patch literal 1077 zcmZ9|Nvq=o0KjoU1t%h2^f0#^gh67>(yW3@nx;vbCQZ{UO>_=TlO}DGW^1zzB96#A zISeR+7eRzkQ3Sm_KY$1WgW}!O;6X)rjEV=J7ssRT6a4=CmtoKg_N$`J4x4oUd|HHX zg#x{oz_N^bfsYXc%7CztwLuLU!?8c|Av)aH-L^02a7x1B5Em8a$hRS?Z}FjIO|5xX zuYhBpfH#KAP^~x5s&&2eGF`yz?J6&P(F*4)%@rmKnK{hq|FmpV^)ieg!Jy_={TgKH zvX4|wvA45aV!1St=Xsnd3`;SgiWl1vI!2-a!8KmH2ZmnUk2dl~2~1SC5k@uRev*cX zHf9Y+&Pi52LUe4x9E|+WBDo2yJ+Pv3T`r-7M^G9z5j;M z44NGJK-#ye6=ylxE?ajD!;mgEYZ6qf+5x|dbehEdR4O`|&BBWpC5-o*8Q7$3$`d}* zxYC^0P&pfQOa8zqr4q-mtC8ZCsCJeELv{!xT1iB;UrFr2iHL?k#=&wdE8>xs78+&1 zo*=*^!{U30zo?DjjUI&H?8qM{%RV~I>wp&Ae7T@^`^xP)#vhM^!(_N-OO0qSgEN7F zG=*ZlQ4K^KcqnI^DNEaa#7NjEEGUv<52FU^{E>~O7d1hR=0XjU44%V&!Wq?Sn&U{w z$-9AN>Zrm=m@`vT%A68iwdRdJ4Qx!!vgf54Cz@MirJtzouB-Ke$C)(9DOQne6w+`B zS>hM9V4<)F7Nn0#WLYE1^!!n?(*0vHBordHh8BcGIK?jxU8PVh1Z@!@8dS98BA$hF z0xF};j%(eST?U!0$m)(>uc{p^h!09)^P)yXi*z*uL+Cgqct{qP+3ehPnU=?6d^pijg+L9BTj3z`Z*05P1`^Q|R0&1~tCr&+@*la^OK(E&W zl_|PFs=?kV-EO|1*}5f7bK*hf*51`>H7kyB$=Ap*h-SbY_p3*4e*F~t@^`mS?k2bY zx_9-A6_)s8=Z>$6wyo);$%>(`3QFJ>S8`egm_4e6PimoL4SzfiyP Y=oe>yzcF5xr{K1|_sXp&u*cPZ0bvko$^ZZW literal 967 zcmZ9|Nz2>>0DxhTN+F&^qz6Stq?HnFI>^#1S?NOu80g>V zRn@NVxd@KKR1X^EN3ZD}0TYLH~f&dFp=;D>E>jDd2u zP`Yp(#YtimpihT#vf`5xV<3G4byAIrX#!$FwoCZ47bS#uTeU}5VgtdFwcjgXCP}LV z-8(vxEJ_&W3e5F7gPhx@uQVQdRL<dPM@OU|y1&4G- zES$5N3Sr~IBJd6(`4TI8>P+1H}54>SZR!FQd z1}p8!Dx`)Sh_<-NFpOtI=>&43c1iP~aaJ46cKWF45rb)I70zUodTUB-h&AuQ?RXe6 zzF%97fmJBDBqL%t3>*OFu!*@0QV3IrV=`YwslFjP4VQE3C7fE}JJcCH}_Rx)|TXE3<{eHhEY*|E+>A|43Hp&=L+8Qe66k#u|b$zH}(l$9x zK7gPm4uJf__M2NTJs3NWpW=eq*BAP?t@oeD&tLrH?>B#r=ij~Y@>TBHx8#Sy`MKEBj!KYRO9{oB*GKKT6?`SZJ9T)+P4kCU4tadqw0?;k$5fBn(F3=vA= 
diff --git a/secrets/restic/redite/base-password.age b/secrets/restic/redite/base-password.age index b83837c2ca405db6804a67e7b8936df2aa01cfac..35d1b35d48d278ce5903264e0dd3cf58e36ba588 100644 GIT binary patch literal 1235 zcmZ9}+pp6E0LO8XV@}BQ7(frA4>E{ipp33v*RB$XTi4y%ZtJ@477j_b-q&_(*L7<# zA&44HOeA;-4+@b)iJHje7&KAhgDBz!6NouL0w#haM8#u_NWcWqCp~|`C*R*sP^5@t zbsWF%YCUU1&rv`R3Pm=D2Lm-CiEum);bFCEn1y6`0O-tk9PPJ#O+;G$V60jYCg`>> zL{yqelQk&-HO&bK7zs52aLgw21ZM@V!qs4m&o%9SBG6>WH`S;LTY^18GIcaJ_($t& zUZfAl(XcckIUTghIi(bK(5 zDXz&zDU0V*)l`>(WmZ)vs~AlcOcbc4bHxl;;3(vO7D~`y`Hp2&H3F!JgpBqC)DqLJ zegPWw$h2bjhXCmetQZA39W3nz{g72^CsIbA(c?in(5nJMx6^jf;~j^HTZGa~-0^U% z!2{#w!WHu{DUR82!R$BvK-J<{JVvuz8}o`XYL#Th&Ik@SCWQ}+S&lM_ ze!e4TJcdnWRo;Z)W=4Y0vYf)`Ml_@k6;ntL85{6&itN-oMO#O!W{Y=9gHarGl`@qa zm}N>+qYK-zMU~5r!fYV`D4*oiEZi|_Y0<)gR)f`gF0Q(bAmsrB1d0u`Nd~lqEOT%PTF79Jywk>bKffGbwiOzB<%AAIY!b{weENIAXRSCGLrXn zMaMxL%gc17G-&w%EmXurX!ma`w(NXY`1{h@bOa8pZ9?;XE-9lx^t@W$i) z^#>l@oX$USnHcozD7(KjF7fRl?!XXEm#3bXzGxnq|n zL*IRF(;v4_{-zb@JHm>qlNHS$htxd-C|)z9rwU-|^8Y;g^TED=RlW QA@76sA77S#`<0o$0nVSflmGw# literal 1125 zcmZ9|>yOg}008hD5;O}Uhv1n=WJma5GH2Iz?KY#Fy>9Kcw(Dcvx>l5Qx31mRtzFk! zAAy7*5eP965_}O(E}BRHUkQnd(O`TWfuIru^aJKVM365kK|dJr@zMJWe#uYOwYb)s zasu0JS-nRrM+b&rB)&d67#MM_0U-#Oi5jBWEn-oZ7}!O@6+<=%)pVFtLMNsPg6)8W zpmX%F>ZVl{&Gz~1AYveV-ZDyp)0s-?3DOLPRXdLx|F=+_2DpDM1W>?|G^D&5UlW8u8Ho`< zo{?L)>eKSD)X*%+&&9fmRxd`NCf#J{3~PXtESI~@p2#W8G%vC#wZ*X&E@6h$>)ynyl!4 zA#5^kNh1Z>tl-6JUcyP3P0FxMnI@$IovgJ`D*`P+)1xRWXEblRRxkBETTC!yr-XV^ zjA-+YDU>)Mn3fcgmhgNf5vgH80clMF4J;6AW+T>i+_IJ_Y+K^~Aq!$~>mF%p~C7@1K3)6kqwjajH^H3oCBXrm5syqD2()i&O?i&L_$^8qHw ztb+-~CN2des;D#qG>CL0Yqo7M$bvyH%(vSK#qa5G6IZ%mZxZe%IT}kq0}Gw1+d(=K zkH@2FO4R#R-=KuH%)oF8uBTD5=Qg~y?`q{{nPSVh;HCXE(~10Co4xe6;?ABX@7(;! 
z;T3-#ef3u6;+i?)%DUdnp^MkXx7){e{dV`}HS1=cy14_}zGC-Jmv6uR?qB;}c=_mC ziDgUDUyq!h*}3Cn&iT<)?mhE`@cz-uPo&uAM^I$#*+&l`D^JBH9(d!xqT1!FcZ{N2 z8lQePa{bL$uF{X6AHD8w`tl%ikX^j|3^a4!5AQ7c{nEC1ec8kx@~yeq&!PFfyTapR zOTXVUTX=8&^xmysJxTm}Zf4clwd?Va{9yITZA*q5znwd|Z)WM06Bc*jF8S2K7r`4l zllhI`#Pm(#(;tuBym6>AatwU!mklc)yf8X;c>nEZ#y`Ag@&0qG!IzE!-97e4tF~y5 m?ViYDymMrH!}7!N6P3NsJ`BO%9Z4*D2*1WX_x4uq{(k@zkC})7 
diff --git a/secrets/restic/redite/base-repo.age b/secrets/restic/redite/base-repo.age index 2f4c34137b063b14abb4f118ea92600532f08dd9..2f072c69d677f292f8e58b7eff3948e3416b4d6a 100644 GIT binary patch literal 1083 zcmZ9~%ZuCu0LSrzw?Xy~=*8%1C5(B$5QRJ@ubD|EnPl@ogiMl2GRY*fNoF!LSWm4U zJn60MLA;4lJSc*7Es7S36hu%_p(m}6gGjAKuoSJHbpL`6zaQTqiTiOG*1J`kRpk>^ zoj@C;*MAylnzSEBC_x|$kXpr3WdYY08e}hvImk@#bnml}zXm0$(UI5-y&8mvj#Up8 znn2i|H?B;ql}#?5@AEM_Y~-*)xRjU}dOMFb9NffUIe;j-$p6t+*`~ij2@;4qKEyhJ zt!2zQE*el~Aq91FlY$~C<{V0sv?vYPidqL*Q;;bsf<2<%$4(Y!Y?3Tnoh4EeD<`m@ z@m@mKFs-ppFwW=GJ>S~@vq*jfO&(aS>(kL*btx;f15{3k}Xd+ zv2iUJ`fjn(cxaI5J8xd7fuQEY(zdDX20~f72fG%s-l7hTq^vbJ%?(@boUypCIYn3x zMSlftM}nDmED@g7R46m!1Xx$g>%3a6xlX< zlge}k2F;j(u`UrUgi(aVr+zf|#H7=PTII~_GAoQ($ez_CEuBgopihT01xLuBBzcM( zkkmHJq^gBI@5q`lmSzP^t>7Rx6uaJba-0(zrHt1o5jtfu&>9BrysBoR1bo2Ip-yxd zlI707h5Wb2*d4Pi3#^kSSW@Q3)l9Kl?;Km-%{;suur@A9?E=k?V0Pff=?H;)OaDkz zEW?u+Xxu@{N*$ZkR;9L%$InN!GMi1ek$03bjAxwPMx<^P8h}6*JA~)UX39;ia)OD$ zd@xtD+ULTyHaeQd&BWL-#skOefRK(2M=9fpa1FSA71rY)s;BR8#`%5pA*Y4i@_L0L+U*Em)HwaXC6aWAK literal 973 zcmZ9J&CA<#0LMMZke-|eF9RvNNvwHkk|r1Bm$Z3%@}8z`dYNtB+q^z$o22MThCD|P zPTWC3#!wjQPCHByr-)7v^rC_%6*mt~1bG-J;xkYB`~{!y=kr~Je$UU`!?xJOdG>UE z7{WWW(|e{{RZ-9PFoHnoZZu9(33P*+HxMD(QYK>?rEDOQ>sr}@JS<%gaTrsC=0k-@ zrc&f|bVpKbqULNb-(nSpqPiBO)L~)>EQ;?jSphNLPyJS@@CURa-t`KMAiI9ey8XHf z3VTw(xFgT&lG`mAk^)VROx=D{gqc2-##JWz!J!J$OzKcXGgNC6q(0E;flTu)#Cnxh zkaDy%X4rfrkB50{6`TbA$0Au7)=yYT&H|Z|XNb2PQs~^rC#fclb>l*feBY7!08t-INec1+eB3|UZYt8&!#E0o(WLREE7R}`_4*BISM=0J{J4NotqS&Kd`hjBqJ0ob*l)5KbZ|JFdwc-D{20ZoC>EKS<_%Xeic(}WOQpeJ*tDBwYRBSKv+S9% z$0W-NmdI(EKU2U4bkV4S@ktpiFuzfh$VNP}l+6JeWbCZZlg(Dk@l--Z+crA=2!=$9 zX2(&6YH=ZK@fB8XwpQSCtaA{oh!bcY8>Wkp5*|m4io4+hRd*j=8j_$BmA0^IS z`1&E}!uL17dE)gepMP=p-m~Xlehoc$ ssh-ed25519 qeMkwQ rHm8PBJzgu5JUR8LDwtfYKC1G9nNTp/RDhBwcE3gpX4 -bffg24UPtdd592oqZmRE5vBeLOawd06Ly1oQpPFWV54 --> piv-p256 ewCc3w AqnnaM/0jDUtsn5Pd2kOwNYccVX3qwh/fC9c2Xkn9oM6 -RZcY6yFcGTR5OkUFJ7NXHNZkfP2gHwixfR2jD8j6F7U --> piv-p256 6CL/Pw 
A/wYBpm+pSebrFJQaHAi6s160F6q66ZqNv4U0CPF/rqm -uyfoXqTdchDgdWLTtxiyr2GT9coVTcY0TodoPAXtOEY --> ssh-ed25519 I2EdxQ a0dWSVEUmhLbJ2kfXjvjDvRMtuCtRktm2m1pbTQpgzE -M3EgtQZw7Nyg/KfuD8R+Txji3PO/vQA2EtnXe25sHKw --> ssh-ed25519 J/iReg eoIguFRQZYm6dEUzz+BhblhT+e/auOZD8Sia/h6/yw8 -SFPkrWh++D7drO68mYpTSdYuarXtxuba4/ExYyjTcJw --> ssh-ed25519 GNhSGw +WPoU/HXAEyMS6IfdjhwX/GvoQMLxRyNKkpeN3tgu2U -gWP4dU+yBPsc01w4ORdjelYZGm8yQ9ad+4odR8zv7Cc --> ssh-ed25519 eXMAtA geKWTCA1dU7CyiQFpuILO0zuppQLpgL9ckTuj3f2IUc -3z/xc0qlMttG/bMY7C+W3cEB1AQCkunbTExhU0V4QFA ---- oBKJY7LxTDs/My0AHe1ctI8ZXl0ns/AoCdCpEJq3/aU -<:*oS[nl L2$77yB;a/roTT"}B -0>jDL~Ā5(a(UvRrqCԹ5Z(Xs=2ۏ"i(Ju{\W /Nݯ/{{igǛ7Fg[ Pv#)ɔzQu\ 47w3zcÝrRQ' -v6VUƣ1[3- \ No newline at end of file +-> ssh-ed25519 qeMkwQ lhh6bd23FH3Hn404o9sJl+KImq+RXNRZFqPKJcZQ7GI +S2BQK34VYZGSSeKOqelBfcKxB0HbxK9ewRexg/PE36M +-> piv-p256 ewCc3w Am4uoXzdmiXDC+qZJVVZNc/FrN59U33cUi2D9+9mAI79 +oFKbEIomM3OfoPDIqRI8I1tAfN4bgfQOMgoZJp2OZvg +-> piv-p256 6CL/Pw AnSOSCc21ekFkc5p7W8fBOciNqfBn+wbn5KHVndgNjdV +EWq20DFhf9b1Cf7ARSSMrndiMcE3DinSNfeR5Uu+KLY +-> ssh-ed25519 I2EdxQ jrt85s0g6aCA/gs+UCzcV7Pkt703Fs145MPfus8P7Cg +GmBwegl6mmT1WOSMVzpH+V0mXPdW0aC76SSVPGGHBIk +-> ssh-ed25519 J/iReg 7Z2Ttvl8MDnwELutnNJUtMSe+DK7VhrDEtwmBTaI72M +PPEXp8cT0MfViIxP6TZX4NaIbU/cncfmRVx+/gP2ztg +-> ssh-ed25519 GNhSGw ET5WTttkMHIjv3P3c/PFDv0GJyf8SjanS3hLHsu9QVM +6FolJs4qL+NPlTRQzSJXt6PucFfZBAWqa32tD627IuY +-> ssh-ed25519 eXMAtA lMbetQOb1LaoGTgTOyM5VBiOZkKY9VI2roJVkTxwXSc +G07M8nFdtHrSHSBMBWDFPcGbBEVn1qWO8xHIV38YBXs +-> ssh-ed25519 5hXocQ SrxklvHG54MV6CbAvAiW28oTkj4XZmeAWipOwtvz6Gs +XdO/tq4NzjOg6GJ8nzKzxY1SvCbFxpfVtOs6hrXexuo +--- 12HUkojZ27/Vd1c/fWLlS6dS2uljdEMAt5tf9KfpRwg +QFW7@r(UXCGUWK6伯YL40.Gb%#vg3RYtSCoIRJʡH~FC/|%/i+CAG|/N6 +2ddK.+Ã{lؙýxSI6xs +cKdxl)Is/`Pl;@zE{==K?;?4_4sZ Ǻ^7$tjCFt1,-/A *;~A|n] |p \ No newline at end of file 
diff --git a/secrets/restic/two/base-repo.age b/secrets/restic/two/base-repo.age index b45143f46d0ad140ab742aab87bf661e35b5a0a3..e010244078930e25bfdb244b9fcfacc05083c5d7 100644 GIT binary patch literal 1077 zcmZ9|%gfsY008h^zJpOj!3VNS55mCGC25m3LHHzT(k5-vBu&yZ!GU?dA5GGxi4Fu2 zym*)|R1`s{hoP{Gh{D)OJnU2SG-0rl*D>(w!N<|>FZjXF^xc7**=1YQVV+&iOCLPI zz~Ho3Rl&e@hA0Z-y`9U)jnq>;jbX{M3sw4v&|#~3B~*?m))EQ~^$;&yE~hCMi|7Ud zrdA*t2WUH1*5skYOfqRJO@Vho-RdhyY&ve28wd?$0`i|$goi;fM8`e1ncAbKM`ZJ4 zB-l_j=QTP+Fym+$DJy!)aA*w`h0$q&G5fhgU^)j(qiDHW(d~xWb9IGy&145|Qe@SE z>!Jb;6I|-X1VN|@wEt&~ryMB$Ywb1=S+X>U9j)Bz3Zl(2&M5bADTB^vI*)5NT(EE~ zI8Y8)%-+VTNP_#axiTVu=}a(uHKFm;4)OzCj1w+R;0fWS{P{(8NIOTV*T`#h#>K~Y z*9Od5PZ$*TLb`^*VyTEE7x;5DLK9Do(;Vmuq@WZ~)vAbLXtA7sz8)No=9fYOZ^!KE;RI(AU;#AjJTkU_0_qA$`I0 z+%SoDF2zKNjnxu{w9cZB@8^^jBVCZu=QT9g=C;&J7L;VmAv6LFBTSm*L1`n9_4=-p zj69y)aC~DIvV=xH1b7|EuQRSg?Z^@LB<84;W>FPirt2}r(vIXIG#3|+Hf?~xV9XY}5&i5bv zbn*1>YZrbvdy{#1v;T|o`#Ya~`u0`j-H(B5CtqB@M16Pv)+ZlazIFfUlfQm@eSiJe YFaLP&ts5_VMPI#m=e5tn=T0vD1JP=2l>h($ literal 967 zcmZ9|%j?^8008ib;vx7z5YfXR@Vkhi=Fui?mfuT^_rZT!5>=gqq8Sv_g5RxC zt^gRL(spC7Eko!gisdc`Z!-XEB0`>;GEBUN@X-M6*)u_avWJ(oJH}7~CfE4j=8zM8DW0 z#GVRm5?NZJq|VyeaS!l?;qKSsFjkHgzjj$m23R2Fi>Ma%5)^i47bnzc-OSNLPRtmw zXXv3Z+*f=GcckDCcn<0cPBlFu-H);`o*KMOAerlmMJh)OF)qVIQN1}nC;_H+DI1E# zGL3pkWTN=MwfoIB{wTZj7d%>Ou90h(OGRg4b5?l5_s#b;-+w!0C2$a zWS_7uj&UKg3bvk#V>ehQ3x(Ix;~asF+jV+ zuM0gjv{%d~Hrmocp1S7!b@Og>OZ(xC;w1aUcz@!(q(6K5?e$L|-23|7@9)-6TzZ9i zk9zIpkM93?{+-)j{rw4lr}O3?_rE#1aD3zF@{3PDd2}VZa&qs&Pj5f-@yWy8wJ!$e zp1XSP=FjQp+2fa;t7ZP^^v~b5UvHl$A9=rhdE@lX?u8Gy4?nwfeKcU6k8XYU)?@zw DQBzLm 
diff --git a/secrets/restic/vaultwarden/base-password.age b/secrets/restic/vaultwarden/base-password.age index 927f9b1b76cdb37fc6165e9481fe6965b022e450..e2d9fc1aa4e6db2e54992f8785775cadcbaafc2b 100644 GIT binary patch literal 1235 zcmZ9}{mT;t0Kjoj%34o`gpl@>vrvjL@3!4;cZ%A*ZFkRhx7~Kzy_m+H+wFGS?ryu+ z-67@=X;CIch*msQiYUetLPh;3Sy2knFGXf#q)=i-_F&ly)zgnXf58X7-?px$HA{7( zk!RS}Cfm`0Ad^UMOS*0^t#z{bdomL^6jE85uH&qv_<$ZjjdHDCC{H+00COl?=|QqFitYcjkrAXv z**u)oLPE`jNlbUWfUM+aU7)E10z}gm%JH0TAuW1F0(4Lv!zgaZaa$QC7=#jIHA{yn zB_;SGm7)nzap8(5T1^o%iIiJ#9K$c65%oU{CMrN}(E>W$$Yi^IgnPXijlgt-WmL!q z$68S6)3OkgjssL9k44~w7Iq;Cjd}!m5Emxk5|!Kvc??I_}bn zOqS|Q_#~R`E4rrlSve~DVL3l$Bhf9#)s{FO)@O@llGN(#*sOIjY{IHA!=~wnIyz`^ zW~+gb-6qGH1%-!eniO|swwFOhg4}1JrP>T&)HOXB8*k^Cu%W)bHp&$b(;te1F&we5mZNIPK8K~nKW8eb`T~EDIO6MUSgTv5Z8)s zqhMJ?GiETA^w^P-7o>vPvTSW}(Nay5Sj@wcB#I9Uep`?@wq25#42lUsoEtznv?2}^ zG>dq!9h4{zv-reVDUS`4SJZZaGYN*~fd)5Z2Pq`xacN@81VO8i20^X>F4giq$yWJf zJ`)LpA<2g0SeAQ3RE&ppDdmeSpgD_mX5CN#t1SuW(|m$$>NW{5UL*}tI;V_)vQGy> zYNkDbWV=Il!YHwgAAb=cV>AN_4AU1`Jl|8 zb(D1z)919Q$6i>q^5`{WYkTLy)~hT2n7lF>PyYh%xNi&e#07t0_3WN~YWu4nk6zqg zdS?E{17~-i`s{S=`0)+vPU_{y!#BOXo7H#CoxzEXx1SE~dB1T&xa-QDg80UI;nl(B zQ|GrY=(|4OkKMacn_9k0Jh}JVpO){q^!3@7FaNWB(~&m6a(r{$fy%A)vwIkP+FADc z$FFTDeG#m=&0mjQSIrmcV^i;;$3Dc?UHf~PIQP!s6I<5SzSMtx$-d(zw6OZYYlqfe zJvhHFb9C8-`KEf{{3DmeRde;Lo4%R8{_vy2yEisB+?cz+xbg5uAAI^`bng1aGl!yu z=fzC%t;*BemM2zQz2Bev+1!gflzF>-=C50R_~g6Mnk!GuT}pp%YX^T@k@<7C*!UMH CJhp29 literal 1125 zcmZ9|*>Bqf0D$ogq@hJj8a!-6;>ZKXP)O~>M-pwV>e!BJ$BCW8iDRHBhaD$z?D$BW zcoNdYxpreh9Mi@aoshWtKp%=2FxaX|eF2HFqf7`y2SaFk=n$Y)+eAxwq<_Ir-&d~7 zL0PX_gO1ZM^dZBl1HF(hIO4Z$H7M7@2oj3<^Jbr8UBBJ*SUyBX70W^62$5`w1%`)- zw8m8P{bXM?9hblpNL+<%A5*go%5Dot0klL&BI@;Kf`PjY-1a=htY|`|DoU~xGdjk9 zTBp$qcESkimtDLHxqhsvfvLR5VXRxIqcUT|Q96y+w7B7bP^N2yB)%!+TCu2=uzjV3 z9*CDpm|aVj8iWMIBpr0}<&r9jKp%>v(+UzH%N>m@2>-KCoCWwbtHZWrE}BiMjN@r7 z1=NKBT9ElJ9Egd%l*x4&V1R~dCP;>Typ?DubTy;5dp00IQJ$7lHraAu-PR;nkqsx_ 
zaybf@is1T-beOF5Gkz~+ijYvDgj^tGvAUg4hctn!6#6~4K~_P$==B^F?o%bGl0Y0=#(_du4nL=5N`P@l#E3L0!5n$oa*Ef0s%zeK?sJUK$=Q)+?)|e zsr>>=W7YKt}FV&ql}umjh}l1qCYE*qF((RV;7T?SX?EL{5~sHd+!gzO|MB zot43eY9?uf!7wf7lBG1v2$1Pwq-JXzE)DF0qGRhdSxjLL=EuxlyI3>?$U<16n^!aj zun3(ghmj7)6M~l;tHKqDl1;JXi>EB2iJ(Zap<6Xf>K60KbdK-1{XFQ>fovp~s==-* z6cA*sEg1A;dZfW}$e81hlrDt5sLF?GaTG4QF`J1qG(9NGL;*Ll2JM^Je>^_4viI1g zPwr^3joGJ1&nv^PE`)1i@7{>qyT5T|Qkj2f;C<=~^QXTChxe&mbImtULP zquhOadTV9cxc&pTT;2HV)S>gc_E8UmcWz5gy~r&cFdn>&Uum6s{NlB} z(%C$*{K1kn`S5dV z2fT5R6pti6ylX>!YVq?WW#r}@_4^;U#=l)nK?~PLFI_+SY2NHgPwdY99A8)+dTQ_2 zGaGlFJbusj_oHW?7q&k0&kQ#Fq%wYLSMj%77moIj5&M_PW1C-EeWUTRe|FRDt2ais nyC zR1iGPhw)?JK@dbQo;E@B;to4Z=1GwaFHVFV)Polp>dATZ=U?#peBMW!^>Cd9<)PTe zd3GT$H&BE0hA;H1DjKd==xBt{{RQY|O50!P^J$VMOhUx#m=Ww4o{lZCl0z5C)7H;7 z!d_T-JEF+co{fV6p4SR|q?f+YkfA~sS|W2?H=c!|foQEkZ%D9rh~>Xp5jVpE9TEL? z%LQ25XW}$P4r-2Q9WI+&G)A(4IaSwNg4RaZ2Dp1*?jn?Ig&6Kd4XG(?0q_FJSPsG2 zW`fxTLTdt*&0B0H8YZ83w$j4Ee=LGiApL=r&nQH7alF|0unww5Ynzz>lcqCOeVU-H zP#O5bMn9^kvNvMAe2L9Po2AFa*uXT`S9NI%xzNBxG3)r)COtFuMWVt_SCmkG)fs&V zGiHn9aTq(=xF)JZ9(4YEH`+74z*I;w)=hmurHd-wO1%W8;ZTVfX>8*(t%!)hnu{{S zIXd?0Dg*c`%}TUZCj@m`lcCsLZ~DMum0Wg|k-RF$PQ@P6cHQrSv}c(PLovl58b=BKR3d+ag4 zFoOvYygBl}l50n0_Dmnmozl}>7{pZ6O{rWKgw=$VFt*79%%%9$8gLCLRBy8E6#-Qe zyEtk%DMb=l^0slV()J1&Dde1~Ct>ZcTb82p8FTvED01?^=!0|=1m+Q0ivzH>)8k`{ zl6*}ilIemSsBuyQ6F^f7PL@W`*>Z@5tSUCGsg=0wpokY|dL}1=Aa)4Ugvky^$T{F? 
zsW%)B`y9G2SFVo|*rpkEWR9ejws&MHldKZ5?dZY23FT-;2bR5epT08qup#hE-#z>1 zE7#ATKU~LdhZw!Ndgsmhr-(-)8GQdk_VANK^0z;}ITL>J+Am++y?3LtZr0s z=5Kw}Jb&@R*s!b3i__h|junR}Pxm#@9_4D!U^@1Ok#6?t)P literal 983 zcmZY6%d6vL0LEc&!#EjGaG|3cGaHpDHTO#u4yNfPX_6*s(~~BG(0;kLNt(1xzO)Jh z2NVTC@UjryxNtEz2rd*iu3R{R2XQG5f(nAe2p$Fo)Q#iP<6rRbd*4~;H~kE(clkD6 zWlyixAyyGc^8np!qNeYW3`4X~tEhDqqKuJdEzVeUt?iy7icKa>_#{zARh5sX8Z^aG zSDn%>+a@(cNE<5Mm;5f2$Gtt2!fiJkYQkY*hb3Mz^HJVfE;&=SXz;I=$5k^Y85Z@S z2q=gOYjNp^!pf?Nb#GVWSWg=(f!|nGG>O%_e7Vwin1hZP1 zSkAB=Zp?28Y9=7w!ofO#gAth>b^xZBIAD3Tmne~kV{+p3fYTjED%CFV(<{nk*Q-r5 zDA#Vb(Mx8^Zxbt7jkG)zTs~=&b8BTSGt(~=y{0#vNJDCj<~FeeCuxU}vU1+a9c@|_ zo@;?ZBXwX}t5!)>hMxaV8({Is577vC^&T>RbA?ZS}2r0AZ;A+MY{zpTUlvjT1S}8yW9pyGsY7DMe7>L z?WQCU>&dLIo!0!RCTs`LoffC zUzcxOdhX19PrP^X*e9hcp8wz^Kf0jZzWN}1c=79}!EZNTd-l?c_-9w{x_Rp>^RKgK zo5_b)|2TK|j|b$N@08ZN@$ikef~S6Z^6mc7H|4cQp1(kSd+pUPUi$dpg)7Ieoc!_w Zot&9I`oPtn?|q-T_>lC><6mFg{{y-KOdtm39)1(m>VdwKnx6<5`%%6#1FJHLj*03s*oBr zIFdmoP$89EVk#m{trJkR^l&{ng&-gUth_je8VWHBB6ws2O2jrONCu%0Nu)@uBrGCK zB8MwehCfLcXHI@QKzTT56h^bAVJQrPfen)ZY(fzchEZGeLaiV@_#4ca-LSi0I}&X ziUJqNAlV=U0bd^mCgX7m6&FX+=tx>5OM}xOm~=b>2WRjBd>cc9;Hkr@cvv8Xgb8Iz z$c8w!lug1ijbgsu92;h~VPpib+AISE2M2>vxM@<0E;*HomoT_`B~qldn&XrPqe;#t zvdnU=4QYhIs7e!th6QxpV}*!%?Jp|_L&iIoB?~X+_Sf7$r28J}S6j4v>+>nb+fL{3 z-UZlrnS1T+@6=20a?j3nv&R{n>Ak#r!?f(hZC&CJUd_26Mp>!B+tpqX?4Px;+@W#B z4fy7?k1EZBv&C_yjj9_LfRQs$Sv#VB*y7JzTGOOic_>qS;q0kvqWp=q-45y1F@(;s zjHd6eZ(`1`Z{Owcc6IDX>*0mtUhZ%F98?``V$Sdu2azBb!wL4Qev+S%{QYaVZ^ITu;o z616nS5^7jKk=JvEb$iF$B*^n7#QtI6C%vWl-tB-L>ziQf_td-Xkwy&-5FnSm#(l27 z{d1zJg6{D6apRH^<=GX+4Uz$?fQ`PToAqXGnZEhz#KjkJOJg>biOs)Wi-%5}nL~KD zl5X3c4yyDv0`A{|$x)x9{@$Y}O;+{sGF!t~M}t1x`sG^j5Z{+j4q6co)*8y-90>K*fsVN(#{!T25de7|u4V@XiCB_lq4 zY0NZS-kOuP#l;sM?%~Ef;mDmb+s6S;$F9TIrJaDCYkyo7i#D!_3Z1^!m$lLUN`nRsn*MSKmR`JwJb4J$maz!PzW2}*sJkmYKnxR6=QcFCA7ZQig z_#T?pav=Ai>A*wNHsj7_kL?A+m+MM1U}cXwIPqr|v?BUmbxHwlDcg02T~ zHl}^LS)Cl(;k#(j>JwVcfZI!q`_VQ;RgDj3wCMdhwr3uAxQJuSq`N)Rvj_a2+gwCf 
z=X&q2SeYwRm*zPuj6H>ozwdq^z43Ts6tG1!2bgb6^;(E7%e<({b<^E=N?(|5+j5PT zQR!qsOnp8#yP)NnK*uOwPxM?48+Ev_~HF$qWp>qSKU^T zpBJy)8&!7V^aH=<>9F~mdwt}EDNL#kj_r^xsq)`RLb85~nfvaK+OpA!+5}Lr3%+x7 z{zJEqu8v*bB_B>PK5N(`FDsYo#`mqc(&bUvRFxp4YykpXSBdMse~nQJI*vB<%&v`o z0jGKZz820j_kWJX{I&7wGIJdg@M2SuO{H0$4Nvaqx>DH6^X>pXRm_)clPZ?N}W7`dO(Q`!Fsv~Orr?}-MN(=QXZ9GDZ3(DW?mYm;^0*a>P_BWvheoWN!y>_@R%_T=>ejAEBn1jTe<|L$7RlVGK z7&{4r{axCh?%~w4>=_q4fOmUmK11!kwS8~s z-ri%U61Vkagx?S9?7D@l$!^?=uy676owm8xdC@#ItU5gjS71GCPi(KOWKz`iN%<4c zu6n*>Oxv}VoAXZkeZmn4@!4_8QXISu`<`bmZyJ8lE_=5++NJx+2k)XWzyVyX8)qQn zv=@2ZvMEZz&OdU-<^)kKQ{7%7#GMLx-p2&Eul)G40K=(^#}Yp2>N^ImgFK@HBPMgt zr}VjnJGvdk727hpGefrktKAy_)y-k{)<^CqS_=9h-ln40^2Y&PU0*mozPqG&4D@1i zoQi+Yp=NaNg3B5RZ=_E;1PypPwsLd+_OQBo%WR*DDb8#|u_XAainRE3ZDY&g?A1kE zA0Y=53W`e!xGJ*e3vcei=+efijVq)9o{H<#Bce zfI4QPS~nj%K5Mwy{@Oa2_`dr9t}JVj`dH&u-9Gz>wfV+d(csJ9Zr+IXf1`1Z+SyiNp0(Sg57gymfKF{a>0S5fD?|cK`nph z$2^&9JkoY@AMvw~4}sl1y~jGwixR)DQ0NM!KS(SwX<1DhIA(P4WA-R^ECFxr@wNY; zFT!2^cy?A3(K=S&d3=x;cZ>3HFdR3qb=zUp4B^|;R@Ie1l3x)~Yj&3(lbw9y{pLw7 nNILiI>)HK@-u4yd;>6i+0bSo#h?kPWn!y2oX-XVbqJc%eoq!#F{TBA&(Ua!$hz-EX`NCe1W zkcNnaP&gcd1~GJ&_&5N>GV*LRV^UN+5>Q~oNl`p(C?VKJH&TT$@n~^OG){t`7_mAC zk(TI!F`1}}XcUyiVeq85C<;u-k}!-Cg@&qP+Mo~)R%s*XWI}{E%H{^p>PC9 z1YiX)0EAJAVZmyhnF=8#*-Q|%&Z@J75;(CU0zn%rFbRZIwT>!>gJl5B;vxVzY@SuZ zWAa!wl~SkWge3}8dJ`{L&bLZQNDdi-;mJgJtcW4`KMR4411J1zfl&ZKm_)RS1Qre! 
zhp-Wos8DOX4knXH0V_sgmSQL|B8V0+abPZdFhxuZ<(W9hSUFo72RE8AdOpnp$5Lf_ z0IHK2_*B|Zv91fX=a9)i=yCGhnG5i~KH!i&++4NL*sOv5LjVkNOsv=T-AS|fpF zG?4^kw6cT63O$w@$G2c;aj{}HjS!EG=9m*W!NC+UoJb^?5{+cDKnb{j<4I_$(89!+ z%ZwCgPAWMhwVGijpNEW2kIvjDScB#)R1@d@)C-v?4hyqDUV`x6;u6 zPQxd$6)pt0NzByXuu77|B0#gE2x2f%s#MU~v;;T@MwXD28nYfwj4~KeE+HWyAh1rF zB&4COYfxUa)=KHIj35 z+@SiWE3c)!vMA0sUke&jJdHU1+z1Wa`siU?MAd_*sb{jCr}m6~c=mpKRpQOYbZ$B+ zj6bs@($WWMfB*6M+b239x1jLRixa+^377Xc5ZyvxNk^DWi`ab+pj^@Rb1wq<{9T<*Zs9&$b<09W&KfOmE#k6IpGCY_O@Qe z40ZQ5?&w@I+4=14+!H?mP}q^r>xMYfE$MII>;FTy`r1DAdsHs>h~R$u1>1SxpzE54 zp3xJH*J<}6w>ovb+RE~{XcqM$;~ESOK3+|x^s>7x>qiCGr(*r%rc#Y)$L&G+>0Q31 zjf|xY@}<_^hQjqK$T6p(&yLk2{PFr}CdVY*0`~GI)UVDzUX+R(IP@-t=DXtcRcQHC z-o}r=&}s!kw}m@`_C_17{93UAOUAm@YkZ$omJGMqJ*w72(Flx6Z|e$d%b_bYO>lYd zMCZ;&9D^HB&W3@<+x7%yNb>?C^Kb9`$0@C6qzg87%l5SGT*7a3IB8>oLrT(#2e;;J zMZtPKO6>ic0#?p;)nT_RjKaa(TjuFM27JOMlfK1V8e2uTJHC-R&hcnTSvvdv<*8T8 zDX%(v{4>6^psXrZ+Uncf%_ZBzvKFVOk;1n(sYd+Us2PhHM{^1!?-UmAuBPGp(ES-C z)TK|4AG~e^uSAA4*yQ(Wuc(XvTG@7Wl3x1R*wJbp*3I8@e!^LhQu`d|R@+H&!N<-) zn>^Exavi>}b-#85a?3e!?lGNTGQPU6W+*tP*KwkdH#p^~a9zrcZHEuP*|h51!T{3D zw&EzCz=ohD57BS86}XPx?btYX`yeZNaG+ud_2tK)oSa`r{|v%R2JJZcAtGs_Vt&W~ z+`k~Ypn1Z+I#wLlclLNRTpor}`{B#@0Q|n077Gs!zm)S?j_#RDJ2d`#xMAUUIGIGo zuVSp?ms z*_E);y^;>6OnstZ>#97);Js@bha@xS)--LeJ{>7rGk}wDFZhUVs57%T7h++PMF*NS zs=mLRJZDf&emAtb>9c-EgdMx^y6%}+V@ zL0@_I;`Fw%+O*?G(wqs&aEVWV%sxxpkzcT2wG`oA>*iJ75VNRg-vv)SE^uXi`Ndf| zs1D(}V5B8y@biHksfPK9{Vj)sXP)PS)s^s}GqRMo+CmgOI;G72n=$R-=8|{nzWy3~ zIWGI~-J!*nvkLLY(KCVCQ|58{&X7yHmh=ptvuB^Tm)AEAu*M98uvhq+1-n8Y*p~o) zqyAM>$XI|Ij9c@t;?zKd&@WRSZ z1qeDG=kUl7a!|up!PDag(@auED{XUqAlm_?cv71wO!*loCfhi zkP?|!>yvi%OvsffM`C7s&ozN+G&MRavoPWoqdIdcT=Dmp-`C_T%UXQc)ww_C|8OIH zVh+OFJF|oyVh}s7%?Oa41g`Qt(iE3wp37TR^ZrB@_MLtG-oelD&HiOY>|GZhpPcm9 zJ9U>ejLxa_tmhxQ@!HQbV)v2nwxm*Le^lM{n0VD4vjF(d=wIPolilvztOK>bvi=Kf Ch`3h( From 7508137e40d42647539dd6e4aa4de7f4bfab36a3 Mon Sep 17 00:00:00 2001 
From: korenstin Date: Thu, 29 May 2025 18:30:23 +0200 Subject: [PATCH 14/41] Ajout admin token --- secrets/vaultwarden/env.age | Bin 2817 -> 2951 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
diff --git a/secrets/vaultwarden/env.age b/secrets/vaultwarden/env.age index f3a5d82f7d092b209b2f79280ae649767f7a78b8..d2d5d0e9ae192dc971ded2bb706ab16a82510da6 100644 GIT binary patch literal 2951 zcmZ9|`CAMK0|4L>HjyJoay1e~JI&op2-956)!b)VJI&P`&3%)jBx!AulCqhQE|erH zDMzVIg)W3Bd{%OYqN9YYI7F``8GuX@oeF&J&($VdF7!z$Y=>!xw7zrbKP_S|o zT?mhH=%6uHeYn}Cg^5f!8wkP{OWAlF6)TIyb7^KaU&r~Mrc+peIw&FpAhlw|Fe?Bp zr;zzf5(5TSBLqT~QG*YnYj{cr35t-|bOyOmsf|$U;#9G*QiKPQstrO2h;j-)4i!hW zi}Y+5j2Z*O*wC?N17A(TV0iKnshDO2Q~%Ej!B9Z-f2~+ns6!NomeCcEa12T;7Rb@z zp*A`xQfCxHDIk^H$QBX_2DF&N^}w3B77<&khojh1v@!wkf+WF%Lt_;&W)TzRVJ8G3^cI`~Y81(oa*CNM zMPW50B{7o4pyOg01g6qLq8OD18BYAOMu?1M5v%~bkQf0~>a9YxMWz=sq-G%#%{Ov2 zQl^P+k*QQl3mK)v*bH1I+QSrTp-Z(vQmvE?hKCYDwIr%mL1i!mdX<$AV&UQ(9F5fh zVMFD(pEW6;iZ-DEQWH}PmBBQaSVAaW!jC}Vg)%mqXON%?2D(hlaexpyl@tv9x7C9W z#US`%i%BYzLzGmgjA{WHa9klB3=v4lbS&AZ9^0i_HKyHT!k!&Re zON!$$^kSVYhJ?4X7#s**AvM9p9J|9x<5^$`jm_v0#FIM2Fr-6mB?<7xIF(YQ=Ne5i zmO+II?>A8$h0X9ZTv0#HDIpH#u#9*R?3)nEI3=XG~ zsAwLCuAq~x9-JoTsJc&**~q<>Bc<+{5Z;#@4vF_GaQQ3f+Ld42qLGjpBICW6wU>_9 zR1YTSQNQ1Jzf9iL#OtRubRYWUpUn3f`O+#N?QIfvvW$z!` z6YuUJI-2I>$LE!D2ig*&RIF>CKkvM8tn=WI-n-Ck?fI^;%X=AAWVY#BtNdy1PKmc% zt`_bOueCa%72W&bM+-KhpROVp30}pwo#U6ZTkEq1dP@SC5+1$vw_(zZD3EMze;@7f z{G|uS8*JnLr*{2-wjABEnVNeeB`p71H{(a*R|4^A*Q71(=d&+$S2D&p*=rS+k3R4A z)BSf=b=s`ax%r9~2#{Z_y$A35&hGQN_wi(0YwdSnyFgdq9-R@vlBB4bT_a7)N6K9_ z!%J2OJ=UbR-vVy?9A+5zB#d@gm2C;LlFvFaMoa!P=gwGWU609Dc@VP9hHLnm z-fg}aa$AV1Ep<-&s!j2Fn3l4@^XfwWtEMhc$?Az02`{_7bvI;Zo^8#L`vb3& zihMj^{QF7lVeK`wENT!6}4wR}80# zt3z6{Kk^#|DW?l>`qY(A?JdZdQhNMR67EjR?aADhqWWo%P$he-rql-b;;)0hB{6up zbio%(J6 zc;vlT*e;J2<9A}9m)}_GkBu%9i!fQ9J*_tbj%F4Q)mbg}yMFJv5u8N#L=CQBdVu7! 
zl1q!Y=9ZlJWl>^N;`Mf{@3j{@do#Y3l66FLxlh%wxY09@EZ=pw*6m{Xqy_uxQ;#&f zSnC3*^L(+pZO4~^BW0Z>)C*#Nt45K{l=Y8AJX26o1Di=R)=s$k@_#g;i@7 zl`D@XjK4XSW?x0oLgF3kiUPTn3pgzWKb8iNk}8#7IPAvS;0OF- z@fTUw@bb{>S!Q40-Y06w=R5wJPNhc?sL}Pwk9c>SW8OO!`T9Sc;3V}I)tm;SP(JlJ zo8LCnDg^MtqQJvv;%#BO$|gNsLh4_m%co7=ATi(Mon*8W@=oV?)_r59ak?g5XNCDS zx;XQgheDg9=iEC#Pd6Vh#{J+*`Q{GWwW2Vp8hh&qHT0j4?ks(MsyOfReC*0|NjaGp z23t!<{Km+aN;b#|cxZcQ+=(36ImL3t`^uA@z^xO}Fd76&GGh9kN8^6K=8IhBFcjYYBdmu5dZwuF&VI4RR- zcjwFnKA$2gd=3oYW?jr;JURFzW4@%~p5)7o=WBQEcP{Ku^sE|L$kedzuSr04NB35; zr;WJWYx>x(8Qyd{pnd52J6+M!08v@{M4zd3AJ%=d?C|(Juji#QQ$qgmgXZ!zb%ob4 zS3kpuwNuHOxijxnyNy20IWe%z4>&v$wTkA=$)+t|H|01r(KStIq%GPyYyXoPes=2i zXKT)lN}f-@x$W(IXEsIc`ew?`jL7KIftbumGvAzjGb;;)e_a*U)+9LDkua3uxM5u~ z_iD38>Z0L_wCCvfLuow|sxU-mmslN zkD!h58nSWwXXlN_?wj77s43nUYTJQ4@vt=f+}hE&ufVhYFI<8GTGH?Ux z5fATF6IJaW%{woT#8}Piy^(rpXW4Yy(`UQai)*~nE4~7Pyu-$iXGzY-$qo^>P?ohv UY!5qgVQ^_?JJZ9Nbl#`;zj%QuYXATM literal 2817 zcmZY5X*d)J1Hkc;qM_+PN@VDEjhQiql+1mPxy=mHnENpIVI-9f?UGt&m(s30tx1Pu zE1hnYBi&oh3Q6~-LwNW7`1XGOfA~GmUnr9VOEe;bO=nVQH6dDq3~Ye_f}=r3qdZt5 zhQi^HNDy0}8cVT)U?jdwlLk$bDg-tf4V9(=%LG!4Ku6&vqqLzWJUmuQfysn0Fg6sR zMoZb^SPk98RfDN`x**OP&bIQXU_IB0SHe+vGo4AG$V_;Jjrddtm39)1(m>VdwKnx6<5`%%6#1FJHLj*03s*oBr zIFdmoP$89EVk#m{trJkR^l&{ng&-gUth_je8VWHBB6ws2O2jrONCu%0Nu)@uBrGCK zB8MwehCfLcXHI@QKzTT56h^bAVJQrPfen)ZY(fzchEZGeLaiV@_#4ca-LSi0I}&X ziUJqNAlV=U0bd^mCgX7m6&FX+=tx>5OM}xOm~=b>2WRjBd>cc9;Hkr@cvv8Xgb8Iz z$c8w!lug1ijbgsu92;h~VPpib+AISE2M2>vxM@<0E;*HomoT_`B~qldn&XrPqe;#t zvdnU=4QYhIs7e!th6QxpV}*!%?Jp|_L&iIoB?~X+_Sf7$r28J}S6j4v>+>nb+fL{3 z-UZlrnS1T+@6=20a?j3nv&R{n>Ak#r!?f(hZC&CJUd_26Mp>!B+tpqX?4Px;+@W#B z4fy7?k1EZBv&C_yjj9_LfRQs$Sv#VB*y7JzTGOOic_>qS;q0kvqWp=q-45y1F@(;s zjHd6eZ(`1`Z{Owcc6IDX>*0mtUhZ%F98?``V$Sdu2azBb!wL4Qev+S%{QYaVZ^ITu;o z616nS5^7jKk=JvEb$iF$B*^n7#QtI6C%vWl-tB-L>ziQf_td-Xkwy&-5FnSm#(l27 z{d1zJg6{D6apRH^<=GX+4Uz$?fQ`PToAqXGnZEhz#KjkJOJg>biOs)Wi-%5}nL~KD zl5X3c4yyDv0`A{|$x)x9{@$Y}O;+{sGF!t~M}t1x`sG^j5Z{+j4q6co)*8y-90>K*fsVN(#{!T25de7|u4V@XiCB_lq4 
zY0NZS-kOuP#l;sM?%~Ef;mDmb+s6S;$F9TIrJaDCYkyo7i#D!_3Z1^!m$lLUN`nRsn*MSKmR`JwJb4J$maz!PzW2}*sJkmYKnxR6=QcFCA7ZQig z_#T?pav=Ai>A*wNHsj7_kL?A+m+MM1U}cXwIPqr|v?BUmbxHwlDcg02T~ zHl}^LS)Cl(;k#(j>JwVcfZI!q`_VQ;RgDj3wCMdhwr3uAxQJuSq`N)Rvj_a2+gwCf z=X&q2SeYwRm*zPuj6H>ozwdq^z43Ts6tG1!2bgb6^;(E7%e<({b<^E=N?(|5+j5PT zQR!qsOnp8#yP)NnK*uOwPxM?48+Ev_~HF$qWp>qSKU^T zpBJy)8&!7V^aH=<>9F~mdwt}EDNL#kj_r^xsq)`RLb85~nfvaK+OpA!+5}Lr3%+x7 z{zJEqu8v*bB_B>PK5N(`FDsYo#`mqc(&bUvRFxp4YykpXSBdMse~nQJI*vB<%&v`o z0jGKZz820j_kWJX{I&7wGIJdg@M2SuO{H0$4Nvaqx>DH6^X>pXRm_)clPZ?N}W7`dO(Q`!Fsv~Orr?}-MN(=QXZ9GDZ3(DW?mYm;^0*a>P_BWvheoWN!y>_@R%_T=>ejAEBn1jTe<|L$7RlVGK z7&{4r{axCh?%~w4>=_q4fOmUmK11!kwS8~s z-ri%U61Vkagx?S9?7D@l$!^?=uy676owm8xdC@#ItU5gjS71GCPi(KOWKz`iN%<4c zu6n*>Oxv}VoAXZkeZmn4@!4_8QXISu`<`bmZyJ8lE_=5++NJx+2k)XWzyVyX8)qQn zv=@2ZvMEZz&OdU-<^)kKQ{7%7#GMLx-p2&Eul)G40K=(^#}Yp2>N^ImgFK@HBPMgt zr}VjnJGvdk727hpGefrktKAy_)y-k{)<^CqS_=9h-ln40^2Y&PU0*mozPqG&4D@1i zoQi+Yp=NaNg3B5RZ=_E;1PypPwsLd+_OQBo%WR*DDb8#|u_XAainRE3ZDY&g?A1kE zA0Y=53W`e!xGJ*e3vcei=+efijVq)9o{H<#Bce zfI4QPS~nj%K5Mwy{@Oa2_`dr9t}JVj`dH&u-9Gz>wfV+d(csJ9Zr+IXf1`1Z+SyiNp0(Sg57gymfKF{a>0S5fD?|cK`nph z$2^&9JkoY@AMvw~4}sl1y~jGwixR)DQ0NM!KS(SwX<1DhIA(P4WA-R^ECFxr@wNY; zFT!2^cy?A3(K=S&d3=x;cZ>3HFdR3qb=zUp4B^|;R@Ie1l3x)~Yj&3(lbw9y{pLw7 nNILiI>)HK@-u4yd;>6i+0bSo#h?kPWn!y2oX-XVb Date: Thu, 29 May 2025 19:26:20 +0200 Subject: [PATCH 15/41] vaultwarden: remove postfix --- modules/services/vaultwarden.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix index 718beda..2b79a57 100644 --- a/modules/services/vaultwarden.nix +++ b/modules/services/vaultwarden.nix @@ -23,8 +23,4 @@ proxyWebsockets = true; }; }; - - systemd.services.vaultwarden = { - path = with pkgs; [ postfix ]; - }; } From a8061ccb3793e0f5af4b73215f57b7f4adf719bf Mon Sep 17 00:00:00 2001 
From: RatCornu Date: Thu, 29 May 2025 19:31:47 +0200 Subject: [PATCH 16/41] vaultwarden: add nullmailer to systemd service --- modules/crans/nullmailer.nix | 1 + modules/services/vaultwarden.nix | 21 ++++++++++++++++++++- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/modules/crans/nullmailer.nix b/modules/crans/nullmailer.nix index 23bb4ef..fdc6aaa 100644 --- a/modules/crans/nullmailer.nix +++ b/modules/crans/nullmailer.nix @@ -4,6 +4,7 @@ services.nullmailer = { enable = true; + setSendmail = true; config = { remotes = '' smtp.adm.crans.org smtp diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix index 2b79a57..7b7367e 100644 --- a/modules/services/vaultwarden.nix +++ b/modules/services/vaultwarden.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, lib, ... }: { imports = [ @@ -14,7 +14,26 @@ services.vaultwarden = { enable = true; dbBackend = "postgresql"; + environmentFile = config.age.secrets.env.path; + config = { + SENDMAIL_COMMAND = "${config.security.wrapperDir}/sendmail"; + }; + }; + users.users.vaultwarden.extraGroups = [ "nullmailer" ]; + + systemd.services.vaultwarden = { + path = [ "/run/wrappers" ]; + serviceConfig = { + NoNewPrivileges = lib.mkForce false; + PrivateUsers = lib.mkForce false; + SystemCallFilter = lib.mkForce [ "@system-service" ]; + RestrictAddressFamilies = [ + "AF_LOCAL" + "AF_NETLINK" + ]; + ReadWritePaths = [ "/var/spool/nullmailer/" ]; + }; }; services.nginx.virtualHosts."vaultwarden.crans.org" = { From e9c99d2241318d49e36a7c1bbd5af62a9842aa03 Mon Sep 17 00:00:00 2001 From: RatCornu Date: Thu, 29 May 2025 19:48:20 +0200 Subject: [PATCH 17/41] vaultwarden: add port in config --- modules/services/vaultwarden.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix index 7b7367e..4cb76a3 100644 --- a/modules/services/vaultwarden.nix +++ b/modules/services/vaultwarden.nix 
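Review bot: The `serviceConfig` block added in the second `modules/services/vaultwarden.nix` hunk forces `NoNewPrivileges` and `PrivateUsers` to `false` and replaces the whole `SystemCallFilter` with `lib.mkForce [ "@system-service" ]`, and nothing in the file says why. From the rest of the hunk this looks necessary so the service can run the sendmail wrapper under `config.security.wrapperDir` and write to `/var/spool/nullmailer/`, but that is inferred. The process that holds the password vault then runs with a weaker sandbox than the module's defaults, and the forced filter also discards any deny-list the upstream unit may set. I would add a comment above the block, e.g. `# hardening relaxed only so the nullmailer sendmail wrapper can run; re-check if the mail path changes`, and confirm that each of the three overrides is actually required. If Vaultwarden's built-in SMTP client can reach the relay configured in `nullmailer.nix`, using it would avoid the wrapper and keep the default hardening.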
@@ -17,6 +17,7 @@ environmentFile = config.age.secrets.env.path; config = { + ROCKET_PORT = 8222; SENDMAIL_COMMAND = "${config.security.wrapperDir}/sendmail"; }; }; @@ -38,7 +39,7 @@ services.nginx.virtualHosts."vaultwarden.crans.org" = { locations."/" = { - proxyPass = "http://localhost:8222"; + proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}"; proxyWebsockets = true; }; }; From 31e7762cfd270d7fa2eaaf5aae7bd8c457e18f42 Mon Sep 17 00:00:00 2001 From: lzebulon Date: Sun, 8 Jun 2025 17:41:45 +0200 Subject: [PATCH 18/41] add a gitlab-ci --- .gitlab-ci.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 .gitlab-ci.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..f68151e --- /dev/null +++ b/.gitlab-ci.yml @@ -0,0 +1,10 @@ +image: nixos/nix:latest + +before_script: + - echo "experimental-features= nix-command flakes" >> /etc/nix/nix.conf + - nix-daemon & + +nix-flake-check: + stage: test + script: + - nix flake check From 7637667ed7fc1057e878c8ec5ec4cb198223b882 Mon Sep 17 00:00:00 2001 From: lzebulon Date: Sun, 8 Jun 2025 17:47:52 +0200 Subject: [PATCH 19/41] fix typo --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index f68151e..2c0db60 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,7 +1,7 @@ image: nixos/nix:latest before_script: - - echo "experimental-features= nix-command flakes" >> /etc/nix/nix.conf + - echo "extra-experimental-features = nix-command flakes" >> /etc/nix/nix.conf - nix-daemon & nix-flake-check: From 7d0b47ab3d1c0d811667afec03b44abf6bd3cbfd Mon Sep 17 00:00:00 2001 From: Lzebulon Date: Sat, 14 Jun 2025 15:37:13 +0200 Subject: [PATCH 20/41] accepte que jitsi a libolm --- modules/services/jitsi.nix | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/modules/services/jitsi.nix b/modules/services/jitsi.nix index 7490187..1356890 100644 
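Review bot: `ROCKET_PORT` is now set explicitly in the first hunk, but the listen address is still left to a default, while the second hunk points nginx at `localhost`. Defining `services.vaultwarden.config` in this file may mean the module's own default attribute set no longer applies, in which case the bind address comes from Vaultwarden itself; I have not confirmed which value that is. Pinning it next to the port with `ROCKET_ADDRESS = "127.0.0.1";` and using `proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";` would make sure the backend is reachable only through the nginx vhost and that both sides agree on the address family.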
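Review bot: `image: nixos/nix:latest` in the new `.gitlab-ci.yml` makes every pipeline run on whatever image is current at pull time, so the job that checks this repository's host configurations is not reproducible and silently picks up any change to the upstream image. Pin a release tag or, better, a digest, for example `image: nixos/nix:<VERSION>@sha256:<DIGEST>` (placeholders to fill in), and bump it deliberately in its own commit.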
--- a/modules/services/jitsi.nix +++ b/modules/services/jitsi.nix @@ -1,12 +1,19 @@ -{...}: +{ ... }: { + # il y a une faille de secu mais c'est pas exploitable + # libolm : https://github.com/NixOS/nixpkgs/pull/334638#issuecomment-2289025802 + nixpkgs.config.permittedInsecurePackages = [ + "jitsi-meet-1.0.8043" + ]; + + services.jitsi-meet = { enable = true; hostName = "jitsi.crans.org"; config = { # vient de l'ancienne config liveStreamingEnable = true - liveStreaming.enabled = true; + liveStreaming.enabled = true; }; }; @@ -25,7 +32,7 @@ config = { xmpp = { - trusted-domains = ["recoder.jitsi.crans.org"]; + trusted-domains = [ "recoder.jitsi.crans.org" ]; }; }; }; @@ -33,5 +40,5 @@ services.prometheus.exporters.jitsi = { enable = true; }; - + } From ab20269f92885bb5628e5de27c5ae2ec59280fb1 Mon Sep 17 00:00:00 2001 From: lzebulon Date: Sat, 14 Jun 2025 16:14:59 +0200 Subject: [PATCH 21/41] fix add longer timeout --- .gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2c0db60..ccfac76 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -5,6 +5,7 @@ before_script: - nix-daemon & nix-flake-check: + timeout: 1h stage: test script: - nix flake check From cedff82836ace55ce6e8bfebb3dfe135661e0948 Mon Sep 17 00:00:00 2001 
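Review bot: The comment above `nixpkgs.config.permittedInsecurePackages` says there is a security flaw that is not exploitable, but it does not record which advisory is meant, why it does not apply to this deployment, or when the exception should be looked at again. Since this module configures a service with a public host name, I would expand the comment by two or three lines: that `jitsi-meet-1.0.8043` is marked insecure because of libolm (per the linked nixpkgs discussion), the reason it is judged not exploitable here, and that the exception must be re-reviewed whenever the version string changes. Keeping the exact versioned name, as the hunk does, is good, since an upgrade will then fail evaluation until someone revisits the decision.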
From: RatCornu Date: Sun, 8 Jun 2025 15:53:33 +0200 Subject: [PATCH 22/41] Factorisation en un module crans --- flake.nix | 15 +- hosts/physiques/thot/default.nix | 7 + hosts/vm/apprentix/default.nix | 28 ++-- hosts/vm/apprentix/networking.nix | 65 --------- hosts/vm/jitsi/default.nix | 14 +- hosts/vm/jitsi/networking.nix | 53 ------- hosts/vm/livre/default.nix | 11 +- hosts/vm/livre/networking.nix | 53 ------- hosts/vm/neo/default.nix | 14 +- hosts/vm/neo/networking.nix | 62 -------- hosts/vm/redite/default.nix | 11 +- hosts/vm/redite/networking.nix | 65 --------- hosts/vm/two/default.nix | 15 +- hosts/vm/two/networking.nix | 65 --------- hosts/vm/vaultwarden/default.nix | 11 +- hosts/vm/vaultwarden/networking.nix | 53 ------- modules/crans/default.nix | 49 ++++--- modules/crans/home.nix | 21 +-- modules/crans/monitoring.nix | 49 +++++-- modules/crans/networking.nix | 218 +++++++++++++++++++++++++++- modules/crans/packages.nix | 21 +++ modules/crans/restic_client.nix | 94 ++++++++---- modules/crans/ssh.nix | 11 ++ modules/crans/users.nix | 101 ++++++++----- modules/crans/virtualisation.nix | 6 + modules/default.nix | 23 ++- modules/services/default.nix | 5 + 27 files changed, 566 insertions(+), 574 deletions(-) delete mode 100644 hosts/vm/apprentix/networking.nix delete mode 100644 hosts/vm/jitsi/networking.nix delete mode 100644 hosts/vm/livre/networking.nix delete mode 100644 hosts/vm/neo/networking.nix delete mode 100644 hosts/vm/redite/networking.nix delete mode 100644 hosts/vm/two/networking.nix delete mode 100644 hosts/vm/vaultwarden/networking.nix create mode 100644 modules/crans/packages.nix create mode 100644 modules/crans/ssh.nix create mode 100644 modules/crans/virtualisation.nix create mode 100644 modules/services/default.nix diff --git a/flake.nix b/flake.nix index e4d64c4..5ae51e2 100644 --- a/flake.nix +++ b/flake.nix 
@@ -34,7 +34,10 @@ flake = with nixpkgs.lib; { nixosConfigurations = let - baseModules = [ agenix.nixosModules.default ]; + baseModules = [ + ./modules + agenix.nixosModules.default + ]; in { apprentix = nixosSystem { @@ -71,12 +74,12 @@ specialArgs = inputs; modules = [ ./hosts/vm/two ] ++ baseModules; }; - - vaultwarden = nixosSystem { - specialArgs = inputs; - modules = [ ./hosts/vm/vaultwarden ] ++ baseModules; + + vaultwarden = nixosSystem { + specialArgs = inputs; + modules = [ ./hosts/vm/vaultwarden ] ++ baseModules; + }; }; - }; }; perSystem = diff --git a/hosts/physiques/thot/default.nix b/hosts/physiques/thot/default.nix index ed4cee3..6caac2d 100644 --- a/hosts/physiques/thot/default.nix +++ b/hosts/physiques/thot/default.nix @@ -39,5 +39,12 @@ restic ]; + crans = { + enable = true; + + networking.adm.enable = false; + resticClient.enable = false; + }; + system.stateVersion = "24.05"; } diff --git a/hosts/vm/apprentix/default.nix b/hosts/vm/apprentix/default.nix index 945f8e0..6feeef0 100644 --- a/hosts/vm/apprentix/default.nix +++ b/hosts/vm/apprentix/default.nix @@ -1,17 +1,27 @@ -{ config, lib, ... }: +{ ... }: { imports = [ ./hardware-configuration.nix - ./networking.nix - - ../../../modules ]; boot.loader.grub.devices = [ "/dev/sda" ]; networking.hostName = "apprentix"; + crans = { + enable = true; + + networking = { + id = 50; + srvNat.enable = true; + }; + + homeNounou.enable = false; + + users.root.passwordFile = ../../../secrets/apprentix/root.age; + }; + security.sudo.extraRules = [ { groups = [ "_user" ]; @@ -19,15 +29,5 @@ } ]; - age.secrets = { - root-passwd-hash.file = ../../../secrets/apprentix/root.age; - }; - - users.users.root = { - hashedPasswordFile = config.age.secrets.root-passwd-hash.path; - }; - - crans.home_nounou.enable = false; - system.stateVersion = "24.11"; } diff --git a/hosts/vm/apprentix/networking.nix b/hosts/vm/apprentix/networking.nix deleted file mode 100644 index 548d59a..0000000 
--- a/hosts/vm/apprentix/networking.nix +++ /dev/null @@ -1,65 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces = { - ens18 = { - - ipv4 = { - addresses = [ - { - address = "172.16.10.150"; - prefixLength = 24; - } - ]; - }; - - ipv6 = { - addresses = [ - { - address = "fd00::10:0:ff:fe01:5010"; - prefixLength = 64; - } - ]; - }; - - }; - - ens19 = { - - ipv4 = { - addresses = [ - { - address = "172.16.3.150"; - prefixLength = 24; - } - ]; - routes = [ - { - address = "0.0.0.0"; - via = "172.16.3.99"; - prefixLength = 0; - } - ]; - }; - - ipv6 = { - addresses = [ - { - address = "2a0c:700:3::ff:fe01:5003"; - prefixLength = 64; - } - ]; - routes = [ - { - address = "::"; - via = "2a0c:700:3::ff:fe00:9903"; - prefixLength = 0; - } - ]; - }; - - }; - }; - }; -} diff --git a/hosts/vm/jitsi/default.nix b/hosts/vm/jitsi/default.nix index 51e86f3..db3f4f1 100644 --- a/hosts/vm/jitsi/default.nix +++ b/hosts/vm/jitsi/default.nix @@ -3,9 +3,7 @@ { imports = [ ./hardware-configuration.nix - ./networking.nix - ../../../modules ../../../modules/services/jitsi.nix ../../../modules/services/acme.nix ]; @@ -13,5 +11,17 @@ networking.hostName = "jitsi"; boot.loader.grub.devices = [ "/dev/vda" ]; + crans = { + enable = true; + + networking = { + id = 63; + srv = { + enable = true; + ipv4 = "185.230.79.15"; + }; + }; + }; + system.stateVersion = "24.11"; } diff --git a/hosts/vm/jitsi/networking.nix b/hosts/vm/jitsi/networking.nix deleted file mode 100644 index 4a18bf0..0000000 --- a/hosts/vm/jitsi/networking.nix +++ /dev/null 
@@ -1,53 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces = { - ens18 = { - - ipv4 = { - addresses = [{ - address = "172.16.10.163"; - prefixLength = 24; - }]; - }; - - ipv6 = { - addresses = [{ - address = "fd00::10:0:ff:fe01:6310"; - prefixLength = 64; - }]; - }; - - }; - - ens19 = { - - ipv4 = { - addresses = [{ - address = "185.230.79.15"; - prefixLength = 26; - }]; - routes = [{ - address = "0.0.0.0"; - via = "185.230.79.62"; - prefixLength = 0; - }]; - }; - - ipv6 = { - addresses = [{ - address = "2a0c:700:2::ff:fe01:6302"; - prefixLength = 64; - }]; - routes = [{ - address = "::"; - via = "2a0c:700:2::ff:fe00:9902"; - prefixLength = 0; - }]; - }; - - }; - }; - }; -} diff --git a/hosts/vm/livre/default.nix b/hosts/vm/livre/default.nix index 19e40b1..bdee797 100644 --- a/hosts/vm/livre/default.nix +++ b/hosts/vm/livre/default.nix @@ -3,9 +3,7 @@ { imports = [ ./hardware-configuration.nix - ./networking.nix - ../../../modules ../../../modules/services/nginx.nix ../../../modules/services/stirling.nix ]; @@ -13,6 +11,15 @@ networking.hostName = "livre"; boot.loader.grub.devices = [ "/dev/sda" ]; + crans = { + enable = true; + + networking = { + id = 40; + srvNat.enable = true; + }; + }; + services.nginx.virtualHosts = { "pdf.crans.org" = { locations."/" = { diff --git a/hosts/vm/livre/networking.nix b/hosts/vm/livre/networking.nix deleted file mode 100644 index ae7302c..0000000 --- a/hosts/vm/livre/networking.nix +++ /dev/null 
@@ -1,53 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces = { - ens18 = { - - ipv4 = { - addresses = [{ - address = "172.16.10.140"; - prefixLength = 24; - }]; - }; - - ipv6 = { - addresses = [{ - address = "fd00::10:0:ff:fe01:4010"; - prefixLength = 64; - }]; - }; - - }; - - ens19 = { - - ipv4 = { - addresses = [{ - address = "172.16.3.140"; - prefixLength = 24; - }]; - routes = [{ - address = "0.0.0.0"; - via = "172.16.3.99"; - prefixLength = 0; - }]; - }; - - ipv6 = { - addresses = [{ - address = "2a0c:700:3::ff:fe01:4003"; - prefixLength = 64; - }]; - routes = [{ - address = "::"; - via = "2a0c:700:3::ff:fe00:9903"; - prefixLength = 0; - }]; - }; - - }; - }; - }; -} diff --git a/hosts/vm/neo/default.nix b/hosts/vm/neo/default.nix index 5b51a68..5b7ff25 100644 --- a/hosts/vm/neo/default.nix +++ b/hosts/vm/neo/default.nix @@ -3,9 +3,7 @@ { imports = [ ./hardware-configuration.nix - ./networking.nix - ../../../modules ../../../modules/services/matrix.nix ../../../modules/services/synapse-admin.nix ]; @@ -14,5 +12,17 @@ networking.hostName = "neo"; + crans = { + enable = true; + + networking = { + id = 41; + srv = { + enable = true; + ipv4 = "185.230.79.5"; + }; + }; + }; + system.stateVersion = "24.11"; } diff --git a/hosts/vm/neo/networking.nix b/hosts/vm/neo/networking.nix deleted file mode 100644 index 363ead7..0000000 --- a/hosts/vm/neo/networking.nix +++ /dev/null 
@@ -1,62 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces = { - ens18 = { - ipv4 = { - addresses = [ - { - address = "172.16.10.141"; - prefixLength = 24; - } - ]; - }; - - ipv6 = { - addresses = [ - { - address = "fd00::10:0:ff:fe01:4110"; - prefixLength = 64; - } - ]; - }; - }; - - ens19 = { - ipv4 = { - addresses = [ - { - address = "185.230.79.5"; - prefixLength = 26; - } - ]; - routes = [ - { - address = "0.0.0.0"; - via = "185.230.79.62"; - prefixLength = 0; - } - ]; - }; - ipv6 = { - addresses = [ - { - address = "2a0c:700:2::ff:fe01:4102"; - prefixLength = 64; - } - ]; - routes = [{ - address = "::"; - via = "2a0c:700:2::ff:fe00:9902"; - prefixLength = 0; - }]; - }; - }; - }; - - firewall = { - enable = true; - }; - }; -} diff --git a/hosts/vm/redite/default.nix b/hosts/vm/redite/default.nix index 4921d62..12a85a3 100644 --- a/hosts/vm/redite/default.nix +++ b/hosts/vm/redite/default.nix @@ -3,14 +3,21 @@ { imports = [ ./hardware-configuration.nix - ./networking.nix - ../../../modules ../../../modules/services/libreddit.nix ]; networking.hostName = "redite"; boot.loader.grub.devices = [ "/dev/sda" ]; + crans = { + enable = true; + + networking = { + id = 39; + srvNat.enable = true; + }; + }; + system.stateVersion = "23.11"; } diff --git a/hosts/vm/redite/networking.nix b/hosts/vm/redite/networking.nix deleted file mode 100644 index 8ec9ca3..0000000 --- a/hosts/vm/redite/networking.nix +++ /dev/null 
@@ -1,65 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces = { - ens18 = { - - ipv4 = { - addresses = [ - { - address = "172.16.10.139"; - prefixLength = 24; - } - ]; - }; - - ipv6 = { - addresses = [ - { - address = "fd00::10:0:ff:fe01:3910"; - prefixLength = 64; - } - ]; - }; - - }; - - ens19 = { - - ipv4 = { - addresses = [ - { - address = "172.16.3.139"; - prefixLength = 24; - } - ]; - routes = [ - { - address = "0.0.0.0"; - via = "172.16.3.99"; - prefixLength = 0; - } - ]; - }; - - ipv6 = { - addresses = [ - { - address = "2a0c:700:3::ff:fe01:3903"; - prefixLength = 64; - } - ]; - routes = [ - { - address = "::"; - via = "2a0c:700:3::ff:fe00:9903"; - prefixLength = 0; - } - ]; - }; - - }; - }; - }; -} diff --git a/hosts/vm/two/default.nix b/hosts/vm/two/default.nix index a2f6c54..c1758e0 100644 --- a/hosts/vm/two/default.nix +++ b/hosts/vm/two/default.nix @@ -3,13 +3,22 @@ { imports = [ ./hardware-configuration.nix - ./networking.nix - - ../../../modules ]; networking.hostName = "two"; boot.loader.grub.devices = [ "/dev/sda" ]; + crans = { + enable = true; + + networking = { + id = 35; + srvNat = { + enable = true; + interface = "ens19"; + }; + }; + }; + system.stateVersion = "23.11"; } diff --git a/hosts/vm/two/networking.nix b/hosts/vm/two/networking.nix deleted file mode 100644 index 1840458..0000000 --- a/hosts/vm/two/networking.nix +++ /dev/null 
@@ -1,65 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces = { - ens18 = { - - ipv4 = { - addresses = [ - { - address = "172.16.10.135"; - prefixLength = 24; - } - ]; - }; - - ipv6 = { - addresses = [ - { - address = "fd00::10:0:ff:fe01:3510"; - prefixLength = 64; - } - ]; - }; - - }; - - ens19 = { - - ipv4 = { - addresses = [ - { - address = "172.16.3.135"; - prefixLength = 24; - } - ]; - routes = [ - { - address = "0.0.0.0"; - via = "172.16.3.99"; - prefixLength = 0; - } - ]; - }; - - ipv6 = { - addresses = [ - { - address = "2a0c:700:3::ff:fe01:3503"; - prefixLength = 64; - } - ]; - routes = [ - { - address = "::"; - via = "2a0c:700:3::ff:fe00:9903"; - prefixLength = 0; - } - ]; - }; - - }; - }; - }; -} diff --git a/hosts/vm/vaultwarden/default.nix b/hosts/vm/vaultwarden/default.nix index 18e2c6e..e231698 100644 --- a/hosts/vm/vaultwarden/default.nix +++ b/hosts/vm/vaultwarden/default.nix @@ -3,14 +3,21 @@ { imports = [ ./hardware-configuration.nix - ./networking.nix - ../../../modules ../../../modules/services/vaultwarden.nix ]; networking.hostName = "vaultwarden"; boot.loader.grub.devices = [ "/dev/sda" ]; + crans = { + enable = true; + + networking = { + id = 59; + srvNat.enable = true; + }; + }; + system.stateVersion = "24.05"; } diff --git a/hosts/vm/vaultwarden/networking.nix b/hosts/vm/vaultwarden/networking.nix deleted file mode 100644 index 5e870b4..0000000 --- a/hosts/vm/vaultwarden/networking.nix +++ /dev/null 
@@ -1,53 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces = { - ens18 = { - - ipv4 = { - addresses = [{ - address = "172.16.10.159"; - prefixLength = 24; - }]; - }; - - ipv6 = { - addresses = [{ - address = "fd00::10:0:ff:fe01:5910"; - prefixLength = 64; - }]; - }; - - }; - - ens19 = { - - ipv4 = { - addresses = [{ - address = "172.16.3.159"; - prefixLength = 24; - }]; - routes = [{ - address = "0.0.0.0"; - via = "172.16.3.99"; - prefixLength = 0; - }]; - }; - - ipv6 = { - addresses = [{ - address = "2a0c:700:3::ff:fe01:5903"; - prefixLength = 64; - }]; - routes = [{ - address = "::"; - via = "2a0c:700:3::ff:fe00:9903"; - prefixLength = 0; - }]; - }; - - }; - }; - }; -} diff --git a/modules/crans/default.nix b/modules/crans/default.nix index a86b3ca..cac4a63 100644 --- a/modules/crans/default.nix +++ b/modules/crans/default.nix @@ -1,5 +1,10 @@ -{ pkgs, ... }: +{ lib, config, ... }: +let + cfg = config.crans; + + inherit (lib) mkEnableOption mkIf; +in { imports = [ ./age.nix 
@@ -10,32 +15,28 @@ ./restic_client.nix ./monitoring.nix ./nullmailer.nix + ./packages.nix + ./ssh.nix ./users.nix + ./virtualisation.nix ]; - services.qemuGuest.enable = true; - boot.kernelParams = [ "console=ttyS0,115200" ]; - - services.openssh = { - enable = true; + options.crans = { + enable = mkEnableOption "Configuration commune à toutes les machines du Crans"; }; - nixpkgs.config.allowUnfree = true; - - # Enable some utility programs. - programs.git.enable = true; - programs.htop.enable = true; - programs.neovim.enable = true; - programs.screen.enable = true; - programs.tmux.enable = true; - programs.vim.enable = true; - - environment.systemPackages = with pkgs; [ - bat - fd - helix - nfs-utils - ripgrep - shelldap - ]; + config = mkIf cfg.enable { + crans = { + homeNounou.enable = lib.mkDefault true; + monitoring.enable = true; + networking = { + enable = true; + adm.enable = lib.mkDefault true; + }; + resticClient.enable = lib.mkDefault true; + users = { + ldap.enable = true; + }; + }; + }; } diff --git a/modules/crans/home.nix b/modules/crans/home.nix index 0ae6c23..e95fbed 100644 --- a/modules/crans/home.nix +++ b/modules/crans/home.nix @@ -1,24 +1,17 @@ -{ - pkgs, - lib, - config, - ... -}: +{ lib, config, ... }: let - cfg = config.crans.home_nounou; + cfg = config.crans.homeNounou; + + inherit (lib) mkEnableOption mkIf; in { - options.crans.home_nounou = { - enable = lib.mkOption { - type = lib.types.bool; - default = true; - description = "Monter les home nounous"; - }; + options.crans.homeNounou = { + enable = mkEnableOption "Monter /home_nounou."; }; - config = lib.mkIf cfg.enable { + config = mkIf cfg.enable { fileSystems.home_nounou = { mountPoint = "/home_nounou"; device = "172.16.10.1:/pool/home"; diff --git a/modules/crans/monitoring.nix b/modules/crans/monitoring.nix index bea4865..18862cf 100644 --- a/modules/crans/monitoring.nix +++ b/modules/crans/monitoring.nix 
@@ -1,17 +1,44 @@ -{ config, ... }: -{ - services.prometheus.exporters = { - node = { - enable = true; - port = 9100; +{ config, lib, ... }: - openFirewall = true; - }; +let + cfg = config.crans.monitoring; + + inherit (lib) + mkEnableOption + mkIf + mkOption + types + ; +in + +{ + options.crans.monitoring = { + enable = mkEnableOption "Monitoring prometheus de la machine."; nginx = { - enable = config.services.nginx.enable; - port = 9117; - scrapeUri = "http://[::1]:6424/stub_status"; + enable = mkOption { + type = types.bool; + default = config.services.nginx.enable; + example = true; + description = "Monitoring de Nginx par prometheus."; + }; + }; + }; + + config = mkIf cfg.enable { + services.prometheus.exporters = { + node = { + enable = true; + port = 9100; + + openFirewall = true; + }; + + nginx = { + enable = cfg.nginx.enable; + port = 9117; + scrapeUri = "http://[::1]:6424/stub_status"; + }; }; }; } diff --git a/modules/crans/networking.nix b/modules/crans/networking.nix index 1e3644b..4d9a1e8 100644 --- a/modules/crans/networking.nix +++ b/modules/crans/networking.nix 
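Review bot: `openFirewall = true` on the node exporter opens port 9100 on every interface, and `crans.enable` now turns this module on for all hosts, including those with a public srv address such as neo. Only the Prometheus server needs these metrics, so bind the exporter to the adm address with `listenAddress`, or scope the rule with `firewallFilter = "-i ${config.crans.networking.adm.interface} -p tcp -m tcp --dport 9100";`. On hosts where the firewall stays at its `mkDefault false` the port is reachable regardless, so the bind address is the more dependable control.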
@@ -1,10 +1,216 @@ -{ lib, ... }: +{ lib, config, ... }: + +let + cfg = config.crans.networking; + + inherit (lib) + mkEnableOption + mkIf + mkOption + types + ; +in { - # Les interfaces ne sont pas déclarées ici : elles sont propres à chaque VM. - networking = { - useDHCP = false; - firewall.enable = lib.mkDefault false; - nameservers = [ "172.16.10.128" ]; + options.crans.networking = { + enable = mkEnableOption "Configuration réseaux commune à toutes les machines du Crans."; + + id = mkOption { + type = types.int; + example = "35"; + description = "Le numéro de la VM dans Proxmox (sans le `1` devant)."; + }; + + adm = { + enable = mkEnableOption "Configuration du VLAN adm."; + + interface = mkOption { + type = types.str; + default = "ens18"; + example = "ens20"; + description = "Nom de l'interface réseau sur laquelle est située le VLAN adm."; + }; + }; + + srv = { + enable = mkEnableOption "Configuration du VLAN srv."; + + interface = mkOption { + type = types.str; + default = "ens18"; + example = "ens19"; + description = "Nom de l'interface réseau sur laquelle est située le VLAN srv."; + }; + + ipv4 = mkOption { + type = types.str; + example = "185.230.79.1"; + description = "Adresse IPv4 de la machine."; + }; + }; + + srvNat = { + enable = mkEnableOption "Configuration du VLAN srv-nat."; + + interface = mkOption { + type = types.str; + default = "ens19"; + example = "ens20"; + description = "Nom de l'interface réseau sur laquelle est située le VLAN srv-nat."; + }; + }; + + san = { + enable = mkEnableOption "Configuration du VLAN san."; + + interface = mkOption { + type = types.str; + example = "ens19"; + description = "Nom de l'interface réseau sur laquelle est située le VLAN san."; + }; + }; + }; + + config = mkIf cfg.enable { + networking = + { + useDHCP = false; + firewall.enable = lib.mkDefault false; + nameservers = [ "172.16.10.128" ]; + } + // + # Configuration du VLAN adm + ( + if cfg.adm.enable then + { + interfaces."${cfg.adm.interface}" = { + 
ipv4.addresses = [ + { + address = "172.16.10.1${toString cfg.id}"; + prefixLength = 24; + } + ]; + + ipv6.addresses = [ + { + address = "fd00::10:0:ff:fe01:${toString cfg.id}10"; + prefixLength = 64; + } + ]; + }; + } + else + { } + ) + // + # Configuration du VLAN srv + ( + if cfg.srv.enable then + { + firewall.enable = true; + + interfaces."${cfg.srv.interface}" = { + ipv4 = { + addresses = [ + { + address = cfg.srv.ipv4; + prefixLength = 26; + } + ]; + routes = [ + { + address = "0.0.0.0"; + via = "185.230.79.62"; + prefixLength = 0; + } + ]; + }; + ipv6 = { + addresses = [ + { + address = "2a0c:700:2::ff::fe01:${toString cfg.id}02"; + prefixLength = 64; + } + ]; + routes = [ + { + address = "::"; + via = "2a0c:700:2::ff:fe00:9902"; + prefixLength = 0; + } + ]; + }; + }; + } + else + { } + ) + + // + # Configuration du VLAN srv-nat + ( + if cfg.srvNat.enable then + { + interfaces."${cfg.srvNat.interface}" = { + ipv4 = { + addresses = [ + { + address = "172.16.3.1${toString cfg.id}"; + prefixLength = 24; + } + ]; + routes = [ + { + address = "0.0.0.0"; + via = "172.16.3.99"; + prefixLength = 0; + } + ]; + }; + + ipv6 = { + addresses = [ + { + address = "2a0c:700:3::ff:fe01:${toString cfg.id}03"; + prefixLength = 64; + } + ]; + routes = [ + { + address = "::"; + via = "2a0c:700:3::ff:fe00:9903"; + prefixLength = 0; + } + ]; + }; + }; + } + else + { } + ) + // + # Configuration du VLAN san + ( + if cfg.san.enable then + { + interfaces."${cfg.san.interface}" = { + ipv4.addresses = [ + { + address = "172.16.4.1${toString cfg.id}"; + prefixLength = 24; + } + ]; + + ipv6.addresses = [ + { + address = "fd00::4:0:ff:fe01:${toString cfg.id}10"; + prefixLength = 64; + } + ]; + }; + } + else + { } + ); }; } diff --git a/modules/crans/packages.nix b/modules/crans/packages.nix new file mode 100644 index 0000000..1f2d4cd --- /dev/null +++ b/modules/crans/packages.nix 
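Review bot: The per-VLAN blocks are combined with `//`, which is a shallow update: every block defines `interfaces`, so the last enabled block replaces the whole attribute and the interfaces from earlier blocks are dropped. With the defaults (`adm.enable` on plus `srvNat` or `srv`) the adm interface would get no address, and a host ends up configured differently from what its options say. Combine the blocks with `lib.mkMerge` and one `mkIf` per VLAN so the module system merges `interfaces` and lets `firewall.enable = true` override the `mkDefault false`. Separately, the srv IPv6 address `"2a0c:700:2::ff::fe01:${toString cfg.id}02"` contains `::` twice and is not a valid address; the removed per-host file used `2a0c:700:2::ff:fe01:…`.

```nix
  config = mkIf cfg.enable {
    networking = lib.mkMerge [
      {
        useDHCP = false;
        firewall.enable = lib.mkDefault false;
        nameservers = [ "172.16.10.128" ];
      }

      # Configuration du VLAN adm
      (mkIf cfg.adm.enable {
        # … unchanged: interfaces."${cfg.adm.interface}" addresses …
      })

      # Configuration du VLAN srv
      (mkIf cfg.srv.enable {
        firewall.enable = true;
        # … unchanged: interfaces."${cfg.srv.interface}" addresses and routes,
        #   with the IPv6 address written "2a0c:700:2::ff:fe01:${toString cfg.id}02" …
      })

      # Configuration du VLAN srv-nat
      (mkIf cfg.srvNat.enable {
        # … unchanged: interfaces."${cfg.srvNat.interface}" addresses and routes …
      })

      # Configuration du VLAN san
      (mkIf cfg.san.enable {
        # … unchanged: interfaces."${cfg.san.interface}" addresses …
      })
    ];
  };
```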
@@ -0,0 +1,21 @@ +{ pkgs, ... }: + +{ + programs.git.enable = true; + programs.htop.enable = true; + programs.neovim.enable = true; + programs.screen.enable = true; + programs.tmux.enable = true; + programs.vim.enable = true; + + environment.systemPackages = with pkgs; [ + bat + coreutils-full + fd + helix + inetutils + nfs-utils + ripgrep + shelldap + ]; +} diff --git a/modules/crans/restic_client.nix b/modules/crans/restic_client.nix index d99c252..920c2ec 100644 --- a/modules/crans/restic_client.nix +++ b/modules/crans/restic_client.nix 
@@ -1,36 +1,74 @@ -{ config, ... }: +{ config, lib, ... }: + +let + cfg = config.crans.resticClient; + + inherit (lib) + mkEnableOption + mkIf + mkOption + types + ; +in { - age.secrets = { - restic-base-env.file = ../../secrets/restic/client_env.age; - restic-base-repo.file = ../../secrets/restic/${config.networking.hostName}/base-repo.age; - restic-base-password.file = ../../secrets/restic/${config.networking.hostName}/base-password.age; + options.crans.resticClient = { + enable = mkEnableOption "Configuration générale pour le client restic."; + + additionalPaths = mkOption { + type = types.listOf types.path; + default = [ ]; + example = [ "/backup" ]; + description = "Chemins à backuper en plus de ceux par défaut."; + }; + + additionalExcludes = mkOption { + type = types.listOf types.path; + default = [ ]; + example = [ "/var/lib//cache" ]; + description = "Chemins à exclure des backups en plus de ceux par défaut."; + }; + + when = mkOption { + type = types.str; + default = "00:00"; + example = "05:42"; + description = "À quelle heure faire les backups."; + }; }; - services.restic.backups = { - base = { - exclude = [ - "/var/cache" - "/var/lib/lxcfs" - ]; - initialize = true; - passwordFile = config.age.secrets.restic-base-password.path; - repositoryFile = config.age.secrets.restic-base-repo.path; - environmentFile = config.age.secrets.restic-base-env.path; - paths = [ - "/etc" - "/var" - ]; - timerConfig = { - OnCalendar = "00:00"; - RandomizedDelaySec = "6h"; + config = mkIf cfg.enable { + age.secrets = { + restic-base-env.file = ../../secrets/restic/client_env.age; + restic-base-repo.file = ../../secrets/restic/${config.networking.hostName}/base-repo.age; + restic-base-password.file = ../../secrets/restic/${config.networking.hostName}/base-password.age; + }; + + services.restic.backups = { + base = { + initialize = true; + passwordFile = config.age.secrets.restic-base-password.path; + repositoryFile = config.age.secrets.restic-base-repo.path; + 
environmentFile = config.age.secrets.restic-base-env.path; + paths = [ + "/etc" + "/var" + ] ++ cfg.additionalPaths; + exclude = [ + "/var/cache" + "/var/lib/lxcfs" + ] ++ cfg.additionalExcludes; + timerConfig = { + OnCalendar = cfg.when; + RandomizedDelaySec = "6h"; + }; + pruneOpts = [ + "--keep-daily 2" + "--keep-weekly 2" + "--keep-monthly 2" + "--keep-yearly 1" + ]; }; - pruneOpts = [ - "--keep-daily 2" - "--keep-weekly 2" - "--keep-monthly 2" - "--keep-yearly 1" - ]; }; }; } diff --git a/modules/crans/ssh.nix b/modules/crans/ssh.nix new file mode 100644 index 0000000..3bea073 --- /dev/null +++ b/modules/crans/ssh.nix @@ -0,0 +1,11 @@ +{ ... }: + +{ + services.openssh = { + enable = true; + + settings = { + PermitRootLogin = "yes"; + }; + }; +} diff --git a/modules/crans/users.nix b/modules/crans/users.nix index 1425d94..68e27e4 100644 --- a/modules/crans/users.nix +++ b/modules/crans/users.nix 
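Review bot: `PermitRootLogin = "yes"` in the new `modules/crans/ssh.nix` allows password logins for root on every host that imports the crans module, including those given a public srv address. The root password hash defaults to `secrets/common/root.age`, which is shared by most machines. Prefer `PermitRootLogin = "prohibit-password";` (key-only root), or `"no"` with escalation through the `_nounou` sudo rule. If password root login has to stay for recovery, restrict sshd to the adm interface and add a comment saying why it is needed.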
@@ -1,50 +1,75 @@ { config, lib, ... }: -{ - users = { - mutableUsers = false; +let + cfg = config.crans.users; + inherit (lib) + mkEnableOption + mkOption + types + ; +in + +{ + options.crans.users = { ldap = { - enable = true; - base = "dc=crans,dc=org"; - server = "ldaps://ldap-adm.adm.crans.org/"; - daemon = { - enable = true; - extraConfig = '' - ldap_version 3 - tls_reqcert allow - map passwd loginShell /run/current-system/sw/bin/bash - ''; + enable = mkEnableOption "Authentification par le LDAP adm."; + }; + + root = { + passwordFile = mkOption { + type = types.path; + default = ../../secrets/common/root.age; + example = ../../secrets/apprentix/root.age; + description = "Fichier chiffré par age contenant le mot de passe root."; }; }; }; - security.sudo = { - enable = true; - extraConfig = '' - Defaults passprompt_override - Defaults passprompt="[sudo] mot de passe pour %p sur %h: " - ''; - extraRules = [ - { - groups = [ "_user" ]; - runAs = "root:ALL"; - commands = [ "NOPASSWD:/usr/bin/qm list" ]; - } - { - groups = [ "_nounou" ]; - commands = [ "ALL" ]; - } - ]; - }; + config = { + age.secrets.root-passwd-hash = { + file = cfg.root.passwordFile; + }; - age.secrets.root-passwd-hash = { - file = lib.mkDefault ../../secrets/common/root.age; - }; + users = { + mutableUsers = false; - users.users.root = { - hashedPasswordFile = lib.mkDefault config.age.secrets.root-passwd-hash.path; - }; + users.root = { + hashedPasswordFile = config.age.secrets.root-passwd-hash.path; + }; - services.openssh.settings.PermitRootLogin = "yes"; + ldap = { + enable = cfg.ldap.enable; + base = "dc=crans,dc=org"; + server = "ldaps://ldap-adm.adm.crans.org/"; + daemon = { + enable = true; + extraConfig = '' + ldap_version 3 + tls_reqcert allow + map passwd loginShell /run/current-system/sw/bin/bash + ''; + }; + }; + }; + + security.sudo = { + enable = true; + extraConfig = '' + Defaults passprompt_override + Defaults passprompt="[sudo] mot de passe pour %p sur %h: " + ''; + extraRules 
= [ + { + groups = [ "_user" ]; + runAs = "root:ALL"; + commands = [ "NOPASSWD:/usr/bin/qm list" ]; + } + { + groups = [ "_nounou" ]; + commands = [ "ALL" ]; + } + ]; + }; + }; } diff --git a/modules/crans/virtualisation.nix b/modules/crans/virtualisation.nix new file mode 100644 index 0000000..7018e4a --- /dev/null +++ b/modules/crans/virtualisation.nix @@ -0,0 +1,6 @@ +{ ... }: + +{ + services.qemuGuest.enable = true; + boot.kernelParams = [ "console=ttyS0,115200" ]; +} diff --git a/modules/default.nix b/modules/default.nix index 1515e9b..6a72322 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -3,10 +3,25 @@ { imports = [ ./crans + ./services ]; - nix.settings.experimental-features = [ - "flakes" - "nix-command" - ]; + nix = { + settings = { + experimental-features = [ + "flakes" + "nix-command" + ]; + auto-optimise-store = true; + }; + }; + + nixpkgs.config = { + allowUnfree = true; + }; + + boot.tmp = { + useTmpfs = true; + cleanOnBoot = true; + }; } diff --git a/modules/services/default.nix b/modules/services/default.nix new file mode 100644 index 0000000..d8147ea --- /dev/null +++ b/modules/services/default.nix @@ -0,0 +1,5 @@ +{ ... }: + +{ + +} From 2136a2a1b205cfbeea6c914a691b856063efd36a Mon Sep 17 00:00:00 2001 
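Review bot: `tls_reqcert allow` in the nslcd `extraConfig` of `modules/crans/users.nix` lets the session proceed when the server certificate is missing or fails verification. The `ldaps://ldap-adm.adm.crans.org/` connection used for account lookups is therefore not protected against an impersonated directory server. Use `tls_reqcert demand` together with `tls_cacertfile <CA_BUNDLE_PATH>` pointing at the CA that signs the LDAP server certificate. The line was carried over from the old file, so this refactor is a good point to tighten it.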
From: RatCornu Date: Sun, 8 Jun 2025 17:02:08 +0200 Subject: [PATCH 23/41] Simplification de secrets.nix --- secrets.nix | 119 +++++++++++++++-------------------- secrets/acme/.gitkeep | 0 secrets/apprentix/.gitkeep | 0 secrets/cephiroth/.gitkeep | 0 secrets/common/.gitkeep | 0 secrets/jitsi/.gitkeep | 0 secrets/livre/.gitkeep | 0 secrets/neo/.gitkeep | 0 secrets/redite/.gitkeep | 0 secrets/restic/.gitkeep | 0 secrets/thot/.gitkeep | 0 secrets/two/.gitkeep | 0 secrets/vaultwarden/.gitkeep | 0 13 files changed, 51 insertions(+), 68 deletions(-) create mode 100644 secrets/acme/.gitkeep create mode 100644 secrets/apprentix/.gitkeep create mode 100644 secrets/cephiroth/.gitkeep create mode 100644 secrets/common/.gitkeep create mode 100644 secrets/jitsi/.gitkeep create mode 100644 secrets/livre/.gitkeep create mode 100644 secrets/neo/.gitkeep create mode 100644 secrets/redite/.gitkeep create mode 100644 secrets/restic/.gitkeep create mode 100644 secrets/thot/.gitkeep create mode 100644 secrets/two/.gitkeep create mode 100644 secrets/vaultwarden/.gitkeep diff --git a/secrets.nix b/secrets.nix index b2665f4..7957792 100644 --- a/secrets.nix +++ b/secrets.nix @@ -1,4 +1,11 @@ let + inherit (import { }) lib; + inherit (lib) + attrsets + filesystem + lists + path + ; # Nounous aeltheos_0 = "age1yubikey1qvn7t9hplvnr2w8nsfezfqudz8gq3v8sq99dkdpzmm4a74rng5qgz4v6wzt"; 
@@ -21,80 +28,52 @@ let # Machines - apprentix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCJV6jqQWEYuwi+OJ9r/4TbBN/cK9NvYWNiJhpFzcc7 root@apprentix"; - cephiroth = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOsBGkhiu6l3jeo15cQHMu3dPyL025zXPV2ZH02EDYEt root@nixos"; - jitsi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB6jVMIZ5y2oXX9HOkw7r5UUjw95MlFaFuu7FnEC0Q8z root@jitsi"; - livre = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVfKNokHG6ig32hhQxTep+fKFmKahlDClPrX/dP4/gb root@livre"; - neo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGfSvxqC2PJYRrxJaivVDujwlwCZ6AwH8hOSA9ktZ1V root@neo"; - redite = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwfVmR3NjZf6qkDlTSiyo39Up5nSNUVW7jYDWXrY8Xr root@redite"; - thot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKNg1b8ft1L55+joXQ/7Dt2QTOdkea8opTEnq4xrhPU root@thot"; - two = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpaGf8A+XWXBdNrs69RiC0qPbjPHdtkl31OjxrktmF6 root@nixos"; - vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICn6vfDlsZVU6TEWg9vTgq9+Fp3irHjytBTky7A4ErRM root@vaultwarden"; - hosts = { - inherit - apprentix - cephiroth - jitsi - livre - neo - redite - thot - two - vaultwarden - ; + apprentix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCJV6jqQWEYuwi+OJ9r/4TbBN/cK9NvYWNiJhpFzcc7 root@apprentix"; + cephiroth = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOsBGkhiu6l3jeo15cQHMu3dPyL025zXPV2ZH02EDYEt root@nixos"; + jitsi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB6jVMIZ5y2oXX9HOkw7r5UUjw95MlFaFuu7FnEC0Q8z root@jitsi"; + livre = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVfKNokHG6ig32hhQxTep+fKFmKahlDClPrX/dP4/gb root@livre"; + neo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGfSvxqC2PJYRrxJaivVDujwlwCZ6AwH8hOSA9ktZ1V root@neo"; + redite = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwfVmR3NjZf6qkDlTSiyo39Up5nSNUVW7jYDWXrY8Xr root@redite"; + thot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKNg1b8ft1L55+joXQ/7Dt2QTOdkea8opTEnq4xrhPU root@thot"; + two = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpaGf8A+XWXBdNrs69RiC0qPbjPHdtkl31OjxrktmF6 root@nixos"; + vaultwarden = "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAICn6vfDlsZVU6TEWg9vTgq9+Fp3irHjytBTky7A4ErRM root@vaultwarden"; }; - hostnames = [ - "apprentix" - "cephiroth" - "jitsi" - "livre" - "neo" - "redite" - "thot" - "two" - "vaultwarden" - ]; + hostnames = attrsets.mapAttrsToList (host: _: host) hosts; # Groupes - all = [ - apprentix - cephiroth - jitsi - livre - neo - thot - two - vaultwarden - ]; + all = attrsets.mapAttrsToList (_: key: key) hosts; acme = [ - jitsi - neo + hosts.jitsi + hosts.neo ]; - # Secrets - - commonSecrets = [ "restic/client_env" ]; - - acmeSecrets = [ "acme/env" ]; - # Fonctions utilitaires - remove = el: list: builtins.filter (x: el != x) list; + listFilesRelative = dir: map (p: path.removePrefix ./. p) (filesystem.listFilesRecursive dir); genAttrs = paths: groups: - builtins.foldl' ( - acc: secret: acc // { "secrets/${secret}.age".publicKeys = groups ++ nounous; } - ) { } paths; + builtins.foldl' (acc: secret: acc // { "${secret}".publicKeys = groups ++ nounous; }) { } paths; + + # Secrets + + commonSecrets = (listFilesRelative ./secrets/common) ++ [ + "./secrets/restic/client_env" + ]; + + acmeSecrets = listFilesRelative ./secrets/acme; in -(genAttrs commonSecrets (remove apprentix all)) +# Secrets communs à toutes les machines (sauf apprentix) +(genAttrs commonSecrets (lists.remove hosts.apprentix all)) +# Secrets pour ACME // (genAttrs acmeSecrets acme) +# Secrets pour restic // builtins.foldl' ( acc: name: acc 
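Review bot: The hand-written rule keys lost their `.age` suffix: `genAttrs` used to emit `"secrets/${secret}.age"` and now emits `"${secret}"`, so `"./secrets/restic/client_env"` (and the `base-repo` / `base-password` entries in the next hunk) no longer name the files the modules reference, such as `secrets/restic/client_env.age`. Append `.age` to those literals. `listFilesRecursive` will also pick up the `.gitkeep` files this commit adds, so filter the listing, e.g. `builtins.filter (lib.hasSuffix ".age") (listFilesRelative dir)`. `all` is now derived from every entry of `hosts`, which adds redite to the recipients of the common secrets (the old list omitted it); if that is intended, say so in the commit message, since it changes who can decrypt.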
@@ -104,19 +83,23 @@ in in genAttrs [ - "restic/${name}/base-repo" - "restic/${name}/base-password" + "./secrets/restic/${name}/base-repo" + "./secrets/restic/${name}/base-password" ] [ key ] ) -) { } (remove "thot" hostnames) -// builtins.mapAttrs (name: value: { publicKeys = value.publicKeys ++ nounous; }) { - "secrets/apprentix/root.age".publicKeys = [ apprentix ]; - "secrets/common/root.age".publicKeys = remove apprentix all; - "secrets/neo/appservice_irc_db_env.age".publicKeys = [ neo ]; - "secrets/neo/coturn_auth_secret.age".publicKeys = [ neo ]; - "secrets/neo/database_extra_config.age".publicKeys = [ neo ]; - "secrets/neo/note_oidc_extra_config.age".publicKeys = [ neo ]; - "secrets/neo/ldap_synapse_password.age".publicKeys = [ neo ]; - "secrets/vaultwarden/env.age".publicKeys = [ vaultwarden ]; -} +) { } (lists.remove "thot" hostnames) +// attrsets.foldlAttrs ( + outacc: host: key: + let + secrets = listFilesRelative (path.append ./secrets host); + in + outacc + // builtins.foldl' ( + acc: secret: + acc + // { + "${secret}".publicKeys = [ key ] ++ nounous; + } + ) { } secrets +) { } hosts diff --git a/secrets/acme/.gitkeep b/secrets/acme/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/secrets/apprentix/.gitkeep b/secrets/apprentix/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/secrets/cephiroth/.gitkeep b/secrets/cephiroth/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/secrets/common/.gitkeep b/secrets/common/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/secrets/jitsi/.gitkeep b/secrets/jitsi/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/secrets/livre/.gitkeep b/secrets/livre/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/secrets/neo/.gitkeep b/secrets/neo/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/secrets/redite/.gitkeep b/secrets/redite/.gitkeep new file mode 100644 index 0000000..e69de29 
diff --git a/secrets/restic/.gitkeep b/secrets/restic/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/secrets/thot/.gitkeep b/secrets/thot/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/secrets/two/.gitkeep b/secrets/two/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/secrets/vaultwarden/.gitkeep b/secrets/vaultwarden/.gitkeep new file mode 100644 index 0000000..e69de29 From ef566ac562f3909b43ae9dd5714e4ed0feb94b9c Mon Sep 17 00:00:00 2001 From: RatCornu Date: Sun, 22 Jun 2025 15:59:26 +0200 Subject: [PATCH 24/41] Commentaires PR --- modules/crans/networking.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/crans/networking.nix b/modules/crans/networking.nix index 4d9a1e8..ca183cf 100644 --- a/modules/crans/networking.nix +++ b/modules/crans/networking.nix @@ -16,7 +16,7 @@ in enable = mkEnableOption "Configuration réseaux commune à toutes les machines du Crans."; id = mkOption { - type = types.int; + type = types.str; example = "35"; description = "Le numéro de la VM dans Proxmox (sans le `1` devant)."; }; @@ -203,7 +203,7 @@ in ipv6.addresses = [ { - address = "fd00::4:0:ff:fe01:${toString cfg.id}10"; + address = "fd00::4:0:ff:fe01:${toString cfg.id}04"; prefixLength = 64; } ]; From f8bb89c39d3f069160bacde06ddbda4ab1ac4e21 Mon Sep 17 00:00:00 2001 From: RatCornu Date: Sun, 22 Jun 2025 16:09:07 +0200 Subject: [PATCH 25/41] =?UTF-8?q?Mise=20=C3=A0=20jour=20hosts/vm/README.md?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- hosts/vm/README.md | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/hosts/vm/README.md b/hosts/vm/README.md index 58279f3..85e788b 100644 --- a/hosts/vm/README.md +++ b/hosts/vm/README.md 
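Review bot: `types.str` accepts any string for `id`, but the value is spliced directly into IPv4 and IPv6 addresses (`172.16.10.1${toString cfg.id}`, `…:fe01:${toString cfg.id}04`), so a typo produces a malformed or wrong address that only shows up at activation. If ids are always two digits, as on the hosts in this series, constrain the option at evaluation time with `type = types.strMatching "[0-9]{2}";`. The `toString` calls are redundant now that the option is a string.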
@@ -2,14 +2,30 @@ Voici la liste des machines virtuelles sur NixOS ainsi que leur utilisation (par ordre alphabétique). +## apprentix + +Machine des apprenti⋅e⋅s sous NixOS. Toustes les apprenti⋅e⋅s ont le droit de sudo (les home-nounous ne sont donc pas montés). + +## jitsi + +Serveur jitsi (vidéoconférence), accessible à . + +## livre + +Serveur stirling (manipulation de PDF). + ## neo -Serveur Matrix (encore non déployé). +Serveur Matrix et bridge IRC <-> Matrix. ## redite -Serveur libreddit, accessible à https://redite.crans.org. +Serveur redlib (client WEB alternatif pour Reddit), accessible à . ## two -Serveur NixOS de test. Vous pouvez vous en servir comme base pour la configuration d'une nouvelle machine. \ No newline at end of file +Serveur NixOS de test. Vous pouvez vous en servir comme base pour la configuration d'une nouvelle machine. + +## vaultwarden + +Serveur vaultwarden (gestionnaire de mots de passe), accessible à . From 997d665535fc026caab670111354cad46056debe Mon Sep 17 00:00:00 2001 
From: RatCornu Date: Sun, 22 Jun 2025 18:25:08 +0200 Subject: [PATCH 26/41] =?UTF-8?q?Factorisation=20et=20d=C3=A9placements=20?= =?UTF-8?q?services?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- flake.nix | 5 - hosts/physiques/thot/default.nix | 12 +- hosts/physiques/thot/nginx.nix | 15 ++ hosts/vm/README.md | 2 +- hosts/vm/apprentix/default.nix | 2 +- hosts/vm/jitsi/default.nix | 10 +- hosts/vm/jitsi/hardware-configuration.nix | 30 ++-- hosts/vm/jitsi/jitsi.nix | 26 ++++ hosts/vm/livre/default.nix | 16 +- hosts/vm/livre/hardware-configuration.nix | 32 ++-- .../services => hosts/vm/livre}/stirling.nix | 12 ++ hosts/vm/neo/default.nix | 13 +- .../vm/neo}/matrix-appservice-irc.nix | 9 +- {modules/services => hosts/vm/neo}/matrix.nix | 17 +- hosts/vm/neo/synapse-admin.nix | 29 ++++ hosts/vm/redite/default.nix | 5 +- .../vm/redite/redlib.nix | 2 +- hosts/vm/two/default.nix | 2 +- hosts/vm/vaultwarden/default.nix | 5 +- .../vm/vaultwarden/hardware-configuration.nix | 31 ++-- .../vm/vaultwarden}/vaultwarden.nix | 23 +-- modules/README.md | 2 +- modules/crans/README.md | 36 ++++- modules/crans/networking.nix | 14 +- modules/services/acme.nix | 42 +++-- modules/services/coturn.nix | 147 +++++++++++------- modules/services/default.nix | 7 +- modules/services/jitsi.nix | 44 ------ modules/services/nginx.nix | 6 +- modules/services/restic.nix | 45 ++++-- modules/services/synapse-admin.nix | 28 ---- 31 files changed, 405 insertions(+), 264 deletions(-) create mode 100644 hosts/physiques/thot/nginx.nix create mode 100644 hosts/vm/jitsi/jitsi.nix rename {modules/services => hosts/vm/livre}/stirling.nix (50%) rename {modules/services => hosts/vm/neo}/matrix-appservice-irc.nix (99%) rename {modules/services => hosts/vm/neo}/matrix.nix (92%) create mode 100644 hosts/vm/neo/synapse-admin.nix rename modules/services/libreddit.nix => hosts/vm/redite/redlib.nix (75%) rename {modules/services => hosts/vm/vaultwarden}/vaultwarden.nix 
(64%) delete mode 100644 modules/services/jitsi.nix delete mode 100644 modules/services/synapse-admin.nix diff --git a/flake.nix b/flake.nix index 5ae51e2..c212442 100644 --- a/flake.nix +++ b/flake.nix @@ -85,11 +85,6 @@ perSystem = { config, pkgs, ... }: { - treefmt = { - projectRootFile = "flake.nix"; - programs.nixpkgs-fmt.enable = true; - }; - devShells = { default = pkgs.callPackage ./devshells/default.nix { inherit (inputs) agenix; }; }; diff --git a/hosts/physiques/thot/default.nix b/hosts/physiques/thot/default.nix index 6caac2d..ba780fa 100644 --- a/hosts/physiques/thot/default.nix +++ b/hosts/physiques/thot/default.nix @@ -4,10 +4,7 @@ imports = [ ./hardware-configuration.nix ./networking.nix - - ../../../modules - ../../../modules/services/nginx.nix - ../../../modules/services/restic.nix + ./nginx.nix ]; networking.hostId = "bbdd1133"; @@ -44,6 +41,13 @@ networking.adm.enable = false; resticClient.enable = false; + + services = { + resticServer = { + enable = true; + port = 4242; + }; + }; }; system.stateVersion = "24.05"; diff --git a/hosts/physiques/thot/nginx.nix b/hosts/physiques/thot/nginx.nix new file mode 100644 index 0000000..aa721d0 --- /dev/null +++ b/hosts/physiques/thot/nginx.nix @@ -0,0 +1,15 @@ +{ config, ... }: + +{ + services.nginx = { + enable = true; + + virtualHosts = { + "${config.networking.hostName}.adm.crans.org" = { + locations."/" = { + proxyPass = "http://${config.services.restic.server.listenAddress}"; + }; + }; + }; + }; +} diff --git a/hosts/vm/README.md b/hosts/vm/README.md index 85e788b..a0a6fc4 100644 --- a/hosts/vm/README.md +++ b/hosts/vm/README.md @@ -16,7 +16,7 @@ Serveur stirling (manipulation de PDF). ## neo -Serveur Matrix et bridge IRC <-> Matrix. +Serveur Matrix, bridge IRC <-> Matrix et interface admin pour synapse, accessible à . ## redite diff --git a/hosts/vm/apprentix/default.nix b/hosts/vm/apprentix/default.nix index 6feeef0..da714e4 100644 --- a/hosts/vm/apprentix/default.nix 
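Review bot: The new vhost in `hosts/physiques/thot/nginx.nix` serves the restic server over plain HTTP only: no `forceSSL`, `enableACME` or certificate options are set, so any REST-server credentials that clients send travel unencrypted on the adm network. If the listener is meant to be internal-only, state that in a comment and bind nginx to the adm address; otherwise add TLS to the vhost. Also confirm that `config.services.restic.server.listenAddress` is a full `host:port`, because a bare port or `:4242` would make `proxyPass` an invalid upstream URL (the resticServer module is not visible here).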
+++ b/hosts/vm/apprentix/default.nix @@ -13,7 +13,7 @@ enable = true; networking = { - id = 50; + id = "50"; srvNat.enable = true; }; diff --git a/hosts/vm/jitsi/default.nix b/hosts/vm/jitsi/default.nix index db3f4f1..9a78eea 100644 --- a/hosts/vm/jitsi/default.nix +++ b/hosts/vm/jitsi/default.nix @@ -3,9 +3,7 @@ { imports = [ ./hardware-configuration.nix - - ../../../modules/services/jitsi.nix - ../../../modules/services/acme.nix + ./jitsi.nix ]; networking.hostName = "jitsi"; @@ -15,12 +13,16 @@ enable = true; networking = { - id = 63; + id = "63"; srv = { enable = true; ipv4 = "185.230.79.15"; }; }; + + services = { + acme.enable = true; + }; }; system.stateVersion = "24.11"; diff --git a/hosts/vm/jitsi/hardware-configuration.nix b/hosts/vm/jitsi/hardware-configuration.nix index 8bc6d1b..15779d2 100644 --- a/hosts/vm/jitsi/hardware-configuration.nix +++ b/hosts/vm/jitsi/hardware-configuration.nix @@ -1,22 +1,34 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "sr_mod" + "virtio_blk" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/66101184-15ad-4859-addf-95040bac1145"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/66101184-15ad-4859-addf-95040bac1145"; + fsType = "ext4"; + }; swapDevices = [ ]; 
diff --git a/hosts/vm/jitsi/jitsi.nix b/hosts/vm/jitsi/jitsi.nix new file mode 100644 index 0000000..71f46a1 --- /dev/null +++ b/hosts/vm/jitsi/jitsi.nix @@ -0,0 +1,26 @@ +{ ... }: + +{ + services.jitsi-meet = { + enable = true; + hostName = "jitsi.crans.org"; + + config = { + liveStreaming.enabled = true; + }; + }; + + services.jitsi-videobridge = { + enable = true; + openFirewall = true; + }; + + services.prometheus.exporters.jitsi = { + enable = true; + port = 9700; + }; + + nixpkgs.config.permittedInsecurePackages = [ + "jitsi-meet-1.0.8043" + ]; +} diff --git a/hosts/vm/livre/default.nix b/hosts/vm/livre/default.nix index bdee797..abeded5 100644 --- a/hosts/vm/livre/default.nix +++ b/hosts/vm/livre/default.nix @@ -1,11 +1,9 @@ -{ config, ... }: +{ ... }: { imports = [ ./hardware-configuration.nix - - ../../../modules/services/nginx.nix - ../../../modules/services/stirling.nix + ./stirling.nix ]; networking.hostName = "livre"; @@ -15,18 +13,10 @@ enable = true; networking = { - id = 40; + id = "40"; srvNat.enable = true; }; }; - services.nginx.virtualHosts = { - "pdf.crans.org" = { - locations."/" = { - proxyPass = "http://localhost:${toString config.services.stirling-pdf.environment.SERVER_PORT}"; - }; - }; - }; - system.stateVersion = "24.11"; } diff --git a/hosts/vm/livre/hardware-configuration.nix b/hosts/vm/livre/hardware-configuration.nix index 66ff281..04493d3 100644 --- a/hosts/vm/livre/hardware-configuration.nix +++ b/hosts/vm/livre/hardware-configuration.nix 
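Review bot: `nixpkgs.config.permittedInsecurePackages = [ "jitsi-meet-1.0.8043" ];` in `hosts/vm/jitsi/jitsi.nix` permits a package that nixpkgs has flagged as insecure, on a host with a public srv address, with no record of why. Add a comment naming the advisory or nixpkgs issue behind the flag and the condition for removing the entry, e.g. `# TODO(review): <reason jitsi-meet is marked insecure>; remove once nixpkgs ships a fixed version`. The jitsi prometheus exporter on port 9700 sets no `openFirewall` while this host runs with the firewall enabled through `srv`, so confirm whether the scrape path is meant to be closed.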
@@ -1,22 +1,35 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/9fed1492-e7b2-4ec2-a5f4-8825bf8e89a0"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/9fed1492-e7b2-4ec2-a5f4-8825bf8e89a0"; + fsType = "ext4"; + }; swapDevices = [ ]; @@ -30,4 +43,3 @@ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } - diff --git a/modules/services/stirling.nix b/hosts/vm/livre/stirling.nix similarity index 50% rename from modules/services/stirling.nix rename to hosts/vm/livre/stirling.nix index fe958e5..a18fe97 100644 --- a/modules/services/stirling.nix +++ b/hosts/vm/livre/stirling.nix @@ -10,4 +10,16 @@ SYSTEM_DEFAULTLOCALE = "fr-FR"; }; }; + + services.nginx = { + enable = true; + + virtualHosts = { + "pdf.crans.org" = { + locations."/" = { + proxyPass = "http://localhost:${toString config.services.stirling-pdf.environment.SERVER_PORT}"; + }; + }; + }; + }; } diff --git a/hosts/vm/neo/default.nix b/hosts/vm/neo/default.nix index 5b7ff25..53dcee1 100644 --- a/hosts/vm/neo/default.nix +++ b/hosts/vm/neo/default.nix 
@@ -3,9 +3,9 @@ { imports = [ ./hardware-configuration.nix - - ../../../modules/services/matrix.nix - ../../../modules/services/synapse-admin.nix + ./matrix.nix + ./matrix-appservice-irc.nix + ./synapse-admin.nix ]; boot.loader.grub.devices = [ "/dev/sda" ]; @@ -16,12 +16,17 @@ enable = true; networking = { - id = 41; + id = "41"; srv = { enable = true; ipv4 = "185.230.79.5"; }; }; + + services = { + acme.enable = true; + coturn.enable = true; + }; }; system.stateVersion = "24.11"; diff --git a/modules/services/matrix-appservice-irc.nix b/hosts/vm/neo/matrix-appservice-irc.nix similarity index 99% rename from modules/services/matrix-appservice-irc.nix rename to hosts/vm/neo/matrix-appservice-irc.nix index 6352c7c..0540c42 100644 --- a/modules/services/matrix-appservice-irc.nix +++ b/hosts/vm/neo/matrix-appservice-irc.nix @@ -1,7 +1,8 @@ -{ config -, pkgs -, lib -, ... +{ + config, + pkgs, + lib, + ... }: let diff --git a/modules/services/matrix.nix b/hosts/vm/neo/matrix.nix similarity index 92% rename from modules/services/matrix.nix rename to hosts/vm/neo/matrix.nix index f360537..5345f8e 100644 --- a/modules/services/matrix.nix +++ b/hosts/vm/neo/matrix.nix 
@@ -1,35 +1,28 @@ { config, ... }: { - imports = [ - ./acme.nix - ./coturn.nix - ./matrix-appservice-irc.nix - ./nginx.nix - ]; - age.secrets = { ldap_synapse_password = { - file = ../../secrets/neo/ldap_synapse_password.age; + file = ../../../secrets/neo/ldap_synapse_password.age; owner = "matrix-synapse"; }; database_extra_config = { - file = ../../secrets/neo/database_extra_config.age; + file = ../../../secrets/neo/database_extra_config.age; owner = "matrix-synapse"; }; note_oidc_extra_config = { - file = ../../secrets/neo/note_oidc_extra_config.age; + file = ../../../secrets/neo/note_oidc_extra_config.age; owner = "matrix-synapse"; }; appservice_irc_db_env = { - file = ../../secrets/neo/appservice_irc_db_env.age; + file = ../../../secrets/neo/appservice_irc_db_env.age; }; coturn_auth_secret = { - file = ../../secrets/neo/coturn_auth_secret.age; + file = ../../../secrets/neo/coturn_auth_secret.age; owner = "turnserver"; }; }; diff --git a/hosts/vm/neo/synapse-admin.nix b/hosts/vm/neo/synapse-admin.nix new file mode 100644 index 0000000..193b29b --- /dev/null +++ b/hosts/vm/neo/synapse-admin.nix @@ -0,0 +1,29 @@ +{ pkgs, ... }: + +let + synapse-admin_over = pkgs.synapse-admin-etkecc.overrideAttrs (_: { + yarnBuildFlags = "--base=/admin"; + }); + synapse-admin = synapse-admin_over.withConfig { + restrictBaseUrl = [ + "https://matrix.crans.org" + ]; + asManagedUsers = [ + "^@ircbot:crans\\.org$" + ]; + }; +in +{ + services.nginx = { + enable = true; + + virtualHosts = { + "matrix.crans.org" = { + locations."/admin/".alias = synapse-admin + "/"; + locations."=/admin".extraConfig = '' + return 301 /admin/; + ''; + }; + }; + }; +} diff --git a/hosts/vm/redite/default.nix b/hosts/vm/redite/default.nix index 12a85a3..481bc0c 100644 --- a/hosts/vm/redite/default.nix +++ b/hosts/vm/redite/default.nix @@ -3,8 +3,7 @@ { imports = [ ./hardware-configuration.nix - - ../../../modules/services/libreddit.nix + ./redlib.nix ]; networking.hostName = "redite"; 
@@ -14,7 +13,7 @@ enable = true; networking = { - id = 39; + id = "39"; srvNat.enable = true; }; }; diff --git a/modules/services/libreddit.nix b/hosts/vm/redite/redlib.nix similarity index 75% rename from modules/services/libreddit.nix rename to hosts/vm/redite/redlib.nix index 35157b7..e569cf6 100644 --- a/modules/services/libreddit.nix +++ b/hosts/vm/redite/redlib.nix @@ -1,7 +1,7 @@ { ... }: { - services.libreddit = { + services.redlib = { openFirewall = true; port = 80; enable = true; diff --git a/hosts/vm/two/default.nix b/hosts/vm/two/default.nix index c1758e0..70bf30b 100644 --- a/hosts/vm/two/default.nix +++ b/hosts/vm/two/default.nix @@ -12,7 +12,7 @@ enable = true; networking = { - id = 35; + id = "35"; srvNat = { enable = true; interface = "ens19"; diff --git a/hosts/vm/vaultwarden/default.nix b/hosts/vm/vaultwarden/default.nix index e231698..f63b05e 100644 --- a/hosts/vm/vaultwarden/default.nix +++ b/hosts/vm/vaultwarden/default.nix @@ -3,8 +3,7 @@ { imports = [ ./hardware-configuration.nix - - ../../../modules/services/vaultwarden.nix + ./vaultwarden.nix ]; networking.hostName = "vaultwarden"; @@ -14,7 +13,7 @@ enable = true; networking = { - id = 59; + id = "59"; srvNat.enable = true; }; }; diff --git a/hosts/vm/vaultwarden/hardware-configuration.nix b/hosts/vm/vaultwarden/hardware-configuration.nix index 9b113d6..3854e59 100644 --- a/hosts/vm/vaultwarden/hardware-configuration.nix +++ b/hosts/vm/vaultwarden/hardware-configuration.nix 
@@ -1,22 +1,35 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/c97aeccd-b88a-407e-a08d-f821a3f34936"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/c97aeccd-b88a-407e-a08d-f821a3f34936"; + fsType = "ext4"; + }; swapDevices = [ ]; diff --git a/modules/services/vaultwarden.nix b/hosts/vm/vaultwarden/vaultwarden.nix similarity index 64% rename from modules/services/vaultwarden.nix rename to hosts/vm/vaultwarden/vaultwarden.nix index 4cb76a3..a8bf1fa 100644 --- a/modules/services/vaultwarden.nix +++ b/hosts/vm/vaultwarden/vaultwarden.nix @@ -1,13 +1,9 @@ { config, lib, ... }: { - imports = [ - ./nginx.nix - ]; - age.secrets = { - env = { - file = ../../secrets/vaultwarden/env.age; + vaultwarden-env = { + file = ../../../secrets/vaultwarden/env.age; }; }; @@ -15,12 +11,13 @@ enable = true; dbBackend = "postgresql"; - environmentFile = config.age.secrets.env.path; + environmentFile = config.age.secrets.vaultwarden-env.path; config = { ROCKET_PORT = 8222; SENDMAIL_COMMAND = "${config.security.wrapperDir}/sendmail"; }; }; + users.users.vaultwarden.extraGroups = [ "nullmailer" ]; systemd.services.vaultwarden = { 
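Review bot: The `config` block of `services.vaultwarden` in the second hunk of `vaultwarden.nix` (`@@ -15,12 +11,13 @@`) sets `ROCKET_PORT = 8222` but no `ROCKET_ADDRESS`, so the listen address is whatever the service defaults to. nginx on the same host is the intended entry point (`proxyPass` to `localhost`), and `modules/crans/networking.nix` sets `firewall.enable = lib.mkDefault false`. A non-loopback default would therefore leave port 8222 reachable on the VM's interfaces without passing through the proxy. Pinning it with `ROCKET_ADDRESS = "127.0.0.1";` makes the binding explicit. The enclosing `services.vaultwarden` set opens outside the hunk.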
@@ -37,10 +34,14 @@ }; }; - services.nginx.virtualHosts."vaultwarden.crans.org" = { - locations."/" = { - proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}"; - proxyWebsockets = true; + services.nginx = { + enable = true; + + virtualHosts."vaultwarden.crans.org" = { + locations."/" = { + proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}"; + proxyWebsockets = true; + }; }; }; } diff --git a/modules/README.md b/modules/README.md index fb791c0..9d49acf 100644 --- a/modules/README.md +++ b/modules/README.md @@ -12,4 +12,4 @@ Le dossier [`crans`](crans) contient tous les services/programmes communs à tou ## Services -Le dossier [`services`](services) contient tous les services/programmes utilisés par un nombre restreint de machines. On peut y déclarer deux types de configurations : les configurations directement inscrites car seront toujours utilisées de la même façon, et les configurations mettant en place un système d'options et de configuration générée pour avoir plus de granularités. Cette seconde utilisation est plus complexe à mettre en place et nécessite une meilleure compréhension de `nix`. +Le dossier [`services`](services) contient tous les services/programmes utilisés par un nombre restreint de machines. On y déclare les configurations mettant en place un système d'options et de configuration générée pour avoir plus de granularités. diff --git a/modules/crans/README.md b/modules/crans/README.md index cc78b77..fd9a209 100644 --- a/modules/crans/README.md +++ b/modules/crans/README.md 
@@ -2,9 +2,15 @@ Ce dossier contient tous les modules commun à la majorité des machines virtuelles du Crans. On y retrouve par exemple les utilisateurices, les `home_nounou`, etc. +Ces modules sont présentés sous forme d'option (si besoin), afin de pouvoir contrôler la présence ou l'absence de certains services. + ## `default.nix` -Le fichier [`default.nix`](default.nix), comme tous les autres du même nom, importe tous les autres fichiers du dossier. De plus, il déclare des programmes utiles à avoir en permanence, tels que `ssh`, `git`, `nvim`, ... +Le fichier [`default.nix`](default.nix), comme tous les autres du même nom, importe tous les autres fichiers du dossier. De plus, il déclare des programmes utiles à avoir en permanence, tels que `ssh`, `git`, `nvim`, ... et importe les options par défaut qui sont utile pour la majorité des machines. + +## `age.nix` + +Le fichier [`age.nix`](age.nix) contient la configuration commune d'agenix (voir [`../../secrets/README.md`](../../secrets/README.md)). ## `home.nix` 
@@ -14,18 +20,38 @@ Le fichier [`home.nix`](home.nix) monte les `home_nounou` par NFS à partir de ` Le fichier [`locale.nix`](locale.nix) déclare simplement les locales à utiliser. +## `monitoring.nix` + +Le fichier [`monitoring.nix`] déploie une instance prometheus avec un exporteur node contactable sur le port `9100` par défaut, ainsi qu'un exporteur nginx (si pertinent) sur le port `9117`. + ## `networking.nix` -Le fichier [`networking.nix`](networking.nix) a moins d'utilité que ce à quoi on pourrait s'attendre : comme chaque machine possède sa propre configuration réseau, les seules choses communes à déclarer sont : la non-utilisation de DHCP, la non-utilisation d'un pare-feu par défault ainsi que l'ajout d'un serveur DNS. +Le fichier [`networking.nix`](networking.nix) contient toute la configuration réseau des machines : l'option `crans.networking.id` permet de configurer la majorité du réseau automatiquement (il faut alors déployer interface par interface). ## `ntp.nix` Le fichier [`ntp.nix`](ntp.nix) active simplement le NTP (Network Time Protocol) en ajoutant le serveur `ntp.adm.crans.org` comme serveur de temps. -## `sops.nix` +## `nullmailer.nix` -Le fichier [`sops.nix`](sops.nix) déclare l'utilisation de `sops` dans la configuration (voir [ce `README.md`](../../secrets/README.md) pour plus de détails) et importe la clef publique SSH de la machine pour pouvoir l'utiliser dans la gestion des secrets. +Le fichier [`nullmailer.nix`](nullmailer.nix) déploie un client SMTP sur chaque serveur afin de pouvoir envoyer des mails en le nom du Crans. + +## `packages.nix` + +Le fichier [`packages.nix`](packages.nix) contient la liste des programmes installés par défaut sur les machines du Crans. + +## `restic_client.nix` + +Le fichier [`restic_client`](restic_client.nix) permet de configurer un client restic sur chaque machine pour faire des backups et les envoyer sur le serveur thot. 
+ +## `ssh.nix` + +Le fichier [`ssh.nix`](ssh.nix) contient la configuration SSH pour toutes les machines. ## `users.nix` -Le fichier [`users.nix`](users.nix) configure les `_users` à partir du LDAP d'administration, et configure les droits pour que les `_nounou` aient les accès `sudo`. Il configure également le user `root` en lui donnant son mot de passe haché à travers un fichier `sops`. +Le fichier [`users.nix`](users.nix) configure les `_users` à partir du LDAP d'administration, et configure les droits pour que les `_nounou` aient les accès `sudo`. Il configure également le user `root` en lui donnant son mot de passe haché à travers un fichier `age`. + +## `virtualisation.nix` + +Le fichier [`virtualisation.nix`](virtualisation.nix) contient des paramètres utiles pour la virtualisation (pour les VM en priorité donc). diff --git a/modules/crans/networking.nix b/modules/crans/networking.nix index ca183cf..a376fb2 100644 --- a/modules/crans/networking.nix +++ b/modules/crans/networking.nix @@ -86,14 +86,14 @@ in interfaces."${cfg.adm.interface}" = { ipv4.addresses = [ { - address = "172.16.10.1${toString cfg.id}"; + address = "172.16.10.1${cfg.id}"; prefixLength = 24; } ]; ipv6.addresses = [ { - address = "fd00::10:0:ff:fe01:${toString cfg.id}10"; + address = "fd00::10:0:ff:fe01:${cfg.id}10"; prefixLength = 64; } ]; @@ -128,7 +128,7 @@ in ipv6 = { addresses = [ { - address = "2a0c:700:2::ff::fe01:${toString cfg.id}02"; + address = "2a0c:700:2::ff::fe01:${cfg.id}02"; prefixLength = 64; } ]; @@ -155,7 +155,7 @@ in ipv4 = { addresses = [ { - address = "172.16.3.1${toString cfg.id}"; + address = "172.16.3.1${cfg.id}"; prefixLength = 24; } ]; @@ -171,7 +171,7 @@ in ipv6 = { addresses = [ { - address = "2a0c:700:3::ff:fe01:${toString cfg.id}03"; + address = "2a0c:700:3::ff:fe01:${cfg.id}03"; prefixLength = 64; } ]; 
@@ -196,14 +196,14 @@ in interfaces."${cfg.san.interface}" = { ipv4.addresses = [ { - address = "172.16.4.1${toString cfg.id}"; + address = "172.16.4.1${cfg.id}"; prefixLength = 24; } ]; ipv6.addresses = [ { - address = "fd00::4:0:ff:fe01:${toString cfg.id}04"; + address = "fd00::4:0:ff:fe01:${cfg.id}04"; prefixLength = 64; } ]; diff --git a/modules/services/acme.nix b/modules/services/acme.nix index 236ddb0..1b90021 100644 --- a/modules/services/acme.nix +++ b/modules/services/acme.nix @@ -1,24 +1,36 @@ -{ config, ... }: +{ config, lib, ... }: + +let + cfg = config.crans.services.acme; + + inherit (lib) mkEnableOption mkIf; +in { - age.secrets = { - acme-env.file = ../../secrets/acme/env.age; + options.crans.services.acme = { + enable = mkEnableOption "Activer les certificats ACME via let's encrypt."; }; - security.acme = { - acceptTerms = true; - - defaults = { - email = "root@crans.org"; - dnsPropagationCheck = false; + config = mkIf cfg.enable { + age.secrets = { + acme-env.file = ../../secrets/acme/env.age; }; - certs."crans.org" = { - domain = "*.crans.org"; - dnsProvider = "rfc2136"; - # Contient le serveur à contacter avec le protocole - # et le mot de passe - environmentFile = config.age.secrets.acme-env.path; + security.acme = { + acceptTerms = true; + + defaults = { + email = "root@crans.org"; + dnsPropagationCheck = false; + }; + + certs."crans.org" = { + domain = "*.crans.org"; + dnsProvider = "rfc2136"; + # Contient le serveur à contacter avec le protocole + # et le mot de passe + environmentFile = config.age.secrets.acme-env.path; + }; }; }; } diff --git a/modules/services/coturn.nix b/modules/services/coturn.nix index 8382c11..e1bc36e 100644 --- a/modules/services/coturn.nix +++ b/modules/services/coturn.nix 
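Review bot: The new `crans.services.acme.enable` option in `modules/services/acme.nix` does not document what enabling it places on the host. That is the `acme-env` secret (per the existing comment, the server to contact and its password for the `rfc2136` provider) and the private key of the `*.crans.org` wildcard certificate. Every VM that sets the flag then holds a key valid for any name under the domain, and presumably a DNS update credential as well, so the option text should say this to keep the flag limited to hosts that need it. Separately, `mkEnableOption` prefixes its argument with "Whether to enable", so a noun phrase reads better than a sentence, e.g. `mkEnableOption "les certificats ACME (wildcard *.crans.org, challenge DNS rfc2136)"`.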
@@ -1,59 +1,100 @@ -{ config, ... }: +{ config, lib, ... }: + +let + cfg = config.crans.services.coturn; + + inherit (lib) + mkEnableOption + mkOption + mkIf + types + ; +in { - services.coturn = { - enable = true; - no-cli = true; - no-tcp-relay = true; - min-port = 49000; - max-port = 50000; - use-auth-secret = true; - static-auth-secret-file = config.age.secrets.coturn_auth_secret.path; - realm = "crans.org"; - cert = "/var/lib/acme/crans.org/full.pem"; - pkey = "/var/lib/acme/crans.org/key.pem"; - extraConfig = '' - verbose - no-multicast-peers - denied-peer-ip=0.0.0.0-0.255.255.255 - denied-peer-ip=10.0.0.0-10.255.255.255 - denied-peer-ip=100.64.0.0-100.127.255.255 - denied-peer-ip=127.0.0.0-127.255.255.255 - denied-peer-ip=169.254.0.0-169.254.255.255 - denied-peer-ip=172.16.0.0-172.31.255.255 - denied-peer-ip=192.0.0.0-192.0.0.255 - denied-peer-ip=192.0.2.0-192.0.2.255 - denied-peer-ip=192.88.99.0-192.88.99.255 - denied-peer-ip=192.168.0.0-192.168.255.255 - denied-peer-ip=198.18.0.0-198.19.255.255 - denied-peer-ip=198.51.100.0-198.51.100.255 - denied-peer-ip=203.0.113.0-203.0.113.255 - denied-peer-ip=240.0.0.0-255.255.255.255 - denied-peer-ip=::1 - denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff - denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 - denied-peer-ip=100::-100::ffff:ffff:ffff:ffff - denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff - denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff - ''; + options.crans.services.coturn = { + enable = mkEnableOption "Coturn, un serveur TURN open-source."; + + secretFile = mkOption { + type = types.path; + default = config.age.secrets.coturn_auth_secret.path; + description = "Fichier contenant le secret de configuration du serveur."; + }; + + fqdn = mkOption { + type = types.str; + default = "crans.org"; + description = "Domaine pour lequel le serveur coturn est 
configuré."; + }; + + certFile = mkOption { + type = types.path; + default = "/var/lib/acme/${cfg.fqdn}/full.pem"; + description = "Fichier contenant le certificat associé au FQDN."; + }; + + keyFile = mkOption { + type = types.path; + default = "/var/lib/acme/${cfg.fqdn}/key.pem"; + description = "Fichier contenant la clef associé au FQDN."; + }; }; - networking.firewall = { - allowedTCPPorts = [ - 3478 - 5349 - ]; - allowedUDPPorts = [ - 3478 - 5349 - ]; - allowedUDPPortRanges = [ - { - from = config.services.coturn.min-port; - to = config.services.coturn.max-port; - } - ]; + config = mkIf cfg.enable { + services.coturn = { + enable = true; + no-cli = true; + no-tcp-relay = true; + min-port = 49000; + max-port = 50000; + use-auth-secret = true; + static-auth-secret-file = cfg.secretFile; + realm = cfg.fqdn; + cert = cfg.certFile; + pkey = cfg.keyFile; + extraConfig = '' + verbose + no-multicast-peers + denied-peer-ip=0.0.0.0-0.255.255.255 + denied-peer-ip=10.0.0.0-10.255.255.255 + denied-peer-ip=100.64.0.0-100.127.255.255 + denied-peer-ip=127.0.0.0-127.255.255.255 + denied-peer-ip=169.254.0.0-169.254.255.255 + denied-peer-ip=172.16.0.0-172.31.255.255 + denied-peer-ip=192.0.0.0-192.0.0.255 + denied-peer-ip=192.0.2.0-192.0.2.255 + denied-peer-ip=192.88.99.0-192.88.99.255 + denied-peer-ip=192.168.0.0-192.168.255.255 + denied-peer-ip=198.18.0.0-198.19.255.255 + denied-peer-ip=198.51.100.0-198.51.100.255 + denied-peer-ip=203.0.113.0-203.0.113.255 + denied-peer-ip=240.0.0.0-255.255.255.255 + denied-peer-ip=::1 + denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff + denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255 + denied-peer-ip=100::-100::ffff:ffff:ffff:ffff + denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff + ''; + }; + + networking.firewall = { + allowedTCPPorts = [ + 
3478 + 5349 + ]; + allowedUDPPorts = [ + 3478 + 5349 + ]; + allowedUDPPortRanges = [ + { + from = config.services.coturn.min-port; + to = config.services.coturn.max-port; + } + ]; + }; }; } diff --git a/modules/services/default.nix b/modules/services/default.nix index d8147ea..9c1cafb 100644 --- a/modules/services/default.nix +++ b/modules/services/default.nix @@ -1,5 +1,10 @@ { ... }: { - + imports = [ + ./acme.nix + ./coturn.nix + ./nginx.nix + ./restic.nix + ]; } diff --git a/modules/services/jitsi.nix b/modules/services/jitsi.nix deleted file mode 100644 index 1356890..0000000 --- a/modules/services/jitsi.nix +++ /dev/null @@ -1,44 +0,0 @@ -{ ... }: -{ - # il y a une faille de secu mais c'est pas exploitable - # libolm : https://github.com/NixOS/nixpkgs/pull/334638#issuecomment-2289025802 - nixpkgs.config.permittedInsecurePackages = [ - "jitsi-meet-1.0.8043" - ]; - - - services.jitsi-meet = { - enable = true; - hostName = "jitsi.crans.org"; - - config = { - # vient de l'ancienne config liveStreamingEnable = true - liveStreaming.enabled = true; - }; - }; - - services.jitsi-videobridge = { - enable = true; - - #xmppConfigs."localhost" = { - # port = 5347; - #}; - - openFirewall = true; - }; - - services.jicofo = { - enable = true; - - config = { - xmpp = { - trusted-domains = [ "recoder.jitsi.crans.org" ]; - }; - }; - }; - - services.prometheus.exporters.jitsi = { - enable = true; - }; - -} diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix index e05c89a..b15423d 100644 --- a/modules/services/nginx.nix +++ b/modules/services/nginx.nix @@ -1,9 +1,7 @@ -{ ... }: +{ lib, config, ... }: { - services.nginx = { - enable = true; - + services.nginx = lib.mkIf config.services.nginx.enable { recommendedProxySettings = true; recommendedOptimisation = true; diff --git a/modules/services/restic.nix b/modules/services/restic.nix index 9f0d302..5e6c8dd 100644 --- a/modules/services/restic.nix +++ b/modules/services/restic.nix 
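Review bot: In `modules/services/coturn.nix`, `secretFile`, `certFile` and `keyFile` are declared with `types.path`, which also accepts a Nix path literal. A literal such as `./secret` is copied into the world-readable Nix store as soon as it is coerced to a string. For the auth secret and the TLS key I would use `type = types.str;` so that only a runtime path string can be passed, or at least state the constraint in each `description`. The default of `secretFile` also reads `config.age.secrets.coturn_auth_secret.path`, a secret that this patch declares only in `hosts/vm/neo/matrix.nix`, so enabling the module on a host without that declaration would fail at evaluation. Declaring the `age.secrets` entry in this module, or documenting the requirement, removes the hidden dependency.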
@@ -1,19 +1,42 @@ -{ config, ... }: +{ config, lib, ... }: + +let + cfg = config.crans.services.resticServer; + + inherit (lib) + mkEnableOption + mkIf + mkOption + types + ; +in { - services.restic.server = { - enable = true; + options.crans.services.resticServer = { + enable = mkEnableOption "Serveur de backups restic."; - dataDir = "/backups"; - listenAddress = "localhost:4242"; - privateRepos = true; + dataDir = mkOption { + type = types.path; + default = "/backups"; + example = "/var/backups"; + description = "Dossier dans lequel les backups seront effectuées."; + }; + + port = mkOption { + type = types.int; + default = 8080; + example = 4242; + description = "Port sur lequel le serveur restic écoute."; + }; }; - services.nginx.virtualHosts = { - "${config.networking.hostName}.adm.crans.org" = { - locations."/" = { - proxyPass = "http://${config.services.restic.server.listenAddress}"; - }; + config = mkIf cfg.enable { + services.restic.server = { + enable = true; + + dataDir = cfg.dataDir; + listenAddress = "localhost:${toString cfg.port}"; + privateRepos = true; }; }; } diff --git a/modules/services/synapse-admin.nix b/modules/services/synapse-admin.nix deleted file mode 100644 index 9e2f298..0000000 --- a/modules/services/synapse-admin.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ pkgs, ... }: - -let - synapse-admin_over = pkgs.synapse-admin-etkecc.overrideAttrs (_: { yarnBuildFlags = "--base=/admin"; }); - synapse-admin = synapse-admin_over - .withConfig { - restrictBaseUrl = [ - "https://matrix.crans.org" - ]; - asManagedUsers = [ - "^@ircbot:crans\\.org$" - ]; - }; -in -{ - imports = [ - ./nginx.nix - ]; - - services.nginx.virtualHosts = { - "matrix.crans.org" = { - locations."/admin/".alias = synapse-admin + "/"; - locations."=/admin".extraConfig = '' - return 301 /admin/; - ''; - }; - }; -} From d2ec7cddf1f1373b8a4966efabc64d19001e604b Mon Sep 17 00:00:00 2001 
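Review bot: In `modules/services/restic.nix`, `port` is declared as `types.int`, so a negative or out-of-range number passes evaluation and only fails when the server starts; `type = types.port;` checks the range at evaluation time. The default also moves from the previous hard-coded `localhost:4242` to `8080`. The nginx `virtualHosts` entry that proxied `${config.networking.hostName}.adm.crans.org` to the server is removed, so with `listenAddress` still bound to `localhost` nothing in this module makes the repository reachable any more. If the proxy is now meant to live in the backup server's host configuration (not visible in this patch), the `enable` description should say so.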
From: RatCornu Date: Sun, 22 Jun 2025 18:37:08 +0200 Subject: [PATCH 27/41] Ajout lien pdf.crans.org --- hosts/vm/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/vm/README.md b/hosts/vm/README.md index a0a6fc4..1e4607b 100644 --- a/hosts/vm/README.md +++ b/hosts/vm/README.md @@ -12,7 +12,7 @@ Serveur jitsi (vidéoconférence), accessible à . ## livre -Serveur stirling (manipulation de PDF). +Serveur stirling (manipulation de PDF), accessible à . ## neo From 11c19d92a4cedd2f50634ed3cf6ec42e32e54f07 Mon Sep 17 00:00:00 2001 From: RatCornu Date: Sun, 22 Jun 2025 18:45:06 +0200 Subject: [PATCH 28/41] =?UTF-8?q?Suppression=20horaire=20par=20d=C3=A9faul?= =?UTF-8?q?t=20sur=20le=20client=20restic?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- hosts/vm/apprentix/default.nix | 2 ++ hosts/vm/jitsi/default.nix | 2 ++ hosts/vm/livre/default.nix | 2 ++ hosts/vm/neo/default.nix | 2 ++ hosts/vm/redite/default.nix | 2 ++ hosts/vm/two/default.nix | 2 ++ hosts/vm/vaultwarden/default.nix | 2 ++ modules/crans/restic_client.nix | 1 - 8 files changed, 14 insertions(+), 1 deletion(-) diff --git a/hosts/vm/apprentix/default.nix b/hosts/vm/apprentix/default.nix index da714e4..81e5c14 100644 --- a/hosts/vm/apprentix/default.nix +++ b/hosts/vm/apprentix/default.nix @@ -17,6 +17,8 @@ srvNat.enable = true; }; + resticClient.when = "01:23"; + homeNounou.enable = false; users.root.passwordFile = ../../../secrets/apprentix/root.age; diff --git a/hosts/vm/jitsi/default.nix b/hosts/vm/jitsi/default.nix index 9a78eea..f04f286 100644 --- a/hosts/vm/jitsi/default.nix +++ b/hosts/vm/jitsi/default.nix @@ -20,6 +20,8 @@ }; }; + resticClient.when = "02:34"; + services = { acme.enable = true; }; diff --git a/hosts/vm/livre/default.nix b/hosts/vm/livre/default.nix index abeded5..042d63c 100644 --- a/hosts/vm/livre/default.nix +++ b/hosts/vm/livre/default.nix 
@@ -16,6 +16,8 @@ id = "40"; srvNat.enable = true; }; + + resticClient.when = "03:45"; }; system.stateVersion = "24.11"; diff --git a/hosts/vm/neo/default.nix b/hosts/vm/neo/default.nix index 53dcee1..f845f57 100644 --- a/hosts/vm/neo/default.nix +++ b/hosts/vm/neo/default.nix @@ -23,6 +23,8 @@ }; }; + resticClient.when = "04:56"; + services = { acme.enable = true; coturn.enable = true; diff --git a/hosts/vm/redite/default.nix b/hosts/vm/redite/default.nix index 481bc0c..f4cf49f 100644 --- a/hosts/vm/redite/default.nix +++ b/hosts/vm/redite/default.nix @@ -16,6 +16,8 @@ id = "39"; srvNat.enable = true; }; + + resticClient.when = "06:18"; }; system.stateVersion = "23.11"; diff --git a/hosts/vm/two/default.nix b/hosts/vm/two/default.nix index 70bf30b..b280e43 100644 --- a/hosts/vm/two/default.nix +++ b/hosts/vm/two/default.nix @@ -18,6 +18,8 @@ interface = "ens19"; }; }; + + resticClient.when = "07:29"; }; system.stateVersion = "23.11"; diff --git a/hosts/vm/vaultwarden/default.nix b/hosts/vm/vaultwarden/default.nix index f63b05e..26cfe43 100644 --- a/hosts/vm/vaultwarden/default.nix +++ b/hosts/vm/vaultwarden/default.nix @@ -16,6 +16,8 @@ id = "59"; srvNat.enable = true; }; + + resticClient.when = "04:44"; }; system.stateVersion = "24.05"; diff --git a/modules/crans/restic_client.nix b/modules/crans/restic_client.nix index 920c2ec..b0b3228 100644 --- a/modules/crans/restic_client.nix +++ b/modules/crans/restic_client.nix @@ -31,7 +31,6 @@ in when = mkOption { type = types.str; - default = "00:00"; example = "05:42"; description = "À quelle heure faire les backups."; }; From 259aa15db814ccd6e28a21bf854d44bb4b418e2c Mon Sep 17 00:00:00 2001 From: lzebulon Date: Sun, 22 Jun 2025 18:54:47 +0200 Subject: [PATCH 29/41] Add --no-build to nix flake check (faster CI) --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ccfac76..21dcae4 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -8,4 +8,4 @@ nix-flake-check: timeout: 1h stage: test script: - - nix flake check + - nix flake check --no-build From b2cb4caa6f651f115d81d58f539e33ea96ed2f7e Mon Sep 17 00:00:00 2001 From: lzebulon Date: Sun, 22 Jun 2025 19:26:39 +0200 Subject: [PATCH 30/41] Ajout de -vvv pour voir que quelque chose se passe --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 21dcae4..5fc7339 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -8,4 +8,4 @@ nix-flake-check: timeout: 1h stage: test script: - - nix flake check --no-build + - nix flake check --no-build -vvv From 644216378f64f30dcfb02056b84d2f5fae1b7cbb Mon Sep 17 00:00:00 2001 From: pigeonmoelleux Date: Wed, 25 Jun 2025 16:57:50 +0200 Subject: [PATCH 31/41] =?UTF-8?q?Corrections=20probl=C3=A8mes=20r=C3=A9sea?= =?UTF-8?q?ux?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- modules/crans/networking.nix | 70 +++++++++++++----------------------- 1 file changed, 24 insertions(+), 46 deletions(-) diff --git a/modules/crans/networking.nix b/modules/crans/networking.nix index a376fb2..46e3b17 100644 --- a/modules/crans/networking.nix +++ b/modules/crans/networking.nix @@ -72,18 +72,21 @@ in }; config = mkIf cfg.enable { - networking = - { - useDHCP = false; - firewall.enable = lib.mkDefault false; - nameservers = [ "172.16.10.128" ]; - } - // - # Configuration du VLAN adm - ( - if cfg.adm.enable then - { - interfaces."${cfg.adm.interface}" = { + networking = { + useDHCP = false; + firewall.enable = lib.mkDefault false; + nameservers = [ "172.16.10.128" ]; + + interfaces = + lib.attrsets.mapAttrs' + (interface: conf: { + name = cfg."${interface}".interface; + value = conf; + }) + ( + lib.attrsets.filterAttrs (interface: _: cfg."${interface}".enable) { + # Configuration du VLAN adm + adm = { ipv4.addresses = [ { address = "172.16.10.1${cfg.id}"; 
@@ -98,18 +101,9 @@ in } ]; }; - } - else - { } - ) - // - # Configuration du VLAN srv - ( - if cfg.srv.enable then - { - firewall.enable = true; - interfaces."${cfg.srv.interface}" = { + # Configuration du VLAN srv + srv = { ipv4 = { addresses = [ { @@ -141,17 +135,9 @@ in ]; }; }; - } - else - { } - ) - // - # Configuration du VLAN srv-nat - ( - if cfg.srvNat.enable then - { - interfaces."${cfg.srvNat.interface}" = { + # Configuration du VLAN srv-nat + srvNat = { ipv4 = { addresses = [ { @@ -184,16 +170,9 @@ in ]; }; }; - } - else - { } - ) - // - # Configuration du VLAN san - ( - if cfg.san.enable then - { - interfaces."${cfg.san.interface}" = { + + # Configuration du VLAN san + san = { ipv4.addresses = [ { address = "172.16.4.1${cfg.id}"; @@ -209,8 +188,7 @@ in ]; }; } - else - { } - ); + ); + }; }; } From 6f8c5a7cafdadda9988983c07a53f6858fca447e Mon Sep 17 00:00:00 2001 From: pigeonmoelleux Date: Wed, 25 Jun 2025 17:07:55 +0200 Subject: [PATCH 32/41] Ajout commentaire fonctionnement interfaces --- modules/crans/networking.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/modules/crans/networking.nix b/modules/crans/networking.nix index 46e3b17..0696806 100644 --- a/modules/crans/networking.nix +++ b/modules/crans/networking.nix 
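Review bot: The old `srv` branch removed in the hunk `@@ -98,18 +101,9 @@` set `firewall.enable = true;`, and the rewritten `srv` entry has no equivalent. Hosts on the srv VLAN now fall back to `firewall.enable = lib.mkDefault false` from the first hunk of this file. Elsewhere in this patch series `jitsi` and `neo` enable `srv` with public IPv4 addresses, and their `openFirewall` and `allowedTCPPorts` settings filter nothing while the firewall is off. Unless the firewall is switched on somewhere outside these hunks, I would restore the previous behaviour in the base set with `firewall.enable = lib.mkDefault cfg.srv.enable;`. Parts of the `config = mkIf cfg.enable { … }` block lie between the hunks and are not shown.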
@@ -77,13 +77,21 @@ in firewall.enable = lib.mkDefault false; nameservers = [ "172.16.10.128" ]; + # La configuration des interfaces se fait de la manière suivante : + # elle est écrite de manière générique pour toutes les machines, puis + # on filtre pour ne garder que les interfaces activées. nix fait de + # l'évaluation paresseuse donc ça fonctionne bien ! interfaces = + # On change le nom des interfaces de "adm", "srv", ... pour leur vrai + # nom (on ne le met pas directement pour faire fonctionner le filter + # plus bas). lib.attrsets.mapAttrs' (interface: conf: { name = cfg."${interface}".interface; value = conf; }) ( + # On filtre sur les interfaces activées lib.attrsets.filterAttrs (interface: _: cfg."${interface}".enable) { # Configuration du VLAN adm adm = { From a255229ceb3983b664bbca8e62b76e6ce91ec845 Mon Sep 17 00:00:00 2001 From: pigeonmoelleux Date: Wed, 25 Jun 2025 17:13:40 +0200 Subject: [PATCH 33/41] =?UTF-8?q?Fix=20interface=20par=20d=C3=A9faut=20de?= =?UTF-8?q?=20srv?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- modules/crans/networking.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/crans/networking.nix b/modules/crans/networking.nix index 0696806..97f7c4e 100644 --- a/modules/crans/networking.nix +++ b/modules/crans/networking.nix @@ -37,8 +37,8 @@ in interface = mkOption { type = types.str; - default = "ens18"; - example = "ens19"; + default = "ens19"; + example = "ens20"; description = "Nom de l'interface réseau sur laquelle est située le VLAN srv."; }; From 02ab2c3aecdf95de9824f79f3afd3dbaf614f98b Mon Sep 17 00:00:00 2001 From: pigeonmoelleux Date: Wed, 25 Jun 2025 17:37:21 +0200 Subject: [PATCH 34/41] Correction secrets.nix --- secrets.nix | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/secrets.nix b/secrets.nix index 7957792..702bf51 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -62,7 +62,7 @@ let # Secrets commonSecrets = (listFilesRelative ./secrets/common) ++ [ - "./secrets/restic/client_env" + "./secrets/restic/client_env.age" ]; acmeSecrets = listFilesRelative ./secrets/acme; @@ -74,21 +74,21 @@ in # Secrets pour ACME // (genAttrs acmeSecrets acme) # Secrets pour restic -// builtins.foldl' ( - acc: name: - acc - // ( - let - key = hosts.${name}; - in - genAttrs - [ - "./secrets/restic/${name}/base-repo" - "./secrets/restic/${name}/base-password" - ] - [ key ] - ) -) { } (lists.remove "thot" hostnames) +// attrsets.foldlAttrs ( + outacc: host: key: + let + secrets = listFilesRelative (path.append ./secrets/restic host); + in + outacc + // builtins.foldl' ( + acc: secret: + acc + // { + "${secret}".publicKeys = [ key ] ++ nounous; + } + ) { } secrets +) { } (lib.filterAttrs (host: _: host != "thot" && host != "cephiroth") hosts) +# Secrets spécifiques à chaque VM // attrsets.foldlAttrs ( outacc: host: key: let From 1b0736d17f2005e0f29bef6176f00493f866460b Mon Sep 17 00:00:00 2001 
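Review bot: In the `@@ -74,21 +74,21 @@` hunk the hosts to skip are hard-coded (`host != "thot" && host != "cephiroth"`), while every other entry of `hosts` is passed to `listFilesRelative (path.append ./secrets/restic host)`. A host that has a key in `hosts` but no directory under `secrets/restic` would presumably make `listFilesRecursive` fail and break evaluation of the whole file, so each new machine needs either a directory or another name in this condition. Filtering on the directory as well, e.g. `builtins.pathExists (path.append ./secrets/restic host)`, next to whichever exclusion is deliberate, would remove that coupling, and a short comment saying why these two hosts are excluded would help the next maintainer. The hunk also mixes `lib.filterAttrs` with the inherited `attrsets.` prefix used on the line above it.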
From: pigeonmoelleux Date: Thu, 26 Jun 2025 10:09:49 +0200 Subject: [PATCH 35/41] Rekeying agenix --- secrets.nix | 9 ++- secrets/acme/env.age | Bin 1304 -> 1304 bytes secrets/apprentix/root.age | 36 +++++------ secrets/common/root.age | 62 ++++++++++--------- secrets/neo/appservice_irc_db_env.age | 40 ++++++------ secrets/neo/coturn_auth_secret.age | 38 ++++++------ secrets/neo/database_extra_config.age | Bin 1187 -> 1187 bytes secrets/neo/ldap_synapse_password.age | 36 +++++------ secrets/neo/note_oidc_extra_config.age | Bin 1555 -> 1555 bytes secrets/restic/apprentix/base-password.age | Bin 1235 -> 1235 bytes secrets/restic/apprentix/base-repo.age | 38 ++++++------ secrets/restic/client_env.age | 62 ++++++++++--------- secrets/restic/jitsi/base-password.age | Bin 1235 -> 1235 bytes secrets/restic/jitsi/base-repo.age | Bin 1081 -> 1081 bytes secrets/restic/livre/base-password.age | Bin 1235 -> 1235 bytes secrets/restic/livre/base-repo.age | 38 ++++++------ secrets/restic/neo/base-password.age | Bin 1235 -> 1235 bytes secrets/restic/neo/base-repo.age | Bin 1077 -> 1077 bytes secrets/restic/redite/base-password.age | Bin 1235 -> 1235 bytes secrets/restic/redite/base-repo.age | 37 +++++------ secrets/restic/two/base-password.age | 39 ++++++------ secrets/restic/two/base-repo.age | Bin 1077 -> 1077 bytes secrets/restic/vaultwarden/base-password.age | Bin 1235 -> 1235 bytes secrets/restic/vaultwarden/base-repo.age | Bin 1093 -> 1093 bytes secrets/vaultwarden/env.age | Bin 2951 -> 2951 bytes 25 files changed, 221 insertions(+), 214 deletions(-) diff --git a/secrets.nix b/secrets.nix index 702bf51..bc603e8 100644 --- a/secrets.nix +++ b/secrets.nix @@ -5,6 +5,7 @@ let filesystem lists path + strings ; # Nounous @@ -40,8 +41,6 @@ let vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICn6vfDlsZVU6TEWg9vTgq9+Fp3irHjytBTky7A4ErRM root@vaultwarden"; }; - hostnames = attrsets.mapAttrsToList (host: _: host) hosts; - # Groupes all = attrsets.mapAttrsToList (_: key: key) hosts; 
@@ -53,7 +52,11 @@ let # Fonctions utilitaires - listFilesRelative = dir: map (p: path.removePrefix ./. p) (filesystem.listFilesRecursive dir); + listFilesRelative = + dir: + lists.filter (f: strings.hasSuffix ".age" f) ( + map (p: path.removePrefix ./. p) (filesystem.listFilesRecursive dir) + ); genAttrs = paths: groups: 
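Review bot: The new `.age` filter in `listFilesRelative` makes every other file under `secrets/` invisible to the rules rather than an error, so a secret saved there without the suffix, or left in plaintext, would get no recipients and nothing would flag it. A comment on the function should state this, for example `# Only *.age files get a rule; anything else under secrets/ is ignored and stays unencrypted.` The predicate can also be written as `lists.filter (strings.hasSuffix ".age")`. `genAttrs` below continues outside the hunk.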
diff --git a/secrets/acme/env.age b/secrets/acme/env.age index 35b075042a5899f29fe20f573665ba37877ce800..d16172e90df8d0b9c75c0152269cf2b8de697314 100644 GIT binary patch literal 1304 zcmZ9~Td3Ov00v+mj&l}7aAP_|%y23*o|87WrZ}g$wN0Dm(j-lq;V?;aX_}^&v?ocu zAvpHnU>qOzFxgc&LxiD-B7%qMeAqyT&dF4ep)hq&ZfWHB^FRlhiVyyXp=*hDMJY@YLC=LA7!2 zrU2T?G;`5g^eI(iT)`k(3=ct53}5w3K@==Z!z_f!SyGb=#5~OUMA{EnM4rM8YC^%3 zHMP47QXiWjM2{D`HRq6w-^^}y8~0b2$1sKiZb~~y3Xt=fEzL(AIEx20m=?UEtIv8a z!&<&A(lrZ(GZ8~|wH*o7!YC#%2+TOL>1s(-8iL$HF1DyzkjyeVF6MO5@_2hfPwM}- zaGHmtO$%e~i4`;(GgJ*L7^out0uTEOhL212OfhvNtth#dYx7cEC}Q|fOK{(m$qpUj z60gmS#VlnO4p}9d`V4GH6J_dD)pBv`iX6=LG8rI2T++*>-lW<9L$d|t!hq6ABR9Hb z4k3A2B+`~abpzaB3%pE*P8`uHA4^S+H4`S02BW4cXtE{si%&6R&4kT@>)`0qL z*9XYSICk9}$LAfg9@S`2ZNNdV)hs1*Dj84|8i*EEK`~Gn6`GB?qBJ}qh4HbcMghsK z675m~P2{eXkRe-lUAk{2#^&-{wVDtpwG@!;mK?gmlp=IOg)6AgWZ4-`m6R+JZLZjC zsxS%K1}3)Af08$&3LAl{xCG#95_S)1kj zlt^^AW9Es<`hKrgiPNnb78oN(2I4TyBfHyn=&~Xheh2pOmZyk|Zh#OOX=RhloK{Cw z!%~TY*Fc#L%=2Y0l`9K!8al0nk;fv68IC?7=z;IclR-U@2AkUQ^5*?VI@hNm#McZ{ zid+&huvEcgw!M%7IAK{qy6%d~Iz#dT#@IfB$;#{M*V~zpech{O~ey{fW-) za~Gcf=J@*lI`e(`@a56xSMcG@!@-H~KG=KzGY|f_R;R(&V%sJisrE_LsxcZt%;Gr*}MC&l~BrCUEQ9qcj+{ri=lE+(&AGxV!3 cw>=j8as34IfOOP8_3!-L;qANc=7?YZ11V&^EC2ui literal 1304 zcmZXT+p81>9LEv!P+LY=qJhE+BIL=l)IrqHRU(!b#Iq=0cEo~AyA?&cI0Mmseny1ztv%BR-Y|Nd^a?P z8i5N_G)rN&Y>R$b);o+3dH6pxe-zLAa1qTLNkv1FJPy}*ZJ0$KHngJ9Yn4C*D^J+E zMfFFDL2+(WYub?&n0h+OfrF95b$rE6wMM~@1k)Z5X@W6O(ACUwL=lutK(>x#viCn0 zTHyd;ja2|!7+G0TNu*k)sft$1!kR6zh193D40hE5ONgA&l{zw;Q+q~(QaQy$B1()& z+a?k+9F`FkZ;+|i97h5~O)9z)_HMISgDE`~^X)L;E3rCBOpd{fo?<9{Y=HCQiYcbL zS1lm`B^u(m9lBbMk*v5?cR+}i7*2!`LI~4RxeEJ}jyp{e2ktvSyIJ8za{bn3EHILc zVIG0NKnJaQ7b>?}nj9>Ic1V4yffmR1!1A(7Cnss zQRH=wMP?v?Mq-llZGmqlEZU<7v77QjL@FGg!3siiO0#P9%bdK_Pt#)Ex{YRZ>UfCf zF|3(3{AyDJKvyPE0n&7pbPxqJ$O7eOZJ9|+T0QKvn|4m9P7w_dT^=o!CUykX2d;&~ zO`97y06V5iVWYr^RzEVG?yV+^X2;XSJZEM+)KilI(9&u&(_*orOS+E4P83mVOO2Rj zNNnbt!deS>N}^IfU>Xsu$br(giD8CEobPo5QA`q5;_YDO`E_Ejwvzezd}kuEXarWL 
z`q~L%!A_t8fu>6$t#VRn+C}V|T*kl#s;zwss{!cK)g5#jvqw$D50LzuY-@VEv6R?sppN zU-7NGfFs{8uPpun@=xygiFtlK^uYOTZ*TnQV)5$L=7nD#yl-XKy3K&Pax*>#Rd<~^ z0N(k7_0_X?zkA1{m#%GDe&+PY*H(_5`t;>PXZK7ly|ek;z201SDEH0fv!9=1vbhhg i9QyY1Z#%U=HywRz_m%CHV3%uJCtlxr{NNT>y74z{g~X)* diff --git a/secrets/apprentix/root.age b/secrets/apprentix/root.age index c88217e..3a7bb07 100644 --- a/secrets/apprentix/root.age +++ b/secrets/apprentix/root.age 
@@ -1,19 +1,19 @@ age-encryption.org/v1 --> ssh-ed25519 cZNEGg hx2K+BJ2BE5shiuYVL8lNDebSXOslE+D11wInEU5AC0 -/Voe2mVa0VBiowquOfiCqBwbsNWKlqJw19Rshncmb08 --> piv-p256 ewCc3w Atur1opHkIZnyRdfVcSPmXJ6pnC8KRSoTDTgRdpXhQ0a -BeNHX/8DygcMRjv+BYCMJEbx+yUiiOz1yRQ4WdpCkEA --> piv-p256 6CL/Pw An/25v/ZffNknCs1+Z9oUHEa9sltmBbaCGw5zGtPlS6X -Mp3IpX/1m45V1PVIxnh50hp4ymL3VjCnDZ9+n+pjoro --> ssh-ed25519 I2EdxQ MFQL0HlTcYBeQe5W+cAegZNrtvYh67YfaeQk5lKBkxI -6YtFHaJBmdC05zaeCNRUEOx+XdAy/KSSJbIFDAjqk4I --> ssh-ed25519 J/iReg pRxUVtZLA7OlkbjZPNJY+PcWBiwu0qOUymXTACmOGws -wLOQy84hbkdjSiqywOU+fAoZkUg84cdUP5mmehv1Les --> ssh-ed25519 GNhSGw oSRxaxlY2LyuB5QBkfQ+vIpmI6uFCCi2l4IqPrQxWgk -ePpTSXekzXDwSUZj6drtsvlnaKxPjgu+j5afvNsKbQk --> ssh-ed25519 eXMAtA v6zL1bc8aR2fgESNZcmTtGPk5pjVj0UGiBd3SjqGLzc -amsA5x2C5dQBzqL1uu6popDmDkKEhm4WPeK0J361vNQ --> ssh-ed25519 5hXocQ DPduJx7pfwr8FqMTXEPq3zXBhyElZTj3Ouy0d3S8RnI -m8K+tCRbGmnf6IkkPAa+scmGmiEy8QAvJppj0lvHYXs ---- Oelwm56/V9NDvorDKW+xqISHYjsqEs6HG/pYf5qTX94 -Ğuŕ{ %i[V4kX+d 'B<{h%P)m=`Է^I \ No newline at end of file +-> ssh-ed25519 cZNEGg cCqVXLLrHvanTMqXfxGd0gjoMj51K9T8B8fJkQiUE3o +N8bANPITpOunRC0fLfqNLyfpd17xKduK9EtZPMaROpM +-> piv-p256 ewCc3w AxxJaGKhvBGfTAW6NMc0cIT7A66PGugB/OeM7wU/9Inw +Sg/yKPotg9CDeBGYkG3Pgz0RBJoz2Q7NRZCDzslR8Hs +-> piv-p256 6CL/Pw AzPWMMEuvSCThR+2/4nbYU6iMJhQXhxPuUwtf3P0TCLY +oEdhbI58aZd8ZinNiYBBgNzmWnowNBsxEQkSUOfU8gQ +-> ssh-ed25519 I2EdxQ 0RgVUxgyBpzBlc5UeLkDGo7VZUy6mPQFkxAw1Z6Rbm8 +lTk0OiozJ/0XrAnHkIVDC8939mtfla2iNPJLbvc10Lk +-> ssh-ed25519 J/iReg 0AxRISUbavlAC3HMApLzemQds2KbIqB2F0pj2unyFxo +iwJy44Hkk+Hjj9lN7BeNgv4eINkrKMUT3lrP1s42yR0 +-> ssh-ed25519 GNhSGw UjDNEUVLKgktYlvP1jM9Lt03J68NCS5J14ZzcbfBwD4 +2KxidMac4QtQlOC9npD1jhIs13AjUcRcY7R5jGzlbck +-> ssh-ed25519 eXMAtA BTDHGZ+pCtn+0g4Sqjw22QjqkTbypABDcp+SdsZkcUM +YPGwUfBFogZfFwcsVfTEI5ctJ6N6ugL01sVLyVLbaxA +-> ssh-ed25519 5hXocQ ZE1YjMEagjDGHpXnSRGxgkghVqvpHsMs2Mcvx/s5yi8 +G1P4PFbANHdZBuyDuJPkjHcrxyzefOB3MbvUOGyDpUw +--- DALPeLry56OdM4CXWsbdJIyWxywt6RmbCqM7HoCpCeg 
+$3֒ڠ<,!hj0юdJC^^Qr lB.U \U \ No newline at end of file diff --git a/secrets/common/root.age b/secrets/common/root.age index b00783c..f657bcd 100644 --- a/secrets/common/root.age +++ b/secrets/common/root.age 
@@ -1,31 +1,33 @@ age-encryption.org/v1 --> ssh-ed25519 2k5NOg YmbPaKvtfcfoBEHw3yNp5vhE+XVzUprbyBK0MDmmeD8 -SRKPmndyQT/dCl+b8Cvu5Vh2VOlpMd3x6Vvw0uO4iOQ --> ssh-ed25519 iTd7eA 3Rue4QGiodPqjeTKKM0qN88HKwCWkmwBMWkNjA/7TmA -Uk3I820rcpL5YlqcFkL6zdnNNoanI0qDi+mhMXKVxuE --> ssh-ed25519 h5sWQA 9zcxhz4bEox4G2dSRcXoQkPpwY54LT8ZVpSpvlsbgig -u7gerFg6oEW3AbJs+fBbpZhFlPTsEjU2J2pzuYTQXpk --> ssh-ed25519 /Gpyew ECbV0DgETfbvF+Q1SrjJlELMszd9jYr/531fnwhR0hY -WNpIJes+t7AAaMoy/w0VY+ZMlL3cdpYmn6+MN0H+FKY --> ssh-ed25519 LAIH1A hGk2swRwo3+RfgA7YEBTTBGjQfsCLomVsbibWSYDsWY -s24C/xWNaCDyaLmjCGs6jDranUM7oUDioHKphihr+qY --> ssh-ed25519 qeMkwQ 8awNaR9XeQkvpI6myrt4Vw8Zf+rMTEp3GlviMrVnd1w -WlhYTdfgQ4SRfLJ8JwudQXboOftvVV1xKrf50JXMe1k --> ssh-ed25519 TqxOLw dZt5AZcQquKWFaqw7ukmQvwDyTdXhgdEE/8vZste+1k -Oxl2ZWb35uDpaoMFQPtJAmjzozNsCaMxYpj3jvJXAik --> piv-p256 ewCc3w A8A3ROxMWx9TqoJOizACq7Nn/lhZKM17X66+2B8YQzUE -KdlLlekWwdJEH/wEXm5HciAtjkS5cxYmUWkej7TLbX4 --> piv-p256 6CL/Pw AiOTq8eaVT1xRTHPTyNe4AMlh3vIsbci8YjTr3pwMU97 -n9BKSF3ErIkUVCQi/7IXovV28vj7EbZw5Y89EHYEc7A --> ssh-ed25519 I2EdxQ iucWeurkE6h5oi0abTGcX6ARNczx5UAGDJ60TetbXxU -P5af2OXIgjrXs2NxZ0Uqn2n907oAl4eXcAl3GyS5l24 --> ssh-ed25519 J/iReg RHmuEjgm8BkXSmY/CSm79tBAEVKr1DAco89zCDqgJDo -xeZiAiICN9y9jdPpeV5HnksRnmZCDS6bp5bOlhIqRQM --> ssh-ed25519 GNhSGw uRhFkAlkmpm8fjaPYHCj3zrnauItBnZSKvBDhiacmEE -UXkvpqB6yIvtafeyb3eLuemR2rdkzm7ZkxRBuZ5vm9k --> ssh-ed25519 eXMAtA BbFvjDyTd4tjqqECd5syWrpO7b5SDdYBmGGzJI5A9X8 -5wDNuBCpFsW02tBO2QvSrRs0MKUgmRgqCfuTxaovoC0 --> ssh-ed25519 5hXocQ 7JpeboYqxK/xmrqw6YZzzFnutiM4OonHjN3bm1UIG3w -lux99mMAaHuu1Yzrty8Q7D3jPYgZHWhcP3WOYth1sLo ---- /CcrdzDPefk+EA7YxAtJ4cPesIFb6RZy50kDV2FTU7o -'aJ9ѓKhDJW$+| %Ԩ)Nny@FEjx \ No newline at end of file +-> ssh-ed25519 2k5NOg PuyFIx++EQB6LhrKUTSwRI/rDKZWWg2gkVRGMVQrhEA +aYydV+Ph/RL7IeXZEE8S+1WXMJ0AacJ6+MbBtomWqhM +-> ssh-ed25519 iTd7eA XlEYPySuo/PKgd1zeUy6/HOnnKDkKyJRhtT1ospAmQY +HzDt1YiYtrcquCWeYlOsYr3YhhG8MJ9TljVBLRBNPQY +-> ssh-ed25519 h5sWQA 5KifKrJwYVwQe1hW6o1BjpOAXyrTCaycrjgLyKSygCc 
+wSLtBJSiC0cr4BrAL8i9RRhZA8ZC37LtfrLA9cKzbVs +-> ssh-ed25519 /Gpyew Oq06K4RjI9izhx2PPPSRcf05k+WgVRBF4oA6YCJfMAg +jqtPBWyf9vZYnunQUi3a/ZGAP/2fx/KN/VqeZujUxog +-> ssh-ed25519 hTlmJA rduNY50g6IZgpYRmSS9GJqV8RPefRT4RBSBRYYOL0BI +WtKzp5BxjRPKypMT0CeXXRD8IygLjMbB0bMM82T0E2Y +-> ssh-ed25519 LAIH1A HO86dJfWvGiCV5AjSpoZMpM1tWfr8tnwkvhC3lsb2xM +Y0tr2ySsHGNfSCQYFHZaJAeV2YS1XvxmOpFK22h8asE +-> ssh-ed25519 qeMkwQ R5CijMftsKNSClF871ggg7PcTTRRY+L0zmPv7AP6Unk +hiTKMCFrJVUhSbEGrGGMvCgG04FsBGbVyZRdOqp4TXU +-> ssh-ed25519 TqxOLw IM8fkgZv+B5eTYZwpckuABGUiOXyPPAopnj5BBSx6Dw +HkxbM4AjhZ1KIaY6ugCztiGj29xQTL4kh+OnPyO5fSU +-> piv-p256 ewCc3w AgsDHsiNo69oTayVXasrpZK2Tjas294WpHbviaRDkfHd +1VV6e3FnC/r7u/gSNxuGgQ07saJA8lj4hVPqYIDfXHY +-> piv-p256 6CL/Pw Avyn7WzCr2reAVPhVYPCNZ8LxAIVVIR2vl/u/OV4WKtI +OkSywpxyrvsvyzTXC7T8ZD9kMuDPKk356RPrKcPZ4g4 +-> ssh-ed25519 I2EdxQ W3xXfPf3VlRhaNYKHBbopWxM1f2SPba/Caq9LrLwuBI +Y41/A9/vLKjUmlzXnNdBETqiruSJjSRQyQ+0nPkAnCo +-> ssh-ed25519 J/iReg moouU1scj2ordop9DERldP8mo3M1vbtfwfkerY3KQgM +oW1tff00Uxg85NvdgZqZvvSV4n/1neyQvvFMPxG1MNs +-> ssh-ed25519 GNhSGw kt24V7gegcXxhb+3WJYftAXCUYuOolI/n9m6OdjtS2s +AyhmFPQKcyTnSGALlQ9nB5oI1KJGlN7lqurksAAq/Fo +-> ssh-ed25519 eXMAtA wZ9ta9ezsprCH849EELDY9IJmHwpjqUE8+S4H1X1Ci8 +CLgkU1aQVZgVcKYMJk/8M7uXS+zieCM64nsZadkO6/M +-> ssh-ed25519 5hXocQ P3a5x4r7WhfBCpV7b2gi0d6hIcLbvefsCJu/YBpdmzY +6+RfKKdK00zY7aXbmNAeSruoaMA08Mptl7+P1jyn0UU +--- 01givh+zY0K5WX5OuosHbZ2V1cnutJfx1BBQOT+LHKg +9{9\7oy3!yra|*cUO96ϑ am&]$?.c How \ No newline at end of file diff --git a/secrets/neo/appservice_irc_db_env.age b/secrets/neo/appservice_irc_db_env.age index 61087d3..fbac516 100644 --- a/secrets/neo/appservice_irc_db_env.age +++ b/secrets/neo/appservice_irc_db_env.age 
@@ -1,21 +1,21 @@ age-encryption.org/v1 --> ssh-ed25519 /Gpyew 2c1R5xA3ysgTJnq/HCziDj7XhHT1Hv8V54UgOHourW8 -/NlGsMHUW8FUJIKxGG14CCVzKsMrDnvEbz35JucLiOM --> piv-p256 ewCc3w ArHjVI/3kjx3o3Hg8pG5oXBx8CKpGos6d34KeEUtvDPb -5AC7+ocL22wHBjbpgH+84nGzsuIX4jfkoegOF6gb4VI --> piv-p256 6CL/Pw A3Mz3pTCNLCC9vpdw+LD8SRlKALfLl7DN1ycAYWhs6xi -9bjpCFriJsDwGFx3HA8hFtfqlKXgoKOq0h2KTgBYpBA --> ssh-ed25519 I2EdxQ von0TonSTJiV5+N13iraMgCfhzPnITZ+M9d9QC6Dfio -EcAbxu4HdynI2Yw0csc1aiSXW66hN9M65jfuH2UIx+Q --> ssh-ed25519 J/iReg 4zFtaNqmnuPg0WI8jIAGNax0r6TOwOO2Qc43hFSAvA0 -xXqGtbQ6x+4l/SLVr+2jfLC7D1A47IXRAH0/wZQQHVA --> ssh-ed25519 GNhSGw Vd/lZOIPyAwrQWuFheuoDY18pwgx3BRS39vDWqModFM -nTILZ7swG5CINavzl/R3tY3UBymZnPXtBXVfB97bjq4 --> ssh-ed25519 eXMAtA b7V/kwqSf539kSNBZ1w6Xr4ezIT8hoR1QorI7LkzXnI -PUyaubPrhK5gDnjf/4HLYlkAeO09dW3o0402tV3Bhto --> ssh-ed25519 5hXocQ DCCJYc082KzrCW6eJtspCMtYYWcSVuCN9v8x0g3VlCk -/9LEFTnsT6hFUaIE10vOZVVzKSzEDJjRaJGOen9ypDA ---- xTWsFOu+sDOcWM6Oue4voILxJ94WTnkZKSrGaiWazpo -,۳<00'C~zu -/@_Du_3Mot ]_D7L9e`V f&&{ny]2NC$եfe\>C n^o|~wA[ʶԊD*tKi7˩xG~^e,3*ԥYeJ<}L -'d \ No newline at end of file +-> ssh-ed25519 /Gpyew oiueq/kpy8n/iSGh8nnCvMXn1ArLdp0B8Sr/zc+dPQc +3CCpb3SY5sKYl9KDTXbAgeDSonPc0m0BwFLJWLxxGlI +-> piv-p256 ewCc3w A4hnsq85ya4+SeJCh7hmpRHt1B73xNS9nV3CW/x/1beo +dAQIsw7vVN+Kv3vKEHCz85ImKV5AuG3F0IywtA8t8DQ +-> piv-p256 6CL/Pw An3unvmk/EQjUBkA3Hn8FDXfB367jlHJ4qMCUYC0Egmw +1g2cQlMsguOYyiXPO/9frbqiHSQzGhaOrneBoxP0OM0 +-> ssh-ed25519 I2EdxQ jJ/4pnzjGwwkYblptHKt8AsIVea26pVd5XpqqoPrjzQ +wa5pTx6WF74ChTRE0h0mrGf+agjZ/PbXjgmmIQ5WryQ +-> ssh-ed25519 J/iReg baeZG/Rtj6WcnE56gZJQUMXatdbYUkKwWM0xN521XHM +joEmhBM5kRXmfE4bH/N5ioBat4pYNUXstaTI/ZZfjtg +-> ssh-ed25519 GNhSGw CU2QnFssTK5ItonbVCFzvP4DiAIlnzZNxCF8rzGJpnM +Ri35ECruZlUR8qgMIzoTeuDW1IQD2ch3n5zEucBMBes +-> ssh-ed25519 eXMAtA 1uJa+lgJHfpfA5LktUo2DFA/3kzJa8vVjaO3qmxwp3I +JSmjw/9iF4QVdyE1OZ9EY9R8gVXUF576G2uKQxMNdok +-> ssh-ed25519 5hXocQ u8iHMYgWQfJn41y+AK+W5CAGL5uotgKlO3GezLb7egc +UdusHwDzpFsxfD9ZSslU+izrO4jCEHmMWzUAkZ51ruU +--- 
rxz0SqY76mfGmCS3oPJnKOlpmiIMu4LWnTZvlnglsZE +B\M +c"B`qw$塀a@MtS>7fmwqSp ]?(~.l:@M0ܙc^ə.k +N{֝^f5il xȢC;'J= f]eXM3},6Ǒ\ւ.شUJm \ No newline at end of file diff --git a/secrets/neo/coturn_auth_secret.age b/secrets/neo/coturn_auth_secret.age index 2ac1e90..7cd94c5 100644 --- a/secrets/neo/coturn_auth_secret.age +++ b/secrets/neo/coturn_auth_secret.age 
@@ -1,20 +1,20 @@ age-encryption.org/v1 --> ssh-ed25519 /Gpyew v0IqoUYfieE87jMKBLBXcc1amCW4Yvv0IRdRbwPS10E -M+i/CVbVYt+Ync6WjXQuurcwjUaormehyhAUf88jVn4 --> piv-p256 ewCc3w AxDlsQZUVtsbd3+mbL9xrp1tSLetzNnyyfA8vpvzGTlK -vFCIppHYU3xJIA04azjm1Iep4KKsgrtgabMzfPK44n0 --> piv-p256 6CL/Pw AlgXPmHKl4SX+ZBcgg5d1yyjIIW3ZbB/5jPDljjSedez -tbTih/OlT6sd3C1K7SdYFawUsHDTrbPf0ZaOH5+UFUA --> ssh-ed25519 I2EdxQ QddIpLDoWFRzwKh6a2AT1A+/FJ+XNLG6dn7bXhHeMG0 -K8hJxagVv4HQ0yjrvb25wEWtI3AJBUzsc6RFuOv2k+E --> ssh-ed25519 J/iReg FUvDVYnluuwFUVc585stre42Yq3DXHO/9dYagJx0MDc -IThjI+lcHpud7iXnvDULPUUVr97RV3SDLrFuATOlIww --> ssh-ed25519 GNhSGw V6svkQ6B/rpYGyyLbhZRJfZkzFRInYPvbUFeKGDsBDM -dO+b8Eq1E5JHULnDfIJAtugboMTSTtcvD/brJAwf8qE --> ssh-ed25519 eXMAtA Q1mwgmya5U87Q75c2KhhLUKfaDRm/WhHnoPCAyJB+zs -Cj+BiSc1v2kdOjkuZSCiNUnB6oRz05kAGH3PwJyz9eA --> ssh-ed25519 5hXocQ 1zO9Ob5Fo4JUYG7vUYdaBcL/1++4vqZQc7zVrNPyUEs -giGdiXDB4Q16y8qH19y+aq8bzZaG8xgFzDJ3QkbWqUw ---- 8z2WQTx5KtMtdNlIgkzUwKPatgX5sM19u60iUZCoxOo - _>eRb!PZ#ZU% pq+7Ņ"s-K"$ -MS}²+dã5Q ٟ+a: ŭ"+s %c/<RC~9Aͣ\IfqQ \ No newline at end of file +-> ssh-ed25519 /Gpyew t5XHS5ci2UuJYr7c10Msr+zfBfWTjGClnYkM565wPUA +hcjj+WPvjOp+PdJKHnb9AwYE8NAfudr1b/MC0m41OEk +-> piv-p256 ewCc3w Au9TM56jPaNaRFs3lZaVH94ZVoeKL93OKocn9Jt6BdEG +svbg1OfmTFBpjak1tgB3CNdoUVG6TkLhAtpMSB8mZPU +-> piv-p256 6CL/Pw Arkhx1n2Ko3TMCEgMqy1/2KK3iYI1Sd+PCnKyvmlnqX2 +kMaFudKtU4B5VlpIpfDHpHvmHyyPJJBWSQQ6JWTJc2A +-> ssh-ed25519 I2EdxQ 8RnUMwOXPN8AwfJVBhIqXiR58gWC6I2PZh4pYYEFv0o +8PjYugyCgXuGBiAjlLcbCEvJUomw1RNLVHaysIt8PIM +-> ssh-ed25519 J/iReg 1vSW1OEwB+sORjqwbEazCrH6q8x/KPtLtGzBUlpmJT4 +LY9HSBHJxOz1UU96Mf5Toht24D/MG09OyY/hR3Wdr2s +-> ssh-ed25519 GNhSGw Y8+cu7OdM+TY6qcrDjGA+sEe3ji1ICSan/bmRmVTCyc +lhMcdwMAWepMUiij28MBryKYTfulsPnZHdWW0X+DX1w +-> ssh-ed25519 eXMAtA pytExWidCIuxny3RWUxJ5vsyd3LUZ4m/tSbk51AvqUE +jWA9YWl830bJBfQK5yxXksUjc4p2S2j5Tnk/6FN3npM +-> ssh-ed25519 5hXocQ RBGSM/Fxgf+MlWZWT1BFfAx1Ec8Qmj8WBb+6lo/ECh0 +PRMInIp2K3oSR/qKQGCYW2joLC/Tubukt0BGQRya43M +--- 
g1gGX8nZGHSNA7e2vZMnoI+b/pyMUvCTvcxk1RAtixU +KyPW/[mרL;5b҄rxѠ37ByRH)6VՕ@uA#s X,''~"TaК $[+z,W,) +J(2oʍ( ( _ \ No newline at end of file 
diff --git a/secrets/neo/database_extra_config.age b/secrets/neo/database_extra_config.age index cbdd4cbdb34bd485f170c90da0440696d0f012f6..402057092c6f1974103be5d2f9e0065bd17658f4 100644 GIT binary patch literal 1187 zcmZ9|-|G_v003}E44P?HBw>UTB#kfge($?WzrwcrvAf;vZoBPnJ2lvDxBIo-@7rxB z6cweBl2A`!;zNQ&y+oQ6LiJ*WNj+pxiGE)qrEflbk@^})_1O0>_`s)c=mp)?!nq$? zp1aoz4PXl83J3C0WES)xjA0O-2WWq;r+IHysa5@AlTGY68Z^O40E{)0z`+5@wo=cW z^Agl|MkFnfIfg<;7(mZB03h^94-miw9kJR~OeW!}7^-0nfU8VMfqMF%=3CQ(4`ao= zo>ny^&6m*utBk_M@|YQwaIZ%t4JX2QE%f;&5A>Ka;edpv6N?m6&Y6i_Cu6>n!93|m zSR0x9RbV8v$C)y)dsHbaYcxz|gTx{KXBDd)ApUD*LE^?bifTi_MruY(0HR?)i5e&Z zp-p5iDPi3f!J~{l$hAl4kc$u}22(d=Y0xyCdWe@Q6}4I(A)zP|^FHT9^YTKpevyI6 z;jEd5yt>(~&E`|Jl{V}Y30;2Nw)Np$c2RKZEIQ)E5*3_KDxDlkf`$)joX7W>)NYbt z35FTF)2F8qfoB6}tZ7v$jTdTlZ@tC>R!cYXpyuFh9$T=9N+O^YTI^&Nz}BH2X3Lc* z8rW1161y|`qk(;BZtnZZh=Jeh{WtY+lmVyEVK5w=)tj&+h*$Y@c6 z6SX&3oSPQdY2j!h)kLtwDa?9J@ABoioR8^=-|15T3lzt&k1b+SFKDQ(k}yppdV+MM zaf-vTZ--Db7X>T`3<$R+Slw!)Ri6yilBb|}Xrh<~n*CYA5rWvBN{!xn4Kur**39!t zr{crPM9%_Bih-Fz$N*zZp=Ph^azaWKQD?>kAc1z$T*(|zc7z)gY}rGtt<94(tz>Fc zv>W0`A12mB<{L#^ODr^3C=~MS+(O(6n zGPlN<8;>2@P<{N!L4N<)T@Swb^~H-H{rdaWeHVV_?jBwFyYbBfPjjn>9@_f;lXp({ z(Gv$=+H(E)<;G{5e_H-w>s$6;x6UjX_s;+J%2{=%dh>hk*;8L$33l%|cNqPkL0yY( zo&4iRa{Hd@{e3w1?Hh#?N7gPKe!hL~^y;P0k)=;pS5{xRLO)_|+xOV+*Dlk$Hr{*r z^$p)usWs(^Q)f18yZ!Nwo7@fS!zJisy!q(f+snT+XP-R!=ccutZ(pa6wRf)Exhsp; z&K-YI*3LZ4de6Oje$V)egG-HTTaLfGjJ$LI8SiSeNj!1Py>W2=_V~T0z^^W>ErI_4 DC$OaS literal 1187 zcmZ9~ON-nD00(eSisPeVp@$x1RCEhrOeT{_Cf(9*UX#gWlG#b-l@x3?g#t<%-i+CPn-G!0lO~rF*h~kwlX?2Z(M019tC!mgDGoW7N z`GBm5fF>Ktg2<6G6g3xijiItMoHQD71K}5`*_;hJI2sK*8BP!VemF}r=pW4;#|0NI zqj@8t^iq;1EUazdK-b8G3Y4J~8DMNxvg#Z^k}c396gcZZKGtK1F_K#~iq%GKa>=I}*9A2e`}@h4L_VE$*JR0CXnWM#ZV&2dH?PVjD62Gc$da{>!Z zF|lcOOhNW%7*g?_S+`~8*tXI#g{Cc1SQiwc?DM_#CGgW&37za4Z>SzTcy5f2gWyUvFepX>PiuUa<$8 z8kUANq7wy+$d9|Dx=XimpwS@9noRfunw65G(s5vm7?epblawTIgJw(MIM!z!zO`Lr zMN4LreCX8#RWw{;;;BHVK0$3l(9xDF!x=s=!lB?hZQqb>r^@6IECn7NN5M&rHQbrh 
z3{8*5M7&mCgb1qio9$GQ2$UEI$#%`?3q(ldiwr^tEnzNN;;_^R1Y4Z*P}YumNLn<4 zk%h#qlBZf}wUp!{L5i|br_0D=tfV=P3c+9?g)x97j!1g8wy?W(zEQzS&UUSA^&P#H z*V(?S;VLH9yP;9iHKGP2b7`PgMkSm9g2}-3`g2^M2Gb-bsIVi>%OfwGOB%{pwueK^ zVjQqNPn$#w$LrK<1(30VL=MT}LEV^|?#b;tx_ zt86Ds&baY#jk#k#3H*-y`2B(C#_{!sr;_iEzFApu9i-9T`OA(VU0XY{@h$)E6)9O; zKDY7q2bZ17?Bs*n`yL-Y@y_PC%j?aDZ(Q0zUf%ou-szr;uRMQ$^Zo;1Q(yjQ<+B&U zmsh-{@YJO{VE@it_U`Um&+a^%tK8&IUq7SJhnEjt+j@P+>HE(d;ckDUeceAa`)U8p z&#(S`p+ETenE2I+b@MIq3)@+L>_l$suY332t6g2%bN<+cv%6j-j}-UC_$qQ}bNA>6 zq=)~u@hQCVE4B6E!Ka=sAN}(1#anmX(x1CudhWRV$sfC}U)j3GojmYrap}y;-)1bK A-2eap diff --git a/secrets/neo/ldap_synapse_password.age b/secrets/neo/ldap_synapse_password.age index a9b10a6..2fa3389 100644 --- a/secrets/neo/ldap_synapse_password.age +++ b/secrets/neo/ldap_synapse_password.age 
@@ -1,19 +1,19 @@ age-encryption.org/v1 --> ssh-ed25519 /Gpyew 8DFDxGaZWao+vO9qxc7f5O477lK7RnGI1RDBIxySpz8 -TKZsz+XOy3O7Ev8Uel7RzQw53eTPe8/6IltBLCx7dDI --> piv-p256 ewCc3w AuDjekUccsQysWccrX2KIlqqSy482h9dmBM+N2599B6s -X3ZD4NEdRmIVtNNHUtMcpWsa7Z6gSSxfNjMbQfdw5VE --> piv-p256 6CL/Pw AmuREh4r0wVcpltIZjXTI4LqmHz6bKMCJk3FOPShnwBP -q6es8bKoU9dXIWegdY8418Nq9QLjEf4Xmn4RUMozV1U --> ssh-ed25519 I2EdxQ 0hXF3v4y5kSEZdR4eg/TZbcRjHQMyT3iu7ucYoBm/FE -aj/i/gRRPMdOFG0urrG5bcT6NGgXQ0IdT4IUoLhLrHo --> ssh-ed25519 J/iReg K9SLwdDMWuUpyRM26ysJHATmVk8rsfi90NZ8Z+h5XnM -0yQ+b1augkDHdCVWPI9uvq1IzgOBwQ23S/Fp54lVce0 --> ssh-ed25519 GNhSGw 0/k4x4mxXWKyqhwg2LeFIau8Zdx0ebPPYWfcppGEfUo -njIid8JCI+41KyhIzQTj4T4DKmQ2GxRRrN6P1U6ywFc --> ssh-ed25519 eXMAtA m9yyWKx2xE55CHRgeEyTrft3dZUkJjmWdZh+M1Nf73g -97B5ztSgE1BXzNDnu0ZM+oowj8wEkxWYoiNEs5qXhGs --> ssh-ed25519 5hXocQ 1Z8OfB3R7un6+JGu4MeBe2lzvf4kIRS8L1TUJ1JAygM -GmkDdKbrUgaF1aOYKRJCFTC4gIdvoYzmIhGoHbOWOW4 ---- 9wriBEhA/Kil1/4DRfn0Lj8KXVxU01JOtzdY34HkP1I -Qʋ;qz[ ssh-ed25519 /Gpyew iB1+WuE82Roy418PVGF4Lngw732xXosKuNtJL6U1T0s +6SCVc01vzFrxoBSFMRNXUuWyIu1wdoSsrw/IxSDpqeI +-> piv-p256 ewCc3w AxIm6ntONhvwDIoNZv/brzzHkWx/XKuwVHLGJfVHdjp5 +POhBnU/wKo3nP0yWdIVUCrTHWh0HmQajERUfH/I5dQY +-> piv-p256 6CL/Pw A6sp9SZyOftzPW6pDMB81+j2ZoeJ3AWMkuuIjDtT0O1M +rg6EOjkkjwM9YQaeBzWBha4IO724zzAm40nRNvGm5AI +-> ssh-ed25519 I2EdxQ IbOeL910hNemBqTIryxk7LAbdXgMQcH6By5WWENk1GA +cxlM9754AcBv8EUFKSA0D2n7UKer/UyRMCVRP3EwXVg +-> ssh-ed25519 J/iReg Pqr06p88CJhWojV6dFeaUqslGNKMQ8KFZnrF76ncsDw +ALQVuk+qrdu5oI2/nhV653aSZrl8IOb6IBncYt0o1uA +-> ssh-ed25519 GNhSGw qlTw5ppkSeGo/sEYxpyRPM51xzdyir4wqstoYHd0EHQ +Fh03PWPyuJ+y5UDMZcgOyfxRFhyVzrU9hFBia1opszo +-> ssh-ed25519 eXMAtA PEYQX+73hYk20TverGL1sGuwyzIDfSSsR6HpSlWIfh8 +CPr0fJoMgGAE9kDhETUPvd6gZ27GqjOhigcDF9K1Vj8 +-> ssh-ed25519 5hXocQ KQleGmCMGB9i9o8SJPKAoYbU6t/UzLeDAdK7gpmG6Fg +YnKFt4hX0ZCbdj37jE3yk+yAZehsX+APwz5E5bqvB/k +--- P+9Jrq3E5YDaybtI3YNnzYQ2UvYJsTmp1jxyZKrQR9s +3 ЪdS$蔌*Zqkʃ ׿8*Oy& \ No newline at end of file 
diff --git a/secrets/neo/note_oidc_extra_config.age b/secrets/neo/note_oidc_extra_config.age index 49ed9a003c14ab8dffcf6fbecb18b9e84a9e62d2..3491106dec9e7a2c9e805b367b43aeac565943b4 100644 GIT binary patch literal 1555 zcmZY7{cjTm90qVf23tWg-ZoyB1_n;**4OJxT#&w8U)Hy4d%d>j7_`0X%Uy51ySCT6 z>O{7{78E8glNUiiq5@6^5@SR_f$*9kpb;2>APAWQ+#p2W5%EXo_YZhJd7ga3al9ID zjIsiqO{N=b(rjGH$wk$3#FAlHed7FxjbVjX3}SR0;&Olfln@p7SXDov&o zwwO?0Gpxsbb?U4YfxF~O=;Q}2Eg-lxhMY0veX`|7QLklrY3q)AE< z>3=mk$yL(|KrP1e#;7tc)@Q<(7ozub*h?IJ95*OmceI!m8VN}3G z3@im{lS!fX`$)S=6DVkKBj-U_ATP-L5i_5NIn;HUfHvxI{>M@q9a89p#j1>9EoL4a>r~S0c-}^d?x7*Xj&NAZ5ey z4nLq$CuAZ8;a1{Az@Y(?ZUAwlq%x$@tWqI{M953&^@75O#{jPzPYd8+txlTs;&Cw^ z_9H&n993wHR;Lb0f}qCBIy|H-Cyz)CtT_W%3nYZ`6cQEL>~T2d;*wg@30VDgkSebX zLJ7n~gp3AF2H|xMkk?@fr_$mdtXW(MpCvEOg90dbfd#uARNzrlD97>{Kxz`Tq7-;#LH zsn6=gDK?zQajA%qb=9#9#^EwwGN;G6D5eB6q+6m9ge*kyXpAC7q=Y9jU?CWdAqf=| zhk3z}w1qf;k?AOx+W|pF#ubt{vn;M3+zm(s(@~F@a0?a}msWCNIZS(OjdqBP^YMTK z4rC=BFin7z4YH{j5Y&SrH7(DiIBVR6`X~dVaIjK!5GB-hT{01tSPU_%$-{bOVH=CS z`2Ol@aRDU_Iwl(7;(0EnB}jD~m1A*)fKf_`rF}p!nSjDhfwEw65mnQ*^~#J(s^cRj zO+Q)HH8NbgGc|l>-++0Vuqv`teR^EU!s~}SezL3?qE7t$Ud}0}x zwI4V&?P_~*)o~;}>H&DlMd zJ|6yNIXL*d3a8|rT>Dp?E0(2B2oxjQ2x^Mr{lYi2KmzM6MdQubmY{I zp3))uzbkthn|b%r1F}1By%H7D=C@;>VZ$f?K*jLS_z`MjSb|{O5yXI_G@l`Ms;W){-8n zE7{#Su55gbsq>ziJ^S6J%f)kQSFb%fQ0x8hd_CP-8hEhzi|1wLsxwQ_p{tdB{NCLU y!0q=2ioTiEP&s?sl_z)6HS-UzTkJ1YZ{2hUC#>HR-qW|6OGYd>Q<3@e4dp*Kep12! 
literal 1555 zcmZY7{d3a<90qV0=86=m$c~{BGvxRMBUWAVb6n*ex(O zv|LhZ%4uOl#meTGPF7(e6}E-+iL_3M@z#iJ_iNm^TrhCBk5xm2PZCL_jJv|TXtM$| z%f$31D8ZpYhXwZQGL%D8fiY5WTQYhV<$?&FM?4Y}auENq5HksSZdg9rB^1$AUglaH zIYxk4wxWac4iJNE_Nq+bWD#{6g;b2dfGR|iNI{eY(XHWP5NdMkV#0*Sj-2Uf+U5o;>{Y&hq5uRO37DBewjAXfr2qnh$|VZU*|3omWgh^=+$TPr!$@jc#s;le9Zhd=VKJ&)t zNbi%&fyPVgv(r!LI0vf-A43zG564&aW0#Mu z-PGE@+_t0rnGHuA*DmJ{cfDWw-TKzL)}7lLdV4^BI12adL0>w-BKKM>E(6ze$ zz>%v*?_Rs}joSJ}uTN>j8^)e9{cwIP79Y2+bHT~QBi-MxymTSWJ5?KJFV}8*Y0XpT zdw%JD&p4o4bK8`~zZq(zzjoCQ_-b=Iu5}1U*R*e`-+N0|2egu}nEHR5I(_#;BTGks z+^o+6i_G7QRIdyVt%9Q8wVmCLx5m#cycpv`ziS@XAd@D}+K0S*348SdTz=L&wJ{x5 z9{X+UuKq5tp=@yrYeeCY3`Rv~gv{cam 
diff --git a/secrets/restic/apprentix/base-password.age b/secrets/restic/apprentix/base-password.age index a68f73d3aef7d3ca77c07735372e888bcbb278c9..630b63e39122854d5aa622dbb9bee7cf8e1b5d3d 100644 GIT binary patch literal 1235 zcmZ9~|I5?_0LO8QNW32&Arm4ct}r9!J-gfPc3X(C?RMMl+3xn`ZreQ-a@*~8Uv}H> zcH8b|SWqM)6dF-sNI!`3U=Th)518&w6sA07h9B2lDAQMvAdhMio92K(;fWd>=)41!hobmD3n4jBxMy{YuEgbSSm*T-;fWf^ zi~58_ikQ(F2mN9QOXZ<%Q#MK$5?~pNbB7FZ7A;YytO=*oIL^;TW6;N&ylems z7V?dyFR~ET9E-_J3v2N_)E_Wr&*)+!3T%y_T-E~^1G9TTu1i*w5j5L@Yf-`Cl{iRw7>`11SR1i^Sqk6|BCOukEot&uw zV27X-fV;Q7ni&B40CXFJu)rq#80Qh$rV9N+RfW2FL2ULdBaQhGmBvU1k0YiIc{Y+~ zqNN&LZp(C(#GIO4g_{^MbUh8A)cR-~i$bA;_ZXKJbfp61dc_$AANPBSEDd3y$TVSw z8WX(e6eUx&9AYNV%VxUXvD;#=Yteo`wD6^xsqy#-Ps$=glT2TLl0%g1I@+(vxa20lwCX{Pt{1D& z1k0&lY?rvQ-NFOfV?8`)G&r+k>tIXj)e@;xDyeIhSj$Kj*wQ14C$g{@`Ejkp&EUP+ zNfmO18h|4v0mw`*aqx(+{9WJ-_{VW)^`mzSUu{?x%zXOHXJ;-itZ+9j-v1M~4cq(j z$-EXfcZwP;`U#F12O`X4TWDZ&mp5DEa`hNP>iJLv{@;aC#-`cW$ zan<3u_mb>)PaS=1>-F6q->z?d{N(1ZpZ#X#E5Cvl7WZ9z^@|_&d@?wqd0r?j>{#~Vi9-kGw;sB* zLOi?a%U$~h`t;0}3mbpGat)OqKK)~TtS_62clpOu>+D+Tqf-|SJn+lg-;&Y`+cFo$ JHRu!P{{}&yymJ5m literal 1235 zcmZ9~-;3J>0KjqFj}yz-rXV^{sNTcGtTt)VHW9onKl&qS(ll+8CS{zqO`D`?^P^3g zG}9r2Dd#2%JDtkrkfDqrj)`!xhp{>EVNRKd1Mvno+-*#Bf=^?pb3S^1!3Vy4TUs~K zwK}7z;~BQ~oITQ#6DXFLi;u^8qN}FTX$XsVn&n(Ui%0drAhJms4oXTT7ebBks3}d= z1{ImZUVtdR+xHq3fFMFV7Fczk0tW7g>L3&-7OyryQAKSPuE0l_A+=<-P?OV+rk6Shq8j0+uZs zH5MTSn{Af6f>53`(m_)QaJ(to!`Qf4Y)(r|dZgrO&NiUpK$f6@4*_));*@R#OjRW$ zLJXzx+KO~4r-nkjo)!^X4lyi?bu)ud@3nE;;U^K1t2TVQQzPVbL9tCvwd`15615r& zLxhHt9rG9h`Wcqtm9?0zxsCn@)2iOqShhu57_>)&_JXC{TWC2seGI9_od91`{RC zaL~0{p{&;mLEHuDN{`UcJWA&?2&2dm#NcGR3wb;v@F+ZL<4g^JDB3b(h$_hg3l2>e z8-#F(M(wsa!ksk35v?jXbugU^a0040wy;*~${gFGiYZ$&PE4_S`D`E=V*LJegmrCuc*4$)eU?FIu+L6W_wNtkQ3 zv@Y8nAwD!}N(%zqzLXu(#fe+x9rgb6DAb)Gp`1r^tQ5+9gsSB2m{!NEycl#qt5U8` z0MHp*b{Zbz5iYa}MXIegT0pIik0(MWmPjPx2wB9+6(4UDvzZp1kg-b=E`4yM@y@Zuix0hMo;Tk*xU#b2<~jdI{*`~u>{b7m{dn_V^T%dCed)KN zx0$Vgn~L-AU0=V=_P)QM9hlkh`m5UKU*1^VeRu!6Uu=2e+S?n$nKR$&-wC_E-h94& 
z@6hkn1!(Zv^0uuzSHT-+qtgejY*;?@)7%?(cYc#O?A^Qc%c;kK1?6(;;ma?q+&XG~ za;5U~oi`)!^bB+J`HdUa=SA_v%k8Qnv GF8UX=nYo|< diff --git a/secrets/restic/apprentix/base-repo.age b/secrets/restic/apprentix/base-repo.age index 59d8e9a..14169fa 100644 --- a/secrets/restic/apprentix/base-repo.age +++ b/secrets/restic/apprentix/base-repo.age 
@@ -1,20 +1,20 @@ age-encryption.org/v1 --> ssh-ed25519 cZNEGg 1IExuYocHQMUARzOIlb1wEMF4XYRF4wsKf3YyDzAuAE -jU/FpHsXSgO6LmXQnlZwiTZtTmqTHJ/ftFRH+TzW2Wk --> piv-p256 ewCc3w ApldHeqzV736VZnV7K8FivXC9ZJTQ4uVbwS37QC8my2c -ePkP37ESE3LrvlAXRT/bC38bEr81KdDY1hphmFZQjPQ --> piv-p256 6CL/Pw A1/F54DYuMTiegKSk2EmLtJc+Ow9SzZGuxmpCtAxwDY8 -gF4ws4resurPQgDJ1Xad9/xwVvL+qrqoB352dctXpzw --> ssh-ed25519 I2EdxQ y1dT+umEWWE3jLL4pvbCSzxcQBoDvP1iY9LMI+4jjhk -6TxUadoIzp98+UmZxDnZzG/Ujzmz78zxswJtrxcyA2Y --> ssh-ed25519 J/iReg eFS2Vj0srrjZZva71rL6SK+4hpr8Py8ywDtva0ESgQc -aSTyNlYJJTl2J8xRrYMlYJ2ynvzkfuWrJNfsvBLpw24 --> ssh-ed25519 GNhSGw 1GdlvMDIlg6mMhVbEzFPqAj7NQLavgQh9XXg9juG91w -oCwmcCFOqzNqa19VmBPU/mfiRbkap3/yqLZuVGrnKHk --> ssh-ed25519 eXMAtA XOzDKhoGWJufceYvYOYYBGj0Alk1dkCXK1LqC+R9Ojk -CFjSpPpVsJyr4qowR1wR4O7J+vhdi3uDTwfppf4j7+U --> ssh-ed25519 5hXocQ 4mlMh1Q9RN47TKGAlhoRfseuft1qw0HWGUewF/eC5U4 -2nhvo98zEImfRjdA7RumzA0dEQiFsl7EP1iGVJudJP8 ---- z+Rt9J0j3wsKrvCOYmvG3Bx7lXXs9YQjkwL4HyLjrDI -SnVW1"E)hf` pV#I%rF]j ΛڨYu -ǤXt^1ҩ|m0O:1$I/A1;+rEqL9K, v~*kv˥knG9b \ No newline at end of file +-> ssh-ed25519 cZNEGg TQEefBOBnvSoZ/Bccwr6tl0RCFwg/L82dGQXSQJoOUs +Y7uomZi8xQNYls5xPgIOZP1Ma11rf0/T9DeWPp/KGN8 +-> piv-p256 ewCc3w Ak1yL+6zBpExJqYmFYhxVxVEIXurfZfxa2eFNhHLFbNb +X9ERqgf8MDyY0KCngq/IVlXX67JMg1Uh7S9tDUBd80s +-> piv-p256 6CL/Pw AiyC5gaiyPwYJLfiHclfSenLLYulx/T+95PZUStw9ziR +GNNLL2SyzFSvJOwXvgIFaghNjW39F45KgQZr8ee8n1w +-> ssh-ed25519 I2EdxQ 0uPmcUi8BlTEgv2WfXvGMsa+/oyp3OIbnUyOkEN0ils +OI8tShR4LwHLHGkLhPfOqD0c5H/eTcaEE7NkMRryQao +-> ssh-ed25519 J/iReg 8k1XKoYlC6GXiESgzJ3YXscg+9WyXdGNAqFHZXvF4B0 +uoF0y2XzFg64LGOus9pXmHZR5SlXRBMFh2zcRTbgFhc +-> ssh-ed25519 GNhSGw 3SH0Iky19g2IFQjmHNjn2AS7/M0qE2+oWaLla/gT5HU +cRYnX77mUOmewPlp4DBStPcHA1Qvt4Otu6pPud3tG+Y +-> ssh-ed25519 eXMAtA YYFIiu0LTke0JUNixFyDUoU73ojzkK4YVcU3IO1Nmlw +cI3P0T/YQjM4rYixXKXCMOQzvdrPepc99ziaj/TpZPI +-> ssh-ed25519 5hXocQ iJu2kR9mztUq774/VyCVjFg6tuPxhCqnVUGe0AEZKl4 +eRAeDn4bMEXXa4zl8tHH0N40s7EBjhh+yPT4uk7805M +--- 
gtKc5W9yiqq5bswJNmnT25fR0Zux886cug365ZwLG1w + ~kқ * gȣG2h-nȡ #v*֡ K9 +aB.$$N83oQ _艟_qd_u煥~{ڠBB~k:|H7G \ No newline at end of file diff --git a/secrets/restic/client_env.age b/secrets/restic/client_env.age index 6c9746f..50dc96f 100644 --- a/secrets/restic/client_env.age +++ b/secrets/restic/client_env.age 
@@ -1,31 +1,33 @@ age-encryption.org/v1 --> ssh-ed25519 2k5NOg XGZP4EH1IDkn3p4ePkfsWtsW9bMSVO0AvmMfJH4W2WI -5Mr/qVQlMnLE588JVpwrg67eHNo5Sm3pS0+hKyIXjZE --> ssh-ed25519 iTd7eA e8azFJdubW6QdX028QsyiyveLwXC/keqUKAOo7ov1WU -LtJU9FPHPJsQ0OZ9VkVuIR5euMK34UuCnv2YKza+eCY --> ssh-ed25519 h5sWQA osdcvM48i4O8blpFNWitglcC8ZDTQBI1NulDB7KQ8RY -2yaVf/txYLO/hG8aT+gUcCQkuRgUusrx+d4x700XZ/M --> ssh-ed25519 /Gpyew ZN+vKCfaHbLDrJazqMVAmiVmEf7/hzzJC2k5VrHrG2k -k8xCSXCeIpU/n0D/y1nRz5AIEdzZi77+i73xfhhzv60 --> ssh-ed25519 LAIH1A SoRMAtJ5hai4Ose83POu2PTrarox1MI98veJaUqcNhw -qZ0jUzIGnIWm4sR6l6QXYfCszIYT59b26I2DQca2BL0 --> ssh-ed25519 qeMkwQ by6fhcNSMrV1Lv30zCCfhZRs3x26OHcqUHfFYlsizgo -3khfxvt5DqFUPiA0I1rg9HyKBnQMPeSwEVNKG+txTd4 --> ssh-ed25519 TqxOLw 9lVMAb4NRSrKByLZmKuO6vy0k01wB65tCc4umewmzSM -ITdmhUt3oMpht9jSiuJXSckM7yI7ZeUaOza2wruWV9A --> piv-p256 ewCc3w A14aX2GMEbTgkcGFLcUCbiL+zt7b2BnnIABfe4jevPM9 -91FMwVTbhwauvucF76Xl3X7fD+1PQHBAtuL58EsW/mk --> piv-p256 6CL/Pw AtvjWTogb40ZYcFhe+NBkBNmtTTFKxtlwn48XVpPWowy -8oPkdrBttDuOZIxFB/8WHoo0ufuFOp/oI7QHHh83Lkk --> ssh-ed25519 I2EdxQ ILSdic9OWDS68w6uK7FE5a0KyrjoXYxb4fFw3vS8/Hk -zD22ZiBw9N9H1+yXwQgc03J+t34d3h9l1yRx12zVqyM --> ssh-ed25519 J/iReg 5eIrm4COB80DxYnx0n7g2hrqhchZcw0zhn4AD+vdQQI -Yd0K7dNZwpeTTsvjKb7SrOwDaPQLVUS9IhrtQgWZkFs --> ssh-ed25519 GNhSGw su9SMmlH8f1K/7N1ggbGGTUm1zM/p0Whgjye87MaZWU -BEJwAlduPYI+rMCyZUYJKB7aRpsQlKr6HIh5hYpVxN8 --> ssh-ed25519 eXMAtA Yxo6gFb1CsRI39KU9/wR0u+VNYFvRsV1G96CwkFSdgE -27E7XV3aVNxppX4bfta/XQkVdxo/XGRCk0PUDWJyeww --> ssh-ed25519 5hXocQ NbomDCWlMeNi4X0Tw6TJ2q7LVLv/206DHScIr9ijrG0 -hQrBPaut1XIfroDxL+KGSkGrRZ680O7US3WGIJu3zCc ---- Dtvnt2AyqssEE3RYew+Zuq14E4YGRVkccEL2qssodTA -}( IR F8ͯXΞ6dhLKd}WǗIO-HϾE’ctЃԡO^8]n^*x+R#%g2 =*`j瀰~J \ No newline at end of file +-> ssh-ed25519 2k5NOg GTzTB/4oTPX4GgUXebUp2usW6WC03FgeIybP1NOsymE +svPuoccAmLBiQfEl3l6/eH2VKtNXAGYTVCKW8vGnN+0 +-> ssh-ed25519 iTd7eA dwEz38xlFx/R9iG9PEW1rEqBmE4IujE/9iLTI+ysnlk +3ymf3XrPE02XkQrV0+vNF4lSvxc8lTbST5SF8gpb9Wg +-> ssh-ed25519 h5sWQA 
/fcAuuCz6gErWLyqHzrEY0zMYQHCzd21ya1wv51Q1g4 +C5VNkPyq+4oN/JL767mvoAAm4a9+nceAyT1aY3F959I +-> ssh-ed25519 /Gpyew 6fUsrnunE+55NBgPhgVDr0GgLAVuO/ncjhcuEl+wvng +C1+3nI4vRf/aBKf85PSy1X/w2WwEL2hvAF5MrwDkcp8 +-> ssh-ed25519 hTlmJA PmmPxFrMv/CNG+SfWhCWozWCWQ3ZxfgCAkLsbA8N0x4 +wKMLwOlGFVnCL/DVNuPUK/XdWjMTY7bF1lNymm/WO/k +-> ssh-ed25519 LAIH1A cp21yYkJKWit4VF6CPwMOyQkegp5y0ENu1q3DfDPHAY +q0nZNYNlDnEBvD32+uSZbq9YByr3XxLWA1TX4bZI7dk +-> ssh-ed25519 qeMkwQ KLGoGQQNE5rdUu2gjhchtog4pLFrfKYB51uAygHFDAs +flkmCHwzWGnMc1cFhR4DLMR6CEzZp4gx4bfa9atoKh0 +-> ssh-ed25519 TqxOLw gd2mO+7HbN3l7rK/2efcrSvwj43BVsYUiOLA3TjVuBg +zMysEOlhKW08C+VoqABuBioQgeTMviHNYVJy2PwubqY +-> piv-p256 ewCc3w AgDTSzBYcuFF/fbq/1lGtVQJ/hGhvOl24P4efLsZhGC/ +3EcR6BYSpisJahe/S2XfuoGVYxkscTE70ARQ/g7OZIg +-> piv-p256 6CL/Pw Ak4ZBz69R8BE5uo1NI4s111shRKc9OnhcBtaBtKVerxg +nhaorLd83Eyuu/2Ax7+Zt6HocHi2yD7wsqWTUoq399o +-> ssh-ed25519 I2EdxQ oTcQa7k8nyGY4a0h/ETU459VTwY0hSk1nLFdX1wMWxc +XJtIDxpzEOm0IJnFBe+0hikyRoqiJvtPIHHaPtMrr5c +-> ssh-ed25519 J/iReg R/F7lVu5QNvDV2Y1EfBQ1oIthN1itQU26ilN8DEKLRk +e2f5qOFtfkFYlUlsL21kj3r3uGcl8V/e+rYhlF/DtFo +-> ssh-ed25519 GNhSGw ANpVIuphVMTrXFALS2SZ3ag2rNrGkVXXvH0KDcVypmc +EANJr+S/mknifOJcLDBjhuPfYhYzHrFKRQcUH/TYkBo +-> ssh-ed25519 eXMAtA gD3H0ikmih1XqxUrDtqakmWFRH1EaByqDn66Gm0pRwQ +ngC4vPlohbUHhDmW5Q52Gnz3DGxWgrFuZlX7ZWfR4Og +-> ssh-ed25519 5hXocQ /IINku5jrZKsCuf0WL+hGxR978pp8n2xFRbwfl8I53c +kaZspCtVYwA0nl02fQ9eYqA+ihmJF1USGZ1xmVictK0 +--- Kmzz4xXIiXpOLw6JrwHMnMUkq5GDhIKuGZRnr298dy8 +8HУ؏j䳠 +^&>nk3z^7/E1+Q%);~'ne ^mrۯ/phs`yGU45#M) >.yT4"Gǂm \ No newline at end of file 
diff --git a/secrets/restic/jitsi/base-password.age b/secrets/restic/jitsi/base-password.age index 44d3dabae59df1fb59bfee4dbff4f25c7fd645ff..e3bf58b91c5a634dfdbad7c2aab80a0ca0c1ef3f 100644 GIT binary patch literal 1235 zcmZY7|LYTV0LO8m5?Vx%MwXQ8iv_NEd*AK0TZJF)cDL>Bw$E*M+wFFiu>1aHyWO_? zvQ3mw`$7?jN__lOBw!6*s}NxP}#bv#)TGCg?$_hkhV70CuL0)%0a7bzsj z=ssxS9f6z)`4UPt5<|?Y_8?|zTMomAd^<|} zFq%v1aZyF$ByNLYL%?9FTg1IwZtM%wpiFQbBhY9Mm`hnAZzFUN&!*BJcA$`z|n{e}goA*R+M0C>An6Z0nwqCvt}>Q6lAKS8C=qr@1Lp-{UeZvPlo^l8Ca|$1N>GDRXq*Xq zHFn^_nYJrHQY{V}rlRL1%aj6+sX_nK7|7;zGnuPYB4%D3da+f&3t6pIHl!|6EjFdL zMOVvV7qeI~Re=mrO%O82BB6v2S^}y7Cnl4*QOJqndF>%qGHUU{Tu81->y7OC2H~ zmD|l&t071U@R=YUw40-D5sgr%b+e{RH9WwRJkQfc71s%@fufOHw{;if6(;BhdeO^N zOL7k`&nP?viF88Y+|-Dgr+m|xHO&@}3K9(u3aD4ZGf^>|bVViw5i`PX{nN<5>qjkV zpf-|J-{FT6m$D6A84EI5n2dVO8e>l3j2zB{7FMSChL#&mZ7h-F=PMYhWw~w+9}E3n zMag=0&|}bYT&zrJAm;^C81AVKp-Au~WWnFsRt$4LZu`jLi3^ z8c-T7+zK*@c=4WlUwh+XQTkWkq^J#7W(|azRT~HFcGM$yP2g7$R?AU#1 z`QkAFzD@f6httcppV;`oGY@UKc5eNbx3sVNFMYe?@`gRx%(7Kq&97rlt$BCqt(=>y zyz=>(BYUB*OB)|1-0I2JFV5agxt$+_;)OL&e6$aG>Qc|$`P1|mx9r1<3-0sLNG-E|$hxP9%?Rnx@VC+h9HU2CN@v|+jy-i)T7i7> zCb{kPeLMFX@Lh8!&plheW5dxGi479HV(X6QgDu~H(|>B$=g!7&9en=-X3zb1U*5F$ z8hj{q=L^bXS02AW%Cqywucg6v*C*S9MQ-zw)k_aFPJwNk<4N@DftP=KE_m+`U)_52 EFE(wtXaE2J literal 1235 zcmZ9|?aR~z008g=F}lZ~FJTbsNbJRNZnt~e0w3CTx4YeKcYD3tEz$1wcH8c5yWQQh z?V<+)qa+MW$`ItCLbElz^ppVrDqqGlEf~AR>VD|E{=P&rduWcDgW1t1G zKeoNWW-qXyxl|%K3yenHq@g3(YzhNxNzWTNptYx3DXLj8iZl#&+VHum?H5{n&uBTS zF!HC9GSOlD3R(0LxGROibeP7PAkh|uoKnki!pN()2@}-ONnSx);*_Qa6tm72TDQpy=PKQr%)sb0`71dM|Bmy=_cn)h* zIXLukMNleh9ayOZO|UU()avR;P@9eH5XI2{Svit{xPPsbU{69Qln0}p46_Z*RQmK# zV+NKm^`cRV*S&HbYwM`wR1;%5<6@E-KoQ1pX}>iI4X><|vCG+dH~@wExMRXlL*pTS z`67)J^@syQ@uPK#+X>j z%gqtQkZhorpfobZ8l{3RrM3JVip+`4)^e=^*@9sKEh^P3E8V(hWF=0kQdnB;r)mww z5%8WRckqyNY2Tum3>7Bks;=2gmxyAVnUE4D;ju|549fHe?ilKJ9j;iXrVbti0lZu* z)w*IS1Ond6l)$dSFa=sp6+ulY_=BFu!(=`q$KqI4Yc^8zWyeAjEyk-8($pGxni~gj(q88k;5jXqwOZQxj*2f+qNtp)5~{tATCT-1IPn 
zt)c1oSp-k4@ULS_YPjw0z0{EfHT%f?kHE>V_8cM}exg%;Z`C3^c>l+ZVPTUz>eu;ng?YHR0*wt4_9z)A*MA*MFMacri!M zzq@b2+`K#Itvmqsf0uxKaBA>O>#Z~AfBA57@X22nFVow<7S2U0yEEK(Fmq#r&2M__l?)+2z3t!=2If7wYSFZ~j*OnBDmawC3`r)id|F+RWC&56r7#_Kw517Vj%D0J 
diff --git a/secrets/restic/jitsi/base-repo.age b/secrets/restic/jitsi/base-repo.age index efc311d79970e5fcd402b9f2d37e4805a70267b1..f61afefb123f7db9fa097c4334f8092dce53b8cc 100644 GIT binary patch literal 1081 zcmZ9|&CA<#003aUcnBh>$UKcA2pgqK(lkv9D*T$}t4-c~Hc4~XX!G5s`EJq#(HAd* zr~?n;MG@x3gL+X!2XhFbIJ^uI5oPGX%RoGc2zqcHegA?7o^{|2yu>Nmtcud)Qd$IX zjY5NGdSw|7Ja>rW=%g3vF5!WmvN&cajfI(u@P`!vCy~+`Q$8ROLIq`0>@9noPUDQm zcF?p*35vjApyKt(j-hxtJ*)~m$V6qN5FUJF!6t~1qwdlFX<1YcvLQb1c@5=YO%LEz zt29(-hS@Fjy9uvDOW)wkgOnVjjo#){xEmj9iql)< z#1-_}!2-F7#(HJ)Ecl-_rUY2NXN4z+a#r*D#7Q{QL681ai=8qd{57|&N+-9}@!r`> z{6fc|El>%d>@*3NnWQU5&TPHM>YZ37-Y)d@^&&1v)W{nXCC@JML)twmy@Fm#xgAU< zHn7+&8>F1$+F=WVe!FKfb)HM=iJa&HOwkZi33a^nYG;Ei=?Ny5=0^0Hh~OJNfjQh* zNxHSnD%=%w_SkB+=P(POjt}xWglA4Wo2eWz zwfVD}XNjN!y{gl!j%4Lv=`5v1V;s8q5n139PnDAGdc5d3eievL=|&3F??j*IFZxlM zRtYYP8j&)!DT95RW;L*v_L9SnftPaZiTPD&EEFpxBhDC*J2zu?37>qTKFO#Skh@7G!STvkSS zO(2~Y(cKPq!k|Zz#0Xt40xD$CN-M|02(&Rv9mb=B+rr*n8V2S2mc(QVOR?@}OO^ z%yyi6mfVzj(03*#*vyUpSVJ(y=l@u=kp!w*ShV7EVWK(Ypi`W=~9Mk773OzPBsA#DS7kgI~ z#hmojElav`V~M*SwzLd=$>x0;#-bayvcY7CM^j;;&58kaRQTbFiZIt5EO;eqYm+RB zNhWOl(Q3WzHtcy##MfFFp%bWjpd9N&ta2x_Svrk+r2tr}nm5=8PeqgL*%iee164*G zg&+*NCJ2eA!N%FB^@uHUsKf_gWUxpFLSa}M2z{uY*Ej|0T!Ui3s~DM!D}_s`2+o7h z!Nn+C94$pS2#b0;3_K&y8Vov!9hu_#*iJU_ex>U{7#n(4g}lq?20vj}{j%%B!Csz9 zoBy2*ZJF6K=y<>nb(8BSj_YDtIkW8ypRi+MWNX%%tN7`XN?e**L{LEbd9_aK{4^_f$-LkyQkm3 zTcLkld-z-J!Oc%ah_+mal2}7*m$lraVv9s(LL16J1Vm_3t3&mi$&h~67VT^v9uFid(Lh`c6{x6= zdsKRWFSf!H{ic(J)x788v|%kx7Ej7nNR%^#>C(s&f)W)U)@SUo__<`g?oZ8IfCyMImiBu|;#Kne4<>*+3?KtQoTp-{sC%G9U>Md;G zQpq$b1gL5uLnb=%uS>pOjxIZqJbwDNgU8-^>2&eh+^H|t?_g5ruI{|={T2F|d%ya2 z)2BNwjk*5o>rd=E1B`wySqx#yR=mbT{}T73|5-`pK< zV@j9jsg2IwWq)p6imcw_oLPWxazFY#lX~XtWx+qTsA+o5(~x1Bq-lChoAlbGtuIE~{F*drn)D%0 zRmT(&+??W@>BiU#A2t;y=r)AmIdnQF>U@~o#x{p?QzuMh3WxZF^QHF}eBjHsp@TT+ zwFZ$p>NvgooPmz`C=}lq8xD;)(2^L2QZWM?sxlqR0+tH=E)VjupT%;DE;Z{Jzu4@y zJ&;8PmW4DqtqwP7R)&gESd&{-8OaNXQ}$%FJ)P(Up=p^QM^qF`*2nE4Hin0y^`GW; 
z{J5LM@E8b~)^re~9k?&|ffsqSM&cbp5XgE^Vz?yN(9$xGv2B5z0Lb0wAAygVvmNXOqGMFN?P_& zg0;Jn09$yWmhV&PTCG}uF^>^Q0SL{GOD@%NNT&q!813i%vM5ui-A@~)=r;OcI8tSw zL(MuTw{vb5sRxlMu|^Hj)P$4Ki9|G89jO-Ig;hD-$4FC`s2Q@(sv6AJSvI4i%y6m3 z7mQgxhyi~FE_TN)H60NwQ}EDac8rul6tpo`BKg*IuGma74Uwoi5L~hyQ8QE%PcsTy zw}M%+GS8}bT8mNl&h>oS(Wb({lx-srYGy05RRta2h!v+;;Nnxpm z8C9nx$AnQnn-oJ72g{fb>wHe`*_5R6Y@10-v_2#LQVBe*`&Vc3f>f#%#E`hBVt)uHN zP!C?aJbU@!d)Msv>Wf#^TX5l_S8m+DW5WlZJ@Mn`r*2(5oqBZgxt*WvnmfGf>_lzi z*q)UW<%2)D-yB$%+4S+dPfpzo9lLtZGUBxplk+Ry#>eBMb6cu=pE_`+dS~~ZLsO}J z@wtVy-+#36#Xqlq_Jp>3+v9wxbZ|ZK+x)j1ZeO?cSA@Lln!V>XKcL)Hc0QduE$m(& zS>(Bel?$gI*^W9B=b=078-8!!7LDFqb$Qd5lZ(80zsMZ_@W}C_XP>|7yY25Bd29c+ J$6`ck;a}TIySM-V diff --git a/secrets/restic/livre/base-repo.age b/secrets/restic/livre/base-repo.age index 39575ea..9b98be9 100644 --- a/secrets/restic/livre/base-repo.age +++ b/secrets/restic/livre/base-repo.age 
@@ -1,20 +1,20 @@ age-encryption.org/v1 --> ssh-ed25519 h5sWQA UVA54f4ih1Y7DeHl8JaR5xx4aNZmYSWBH3rSDVx+V30 -9DkQJ8hh6vLIzHy1Jh7evdTC0IxJfZ8h5Dna95mhGdM --> piv-p256 ewCc3w AnSKSHNZoIlAOaJ8yuHASConbMyE5Xe9pYBRZTH1Bmpp -tDvSbnzs1MmYGD2ADjrPcQ2/CnYbgFKAFgx+LCwSKwg --> piv-p256 6CL/Pw Akuc2AE0t7UEi2cc7MKsELdEJI9j1HArytxKs8ALhhkF -CtYo5aBfkeUEdeB8WtD6+aJntmUOLgV3c0YqiIa7mqc --> ssh-ed25519 I2EdxQ vHAuEyr61iU2FNZ0a7qoGxMrdwhTsxyJY5md5decugs -XeUhYGi/sPLQ1S60TL752+w0A4esESNwa9nb3dyy6T8 --> ssh-ed25519 J/iReg ukrGz/sElgVRVYZezBP9zbK85owb+6SieNmx2+6LQUE -cal2YERpuidS4flDyOd0p/wendfr2RNPtTP9MXxAxtM --> ssh-ed25519 GNhSGw BndztlGUOHgsxE5gpUZXjipFnKijFm9C6iu4MZGymFo -hD3xvuydadnbTClB/Oe48zyLXgk21fYdSPlLiZIG7TM --> ssh-ed25519 eXMAtA dM6ndCAczkhAmvKTP/ZKPN8hvun6VQdzZbDfJ5VApWo -REcIqzrOHyO/Rloldxvxp2y1kTk/nKrD1WPDFrX78nw --> ssh-ed25519 5hXocQ QW1soBQzuSD0UyTagoTswDdLi0Clw8YUV41wvGtIpDs -z4YXC79z4YoJrOq3HRISGWotcoq/6bR99dKd/PimHlQ ---- i2Rl65MgbXq5oGglcGefPDQ6yWdi6+Nl4/SYTCvYZq8 - zl[={ -:ȏ3@HcAhpgdߌ̲ptn#E:!dA'X?<ڶdl&ʂ ]+A9䗜hp. 
5 ~b \ No newline at end of file +-> ssh-ed25519 h5sWQA 5tzo8ZIYdTzxoeazGzC1COFQLIH1xgxwSZYWshrCX24 +qe7hDx1J4NMPCpIFOQZFIkRG9GJ74rzcDzYQ+l5wsQI +-> piv-p256 ewCc3w Av0RDpfvdY4A6iMzRpLfEEjxfu0BrgQT3lNsSxms5+1Z +xsN/4JSnfF2JEiaSmDnnMFwPEZKah919LeE3zZC3ovk +-> piv-p256 6CL/Pw A3rShTU30UySod5nlXgGDQFbtwv1GKqSgWzyVUY+9nIB +P8bM8AEzTWdbzb6LfOait7qCcrZUWXA5GinamQm2V9k +-> ssh-ed25519 I2EdxQ s92P4q3rc7mnPCNetLAM5VM0rW5CX2El1ZuoRsXpZxk +CjYHau+p0ee1Q43QeqGPJPDg35pRrbenSxTE//gVS1A +-> ssh-ed25519 J/iReg EaXo5UCBnjvAWor5Yoi/Qxp0DBeA/i5kYv86bjXQP1U +V74njr+Co/ZYPRU6p+YyWQs4W40yV+oPPYbhTodG2RU +-> ssh-ed25519 GNhSGw 94SWVJ0KOjRWuZfEHjRS4Tso1mqD1chtaejPyIkzdh8 +Nne1exsd1yjxTm4+32Qn0/b219Yj6tANMRZlGjZeA0o +-> ssh-ed25519 eXMAtA wbDOhvP2+w0JdEnbUuWQxcZNVJ32m1wN31AOe/O3VW8 +BRHEfjcSpnNz55YLNqYQNl8bIA1XzxQ3wqoh+k/DuKs +-> ssh-ed25519 5hXocQ JhA00hvkl1CXlvWno9JnojJ1E2wLxiiPNggVwM/PMWg +01oo+JOBvRXSC3OqJSKuzjpvuMxUc/sRB+e5/DR6DzU +--- l/5h5BN/Xg8MD3uVUMN7R3Z9GpmeV/AExODs8HpAcvQ + + ΅p5_QxïI ϴd͢"9Į{s'ۮ+=2η0񝴝ױ{zΰz"{M '#n89.wd/aoRZ~uүgs`g/ \ No newline at end of file 
diff --git a/secrets/restic/neo/base-password.age b/secrets/restic/neo/base-password.age index d445971964c11a0ed18bddff2e45f0411b666a52..7b7e3a7470c4fc4c491dffaf952627560195edf5 100644 GIT binary patch literal 1235 zcmZY7>#Gz60LEd#F1SW%WEv?9VNea*+-G;Qvf110&VA0#-X<+~ZacHHduC>5FEbm6 zmC`9G3{K^TkP?edd7?fDL5T^K(Op6%G|)h#qOu50>rmFGvcKTr_wu&dX40J2`>{W8 zyy-i=ej6GgiR8UN7}`nGKnViL01)lR<`__2qSj%2fyvh~nDKZ>&QAI+*Y&iz%=@9D zz&Wqfk5P)26LiHXSryR7MW$_K)4@=W!9qc-Mov0XdPNe|LXN5%q$rR7)_iA_^ihHY z%yCY~#sGx~qf|vg-MoXby++j=h(%M4i?lsb$Dm<1%OH+xkzh6IUSh~ZB{edHK$cQ9 zX$&D{kPZy4t#F2(%P7jUt5b|@bX$1)KNgweAnB6TA5=TC5*U}7+(Cm#%RPR`Ny7oI zOf|wVn=@6s6%TmWhaRh7dGXlQR&i#)W3vSLmQB8R>kO7+Jx>A)n!)Vb%|H(a;50FK``)AY9fS zVBLbK#2SW$33q@Ac2yr`K!F;mrfW+kA(3{#XB8aopu0`Jo_EHtr?GzHpWD*#bni0rm#18D!P_sA66=TbkiUFpLZG|i9U9=p7 zxmIyfmlJody#3g^FQ3^0Cr>TgUE1`jGCi89)7QXbl2dxcVmC)-0SByu6yFpHlEsd$EkUQ-~NKSXQj6P z{#RzZ_q{v(aBkntkH2*8cxUs)vwPR9Kl$l~)4R?u``EeSkFQr*2fjUUYDMoF3j3+L zbMcce@42phXy#Vn9%QX`_>mK>qwKx(IoT{fKLc&JcE^!p->;VzCAuY~xBIyz&5wS)Wns-z4-zx_ G>c0RA^SKKE literal 1235 zcmZ9~|H~5v90zbMshIjh6lOo93&ZM}dv4p^ZMTH*cDvo~xv$&p+nt%uecRn_yWMT~ zW!pvafT)OQNNO4cW<^Hi<8Kj4luDvdX&5N>Lr_T&k_lpAVNd;3&mZvN#pnHg%Z8rR z`|5Dw`j*q5c7_HJrenz$3kd@+=)Jl8;GtJ-5jVpB+m?TY*4oY$W*#f z#E)tST5S2SPVqJ&Sx(Fr0?6tN{CXn{ve~>ck!cq7IH{wNRRaf`eiQ^c?pFdN^^fLS zVbaaO*|I4>7NY@v!SYNb?Sot$Ndvu74nx|t zs6QTe)1cYoEE8?w7Fw+GBMoL!v3lU=sukNXd6{eu(Jv-FchCa zX)Y%*ER6ZMUL?4LR|kVg5Mx$5gLa^1zfxc)qM>O01m7@91**XiXb;fy$SBO=5X+zl zv{)lpQy@n1uokt{LKiNkU}r`k&7u%>Rbn)Za)w8?D|va`8ic*nFlwqXk5;uo5$*x@ zKwii|0lGrRQ*0Td>Rr)e)24%Sq)cPl@ZW{}caM6DL47oCharWKa$zXgsrrmu){uf= z6RCDc5kbTd-Uucc(8Wo$V#I=mTj{zu16mCrg0Vpf)KJDrgF`Yj8Banw6%7CjRh1x+ z#lOL3%TX(FC6mDqcRgfE{Vq0wZ1xdbH(`4mGaN?uuu>K0DZwU$J$`@>5rzzPU*`{NDNvTTkDz zkDppy+Ijf})4yJPXW5qre!K7h{?x~xU*4oX@@ZnT_~VuO-ty6dHxe5!-g*9v^;~Mr JuGe=Q`x_brx2^yH 
diff --git a/secrets/restic/neo/base-repo.age b/secrets/restic/neo/base-repo.age index ef64cac96c32bd875aa15a38162c0159ad7a27c8..bc8eaddcf04d66cb31c67ea74c26cac3dc93c155 100644 GIT binary patch literal 1077 zcmZY5yX)h0003}@^N=_>$RWZ}5InK=(xgq&EJE^alQvEBXwx(act?`v*}R)HNf95& zEsm$7ia!u{ITwe+K?Mbu13?7AbND&vDfm2oEK z1nNE8+3)?HvqdosAv-XewNBmPcL#y21s%8xy_x6foS7L#%S#cRTKvM@bICZ29Ap!!Gv!YFTjTWhjPsoEq4JxKVB7{26Eengek&=2^Mb(E{ODztKgy;=DNWS zs~GXIqeXbAy^RQ&S^vkv0S`<6Sm^q&+9+gL<>MGf2jP5*RXf4T1+WkTTdi1{?2_|T zGL|qj&T>yqDk=}mJhjYzAsGfPrOIv?98fBt@ECPUC(VecKEF6aC)-BuxHOf=R=-*Z z4x3YbD~9*{7^aYgCJ_R?bPvAoTGd*YWf{uo8AqyC*Vq(l8qA_L&t@QDm>h6=#0|GW zGV%$cWDH(DuW@j&bi9r?E{Ad2rMPtxZ5xhn!%|huVp+!x0^rjcIm=>KU_tbpv{vdZ4b|Dtl+QMx|3uJk(|O^Q^BQ1b41tc z&ih(Ba|2hD=30wL2G33jm8Lw%V%5?j@NiWyDI=+Z(WEx1P3S0%#cp>s&|C>((u;nx)KH`Uyq!06CFl4kBs zwC;l06bi}utOio(I511HQDaw?qR2G*yCz5x!IQZ?0cMQ_Fg2P=F&8M@1nTvAoeeX_ zXWHf0R^HM%|>+%a{*LLfB-!PXy{PT+bZSRYpe!qL={mu86 XuKxJl&rh`X`xl(yW3@nx;vbCQZ{UO>_=TlO}DGW^1zzB96#A zISeR+7eRzkQ3Sm_KY$1WgW}!O;6X)rjEV=J7ssRT6a4=CmtoKg_N$`J4x4oUd|HHX zg#x{oz_N^bfsYXc%7CztwLuLU!?8c|Av)aH-L^02a7x1B5Em8a$hRS?Z}FjIO|5xX zuYhBpfH#KAP^~x5s&&2eGF`yz?J6&P(F*4)%@rmKnK{hq|FmpV^)ieg!Jy_={TgKH zvX4|wvA45aV!1St=Xsnd3`;SgiWl1vI!2-a!8KmH2ZmnUk2dl~2~1SC5k@uRev*cX zHf9Y+&Pi52LUe4x9E|+WBDo2yJ+Pv3T`r-7M^G9z5j;M z44NGJK-#ye6=ylxE?ajD!;mgEYZ6qf+5x|dbehEdR4O`|&BBWpC5-o*8Q7$3$`d}* zxYC^0P&pfQOa8zqr4q-mtC8ZCsCJeELv{!xT1iB;UrFr2iHL?k#=&wdE8>xs78+&1 zo*=*^!{U30zo?DjjUI&H?8qM{%RV~I>wp&Ae7T@^`^xP)#vhM^!(_N-OO0qSgEN7F zG=*ZlQ4K^KcqnI^DNEaa#7NjEEGUv<52FU^{E>~O7d1hR=0XjU44%V&!Wq?Sn&U{w z$-9AN>Zrm=m@`vT%A68iwdRdJ4Qx!!vgf54Cz@MirJtzouB-Ke$C)(9DOQne6w+`B zS>hM9V4<)F7Nn0#WLYE1^!!n?(*0vHBordHh8BcGIK?jxU8PVh1Z@!@8dS98BA$hF z0xF};j%(eST?U!0$m)(>uc{p^h!09)^P)yXi*z*uL+Cgqct{qP+3ehPnU=?6d^pijg+L9BTj3z`Z*05P1`^Q|R0&1~tCr&+@*la^OK(E&W zl_|PFs=?kV-EO|1*}5f7bK*hf*51`>H7kyB$=Ap*h-SbY_p3*4e*F~t@^`mS?k2bY zx_9-A6_)s8=Z>$6wyo);$%>(`3QFJ>S8`egm_4e6PimoL4SzfiyP Y=oe>yzcF5xr{K1|_sXp&u*cPZ0bvko$^ZZW 
diff --git a/secrets/restic/redite/base-password.age b/secrets/restic/redite/base-password.age index 35d1b35d48d278ce5903264e0dd3cf58e36ba588..96209231dd43eca78aae78a0e5764ee7bccab309 100644 GIT binary patch literal 1235 zcmZ9~`;XHE00(f5U~oQ=1Qk@sh(wX)u4}ihs}W^wZ{51JYu9#rbc(1j8Vj>)jFBfPCGyQ;oXnce~%z!6gl5qP|r98*WAkZ_Al1D`UXhSWW z7(#F^sYbY*iIN4ql5YZKzBSabnv#J=eufnY3h0*OxY}%wf^sBK5-p0NWhS`spiQ@F zEr4U#iU*xa!DWYquc46dRio+Bc*>2M}g zF=7$RVoX|v^L(8Zb6G}EfnLZRl;n{NYqeI_Xr}C znGoh{=?>m%6(y9G(?*RafOOF^8|55fOXXTHgFh-CubX_la0tAp$L`vAO|o3l1F~Yuj1=A#(2=)T zgZr(4%q97$SmoTVW}6V+@A?*1#|Ti?QfveO0FC7ubdMl&L~+cw6L^d0G^@RQ8s;oT z92*?TbGj=uqngyPY^Myw2#}$Qpo83c$;3pG7K9*+g;v1OO#$yU9D%QfRH_e^LK!ub zVLlW)RUh)rz(_d1Ke%M;nUmiib=F>E&#(PL-E-IHd!JaS54X(?x$o$=y%f1?_l{NU z@d|=o+djTB4{>|lSDL5LH|}2Z)$ZBTFW$KD(Mwz46AMe&7xL@FZ|2_Ge&y&d8{9AH zv%%vlza|IjJAaNa(7>dYNm%EYI)Ke_MFd8Kpb(&OF9gOkTDe0a8t zI|o8|?vlE0k9Gfu+H5>^_0fIQdn=C~EP=;1w)c@MFCI70o%`3H*!%u(ul@MLhIh~X zb!2wdyZMO!z`C9HegYp@v7ejFe!G0t!UvmYIy-M1zWniXyEgR>tUj{h^@U%T9sYTK zd1KQ#f8+K0ESMlV!m(kgW+2`dMs(<6+AJ=a#+q&b~hn}9hd{2wdduQKV IeeKZP-=-|Nh5!Hn literal 1235 zcmZ9}+pp6E0LO8XV@}BQ7(frA4>E{ipp33v*RB$XTi4y%ZtJ@477j_b-q&_(*L7<# zA&44HOeA;-4+@b)iJHje7&KAhgDBz!6NouL0w#haM8#u_NWcWqCp~|`C*R*sP^5@t zbsWF%YCUU1&rv`R3Pm=D2Lm-CiEum);bFCEn1y6`0O-tk9PPJ#O+;G$V60jYCg`>> zL{yqelQk&-HO&bK7zs52aLgw21ZM@V!qs4m&o%9SBG6>WH`S;LTY^18GIcaJ_($t& zUZfAl(XcckIUTghIi(bK(5 zDXz&zDU0V*)l`>(WmZ)vs~AlcOcbc4bHxl;;3(vO7D~`y`Hp2&H3F!JgpBqC)DqLJ zegPWw$h2bjhXCmetQZA39W3nz{g72^CsIbA(c?in(5nJMx6^jf;~j^HTZGa~-0^U% z!2{#w!WHu{DUR82!R$BvK-J<{JVvuz8}o`XYL#Th&Ik@SCWQ}+S&lM_ ze!e4TJcdnWRo;Z)W=4Y0vYf)`Ml_@k6;ntL85{6&itN-oMO#O!W{Y=9gHarGl`@qa zm}N>+qYK-zMU~5r!fYV`D4*oiEZi|_Y0<)gR)f`gF0Q(bAmsrB1d0u`Nd~lqEOT%PTF79Jywk>bKffGbwiOzB<%AAIY!b{weENIAXRSCGLrXn zMaMxL%gc17G-&w%EmXurX!ma`w(NXY`1{h@bOa8pZ9?;XE-9lx^t@W$i) z^#>l@oX$USnHcozD7(KjF7fRl?!XXEm#3bXzGxnq|n zL*IRF(;v4_{-zb@JHm>qlNHS$htxd-C|)z9rwU-|^8Y;g^TED=RlW QA@76sA77S#`<0o$0nVSflmGw# 
diff --git a/secrets/restic/redite/base-repo.age b/secrets/restic/redite/base-repo.age index 2f072c6..1fc6687 100644 --- a/secrets/restic/redite/base-repo.age +++ b/secrets/restic/redite/base-repo.age 
@@ -1,19 +1,20 @@ age-encryption.org/v1 --> ssh-ed25519 hTlmJA XZDs1zHFk+9P4hzZA/Zu+G7sO1eYcYr+0KWTrKI851A -YMoR3tHRBefzkM2KsHco1Bh5PQOtfeN4+ve+nE/78lk --> piv-p256 ewCc3w ArH3Tqls+HA/I2XkR7/dGeBW7NGNdhcAo7uaisl6h6F+ -5rzeWieiAggmtOA5hR3nP0ZiCYg6r08NAWaMkfSzCtU --> piv-p256 6CL/Pw AtXZ8dzJX7TcUa2HhdVglBj7+1el+Tu8NDm+MdnnHSlo -WBOmsYrKZEsiFGdHFlYfZDk5U6cO7TG1b3m4n+BHghM --> ssh-ed25519 I2EdxQ e4oHTYOR3MrDQOyjpNC/EgOyYflJaDJkKnUU7xv/2A8 -0XT1ux2W81hATfRRvAnyWMFzrBIDuKFZp/xLDRkwA5c --> ssh-ed25519 J/iReg uomqbGMQ28HZ3Q1dUDT+yxC8wW68vcpucIy/8UBIHUQ -PoRWEQ89RaQun1Nc02164SZdfYFgwNKNoWbUnilQbcA --> ssh-ed25519 GNhSGw OSKbI416an6C7BE67xciGot0YYVTb9TNTa9rI4+BKFw -xPqk5vIneu25cWngENs90wYor9dg+nil8cO5w31ikWk --> ssh-ed25519 eXMAtA ugsam7RvXNRFwuyWUOybY4nEAU4GGtj2iV0AEXehL10 -mZVFITQYG9/Mw/IpJMRoxJ7xWYCfL8IbbSxdYVh99YQ --> ssh-ed25519 5hXocQ D7ly1CCnsSBSTnP3FafEfJirZBctrQw884RgQz90eDA -XkJtG4bWX0I+jKrqhWXi/kH9LQaQj/kWnFycQ9JRc3w ---- crgTIhzpAT6j3UavdDLQWT6bS5D13qmZ1+JigZJhdxs -"|;ľmBPwcU}(l A~)tLυCk3}(\8^Fﭽ̇L!oZk25kLwgŒA؟G6=g0eD䙑6(ʨy \ No newline at end of file +-> ssh-ed25519 hTlmJA L8ylisvw6LsR52IPOy5yk8XrQWiYZzVTVM06wKK4O2o +Z8jpkaxmPZDFQ3NmO1HPmBwKDUBytda9neGUfxh0L60 +-> piv-p256 ewCc3w A/jTPTdavs7MDUVtjvEeEvwZlwNOzbyp8Lek90UAoIaw +duPJcCiIbpPWUQoQvFzmkAThyEtEHdZuf4QVEO6RXkc +-> piv-p256 6CL/Pw AnNRvokWbpEgYlgIHG5V7cDguNRMfg7lHaQxZdjZ2RWD +f9ZYtq6SQB0wMDaaKrTY+2xcTGxBoU6f63m7hk731TU +-> ssh-ed25519 I2EdxQ uh9OUdIKGWc/TfcqATX72iJ1BYwFUzEd35uwrYFQRwI +DwxNMU4V4hwc70f4jRlQbh6xezPRNn2T+lbkI77bU+c +-> ssh-ed25519 J/iReg uD81hZ8At1q5vA9IC5a8PhPHBBZIHQxAQ2+XRFzGFXY +Qswu/K18nHPT/FPStnBtPC8QpP9FO76t0t7K5Ry67O0 +-> ssh-ed25519 GNhSGw P5cAY0inQ3FtEKk2abI/t8P6Rg+TwHjQOWbOTXhfSys +bYHnKtBNPqe3CYI7i1yPhv+CtgJWfBuUTrWDDNddy3U +-> ssh-ed25519 eXMAtA zg5tTTXZFk+lcAvxCm6gdhN5j+k8n1jNhkoAhmtTJVQ +4NAe9ytki8jl1q9UF5GasjkpIVe/ymTzgWroIUGUQ2A +-> ssh-ed25519 5hXocQ 0EJXZWeP5/7myPDCKEuNgjyw26i3ElsD/1l4v+kXiCg +LPnJR+1lEE7SsEVWfr2Hxt8yuXVxf3SN42B3jZVq0gs +--- 
ySlNwZEEtYAM0gUcqLei1BAt4z1IQSId0rqF7B5bvzU +4/>aF_*8ȑz&*40K:m'I']i@SN[~lu-22%2> +/Rt5Gn;}Ň-ׇ i敘m[]B?2{ilJ)dVV`& \ No newline at end of file diff --git a/secrets/restic/two/base-password.age b/secrets/restic/two/base-password.age index a50a037..24684ed 100644 --- a/secrets/restic/two/base-password.age +++ b/secrets/restic/two/base-password.age 
@@ -1,21 +1,20 @@ age-encryption.org/v1 --> ssh-ed25519 qeMkwQ lhh6bd23FH3Hn404o9sJl+KImq+RXNRZFqPKJcZQ7GI -S2BQK34VYZGSSeKOqelBfcKxB0HbxK9ewRexg/PE36M --> piv-p256 ewCc3w Am4uoXzdmiXDC+qZJVVZNc/FrN59U33cUi2D9+9mAI79 -oFKbEIomM3OfoPDIqRI8I1tAfN4bgfQOMgoZJp2OZvg --> piv-p256 6CL/Pw AnSOSCc21ekFkc5p7W8fBOciNqfBn+wbn5KHVndgNjdV -EWq20DFhf9b1Cf7ARSSMrndiMcE3DinSNfeR5Uu+KLY --> ssh-ed25519 I2EdxQ jrt85s0g6aCA/gs+UCzcV7Pkt703Fs145MPfus8P7Cg -GmBwegl6mmT1WOSMVzpH+V0mXPdW0aC76SSVPGGHBIk --> ssh-ed25519 J/iReg 7Z2Ttvl8MDnwELutnNJUtMSe+DK7VhrDEtwmBTaI72M -PPEXp8cT0MfViIxP6TZX4NaIbU/cncfmRVx+/gP2ztg --> ssh-ed25519 GNhSGw ET5WTttkMHIjv3P3c/PFDv0GJyf8SjanS3hLHsu9QVM -6FolJs4qL+NPlTRQzSJXt6PucFfZBAWqa32tD627IuY --> ssh-ed25519 eXMAtA lMbetQOb1LaoGTgTOyM5VBiOZkKY9VI2roJVkTxwXSc -G07M8nFdtHrSHSBMBWDFPcGbBEVn1qWO8xHIV38YBXs --> ssh-ed25519 5hXocQ SrxklvHG54MV6CbAvAiW28oTkj4XZmeAWipOwtvz6Gs -XdO/tq4NzjOg6GJ8nzKzxY1SvCbFxpfVtOs6hrXexuo ---- 12HUkojZ27/Vd1c/fWLlS6dS2uljdEMAt5tf9KfpRwg -QFW7@r(UXCGUWK6伯YL40.Gb%#vg3RYtSCoIRJʡH~FC/|%/i+CAG|/N6 -2ddK.+Ã{lؙýxSI6xs -cKdxl)Is/`Pl;@zE{==K?;?4_4sZ Ǻ^7$tjCFt1,-/A *;~A|n] |p \ No newline at end of file +-> ssh-ed25519 qeMkwQ 2Fz8aDYIDM4eZsk3TcxqjH6Kyy5tbIpiQ6g51yn7HU0 +dXMgxq8IElRA2BUB+H0+lnEoIFe2cizdx7k06yyRGvs +-> piv-p256 ewCc3w An2qh9XolYIfS6raBPi+X1nyOSKoPW0cC6OW+d4zKKaf +dfqUOjj8hUSsQUM2kHbG4FZvRNwWHIWsJd3c2fl/tKU +-> piv-p256 6CL/Pw A+ICDRTOb8LluaCvm1E/HEn6eDP+g/HZAebym7Jo9KLN +ecoa4ESR81XuIpMAnpY20IV/6N0nonFKkXBa/GIXCQo +-> ssh-ed25519 I2EdxQ LRT9glvKVQYTmmgsDTL++iry57ydE4Yphee2pDiBxDg +8mBHDu0ZmjOnSURnDDN7VjKqv7eq5wwSsC8GFQkoowg +-> ssh-ed25519 J/iReg EHwvMpHVmSquZZ6ts4rt5nllU/LSKY53DMey27LS+z0 +zhAqrWORyT84M0gwp8RValaeE694edXO1EX8zhcQIlU +-> ssh-ed25519 GNhSGw MUSLnRY33yIGShVmeqvKN/mQoAHxkfcli4Tu4Z9at0I +J3eMRdvGpxF9AlWxG7YaZOPZ/HxyN4cbiG1Toi7oecc +-> ssh-ed25519 eXMAtA xaUyXSWWnSsnxiGRAYLw3jrAlpfmplmXZYll2S7tMCY ++9Tc+pj76OoGRdbzpREuSEPL5W/McmMjYYS0QsLRWlI +-> ssh-ed25519 5hXocQ aIZQeO+JBK8xcCqc6NEmIdisHHXaZWt0u+/Dl3jSpCM 
+L/x0DGRLHGCQjgAS8s4rvbdFCeCHti8hYpUo6M1L65k +--- 31mE0lPvIY4VVS/mzuZ/4M+/LkzmNQGyxKunni4DYPY + 8ďRNFShLg8n +2!; j ˳;iٱn+9Ic9KK&OoJmԄ6߂닒(k4y'A/LXv=+eϩ=1ChH$^[كumҨV% WֹNw.Oq9T.Xjs#GF||J\t.bGaMQZtia83'/0$ Em9u!6K@"iِV+Z< \ No newline at end of file 
diff --git a/secrets/restic/two/base-repo.age b/secrets/restic/two/base-repo.age index e010244078930e25bfdb244b9fcfacc05083c5d7..7527459889ee3105545e86df0225f664b668fdf9 100644 GIT binary patch literal 1077 zcmZY6z02bS0LSscM~4jJ=w=Qa#L`QXG;hisq)D14ZC;zENhb5&G->nNqz!VTpgsq8 z!lU3Sf*?1Dn}eW;gW#agB))(SB66sp2QCMmqmO^V=gaTs#^EsB`_-vvl6-$XuVSc$ zf#FTCt~bLlKrjrZz%rE5P6OQ|=VJ7%OXnf2pE!8FE$zzZB+-#Fv_iXMroy{uhL3m- zP%N^@3U(l;NG)c@L?-;EXkmOM!y&%u9Ik+puTJ2x0NZMh6U^p0djE{C8oo9k_ z8Z8=#5oK%y`KqT4R`twE6jq252#@vBwd2YR8wrSrWtP}l*>=%3j(TR0Q6<3+#4YJb zSfFpaUR)t46poSce=M9?KyaFwg3 z1KNpgALSG7ind^pG*2eyOsu^oS4=uy#|DL&jVfGSQ9!uhsDTA%;D!W+p{Ll> z{VAn`-AII#iVU#ztg{Wfo|5=6nYp|TDE2|MrBFBa4g>R*B>6SDMS^;_V6(z1PA=ov zIV8;UioU9eP@;!1$V+s9iwss^mR{&h72C@Jw=9mv%I$+gh>-fh-=_1_Ksi8%CdO_q z<<7G3mZ&^#OQV#kMcp~p^BMvtuWG!!S@Ip|X-!*BdACU%0W;&Nk8NB5 z6U}Vkrj3R-d1Cr46CXOQ1K11`;!1HiYG(%XV0-Mwv?xp!Z=%ked=6Uy#Z$RFSj6>J zEwm)Mp+TSJ8^1dytB4|)(xyaTLk(>mtuuW*Pw7^aE0?I*c|i*RtBzEy!zCtCquE3h zoN#xj4^GDEkq2v}wHvd+L>b$x@xR}&jg|WvNUbGp?Wlw0scPGh(U$q7ibcCG!h?Cz zC;Y*7F|VGuT}%R&&_J|24iaAXWoWCpHi1xa$LUQpO@nmTplJ$Ivq0Uaz;HMOL#dC_ zP*2Uch)={SiapFI*0Bzkox)J)@AhO`D3pPPMp60(i QmpPjo=NAuNdbeNv1M&-T8~^|S literal 1077 zcmZ9|%gfsY008h^zJpOj!3VNS55mCGC25m3LHHzT(k5-vBu&yZ!GU?dA5GGxi4Fu2 zym*)|R1`s{hoP{Gh{D)OJnU2SG-0rl*D>(w!N<|>FZjXF^xc7**=1YQVV+&iOCLPI zz~Ho3Rl&e@hA0Z-y`9U)jnq>;jbX{M3sw4v&|#~3B~*?m))EQ~^$;&yE~hCMi|7Ud zrdA*t2WUH1*5skYOfqRJO@Vho-RdhyY&ve28wd?$0`i|$goi;fM8`e1ncAbKM`ZJ4 zB-l_j=QTP+Fym+$DJy!)aA*w`h0$q&G5fhgU^)j(qiDHW(d~xWb9IGy&145|Qe@SE z>!Jb;6I|-X1VN|@wEt&~ryMB$Ywb1=S+X>U9j)Bz3Zl(2&M5bADTB^vI*)5NT(EE~ zI8Y8)%-+VTNP_#axiTVu=}a(uHKFm;4)OzCj1w+R;0fWS{P{(8NIOTV*T`#h#>K~Y z*9Od5PZ$*TLb`^*VyTEE7x;5DLK9Do(;Vmuq@WZ~)vAbLXtA7sz8)No=9fYOZ^!KE;RI(AU;#AjJTkU_0_qA$`I0 z+%SoDF2zKNjnxu{w9cZB@8^^jBVCZu=QT9g=C;&J7L;VmAv6LFBTSm*L1`n9_4=-p zj69y)aC~DIvV=xH1b7|EuQRSg?Z^@LB<84;W>FPirt2}r(vIXIG#3|+Hf?~xV9XY}5&i5bv zbn*1>YZrbvdy{#1v;T|o`#Ya~`u0`j-H(B5CtqB@M16Pv)+ZlazIFfUlfQm@eSiJe YFaLP&ts5_VMPI#m=e5tn=T0vD1JP=2l>h($ 
diff --git a/secrets/restic/vaultwarden/base-password.age b/secrets/restic/vaultwarden/base-password.age index e2d9fc1aa4e6db2e54992f8785775cadcbaafc2b..19b7f81b61afba09ca57449889387e6038a9b831 100644 GIT binary patch literal 1235 zcmZA0edrT)90zdaM;6mEjQEM5j1qiUbK7lqyQBK)-FCa%!#!-f-EAw1-R-;EZMVDI z?s0=OABZAJiZFvx|44--3^NNcN>F^l{z&PM1RoND$o^1*D1T|c`m26_e?IWy{r>Q2 zsUQjrWi+-N%``TcBQ@qFLeZJ9ZFi%f4Z&~%3k$=5EBWE7%@Sq_vOT8PQGvt;DMJ@Y z+m~bF7?_Gy4WzN&M1c>*L$P8p<9HZnn10*BaGOYC9im=wTM?@cRS{oeWQ1@LgrL-a zG)wcM76c<<;AfPiAI8mUO~+L`U`fhKf#RSm3KTDxL5zWg#z--UmOGX#51CL}C{iXR z8$tA@S?3UMT;_a`1!j+nXM8mdiw4k(HKa|Ioo?!X7LqB&_&ICL#=ExMF@|+M5M(R{ z(-s1?le(U$;A$3lQZi3wJ=TT_$ld>o(4bV6V;M2XR?!6AXgOVu9@A(C0+FgB>5UMR*4sne zFXlR99k9cRlH|>jIB%`s>~VsgAOYG-*gv~&7oU!j&yFP*ySe!>2A`pVV!FSgcRxq0GKDt+t_h7Ck<_cpQC!JGpiBHF@o_ zZ;v_$muw@pogJL|;kz%7cXIpB2df+E?la%tJ$LrVnVtKH{mo;~t=UJvyW+LI57yn^ zE*_hDW#OXh?n}<{^=~+tQ=h$k_bGn!rPQUpPrtKis|86tB-R0!P6TSESp)dwF{V^3qR#P Q`uv%~fv-PVGrRJ^-vqw9-~a#s literal 1235 zcmZ9}{mT;t0Kjoj%34o`gpl@>vrvjL@3!4;cZ%A*ZFkRhx7~Kzy_m+H+wFGS?ryu+ z-67@=X;CIch*msQiYUetLPh;3Sy2knFGXf#q)=i-_F&ly)zgnXf58X7-?px$HA{7( zk!RS}Cfm`0Ad^UMOS*0^t#z{bdomL^6jE85uH&qv_<$ZjjdHDCC{H+00COl?=|QqFitYcjkrAXv z**u)oLPE`jNlbUWfUM+aU7)E10z}gm%JH0TAuW1F0(4Lv!zgaZaa$QC7=#jIHA{yn zB_;SGm7)nzap8(5T1^o%iIiJ#9K$c65%oU{CMrN}(E>W$$Yi^IgnPXijlgt-WmL!q z$68S6)3OkgjssL9k44~w7Iq;Cjd}!m5Emxk5|!Kvc??I_}bn zOqS|Q_#~R`E4rrlSve~DVL3l$Bhf9#)s{FO)@O@llGN(#*sOIjY{IHA!=~wnIyz`^ zW~+gb-6qGH1%-!eniO|swwFOhg4}1JrP>T&)HOXB8*k^Cu%W)bHp&$b(;te1F&we5mZNIPK8K~nKW8eb`T~EDIO6MUSgTv5Z8)s zqhMJ?GiETA^w^P-7o>vPvTSW}(Nay5Sj@wcB#I9Uep`?@wq25#42lUsoEtznv?2}^ zG>dq!9h4{zv-reVDUS`4SJZZaGYN*~fd)5Z2Pq`xacN@81VO8i20^X>F4giq$yWJf zJ`)LpA<2g0SeAQ3RE&ppDdmeSpgD_mX5CN#t1SuW(|m$$>NW{5UL*}tI;V_)vQGy> zYNkDbWV=Il!YHwgAAb=cV>AN_4AU1`Jl|8 zb(D1z)919Q$6i>q^5`{WYkTLy)~hT2n7lF>PyYh%xNi&e#07t0_3WN~YWu4nk6zqg zdS?E{17~-i`s{S=`0)+vPU_{y!#BOXo7H#CoxzEXx1SE~dB1T&xa-QDg80UI;nl(B zQ|GrY=(|4OkKMacn_9k0Jh}JVpO){q^!3@7FaNWB(~&m6a(r{$fy%A)vwIkP+FADc 
z$FFTDeG#m=&0mjQSIrmcV^i;;$3Dc?UHf~PIQP!s6I<5SzSMtx$-d(zw6OZYYlqfe zJvhHFb9C8-`KEf{{3DmeRde;Lo4%R8{_vy2yEisB+?cz+xbg5uAAI^`bng1aGl!yu z=fzC%t;*BemM2zQz2Bev+1!gflzF>-=C50R_~g6Mnk!GuT}pp%YX^T@k@<7C*!UMH CJhp29 
diff --git a/secrets/restic/vaultwarden/base-repo.age b/secrets/restic/vaultwarden/base-repo.age index 875d74af8b3c7182cb0d858250d6fc80672933a9..ed02333cb4d4362f5c4350e212a112e6194142cf 100644 GIT binary patch literal 1093 zcmZ9~Nvq=o00(eKWtdklF5rMTkWo>FzS=C!c2To6OSiOX)28Z^>`9wu-|?oRBYF`L z#FIynLGYlUI5#~g2nr9pD&s*B4}zx|P{)(LPw?Zv=&s$fLo;pS+>gR1qtxw}P^b44 zkY!%awqO*6NMM=NvvCD%p|u8+jn?-?d?xHvwmoEmpp$B?W1}+lJUX{AiO8)v(eW4E zL;%}ap2!YTvwTG|6rNctEzfPF$%K-yG$r&Zd$78##eUg~VH5-GiZPK2ppeCs7}-%F zFU!N2C9zl;`Ie9IT7l-oUYV|8T&q~y7j&Wn?qgv!2q7JWCo^_C0GlR}nMF53Bqg22 zb-^@fI%`Wu=Kg14%(yS#wn7urVK%Tueo8M=mkf}Nx5-Gxh)fcvNC~nP!V+rH2Rqa5 zh)CuV=g`}-hzHu-r1&_eDxw>T3ogLmXe#1|a%K3{*%n2Zv+6lu;6$vq`Al;()1lzP z#A-Nz@oed?H=F>$MLyc{2X>A!ZYNLi9hcG#Mh8do~+C^%TAWMg^*>Igvt%Lt=bDO9M3- zxstIPLN2o`P3MqQ=mf-Z#O*96EjWh<6US}(kgD1YTp0($3t`K|x&D^YL@OC< z&T95%Lgf_T??{o~DfZe!i@s@|)lhE}nR8%W)78`=<;5zFi3T=Pfthbv1qnPH zrG!ushOtlA<1P&iIt3(fVWkWkejjbLv9!lA*oxYukoBkvWOku6B2`qWp8fOwUJq#5 zowR4k;U=!wtMpe*mW&N2QvaOIw>m)`vS?aN0ekNyV=1&c)a`h%g=nH zeQR`|eX;xX?5~GDJ{-OG=l4G!9e>4~Kb4-oas1Kg<(2x!udf_GfBI!TE3d!7-u&T5 m8ND_A?Xd@;N4|LL(z#D{^>Fgi$(0)y@3qS3&R-or@Y>&h@oC}! literal 1093 zcmZY5&FkBA0LO9gFr|mVP=|ttiin5O<*|8~ASP*&CQZ^LZS#Z*zobo*CQb59nuq>C zR1iGPhw)?JK@dbQo;E@B;to4Z=1GwaFHVFV)Polp>dATZ=U?#peBMW!^>Cd9<)PTe zd3GT$H&BE0hA;H1DjKd==xBt{{RQY|O50!P^J$VMOhUx#m=Ww4o{lZCl0z5C)7H;7 z!d_T-JEF+co{fV6p4SR|q?f+YkfA~sS|W2?H=c!|foQEkZ%D9rh~>Xp5jVpE9TEL? z%LQ25XW}$P4r-2Q9WI+&G)A(4IaSwNg4RaZ2Dp1*?jn?Ig&6Kd4XG(?0q_FJSPsG2 zW`fxTLTdt*&0B0H8YZ83w$j4Ee=LGiApL=r&nQH7alF|0unww5Ynzz>lcqCOeVU-H zP#O5bMn9^kvNvMAe2L9Po2AFa*uXT`S9NI%xzNBxG3)r)COtFuMWVt_SCmkG)fs&V zGiHn9aTq(=xF)JZ9(4YEH`+74z*I;w)=hmurHd-wO1%W8;ZTVfX>8*(t%!)hnu{{S zIXd?0Dg*c`%}TUZCj@m`lcCsLZ~DMum0Wg|k-RF$PQ@P6cHQrSv}c(PLovl58b=BKR3d+ag4 zFoOvYygBl}l50n0_Dmnmozl}>7{pZ6O{rWKgw=$VFt*79%%%9$8gLCLRBy8E6#-Qe zyEtk%DMb=l^0slV()J1&Dde1~Ct>ZcTb82p8FTvED01?^=!0|=1m+Q0ivzH>)8k`{ zl6*}ilIemSsBuyQ6F^f7PL@W`*>Z@5tSUCGsg=0wpokY|dL}1=Aa)4Ugvky^$T{F? 
zsW%)B`y9G2SFVo|*rpkEWR9ejws&MHldKZ5?dZY23FT-;2bR5epT08qup#hE-#z>1 zE7#ATKU~LdhZw!Ndgsmhr-(-)8GQdk_VANK^0z;}ITL>J+Am++y?3LtZr0s z=5Kw}Jb&@R*s!b3i__h|junR}Pxm#@9_4D!U^@1Ok#6?t)P 
diff --git a/secrets/vaultwarden/env.age b/secrets/vaultwarden/env.age index d2d5d0e9ae192dc971ded2bb706ab16a82510da6..c87a1685dc77cfe153cf44fae8be6b12d4c4cc4c 100644 GIT binary patch literal 2951 zcmZY8`CkkO0|xM|q)XdM=}>D(8C`Q9*(@_P_ubqRX_|YQ`)sBxDrMQW%N3DQNGB2- z5?bVpbuH^iMaYJvB6;`y@!j_?_dR+O0SF8n-m}$#5?XsfZ42! zlS!cn1SA2#F=jESc7Q{LG1)Z+7>`3?LIq%5riiFukcAm!iipS*a2X0AH-XP5I5j+p zx7fi|nqWdUo=&7OLCNZ5STabS!BVI-T9zFHN3o@HsKZJp(Fx%HY6g`p&HzOq0Wy1% z1ZD?djL?__lE{h>^RWUDj0nM6#U=qxmZ3&xQ4BT&5=_e=rm*NLD~jZeWrHOdMmd*& zg)uQHEUK8Jz}fUx2}|KLQ+Y_WPDzBqR9OUwBJ+PNWD*s`{KvA9(G-eAPZhzPc0#h0 z385jhN*z&e!Nll=47ih`QX!B+Hb=$ed#f`HMk!RNw`fF4kUm31rJ>9Sa7L2EO6KAT zd=Q3AkXVp%AqoNicZ(z_PMXC6@Zc5&mXF8)gOGZe1>?{pD|yKzObk@6LmABil#-;f z(gi#f4{G+d@Kf|yE)kBilT2AGgdA;r}!;NR=W} z0KjY|4y)A29a@!>jz+1GI+?|UH^O4L8Fr4D%#~xU<`@V|g;Wc@5jqqIE3`teU^hT4H}Ni}?a5jhf8Xkpxsa1tT&zz&aidFTsg; zDR2yi4z?<2|JGyz8peVFP~mnd2TC_`Wd^1R0Y}4?5Wbqvz}rlw7%3bg5RsfFxQfo! z+qvFEydjBUjge|GEIL^(RMO1|3jzs6bM+3Q6YMaU$O%@g-l1ed6#v!`N`YR&0;r5) zuGOiNTNA*r6gCN+iPVu%1RNP5AZcW1nvNycfedgo5(3eCgB5Bkhp9$dbUY1(M->~A zlF1a6SqqV&=*beMSu2L&k&I*>4#xG4i;Dv|)VwUaApwdtS}-`3+N`yscv2QRMj}ii z3W)+FnQB5|WdemzM)DShlmIh7A31pb-iSRNb3J~cwe$3@;Jsxv<;uDTD;|MuwkM;GcbB8FnqBZrUSDL42k4w*q z2yNfA9reCTiAZRiUfb1ixR3em9?!*Xkkv`N7w`*m|ASH8rB^bSs`5KuZ#5OVCxuqt zu~#gaJh!}iQ%h~#aMd|3Viq8v4-_H#Gv}d~@v(jXkL&Kw?SYtZGbav?9qg}4m>$}; z-RRX?zz(`6A1ObTmE(=5IEeA)|m&f}V`a~G^j?Kr-KZF5F)xWJ&{aBMa8 zN(J}+?XpQffu$Vsuy|qPpBuj~OTB+P_gKoxjqwjcWQ*kZqn5U3ZpFmSf3@w*e^1^B zIr%YWEOErm582V|#tQ*ID+lHl&Dg%1rk!1KDkOK!j+Vlllit~XFtAE;9s8mCu%*al zEN*%F^tGv~>iI3T(d|Wpkh7`I?d_f)$~)wTU0ybjf|F$W&CfjV1nqWGc32_4Qstgu z)YqCuPQ+6fW?|gr_wOim4|+#HrUr%Dd^dDV-T%pXbWUJ1Ye9ZDRqhh`n^BfILI@rb z4|+=6PXJ4mFAiVO6~?MJS5Mt}4UWH?|45Um>-8Ue@CPOO`hz*PkH}@gOBj%}roCq? 
zrNCL%QP<`f&vPxpF<{@#wUwKgykMV;ivAs;->>I{7~hx+ zpaP3uxMnlieN9RIsPTmXec(J=?8kjdB;6!e>FPp3OJGuIGTPTkCZIA5To+arn72`n#Z*WJ5#|9tXooZa97;447JNZDr_RZZd#|jwn zsSD1hKDu_=qd7SE^Z5-wd*7Bs?acQ2TJG{!)XLzKeVH4}-K%|+E%!PMw|oC8Vq9%z zK4V?hRnLK)C!C&hYEEiEfxco zn!ms1(s3_mYstI^%wh}wwGTtzSZxXT(Q_Q!>tk3(VMVZaE!Av zyrSowct{x)^kVZs39)|Wno+Hv((gA(%+E~D;UA)15d2?rbU*p@!^0ycBih9|kkNDg zEw4||4}X!ntjj;n@tEbC-8JV7u^8R2n|13^JUwExtt32sd(reO_E0{+x8vnfod+Qy zZL~Q+?0YJW>bL#tP3r2D*XLG>R7H|R%k9NC7u+bH$+9Wf#B$HhfQRqHLNU_F#GaT@ zC1{*8N*R=gZ~U`PloX%yJ}b!6-5?(R#&Hd-sN8@`&ph7V@F4bg4^SPjA??+YvWa&E zIq=@Y&XwO*h3uR$H$6(%_H?K4>hhZUV?lhMUAMy4Ct?x%Z9J18Of3;y(lKmO<`O9+);N)-|u}SC}Pl8 z;xgdcR`M8!n+hapn~>e7z94#78|JRM+*3Gi^Y?ig^_{2BLs-BlXkc)t@XU&{zwFMz zx9=T3v8=4GgO{;&QG@TT>nmhDXdj_`dR|ar6AV1?WbyYAz$Czlz4MYgKUTdgK15pm z;w|%S8bF84&)e9)*I!I`M$UeeKG4yrQ*?O^1|AnC0c<<7I50K!&g zPYI|x+NSa^phy~)Z6&HdN;I|gtDigpf5`i*tJYvC5%-3jNKtGn4ad4QkS%ZXzS1hb zI&;OB4s|x|(|AY^V>N*fnKd(g&rCFDnXx+ihkzARYj(uuPZaxDU2AUL$xY!z7dKaZ zo~PS-M%b#o?pQ)>4}V@;qn!VpsBwSs5r5aN#&w3Z7uExB%{$vM_8#Sq#LTWIl2+Zu zhpphR*um$c(E_ddK7neyz@ WFh)0i^!$BBc>k8-q1x5AT>k?d3HjyJoay1e~JI&op2-956)!b)VJI&P`&3%)jBx!AulCqhQE|erH zDMzVIg)W3Bd{%OYqN9YYI7F``8GuX@oeF&J&($VdF7!z$Y=>!xw7zrbKP_S|o zT?mhH=%6uHeYn}Cg^5f!8wkP{OWAlF6)TIyb7^KaU&r~Mrc+peIw&FpAhlw|Fe?Bp zr;zzf5(5TSBLqT~QG*YnYj{cr35t-|bOyOmsf|$U;#9G*QiKPQstrO2h;j-)4i!hW zi}Y+5j2Z*O*wC?N17A(TV0iKnshDO2Q~%Ej!B9Z-f2~+ns6!NomeCcEa12T;7Rb@z zp*A`xQfCxHDIk^H$QBX_2DF&N^}w3B77<&khojh1v@!wkf+WF%Lt_;&W)TzRVJ8G3^cI`~Y81(oa*CNM zMPW50B{7o4pyOg01g6qLq8OD18BYAOMu?1M5v%~bkQf0~>a9YxMWz=sq-G%#%{Ov2 zQl^P+k*QQl3mK)v*bH1I+QSrTp-Z(vQmvE?hKCYDwIr%mL1i!mdX<$AV&UQ(9F5fh zVMFD(pEW6;iZ-DEQWH}PmBBQaSVAaW!jC}Vg)%mqXON%?2D(hlaexpyl@tv9x7C9W z#US`%i%BYzLzGmgjA{WHa9klB3=v4lbS&AZ9^0i_HKyHT!k!&Re zON!$$^kSVYhJ?4X7#s**AvM9p9J|9x<5^$`jm_v0#FIM2Fr-6mB?<7xIF(YQ=Ne5i zmO+II?>A8$h0X9ZTv0#HDIpH#u#9*R?3)nEI3=XG~ zsAwLCuAq~x9-JoTsJc&**~q<>Bc<+{5Z;#@4vF_GaQQ3f+Ld42qLGjpBICW6wU>_9 zR1YTSQNQ1Jzf9iL#OtRubRYWUpUn3f`O+#N?QIfvvW$z!` 
z6YuUJI-2I>$LE!D2ig*&RIF>CKkvM8tn=WI-n-Ck?fI^;%X=AAWVY#BtNdy1PKmc% zt`_bOueCa%72W&bM+-KhpROVp30}pwo#U6ZTkEq1dP@SC5+1$vw_(zZD3EMze;@7f z{G|uS8*JnLr*{2-wjABEnVNeeB`p71H{(a*R|4^A*Q71(=d&+$S2D&p*=rS+k3R4A z)BSf=b=s`ax%r9~2#{Z_y$A35&hGQN_wi(0YwdSnyFgdq9-R@vlBB4bT_a7)N6K9_ z!%J2OJ=UbR-vVy?9A+5zB#d@gm2C;LlFvFaMoa!P=gwGWU609Dc@VP9hHLnm z-fg}aa$AV1Ep<-&s!j2Fn3l4@^XfwWtEMhc$?Az02`{_7bvI;Zo^8#L`vb3& zihMj^{QF7lVeK`wENT!6}4wR}80# zt3z6{Kk^#|DW?l>`qY(A?JdZdQhNMR67EjR?aADhqWWo%P$he-rql-b;;)0hB{6up zbio%(J6 zc;vlT*e;J2<9A}9m)}_GkBu%9i!fQ9J*_tbj%F4Q)mbg}yMFJv5u8N#L=CQBdVu7! zl1q!Y=9ZlJWl>^N;`Mf{@3j{@do#Y3l66FLxlh%wxY09@EZ=pw*6m{Xqy_uxQ;#&f zSnC3*^L(+pZO4~^BW0Z>)C*#Nt45K{l=Y8AJX26o1Di=R)=s$k@_#g;i@7 zl`D@XjK4XSW?x0oLgF3kiUPTn3pgzWKb8iNk}8#7IPAvS;0OF- z@fTUw@bb{>S!Q40-Y06w=R5wJPNhc?sL}Pwk9c>SW8OO!`T9Sc;3V}I)tm;SP(JlJ zo8LCnDg^MtqQJvv;%#BO$|gNsLh4_m%co7=ATi(Mon*8W@=oV?)_r59ak?g5XNCDS zx;XQgheDg9=iEC#Pd6Vh#{J+*`Q{GWwW2Vp8hh&qHT0j4?ks(MsyOfReC*0|NjaGp z23t!<{Km+aN;b#|cxZcQ+=(36ImL3t`^uA@z^xO}Fd76&GGh9kN8^6K=8IhBFcjYYBdmu5dZwuF&VI4RR- zcjwFnKA$2gd=3oYW?jr;JURFzW4@%~p5)7o=WBQEcP{Ku^sE|L$kedzuSr04NB35; zr;WJWYx>x(8Qyd{pnd52J6+M!08v@{M4zd3AJ%=d?C|(Juji#QQ$qgmgXZ!zb%ob4 zS3kpuwNuHOxijxnyNy20IWe%z4>&v$wTkA=$)+t|H|01r(KStIq%GPyYyXoPes=2i zXKT)lN}f-@x$W(IXEsIc`ew?`jL7KIftbumGvAzjGb;;)e_a*U)+9LDkua3uxM5u~ z_iD38>Z0L_wCCvfLuow|sxU-mmslN zkD!h58nSWwXXlN_?wj77s43nUYTJQ4@vt=f+}hE&ufVhYFI<8GTGH?Ux z5fATF6IJaW%{woT#8}Piy^(rpXW4Yy(`UQai)*~nE4~7Pyu-$iXGzY-$qo^>P?ohv UY!5qgVQ^_?JJZ9Nbl#`;zj%QuYXATM From b7f743d60e5f160612f52fe985e6fd6c6ef840cd Mon Sep 17 00:00:00 2001 
From: korenstin Date: Sat, 1 Mar 2025 17:31:44 +0100 Subject: [PATCH 36/41] installation de periodique --- flake.nix | 5 ++ hosts/vm/periodique/default.nix | 15 ++++ .../vm/periodique/hardware-configuration.nix | 32 +++++++++ hosts/vm/periodique/networking.nix | 53 ++++++++++++++ secrets.nix | 1 + secrets/acme/env.age | Bin 1304 -> 1304 bytes secrets/apprentix/root.age | 37 +++++----- secrets/common/root.age | 67 +++++++++--------- secrets/neo/appservice_irc_db_env.age | 40 +++++------ secrets/neo/coturn_auth_secret.age | 38 +++++----- secrets/neo/database_extra_config.age | 39 +++++----- secrets/neo/ldap_synapse_password.age | 37 +++++----- secrets/neo/note_oidc_extra_config.age | Bin 1555 -> 1555 bytes secrets/periodique/.gitkeep | 0 secrets/restic/apprentix/base-password.age | Bin 1235 -> 1235 bytes secrets/restic/apprentix/base-repo.age | 37 +++++----- secrets/restic/client_env.age | 67 +++++++++--------- secrets/restic/jitsi/base-password.age | Bin 1235 -> 1235 bytes secrets/restic/jitsi/base-repo.age | Bin 1081 -> 1081 bytes secrets/restic/livre/base-password.age | Bin 1235 -> 1235 bytes secrets/restic/livre/base-repo.age | 37 +++++----- secrets/restic/neo/base-password.age | Bin 1235 -> 1235 bytes secrets/restic/neo/base-repo.age | Bin 1077 -> 1077 bytes secrets/restic/periodique/base-password.age | Bin 0 -> 1235 bytes secrets/restic/periodique/base-repo.age | Bin 0 -> 1091 bytes secrets/restic/redite/base-password.age | Bin 1235 -> 1235 bytes secrets/restic/redite/base-repo.age | 37 +++++----- secrets/restic/two/base-password.age | 37 +++++----- secrets/restic/two/base-repo.age | 39 +++++----- secrets/restic/vaultwarden/base-password.age | Bin 1235 -> 1235 bytes secrets/restic/vaultwarden/base-repo.age | Bin 1093 -> 1093 bytes secrets/vaultwarden/env.age | Bin 2951 -> 2951 bytes 32 files changed, 366 insertions(+), 252 deletions(-) create mode 100644 hosts/vm/periodique/default.nix create mode 100644 hosts/vm/periodique/hardware-configuration.nix create 
mode 100644 hosts/vm/periodique/networking.nix create mode 100644 secrets/periodique/.gitkeep create mode 100644 secrets/restic/periodique/base-password.age create mode 100644 secrets/restic/periodique/base-repo.age diff --git a/flake.nix b/flake.nix index c212442..635d62f 100644 --- a/flake.nix +++ b/flake.nix @@ -60,6 +60,11 @@ modules = [ ./hosts/vm/neo ] ++ baseModules; }; + periodique = nixosSystem { + specialArgs = inputs; + modules = [ ./hosts/vm/periodique ] ++ baseModules; + }; + redite = nixosSystem { specialArgs = inputs; modules = [ ./hosts/vm/redite ] ++ baseModules; diff --git a/hosts/vm/periodique/default.nix b/hosts/vm/periodique/default.nix new file mode 100644 index 0000000..e0a5ea4 --- /dev/null +++ b/hosts/vm/periodique/default.nix @@ -0,0 +1,15 @@ +{ config, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./networking.nix + + ../../../modules + ]; + + networking.hostName = "periodique"; + boot.loader.grub.devices = [ "/dev/sda" ]; + + system.stateVersion = "24.11"; +} diff --git a/hosts/vm/periodique/hardware-configuration.nix b/hosts/vm/periodique/hardware-configuration.nix new file mode 100644 index 0000000..07f0ec4 --- /dev/null +++ b/hosts/vm/periodique/hardware-configuration.nix 
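Review bot: In hosts/vm/periodique/default.nix the argument set binds `config` (`{ config, ... }:`) although nothing in the file uses it. `{ ... }:` is enough and matches hosts/vm/vaultwarden/default.nix from earlier in this series. The file also gives no reason for `system.stateVersion = "24.11";` differing from the older hosts; a one-line comment such as `# NixOS release this VM was first installed with; do not bump on upgrade` would prevent a later blanket bump.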
@@ -0,0 +1,32 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/ad1cdd57-44a2-4e1c-83c7-8810a567e0f7"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + # networking.interfaces.ens19.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/vm/periodique/networking.nix b/hosts/vm/periodique/networking.nix new file mode 100644 index 0000000..b8e6068 --- /dev/null +++ b/hosts/vm/periodique/networking.nix 
@@ -0,0 +1,53 @@
+{ ... }:
+
+{
+ networking = {
+ interfaces = {
+ ens18 = {
+
+ ipv4 = {
+ addresses = [{
+ address = "172.16.10.118";
+ prefixLength = 24;
+ }];
+ };
+
+ ipv6 = {
+ addresses = [{
+ address = "fd00::10:0:ff:fe01:1810";
+ prefixLength = 64;
+ }];
+ };
+
+ };
+
+ ens19 = {
+
+ ipv4 = {
+ addresses = [{
+ address = "172.16.3.118";
+ prefixLength = 24;
+ }];
+ routes = [{
+ address = "0.0.0.0";
+ via = "172.16.3.99";
+ prefixLength = 0;
+ }];
+ };
+
+ ipv6 = {
+ addresses = [{
+ address = "2a0c:700:3::ff:fe01:1803";
+ prefixLength = 64;
+ }];
+ routes = [{
+ address = "::";
+ via = "2a0c:700:3::ff:fe00:9903";
+ prefixLength = 0;
+ }];
+ };
+
+ };
+ };
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index bc603e8..b7a9526 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -35,6 +35,7 @@ let
 jitsi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB6jVMIZ5y2oXX9HOkw7r5UUjw95MlFaFuu7FnEC0Q8z root@jitsi";
 livre = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVfKNokHG6ig32hhQxTep+fKFmKahlDClPrX/dP4/gb root@livre";
 neo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGfSvxqC2PJYRrxJaivVDujwlwCZ6AwH8hOSA9ktZ1V root@neo";
+ periodique = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTdfSIL3AWIv0mjRDam6E/qsjoqwJ8QSm1Cb0xqs1s1 root@periodique";
 redite = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwfVmR3NjZf6qkDlTSiyo39Up5nSNUVW7jYDWXrY8Xr root@redite";
 thot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKNg1b8ft1L55+joXQ/7Dt2QTOdkea8opTEnq4xrhPU root@thot";
 two = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpaGf8A+XWXBdNrs69RiC0qPbjPHdtkl31OjxrktmF6 root@nixos";
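Review bot: hosts/vm/periodique/networking.nix gives ens18 and ens19 static addresses and routes but never turns DHCP off, while hardware-configuration.nix in this same patch sets `networking.useDHCP = lib.mkDefault true;`. Unless the shared `../../../modules` import overrides that (not visible here), both interfaces would also run a DHCP client, including ens19, which carries the global IPv6 address and both default routes. The host could then take an extra address, route or resolver from whatever answers on that segment. Adding `networking.useDHCP = false;` inside the `networking` set would make the declared static configuration the only source.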
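Review bot: The `periodique` recipient line in secrets.nix carries no record of how the host key was obtained, and every secret encrypted to it is readable by whoever holds the matching private key. A comment beside the line, for example `# host key fingerprint checked on the VM console`, would document that the key was not simply taken from a network scan. The `let` block continues outside the hunk, so the lists that decide which secrets this key can decrypt are not visible here. Of the rekeyed files readable in this patch, only secrets/common/root.age and secrets/restic/client_env.age gain a recipient stanza (`FtI9pg`), presumably this host; the apprentix and neo files keep their eight recipients.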
diff --git a/secrets/acme/env.age b/secrets/acme/env.age index d16172e90df8d0b9c75c0152269cf2b8de697314..a550ebd3525b6edeeec568a7870a842c82acb1f0 100644 GIT binary patch literal 1304 zcmZY5%kR?!0KoAO^)me-h9G)SDk0%8f41w^Zat{9dvxn->$4c0_UNp#!%n^OJA__1LyN zZjXh8lh81B9f{4s>1+VXlMtg9Q+G1W;(AxE6x^ZHCqtuYnFA~es2 zKIn@LFUS|XyseE@Wul=ugpD19%WIO zW%ZHQ7nE!YOA|-Twb}~nwatcPmTYAnC5@!Y5ra}ao{6e68>wp2nb0GC|MW87Dvgjl@lPcY;;W`YYefri4QydV4 zv7}9vViiX^5dhFI2R<{cBzpRLZS(&MG325TvC(u zX1yKdQO-=_vTbx~Y)O;;cM`GXK;r?k8x~R0B}xnldbWZgYIBaKs*1&>TA!Bhw9vZU zEinTk&iO{r4n!C78;MNIH0DHnWro2HMW+2l$}W|z3c0J(Z1tB?fnDCcK<_CeC-1q{y?Fe-zYaf`13sJ9{Q9*&HV!U5d;Zp5 z?BJI86+gYPf_OJyJ3ADB%Li`VSib??dYRS_eqU5x`19SnuBEG+ZucHJ(p)`PyZBtR gy1sR||ID{?|KgK7$uHLJdhk*5%A41Yoq^u|2Q;q9;s5{u literal 1304 zcmZ9~Td3Ov00v+mj&l}7aAP_|%y23*o|87WrZ}g$wN0Dm(j-lq;V?;aX_}^&v?ocu zAvpHnU>qOzFxgc&LxiD-B7%qMeAqyT&dF4ep)hq&ZfWHB^FRlhiVyyXp=*hDMJY@YLC=LA7!2 zrU2T?G;`5g^eI(iT)`k(3=ct53}5w3K@==Z!z_f!SyGb=#5~OUMA{EnM4rM8YC^%3 zHMP47QXiWjM2{D`HRq6w-^^}y8~0b2$1sKiZb~~y3Xt=fEzL(AIEx20m=?UEtIv8a z!&<&A(lrZ(GZ8~|wH*o7!YC#%2+TOL>1s(-8iL$HF1DyzkjyeVF6MO5@_2hfPwM}- zaGHmtO$%e~i4`;(GgJ*L7^out0uTEOhL212OfhvNtth#dYx7cEC}Q|fOK{(m$qpUj z60gmS#VlnO4p}9d`V4GH6J_dD)pBv`iX6=LG8rI2T++*>-lW<9L$d|t!hq6ABR9Hb z4k3A2B+`~abpzaB3%pE*P8`uHA4^S+H4`S02BW4cXtE{si%&6R&4kT@>)`0qL z*9XYSICk9}$LAfg9@S`2ZNNdV)hs1*Dj84|8i*EEK`~Gn6`GB?qBJ}qh4HbcMghsK z675m~P2{eXkRe-lUAk{2#^&-{wVDtpwG@!;mK?gmlp=IOg)6AgWZ4-`m6R+JZLZjC zsxS%K1}3)Af08$&3LAl{xCG#95_S)1kj zlt^^AW9Es<`hKrgiPNnb78oN(2I4TyBfHyn=&~Xheh2pOmZyk|Zh#OOX=RhloK{Cw z!%~TY*Fc#L%=2Y0l`9K!8al0nk;fv68IC?7=z;IclR-U@2AkUQ^5*?VI@hNm#McZ{ zid+&huvEcgw!M%7IAK{qy6%d~Iz#dT#@IfB$;#{M*V~zpech{O~ey{fW-) za~Gcf=J@*lI`e(`@a56xSMcG@!@-H~KG=KzGY|f_R;R(&V%sJisrE_LsxcZt%;Gr*}MC&l~BrCUEQ9qcj+{ri=lE+(&AGxV!3 cw>=j8as34IfOOP8_3!-L;qANc=7?YZ11V&^EC2ui diff --git a/secrets/apprentix/root.age b/secrets/apprentix/root.age index 3a7bb07..bbffde0 100644 --- a/secrets/apprentix/root.age +++ b/secrets/apprentix/root.age 
@@ -1,19 +1,20 @@ age-encryption.org/v1 --> ssh-ed25519 cZNEGg cCqVXLLrHvanTMqXfxGd0gjoMj51K9T8B8fJkQiUE3o -N8bANPITpOunRC0fLfqNLyfpd17xKduK9EtZPMaROpM --> piv-p256 ewCc3w AxxJaGKhvBGfTAW6NMc0cIT7A66PGugB/OeM7wU/9Inw -Sg/yKPotg9CDeBGYkG3Pgz0RBJoz2Q7NRZCDzslR8Hs --> piv-p256 6CL/Pw AzPWMMEuvSCThR+2/4nbYU6iMJhQXhxPuUwtf3P0TCLY -oEdhbI58aZd8ZinNiYBBgNzmWnowNBsxEQkSUOfU8gQ --> ssh-ed25519 I2EdxQ 0RgVUxgyBpzBlc5UeLkDGo7VZUy6mPQFkxAw1Z6Rbm8 -lTk0OiozJ/0XrAnHkIVDC8939mtfla2iNPJLbvc10Lk --> ssh-ed25519 J/iReg 0AxRISUbavlAC3HMApLzemQds2KbIqB2F0pj2unyFxo -iwJy44Hkk+Hjj9lN7BeNgv4eINkrKMUT3lrP1s42yR0 --> ssh-ed25519 GNhSGw UjDNEUVLKgktYlvP1jM9Lt03J68NCS5J14ZzcbfBwD4 -2KxidMac4QtQlOC9npD1jhIs13AjUcRcY7R5jGzlbck --> ssh-ed25519 eXMAtA BTDHGZ+pCtn+0g4Sqjw22QjqkTbypABDcp+SdsZkcUM -YPGwUfBFogZfFwcsVfTEI5ctJ6N6ugL01sVLyVLbaxA --> ssh-ed25519 5hXocQ ZE1YjMEagjDGHpXnSRGxgkghVqvpHsMs2Mcvx/s5yi8 -G1P4PFbANHdZBuyDuJPkjHcrxyzefOB3MbvUOGyDpUw ---- DALPeLry56OdM4CXWsbdJIyWxywt6RmbCqM7HoCpCeg -$3֒ڠ<,!hj0юdJC^^Qr lB.U \U \ No newline at end of file +-> ssh-ed25519 cZNEGg OHQQ5F1ma1AbIoenKk2UoLnqWzRnScWz4sYR4/eIdVg +p3ANTawps0YNyVnvIexifpr8G2oZbby/zdUvzbA6hbM +-> piv-p256 ewCc3w Ajz3z77IwyebPTpBlX/cBN0kkdrfOjfQlWjxz7fxowe5 +4iE3zShV+rNitucgX2DJ99Yi5M1Gp8rbijg3MsRT5Bk +-> piv-p256 6CL/Pw A/JiEgls6VdU+goIrYfZkggfFhRqp/e0UjKmcVEfzTjA +QFHMbZ9da9CFL30YL90UUqp86P9heVNBraCa+m7DZoc +-> ssh-ed25519 I2EdxQ Ke2y227B+sYi6/5/O4os37DMPOGM1ATkWKYpLCpXvQY +VIhp5uKGHYE2mhv1xTMfOvxWbhYpC3eE82gkkHHDXt4 +-> ssh-ed25519 J/iReg vKbLENYkRIc9FupC77Y3Gs7Rj72O5zL/pyS/vP80Pzg +4ClQjVWogZsAj6Fng36FSTh9XjbZ4AleNVMP6F/fS60 +-> ssh-ed25519 GNhSGw YcQXzvHjZ9qco8LbMdwo6geUHgPWOm2gh8nDhbbFd3M +YD3YtJFORFg7ls98RPczL8k+Knfxm19wUiYgTTcUb4s +-> ssh-ed25519 eXMAtA pKQUDlA6tgllual2auq4Dmzk9YexP1zfY6v/zioVaCg ++kaRb19L47MItVwx8duaV2prNeGkN6HDEYNOmStsz+w +-> ssh-ed25519 5hXocQ 3KlHl5yNXS6+aiCGAHaO3+LUzi8fjSYQjkFM8tyWyTQ +qmwIPkMOwTpLoihBtKBLuACthnw4M76RreZCqdp0DkU +--- kl9NXKn0+sIA5/41/P0WBG/uajpGNPEz+hPSoJMolxY + 
+ai&%:GԪAOdwϣkVZ@sb6Ҙpa?v4K5)t \ No newline at end of file diff --git a/secrets/common/root.age b/secrets/common/root.age index f657bcd..8625a46 100644 --- a/secrets/common/root.age +++ b/secrets/common/root.age 
@@ -1,33 +1,36 @@ age-encryption.org/v1 --> ssh-ed25519 2k5NOg PuyFIx++EQB6LhrKUTSwRI/rDKZWWg2gkVRGMVQrhEA -aYydV+Ph/RL7IeXZEE8S+1WXMJ0AacJ6+MbBtomWqhM --> ssh-ed25519 iTd7eA XlEYPySuo/PKgd1zeUy6/HOnnKDkKyJRhtT1ospAmQY -HzDt1YiYtrcquCWeYlOsYr3YhhG8MJ9TljVBLRBNPQY --> ssh-ed25519 h5sWQA 5KifKrJwYVwQe1hW6o1BjpOAXyrTCaycrjgLyKSygCc -wSLtBJSiC0cr4BrAL8i9RRhZA8ZC37LtfrLA9cKzbVs --> ssh-ed25519 /Gpyew Oq06K4RjI9izhx2PPPSRcf05k+WgVRBF4oA6YCJfMAg -jqtPBWyf9vZYnunQUi3a/ZGAP/2fx/KN/VqeZujUxog --> ssh-ed25519 hTlmJA rduNY50g6IZgpYRmSS9GJqV8RPefRT4RBSBRYYOL0BI -WtKzp5BxjRPKypMT0CeXXRD8IygLjMbB0bMM82T0E2Y --> ssh-ed25519 LAIH1A HO86dJfWvGiCV5AjSpoZMpM1tWfr8tnwkvhC3lsb2xM -Y0tr2ySsHGNfSCQYFHZaJAeV2YS1XvxmOpFK22h8asE --> ssh-ed25519 qeMkwQ R5CijMftsKNSClF871ggg7PcTTRRY+L0zmPv7AP6Unk -hiTKMCFrJVUhSbEGrGGMvCgG04FsBGbVyZRdOqp4TXU --> ssh-ed25519 TqxOLw IM8fkgZv+B5eTYZwpckuABGUiOXyPPAopnj5BBSx6Dw -HkxbM4AjhZ1KIaY6ugCztiGj29xQTL4kh+OnPyO5fSU --> piv-p256 ewCc3w AgsDHsiNo69oTayVXasrpZK2Tjas294WpHbviaRDkfHd -1VV6e3FnC/r7u/gSNxuGgQ07saJA8lj4hVPqYIDfXHY --> piv-p256 6CL/Pw Avyn7WzCr2reAVPhVYPCNZ8LxAIVVIR2vl/u/OV4WKtI -OkSywpxyrvsvyzTXC7T8ZD9kMuDPKk356RPrKcPZ4g4 --> ssh-ed25519 I2EdxQ W3xXfPf3VlRhaNYKHBbopWxM1f2SPba/Caq9LrLwuBI -Y41/A9/vLKjUmlzXnNdBETqiruSJjSRQyQ+0nPkAnCo --> ssh-ed25519 J/iReg moouU1scj2ordop9DERldP8mo3M1vbtfwfkerY3KQgM -oW1tff00Uxg85NvdgZqZvvSV4n/1neyQvvFMPxG1MNs --> ssh-ed25519 GNhSGw kt24V7gegcXxhb+3WJYftAXCUYuOolI/n9m6OdjtS2s -AyhmFPQKcyTnSGALlQ9nB5oI1KJGlN7lqurksAAq/Fo --> ssh-ed25519 eXMAtA wZ9ta9ezsprCH849EELDY9IJmHwpjqUE8+S4H1X1Ci8 -CLgkU1aQVZgVcKYMJk/8M7uXS+zieCM64nsZadkO6/M --> ssh-ed25519 5hXocQ P3a5x4r7WhfBCpV7b2gi0d6hIcLbvefsCJu/YBpdmzY -6+RfKKdK00zY7aXbmNAeSruoaMA08Mptl7+P1jyn0UU ---- 01givh+zY0K5WX5OuosHbZ2V1cnutJfx1BBQOT+LHKg -9{9\7oy3!yra|*cUO96ϑ am&]$?.c How \ No newline at end of file +-> ssh-ed25519 2k5NOg HOeKe2eK/aS5I03IhDzGxNmTYjsl3voLEZzo1Eo6tU4 +5kDl8YdkXlldYxDAA9d7ZY7U7dDXK90gGlC0rZbKssM +-> ssh-ed25519 iTd7eA 
4b9kmbrtMR0wqxGPp+zSinQkBrrpphUqDPU8znOKGgo +OLhmXA+tWFeIXvjHFPHxcqT4kI3u4ZjCkqQnh9jjl7U +-> ssh-ed25519 h5sWQA 0CdrNIrGvOV5MbbruvofVYSSvvFZTo2NKIe5ObGskRU +NV8yW4h53LbM4z7h65gX6gjZvSzrMES88+TigkNYsjI +-> ssh-ed25519 /Gpyew rzL9LqVqxaBtHpXV/J4waJtYKXMfYENvmPTOT71bxk0 ++BvI574uhXeYggaCsCdk41ngl9SmDDMEkIM6Y9gzVXc +-> ssh-ed25519 FtI9pg 8qEeHhQb1Si9kAxbeHOj2S5cAOxRKIxFI0CDBhRzLwc +Zm+ecEMJf+KybsIPZPhwm4IM1cyb3mu8OeuRebqecdA +-> ssh-ed25519 hTlmJA lumh1xqYQtE9dgi1IWy86u6BURcR+o2skd1Qv5VJYTg +58HTMO2z80oGNdAJbP5+8IBiHPyux6rZGd50jfG1xp4 +-> ssh-ed25519 LAIH1A hEZ2oJzLTpZjzKHohaTjjv7a2eZXa8sRioUY5doWVFo +63wnlO8v8zf25z+Thu7b/SbJxHcb9YXkhFlxAscgl9o +-> ssh-ed25519 qeMkwQ d7iWnCnWqlI4zahgvjgqsihXoyivln/FOCQqnYCwoyw +H0a0zCTE1cW5oW+aTJrtBnVGJLxsfjmGB3r9FyWl3UA +-> ssh-ed25519 TqxOLw ctsxZCLOpeALmB98dzyiEq2ZUOxAvxHUKSR7qbzTjwA +apaDGw8eBs0BNPoi0qC7FR2Otqr7m3vby2M7F3cbHbo +-> piv-p256 ewCc3w A8b7dyXfbD02u9w3dR6O5zI38vk5ugVqLDCENdcQfY/d +OETvwkXXQZWUeOiqpOn5IZ4c+EOAaZFFehWY9vGqCd0 +-> piv-p256 6CL/Pw AyHxDyxvA9gv4d5be5yXnGGavgeHITRV1x1gNiY5z/cz +zcXakgy9Hr1R3eXrgYI1t8RozOjlAdUh/lXS6siL/MI +-> ssh-ed25519 I2EdxQ hXSBASbQg06854UxXOGnTJBRMXiehol3KjIG+LU35wM +cUsysgvO/y3Kd/iDvkUPyHkiFS+J6gDKMMIXSi2Yr60 +-> ssh-ed25519 J/iReg z/L3B+/EL7fW2t3MFGDLn6+2YzxhQqitFabi7GVjsX8 +nHyC+TpPKb3Iqm+YKXt5otuO785f1T7E49hWCt6zOSE +-> ssh-ed25519 GNhSGw VDYQnBCfmDZbirQRkv/miOU31TYZafRxckltnbGdGi0 +j7reZzDf3SJTzN1q8xZY+LMdTncli/5ia9aBi8yt4Zk +-> ssh-ed25519 eXMAtA viKyTQHsrPGy0MLicGAR/CzOavCyTgsV5KNnydNRDDE +m68TXreCwUQnhWbBqxAZ0ujYcn4kXKmNb89/2+0OAuQ +-> ssh-ed25519 5hXocQ tHX/UfzefaF0YPdIUja4weKyEWv0LWIFaAnpLODMbDE +0ium7CQZBqQfH0s90ArJ+3FEp6EARZSqcet365TLyI0 +--- PUvC1MJkkbgfTeLAx3F6vSb3WzBmUX+QtR0on6Svvck +}sޭR*dv +u8aBc%*+<:&ڠjD^/~qͪ(F=g$ \ No newline at end of file diff --git a/secrets/neo/appservice_irc_db_env.age b/secrets/neo/appservice_irc_db_env.age index fbac516..45a9099 100644 --- a/secrets/neo/appservice_irc_db_env.age +++ b/secrets/neo/appservice_irc_db_env.age 
@@ -1,21 +1,21 @@ age-encryption.org/v1 --> ssh-ed25519 /Gpyew oiueq/kpy8n/iSGh8nnCvMXn1ArLdp0B8Sr/zc+dPQc -3CCpb3SY5sKYl9KDTXbAgeDSonPc0m0BwFLJWLxxGlI --> piv-p256 ewCc3w A4hnsq85ya4+SeJCh7hmpRHt1B73xNS9nV3CW/x/1beo -dAQIsw7vVN+Kv3vKEHCz85ImKV5AuG3F0IywtA8t8DQ --> piv-p256 6CL/Pw An3unvmk/EQjUBkA3Hn8FDXfB367jlHJ4qMCUYC0Egmw -1g2cQlMsguOYyiXPO/9frbqiHSQzGhaOrneBoxP0OM0 --> ssh-ed25519 I2EdxQ jJ/4pnzjGwwkYblptHKt8AsIVea26pVd5XpqqoPrjzQ -wa5pTx6WF74ChTRE0h0mrGf+agjZ/PbXjgmmIQ5WryQ --> ssh-ed25519 J/iReg baeZG/Rtj6WcnE56gZJQUMXatdbYUkKwWM0xN521XHM -joEmhBM5kRXmfE4bH/N5ioBat4pYNUXstaTI/ZZfjtg --> ssh-ed25519 GNhSGw CU2QnFssTK5ItonbVCFzvP4DiAIlnzZNxCF8rzGJpnM -Ri35ECruZlUR8qgMIzoTeuDW1IQD2ch3n5zEucBMBes --> ssh-ed25519 eXMAtA 1uJa+lgJHfpfA5LktUo2DFA/3kzJa8vVjaO3qmxwp3I -JSmjw/9iF4QVdyE1OZ9EY9R8gVXUF576G2uKQxMNdok --> ssh-ed25519 5hXocQ u8iHMYgWQfJn41y+AK+W5CAGL5uotgKlO3GezLb7egc -UdusHwDzpFsxfD9ZSslU+izrO4jCEHmMWzUAkZ51ruU ---- rxz0SqY76mfGmCS3oPJnKOlpmiIMu4LWnTZvlnglsZE -B\M -c"B`qw$塀a@MtS>7fmwqSp ]?(~.l:@M0ܙc^ə.k -N{֝^f5il xȢC;'J= f]eXM3},6Ǒ\ւ.شUJm \ No newline at end of file +-> ssh-ed25519 /Gpyew YVx7IZ+WDpGomt0tU3+KysRGtOidN460zNNLuT61HkA +ELYa1OqUFYqOqMrEyQIfUUWXWhYqCy0s9/SmOVFUvFA +-> piv-p256 ewCc3w AjjDfaGF/im0hTAtKcNCzEUi8hM0VJj05y1KA7Fsz+d1 +Tur19NeaxPBbPEN+6zAnOFvdGuQVC1VkbmHlfikHT0I +-> piv-p256 6CL/Pw A2dW6q45SBlXUKA5vTDDsXU4ZOSaAV2htfyMJcWTUpoO +h5yO5/9QNEOB872c2SdSbUZ7vRmYS1HTfqKJgZRwP8Q +-> ssh-ed25519 I2EdxQ toLPTW6TrKZx1K5y1mN3gODSFpVfT4KU31v5XjJOQ2s +Do/p+oK4axHDjSfTVWtcdZRQFt2OPps0n9cA4Tp6lBo +-> ssh-ed25519 J/iReg a4su4Gi/kohEXVXMZszlCWEQlkHNmLOH1t1P0Ssuqlc +03enelm16WI1AP4vAJbieDNGwFQSw52WeZ+isQhWQ8E +-> ssh-ed25519 GNhSGw 22EAbCwSIY3SirGolGVRzvRSE164PFD+MOnr0aJSqVQ +YMeQhP95Bi/e7oNri11/W86b0ALkSyuFJ+hptOUy61g +-> ssh-ed25519 eXMAtA sWsPopzbV8Ls82wmBwbnV5hCAlznq4TWO2paWn2RnRw +eDlZQr1F3FtuXDqc84vD3QUZzYNAsJe3L4Abw9Oqxnk +-> ssh-ed25519 5hXocQ u7/+FfeY9SwM1wuqeOHgsYpq/g/o10+8Q8AA5ODBWRk +mA1+vo/7nM3GyrL5UtdyOwpTHdVcZQ8mtVX6xuk9cmA +--- 
/cchAACEC4BclR+km+6nZZjLkIteeIG8kt974NLjwlw +IFb)HӂDH2Co c(xXgPiVG+!H5Yn4jIfJdMK5GՔף7_!oFlcݓ/UNsmMӱ|o3 +E@ +,2?J{?7M|S ѷVWӔ| 7l~2ı/lP \ No newline at end of file diff --git a/secrets/neo/coturn_auth_secret.age b/secrets/neo/coturn_auth_secret.age index 7cd94c5..96b8f11 100644 --- a/secrets/neo/coturn_auth_secret.age +++ b/secrets/neo/coturn_auth_secret.age 
@@ -1,20 +1,20 @@ age-encryption.org/v1 --> ssh-ed25519 /Gpyew t5XHS5ci2UuJYr7c10Msr+zfBfWTjGClnYkM565wPUA -hcjj+WPvjOp+PdJKHnb9AwYE8NAfudr1b/MC0m41OEk --> piv-p256 ewCc3w Au9TM56jPaNaRFs3lZaVH94ZVoeKL93OKocn9Jt6BdEG -svbg1OfmTFBpjak1tgB3CNdoUVG6TkLhAtpMSB8mZPU --> piv-p256 6CL/Pw Arkhx1n2Ko3TMCEgMqy1/2KK3iYI1Sd+PCnKyvmlnqX2 -kMaFudKtU4B5VlpIpfDHpHvmHyyPJJBWSQQ6JWTJc2A --> ssh-ed25519 I2EdxQ 8RnUMwOXPN8AwfJVBhIqXiR58gWC6I2PZh4pYYEFv0o -8PjYugyCgXuGBiAjlLcbCEvJUomw1RNLVHaysIt8PIM --> ssh-ed25519 J/iReg 1vSW1OEwB+sORjqwbEazCrH6q8x/KPtLtGzBUlpmJT4 -LY9HSBHJxOz1UU96Mf5Toht24D/MG09OyY/hR3Wdr2s --> ssh-ed25519 GNhSGw Y8+cu7OdM+TY6qcrDjGA+sEe3ji1ICSan/bmRmVTCyc -lhMcdwMAWepMUiij28MBryKYTfulsPnZHdWW0X+DX1w --> ssh-ed25519 eXMAtA pytExWidCIuxny3RWUxJ5vsyd3LUZ4m/tSbk51AvqUE -jWA9YWl830bJBfQK5yxXksUjc4p2S2j5Tnk/6FN3npM --> ssh-ed25519 5hXocQ RBGSM/Fxgf+MlWZWT1BFfAx1Ec8Qmj8WBb+6lo/ECh0 -PRMInIp2K3oSR/qKQGCYW2joLC/Tubukt0BGQRya43M ---- g1gGX8nZGHSNA7e2vZMnoI+b/pyMUvCTvcxk1RAtixU -KyPW/[mרL;5b҄rxѠ37ByRH)6VՕ@uA#s X,''~"TaК $[+z,W,) -J(2oʍ( ( _ \ No newline at end of file +-> ssh-ed25519 /Gpyew Et49nDjhbRkh06DFrGovieoWR5iNzBi1l7pTyD3j1jY +57vJaVyfHjtG2XAs+hE2LI/WbJzlE295CA49L9KjxWM +-> piv-p256 ewCc3w AoBV+dmdrW0Ow1h+ZkAXgY5MKwWiA9BXgXxIM5EMlyt8 +I55I5toyuydCL27xhLJWpqqj3ECc1meMI1Z850RZscU +-> piv-p256 6CL/Pw ApATHIfJbEKDjvo29B+7epLKoCd+gK80DrMjEyvdRArC +lzavhdArQYw0V/Z3qwppLqZR1OygpEg6JiCC4Q86W5s +-> ssh-ed25519 I2EdxQ /4eydVpTt7bBvW8FjSi/U3t1e2FAW+3JWIQ4uqxHTzA +jRHXSUf0w21NGSn0wtsh9qV2hRBxJ8NZ7dN0Ij9rtyQ +-> ssh-ed25519 J/iReg uIGoGuISQidI8jNgboWz1wFj+VFa7e1upAaRcghR3Fc +EvN8pLc7U2joOc5F3GF5bGZWjcZSe/RblJQjliRQ4l4 +-> ssh-ed25519 GNhSGw OcpDZOf1yyh1OGD5j2wF0DwOBux5W1SZBoXMKz8SKxk +HU/Tz0ptYe/nPubvX1oYUfmLy164Lem3GH/wU7GOY4w +-> ssh-ed25519 eXMAtA DQ481pQu0Oqz/2qXP8Od5X1xuCs7g7gfvebin1cXgC0 +yk1NFtpKdmPtI8rHu3daA606BN8bmY4cDrD7bXxd9K0 +-> ssh-ed25519 5hXocQ Uo5QaTldrw0/OwFD+dIo5rdXn9lUEy2fFkF0w7Tiems +c2RuQp7XU9G9Po4LW8wVExSVplduaETuBXbEQVPP9DM +--- 
vUHoNFNtL4s9rARCH6fWB3bi7AvFKD4co7pELtgOodo +-+Vk.?Eag?M /THju1W%d6ΧۢFU?'Jx.Z!`c> {IhjOG~?n|LL +292_MUY>8 \ No newline at end of file diff --git a/secrets/neo/database_extra_config.age b/secrets/neo/database_extra_config.age index 4020570..99f843c 100644 --- a/secrets/neo/database_extra_config.age +++ b/secrets/neo/database_extra_config.age 
@@ -1,19 +1,22 @@ age-encryption.org/v1 --> ssh-ed25519 /Gpyew oxBHCp6QJujtsbQ0mq/lchD90bEJRwohyMS1akfEGSE -IF3f5/GxL//DemY/O0+e3iTC5VE2vPrZrH/2CIrF0ew --> piv-p256 ewCc3w A4bJWfr7AlIf89oYFuNks5McrpMQM/YIADk0DoeD7FIA -hujKEtMBz2MEkS5T3ypC/fOTlzWbjYF8zAcG2EzbukE --> piv-p256 6CL/Pw Azqunte44cdOj3HgtD/Pgg1uZqWODcmVLu85XRDM4Ijb -Tf4dLs3kt0wnrJG0hhkKr98BBZCAf3rPPDyaLksyA+s --> ssh-ed25519 I2EdxQ 1oKhXHxyvZRwNjw3rnMlTjedyVn40vk7kPmiPW9DWBU -4E0gp0cLoMaIwjQEr822IjUaGvsD9zbklccCFwt+HKo --> ssh-ed25519 J/iReg 0ck9TM5+jDBuO4BGPUzi/JK1Y5jVBssbjFY1OoxWWT4 -qBwniH3wOVax1nFbeth35T1JafWiq+LOJUVSYn8LOHM --> ssh-ed25519 GNhSGw BpFqKSWy1Sv1qPXVbzgRYt8gZvHMWszgJSEVmvrdzHg -t6UHkos576QleEI+zGPc2uZYb7yhi0UR94uSHP08LWI --> ssh-ed25519 eXMAtA tGmpUaF/J/6l2p575SYqNZR8OvwsGm3USlw92Vpjr1Q -sqJ0/bDnROiXCNRKmdZ8oW49rh45c0haxuLDOPTvSNY --> ssh-ed25519 5hXocQ MWUBp2WmezqFSt/xWDV/Igv1QYXnLOwF64kxIq0D4Uw -8hbFjs9gF2ijdcTcyuwwBzZs6jNPfeduimVMN69cui4 ---- Jyi3nBIpPaQU3uJO55xVsZqRxUxFsZOP9IZ/SOzLNEE -Ih\C{[M<$ɸ;LNL\ a4>݌N j=g胥Z!ZL)q']4NFsE(C;9L͋-{]^T3=~Gh;'G$CFWLi=1t .Qx !GT!VP֨Vc Jo:(l[=N3&os Pn[<t0ȶ=0 \ No newline at end of file +-> ssh-ed25519 /Gpyew NbI/n+xAaQRV6MS9Sv5lHfyqdteNNxcoSrauzBTpsz0 +zSE0oCQxOTwJNjzJMTsFA35H3i47vZ+FWQq0Kl2ufEM +-> piv-p256 ewCc3w A/VvQgYtbSbKx348z/YQ4pQexRMhMrb5JN8IJX5vAU7Y +Dakc6n+1rHOV3XJ61MW8HL298QTHXLXu0ry3mU6haEw +-> piv-p256 6CL/Pw AgvURHpzFjr3GxK8xY351vrwoGjVeR8VlvDk0GJGyA77 +NeUkSxeKUpPl0NLlbMuxQfMJsdl72J8JPz5fmDksslI +-> ssh-ed25519 I2EdxQ OucX6UlrN4JU857xV+nuQpJmvoG2Thnh6D1Cdc0CJys +I1Y3MUm4DfPgka7jrLnE/+13fIswc3mtCgnUGt0E6zg +-> ssh-ed25519 J/iReg j0QA0+/9jRgquXz8Dyux8Ho/aOqQ1YjYI6KQnVBtkhA +nSRI0W+0Mwp4R42JLvlxcadkj3JgNQQPDO/fazmgPvA +-> ssh-ed25519 GNhSGw BLvqTbJp29my+kM6zBtg/1d1t4KJCyUiyYAwwSIreVw +OI5YS2lLx1I0RMZ75wA+SWnggMLbwYC7dNmvZ/QXmXw +-> ssh-ed25519 eXMAtA dyaexe9MPyqeYyJ5Prreumimia7HYxuh7OPrQQqWgng +xdfqlMoRWG2b7HStlR8JxfJAikHbvoYqxwBgi3cNZxg +-> ssh-ed25519 5hXocQ bcEBZBfqQW/KxxJaYuz7R2kdgcC1AwXwNKdb+jkgOCQ 
+8J8p3D2uVY8LiKR3YyC4MJWfPGb7cqo8PYlohu5vo9M +--- ihUS4YDedVmTb+Bo88A3iLJpPnCYn6lsb0q1Kje2tQI +oJ6F +.]TMԓ**1va]FEJHr/(4$m2S3BGVbgiҤJ8P +pab/زP=z5f p_}F +u4IO~_tڙ"f< BwW[cmu\jw_5a'E9˒0ڦ$q92ӛ, \ No newline at end of file diff --git a/secrets/neo/ldap_synapse_password.age b/secrets/neo/ldap_synapse_password.age index 2fa3389..37e045c 100644 --- a/secrets/neo/ldap_synapse_password.age +++ b/secrets/neo/ldap_synapse_password.age 
@@ -1,19 +1,20 @@ age-encryption.org/v1 --> ssh-ed25519 /Gpyew iB1+WuE82Roy418PVGF4Lngw732xXosKuNtJL6U1T0s -6SCVc01vzFrxoBSFMRNXUuWyIu1wdoSsrw/IxSDpqeI --> piv-p256 ewCc3w AxIm6ntONhvwDIoNZv/brzzHkWx/XKuwVHLGJfVHdjp5 -POhBnU/wKo3nP0yWdIVUCrTHWh0HmQajERUfH/I5dQY --> piv-p256 6CL/Pw A6sp9SZyOftzPW6pDMB81+j2ZoeJ3AWMkuuIjDtT0O1M -rg6EOjkkjwM9YQaeBzWBha4IO724zzAm40nRNvGm5AI --> ssh-ed25519 I2EdxQ IbOeL910hNemBqTIryxk7LAbdXgMQcH6By5WWENk1GA -cxlM9754AcBv8EUFKSA0D2n7UKer/UyRMCVRP3EwXVg --> ssh-ed25519 J/iReg Pqr06p88CJhWojV6dFeaUqslGNKMQ8KFZnrF76ncsDw -ALQVuk+qrdu5oI2/nhV653aSZrl8IOb6IBncYt0o1uA --> ssh-ed25519 GNhSGw qlTw5ppkSeGo/sEYxpyRPM51xzdyir4wqstoYHd0EHQ -Fh03PWPyuJ+y5UDMZcgOyfxRFhyVzrU9hFBia1opszo --> ssh-ed25519 eXMAtA PEYQX+73hYk20TverGL1sGuwyzIDfSSsR6HpSlWIfh8 -CPr0fJoMgGAE9kDhETUPvd6gZ27GqjOhigcDF9K1Vj8 --> ssh-ed25519 5hXocQ KQleGmCMGB9i9o8SJPKAoYbU6t/UzLeDAdK7gpmG6Fg -YnKFt4hX0ZCbdj37jE3yk+yAZehsX+APwz5E5bqvB/k ---- P+9Jrq3E5YDaybtI3YNnzYQ2UvYJsTmp1jxyZKrQR9s -3 ЪdS$蔌*Zqkʃ ׿8*Oy& \ No newline at end of file +-> ssh-ed25519 /Gpyew +A7G/2a79VScR2EWxRwH48Tsv96JgqSXQJkoWmucH0U +09dv435I9zm7RT6/evgzXcSl1gRpIFPIE74ES5zSqNc +-> piv-p256 ewCc3w AydwzAVvlJQQykcKcrM2BxOicwS7e4ZG+t3Wd+9wyz07 +LQ0bZU1cQkROkEZrZr9PyMEnhCMi0b9+BgcG+PiJvps +-> piv-p256 6CL/Pw At4qtMZGID6EKvwKkGNd7FTWMn+mmmbdeuY7nAjtaPjk +6mHzefuannU0JK50JlLiWHulUFs5iv073LJregUL2Zo +-> ssh-ed25519 I2EdxQ H2MgML+9f4MNf4g/01+/V8n5UNNeEKL67MKaNTAcHWs +LWjC8FdlnDyImdiH+9nkN5g8Q5HLV9tOzzbuGZ7kpi8 +-> ssh-ed25519 J/iReg nAN+oNfJcN6+qrMBApMUUOhiE2TSDT0jCL7OD0zfrkQ +X5zSCWnsPvijGdLsYusg0JdjsFExv2vQguq/Uph3BRE +-> ssh-ed25519 GNhSGw G7OQfDkSwlvqc6ffJqzB7FMTRD9fA0oxT7VjdwMPbms +zdyQ0Xo+IjcW1TDetsijHbo2BhqIopga+bYy+3b6+0U +-> ssh-ed25519 eXMAtA hQQVOPa8pw1xieN09bTBDVol3PsgiqH4/Z0Rk037tQw +DjRJWFH+xtXPdXwb6bF1zHilcA4t65ZORGUKYWXX7yY +-> ssh-ed25519 5hXocQ slJCm8Hrse5zVlMc6kTOPcVuHpisFTjXfob/DAAgjDU +pebRHNQ1cUKkT7W3hl3x+Cf9Dc+YhHKgEsXXBRHrq3Q +--- EHUlBeA6vMSKMbct09Ouxn2EhqaG0AB/cMr4HEEFO9M +ĬV$# ' +["#ue&E8HyU;-4f$ \ 
No newline at end of file 
diff --git a/secrets/neo/note_oidc_extra_config.age b/secrets/neo/note_oidc_extra_config.age index 3491106dec9e7a2c9e805b367b43aeac565943b4..492f4c0cab58a6a1296a5de64d08bff8d2ff4b17 100644 GIT binary patch literal 1555 zcmZXS`)?Bk0DzV8N@c?dvN2v|5EwS4y|&kDC7bkdeO%Xe-Sv9cZWyk2x3;@Ju4}K? zR*^+bfGxn54Uhms7*4?OFyS#^I8a_ACIl1W0MWsQpuom!pdujplj2|S<@@rH0Y=J1 zsk#i848@}JV|4*p3J^)l#EC>u%FqfB1hitAnaePOSPyGZr;j8Ai^LcUJ0cK~c2R;Y z5R2(EiCP(pCjhr!Km%r65QXBf!lhJEDQz@ql3-{CRoF2Z5rQkz`mi>Rb0k-%=TWC6 z=>40N zi${(T6lIgsVIu+mrvaso<9u>$Ex~h0g!ZX;&QKQ$yi7x6p-Lto zwg@U6PDFy`F15lYM-;VmS{LyXW+&%O`Qj8>X^Vzql-i;)3ZgU|F}NulGBaw5g!Og- zaicX*O5mO0nmUa?9ZonQQqK7C^#9z$|3d+-2D^Ul<{c+NmNvG6qBxyrDH3}PP_bJ`5po9K7 z!MkP_KpSU6*g#Ck{3AAY!#7Q(nGUOGLhnf6r(nSUJ^=s18iDr!zfRAHiFe4 z6<{(O_Pr=6m5MV4olb!pJRAbjZdhg@XMFxA>=_kD(mQI{rIsoe4>w5O>j7#m` zY*Gr$?OgmuuA(~k^EV{)%CC-GSsNBnC?e}%9i?8Oj zwf=a5ZKa!=BprA*uYT9I39q!YKd#M*ANm?G%o?}F2WyV6e0%nu_1jvk(h(Au z^k{2GeB;ee&qDB|+noy+_wHp%Tlg|t_k+o%e#Uil==sMtSIwREFi{Y`zvRiu&FsGM z2jQmAM&t3qx}oz`b9P9F`|WYIg1akT5xyKl=|lFx!>O@>HiWj zO&r^4$nTr?OWU~jFBBD?8Z~vMW{r6Eq_R?AY-UUT;ruU%^-Bj0w|36wb`{?}Gw)0n zH*!?{M`%Z7?zOgVqwaLi&vOb7WS3qp&dq5auya$i$FI#B=-|2Cu7MWgYq*l`TWh|) zyZbkm`vEUGckWgr{OZ$3BMxx0Z*)o)h#H<2N~ne2k;*>0>f)6Z6{~ysg5Fb4*A36X zng*ASp)cq3sR#R3)gQbjdNXfFNkcx)z_NF*klScoNp!QQ>FP9TiGA$Jv;74-{{n>} BT2BA~ literal 1555 zcmZY7{cjTm90qVf23tWg-ZoyB1_n;**4OJxT#&w8U)Hy4d%d>j7_`0X%Uy51ySCT6 z>O{7{78E8glNUiiq5@6^5@SR_f$*9kpb;2>APAWQ+#p2W5%EXo_YZhJd7ga3al9ID zjIsiqO{N=b(rjGH$wk$3#FAlHed7FxjbVjX3}SR0;&Olfln@p7SXDov&o zwwO?0Gpxsbb?U4YfxF~O=;Q}2Eg-lxhMY0veX`|7QLklrY3q)AE< z>3=mk$yL(|KrP1e#;7tc)@Q<(7ozub*h?IJ95*OmceI!m8VN}3G z3@im{lS!fX`$)S=6DVkKBj-U_ATP-L5i_5NIn;HUfHvxI{>M@q9a89p#j1>9EoL4a>r~S0c-}^d?x7*Xj&NAZ5ey z4nLq$CuAZ8;a1{Az@Y(?ZUAwlq%x$@tWqI{M953&^@75O#{jPzPYd8+txlTs;&Cw^ z_9H&n993wHR;Lb0f}qCBIy|H-Cyz)CtT_W%3nYZ`6cQEL>~T2d;*wg@30VDgkSebX zLJ7n~gp3AF2H|xMkk?@fr_$mdtXW(MpCvEOg90dbfd#uARNzrlD97>{Kxz`Tq7-;#LH zsn6=gDK?zQajA%qb=9#9#^EwwGN;G6D5eB6q+6m9ge*kyXpAC7q=Y9jU?CWdAqf=| 
zhk3z}w1qf;k?AOx+W|pF#ubt{vn;M3+zm(s(@~F@a0?a}msWCNIZS(OjdqBP^YMTK z4rC=BFin7z4YH{j5Y&SrH7(DiIBVR6`X~dVaIjK!5GB-hT{01tSPU_%$-{bOVH=CS z`2Ol@aRDU_Iwl(7;(0EnB}jD~m1A*)fKf_`rF}p!nSjDhfwEw65mnQ*^~#J(s^cRj zO+Q)HH8NbgGc|l>-++0Vuqv`teR^EU!s~}SezL3?qE7t$Ud}0}x zwI4V&?P_~*)o~;}>H&DlMd zJ|6yNIXL*d3a8|rT>Dp?E0(2B2oxjQ2x^Mr{lYi2KmzM6MdQubmY{I zp3))uzbkthn|b%r1F}1By%H7D=C@;>VZ$f?K*jLS_z`MjSb|{O5yXI_G@l`Ms;W){-8n zE7{#Su55gbsq>ziJ^S6J%f)kQSFb%fQ0x8hd_CP-8hEhzi|1wLsxwQ_p{tdB{NCLU y!0q=2ioTiEP&s?sl_z)6HS-UzTkJ1YZ{2hUC#>HR-qW|6OGYd>Q<3@e4dp*Kep12! diff --git a/secrets/periodique/.gitkeep b/secrets/periodique/.gitkeep new file mode 100644 index 0000000..e69de29 
diff --git a/secrets/restic/apprentix/base-password.age b/secrets/restic/apprentix/base-password.age index 630b63e39122854d5aa622dbb9bee7cf8e1b5d3d..9bb9b5824e9637353ae23373897d10e338dd653e 100644 GIT binary patch literal 1235 zcmZ9~`LELi00(e?GBOfa^m9 z&d}&juk5>8a-5DOCgYx`C)7>`g3^V!BGDyWi$f7tpj}n(G7RVS@v;jK2uqP9pp1D@ zjta#PZg+dS38S@GT4h@8h6)M2fDWrJZWe1464XW}BektA40WWs3uD=mQmy@?ImS5Q zWT0GJ^)V&u#}Oxpf}&R-_>@9Xx&~4*J{2$#kcS|hMFzz#V{|B3FAYXPtWak=6mo; z>ZHP#2fEY@hjMCM5&MWALvu9(Vh5=yPZ@|FsL>+;#+zQf48#3Fw%(|Fq+Bwa03f91 zYmhGV6*eAb?4hXQW`${*a+o99u)twp4+kU)Eq20y5^~_MN;QWF8&gESMfb^CCXl$S znv%yQusdb*7MRWRXp2_-s#((tO}5_mVu?f|Znv#gzHH}#(9lr}P*O zX78!ZJKnf=N%ylq7QS@$hBxP4-cDCeK6}XI7Cn0N={@JtmmZ;io%-N#@%^c>`{Rw+ zB}FdJEWLlE`aPOXNYp51J`R!YG9$z5gGuRjIzRw^0?$(p~753*%`H5%7 zo0cD2|NGW+{B5HxTV9WzlqT<9ZM?nl<14|TC-PgDzQ}Iij-2YRpIiCV%<*@a6kvXC}TT?%J>Yu;@Isc-QP5x4#0LOAVXKFFa+ zcH8b|SWqM)6dF-sNI!`3U=Th)518&w6sA07h9B2lDAQMvAdhMio92K(;fWd>=)41!hobmD3n4jBxMy{YuEgbSSm*T-;fWf^ zi~58_ikQ(F2mN9QOXZ<%Q#MK$5?~pNbB7FZ7A;YytO=*oIL^;TW6;N&ylems z7V?dyFR~ET9E-_J3v2N_)E_Wr&*)+!3T%y_T-E~^1G9TTu1i*w5j5L@Yf-`Cl{iRw7>`11SR1i^Sqk6|BCOukEot&uw zV27X-fV;Q7ni&B40CXFJu)rq#80Qh$rV9N+RfW2FL2ULdBaQhGmBvU1k0YiIc{Y+~ zqNN&LZp(C(#GIO4g_{^MbUh8A)cR-~i$bA;_ZXKJbfp61dc_$AANPBSEDd3y$TVSw z8WX(e6eUx&9AYNV%VxUXvD;#=Yteo`wD6^xsqy#-Ps$=glT2TLl0%g1I@+(vxa20lwCX{Pt{1D& z1k0&lY?rvQ-NFOfV?8`)G&r+k>tIXj)e@;xDyeIhSj$Kj*wQ14C$g{@`Ejkp&EUP+ zNfmO18h|4v0mw`*aqx(+{9WJ-_{VW)^`mzSUu{?x%zXOHXJ;-itZ+9j-v1M~4cq(j z$-EXfcZwP;`U#F12O`X4TWDZ&mp5DEa`hNP>iJLv{@;aC#-`cW$ zan<3u_mb>)PaS=1>-F6q->z?d{N(1ZpZ#X#E5Cvl7WZ9z^@|_&d@?wqd0r?j>{#~Vi9-kGw;sB* zLOi?a%U$~h`t;0}3mbpGat)OqKK)~TtS_62clpOu>+D+Tqf-|SJn+lg-;&Y`+cFo$ JHRu!P{{}&yymJ5m diff --git a/secrets/restic/apprentix/base-repo.age b/secrets/restic/apprentix/base-repo.age index 14169fa..e01fbf1 100644 --- a/secrets/restic/apprentix/base-repo.age +++ b/secrets/restic/apprentix/base-repo.age 
@@ -1,20 +1,19 @@ age-encryption.org/v1 --> ssh-ed25519 cZNEGg TQEefBOBnvSoZ/Bccwr6tl0RCFwg/L82dGQXSQJoOUs -Y7uomZi8xQNYls5xPgIOZP1Ma11rf0/T9DeWPp/KGN8 --> piv-p256 ewCc3w Ak1yL+6zBpExJqYmFYhxVxVEIXurfZfxa2eFNhHLFbNb -X9ERqgf8MDyY0KCngq/IVlXX67JMg1Uh7S9tDUBd80s --> piv-p256 6CL/Pw AiyC5gaiyPwYJLfiHclfSenLLYulx/T+95PZUStw9ziR -GNNLL2SyzFSvJOwXvgIFaghNjW39F45KgQZr8ee8n1w --> ssh-ed25519 I2EdxQ 0uPmcUi8BlTEgv2WfXvGMsa+/oyp3OIbnUyOkEN0ils -OI8tShR4LwHLHGkLhPfOqD0c5H/eTcaEE7NkMRryQao --> ssh-ed25519 J/iReg 8k1XKoYlC6GXiESgzJ3YXscg+9WyXdGNAqFHZXvF4B0 -uoF0y2XzFg64LGOus9pXmHZR5SlXRBMFh2zcRTbgFhc --> ssh-ed25519 GNhSGw 3SH0Iky19g2IFQjmHNjn2AS7/M0qE2+oWaLla/gT5HU -cRYnX77mUOmewPlp4DBStPcHA1Qvt4Otu6pPud3tG+Y --> ssh-ed25519 eXMAtA YYFIiu0LTke0JUNixFyDUoU73ojzkK4YVcU3IO1Nmlw -cI3P0T/YQjM4rYixXKXCMOQzvdrPepc99ziaj/TpZPI --> ssh-ed25519 5hXocQ iJu2kR9mztUq774/VyCVjFg6tuPxhCqnVUGe0AEZKl4 -eRAeDn4bMEXXa4zl8tHH0N40s7EBjhh+yPT4uk7805M ---- gtKc5W9yiqq5bswJNmnT25fR0Zux886cug365ZwLG1w - ~kқ * gȣG2h-nȡ #v*֡ K9 -aB.$$N83oQ _艟_qd_u煥~{ڠBB~k:|H7G \ No newline at end of file +-> ssh-ed25519 cZNEGg Nlccs0f2Y+tAZuucnNzMSz22dgnFMOd0FyCUJa+33w4 +CZPU1BkxGDvaaB+0D6bX1aC5hbnewGsZlbGMcA8vB9s +-> piv-p256 ewCc3w AotAQEs3SY2TWrLrdHxM+yNFP5tuOlgHoZBjXvxP05Sd +6S6kGPJI2O9zqtdDi8WaNVNBvCpHeRKWHOIOhABk3U8 +-> piv-p256 6CL/Pw A4TXb9Qy/woxDSBTGwnYdPZs0km00wlYfLhoPpqcdS10 +VQ4DPWcWGajvCAGUAzqUESPix4q9h9J395HZ3aJ1j3M +-> ssh-ed25519 I2EdxQ 5WhO2QjJWafz2x2FR2sxnEjO2B55ZcJUYhefOYTBX1s +dm3J6VOocxHUpTCkuP9aXEvc0ZD8q875I7WyHOyEn2c +-> ssh-ed25519 J/iReg aWz3WK2d/Abh3ZQ2gxehf2hB48WEFom6zDAQOIBjJgE +mkRU9jHIPG2oGYVGMcv0qcca+yt2N6vKvjxPUETzCMI +-> ssh-ed25519 GNhSGw 9Bq6Z12us2Ff8eDO8bBL8R/4QeMxgltI/UBTDx9MsCk +MnhroVnSzbA5b3kfnTChrw43Oga9pqFzzFTWMYB/f5U +-> ssh-ed25519 eXMAtA atHAYPq5qXROeIOu30+OcS33GukjaxULkbTlBli4eEE +2kMozM1CVoaN5ua/SevxH4qsuDtDcux+7HRN2aug/X4 +-> ssh-ed25519 5hXocQ K+c4QqO+w3CUCrHe5HVarwHNDD+RknZVTO1Pw5W9RWs +2C4Fxp21Wc9ZDj06B0QLOWzvSAnHdnEMtQtlcraGa68 +--- 
ucbVnMMTZihSbRviwcGbyxwDcUUEnyeJCDj6d4dJVX0 +Axy2~~Ȅ'a#tdy%R*w}iK@uql.*DaUq4 %N+36߂k!.ȃ lXNA_t^QlŹi@ 9d5G) \ No newline at end of file diff --git a/secrets/restic/client_env.age b/secrets/restic/client_env.age index 50dc96f..d05a765 100644 --- a/secrets/restic/client_env.age +++ b/secrets/restic/client_env.age 
@@ -1,33 +1,36 @@ age-encryption.org/v1 --> ssh-ed25519 2k5NOg GTzTB/4oTPX4GgUXebUp2usW6WC03FgeIybP1NOsymE -svPuoccAmLBiQfEl3l6/eH2VKtNXAGYTVCKW8vGnN+0 --> ssh-ed25519 iTd7eA dwEz38xlFx/R9iG9PEW1rEqBmE4IujE/9iLTI+ysnlk -3ymf3XrPE02XkQrV0+vNF4lSvxc8lTbST5SF8gpb9Wg --> ssh-ed25519 h5sWQA /fcAuuCz6gErWLyqHzrEY0zMYQHCzd21ya1wv51Q1g4 -C5VNkPyq+4oN/JL767mvoAAm4a9+nceAyT1aY3F959I --> ssh-ed25519 /Gpyew 6fUsrnunE+55NBgPhgVDr0GgLAVuO/ncjhcuEl+wvng -C1+3nI4vRf/aBKf85PSy1X/w2WwEL2hvAF5MrwDkcp8 --> ssh-ed25519 hTlmJA PmmPxFrMv/CNG+SfWhCWozWCWQ3ZxfgCAkLsbA8N0x4 -wKMLwOlGFVnCL/DVNuPUK/XdWjMTY7bF1lNymm/WO/k --> ssh-ed25519 LAIH1A cp21yYkJKWit4VF6CPwMOyQkegp5y0ENu1q3DfDPHAY -q0nZNYNlDnEBvD32+uSZbq9YByr3XxLWA1TX4bZI7dk --> ssh-ed25519 qeMkwQ KLGoGQQNE5rdUu2gjhchtog4pLFrfKYB51uAygHFDAs -flkmCHwzWGnMc1cFhR4DLMR6CEzZp4gx4bfa9atoKh0 --> ssh-ed25519 TqxOLw gd2mO+7HbN3l7rK/2efcrSvwj43BVsYUiOLA3TjVuBg -zMysEOlhKW08C+VoqABuBioQgeTMviHNYVJy2PwubqY --> piv-p256 ewCc3w AgDTSzBYcuFF/fbq/1lGtVQJ/hGhvOl24P4efLsZhGC/ -3EcR6BYSpisJahe/S2XfuoGVYxkscTE70ARQ/g7OZIg --> piv-p256 6CL/Pw Ak4ZBz69R8BE5uo1NI4s111shRKc9OnhcBtaBtKVerxg -nhaorLd83Eyuu/2Ax7+Zt6HocHi2yD7wsqWTUoq399o --> ssh-ed25519 I2EdxQ oTcQa7k8nyGY4a0h/ETU459VTwY0hSk1nLFdX1wMWxc -XJtIDxpzEOm0IJnFBe+0hikyRoqiJvtPIHHaPtMrr5c --> ssh-ed25519 J/iReg R/F7lVu5QNvDV2Y1EfBQ1oIthN1itQU26ilN8DEKLRk -e2f5qOFtfkFYlUlsL21kj3r3uGcl8V/e+rYhlF/DtFo --> ssh-ed25519 GNhSGw ANpVIuphVMTrXFALS2SZ3ag2rNrGkVXXvH0KDcVypmc -EANJr+S/mknifOJcLDBjhuPfYhYzHrFKRQcUH/TYkBo --> ssh-ed25519 eXMAtA gD3H0ikmih1XqxUrDtqakmWFRH1EaByqDn66Gm0pRwQ -ngC4vPlohbUHhDmW5Q52Gnz3DGxWgrFuZlX7ZWfR4Og --> ssh-ed25519 5hXocQ /IINku5jrZKsCuf0WL+hGxR978pp8n2xFRbwfl8I53c -kaZspCtVYwA0nl02fQ9eYqA+ihmJF1USGZ1xmVictK0 ---- Kmzz4xXIiXpOLw6JrwHMnMUkq5GDhIKuGZRnr298dy8 -8HУ؏j䳠 +^&>nk3z^7/E1+Q%);~'ne ^mrۯ/phs`yGU45#M) >.yT4"Gǂm \ No newline at end of file +-> ssh-ed25519 2k5NOg oCoSvuig04J0bqxW9ryk4S6TnkRRchP+bXWtTsZ98lk +hm6XqFCIT2EvP+1CYn2tO0FzSBF0Wcrt+1TrNweP2DI +-> ssh-ed25519 iTd7eA 
pJ+QApRj9bSVtrj7/2nEtBA2g/hSwTBfYqhrlD9t8lo +NGAPiwoS6tb+0KPs+C+OvWPj94iUDmkBGI+L+UMBNUg +-> ssh-ed25519 h5sWQA 7UOfgC4/FnxiC0v6qyHTLpoXrPih/Sb5HzGwYEJSTSM +L88RjLC1u2ewxzSZBNMVAhPg/OQmHYsUCbyqqbWzyms +-> ssh-ed25519 /Gpyew rfZd2uUERa2oPoNRrEnyG9MYmPB495c/uGPGhVz9JG4 +tUeMFlQn0WDC1w7y+7JAxjN+GeqS91PomEjZ9iusdu0 +-> ssh-ed25519 FtI9pg IM9r5hs4PKbjhx94ogyG0J05L4IsOMpMnWaGxy4NfgY +JDUd9puiSwI17jF3PgTer1KIHM9t2qDzUzrM3WTM0Pc +-> ssh-ed25519 hTlmJA vpnPyNbj9f7faeb9ElSmyPd5AMEIaYKSWCJFuH1q5m0 +Yr1kKBEZdBsOfX+hQM6SnpFMdJmDOK4GjiBebI7lomY +-> ssh-ed25519 LAIH1A g+m9YytmlG79eGN7bvyYgWQU45EvOIMezRsGyr1FvnQ +vEKEQYapdlepe8jMgnlqMdN4IYJJBynbTPjLPeAVOsY +-> ssh-ed25519 qeMkwQ 29A7UcPPEqBZbFSkqyGc4YOsbE8NfIPCrXh9b1WyQVQ +5Z77Dmok1jcfZwOG48mUSMAGip/IqxaU4YxTNP5zUbE +-> ssh-ed25519 TqxOLw cc5B//e5x2khmMzdjUdjZ3GwFmt1JUpNNulb1B3NLD0 +Qf7a3WE8iDcxlfTVogrJQBL77l7RJJYbd/hEvygig0w +-> piv-p256 ewCc3w A2fnhjFUAVztnaQaWd0Kf2vVLbuQ9U6ucVZcd932p5dB +qA2vVwyOoEpCw7az4XZet+mDUczD5BWF4lO7SU24VMg +-> piv-p256 6CL/Pw A9sE/ddNV8qe0hRHl8izXUzBWqXK8iV6K8I1QNlqVdq2 +VpJzsTEF0+fVzA6jKU1evRBWwr8hW5SccnaEDCsVuAs +-> ssh-ed25519 I2EdxQ o+zsFhEJjqBXhv/LtDxvh9zC7R0+bH8RHTkZZOZMOUs +HjT9YRxGkHm+2Zxo/hMqFIPdWgLgyPG36U4RAERpZXQ +-> ssh-ed25519 J/iReg 9ZdkGpQ6YDbJxkRLNgQUAOFlp5/SomD575a/4JAzRns +msYLKsogs9YXASku5iw9FH0KqY0cnoKl48UcoC16XZ8 +-> ssh-ed25519 GNhSGw Yhv1VvNH4wLdn2nwQ8GS7QEwzgONyTFBbafCVsydMEc +9AojBC7pRQ68ebWKm5JlK4QrLTWkTd5w2ltdi3BDOiM +-> ssh-ed25519 eXMAtA 1G1qsmjn7N5rebjREjNWaOOvglBvXzmkTS0yA378HQ0 +sX/UhOyhNmtHOChkikjwtIrV4yrH4LIzHmqNoeNCfXM +-> ssh-ed25519 5hXocQ 1LAKC7PrAItcBHFr5RIgwGS6NXy8SKawbjaQRV7esn0 +alAjR/iLaHZS+5yadxyh5aZxzOveaqreHBf//7VaIhw +--- fZ/ATFhmdQrFHu7XjHG8VurX1OyP5zK0H1K0LhrTtk0 +ėP3GIzxPf>jmcI +W2 gkv2oEuydYqe=~ܐb^P{ӿԞTx@5'|SJ2Ĭ|,f: \ No newline at end of file 
diff --git a/secrets/restic/jitsi/base-password.age b/secrets/restic/jitsi/base-password.age index e3bf58b91c5a634dfdbad7c2aab80a0ca0c1ef3f..6524e112cb0cd2c421d13590bdfdd95013b604f8 100644 GIT binary patch literal 1235 zcmZ9|Td&gu003Y^!o?lng%B_roJxps&aP{_t`G@rx3yc_UAwhi)VQu)FI(4k>t&sZ z5)~6oP#~Bb2@*&!CL}5Z#1Jv?KztB6h7bh_;X!@iBFDf3UI=)3^!$P^`8t}KREOPB zY}If`C}u;1yKG<3fUSD-H}1wpr61tjGa5w5ruxt}K|O z7x63#TLZ%~SSpN-5IpO1ZineYutL&~!flIhxy`ZbmO`vtiY07ALPrT3tSe5phPbRm!l{wT!lWqkOo6Obh>{*mMFeXu zTr8&Z%A^(tGqOuSVm2p~1*=_E{f5#~_#)m02a!QAft-ezP~u2KE5?{Kmo*R_s#JL| zKthCu!fxPHBAZpC5-8HmY#WI3GH-X_g<1(P>Z%qeI}(8FC4?_e)sZ|Hq(%|sN-h+c z3PSf&3X1Ah4o1n^l#A)C%aEEk6^AA!!g98UK+_?cC=<;du2&?1K}NpWZ=~}czEGpe zdV>n%ma7c>iCl{s6QR?WVO-3#I<1mDk}`r{!~$bTM_4Asz%(A~)O_77BE-0rvv|_1 zb2T#~hPVoI2?tH3NpRB5A%WELTlPXt6*=6);{Z~ulNcf_76MNm5H;(<#~NXeG#o$*2q(M7vk zi!)3?pU5)Yj+}{$G+a<9q?`dtl2m_?f^C%ILT1th@gALzL4iv!Vjk|J3Pg!x4rte? zNpX;>OO3kdXDf7rVo8M|hDI1mCX?}^nZem!=mn5m$qguw6p8~gOPP~=6@(*}0*w)w zK-z%c(qi|QuRD8yojI~2S~)ybf3Ruo^!FcMdSPyGd)1OP>4gW{`uSJxzJ2ABw$E*M+wFFiu>1aHyWO_? 
zvQ3mw`$7?jN__lOBw!6*s}NxP}#bv#)TGCg?$_hkhV70CuL0)%0a7bzsj z=ssxS9f6z)`4UPt5<|?Y_8?|zTMomAd^<|} zFq%v1aZyF$ByNLYL%?9FTg1IwZtM%wpiFQbBhY9Mm`hnAZzFUN&!*BJcA$`z|n{e}goA*R+M0C>An6Z0nwqCvt}>Q6lAKS8C=qr@1Lp-{UeZvPlo^l8Ca|$1N>GDRXq*Xq zHFn^_nYJrHQY{V}rlRL1%aj6+sX_nK7|7;zGnuPYB4%D3da+f&3t6pIHl!|6EjFdL zMOVvV7qeI~Re=mrO%O82BB6v2S^}y7Cnl4*QOJqndF>%qGHUU{Tu81->y7OC2H~ zmD|l&t071U@R=YUw40-D5sgr%b+e{RH9WwRJkQfc71s%@fufOHw{;if6(;BhdeO^N zOL7k`&nP?viF88Y+|-Dgr+m|xHO&@}3K9(u3aD4ZGf^>|bVViw5i`PX{nN<5>qjkV zpf-|J-{FT6m$D6A84EI5n2dVO8e>l3j2zB{7FMSChL#&mZ7h-F=PMYhWw~w+9}E3n zMag=0&|}bYT&zrJAm;^C81AVKp-Au~WWnFsRt$4LZu`jLi3^ z8c-T7+zK*@c=4WlUwh+XQTkWkq^J#7W(|azRT~HFcGM$yP2g7$R?AU#1 z`QkAFzD@f6httcppV;`oGY@UKc5eNbx3sVNFMYe?@`gRx%(7Kq&97rlt$BCqt(=>y zyz=>(BYUB*OB)|1-0I2JFV5agxt$+_;)OL&e6$aG>Qc|$`P1|mx9r1<3-0sLNG-E|$hxP9%?Rnx@VC+h9HU2CN@v|+jy-i)T7i7> zCb{kPeLMFX@Lh8!&plheW5dxGi479HV(X6QgDu~H(|>B$=g!7&9en=-X3zb1U*5F$ z8hj{q=L^bXS02AW%Cqywucg6v*C*S9MQ-zw)k_aFPJwNk<4N@DftP=KE_m+`U)_52 EFE(wtXaE2J 
diff --git a/secrets/restic/jitsi/base-repo.age b/secrets/restic/jitsi/base-repo.age index f61afefb123f7db9fa097c4334f8092dce53b8cc..c735952e514cd9898ef0d794dba82b3a6e8f8bb1 100644 GIT binary patch literal 1081 zcmZY7NvPZe9LMq2i!vTW5D^qfwRkX&nQSwO2QianmL!v8lG$>oO!jS(Ofp$f5QGO- z^i;$mypuhvw1NjgLGkdgJ*psxdTXU1uZUNlN1x~a;luaOZ|mA!J2tZ>J@`rda+0}F z33s}$0(tIrZ41G1m;`*y8rT$o2N0F<^4jLB#R|c2Nh*{WLMe65SR9rOTP`&hl;btA z*l~D&UZdMVlZ4xmQ7NTQ&bZJ5HK(8ZM8u2OhE<#8L~yZxwbU=WDT4O_yP{3B0w^M9 zCh8#0dXcL~(x|8-f4!f9M1!K^iMLAmfYHlR-_7Kp6DaE1S5>eQ#>BGjj}pYS!Km>i z4(ex!P}OMRJCz0(eD6P2pB5nb%pwsHg~7hlhRDLnGiMO13wWS;9BB;IO~cS^s%gV` zy$y#QR7N8rah0h?!km?m{Bo2}cX|$s>*X{SVs`n0)Xw7FW6zl zl=~e^Q-OFeK`(WpX)wkEMq!8%ms|6k2xzerHz9gxN=!h-tbqhs6A?@`vzVC?&J-8H z-eG~X0$tAg`FU*$`E%O^T2*FZyH3U!2xFAFF|tZ9lS6^6C=CgT9cwS$F;gn35_V?7 z5CjPo-B*ZS4)}dyah_@^QrUw_O19+LxZE4tl_UrMYa7ixbyNXocnJ9a~zt-sp^ z4uKwxQF%b5kUkxR6Di-$$)1=yBhD-l2~t@FT6!2)%Vy{PV?Uf;|M24VCq8-m=4XFD zeB=0+lUv0%SHkZF>5X@8*R|XnW$)d3a6$iB|NZHYeV>Z_FQo^? zpLc#^?_c=t=JL%)PA)^&zPj?v=XXB3`^Dg|Bj-~6Ed0_d*PeU)($&$$7wacavmcKi cz5Nh%{QT~<@U45VpEOT>dvy9iCx7?qKQoPRr~m)} literal 1081 zcmZ9|&CA<#003aUcnBh>$UKcA2pgqK(lkv9D*T$}t4-c~Hc4~XX!G5s`EJq#(HAd* zr~?n;MG@x3gL+X!2XhFbIJ^uI5oPGX%RoGc2zqcHegA?7o^{|2yu>Nmtcud)Qd$IX zjY5NGdSw|7Ja>rW=%g3vF5!WmvN&cajfI(u@P`!vCy~+`Q$8ROLIq`0>@9noPUDQm zcF?p*35vjApyKt(j-hxtJ*)~m$V6qN5FUJF!6t~1qwdlFX<1YcvLQb1c@5=YO%LEz zt29(-hS@Fjy9uvDOW)wkgOnVjjo#){xEmj9iql)< z#1-_}!2-F7#(HJ)Ecl-_rUY2NXN4z+a#r*D#7Q{QL681ai=8qd{57|&N+-9}@!r`> z{6fc|El>%d>@*3NnWQU5&TPHM>YZ37-Y)d@^&&1v)W{nXCC@JML)twmy@Fm#xgAU< zHn7+&8>F1$+F=WVe!FKfb)HM=iJa&HOwkZi33a^nYG;Ei=?Ny5=0^0Hh~OJNfjQh* zNxHSnD%=%w_SkB+=P(POjt}xWglA4Wo2eWz zwfVD}XNjN!y{gl!j%4Lv=`5v1V;s8q5n139PnDAGdc5d3eievL=|&3F??j*IFZxlM zRtYYP8j&)!DT95RW;L*v_L9SnftPaZiTPD&EEFpxBh{ZJ$XO(ikLx`*v zp5^o&aE2xrz(8V6%yrudT|-b5&c@oPJI&!Sh{r*pDp3PeA;V;r(sEAT=yNrt(tv~! 
zUrUov!!2YZCy4{oHIxZ*h+fX73s$e7qC~Qr^Rs&BRRqh{(^12!@~yU!FF=25eJe=x z5fqE*VNOkkF&r_v*+8U0xl|U?t_WvR(oD#BMFMQ*X*(*o4lAP?(=>|;AX<73j1T+M z8r$i)I?IZFgoSxTMQWy-68mOU9Sla6QjKT+V_`W4WUpILN~5*07iZEAKQldu>&l?Y zdFet2?)Q0y3`+z{k9v7K$YDT8`w>G?S`Qr7@iM2DvK9&=uF{4I4be9O3Kt~GC6ze$ zkM-{rX{4YM5LHH!GR8;{z|~=-2ZQA@ zU5IS5(IycQ=glfqSDV@}9SvE@^_v*)4TI@M+Ax!KANo{h>084&`bTV zjjXl>GK}d~$X8rTE5f50$hFI17c57pikM18t43HwFvoIEaeIVB1Aa}XEe~S|Hq1~u8Zq(4W zEV%}s#ms(Cq=7^t5hK`24pF-;R~$*6K;<|_sa0l@GHr{5Q9>0h z6!NT%=Ig00@H5u$Y(LS8@0q9uc#V*j>Hbwwzoh z-2d9K_nvS@cZ{Zfy!QKZZ(qDNi}{l)J9l4QWvt!5S6=t!qMth_+mal2}7*m$lraVv9s(LL16J1Vm_3t3&mi$&h~67VT^v9uFid(Lh`c6{x6= zdsKRWFSf!H{ic(J)x788v|%kx7Ej7nNR%^#>C(s&f)W)U)@SUo__<`g?oZ8IfCyMImiBu|;#Kne4<>*+3?KtQoTp-{sC%G9U>Md;G zQpq$b1gL5uLnb=%uS>pOjxIZqJbwDNgU8-^>2&eh+^H|t?_g5ruI{|={T2F|d%ya2 z)2BNwjk*5o>rd=E1B`wySqx#yR=mbT{}T73|5-`pK< zV@j9jsg2IwWq)p6imcw_oLPWxazFY#lX~XtWx+qT ssh-ed25519 h5sWQA 5tzo8ZIYdTzxoeazGzC1COFQLIH1xgxwSZYWshrCX24 -qe7hDx1J4NMPCpIFOQZFIkRG9GJ74rzcDzYQ+l5wsQI --> piv-p256 ewCc3w Av0RDpfvdY4A6iMzRpLfEEjxfu0BrgQT3lNsSxms5+1Z -xsN/4JSnfF2JEiaSmDnnMFwPEZKah919LeE3zZC3ovk --> piv-p256 6CL/Pw A3rShTU30UySod5nlXgGDQFbtwv1GKqSgWzyVUY+9nIB -P8bM8AEzTWdbzb6LfOait7qCcrZUWXA5GinamQm2V9k --> ssh-ed25519 I2EdxQ s92P4q3rc7mnPCNetLAM5VM0rW5CX2El1ZuoRsXpZxk -CjYHau+p0ee1Q43QeqGPJPDg35pRrbenSxTE//gVS1A --> ssh-ed25519 J/iReg EaXo5UCBnjvAWor5Yoi/Qxp0DBeA/i5kYv86bjXQP1U -V74njr+Co/ZYPRU6p+YyWQs4W40yV+oPPYbhTodG2RU --> ssh-ed25519 GNhSGw 94SWVJ0KOjRWuZfEHjRS4Tso1mqD1chtaejPyIkzdh8 -Nne1exsd1yjxTm4+32Qn0/b219Yj6tANMRZlGjZeA0o --> ssh-ed25519 eXMAtA wbDOhvP2+w0JdEnbUuWQxcZNVJ32m1wN31AOe/O3VW8 -BRHEfjcSpnNz55YLNqYQNl8bIA1XzxQ3wqoh+k/DuKs --> ssh-ed25519 5hXocQ JhA00hvkl1CXlvWno9JnojJ1E2wLxiiPNggVwM/PMWg -01oo+JOBvRXSC3OqJSKuzjpvuMxUc/sRB+e5/DR6DzU ---- l/5h5BN/Xg8MD3uVUMN7R3Z9GpmeV/AExODs8HpAcvQ - - ΅p5_QxïI ϴd͢"9Į{s'ۮ+=2η0񝴝ױ{zΰz"{M '#n89.wd/aoRZ~uүgs`g/ \ No newline at end of file +-> ssh-ed25519 h5sWQA 0qY0ZLhtJjK3/xxMzoAHkfDp+0JB0/ifqZHi55bMdAo 
+7pp64AWviLGpX4/zzltb1Qms7/OvgozAN+X9XgXdGxI +-> piv-p256 ewCc3w Aiiqhsc26jTjn2D2ynQ/JZZZ0fB3DU930dKfesBuANL0 +m1J1YKJYP05dolLt84L/WQOLNIflNmeAkJi7IhqO/UY +-> piv-p256 6CL/Pw AoUq5eG3Qsnk+m+jdeTmT14o4ClWUh5y+frJSthoPIYR +UwGFNWxSpuUtA5oWrwrDGqwXa8uLRy/IxmHrFH7jkfg +-> ssh-ed25519 I2EdxQ HVCoxWULBNEOvMSMxqdV3wVV6d3FVRFZ1u+MbpHVF2s +V8SSlmpl/XYdR4rAHeEYgA17ZiOOo89Yfyl6TvUbFF0 +-> ssh-ed25519 J/iReg G3cKpGhUEfe18UuUyLRt89qmEoKmJxII5uOUHt1kbFI +/DpAfbOgyMRGitcsOM4jflG9C2RgX2yNGISZ9AmmDOo +-> ssh-ed25519 GNhSGw l5SifENR2cwNiLMrWd/mRExs0ea2s8p04SDgq9RD4U4 +OheYHaQfegLDL1GKpku84txxZM7ie03smKBDjVGEyh8 +-> ssh-ed25519 eXMAtA 6IhkdzT4rv8B4V1fCl74zH7APjq48LTtwjs+4IdB0T8 +zNoGG/NWK+TkoXMVJthlBOtFyI3tTFIF1ARVgSf5uRo +-> ssh-ed25519 5hXocQ R2MmhbfpUMKtqIrBRnX8UfcoaSHtBNzJw7mFpR9WZiI +RhqSntcuybm84bmML1mS3kRi/Sg7GARiA03+LkSqvc0 +--- NUxI31H9DJ0RF3ngbVQqagcOQrC3+5LsYZOdtTbRGQA +3%>@m3h"h{֯]X-OR6:6Ƃ5)ڐqVL͉TӵbФDmM/u:H؉<<%udRi1)Lf~*KVg>J2lX=-nOpm*2^wU zj2gU=phrkB5m9pzBPb|5NIVjV2H_|qh7jW;5J{APni!*r1iU}#`3pYzeSex|q>Nt6 zpY+4F*W2Lv7C1~NQjY*ZV5bZnM$vR00IB}O7y%5yx0$fYwL!(lG&GtBX#s(dT)9Zp zeG`$m*d7O7Dbnpsg2$V~AX|hmO=0llGzv3?2$$&CW@=_S8$wYRMswXJSQ3JNw0?V- z>cc1o7$c&Ei~u~Vcy*1+b1uUap{{G8nW2kDK3l|TS!7|*z>_p>!z7h2Cva%kW-$%v zl1QdEtTPqKip%ZH#K{+QGOa+A%MFugxuaBdP_xIAbtbXT;^JzGNk)gSaM_Y+Nvr zF$sr_SU|E!KQnGbY|-+2t!g*yqPZrSssCH?zn?K+yJlDbQnVOODQEJ9yoi?5F)@Sd zTqsWn9+lyw=lUil`4vY{VKvd|b~*({hNNb*&vn{VFhF8T#)?wS;-P}jo53d}OXQI% zAuirV@phdW0Trj=G+@!{DNc?k&_lyl<4z6hY77a}y3d#OmMSU;(!;HU$&)cS66qM` zgt`)GW^OdGT@tfG_!*MlB;aNBWXP!sS<6|Oo@VA zpDI+btXwpwy|zSxebGyFCWb^fLg2TGNfu(+0qz$la>l_Xc5^VJX=Xv4u8pG%E2@h% z)KRT$$O_~jj4LBAp{gC;oD>8+9;c0d ztHSVgB0bhauPh)j8j>C@@)Vgw_-reYN~Hi#x2io{w8r=lEXI1;P@qANHo>OTH%e8T zk?kgyVUkHAZY8{1&tBQOXI=fmOY+Ix?u#FtSh0KC(Tx|U{s6#PXJO02;SVn#OB^48 z&%M$UkNeth-(7j2bA87?smFY&?OJ&exRhv|S%3HWHy74DwAT2cX>Z=X@2O{}?m2Wg znqQS&_Qw3zKQ*-*_I?$gpIyCaV{mLm{preuSAp+QdGGP{r*7Wmo^G$vKAHdJl6UsN z?4KvEEj{$GedOvB?_67>LPyqrdT?&j$6vhs`_|>ZKC|>jNy>xwxmWf-fBE(;2d>_G 
zop^u$$(_y)eqq&_jW1x2J&rn`z4r4hP(wNW_6N(f+0XxYH07V0dvcrl;Oi%_yTlFe z{dlHy)BK(#b8BxKQ}-{A&jC}Lzu7*ubIH`HeRoz?eoN&K-Z7_ahB|NMwy$2@KYHK@ Ie>wN=Uyh@#Gz60LEd#F1SW%WEv?9VNea*+-G;Qvf110&VA0#-X<+~ZacHHduC>5FEbm6 zmC`9G3{K^TkP?edd7?fDL5T^K(Op6%G|)h#qOu50>rmFGvcKTr_wu&dX40J2`>{W8 zyy-i=ej6GgiR8UN7}`nGKnViL01)lR<`__2qSj%2fyvh~nDKZ>&QAI+*Y&iz%=@9D zz&Wqfk5P)26LiHXSryR7MW$_K)4@=W!9qc-Mov0XdPNe|LXN5%q$rR7)_iA_^ihHY z%yCY~#sGx~qf|vg-MoXby++j=h(%M4i?lsb$Dm<1%OH+xkzh6IUSh~ZB{edHK$cQ9 zX$&D{kPZy4t#F2(%P7jUt5b|@bX$1)KNgweAnB6TA5=TC5*U}7+(Cm#%RPR`Ny7oI zOf|wVn=@6s6%TmWhaRh7dGXlQR&i#)W3vSLmQB8R>kO7+Jx>A)n!)Vb%|H(a;50FK``)AY9fS zVBLbK#2SW$33q@Ac2yr`K!F;mrfW+kA(3{#XB8aopu0`Jo_EHtr?GzHpWD*#bni0rm#18D!P_sA66=TbkiUFpLZG|i9U9=p7 zxmIyfmlJody#3g^FQ3^0Cr>TgUE1`jGCi89)7QXbl2dxcVmC)-0SByu6yFpHlEsd$EkUQ-~NKSXQj6P z{#RzZ_q{v(aBkntkH2*8cxUs)vwPR9Kl$l~)4R?u``EeSkFQr*2fjUUYDMoF3j3+L zbMcce@42phXy#Vn9%QX`_>mK>qwKx(IoT{fKLc&JcE^!p->;VzCAuY~xBIyz&5wS)Wns-z4-zx_ G>c0RA^SKKE 
diff --git a/secrets/restic/neo/base-repo.age b/secrets/restic/neo/base-repo.age index bc8eaddcf04d66cb31c67ea74c26cac3dc93c155..5bc4c18420af442ba1d40f9b7535b8fba183138f 100644 GIT binary patch literal 1077 zcmZ9}xzF2l0LF1qphJXUs?fWcflF3!?D!NCkl2oM__pK379D)W{yFiH*s<3?dO%=}$jR3Oiu$afJ^ zqn++kP+7*^Fu(``WgtW-+OUE4%PlOero*+G(q+>)JGBnD+QK|8F7!4P*KI$Gllk_R)D%&U<3(;4eR$CXb_K$ z6^#2;l$M}wj76|(<-$(!Vv!2A$@catU9-~2Wpu6Mi=HZgf+5UN5n7_P#PvbC!z8>p z_HAl9+bT+`!UHmf@&8#QD&SO}CbwRCVSiZLsx-h}36eZo+M6U;i53EeiXEqN_z7rupNVD|-*Gcdr^%e+4oIJ5wQ$9kxhof(rSTrgW^CNg z=&}-)fSa7xrU=l(2r4ou#m5SbFea)f=9r3SJIY)h^JS_yB1aOUJYNVyPdx5*WPGI9 zYj;8A5v>OXrU`URs$vCdSxlAjh8>T3b~?o^(mt;Va%>0<#7qfvz`Ij@;)BR+S{JbE zMD1^9hZYtQJB(}x>+j%p4Cqd4A{fpBG{m`;FlkmJCK8oJ*$>$~AIocB ze(={j;`5ih7s~$0)k{xbd+*iD&ph_{#ly>w6rbFXzWd4j{;sd{D$RWZ}5InK=(xgq&EJE^alQvEBXwx(act?`v*}R)HNf95& zEsm$7ia!u{ITwe+K?Mbu13?7AbND&vDfm2oEK z1nNE8+3)?HvqdosAv-XewNBmPcL#y21s%8xy_x6foS7L#%S#cRTKvM@bICZ29Ap!!Gv!YFTjTWhjPsoEq4JxKVB7{26Eengek&=2^Mb(E{ODztKgy;=DNWS zs~GXIqeXbAy^RQ&S^vkv0S`<6Sm^q&+9+gL<>MGf2jP5*RXf4T1+WkTTdi1{?2_|T zGL|qj&T>yqDk=}mJhjYzAsGfPrOIv?98fBt@ECPUC(VecKEF6aC)-BuxHOf=R=-*Z z4x3YbD~9*{7^aYgCJ_R?bPvAoTGd*YWf{uo8AqyC*Vq(l8qA_L&t@QDm>h6=#0|GW zGV%$cWDH(DuW@j&bi9r?E{Ad2rMPtxZ5xhn!%|huVp+!x0^rjcIm=>KU_tbpv{vdZ4b|Dtl+QMx|3uJk(|O^Q^BQ1b41tc z&ih(Ba|2hD=30wL2G33jm8Lw%V%5?j@NiWyDI=+Z(WEx1P3S0%#cp>s&|C>((u;nx)KH`Uyq!06CFl4kBs zwC;l06bi}utOio(I511HQDaw?qR2G*yCz5x!IQZ?0cMQ_Fg2P=F&8M@1nTvAoeeX_ zXWHf0R^HM%|>+%a{*LLfB-!PXy{PT+bZSRYpe!qL={mu86 XuKxJl&rh`X`xl63^&eMso@QSIhKK z!4r!^&VVU_XwfKc)qS9Ws6D5U=U_psQ+7RVn_jzv!W5|{)AZQH93mi<9$NIsy+^*;40MSH3u?vly)#C9EfyjtTBE6tn8Ftx<1f`B5Ax};ZTJqpdW6kqZa8Y#IF5!A<4)5hX`oh{Qzls;M5#}NwKCKpq4ofvs-sd9?G-v8 zgta)REeg|FQK|^dU?|BQBcJw!LDNLF60a}Rv^tCT@rVnzh9wDOQ{&LdOt;ctKsRxv zSXBHTWjZdNtkonFfpaB60o-QbsKttgwSpk9i>c{MS2kPp{ISLaOBhTenfK*DaNErP zmPCwtPvIjXu1N-nagKud3O_buDx;#ZfHh1~O?jMFq7g=M3Shd;0^)Q|_xK!@9AP7v zHXMO#gaa;L&S_o>tck1*1r}05bdsq7(P%V6C^^^i{e;;HlVjFZNu^@(e52B4vVn%y 
zaWO~Hu~F5Ad>Q!d=cP|w?tQoIaCY&>D^4w63y{ZV!t009AMC$r=B=HZ50u7xo@Kd{ zH>_TD(VzPLI`-&e#~;#HPhLBENTUCCr{23~!&PAW*2t32r?wp3t)FaNxWhSS?b`n~ zK&*$p`Ekp;lY5sQUAO-F$;@o=rQ>TR7fqSVHkj#yatH_4PBX79)}vP|KmA&I;LMV< z=ZNIW`?hU7_g8rK+Y7u3-m+&Yal$x7u3~>#^UkF|uupIE_l@s8ziZvg56)f)PrtJN z$d?Bvo`3PpKdYB_Ebq_7Z=Klu#fPuHv0b}D%}rc7Fu8Gd-}&8#o?Ag|I#QU~x#O9` zdvBirwk~=9?nUeFeBt1UWjBAa^64`X55n)?_1w|~D%fH!Sy&3z z;}?}8^^4XH;?{uBH7ZU(Y$ur0)~fP1`UGbZEh=S`Q0(P?wAQ-#?4Mc|R-Ft&(6(EX zPQPvsb}0$FC!6sgXEYUQsl+OwZ>tj*_s&>HW z!oWbXY2%H`u1x?U^{?W8HyeYY>iTUGU**I~SK_g|!p1%|+4^Bh_Y=%Wv#F2B(O4qjbQ;2BNXlqHR-%6IZ;TX7nYt}|DK*2^ ziXn&dB~ht$4fiXXTA+YsELJ0T!tD1I?sl;lZW#_I#)tvin=na6VPwv{t*V-{x^GJn z8_)M82(mbDc=~;kt|bn(gLboD&`8#|)QV70DWL<-Vds7n5{zGwR@`G8cLz%~J8xz! zPnZ&DR^ZX5N|kwT;0wMt#Rb<4O1C0u^wMeTTV^7Q484$s_v>Fblb*6W|WGXECLZq8nK@9Hn*!{VhY4?OqR z`Sl++ejmJZ5qRU{PmNm_&i#1y?c(!SuU|WQ^UgQ#-~R33()Ei!FBgA4$!o_)uf5Ei vKm2}q_kwWci1_5@x#u7H=|S!X`n$(|z54D`H@-Z2;%xH8nS)245kLGJn?QFO literal 0 HcmV?d00001 
diff --git a/secrets/restic/redite/base-password.age b/secrets/restic/redite/base-password.age index 96209231dd43eca78aae78a0e5764ee7bccab309..bf42ca0b70a8c18c2a8e97f9f2e05821e6ef24c7 100644 GIT binary patch literal 1235 zcmZ9|-;3J>0KoAvMMqT_oFE57I^4uv?V2=6o5*w|X_NHQHc6W{Y1B#6ruotIM}9PE z%Wdj|Zt6fbMQ%=TI~CLi1@9gv^9RG-)CYH`V}fvaC&MRoq7L@UIp?GI7kv1B>$(=# zx(#>K_sw2+XV29W0T_ut7WF(Mt~HYg0%B1^v^&#yG^Vvn9l`6dd0@mBkb*Y55OvhRldfB)JS>fPYQkyJ<&M)!Qi|dyq&`|sF)=k04r-16 zw7wa{`$;4f)k3lXg;Bg)LC`EF2@-(_1AuW5LaYUxFSW#>RyPH{8X8p|MV!8lM$&m* zL`V(@=pI>ZKnCWB*uXWJh6;=orN$;bjk3Xffz9RqXQjw|g1=>TV5#eO2H8x5HMyjp z*4wqV#gu?*7p)|TjM0Jsj1Ebz}onj$=FuTbU`l2$^qFEj4=n5RmW8&l*pkO zla!iBcKyX%GTR&q(W-19Lcm#>l#6;2AuEAU2dd4a&8D&fnsS}4?#i<}B-dJndIaya(dM8O%| z`tOA6HM(e&=`aeHDA1$Z_$WX!1QXbqPQ{e%Hra3StjmZ#=W)}ZI79=p7U{BB#>B=# zE$fXH3*e1Vum~xiaIhw4wnt^SIF=f$pJ|BRdQFoHxQ|B_s8z=?rwNLJrMf88NTd{` ztgA)dE40kCMwOi*5wu2{k&R@joYho@(`sn+5veW9@Q{N@C#>TV2q-npz?DuP?=V6i zUaujB+-nF?KkeB9F4r=nR#qC*&Y*>KYoa-zIH(v5Xf81LkhX?ISqvk-g~dFPO(TH~ zh)C5M4thN}fE3Bn1k4{W)heJWj#AeH1!7Pw z)?AsgInGa}7+i%T7hakAE^n9@R>i3z549TH`j^p z_?a_*s(0`H!P;~ec}O~c&*F*G8y=pU=YIY6&EsFpzehFBZCDC#Zk%0tdEX2BpO|>* z?AO0-TiUpWKd|Mei%X05?R_zQ{qV%hClizZ?D}-a^UM6U2X~!b(D#=n_wGA$YUj+- zy>b3WaQpEa@a*b#@bJRaZNzGH<*PT6D_53Zj~%*Ws(g9w>PaziJIzd@-FP!sD0@7beopSrR2#rbc(1j8Vj>)jFBfPCGyQ;oXnce~%z!6gl5qP|r98*WAkZ_Al1D`UXhSWW z7(#F^sYbY*iIN4ql5YZKzBSabnv#J=eufnY3h0*OxY}%wf^sBK5-p0NWhS`spiQ@F zEr4U#iU*xa!DWYquc46dRio+Bc*>2M}g zF=7$RVoX|v^L(8Zb6G}EfnLZRl;n{NYqeI_Xr}C znGoh{=?>m%6(y9G(?*RafOOF^8|55fOXXTHgFh-CubX_la0tAp$L`vAO|o3l1F~Yuj1=A#(2=)T zgZr(4%q97$SmoTVW}6V+@A?*1#|Ti?QfveO0FC7ubdMl&L~+cw6L^d0G^@RQ8s;oT z92*?TbGj=uqngyPY^Myw2#}$Qpo83c$;3pG7K9*+g;v1OO#$yU9D%QfRH_e^LK!ub zVLlW)RUh)rz(_d1Ke%M;nUmiib=F>E&#(PL-E-IHd!JaS54X(?x$o$=y%f1?_l{NU z@d|=o+djTB4{>|lSDL5LH|}2Z)$ZBTFW$KD(Mwz46AMe&7xL@FZ|2_Ge&y&d8{9AH zv%%vlza|IjJAaNa(7>dYNm%EYI)Ke_MFd8Kpb(&OF9gOkTDe0a8t zI|o8|?vlE0k9Gfu+H5>^_0fIQdn=C~EP=;1w)c@MFCI70o%`3H*!%u(ul@MLhIh~X 
zb!2wdyZMO!z`C9HegYp@v7ejFe!G0t!UvmYIy-M1zWniXyEgR>tUj{h^@U%T9sYTK zd1KQ#f8+K0ESMlV!m(kgW+2`dMs(<6+AJ=a#+q&b~hn}9hd{2wdduQKV IeeKZP-=-|Nh5!Hn diff --git a/secrets/restic/redite/base-repo.age b/secrets/restic/redite/base-repo.age index 1fc6687..0d6a34d 100644 --- a/secrets/restic/redite/base-repo.age +++ b/secrets/restic/redite/base-repo.age 
@@ -1,20 +1,19 @@ age-encryption.org/v1 --> ssh-ed25519 hTlmJA L8ylisvw6LsR52IPOy5yk8XrQWiYZzVTVM06wKK4O2o -Z8jpkaxmPZDFQ3NmO1HPmBwKDUBytda9neGUfxh0L60 --> piv-p256 ewCc3w A/jTPTdavs7MDUVtjvEeEvwZlwNOzbyp8Lek90UAoIaw -duPJcCiIbpPWUQoQvFzmkAThyEtEHdZuf4QVEO6RXkc --> piv-p256 6CL/Pw AnNRvokWbpEgYlgIHG5V7cDguNRMfg7lHaQxZdjZ2RWD -f9ZYtq6SQB0wMDaaKrTY+2xcTGxBoU6f63m7hk731TU --> ssh-ed25519 I2EdxQ uh9OUdIKGWc/TfcqATX72iJ1BYwFUzEd35uwrYFQRwI -DwxNMU4V4hwc70f4jRlQbh6xezPRNn2T+lbkI77bU+c --> ssh-ed25519 J/iReg uD81hZ8At1q5vA9IC5a8PhPHBBZIHQxAQ2+XRFzGFXY -Qswu/K18nHPT/FPStnBtPC8QpP9FO76t0t7K5Ry67O0 --> ssh-ed25519 GNhSGw P5cAY0inQ3FtEKk2abI/t8P6Rg+TwHjQOWbOTXhfSys -bYHnKtBNPqe3CYI7i1yPhv+CtgJWfBuUTrWDDNddy3U --> ssh-ed25519 eXMAtA zg5tTTXZFk+lcAvxCm6gdhN5j+k8n1jNhkoAhmtTJVQ -4NAe9ytki8jl1q9UF5GasjkpIVe/ymTzgWroIUGUQ2A --> ssh-ed25519 5hXocQ 0EJXZWeP5/7myPDCKEuNgjyw26i3ElsD/1l4v+kXiCg -LPnJR+1lEE7SsEVWfr2Hxt8yuXVxf3SN42B3jZVq0gs ---- ySlNwZEEtYAM0gUcqLei1BAt4z1IQSId0rqF7B5bvzU -4/>aF_*8ȑz&*40K:m'I']i@SN[~lu-22%2> -/Rt5Gn;}Ň-ׇ i敘m[]B?2{ilJ)dVV`& \ No newline at end of file +-> ssh-ed25519 hTlmJA NN+fdIZAAYh+A7hFaWXYOxmemjlzS24WNa9qWIS8jQ8 +lhVBAvY+TWg1yAJcrgvphoOKB06ETLyH+DLLAO/32bw +-> piv-p256 ewCc3w AtQ8DoBM3GwBCc+B70nQss2/lmirWJs845PrS6cyivYL +xrE8YMYKv7XTiMmu/Qh3W9j4KGkZIN61vnyBUbiRous +-> piv-p256 6CL/Pw Ak6Zjws9g8YrtUPyVQpJxPOL2yhEo1izmu00ODWO/9bN +9g/dmEHdJTKg8cB3xQs5cSXQUz7TkXQM//SCA8qFgqU +-> ssh-ed25519 I2EdxQ B1SaZxW/oOYTADdHLJ/CfE/ePpn5MauuQIV11P7ciWU +BCINmTI1TE7V5/9tIBUpHFBrzk5k5ycvrOFrmEGoHcw +-> ssh-ed25519 J/iReg a93JQXzEH0rzZL9BzI9GWdm+vfIthZj9KmYe/xkM3x0 +BNLZmF4I/B7bNzZUQ7C1VYUiI6AXN7aLaQ4b5pS/Qpw +-> ssh-ed25519 GNhSGw Z9bIU2D8d7oT6/k8AIUFk2GWlQ0kbpZIx6Mch6Zd9DU +ZWGrSOd/K5e0ZnFZvE8U4zLsBBKnTQUu6l+WAFrSIGA +-> ssh-ed25519 eXMAtA 1ZPBxg7vVPdFl/I9Xgty8H8X0HliAQte0D5VrgRJYgs +onOuCxlv73SpBqIZarKbXzUJ/dERBHfPTy5EacFRToU +-> ssh-ed25519 5hXocQ u/9fRCc+gz7Qo0020HYqkgeSk+joAGC9iRo1PpTTNWc +iFIduae61MdkkYBP42yf/59v8OySnNLXgypOS9Z+ib0 +--- 
27DrzEcaoj5yEFstaty5e+q67L8kDi1hUN18k10kUAM +).M¦8-UH#c>SHF"I3-?cu?PssEB2SiU6z|-sBB-'rl~_glܦ# vdQuy4TPO \ No newline at end of file diff --git a/secrets/restic/two/base-password.age b/secrets/restic/two/base-password.age index 24684ed..8596242 100644 --- a/secrets/restic/two/base-password.age +++ b/secrets/restic/two/base-password.age 
@@ -1,20 +1,19 @@ age-encryption.org/v1 --> ssh-ed25519 qeMkwQ 2Fz8aDYIDM4eZsk3TcxqjH6Kyy5tbIpiQ6g51yn7HU0 -dXMgxq8IElRA2BUB+H0+lnEoIFe2cizdx7k06yyRGvs --> piv-p256 ewCc3w An2qh9XolYIfS6raBPi+X1nyOSKoPW0cC6OW+d4zKKaf -dfqUOjj8hUSsQUM2kHbG4FZvRNwWHIWsJd3c2fl/tKU --> piv-p256 6CL/Pw A+ICDRTOb8LluaCvm1E/HEn6eDP+g/HZAebym7Jo9KLN -ecoa4ESR81XuIpMAnpY20IV/6N0nonFKkXBa/GIXCQo --> ssh-ed25519 I2EdxQ LRT9glvKVQYTmmgsDTL++iry57ydE4Yphee2pDiBxDg -8mBHDu0ZmjOnSURnDDN7VjKqv7eq5wwSsC8GFQkoowg --> ssh-ed25519 J/iReg EHwvMpHVmSquZZ6ts4rt5nllU/LSKY53DMey27LS+z0 -zhAqrWORyT84M0gwp8RValaeE694edXO1EX8zhcQIlU --> ssh-ed25519 GNhSGw MUSLnRY33yIGShVmeqvKN/mQoAHxkfcli4Tu4Z9at0I -J3eMRdvGpxF9AlWxG7YaZOPZ/HxyN4cbiG1Toi7oecc --> ssh-ed25519 eXMAtA xaUyXSWWnSsnxiGRAYLw3jrAlpfmplmXZYll2S7tMCY -+9Tc+pj76OoGRdbzpREuSEPL5W/McmMjYYS0QsLRWlI --> ssh-ed25519 5hXocQ aIZQeO+JBK8xcCqc6NEmIdisHHXaZWt0u+/Dl3jSpCM -L/x0DGRLHGCQjgAS8s4rvbdFCeCHti8hYpUo6M1L65k ---- 31mE0lPvIY4VVS/mzuZ/4M+/LkzmNQGyxKunni4DYPY - 8ďRNFShLg8n -2!; j ˳;iٱn+9Ic9KK&OoJmԄ6߂닒(k4y'A/LXv=+eϩ=1ChH$^[كumҨV% WֹNw.Oq9T.Xjs#GF||J\t.bGaMQZtia83'/0$ Em9u!6K@"iِV+Z< \ No newline at end of file +-> ssh-ed25519 qeMkwQ kLwJ12Akgce8+spX5o+Q/UqfkEBEyD4OUxWVPOiLnSM +rdUSxS8F6WgFlpfK6A+USgl1EoQaGS5wS8pHSGS4ywo +-> piv-p256 ewCc3w A1zogfr9BXHIehnumNbpKBSKr48LFh2NePV49tsUdkh7 +iiyyDuQiwF+h/zJkfATm7FIuNQ8QzH0BsRgvnnU2i4s +-> piv-p256 6CL/Pw AkKjGOzxKjVoesmgTJEKeymMRV4U1V9j6VM5sXcu54t3 +PxqqupCqU0XO78nBwB6zP7Jlp8k1nbrBOCLyH9xS6dU +-> ssh-ed25519 I2EdxQ 4nnq0BMU0HUZe0U+wn5DBnRm2bqu0cFdpxHRGD7I0iU +J0vmlSV2KDp0m22dK3uN6/6C1/1yDywttDbilvCT3AI +-> ssh-ed25519 J/iReg KVei3fNRrShvjuqMciyqCk2Hfy/HuqMuUz7t4HL/Bkg +rdc1hsddDLDBnBgTMIn4jwqgp07Dx/Jm9ncNwuJSr+A +-> ssh-ed25519 GNhSGw g2tr85Fxz368+vRqUvuXO85+f0NL1j+Q/wkzyGl+GV4 +sWoykVsRhDPbj4/KvyRTH8n5S7q7OlzXlxmS0tpbmMU +-> ssh-ed25519 eXMAtA DW7qlQZ0XoNp5s4NtJHbRm4x7DVYLWyW6qLwcmtuLEI +ybsEDiF2ZeGOuM36hU2+bP3aqAdrHvJjQXTtT2zK8mI +-> ssh-ed25519 5hXocQ qPLx/wZEHwHOhK6rAOGhQ3TQx5DBEb/QAsqtoDphvx4 
+54ea+DCy9+fDoPyVNldvLo/4CwKebqaTLXXYS4USMaE +--- 6HEphClv3rqphYx3BoRqwLiaHIqSm9zQGeBGVb3XM+0 + /״ mBRH =9H3]eq9]-1wS>q672?R \eS2c+Ai OoHL2kziGA^X+1U7|L #RbD_j ssh-ed25519 qeMkwQ axEa5AHwkKeARyE1KjqYrcEMJZMl3r3wxlP1mfH60GE -OX8plpD+Nk2sJlTBN7ctpv16UN1e6hwZJqZSW0EWpvQ --> piv-p256 ewCc3w AolIOy0Lt/CJN50/cPbQ+UsHXiODIfi/6gRqaYgrVetM -f7SliYQqvwfjgfzC+l9q7D+Jj8bM5dRjwzJU23/e424 --> piv-p256 6CL/Pw A+t7IMD1DwrRcb32x2tC1h7ACJPmNzRGRz5Op/eUoPVZ -6pDRk3OZFZSW7aUAX1J8VyVEZBXnQNrCk4WgT95VtPI --> ssh-ed25519 I2EdxQ pET6TM/eebOYFnykAdm0J/Or8d5WHwYTYsF86xiHaGY -OYuPYMeRTnZC1GrMMcs8j2dsmLDlpXpyaCZYo/IKorA --> ssh-ed25519 J/iReg GMAd6JC5p5XRpRtrgYS+ESpxTUazdue28RucjkKkT3E -R/BTmKMoZSpbS3N4vqTqMrLsvthZyJlab84Yibbt768 --> ssh-ed25519 GNhSGw bQtvqFGatiZI5VgFc5haI5JVl+aktQ6toiVcvCguwQw -Dl5IgrOZE9mVdKdjxw4AJIFObBPHZoK1Xd9G9oN+Lgs --> ssh-ed25519 eXMAtA cDGtcwxiUf97CqY9JcQ3TQWfWlR4KkAvJNra7sDKpAI -DP0PQw6MCfPfHBJIZemusuZlERfb1Q8Xm4DdBO4YDTI --> ssh-ed25519 5hXocQ 9WMQWZP+SyrvveCQSoBrgJYzpeuVyRBGuYa5bsBawg8 -XIt/AN4diGRcN/jQaY729gwERtfFkdkmt3kk19HdPnk ---- eMzfkeRkVgpgy7Ufgb5TqDzMvhd5/jrRsC3CIgA7T5U -xY9~f+y5sz0 -zh~җŒ|G*ܫ>!ERkiRPN=nPJfoxg8Qa$Ө!:Ybލ;ӐfGX.ko(lZh=`zL \ No newline at end of file +-> ssh-ed25519 qeMkwQ /keb+Ra7ey8R57qBRtU5VNvXsUBGlP/D3xmu7ShrFi8 +0cLRMQ+nT3uZO59LHNNQLo8lmQsBWuyPEcsnGzSyaeo +-> piv-p256 ewCc3w AiuuJefLgWkM5EzXWGAx0sAhGii/a4yXx1a0N62QpEEA +jC3Gph2c0qfsXdivztaOGxqwyH8YaDp8JNsBxYvxmAw +-> piv-p256 6CL/Pw A3TNn97Bkf89T3gdh2nOVg8gGJS+YTdxMsT8x7MSwZU7 +sr4NvxEW9NYmROFwmgGSFAkEodrUTxCEX9YKhhzaI/w +-> ssh-ed25519 I2EdxQ +Vw5lZB0bpthF5TkdHCsxhw+2VDh6Se7moPZn42R8gQ +w+hRvGIAehIRIuPzvGtZmSWPUxlmrJtRiq1Vphl/bfw +-> ssh-ed25519 J/iReg XmBVKUHnA7HbC8eQHRg1Kw52dAYlkXmi3t8CfOVY+hk +lJTLuekWjOTY62hJNpi/fwlyRnWEi1jqGZRVFHbkYHY +-> ssh-ed25519 GNhSGw vQvGrEIBipBdgoK2nFm+TygkTBwNrFybwwP7j0w9sA0 +/qQmQ2iB7zXPy0ZStN7cbTNoVdjHYtBjGiKt6Qvj9co +-> ssh-ed25519 eXMAtA G4LmMcFCSHgu9nUKVoryCm1EAgw/8r/udi8ioP80D3E +AzFf/on9+O+xrx6CQNrt49kRw4M/9dLywhc7lKW+p4w +-> ssh-ed25519 5hXocQ 
ZIdUDfleb27LFxg2t4d3LXtqE/wJ8Vbie0+fZDAnKWs +VUOTStUwbfFsgKiX5GEgxlYMnSHpXrq85UEC884y314 +--- bHL/tQMiSDfTBt6slaaOwE4r2ORKV0YuhUzqoC9Ea+g +B)b,} + 2( +ۃUc!} VjWPlk 2"sn T}j _d/%J,Tr%ͽrCEtD` IDO$0L \ No newline at end of file 
diff --git a/secrets/restic/vaultwarden/base-password.age b/secrets/restic/vaultwarden/base-password.age index 19b7f81b61afba09ca57449889387e6038a9b831..34cd4866065c13fb078bbdf5081be455b03b3769 100644 GIT binary patch literal 1235 zcmZ9}{mT;t0KoCG!rX(3Vc7#Ei$b3~9=E&Oy)5E^?Y7-s?)`S#?MbA&+wE?*+ugRi zXLlP#5|{{DBpKo(Mu8d%_Ch^bnb->vzCe~wX&OCbKM201LGk-Juv#a0Rx6p|+s+>V(~znt~AnhwU1pd;e&i zW`Dc`A!t+&2n`ORDNOS!REfdsWUbz)XT2<@S*5<$>vxi%)R_!1%YfSauuk$?1SG_Q zI%JZq97$S~QY+h1Ds+Ri)y44)&49M4n{-QZLM8P-3ni!+cgu>~Vkr}sC~%6-fNCS? z6kQh8sBXg;@}kt1rLZ8f)kZ(oqauAA5aCKaloUs;l?z6QC}Lhlh?ZSW$i5NxVzSPv znyOa*wfJ~pPM?$W)v8StgeGAb zO`(<#_@X;-P)HI>`|bQ%Y|wTO(dEe zp2!t*(tM3%Opy$tikT&ZlG*}`wm%G0UAJ8rf@r3#!Onn`bFRST^(jn4da@hw6HvLM zbgi1$Wtd5;KzmYL%6N4rsAPyhFNjKjqA-w034Fe$%XG?5MQiO^Q|Az?s))CmSiD)7 zL>ZM&gh&cON-euUu#lC>xnWg`Fu6AEvqhk(<0uQXDb`2$GBgF5Z3kD2jN8aCjXd9B zV{$NGLrmG#_$V85I9C~94$M{QDZi9VRmz~N*9<9BHytkkl7of-@{Vob5rd$eu8~4T z*o6tdm?g4Y3dl2hEoI_ysFx&4WIO}NV8ytljgLnuv|#x*>~#eX1zNHzDN3Bj1{m8) z=kgYxgt&Au;WyHn6_0#7@xhlPyMEobdfEEJ_dc~?^-5C`N&x~-hPhMLP z|LW{2eBpk1urU7YYu_AN**f+0ZA*loTT2hVwC(M|u^7GX`k@nZ+DL9u?Vf{|Ry>GV z2OhhA^Tc~C_m!n@i90SCN(yR?k_K2 Qxcbodle0IrDL1*l0U=+%L;wH) literal 1235 zcmZA0edrT)90zdaM;6mEjQEM5j1qiUbK7lqyQBK)-FCa%!#!-f-EAw1-R-;EZMVDI z?s0=OABZAJiZFvx|44--3^NNcN>F^l{z&PM1RoND$o^1*D1T|c`m26_e?IWy{r>Q2 zsUQjrWi+-N%``TcBQ@qFLeZJ9ZFi%f4Z&~%3k$=5EBWE7%@Sq_vOT8PQGvt;DMJ@Y z+m~bF7?_Gy4WzN&M1c>*L$P8p<9HZnn10*BaGOYC9im=wTM?@cRS{oeWQ1@LgrL-a zG)wcM76c<<;AfPiAI8mUO~+L`U`fhKf#RSm3KTDxL5zWg#z--UmOGX#51CL}C{iXR z8$tA@S?3UMT;_a`1!j+nXM8mdiw4k(HKa|Ioo?!X7LqB&_&ICL#=ExMF@|+M5M(R{ z(-s1?le(U$;A$3lQZi3wJ=TT_$ld>o(4bV6V;M2XR?!6AXgOVu9@A(C0+FgB>5UMR*4sne zFXlR99k9cRlH|>jIB%`s>~VsgAOYG-*gv~&7oU!j&yFP*ySe!>2A`pVV!FSgcRxq0GKDt+t_h7Ck<_cpQC!JGpiBHF@o_ zZ;v_$muw@pogJL|;kz%7cXIpB2df+E?la%tJ$LrVnVtKH{mo;~t=UJvyW+LI57yn^ zE*_hDW#OXh?n}<{^=~+tQ=h$k_bGn!rPQUpPrtKis|86tB-R0!P6TSESp)dwF{V^3qR#P Q`uv%~fv-PVGrRJ^-vqw9-~a#s 
diff --git a/secrets/restic/vaultwarden/base-repo.age b/secrets/restic/vaultwarden/base-repo.age index ed02333cb4d4362f5c4350e212a112e6194142cf..c3c14abe75c9c0535b64731c939f36e0b7c2db6d 100644 GIT binary patch literal 1093 zcmZ9~&CA;a0LO7qd=7E$;11&DF`z@XTJzStAr70DCTW@`Y0@@{3~BS;q)nQ%c`4#R zQLj4OMGw0OUQ~9F=io(TjDgc#MEwI4VMkHCOvUL*pTFS4@5gr$`dxqH7Hz(Zv(58a z5keILbT5Hr8FhUR#c_lN&26KOY7pxsIUC7+2p6W|%0Nv)YLI@@j+?c@nWevW0(NbX z{HhHBQ;Th!jUjnvM@=k>ma>Pkx!hZ0N*FEc$;2Z@8O^F8oBX5Yan;RHoB;irb+H=k zCly)RLkq1OWqCa}##kbr0>et;sx&|N2{lxwd9<3>6TzA-HH?CK z2;Pw+gVh5g^@8lQHiY7dAA<9k$RlN5j5a(Iz#P-lY+YsGZ6WRRK58#H&K(`dBw+eH zaPSex=_osaQaMC)M7S>9oq{@@MSwVmgGICUT8>m7L-^C0FpdnN1}Uspi(>;GX#C6$ zY6?euqA_Vaoxxadr5+AD&t-=~O{_9Nqqzk}mVIQflCvh^GKUkWJ@FYl zY@plif{^H7O0p6>W6xxq6s>wbsxyft)ey{Sl_>@)T3N0-r8uYLaI zt?O4VDxmS6`S$nFlh|+Z;T!*hAMTHD)=wWjmz>FzS=C!c2To6OSiOX)28Z^>`9wu-|?oRBYF`L z#FIynLGYlUI5#~g2nr9pD&s*B4}zx|P{)(LPw?Zv=&s$fLo;pS+>gR1qtxw}P^b44 zkY!%awqO*6NMM=NvvCD%p|u8+jn?-?d?xHvwmoEmpp$B?W1}+lJUX{AiO8)v(eW4E zL;%}ap2!YTvwTG|6rNctEzfPF$%K-yG$r&Zd$78##eUg~VH5-GiZPK2ppeCs7}-%F zFU!N2C9zl;`Ie9IT7l-oUYV|8T&q~y7j&Wn?qgv!2q7JWCo^_C0GlR}nMF53Bqg22 zb-^@fI%`Wu=Kg14%(yS#wn7urVK%Tueo8M=mkf}Nx5-Gxh)fcvNC~nP!V+rH2Rqa5 zh)CuV=g`}-hzHu-r1&_eDxw>T3ogLmXe#1|a%K3{*%n2Zv+6lu;6$vq`Al;()1lzP z#A-Nz@oed?H=F>$MLyc{2X>A!ZYNLi9hcG#Mh8do~+C^%TAWMg^*>Igvt%Lt=bDO9M3- zxstIPLN2o`P3MqQ=mf-Z#O*96EjWh<6US}(kgD1YTp0($3t`K|x&D^YL@OC< z&T95%Lgf_T??{o~DfZe!i@s@|)lhE}nR8%W)78`=<;5zFi3T=Pfthbv1qnPH zrG!ushOtlA<1P&iIt3(fVWkWkejjbLv9!lA*oxYukoBkvWOku6B2`qWp8fOwUJq#5 zowR4k;U=!wtMpe*mW&N2QvaOIw>m)`vS?aN0ekNyV=1&c)a`h%g=nH zeQR`|eX;xX?5~GDJ{-OG=l4G!9e>4~Kb4-oas1Kg<(2x!udf_GfBI!TE3d!7-u&T5 m8ND_A?Xd@;N4|LL(z#D{^>Fgi$(0)y@3qS3&R-or@Y>&h@oC}! 
diff --git a/secrets/vaultwarden/env.age b/secrets/vaultwarden/env.age index c87a1685dc77cfe153cf44fae8be6b12d4c4cc4c..fb105b196b9bc3a9d7a1c3fd6d4550bd9ec6b7e3 100644 GIT binary patch literal 2951 zcmZ9~_dnH(1IO_s$srmyC5=;ERL0qklZ-Ps%bAXIoKxsH<8y}NOy_W9G^EhFPGpo4 zQEAZBLf2Q(x+SBbp@Ae)PKD}wzdwHa3!ab1>-`o25?@K8NSC59$kmB{Y8?PE!a%;k zV7*@ED-pv{C>RFJ(Izt@Okg&bpf=+oBMee8-CG5fbM-U^o-6ZLo4ujoW?57iO)OJl zWdJe^3W5q?Dy{@V2hd8nT7wcBq6|6-Rv?2xwFy!Rl|_}YDao)XRZ5ipf0{;a^wq#o z{$Pm-FG85WSY@~Xg{Gh&e1tp+V`ghGLOvNo&;tyPkQvPYQY1Jg5k)nSX&f$y%9m*5 zNCHR7;Y0ls)oO|~EWkgS4T;8c!wAU|z?&{rsQ6*x2&U=(EPs3ig!!+9)=|A_k^aeg zs#zg6(4!$3L>SJWLrCGHY4~UgH-JIo089X@qEJB*d>WF4#)QRd61|~U3~vn{1^6?flQ9YtO=ph6CllcW z6I+K*QJ~CX7{eRKp@9Sv16r&Fpfp4T2Fi$5CW|6*6sk@rW>86F6E2a4F%XPN3}^tG z|GP$k$k`GAj7y=3iKYY*ix@9Q#T!t91dIyDAxktA5}p$oKuSbP;S@4mKnV{38PT`^ zxe^UiG7uE9fyKhpm3%xDD~lj$^)vxTq%)D!3^FlNMnL|q5$Uo>q6tilr^D4aEre2(SXKu;E!2s#510O83=1RRt6yC#XIVGUR?3Cp5$>1H{V%aAbWWHr}c&1R5|Xaf!k08}K0 z#gQV22}*1tkq^?)B?$I>b)kXjxBQqnsHy=jTQo$jL~)THA2`xyon5 zx)sh?T4?BBy)V~4^Y8h2!}#mVnIh}gYb>u1M=qp;Hk+v0%KG=SjO%RXE0QE`p=8GM zdpOX&eCx$S1>h+HvE-5D>T*() zH8zpdU3H{7@!iw;PLCAHAA7zDLT(M_eEB}`4}jSFqOHRH^*(XNhcA&fsU*@?JW0RF z>1;y#eajS&&K11bZ)ULeR}|~RmsSo?kF5S7)b9ExhwahcYB>delpnMLLQ~9q`FhbG z2Cl>0JFg1XcK7TN23_!6VuU@CP5)e8^Om*qE2_r>nPPv#F)6IG;VN=u{La_w8*_s) zn;ILs9~&`dR+8G(5pvQiGT_Ia*As5r1HPSUhBz(brS(!6`DavI z{mT%`^_D2R2EoOUSi(%FnD;MW=hpgV7Di@oXzYE{n9DsH_-;4bGw5c?vxzp?NXYWX z6%JrC(pEn)tjTuq|LT(bBzq2LNIG=I00Cs(9VHJj*&jP*7uo1S*#?{OA9M4aMuqcC z@sH!ImSUOsN}!T!-C>@6^nmzwO#6XnlvN=+`^~)*kF%h3#{;WLpP#6U_V$&xUTbgt zFdE1E$67Vw0G<&z8dIn3Y7Bp-rIA-mdbK~B^h6pUxhm}?^K6(I?^Kn%%a+r=g|cxb2mK(Y7MK?4-%%Np$a>|y9ouNW1Sdv1T+ zvy&*`tW0!_D_gpt>Zsb@TGv-}=}>cKT}{@k;)|;6(d;hP8D}TSFn3*d_FYZyNayuT z)QZWH?Nf@NF0DS>PCpvtey|UA?QG0g8>?UBb#1Hml(Xv(#^zLcQpP+0TVXo$bL1|t z6pC^7Da!#sAI@$JW{QnLqANqKDRG~Det=4^ajOdwnc9~Rro8{KK)8ckpjK7CgEcN0 zht%D&%Zat<{Nf~o389PH_$ydrlOFp!<~s-jNqzDS^Y>d5XI14=McWH`#U2h{)r~It zyKoELUH-l~ccic9i>TCjR@1-lJ2e(nnq%cj-)|0`xnbCW-g^B$#0~1_{mZh9fJ!>p 
zM^+s(R#O#8eL%jo7X|k%zyGOl*G0396Ld-Z6gTx{YgypRW4G=z21s<@Fa15WvD#_z z%20H~mXJjwqZ6@noW>aQ$0l*%$1#J<66gJQa6Qdyx26ZecG_n2Y8|fI=PYae=v6ft zFjz2N+-=>um^d_4c5ZE;k@+XmCJ|h{WrR9d=cYe7~HWhW_82dht=bi%ls#=G(1>% z-mYUMrhs#$$mQBn1{#li%?EC%$&0ONbNlMo?%kXtyzdH~wQKijeQXTt5=YWZbVH@V zrpDiP>W_<}^$4>dOW^-;6ZQ}LO|*@?xf{ND3;TtAKqYzRYnL}+d!c8AypKm}mrJW! ztJYQ6=Ix}`q%k`9!4(9Vmz-t`*3(dbhTKT)TA z2QH--KB#oZmz{5RFe`YL_Qrm95$mv#VVhfN*Zb%%TACH<4i9e)vfaD%>C$&I_GBCe zmzvwGZK=mkc8acaH5fL~F)cy)nD0XYW9i3@EpSNbB9Db%j6#QR4a}R0PwCYeR&ZiD z{e(=R33R#rr2g}oppA>Co*+xh;x{w59Nlb`y+RDsK=QnrCR+Imvho}~=Iyb2Jp4V_ zc|*yq%!6^z_T!VY)-D(7y*f{?{5CM;3^SPetsLs&lEbGSYyFFc>`u~P1#!@;Lt}&f z&Vzrq9IRCf>(V1bm6W@o@nufW*h{XoGz>Nc>D6p5Joij})z>-AHl>89pk;5XPF|kw zXR!SED|!1=&l#+IOTVe};3mDTsBqrhKSeb)$Gy%ORJ$974_(WsUE-#8CAG8np8;pq z*KE_=Y-%m5yzHXX%I`&Cx)>f^tn8Houa2wF^NO+AY5O$$?;m)#yJuZL@-TbSahMix z`O84a`rtpZW61o`Rfr^ve4GeUa&0xYtJS&lb;gt+B(n1c@w=KipCveZdp8ruSk9|2cQ a1&7bA$xYqcS`VLkOnS&=Mt1(ZMgIi=t{jR0 literal 2951 zcmZY8`CkkO0|xM|q)XdM=}>D(8C`Q9*(@_P_ubqRX_|YQ`)sBxDrMQW%N3DQNGB2- z5?bVpbuH^iMaYJvB6;`y@!j_?_dR+O0SF8n-m}$#5?XsfZ42! zlS!cn1SA2#F=jESc7Q{LG1)Z+7>`3?LIq%5riiFukcAm!iipS*a2X0AH-XP5I5j+p zx7fi|nqWdUo=&7OLCNZ5STabS!BVI-T9zFHN3o@HsKZJp(Fx%HY6g`p&HzOq0Wy1% z1ZD?djL?__lE{h>^RWUDj0nM6#U=qxmZ3&xQ4BT&5=_e=rm*NLD~jZeWrHOdMmd*& zg)uQHEUK8Jz}fUx2}|KLQ+Y_WPDzBqR9OUwBJ+PNWD*s`{KvA9(G-eAPZhzPc0#h0 z385jhN*z&e!Nll=47ih`QX!B+Hb=$ed#f`HMk!RNw`fF4kUm31rJ>9Sa7L2EO6KAT zd=Q3AkXVp%AqoNicZ(z_PMXC6@Zc5&mXF8)gOGZe1>?{pD|yKzObk@6LmABil#-;f z(gi#f4{G+d@Kf|yE)kBilT2AGgdA;r}!;NR=W} z0KjY|4y)A29a@!>jz+1GI+?|UH^O4L8Fr4D%#~xU<`@V|g;Wc@5jqqIE3`teU^hT4H}Ni}?a5jhf8Xkpxsa1tT&zz&aidFTsg; zDR2yi4z?<2|JGyz8peVFP~mnd2TC_`Wd^1R0Y}4?5Wbqvz}rlw7%3bg5RsfFxQfo! 
z+qvFEydjBUjge|GEIL^(RMO1|3jzs6bM+3Q6YMaU$O%@g-l1ed6#v!`N`YR&0;r5) zuGOiNTNA*r6gCN+iPVu%1RNP5AZcW1nvNycfedgo5(3eCgB5Bkhp9$dbUY1(M->~A zlF1a6SqqV&=*beMSu2L&k&I*>4#xG4i;Dv|)VwUaApwdtS}-`3+N`yscv2QRMj}ii z3W)+FnQB5|WdemzM)DShlmIh7A31pb-iSRNb3J~cwe$3@;Jsxv<;uDTD;|MuwkM;GcbB8FnqBZrUSDL42k4w*q z2yNfA9reCTiAZRiUfb1ixR3em9?!*Xkkv`N7w`*m|ASH8rB^bSs`5KuZ#5OVCxuqt zu~#gaJh!}iQ%h~#aMd|3Viq8v4-_H#Gv}d~@v(jXkL&Kw?SYtZGbav?9qg}4m>$}; z-RRX?zz(`6A1ObTmE(=5IEeA)|m&f}V`a~G^j?Kr-KZF5F)xWJ&{aBMa8 zN(J}+?XpQffu$Vsuy|qPpBuj~OTB+P_gKoxjqwjcWQ*kZqn5U3ZpFmSf3@w*e^1^B zIr%YWEOErm582V|#tQ*ID+lHl&Dg%1rk!1KDkOK!j+Vlllit~XFtAE;9s8mCu%*al zEN*%F^tGv~>iI3T(d|Wpkh7`I?d_f)$~)wTU0ybjf|F$W&CfjV1nqWGc32_4Qstgu z)YqCuPQ+6fW?|gr_wOim4|+#HrUr%Dd^dDV-T%pXbWUJ1Ye9ZDRqhh`n^BfILI@rb z4|+=6PXJ4mFAiVO6~?MJS5Mt}4UWH?|45Um>-8Ue@CPOO`hz*PkH}@gOBj%}roCq? zrNCL%QP<`f&vPxpF<{@#wUwKgykMV;ivAs;->>I{7~hx+ zpaP3uxMnlieN9RIsPTmXec(J=?8kjdB;6!e>FPp3OJGuIGTPTkCZIA5To+arn72`n#Z*WJ5#|9tXooZa97;447JNZDr_RZZd#|jwn zsSD1hKDu_=qd7SE^Z5-wd*7Bs?acQ2TJG{!)XLzKeVH4}-K%|+E%!PMw|oC8Vq9%z zK4V?hRnLK)C!C&hYEEiEfxco zn!ms1(s3_mYstI^%wh}wwGTtzSZxXT(Q_Q!>tk3(VMVZaE!Av zyrSowct{x)^kVZs39)|Wno+Hv((gA(%+E~D;UA)15d2?rbU*p@!^0ycBih9|kkNDg zEw4||4}X!ntjj;n@tEbC-8JV7u^8R2n|13^JUwExtt32sd(reO_E0{+x8vnfod+Qy zZL~Q+?0YJW>bL#tP3r2D*XLG>R7H|R%k9NC7u+bH$+9Wf#B$HhfQRqHLNU_F#GaT@ zC1{*8N*R=gZ~U`PloX%yJ}b!6-5?(R#&Hd-sN8@`&ph7V@F4bg4^SPjA??+YvWa&E zIq=@Y&XwO*h3uR$H$6(%_H?K4>hhZUV?lhMUAMy4Ct?x%Z9J18Of3;y(lKmO<`O9+);N)-|u}SC}Pl8 z;xgdcR`M8!n+hapn~>e7z94#78|JRM+*3Gi^Y?ig^_{2BLs-BlXkc)t@XU&{zwFMz zx9=T3v8=4GgO{;&QG@TT>nmhDXdj_`dR|ar6AV1?WbyYAz$Czlz4MYgKUTdgK15pm z;w|%S8bF84&)e9)*I!I`M$UeeKG4yrQ*?O^1|AnC0c<<7I50K!&g zPYI|x+NSa^phy~)Z6&HdN;I|gtDigpf5`i*tJYvC5%-3jNKtGn4ad4QkS%ZXzS1hb zI&;OB4s|x|(|AY^V>N*fnKd(g&rCFDnXx+ihkzARYj(uuPZaxDU2AUL$xY!z7dKaZ zo~PS-M%b#o?pQ)>4}V@;qn!VpsBwSs5r5aN#&w3Z7uExB%{$vM_8#Sq#LTWIl2+Zu zhpphR*um$c(E_ddK7neyz@ WFh)0i^!$BBc>k8-q1x5AT>k?d3 Date: Sat, 1 Mar 2025 18:05:30 +0100 Subject: [PATCH 37/41] Ajout element-web --- 
hosts/vm/periodique/default.nix | 3 ++- modules/services/element.nix | 28 ++++++++++++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 modules/services/element.nix diff --git a/hosts/vm/periodique/default.nix b/hosts/vm/periodique/default.nix index e0a5ea4..f5ac28e 100644 --- a/hosts/vm/periodique/default.nix +++ b/hosts/vm/periodique/default.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ ... }: { imports = [ @@ -6,6 +6,7 @@ ./networking.nix ../../../modules + ../../../modules/services/element.nix ]; networking.hostName = "periodique"; diff --git a/modules/services/element.nix b/modules/services/element.nix new file mode 100644 index 0000000..114d58e --- /dev/null +++ b/modules/services/element.nix @@ -0,0 +1,28 @@ +{ pkgs, ... }: + +{ + imports = [ + ./nginx.nix + ]; + + services.nginx.virtualHosts = { + "element.crans.org" = { + root = pkgs.element-web.override { + conf = { + default_server_config = { + "m.homeserver" = { + base_url = "https://crans.org"; + server_name = "crans.org"; + }; + }; + default_theme = "light"; + features = { + feature_video_rooms = true; + feature_group_calls = true; + feature_element_call_video_rooms = true; + }; + }; + }; + }; + }; +} From d1490196138f3a524ff8156a31882a78bfcbdc72 Mon Sep 17 00:00:00 2001 From: RatCornu Date: Fri, 27 Jun 2025 19:42:52 +0200 Subject: [PATCH 38/41] =?UTF-8?q?Mise=20=C3=A0=20niveau=20p=C3=A9riodique?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- hosts/vm/periodique/default.nix | 16 ++++++++++++---- hosts/vm/periodique/element.nix | 28 ++++++++++++++++++++++++++++ modules/services/element.nix | 28 ---------------------------- 3 files changed, 40 insertions(+), 32 deletions(-) create mode 100644 hosts/vm/periodique/element.nix delete mode 100644 modules/services/element.nix diff --git a/hosts/vm/periodique/default.nix b/hosts/vm/periodique/default.nix index f5ac28e..e59b98a 100644 --- a/hosts/vm/periodique/default.nix 
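Review bot: The `element.crans.org` virtual host added in modules/services/element.nix sets only `root`, with no `forceSSL`/`enableACME` and no response headers; the copy moved to hosts/vm/periodique/element.nix in the next patch is identical apart from `base_url`. Element keeps Matrix session tokens in the browser, so unless `./nginx.nix` or a front proxy (neither is visible here) already covers it, the vhost should redirect to HTTPS and send the anti-framing headers that Element's deployment notes recommend. On the vhost that would be `forceSSL = true; enableACME = true;` plus an `extraConfig` with `add_header X-Frame-Options SAMEORIGIN;`, `add_header X-Content-Type-Options nosniff;` and `add_header Content-Security-Policy "frame-ancestors 'self'";`.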
+++ b/hosts/vm/periodique/default.nix @@ -2,15 +2,23 @@ { imports = [ + ./element.nix ./hardware-configuration.nix - ./networking.nix - - ../../../modules - ../../../modules/services/element.nix ]; networking.hostName = "periodique"; boot.loader.grub.devices = [ "/dev/sda" ]; + crans = { + enable = true; + + networking = { + id = "18"; + srvNat.enable = true; + }; + + resticClient.when = "02:56"; + }; + system.stateVersion = "24.11"; } diff --git a/hosts/vm/periodique/element.nix b/hosts/vm/periodique/element.nix new file mode 100644 index 0000000..518da13 --- /dev/null +++ b/hosts/vm/periodique/element.nix @@ -0,0 +1,28 @@ +{ pkgs, ... }: + +{ + services.nginx = { + enable = true; + + virtualHosts = { + "element.crans.org" = { + root = pkgs.element-web.override { + conf = { + default_server_config = { + "m.homeserver" = { + base_url = "https://matrix.crans.org/"; + server_name = "crans.org"; + }; + }; + default_theme = "light"; + features = { + feature_video_rooms = true; + feature_group_calls = true; + feature_element_call_video_rooms = true; + }; + }; + }; + }; + }; + }; +} diff --git a/modules/services/element.nix b/modules/services/element.nix deleted file mode 100644 index 114d58e..0000000 --- a/modules/services/element.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ pkgs, ... }: - -{ - imports = [ - ./nginx.nix - ]; - - services.nginx.virtualHosts = { - "element.crans.org" = { - root = pkgs.element-web.override { - conf = { - default_server_config = { - "m.homeserver" = { - base_url = "https://crans.org"; - server_name = "crans.org"; - }; - }; - default_theme = "light"; - features = { - feature_video_rooms = true; - feature_group_calls = true; - feature_element_call_video_rooms = true; - }; - }; - }; - }; - }; -} From 890e6fb2373b0363f34e8f6471ff312ddb3b02f2 Mon Sep 17 00:00:00 2001 
From: korenstin Date: Sat, 28 Jun 2025 18:27:29 +0200 Subject: [PATCH 39/41] Reverseproxy --- flake.nix | 5 + hosts/vm/README.md | 4 + hosts/vm/reverseproxy/default.nix | 34 +++ .../reverseproxy/hardware-configuration.nix | 33 +++ hosts/vm/reverseproxy/reverseproxy.nix | 198 ++++++++++++++++++ modules/crans/networking.nix | 2 +- modules/services/default.nix | 1 + modules/services/reverseproxy.nix | 177 ++++++++++++++++ secrets.nix | 2 + secrets/acme/env.age | Bin 1304 -> 1414 bytes secrets/apprentix/root.age | Bin 1004 -> 1004 bytes secrets/common/root.age | 72 +++---- secrets/neo/appservice_irc_db_env.age | 39 ++-- secrets/neo/coturn_auth_secret.age | Bin 1079 -> 1079 bytes secrets/neo/database_extra_config.age | Bin 1187 -> 1187 bytes secrets/neo/ldap_synapse_password.age | 38 ++-- secrets/neo/note_oidc_extra_config.age | Bin 1555 -> 1555 bytes secrets/restic/apprentix/base-password.age | Bin 1235 -> 1235 bytes secrets/restic/apprentix/base-repo.age | 36 ++-- secrets/restic/client_env.age | Bin 1965 -> 2075 bytes secrets/restic/jitsi/base-password.age | Bin 1235 -> 1235 bytes secrets/restic/jitsi/base-repo.age | Bin 1081 -> 1081 bytes secrets/restic/livre/base-password.age | Bin 1235 -> 1235 bytes secrets/restic/livre/base-repo.age | Bin 1081 -> 1081 bytes secrets/restic/neo/base-password.age | Bin 1235 -> 1235 bytes secrets/restic/neo/base-repo.age | 36 ++-- secrets/restic/periodique/base-password.age | Bin 1235 -> 1235 bytes secrets/restic/periodique/base-repo.age | Bin 1091 -> 1091 bytes secrets/restic/redite/base-password.age | Bin 1235 -> 1235 bytes secrets/restic/redite/base-repo.age | 38 ++-- secrets/restic/reverseproxy/base-password.age | Bin 0 -> 1235 bytes secrets/restic/reverseproxy/base-repo.age | Bin 0 -> 1095 bytes secrets/restic/two/base-password.age | Bin 1235 -> 1235 bytes secrets/restic/two/base-repo.age | 38 ++-- secrets/restic/vaultwarden/base-password.age | Bin 1235 -> 1235 bytes secrets/restic/vaultwarden/base-repo.age | Bin 1093 -> 1093 
bytes secrets/vaultwarden/env.age | Bin 2951 -> 2951 bytes 37 files changed, 604 insertions(+), 149 deletions(-) create mode 100644 hosts/vm/reverseproxy/default.nix create mode 100644 hosts/vm/reverseproxy/hardware-configuration.nix create mode 100644 hosts/vm/reverseproxy/reverseproxy.nix create mode 100644 modules/services/reverseproxy.nix create mode 100644 secrets/restic/reverseproxy/base-password.age create mode 100644 secrets/restic/reverseproxy/base-repo.age diff --git a/flake.nix b/flake.nix index 635d62f..8785258 100644 --- a/flake.nix +++ b/flake.nix @@ -70,6 +70,11 @@ modules = [ ./hosts/vm/redite ] ++ baseModules; }; + reverseproxy = nixosSystem { + specialArgs = inputs; + modules = [ ./hosts/vm/reverseproxy ] ++ baseModules; + }; + thot = nixosSystem { specialArgs = inputs; modules = [ ./hosts/physiques/thot ] ++ baseModules; diff --git a/hosts/vm/README.md b/hosts/vm/README.md index 1e4607b..84466b6 100644 --- a/hosts/vm/README.md +++ b/hosts/vm/README.md @@ -22,6 +22,10 @@ Serveur Matrix, bridge IRC <-> Matrix et interface admin pour synapse, accessibl Serveur redlib (client WEB alternatif pour Reddit), accessible à . +## reverseproxy + +Serveur qui héberge un reverseproxy et une instance de anubis. + ## two Serveur NixOS de test. Vous pouvez vous en servir comme base pour la configuration d'une nouvelle machine. diff --git a/hosts/vm/reverseproxy/default.nix b/hosts/vm/reverseproxy/default.nix new file mode 100644 index 0000000..cc37e51 --- /dev/null +++ b/hosts/vm/reverseproxy/default.nix 
@@ -0,0 +1,34 @@
+{ pkgs, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+
+ ./reverseproxy.nix
+ ];
+
+ networking.hostName = "reverseproxy";
+ boot.loader.grub.devices = [ "/dev/sda" ];
+
+ users.users."nginx".home = "/var/lib/nginx";
+ users.users."anubis".extraGroups = [ "nginx" ];
+
+ crans = {
+ enable = true;
+
+ networking = {
+ id = "51";
+ srvNat.enable = true;
+ srv = {
+ enable = true;
+ interface = "ens20";
+ ipv4 = "185.230.79.42";
+ };
+ };
+
+ resticClient.when = "03:42";
+
+ };
+
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/vm/reverseproxy/hardware-configuration.nix b/hosts/vm/reverseproxy/hardware-configuration.nix
new file mode 100644
index 0000000..f512116
--- /dev/null
+++ b/hosts/vm/reverseproxy/hardware-configuration.nix
@@ -0,0 +1,33 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/c4c2de17-2965-4c0a-b4c5-7d518712c9aa"; + fsType = "ext4"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.ens18.useDHCP = lib.mkDefault true; + # networking.interfaces.ens19.useDHCP = lib.mkDefault true; + # networking.interfaces.ens20.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/vm/reverseproxy/reverseproxy.nix b/hosts/vm/reverseproxy/reverseproxy.nix new file mode 100644 index 0000000..c3315cc --- /dev/null +++ b/hosts/vm/reverseproxy/reverseproxy.nix 
@@ -0,0 +1,198 @@
+{ pkgs, ... }:
+
+let
+ anubisBotsMirror = pkgs.writeText "anubis_bots_mirror.yaml"
+ ''
+ - name: whitelist-crans
+ action: ALLOW
+ remote_addresses:
+ - 185.230.79.0/22
+ - 2a0c:700::/32
+ - 46.105.102.188/32
+ - 2001:41d0:2:d5bc::/128
+
+ - name: no-user-agent-string
+ action: DENY
+ expression: userAgent == ""
+
+ - name: ban-gpt
+ user_agent_regex: ".*gpt.*"
+ action: DENY
+
+ - name: ban-bot
+ user_agent_regex: ".*(b|B)ot.*"
+ action: DENY
+
+ - name: ban-WebKit
+ action: DENY
+ expression:
+ all:
+ - userAgent.startsWith("Mozilla")
+ - userAgent.matches("AppleWebKit")
+ - userAgent.matches("Safari")
+ - userAgent.matches("Chrome")
+
+ - name: ban-Barkrowler
+ user_agent_regex: ".*Barkrowler.*"
+ action: DENY
+ '';
+ anubisMirror = pkgs.writeText "anubis_mirror.json"
+ ''
+ {
+ "bots": [
+ {
+ "import": "${anubisBotsMirror}"
+ },
+ {
+ "name": "allow-repo",
+ "path_regex": "^...*",
+ "action": "ALLOW"
+ },
+ {
+ "name": "deny-other",
+ "path_regex": ".*",
+ "action": "ALLOW"
+ }
+ ]
+ }
+ '';
+ antibot = pkgs.writeText "antibot.yaml"
+ ''
+ - name: whitelist-crans
+ action: ALLOW
+ remote_addresses:
+ - 185.230.79.0/22
+ - 2a0c:700::/32
+ - 46.105.102.188/32
+ - 2001:41d0:2:d5bc::/128
+
+ - name: no-user-agent-string
+ action: DENY
+ expression: userAgent == ""
+
+ - name: ban-gpt
+ user_agent_regex: ".*gpt.*"
+ action: DENY
+
+ - name: ban-bot
+ user_agent_regex: ".*(b|B)ot.*"
+ action: DENY
+
+ - name: ban-WebKit
+ action: CHALLENGE
+ expression:
+ all:
+ - userAgent.startsWith("Mozilla")
+ - userAgent.matches("AppleWebKit")
+ - userAgent.matches("Safari")
+ - userAgent.matches("Chrome")
+
+ - name: ban-Barkrowler
+ user_agent_regex: ".*Barkrowler.*"
+ action: DENY
+ '';
+ anubisChallenge = pkgs.writeText "anubis_challenge.json"
+ ''
+ {
+ "bots": [
+ {
+ "import": "${antibot}"
+ },
+ {
+ "name": "challenge-other",
+ "path_regex": "^*",
+ "action": "CHALLENGE"
+ }
+ ]
+ }
+ '';
+ anubisMirrors = pkgs.writeText "anubis_mirrors.json"
+ ''
+ {
+ "bots": [
+ {
+ "import": "${antibot}"
+ },
+ {
+ "name": "deny-other",
+ "path_regex": ".*cdimage-.*",
+ "action": "ALLOW"
+ },
+ {
+ "name": "allow-repo",
+ "path_regex": "^...*",
+ "action": "ALLOW"
+ },
+ {
+ "name": "deny-other",
+ "path_regex": ".*",
+ "action": "CHALLENGE"
+ }
+ ]
+ }
+ '';
+in {
+ crans = {
+ reverseProxy = {
+ enable = true;
+ virtualHosts = {
+ "eclat" = {
+ anubisConfig = "${anubisMirror}";
+ httpOnly = true;
+ target = "172.16.10.104";
+ };
+ "eclats" = {
+ anubisConfig = "${anubisMirrors}";
+ target = "172.16.10.104";
+ };
+ "install-party" = {
+ anubisConfig = "${anubisChallenge}";
+ target = "/var/www/install-party.crans.org";
+ serverAliases = [
+ "i-p"
+ "adopteunmanchot"
+ "adopteunpingouin"
+ ];
+ };
+ "lists" = {
+ anubisConfig = "${anubisChallenge}";
+ target = "172.16.10.110";
+ };
+ "mediawiki" = {
+ anubisConfig = "${anubisChallenge}";
+ target = "172.16.10.144";
+ serverAliases = [
+ "mediakiwi"
+ ];
+ };
+ "mirrors" = {
+ anubisConfig = "${anubisMirrors}";
+ target = "172.16.10.104";
+ };
+ "mirror" = {
+ anubisConfig = "${anubisMirror}";
+ httpOnly = true;
+ target = "172.16.10.104";
+ };
+ "perso" = {
+ anubisConfig = "${anubisChallenge}";
+ target = "172.16.10.31";
+ serverAliases = [
+ "clubs"
+ ];
+ };
+ "wiki" = {
+ anubisConfig = "${anubisChallenge}";
+ target = "[fd00::10:0:ff:fe01:6110]"; # l'ipv4 marche pas
+ serverAliases = [
+ "wikipedia"
+ ];
+ };
+ };
+ };
+
+ services = {
+ acme.enable = true;
+ };
+ };
+}
diff --git a/modules/crans/networking.nix b/modules/crans/networking.nix
index 97f7c4e..42b43fa 100644
--- a/modules/crans/networking.nix
+++ b/modules/crans/networking.nix
@@ -130,7 +130,7 @@ in
 ipv6 = {
 addresses = [
 {
- address = "2a0c:700:2::ff::fe01:${cfg.id}02";
+ address = "2a0c:700:2::ff:fe01:${cfg.id}02";
 prefixLength = 64;
 }
 ];
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 9c1cafb..5c91cc2 100644
--- a/modules/services/default.nix
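Review bot: In `anubisMirrors` (hosts/vm/reverseproxy/reverseproxy.nix) the `allow-repo` rule, `"path_regex": "^...*"` with ALLOW, comes before the final catch-all CHALLENGE and matches every path of two or more characters, so if Anubis applies the first matching rule the challenge is only reached for `/`. In `anubisMirror` the same rule is followed by one named `deny-other` whose action is `ALLOW`; if that is intended for the mirror, the rule should be named for what it does and carry a comment saying so. `"path_regex": "^*"` in `anubisChallenge` quantifies an anchor, where `".*"` would state the intent. The `whitelist-crans` entry `185.230.79.0/22` has host bits set (the enclosing /22 starts at 185.230.76.0) and would read more clearly as the network address. That address allowlist only holds if Anubis is given the real client address by nginx rather than a client-supplied header, which this hunk does not show.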
+++ b/modules/services/default.nix
@@ -6,5 +6,6 @@
 ./coturn.nix
 ./nginx.nix
 ./restic.nix
+ ./reverseproxy.nix
 ];
 }
diff --git a/modules/services/reverseproxy.nix b/modules/services/reverseproxy.nix
new file mode 100644
index 0000000..177093c
--- /dev/null
+++ b/modules/services/reverseproxy.nix
@@ -0,0 +1,177 @@ +{ pkgs, lib, config, ... }: + +let + cfg = config.crans.reverseProxy; + + allowAll = pkgs.writeText "allow_all.json" + '' + { + "bots": [ + { + "name": "allow_all", + "path_regex": ".*", + "action": "ALLOW" + } + ] + } + ''; + inherit (lib) + cartesianProduct + literalExpression + mapAttrs + mapAttrs' + mkEnableOption + mkIf + mkOption + nameValuePair + substring + types + ; +in + +{ + options.crans.reverseProxy = { + enable = mkEnableOption "Configuration du reverseproxy."; + + virtualHosts = mkOption { + type = types.attrsOf ( + types.submodule { + options = { + serverAliases = mkOption { + type = types.listOf types.str; + default = [ ]; + example = [ + "everything" + "voyager" + ]; + description = '' + Déclaration des alias. + ''; + }; + + target = mkOption { + type = types.str; + default = ""; + description = '' + Indique la destination. Il peut s'agir du chemin vers des fichiers statiques. + ''; + example = "172.16.10.128:8000"; + }; + + anubisConfig = mkOption { + type = types.str; + default = ""; + description = '' + Chemin du fichier de configuration + ''; + example = "/var/www/anubis.conf"; + }; + + httpOnly = mkOption { + type = types.bool; + default = false; + description = '' + Interdit les connexions en ssh + ''; + example = "true"; + }; + }; + } + ); + default = {}; + example = literalExpression '' + { + "framadate" = { + host = "176.16.10.128:8000"; + serverAliases = [ + "everything" + "voyager" + ] + }; + }; + ''; + description = "Déclaration des machines."; + }; + }; + + config = { + systemd.services = mapAttrs ( + vhostName: vhostConfig: { + wantedBy = [ "multi-user.target" ]; + } + ) cfg.virtualHosts; + + services = mkIf cfg.enable { + anubis = { + defaultOptions.group = "nginx"; + instances = mapAttrs ( + vhostName: vhostConfig: { + enable = true; + settings = { + BIND = "/run/anubis/anubis-${vhostName}.sock"; + BIND_NETWORK = "unix"; + TARGET = "unix:///run/nginx/nginx-${vhostName}.sock"; + COOKIE_DOMAIN = "crans.org"; + 
REDIRECT_DOMAINS = "${vhostName}.crans.org"; + SOCKET_MODE = "0660"; + POLICY_FNAME = + if (vhostConfig.anubisConfig == "") + then allowAll + else vhostConfig.anubisConfig; + }; + } + ) cfg.virtualHosts; + }; + + nginx = + let + domaines = [ + "crans.org" + "crans.fr" + "crans.eu" + ]; + redirectConfig = mapAttrs ( + vhostName: vhostConfig: { + locations = mkIf ((substring 0 1 vhostConfig.target) != "/") { + "/favicon.ico".root = "/var/www/logo/"; + "/".proxyPass = "http://${vhostConfig.target}"; + }; + root = mkIf ((substring 0 1 vhostConfig.target) == "/") vhostConfig.target; + listen = [ + { addr = "unix:/run/nginx/nginx-${vhostName}.sock"; } + ]; + } + ) cfg.virtualHosts; + aliasConfig = mapAttrs' ( + vhostName: vhostConfig: nameValuePair (vhostName + "-alias") { + enableACME = !vhostConfig.httpOnly; + forceSSL = !vhostConfig.httpOnly; + rejectSSL = vhostConfig.httpOnly; + serverName = "${vhostName}.crans.fr"; + serverAliases = let + aliases = cartesianProduct { + name = vhostConfig.serverAliases; + domaine = domaines; + }; + in [ + "${vhostName}.crans.eu" + ] ++ map (value: value.name + "." + value.domaine) aliases; + globalRedirect = "${vhostName}.crans.org"; + } + ) cfg.virtualHosts; + anubisConfig = mapAttrs' ( + vhostName: vhostConfig: nameValuePair (vhostName + "-anubis") { + enableACME = !vhostConfig.httpOnly; + forceSSL = !vhostConfig.httpOnly; + rejectSSL = vhostConfig.httpOnly; + locations."/".proxyPass = "http://unix:/run/anubis/anubis-${vhostName}.sock"; + serverName = "${vhostName}.crans.org"; + } + ) cfg.virtualHosts; + in { + enable = true; + virtualHosts = redirectConfig // aliasConfig // anubisConfig; + }; + }; + }; +} diff --git a/secrets.nix b/secrets.nix index b7a9526..dbec4ca 100644 --- a/secrets.nix +++ b/secrets.nix 
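Review bot: `POLICY_FNAME` in modules/services/reverseproxy.nix falls back to the `allowAll` policy whenever `anubisConfig` is left at its default `""`, so a virtual host declared without a policy is published with Anubis passing every request and nothing at evaluation time flags it. Dropping `default = "";` from the `anubisConfig` option, so that an omitted policy is an evaluation error, or falling back to a challenge policy, would make the default fail closed. Separately, `systemd.services = mapAttrs (…) cfg.virtualHosts` sits outside `mkIf cfg.enable` and is keyed by the bare vhost name, which defines units such as `eclat.service` rather than touching the Anubis instances; if the aim was to start those, the key presumably needs to be the instance's unit name. The `httpOnly` description says "Interdit les connexions en ssh" where SSL/HTTPS is meant, and the `virtualHosts` example uses `host =` although the option is `target`.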
@@ -37,6 +37,7 @@ let neo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGfSvxqC2PJYRrxJaivVDujwlwCZ6AwH8hOSA9ktZ1V root@neo"; periodique = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTdfSIL3AWIv0mjRDam6E/qsjoqwJ8QSm1Cb0xqs1s1 root@periodique"; redite = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwfVmR3NjZf6qkDlTSiyo39Up5nSNUVW7jYDWXrY8Xr root@redite"; + reverseproxy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOx/lUQE6naP3EBy81sr93X8ktZmivU09ACx6T43Odhb root@reverseproxy"; thot = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFKNg1b8ft1L55+joXQ/7Dt2QTOdkea8opTEnq4xrhPU root@thot"; two = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpaGf8A+XWXBdNrs69RiC0qPbjPHdtkl31OjxrktmF6 root@nixos"; vaultwarden = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICn6vfDlsZVU6TEWg9vTgq9+Fp3irHjytBTky7A4ErRM root@vaultwarden"; @@ -49,6 +50,7 @@ let acme = [ hosts.jitsi hosts.neo + hosts.reverseproxy ]; # Fonctions utilitaires 
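Review bot: Adding `hosts.reverseproxy` to the `acme` recipient list in secrets.nix lets the internet-facing proxy decrypt `secrets/acme/env.age`, the same file already readable by jitsi and neo. Its contents are not visible here, but if it holds DNS-provider credentials for ACME challenges, a compromise of the edge host would expose credentials that are valid for the other hosts' names as well. A separate secret for the proxy, holding a credential limited to the records it needs, would keep that exposure local. A comment above the list such as `# acme/env.age: <what it contains>; readable by every host listed here` would help the next reviewer.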
diff --git a/secrets/acme/env.age b/secrets/acme/env.age index a550ebd3525b6edeeec568a7870a842c82acb1f0..72ebb92fc372af3526f5832fd7344fce75f75d5f 100644 GIT binary patch literal 1414 zcmZY7@9Pr<0LO8Qgj&CR&;tX7eWCh7=e*r*_lqdH+wJal+it&Zx7!uL?)P@PU%TyY zyHE?#f*uH2T1HTb(U%@b5tyh{LYf8^SV$q2s2QY0gh+*uJ?!gW@Z$a9Gq8-D;c1ga zFdh2dW`AOVF_g(Yk&PldXXr43Kty&Z>X<=hS*=k)xgypnkI5cCPFbQpCD~Y$C``xoxvtjcR1p`AVza+mV@sMOli4PsH08WcSVWH~VXa!Jkz_u~?6c!tt=&Cc}=E{Ley5HL!WpB9H=C<~c%VFp5Odc8rje?-*>K zDxj#T@Dyl-Fvh8Qg2(`}>QFJ8plMP|?OCCI6M{W$7#p>I5RDdGti$4j(V%vI^@^jvL(bu#QV5-EUzzAGRxBv%98#iT*1 zLUg1y7^T>q*<{8=niSSdJ1t1|VM8f|lbT9W5;FFnNfb{7lpKpjnv5X%mNr(fJ8Y5- z7JLE%NMYEs;e?EdUaMUXEmj4oh34ueX(m0}S4^Cy`k7iS@ESrs#c&HG@Osa76t9x+ zHl-dg6N!lBK+Kuaa>C)x>Lm@iPEN_JVw7pBNc);Fo;pOMF>1rZ8f%ts#xiA@t}7GY zp6S&=*Y0OV02?HcJL~g84956^ar%o`SELlE`g4IG=~Sm>A(__4{%Q@eWnXJ$p<)w- zXCAhg*h0lKgoWTv^+}p1DKxZO2->kh&_GOyhn!5M&DCd3Q7GsV&RT3!5p54gYwE!A zZNM}&fhvexS2XP^p2_8M*)r0>+8wH1l9UcFD{$y)xNfx|Ep~%hI_U$JDtTQY7OTaK zcK@ce?|lBx6ghJ2uG{u(IeUWboaRsMbT4(zR7ICkTKJ70p{3b#-G-n{(c_eY=Fu=$VuyMi|_1E)VZci;tl z|Gwo{;-5F3ihlfQ>5&ibdE*+sZ|CcSr8B3m9KKrEa_J)f=fTV3yNA~uZ*w8DVe2!6 zttVHu?cVeQKwV$|QGVBn_R_h1FW=a9_s5yX&L95Z$hGjrce_}5wM>&N3g->vy&=bE?AJio*H K=K7b(eb&D+Me%t6 literal 1304 zcmZY5%kR?!0KoAO^)me-h9G)SDk0%8f41w^Zat{9dvxn->$4c0_UNp#!%n^OJA__1LyN zZjXh8lh81B9f{4s>1+VXlMtg9Q+G1W;(AxE6x^ZHCqtuYnFA~es2 zKIn@LFUS|XyseE@Wul=ugpD19%WIO zW%ZHQ7nE!YOA|-Twb}~nwatcPmTYAnC5@!Y5ra}ao{6e68>wp2nb0GC|MW87Dvgjl@lPcY;;W`YYefri4QydV4 zv7}9vViiX^5dhFI2R<{cBzpRLZS(&MG325TvC(u zX1yKdQO-=_vTbx~Y)O;;cM`GXK;r?k8x~R0B}xnldbWZgYIBaKs*1&>TA!Bhw9vZU zEinTk&iO{r4n!C78;MNIH0DHnWro2HMW+2l$}W|z3c0J(Z1tB?fnDCcK<_CeC-1q{y?Fe-zYaf`13sJ9{Q9*&HV!U5d;Zp5 z?BJI86+gYPf_OJyJ3ADB%Li`VSib??dYRS_eqU5x`19SnuBEG+ZucHJ(p)`PyZBtR gy1sR||ID{?|KgK7$uHLJdhk*5%A41Yoq^u|2Q;q9;s5{u 
diff --git a/secrets/apprentix/root.age b/secrets/apprentix/root.age index bbffde01dbd945f9cc53d21fbd5f99fa4a697315..97706aef90355a432bc2fb2afc0fdac99824cb8c 100644 GIT binary patch literal 1004 zcmZY6%gWqj0LF0brZ&%Gs#9slYE)UOeTlPVUpcU4sXuK$#KbZfWjmU437703C5?^8?)X$tDU3n#MUe z@K2HqV0N}tloEW?W|6Hwxv_E^PHfp*1%K4(vH+lDBVV713_!u6dHs+}qppzm7>r;q zWL(QvjGH2P=ft7CJq)7$P*~DOtx3mCL(mKyO+r9UFi)qs0lL_qE@j1BRkLZ*xVce2 zd*d$WQw{uW&&GI`amEC(X@n2z&|-_Ijs(_=ikg&hcBL?yul%9fW6p@T!d=FK|5%K0 zMD>3y)V-kYVs=;DsLNm+D@H2?JvTzr^K?X#+q6TqX{vFYg7!2*O&2gtYMyF_N zTAMd=xx08h?{aPprPgz11h9`++!Inb8?fvK>J_PWeWVF3%V1GvTiQ}p;>~XKdZ856*KB5$+vT^rO8?iNFO8fux?kiV?UK*0d`_ zyVFFQHV|=){?{g-lCwO)*UGEX{h|saV|Er9U!vfwBSmmK7e&|YEk>>Ox!pa*i5fbt zqh(m3Fd+&Js4-7~>YPTC4#(ZWR=1fn=wcV}1Ba68zyxYn-R44u*-$Ikl%(lG-VrepVz3k)dyku$P8Qw5*Vzu)U z&U>uU$)yeqc%b5t2TSi>GW593%d2|c9l1J22Tchz3rAFWENS(?x&V^Pr_{a0=iX5r zwr~ym!7=j(8S^B0Z`2Dp9ZO>cwZ^YJwApN6Vb&hjEmy{-gourFWm9rI&nL`BJCmE_ z;N#nUHv2f*Loc5E_|*sgne(Rj>DNELefit(?dPAo#lQIT%h%GYufMThf2w@e)A#33 XyuW`=Uc7IC{8}iqyn?$qyOS=ygu973 zlY>z=6CHFo(@DIH{-5AWz8K`Iyi0FSI97f4aeo8&L?EkA(P1c8c}6k}A)x8m+9?3F zRo7)?;t~^LqV;*FH)PNo-SxP5-61_L^bmP8o@-eM5J-uZAJ1@DN7gg!CM|zd1-$VJ z*`Jf-i7#0&Es4mMiTR%ft7!#EhDGyPN~swY>xEi4PMe>3;`ngWp73;It(zvh6?R>? z?Xi9=T=D4VoI&VnM=ggk#BNqK-cxWQw|hZ|D#j!f$lsEx29!B?KC@~5XR(rjJO5hv zzS@CyV8blHK(F1R;@kjG$fb9Mc)kv5{gQ^eV)1Jcab?v^&O#Ool59}x$Pm^+aD_bU z2xT5xn_Dc!*oE7k`}F0aM((nQi|RS~BuQ?A4N=A73~tl?Kyh2su@#dL{pP4g(2(G1 zaw85NlTM0L97&zZ6b&a;C*Lw?fll zWxP1B>zA5hl?P=;qtrbulUkpJYufWhVrFyCf;>=xbF?ocDEV$%CW)L;CK7F_Xxz)T zCj+h>1m1Jf#o!xE?~2ET5aytYfbXY4LJu#s{A7xwh(g^BwynsHpl$DQOUCyry}c}r z5akbtSc-_9@TKa*SON&v#9l%O2F;n;7|stqyT>63Z&t1}7OQS|k!4>F6*dywh55cYK1nfV4d`CjSZT};530d>*Gej?{N(k%h@eh=^XmK z*|(1fd5gsFeyu+G>-{$$exkhjM*Q*%`|oUi@6YeQ`lSiae|$b9Z`mJSfBpJ982|X$ SZ_@|#&p+wEGw;5AHU0x(K~2m6 diff --git a/secrets/common/root.age b/secrets/common/root.age index 8625a46..f7dff4d 100644 --- a/secrets/common/root.age +++ b/secrets/common/root.age 
@@ -1,36 +1,38 @@ age-encryption.org/v1 --> ssh-ed25519 2k5NOg HOeKe2eK/aS5I03IhDzGxNmTYjsl3voLEZzo1Eo6tU4 -5kDl8YdkXlldYxDAA9d7ZY7U7dDXK90gGlC0rZbKssM --> ssh-ed25519 iTd7eA 4b9kmbrtMR0wqxGPp+zSinQkBrrpphUqDPU8znOKGgo -OLhmXA+tWFeIXvjHFPHxcqT4kI3u4ZjCkqQnh9jjl7U --> ssh-ed25519 h5sWQA 0CdrNIrGvOV5MbbruvofVYSSvvFZTo2NKIe5ObGskRU -NV8yW4h53LbM4z7h65gX6gjZvSzrMES88+TigkNYsjI --> ssh-ed25519 /Gpyew rzL9LqVqxaBtHpXV/J4waJtYKXMfYENvmPTOT71bxk0 -+BvI574uhXeYggaCsCdk41ngl9SmDDMEkIM6Y9gzVXc --> ssh-ed25519 FtI9pg 8qEeHhQb1Si9kAxbeHOj2S5cAOxRKIxFI0CDBhRzLwc -Zm+ecEMJf+KybsIPZPhwm4IM1cyb3mu8OeuRebqecdA --> ssh-ed25519 hTlmJA lumh1xqYQtE9dgi1IWy86u6BURcR+o2skd1Qv5VJYTg -58HTMO2z80oGNdAJbP5+8IBiHPyux6rZGd50jfG1xp4 --> ssh-ed25519 LAIH1A hEZ2oJzLTpZjzKHohaTjjv7a2eZXa8sRioUY5doWVFo -63wnlO8v8zf25z+Thu7b/SbJxHcb9YXkhFlxAscgl9o --> ssh-ed25519 qeMkwQ d7iWnCnWqlI4zahgvjgqsihXoyivln/FOCQqnYCwoyw -H0a0zCTE1cW5oW+aTJrtBnVGJLxsfjmGB3r9FyWl3UA --> ssh-ed25519 TqxOLw ctsxZCLOpeALmB98dzyiEq2ZUOxAvxHUKSR7qbzTjwA -apaDGw8eBs0BNPoi0qC7FR2Otqr7m3vby2M7F3cbHbo --> piv-p256 ewCc3w A8b7dyXfbD02u9w3dR6O5zI38vk5ugVqLDCENdcQfY/d -OETvwkXXQZWUeOiqpOn5IZ4c+EOAaZFFehWY9vGqCd0 --> piv-p256 6CL/Pw AyHxDyxvA9gv4d5be5yXnGGavgeHITRV1x1gNiY5z/cz -zcXakgy9Hr1R3eXrgYI1t8RozOjlAdUh/lXS6siL/MI --> ssh-ed25519 I2EdxQ hXSBASbQg06854UxXOGnTJBRMXiehol3KjIG+LU35wM -cUsysgvO/y3Kd/iDvkUPyHkiFS+J6gDKMMIXSi2Yr60 --> ssh-ed25519 J/iReg z/L3B+/EL7fW2t3MFGDLn6+2YzxhQqitFabi7GVjsX8 -nHyC+TpPKb3Iqm+YKXt5otuO785f1T7E49hWCt6zOSE --> ssh-ed25519 GNhSGw VDYQnBCfmDZbirQRkv/miOU31TYZafRxckltnbGdGi0 -j7reZzDf3SJTzN1q8xZY+LMdTncli/5ia9aBi8yt4Zk --> ssh-ed25519 eXMAtA viKyTQHsrPGy0MLicGAR/CzOavCyTgsV5KNnydNRDDE -m68TXreCwUQnhWbBqxAZ0ujYcn4kXKmNb89/2+0OAuQ --> ssh-ed25519 5hXocQ tHX/UfzefaF0YPdIUja4weKyEWv0LWIFaAnpLODMbDE -0ium7CQZBqQfH0s90ArJ+3FEp6EARZSqcet365TLyI0 ---- PUvC1MJkkbgfTeLAx3F6vSb3WzBmUX+QtR0on6Svvck -}sޭR*dv -u8aBc%*+<:&ڠjD^/~qͪ(F=g$ \ No newline at end of file +-> ssh-ed25519 2k5NOg 
cR5ohdfnKc3NNlGxdVDsLe+jAmLBIfOiaGfFAPPmrTg +848H6k08p4PzbkD+c4AdtGAK0D3fxFFOEzrvqvFDgbg +-> ssh-ed25519 iTd7eA AWwcHOwmn5hHn3POEFF5pJpvWJ8lcbrMe3n3JqBfyX8 +D2PdIh6BFBocjfNeDLY6f9Th0yixTBp7V6sMVEzoXjY +-> ssh-ed25519 h5sWQA pWqJ5nuVHkg6rFvGn+8tkdH/cKQ/xwIMED/giZeCOGY +GOKAPL951GOkyQxM2SEst9Yv7Omhp+y22zW/Vbu0x0Q +-> ssh-ed25519 /Gpyew kRpo5sKEN283fFQpr2ML9GuhpugiqRsQ0Ezc4BjBKlQ +8hKJmmgoNapIruh1hc+EUyB/uZVKvtZrocPPd68naMk +-> ssh-ed25519 FtI9pg Ieby+KtL7TViX81m58F+y1Ll3aZubWndFBOpVEEr5jQ +JhpUwA+U5ppm+SCPzQ0JNA/hjGGUGd+6xpDenjPsnt8 +-> ssh-ed25519 hTlmJA HTUuHAiK0jRB86m9kxk+K/U9b7cnTLwJ6DizUhpNOjw +T6VuoPzd196TizLAJgi4xa4pMXlF8nzrbQMENRbRlY0 +-> ssh-ed25519 GCcVXA 9mjW03T5ockAAAtZtVjIZTIYOXwaCeG4nAK+K/97EDs +yYYVpyomBECUSw+huUaX7p9TdBclUukd0m1tZbrOP/0 +-> ssh-ed25519 LAIH1A 6aYzD3onWE/lZE22Y+ZRcXqZX8ODq8gM84fvtIuG3ws +kuNjmtOxsCC6xpsMpDN+d5/nmKgKo5Q2n/NvVEJGqVk +-> ssh-ed25519 qeMkwQ UkTD2aRW1DcE1pwwcUY5jdzFry47IOfrgcFeb/7U0iE +0K3bYslOGMvhvD52C/OYKWLCSD/GFYUnbAMNGOwJ4O4 +-> ssh-ed25519 TqxOLw ucyZoaPMI+iC/lC8fdZlSwL70ScqA/18rFgZKGrWbw0 +fNLP3zECUQUOz33Rf2XZLHiY4uSt6oc0z5U7x0GBmtc +-> piv-p256 ewCc3w AocWW7SEg3MVI/sCjCHu9obVVVVbFcfFazpmTTR+PRMj +498jlz/DJgqzZxmvF6sRHruaOK9ssXpuM1UfbZwzWE0 +-> piv-p256 6CL/Pw Au/taJ3kM3uj06PdSgUPHC6UVCCOYDbMY2m2Eofbi63V +9NRjQxdkGM6lNnRvqWyR7ugweuvw4R6oCG2Qm8JBPuk +-> ssh-ed25519 I2EdxQ nek4QEs28RjB5LmGI8QmI+PovaBsP20H58HLft9t314 +7kD4VKhSe8GVI6G5nEEB9S75nqiWcw2KIq5yXQW6pkM +-> ssh-ed25519 J/iReg NaSxlV2jBjaEHjddB2x5wiUfu8dqzgPOKB1vaRo8cUY +b2Wak21uSh9FEcCsXAc9zjuakI0B7e2D4j1EmyKHCS4 +-> ssh-ed25519 GNhSGw /0K7Q0S2PLsIa4gFjFpwcXYHhRuDdRJH16FMX2/tJhs +ti7iUykOROYtos8+jPlQoyCur3hhgZumzzaqHwE/k/g +-> ssh-ed25519 eXMAtA wx6srIjvJ9E+lZzvg6jvtAVmTg/0B6x6f1zv8D6LuEE +iFjLVZ/c/pevSRzoBUee07TX2/tVFUThvvP6Bek4LIQ +-> ssh-ed25519 5hXocQ an1+7W1qN6bEdGXBfio99DzkTcZC6gEOm2ZQe11x5Us +cbPU+Ih4aUVSOOveg/mQnV57Tn8boE4CKusOag5ZgNU +--- Ya9fvOnvystGbDpL8ti3cqD4sNIaMNF1Yv8OuviMgjI +Vj&qnZ6#;8BCGE1Wsb +4. 0cjA]I#M \ No newline at end of file 
diff --git a/secrets/neo/appservice_irc_db_env.age b/secrets/neo/appservice_irc_db_env.age index 45a9099..e7635bd 100644 --- a/secrets/neo/appservice_irc_db_env.age +++ b/secrets/neo/appservice_irc_db_env.age 
@@ -1,21 +1,20 @@ age-encryption.org/v1 --> ssh-ed25519 /Gpyew YVx7IZ+WDpGomt0tU3+KysRGtOidN460zNNLuT61HkA -ELYa1OqUFYqOqMrEyQIfUUWXWhYqCy0s9/SmOVFUvFA --> piv-p256 ewCc3w AjjDfaGF/im0hTAtKcNCzEUi8hM0VJj05y1KA7Fsz+d1 -Tur19NeaxPBbPEN+6zAnOFvdGuQVC1VkbmHlfikHT0I --> piv-p256 6CL/Pw A2dW6q45SBlXUKA5vTDDsXU4ZOSaAV2htfyMJcWTUpoO -h5yO5/9QNEOB872c2SdSbUZ7vRmYS1HTfqKJgZRwP8Q --> ssh-ed25519 I2EdxQ toLPTW6TrKZx1K5y1mN3gODSFpVfT4KU31v5XjJOQ2s -Do/p+oK4axHDjSfTVWtcdZRQFt2OPps0n9cA4Tp6lBo --> ssh-ed25519 J/iReg a4su4Gi/kohEXVXMZszlCWEQlkHNmLOH1t1P0Ssuqlc -03enelm16WI1AP4vAJbieDNGwFQSw52WeZ+isQhWQ8E --> ssh-ed25519 GNhSGw 22EAbCwSIY3SirGolGVRzvRSE164PFD+MOnr0aJSqVQ -YMeQhP95Bi/e7oNri11/W86b0ALkSyuFJ+hptOUy61g --> ssh-ed25519 eXMAtA sWsPopzbV8Ls82wmBwbnV5hCAlznq4TWO2paWn2RnRw -eDlZQr1F3FtuXDqc84vD3QUZzYNAsJe3L4Abw9Oqxnk --> ssh-ed25519 5hXocQ u7/+FfeY9SwM1wuqeOHgsYpq/g/o10+8Q8AA5ODBWRk -mA1+vo/7nM3GyrL5UtdyOwpTHdVcZQ8mtVX6xuk9cmA ---- /cchAACEC4BclR+km+6nZZjLkIteeIG8kt974NLjwlw -IFb)HӂDH2Co c(xXgPiVG+!H5Yn4jIfJdMK5GՔף7_!oFlcݓ/UNsmMӱ|o3 -E@ -,2?J{?7M|S ѷVWӔ| 7l~2ı/lP \ No newline at end of file +-> ssh-ed25519 /Gpyew CfIsypY8RtS9xiEz41Os6yTEJ0jLyq9abLnmD1BmIxo +kY6DRThZg1hsZsy5NtIwvronzqY+DntxMi/oJU2Lj1I +-> piv-p256 ewCc3w Axo2RjgPlDAGnV1KDiFwrKyYeb0ScsjaQ0ayZqWEusHm +FSPAP9v5jXgaus25xR94woquDnz6CCPawXpzUxgLBEw +-> piv-p256 6CL/Pw AxaFajLGlSPKOL3C13kdA5txo3XzaGyyJrEDeR5EGZFX +qNSby8foc3TUeMRkbLGEf/KhGMftfDdVs0yF/RJ0LBk +-> ssh-ed25519 I2EdxQ pz+wkE+wVN4zQgM6zlOECWXzsGXNjhqEItmTGPKleBk +24kTeX0aj4LWrOlEyhKCd4vj3+d0Rr3xynC4yiS3E04 +-> ssh-ed25519 J/iReg oYbqvVH3yyGrJHgruNtIDRlhqVyetK5o85RpxYR1NiQ +5k+78ZQsox92gUGw8JDHsK2dE09vMskLO5QDCAX4C2s +-> ssh-ed25519 GNhSGw rVguQoCqPt7EcodF4+4QLkb3LZcfIRu7PqdhR2W/QgM +xTHsVt8uQldI+l+dWaOmLIkFAnkal6wlNwqsrG8JoHg +-> ssh-ed25519 eXMAtA UcfI5tfsqs9wCacaTfH4U5E1kD7Mvk4kkruSbiwQngs ++mWFtbwsLW9fGGo4VKPc1JT2Cz66XBoVHNbunZyc2qQ +-> ssh-ed25519 5hXocQ CrXLt0QWY5gKVYRpjoE2ipTkI99bOsz3e2RlHxdQlyY +aUrsUJgVtCCSyh49XXINzxTlCtFVD9vESoHSu2GK2oU +--- 
yw1hzyJgwgfb66dS4w4uuY9v4Dvtvjis/aURt3Uaa9c +0.z.`uF/sF7"RKDm 0ReB_?э+?eոG7Rv(d֎"F>>6IM0@ ^Ʀ +珴JBV`>{:jt[y6շt2I5 N8H֔N0ja@j?p}W \ No newline at end of file 
diff --git a/secrets/neo/coturn_auth_secret.age b/secrets/neo/coturn_auth_secret.age index 96b8f11915729837bcfe4b17d3d6cbd07b17b37c..b0493c1e5cfb6dab654c2e88e19bf51950feeb22 100644 GIT binary patch literal 1079 zcmZY5$*bc80Dy5B@Ddz7>P5*xgdx~LPIJM= z00G-G^U`vTORmjKV$3!iv1(Inn4J<+b$3d}QE5!hF}Q4u zSvg#L-KkJ@g1D{1p}k-`-dT3#uB4oV0*KwFu)}eRw|XhJ`&7zKnKa*a&`8rfh_6>Q z8(Idj-9pkujfdk^5P}tipq;?vydgGQ*z~ocbNO|IwWgVKIIm-eF)_n-9<1&FaZemY zk=@k2Bw_GDwdGW!5YgmGlxkskIp6N#*Bis)HhAi3EIS=+Ch z868mxCe6A!@6y?#U)Z5ws0ScP7`4^WnHl@WMwrm3t^^xRbfwhYKoEp-HOg6GYjlkM3Nohe;t?v?DNbD5?UDc-oR#0Cl|gvL%KukA=%v z6Kd4Yk(sof6@Jy*lD1*Jd4Tc=s@K%THas#*PX#@zsupymx)?fEFX7cr zAPjlSxDNtd&*n&AHd;}+XasAN6nr}{0|C=|$x?~N&6hEhOc<~B5t3837%&(NKnSG^ zVUkb$aFwx1vUF-RBU`iQVu2*QC~^7$B@04!^th)f->m`G7wA=<=r- VH~1TV>-^^{Z$A0@+ujTJ{sDw4Zr=a^ literal 1079 zcmZ9~z02ct0Kjn^L@bUvoWl_ZaVUL~UtXGIc^>lKv}w|$O_OHP=B0V*OVTv2RU8i- zZcqo&;f6;+5N}lE5Oq)xgabKFIK=UUhtoyS#X~$t`xkuR%Xb+Dy%N-s!0!kAcgVPE%cg%O`rDN3_lGRTxs%K6=JL?L`WPK37d z4JPM0o8z*Id?wcyH8O`CY+q-YvUd!iwP7ZN{b9^;xK8yg;&56~Mg_moAs7!@f1b?> z(q$`)5|e2Rn^*w?RAj6!Hne0NFZa!0c4Rto^56y+pMA5k~j+gwlM%22IHw$dC+IRp7=u;MpOEblNpg#UdN|+esl) z`Jlx7CDTXxtV+4t1@7@VPr7#F(<9_mBO*KXbjVBzeL36sd5yqYE%IGoPKn&Ncl5>- zT686@MWiNYaj-pfJk%)ljI>Q!q9-Y?SX4b1n&~{-_~lZVm8|Uw`g}5>`6u`HdQfE! 
zQdLw71wYU^V{n81%3?7$CYeec@wk_gnV=M*milSuTCaO+{?Xm_+4J`=ggeWd;lpnp zJbiKN`|)2NJ_pYp50bCS&)@k2eDR|7_SMUN|L(^h-2d+C@$Z*EUta%F{KNny}zlDPlXxI^5jLX)4nm3IL z9*kl+BdKdhlEX`Gz%>jB0S6;?PT@R6YhBizMX3*)ww{h{r#hZSB?IPcpd6>BUblKy zY7aoAH&z(E+sHRF*-`RRFj9h{l*uK?VSV<07FK7#&XyHPYSGI;)kGQIBvVq(kBu1& z`?9Mc83s{y0L~r4X-rTCAo>HUf!isL;-cU1p;8T_RZLh$tfrgx6lBDwL`Moos1t6# zNWp}j3c1k)lYK@CG(?&*tmW8+=|NxU6~hFs3+;MV3)x{U z1S5%=!ySIWlWa;r8n6;}ovs{IF>z{wa=QWP`M8NRd?Re@%Yq+rs*>^@8bWKtc8%oB z9+~8Lxkqv_$(7)lnDKoQp5Zp@`+=OUU|60JbExL4HZe1dY4>uK9H)RbIJ$hoA_ z79!Ih6RsDO{bnH8BGD=%COs_Y?Q9?-q{dH;vPf9KwC$FtzS5aNoYUf{IImfHMa4$3 z)SMe3(?igjgLY85KBRy`p^$4v4g!0&lX`~SR2gnIux+{u+D=9pA~mXjR2*sf5}l3+ z;Kc9m%9jpaoc{LLg;4A{+?Dk`R~L?* zc<~|W{K}~-@U0g{xBj_(NgSvqJ6vcwzIl@dofOYSN@a literal 1187 zcmZY7>#G!X0LF2IN?0f@^Ubkh2%&I0&TZ$iP{Hiw?9Oj@W@mQxHm5}9wzIQ4_uaWI zbO9x#G)jpGePLmeSR@r;#DSt0Wd+r#@Pbg01%@DadZ7uC^{VVI_`vgg71LNWTrJG} zndQ0Lz0ibXG`ILDG@XtX4ILv0vS6)*Z2 zK|)4S*6;*k;9e}6@=TS~Mv52cIV_6>Uo_G-H{wE-06fit0TDA@O3qc3iAK74G_1FJ z_yCY7*Qe`EtVoNU`k*<8kTAoYE;&-F$$u=e+=PW2mKk^3b$`Az4)I#rpi>zq&^S!I z+PG)5>7E@|CP)p`GKQjZywROVsnO{Af{pM^Tjiou9CBc)+Y|<9Ak2xOQ<+SsHhc4m zELPQ15o$%+fb7~KUjSX2pweF6jYJkr(6X)}WspsCEGpw%*C|wnf;myB zaoBXLa2~~n>@?AEXI3`dZf%BC$+>y624Jggn9vvz86*!E$89r+26MWSMJZkPV5Jp^ zs63WgvLU*?(rhwfa<0^7k$xWG62H(cV4xY>six?YF%C>#6opC)9x8Lk6k_IPt;Ua} zS^|}tanMnLj}@IPKjFxEX=cKxj?M}VP|mtmCNoJQv7ymRaxIpSCCqN7D2ueYWr|3c zywrD1lWVGpT&8s1iI-t<;0*qG?cY5b1CE(7ke(?CrThYj-QsQ_g(_G zeOwRW2Mb#dz3yO}_euNl!=>HN9XY;t;f~tg-UjvTmkXw~dSuW3cTcVR9qj(~jX!8% zOYT!&Ilii1d-FZ`#F=-5XW#$qksDDTy>z?3diBcAyIy|c%F^1&TvXV_UOlyG&r=s# zE9Y-H{p69Iv$fR=S1%s>@!TsfUA+I`eXGNVuS1`&-%v{Wk7>_*=sbNo+Vl3~;{%tI z@9%l>&y}4UUs$=DIJ2t!eC+xI)#8?uyS~`J4_SZi=vSNG+WJdS#D4qs;6rCWIS+mF E7u|!Yf&c&j diff --git a/secrets/neo/ldap_synapse_password.age b/secrets/neo/ldap_synapse_password.age index 37e045c..0aba78b 100644 --- a/secrets/neo/ldap_synapse_password.age +++ b/secrets/neo/ldap_synapse_password.age 
@@ -1,20 +1,20 @@ age-encryption.org/v1 --> ssh-ed25519 /Gpyew +A7G/2a79VScR2EWxRwH48Tsv96JgqSXQJkoWmucH0U -09dv435I9zm7RT6/evgzXcSl1gRpIFPIE74ES5zSqNc --> piv-p256 ewCc3w AydwzAVvlJQQykcKcrM2BxOicwS7e4ZG+t3Wd+9wyz07 -LQ0bZU1cQkROkEZrZr9PyMEnhCMi0b9+BgcG+PiJvps --> piv-p256 6CL/Pw At4qtMZGID6EKvwKkGNd7FTWMn+mmmbdeuY7nAjtaPjk -6mHzefuannU0JK50JlLiWHulUFs5iv073LJregUL2Zo --> ssh-ed25519 I2EdxQ H2MgML+9f4MNf4g/01+/V8n5UNNeEKL67MKaNTAcHWs -LWjC8FdlnDyImdiH+9nkN5g8Q5HLV9tOzzbuGZ7kpi8 --> ssh-ed25519 J/iReg nAN+oNfJcN6+qrMBApMUUOhiE2TSDT0jCL7OD0zfrkQ -X5zSCWnsPvijGdLsYusg0JdjsFExv2vQguq/Uph3BRE --> ssh-ed25519 GNhSGw G7OQfDkSwlvqc6ffJqzB7FMTRD9fA0oxT7VjdwMPbms -zdyQ0Xo+IjcW1TDetsijHbo2BhqIopga+bYy+3b6+0U --> ssh-ed25519 eXMAtA hQQVOPa8pw1xieN09bTBDVol3PsgiqH4/Z0Rk037tQw -DjRJWFH+xtXPdXwb6bF1zHilcA4t65ZORGUKYWXX7yY --> ssh-ed25519 5hXocQ slJCm8Hrse5zVlMc6kTOPcVuHpisFTjXfob/DAAgjDU -pebRHNQ1cUKkT7W3hl3x+Cf9Dc+YhHKgEsXXBRHrq3Q ---- EHUlBeA6vMSKMbct09Ouxn2EhqaG0AB/cMr4HEEFO9M -ĬV$# ' -["#ue&E8HyU;-4f$ \ No newline at end of file +-> ssh-ed25519 /Gpyew oaVD79l3EZWfSVKb8XpqWAV8NKXySVAPbWLoT1UA52A ++kOAxHr3zaV5i0JpQAtlAdU95Q9M3rJqGtIJ8XvPbkQ +-> piv-p256 ewCc3w AivgKvbuHgMuIJkXqo2/Cp3IF5MJAbfxKBMngMbKvQq/ +OKe5ZZH1BcR02enuqgNYQR1xUk4nwHnHUwFeWNa1+Eg +-> piv-p256 6CL/Pw A9Tk3dUEE9IL2Mke3E3mOe19oqDS9YTDZK3yRV75eJX4 +8qCQHjVWgfLk99WfT1694g3DvCozGbfYrf/cvsWygGU +-> ssh-ed25519 I2EdxQ iD7bG+gD5EB6IKt37N5wBIK+gykxKX08nBJmqUMIKyE +xs5EhKazMdwtYiBh8DWyZfp9N6oHUXKAUwJ3ipGnoUo +-> ssh-ed25519 J/iReg z+J9LYzBpAmrk+qs/bKM+dWZADzaCG1Zn2++aqngiUI +ZKj2uEEtSxI+VZmFMTIs/YCN27Dzaez55OHcRRcXGGg +-> ssh-ed25519 GNhSGw QiKR6ruzN9obAMMWEX1SJP6cuWG+zPer1EOEOubWcyQ +EGxT2dlZg9SBCH7MI6HygE6bgeyM2Njj+bfc9HVHAHU +-> ssh-ed25519 eXMAtA iD5onNylX7xPzgCZDnbio6+5GtbuO9lXDE+mwVb/jlU +rdadtpwMGEAwZOhYId9xeryALddEK3T4DQP6dfgSYN4 +-> ssh-ed25519 5hXocQ bhNzIK/vKeNNpqhZA9dEtHOlfYQ4sZpwF4Xy2Xm+yA4 +pD1xgl7iR1nYEjt7TcMQC2WzBlaMukoMNwBgomm0zzo +--- tMEzkXbsknws8FNrhwbH30AMAvDUtmI+IiQwUYCTLfs +׿[Gl +"7BMػr6X5Md 
D2sYǪ vE[p \ No newline at end of file 
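Review bot: The recipient stanzas on both sides of this hunk carry the same eight tags (`/Gpyew`, `ewCc3w`, `6CL/Pw`, `I2EdxQ`, `J/iReg`, `GNhSGw`, `eXMAtA`, `5hXocQ`), so secrets/neo/ldap_synapse_password.age appears to have been re-encrypted without changing who can decrypt it. The same holds for the other text `.age` hunks visible in this part of the patch, for example secrets/restic/two/base-repo.age. Because age re-encryption replaces the whole ciphertext, a reviewer cannot tell from the diff whether the plaintext was rotated or only re-wrapped, and the commit subject "Ajout VM Bitwarden" does not mention it. I would either restrict the rekey to the secrets whose recipient list actually changes, or move it to its own commit with a message such as `secrets: rekey only, no value changed`. That way a later audit of secret changes has something to rely on.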
diff --git a/secrets/neo/note_oidc_extra_config.age b/secrets/neo/note_oidc_extra_config.age index 492f4c0cab58a6a1296a5de64d08bff8d2ff4b17..4e0abde1eaf296202dfdcfaaeb7c2e4842e294ed 100644 GIT binary patch literal 1555 zcmZY6`*YI-0KjoU23&cmfDTaX-42FyGfmc{t&X{*O`E1o(>Cqa7KXG*mZoi*KGG)w zGCZHW1m@wXaL9NF9-BNoRA3wrl{X9&xG_LMUc-SXr>7@~KZ<|B=kEIr34Ar5VAI8< zBFc&9<+K3gKvi{}I+KZ1^Be@jpivE2lSMwSwn93m28K*oFREu6olZQXH!y}k0^xwH zfwY*dJfs5&w`sDwBjZ~=-`BYV77t&ip)kR-h(%tNPXJxvPkqQ>oj>`?;K{;MU$ zTy+wH5jCGTu{C)$iqIGk(1-M9g+TSD6e2cIC5_gBdx~Zt>aj2`qeqhLNi7D+s^+`` zCnY=`p=>&nq$31v9!mg7M8y0E8}j246-Ox};6}s$wGfj7a6PbKh4#kaC}x3^;UX9> z<$@F@H0BsDpP(ti=n)#cu@o58G6_J1B80>uIBVvKLZTEj>4WjSL5}Aoq?xcA(k>YB za)l6?%S3DsSF}MmS8%Ik4`V=}7-;h9=yW`0X!K$l#!3q*ip{z4ybtv_=$zn(?U11I zvK}EpX52Eh~N(RFL%qY6WDWfzsLc8Q9b(+!!d^?w>1@yo1R?FSP&#@HCJ;|87H<z!E!S2ZJH7AnM27R;^@ogSQv+AQ&8+Ns2KNCB2?IY$X(OK9E|e(d(L#cLt{MEUJi4C)-7R!ELwPf5+{p(wQ zxLtX_ZNR?C&wTRgrNwu*ym{%5@`0~(2%F`OC-R1^%ig-xdO`Jd#XD%3#U86$InHa%JU$Sxh$^>YPuwQks+ zFOT1u{Kkbr_j_&7+kNl!%^e+ISq9uKlgT58-FpMe`JRQ$=ECKU-+G!LmcPmP`9 z?p|HnyR&L^clqkaw9}s4xA&szgP^dt;y`vrX#3)7`sNYi1n#fOGxKK+mL`NY{VV<5r%voRut>fMUYd5Et(sxI(Rt-$ z)r*s+bm>~#dQ$D!{-f{y`1?V3>d(xYs>{1qv(cw(y=~78u@P?#EU(&k#@uqSGkO|7 zrVvf*m(K}r*CyYq*fej~2lH<192u*8{eo&==Pv5m^FyysoU`YP+mndzqoyIJ>z8a> rBvdYSgB!SBvhL>AY2>%lK3eMw9o=7d`zjG4`>ziU?VH-oETsPdcAr$d literal 1555 zcmZXS`)?Bk0DzV8N@c?dvN2v|5EwS4y|&kDC7bkdeO%Xe-Sv9cZWyk2x3;@Ju4}K? 
zR*^+bfGxn54Uhms7*4?OFyS#^I8a_ACIl1W0MWsQpuom!pdujplj2|S<@@rH0Y=J1 zsk#i848@}JV|4*p3J^)l#EC>u%FqfB1hitAnaePOSPyGZr;j8Ai^LcUJ0cK~c2R;Y z5R2(EiCP(pCjhr!Km%r65QXBf!lhJEDQz@ql3-{CRoF2Z5rQkz`mi>Rb0k-%=TWC6 z=>40N zi${(T6lIgsVIu+mrvaso<9u>$Ex~h0g!ZX;&QKQ$yi7x6p-Lto zwg@U6PDFy`F15lYM-;VmS{LyXW+&%O`Qj8>X^Vzql-i;)3ZgU|F}NulGBaw5g!Og- zaicX*O5mO0nmUa?9ZonQQqK7C^#9z$|3d+-2D^Ul<{c+NmNvG6qBxyrDH3}PP_bJ`5po9K7 z!MkP_KpSU6*g#Ck{3AAY!#7Q(nGUOGLhnf6r(nSUJ^=s18iDr!zfRAHiFe4 z6<{(O_Pr=6m5MV4olb!pJRAbjZdhg@XMFxA>=_kD(mQI{rIsoe4>w5O>j7#m` zY*Gr$?OgmuuA(~k^EV{)%CC-GSsNBnC?e}%9i?8Oj zwf=a5ZKa!=BprA*uYT9I39q!YKd#M*ANm?G%o?}F2WyV6e0%nu_1jvk(h(Au z^k{2GeB;ee&qDB|+noy+_wHp%Tlg|t_k+o%e#Uil==sMtSIwREFi{Y`zvRiu&FsGM z2jQmAM&t3qx}oz`b9P9F`|WYIg1akT5xyKl=|lFx!>O@>HiWj zO&r^4$nTr?OWU~jFBBD?8Z~vMW{r6Eq_R?AY-UUT;ruU%^-Bj0w|36wb`{?}Gw)0n zH*!?{M`%Z7?zOgVqwaLi&vOb7WS3qp&dq5auya$i$FI#B=-|2Cu7MWgYq*l`TWh|) zyZbkm`vEUGckWgr{OZ$3BMxx0Z*)o)h#H<2N~ne2k;*>0>f)6Z6{~ysg5Fb4*A36X zng*ASp)cq3sR#R3)gQbjdNXfFNkcx)z_NF*klScoNp!QQ>FP9TiGA$Jv;74-{{n>} BT2BA~ 
diff --git a/secrets/restic/apprentix/base-password.age b/secrets/restic/apprentix/base-password.age index 9bb9b5824e9637353ae23373897d10e338dd653e..10ca63dcefc75fa414bc29619f3708b5738e2cd4 100644 GIT binary patch literal 1235 zcmZY7+p81>0LO7mJmErcC{7aOap?~0ad+pkyYrAZJF`18yE}WEo!yxcwB5PyoY}eT z?A$7g=piI5yI3GX22vJTA{O{i9ju2gb~v1uQ>KY{DGEt@Ftjl1sq8QK@cr@YtMZ&Y z65Yu5bZfN9a@Dk-P0Vdhj>p=ZECDc_MUtXWFA-{zm4ptR7KM&h=Qu?c#tPeLlTxV< zG}(ro!>rIUGV_rLl+^@ixI>xZ`m{&{lN_V4^M)0L{dBHTgPV{eMvT^oWF^aC>ff5J z`*St`=aO=OiC~aKO^amPW(KO2UBS0a!4>N{2C3FD1a`AZjj;Lr2(JXqjxbCBJQrJi zy-kcv3BZYg-2-Z&)9hC>92TQMqbDF0#`i#&AOFY7VYPJgrWF??+1JcmNy55;S}nm~ zwm{*NB5ikEvFwE!2#3XvG4K#6k%zp=xIQpUDy48O+^4F%&&ESMqBTn`uuMfOIyI)) z2Wy2}SEPWF6tMq^`3%<*xn71u3N=SW=LQw3%0xp5RQ9O+9Woxn!jdELSQ%<(%6(xCFa42TZArbDNDW7HWc6pV0GuQV8n zw`xRPV~8LL;9~4&iB89iI38z;Lm9&nBPBUH!0|n25~Y*~d=bvr#{LdCknL>t;Rs+Weo!cRT88J-)op_>MOs!*Lds0{KC=ef9!wxd2Ri+UDtoc_w=H@;4>ei zmkwV^o&S;EWK4A)xd9#B_cY)f9(lWdIWx2ShX?z=o?fJc`>!8Z*v7tl=hoh}g$pNv znZ{2iKD+IMBj!(h_v)|@Fzi)HAaNwy|?l8jlcb?dJ zhB%S7o;$wvtGiBJrmU&2m#?ncaBa^m9 z&d}&juk5>8a-5DOCgYx`C)7>`g3^V!BGDyWi$f7tpj}n(G7RVS@v;jK2uqP9pp1D@ zjta#PZg+dS38S@GT4h@8h6)M2fDWrJZWe1464XW}BektA40WWs3uD=mQmy@?ImS5Q zWT0GJ^)V&u#}Oxpf}&R-_>@9Xx&~4*J{2$#kcS|hMFzz#V{|B3FAYXPtWak=6mo; z>ZHP#2fEY@hjMCM5&MWALvu9(Vh5=yPZ@|FsL>+;#+zQf48#3Fw%(|Fq+Bwa03f91 zYmhGV6*eAb?4hXQW`${*a+o99u)twp4+kU)Eq20y5^~_MN;QWF8&gESMfb^CCXl$S znv%yQusdb*7MRWRXp2_-s#((tO}5_mVu?f|Znv#gzHH}#(9lr}P*O zX78!ZJKnf=N%ylq7QS@$hBxP4-cDCeK6}XI7Cn0N={@JtmmZ;io%-N#@%^c>`{Rw+ zB}FdJEWLlE`aPOXNYp51J`R!YG9$z5gGuRjIzRw^0?$(p~753*%`H5%7 zo0cD2|NGW+{B5HxTV9WzlqT<9ZM?nl<14|TC-PgDzQ}Iij-2YRpIiCV%<*@a6kvXC}TT?%J>Yu;@Isc-QP5x4#0LOAVXKFFa+ ssh-ed25519 cZNEGg Nlccs0f2Y+tAZuucnNzMSz22dgnFMOd0FyCUJa+33w4 -CZPU1BkxGDvaaB+0D6bX1aC5hbnewGsZlbGMcA8vB9s --> piv-p256 ewCc3w AotAQEs3SY2TWrLrdHxM+yNFP5tuOlgHoZBjXvxP05Sd -6S6kGPJI2O9zqtdDi8WaNVNBvCpHeRKWHOIOhABk3U8 --> piv-p256 6CL/Pw A4TXb9Qy/woxDSBTGwnYdPZs0km00wlYfLhoPpqcdS10 -VQ4DPWcWGajvCAGUAzqUESPix4q9h9J395HZ3aJ1j3M --> 
ssh-ed25519 I2EdxQ 5WhO2QjJWafz2x2FR2sxnEjO2B55ZcJUYhefOYTBX1s -dm3J6VOocxHUpTCkuP9aXEvc0ZD8q875I7WyHOyEn2c --> ssh-ed25519 J/iReg aWz3WK2d/Abh3ZQ2gxehf2hB48WEFom6zDAQOIBjJgE -mkRU9jHIPG2oGYVGMcv0qcca+yt2N6vKvjxPUETzCMI --> ssh-ed25519 GNhSGw 9Bq6Z12us2Ff8eDO8bBL8R/4QeMxgltI/UBTDx9MsCk -MnhroVnSzbA5b3kfnTChrw43Oga9pqFzzFTWMYB/f5U --> ssh-ed25519 eXMAtA atHAYPq5qXROeIOu30+OcS33GukjaxULkbTlBli4eEE -2kMozM1CVoaN5ua/SevxH4qsuDtDcux+7HRN2aug/X4 --> ssh-ed25519 5hXocQ K+c4QqO+w3CUCrHe5HVarwHNDD+RknZVTO1Pw5W9RWs -2C4Fxp21Wc9ZDj06B0QLOWzvSAnHdnEMtQtlcraGa68 ---- ucbVnMMTZihSbRviwcGbyxwDcUUEnyeJCDj6d4dJVX0 -Axy2~~Ȅ'a#tdy%R*w}iK@uql.*DaUq4 %N+36߂k!.ȃ lXNA_t^QlŹi@ 9d5G) \ No newline at end of file +-> ssh-ed25519 cZNEGg bcq2jdSV1iE6alm6V4KPX9MJUGF1MwIKVczTCKp0VGw ++MCRVeS46FKPHMH6VeSQ1P9aCU6+LmYtTlgdnHP8TUw +-> piv-p256 ewCc3w A34SQY8XltI0bXv5WNFztuk5eBbUiT2Vqmue4xRUTn1D +r76a0kI7G68qf7onVGAq4S5Z32DR6BEmCrSUZ+oYg8A +-> piv-p256 6CL/Pw Am45lx4DKBrRYWaDQA6F+5aN83+RTyPOuls06IuN0wR7 +39yE14NK9KhezDSFADfvIIzFoxEgUDV6REtb4ztpS1s +-> ssh-ed25519 I2EdxQ TYjJ2+ItmyRRzJLeQxNsyEtDy3GKsE7+X2EtqhEDmWI +6D3WNy7XUrRphd4qSeCJpgxIvuUsaO5Ip2geK22DnbI +-> ssh-ed25519 J/iReg lmLKh/Sl9ZCMmLsfsh7jx9GdUbB49w/zrYtSM4YfaGE +tOtKJkQrqI/xgVfLf64FCjsnJTxjj5YuXk1EmjXD79E +-> ssh-ed25519 GNhSGw UnFhELQY7g4PgkSJNXEFHIeeKwlW9NiUQmrQTY4KuCw +F7buN8iYpM0CkswV+O/jyMG73SjD6hY+AjULp7t1WCI +-> ssh-ed25519 eXMAtA 2n2v9JWA4s7b91DyfaYau/cCx06JgNKeqlBXquSJYUA +ToeRSuVsb9pLmZQxYKTxIEF/i3XTZDAM6MqBuEidClY +-> ssh-ed25519 5hXocQ s1XTnL4QkBRhW9SRQt0KrOj6gQRhfZm139UYGe7t2TM +tT5EdRyoilgWlZ8X6qfEB1Fe6GQ1f8V4gFvwFweal2E +--- bjfHy+S+lcKqOAt/hnbXDtlbDz02YuRsce6XM4KMwXg +HeL[1qrr`趘RIp) 8^Av_6xy+.d3d38Y%̡=2Ce|p%>[tW9]8Q9i#3T \ No newline at end of file 
diff --git a/secrets/restic/client_env.age b/secrets/restic/client_env.age index d05a7652662fea717f4611914e11651d3ccf4b15..77d12cb098818fe94957928fd308135c8c2e3ed5 100644 GIT binary patch literal 2075 zcmZYAyUXkd83u4yT#HeQwG%~R;R=RtGr1>)tGP~+NhXtfGTnT+Osh{bZitrR~kEav$Tv)jS*E;hHTToSU4J#_&3++{56Cc4-{+qze!}$jB2h zyX#v`9AvsV0i$u*--n=I$q}xGeWhop%jA@W6lt?dnNajF2r>4;?!>H`2-*v{hgVSD zxSF7FgfGM8%uIensKgdCCW#$FZQahrt(Mwlr7*x%as(A_cX@H>mSVV5$8LdmJOEKea?MM|lv`6hB7^m&=U%oWNb@~KH~xX|?( zKv9o_K`uLPE{|rYi*$}lL3p&VfVh(Vwo-#=6f7fR7izVo3fyjJJ>+Cj;{8d@Kt%V~ z+Q#Kj+u_HCORb0r`i_@xv#E?M!3+?pg9cvZC2(B4%bXnnQn6<;tQE5XtO;^PIlwK@}SBKp56__A!=f~?ySJ*iA-)v1b-8BeK0P)O)=mS-b$MY6OTM68l zY<(XUr%^k>4IQmDeHV(LvG}^d`a^dXUOIDRMTF2Pn6*fC86VT@@th zNrhHi9N*pb3)N^B$|1E{ypEIaHIf>-RDZ#biBsS1Oh$z0VgTpEKqH0cth@EmFXe}3 zw>F$f*?QZgM>XIoJcWqXV|7$pP56MG(v~fwJ?9$=N?8IG;pXg+3+J7^xc4!0MjPk; zVBBg7l$r4fFrgwZYt5$)n-Yn=hf`FOvV&Ihq_<#=4ux&wRs;GxBCiEwYL3m^YMWhZZDxQFQzzexov}mEa*Or3-SYt@(Q6`w zI-jXs@hY7C3yRFzsy_FEz*}^16{)6db~R^(D43~iC35*iO`vQ$)M_8X%~Q>eeT^9y zU|j|5gq)}VVX-t8^&F-pMllt*EXQVZnPH;9yW->o!g_VyA?$G7Z;5%+>UE|#{-RyD zHaF#+G!5{PkjaY7_9Na1x7qO2uR{aCiIGVKqyVF8Pv5(~Dqov~$6Y4o=q^c+BrvYZ zHJdpJTSX_zw4x-mjyhY7evm>1;R&uM>h7gSt3rGD2cDC_;Pjx~-2vxfETo}-c!&gT z`v?sxd<~NKxsiL*aEQcCP#qQ2Sp+gxF9UCX>7%dn|9XD<@@Jm?`@8JVzx%HL*$=$% z(vx4m_w4)q7vA@gSHJbSe?}kvQ1IGUK7m~IAAawTKl$d@UU~w({ndZ``_bc{y1)JN z%hjV#vv0lkNY0-7%U@r7^2%fAjgNi)m0x{>|M+jd{rabV_KP=u^o6fKc?Wzh`@yTv myakQ#e6jiEC*Sr=qxURAYLsj=GLe9IGpnf(&QnjqHb=6b6tI? z?owccRu3<)`#yU}Vi-jsVhvwVMNQW=U7O?eoPvl5hV9KIy7_{bJFB`FMwDrr@aPU! 
z?-O`&S!Lz!*s`=>!OW;_Alj?oK?T{xq*&06x?uxZoiZgFych1ZvlU|rxo*UbPBunP zgr+leIR?NLGf*U)0+~5k)X8hJuGkX;UeqgvBenBXo4X<0fCsJL&>MAhwVXiC_P)GO zoUoBLwoEB@daq?@@9N|lv(-~dBLG|7&NMjg+L^bcrapGsIRnfP^)?;OZ5z7FT=w@Gz%_F+t-F&S!&jRz0=U*{#psx7 z<_Os#116PYda3Uv20G-2}w6UkeyY`CN~2}r9;CijW+wU4jh zy~Yj#(WGlZCOS0h5$zD>*^NNzbml-2L?uM%Rk@KXH{fnFqMTB1CGPE*Xs%~-5+E#R zw_0i?9dr#1vlgSI%m{&Z zFkMLOPgt;Z8T`DDZpF!R>a-JeO2V)LGepq~V<2P3 zIei}Q^k1zxj}Hxu?$*gfN84#l!lx?BS(|j0p$hcCjlshS9vvyX>V&iE2?f=$}mH_R!Mf401$BKiu z378ptfuEP7y-;p@Jm6<%cfbWmSBln&TX^L(;?i3T3vN!%LhkZ|4JD&Nxl@N{E^0= zGj804FE_A%tAR{zSwV~4R7z)!+wN?{AQ_|akNW-1MBr>B>6-B43)kp7Zy$=ciy%!$E4lBWYf)=y@Vo9z3)j7*+M5KyW*%X=r!! z@q3L^GLxIuUN%C`sPM=n#T8slI?kDx&P+?HDzn8>VQ`|IevV}(S`lQOQ#95X`VLP* z_fVo@aX|D=vfPUmqZ3>V@p((_)w6uBB}bVY$Th@4ZC~aUrl4IC<_421ZlJ1TT2SM0 zDKC}@&g2%uc^zE!N5Ib1IaA7kSLy6>zU0#&bPh6iJR%7TU$#n}DD>(0f`(?tI?~sW zL>_2N>qudUD4y+5Lr5pi+$qNyHxI!S=7DZFSkhPEDk#X@0M1gt`{o9ngZMUQXyD%# zbxeY`OL*!80GJa9+4Jvzcvzo&fV9}GjP;J?uh=o?Io!E+M@XHY7kL1A=m1JtXAKu{ z_4XJ3seR*XTki4Sz9{_gQ_CAK-LywfPcQ%B)%=|@`layi$14~9-H+b$+UMU$fBTPb zKl{#4{_@Goo4^0TtM7YrgzHZ;-@X3&(fsJ$*n9HYSAP8GZ?(xse)fqk|MA_={ryWX zz5iMGG411j`s??9_115mzVq0+J^AR9U!Wg&<@G18f9C1;OcDOdrJRC? 
z7DV%ou=t7`l5R$F97-`H0qDHThC!0(U=NRAB!*n$25~1toDV{~^AOyvNA(!J- zFIkkth*4ChU*fQYT5dZEP_uM0khK~MhQ8_hIp#Yvsu&-*~rXz zA_+HInpuogSkJpmL|9xQl4F4(<(xKylBzG;aL^nWRanRbby4>aA7Qb6PjMrWLF7bw zakr#d^E5f09oa#Lkpq`<88RcZ2Z}%H59wAUF8pnBGH$VCm`$iApcOma3Q0|2=BQEuEI|fb zAE5JIT`&7NwwOVLSXr-py8$et{pOw>?}G2GUbDShxUuf)@omdv!W+x+`g0F?0;r%#f~2jQ?+B#?97)-h0Xefx!0cBeCxRI z-NjOB<)`b6pdcRw(5=)idF^rhWY2X$F5%6^p$*07(epyi!Z-*-<|u@o9ycw-@N?n z?BNR^J^j)KHOJpPIQIP957Fn3Ui;+G;kB>ad~ntK>Bo1homU%c&htyB-rhH}dUn;` zeYeYJ?@EPvWPj8jySaUS#oE^|{dD4w+keepda{4|yrypbtg&_dpSf_;u8HI+d9dZ~ NxrdLw^ZN%Y{|43kzHa~k literal 1235 zcmZ9|Td&gu003Y^!o?lng%B_roJxps&aP{_t`G@rx3yc_UAwhi)VQu)FI(4k>t&sZ z5)~6oP#~Bb2@*&!CL}5Z#1Jv?KztB6h7bh_;X!@iBFDf3UI=)3^!$P^`8t}KREOPB zY}If`C}u;1yKG<3fUSD-H}1wpr61tjGa5w5ruxt}K|O z7x63#TLZ%~SSpN-5IpO1ZineYutL&~!flIhxy`ZbmO`vtiY07ALPrT3tSe5phPbRm!l{wT!lWqkOo6Obh>{*mMFeXu zTr8&Z%A^(tGqOuSVm2p~1*=_E{f5#~_#)m02a!QAft-ezP~u2KE5?{Kmo*R_s#JL| zKthCu!fxPHBAZpC5-8HmY#WI3GH-X_g<1(P>Z%qeI}(8FC4?_e)sZ|Hq(%|sN-h+c z3PSf&3X1Ah4o1n^l#A)C%aEEk6^AA!!g98UK+_?cC=<;du2&?1K}NpWZ=~}czEGpe zdV>n%ma7c>iCl{s6QR?WVO-3#I<1mDk}`r{!~$bTM_4Asz%(A~)O_77BE-0rvv|_1 zb2T#~hPVoI2?tH3NpRB5A%WELTlPXt6*=6);{Z~ulNcf_76MNm5H;(<#~NXeG#o$*2q(M7vk zi!)3?pU5)Yj+}{$G+a<9q?`dtl2m_?f^C%ILT1th@gALzL4iv!Vjk|J3Pg!x4rte? zNpX;>OO3kdXDf7rVo8M|hDI1mCX?}^nZem!=mn5m$qguw6p8~gOPP~=6@(*}0*w)w zK-z%c(qi|QuRD8yojI~2S~)ybf3Ruo^!FcMdSPyGd)1OP>4gW{`uSJxzJ2A6d4BQ zpdiQ~CWdWvHmGUnJVvz&>#vwxYsSnHhpR=!V1qu-?RnCRsvd;PJu)>Eo5~i`72-YAR*24N-=r#-RxpS|)YQUzBmdt+W;}F}0Vj z7+#2IH8CG47ra;n7sMtBG=U2O(qE11dP5SKG+2Db=*DT8% zIB@B#H=J*Dn(qHJ1qpTFx58vv(Yl2U7&gR_G>$|i7n zX~eZ4^B^1R>ROjmKCoTUVa#aK=?=0{>6z3a)JKjpI^QO$fgzSHIip3rTgb?W*gGBr z?9M)#g}Q4kqui^z0LFsYb1RDOWl*%?V?lxwwb%DUc$-C8C-V#vjcJ(F8QAekYxR^s=3r$6w%Yn&=K6p{?DH*C%VOeW{~%#s7rHqZi!-cDQ2*|5Vi)#NWpNtp~ewt9EvKdi5Wx3H~+lSxp(i5`0b4cez|q! 
z9pdYgSB~!wKDo{=E>h3GcWvlj{NUZoPki?9)h8eN=)s&iI(j31{Q7s-9<}~{k-Pk} z^&0-gN%qoXZ-4sLg)iUy@bsr#{_*Z#Pdy^vy!6A%AHRyf|GL}l-MSzCYV0nZoPKkB e`poatoo8RTDn5NT{QkD^`5$kEzg+oO!jS(Ofp$f5QGO- z^i;$mypuhvw1NjgLGkdgJ*psxdTXU1uZUNlN1x~a;luaOZ|mA!J2tZ>J@`rda+0}F z33s}$0(tIrZ41G1m;`*y8rT$o2N0F<^4jLB#R|c2Nh*{WLMe65SR9rOTP`&hl;btA z*l~D&UZdMVlZ4xmQ7NTQ&bZJ5HK(8ZM8u2OhE<#8L~yZxwbU=WDT4O_yP{3B0w^M9 zCh8#0dXcL~(x|8-f4!f9M1!K^iMLAmfYHlR-_7Kp6DaE1S5>eQ#>BGjj}pYS!Km>i z4(ex!P}OMRJCz0(eD6P2pB5nb%pwsHg~7hlhRDLnGiMO13wWS;9BB;IO~cS^s%gV` zy$y#QR7N8rah0h?!km?m{Bo2}cX|$s>*X{SVs`n0)Xw7FW6zl zl=~e^Q-OFeK`(WpX)wkEMq!8%ms|6k2xzerHz9gxN=!h-tbqhs6A?@`vzVC?&J-8H z-eG~X0$tAg`FU*$`E%O^T2*FZyH3U!2xFAFF|tZ9lS6^6C=CgT9cwS$F;gn35_V?7 z5CjPo-B*ZS4)}dyah_@^QrUw_O19+LxZE4tl_UrMYa7ixbyNXocnJ9a~zt-sp^ z4uKwxQF%b5kUkxR6Di-$$)1=yBhD-l2~t@FT6!2)%Vy{PV?Uf;|M24VCq8-m=4XFD zeB=0+lUv0%SHkZF>5X@8*R|XnW$)d3a6$iB|NZHYeV>Z_FQo^? zpLc#^?_c=t=JL%)PA)^&zPj?v=XXB3`^Dg|Bj-~6Ed0_d*PeU)($&$$7wacavmcKi cz5Nh%{QT~<@U45VpEOT>dvy9iCx7?qKQoPRr~m)} 
diff --git a/secrets/restic/livre/base-password.age b/secrets/restic/livre/base-password.age index e9d889818ff4095e40b27c468b3fb4a4ab5d423d..8cbb8757d3758639a7e04a88e920d8acb9dea83a 100644 GIT binary patch literal 1235 zcmZY7|H~5v0LO9lp)X9$5`@x%iQ$7>^S0aVb~6(1cH7;)-FDx%3D$kv-R-vB-EOyU zKh-b7lMo0}V40<2W@-LlB3SxZQ4|kJ->^h8@*#Y}3?kuq9?-HM)4$*a@6Sgz^oZV3 zyCb(}Ii1Z;*8uymP-JV^_sxi|L5V~x6*d#T#9-kL0clL!Q^w`IN7ikfba+mM$3UG@ zRI20AvQn{%j&Iu|G~@zAtqaI7;FoYt$+=FyD#kz(_nM4nM0s80q0~TZHUPW!pXOTq zhzlieRmOv1vqgl&b}m}e z0~~4aqLj=FDB0+Zm3q*pjg~~Kx*i4duG(l2-r#>0k}iUkyH+d?IRscx>444FG!+qH z&y?C)M+u^Ef~XTfIxoi)jMYvDAxH0-FakEs{3z=K2${;(g}`dsj4sJVqa@{|=3s=B z2Ck3YTQLV^v>_7?SiS7`%ebxjWTM|ivt1k)vxF%&1C+w?PGG>S(@zpgIulZ9v5OaD zoh)?1JNMOV$oKH)h02OLLcW4AdP>hZg z;XaL|O^zId`GT8E(z=Wlz=CPBWem0wq*HCuibGjQgQhizH-XMB*uK zz@o8u29430C1eDKmm~)l;XX0uiyftzzfaSvC9H>q+l=Q_0@HRSKr_oZy2lGH|U$Z1hXyrQ-{sOz;P zh^t!BK%+HO7}sM~24t%BHct*!!x4>8BoYbdZL+RJadwn7Qy!JDv}l^Epxzj$$_mc~ z4njE^TZ;Az)lz77>gVC=$2VNQc58O;F?7irsU^;dqx09^D?Ihu!s*4GKkWd%nA#{D zVY}a1)U!2>wefP$>7nUzvId=266~LX)ORq1? zY&d%O(pyiQoQ>>m@49o_oxgDM$@7PiO?#F-+dE#F%iY??Z9B2%ol}qfIX5$X{gu!E zKK0>|5O#et5i7kssjl0!;?Y^>>O-u`&q`Wu_StR0*<`^;6LJauX3ux)=f6JMZUr+5&7bd8`idR2d+`Ia?dkX#I;pD{^-<>z9=&GeNTMr!iAh!1RbJLc2 K<9iHPJNYlu_`|RO literal 1235 zcmZY6{p%A20LO78ExEo>{ZJ$XO(ikLx`*v zp5^o&aE2xrz(8V6%yrudT|-b5&c@oPJI&!Sh{r*pDp3PeA;V;r(sEAT=yNrt(tv~! 
zUrUov!!2YZCy4{oHIxZ*h+fX73s$e7qC~Qr^Rs&BRRqh{(^12!@~yU!FF=25eJe=x z5fqE*VNOkkF&r_v*+8U0xl|U?t_WvR(oD#BMFMQ*X*(*o4lAP?(=>|;AX<73j1T+M z8r$i)I?IZFgoSxTMQWy-68mOU9Sla6QjKT+V_`W4WUpILN~5*07iZEAKQldu>&l?Y zdFet2?)Q0y3`+z{k9v7K$YDT8`w>G?S`Qr7@iM2DvK9&=uF{4I4be9O3Kt~GC6ze$ zkM-{rX{4YM5LHH!GR8;{z|~=-2ZQA@ zU5IS5(IycQ=glfqSDV@}9SvE@^_v*)4TI@M+Ax!KANo{h>084&`bTV zjjXl>GK}d~$X8rTE5f50$hFI17c57pikM18t43HwFvoIEaeIVB1Aa}XEe~S|Hq1~u8Zq(4W zEV%}s#ms(Cq=7^t5hK`24pF-;R~$*6K;<|_sa0l@GHr{5Q9>0h z6!NT%=Ig00@H5u$Y(LS8@0q9uc#V*j>Hbwwzoh z-2d9K_nvS@cZ{Zfy!QKZZ(qDNi}{l)J9l4QWvt!5S6=t!qMt5!G!MsF!h?Gz#`dP0Mu=&Y$stWne;+ljVMh_jT{>nY9(3``II){;%xP7tgQxfN}r z6+~`zd^&bYXSOPfQ9c$NJyYYUzphPLazQl#EMh)%>ykHHEVlw9cxoeIBJ7yLsd{?V z7s~+jE27iO9WAvrK}z-E%KDGhr=^bi&^iWeMC*xj8I>d)83&zU2M5ZuZE0VVNPlQ#ht@A*w-b4p|2Y1pVFj?jTS z0$~tQV=n}^Oz3PTt_NAXACfq>4AR&_wqVZLU@6O{=Tp-yym1J5ox&Cp z>N9@SieOY-Wm=A-V*%A9lbG}?3G`_o+j!C=MpMl6r2%X%qUwAbC;L;bf-;)yI;5X3 zX`iXL0|Q71a|pw3e5hA&Ny)uwln;ybocBlzb z(UY-1nZttB^UiDTd`#vfRB3!@4YM-l^jYSPV>mNI-QdM>X1nW%?&juT1B!hxFzi-2 zmr1Z$YZ0Z#bwtPTdO5($rsrhTK6B`iW28;Ks={UdKMnKeJ6nT%gsvr-!w)-auq#o| z7>lY<5)o6WK__bruv(CA*o%k5s^yvMnn5aSQs!FFpp@E=bfh63P2H@xZfgC zI%h$v-EKopB$1gKrcEIh?pBue7=rzj*K3FR${@#S6E-E8I_C{!{eddiV0}503u=W|wp5 literal 1081 zcmZY6&5Pr70LF0;y!7Bf4|);8!XBj5ytnBvET&EK*1Sx9Y0@;{p?Oc6G)a@RNxdxM z+u%VDBI-dFQSs)%5k%nr2DwT4z`d0Zp>tL5>omt$lf^7msG z-$Qg97g6bA{nc!>!5FOFXs~G8HWG|*#u(y=Hx2x9RMU!tbW&7A7gKR@f{tVPo+ht3Q_DllxX?6r|7LTDe(w)9%XiXXy+jGGd&}jfiZ! z!B*6(C_51rpkwSgR+%??UK5;2m)EF24A6T zhZQ<7lhc8thOG>^xN=KXCRRbh4aXP=Ev!{ILAQr=nlfs3QR9?I=k`!S>Txhp0OszM zSdzDM4^F|PDG`5(l~j%pIujN{zz_z}Q6qoBFSWoAB}PKIX}+#0qG}pj9>hL^m+5rG ztW0jwM$|>kw`97ap}r8Uy~B*y?x+!AqQN*B5C?uhpR5Xkl4jL@Rdxx%8zD2Qb5Jsl zgO&NTJ6mU#Y>HKsjMR#41-zQE0*lhX4E2Dl!T;LG$jV#|0+^gePLLb&v?_${2y86M z2;6L`^VLW>i2Fgx=3qFtW1$10Lf=$w-8v~nIH@e5sgAEf4C~>5qd`m~cvo8M#m>F| zTdxNxMkC-TKV(D%u=pl)Os!akuBvUvc$bvQg{^wk%mJK6cbiH?6g`;)VOqotP~h5iAlM{>9T 
diff --git a/secrets/restic/neo/base-password.age b/secrets/restic/neo/base-password.age index 8aeaa91ab30036b3a73324fa2ceb4dfcac24829c..6e8ece2ad8e0e26480ca05608079597ffd889997 100644 GIT binary patch literal 1235 zcmZY7|LYS49LI4o!Wa~WA1EzhkQg%N?Y6tyouF~sZnwMbw!7VJ_XYdpZFjr7ZTID~ z-R^d?vPexLBDH=fDh)o`Cj}{pDEgr+CTO39MH9FiSpB0N#xUPKY`eEr-Oz6 zXr2`$y)=x(^)TPggmE0Hx2PP~9|K*L$XYJwfkty8(}I>32&<^)GzEhuW1XU#NNfUB z8|@%Bk__7-`7xxx5;`H#NiJ1s4rg$>MWoZUvd7CB^*;;AR{(awatbJ6Y6ib>4Gq_Q zYmkD6WUkFBoLHu{@(5MiKu*R2PGe#L#k*GMH^n?CbP`C`1F}re>(;=Q<=ORmxnetb zW#~xl((u}fRGQGnT)Z}fTKt3|+dV++cKDex&ceZ5@6cP^=w_>bP_IR zq;8OiP#;4&zM6H4lo9ID2*u4_tgI-Ws}@s>zdKoDC)lUY}uyI#aCjb&naKd{C?U8Y60rD6{azMyA*E7?5;ho=SFc z${tJoKGFv=B9ln9o2k5{njL~Kw9s6x&k(RMkmTz$U1D$_k8_h0GfXsaXej#K6rWIt zTr*WxW=8#P;0zo=v3ZQr0m#m$VvwKqtxOrz+k=t?s+m^S21}f)IU_ABq;10DFm^bW zv8;SuN!XO!HWzn{3K3$mK*L^C&K4t%LbGzWFSMvaq15mc)g>gYu`nhBk9poe)G(%- z?v4F{Tqz6H-pFj`D-{dYN~F`MMG*pIDz;p2#FEKm+(aj;I1-~?m~zJeB;g&QS0nw_ zs9M0w6S?3p2_x^;SVWLxx18No_)0c*-9IH@2QO?8w|!ef&CgeVedmYSbGP4PFMjdW zbMw<%p(`iOztDeZ|CYNBzjEcigWPKe)*d;2`NT^{zNnT6b^7?+rDkmBvxlPf4}bYn ze#4UZqstEc$V$uJKXB9CeQ4$C#p|X{-?;Zp^<75Tj$T~Kg`2QLo1cI3-pk+Z{_T&~ zpIh|^4Qg+nT(|9qrHl40ediF|JX!eFhyN^XrZ#}bq>iaGJ>OE(kIu^XKYHK+9 zY;SToO)hykdSc@T_FIj;d-#*nYmJ-z_wHB(&ThJJmWl02f3xG(i+|2N@abQVo%&_h zgX}XuA1Pj%yJFOiZhZXXiz}w*LEzW9gPVV!z3u9noq6Tl=@p;Uki(~z)3dI2nAoyp Q<-Q%#)clF_7v``24WpC6`2YX_ literal 1235 zcmZ9}+pp6E0LO8`OUUp7B0+L|XuJ^}qg}gp8zIK7>)Lf~*KVg>J2lX=-nOpm*2^wU zj2gU=phrkB5m9pzBPb|5NIVjV2H_|qh7jW;5J{APni!*r1iU}#`3pYzeSex|q>Nt6 zpY+4F*W2Lv7C1~NQjY*ZV5bZnM$vR00IB}O7y%5yx0$fYwL!(lG&GtBX#s(dT)9Zp zeG`$m*d7O7Dbnpsg2$V~AX|hmO=0llGzv3?2$$&CW@=_S8$wYRMswXJSQ3JNw0?V- z>cc1o7$c&Ei~u~Vcy*1+b1uUap{{G8nW2kDK3l|TS!7|*z>_p>!z7h2Cva%kW-$%v zl1QdEtTPqKip%ZH#K{+QGOa+A%MFugxuaBdP_xIAbtbXT;^JzGNk)gSaM_Y+Nvr zF$sr_SU|E!KQnGbY|-+2t!g*yqPZrSssCH?zn?K+yJlDbQnVOODQEJ9yoi?5F)@Sd zTqsWn9+lyw=lUil`4vY{VKvd|b~*({hNNb*&vn{VFhF8T#)?wS;-P}jo53d}OXQI% zAuirV@phdW0Trj=G+@!{DNc?k&_lyl<4z6hY77a}y3d#OmMSU;(!;HU$&)cS66qM` 
zgt`)GW^OdGT@tfG_!*MlB;aNBWXP!sS<6|Oo@VA zpDI+btXwpwy|zSxebGyFCWb^fLg2TGNfu(+0qz$la>l_Xc5^VJX=Xv4u8pG%E2@h% z)KRT$$O_~jj4LBAp{gC;oD>8+9;c0d ztHSVgB0bhauPh)j8j>C@@)Vgw_-reYN~Hi#x2io{w8r=lEXI1;P@qANHo>OTH%e8T zk?kgyVUkHAZY8{1&tBQOXI=fmOY+Ix?u#FtSh0KC(Tx|U{s6#PXJO02;SVn#OB^48 z&%M$UkNeth-(7j2bA87?smFY&?OJ&exRhv|S%3HWHy74DwAT2cX>Z=X@2O{}?m2Wg znqQS&_Qw3zKQ*-*_I?$gpIyCaV{mLm{preuSAp+QdGGP{r*7Wmo^G$vKAHdJl6UsN z?4KvEEj{$GedOvB?_67>LPyqrdT?&j$6vhs`_|>ZKC|>jNy>xwxmWf-fBE(;2d>_G zop^u$$(_y)eqq&_jW1x2J&rn`z4r4hP(wNW_6N(f+0XxYH07V0dvcrl;Oi%_yTlFe z{dlHy)BK(#b8BxKQ}-{A&jC}Lzu7*ubIH`HeRoz?eoN&K-Z7_ahB|NMwy$2@KYHK@ Ie>wN=Uyh@ ssh-ed25519 /Gpyew uXq+MfJBkPm8swwZrPvdDvV2bDhpRym/ZeMGqys9BSI -j+YqicDZ4bihNJ7l8KdVkto+si2y2Hs0rCiP1OSu9pQ --> piv-p256 ewCc3w AhHSf+4ctgmsivwSWdryNpYm4pWmGYTC0uP8vCMFa9RQ -cLbPGip95TFpeVLVX4RAmr2M4wzcY7JKqOOmP+A6h+4 --> piv-p256 6CL/Pw As8p7SSauNa84TXKGtPw/R7RSv4Rcsw5i6QtiLm3Dt4e -6yEs/0Wz88KUPmqVRjtvnajydqb5g6RKHDIDltXE0Dc --> ssh-ed25519 I2EdxQ ql80kds5JxVbwiQSyn4iYM8Gd97hZZtZEIiwEc9gK2E -anQR86o7Dx/36CQefEsoaNpDVQEb6CnCh3n8stGXiDI --> ssh-ed25519 J/iReg pnMm4HO8/9T1OOTH7hKr7TXzEsmOZLD65LNUWGBbLz0 -N4FOYkaW7og8RdS2QG8h6PLtivNLmOHlCHF0YmJ4V6Y --> ssh-ed25519 GNhSGw 9J51AEaJRIcigTwyaiCkjP3qKxy+L/YegYZ23r+yHi8 -yT/24Ci1e4DfGIwfF9gLOWs3eCoeDen/w7uBUjxMTRw --> ssh-ed25519 eXMAtA eBsWiM0mKL4xYkI5IFjkLy6/qYTBRhoNAyE3iTd1Ez0 -R7T+pCgYRjHtmj/NTKYPQ6cd8WWC14y8aLDMT/kZ0aM --> ssh-ed25519 5hXocQ bOEbEcSTnUwrMUJ2VZNu1FPG8hNOUGIID/CscM+mRWY -18iZ/TdpvAeACn6oYu7pCjNc/lpONZBqt2NjufP/OMI ---- t+VOF1H5amjBbo1np9PvCtidQNXVEva9j6eByQd9Qkk -ZzQ;]/tG9l!jן 8UahXгLbs3?ɪ]@()x&pMao/\'Og8 Mc% \ No newline at end of file +-> ssh-ed25519 /Gpyew mx+zUDoJlBkJG4GUEJpTmF+7cekgNMAqGf8L/hLKdAM +TBwEFgEWExFwuINvzdrfck6mnBCIpUAekZdTBlX2jyw +-> piv-p256 ewCc3w AtCGtCqOkpF5bFUtuAiYe84lT+1G6MxDNkRU2pUqk18B +3/G5szghCSHCvmiCc7/y8hOZyanfbU71VI1P/CQ4g8Q +-> piv-p256 6CL/Pw AmvS4ErSMMakjmPgkc6uuAW93uB7dkmLzwIWLnfELyXc +0LzlaXihUe55n4gSERN2IyQvjBZ1sbBO/sg3QuLSiaQ +-> ssh-ed25519 I2EdxQ 
cwwjiEWrJhC3QlZxbCEGjVBPf3jlpjgroeDBzHh+NXQ +V9avgV8Fey4NRK1SYZNUThYncU7zfKU14U5EvQ2kasg +-> ssh-ed25519 J/iReg BbZPEVsU+QcuK+R7O/iyM5QynQ01ve5mpYOmGS7T/Qs +VN2037c3niLVO/wCpl2aJag5yoH04Xs5sFRwNgf9Szk +-> ssh-ed25519 GNhSGw LGM6jIDcmvJJjst+IZGZtIFqopu3VA5pJsX30LKh7BI +cHv8yBQWrrZGnfP+/iN5kboEQHR5fBCNWXkEED7f8vg +-> ssh-ed25519 eXMAtA RXk5YHqqh9G8XIlFcm1yFHjEN7yRQwjT3+OIAu7JHj4 +xNZVF7sCfEIGU6fFrPutCks7b+ZYrXXmPrmsm68Iqjc +-> ssh-ed25519 5hXocQ sCyqDVxD7B/hHT69Cwr+eI/kYI61Ea7fW974qrv9+hc +WyHRkS/KyupY1/REGTrOuVsCkAUgOZdZBDNU66fq3X4 +--- ySHYrP5bMWtiO3uer5Updjm5yAOeuX9fnUFKH4vwUSc + ">lJ!]@l)yCp>Ἑk'#h7|n aa*Mǻck2)o>LD>VOGIX/1c!QsMTS)dEuc>Ry(Z_ \ No newline at end of file 
diff --git a/secrets/restic/periodique/base-password.age b/secrets/restic/periodique/base-password.age index 466e931983f00d4ef48013a3657ebd8efabd47f5..395572e9ca05e6ec9d6134cb6e359bd77fc835ea 100644 GIT binary patch literal 1235 zcmZ9~-;dJ-00;2k4?<>?#GnBpW&tD+q|XcGVA^NG8EGVu4lcA)_#85=p%gker4M(w60v0H@YNydKZMVwx!Z zquHhxw-X2&)qFxp`cd4a^jxouRdB1*_Fx=W2ZMatMTcC56?Bv>TVc0TX93fekw^`f zs$rT+3cwc^0DhXvV={wQEImg~8hSzEW{;+=r5onrJ5yU{KR)2%auyc#Ls| zDKEy45ps2lbb?faQnaYL{Uljs&7c)RF~XNZ+{&_m+-Sq74>Bkc1{4EH43terkh0L= zP$NGo3Z=ly;M%w^hYC_rGJ2k&1iFH`vfz~&dkC)93V7b-ahrn9l+J4W#!S80=(gub*FY5+t1_5}C7A_yEJoRSumGgJc?wkF5{=O~if53m7IJ|A=#+|1xM|N(VzxwX* zuP*zovf0@@_0{opwGa54qxBblx@n!c;XHQj=op0N_wC>QY+?P@FP9$tXny;>b06-* z9$4A+&Hkm88#^xU|N7kY6IZWLEAt0(_dj3yjr9(_75@J4!RZS#nG8^$+xFSnH4}U9 zdcjV$CEhsR8=pAg5cf>Pi+fhKEN63^&eMso@QSIhKK z!4r!^&VVU_XwfKc)qS9Ws6D5U=U_psQ+7RVn_jzv!W5|{)AZQH93mi<9$NIsy+^*;40MSH3u?vly)#C9EfyjtTBE6tn8Ftx<1f`B5Ax};ZTJqpdW6kqZa8Y#IF5!A<4)5hX`oh{Qzls;M5#}NwKCKpq4ofvs-sd9?G-v8 zgta)REeg|FQK|^dU?|BQBcJw!LDNLF60a}Rv^tCT@rVnzh9wDOQ{&LdOt;ctKsRxv zSXBHTWjZdNtkonFfpaB60o-QbsKttgwSpk9i>c{MS2kPp{ISLaOBhTenfK*DaNErP zmPCwtPvIjXu1N-nagKud3O_buDx;#ZfHh1~O?jMFq7g=M3Shd;0^)Q|_xK!@9AP7v zHXMO#gaa;L&S_o>tck1*1r}05bdsq7(P%V6C^^^i{e;;HlVjFZNu^@(e52B4vVn%y zaWO~Hu~F5Ad>Q!d=cP|w?tQoIaCY&>D^4w63y{ZV!t009AMC$r=B=HZ50u7xo@Kd{ zH>_TD(VzPLI`-&e#~;#HPhLBENTUCCr{23~!&PAW*2t32r?wp3t)FaNxWhSS?b`n~ zK&*$p`Ekp;lY5sQUAO-F$;@o=rQ>TR7fqSVHkj#yatH_4PBX79)}vP|KmA&I;LMV< z=ZNIW`?hU7_g8rK+Y7u3-m+&Yal$x7u3~>#^UkF|uupIE_l@s8ziZvg56)f)PrtJN z$d?Bvo`3PpKdYB_Ebq_7Z=Klu#fPuHv0b}D%}rc7Fu8Gd-}&8#o?Ag|I#QU~x#O9` zdvBirwk~=9?nUeFeBt1UWjBAa^64`X55n)?6$ z1i=SU*kQPvP7o&^6b4h=Kp9@P>rP%2e0bE8=w)Mv4V_0H|AN>1^D%+jad-BAi|s7)Iw-6zRRt`8)IGMP$O-2#=NWv&fWiGUbi(V;?_ z8;nHKy4@O7@}6I6OgQ2S(wFE84t$^4P6$X?EH|z@O@n;N^JAe3|J4%z&`D6d-*(HP zjg@U`YetBPfyH{8CaAzT5fBGkt&y4u*BkLJBU<#1Nk~H&;H_ys@_I7?%af@GkHc9j;1jMMIih;*ds7wP`s*XUc@_wsf)&DU}@K3j)fFyju(%vtXSa zqe#6tUt~QwqEyXVLUndlo523U1#Qi!!?ABV&2mGsdw(y_nPe$VY*?QG5IKxeP|9IR 
z^+Tp?O=Q=Uh=SO}SVUBovF29wXp>{4uwJO^M$!+tJP%3FOYO57Cwfb+Y>&&jhN(EM zXv~m^DZ26Ce5}l3T=m2qjZ$bD7km?7Jw9u(Y(v2%8EugfUs$xCRQ)iODXHwnbl|gU z6$-JzQ0WW>XEj%!Q90G#=s|*76EjO4jOwOyV#2RH4cJ~u8WtMuC<-qssOds0yM-%b zP(d4jn0VTZT%F$z8&!&w8e0vDGR^`<#2E!M?cx8n;hrAba$7ayi54U#W9ajP1fFKH zT5({t$re@Ma)k;JFePpv1E93TBxN%!X;c!iA>5hSP8RSDX6=cf5&#xk?kqrNs7Nn* ztxl)YMs$6;#YjDr?Jb{M8p>5(35hv(p!)~Y$jw7o((CCUGvwAMSM?7s{Brx|@B8yN z{=6iDqvGW^ZvpI?Kd!)UJdgZ_eERiw^$C2p^Vhkfm)_>SI9a}T{Nne=S6-C{!D)1S z;oTP=J^SOevis)I>E o-PM=l;)CaqpO3D-f8+kmhZy$py(j0MeDjug`Pb9GPpqH*0httfiU0rr literal 1091 zcmZY6-K*OK7{_syF{I+_1w|~D%fH!Sy&3z z;}?}8^^4XH;?{uBH7ZU(Y$ur0)~fP1`UGbZEh=S`Q0(P?wAQ-#?4Mc|R-Ft&(6(EX zPQPvsb}0$FC!6sgXEYUQsl+OwZ>tj*_s&>HW z!oWbXY2%H`u1x?U^{?W8HyeYY>iTUGU**I~SK_g|!p1%|+4^Bh_Y=%Wv#F2B(O4qjbQ;2BNXlqHR-%6IZ;TX7nYt}|DK*2^ ziXn&dB~ht$4fiXXTA+YsELJ0T!tD1I?sl;lZW#_I#)tvin=na6VPwv{t*V-{x^GJn z8_)M82(mbDc=~;kt|bn(gLboD&`8#|)QV70DWL<-Vds7n5{zGwR@`G8cLz%~J8xz! zPnZ&DR^ZX5N|kwT;0wMt#Rb<4O1C0u^wMeTTV^7Q484$s_v>Fblb*6W|WGXECLZq8nK@9Hn*!{VhY4?OqR z`Sl++ejmJZ5qRU{PmNm_&i#1y?c(!SuU|WQ^UgQ#-~R33()Ei!FBgA4$!o_)uf5Ei vKm2}q_kwWci1_5@x#u7H=|S!X`n$(|z54D`H@-Z2;%xH8nS)245kLGJn?QFO 
diff --git a/secrets/restic/redite/base-password.age b/secrets/restic/redite/base-password.age index bf42ca0b70a8c18c2a8e97f9f2e05821e6ef24c7..3da9a83a9f7221310755e9ca6e0c86e46b91ea18 100644 GIT binary patch literal 1235 zcmZY7|I5?_0LO9gNy=GhTJi`XrwKyWwY%GH&n~6d?c43PyWQ@#`}P=dx7%&I-FEwS z+wBPq5;PP2p&~FStW+KdOU)oie=vQbM9WfAqqF~_p{s&H3P?N^^E@q~bkmtkDjU zLBdXFkeCwUG8D$JR5?ednI>0@teJ{{av0fD2g$A!O4%ex@jVhmY>j8^WX1x7dLfX< z1T56rySA?|aYO0aTIb5XQsG^n08P#IaHL|3Uq zJqBA?kx7%?u@HlxsyzkgWXl;Uz2vy!x};T=$YRlS>sCLXa!J7yMlz2G7%?EEX1lov#B!(k{vr{oT}5Zl1X)-0>oOm<_I;LGb&ckM7crQK!GF_ml2oe3wG6k zT6II=B;U;k#VW_!DT+q)8&>Rt#Gm;(BquNQ(F)0&j^))f9 zcQ|w?usF#yVF7sX@cVau`SeI@?Y-a39h@EByuEey!hw}LRz!>3T}Nl};-nl$kczAyGzINx6>_lhXo0pAE=oNbT&G#xNiN_8B zN4M;h24^Q8@&4YB`2Od$YcdaAe|psmfgXOiERzTD#d*Zb+|&reA!AJ~585BB7f z7jJwtcW7DnLho_n=A+QIB|Gwa_EpYqn?8H(#jDdxuYG%F%iiQc{2sJ>>#O67*Z=?{tt`BzJDj!(%<4bqs*E37sc=h00C-%NP`3%48*t_TFH}1dkC3R_b z)&1vUtIy}J&b>WxxctSc>He`_m$;^|ID7iH+g~5wda=Ig2C!&d^|>YLsgGCe-oxci LE3fSSp)~vlM9R8{ literal 1235 zcmZ9|-;3J>0KoAvMMqT_oFE57I^4uv?V2=6o5*w|X_NHQHc6W{Y1B#6ruotIM}9PE z%Wdj|Zt6fbMQ%=TI~CLi1@9gv^9RG-)CYH`V}fvaC&MRoq7L@UIp?GI7kv1B>$(=# zx(#>K_sw2+XV29W0T_ut7WF(Mt~HYg0%B1^v^&#yG^Vvn9l`6dd0@mBkb*Y55OvhRldfB)JS>fPYQkyJ<&M)!Qi|dyq&`|sF)=k04r-16 zw7wa{`$;4f)k3lXg;Bg)LC`EF2@-(_1AuW5LaYUxFSW#>RyPH{8X8p|MV!8lM$&m* zL`V(@=pI>ZKnCWB*uXWJh6;=orN$;bjk3Xffz9RqXQjw|g1=>TV5#eO2H8x5HMyjp z*4wqV#gu?*7p)|TjM0Jsj1Ebz}onj$=FuTbU`l2$^qFEj4=n5RmW8&l*pkO zla!iBcKyX%GTR&q(W-19Lcm#>l#6;2AuEAU2dd4a&8D&fnsS}4?#i<}B-dJndIaya(dM8O%| z`tOA6HM(e&=`aeHDA1$Z_$WX!1QXbqPQ{e%Hra3StjmZ#=W)}ZI79=p7U{BB#>B=# zE$fXH3*e1Vum~xiaIhw4wnt^SIF=f$pJ|BRdQFoHxQ|B_s8z=?rwNLJrMf88NTd{` ztgA)dE40kCMwOi*5wu2{k&R@joYho@(`sn+5veW9@Q{N@C#>TV2q-npz?DuP?=V6i zUaujB+-nF?KkeB9F4r=nR#qC*&Y*>KYoa-zIH(v5Xf81LkhX?ISqvk-g~dFPO(TH~ zh)C5M4thN}fE3Bn1k4{W)heJWj#AeH1!7Pw z)?AsgInGa}7+i%T7hakAE^n9@R>i3z549TH`j^p z_?a_*s(0`H!P;~ec}O~c&*F*G8y=pU=YIY6&EsFpzehFBZCDC#Zk%0tdEX2BpO|>* z?AO0-TiUpWKd|Mei%X05?R_zQ{qV%hClizZ?D}-a^UM6U2X~!b(D#=n_wGA$YUj+- 
zy>b3WaQpEa@a*b#@bJRaZNzGH<*PT6D_53Zj~%*Ws(g9w>PaziJIzd@-FP!sD0@7beopSrR2# ssh-ed25519 hTlmJA NN+fdIZAAYh+A7hFaWXYOxmemjlzS24WNa9qWIS8jQ8 -lhVBAvY+TWg1yAJcrgvphoOKB06ETLyH+DLLAO/32bw --> piv-p256 ewCc3w AtQ8DoBM3GwBCc+B70nQss2/lmirWJs845PrS6cyivYL -xrE8YMYKv7XTiMmu/Qh3W9j4KGkZIN61vnyBUbiRous --> piv-p256 6CL/Pw Ak6Zjws9g8YrtUPyVQpJxPOL2yhEo1izmu00ODWO/9bN -9g/dmEHdJTKg8cB3xQs5cSXQUz7TkXQM//SCA8qFgqU --> ssh-ed25519 I2EdxQ B1SaZxW/oOYTADdHLJ/CfE/ePpn5MauuQIV11P7ciWU -BCINmTI1TE7V5/9tIBUpHFBrzk5k5ycvrOFrmEGoHcw --> ssh-ed25519 J/iReg a93JQXzEH0rzZL9BzI9GWdm+vfIthZj9KmYe/xkM3x0 -BNLZmF4I/B7bNzZUQ7C1VYUiI6AXN7aLaQ4b5pS/Qpw --> ssh-ed25519 GNhSGw Z9bIU2D8d7oT6/k8AIUFk2GWlQ0kbpZIx6Mch6Zd9DU -ZWGrSOd/K5e0ZnFZvE8U4zLsBBKnTQUu6l+WAFrSIGA --> ssh-ed25519 eXMAtA 1ZPBxg7vVPdFl/I9Xgty8H8X0HliAQte0D5VrgRJYgs -onOuCxlv73SpBqIZarKbXzUJ/dERBHfPTy5EacFRToU --> ssh-ed25519 5hXocQ u/9fRCc+gz7Qo0020HYqkgeSk+joAGC9iRo1PpTTNWc -iFIduae61MdkkYBP42yf/59v8OySnNLXgypOS9Z+ib0 ---- 27DrzEcaoj5yEFstaty5e+q67L8kDi1hUN18k10kUAM -).M¦8-UH#c>SHF"I3-?cu?PssEB2SiU6z|-sBB-'rl~_glܦ# vdQuy4TPO \ No newline at end of file +-> ssh-ed25519 hTlmJA FwyYHqXJq8FnP/kKDOyZYMsEpOVVvdxcPka7dxH9TEg +hKPhAZz5/6DP1ugpv3bHOZrbSoVs0hpZSP8kycw0hds +-> piv-p256 ewCc3w A0NZ/VH4wQ07JGUjRnD2QU7VlrG4zMeVzHa7g46Av+jU +qCXVqCAtOikfPENz7RJpy0PTdTw1tAwusSWh1iDlVT0 +-> piv-p256 6CL/Pw Awzu5nbYg4GuVnEloOsPVwQ47BicdnAb4sS1mG+0w/Hg +CeDZkaghyrRT4Qokg6dTkDLrwND4mix7dhFgMEXzsRo +-> ssh-ed25519 I2EdxQ MrZNzDREuwEhfu7lU21VsJ02Q9orNM0TPB87viA78XM +NSlPC8lW9U2ppLIGySpmU0HJpemN+GUA74RBFhnhroY +-> ssh-ed25519 J/iReg ZWPGgqUI89NVHp7iLK37iRdwBGroJ0pDxI3ZMeIJ/Ak +PxJTCoNmF/c741FTeXYsjUjogf4/ZLZU56IoEKHX140 +-> ssh-ed25519 GNhSGw k4VJGNkwALEyUJfqoWNjm7gVS4EL1PDQtigjrJyKJ0Y +f35rY9JCJSiEkXEC8E9O2e8RqikKHL4WG91y+Q/0Dxw +-> ssh-ed25519 eXMAtA 4exKSkUZbK6IGNqms3oXHZjqxdanDxruBIWzlWkud18 +fikqarrrB2wEAS8b033Cp2QpAGxy1SGju6wcfcpgWPo +-> ssh-ed25519 5hXocQ A7y23nvH1k2eh9YhzkDfTX8BTsds6HJfTzEPgP7A10g +CXq+VQurL+CrAZKu9ycJp/iSz/S8CTP8F00OAhNzuwg +--- 
TZLMHnfF4+CThKdhjtmeSzB/66o6MEV6r4Fh5CzEkCA +j`3H1TCZ6/zR+qрȲÜ QFK׳8,oH,PDnfnTI\Yn +ﵖk +f M0Y`.\{ԍ%Ʋkp \ No newline at end of file diff --git a/secrets/restic/reverseproxy/base-password.age b/secrets/restic/reverseproxy/base-password.age new file mode 100644 index 0000000000000000000000000000000000000000..297fd73635b8057bd45266a6f1d3f8de9730fb2f GIT binary patch literal 1235 zcmZ9}+pp6E0LO74=Yg}BAYOO@VIfgt=IGjO?M8^&cJ12k(sf-gYe4O~w!3s|cj_;H0bP^H?_xC}iQCd`5<`gEvDc}Q0BRs>S( z5F*fAS?wXJZmSVc7f zA`BfKFeIp7FEDJEuF(VvvTzQ>Lyn+^bYLK9dZnhzC3K8N*_7lckeuXUpbH0lY@8`N zuGMj>9m-4FHt4h!DoNB6x>t(G1=(w+J22CB^B@&~S%xv135J{?Ocka&SW>N~GKyt5 z47yTFw`5!6qB&3Tbx3cuWp-2{bBl4#!PT$%6aDVpj`(IAaotS###L~>FAGe;HUG;^( zL+yQX@Xz0Vxq8n8-h1N12Z^0?pIz92ZR#(dS-0iXqq7Ugmd~K8_ut&~`}z4JzaBfZ zZ@L|!(08r7kFEav!KtYiUcMb$I=OlM^tJmxWOl6=&K@d0v-|CR-#It#9liL|!Ur#X zG!MOY^X@BqclGz*zkF%koz0UqspEbjhQG70XPF$79{O0XkxxF4m)k*gW^w-V2J6;U LWaiq=?VJAs;&HkO literal 0 HcmV?d00001 diff --git a/secrets/restic/reverseproxy/base-repo.age b/secrets/restic/reverseproxy/base-repo.age new file mode 100644 index 0000000000000000000000000000000000000000..6a068c8d7159127d434cd8e63c5b654791151763 GIT binary patch literal 1095 zcmZ9|&8yo4008iTo&paxQF-8{ZakHhE^R&=L?vmOk2Yz(^OB-MnxtvcHc6YWHhNOf ziMSp1z=MY;cytJRf;S&BQ4d~xFmUdq2fvtX7mtcQkG{X)2R|q9TYl`Ww`m?G@s(s9 zfMo}0z1YaIS6%E^DJTJ9N0IpJ_2^ zMM+Y17Hv(`n~?#QPR^uQ|9=+N6F~XYs@s9wZL3};=9t@=$S!LxoLH`6S{q>*GoD&f zCJ7F@)-+&X({WJvqb=(#RNUqQ;;ZaddyGup1IclU^hk@M`9%I2@J!+Op*#N>wlj!{|0`Put#1 zq^J14SDn>-OC)o$0cv$V&vIi`S~wwMGc!3Y@>3rrls?OEd#fyHXWWXx4Fj0lUUNf0 z_%`dq&KgC!#H5%YIAaU8n)%savShSw;#Z)aoYl~omAFd7({ur<<4G-bR-QYxR27_; zIyYR!d=4+qGmZMBR|Wju+&vrgU6vk&&w| z&}y|Bvo2DoiJXG=z-?psq;>>FqAC{_HK!|SO(Z~83eOiMfdIPp;M^nkcRsyw_2}gA z+;=a$^44z$&)&W8=kZ_1uU`BE_^WD3Te)Jsp)xp=d-gy1nU&86-mtOuxKm79ji_1&9J3sO9@7wDq!iUcT wH$Q)HV|nd^>dn3Lk6(H3;IUsnDcUOV literal 0 HcmV?d00001 
diff --git a/secrets/restic/two/base-password.age b/secrets/restic/two/base-password.age index 85962421655380345521fb8e932386be93663c8b..45621404467ba26abbe37b1a697b7bd4f44f531a 100644 GIT binary patch literal 1235 zcmZA0?T^z00LO8}$Lu61qKGDDXox0bbX%VVk*@2ybzRr4UDxe}xwhMFZP#{NyLFur zG`!)2_>c>pCY-^CXh<}OFCa#Oyb&%rMG}mP@gW)`2t-~GFeIFMzV!ZrPx8(0r?#5$ zrla@6u5Y-`X1Cu0hRH~LTh#N~@n$0h!$~~aYZk3Qh>D;g=4*%#4nuCl4@3iZL|t+~ zBR}8+yFxQMZec7H1G7{FDyWSqG!#`dY+%Cytqn0PumT^HF@|dllRAO4$||SItoNVR zHHPtS3Pz&MfYiYtN?M4HS#L^vFzQwNXd2Bc&2f zbn(EzRBaKUNG$|omR*HqBAQYsbViau%VoV%JqM+($ z(hzMy%PZznRAVGWu`Jq7PsLQwV=7kG9241?khfH)W_DRq!emHI5cm{TaLHn%UY0=z zX`-gbR|$!u5d`a!$xh9qc(M$mX}DCBvpt^jO73!v0gQ696&)z54MSj8M8bX*f$9y% z>qDrn!yPJ5;_W1_FmTy7OLjUD2@8CtRFm91o`Hc5uTiqE55ZHgQ_F8HSp3^KW(PQ8L?W)Wrj>fw`024PkW)2aU*@Um*K-! zK?VA~0YuOVss+Y!n&KLRRIZL8qnHkXOd3(@)N-w<6bYY*_8HRBT6wP22 z4l!^;&h6|nJI4qnpY@n{7|h#gZXbre>wLz1mGy&}*S0xP+6 zK#=tvL}jI}%^I~tWaZ+H*Y;hzv}P;c*!wwu_Up)*9rL&RymMyrp{GovclehRYWBpj zecR7>R$Q*XcV+eS9C_t|J=441ycI6LyZ-h&<IYPS&nH z@y4?{@eRE9_|faDc5^SBJN}ouZo_TsKU%o|t4ohe;1`3F6KjO~UVVC!tIQ3zT$(sL zgKoF4T)Y2M=DTBSg9E33SMDv&Jb3-f)$cTKD$}zsKl#NE z3wNAO)4S$3oZ5Z($lDKJoZRv{uyuZN`_(DEWrrb@3yoI;5jO80|F?!oqnFm z$23-zqe-P!HF!%ZCx&fVilj_|nCun?PKP5%K$f}#IByFLM#4iWt39;_{}`dp8xjw7z8*qUc{>!m!W z#b#MlFd0^|Jwhqtp4#$pY=kCik?Z&x-@Vyeb{OascMdo*=!^c zZTWVKMI_&jgd}EJE<}}Oh?S=_NCrX+rzuM`k*4cItwP(0SdpRAMaYm7B`7cll7euw z1DOcY=1{*vfJ6=k;h2uY(THvugCJK&$>Qy_5@?88H_0iQfp#k5P||~*@0MFe?B@Ci z+lfJTA^P$-J;GQXr25^3&04VTwc9kmP>AZ*%S8+8g>Kh@(sTrt%&gU_gnmgH0_5#9 zrlLzsnCv2>VFoWmW0c4Mf#}MCuU0cS(19vE+*^1{*dNEt0ALg>;Z53cU-3kpt~GlY z$OW-jXEPQqrQLLOFjfbVDM2HrX_oIWsi|dhL?-FUv^x-{Al0roxQA6nCAKM=Sd^xf zP5fj$Nw|F2GDkk2FDBxqm#2*aGNmz9zl;*Pi~!9V+HlGCkPS*bL9LJK$e7ERcbLR= z)ouw%x5h_cIF)BZwyJZ)kgPJgfYya*VZMA56iCk<*|ehv5thI)tpU)vI16-WyA~^z zK|A1W5X*&})^rxO?#|JF)$Vm$K~JC(-H42Ol`3 z&3xj1kli}{S?a;x<`=`^<=6iDMLND=$Eqvt+${0t-Y?QyzC<>P6EpXI^Yjw!#@Soa zBBb>PaP{n6I}VVqUNx5Ps@fM>{v)J6|Mz&g!H_4OQLh8=ck-|IY)!AYu$iBDc>CS2 
zoEDq(kI$~Y*n55Mop&GKxbCr|m-c*qVfm8dZ~Zf^&aeLd#Y1P-oL~0o%NtJ}xlW;n z$JY){{P0tI>7&s5+1Z=n>`wCM;+Ye|hhKet^xL`pPh!u_>|S&1^x>5|R_^PN^Uk&V zmkZg$+dkee!8^}Czhc+E3487KE4vHRGwWBoC;wD7zd#?O8uivwYacoA5V-Bqfm7?~ Fe*pkky7vG8 diff --git a/secrets/restic/two/base-repo.age b/secrets/restic/two/base-repo.age index ca8fb65..8de1bb7 100644 --- a/secrets/restic/two/base-repo.age +++ b/secrets/restic/two/base-repo.age 
@@ -1,21 +1,19 @@ age-encryption.org/v1 --> ssh-ed25519 qeMkwQ /keb+Ra7ey8R57qBRtU5VNvXsUBGlP/D3xmu7ShrFi8 -0cLRMQ+nT3uZO59LHNNQLo8lmQsBWuyPEcsnGzSyaeo --> piv-p256 ewCc3w AiuuJefLgWkM5EzXWGAx0sAhGii/a4yXx1a0N62QpEEA -jC3Gph2c0qfsXdivztaOGxqwyH8YaDp8JNsBxYvxmAw --> piv-p256 6CL/Pw A3TNn97Bkf89T3gdh2nOVg8gGJS+YTdxMsT8x7MSwZU7 -sr4NvxEW9NYmROFwmgGSFAkEodrUTxCEX9YKhhzaI/w --> ssh-ed25519 I2EdxQ +Vw5lZB0bpthF5TkdHCsxhw+2VDh6Se7moPZn42R8gQ -w+hRvGIAehIRIuPzvGtZmSWPUxlmrJtRiq1Vphl/bfw --> ssh-ed25519 J/iReg XmBVKUHnA7HbC8eQHRg1Kw52dAYlkXmi3t8CfOVY+hk -lJTLuekWjOTY62hJNpi/fwlyRnWEi1jqGZRVFHbkYHY --> ssh-ed25519 GNhSGw vQvGrEIBipBdgoK2nFm+TygkTBwNrFybwwP7j0w9sA0 -/qQmQ2iB7zXPy0ZStN7cbTNoVdjHYtBjGiKt6Qvj9co --> ssh-ed25519 eXMAtA G4LmMcFCSHgu9nUKVoryCm1EAgw/8r/udi8ioP80D3E -AzFf/on9+O+xrx6CQNrt49kRw4M/9dLywhc7lKW+p4w --> ssh-ed25519 5hXocQ ZIdUDfleb27LFxg2t4d3LXtqE/wJ8Vbie0+fZDAnKWs -VUOTStUwbfFsgKiX5GEgxlYMnSHpXrq85UEC884y314 ---- bHL/tQMiSDfTBt6slaaOwE4r2ORKV0YuhUzqoC9Ea+g -B)b,} - 2( -ۃUc!} VjWPlk 2"sn T}j _d/%J,Tr%ͽrCEtD` IDO$0L \ No newline at end of file +-> ssh-ed25519 qeMkwQ Bi93rI91LBDaaY/yPJDhvx2Xz4Sc3N/QHCuaSIvY4H4 +SEm6Su5gjKvSF6vyl/M80LMS2+JuzllJ9h8R9LWyaK0 +-> piv-p256 ewCc3w AtUZadXsE0CuZPNJg+Rqbbh8cxna7+y2VGVa/lH/N7dh +O7V0wXiK0qncQ6bagJEgzWsUQ5i/K1nibxy97pmDgRc +-> piv-p256 6CL/Pw A0WY0KqpmfB91+nNKnda1hudfI0OHxGi+AEBSTyoYBg9 +l9aGu0kEMfK5g99UADmGN7v9T4c9VPOB2ucmoN+Lry8 +-> ssh-ed25519 I2EdxQ QcTXfmdoGtiGnnBsh8iA7BMhMGUdGz753VGTbnM81zg +HOAA19NC/kbQcpCvpBEhxZvIFQbJNlbW3SsC5D8er8A +-> ssh-ed25519 J/iReg rCs+36Az9gPC0z0bZOkY64kqAQLTRJNIGDPeeAsLLQo +E6i/Tio41CtWvQpwPjgVN+RLyHUb2StBsT65LMnSgTM +-> ssh-ed25519 GNhSGw 8iGHolR8qo6hHIVqLWtOGtrqQwk5lHT9hZA9MtW2vz4 +vPyPAHUkRWVRr1oZ8kzR5Tu2d6Q16hpjPajv5TxJEOU +-> ssh-ed25519 eXMAtA l6mcO5XxwwQaTrfwd32ANLFma+GlwFbqlBNo+sI7/jo +VwjyfbUz//5bbDfCsTy9azFspvykY1+am2TDbajulJU +-> ssh-ed25519 5hXocQ VGfJz+xp5kUTIGLNKE3p4bneECJ8lhETRxZoYq/MaX4 +apxhOfB0uEWMtEoT7oSfWkN66swG0XuN/eK1hWPd6p8 +--- 
hEoLlgb5t9ASMlVBOu4/QoBBRr5551YqDw5C3vQJ6C8 +5G3M&4sS='N]?ZU:|/?9XǣH~yRz0Q/7ʀwV+ɢ\(cޥ7>}'1Sg5g&ij> \ No newline at end of file diff --git a/secrets/restic/vaultwarden/base-password.age b/secrets/restic/vaultwarden/base-password.age index 34cd4866065c13fb078bbdf5081be455b03b3769..cb0999a2c6d6c9d0607f6cbc04a1feb92f737919 100644 GIT binary patch literal 1235 zcmZY7+pp6E0LO7-OvFW_5{bb`oM13e=hk-ZRvt*&uIsvP>$^qbQI-4kn_8h@2BKC`KZI;{(SiFB)(0@}&3|eDeL}rxz&@~7_KrCMOLasE9OSD7gND>8D$M@PAgOqK}qFkdt zwg?=l!wojurSVETTVrAtHxM{ypu&x;47!L0F?;svu;!U{4l#>2J+7 zgMVk8MzqSB3fPC~Q6KJvX#&r9%zrGDEG4UdSr~{64YQ+#03tD(Lw^ID5;FehEswiDMGpcr&4fVY=Ef$ z&yN3o2wmw2^f)di6#2j(Sj#9iZ4B;XnHzuVnSWh}2BmjNOko^ky zzc!@PbW}b*=+%ly6_N&mBooC^PXMhdpYlAemDk!PoJbU}-&14Rlm=Svge}Vi z+eR_BLMuFMa!#dF6OF(mDV&SINkN^EsaPVBhLARaziT41ImVSQK37Q8;f| zK(eNDt*{J|`5|t^E=;peZ$YlKt6y!n`qt9ZryeN&zVRqCH@LFq;Mxam(t&A_Pu literal 1235 zcmZ9}{mT;t0KoCG!rX(3Vc7#Ei$b3~9=E&Oy)5E^?Y7-s?)`S#?MbA&+wE?*+ugRi zXLlP#5|{{DBpKo(Mu8d%_Ch^bnb->vzCe~wX&OCbKM201LGk-Juv#a0Rx6p|+s+>V(~znt~AnhwU1pd;e&i zW`Dc`A!t+&2n`ORDNOS!REfdsWUbz)XT2<@S*5<$>vxi%)R_!1%YfSauuk$?1SG_Q zI%JZq97$S~QY+h1Ds+Ri)y44)&49M4n{-QZLM8P-3ni!+cgu>~Vkr}sC~%6-fNCS? z6kQh8sBXg;@}kt1rLZ8f)kZ(oqauAA5aCKaloUs;l?z6QC}Lhlh?ZSW$i5NxVzSPv znyOa*wfJ~pPM?$W)v8StgeGAb zO`(<#_@X;-P)HI>`|bQ%Y|wTO(dEe zp2!t*(tM3%Opy$tikT&ZlG*}`wm%G0UAJ8rf@r3#!Onn`bFRST^(jn4da@hw6HvLM zbgi1$Wtd5;KzmYL%6N4rsAPyhFNjKjqA-w034Fe$%XG?5MQiO^Q|Az?s))CmSiD)7 zL>ZM&gh&cON-euUu#lC>xnWg`Fu6AEvqhk(<0uQXDb`2$GBgF5Z3kD2jN8aCjXd9B zV{$NGLrmG#_$V85I9C~94$M{QDZi9VRmz~N*9<9BHytkkl7of-@{Vob5rd$eu8~4T z*o6tdm?g4Y3dl2hEoI_ysFx&4WIO}NV8ytljgLnuv|#x*>~#eX1zNHzDN3Bj1{m8) z=kgYxgt&Au;WyHn6_0#7@xhlPyMEobdfEEJ_dc~?^-5C`N&x~-hPhMLP z|LW{2eBpk1urU7YYu_AN**f+0ZA*loTT2hVwC(M|u^7GX`k@nZ+DL9u?Vf{|Ry>GV z2OhhA^Tc~C_m!n@i90SCN(yR?k_K2 Qxcbodle0IrDL1*l0U=+%L;wH) 
diff --git a/secrets/restic/vaultwarden/base-repo.age b/secrets/restic/vaultwarden/base-repo.age index c3c14abe75c9c0535b64731c939f36e0b7c2db6d..885f483ffaf2b190989cecdf8ec14390d4a1e664 100644 GIT binary patch literal 1093 zcmZY5yUXJQ003~|YQ%CRqf*<^xz#sUzyYI?6D)PsReK2fB zz~Cvcs=|TqAvivofZFc37Fux6(lX_!3rlh1PMgjdRim||FejhFqHna#yd)r54%#gt4`KtXRRTQCi=?CNI98FaX*&oc1CU> znUMf(>jomTK*#jHYZamHU3clrUFIc(ZqgJg#-5(Trm*d~dlxxm?j2=t)i_uzDSB&W z_OTO;n1>gE6xdW1GI_U|kR9n($`r4)0uYfriIee+3(~FA1gTf@v(#SbElkWgf0r)y znTClGjiCCy+Hx2vegGcUJD!^f)jlf`9X=kdqS0CnUa!YI%~L8-=D32uR_)3hfP0Wa zPivN!F-qWhE36DMp2IpaQ5dX}h&hWIJQOsGNW52LSE0(bAP-wjzRSsyTF>d_f?qh> zK4PYt*3Vf??s`S1uzEf`j?@-_w1W|8TDM+7hj5Hg=#mTdWQFjv#>$tYkut_RvfCXh z=043g#c4eSQy;<2W(0KvpVZ?n>ZZ`dA#8kmPznNV*POr1HQNhgl>_2T6{1m#iHk&vpI225WE5Z~aH=OA@-Y~mw5)aM7mBDc5&#D!T15cjf%n<%hhh zWBrdeUcTFXaO;^LsVAO1LH$6v^1$7XFCNS#??&~@^4(KXWtaJ{{d?xb{GHv literal 1093 zcmZ9~&CA;a0LO7qd=7E$;11&DF`z@XTJzStAr70DCTW@`Y0@@{3~BS;q)nQ%c`4#R zQLj4OMGw0OUQ~9F=io(TjDgc#MEwI4VMkHCOvUL*pTFS4@5gr$`dxqH7Hz(Zv(58a z5keILbT5Hr8FhUR#c_lN&26KOY7pxsIUC7+2p6W|%0Nv)YLI@@j+?c@nWevW0(NbX z{HhHBQ;Th!jUjnvM@=k>ma>Pkx!hZ0N*FEc$;2Z@8O^F8oBX5Yan;RHoB;irb+H=k zCly)RLkq1OWqCa}##kbr0>et;sx&|N2{lxwd9<3>6TzA-HH?CK z2;Pw+gVh5g^@8lQHiY7dAA<9k$RlN5j5a(Iz#P-lY+YsGZ6WRRK58#H&K(`dBw+eH zaPSex=_osaQaMC)M7S>9oq{@@MSwVmgGICUT8>m7L-^C0FpdnN1}Uspi(>;GX#C6$ zY6?euqA_Vaoxxadr5+AD&t-=~O{_9Nqqzk}mVIQflCvh^GKUkWJ@FYl zY@plif{^H7O0p6>W6xxq6s>wbsxyft)ey{Sl_>@)T3N0-r8uYLaI zt?O4VDxmS6`S$nFlh|+Z;T!*hAMTHD)=wWjmz>8PwZl2w{5mb+Gcidb|2wUI?;hrq$uR6M2bQw z=^%*?6i=Z@hn^Br>H7Bj^Vh$hf8MXx=kpOr#2~R+q_f5wWE!=ae*f=;^$ReN=e2swwmk?PzT!f8HAdtb#0E6iNw0M~b6c0rpfnqaG z1TzCMNCXtl(F;W=rkE7Zj(|$gB%uY*X0hYJ;8g?~Qzez#tTwKN9!CYBVWDx%2$Vq} zj}6d5t)bFbA(DudnaKn^nS>1!Y2{!QP7$vaaZ&%zLgL6^`ftmKgm7sL9^0Ui(QRx4 zkw{r(FiVwk7LgUNHKL4qC&5`Y0Eifu%!hL0h^g=@rGgVu@(jpuf>vM$#86}TENG%1oSm{2q#R!2tbN;bTR~v#hJ85 zH55&Nu-E{Cm@MT>HC6s;D2giU>Q>^ z0qQ03G6mbB;sqEe0eY6g09MdKr~;x59U_yX`SC&v@{h1%dr}a 
zFc=>ji3D?yECg9aW5-393`~TYhyoxG29_b5gpujsaTJ0sjHJaO88R&|4h5r_AzY@8 zfF+2iN-_<~_)`;eDHsC=D1+0)GNctoVPN$FH8Nhn7HZIRW2{%ka}^At&P?Y9;1paFUB!cF`E2+qadAUZaN7V?_Y1%$SWV-MX3TxbFUD({%tdr9-u$7g5Hw_-> z$!qc3Bi7|4dmi@o_bI%vepy+q#NqW(h&+P0EXK!yT{P$f@ZR9og@4f_H-2Dz6fdPV zJUz~HGW6BVpXz>pZA;;H26#BBW)-pLHJtv#t0wqB^xg)s0waiK{nQ`2=x^|c4)EZ>(FNA; z9=RT=?*k8ZZBBLH@;*HTKi-lZ>=X{Go%751rg^n<^VqegvP<=j^T+1pD)Xqa%MmC{Eg9C}&y|fv|62P(+sNk~BX4S^%J%Mk3>r_geq5OneXnAu z4%T7&N@?kBa(}w5lB*h1_)VQd5{@@`Ri_uGxL1EA@B(!WaoSDg;-cu*ynCBl3`hNE zz2BT=CCw-!?QhTBdav%tiS{mE*htBT<+VcSnd?XVR9qk5I~LG*R<*vj_UpCi674le zv%oJVV&M|y=^p>W<|_cC$HshX*Tc0@oEwc_kMwq{q90+^@7As_Cex!6r;z>vG@kca zyrggGGrK|*VcVV8^PS5uBbB=Rz*`HDDHGl!&$lHPw6VUvF@KouDjK=i7U@-YH?Mmr zZpRXMjkm2z>A;o_q)tpel}G3}TMPa+^Vy!HEtYxt`N&x<%n6^t^Q%&MEx`*qTw;6M zzgdzVb$JpG*M0od<<@`-b{PCm|DMc)$S24l(|~FKkUC^TE-I^{;ia%2c&AX;(Xsd9iQ2 zswWSQAB>w5LH=@Vus#0zJV4*&yP)Cj`8JU>>h`VYzZwF$fzuP+M$;VX{ZqD1OC{y? zd%ZlikobIQR!Gp9cBU*7t$i{+52oyCdR%|9O$l-c_FvbTUhRnoP1%~{{+fyD#iRMz zg>cepLK6>j@~#JpSd^S|XtUQjzK?&Biyf{01pRv3f}%~=n(w&e5*Jq{ej&F$PO)#S zx{};R^GjMb*LIisc}SG=Y>{x>nlZolkZ*Ixo7JthOk8nR`rf&fhi-52PR#>;slFK0 zr)!`6M$l9@fP1nJCcNJ{{5EH~)hjvS?Cosr!KAbxm#)v^o%og4$aQTUC&H%f5udSd zeNQ=i+380l<>;s9<$I5r!J9T2kb+u&xSZTk&c}8gIsr+3Ia_>*a3m^j}&j&t( zzFnL@efRy|y4l04o5rRVo&GKpO^QkjCKm3NWktmZOH#H`V`nVdKxNj+$w?T^cj1(? 
zzhd7^mL$Rv2OKoWOZ^=o9v#Qm{&IMw|Fq%1O2*`XqvK1j7V`H^dV8m#dIaG%Q0nMK zdkd6J7%k8mJJd}3?WdAwHC^3QwWX~T!mYDFs|=6%d#t^b>1U*(uYlQ3<0G!`yu#9| z>>ZrzU1%8qW;uqE-t=VF%_G@Bm<*eKm8g@cpTzZpYPJ-`o25?@K8NSC59$kmB{Y8?PE!a%;k zV7*@ED-pv{C>RFJ(Izt@Okg&bpf=+oBMee8-CG5fbM-U^o-6ZLo4ujoW?57iO)OJl zWdJe^3W5q?Dy{@V2hd8nT7wcBq6|6-Rv?2xwFy!Rl|_}YDao)XRZ5ipf0{;a^wq#o z{$Pm-FG85WSY@~Xg{Gh&e1tp+V`ghGLOvNo&;tyPkQvPYQY1Jg5k)nSX&f$y%9m*5 zNCHR7;Y0ls)oO|~EWkgS4T;8c!wAU|z?&{rsQ6*x2&U=(EPs3ig!!+9)=|A_k^aeg zs#zg6(4!$3L>SJWLrCGHY4~UgH-JIo089X@qEJB*d>WF4#)QRd61|~U3~vn{1^6?flQ9YtO=ph6CllcW z6I+K*QJ~CX7{eRKp@9Sv16r&Fpfp4T2Fi$5CW|6*6sk@rW>86F6E2a4F%XPN3}^tG z|GP$k$k`GAj7y=3iKYY*ix@9Q#T!t91dIyDAxktA5}p$oKuSbP;S@4mKnV{38PT`^ zxe^UiG7uE9fyKhpm3%xDD~lj$^)vxTq%)D!3^FlNMnL|q5$Uo>q6tilr^D4aEre2(SXKu;E!2s#510O83=1RRt6yC#XIVGUR?3Cp5$>1H{V%aAbWWHr}c&1R5|Xaf!k08}K0 z#gQV22}*1tkq^?)B?$I>b)kXjxBQqnsHy=jTQo$jL~)THA2`xyon5 zx)sh?T4?BBy)V~4^Y8h2!}#mVnIh}gYb>u1M=qp;Hk+v0%KG=SjO%RXE0QE`p=8GM zdpOX&eCx$S1>h+HvE-5D>T*() zH8zpdU3H{7@!iw;PLCAHAA7zDLT(M_eEB}`4}jSFqOHRH^*(XNhcA&fsU*@?JW0RF z>1;y#eajS&&K11bZ)ULeR}|~RmsSo?kF5S7)b9ExhwahcYB>delpnMLLQ~9q`FhbG z2Cl>0JFg1XcK7TN23_!6VuU@CP5)e8^Om*qE2_r>nPPv#F)6IG;VN=u{La_w8*_s) zn;ILs9~&`dR+8G(5pvQiGT_Ia*As5r1HPSUhBz(brS(!6`DavI z{mT%`^_D2R2EoOUSi(%FnD;MW=hpgV7Di@oXzYE{n9DsH_-;4bGw5c?vxzp?NXYWX z6%JrC(pEn)tjTuq|LT(bBzq2LNIG=I00Cs(9VHJj*&jP*7uo1S*#?{OA9M4aMuqcC z@sH!ImSUOsN}!T!-C>@6^nmzwO#6XnlvN=+`^~)*kF%h3#{;WLpP#6U_V$&xUTbgt zFdE1E$67Vw0G<&z8dIn3Y7Bp-rIA-mdbK~B^h6pUxhm}?^K6(I?^Kn%%a+r=g|cxb2mK(Y7MK?4-%%Np$a>|y9ouNW1Sdv1T+ zvy&*`tW0!_D_gpt>Zsb@TGv-}=}>cKT}{@k;)|;6(d;hP8D}TSFn3*d_FYZyNayuT z)QZWH?Nf@NF0DS>PCpvtey|UA?QG0g8>?UBb#1Hml(Xv(#^zLcQpP+0TVXo$bL1|t z6pC^7Da!#sAI@$JW{QnLqANqKDRG~Det=4^ajOdwnc9~Rro8{KK)8ckpjK7CgEcN0 zht%D&%Zat<{Nf~o389PH_$ydrlOFp!<~s-jNqzDS^Y>d5XI14=McWH`#U2h{)r~It zyKoELUH-l~ccic9i>TCjR@1-lJ2e(nnq%cj-)|0`xnbCW-g^B$#0~1_{mZh9fJ!>p zM^+s(R#O#8eL%jo7X|k%zyGOl*G0396Ld-Z6gTx{YgypRW4G=z21s<@Fa15WvD#_z z%20H~mXJjwqZ6@noW>aQ$0l*%$1#J<66gJQa6Qdyx26ZecG_n2Y8|fI=PYae=v6ft 
zFjz2N+-=>um^d_4c5ZE;k@+XmCJ|h{WrR9d=cYe7~HWhW_82dht=bi%ls#=G(1>% z-mYUMrhs#$$mQBn1{#li%?EC%$&0ONbNlMo?%kXtyzdH~wQKijeQXTt5=YWZbVH@V zrpDiP>W_<}^$4>dOW^-;6ZQ}LO|*@?xf{ND3;TtAKqYzRYnL}+d!c8AypKm}mrJW! ztJYQ6=Ix}`q%k`9!4(9Vmz-t`*3(dbhTKT)TA z2QH--KB#oZmz{5RFe`YL_Qrm95$mv#VVhfN*Zb%%TACH<4i9e)vfaD%>C$&I_GBCe zmzvwGZK=mkc8acaH5fL~F)cy)nD0XYW9i3@EpSNbB9Db%j6#QR4a}R0PwCYeR&ZiD z{e(=R33R#rr2g}oppA>Co*+xh;x{w59Nlb`y+RDsK=QnrCR+Imvho}~=Iyb2Jp4V_ zc|*yq%!6^z_T!VY)-D(7y*f{?{5CM;3^SPetsLs&lEbGSYyFFc>`u~P1#!@;Lt}&f z&Vzrq9IRCf>(V1bm6W@o@nufW*h{XoGz>Nc>D6p5Joij})z>-AHl>89pk;5XPF|kw zXR!SED|!1=&l#+IOTVe};3mDTsBqrhKSeb)$Gy%ORJ$974_(WsUE-#8CAG8np8;pq z*KE_=Y-%m5yzHXX%I`&Cx)>f^tn8Houa2wF^NO+AY5O$$?;m)#yJuZL@-TbSahMix z`O84a`rtpZW61o`Rfr^ve4GeUa&0xYtJS&lb;gt+B(n1c@w=KipCveZdp8ruSk9|2cQ a1&7bA$xYqcS`VLkOnS&=Mt1(ZMgIi=t{jR0 From f80e801516eac97d95c797143b96eb19bc9918fa Mon Sep 17 00:00:00 2001 From: Lzebulon Date: Sat, 28 Jun 2025 22:34:23 +0200 Subject: [PATCH 40/41] fix: activation du monitoring jitsi --- hosts/vm/jitsi/jitsi.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hosts/vm/jitsi/jitsi.nix b/hosts/vm/jitsi/jitsi.nix index 71f46a1..a2e63e1 100644 --- a/hosts/vm/jitsi/jitsi.nix +++ b/hosts/vm/jitsi/jitsi.nix @@ -13,6 +13,8 @@ services.jitsi-videobridge = { enable = true; openFirewall = true; + # pour le monitoring + colibriRestApi = true; }; services.prometheus.exporters.jitsi = { From 436158439189724299c47d0bd4cdf37c62c04e2c Mon Sep 17 00:00:00 2001 From: Lzebulon Date: Sat, 28 Jun 2025 23:09:32 +0200 Subject: [PATCH 41/41] =?UTF-8?q?suppression=20-vvv=20pour=20r=C3=A9duire?= =?UTF-8?q?=20la=20taille=20des=20artifacts?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 5fc7339..21dcae4 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
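Review bot: The COLIBRI REST interface enabled by `colibriRestApi = true` in `hosts/vm/jitsi/jitsi.nix` is a private control and statistics API, and nothing in this hunk shows which address it listens on or who can reach it. The same `services.jitsi-videobridge` block sets `openFirewall = true`, so it is worth confirming that this option does not open the REST port and that the listener stays on loopback. The only consumer is presumably the `services.prometheus.exporters.jitsi` block that follows. I would make the comment record that constraint, e.g. `# monitoring only: private COLIBRI REST API, scraped locally by the prometheus exporter; must not be reachable from outside the host`. The enclosing attribute set starts and ends outside the hunk, so any bind-address or firewall settings elsewhere in the file are not visible here.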
@@ -8,4 +8,4 @@ nix-flake-check:
 timeout: 1h
 stage: test
 script:
- - nix flake check --no-build -vvv
+ - nix flake check --no-build