From f87164088f614a6a7b1053700c966c2a6c8c204a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?= Date: Mon, 9 Jun 2025 05:02:01 +0200 Subject: [PATCH] feat: add kanidm module --- SwarselSystems.org | 255 +++++++++++++- index.html | 455 +++++++++++++++++++------ modules/nixos/server/immich.nix | 4 +- modules/nixos/server/kanidm.nix | 170 +++++++++ modules/nixos/server/monitoring.nix | 35 +- modules/nixos/server/paperless.nix | 38 ++- profiles/nixos/localserver/default.nix | 1 + secrets/certs/secrets.yaml | 12 +- secrets/winters/secrets.yaml | 14 +- 9 files changed, 854 insertions(+), 130 deletions(-) create mode 100644 modules/nixos/server/kanidm.nix diff --git a/SwarselSystems.org b/SwarselSystems.org index d6979f7..c1e36d8 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org @@ -4055,6 +4055,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a emacs = lib.mkDefault true; freshrss = lib.mkDefault true; jenkins = lib.mkDefault false; + kanidm = lib.mkDefault true; }; }; }; @@ -7383,7 +7384,9 @@ Here we just define some aliases for rebuilding the system, and we allow some in port = 3001; openFirewall = true; mediaLocation = "/Vault/Eternor/Immich"; - environment.IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://localhost:3003"; + environment = { + IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://localhost:3003"; + }; }; @@ -7425,7 +7428,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in :END: #+begin_src nix :tangle modules/nixos/server/paperless.nix - { lib, config, ... }: + { lib, pkgs, config, ... }: { options.swarselsystems.modules.server.paperless = lib.mkEnableOption "enable paperless on server"; config = lib.mkIf config.swarselsystems.modules.server.paperless { 
@@ -7434,8 +7437,14 @@ Here we just define some aliases for rebuilding the system, and we allow some in extraGroups = [ "users" ]; }; - - sops.secrets.paperless_admin = { owner = "paperless"; }; + sops.secrets = { + paperless_admin = { owner = "paperless"; }; + kanidm-paperless-client = { + owner = "paperless"; + group = "paperless"; + mode = "440"; + }; + }; services.paperless = { enable = true; @@ -7453,9 +7462,35 @@ Here we just define some aliases for rebuilding the system, and we allow some in invalidate_digital_signatures = true; pdfa_image_compression = "lossless"; }; + PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect"; + PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON { + openid_connect = { + OAUTH_PKCE_ENABLED = "True"; + APPS = [ + rec { + provider_id = "kanidm"; + name = "Kanidm"; + client_id = "paperless"; + # secret will be added dynamically + #secret = ""; + settings.server_url = "https://sso.swarsel.win/oauth2/openid/${client_id}/.well-known/openid-configuration"; + } + ]; + }; + }; }; }; + # Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS + systemd.services.paperless-web.script = lib.mkBefore '' + oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path}) + export PAPERLESS_SOCIALACCOUNT_PROVIDERS=$( + ${pkgs.jq}/bin/jq <<< "$PAPERLESS_SOCIALACCOUNT_PROVIDERS" \ + --compact-output \ + --arg oidcSecret "$oidcSecret" '.openid_connect.APPS.[0].secret = $oidcSecret' + ) + ''; + services.nginx = { virtualHosts = { "scan.swarsel.win" = { @@ -7809,7 +7844,7 @@ This manages backups for my pictures and obsidian files. } #+end_src -**** monitoring +**** monitoring (Grafana) :PROPERTIES: :CUSTOM_ID: h:a31c7192-e11d-4a26-915d-1bbc38e373d3 :END: 
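Review bot: In the `systemd.services.paperless-web.script` added by the `@@ -7453` hunk, the OIDC client secret is passed to jq on its command line (`--arg oidcSecret "$oidcSecret"`), so for the duration of the call it is readable in the process's argv by any local user; reading it inside jq avoids that: `${pkgs.jq}/bin/jq --compact-output --rawfile s ${config.sops.secrets.kanidm-paperless-client.path} '.openid_connect.APPS[0].secret = ($s | rtrimstr("\n"))' <<< "$PAPERLESS_SOCIALACCOUNT_PROVIDERS"`, where `rtrimstr` replaces the newline stripping that `$(< file)` did. The filter `.openid_connect.APPS.[0].secret` (dot before the bracket) is, as far as I know, only accepted by jq 1.7 and newer, while `.APPS[0]` works everywhere. If jq fails, the `export VAR=$( ... )` assignment leaves the variable empty and paperless starts with a broken provider list rather than failing loudly; consider capturing into a temporary and checking it before exporting. The diffstat shows the tangled `modules/nixos/server/paperless.nix` receiving the same script, so any change here applies there too.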
@@ -7818,6 +7853,9 @@ This section exposes several metrics that I use to check the health of my server #+begin_src nix :tangle modules/nixos/server/monitoring.nix { self, lib, config, ... }: + let + grafanaDomain = "status.swarsel.win"; + in { options.swarselsystems.modules.server.monitoring = lib.mkEnableOption "enable monitoring on server"; config = lib.mkIf config.swarselsystems.modules.server.monitoring { @@ -7829,6 +7867,11 @@ This section exposes several metrics that I use to check the health of my server prometheusadminpass = { owner = "grafana"; }; + kanidm-grafana-client = { + owner = "grafana"; + group = "grafana"; + mode = "440"; + }; }; users = { @@ -7854,7 +7897,7 @@ This section exposes several metrics that I use to check the health of my server { name = "prometheus"; type = "prometheus"; - url = "https://status.swarsel.win/prometheus"; + url = "https://${grafanaDomain}/prometheus"; editable = false; access = "proxy"; basicAuth = true; 
@@ -7879,10 +7922,30 @@ This section exposes several metrics that I use to check the health of my server settings = { security.admin_password = "$__file{/run/secrets/grafanaadminpass}"; server = { + domain = grafanaDomain; + root_url = "https://${grafanaDomain}"; http_port = 3000; - http_addr = "127.0.0.1"; + http_addr = "0.0.0.0"; protocol = "http"; - domain = "status.swarsel.win"; + }; + "auth.generic_oauth" = { + enabled = true; + name = "Kanidm"; + icon = "signin"; + allow_sign_up = true; + #auto_login = true; + client_id = "grafana"; + client_secret = "$__file{${config.sops.secrets.kanidm-grafana-client.path}}"; + scopes = "openid email profile"; + login_attribute_path = "preferred_username"; + auth_url = "https://sso.swarsel.win/ui/oauth2"; + token_url = "https://sso.swarsel.win/oauth2/token"; + api_url = "https://sso.swarsel.win/oauth2/openid/grafana/userinfo"; + use_pkce = true; + use_refresh_token = true; + # Allow mapping oauth2 roles to server admin + allow_assign_grafana_admin = true; + role_attribute_path = "contains(groups[*], 'server_admin') && 'GrafanaAdmin' || contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'"; }; }; }; @@ -7966,6 +8029,7 @@ This section exposes several metrics that I use to check the health of my server locations = { "/" = { proxyPass = "http://localhost:3000"; + proxyWebsockets = true; extraConfig = '' client_max_body_size 0; ''; 
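Review bot: `http_addr` changes from `"127.0.0.1"` to `"0.0.0.0"`, so Grafana's plaintext HTTP listener on port 3000 becomes reachable on every interface instead of only through the nginx TLS vhost, and nothing in the hunk explains or restricts that (whether a host firewall covers it is not visible here). The OAuth round trip does not need it: `root_url` and the Kanidm `originUrl` both point at `https://status.swarsel.win`, which nginx proxies to localhost, so `http_addr = "127.0.0.1";` can stay unless there is a separate consumer of port 3000, in which case a one-line comment naming it would help the next reader. The `role_attribute_path` expression falls back to `'Viewer'` for anyone in `grafana.access` without a role group, and with `allow_assign_grafana_admin = true` membership in `grafana.server-admins` yields server admin; a short comment stating that mapping next to the expression would make the intended privilege model explicit.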
@@ -8212,6 +8276,181 @@ It serves both a Greader API at https://signpost.swarsel.win/api/greader.php, as } #+end_src +**** kanidm + +#+begin_src nix :tangle modules/nixos/server/kanidm.nix + { self, lib, pkgs, config, ... }: + let + certsSopsFile = self + /secrets/certs/secrets.yaml; + kanidmDomain = "sso.swarsel.win"; + kanidmPort = 8300; + in + { + options.swarselsystems.modules.server.kanidm = lib.mkEnableOption "enable kanidm on server"; + config = lib.mkIf config.swarselsystems.modules.server.kanidm { + + users.users.kanidm = { + group = "kanidm"; + isSystemUser = true; + }; + + users.groups.kanidm = { }; + + sops.secrets = { + "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "440"; }; + "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "440"; }; + "kanidm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "440"; }; + "kanidm-idm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "440"; }; + "kanidm-immich" = { owner = "kanidm"; group = "kanidm"; mode = "440"; }; + "kanidm-paperless" = { owner = "kanidm"; group = "kanidm"; mode = "440"; }; + "kanidm-forgejo" = { owner = "kanidm"; group = "kanidm"; mode = "440"; }; + "kanidm-grafana" = { owner = "kanidm"; group = "kanidm"; mode = "440"; }; + }; + + services.kanidm = { + package = pkgs.kanidmWithSecretProvisioning; + enableServer = true; + serverSettings = { + domain = kanidmDomain; + origin = "https://${kanidmDomain}"; + tls_chain = config.sops.secrets.kanidm-self-signed-crt.path; + tls_key = config.sops.secrets.kanidm-self-signed-key.path; + bindaddress = "0.0.0.0:${toString kanidmPort}"; + trust_x_forward_for = true; + }; + enableClient = true; + clientSettings = { + uri = config.services.kanidm.serverSettings.origin; + verify_ca = true; + verify_hostnames = true; + }; + provision = { + enable = true; + adminPasswordFile = config.sops.secrets.kanidm-admin-pw.path; + idmAdminPasswordFile = 
config.sops.secrets.kanidm-idm-admin-pw.path; + groups = { + "immich.access" = { }; + "paperless.access" = { }; + "forgejo.access" = { }; + "forgejo.admins" = { }; + "grafana.access" = { }; + "grafana.editors" = { }; + "grafana.admins" = { }; + "grafana.server-admins" = { }; + }; + persons = { + swarsel = { + present = true; + mailAddresses = [ "leon@swarsel.win" ]; + legalName = "Leon Schwarzäugl"; + groups = [ + "immich.access" + "paperless.access" + "grafana.access" + "forgejo.access" + ]; + displayName = "Swarsel"; + }; + }; + systems = { + oauth2 = { + immich = { + displayName = "Immich"; + originUrl = [ + "https://shots.swarsel.win/auth/login" + "https://shots.swarsel.win/user-settings" + "app.immich:///oauth-callback" + "https://shots.swarsel.win/api/oauth/mobile-redirect" + ]; + originLanding = "https://shots.swarsel.win/"; + basicSecretFile = config.sops.secrets.kanidm-immich.path; + preferShortUsername = true; + enableLegacyCrypto = true; # can use RS256 / HS256, not ES256 + scopeMaps."immich.access" = [ + "openid" + "email" + "profile" + ]; + }; + paperless = { + displayName = "Paperless"; + originUrl = "https://scan.swarsel.win/accounts/oidc/kanidm/login/callback/"; + originLanding = "https://scan.swarsel.win/"; + basicSecretFile = config.sops.secrets.kanidm-paperless.path; + preferShortUsername = true; + scopeMaps."paperless.access" = [ + "openid" + "email" + "profile" + ]; + }; + forgejo = { + displayName = "Forgejo"; + originUrl = "https://swagit.swarsel.win/user/oauth2/kanidm/callback"; + originLanding = "https://swagit.swarsel.win/"; + basicSecretFile = config.sops.secrets.kanidm-forgejo.path; + scopeMaps."forgejo.access" = [ + "openid" + "email" + "profile" + ]; + # XXX: PKCE is currently not supported by gitea/forgejo, + # see https://github.com/go-gitea/gitea/issues/21376. 
+ allowInsecureClientDisablePkce = true; + preferShortUsername = true; + claimMaps.groups = { + joinType = "array"; + valuesByGroup."forgejo.admins" = [ "admin" ]; + }; + }; + grafana = { + displayName = "Grafana"; + originUrl = "https://status.swarsel.win/login/generic_oauth"; + originLanding = "https://status.swarsel.win/"; + basicSecretFile = config.sops.secrets.kanidm-grafana.path; + preferShortUsername = true; + scopeMaps."grafana.access" = [ + "openid" + "email" + "profile" + ]; + claimMaps.groups = { + joinType = "array"; + valuesByGroup = { + "grafana.editors" = [ "editor" ]; + "grafana.admins" = [ "admin" ]; + "grafana.server-admins" = [ "server_admin" ]; + }; + }; + }; + }; + }; + }; + }; + + systemd.services.kanidm.serviceConfig.RestartSec = "30"; + + services.nginx = { + virtualHosts = { + "sso.swarsel.win" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + locations = { + "/" = { + proxyPass = "https://localhost:${toString kanidmPort}"; + }; + }; + extraConfig = '' + proxy_ssl_verify off; + ''; + }; + }; + }; + }; + } +#+end_src + *** Darwin :PROPERTIES: :CUSTOM_ID: h:ac0cd8b3-06cf-4dca-ba73-6100c8fedb47 diff --git a/index.html b/index.html index 3927544..6f88df0 100644 --- a/index.html +++ b/index.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + SwarselSystems: NixOS + Emacs Configuration @@ -263,9 +263,9 @@
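Review bot: `trust_x_forward_for = true` is combined with `bindaddress = "0.0.0.0:${toString kanidmPort}"`, so Kanidm will take the client address from the `X-Forwarded-For` header of any peer that reaches port 8300 directly, not only from the nginx proxy on loopback; since the vhost proxies to `https://localhost:…`, binding to loopback is enough: `bindaddress = "127.0.0.1:${toString kanidmPort}";` (and `proxyPass = "https://127.0.0.1:${toString kanidmPort}";` so nginx does not try the `::1` address that `localhost` may also resolve to). This is the same pattern as the Grafana `http_addr` change in the monitoring hunk earlier in this patch. `proxy_ssl_verify off;` is reasonable for a self-signed backend certificate on loopback, but it should say so, e.g. `# backend cert is self-signed (secrets/certs); traffic stays on loopback`. The client-secret sops entries (`kanidm-immich`, `kanidm-paperless`, `kanidm-forgejo`, `kanidm-grafana`) must hold the same values as the per-service secrets consumed by the relying parties (e.g. `kanidm-grafana-client`, `kanidm-paperless-client`); a comment stating that pairing would prevent silent drift.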
  • 3.1.4.3. Home-manager only (default non-NixOS)
  • 3.1.4.4. ChaosTheatre (Demo Physical/VM)
  • @@ -305,7 +305,7 @@
  • 3.2.1.27. fhs
  • 3.2.1.28. swarsel-displaypower
  • 3.2.1.29. swarsel-mgba
  • -
  • 3.2.1.30. sshrm
  • +
  • 3.2.1.30. sshrm
  • 3.2.2. Overlays (additions, overrides, nixpkgs-stable)
  • @@ -313,28 +313,28 @@ @@ -379,7 +379,7 @@
  • 3.3.1.22.3. enable GVfs
  • 3.3.1.22.4. interception-tools: Make CAPS work as ESC/CTRL
  • 3.3.1.22.5. power-profiles-daemon
  • -
  • 3.3.1.22.6. SwayOSD
  • +
  • 3.3.1.22.6. SwayOSD
  • 3.3.1.23. Hardware compatibility settings (Yubikey, Ledger, Keyboards) - udev rules @@ -425,12 +425,13 @@
  • 3.3.2.18. transmission
  • 3.3.2.19. syncthing
  • 3.3.2.20. restic
  • -
  • 3.3.2.21. monitoring
  • +
  • 3.3.2.21. monitoring (Grafana)
  • 3.3.2.22. Jenkins
  • 3.3.2.23. Emacs elfeed (RSS Server)
  • 3.3.2.24. FreshRSS
  • 3.3.2.25. forgejo (git server)
  • 3.3.2.26. Anki Sync Server
  • +
  • 3.3.2.27. kanidm
  • 3.3.3. Darwin @@ -445,11 +446,11 @@
  • 3.3.4.3. VmWare
  • 3.3.4.4. Auto-login
  • 3.3.4.5. nswitch-rcm
  • -
  • 3.3.4.6. Framework
  • -
  • 3.3.4.7. AMD CPU
  • -
  • 3.3.4.8. AMD GPU
  • -
  • 3.3.4.9. Hibernation
  • -
  • 3.3.4.10. BTRFS
  • +
  • 3.3.4.6. Framework
  • +
  • 3.3.4.7. AMD CPU
  • +
  • 3.3.4.8. AMD GPU
  • +
  • 3.3.4.9. Hibernation
  • +
  • 3.3.4.10. BTRFS
  • 3.3.4.11. work
  • 3.3.4.12. Minimal Install
  • @@ -498,7 +499,7 @@
  • 3.4.1.29.1. gnome-keyring
  • 3.4.1.29.2. KDE Connect
  • 3.4.1.29.3. Mako
  • -
  • 3.4.1.29.4. SwayOSD
  • +
  • 3.4.1.29.4. SwayOSD
  • 3.4.1.29.5. yubikey-touch-detector
  • @@ -523,7 +524,7 @@ @@ -701,7 +702,7 @@ @@ -710,7 +711,7 @@

    -This file has 62779 words spanning 16469 lines and was last revised on 2025-06-09 03:26:38 +0200. +This file has 63503 words spanning 16708 lines and was last revised on 2025-06-09 12:45:18 +0200.

    @@ -763,7 +764,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry

    -My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-06-09 03:26:38 +0200) +My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-06-09 12:45:18 +0200)

    @@ -2802,8 +2803,8 @@ This is just a demo host. It applies all the configuration found in the common p I also set the WLR_RENDERER_ALLOW_SOFTWARE=1 to allow this configuration to run in a virtualized environment. I also enable qemuGuest for a smoother experience when testing on QEMU.

    -
    -
    3.1.4.4.1. Main configuration
    +
    +
    3.1.4.4.1. Main configuration
    { self, inputs, config, pkgs, lib, primaryUser, ... }:
    @@ -2882,8 +2883,8 @@ in
     
    -
    -
    3.1.4.4.2. NixOS dummy options configuration
    +
    +
    3.1.4.4.2. NixOS dummy options configuration
    _:
    @@ -2893,8 +2894,8 @@ in
     
    -
    -
    3.1.4.4.3. home-manager dummy options configuration
    +
    +
    3.1.4.4.3. home-manager dummy options configuration
    _:
    @@ -4671,8 +4672,8 @@ appimageTools.wrapType2 {
     
    -
    -
    3.2.1.30. sshrm
    +
    +
    3.2.1.30. sshrm

    This programs simply runs ssh-keygen on the last host that I tried to ssh into. I need this frequently when working with cloud-init usually. @@ -4829,8 +4830,8 @@ in

    -
    -
    3.2.3.1.1. Personal
    +
    +
    3.2.3.1.1. Personal
    { lib, config, ... }:
    @@ -4897,8 +4898,8 @@ in
     
    -
    -
    3.2.3.1.2. Chaostheatre
    +
    +
    3.2.3.1.2. Chaostheatre
    { lib, config, ... }:
    @@ -4962,8 +4963,8 @@ in
     
    -
    -
    3.2.3.1.3. toto
    +
    +
    3.2.3.1.3. toto
    { lib, config, ... }:
    @@ -4995,8 +4996,8 @@ in
     
    -
    -
    3.2.3.1.4. Work
    +
    +
    3.2.3.1.4. Work
    { lib, config, ... }:
    @@ -5017,8 +5018,8 @@ in
     
    -
    -
    3.2.3.1.5. Framework
    +
    +
    3.2.3.1.5. Framework
    { lib, config, ... }:
    @@ -5039,8 +5040,8 @@ in
     
    -
    -
    3.2.3.1.6. AMD CPU
    +
    +
    3.2.3.1.6. AMD CPU
    { lib, config, ... }:
    @@ -5061,8 +5062,8 @@ in
     
    -
    -
    3.2.3.1.7. AMD GPU
    +
    +
    3.2.3.1.7. AMD GPU
    { lib, config, ... }:
    @@ -5083,8 +5084,8 @@ in
     
    -
    -
    3.2.3.1.8. Hibernation
    +
    +
    3.2.3.1.8. Hibernation
    { lib, config, ... }:
    @@ -5105,8 +5106,8 @@ in
     
    -
    -
    3.2.3.1.9. BTRFS
    +
    +
    3.2.3.1.9. BTRFS
    { lib, config, ... }:
    @@ -5127,8 +5128,8 @@ in
     
    -
    -
    3.2.3.1.10. Local Server
    +
    +
    3.2.3.1.10. Local Server
    { lib, config, ... }:
    @@ -5169,6 +5170,7 @@ in
               emacs = lib.mkDefault true;
               freshrss = lib.mkDefault true;
               jenkins = lib.mkDefault false;
    +          kanidm = lib.mkDefault true;
             };
           };
         };
    @@ -5180,8 +5182,8 @@ in
     
    -
    -
    3.2.3.1.11. OCI Sync Server
    +
    +
    3.2.3.1.11. OCI Sync Server
    { lib, config, ... }:
    @@ -5238,8 +5240,8 @@ in
     
    -
    -
    3.2.3.2.1. Personal
    +
    +
    3.2.3.2.1. Personal
    { lib, config, ... }:
    @@ -5296,8 +5298,8 @@ in
     
    -
    -
    3.2.3.2.2. Chaostheatre
    +
    +
    3.2.3.2.2. Chaostheatre
    { lib, config, ... }:
    @@ -5349,8 +5351,8 @@ in
     
    -
    -
    3.2.3.2.3. toto
    +
    +
    3.2.3.2.3. toto
    { lib, config, ... }:
    @@ -5370,8 +5372,8 @@ in
     
    -
    -
    3.2.3.2.4. Work
    +
    +
    3.2.3.2.4. Work
    { lib, config, ... }:
    @@ -5391,8 +5393,8 @@ in
     
    -
    -
    3.2.3.2.5. Framework
    +
    +
    3.2.3.2.5. Framework
    { lib, config, ... }:
    @@ -5413,8 +5415,8 @@ in
     
    -
    -
    3.2.3.2.6. Darwin
    +
    +
    3.2.3.2.6. Darwin
    { lib, config, ... }:
    @@ -5432,8 +5434,8 @@ in
     
    -
    -
    3.2.3.2.7. Local Server
    +
    +
    3.2.3.2.7. Local Server
    { lib, config, ... }:
    @@ -6966,8 +6968,8 @@ Most of the time I am using power-saver, however, it is good to be
     
    -
    -
    3.3.1.22.6. SwayOSD
    +
    +
    3.3.1.22.6. SwayOSD
    { lib, pkgs, config, ... }:
    @@ -8673,7 +8675,9 @@ in
           port = 3001;
           openFirewall = true;
           mediaLocation = "/Vault/Eternor/Immich";
    -      environment.IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://localhost:3003";
    +      environment = {
    +        IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://localhost:3003";
    +      };
         };
     
     
    @@ -8715,7 +8719,7 @@ in
     
    3.3.2.17. paperless
    -
    { lib, config, ... }:
    +
    { lib, pkgs, config, ... }:
     {
       options.swarselsystems.modules.server.paperless = lib.mkEnableOption "enable paperless on server";
       config = lib.mkIf config.swarselsystems.modules.server.paperless {
    @@ -8724,8 +8728,14 @@ in
           extraGroups = [ "users" ];
         };
     
    -
    -    sops.secrets.paperless_admin = { owner = "paperless"; };
    +    sops.secrets = {
    +      paperless_admin = { owner = "paperless"; };
    +      kanidm-paperless-client = {
    +        owner = "paperless";
    +        group = "paperless";
    +        mode = "440";
    +      };
    +    };
     
         services.paperless = {
           enable = true;
    @@ -8743,9 +8753,35 @@ in
               invalidate_digital_signatures = true;
               pdfa_image_compression = "lossless";
             };
    +        PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
    +        PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON {
    +          openid_connect = {
    +            OAUTH_PKCE_ENABLED = "True";
    +            APPS = [
    +              rec {
    +                provider_id = "kanidm";
    +                name = "Kanidm";
    +                client_id = "paperless";
    +                # secret will be added dynamically
    +                #secret = "";
    +                settings.server_url = "https://sso.swarsel.win/oauth2/openid/${client_id}/.well-known/openid-configuration";
    +              }
    +            ];
    +          };
    +        };
           };
         };
     
    +    # Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS
    +    systemd.services.paperless-web.script = lib.mkBefore ''
    +      oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path})
    +      export PAPERLESS_SOCIALACCOUNT_PROVIDERS=$(
    +        ${pkgs.jq}/bin/jq <<< "$PAPERLESS_SOCIALACCOUNT_PROVIDERS" \
    +          --compact-output \
    +          --arg oidcSecret "$oidcSecret" '.openid_connect.APPS.[0].secret = $oidcSecret'
    +                     )
    +    '';
    +
         services.nginx = {
           virtualHosts = {
             "scan.swarsel.win" = {
    @@ -9104,7 +9140,7 @@ in
     
    -
    3.3.2.21. monitoring
    +
    3.3.2.21. monitoring (Grafana)

    This section exposes several metrics that I use to check the health of my server. I need to expand on the exporters section at some point, but for now I have everything I need. @@ -9112,6 +9148,9 @@ This section exposes several metrics that I use to check the health of my server

    { self, lib, config, ... }:
    +let
    +  grafanaDomain = "status.swarsel.win";
    +in
     {
       options.swarselsystems.modules.server.monitoring = lib.mkEnableOption "enable monitoring on server";
       config = lib.mkIf config.swarselsystems.modules.server.monitoring {
    @@ -9123,6 +9162,11 @@ This section exposes several metrics that I use to check the health of my server
           prometheusadminpass = {
             owner = "grafana";
           };
    +      kanidm-grafana-client = {
    +        owner = "grafana";
    +        group = "grafana";
    +        mode = "440";
    +      };
         };
     
         users = {
    @@ -9148,7 +9192,7 @@ This section exposes several metrics that I use to check the health of my server
                   {
                     name = "prometheus";
                     type = "prometheus";
    -                url = "https://status.swarsel.win/prometheus";
    +                url = "https://${grafanaDomain}/prometheus";
                     editable = false;
                     access = "proxy";
                     basicAuth = true;
    @@ -9173,10 +9217,30 @@ This section exposes several metrics that I use to check the health of my server
             settings = {
               security.admin_password = "$__file{/run/secrets/grafanaadminpass}";
               server = {
    +            domain = grafanaDomain;
    +            root_url = "https://${grafanaDomain}";
                 http_port = 3000;
    -            http_addr = "127.0.0.1";
    +            http_addr = "0.0.0.0";
                 protocol = "http";
    -            domain = "status.swarsel.win";
    +          };
    +          "auth.generic_oauth" = {
    +            enabled = true;
    +            name = "Kanidm";
    +            icon = "signin";
    +            allow_sign_up = true;
    +            #auto_login = true;
    +            client_id = "grafana";
    +            client_secret = "$__file{${config.sops.secrets.kanidm-grafana-client.path}}";
    +            scopes = "openid email profile";
    +            login_attribute_path = "preferred_username";
    +            auth_url = "https://sso.swarsel.win/ui/oauth2";
    +            token_url = "https://sso.swarsel.win/oauth2/token";
    +            api_url = "https://sso.swarsel.win/oauth2/openid/grafana/userinfo";
    +            use_pkce = true;
    +            use_refresh_token = true;
    +            # Allow mapping oauth2 roles to server admin
    +            allow_assign_grafana_admin = true;
    +            role_attribute_path = "contains(groups[*], 'server_admin') && 'GrafanaAdmin' || contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'";
               };
             };
           };
    @@ -9260,6 +9324,7 @@ This section exposes several metrics that I use to check the health of my server
                 locations = {
                   "/" = {
                     proxyPass = "http://localhost:3000";
    +                proxyWebsockets = true;
                     extraConfig = ''
                       client_max_body_size 0;
                     '';
    @@ -9516,6 +9581,184 @@ It serves both a Greader API at 
    +
    3.3.2.27. kanidm
    +
    +
    +
    { self, lib, pkgs, config, ... }:
    +let
    +  certsSopsFile = self + /secrets/certs/secrets.yaml;
    +  kanidmDomain = "sso.swarsel.win";
    +  kanidmPort = 8300;
    +in
    +{
    +  options.swarselsystems.modules.server.kanidm = lib.mkEnableOption "enable kanidm on server";
    +  config = lib.mkIf config.swarselsystems.modules.server.kanidm {
    +
    +    users.users.kanidm = {
    +      group = "kanidm";
    +      isSystemUser = true;
    +    };
    +
    +    users.groups.kanidm = { };
    +
    +    sops.secrets = {
    +      "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "440"; };
    +      "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "440"; };
    +      "kanidm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
    +      "kanidm-idm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
    +      "kanidm-immich" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
    +      "kanidm-paperless" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
    +      "kanidm-forgejo" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
    +      "kanidm-grafana" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
    +    };
    +
    +    services.kanidm = {
    +      package = pkgs.kanidmWithSecretProvisioning;
    +      enableServer = true;
    +      serverSettings = {
    +        domain = kanidmDomain;
    +        origin = "https://${kanidmDomain}";
    +        tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
    +        tls_key = config.sops.secrets.kanidm-self-signed-key.path;
    +        bindaddress = "0.0.0.0:${toString kanidmPort}";
    +        trust_x_forward_for = true;
    +      };
    +      enableClient = true;
    +      clientSettings = {
    +        uri = config.services.kanidm.serverSettings.origin;
    +        verify_ca = true;
    +        verify_hostnames = true;
    +      };
    +      provision = {
    +        enable = true;
    +        adminPasswordFile = config.sops.secrets.kanidm-admin-pw.path;
    +        idmAdminPasswordFile = config.sops.secrets.kanidm-idm-admin-pw.path;
    +        groups = {
    +          "immich.access" = { };
    +          "paperless.access" = { };
    +          "forgejo.access" = { };
    +          "forgejo.admins" = { };
    +          "grafana.access" = { };
    +          "grafana.editors" = { };
    +          "grafana.admins" = { };
    +          "grafana.server-admins" = { };
    +        };
    +        persons = {
    +          swarsel = {
    +            present = true;
    +            mailAddresses = [ "leon@swarsel.win" ];
    +            legalName = "Leon Schwarzäugl";
    +            groups = [
    +              "immich.access"
    +              "paperless.access"
    +              "grafana.access"
    +              "forgejo.access"
    +            ];
    +            displayName = "Swarsel";
    +          };
    +        };
    +        systems = {
    +          oauth2 = {
    +            immich = {
    +              displayName = "Immich";
    +              originUrl = [
    +                "https://shots.swarsel.win/auth/login"
    +                "https://shots.swarsel.win/user-settings"
    +                "app.immich:///oauth-callback"
    +                "https://shots.swarsel.win/api/oauth/mobile-redirect"
    +              ];
    +              originLanding = "https://shots.swarsel.win/";
    +              basicSecretFile = config.sops.secrets.kanidm-immich.path;
    +              preferShortUsername = true;
    +              enableLegacyCrypto = true; # can use RS256 / HS256, not ES256
    +              scopeMaps."immich.access" = [
    +                "openid"
    +                "email"
    +                "profile"
    +              ];
    +            };
    +            paperless = {
    +              displayName = "Paperless";
    +              originUrl = "https://scan.swarsel.win/accounts/oidc/kanidm/login/callback/";
    +              originLanding = "https://scan.swarsel.win/";
    +              basicSecretFile = config.sops.secrets.kanidm-paperless.path;
    +              preferShortUsername = true;
    +              scopeMaps."paperless.access" = [
    +                "openid"
    +                "email"
    +                "profile"
    +              ];
    +            };
    +            forgejo = {
    +              displayName = "Forgejo";
    +              originUrl = "https://swagit.swarsel.win/user/oauth2/kanidm/callback";
    +              originLanding = "https://swagit.swarsel.win/";
    +              basicSecretFile = config.sops.secrets.kanidm-forgejo.path;
    +              scopeMaps."forgejo.access" = [
    +                "openid"
    +                "email"
    +                "profile"
    +              ];
    +              # XXX: PKCE is currently not supported by gitea/forgejo,
    +              # see https://github.com/go-gitea/gitea/issues/21376.
    +              allowInsecureClientDisablePkce = true;
    +              preferShortUsername = true;
    +              claimMaps.groups = {
    +                joinType = "array";
    +                valuesByGroup."forgejo.admins" = [ "admin" ];
    +              };
    +            };
    +            grafana = {
    +              displayName = "Grafana";
    +              originUrl = "https://status.swarsel.win/login/generic_oauth";
    +              originLanding = "https://status.swarsel.win/";
    +              basicSecretFile = config.sops.secrets.kanidm-grafana.path;
    +              preferShortUsername = true;
    +              scopeMaps."grafana.access" = [
    +                "openid"
    +                "email"
    +                "profile"
    +              ];
    +              claimMaps.groups = {
    +                joinType = "array";
    +                valuesByGroup = {
    +                  "grafana.editors" = [ "editor" ];
    +                  "grafana.admins" = [ "admin" ];
    +                  "grafana.server-admins" = [ "server_admin" ];
    +                };
    +              };
    +            };
    +          };
    +        };
    +      };
    +    };
    +
    +    systemd.services.kanidm.serviceConfig.RestartSec = "30";
    +
    +    services.nginx = {
    +      virtualHosts = {
    +        "sso.swarsel.win" = {
    +          enableACME = true;
    +          forceSSL = true;
    +          acmeRoot = null;
    +          locations = {
    +            "/" = {
    +              proxyPass = "https://localhost:${toString kanidmPort}";
    +            };
    +          };
    +          extraConfig = ''
    +            proxy_ssl_verify off;
    +          '';
    +        };
    +      };
    +    };
    +  };
    +}
    +
    +
    +
    +

    3.3.3. Darwin

    @@ -9728,8 +9971,8 @@ This smashes Atmosphere 1.3.2 on the switch, which is what I am currenty using.
    -
    -
    3.3.4.6. Framework
    +
    +
    3.3.4.6. Framework

    This holds configuration that is specific to framework laptops. @@ -9767,8 +10010,8 @@ This holds configuration that is specific to framework laptops.

    -
    -
    3.3.4.7. AMD CPU
    +
    +
    3.3.4.7. AMD CPU
    { lib, config, ... }:
    @@ -9784,8 +10027,8 @@ This holds configuration that is specific to framework laptops.
     
    -
    -
    3.3.4.8. AMD GPU
    +
    +
    3.3.4.8. AMD GPU
    { lib, config, ... }:
    @@ -9807,8 +10050,8 @@ This holds configuration that is specific to framework laptops.
     
    -
    -
    3.3.4.9. Hibernation
    +
    +
    3.3.4.9. Hibernation
    { lib, config, ... }:
    @@ -9839,8 +10082,8 @@ This holds configuration that is specific to framework laptops.
     
    -
    -
    3.3.4.10. BTRFS
    +
    +
    3.3.4.10. BTRFS
    { lib, config, ... }:
    @@ -12788,8 +13031,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
     
    -
    -
    3.4.1.29.4. SwayOSD
    +
    +
    3.4.1.29.4. SwayOSD
    { lib, config, ... }:
    @@ -14038,8 +14281,8 @@ in
     
    -
    -
    3.4.4.3. Framework
    +
    +
    3.4.4.3. Framework

    This holds configuration that is specific to framework laptops. @@ -17879,8 +18122,8 @@ autocmd DocStart vc-impimba-1.m.imp.ac.at/ui/webconsole mode ignore

    -
    -

    6.3. tridactyl theme

    +
    +

    6.3. tridactyl theme

    @@ -18377,7 +18620,7 @@ sync USER HOST:
     

    Author: Leon Schwarzäugl

    -

    Created: 2025-06-09 Mo 03:26

    +

    Created: 2025-06-09 Mo 12:45

    Validate

    diff --git a/modules/nixos/server/immich.nix b/modules/nixos/server/immich.nix index b3b5696..4ea8be8 100644 --- a/modules/nixos/server/immich.nix +++ b/modules/nixos/server/immich.nix @@ -14,7 +14,9 @@ port = 3001; openFirewall = true; mediaLocation = "/Vault/Eternor/Immich"; - environment.IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://localhost:3003"; + environment = { + IMMICH_MACHINE_LEARNING_URL = lib.mkForce "http://localhost:3003"; + }; }; diff --git a/modules/nixos/server/kanidm.nix b/modules/nixos/server/kanidm.nix new file mode 100644 index 0000000..c9bc4ed --- /dev/null +++ b/modules/nixos/server/kanidm.nix 
@@ -0,0 +1,170 @@
+{ self, lib, pkgs, config, ... }:
+let
+ certsSopsFile = self + /secrets/certs/secrets.yaml;
+ kanidmDomain = "sso.swarsel.win";
+ kanidmPort = 8300;
+in
+{
+ options.swarselsystems.modules.server.kanidm = lib.mkEnableOption "enable kanidm on server";
+ config = lib.mkIf config.swarselsystems.modules.server.kanidm {
+
+ users.users.kanidm = {
+ group = "kanidm";
+ isSystemUser = true;
+ };
+
+ users.groups.kanidm = { };
+
+ sops.secrets = {
+ "kanidm-self-signed-crt" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "440"; };
+ "kanidm-self-signed-key" = { sopsFile = certsSopsFile; owner = "kanidm"; group = "kanidm"; mode = "440"; };
+ "kanidm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
+ "kanidm-idm-admin-pw" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
+ "kanidm-immich" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
+ "kanidm-paperless" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
+ "kanidm-forgejo" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
+ "kanidm-grafana" = { owner = "kanidm"; group = "kanidm"; mode = "440"; };
+ };
+
+ services.kanidm = {
+ package = pkgs.kanidmWithSecretProvisioning;
+ enableServer = true;
+ serverSettings = {
+ domain = kanidmDomain;
+ origin = "https://${kanidmDomain}";
+ tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
+ tls_key = config.sops.secrets.kanidm-self-signed-key.path;
+ bindaddress = "0.0.0.0:${toString kanidmPort}";
+ trust_x_forward_for = true;
+ };
+ enableClient = true;
+ clientSettings = {
+ uri = config.services.kanidm.serverSettings.origin;
+ verify_ca = true;
+ verify_hostnames = true;
+ };
+ provision = {
+ enable = true;
+ adminPasswordFile = config.sops.secrets.kanidm-admin-pw.path;
+ idmAdminPasswordFile = config.sops.secrets.kanidm-idm-admin-pw.path;
+ groups = {
+ "immich.access" = { };
+ "paperless.access" = { };
+ "forgejo.access" = { };
+ "forgejo.admins" = { };
+ "grafana.access" = { };
+ "grafana.editors" = { };
+ "grafana.admins" = { };
+ "grafana.server-admins" = { };
+ };
+ persons = {
+ swarsel = {
+ present = true;
+ mailAddresses = [ "leon@swarsel.win" ];
+ legalName = "Leon Schwarzäugl";
+ groups = [
+ "immich.access"
+ "paperless.access"
+ "grafana.access"
+ "forgejo.access"
+ ];
+ displayName = "Swarsel";
+ };
+ };
+ systems = {
+ oauth2 = {
+ immich = {
+ displayName = "Immich";
+ originUrl = [
+ "https://shots.swarsel.win/auth/login"
+ "https://shots.swarsel.win/user-settings"
+ "app.immich:///oauth-callback"
+ "https://shots.swarsel.win/api/oauth/mobile-redirect"
+ ];
+ originLanding = "https://shots.swarsel.win/";
+ basicSecretFile = config.sops.secrets.kanidm-immich.path;
+ preferShortUsername = true;
+ enableLegacyCrypto = true; # can use RS256 / HS256, not ES256
+ scopeMaps."immich.access" = [
+ "openid"
+ "email"
+ "profile"
+ ];
+ };
+ paperless = {
+ displayName = "Paperless";
+ originUrl = "https://scan.swarsel.win/accounts/oidc/kanidm/login/callback/";
+ originLanding = "https://scan.swarsel.win/";
+ basicSecretFile = config.sops.secrets.kanidm-paperless.path;
+ preferShortUsername = true;
+ scopeMaps."paperless.access" = [
+ "openid"
+ "email"
+ "profile"
+ ];
+ };
+ forgejo = {
+ displayName = "Forgejo";
+ originUrl = "https://swagit.swarsel.win/user/oauth2/kanidm/callback";
+ originLanding = "https://swagit.swarsel.win/";
+ basicSecretFile = config.sops.secrets.kanidm-forgejo.path;
+ scopeMaps."forgejo.access" = [
+ "openid"
+ "email"
+ "profile"
+ ];
+ # XXX: PKCE is currently not supported by gitea/forgejo,
+ # see https://github.com/go-gitea/gitea/issues/21376.
+ allowInsecureClientDisablePkce = true;
+ preferShortUsername = true;
+ claimMaps.groups = {
+ joinType = "array";
+ valuesByGroup."forgejo.admins" = [ "admin" ];
+ };
+ };
+ grafana = {
+ displayName = "Grafana";
+ originUrl = "https://status.swarsel.win/login/generic_oauth";
+ originLanding = "https://status.swarsel.win/";
+ basicSecretFile = config.sops.secrets.kanidm-grafana.path;
+ preferShortUsername = true;
+ scopeMaps."grafana.access" = [
+ "openid"
+ "email"
+ "profile"
+ ];
+ claimMaps.groups = {
+ joinType = "array";
+ valuesByGroup = {
+ "grafana.editors" = [ "editor" ];
+ "grafana.admins" = [ "admin" ];
+ "grafana.server-admins" = [ "server_admin" ];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ systemd.services.kanidm.serviceConfig.RestartSec = "30";
+
+ services.nginx = {
+ virtualHosts = {
+ "sso.swarsel.win" = {
+ enableACME = true;
+ forceSSL = true;
+ acmeRoot = null;
+ locations = {
+ "/" = {
+ proxyPass = "https://localhost:${toString kanidmPort}";
+ };
+ };
+ extraConfig = ''
+ proxy_ssl_verify off;
+ '';
+ };
+ };
+ };
+ };
+}
diff --git a/modules/nixos/server/monitoring.nix b/modules/nixos/server/monitoring.nix
index 13444ca..f80f50f 100644
--- a/modules/nixos/server/monitoring.nix
+++ b/modules/nixos/server/monitoring.nix
@@ -1,4 +1,7 @@
 { self, lib, config, ... }:
+let
+ grafanaDomain = "status.swarsel.win";
+in
 {
 options.swarselsystems.modules.server.monitoring = lib.mkEnableOption "enable monitoring on server";
 config = lib.mkIf config.swarselsystems.modules.server.monitoring {
@@ -10,6 +13,11 @@
 prometheusadminpass = { owner = "grafana"; };
+ kanidm-grafana-client = {
+ owner = "grafana";
+ group = "grafana";
+ mode = "440";
+ };
 };
 users = {
@@ -35,7 +43,7 @@
 {
 name = "prometheus";
 type = "prometheus";
- url = "https://status.swarsel.win/prometheus";
+ url = "https://${grafanaDomain}/prometheus";
 editable = false;
 access = "proxy";
 basicAuth = true;
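Review bot: `bindaddress = "0.0.0.0:${toString kanidmPort}"` together with `trust_x_forward_for = true` exposes the kanidm listener on every interface even though nginx only needs it on loopback (`proxyPass = "https://localhost:${toString kanidmPort}"`); any host that can reach port 8300 directly bypasses the nginx layer and can present its own X-Forwarded-For header, which kanidm will then trust for logging and rate limiting. Binding to loopback, `bindaddress = "127.0.0.1:${toString kanidmPort}";`, keeps the proxied path and removes that exposure; whether the NixOS firewall currently blocks 8300 is not visible in this commit. The same pattern appears in monitoring.nix, where `http_addr` is changed from `127.0.0.1` to `0.0.0.0` while nginx still proxies `http://localhost:3000`. A one-line comment next to `proxy_ssl_verify off;`, such as `# upstream presents the self-signed cert from certsSopsFile; public TLS is terminated by ACME on this vhost`, would stop a reader from taking it for a general TLS bypass.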
@@ -60,10 +68,30 @@
 settings = {
 security.admin_password = "$__file{/run/secrets/grafanaadminpass}";
 server = {
+ domain = grafanaDomain;
+ root_url = "https://${grafanaDomain}";
 http_port = 3000;
- http_addr = "127.0.0.1";
+ http_addr = "0.0.0.0";
 protocol = "http";
- domain = "status.swarsel.win";
+ };
+ "auth.generic_oauth" = {
+ enabled = true;
+ name = "Kanidm";
+ icon = "signin";
+ allow_sign_up = true;
+ #auto_login = true;
+ client_id = "grafana";
+ client_secret = "$__file{${config.sops.secrets.kanidm-grafana-client.path}}";
+ scopes = "openid email profile";
+ login_attribute_path = "preferred_username";
+ auth_url = "https://sso.swarsel.win/ui/oauth2";
+ token_url = "https://sso.swarsel.win/oauth2/token";
+ api_url = "https://sso.swarsel.win/oauth2/openid/grafana/userinfo";
+ use_pkce = true;
+ use_refresh_token = true;
+ # Allow mapping oauth2 roles to server admin
+ allow_assign_grafana_admin = true;
+ role_attribute_path = "contains(groups[*], 'server_admin') && 'GrafanaAdmin' || contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'";
 };
 };
 };
@@ -147,6 +175,7 @@
 locations = {
 "/" = {
 proxyPass = "http://localhost:3000";
+ proxyWebsockets = true;
 extraConfig = ''
 client_max_body_size 0;
 '';
diff --git a/modules/nixos/server/paperless.nix b/modules/nixos/server/paperless.nix
index 04b931a..9b00db2 100644
--- a/modules/nixos/server/paperless.nix
+++ b/modules/nixos/server/paperless.nix
@@ -1,4 +1,4 @@
-{ lib, config, ... }:
+{ lib, pkgs, config, ... }:
 {
 options.swarselsystems.modules.server.paperless = lib.mkEnableOption "enable paperless on server";
 config = lib.mkIf config.swarselsystems.modules.server.paperless {
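Review bot: The `auth_url`, `token_url` and `api_url` entries hard-code `https://sso.swarsel.win` in the same hunk that factors `status.swarsel.win` out into `grafanaDomain`; a second binding such as `kanidmDomain = "sso.swarsel.win";` in the new `let` would keep the provider endpoints in one place. `allow_sign_up = true` means any account Kanidm issues an id token for gets a Grafana user created, so access control rests entirely on the `grafana.access` scope map in kanidm.nix; a comment on that line, `# sign-up is gated by the grafana.access group in kanidm`, would record the dependency. `role_attribute_path` falls back to `'Viewer'` for members without a mapped group, which is the safe default. The enclosing `services.grafana` block starts outside the hunk.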
@@ -7,8 +7,14 @@
 extraGroups = [ "users" ];
 };
-
- sops.secrets.paperless_admin = { owner = "paperless"; };
+ sops.secrets = {
+ paperless_admin = { owner = "paperless"; };
+ kanidm-paperless-client = {
+ owner = "paperless";
+ group = "paperless";
+ mode = "440";
+ };
+ };
 services.paperless = {
 enable = true;
@@ -26,9 +32,35 @@
 invalidate_digital_signatures = true;
 pdfa_image_compression = "lossless";
 };
+ PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
+ PAPERLESS_SOCIALACCOUNT_PROVIDERS = builtins.toJSON {
+ openid_connect = {
+ OAUTH_PKCE_ENABLED = "True";
+ APPS = [
+ rec {
+ provider_id = "kanidm";
+ name = "Kanidm";
+ client_id = "paperless";
+ # secret will be added dynamically
+ #secret = "";
+ settings.server_url = "https://sso.swarsel.win/oauth2/openid/${client_id}/.well-known/openid-configuration";
+ }
+ ];
+ };
+ };
 };
 };
+ # Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS
+ systemd.services.paperless-web.script = lib.mkBefore ''
+ oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path})
+ export PAPERLESS_SOCIALACCOUNT_PROVIDERS=$(
+ ${pkgs.jq}/bin/jq <<< "$PAPERLESS_SOCIALACCOUNT_PROVIDERS" \
+ --compact-output \
+ --arg oidcSecret "$oidcSecret" '.openid_connect.APPS.[0].secret = $oidcSecret'
+ )
+ '';
+
 services.nginx = {
 virtualHosts = {
 "scan.swarsel.win" = {
diff --git a/profiles/nixos/localserver/default.nix b/profiles/nixos/localserver/default.nix
index 7baf20b..544b53d 100644
--- a/profiles/nixos/localserver/default.nix
+++ b/profiles/nixos/localserver/default.nix
@@ -36,6 +36,7 @@
 emacs = lib.mkDefault true;
 freshrss = lib.mkDefault true;
 jenkins = lib.mkDefault false;
+ kanidm = lib.mkDefault true;
 };
 };
 };
diff --git a/secrets/certs/secrets.yaml b/secrets/certs/secrets.yaml
index 9ce1a6a..c1a54d8 100644
--- a/secrets/certs/secrets.yaml
+++ b/secrets/certs/secrets.yaml
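Review bot: In the new `paperless-web` script, `export PAPERLESS_SOCIALACCOUNT_PROVIDERS=$( ... jq ... )` makes the statement's exit status that of `export`, so if jq fails (missing or unreadable secret file, malformed JSON) the service presumably starts with an empty provider setting instead of aborting under the `set -e` NixOS prepends to service scripts; assign first, `PAPERLESS_SOCIALACCOUNT_PROVIDERS=$( ... )`, and put `export PAPERLESS_SOCIALACCOUNT_PROVIDERS` on the following line so the failure is surfaced. The jq path `.openid_connect.APPS.[0].secret` uses the dotted `.[0]` form that jq releases before 1.7 reject as a syntax error; `.openid_connect.APPS[0].secret` is accepted by every version. The value in `kanidm-paperless-client` has to equal the one kanidm serves from `kanidm-paperless` in kanidm.nix, and nothing in the build checks that; a comment on the new `sops.secrets` entry, `# must match the kanidm-paperless secret provisioned in kanidm.nix`, would record the coupling. Passing the secret via `--arg` rather than splicing it into the jq program keeps it from being interpreted, which is the right choice.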
@@ -1,10 +1,8 @@ sweden-aes-128-cbc-udp-dns-crl-verify.pem: ENC[AES256_GCM,data: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,iv:b4QKl9Qr2reO3kgZ4Ls1vKyz5tKAP93s9pZe4UihwW4=,tag:Xe5jcylBt4D2jhc+ZkCRWw==,type:str] sweden-aes-128-cbc-udp-dns-ca.pem: ENC[AES256_GCM,data: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,iv:DcPiMfGUlnOZXuULOujLhY1qhN5sUbpWX25bexN3OKc=,tag:/i7U8WVqlFdP4DGwx7SxKA==,type:str] +kanidm-self-signed-crt: ENC[AES256_GCM,data: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,iv:LIuJpGoxOCBX73ZyjIUl9mYVA0wcRdue8EJyfqQzcK0=,tag:5W2UVbOH3Lma99lVxDdkNw==,type:str] +kanidm-self-signed-key: ENC[AES256_GCM,data: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,iv:p7TGpmls39IYix0rHgeeV+ngkQkXybrUtKQCOF+M8rk=,tag:lNmUlYzd/zxvCfpk50TXTw==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age16lnmuuxfuxxtty3atnhut8wseppwnhp7rdhmxqd5tdvs9qnjffjq42sqyy enc: | @@ -42,8 +40,8 @@ sops: ME9BMzQ3TmZmUW5aVG1Oa3hTNzdnd1EKFqMrQnP/5Nw654EJYTLjziDmffrr2Ryj 5L9weh8fRKopPOPEXwPDULjxCL0G1AipFXwUgk+zJY8dJugDHvsmuA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-16T23:56:59Z" - mac: ENC[AES256_GCM,data:bo8SHGmkNGQqR8nnlIKvAMzd+4vWJ19u9Kga2U1mOEYKMCyZ2nTXju6e327ppmx6KJUnzzieS7F8myE/5jzfd1+LyAN7QlL1xixtyLZH784Eh3c3Rd3sXKO/Tuj00gSsz8PsXzq8VK5RdR6NggxhMM6l3Mji4mTQibEzFQ0XPwo=,iv:6mAVBuMwxkO/ms0O/lpLEAg9lzVtZywMbwhL7diB4Z4=,tag:oGnwY5Ikc8qOrwNyiWqtGg==,type:str] + lastmodified: "2025-06-09T01:43:52Z" + mac: ENC[AES256_GCM,data:pzzSwJ7kxIg4cmnS67DmXz26EKxLKzUtSFJ7vmlAdGphspYrwrRKHeKp/Rrpr15YMLUafXK9QAxeQQEIF6tQPtSLkHgYIb8xIaSRmNOR44OtWoiGBZWgTuFhQ1g2Po2Pn4EKQ2t9obPXxPA9I7EhPhIbqFepM37OQz6TX5SPEoE=,iv:UeX221QNsS6bYsETqRCDgVBNpgSX2RXUv8qWeMKWgYo=,tag:pbOUUcIhvNWv1HM6ti/FUw==,type:str] pgp: - created_at: "2024-12-29T00:45:42Z" enc: |- @@ -77,4 +75,4 @@ sops: -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted - version: 3.9.0 + version: 3.10.2 
diff --git a/secrets/winters/secrets.yaml b/secrets/winters/secrets.yaml index 7a55f1a..f8d8295 100644 --- a/secrets/winters/secrets.yaml +++ b/secrets/winters/secrets.yaml @@ -16,6 +16,7 @@ dnstoken: ENC[AES256_GCM,data:mRVmT1B1xzQWLRjwJUPBoYKSzr4Np3BJiV7psARFKcOZJlBAW3 dnstokenfull: ENC[AES256_GCM,data:nIFYEO0KMXWBQyLsfM0v7xPSCbmW9Z4qKiGVh38b3mhWklYdMtarqQ==,iv:aQfxbBolEpMkfWHC+5/c5a/xiDhlz8BfJuuKicjVCzo=,tag:LoDgjcR6/VwKVy8DubLdew==,type:str] #ENC[AES256_GCM,data:ZbWnE+gcmtR47A==,iv:a/WxLMGb2Y+lenUfUk8c73o/QUB6ImBVRUkHQjfWoq8=,tag:7FHXVb7qBGSXv3oO5f2M1w==,type:comment] paperless_admin: ENC[AES256_GCM,data:IbZxJzscc2z77RTYTBt5ZdCgtEgTSq5k0A==,iv:lrmP3rOLMuV04H+E0nsKF+KhNKAGHCFyaQnT+gg0wM0=,tag:lNbMYqAdjn0K1AhJKvhB9w==,type:str] +kanidm-paperless-client: ENC[AES256_GCM,data:1lpf9LzAZeAe0ZJiXPE6KRDZxhi24CQmoA==,iv:eZKA/2JJzojPDJc/I8V4tw9tA7zK9Y7wrpgLww7sigg=,tag:YjlH+hHdzJHqMBdkxTZVwQ==,type:str] #ENC[AES256_GCM,data:+dReUV9p,iv:gmVwWra3sP+9I0KVxzTXGzdbZEyRiT7p2BwE34ZDttM=,tag:jse7bGtSva6llqjSOCY/KA==,type:comment] mpdpass: ENC[AES256_GCM,data:OXDL8eyfBpX2gXB8aODahA5wNK7laaCQUg==,iv:zSQUtu1j+Z7SnYMA3jNvIFbG9LEbiB7uJ4y9xEmnvJY=,tag:ZKgtccYWT/k4q6Qc2y5WEg==,type:str] #ENC[AES256_GCM,data:pn5jSPCWhDl+,iv:f7dyv+83dT3azAuY+/+6i/KzX2a4JIEi+PLeYamORmg=,tag:c5doNQBt6A7fRXl26dWsEg==,type:comment] 
@@ -33,7 +34,9 @@ vpnloc: ENC[AES256_GCM,data:U8ModKho4vSHnMo9BOE978V6ZlMeQEoLaFW/,iv:Sw06YsWSZ4tG #ENC[AES256_GCM,data:yp7ApA4YLSk=,iv:O/SQxKe9EWqExHbeKsTXvbst0pjCxy3yiOjmeCVjmdY=,tag:RMkAOLOLCodnPSDEuImwRw==,type:comment] swarseluser: ENC[AES256_GCM,data:XvmOHYFNhb/bAYAZ/kmUWbbmRy/WrxSYri/Y5k+SH4N7ZIjuZDHOkWk93ERFuTb77HvhbPX/NRQraUoJoFsxGGg5co/gJnyfRg==,iv:J50PeDcC4PM3+yQ/YQNb8TW4kubwi2kjjSFU0RVFM30=,tag:ydLYkz1YKyguGZZZD/JcLA==,type:str] nextcloudadminpass: ENC[AES256_GCM,data:ZOCsu4/ijfheBfY9ZR5DBXSB,iv:bNlTLKQblnt2eYJqVgXwCaGAyAw2yhlb9Whsz0LBhm4=,tag:VQAWP/b8IghzXDFLJxXZ4Q==,type:str] +#ENC[AES256_GCM,data:dyEwvFDSvI0=,iv:4LPFthS73mIYQt6MRLBTeNxCwKnJGc7sNFJfZCpMU3Y=,tag:X2mBwG1++2gcFIOi/xIgFA==,type:comment] grafanaadminpass: ENC[AES256_GCM,data:TBu0WOdvE+9CAH8EVm8=,iv:/usKOYscSXpo8tiSV/Las9eucBeYnpwG5DM9gJg8bfU=,tag:/LZqwuPWQyjSZURnsqq3hA==,type:str] +kanidm-grafana-client: ENC[AES256_GCM,data:tV25k0XoFZ9wLF0UWvAabgigayowr3wo0g==,iv:p0y/UyIrFBTvWZKHbfdOSEpbMun7dZ8FyB5W7VS0oSY=,tag:+jKD+d9cRGKJkapGYxUEnw==,type:str] prometheusadminpass: ENC[AES256_GCM,data:NYUbSnAl0f3FUtvCjvJHFr2wMRsVsbVIeg==,iv:TP4NMwJsft8aEixxJBJCX/0I6BJVBnltFYJDKuXq1hM=,tag:yMY+KZsRjbn8ItgKgjzqSA==,type:str] #ENC[AES256_GCM,data:QnIF/xhWguX5tw==,iv:yTUBtPaZk6BXi+SC1P/OOtnc2x9UZ/jXirD5oaxhyQY=,tag:c33L5r5BaPZN6zkwduBCwQ==,type:comment] fresh: ENC[AES256_GCM,data:aPF8D96BvgDXhcc=,iv:Ubq3/sUmBipRanLgkAXXeAfXAz51AuR+NojMifsy8S0=,tag:mHf0YYYxulLXAIByqmnOsA==,type:str] 
@@ -41,6 +44,13 @@ fresh: ENC[AES256_GCM,data:aPF8D96BvgDXhcc=,iv:Ubq3/sUmBipRanLgkAXXeAfXAz51AuR+N resticpw: ENC[AES256_GCM,data:0oHhUFH+2W7FONA=,iv:jT6o3H4pIkGTANriDVCBvnOsc/XITEGCayb6A86NlGg=,tag:qU3tAvIWFSFIf1krWAJ0+Q==,type:str] resticaccesskey: ENC[AES256_GCM,data:3EshJOZpoHqGrKdERYBtUcQZ6taZEe8PBA==,iv:3np3ASFhJrYT1ig3uSpb48lSdZOFl9kFyLJSkYHBnqo=,tag:TqjgnO1XRPZUGjLI20FqUg==,type:str] resticsecretaccesskey: ENC[AES256_GCM,data:j57l4p5viLZ2yL/KDrQpq1Dov69kpCRgzS4uEHgh4A==,iv:CYTxd4Vy1V+aW6EdaEOIma5vyDRL/VR6MlHqmAM1JQI=,tag:zLl0UZ50uN8YIrL+nOfurg==,type:str] +#ENC[AES256_GCM,data:rdFEksmLPA==,iv:JKhyW30sCngf1/wFv8HLPesiz61QjAGhcBuoIw3CUDk=,tag:MaMJ8V5uqV1uFokLzmTJ7g==,type:comment] +kanidm-admin-pw: ENC[AES256_GCM,data:cpSl4syzCcl8wohuNpZhwKZvY4x/YuSZUA==,iv:HmhoNL5IKMh4FMe69AcnviybQRXdZRwaNiZ10vRUbwA=,tag:VUgttt/1pcQtcCqR9Vea1A==,type:str] +kanidm-idm-admin-pw: ENC[AES256_GCM,data:nfDLBctWIBUn1iyidczfn37ncINlfXjf4g==,iv:0nVO9bTOZ/PEe9rFUhXZ74AbStsAoDDhRWsM4cPvB+s=,tag:hM4+x7TpLctDpdotVhx7RQ==,type:str] +kanidm-immich: ENC[AES256_GCM,data:is5Zx9FE9Qb/cajv6ZQU6B/0iKUgbBCp/g==,iv:vBU6wcrsO862oKgxdGfpOZXC/GJDhY9Rki2nLIy4IoM=,tag:6jNRNdQr/czoSihSQ+cHQg==,type:str] +kanidm-paperless: ENC[AES256_GCM,data:bJJC20q8aJVzmIMXAHWvOoH652lSCFXDNg==,iv:0ctoPwxzMD1cSpZ7DyjOv9qP+cYt0MJsk2cfuzft3n8=,tag:KX1MtgOvcMxt1QHhAcXWcg==,type:str] +kanidm-forgejo: ENC[AES256_GCM,data:zw0LcfNJw4q28l1E9q58D9bTKtl/CjGA3w==,iv:fYRGasFiM7PXeP5sWW6whj10CUKIqCfhIYQCNZjxQGo=,tag:sxQJa+ItPA+L3keWZ34SJA==,type:str] +kanidm-grafana: ENC[AES256_GCM,data:61PEA1fBcaRy8+x0dn9WrH9P0D+NOkbeZw==,iv:kbR3JWzHsmsef+VlFGciZmyforxJCdvzHijvGFvFwpk=,tag:K+6baLIKy0L37KrJEQUgPg==,type:str] sops: age: - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63 
@@ -52,8 +62,8 @@ sops: MEZ1UWw3alF1WnJZMFZvMFBpbDFJZlUKGRnoEEgjgJ9SSblmldtY6d8MdAy01yxl qkvEIoXbL+ky2ira7EgjD0legThzCnmlXUlcSn3SpwbkAGgcfd2kWA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-24T16:09:43Z" - mac: ENC[AES256_GCM,data:K6x8RdvbXEQMBMnhXL1vnD9urEGgsm+bg5WVIBExvML0ptkIX88AIXF9GPaOFdPJ7idKRrXe1euajGyDJZTZeM95auvEuw8Dyb3xC/2l21X9pAOlWQwhWNlilUu/G/JO56lXTxeIGS7qA1oUYRYGRyZYICbYssymcH/urcKGPZE=,iv:4QCTjTb1vs/7xWyvGC1eARMqaFAgkzKBsnxQIWv06gk=,tag:by8DbsqBHYbe3Xe+EbDIRA==,type:str] + lastmodified: "2025-06-09T02:48:48Z" + mac: ENC[AES256_GCM,data:hHoWSuoIweKC/l/27aTOtn6A3qvlsFpHjoCnx2QtQrSUKvaHCeGnnv9U71hK56GW2OyL9fEfjfTNn7fZR5jQnjlZrwQAtFiXDaUMKT90QtHsZj87RBYmGKLdSpOSGrnimywGivAbJp2yWLQ8WnwnD0LwkYpylSUFOgiGD5W62cA=,iv:QYqCcbfL4x310InrMtTY8gdUpgqxcB85nbBKHLFltLA=,tag:fIV7PAY7hJCTEkEWcoq15g==,type:str] pgp: - created_at: "2024-12-17T16:24:32Z" enc: |-