Update, add ovh-server, redo relay
This commit is contained in:
parent
938e957003
commit
0e1e344862
15 changed files with 499 additions and 49 deletions
|
@ -95,8 +95,8 @@ jobs:
|
||||||
ssh-add
|
ssh-add
|
||||||
env | grep SSH
|
env | grep SSH
|
||||||
cd /etc/nixos/git
|
cd /etc/nixos/git
|
||||||
git commit -am '[ACTIONS] Flake Update (`date +%Y-%m-%d`)'
|
git -c commit.gpgsign=false commit -am '[ACTIONS] Flake Update (`date +%Y-%m-%d`)' \
|
||||||
git push
|
&& git push
|
||||||
"
|
"
|
||||||
|
|
||||||
- if: success()
|
- if: success()
|
||||||
|
|
|
@ -11,6 +11,7 @@ keys:
|
||||||
- &piaware-rpi4 4216b645667670a6130bb95a72a56f8269cd0818
|
- &piaware-rpi4 4216b645667670a6130bb95a72a56f8269cd0818
|
||||||
- &backups-rpi4 8b37122bb46dc98c208002d65e94778ecd94bd4e
|
- &backups-rpi4 8b37122bb46dc98c208002d65e94778ecd94bd4e
|
||||||
- &bakersfield-rpi4 c93d5c2da5efe4ba4103c8f571faa392f202eed4
|
- &bakersfield-rpi4 c93d5c2da5efe4ba4103c8f571faa392f202eed4
|
||||||
|
- &ovh_server
|
||||||
- &quitman-rpi4
|
- &quitman-rpi4
|
||||||
- &nixos-desktop
|
- &nixos-desktop
|
||||||
- &nuc-server
|
- &nuc-server
|
||||||
|
@ -68,7 +69,12 @@ creation_rules:
|
||||||
- *albert
|
- *albert
|
||||||
- *framework-server
|
- *framework-server
|
||||||
|
|
||||||
# Machines
|
# Hosts:;
|
||||||
|
- path_reges: secrets\/hosts\/ovh-server\.yaml$
|
||||||
|
key_groups:
|
||||||
|
- pgp:
|
||||||
|
- *albert
|
||||||
|
|
||||||
- path_regex: secrets\/hosts\/frankfurt-linode-01\.yaml$
|
- path_regex: secrets\/hosts\/frankfurt-linode-01\.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- pgp:
|
- pgp:
|
||||||
|
|
80
flake.lock
80
flake.lock
|
@ -186,11 +186,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719864345,
|
"lastModified": 1720056646,
|
||||||
"narHash": "sha256-e4Pw+30vFAxuvkSTaTypd9zYemB/QlWcH186dsGT+Ms=",
|
"narHash": "sha256-BymcV4HWtx2VFuabDCM4/nEJcfivCx0S02wUCz11mAY=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "disko",
|
"repo": "disko",
|
||||||
"rev": "544a80a69d6e2da04e4df7ec8210a858de8c7533",
|
"rev": "64679cd7f318c9b6595902b47d4585b1d51d5f9e",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -776,11 +776,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719827385,
|
"lastModified": 1720042825,
|
||||||
"narHash": "sha256-qs+nU20Sm8czHg3bhGCqiH+8e13BJyRrKONW34g3i50=",
|
"narHash": "sha256-A0vrUB6x82/jvf17qPCpxaM+ulJnD8YZwH9Ci0BsAzE=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "391ca6e950c2525b4f853cbe29922452c14eda82",
|
"rev": "e1391fb22e18a36f57e6999c7a9f966dc80ac073",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -894,11 +894,11 @@
|
||||||
"xdph": "xdph"
|
"xdph": "xdph"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719949580,
|
"lastModified": 1720213509,
|
||||||
"narHash": "sha256-Ht6ZUjQ6HO9vllB0CxeGgLYUzZCw9Q/2Aaq21Og+3hM=",
|
"narHash": "sha256-LXj38Y3H0+/YhOtz6tGrqgd6p9AyGFeq6EwLgYsE1KQ=",
|
||||||
"owner": "hyprwm",
|
"owner": "hyprwm",
|
||||||
"repo": "Hyprland",
|
"repo": "Hyprland",
|
||||||
"rev": "8bb75a223db3ea9471d05d74fbed3328334a9f78",
|
"rev": "cc98594c3aed0b542e03818371a4636f549f80e1",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -1019,11 +1019,11 @@
|
||||||
"nixpkgs": "nixpkgs_3"
|
"nixpkgs": "nixpkgs_3"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719982578,
|
"lastModified": 1720205505,
|
||||||
"narHash": "sha256-NBI3jN7NH784t+6XiEWvfIzxZnCqOBLCIIe9mbXHJ10=",
|
"narHash": "sha256-KqGnYAKWxwRgWxc/78HbL3PHeuDJOSS/9+Pkm5doUk8=",
|
||||||
"owner": "Jovian-Experiments",
|
"owner": "Jovian-Experiments",
|
||||||
"repo": "Jovian-NixOS",
|
"repo": "Jovian-NixOS",
|
||||||
"rev": "b4b7577219500b93d60d9d85781a8b6aeeff672c",
|
"rev": "fdcaab38857f221eea20a0073f891feb36ea8e99",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -1202,11 +1202,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719841141,
|
"lastModified": 1720055043,
|
||||||
"narHash": "sha256-WOyohxFJJdfDvEB7N3eTcX44lNU2rZes1inHsyHL7mM=",
|
"narHash": "sha256-SKizewU4UeYrkZWPUjur8EoxscGoNb0pGcrNL4YzAIg=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "nixos-generators",
|
"repo": "nixos-generators",
|
||||||
"rev": "140dcc2b9a0eb87ba5e9011076a1a7af19179ab1",
|
"rev": "168b220231a70e47cc1f0919048fa5914415fb18",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -1279,27 +1279,27 @@
|
||||||
},
|
},
|
||||||
"nixpkgs-stable_2": {
|
"nixpkgs-stable_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719663039,
|
"lastModified": 1719720450,
|
||||||
"narHash": "sha256-tXlrgAQygNIy49LDVFuPXlWD2zTQV9/F8pfoqwwPJyo=",
|
"narHash": "sha256-57+R2Uj3wPeDeq8p8un19tzFFlgWiXJ8PbzgKtBgBX8=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "4a1e673523344f6ccc84b37f4413ad74ea19a119",
|
"rev": "78f8641796edff3bfabbf1ef5029deadfe4a21d0",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"ref": "release-23.11",
|
"ref": "release-24.05",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs-unstable": {
|
"nixpkgs-unstable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719848872,
|
"lastModified": 1720031269,
|
||||||
"narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=",
|
"narHash": "sha256-rwz8NJZV+387rnWpTYcXaRNvzUSnnF9aHONoJIYmiUQ=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8",
|
"rev": "9f4128e00b0ae8ec65918efeba59db998750ead6",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -1316,11 +1316,11 @@
|
||||||
"nixpkgs": "nixpkgs_6"
|
"nixpkgs": "nixpkgs_6"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719983871,
|
"lastModified": 1720275269,
|
||||||
"narHash": "sha256-+CtRYC7IixKUobzqnzlPCEhfCPmMhOPzBPix4kx855o=",
|
"narHash": "sha256-B/WPzq9nPffFqgIBs/V8eVErdBZ/gFB18TVEjbm0OgE=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "nixpkgs-wayland",
|
"repo": "nixpkgs-wayland",
|
||||||
"rev": "a61cab0e5ec097e1d46b9a3c6d5e3f2eea456062",
|
"rev": "e9d5643137c2ffb928d84e713fc15782ba7c7b22",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -1363,11 +1363,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs_4": {
|
"nixpkgs_4": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719838683,
|
"lastModified": 1720110830,
|
||||||
"narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=",
|
"narHash": "sha256-E5dN9GDV4LwMEduhBLSkyEz51zM17XkWZ3/9luvNOPs=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "d032c1a6dfad4eedec7e35e91986becc699d7d69",
|
"rev": "c0d0be00d4ecc4b51d2d6948e37466194c1e6c51",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -1394,11 +1394,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs_6": {
|
"nixpkgs_6": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719848872,
|
"lastModified": 1720031269,
|
||||||
"narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=",
|
"narHash": "sha256-rwz8NJZV+387rnWpTYcXaRNvzUSnnF9aHONoJIYmiUQ=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8",
|
"rev": "9f4128e00b0ae8ec65918efeba59db998750ead6",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -1500,11 +1500,11 @@
|
||||||
},
|
},
|
||||||
"nur": {
|
"nur": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719981089,
|
"lastModified": 1720276401,
|
||||||
"narHash": "sha256-2M5yTK6i/rzYLNilhr7wYzykhRVzaNs3frxqcpxBIwQ=",
|
"narHash": "sha256-tWBXMGxAnR/iroW0JEVA1esOp6Ln0C7GhQ0AshxPqP4=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "NUR",
|
"repo": "NUR",
|
||||||
"rev": "ffd44bb409a81a84c2e9ea1236c1108ecff9dd90",
|
"rev": "fe3c458e7673f38d69542a3b9f66df01ff81c73c",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -1601,11 +1601,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719875930,
|
"lastModified": 1720168075,
|
||||||
"narHash": "sha256-jQmdWLxRP6BzOxRF8hQEhDD7UKw7UrnYbmaAPOSaXWY=",
|
"narHash": "sha256-Nb/8+zrOPbU9EBMterwQPTUonqwj6Czd0CCCNM4SROA=",
|
||||||
"owner": "pjones",
|
"owner": "pjones",
|
||||||
"repo": "plasma-manager",
|
"repo": "plasma-manager",
|
||||||
"rev": "7e062fcd669e261fb06cf54fe0ef2e46c3db8e83",
|
"rev": "71c3fb6eb0767923335662aa33a06f983c2fbeae",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -1742,11 +1742,11 @@
|
||||||
"nixpkgs-stable": "nixpkgs-stable_2"
|
"nixpkgs-stable": "nixpkgs-stable_2"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1719873517,
|
"lastModified": 1720187017,
|
||||||
"narHash": "sha256-D1dxZmXf6M2h5lNE1m6orojuUawVPjogbGRsqSBX+1g=",
|
"narHash": "sha256-Zq+T1Bvd0ShZB9XM+bP0VJK3HjsSVQBLolkaCLBQnfQ=",
|
||||||
"owner": "Mic92",
|
"owner": "Mic92",
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"rev": "a11224af8d824935f363928074b4717ca2e280db",
|
"rev": "1b11e208cee97c47677439625dc22e5289dcdead",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -35,7 +35,9 @@
|
||||||
presharedKeyFile = "/run/secrets/preshared_key";
|
presharedKeyFile = "/run/secrets/preshared_key";
|
||||||
persistentKeepalive = 5;
|
persistentKeepalive = 5;
|
||||||
allowedIPs = [ "10.100.0.1/32" ];
|
allowedIPs = [ "10.100.0.1/32" ];
|
||||||
endpoint = "172.234.84.222:51820"; # osaka-linode-01
|
# endpoint = "172.234.84.222:51820"; # osaka-linode-01
|
||||||
|
# endpoint = "172.232.204.45:51820"; # milan-linode-01
|
||||||
|
endpoint = "172.105.76.221:51820"; # frankfurt-linode-01
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
|
@ -5,6 +5,7 @@
|
||||||
../../common/services/podman.nix
|
../../common/services/podman.nix
|
||||||
./containers/derp.nix
|
./containers/derp.nix
|
||||||
./firewall.nix
|
./firewall.nix
|
||||||
|
./wireguard.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
|
boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
|
||||||
|
|
79
nixos/hosts/frankfurt-linode-01/wireguard.nix
Normal file
79
nixos/hosts/frankfurt-linode-01/wireguard.nix
Normal file
|
@ -0,0 +1,79 @@
|
||||||
|
{ hostname, pkgs, ... }: {
|
||||||
|
|
||||||
|
# Allow these hosts to directly communicate with their hostnames
|
||||||
|
networking.extraHosts = ''
|
||||||
|
10.100.0.1 ${hostname}
|
||||||
|
10.100.0.3 backups-rpi4
|
||||||
|
10.100.0.2 headscale.sysctl.io
|
||||||
|
'';
|
||||||
|
|
||||||
|
# 10.100.0.2 framework-server
|
||||||
|
# 10.100.0.2 git.sysctl.io
|
||||||
|
# 10.100.0.2 loki.sysctl.io
|
||||||
|
# 10.100.0.2 telegraf.sysctl.io
|
||||||
|
# '';
|
||||||
|
|
||||||
|
networking.firewall.allowedUDPPorts = [ 51820 ];
|
||||||
|
networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ];
|
||||||
|
|
||||||
|
# Set up the secrets file:
|
||||||
|
sops.secrets."wireguard_key" = {
|
||||||
|
owner = "root";
|
||||||
|
sopsFile = ../../../secrets/hosts/${hostname}.yaml;
|
||||||
|
};
|
||||||
|
|
||||||
|
sops.secrets."preshared_key" = {
|
||||||
|
owner = "root";
|
||||||
|
sopsFile = ../../../secrets/wireguard.yaml;
|
||||||
|
};
|
||||||
|
|
||||||
|
# Wireguard Forwarder
|
||||||
|
boot.kernel.sysctl = {
|
||||||
|
"net.ipv4.ip_forward" = true;
|
||||||
|
"net.ipv4.conf.all.forwarding" = 1;
|
||||||
|
"net.ipv4.conf.default.forwarding" = 1;
|
||||||
|
};
|
||||||
|
|
||||||
|
networking.wireguard = {
|
||||||
|
enable = true;
|
||||||
|
interfaces = {
|
||||||
|
"wireguard0" = {
|
||||||
|
ips = [
|
||||||
|
"10.100.0.1/24"
|
||||||
|
"10.100.1.1/24"
|
||||||
|
];
|
||||||
|
listenPort = 51820;
|
||||||
|
privateKeyFile = "/run/secrets/wireguard_key";
|
||||||
|
postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp0s4 -j MASQUERADE'';
|
||||||
|
postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp0s4 -j MASQUERADE'';
|
||||||
|
peers = [
|
||||||
|
{ # framework-server / ovh-server
|
||||||
|
publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";
|
||||||
|
presharedKeyFile = "/run/secrets/preshared_key";
|
||||||
|
allowedIPs = [ "10.100.0.2/32" ];
|
||||||
|
persistentKeepalive = 5;
|
||||||
|
}
|
||||||
|
{ # backups-rpi4
|
||||||
|
publicKey = "cqocpMyY8Z0Jl0hoAdghn3dR3VhkkOYyeSwW6UKk9Fs=";
|
||||||
|
presharedKeyFile = "/run/secrets/preshared_key";
|
||||||
|
allowedIPs = [ "10.100.0.3/32" ];
|
||||||
|
persistentKeepalive = 5;
|
||||||
|
}
|
||||||
|
{ # framewrk-server docker:wg-enshrouded
|
||||||
|
publicKey = "ucV6LgUwSbEyyxPlS83OayFPK6ysQKu6cVBV97S07mI=";
|
||||||
|
presharedKeyFile = "/run/secrets/preshared_key";
|
||||||
|
allowedIPs = [ "10.100.1.2/32" ];
|
||||||
|
persistentKeepalive = 5;
|
||||||
|
}
|
||||||
|
{ # framewrk-server docker:wg-mailserver
|
||||||
|
publicKey = "5C1ft3LIGmyFwi00pyLeYjvJpqHLTQFNMRlXlva6uEI=";
|
||||||
|
presharedKeyFile = "/run/secrets/preshared_key";
|
||||||
|
allowedIPs = [ "10.100.1.3/32" ];
|
||||||
|
persistentKeepalive = 5;
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
../../common/services/podman.nix
|
../../common/services/podman.nix
|
||||||
./containers/derp.nix
|
./containers/derp.nix
|
||||||
./firewall.nix
|
./firewall.nix
|
||||||
./wireguard.nix
|
# ./wireguard.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
|
boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
{ pkgs, ... }: {
|
{ hostname, pkgs, ... }: {
|
||||||
|
|
||||||
# Allow these hosts to directly communicate with their hostnames
|
# Allow these hosts to directly communicate with their hostnames
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
10.100.0.1 osaka-linode-01
|
10.100.0.1 ${hostname}
|
||||||
10.100.0.3 backups-rpi4
|
10.100.0.3 backups-rpi4
|
||||||
10.100.0.2 headscale.sysctl.io
|
10.100.0.2 headscale.sysctl.io
|
||||||
'';
|
'';
|
||||||
|
@ -19,7 +19,7 @@
|
||||||
# Set up the secrets file:
|
# Set up the secrets file:
|
||||||
sops.secrets."wireguard_key" = {
|
sops.secrets."wireguard_key" = {
|
||||||
owner = "root";
|
owner = "root";
|
||||||
sopsFile = ../../../secrets/hosts/osaka-linode-01.yaml;
|
sopsFile = ../../../secrets/hosts/${hostname}.yaml;
|
||||||
};
|
};
|
||||||
|
|
||||||
sops.secrets."preshared_key" = {
|
sops.secrets."preshared_key" = {
|
||||||
|
@ -47,7 +47,7 @@
|
||||||
postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp0s4 -j MASQUERADE'';
|
postSetup = ''${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o enp0s4 -j MASQUERADE'';
|
||||||
postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp0s4 -j MASQUERADE'';
|
postShutdown = ''${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o enp0s4 -j MASQUERADE'';
|
||||||
peers = [
|
peers = [
|
||||||
{ # framework-server
|
{ # framework-server / ovh-server
|
||||||
publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";
|
publicKey = "trHvfNtQ7HKMiJjxEXo2Iubq5G6egjx7gHiBlDmJ5Ek=";
|
||||||
presharedKeyFile = "/run/secrets/preshared_key";
|
presharedKeyFile = "/run/secrets/preshared_key";
|
||||||
allowedIPs = [ "10.100.0.2/32" ];
|
allowedIPs = [ "10.100.0.2/32" ];
|
||||||
|
|
30
nixos/hosts/ovh-server/containers.nix
Normal file
30
nixos/hosts/ovh-server/containers.nix
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
{ lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }:
|
||||||
|
let
|
||||||
|
libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; };
|
||||||
|
in {
|
||||||
|
|
||||||
|
containers = {
|
||||||
|
rdesktop = libx.mkContainer { hostname = "rdesktop"; ip = "2"; desktop = "plasma6"; unfree = true; };
|
||||||
|
};
|
||||||
|
|
||||||
|
# Networking config
|
||||||
|
networking.bridges.nix-br0.interfaces = [];
|
||||||
|
|
||||||
|
# Add an IP address to the bridge interface.
|
||||||
|
networking.localCommands = ''ip address add 192.168.2.1/24 dev nix-br0'';
|
||||||
|
|
||||||
|
# Firewall commands allowing traffic to go in and out of the bridge interface
|
||||||
|
# (and to the guest LXD instance). Also sets up the actual NAT masquerade rule.
|
||||||
|
networking.firewall.extraCommands = ''
|
||||||
|
iptables -A INPUT -i nix-br0 -j ACCEPT
|
||||||
|
|
||||||
|
# These three technically aren't needed, since by default the FORWARD and
|
||||||
|
# OUTPUT firewalls accept everything everything, but lets keep them in just
|
||||||
|
# in case.
|
||||||
|
iptables -A FORWARD -o nix-br0 -j ACCEPT
|
||||||
|
iptables -A FORWARD -i nix-br0 -j ACCEPT
|
||||||
|
iptables -A OUTPUT -o nix-br0 -j ACCEPT
|
||||||
|
|
||||||
|
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 ! -d 192.168.2.0/24 -j MASQUERADE
|
||||||
|
'';
|
||||||
|
}
|
77
nixos/hosts/ovh-server/cron.nix
Normal file
77
nixos/hosts/ovh-server/cron.nix
Normal file
|
@ -0,0 +1,77 @@
|
||||||
|
{ pkgs, ... }: {
|
||||||
|
services.cron = {
|
||||||
|
enable = true;
|
||||||
|
systemCronJobs = [
|
||||||
|
# Backups to nuc-docker01
|
||||||
|
''0 0 * * * root rsync --delete -avr /Storage/Data/Docker/sysctl.io/ root@nuc-docker01:/Storage/Data/Docker/sysctl.io/''
|
||||||
|
''0 3 * * * root rsync -avr /Storage/Data/Docker/sysctl.io/nextcloud/html/data/albert/files/InstantUpload/ root@nuc-docker01:/Storage/Media/Pictures/InstantUpload/''
|
||||||
|
''0 5 * * * root rsync -avr /Storage/Data/Docker/sysctl.io/nextcloud/html/data/albert/files/Wallpapers/ root@nuc-docker01:/Storage/Media/Pictures/Wallpapers''
|
||||||
|
# Back up the docker containers monthly:
|
||||||
|
''@monthly root ssh nuc-docker01 "rm -rf /Storage/Backups/Docker/sysctl.io/*"; for i in $(docker ps --format '{{.Names}}'); do docker export $i | gzip -cf | ssh root@nuc-docker01 "cat > /Storage/Backups/Docker/sysctl.io/$i.tar.gz"; done''
|
||||||
|
# Set a random Pi-Hole password
|
||||||
|
''* * * * * root docker exec pihole sudo pihole -a -p $(openssl rand -hex 128)''
|
||||||
|
# Run the ClamAV scan
|
||||||
|
''@monthly root /Storage/Data/docker-compose/sysctl.io/scripts/clamscan-cron.sh''
|
||||||
|
# Archive Loki logs monthly
|
||||||
|
''@monthly root /Storage/Data/docker-compose/sysctl.io/scripts/backup-logs.sh >> /Storage/Data/Temporary/log_backups.log''
|
||||||
|
# Run the Nextcloud cronjobs hourly
|
||||||
|
''@hourly root docker exec -uwww-data nextcloud php -f /var/www/html/cron.php''
|
||||||
|
# Run the Pixelfed scheduler
|
||||||
|
''* * * * * root docker exec pixelfed-app php artisan schedule:run''
|
||||||
|
# Update / CLean Mastodon caches
|
||||||
|
''@daily root docker exec mastodon-web tootctl preview_cards remove --days 7''
|
||||||
|
''@daily root docker exec mastodon-web tootctl media remove --days 7 --prune-profiles''
|
||||||
|
''@daily root docker exec mastodon-web tootctl accounts prune''
|
||||||
|
''@daily root docker exec mastodon-web tootctl statuses remove --days 7''
|
||||||
|
''@daily root docker exec mastodon-web tootctl media remove --remove-headers --include-follows --days 7''
|
||||||
|
''@daily root docker exec mastodon-web tootctl preview_cards remove --days 7''
|
||||||
|
''@daily root docker exec mastodon-web tootctl media remove-orphans''
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
||||||
|
# Old crontab:
|
||||||
|
# # At reboot, apply the ip_tables modprobe so Wireguard works
|
||||||
|
# @reboot /usr/sbin/modprobe ip_tables
|
||||||
|
#
|
||||||
|
# # At reboot, restart Docker. Otherwise, iptables / the firewall freaks out
|
||||||
|
# @reboot /usr/bin/systemctl stop docker; /usr/bin/systemctl start docker
|
||||||
|
#
|
||||||
|
# # Every day, get storage space for monitoring
|
||||||
|
# @daily source ~/.bashrc; for i in `ls /Storage/Data/Docker`; do echo echo "$(date): $(du -s /Storage/Data/Docker/$i)" | sed -e 's/\/Storage\/Data\/Docker\/\$i//' >> /root/sizes/$i.log; done
|
||||||
|
#
|
||||||
|
# # Clean up NextCloud files weekly to save space
|
||||||
|
# @weekly source ~/.bashrc; /usr/bin/docker exec -uwww-data nextcloud php occ versions:cleanup
|
||||||
|
# DONE # Run the Nextcloud cronjobs hourly
|
||||||
|
# DONE @hourly source ~/.bashrc; /usr/bin/docker exec -uwww-data nextcloud php -f /var/www/html/cron.php
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# # Clear out Mastodon caches daily
|
||||||
|
# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl preview_cards remove --days 1
|
||||||
|
# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl media remove --days 1 --prune-profiles
|
||||||
|
# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl accounts prune
|
||||||
|
# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl statuses remove --days 1
|
||||||
|
# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl media remove --remove-headers --include-follows --days 0
|
||||||
|
# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl preview_cards remove --days 1
|
||||||
|
# DONE @daily source ~/.bashrc; /usr/bin/docker exec mastodon-web tootctl media remove-orphans
|
||||||
|
#
|
||||||
|
# DONE # Run the Pixelfed scheduler
|
||||||
|
# DONE * * * * * /usr/bin/docker exec pixelfed-app php artisan schedule:run
|
||||||
|
#
|
||||||
|
# DONE # Run the ClamAV scan
|
||||||
|
# DONE @monthly source ~/.bashrc; /Storage/Data/docker-compose/sysctl.io/scripts/clamscan-cron.sh
|
||||||
|
#
|
||||||
|
# DONE # Set a random PiHole password every minute
|
||||||
|
# DONE * * * * * /usr/bin/docker exec pihole sudo pihole -a -p $(openssl rand -hex 128)
|
||||||
|
#
|
||||||
|
# NOT NEEDED # back up crontab:
|
||||||
|
# NOT NEEDED # 0 0 * * * /usr/bin/crontab -l > /Storage/Data/Temporary/crontab
|
||||||
|
#
|
||||||
|
# # Back up and delete local copies of Loki logs monthly
|
||||||
|
# DONE @monthly source ~/.bashrc; /Storage/Data/docker-compose/sysctl.io/scripts/backup-logs.sh >> /Storage/Data/Temporary/log_backups.log
|
||||||
|
#
|
||||||
|
# DONE # Back up the docker containers weekly:
|
||||||
|
# DONE @weekly source ~/.bashrc; ssh nuc-docker01 "rm -rf /Storage/Backups/Docker/sysctl.io/*"; for i in $(docker ps --format '{{.Names}}'); do docker export $i | gzip -cf | ssh root@nuc-docker01 "cat > /Storage/Backups/Docker/sysctl.io/$i.tar.gz"; done
|
||||||
|
#
|
||||||
|
# # Set up DERP relay certs for headscale-derp:
|
||||||
|
# DONE @hourly cp /Storage/Data/Docker/letsencrypt/certs/certs/\*.sysctl.io.crt /Storage/Data/Docker/letsencrypt/certs/certs/derp.sysctl.io.crt
|
||||||
|
# DONE @hourly cp /Storage/Data/Docker/letsencrypt/certs/private/\*.sysctl.io.key /Storage/Data/Docker/letsencrypt/certs/private/derp.sysctl.io.key
|
63
nixos/hosts/ovh-server/default.nix
Normal file
63
nixos/hosts/ovh-server/default.nix
Normal file
|
@ -0,0 +1,63 @@
|
||||||
|
{ hostname, inputs, config, lib, pkgs, modulesPath, system, ... }: {
|
||||||
|
imports = [
|
||||||
|
inputs.nixos-hardware.nixosModules.framework-13th-gen-intel
|
||||||
|
(modulesPath + "/installer/scan/not-detected.nix")
|
||||||
|
# ../../common/modules/secureboot.nix
|
||||||
|
../../common/modules/boot.nix
|
||||||
|
../../common/modules/udev-rules.nix
|
||||||
|
../../common/modules/builder.nix
|
||||||
|
../../common/services/fwupd.nix
|
||||||
|
# ../../common/modules/ssh-luks.nix
|
||||||
|
../../common/services/docker.nix
|
||||||
|
../../common/services/tailscale-autoconnect.nix
|
||||||
|
./containers.nix
|
||||||
|
./disks.nix
|
||||||
|
./wireguard.nix
|
||||||
|
./cron.nix
|
||||||
|
./firewall.nix
|
||||||
|
];
|
||||||
|
|
||||||
|
environment.systemPackages = [
|
||||||
|
inputs.deploy-rs.packages.${system}.deploy-rs
|
||||||
|
pkgs.distrobox
|
||||||
|
];
|
||||||
|
|
||||||
|
# backups-rpi4 cron job to back up sysctl.io's Docker files
|
||||||
|
# osaka-linode-01 cron job to copy certs for the DERP relay
|
||||||
|
# milan-linode-01 cron job to copy certs for the DERP relay
|
||||||
|
# frankfurt-linode-01 cron job to copy certs for the DERP relay
|
||||||
|
|
||||||
|
# TODO: Update servers that point here
|
||||||
|
users.users.root.openssh.authorizedKeys.keys = [
|
||||||
|
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp2wgqFcr0LGaUXbom88/zK2631pysePUWIaCMljT0K root@backups-rpi4''
|
||||||
|
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKkNFdEcYIrjss1Nz0tU/AX89hUMmxB/Vabvsa7A6E2K root@osaka-linode-01''
|
||||||
|
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIORCrD/ZWXbAfi5eIN8b9dwuvMuPPTgpMiIFh1WagXV2 root@milan-linode-01''
|
||||||
|
''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBGXiWUR2T5HXQ4g/En+eJ9K6GSokl3tEK7RZcYb+0UA root@frankfurt-linode-01''
|
||||||
|
];
|
||||||
|
services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
|
||||||
|
|
||||||
|
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "thunderbolt" "sd_mod" "uas" ];
|
||||||
|
boot.initrd.kernelModules = [ "r8152" ];
|
||||||
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
|
boot.extraModulePackages = with config.boot.kernelPackages; [ acpi_call ];
|
||||||
|
|
||||||
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
|
||||||
|
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||||
|
|
||||||
|
# Set your time zone.
|
||||||
|
time.timeZone = "Europe/Warsaw";
|
||||||
|
|
||||||
|
# Set the networking hostname:
|
||||||
|
networking.hostName = hostname;
|
||||||
|
networking.firewall.allowedTCPPorts = [ 22 ];
|
||||||
|
|
||||||
|
services.tailscale.extraUpFlags = [
|
||||||
|
"--advertise-exit-node"
|
||||||
|
"--advertise-routes=10.2.0.0/24"
|
||||||
|
];
|
||||||
|
|
||||||
|
boot.kernel.sysctl = {
|
||||||
|
"net.ipv4.ip_forward" = true;
|
||||||
|
};
|
||||||
|
}
|
85
nixos/hosts/ovh-server/disks.nix
Normal file
85
nixos/hosts/ovh-server/disks.nix
Normal file
|
@ -0,0 +1,85 @@
|
||||||
|
{
|
||||||
|
imports = [ ../../common/services/snapper.nix ];
|
||||||
|
|
||||||
|
# extra configs not present in the standard config above
|
||||||
|
services.snapper.configs.Storage = {
|
||||||
|
TIMELINE_CREATE = true;
|
||||||
|
TIMELINE_CLEANUP = true;
|
||||||
|
SUBVOLUME = "/Storage";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.btrfs.autoScrub.enable = true;
|
||||||
|
services.btrfs.autoScrub.interval = "weekly";
|
||||||
|
|
||||||
|
disko.devices.disk.nvme0 = {
|
||||||
|
type = "disk";
|
||||||
|
device = "/dev/nvme0n1";
|
||||||
|
content = {
|
||||||
|
type = "gpt";
|
||||||
|
partitions = {
|
||||||
|
BOOT = {
|
||||||
|
priority = 1;
|
||||||
|
name = "BOOT";
|
||||||
|
start = "0%";
|
||||||
|
end = "550MiB";
|
||||||
|
type = "EF00";
|
||||||
|
content = {
|
||||||
|
type = "filesystem";
|
||||||
|
format = "vfat";
|
||||||
|
# https://github.com/nix-community/disko/issues/527
|
||||||
|
mountOptions = [ "umask=0077" ];
|
||||||
|
mountpoint = "/boot";
|
||||||
|
};
|
||||||
|
}; # partition 1 (ESP)
|
||||||
|
LUKS-ROOT = {
|
||||||
|
start = "550MiB";
|
||||||
|
end = "100%";
|
||||||
|
content = {
|
||||||
|
type = "luks";
|
||||||
|
name = "ROOT";
|
||||||
|
extraOpenArgs = [ "--allow-discards" ];
|
||||||
|
content = {
|
||||||
|
type = "btrfs";
|
||||||
|
extraArgs = [ "-f" ];
|
||||||
|
subvolumes = {
|
||||||
|
"/root" = {
|
||||||
|
mountpoint = "/";
|
||||||
|
mountOptions = [ "compress=zstd" "noatime" ];
|
||||||
|
}; # root
|
||||||
|
"/home" = {
|
||||||
|
mountpoint = "/home";
|
||||||
|
mountOptions = [ "compress=zstd" "noatime" ];
|
||||||
|
}; # home
|
||||||
|
"/nix" = {
|
||||||
|
mountpoint = "/nix";
|
||||||
|
mountOptions = [ "compress=zstd" "noatime" ];
|
||||||
|
}; # nix
|
||||||
|
"/Storage" = {
|
||||||
|
mountpoint = "/Storage";
|
||||||
|
mountOptions = [ "compress=zstd" "noatime" ];
|
||||||
|
}; # Storage
|
||||||
|
# SNAPSHOT SUBVOLS
|
||||||
|
"/root/.snapshots" = {
|
||||||
|
mountpoint = "/.snapshots";
|
||||||
|
mountOptions = [ "compress=zstd" "noatime" ];
|
||||||
|
}; # root
|
||||||
|
"/home/.snapshots" = {
|
||||||
|
mountpoint = "/home/.snapshots";
|
||||||
|
mountOptions = [ "compress=zstd" "noatime" ];
|
||||||
|
}; # home
|
||||||
|
"/nix/.snapshots" = {
|
||||||
|
mountpoint = "/nix/.snapshots";
|
||||||
|
mountOptions = [ "compress=zstd" "noatime" ];
|
||||||
|
}; # nix
|
||||||
|
"/Storage/.snapshots" = {
|
||||||
|
mountpoint = "/Storage/.snapshots";
|
||||||
|
mountOptions = [ "compress=zstd" "noatime" ];
|
||||||
|
}; # Storage
|
||||||
|
}; # subvolumes
|
||||||
|
}; # content.content
|
||||||
|
}; # content
|
||||||
|
}; # partition 2 (/ BTRFS)
|
||||||
|
}; # partitions
|
||||||
|
}; # content
|
||||||
|
}; # disko.devices.disk.nvme0
|
||||||
|
} # root
|
30
nixos/hosts/ovh-server/firewall.nix
Normal file
30
nixos/hosts/ovh-server/firewall.nix
Normal file
|
@ -0,0 +1,30 @@
|
||||||
|
{ ... }: {
|
||||||
|
networking = {
|
||||||
|
firewall = {
|
||||||
|
enable = true;
|
||||||
|
allowedTCPPorts = [
|
||||||
|
53 # DNS
|
||||||
|
80 # HTTP
|
||||||
|
443 # HTTPS
|
||||||
|
42420 # Vintage Story
|
||||||
|
25565 # Minecraft
|
||||||
|
1443 # Headscale DERP (tcp)
|
||||||
|
25 # Mailserver
|
||||||
|
143 # Mailserver
|
||||||
|
465 # Mailserver
|
||||||
|
587 # Mailserver
|
||||||
|
993 # Mailserver
|
||||||
|
4190 # Mailserver
|
||||||
|
5696 # dsm-kmip server
|
||||||
|
3389 # RDP
|
||||||
|
4443 # Jitsi
|
||||||
|
];
|
||||||
|
allowedUDPPorts = [
|
||||||
|
53 # DNS (udp)
|
||||||
|
10000 # Jitsi Meet (udp)
|
||||||
|
15636 # Enshrouded - Game
|
||||||
|
15637 # Enshrouded - Query Port
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
44
nixos/hosts/ovh-server/wireguard.nix
Normal file
44
nixos/hosts/ovh-server/wireguard.nix
Normal file
|
@ -0,0 +1,44 @@
|
||||||
|
{ ... }: {
|
||||||
|
|
||||||
|
# Allow these hosts to directly communicate with their hostnames
|
||||||
|
networking.extraHosts = ''
|
||||||
|
10.100.0.1 osaka-linode-01
|
||||||
|
10.100.0.2 framework-server
|
||||||
|
'';
|
||||||
|
|
||||||
|
networking.firewall.interfaces.wireguard0.allowedTCPPorts = [ 22 ];
|
||||||
|
|
||||||
|
# Set up the secrets file:
|
||||||
|
sops.secrets."wireguard_key" = {
|
||||||
|
owner = "root";
|
||||||
|
sopsFile = ../../../secrets/hosts/framework-server.yaml;
|
||||||
|
};
|
||||||
|
sops.secrets."preshared_key" = {
|
||||||
|
owner = "root";
|
||||||
|
sopsFile = ../../../secrets/wireguard.yaml;
|
||||||
|
};
|
||||||
|
|
||||||
|
# Wireguard Forwarder
|
||||||
|
networking.wireguard = {
|
||||||
|
enable = true;
|
||||||
|
interfaces = {
|
||||||
|
"wireguard0" = {
|
||||||
|
ips = [ "10.100.0.2/24" ];
|
||||||
|
listenPort = 51820;
|
||||||
|
privateKeyFile = "/run/secrets/wireguard_key";
|
||||||
|
# Testing
|
||||||
|
peers = [
|
||||||
|
{ # osaka-linode-01
|
||||||
|
publicKey = "yPZ3EmmIqCkReXf1DRTxzVaKQ2k+ifGmYJHji5nnMmE=";
|
||||||
|
presharedKeyFile = "/run/secrets/preshared_key";
|
||||||
|
persistentKeepalive = 5;
|
||||||
|
allowedIPs = [ "10.100.0.1/32" ];
|
||||||
|
# endpoint = "172.234.84.222:51820"; # osaka-linode-01
|
||||||
|
# endpoint = "172.232.204.45:51820"; # milan-linode-01
|
||||||
|
endpoint = "172.105.76.221:51820"; # frankfurt-linode-01
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
33
secrets/hosts/ovh-server.yaml
Normal file
33
secrets/hosts/ovh-server.yaml
Normal file
|
@ -0,0 +1,33 @@
|
||||||
|
tailscale_key: ENC[AES256_GCM,data:5hiD/rr51T20IfB3cvZTEbq7rCYrgyuyC0Qf/meJvjMPv9icw7RL8068+9OHQ5ui,iv:es966UYBmaD1/k7ImCQFsep3fukzbthCSpdQvYJfRJk=,tag:kKGuWxbPAO03in2lakViKw==,type:str]
|
||||||
|
wireguard_key: ENC[AES256_GCM,data:VZnRhMQJFqQ0TeaTJAZQpMC8sZUXQnr0kPHvLOz/GuhEzZbHhs7UX6Dqadc=,iv:qYe6Gecc+HCL4VWpv8MRMc1LR0PvxGqTPE4X5z1r7LM=,tag:UP9RoVeO94JfPlnIsc/7cA==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age: []
|
||||||
|
lastmodified: "2024-07-07T01:01:40Z"
|
||||||
|
mac: ENC[AES256_GCM,data:SWodY4LBR+SCDfWnATuEMJQE56jHcKd8deIXKBCUHGwsKKkxXZ1tODnY4RMEoy/r97/Rd2fCHN+0rC4TQ0/I2n2SHOp7biHR7D/dw79shVSVthzYYk6RV9fHNgeMmEg69agEIYyIN5vpO9xSpYy2NkRuNKFSK1MKYoXtUwoJfEc=,iv:MokMAgmEnbBkTSIA11aE/KmWYChUlBfIHOcSuNknovA=,tag:VzoFPRHVoHJdWCHQ6FiyXA==,type:str]
|
||||||
|
pgp:
|
||||||
|
- created_at: "2024-07-07T01:00:34Z"
|
||||||
|
enc: |-
|
||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
hQIMAwAAAAAAAAAAAQ/+NEqO1RibIRBj8jSoOem0lMbUILbLj3RREsY9dBT5ipGC
|
||||||
|
Hi/gZSy0LsPi3WZgSNE1AFoy+g/zEBEWRNQcy5nIB0B/XUPiucP3WRsucKNckB0H
|
||||||
|
F4tK9kLvWpOPTejn67r14QTbhIZyy1sHAKi+xQ29R6vuLs9eTy1MeMqcsMzfaCG2
|
||||||
|
a2nBGUqRryhHHe+6Pu3R3iPxYVlujyLUeEE85oO9+onrsNu/7G71JZaAi24/iLr4
|
||||||
|
QoqH3Auy5qBUio4DMWwO2emns1496B6q5MfAdhBB7wPHoJwsDvLqZ3TiIMuD5So6
|
||||||
|
UU3JDuLf8qCj+PUozpMy80sDR6tVc1sWTAmmP0nsd+NqAKnmAh6Gw88+ib16wH0l
|
||||||
|
HwDedoDaEBh+Ii4L0JFyyiCWaRi2SMm3ctnZ8kEixvwec2N6O4mO4nnvmVlbCWxp
|
||||||
|
GSS1Of8o7LZt5UJRXywVf+qHJJaq4h72NogUehwp7c+NLlRA/RKjRyT5LMxzTjpW
|
||||||
|
kDUmhd5ApPdAlLvY6K8OtOZVa5nixdbonjQ+AmP7UL5NR47DH23CZqQMFib3Zg4R
|
||||||
|
+HI4XSzEaQYON1+Q4Hjm1R8rr3AKQT9zDYB9RQ/9McWguBAjYeFkMwQ5QSpcXSvm
|
||||||
|
aYYsKj5V1Vg2LNNqOLGorgPf2FVyw/tRA6MzFl8c556Q987Gmt69UNem8AI2o1fS
|
||||||
|
XgHT8wU887w8rz+xgabJ4BgtrDLvhCSdUAG9vNmeNa2843nM8dmdfZ6V5FohVcAD
|
||||||
|
/3k4XXZUj8zxYw/H5IfE9tHqhsnvNxw+xTzrV+i44EMgZAWVrrwC6vXp2AYWhQg=
|
||||||
|
=twlA
|
||||||
|
-----END PGP MESSAGE-----
|
||||||
|
fp: 4A89D6B44B7E423B647C7AE848FBC3335A26DED6
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
Loading…
Reference in a new issue