From 91b0e8d037a5f8589512b6a90b419e1698eb01a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?= Date: Thu, 28 Apr 2022 12:23:41 +0100 Subject: [PATCH 1/7] Move rspamd to nas --- config/nixos-8gb-fsn1-1.nix | 1 - config/nutty-noon.nix | 1 + config/services/rspamd.nix | 4 ++-- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config/nixos-8gb-fsn1-1.nix b/config/nixos-8gb-fsn1-1.nix index 46f125b2..998b0dec 100644 --- a/config/nixos-8gb-fsn1-1.nix +++ b/config/nixos-8gb-fsn1-1.nix @@ -20,7 +20,6 @@ ./services/minio.nix ./services/loki.nix ./services/reverse-proxy.nix - ./services/rspamd.nix ]; boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ]; diff --git a/config/nutty-noon.nix b/config/nutty-noon.nix index c0755420..a1cde23d 100644 --- a/config/nutty-noon.nix +++ b/config/nutty-noon.nix @@ -11,6 +11,7 @@ nixos-hardware.nixosModules.common-cpu-amd nixos-hardware.nixosModules.common-gpu-amd nixos-hardware.nixosModules.common-pc-ssd + ./services/rspamd.nix ]; hardware.cpu.amd.updateMicrocode = true; boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" "k10temp" ]; diff --git a/config/services/rspamd.nix b/config/services/rspamd.nix index 45e73a41..e0cb2ebf 100644 --- a/config/services/rspamd.nix +++ b/config/services/rspamd.nix @@ -26,11 +26,11 @@ workers = { normal = { includes = [ "$CONFDIR/worker-normal.inc" ]; - bindSockets = [ "[::1]:11332" ]; + bindSockets = [ "*:11332" ]; }; controller = { includes = [ "$CONFDIR/worker-controller.inc" ]; - bindSockets = [ "[::1]:11334" ]; + bindSockets = [ "*:11334" ]; }; }; }; -- 2.47.0 From dd980613e91009193c1df7525d3730d8c3dfec92 Mon Sep 17 00:00:00 2001 
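Review bot: The change to `bindSockets = [ "*:11332" ]` and `bindSockets = [ "*:11334" ]` in the last hunk of this patch makes both the scanner and the controller (web UI and management API) listen on every interface of the new host, so only the host firewall now decides who can reach them. Nothing in the hunk sets a controller password or narrows the listener, though the enclosing `services.rspamd` block starts outside the hunk and may do so. Binding to the address of the internal interface only would be safer. Failing that, the controller could stay on loopback as before, `bindSockets = [ "[::1]:11334" ];`, which keeps the management API off the network even if a firewall rule is later loosened.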
From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?= Date: Thu, 28 Apr 2022 12:44:32 +0100 Subject: [PATCH 2/7] enable redis for rspamd --- config/services/rspamd.nix | 92 +++++++++++++++++++++++++------------- 1 file changed, 61 insertions(+), 31 deletions(-) diff --git a/config/services/rspamd.nix b/config/services/rspamd.nix index e0cb2ebf..19758804 100644 --- a/config/services/rspamd.nix +++ b/config/services/rspamd.nix 
@@ -1,38 +1,68 @@ { config, ... }: { - services.rspamd = { - enable = true; - locals."dkim_signing.conf".text = '' - domain { - darkkirb.de { - selector = "dkim"; - path = "${config.sops.secrets."services/rspamd/dkim/darkkirb.de".path}"; - } - miifox.net { - selector = "dkim"; - path = "${config.sops.secrets."services/rspamd/dkim/miifox.net".path}"; - } - chir.rs { - selector = "dkim"; - path = "${config.sops.secrets."services/rspamd/dkim/chir.rs".path}"; - } - } - allow_hdrfrom_mismatch = true; - allow_hdrfrom_mismatch_sign_networks = true; - allow_username_mismatch = true; - use_domain = "header"; - sign_authenticated = true; - use_esld = true; - ''; - workers = { - normal = { - includes = [ "$CONFDIR/worker-normal.inc" ]; - bindSockets = [ "*:11332" ]; + services = { + rspamd = { + enable = true; + locals = { + "dkim_signing.conf".text = '' + domain { + darkkirb.de { + selector = "dkim"; + path = "${config.sops.secrets."services/rspamd/dkim/darkkirb.de".path}"; + } + miifox.net { + selector = "dkim"; + path = "${config.sops.secrets."services/rspamd/dkim/miifox.net".path}"; + } + chir.rs { + selector = "dkim"; + path = "${config.sops.secrets."services/rspamd/dkim/chir.rs".path}"; + } + } + allow_hdrfrom_mismatch = true; + allow_hdrfrom_mismatch_sign_networks = true; + allow_username_mismatch = true; + use_domain = "header"; + sign_authenticated = true; + use_esld = true; + ''; + "redis.conf" = builtns.toJSON { + servers = "${config.services.redis.rspamd.bind}:${toString config.services.redis.rspamd.port}"; + }; }; - controller = { - includes = [ "$CONFDIR/worker-controller.inc" ]; - bindSockets = [ "*:11334" ]; + workers = { + normal = { + includes = [ "$CONFDIR/worker-normal.inc" ]; + bindSockets = [ "*:11332" ]; + }; + controller = { + includes = [ "$CONFDIR/worker-controller.inc" ]; + bindSockets = [ "*:11334" ]; + }; }; + }; + redis.servers.rspamd = { + enable = true; + bind = "127.0.0.1"; + databases = 1; + port = 6380; + }; + 
nginx.virtualHosts."rspamd.int.chir.rs" = + let + listenIPs = (import ../../utils/getInternalIP.nix config).listenIPs; + listenStatements = lib.concatStringsSep "\n" (builtins.map (ip: "listen ${ip}:443 http3;") listenIPs) + '' + add_header Alt-Svc 'h3=":443"'; + ''; + in + { + listenAddresses = listenIPs; + sslCertificate = "/var/lib/acme/int.chir.rs/cert.pem"; + sslCertificateKey = "/var/lib/acme/int.chir.rs/key.pem"; + locations."/" = { + proxyPass = "http://127.0.0.1:11334/"; + proxyWebsockets = true; + }; + }; }; sops.secrets."services/rspamd/dkim/darkkirb.de" = { owner = "rspamd"; }; sops.secrets."services/rspamd/dkim/miifox.net" = { owner = "rspamd"; }; -- 2.47.0 From e7688afb83a9cf5b81d1e0f1038eb56973037b2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?= Date: Thu, 28 Apr 2022 12:45:12 +0100 Subject: [PATCH 3/7] expose rspamd webui --- zones/int.chir.rs.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/zones/int.chir.rs.nix b/zones/int.chir.rs.nix index 3c9a34a3..2923b5ee 100644 --- a/zones/int.chir.rs.nix +++ b/zones/int.chir.rs.nix @@ -8,7 +8,7 @@ in SOA = { nameServer = "ns1.chir.rs."; adminEmail = "lotte@chir.rs"; - serial = 11; + serial = 12; }; NS = [ "ns1.chir.rs." @@ -247,6 +247,7 @@ in backup.CNAME = [ (ttl zoneTTL (cname "nas")) ]; hydra.CNAME = [ (ttl zoneTTL (cname "nas")) ]; mastodon.CNAME = [ (ttl zoneTTL (cname "nas")) ]; + rspamd.CNAME = [ (ttl zoneTTL (cname "nas")) ]; _acme-challenge = delegateTo [ "ns1.chir.rs." "ns2.chir.rs." -- 2.47.0 From c5028ed6a05a4648171b65c4e1776ca6789ba65b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?= Date: Thu, 28 Apr 2022 15:35:32 +0100 Subject: [PATCH 4/7] and rspamd config --- config/services/rspamd.nix | 161 ++++++++++++++++++++++++++++++++----- 1 file changed, 143 insertions(+), 18 deletions(-) diff --git a/config/services/rspamd.nix b/config/services/rspamd.nix index 19758804..d6a6ae8d 100644 --- a/config/services/rspamd.nix 
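Review bot: The new `rspamd.int.chir.rs` vhost forwards every request to the controller with `proxyPass = "http://127.0.0.1:11334/";` and adds no authentication of its own, so the controller sees every web UI client as a loopback peer. The stock `worker-controller.inc` included above normally lists loopback under `secure_ip`, which would skip the password check; please confirm this. The fix is either to forward the client address (`services.nginx.recommendedProxySettings = true;` if it is not already set elsewhere) or to put `basicAuthFile` on the vhost. In the same `let` block `listenStatements` is built but never referenced. No `forceSSL`/`onlySSL` is visible either, so the `sslCertificate` paths may have no effect and the UI may end up served over plain HTTP.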
+++ b/config/services/rspamd.nix 
@@ -1,31 +1,151 @@ -{ config, ... }: { +{ config, lib, ... }: +{ services = { + # TODO: Antivirus + rspamd = { enable = true; locals = { - "dkim_signing.conf".text = '' - domain { - darkkirb.de { + "dkim_signing.conf".text = builtins.toJSON { + domain = { + "darkkirb.de" = { selector = "dkim"; path = "${config.sops.secrets."services/rspamd/dkim/darkkirb.de".path}"; - } - miifox.net { + }; + "miifox.net" = { selector = "dkim"; path = "${config.sops.secrets."services/rspamd/dkim/miifox.net".path}"; - } - chir.rs { + }; + "chir.rs" = { selector = "dkim"; path = "${config.sops.secrets."services/rspamd/dkim/chir.rs".path}"; - } - } - allow_hdrfrom_mismatch = true; - allow_hdrfrom_mismatch_sign_networks = true; - allow_username_mismatch = true; - use_domain = "header"; - sign_authenticated = true; - use_esld = true; - ''; - "redis.conf" = builtns.toJSON { + }; + }; + }; + "dmarc.conf".text = builtins.toJSON { + actions = { + reject = "reject"; + quarantine = "quarantine"; + softfail = "add_header"; + }; + }; + "greylist.conf".text = builtins.toJSON { + greylist_min_score = 0; + }; + "hfilter.conf".text = builtins.toJSON { + helo_enabled = true; + hostname_enabled = true; + url_enabled = true; + from_enabled = true; + rcpt_enabled = true; + mid_enabled = true; + }; + "history.conf".text = builtins.toJSON { + nrows = 1000; + subject_privacy = true; + }; + "milter.conf".text = builtins.toJSON { + use = [ + "authentication-results" + "fuzzy-hashes" + "spam-header" + "stat-signature" + "x-rspamd-queue-id" + "x-rspamd-result" + "x-rspamd-server" + "x-rspamd-bar" + "x-spam-status" + ]; + }; + "mx_check.conf".text = builtins.toJSON { + enabled = true; + }; + "neural.conf".text = builtins.toJSON { + enabled = true; + rules = { + LONG = { + train = { + max_trains = 5000; + max_usages = 200; + max_iterations = 25; + learning_rate = 0.01; + }; + symbol_spam = "NEURAL_SPAM_LONG"; + symbol_ham = "NEURAL_HAM_LONG"; + ann_expire = "365d"; + }; + SHORT = { + train = { + max_trains = 
5000; + max_usages = 2; + max_iterations = 25; + learning_rate = 0.01; + }; + symbol_spam = "NEURAL_SPAM_SHORT"; + symbol_ham = "NEURAL_HAM_SHORT"; + ann_expire = "30d"; + }; + }; + }; + "neural_group.conf".text = builtins.toJSON { + symbols = { + NEURAL_SPAM_LONG = { + weight = 3.0; # sample weight + description = "Neural network spam (long)"; + }; + NEURAL_HAM_LONG = { + weight = -3.0; # sample weight + description = "Neural network ham (long)"; + }; + NEURAL_SPAM_SHORT = { + weight = 2.0; # sample weight + description = "Neural network spam (short)"; + }; + NEURAL_HAM_SHORT = { + weight = -1.0; # sample weight + description = "Neural network ham (short)"; + }; + }; + }; + "phishing.conf".text = builtins.toJSON { + openphish_enabled = true; + }; + "reputation.conf".text = builtins.toJSON { + rules = { + ip_reputation = { + selector.type = "ip"; + backend.type = "redis"; + symbol = "IP_REPUTATION"; + }; + spf_reputation = { + selector.type = "spf"; + backend.type = "redis"; + symbol = "SPF_REPUTATION"; + }; + dkim_reputation = { + selector.type = "dkim"; + backend.type = "redis"; + symbol = "DKIM_REPUTATION"; + }; + asn_reputation = { + selector.type = "generic"; + selector.selector = "asn"; + backend.type = "redis"; + symbol = "ASN_REPUTATION"; + }; + country_reputation = { + selector.type = "generic"; + selector.selector = "country"; + backend.type = "redis"; + symbol = "COUNTRY_REPUTATION"; + }; + }; + }; + "replies.conf".text = builtins.toJSON { + expire = "7d"; + symbol = "REPLY"; + }; + "redis.conf".text = builtins.toJSON { servers = "${config.services.redis.rspamd.bind}:${toString config.services.redis.rspamd.port}"; }; }; @@ -46,6 +166,10 @@ bind = "127.0.0.1"; databases = 1; port = 6380; + settings = { + maxmemory = "500mb"; + maxmemory-policy = "volatile-ttl"; + }; }; nginx.virtualHosts."rspamd.int.chir.rs" = let 
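Review bot: The rewrite of `"dkim_signing.conf"` to `builtins.toJSON` keeps only the `domain` table and drops `allow_hdrfrom_mismatch`, `allow_hdrfrom_mismatch_sign_networks`, `allow_username_mismatch`, `use_domain`, `sign_authenticated` and `use_esld`, which the commit message does not mention. If I read rspamd's defaults correctly, the three `allow_*` options fall back to false, so mail whose envelope sender or authenticated user does not match the header From would stop being signed. If that tightening is intended, a one-line comment above the block such as `# allow_* mismatch options deliberately left at rspamd defaults` would record it. Otherwise the options need to be carried over into the attribute set.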
@@ -67,4 +191,5 @@ sops.secrets."services/rspamd/dkim/darkkirb.de" = { owner = "rspamd"; }; sops.secrets."services/rspamd/dkim/miifox.net" = { owner = "rspamd"; }; sops.secrets."services/rspamd/dkim/chir.rs" = { owner = "rspamd"; }; + networking.nameservers = lib.mkForce [ "fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49" ]; } -- 2.47.0 From 5decac7cbfc48535140effd782707a4ba879f4e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?= Date: Thu, 28 Apr 2022 15:37:09 +0100 Subject: [PATCH 5/7] integrate rspamd with postfix --- config/services/postfix.nix | 4 ++-- config/services/rspamd.nix | 4 ++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/config/services/postfix.nix b/config/services/postfix.nix index cf0cb437..2f7f8542 100644 --- a/config/services/postfix.nix +++ b/config/services/postfix.nix @@ -32,8 +32,8 @@ virtual_alias_maps = "pgsql:/run/secrets/services/postfix/virtual_alias_maps.cf"; virtual_mailbox_domains = "pgsql:/run/secrets/services/postfix/virtual_mailbox_domains.cf"; virtual_transport = "lmtp:unix:/run/dovecot2/lmtp"; - #smtpd_milters = "inet:localhost:11332"; - #non_smtpd_milters = "inet:localhost:11332"; + smtpd_milters = "inet:rspamd.int.chir.rs:11332"; + non_smtpd_milters = "inet:rspamd.int.chir.rs:11332"; disable_vrfy_command = "yes"; smtpd_banner = "mail.chir.rs ESMTP NO UCE NO UBE NO RELAYCLIENT=yes YES OwO"; message_size_limit = "20971520"; diff --git a/config/services/rspamd.nix b/config/services/rspamd.nix index d6a6ae8d..04111ccf 100644 --- a/config/services/rspamd.nix +++ b/config/services/rspamd.nix @@ -192,4 +192,8 @@ sops.secrets."services/rspamd/dkim/miifox.net" = { owner = "rspamd"; }; sops.secrets."services/rspamd/dkim/chir.rs" = { owner = "rspamd"; }; networking.nameservers = lib.mkForce [ "fd0d:a262:1fa6:e621:b4e1:8ff:e658:6f49" ]; + networking.firewall.interfaces."wg0".allowedTCPPorts = [ + 11332 + 11334 + ]; } -- 2.47.0 From 1185c485a511b26be30dc28099bc2607ee724fac Mon Sep 17 00:00:00 2001 
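Review bot: `networking.nameservers = lib.mkForce [ … ]` at the end of rspamd.nix replaces the resolver list of whichever host imports this module with a single address, and no comment explains why. rspamd's SPF, DKIM, DMARC and blocklist checks all depend on that resolver, so an outage there turns into missed or deferred verdicts, and the override also hides any nameserver set in the host's own file. I would add a comment stating the reason, for example `# rspamd needs a local recursive resolver; shared public resolvers get rate-limited by DNSBLs` if that is the motivation, and consider moving the setting into the host configuration.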
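Review bot: `smtpd_milters = "inet:rspamd.int.chir.rs:11332";` points Postfix at a port that, as far as this series shows, is bound by the rspamd `normal` worker. The milter protocol is served by rspamd's proxy worker in milter mode, so the worker type behind 11332 should be confirmed. The scanner is now also a remote dependency reached by name, and no `milter_default_action` is set next to these lines, so Postfix's default (tempfail) applies whenever the host or its DNS name is unavailable. Setting it explicitly, e.g. `milter_default_action = "tempfail";`, with a comment on why mail is deferred rather than accepted unscanned, would make the failure mode deliberate. The surrounding `config` attribute set starts and ends outside the hunk.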
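Review bot: The new `allowedTCPPorts` list on `wg0` opens the controller port 11334 alongside the milter port, although the only consumer visible in this series, the nginx vhost, reaches the controller on 127.0.0.1. Unless another host needs the management API over the tunnel, the list can be narrowed to `allowedTCPPorts = [ 11332 ];` and the controller bound to loopback, so the API is not reachable from every tunnel peer.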
From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?= Date: Thu, 28 Apr 2022 21:23:33 +0100 Subject: [PATCH 6/7] services.redis.rspamd -> services.redis.servers.rspamd --- config/services/rspamd.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/services/rspamd.nix b/config/services/rspamd.nix index 04111ccf..525d042a 100644 --- a/config/services/rspamd.nix +++ b/config/services/rspamd.nix @@ -146,7 +146,7 @@ symbol = "REPLY"; }; "redis.conf".text = builtins.toJSON { - servers = "${config.services.redis.rspamd.bind}:${toString config.services.redis.rspamd.port}"; + servers = "${config.services.redis.servers.rspamd.bind}:${toString config.services.redis.servers.rspamd.port}"; }; }; workers = { -- 2.47.0 From 465c83a06c3b3cb088e3dbf94d2eec5a4431899d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?= Date: Thu, 28 Apr 2022 21:37:02 +0100 Subject: [PATCH 7/7] move sops secrets --- secrets/nas.yaml | 9 +++++++-- secrets/nixos-8gb-fsn1-1.yaml | 9 ++------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/secrets/nas.yaml b/secrets/nas.yaml index 9115260d..0e1e0140 100644 --- a/secrets/nas.yaml +++ b/secrets/nas.yaml 
@@ -18,6 +18,11 @@ services: s3: key_id: ENC[AES256_GCM,data:zb6l+BVvjvwrFAuFvuTn89qWyb9scwSQgA==,iv:ZIqMAM2m+TLooWRKy0JDEh1Cz7dEqhc9u1fJr/YJsRo=,tag:u9cxbL+0VBrzM7w2tCXrVg==,type:str] secret_key: ENC[AES256_GCM,data:F67XmNAgVIRpTKooQBDtk9BAKv6oD/p+Poos62ox8A==,iv:oU4KKjTjFoeNkLngiMPkqGqINKm6nHf8HyD7C4BmFXc=,tag:5zJCkejgW7preo0f80Zf3w==,type:str] + rspamd: + dkim: + darkkirb.de: ENC[AES256_GCM,data:BWh1VbxBjMKMLPsFHrLIHWZGyzy8bJGYC22f1FXPWxy4WD23tfXuFMiM5TOjSgd7/7nImpndtYMXqKwyoAePGtGhpk6xogH9ObeuVisOvI8HnDZS2uuSxqWA9qA3fmP867DCDl4h3eeclpUburidCDuS4ZriA467fbvbLynX5EqntnWmrWZdTnnXs7WTAL+4ePj6optoL33BgLOvh7PREyLfzgaoBrMhJdW4mBp6XNfIbuY9JH5sUXKV4rNHDBZNoBi6UJXK69futQ+Q6Dj95OKE7l8iY/HfpF7nt1Lb9Prr1wyCQdfEd233NfUgfz6EomuKbhu3bUKau3wwIxF0qAnU+gW1BxMPzDOAS9Pm8XByJ4R9H6gHuTyleCDyq2t1TfJe7FtbIE3I9HsvrpqHGt1NETtwXrdK508PI3WrLGJusCND8KpRA0G4NMazQNPrvrFlQcQcTRe7QmZv3SLNqB4OemWSlS4uDwDYyxeaMnaKqgrwX3emRlIrrKk/eEGyCFG+FtBqsLlAiGHNE44kfjQQCrqNLFgYPWeTzgnpO0uwscYmCik6xFlpxn/0EEUtFnfOcRq3rCt9NNMX4zpJk+lFTu21LG42whDvxw4EpskLWYtdfHwob2o3IbrzuL1R7WknKMvn02asVLmn5YlOgX4dJA6J9eT17Omeq08VUnAxuOEDOZENNKMIxzoEoX90ZkjpHYqyCwJ/1ITZ1WXAaFnp8ow+wySVOYFCnw5x16A6GpDzz1rDZnXr4DY39W/yXabD9M4EAdRZHuJPEbnww5XR3n5NgYxvA9sQsKsgu4j0erJWda31Jwko6YXvJ6jMG8iySMzaD9UHZhtp3+E0kTgMzJB5gVCXuG90AUWQ4+ODK/9yO0aswi6pTakQr/y3k/XbKi85Ndt7YqhOYJZxuZdnWa519Q1Bsnyr64bbfQrRjCWeDl150G18/u5FES9dSgB0nHxIdvu8M/Xhgk0dCiQiGNWNF6XFfFFgTBu0uw8x5fIGgMrV2pp6OKUmz7Ty/UGH30c8BCTECAsafWi4WCAfpxOu5PXC9oi8QOjJegW/tetGK9S2G8+jFQvvONdQImB6IC0zzaW7BKipa3IVdc4KYtZ9NxxNKp6X2GcXEF2l6spmcZOtSeDNgKXHQE7b9wViGSdjj5KQK5RuMsxO4BAeGuLB+3jGNGiK3RijhjAIEvlSOIVoipf1lu+9QYa4wBmCOQ==,iv:uvRzwnbFMKT6EKGBfxst7CCD+uu0n/pYrjEtcHF2TIA=,tag:v4sWaO5ek6su907Z/RRPtw==,type:str] + miifox.net: ENC[AES256_GCM,data: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,iv:WUqqrEQUGAuoCMJcb4suQKIr3FPG83lrM6u5alzSctk=,tag:vT6VqlnOuMSIXGSW5Islww==,type:str] + chir.rs: 
ENC[AES256_GCM,data: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,iv:REakVWfw/PW9k8pCpvuDwjUdWVVFgzsGR3476uXjbko=,tag:vd5ZacLILKx5Dl4KG8ZdOA==,type:str] security: restic: password: ENC[AES256_GCM,data:n+M6pfe0YrONaYo3HSnijHxhThg=,iv:0J2t+58tYRJD1GmnJa8w30U+RwOl67eWeHhvLk0eeks=,tag:ivuZqpGrU7ZHFZ4IiMvxBw==,type:str] @@ -48,8 +53,8 @@ sops: WnV3QWxtalIzWFdoQmpDTmJsNGdNOW8K++rFGXy0G6Gcu2gQwSP6xfXInQ/y5nh5 2oGp8sfOLFWnNI4SWL0ChP47K3C/9ysUHwQnUYPbRafZ/4X6cN40ZQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-04-26T09:09:07Z" - mac: ENC[AES256_GCM,data:rkUKL4ctiymKsh0XN/Y/agP0DkSKaf8fCoOy0sIiz2YNDXufRuxG2VVYq3l3VAqEHFnSo/owaIQYSBzyS9mVTlgxZWZr+ENilR/jGZzenYF+vd/t983EKzJUVCc9lpxYswSz0NeToM3hCbcQIVNvKtahQMYpWwFd/he6wP0bsZc=,iv:LK4H+/ZfrSxIrXMT/Xqwzg5r/6+V+wAkMWIrMatNc0k=,tag:Zhk7Csl7Pj9+L5kgeF+wnw==,type:str] + lastmodified: "2022-04-28T20:36:41Z" + mac: ENC[AES256_GCM,data:9ivESeylU2vmyhdZfJVHhmSd792C8zDjIlyG8jF4Ktu/Pm2hM/eMsy4E86EjCb1h+K+8cq33e6Qp5BHamlo/Y3WDip2yD+se4zoHRAnZixFD/cxNSrXuY3DxL0TQ69jruNuyPRaopRZkN+dOmFIlyjYjr+MKE/tDlesNvOXYLB4=,iv:qsG2E8CpD2gl/3VgS8gcKQ0rkfc7rB3Mv7j15UDiykg=,tag:exAR3Ck3Ihte+zUCAEekxg==,type:str] pgp: - created_at: "2022-04-24T10:34:20Z" enc: | diff --git a/secrets/nixos-8gb-fsn1-1.yaml b/secrets/nixos-8gb-fsn1-1.yaml index fea8f27b..78e798b1 100644 --- a/secrets/nixos-8gb-fsn1-1.yaml +++ b/secrets/nixos-8gb-fsn1-1.yaml 
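Review bot: Adding the three `rspamd.dkim` entries to nas.yaml and deleting them from nixos-8gb-fsn1-1.yaml changes which host can decrypt them from now on, but earlier revisions of the old file still carry ciphertext that the old host's key can open. If the move is meant to take the DKIM signing keys away from the old host, that only holds once the keys are rotated and new selectors published. If the same keys are being reused on purpose, that deserves a line in the commit message.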
@@ -32,11 +32,6 @@ services: virtual_alias_domains.cf: ENC[AES256_GCM,data:1wMqormP9Mj1wef/J1l5Dnkp7NbbUX0xT9RbxtHH5DdBZb9rPOedtY5wQ9LukGNQiRm863EhIfgsJ4IRij9LOApHb9Do3mJmBIYyjJlzf6vj7Ap5yuy5+m8y12Aj6LpnjxZf0JkWLKbt0e36Rf2ex6RCI0MCFMWw5tMy2riioWNo/I2LCpsmmGSzLk9oc74Fei6wD8Aj5x4=,iv:0D5uBmkWD2aPbFGXSIb1VNQL2TA3QlzLSwYkIpFJfI0=,tag:kN/LAKmaPHRXW9c8Idokbg==,type:str] virtual_alias_maps.cf: ENC[AES256_GCM,data:FgHuBbf2e/3Fq8A2WY0n8XWMjohpkHUsZdddG44PLHY4//UdFeWUzcGUyJ4G4RsqEZo3thTOPxMzkXEV+eWThtdDzEtw+njdFAzltP0HRM3VtKn0LhXVP4SvyAKwGAFtCPz3R/EiutHhOv5o/4NmbRQrWByIPvWMZCfTO1NYz/P6,iv:jYMHwhCSGMdUgolGxHJxPTaUu5U0Z3uc/+JHUNPjKXo=,tag:88THWp6r3SDNSd77uUBEbw==,type:str] virtual_mailbox_domains.cf: ENC[AES256_GCM,data:mu0oxzRVddXcue7e7XHuulAYgJDpKA+TZd5l7jPzK8xRHxdfzD+fsqm/Kl/bDWGAOlXsltbiBoaIruddywhAOGWwSgMJ8iu2NMx1u1aMvBC2qI4usfjVhp9N0jOkWmIG8YAgYgQaA6qhQorJFXeJjDNX86J5JNBdKAxwQFk20+fOZ1MtVg==,iv:5llgcXLkoRzXwHIDvwZ1qRTf/TBwMgjsxfNGo9I7Blc=,tag:AcCz4LJxacYVButRO/zl9A==,type:str] - rspamd: - dkim: - darkkirb.de: 
ENC[AES256_GCM,data:DMDRuQw8CYnbkMpfiJU2KXb4XL1D3DscMCGwfrp9fh+BAD5rE1wKYznW9d3GaFnpbp0lo54oeNxLdNNniHUIC4sCDZ+ZC++BEszGKuUztOR5CYEf3pTMvblX81ug67UVC9n46FkYW1LSkTE4wkijK9FuaFb41NsHSn+MHXYbWHisFwnVhM7OHB0n/h5t5st13CQD99FSSWMrW4K+2yC6TM4RJ5Q5k8cyDtYehY05govdxOJzkbR1NEywXdItbq3B1ytISD60dUT4mzag1NGCoGq8SPcaCGro7mTiRHb1ukLBXIPnP3lJv/OE1cpkx4Jq4smbjpIezcSltknNQNsjHYabeSI6aA2P4Tcqg+ZTaVDlxJiur1y26mlqW4guyQ84CONdtmk3pIKN803NmLSXnXIwuphOBkBQ4qH5BL8rsIYqcRClJ6Sbg+qzpwpjbYJSFH0GVyCAwrpR24g88dF0/dvkRqd2uIDSXzecj2/Yy9Xpy643E4F2NPVzZ717tCVZam5CCsGiM2hcLIAh9V6+1kqeK6RZquAJmIBlW3MIRi0XjvLAFf5ujjeFI0dciTsTqTk5L0oNl6pGdUX2HW0beULKlyq+YBDe+h1E+Uh2sUA3z/1ladaBxHvZqjAGOiPtOsZc0zoc4S8nTVY9WX0tjPAfmYD/K1gi6J3v0ZMY/laeVxBRhsq96N4rBPujsdM/P9VnVbHziv90U6kJzE0MqKHdkMVETVKU0ppgIIMLnNt1B8VXzcTBtXxSjSzxdmlRHiiOvhQZiQ5NpUI4N8d5OHn8qa7YaaDnYnDMY3UWLamx54Uo1ZMTjChpbCNhY8pylmW7o6htdYo4xys3MaM1QSeyh5EQSCS4Z7a++nrLLBF5hPSccgUUK10pWbcY+3DupZw65UHqsxuGTUE6CR0OQEL4GfOZPLKxLgjCLNkcSnYyVLWCjarSWzMPPDidLkvlwtQfrnwOQnecfeOpXx1mtBAeu/lRuIVR5SLLbjz0bxEpQtDr3GRM2GTtlwTbcpuoBd0fp71h84YMvPAxlHrE8Rc1oLUuNMA53/QhcxlHJodHuUlfPldp7yIJ88usO0x7M+I73zT2u0j/iD1FA12t2eDpISZxrxhLtJDQMLipk3HNwDOnWBCN6sFBgI793BLaj/AWPoysAb5aDA9Ngr0gE7NEFUACOMmKQiJ4UNjtknTW5NooT4wteUAxXy1pPS6HUg7UiQ==,iv:4Q6feGSN5cg0qRsiSGGoYcmZkUzEYu+gBEDamWIeysE=,tag:nuTbDStPrgY8QYeFWumPrg==,type:str] - miifox.net: 
ENC[AES256_GCM,data:jKaLHITYtL9T2bIivaaTNjzhkKEQwBs12fsEF4kjruBSGnZz7BipWAOKwQnN58g9rJ56AHHBBWyHhLxrxj8FWitppxPZctX3okta80MHWydn0C85Ok6EdAJgy48HFocZXYgNAQuWH3R7trT3HSe2uXMQlAY90J9NtmB49xV5xWPl389CDecFq6ze+Hoif5GV83eFu8BhNn/QKz8o2YKbIiOUKWzIccgpF5xBGubDXFnlLucXm8kaYJ+rMFgkjj/0+gGtqb1M49yVQXaXWpns15xyWYzjOPCI6CtcrCVkNQ6K8i9e0aZh3TJwbjmAKgP2506zu2z02Ew/2c/E+TyzQj5YD/jNSibdene5K1Kg/miCexJjCnKnqaOqk53gU9Uez8NObSVB9ZN3hoD8R6XlHSeDiOuI/KxRpAWxqTuOGUM84ustp/wdf07kk0X6SuaYUZ0BT8/2WBgGJv8YwcjgG/1MxoULOmNzMb/frLkguD14zp8O/lmlaZFhka62v8ajeBqH0YoD+XdLwTcVa3WR6rs8Zpji41qSwWNaLlqTmD/ONz7hMYNLkIwG+4536YoJJzYxpisDZsEJy4ZBO28iaqG6wZxqfPFM2nSfkGKAZMzlCJL5pAvvuiV0GH0o1JnpGhzkCk713JbzpKyKHZ/shb1YfhGPELyzgGdktsD1HbS3f57LtCZAZ/EY+UPrRiDgWUnx49c0clBnmZBfkwc2BX7pJegMf2hLWrck2bFsJGedhL2QHoFR5khi4JcCLTeYTcNLzRRdJ+kHJjofm7Vkcu2AtoScappWcTDsjFapdedSj5warn0tGBNSml7XfodXHZkE5D7bYlCCNwB94xInrns36T2bOmu3C99/ZS45yDCOfexoWRERNM76fu5UKyERMsxqfyUEKhJ6aJKBXUpHYAUXybqDbkDvuHCckPbl2Mat2/d/KfoBgZ+GAMitIK1lu43cQF/gJQBYz/j5VRfXO4Vod3lWow7FlNtd6FBfzIykWAwZKuUSDfJLYf/DmUqI2BDyuHtHbkDFCpZL7TsyBVFWRmQyt7meeOS3OIJ01/jC/pOLyQMGoSjptIcBiTnXFd1jdPlSj/vawTi5Uch2hLgIgHZlwKtnxNfJ7HAz1AYKMEjaUYwMKRfttX8V4aDEqKVQ6AGjDM1RDiphpfBZPwXk4gepZB5MdSP9RQ1TZFdDaTxhbkIpshsUxbDE52xcV3tV7A==,iv:w9x4/SYJTuGAc6CdQ0VaEAFbTbgesOPNAEIqgaKvzXI=,tag:Jpyr69XQkLQoJBhX/EG4bQ==,type:str] - chir.rs: 
ENC[AES256_GCM,data:vu/JBtOJDRAxrESSU9/9O95Kyjl7LHyXE1/5JEF/AXhX/aW2tBYTKA1Lt8HYV+k2YLJOmN6EhO2V7y/by4my+SeNuxuyLHun3+K0o83N7a5Abir3YbL8m4tw4yXT7CVmDo3GOVqHPwPd1kYS2AjRVtZEffMCoSSfg+vtcDiFEg1N9OzddMIlh83gr8TRAdGdbvrMNIf2G1FhlU8mQli9IRTJXY8/gvm0aCV+fThiZyWYUTwLZAJ4B4KLQ3AEpBExmZW7QpeYNgTxqSn9I12jPJwRBQS7oFCQR+TDyuSOSET7abyPHNd8UWhr+jdi6596rp0HCBP8PZoUIjCu1DH/4Oo9ojS0lM+6ckoLg5X5ve3CZUv/MdFgrLXoUc8ofoP8m+ku6Z3NOx2+gigb//z/w7XnhW/7P6TiTgZIn4eDUl2ziJyFZ+azhVRsKCRXCW1y9qUei9aBUKsG6QMAUy0O+ZTcYZvW+waKMsbl9lGXs1BTMMmSuqgYGVEyf9MM8DNS402TirHYckFv63PLISiDc7ET3o26WD3rTqtk6113vDEMcuSSTz9YIBQMKD8sjl+kHMfEZNhgo/E70PRWebBusX2OpsYlEFWsAiYjbFJrKS++AFhwM19DVWE1V6FLXvmhwpEH8WPue3OwQFtiepYcgix+RUF9SAJihyNyIBbwO+yGrYftHW/7M4OoLf1nZtKV+b1NjYiraIRlmJ7Lmyt3b5FLAp8zdpDtmhGKbk1xRYPbXCl0aXdLPHRZKz1xQ9PqCOcBYJ6VZX3Siv81BJIQ6WBU7sLlI9IZ6dlX122In1aMpQ+dLRLyqwl2ys0vZucoDN2jQmZORX1zfv+z0JA6JxMSEa2aGHAjFlQysUKtPsGfdaugo3UifRdbC5eRWfF7RGD5WtlDH8+/pqxd4hNVT+2I7y1s0HMrH6KSzaSuWbjwF/S0dGLEXqYFbIH1YbOGMrCLRYbZaYmAyCAFpRY6q+wV5tqORU/UTaDVoTRSbOuKnBE/tSknLQ8YLGDmhLs3Eakhx5LRKtqBmrrmfhR29jmLOUviGPVdaXA8LNoXZ/YwvWLeFNY4Q1GATr3K7sOHFnyhHuXSPb2XXcltJG18YXVCawhiZN+fbvyW9XXTFKF+da3XYy7u2fR+8BfZqEsX1zV1+gBq3fzwtR6d/t7nyz7IW3Rc8PCsPm96p9+/pGpues7see4rBI4QcZAUL+Wi4ybXNw==,iv:ysIGIB15/5sc7ycg6oNYohqd1XbT6zy26YUqgVbezP0=,tag:gQj5PdFxaTcnXoIPR7yDfQ==,type:str] dns: named-keys: ENC[AES256_GCM,data:iEQR1cBxq1H58CCzA02MDCXHT1xEvFawTjW7XkPUYXnxt48tOSsCm8VQDM6q2+oi0MikZ846dgD7P19xhmsF84JBY7OMn1v6BdnTxCu1JwNMnFQlAvmOAVDU0e2sawqmcdOsUIFR01MRPheU/G0Qb5V5Vymwi6VgVEfsHpgVe8Gj0WKLEML9C/TnJsLXDiKWbgktjMOs,iv:gJamBEa/QAzPCm6tiUiQqRR18l6dwhIqq8ffMbde178=,tag:RKLogb8O02hRuwjeuybPXw==,type:str] de: 
@@ -77,8 +72,8 @@ sops: N1lNTTRhSDFsczd4VjNudUU2NEt4MUEKdVJIJmaoGcwUHa0BGB45jqYnm9aPVZxP dl1vkMx8EAiKhWKbBwQm5fFZcNh371rspGE7KOXmwNbNWef5bVfHpQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-04-24T10:49:45Z" - mac: ENC[AES256_GCM,data:DCPWnxNjzEq95x8CaxrSeMQaMwIjIiKEo0KVBSivODoGBUYv9CFz1XDkUXqdxr7WO8Ag1OzXGPWpltJvwzyHanI2TC5m3Y14iJP09H2bMtSkAHLx5uDAv3SlpYSjHNRtTZ/INPVScuTx+duGkUyGRIKd8SFbM6Z+6YH2PXPV/cE=,iv:nMrIVbSeB8teZsErymSRUzpCC+zUWbtdUZvZtL3Jujw=,tag:UGxJI8Zt3qyH++iUJvwouA==,type:str] + lastmodified: "2022-04-28T20:36:29Z" + mac: ENC[AES256_GCM,data:Q4uNgHUAF9jkpOmKnJcpZGwLiOjTMNnngIBMUrIt/GkUsS2R7W/Burz8iVHCuXuasxYmMjt9lLsS0YChI/F5BwkQPqpiOGyTqH1fpNKQ6WjzNcKqG3RToQ1nPzJBrzz0oKPIc2ykH7GQGttmOogUr1xf43BeQyuDgFnx9Zb1wgw=,iv:owYIrS7G0Iea7xj1itutU0bh+WWZz4r6GyckEcrlEpA=,tag:6FdMLhCYAQKA23P2u3VWCw==,type:str] pgp: - created_at: "2022-02-02T17:50:42Z" enc: | -- 2.47.0