gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 12:29:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(extern): krb5

Browse source
This commit is contained in:
arcnmx 2024-04-05 15:04:09 -07:00
parent 95e903697a
commit 6db8e4e304
13 changed files with 577 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

5
modules/extern/misc/ipa.nix vendored Normal file
View file

@ -0,0 +1,5 @@
{ ... }: {
imports = [
../../nixos/ipa.nix
];
}

5
modules/extern/misc/netgroups.nix vendored Normal file
View file

@ -0,0 +1,5 @@
{ ... }: {
imports = [
../../nixos/network/netgroups.nix
];
}

5
modules/extern/misc/sssd.nix vendored Normal file
View file

@ -0,0 +1,5 @@
{ ... }: {
imports = [
../../nixos/sssd/sssd.nix
];
}

46
modules/extern/nixos/access.nix vendored Normal file
View file

@ -0,0 +1,46 @@
{
config,
lib,
gensokyo-zone,
...
}: let
inherit (lib.options) mkOption mkEnableOption;
cfg = config.gensokyo-zone.access;
accessModule = {
gensokyo-zone,
nixosConfig,
config,
...
}: {
options = with lib.types; {
tail = {
enable = mkEnableOption "tailscale access";
enabled = mkOption {
type = bool;
readOnly = true;
};
};
local.enable = mkEnableOption "local access";
};
config = {
tail.enabled = config.tail.enable && nixosConfig.services.tailscale.enable;
};
};
in {
options.gensokyo-zone.access = mkOption {
type = lib.types.submoduleWith {
modules = [accessModule];
specialArgs = {
inherit gensokyo-zone;
nixosConfig = config;
};
};
default = { };
};
config = {
lib.gensokyo-zone.access = {
inherit cfg accessModule;
};
};
}

371
modules/extern/nixos/krb5.nix vendored Normal file
View file

@ -0,0 +1,371 @@
{
config,
options,
lib,
gensokyo-zone,
pkgs,
...
}: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault mapOptionDefaults mapAlmostOptionDefaults;
inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkMerge mkBefore mkAfter mkDefault mkOptionDefault;
inherit (lib.lists) optional;
inherit (lib.strings) toUpper;
inherit (gensokyo-zone.lib) unmerged;
cfg = config.gensokyo-zone.krb5;
krb5Module = {
gensokyo-zone,
nixosConfig,
nixosOptions,
config,
pkgs,
...
}: let
inherit (gensokyo-zone.lib) unmerged mkBaseDn;
inherit (nixosConfig.gensokyo-zone) access;
enabled = {
krb5 = nixosConfig.security.krb5.enable;
ipa = config.ipa.enable && nixosConfig.security.ipa.enable;
sssd = config.sssd.enable && nixosConfig.services.sssd.enable;
};
in {
options = with lib.types; {
enable = mkEnableOption "kerberos settings";
domain = mkOption {
type = str;
default = gensokyo-zone.lib.domain;
};
realm = mkOption {
type = str;
default = toUpper config.domain;
};
ca = {
trust = mkEnableOption "trust CA" // {
default = true;
};
pem = mkOption {
type = path;
};
};
host = mkOption {
type = str;
default = config.ipa.host;
};
ldap = {
host = mkOption {
type = str;
default = "ldap.${config.domain}";
example = "ldap.local.${config.domain}";
};
urls = mkOption {
type = listOf str;
default = [ "ldaps://${config.ldap.host}" ];
};
baseDn = mkOption {
type = str;
default = mkBaseDn config.domain;
};
bind = {
dn = mkOption {
type = str;
default = "uid=peep,cn=sysaccounts,cn=etc,${config.ldap.baseDn}";
};
passwordFile = mkOption {
type = path;
};
passwordFileKrb5 = mkOption {
type = path;
example = lib.literalExpression "\${pkgs.writeText "ldap.kdb5" ''
${config.bind.dn}#{HEX}616e6f6e796d6f7573
''}";
};
passwordFileSssdEnv = mkOption {
type = path;
example = lib.literalExpression "\${pkgs.writeText "ldap.kdb5" ''
${"SSSD_AUTHTOK_" + replaceStrings [ "." ] [ "_" ] (toUpper config.domain)}=verysecretpassword
''}";
};
};
};
db = {
backend = mkOption {
type = enum [ "kldap" "ipa" ];
default = "kldap";
};
};
logLevel = mkOption {
type = str;
default = "NOTICE";
};
authToLocalNames = mkOption {
type = attrsOf str;
default = { };
example = {
"arc@${config.realm}" = "arc";
};
};
sssd = {
enable = mkEnableOption "sssd";
pam.enable = mkEnableOption "PAM";
backend = mkOption {
type = enum [ "ipa" "ldap" ];
default = {
ipa = "ipa";
kldap = "ldap";
}.${config.db.backend};
};
};
ntp = {
enable = mkEnableOption "ntp" // {
default = true;
};
servers = mkOption {
type = listOf str;
example = [ config.ipa.host ];
default = [ "2.fedora.pool.ntp.org" ];
};
};
nfs = {
enable = mkEnableOption "nfs";
debug.enable = mkEnableOption "nfs debug logs";
};
ipa = {
enable = mkEnableOption "IPA";
httpHost = mkOption {
type = str;
default = "freeipa.${config.domain}";
};
host = mkOption {
type = str;
default = "idp.${config.domain}";
};
};
set = {
krb5Settings = mkOption {
type = unmerged.type;
default = {};
};
sssdSettings = mkOption {
type = unmerged.type;
default = {};
};
ipaSettings = mkOption {
type = unmerged.type;
default = {};
};
nfsSettings = mkOption {
type = unmerged.type;
default = {};
};
};
};
config = {
ca.pem = let
caPem = pkgs.fetchurl {
name = "${config.ipa.host}.ca.pem";
url = "https://${config.ipa.httpHost}/ipa/config/ca.crt";
sha256 = "sha256-PKjnjn1jIq9x4BX8+WGkZfj4HQtmnHqmFSALqggo91o=";
};
in mkOptionDefault caPem;
ldap = {
urls = mkMerge [
(mkIf access.local.enable (mkOptionDefault (mkBefore [
"ldaps://ldap.local.${config.domain}"
])))
(mkIf enabled.ipa (mkOptionDefault (mkBefore [
"ldaps://${config.ipa.host}"
])))
(mkIf access.tail.enabled (mkOptionDefault (mkAfter [
"ldap://ldap.tail.${config.domain}"
])))
];
bind = let
inherit (nixosConfig.sops) secrets;
in mkIf (nixosOptions ? sops.secrets && secrets ? gensokyo-zone-krb5-passwords) {
passwordFileKrb5 = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-krb5-passwords.path;
passwordFile = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-krb5-peep-password.path;
passwordFileSssdEnv = mkOptionDefault nixosConfig.sops.secrets.gensokyo-zone-sssd-passwords.path;
};
};
db.backend = mkIf enabled.ipa (mkAlmostOptionDefault "ipa");
set = {
krb5Settings = {
enable = mkAlmostOptionDefault true;
gensokyo-zone = {
enable = mkAlmostOptionDefault true;
host = mkAlmostOptionDefault config.host;
canonHost = mkAlmostOptionDefault config.ipa.host;
domain = mkAlmostOptionDefault config.domain;
realm = mkAlmostOptionDefault config.realm;
ca.cert = mkAlmostOptionDefault config.ca.pem;
db.backend = mkAlmostOptionDefault config.db.backend;
ldap = {
baseDn = mkAlmostOptionDefault config.ldap.baseDn;
urls = mkAlmostOptionDefault config.ldap.urls;
bind = mapAlmostOptionDefaults {
dn = config.ldap.bind.dn;
passwordFile = config.ldap.bind.passwordFileKrb5;
};
};
authToLocalNames = mkAlmostOptionDefault config.authToLocalNames;
};
};
sssdSettings = let
servers = optional access.local.enable "idp.local.${config.domain}"
++ [ "_srv" ];
backups = mkMerge [
(mkIf access.tail.enabled (mkAlmostOptionDefault [ "freeipa.tail.${config.domain}" ]))
(mkIf access.local.enable (mkAlmostOptionDefault [ "freeipa.local.${config.domain}" ]))
];
in mkIf config.sssd.enable {
enable = mkAlmostOptionDefault true;
gensokyo-zone = {
backend = mkAlmostOptionDefault config.sssd.backend;
krb5.servers = {
servers = servers ++ [ config.host ];
inherit backups;
};
ipa.servers = {
servers = servers ++ [ config.ipa.host ];
inherit backups;
};
ldap = {
bind.passwordFile = mkAlmostOptionDefault config.ldap.bind.passwordFile;
uris.backups = mkIf access.tail.enabled (mkAlmostOptionDefault (mkAfter [
"ldaps://ldap.tail.${config.domain}"
]));
};
};
environmentFile = mkIf (config.sssd.backend == "ldap") (mkAlmostOptionDefault
config.ldap.bind.passwordFileSssdEnv
);
services = {
ifp.enable = mkAlmostOptionDefault true;
pam.enable = mkIf (!config.sssd.pam.enable) (mkDefault false);
};
};
ipaSettings = mkIf config.ipa.enable (mapAlmostOptionDefaults {
enable = true;
certificate = config.ca.pem;
basedn = config.ldap.baseDn;
domain = config.domain;
realm = config.realm;
server = config.ipa.server;
# TODO: dyndns?
overrideConfigs = {
sssd = mkAlmostOptionDefault false;
krb5 = mkAlmostOptionDefault false;
};
});
nfsSettings = mkIf config.nfs.enable {
${if nixosOptions ? services.nfs.settings then "settings" else null} = mkMerge [
{
gssd = mapOptionDefaults {
#use-machine-creds = false;
avoid-dns = true;
preferred-realm = config.realm;
};
}
(mkIf config.nfs.debug.enable {
mountd.debug = mkOptionDefault "all";
exportfs.debug = mkOptionDefault "all";
exportd.debug = mkOptionDefault "all";
general.idmap-verbosity = mkOptionDefault 3;
idmapd = mapOptionDefaults {
verbosity = 3;
idmap-verbosity = 3;
};
gssd = mapOptionDefaults {
verbosity = 3;
rpc-verbosity = 3;
};
})
];
${if nixosOptions ? services.nfs.settings then null else "extraConfig"} = mkMerge [
''
[gssd]
#use-machine-creds = false
avoid-dns = true
preferred-realm = ${config.realm}
''
(mkIf config.nfs.debug.enable ''
[mountd]
debug = all
[exportfs]
debug = all
[exportd]
debug = all
[general]
idmap-verbosity = 3
[idmapd]
verbosity = 3
idmap-verbosity = 3
[gssd]
verbosity = 3
rpc-verbosity = 3
'')
];
idmapd.settings = mkIf false {
#General.Domain = mkForce config.domain;
#Local-Realms = concatStringsSep "," [ config.realm nixosConfig.networking.domain ];
#Translation.Method = mkForce (concatStringsSep "," [ "static" "nsswitch" ]);
};
};
};
};
};
in {
imports = [
./access.nix
../misc/sssd.nix
../misc/ipa.nix
../misc/netgroups.nix
../../nixos/krb5/genso.nix
../../nixos/sssd/genso.nix
];
options.gensokyo-zone.krb5 = mkOption {
type = lib.types.submoduleWith {
modules = [krb5Module];
specialArgs = {
inherit gensokyo-zone pkgs;
inherit (gensokyo-zone) inputs;
nixosConfig = config;
nixosOptions = options;
};
};
default = { };
};
config = {
security = {
krb5 = mkIf cfg.enable (unmerged.merge cfg.set.krb5Settings);
ipa = mkIf cfg.enable (unmerged.merge cfg.set.ipaSettings);
pki.certificateFiles = mkIf (cfg.enable && cfg.ca.trust && !cfg.ipa.enable) [
cfg.ca.pem
];
};
services.sssd = mkIf cfg.enable (unmerged.merge cfg.set.sssdSettings);
services.nfs = mkIf cfg.enable (unmerged.merge cfg.set.nfsSettings);
services.ntp.enable = mkIf (cfg.enable && cfg.ntp.enable) (mkAlmostOptionDefault true);
networking = {
timeServers = mkIf (cfg.enable && cfg.ntp.enable) cfg.ntp.servers;
};
${if options ? sops.secrets then "sops" else null}.secrets = let
sopsFile = mkDefault ../secrets/krb5.yaml;
in mkIf cfg.enable {
gensokyo-zone-krb5-passwords = mkIf (cfg.db.backend == "kldap") {
inherit sopsFile;
};
gensokyo-zone-krb5-peep-password = mkIf (cfg.sssd.backend == "ldap") {
inherit sopsFile;
};
gensokyo-zone-sssd-passwords = mkIf (cfg.sssd.backend == "ldap") {
inherit sopsFile;
};
};
lib.gensokyo-zone.krb5 = {
inherit cfg krb5Module;
};
};
}

55
modules/extern/nixos/kyuuto.nix vendored
View file

@ -15,7 +15,11 @@
...
}: let
inherit (gensokyo-zone.lib) unmerged domain;
setFilesystemOptions = mkMerge [
inherit (nixosConfig.gensokyo-zone) access;
enabled = {
krb5 = nixosConfig.gensokyo-zone.krb5.enable or false;
};
setFilesystemOptions = [
(mkIf config.nfs.enable config.nfs.fstabOptions)
(mkIf config.smb.enable config.smb.fstabOptions)
(mkIf config.automount.enable config.automount.fstabOptions)
@ -23,21 +27,26 @@
in {
options = with lib.types; {
enable = mkEnableOption "kyuuto";
media.enable =
mkEnableOption "/mnt/kyuuto-media"
// {
media = {
enable = mkEnableOption "/mnt/kyuuto-media" // {
default = true;
};
transfer.enable =
mkEnableOption "/mnt/kyuuto-transfer"
// {
krb5.enable = mkEnableOption "krb5" // {
default = enabled.krb5;
};
};
transfer = {
enable = mkEnableOption "/mnt/kyuuto-transfer" // {
default = true;
};
krb5.enable = mkEnableOption "krb5" // {
default = enabled.krb5;
};
};
shared.enable = mkEnableOption "/mnt/kyuuto-shared";
domain = mkOption {
type = str;
};
local.enable = mkEnableOption "LAN";
automount = {
enable =
mkEnableOption "systemd automount"
@ -75,18 +84,18 @@
config = {
domain = mkMerge [
(mkOptionDefault (
if config.local.enable
if access.local.enable
then "local.${domain}"
else domain
))
(mkIf nixosConfig.services.tailscale.enable (
(mkIf access.tail.enabled (
mkDefault
"tail.${domain}"
))
];
nfs.fstabOptions = [
"noauto"
"nfsvers=4"
#"nfsvers=4"
"soft"
"retrans=2"
"timeo=60"
@ -105,7 +114,7 @@
device = mkMerge [
(mkIf config.nfs.enable "nfs.${config.domain}:/mnt/kyuuto-media")
(mkIf config.smb.enable (
if config.smb.user != null && config.local.enable
if config.smb.user != null && access.local.enable
then ''\\smb.${config.domain}\kyuuto-media''
else if config.smb.user != null
then ''\\smb.${config.domain}\kyuuto-media-global''
@ -116,28 +125,42 @@
(mkIf config.nfs.enable "nfs4")
(mkIf config.smb.enable "smb3")
];
options = setFilesystemOptions;
options = mkMerge (setFilesystemOptions ++ [
(mkIf config.media.krb5.enable [
"sec=krb5"
(mkIf config.nfs.enable "nfsvers=4")
])
]);
};
"/mnt/kyuuto-transfer" = mkIf config.transfer.enable {
device = mkMerge [
(mkIf config.nfs.enable "nfs.${config.domain}:/mnt/kyuuto-media/transfer")
(mkIf (config.smb.enable && config.local.enable) ''\\smb.${config.domain}\kyuuto-transfer'')
(mkIf (config.smb.enable && access.local.enable) ''\\smb.${config.domain}\kyuuto-transfer'')
];
fsType = mkMerge [
(mkIf config.nfs.enable "nfs4")
(mkIf config.smb.enable "smb3")
];
options = setFilesystemOptions;
options = mkMerge (setFilesystemOptions ++ [
(mkIf config.media.krb5.enable [
(if access.local.enable || access.tail.enabled then "sec=sys:krb5" else "sec=krb5")
#(mkIf config.nfs.enable "nfsvers=3")
])
]);
};
"/mnt/kyuuto-shared" = mkIf (config.shared.enable && config.smb.enable) {
device = mkIf (config.smb.user != null) ''\\smb.${config.domain}\shared'';
fsType = "smb3";
options = setFilesystemOptions;
options = mkMerge setFilesystemOptions;
};
};
};
};
in {
imports = [
./access.nix
];
options.gensokyo-zone.kyuuto = mkOption {
type = lib.types.submoduleWith {
modules = [kyuutoModule];

68
modules/extern/secrets/krb5.yaml vendored Normal file
View file

@ -0,0 +1,68 @@
gensokyo-zone-krb5-passwords: ENC[AES256_GCM,data:59sSVI2bZGotSymwZCv/eTxLOMUI4e+yJb8IbMJaMq1ZM2OZjLfYQ2lTghRgJU33r0lpg8tTlWI8JY+6ZqRl33wWzRqKUlS5T5M2lXKtD+8Cs5K5tVOva2kLBMz9fhL9wIFHb4wo0JY7giR0TZl5W5ztgU7DBQ0FkrO9,iv:CSZnTsSQOsHaAv6zFXCnotUF2zYtWnYxwc6Y/i4XG54=,tag:hlu7hJVIs2GV7gy4n48cMw==,type:str]
gensokyo-zone-sssd-passwords: ENC[AES256_GCM,data:CVIsArY97xbxVKozCNcdz9RgXF4NS3IFQTW6cdiv9CfQrMLcbnIXsWDTB5xe3LIMFXcXJR2ah00ZsJDm,iv:BQ76MfF6wBfU1Y7Pfud2Ld7ZyFNmxnDqJ2fKhjQoD9A=,tag:BhgRO65qaR2pV4S0q03cJg==,type:str]
gensokyo-zone-krb5-peep-password: ENC[AES256_GCM,data:6d8A5zZRdMzPZp5Hex54xm7/YJUtuQ9nWWJO+Fxa3Yo=,iv:LD1yBPfmxbxAwlTP3O+2muTb7/EbVSwAjrs6t5s+kos=,tag:ic2W/ITl6sb9O0Mii5AXUA==,type:str]
sops:
shamir_threshold: 1
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ua5dukhxsmztpwqrcd25zyvdqhww565dn3uj5mqm7evg9khfjfnq66zywn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQ3hiZFRSWlAwc2Y1ekFr
MDVhZFBBeVJkYTdzS29hSkFFTVRLNDllV2dRCmtLZjN2SmZ4M3duOU1yMmVLUGZT
eGJDamk4UlMrWDNCNzhwMlltQ3cwdHMKLS0tIG5DSGxQSmlmSkcwcGUwOU91TERD
SkJ2eWZGNEcwNThSMFAwVm9TazAycmMKJ2eFKHIjQZ9Tyx7OYL1PWUOrp0AtkoPc
3dvPspyBxNKJIM+8i2g6562zDKKufq/q0dILgs90UG0HinM3BRq4fg==
-----END AGE ENCRYPTED FILE-----
- recipient: age19wwvlh83p4a3t76j8wzcmh2ns9w348ttff5n9h3zwnmxhm3vtgyqg7qh6x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnMGJTMld5aXlLaTI1NTBp
WjlyQWJ6Z1NRQlRLM0JaNkdaeDVVZ0JUbGpNCjY5QlU1N1BySmVDNlV4RmV0bTVX
R2hSVHRiNlNOZzNlbnBuK3Y5RlEwaDQKLS0tIFVqSWovN0F4QkNIOVBtZTlmc2Yy
OThVOVdkQ0I5U1YrN0prYnR5Mmptd0kKSP/JvDw+bjg2SSQk0gK2EIbyF/b4QSrY
kDKbUVYqH4EM6uw3hnvKKdwl91WyyH1zm0BOtyNzCgmxjCZ4wI5TYw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-06T20:44:34Z"
mac: ENC[AES256_GCM,data:DFQ5W8Nqp1TKlqSx4oKnkCNZE+ziWk0s+TBx5veemtsvCHcdy4Dtv00x1ROT7ZnKTRbQJ8EBXuztUhZPDlnoNMGpDt/1400VWGoDg7BBr+x/NF+CSC9DtjvnjjLd1Wl8UebVWoGywRYddCbMoqtPvm0wVIy3SEI/WlDGlroRJRE=,iv:fJ+fVoMlR5DPz3iTPsdmWBLl3owlCI0BYmNfc9+7WH8=,tag:7rDV7kZK1uso7cgRooV//w==,type:str]
pgp:
- created_at: "2024-04-06T17:38:14Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA82M54yws73UAQ//WvYYZXtRwXR9GM2SJ/k+EnElquVY9GM4BvEa/JDxAX6p
eQDOeaI7xmzCJtQ2w5yH/9yPcxuMAi60e82T1ljDKjZl731pAWKTHX43EU0CSO9N
rST9dtSeG+Tf54JP+HAQ9IS/CFuQFaa7KGQLfodvkSFkt143o+WjQjDYF+THzNjx
5b/V7MBmgYoDodyBeeXkQUhCfml5YLHJ0iBLhS1Xy1KGSYxdOkl/nZXd5zpj5fSe
i4P+RGS9EOvBIjACgPFGZ9X5eUhOL3COZ9Wyi+lAZ7tZqEFfrzDGI8FqT3nSflPK
g2ZKxJTBSPrtRLD1xcggWOq5Yejh+JsYuDEow4nj3vqGrivavUiwJn+hunhaZLJX
zHSnWSTSPAdtgUUM0F7N3LdhvP+zpMjiU0vq7UCNY6OdgUbjd1DO6mojAIt+AMlm
ZlPhqhuu+FavfK15UOKoBaps18INA5VCt2TqWVVxMGk5F0BHW/mq44yTeOwDtD7Q
WZgPwOjeg2qydqOO2XJgS7lAuA2mkOjXVtcPes/HBnUDdGUWzmVXsD0dxXBqXcBU
yrJctTNS0nJGUc7UyPX2480JL+68OqfvVtilACESnB3SwJ24Euy1OzfA3tx5iHp3
6GYatPBcS8GRHWBAzDznjjqkc7JPK4qvseuUYNQO3RMlkAOfEr0ONsAQtUkJSMzS
XAFC3rDeVEw/jRyMyrP1Nz3BiElZXmLk6AHrcCcglRqwIPGhbwoO9Wlnta9CscXY
gqP694TxAIGeWwxoDRY6xRE37h12thPDiPGDzGTkBIuc4x5BxzoOPuaXQmlc
=NcIp
-----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4
- created_at: "2024-04-06T17:38:14Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA2W9MER3HLb7AQf+LzjSKdSQROup2RE7quznXApdflWyJ1yeit4xAWJkXLFj
thmaOqH/oJe7tEP03LQMrNHJnwAwc0rhbStEQHR60HGpHEPlSnWdZgG2dxrtxeTw
dd3hrKUzt+SmDpvbxzqwvwS34bmflDs/xnPpVcubIFHuUSjILvyS817hgkHS+FKM
eNJNY5UnOKGCSX7zb9B0DmSk7DknlhjyaGsCMQcTRqTugzwfosKQRODrulRpw4S8
O/trlc43g9qazsArkosvNWKj/zvUUC2fEVWuP7dM6KRD8kk/CYotBjwIycSPMiXs
uOBe3UQ0ez7vd59GdUkf61A3eNc3U7towIeyLXpWotJcAY8YADhHJBG7Uhkpme2y
wjHHZNP7//8jAsQj17QAwhnh4ibeP73q5A9IR2AKPmJgbI5seNaTgEyDYOH6Xu86
THvp1wtor0XZHHpGyqlYbxUdLCJPed5cLH6nG8I=
=IX81
-----END PGP MESSAGE-----
fp: 65BD3044771CB6FB
unencrypted_suffix: _unencrypted
version: 3.8.1