Initial

03e2106f · Dustin Michael Frisch · 03e2106f · 03e2106f · 03e2106f · 03e2106f
Verified Commit 03e2106f authored 7 months ago by Dustin Michael Frisch
--- a/.gitignore
+++ b/.gitignore
+.direnv
+.envrc
+/result
--- a/.sops.yaml
+++ b/.sops.yaml
+keys:
+  - &admin_fooker 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE
+  - &server_ldap age15787rncs5y0amtf3pp4wwt9nya94x2hyk5xaq4etzadvw756mg0qpzfpe7
+creation_rules:
+  - path_regex: secrets/.*$
+    key_groups:
+    - pgp:
+      - *admin_fooker
+      age:
+      - *server_ldap
--- a/disk.nix
+++ b/disk.nix
+{
+  disko.devices = {
+    disk = {
+      main = {
+        device = "/dev/disk/by-diskseq/1";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "500M";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/flake.lock
+++ b/flake.lock
+{
+  "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1728673344,
+        "narHash": "sha256-O0QVhsj9I/hmcIqJ4qCqFyzvjYL+dtzJP0C5MFd8O/Y=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "ff0a471763faaaca1859fd6de80f44fa0fce91a6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "latest",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "ldap-sync": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1705328305,
+        "narHash": "sha256-PPc16Obzg53YVLSMP2pCOXBF6+q7/BIG6FF7EiI0st8=",
+        "ref": "refs/heads/main",
+        "rev": "49edeafeaf7fbadbfe59e4763223593cab989317",
+        "revCount": 14,
+        "type": "git",
+        "url": "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1729684354,
+        "narHash": "sha256-yQcvyCyqsgGJtMg1D14+RYdeH6MSmvbPzsCaaztgMn8=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "962f7b27ee7c7ae4648bd7c4e6e8429eddc56100",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1729357638,
+        "narHash": "sha256-66RHecx+zohbZwJVEPF7uuwHeqf8rykZTMCTqIrOew4=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "bb8c2cf7ea0dd2e18a52746b2c3a5b0c73b93c22",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1729265718,
+        "narHash": "sha256-4HQI+6LsO3kpWTYuVGIzhJs1cetFcwT7quWCk/6rqeo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ccc0c2126893dd20963580b6478d1a10a4512185",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "disko": "disko",
+        "flake-utils": "flake-utils",
+        "ldap-sync": "ldap-sync",
+        "nixpkgs": "nixpkgs",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1729669122,
+        "narHash": "sha256-SpS3rSwYcskdOpx+jeCv1lcZDdkT/K5qT8dlenCBQ8c=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "a4c33bfecb93458d90f9eb26f1cf695b47285243",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
+{
+  description = "LDAP server for unix env in HS-Fulda";
+  inputs = {
+    flake-utils.url = "github:numtide/flake-utils";
+    nixpkgs.url = "github:NixOS/nixpkgs";
+    disko = {
+      url = "github:nix-community/disko/latest";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    sops-nix.url = "github:Mic92/sops-nix";
+    ldap-sync = {
+      type = "git";
+      url = "https://gogs.informatik.hs-fulda.de/fooker/ldap-sync.git";
+      flake = false;
+    };
+  };
+  outputs = { self, flake-utils, nixpkgs, disko, sops-nix, ... }@inputs: {
+    nixosConfigurations.ldap = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        disko.nixosModules.disko
+        sops-nix.nixosModules.sops
+        ./hardware.nix
+        ./disk.nix
+        ./network.nix
+        ./system.nix
+        ./ldap.nix
+        {
+          _module.args = {
+            inherit inputs;
+          };
+          system.stateVersion = "24.05";
+          disko.devices.disk.main.imageSize = "20G";
+          sops = {
+            defaultSopsFormat = "yaml";
+          };
+        }
+      ];
+    };
+    devShells = flake-utils.lib.eachDefaultSystemPassThrough (system: {
+      ${system}.default =
+        let
+          pkgs = nixpkgs.legacyPackages.${system};
+        in
+        pkgs.mkShell {
+          buildInputs = with pkgs; [
+            bash
+            git
+            sops
+          ];
+        };
+    });
+  };
+}
--- a/hardware.nix
+++ b/hardware.nix
+{ modulesPath, ... }:
+{
+  imports = [
+    "${modulesPath}/installer/scan/not-detected.nix"
+  ];
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.initrd.systemd.enable = true;
+  boot.initrd.availableKernelModules = [
+    "uhci_hcd"
+    "ehci_pci"
+    "ata_piix"
+    "mptsas"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+  nixpkgs.hostPlatform = "x86_64-linux";
+  hardware.enableRedistributableFirmware = true;
+  hardware.cpu.intel.updateMicrocode = true;
+}
--- a/ldap.nix
+++ b/ldap.nix
+{ pkgs, lib, config, inputs, ... }:
+with lib;
+let
+  baseDN = concatMapStringsSep ","
+    (part: "dc=${part}")
+    (splitString "." "informatik.hs-fulda.de");
+  ldap-sync =
+    let
+      wrapped = pkgs.callPackage inputs.ldap-sync { };
+      env = pkgs.runCommand "ldap-sync-env" { } ''
+        mkdir -p $out
+        ln -s ${config.sops.secrets."ldap/sync/config".path} $out/ldap-sync.properties
+      '';
+    in
+    pkgs.runCommand "ldap-sync-wrapper"
+      {
+        nativeBuildInputs = [ pkgs.makeWrapper ];
+      } ''
+      mkdir -p $out/bin
+      makeWrapper "${wrapped}/bin/ldap-sync" $out/bin/ldap-sync \
+        --chdir "${env}"
+    '';
+in
+{
+  services.openldap = {
+    enable = true;
+    package = (pkgs.openldap.overrideAttrs (final: prev: {
+      configureFlags = prev.configureFlags ++ [
+        "--enable-overlays"
+        "--enable-remoteauth"
+        "--enable-spasswd"
+        "--with-cyrus-sasl"
+      ];
+      doCheck = false;
+    })).override {
+      cyrus_sasl = pkgs.cyrus_sasl.override {
+        enableLdap = true;
+      };
+    };
+    urlList = [ "ldap:///" "ldaps:///" ];
+    settings = {
+      attrs = {
+        olcLogLevel = "config ACL stats stats2 trace";
+        olcTLSCertificateFile = config.sops.secrets."ldap/tls/crt".path;
+        olcTLSCertificateKeyFile = config.sops.secrets."ldap/tls/key".path;
+        olcTLSCRLCheck = "none";
+        olcTLSVerifyClient = "never";
+        olcTLSProtocolMin = "3.1";
+        olcSaslHost = "localhost";
+        olcSaslSecProps = "none";
+        olcSizeLimit = "unlimited";
+      };
+      children = {
+        "cn=schema".includes = [
+          "${config.services.openldap.package}/etc/schema/core.ldif"
+          "${config.services.openldap.package}/etc/schema/cosine.ldif"
+          "${config.services.openldap.package}/etc/schema/inetorgperson.ldif"
+          "${config.services.openldap.package}/etc/schema/nis.ldif"
+        ];
+        "olcDatabase={1}mdb" = {
+          attrs = {
+            objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+            olcDatabase = "{1}mdb";
+            olcDbDirectory = "/var/lib/openldap/db";
+            olcSuffix = baseDN;
+            olcRootDN = "cn=root,${baseDN}";
+            olcRootPW.path = config.sops.secrets."ldap/root/password".path;
+            olcAccess = [
+              # Custom access rules for userPassword attributes
+              ''{0}to attrs=userPassword
+                  by self read
+                  by anonymous auth
+                  by * none
+              ''
+              # Synced is managed by sync
+              ''{1}to dn.subtree="ou=synced,ou=users,dc=informatik,dc=hs-fulda,dc=de"
+                  by dn.base="cn=sync,dc=informatik,dc=hs-fulda,dc=de" manage
+                  by * break
+              ''
+              # Allow login to read users
+              ''{2}to dn.subtree="ou=users,dc=informatik,dc=hs-fulda,dc=de"
+                  by dn.base="cn=login,dc=informatik,dc=hs-fulda,dc=de" read
+                  by self read
+                  by * break
+              ''
+              # Prevent access
+              ''{3}to *
+                  by * none
+              ''
+            ];
+          };
+          children = {
+            "olcOverlay={0}remoteauth" = {
+              attrs = {
+                objectClass = [ "olcOverlayConfig" "olcRemoteAuthCfg" ];
+                olcOverlay = "{0}remoteauth";
+                olcRemoteAuthTLS = "starttls=yes tls_cacert=\"/etc/ssl/certs/ca-certificates.crt\"";
+                olcRemoteAuthDNAttribute = "seeAlso";
+                olcRemoteAuthDomainAttribute = "associatedDomain";
+                olcRemoteAuthDefaultDomain = "upstream";
+                olcRemoteAuthDefaultRealm = "file://${config.sops.secrets."ldap/upstream".path}";
+                olcRemoteAuthRetryCount = "3";
+                olcRemoteAuthStore = "false";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+  systemd.services.openldap = {
+    environment = {
+      SASL_PATH = pkgs.writeTextFile {
+        name = "openldap-sasl-path";
+        destination = "/slapd.conf";
+        text = ''
+          pwcheck_method: saslauthd
+          saslauthd_path: /var/run/saslauthd/mux
+          mech_list: GSSAPI EXTERNAL PLAIN NTLM
+        '';
+      };
+    };
+  };
+  systemd.services."ldap-sync" = {
+    script = "${ldap-sync}/bin/ldap-sync";
+    startAt = "hourly";
+  };
+  sops.secrets."ldap/root/password" = {
+    sopsFile = ./secrets/ldap.yaml;
+    owner = "openldap";
+  };
+  sops.secrets."ldap/upstream" = {
+    sopsFile = ./secrets/ldap.yaml;
+    owner = "openldap";
+  };
+  sops.secrets."ldap/tls/key" = {
+    sopsFile = ./secrets/ldap.tls.key;
+    format = "binary";
+    owner = "openldap";
+  };
+  sops.secrets."ldap/tls/crt" = {
+    sopsFile = ./secrets/ldap.tls.crt;
+    format = "binary";
+    owner = "openldap";
+  };
+  sops.secrets."ldap/sync/config" = {
+    sopsFile = ./secrets/ldap.yaml;
+  };
+  networking.firewall.allowedTCPPorts = [
+    22
+    389
+    636
+  ];
+}
--- a/network.nix
+++ b/network.nix
+{
+  networking = {
+    hostName = "ldap-linuxlab";
+    domain = "informatik.hs-fulda.de";
+    useDHCP = false;
+    interfaces."eth0" = {
+      ipv4.addresses = [ {
+        address = "10.32.31.25";
+        prefixLength = 24;
+      } ];
+      ipv6.addresses = [ {
+        address = "2001:638:301:201f::25";
+        prefixLength = 64;
+      } ];
+    };
+    defaultGateway = {
+      address = "10.32.31.1";
+      interface = "eth0";
+    };
+    defaultGateway6 = {
+      address = "2001:638:301:201f::1";
+      interface = "eth0";
+    };
+    nameservers = [
+      "10.0.0.53"
+    ];
+    nftables.enable = true;
+  };
+}
--- a/readme.md
+++ b/readme.md
+## Build disk image
+```bash
+nix build .#nixosConfigurations.ldap.config.system.build.diskoImages
+```
+## Updates
+Run the following command and deploy afterwards
+```bash
+nix flake update
+```
+## Deploy
+```bash
+nix build .#nixosConfigurations.ldap.config.system.build.toplevel
+nix copy --to ssh://root@<ip-of-target> .#nixosConfigurations.ldap.config.system.build.toplevel
+ssh root@<ip-of-target> "$(nix path-info .#nixosConfigurations.ldap.config.system.build.toplevel)/bin/switch-to-configuration switch"
+```
--- a/secrets/ldap.tls.crt
+++ b/secrets/ldap.tls.crt
+{
+	"data": "ENC[AES256_GCM,data:qAAyvNe+HobjwIVWc05sHJSk6qkSM8ZAPhYsQp8Z4qQGw0BpoZyNJAuyws40QIUmMtOWVDGn0jxZzMAaV+q5kot4ZESVtzWBB0ti7zZo6ktsxMD5N8KtnU9JW3YoWKyBn5NLN7dLaDs+tRET3CHX4wWSd2klArp/v/1OvPBB5mLyCS5QfFBLXJEuRIphkCJdbeTiAOcTHBcQlhMpnDe9TVo0rssxyF+A7hRIq4EyXoHwGkHsgryq7VF9iq0RTy6quAYWbBfujve5IA3BxSL+RxGSq8+i8LWaQtynEchl2siFK3pPeKNZSjvhD+iQTXE94aIHw/JGXkt/kDXKuOb+e55jXfysyV1kyfimR2FbSCuRKCwJq/XktKmI+na+K9Maf5Jx99AyPKDPJrZndfKGJhIid2YxWkOrPF1bvqAmb/7pdFcCDlnWfuzzfGdoeXBx0xAE5IxrhzcpzJTZYeXO8vnfT4CECx2w8PPUfeFRXjssCDV8LaSqjz/T/fuXitjaOzHFtQEqoaKGG6omPAKwzbSrnuqCTR7zdGz5+J7hAcV0QSteGN9uW1pf5NDVL0izAqmOLPMgyhT+2GPM58bn5lfWw3Fz5iTKJqLBc8ViWqgwbDrvvKgl90gpP1qR/y1QR9Fiqtv9ZBvekWRT/O0VBDknaORfyWyYhY1Vkun3cLnIr6UsI20o0QWwp8D96rumqWMXYwx7ZjkxbVqZSBFvorC25K3H7utEuFrG561EsCwhxYkVd1PDcMxa6NqLldLmJhMET+G3xi8gtikfgFcIqxfZjn/BI9yD0Ry+OmnlB9L1A4zy8+DYr4JidwU0tlhE/LLWN2AwxIrbdKCGddhs1J7YbPT6vBLOhl/fKsY4HQRMCArj6XjgSSlI4lZGLIu0HvQvD8Isv9hCvO9ff7CAnQcw/krUyzaJA1ctksgA0B/HQIWGaMBSfYiNtRY//SCYkQNVb1UPcj/gDsUiQvD5ERPqhn0N/RL9sGrJa3EttrG4Ny96GseuWK/7PKYIZuHmoTwxMqvxZda2fRjR9LWYu4x7yhilDtfec/glAfOuw5B87OsHe16lHqndlhzfrkdPeoa0LbH8euDBk0kVi1tknIrNMc4PnuSebAZJ1FA6xCpbcUBaposCIMqqq7BIr7rMVItvEb332ZE3OjDjbvpkXucQnS1eVzbfeLEDkgwmmNcs0tHNoU7E0pZAeCGbQ7twOPVelWxNe/iJsZdK3BBXJpbGLQJLzaPnUnf8qW8HWaCrI9C4lVabhs1jnDeOyacLYt0BqcBefhgyhHFrItGyIifB2+WY8Px4ABUCAHhHla5BXB3353uLuBrU2YQAI4YAYg0E/A6L972qbyBpkjhMbNIjPMJq4J6ix5YvLDJvLQ91kATOUkilUHpkiD4p4dPA3xvDJndqic+ToQzoTkFx9aBMVgPF3qc03kwOAjkh12JROdZrI3yuzjbCRRTK5LIHQzDt4aixLB59izxB4vv+UoRErx+wr+t8n1lZ7iClkVjVjS2O0ufZiAEet/4cUEaH8ieZPw25NvHjanlBmYPq2Ib2Plu70D8qNrJc9yW4YudUTpf39V+IJWJuiPKD1yJLZmKtv+wyi5wbMWvAy1QNCtuql7Bu4SOOPn1PO5MxXUkeynVuoHe4PVz5MED4vR8EFLXidnJVM3LJPIeQ7YmZ1M5duzrrfC8BbjzPj0Oi2z7FkY1t8mzgFzmvS14AlrW+7smktkT14YUSJIFMGQ6BqNz5BllTsOBSqP//OVr8mAamxmw/jEA4TsdQqRr1JRNBkKWD5s7RT74eAVmjgOItEll98QQFxfcFnPQ/i/LKZqd0gqhU5p+5fqtQwGTe83iIpAwsysTDQnAcWIUfLihQ2sGXtes0c3KUVkkX7g5RQNDyFIdbGDFXZjGXvY3MV5gti6aswvPlHFNZy1H7jwVkKmx4i4XORHlqZ859MlFucb+uk1AZLkmONGOSblaRWWsq0vQyP8yp68MYUF7Z3o5p76bcsHnbXbA8nRGtAtJywLEAS6avHz1IBtiDglzQ+6VA3z8KMHE7zHjxYBjK7fglzMU/ODdMxRYlCg0Nxf5ZELXLv70HTxF/wnfddWgAZ9gcPZcARZMtEbbhempEevjhjWScauGCJd0B7/lBpKc+7bwBdXZz0olVJOEbzOf8TKijnNnLdTCIC+2PA6bmw+caEFQU3KJiObqi9qiec/xXd3jjt8wMh5oivvYjApU1klchbdePTwzNWfI6gKvhc14I5zOrOokheaeJgZoU6I2aE5HvwubQI4VgkY9pkSyLisLKh2h5f5hp1ywaim1SO1EGOgHvYTzryD4iGpJeeQMHAVv/HI/PXTwhOWl9nnTGl0bLk/sXvsZAl/pu5sfAu9+Aqm4O1J1diq59Yj54n7SIrNidOkXJfoqi09/w/5RGZcAyVggMTFiYgiQXdZFzi0Je6QKzBPqX3ktBEO8Fz1S0AB08W/21rpPNhNIIvsUnbRa9t//+bQCdbc+Wftc0EZYY9sgKiPeHkQHtAlQLSXvd+aQBM7Sy51vOvp8rQNe0hllDeGg+zHzMksx51ha1tmUMRdRw325+1C+Ni/pqRJQMikxnZbfV0xDYli37oXfPs2RYnraChIVzYAj+uxYY7Z7pdpwlEOJJDLn7Ub3kZ0CHKOuKegcVsuFnj9pfWtDyD1Pn8ysP6kGLFEtl2WC7b0aSlCpm+q4GvbCnICthXbF+MhET3Fe7fFy0yMawu30NFod4Pvqy9As+i77iKBsrhUGEt76hDa1BhXDLmF7ZwhVZnM0Qbo+AubebO0q+4qhm+R+W4OZCczpXVpnbBmmSIjbal7nuAIq8rrXmwWKMcLdOIoxu46JteAP8WgaO+Zkhgk6NhzDccnAMH4XSDuyasBCbmeIN1uYGkN9by9K4TfqRjWMoITAASPUD771r9CIuf/8leWaj0X8eING9RLs5T7twNLtrtPeIHwj8iIw9zLpo8wa2oBdY/4Yf9+ypwLcDd1UAE2AqFfhoQEzLEdY8aw/CEJtVyy7b/HgaQfv2YFL1byoRxw/bxFmWK+lHP46KwdO2uAVT0m7OQX8VHO90aKcQ7zmffkrO/eZD1VPIOpwu9dJkeTqPHvqSS0+9X0QzSpgJk0nxXM0SgJfYugYQV3YsvEcpywGadyquzKhRW46ORissVvSoaiJ1MOb4VX8RyE/tRhwimi00fC1rjpAUgrmpRvB9htsMjCpExlmBUh90D8lX0XM/+x8sYbFHDpvGbnhAD+Dw6P5McTwIdKEv71EZsbScXvqZaxBtCBh8NlEk5RTKFxIBRITSyS9TyJb6ZDoItvKAoXOFVy7aIBm/JYB3X2jYfdgxl/XpleBeRQlbhql993cBMhPfPuTxAN+t6zoKE8K3Wl//1o/7vuczZ0N7/eSY3I0IYuIifeTWPL+Q7KMKOR82YdBufeEm83uEk6D1zJz7UaqnPNYcb903DvptB1cRUtI7ME5+vYDPJz9pT5Wfy6zzBXgfufNUO/JsLr+0vOJSdCpYi+uD3TK7VPHr3MicQ9M6GvrjtHXiMBOVGt1U+HSCjtV2Q/eibuOJeMqk3ljKg0xlMV+LOowI1YP2OjKTxSucA9SAJJkNNzOUMcp8ODF25JjJIHWXY9z0GCEwNc+3x5KIwWJNUZXvPp2wrw83Ndph7QUbQPR6kKfpE83PylPcnhz3gf+A+TuW5TDhjnEnNB+tE1PQ437nks4AJK3DWY6QZdyu5hUu0W5VA8MRrheSac+TRDgsn28rXPcUZNNCyG1m9d5UKLN2l6oO0MPatrCT1TMGLPrrcEoz8bq/XPm7S0gY7Xp9wlitHjupLaBhTzhRb1IsM7tcxT5NtjR4pZdlgh/W2rGBTuDvMYdQ1g1L5cJ28IYQKKR5SvVa9tLClMhBH50i8ycYUEbVTXMl9vTYGrVGgMRsCZbpE8GVmOsTQE8ajqkKIssyjNlpvEOSVtlHjpq7QlAd4nDTA9dOhtoH3EKb/LSOvZh7HIfTJSijL83SfkYBBXLDJX1c7PN5Md/78y1hqHEoQlU3H48IZOKmLwss4OnheOj/934QUrpkKkEQbGPsmTMaeX4dnNsfKd5Zeto7pzavoE13KmcwUjm4i890IQgELJ/lka0rMt1/HoDk4zOOFOknb44SqC7gGpx6OehTo3dKJjGv30MQa54651E07v3FyT+pscjpSGwHtuFQQNI1FVwaJa5hJTvRiGT8HyoQXv1IpOHCl4END0M8Fa7d3e6iqdc0Wc1L/9kj3hLcEqofEgKvTiXA56IOAk4HlCiRdECCFo04Y/HjaQdhIku2U93xsjKRzTSZWyLtPiqsl9gYueqoP5i2gVzLJyuMx2F0Zsj7G7Vmwaro4bUDbMAC4AE7TUZCXx1i3qGMaJEDf++qAhcuZF2orVwckwKjEcg6xNJhs/+dZYP+E3wrmzRE2LHvr1D6cFOfWxwMMi4D4kr8kfATn5u8Tq+OvlJBK2CVFAZcJm5oz4ImXznAzvj5XxuBy/iByM6nu62io9isY793K0ITmq6PYnA5vnZPNF+E8wzX+Mdxc4a6kSaC6XDxwxCzjK466tEyH+KadVGX75mfO1prHiy7tV6h5r4x51DOctMOnWM9jEIoKQ+4xuTXo+CUtwykti/QacS4ooVsynbQmklF2ZIAkf2gQxCLnISQV1EjQciUJe5dfqe0BmeaAyw+ZFe94q98zb62YTNR1ytIp2v6i7NeOavAAlPpdtzrP8y/CLoXnL6oPiW1tNqBNliW4uyVTPQxooC8PEMyR5TYdpOCCxe2GRcbHw6kk7AS9iDN0QZF+g529Rm4ObeT6lqvTKUD/vIYcF4jsMJ1zbfAodtJKlwOtHNYzbxDhzH6SWY00rpXadiaZ2C5oID0lH3fsoI2w0bHsAiIF/C+zDQhOfvqkf0GNqdagdHgp1R9Z3HVi7IF9WRzaJa04eU2AJyTt44F4h+T3fHHKUGistwmQDDWelCzqLP1ZYD7g77kO7G2wxDAOcIFzC33P7lklWpgXf0AXvJZUGZLvoYxL0SQGL7zOOSOFLjTFRkYR1CfnVgrUSVCGYsNMCdnDbUwFbegA9vnVNhCq3hxNMfaE2Nbm9qRUNoyUiXVSWYxJQq6G+zVQOoNU1nmSHbO/khyScuWhlY+4mZ2uAx7h+n65qC+RZlgPJQtgW7xFxc4R4Isosex4R+JX8h9R4zmu/IPxzASV1mwjo8wwLpL0e66GPXA+/DyQiYKWuiAb6zfHjpbXfi20lnEkvbceR0K1FgEXBwt6I5bu6P3/I6fyKiM/HVNOHnB4bbzogg8wDsnv4T+zfNJCLL/7dbn5InFZRjFZzpsWwkkjq+XeGRQvHJgH01xFkQWoSTCqn5AYn+/MioMEGHvG22eAuQCYgj4roHMYeTjCFPJEloRPPU7Nn3MggC2A65dcdK1/ap3cPNV6TPsfYq82KEYmQNvebJgfBGM7DSjodOqkbKN3P1GZWjmkhwbCFJdYyL/PEXm4dCYqcgZsK+lMMj4RgI4gb4sUn7c2SBCHuAxFeGxxkiBK0unv19/MKm1N1nkyVFEjhW231q2C2Y5YnmPliSEuQdRvPXbl5VvX2Pmvl9KJ90mNCT4JZR+5dCyu4AMBWEPsbVR9Yisufh2mDO9fAAowZLrzKOvtN/mX3T2BE7vhv8L2UiETohU5IQy5ktbU1xTZq/1JhDqEPRYId76EQ9dgk1hAGPrjoa4cRoliJZFjwCh7LFvpMBCGBcuchBdOuMKVIgbGwLtzhQSQdOYPXsk/qjPrDu8RAVXPMP06wIXr0D7cpQPQlRNwq3pBGEzxcuLJxp8mpqEXwLNfVIppqW3GOphp6aunL+moz1LKuEHRMOs13Lff3oxdaOcx3oLtZY/q1lncJ/qAoFyoeo/TXM2pYY00kZFjnS+8i2dZgbsvwnWOqHxKOriH5UZ24VF30QGpMBv5XT1To1bxp8oq8Xg0SYdoMWlbs37Gmm/1Dwdtk/cHM0iq38Kmdd7RDmq7KmpIS9o56m11a2w9fqt78qZwWiwM+sKkrg9fSR0kEFkv1wddTNBfSRXqSN/CBPAypMTFVbEtRihsHfafrSubsjr1ftA1HsubwTfBrDrlBRNta5ElPk9z6WZ2IHqVT3MYJrDIpvYcdld8JtDvphMo/ELMggC5FI5T1ncOqlcTTHmU9WGRrKA9RsXCUhQJ690DrWjdBoTTSo+GC7zSJfjRsvXVMQIIfmI0xVVLg0r89G4c9DCVuf+hNwuiN1GzQFRfpA/gkXBy/iIX+y6w9fDk7s/JvZRkPmgQaw63KSewvvd6SAxWfxKWK52aOz9KcjH3PdFcbMf9oRlXPCe5jWC4E3gcfX9ZL2D0Sn7pWpq63TIgkFc1fdNhuDADJH4/lD+tdGkLjkMHFq/LhQc8TTDmS+c7ErDQAJBcaQ9O2rJ3cNfi8rHs2kpCKm5jGzsD3Cfs813ACI3CCrAWIugFDK3p08tiMx+kB8om0YlH4Tpzo/4RkqrKhUy94r7lFjNN5zeXaqkJf3TsGlzSlOEVZMrkAWa7gw/z11zLvQ8DMLSVs/UaT5qS2lt3ejXtRl0bWF4h0isjfX+jIIVzPWC9o0i/l6OAvce+euris/yIGA/ebmCOs1F37y/ujMIY+XCp2RUOrnQpBoU1PgFCuhOJQzZorCrKy7QmjbARJKUprqiMHE5wD0NZqHuiyUT6q6z0SKJuUsio8gvSzJ3lx0TUrtVgf93+oyKzOXvySvpgvWKpysQ3ysnuj/ydRsliIEGjfsHYMLSoTf5eFMU2E7d8mpSa4FGSYO1KmiD41jO/jlolDI4PLGp7A4RMH0NAeehYO3lihNZoZwD5RrmA4MbkusCfvCo376OEjVcXYWEjc1YbncZ4BJCwhKSyTNL6dHQJWpHWSmhFOxlRvOb5va9jsujuDCZCnNeV6xaxUNJNTkEoOC3AfXw2+fnsWVrZA397N+0Lzy84zQb2ikmtvnNzwz9UVMzh00rUNsd8bDUESqNR6xsIWDT+bVUrlPnO34mF7lhuZmomXRTEIIzjobxp1tssEGT5yHIMvRqFHWGy3eDsa5q2tmqtcpzW+oWfR/jMs9XIxZxLz8BtWwt/xEG03oGnz7wYE/kQVDmr7h6mogy1bQ3JtWfpHpeESXC0RquNb5Dpdm/AAyagBlkTITeYuzOBFH9jDJd+35l7wTSEwGX1wzle/yEjcX6GCayy6t6cgPzoKgIqCvjIyCiftJnFa+Bh0Szzt+DwD8Mbaj4lZaQfHBjxfMUKCk4B01VDm7RWIJXFgCUv4GyNLFUaZCorq8qqHzPPn/XAxNY8Cq7TZlRXde2Ze1Nhebq36WQQti1q/zuqe4Op0s1s1GYu5ncmKMXprRv4qHNanc1sGBhxyepy/GuvMXp6uCP3CgnhXX7KcUypFOzmcTWfZlQtzvEKSeU/EAzdoEkf8FkGb5wC/aZ9xQXe7PNkJD+vbxheL9rtOVu1IK0cefbqLsxcUHBapP2QsPYAMU5Oqr+KcLaNJkcUX3u9MjDbwK+JbuVCzjCis8YMp6IlDCt/cURfey/mNsR/PGEVBAs+txudc6+r5WtbyOtlJGJtLKdFq6ZCxv4vaTZch+6wdeczDCL0d8Ct7hMHNr5div4mvIoC2t2OOZ9X9eZ8m6k70NDUAkGfa0/7FgfxO/x6nkQPNrkrB03ZpVv/o2GiW1tGMQPmvi+kTO/mgbEVR/6p1VyaspxaJN9eSiyL3VDExa/TMUZfBuUoNXgfeUZlYL/HWhIn8ddcyOcsKmGwgroY7r02bfVcP/To53ZuYQ9CLYbgtQgHdcbFd5BUM0zJf0wYb9yr/lhcaCHnPWftJCEzsXAPeOjAAvyHhCohQGxdVgLgZDtI9UFqOXrr5VZrwZSHRHh5+84hsB9q7pNdGFozAOWk0Q9wVijO6WhOSGUxt2b0CDs5EqN7cplJZfRjcK3ECjW1cfDrcVxc1ETMMq/ABhPH7xOYq1a+G/WBaDeiPFZ7Wd2Nz7W5L6CkIRhJOUWABeTWUZkjPeVUCSFDx2QjtRkd1dV+fLxEhsC/Va5LyXIdGnNpkz8JmeIyhwe1up/Wfe7QfVrRsnX+xvAb3qMxjyl52+sf6OItWHaFZEDIDql4QLrShupJI6cIVrc9APLcsGXpOgMDetdK06l6+x6qro9pdCQ7Ne141JyBxukGoMlYw0FB43cGeTP7ihNfEkNVbMWUlPgAGgAvlwIcfsCWLAs6LizpZEVG8TDXnacvKj55PVf3z1ykbGiQ9v/1QNgN1ISJniMKKXPHg/pG+0wJK/6YN+0lLLOPM9N/0cJ049J8UsweZv7lyYdyMxHlEMpk3/WNDLoLM1D3Rr12jLZIeb8XgaKNGxmnElDcuI6HKL72W9odPJYkv4XArVoA6AOY298FRg3AKvpAy6Tz9R8ft2ZEgJnSaq4Opnwet2FKIGA5cDeSIvGTLLg6/yNz0NVPOl5iyHIL5oG7Q5o6s/iPfA69IhnJDU7o+8ZRLDdlH6l5DehtVy7c29W0bIrNm9dLgrpZw8yEQT/xH2KZxC1p9Fnlf9VX7urL/34Nqhj7tp9RetzQtlysAsQvY/oerk06iHZ7f3Lpx/s0kG19aAAVVNWSOTBHmBYqjFlehi1KwIzp3XWP+b4h/qgap3qYxZtg1p7eY/6vV6YmqEWaTV4cW05P5JsfDr3q9mo75YJ+dPvuQLlF6o1iASyrr9NQuS97Rp1GPXwDf/HOCrHD1RdsrKz11csgRNUmqPBdKZDxIkXAtNLOYUGqOEOC9ON4Aa5Wg9S6FGMtCwmAjLKwpdjFhuMIe4pWbW2n3nRmvlANWCBbC3SK4d9M8mqaSYUjR4wspglXOaIqBQt8/rmPsb8PPRbMxLeOMK3pwgHltpnuJOlj7GMkL7XeKV7Bm2acKJTgmgMbrqzb/kTcFyfL6ch7BGD4tklEZSfjySIIZ5JcBwD19fjMo4HlQLFX6WLyqPirCy2fb912dmHfeW3kqX5qp5zVXKk9ooniY7BlrMeLC97ksec8YUcxjnVSdhhgLQRUx5tnhogA/CtLI0hIBa+prqCt7WtaaA8JnWmy/Mukyztb0zMbNi1IVV0ORXNG8BAD+nKlugKa8tzBVwVOKJKivW1cMKRf2wXDQOl/+w+NAm3wBnauoYKt3m0O57GVEIIS+I4MpS0V44YsTwN2EZYrRzPaCyolMBb98pLnUqc/UR9LvGs9KiAIKrC2aToRIpIjzcwFHPL5AKMGQMaStn+kwYb/S8pU9IpTY+hOqcGlrB6NZzbpKiwH0YSpu1M0QF22i9fPhcdp6zoJksaxjGJciJ0RmxziXzjYaJbdYbDXhbdobsj+T5rQx6Ldgmy+9RI6v6BxtxhZLzZWfN6aYRlkcvt4eqzOVvCk5uQlRGCzw01eY/UlcS7dGGIP4xSLHNmYh+hJdAoubl+3EvlNHZuKJCdbHmDaJ6Z0e+d7wgDRc7rlDjBnuSzoDTF3pps5HP54x6JoLYNYbNt4Xs3kFVqWde+aqSIy0pMYaVROiTkxHYHRj8cwRQYnkpbNxe4QQzpDfEhsmxL7ApbEq/mor+Jk93D8M+J0/shR6eIVQ2U1/jOLBi7eiKb2uJshLY33A3t8cncxIowET5EtNLpH94aezidr67jFp8fSLH2RHmHi2ABJJpMJjvBLPKo7/xPcSRwktgJBhgyG4DLhG+ICQ3kBuPwy08w9rs88Coijo7P9Mt0NAtuzIlnBlGOaDcGpqNgMalTA0AhCdI1+NIVXUMthDVUtxOowx9qAk/b1bvgLcjy5wOPW89hxc7IVkdwGvk3WAkPSkQV87/ho9m6MX4Mhsr7oRWMfl+MGqnCVOV5XkeGdfYY2TY2Fmot,iv:k7tjyQc7k+pkK/xzN0+xhN7OMxbD499+iFq5cOO1P/s=,tag:8FIHjVq1jKYjRa+QUQvoag==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age15787rncs5y0amtf3pp4wwt9nya94x2hyk5xaq4etzadvw756mg0qpzfpe7",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUS9ac0U5OEpkQlVLQXdF\nQTkvZVJaSTlUNE5rUW9KVC8rUUxkc3VtNmlnCk0zanZWWmRkT3RmZzZ1YVlnVFRT\nUnBDOG9nUUxsdVo5Ti9OR2NSY0M2SDAKLS0tIGpVZWpXN3UxME4rV1JnOVpDa21E\nbEYwV0VtTmdxTDREL3lwTEtRZWx3L3MKLfgN5UKqsm3UfQcmECNVKIDQekqK5weB\n5ggGPYXBx1yTOx2cuHnBUUturUmZg9N0rH5Sb1EVXFLAnV1QZYAbBA==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-10-23T13:43:39Z",
+		"mac": "ENC[AES256_GCM,data:+EuHBBTU4BQSskZahMNKWly/OOYdNpyMi3FsYoP4aty1MdFtcnoNeC3VtZPQrouxA3Ljeml83i6OEPI/J9S9BlQH7fKK5ihWtcYlsX0q9jMNs+aYaWAu143GUkdSIhTmxceT4tYaQucdvsnOyopW+px8JJ7TOfoajGbmbOpxFsI=,iv:xav2lFC9MIuh3Px7BzZUAd0Gcc16rqD+tXIDfFAUj6w=,tag:UtCNgGIcGI3zcIXfTtdk5Q==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-10-23T13:43:10Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA5ntoryXZPD4AQgAipqKiqD+RberNUseSBC30DAIF1evEcUFjCJlKW1uOsmW\nLx4QnsrCF5ppQFT+pBOJaHnKNz/Qnd29DjdB9s55vzkbh3+n+P/7CPQ2W7HVN7rr\nMg+2ojHz6GWAmfpBXbuz1a/wUVl84W3a2679mNYgVfAz3e4k0O4h6lrObO2QTnit\noFRXE5TeDPfWlHBR9OhoFVQXXiYCoq6bbjfIjfo4BYzdVn3FzQRo6SO9z9AEUj9R\nESWgMhAeze4tSFa0X2vW55vXTsswYktGXGxxXeq8cIudi3mQiH5WbcjZlagDHjK3\nh4bO3Dk1C4I/ZBFK3Xln3Lb0VHhw8zfCF/L1L+iCNtJcAYHs8klptO2NR3ND1CQU\netGlfSPdyr6mQIFOpi3Xoi5G06BiKgxms9Neu7h63Rd4h5lqddU15NSHq8BA25r4\nF9FmXeCaEXcL5XpUNqGDYgcZFmC4h9/YeIfdAbs=\n=rj+P\n-----END PGP MESSAGE-----",
+				"fp": "3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.1"
+	}
+}
\ No newline at end of file
--- a/secrets/ldap.tls.key
+++ b/secrets/ldap.tls.key
+{
+	"data": "ENC[AES256_GCM,data:kX2fP6oI4d4ssW+XDv5lF1dn7zAOEH1Qg+tY1AlKkRiWnQmKt5ik2ot6/jcoq9w2hv3Rnrh4Zb6Ndy/OJi3JzPb8Je+lOKC8nTekYz7ZTqdO8CKfONmGaMJO9crR6bJrIXkw3GLd8m14wmFg2tYSYOz918t91BTNpujcDS0t4VpNdgRjX7TFq4+SOOO0oqQDyuXrnK830NvUranO4tNkFCRzIuW0nMeXqE8lehp9wPfJJ9vhNXk8nizgQaazvtjl2An34BQeZFHp7ff+C6XrLoFFX0CkewAkwZ9EUVFzJwShrKjRGgdTqd9u6CuuP02UQrxyfyj8MqRThnyTtZ3GPFGcO6bsPEfQav5PjdhAuoM3XTqLkYIsoyNK+XGNmYy7lEn+optXJxfpzEt1TT7uSftyCsJ13fQOG1JsXNaGrORagSp0ngDyOVMFMZTWDpavB+hweV1ITeMqN6pukWGtYCW/KRpBWDxUQUZGXTdLyt8SL+LZZgPzgLuKxWwmwsbjTZh01EB32VdRfiSSEano8nhM+Z1Xq+Zxpf7PwCrv1CXBHkcj+j856ywE1+J2KayI3mzOB6zV1Hauw/HuIvw4Y9a7QNk1YwWn21XBJtI0Qc8luV8cJCGryElOJUXXF+RE5QveHKX4QOPXZ4kUib6qZqN9BsPmnEskJq8seKGdfufFLuqUNEdaGKwrK3zH9BFKTLk2sA7JRaMsSlOwFNF+HcK6Sjyn46ZWRRCX6fmdHaJv2ECHVVeZdlFY5x2TZz5LQB4XALKcTXyvlwoytrboGm2S4X1qwqfpUSSd4WIQ3l+Ygtd9MwbcazwDjlASVDU7mFQEElWS//KV1VZjr5KrT0ZCCdLMdwA7BooUqk9q/nePvuW7hssvFNw+GiiGKGDgVPlxMRY6NaVv59/k5lw0x40HOXWs9LuhhvQ51KQtMyIKMygWsJ6IQYyZrhf8c4T9K+llt5CUrUQr3OFh1mhhancw0n9Uvnn5npV4Ig17+di9EhPWDbVbYSoGm4r4SD6aR8BBFQ1Q1yeFsoBGJnm2b3N/l0xyw94H6fD4dDw+BROH6LpbpcMAZGK/WTn1vrgMjbLWpJUa4T2gBkYzDt67lETygQ8iYhFBW+U0TvK4Dh8VSJFiA4T3UpAgl/+LN2TjFogkHbhYuMDYXChr9mcJ+rhq5ztd0HQw9Wi1xsC7w/PPSV25aOfpXq9PucYkb1WU0MT0qyU/T9jrMqs2FzkG5J8L/dzll92ZbXgzKE+017MA+YXFulPKd4oio1qFXYKa9n9KPTRCE4uq6tBfuPQ/JtQFuzd8j3pds6oM0hiuuSujqk5Ci5Tj9/fAjk0jM4RcTsHRtOUoS/JFyzTmJ9B4sWBDzB+GD1QfKAJaVgmmEULLEhNpaB6DtUTXAp/9zm041LWlk+XzL3f2gwPvPTxKm64cOQPoDbyQk8ZV1+5KqrleEc1lyj1nL+RXf8CO93Y5IWZg855cY5EugKlwCeL2zR647JD/Yn9BjbsCp5DVjo+VjwEDBcYgCBHbvK6HHt6T2SEYcCUTmLpVpXaTPBYXL8xsanABAixlcdgtk4X1ZoNqEnS0+HBwdZBwDtwF2OPDOJHbtozOGdA/aqpxamjm0tfcaPf/1I4S6pHUONZ2J/o3bDKf2RITMoDMeC8G3w9tHrqWzYs6iWbFz/vTsYw622KrkFMAwO14zBwyUoG6R7o160hy7T6R/KKUyw7M+b1yKRFNuuhFEATNC4BhG60N0nyWfKdFP3cMeJEG8OMCzl4M/xHXX9Y81GTK1Yd1vpR3IhGo2wDWwiXEUic4r7gD8paEkgvXefOqIVBg7eE7MMofOk45sEKmD11h0ao5scEQ3ObtkVP8iJlH5tQ52r1vlSHnvCvbwNX5rurH6JqvU0/bH2JhcbkGvvFWIExn+8usmuJFy1ffJ2gOS5Z1AMJHsQJ+0bmny26BgN76zVJHJ0PLAUjY+M0PsgyxZTNJJUqc72h+4AF2nTSbdzlkAaxS92g7xxkZCRNnVgI04nDkqbxu12ej8y1kB1p3s1JWoI63bsflkI9boPqAWNYqlBRHnZT5v+/SOXq3RCOvsTbiBi/Mq2PGQs4YVXh2iE/AxtORUqGkg5slXsb7AmogXSn+U+EscwopMm1NknREmNFMGYvOU5PffBspW+3JRbRsTUymRLcHyUN1p1NhIyWQ9Kdxs9LJx6eKDoi7duYYokmK0isQj8fndgjwwguyjN4VLxsud7W/57O5izOO0C0N/G/mKbhe9ZCRxcLhfvwJq6EEWiTyf9DLQcO8A988JPzMU/oJTpKPkt/9JjK9P2imPKNQMKrV+09+lC3ZqYEP0kRrSCnVvcB1XPiaXLfr2CkO0U48xMHf52A238BtcTGO1rSNU3FkWiHVu3U+rW9woW7y8/f1F4sVy4xzFKnyYvVSrTyLIEW9d7sUX6m70of2bxvWkVcU/m2SYe5MPVyvdLTy1KbllKbA6mLPqGeGMDVbHRsc7Pyht5hZda6ahZCuadaCsU1klkmof2OhpLy9Lzq0rNJ3eMmxrqnNfCe35HWOK9iEA9O52kLbhmmo+K0jDsC3hoc1Bsu03754rePapLFi4oRtxw2ahLpVTfNEgHGNguJSUUpKV28pvVhN133+Bysod9KrJxYtjWzjJpaf2U2sbyb2IUSwPLCGsUe6whCZwVLI53qeUgBIq/i7eBWwhMezvjUU6i08V1oQPBTq+3QNOTg8qVdLETYAiApO+9wsZ+7ko8QbV+hfCWiHepFSSVw8mmsooiOZucs3TRrw6e7skEOzrrQKDwbnltP4h0oW0KRStF10VhH6GqsNv5gusKhMVQ85q5HjbDmR1mhL6Weg1olrAhDiFSqSqTRqrLfU96UPQ99wUo+Z/x/XftnYthK3AePGgNJc9OoSewTvQtYWj4GWTES46fft9RqjCgUi5RudlOsDE876jQTsIMb70+TicGZn6cTaj49ECmUFwG6pq0ZqzYkgNFTVahrLPWQoV3HjhO95SczAAwK+gf9a/11h5Doa+3ViqJ/GC6r/5nhzmFC6nP+fsM041SiVtlQcQdFmu7EKOcDk9h+MZijh0J4Ta93/XbCUTEpvXKB8uscLa2jsocMyyy+THjwDY3XXdN9asKi+XDYQ87WN3bX2h3rfm0QuwBdqosApiCtt5a73GUXxyGIPogOHf/cOrZhIu7x+mJfkjLO2gtGspkvZ8dDZolff2LTTNJ/+ne9MJN6bowzWsY8isTCtvRugAdytKOdJ/gkkTUAVP/2+rQNTX0BBgQgJzIqBMLu+FDT4Sc3ySCqnqPpgQJqiH5y9faLdx4p23ZKxh4WSc0zqidHkibFvMzsouXMDNgKVeRuExWCPZyNrNl6c6220oIjmExUIlvmNDOFaeAedN+tMljJiORL70XI63ebwkNfc/BFwFr2kG1J96bNXHgGXmdAZ2Xt2+Do+MGWFuP52B2rk9Q/pF4XYTWjGSAJNzWyMfs4Z5eG6J2vNN0JWYXnu8tEeXzCXwmarYrxafoblBEVzbt0UON2TwzCqkk3G33k3wWwPZLuvnW5muCtyK9bDTmOIaaPlWPyQ0g/c29tlNKRtfSGGT71B/LT895S85G0p4mahUj7KPchCeB0xRsnd3xQQCzBoOUGgIn3b61pYjL/kLyO4Znr15L84o1osXsW+OzvbTD2yxn7KND6iG+7OaqCyt9TwYZN94dMl+0c0thmNrluhaJ3VioYacC+TJG9GhoE4GCZP4hz6urw5I0CLNtKLv+botrCvAq+daAE9dt/8GcZDkT9GBGidmyX12v03pkOpkOx8mLffE/Ccl9Mt6//sK5t019Q/myIt+i5YTrHGerAdWQTFdxQj3LG6xbWf9BRPU81Z9XqLO+KNnzdA18cGlxMAlR0Fodq8iVCtO9c7uS5XgkSFdNOWdhAw2we6qMmBp/pwDtZUxdeepj7TQfVynx//lT1tg7WOxd3nf0V9U94759Vvz7r7wvREwcjqa4AjJLoUQGfhddpmOd4ycqxreqx1MCKqY+E3kU36zedB7eO/P2hD6OkFDFacZUBXzIw+csTwT0ehSv6zHGSPvF1H0gXzjgoB6CgDznPfRLWnGBfBggK2O3CIjP9wjzs4hXlP14U+0KL9sycPfV32WDTLzLIzyhek4CpVT5nUMLz5uXgkCdiIW6yYs3e46+eZKkXC21bVh7O6PVvwsJci5gZAz3PGM7Bpgqz0WbSItVAJpkOqCNivdim88vD+CT/m9sIppz9USqCMOfx9/UplwXbVtfSUQXPlIRprDIV1vJWka3oY2uN0oz1VPDHgN5VJ4PSO1mnQPmFg4B/hPoNCo2HVu49DrQL86uuAw6xkfL0=,iv:dQC+JMRPyNFqbIYRSDMBXEmTVK5QmRbBpEYXG+06l+M=,tag:brQ2Fl9jtvmlT5N/gaN4jA==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age15787rncs5y0amtf3pp4wwt9nya94x2hyk5xaq4etzadvw756mg0qpzfpe7",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzeHJIMVM4N3Fmek5YK0Q2\nSUVkZjNTZDVSWm94R1pJM0VmQzFBRXc5ZWtzCmNKcGx4bUs3S1Q0Z3UvZzZnVG5E\ncXZ5ckh3bW9aOVJiQUVwWkhuOURId1EKLS0tIEVJTXkvNzd3MmhqUHNlOWhUNUpD\nZ1RIaFM3KzJEV3hIYzhpRHdnUWNqdlUKYrwm7YzhziAcj+m/T+8KNlsbbvBPTomG\nFY0gVbcWg91K4LKBom/bKZqv+mFoy1q+Yg/sjHwEnENeFNofxw1sIg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-10-23T13:42:58Z",
+		"mac": "ENC[AES256_GCM,data:BUQmiBa481d2vggylNYkIKBuOg579REAnxMxX/je+IOvGwx/ODC7W0Zm+bzUYtNa/hmvW4fxwmA8VBHNUPgHrmI7zbNQlXdegg3QcXabr0jr3tqcFkLU7LeOt72tCRSGiZSZ3Pz0GXLzhZo9u+t1d/NVVO3p6ZFp/8Ta5fxq0ns=,iv:8PZROLEwl9wdVXsEMMBNKkbnlboeZQiVKDvjiyGJW38=,tag:d+y/GgHHgcSS8SGqIiPs8g==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2024-10-23T13:42:46Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA5ntoryXZPD4AQf/bkqUTlPJyz9V389jPm1Y+G0WFPU9MpatGvcPbHrp0c6P\npfEjIoAbi7BO5jxrPL1Qca1QrxWTNqaFqQgtK87CWWY4yJ+I4Er+aAJ9VPvH1xk2\nmdDRxRjPm+Bt/QPT/RGyUK/ZHM4NlOdiU+JHAwcPR/+KG9F4G5KMKmrUA9HO8hBm\nlRHzrM2E+9Y+Eh1Az53CMwA6OXz0mx+/tRLuWjydQ5uLTzqV+HdDdegGdw4Cr6nb\n8wqwWhDRCoo/DhCJPVsbKAwCpjdQzPQgTx9gm2bH0pDVyE76OgOIiAEZDThamyVM\n+eJcs8Ydt2cSFXoH2nnxtyd3lL+rAuq1WbKeCtq5atJeAVpct1B3RMvv2M1TdZSR\nLUs0f8Kj3JP8iCtj07NBVD6+izRgHXH7cMVautDCfD6ojooXOZ4s38o1B0PECwx7\nYrwb+Vb0kHLYTXcQbWnCx8ox9OdWfOSZDBOqt88hMg==\n=saB9\n-----END PGP MESSAGE-----",
+				"fp": "3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.1"
+	}
+}
\ No newline at end of file
--- a/secrets/ldap.yaml
+++ b/secrets/ldap.yaml
+ldap:
+    root:
+        username: ENC[AES256_GCM,data:h6YGYg==,iv:QaCy9dRJNnI4UiQwgeboAxl8XZ+xGyYK8mLyybLNyF4=,tag:PQpKFwltnyRvmYJbPoGxvQ==,type:str]
+        password: ENC[AES256_GCM,data:3np5tR14nxbZe0hlX0Wd4/kDNRb3z3y3z13SyqTY3wE=,iv:yXz45Tsfof0U2JljSRxuUICRjNZ1U3YD4IlXsU4E0/o=,tag:XABl21e6uaj96ApLcRMSpA==,type:str]
+    upstream: ENC[AES256_GCM,data:KT6x/jm+p9+3e69yWE/hUMWlNrVuecUK3TcnRdqOJWA=,iv:n5P8NE7xUkOz68g/OcemnpZdEjT8aSEgzC4AS0kyStc=,tag:r+gEb4DIzdyBAsavBucvFQ==,type:str]
+    sync:
+        config: ENC[AES256_GCM,data:sgobPqiTsGDNfJKvIYiv+6E3s8Ipfog+2EVgz16ZPMwIU6u1id6cxPnE0nnCQcGVKc80owHmy/zYPzsPF7bHhSebGgZN8dN/xnP1xStIssqRP3XhSitNIMREImHs7iKT7f1/Km9CfZxm2WL2XPlaalK/oC/VJ9TiKcJjjnKuQvFbk1Ph2Pe2wPnd6/tZ8/EPGpRm1s+28YzaxWABFjLG/VEdrCJt45rOxpFXDXzQN/3iIRc7EM/CGQZEoJLky2QBd5597UuB9DBU7mkRUPv9JO7euMX9KH8CAYvHutOMpzEaD/LoRMmZxhpBhn3jQGj/uIyr13nJynQ39xkh58UYsENgyTMeAtr7MBzUDuAe1FC7f1NPbKpNuhaab25IqVwnGoOGOj5B8JcWZR1hDU5OTsp5xLTQn3K/SlWeii79EGwgS/pmtyCziQqtd+oS46dnWJupS5ESoU3gdXDvgzNnJsD3qCqrgY+pw3bcQY9D5HhhLdkYByiAbVgtTDVO9EZDxeyHG0APq1J3rkEZxTGunlx9M/wVWD2h/lVsY45KCD+0S9ukhxcEM89LTlI5jeiKbt689uPp6WjmfFo4sdFFm0XbpxTew1YXXORFC+nyM/nh9IhK3G9Jo2LvRDoX0XeZkH+Zmy8J5BZ7kwpdw6de8KEnpj+jyxFD15D5gQfGQC8vfiKA0yNoKdUNGPkkF4vRCFoJLIRnqJfmqWmXcW4E8BjiQId8nx6QGDty+i5HJnYktR7AvK61Q8VMjTYsT12Uwk9Buqn5AbC1Z7pwM7CgiRR7hpUIRYAlB6VBuqXK0xBqSqRIlT5izSyjCRz2W+njeWhPrKF4rSglzHr0/wB3lwpBF7VEOBuvItxhuTpdhZdN3RTAqehj/KRuPx1vdLKdH8s9xTx6leHvaBnVQJ4jCcO8wTMrHXVmGUPtZ852OIQpKjeLQqzSs9mDK/jT0zz5gQXChBiYIP+2XOVFuyoSqTKkMBf0zuPqcq8ZD9gSYc53/XWNGUFGWvzlb/PvnfkKnaetOlyIYelAgm0Tb9VNye1HPODxXnZ1DXhZwGw7CLfxtavu8PrmiQDZwD8FbOWwyDoQA+6rCijZ2gHnoyDP,iv:uX/5gv+bQEKXZPVJDXiBajaWasxmh/mZZq66UNaKe3Q=,tag:kvAZYD+kqcWtc/Oo+ym20g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age15787rncs5y0amtf3pp4wwt9nya94x2hyk5xaq4etzadvw756mg0qpzfpe7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3cld3OWl1aGhXVVBNVU1V
+            a2ZyUXYzZVpxRDRlRWNudWxyVk1DbVBTL1dFCjArL1dHYWMxWmRxWi85UXF6THZj
+            M0VTd1ZzL0VuelZhc2R3dDhwT3gyWkUKLS0tIEUwTERSZm5oQi9Mby9GK2lIbHN0
+            ZWpqODU3OFV5aFJtbWw1Z1RoZkFOWFkKx5XiXqHILOWKgsGawnIX402AzwmWOWz9
+            vZW2P/jP+HHDZOIae6seh1MNkBvlxu5wMSkwMTvrirBEtb0lkVbBmg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-10-23T15:39:50Z"
+    mac: ENC[AES256_GCM,data:x2XnbLAAWuCudb9C71I11Hmigh8sQE6lsy4YM5qg2IYRBrOnh+90MblMNAqlj5PX5/c2qg9wlRRpkCTtjcSDtur8j0dnbwQ1gg1AcwB0SWoG0QI1ynFZOJ/aCDeqcRK52AdSkrgz/wRSN2WpPX4O+hNvDRVASIyhumZQb6rrHRU=,iv:uBGxIZdwyGebtNCkpvLlVG1Wg1DdL00rJFxZjbbCV50=,tag:pg41so3tG+no/JaDA/SJMg==,type:str]
+    pgp:
+        - created_at: "2024-10-23T13:36:04Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+            hQEMA5ntoryXZPD4AQgAlPaof4Xuuq4D4J+b4KCa4HEh98ez1IYwn3b6x+8X2nyJ
+            BtV0KWf3R0OzD+KQTc93/LdHOowJ77iybzXtdCK9WZYfeBDzbpAXZrvzVL1xTPV8
+            o39m99VGx92l5vc4hqsaQmqORs1lMc82Uham/dJVt2Ly/0mJPaaoCo0YPSvLqdGB
+            ls3+tLUu76iD89eKtkYAM787EVRJpT5sZxfnKxKSoa2S1oAqj3H6OxfWnvXuUYNt
+            qiRaCZATrUHWnp1hM/Wi7eTMHNikKSKRIB3zZ2OJspX5LEWdB+bK/JDRSN6QJM20
+            SqMdIXcj7aBAKUN1GdKjF0kTw6Zj4hgseeOItaHIwtJeAUIFaFfPsshCNKB+pRKv
+            LkbfytPmWklHUcM3Y2X7JKco2CLNHL9+yFJxjfPsM4DbzgpT3gQ8woHbTD0bSXWC
+            XVGj4DuqEMRD8vJile6gbTZX2y7qZ5xdFlIVCLbG7w==
+            =t24P
+            -----END PGP MESSAGE-----
+          fp: 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1
--- a/secrets/root.yaml
+++ b/secrets/root.yaml
+root:
+    password: ENC[AES256_GCM,data:jRFQQV37t3q9LR77Y7Kb53WyqAhmuBiBFabp6DghGU3nSeHtI5YR3XeWP5h1UoPjj690EVHdE3Tz99jMJAl0EH7r4HrxzWEdRw==,iv:PdkPRKbm320PoaiHumQ2Dp/hswaiRFVv9qWVPDYdh3g=,tag:vmLJjAlvVhSZdf4rhVbemA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age15787rncs5y0amtf3pp4wwt9nya94x2hyk5xaq4etzadvw756mg0qpzfpe7
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3MFEwK1N2a3pnUkxYbWJx
+            Q0hITURYNDQ0WkV5aExsc2k5YVlqblY5cEgwCjlTckp1bDRSWTdYZ1Q2bWM0MXZt
+            V3d4Zit4ZVBnMUpBdXI5OXBER3Qrcm8KLS0tIEppL3JWeEJrNEpoV2J0eFM2bXA0
+            OUZKTThWTjdLaWcyL3BvSHBWa3JJNHcKnKf/g3ecf2rTUXjpka+Cq/UQYcQyZm+D
+            l0qiW6kshYAH2syrKYQ79aPNELuJ+hJIkifRDRcqJQP9jC/x7eBmAw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-10-23T12:49:25Z"
+    mac: ENC[AES256_GCM,data:sLMTdp2dZBeKKicETMyAZMN2FIbgJ282CAKLz57cK7lQrhiM5w1pMaYZp1imxTJYuRCL9mTlH0Zc5Jr3vHPQBVv8lzgqeOu4amponPlLPUa4TZX/FX04sQ/oKocO3wcOl9q7KJSNfur0ZEiFbpXC2KuNopAHCsO4KxHuixVtwlA=,iv:OBMURehlz5Mx4N6UbIDqdBewYwElgX18rHkc7NwDFpc=,tag:HLouzr4jhOFS6zgcuss3WA==,type:str]
+    pgp:
+        - created_at: "2024-10-23T13:36:12Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+            hQEMA5ntoryXZPD4AQf+P8g3YQx4KBqRc6ZqUxGH9U50RkB7QwhNkxDNpOCc1Msv
+            kUrMFCVO0OG5SMxSNgDSQA9GZNqL4/ovvP36zHoVx87xZd9jHlsLZmbMx7AVMXxA
+            +6PXej34NHYnNhXIIROapQajRqYyH4MEbdi7RVHayetrPifpUi3LDyCEZA3LozzS
+            WvoGKpaDMM9v2VyjvFguI9skDbs+1QDMogmuLeObVMVnzldCH37wKvVcPD9HslGW
+            6RlCopM+tMgTltfi3CkOKmwyqgGK3XOxIfoG43AfHm76nrNv3hMrQUpDhwawPdNt
+            p2kK81rlP3yMkp3WvlUsVdJMVReTyxSZPmsGflfpO9JeAdcnuP2qGTtWTvuo76Jz
+            eLCb/6GaCxQuohfhBZ5P4Lor/NsPmsGQwuyA/1Jwp3YALPbK6CYy0gY+FEK+kvXH
+            RJSkR4Ds/fYEDz1Aa9GHQinm+JJ8NL3zGL6RDta+xQ==
+            =o20C
+            -----END PGP MESSAGE-----
+          fp: 3237CA7A1744B4DCE96B409FB4C3BF012D9B26BE
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1
--- a/system.nix
+++ b/system.nix
+{ pkgs, config, inputs, ...}:
+{
+  time.timeZone = "Europe/Berlin";
+  console.keyMap = "de";
+  nix.nixPath = [
+    "nixpkgs=${inputs.nixpkgs}"
+  ];
+  users.mutableUsers = false;
+  users.users."root" = {
+    hashedPasswordFile = config.sops.secrets."root/password".path;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ fooker@k-2so"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAyA8xe6Ej6DpzYSFlyhf3P3QIE1spZAETSa3G/zJ4BjXxO0S4jKsA+Qah6mua2ZIWiRXF6o9JCYsdFKndn1uAzRrHwUk9LCspiI3bsl+EwrBhUbWYnMj2Atp9vMB1SJ6i6RKvDg1YZuvxi4H23MYs3B5a3TBRTlveBxGtZ8Q/YtVDwdW/v1WNAxYe2bz/LFxPNPry6REdGXCuA4cz5s/+ilhRvFQKHbJwC+/SxJIcTY6RAvOFh9wfus2NF0FaEPkwwLLDwxaMOaALwmzGmiBIi/XF3qnSYyPScmEwuq03jmM8qPhJHUHEaxp/cLkjqDWtu+SziEBJ3fu/y/A+vqBS9w== christianpape"
+    ];
+    packages = with pkgs; [
+      vim
+      wget
+      curl
+      tmux
+      fd
+      ripgrep
+      htop
+      iotop
+      iftop
+      file
+    ];
+  };
+#  system.autoUpgrade = {
+#    enable = true;
+#    
+#    flake = inputs.self.outPath;
+#    flags = [
+#      "--update-input" "nixpkgs"
+#    ];
+#
+#    dates = "02:00";
+#    randomizedDelaySec = "45min";
+#  };
+  services.haveged.enable = true;
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = "without-password";
+  };
+  networking.firewall.allowedTCPPorts = [
+    22
+  ];
+  sops.secrets."root/password" = {
+    sopsFile = ./secrets/root.yaml;
+    neededForUsers = true;
+  };
+}