diff --git a/machines/eve/configuration.nix b/machines/eve/configuration.nix
index 86e7fcca2..d909c0796 100644
--- a/machines/eve/configuration.nix
+++ b/machines/eve/configuration.nix
@@ -42,6 +42,7 @@
 ./modules/goatcounter.nix
 ./modules/grafana.nix
 ./modules/harmonia.nix
+ ./modules/mtls-cache.nix
 ./modules/knot
 ./modules/mastodon-hnbot.nix
 ./modules/n8n
diff --git a/machines/eve/modules/mtls-cache.nix b/machines/eve/modules/mtls-cache.nix
new file mode 100644
index 000000000..bce65082f
--- /dev/null
+++ b/machines/eve/modules/mtls-cache.nix
@@ -0,0 +1,69 @@
+{
+ config,
+ pkgs,
+ ...
+}:
+{
+ # mTLS binary cache for testing nix client certificate authentication
+ # See: https://github.com/NixOS/nix/pull/13030
+ #
+ # Usage with nix (once PR is merged):
+ # nix-store --store https://cache2.thalheim.io?tls-certificate=/path/to/client.crt&tls-private-key=/path/to/client.key -r /nix/store/...
+
+ # Generate CA and client certificates using clan vars
+ clan.core.vars.generators.mtls-cache = {
+ files = {
+ # CA certificate and key - nginx needs to read the CA cert
+ ca-cert.owner = "nginx";
+ ca-key.secret = true;
+ # Client certificate and key (for testing)
+ client-cert = { };
+ client-key.secret = true;
+ };
+
+ runtimeInputs = [ pkgs.openssl ];
+
+ script = ''
+ # Generate CA key and certificate
+ openssl ecparam -genkey -name prime256v1 -out "$out/ca-key"
+ openssl req -new -x509 -days 3650 -key "$out/ca-key" -out "$out/ca-cert" \
+ -subj "/CN=cache2.thalheim.io CA"
+
+ # Generate client key and certificate
+ openssl ecparam -genkey -name prime256v1 -out "$out/client-key"
+ openssl req -new -key "$out/client-key" -out /tmp/client.csr \
+ -subj "/CN=nix-client"
+ openssl x509 -req -in /tmp/client.csr \
+ -CA "$out/ca-cert" -CAkey "$out/ca-key" -CAcreateserial \
+ -out "$out/client-cert" -days 3650
+ rm -f /tmp/client.csr
+ '';
+ };
+
+ # Nginx virtual host with mTLS
+ services.nginx.virtualHosts."cache2.thalheim.io" = {
+ useACMEHost = "thalheim.io";
+ forceSSL = true;
+
+ # mTLS configuration
+ extraConfig = ''
+ ssl_client_certificate ${config.clan.core.vars.generators.mtls-cache.files.ca-cert.path};
+ ssl_verify_client on;
+ '';
+
+ # Proxy to harmonia (same backend as cache.thalheim.io)
+ locations."/".extraConfig = ''
+ proxy_pass http://127.0.0.1:5000;
+ proxy_set_header Host $host;
+ proxy_redirect http:// https://;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ # Pass client certificate info to backend (optional, for logging/debugging)
+ proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
+ proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
+ '';
+ };
+}
diff --git a/vars/per-machine/eve/mtls-cache/ca-cert/machines/eve b/vars/per-machine/eve/mtls-cache/ca-cert/machines/eve
new file mode 120000
index 000000000..85c11f4db
--- /dev/null
+++ b/vars/per-machine/eve/mtls-cache/ca-cert/machines/eve
@@ -0,0 +1 @@
+../../../../../../sops/machines/eve
\ No newline at end of file
diff --git a/vars/per-machine/eve/mtls-cache/ca-cert/secret b/vars/per-machine/eve/mtls-cache/ca-cert/secret
new file mode 100644
index 000000000..19be0dee0
--- /dev/null
+++ b/vars/per-machine/eve/mtls-cache/ca-cert/secret
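Review bot: The CA private key looks to be decryptable by the same host that only needs to verify clients: `ca-key.secret = true;` in the `files` block leaves deployment at its default, and the commit adds `vars/per-machine/eve/mtls-cache/ca-key/machines/eve`, which appears to make eve a recipient, so a compromise of eve would also expose the key that signs certificates accepted by `ssl_verify_client on;`. nginx reads only `ca-cert`; if the clan version in use supports the per-file `deploy` option, `ca-key = { secret = true; deploy = false; };` and the same for `client-key` would keep both private keys off the server. The generator script also writes the CSR to the fixed path `/tmp/client.csr`; a file inside a `mktemp -d` directory avoids depending on the generator sandbox for /tmp isolation. Because the comment says the proxied backend is shared with cache.thalheim.io, the `X-SSL-Client-Verify` and `X-SSL-Client-DN` headers should stay informational unless every other vhost in front of 127.0.0.1:5000 overwrites them, and a comment saying so next to the two `proxy_set_header` lines would help.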
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:Upo6s3M652KrWe25zLsevJkNBR+xBkkyklamk0BVq58=,tag:GXoBy15/4vzczAyx/X+L4A==,type:str]", + "sops": { + "age": [ + { + "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBReUFpWlY2aFhuSXo0V3pY\neE94S04xVjZabWxHRnMyZHlGNWl2cGxrdHdzClNqakNPbUJRWDFFK2hmRjl5NkdP\nQnVNamF1ODJEVllzd3dhWnVQMHI5Q1kKLS0tIFE5eHJ1Sjc0QUhPSHg5SjQrbnhs\nbFZSK3h0ZFFyVWc5c3dmMk9JYWdkZFEKvxEHeHmqUxRVzFdRBTnG9Ua89FfFIZNR\nrWWp/cnGu72RLP9TXLqRaf86XXF9AfR7ZiE/MmrtERp/jtvDoOfHCQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1hjm3aujg9e79f5yth8a2cejzdjg5n9vnu96l05p70uvfpeltnpms7yy3pp", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjL1VHaG1lM1gzdE11WHpz\nMThQL05SMU5tL1hsWUtSTzR6bDJnYlZwc0JBCmhwQTA3T250YWRTbUNxVk9raHFJ\nSE9qZUV3RjdBNXM2OFFvcUYvZ1htTEkKLS0tIGROcGR5bUpHN251bkRrZVdQK0E2\nc3IvU2tqMDdYN251SG82NGJvMlIvNXcKMpge6JRlEKl7ZNay6fAGhtO9fCwfhULt\nEFd78tIUcANvpG6ltAqtKcT6kTLHZFjX646Fv7i+2IN98JySYaIvKA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhZXNIVDhaZTkySTFqNXlm\ndllDUzloeXErZ04xZFVmVm9ZZ05yM1ZySWhrClAwTTM4dnZjNFNIcmlrQzh6SmZp\nY1RVTnpYRVhXQVlJd005N0RaY1NHY2MKLS0tIGF6Q2dKSGx5UHJPcU5DbklCTjdn\nR1NObHNjV0lVaU81N2VRSUFSbGQyN3MK5ytoOYfw/SV7n6cuFKYqcfSGNhwh+r2Q\nKnU3Qib36H0LQyZQ/4TX4xEpmsnVsBZsR0yhHtzJVl6s0uMgzLthAw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-25T13:48:18Z", + "mac": 
"ENC[AES256_GCM,data:iZzaBmrEKX9eivoOPjf4LTViclHAZA/qfg8WW/aC+trb04M0r2Qho2oNWLa+DAWrK9rzT4Qd39Iw6ZsSIq4AKrHnO4XDaHBjPp0v+Hi1VJuPYr39gqO7TbhvZJQq6Am9qVP+xkXH2MPb6U3+Xf3bPERyid+FfBQcFBv/5Gp9p88=,iv:5TIgqcuEsQEtd3z+mmAMCmqhuIiyvYVQ/XPldw712VU=,tag:d8tgaQSyZDq9JjKPN2uV8g==,type:str]", + "version": "3.11.0" + } +} diff --git a/vars/per-machine/eve/mtls-cache/ca-cert/users/joerg b/vars/per-machine/eve/mtls-cache/ca-cert/users/joerg new file mode 120000 index 000000000..5d6658fc6 --- /dev/null +++ b/vars/per-machine/eve/mtls-cache/ca-cert/users/joerg @@ -0,0 +1 @@ +../../../../../../sops/users/joerg \ No newline at end of file diff --git a/vars/per-machine/eve/mtls-cache/ca-key/machines/eve b/vars/per-machine/eve/mtls-cache/ca-key/machines/eve new file mode 120000 index 000000000..85c11f4db --- /dev/null +++ b/vars/per-machine/eve/mtls-cache/ca-key/machines/eve @@ -0,0 +1 @@ +../../../../../../sops/machines/eve \ No newline at end of file diff --git a/vars/per-machine/eve/mtls-cache/ca-key/secret b/vars/per-machine/eve/mtls-cache/ca-key/secret new file mode 100644 index 000000000..cedf57bb2 --- /dev/null +++ b/vars/per-machine/eve/mtls-cache/ca-key/secret 
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data:S/OEZkYq+8mradRB3fcjKqWBD5hWdXSNz/V3XBVoTE/ojsl6o6OOvUCzvNQGdwfUGr/ooPkZmxqQXRY8qwqagUAbAQVKQZCcR8BzRFk9TmSs5OtckuFe7/CK0pnuMES46lqhLsKicUu9DQy0pfj1GBJF0P6sbC/BJ3Xp7Ih5oqBJwJEPBiwVnL9HsrmnJwoGmBNwco1iHIbpee7+EKe0PtXuGz7b1BqOyl0biLcQvpoGHKGJKziki5txuuBLkBMI4WjIJyaqBFpbX/UMkpjaxTh5kiUaWG3++gDMu58dB+wOTvNsMvPiMkElKHaHJYUWiWD/4E/ELO/+wb1pyp7UXCwH+cfvbreCGb//5w+eHwiji3sFHKmEi1c81uBwmT1yakgFgbDfb1/jUR8tRyA=,iv:hWtRVY9M/tXksrAveGT3oWQYn7Xiz/937M/gyERLvRo=,tag:45/YPpnz6M5hrDNblBkhjw==,type:str]", + "sops": { + "age": [ + { + "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGeHo1QWgwNjltQ0FCL0RP\nS1B6dFI1M3RGZHZWbWtqNUE0ajdyTFdFM2tvClp1SlR4SklQOTM2MzV3bHYvdFBr\ncCszSUlwc2VYRU9kZVBhNDR4aEF6Q0kKLS0tIHVsVU1mSEluOHJpMHJZTmVEeVAy\nLzR2bWhGRHNRQzNub1p0VGlsOVY4bzgKFXC+UT6YeIVEj7sm9kz1FzeYRcA41MFK\nThPfnxKOiAW79RuRoXk0Spne8yPFe7XRUs+ZkBH8C06Am4N948BwCA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1hjm3aujg9e79f5yth8a2cejzdjg5n9vnu96l05p70uvfpeltnpms7yy3pp", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGUEVhcEhnSnJwbEVnaUZy\nT0NaS3JDSGpJZEpoTS9jSTdHQ0lHd0NOZFRJCjMyeEhZV0VHZDNYOTN6bGxRcXhT\nVlJMaFdBd0EyVkN4OTU2bzdTc1Z3OXcKLS0tIHRIR2Y4ekpqaWFHNmEwcngzSk54\nbnZKVks2a1FlalpIWWNJcXB2Y2NkZUEKqKCxy7LB8iLKwRqiSl68L1BiFnmZnPw1\nRLDxy6jfwMx5zeWfwM+iHsHMneO5IfI/9hu7JLB9i/EUx5oC2WCYmQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEbjJoTHFDUSs5N1AySkZV\nRjNnNjlVQ3hNcitqdUR2bUttaGhvMDJJVlNNCjBOcEZ2MXBDekx6M3NQSXdiZFFG\nZjE3ZnVKczBLUTg4bXRDVzl5aURnTzgKLS0tIDNmYk9aeFNPN2w2bVRkSURzVFZa\nRS9iWXF3cHNOSG5QZFczTXZhVExKMWcKEyPjDAtq4pEJEhbba/cnpL4G0nMO6VBw\nxS+3KmtHUZYd7CkRJoiFRZqpQ9RPWSCfsEXnN8c7LZ+TTaJ/LCJGdA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-25T13:48:19Z", + "mac": "ENC[AES256_GCM,data:dHqLqyvmXqHDDXbkfVc9ugxYTaU0gJa76QEm+XpF8sGD2T3cEPrhTJUqucjxYjFoVltsbAQ4CS8QCIIhI5ydZTOW5onKdlZzyilQsuNpw8gQUYxoLVGmS0fVT0k0INczCFr/t5nQs91vVohG0FJJhs1LnOGiDuEtsgKd3KcbuKI=,iv:81X1YwBfz+wh6BA1oboPMZd22rtAIRucYdrbVD/JD3Q=,tag:iCCI3d/slGhdRo0Kaosilg==,type:str]", + "version": "3.11.0" + } +} diff --git a/vars/per-machine/eve/mtls-cache/ca-key/users/joerg b/vars/per-machine/eve/mtls-cache/ca-key/users/joerg new file mode 120000 index 000000000..5d6658fc6 --- /dev/null +++ b/vars/per-machine/eve/mtls-cache/ca-key/users/joerg @@ -0,0 +1 @@ +../../../../../../sops/users/joerg \ No newline at end of file diff --git a/vars/per-machine/eve/mtls-cache/client-cert/machines/eve b/vars/per-machine/eve/mtls-cache/client-cert/machines/eve new file mode 120000 index 000000000..85c11f4db --- /dev/null +++ b/vars/per-machine/eve/mtls-cache/client-cert/machines/eve @@ -0,0 +1 @@ +../../../../../../sops/machines/eve \ No newline at end of file diff --git a/vars/per-machine/eve/mtls-cache/client-cert/secret b/vars/per-machine/eve/mtls-cache/client-cert/secret new file mode 100644 index 000000000..31ba769e4 --- /dev/null +++ b/vars/per-machine/eve/mtls-cache/client-cert/secret 
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:XyKhUawB6oXDKdIS7dggjZa8YWvhwMDDauf1W1HncxU=,tag:R6eWoEt+OPn0XVZ/BlolwA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4blI2K3BaNGd2MG5hQ1Aw\nbWg2WWpKRm5aaG5VdUhseDB2NjJsd3p0Z1JBClEzWEswSHRYRUZJQ1l1NnhQTGMr\nTDdNbWRXblhjL2toMTNNODJBSkVyVDQKLS0tIDlMOUFaczl6VkdiVmg2SFF1ajI1\nVldnc2Q1WWUvdVhWZmh6NWZQdWhBYjAKPqL/Oswdf1iR6JWUllbxihm9dFefyx41\nFNh40Ie3WnXngPz5KRRccCO99psqy7qqLjrAqFOZg9m9JP25jYJPxQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1hjm3aujg9e79f5yth8a2cejzdjg5n9vnu96l05p70uvfpeltnpms7yy3pp", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwWS8rU2lHTnRVNGdKVTlh\naG9BamlHVWlDM09HQWtUNnlqWVFJNGpWNVVvCnc0b1JHVXJXdlc3MEpJb3dZckFT\nMXA4SUtxNXlZbjBEWWZHa1ZLa3I3eUkKLS0tIHcrMzlBaG1BVy9LRGVzbURzSjh0\nK2Z3Y2J0VFhsWXRwWGlLQ05ldHc1dGsKOH5tkuhvzOMNuZwu1xabrRWroNZfFAi4\nvC4Zg715I5AjfJHd/QcYMxg1LacCRE+l9L4PCe1pEVxi4wjsGVZZFQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUVhQN2dDeGNVSmhoK05u\nTTNsbVRmZjd5QUVlanpnV2UybFp3eVhRckdFClRxNm1YUFJ4NmFwSHI5THhvUGdt\ncFNaT3ZRZ0ppanBLb0g1WnVIanJMS1UKLS0tIC81bXRRTkJmZnJUL1hRQ0duNnVz\nM05nN1pGRFRQTG03czJOZ1FRNGw5OXcKrMkVJWBIzMvl2ZKzsWIdb5eDWyUCXfYs\nojpyqyKpKxDTvg3l1Drt9cEmVmBf8yDa0udBCBbkSTF2LE8C9CqDnA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-25T13:48:19Z", + "mac": 
"ENC[AES256_GCM,data:pM1r5i1J6S5S+tUhxOdVhtZAcPPWAdi/cUrszNN9VHA79TMGLiJSkAY9mIrDT8f0fO8te8VNkd7rDGehO1G0BsKdDHnnkzTm66hd4WpJQmHE2GDQmkjBuizfNEItjOnZ6LawLEmTNGblMSUgQ/7ktNor3i54Lka+9S+NQt6+NQQ=,iv:kD/+zTZ7OS5zlcKdTbqKwttBb71HjCWjZNmMWZNdzz4=,tag:IRKkKkQIFofQjxJqLvvPww==,type:str]", + "version": "3.11.0" + } +} diff --git a/vars/per-machine/eve/mtls-cache/client-cert/users/joerg b/vars/per-machine/eve/mtls-cache/client-cert/users/joerg new file mode 120000 index 000000000..5d6658fc6 --- /dev/null +++ b/vars/per-machine/eve/mtls-cache/client-cert/users/joerg @@ -0,0 +1 @@ +../../../../../../sops/users/joerg \ No newline at end of file diff --git a/vars/per-machine/eve/mtls-cache/client-key/machines/eve b/vars/per-machine/eve/mtls-cache/client-key/machines/eve new file mode 120000 index 000000000..85c11f4db --- /dev/null +++ b/vars/per-machine/eve/mtls-cache/client-key/machines/eve @@ -0,0 +1 @@ +../../../../../../sops/machines/eve \ No newline at end of file diff --git a/vars/per-machine/eve/mtls-cache/client-key/secret b/vars/per-machine/eve/mtls-cache/client-key/secret new file mode 100644 index 000000000..7413ea08a --- /dev/null +++ b/vars/per-machine/eve/mtls-cache/client-key/secret 
@@ -0,0 +1,22 @@ +{ + "data": "ENC[AES256_GCM,data:uk5Xxk0HjXLTU+RJLcYd34H+kovch+OfIiSoHHbab1CyJs6BcHReHADkWyWQd5CdBd69MYYtDQPG0Kt2X2ChbfxBXm3CubihfkAAu8PQ0Lgpv+mVZDtwP88J1kNY++dsv8aP2TRPhBesuodPUfb4YuO0bNpkDH4Unji09NrdSM4W0qAYWyxM1h2EVC5PQVyrVQSuxevb7p5hZF5tA5clYGGvjz/YC4rlGae6DMZ51XZiIx1KSNKXTmC8hGNDnFx9x7qQwvjHPaEAgsNJCPHEw1ZuTh8ua83XMJXkUiAxAtiEa6FBzxr2gwgyowbOiJazloiy0/TRDNaD7begNq3Gu0hC7DDF+wUXDBsK5Sw0k1W7RC1cs8r8ARGZV3rXTLgeyA9Xa44YyyGNIuif0ro=,iv:FajR192MaT40xCiSFferxW3EMDMw7816CpiE6G8qnhM=,tag:zCYYBucnasQhwKwRfIYR0A==,type:str]", + "sops": { + "age": [ + { + "recipient": "age17n64ahe3wesh8l8lj0zylf4nljdmqn28hvqns2g7hgm9mdkhlsvsjuvkxz", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuSitPeXVYWEoxd0F1d0p5\nZ2dkaDVNT2krZzRFYWwrNkpxUVZuYjRKbFhnCm9rc0xsNmVNcW1VVlJ0Y1ZGdEpj\nUnBweTg0N0J4eEhzVTEydzMwUUpXN2MKLS0tIDNtSG9wVmg2TVFPNFVtcVVWcWxa\nYXU2RWVweWFMbGMvS1VVcU4yVzVYSGsKJDOXIX7AxutZCKelowWOInMX7zB/lb02\nu800sbwDn64nQQg0/QbvWKJG9efnm036RbMoYMLQRHQkhodW+uJIZw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1hjm3aujg9e79f5yth8a2cejzdjg5n9vnu96l05p70uvfpeltnpms7yy3pp", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2amNMVHBVRVhRR3I5Smx3\nMUJhSnk0aTVFR1NTTjFLalBRQzhGd0xNTVVzCmJwL1RNSGY0dFFKa0dEMkYwRGpK\nWCtaVmNORjlPZnZPL3haY2ladUQvTXcKLS0tIGtiQXdYRjA4M3hjZFAwZytnbWti\nMS9Qa21NbHRLNFBDNUhNcldDMWpNNEEK8SE4IdBVMDE/gtGpxprWM5sg12Ig9XZU\n63duV+8Ws5VJCYJ6Pj95vHUPjgvFxAPQhVFJlAHLo0+qCBG4d5WnMA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1nnm255ah9wa4gpsaq0v023a75lnmlcxszt9lc6az3mtwzxgrucfq45rp7h", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBb1l3Z2NIbHNXMkxOeFVj\nclczcFhydHk4WnFFYmVVZk1GM2s0bTJKZ0FZClYzWmExMW1GSi8wZUhGTnB0Q1VS\nWU5YNC9scit0a3RhclNLVzNpOXdUaUkKLS0tIDdhSXdnNnJuTjh4R3JsSm4xMjJI\ndDNxVVNlTmk1OFE2ZEloVUlmRnRCY1UKcPlERhq8eECYLGHAF6JiHzw1qJKKXBgj\noGxAGS/LdgpsuZRq9UbsuQ2AFgeoPemVxAED+HNiOJ+TidZtHCycBg==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2026-01-25T13:48:19Z", + "mac": "ENC[AES256_GCM,data:RxWTiPQaQoTwruaVtxuK3LrSPzPOgSWsOcGQq4eHBKCBNZ+gYkj+uTM1idTeza2Vhg8T4Y+JIOIjYdvbtgoFNcPHqqU+YqH/AV+S5W0xb3uatnIm+85IXmGwayTGtuyVblxp3ig+P0VyF+14cGQF2GqBJbJK3DzlzZzjYryCvEA=,iv:LHEGopEMv/hE1FJnSgjh5u1tlB9+8CRrRkczEfa5fuo=,tag:F8lNDrKVQZ+yxiXUZDVYHg==,type:str]", + "version": "3.11.0" + } +} diff --git a/vars/per-machine/eve/mtls-cache/client-key/users/joerg b/vars/per-machine/eve/mtls-cache/client-key/users/joerg new file mode 120000 index 000000000..5d6658fc6 --- /dev/null +++ b/vars/per-machine/eve/mtls-cache/client-key/users/joerg @@ -0,0 +1 @@ +../../../../../../sops/users/joerg \ No newline at end of file