From 650a206aa49e2cbb33e46faaac0867716122db7e Mon Sep 17 00:00:00 2001
From: emily
Date: Tue, 12 Nov 2024 18:03:31 +0100
Subject: [PATCH] crime: fix config
---
 config/common/openssh.nix | 2 +-
 config/hosts/crime/configuration.nix | 16 +--
 config/hosts/crime/nginx.nix | 114 ---------------
 config/services/arrs/default.nix | 58 ++++++++
 config/services/arrs/landingPage.html | 27 ++++
 config/services/jellyfin.nix | 41 ++++++
 modules/nginx/default.nix | 49 ++++---
 modules/nginx/kyouma_Root_CA.pem | 192 ++++++++++++++++++++++++++
 8 files changed, 353 insertions(+), 146 deletions(-)
 delete mode 100644 config/hosts/crime/nginx.nix
 create mode 100644 config/services/arrs/default.nix
 create mode 100644 config/services/arrs/landingPage.html
 create mode 100644 config/services/jellyfin.nix
 create mode 100644 modules/nginx/kyouma_Root_CA.pem
diff --git a/config/common/openssh.nix b/config/common/openssh.nix
index 08db182..740de64 100644
--- a/config/common/openssh.nix
+++ b/config/common/openssh.nix
@@ -39,7 +39,7 @@ in {
 ];
 settings = {
- PermitRootLogin = "prohibit-password";
+ PermitRootLogin = "no";
 PasswordAuthentication = false;
 KbdInteractiveAuthentication = false;
diff --git a/config/hosts/crime/configuration.nix b/config/hosts/crime/configuration.nix
index f3e45ce..6ed42ac 100644
--- a/config/hosts/crime/configuration.nix
+++ b/config/hosts/crime/configuration.nix
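Review bot: `PermitRootLogin = "no"` lands in config/common/openssh.nix, so it presumably takes effect on every host that imports the common profile, which is wider than the "crime: fix config" subject suggests. Any deployment or recovery path that still logs in as root with a key will stop working once this rolls out, so each host should have a non-root admin account with working keys first. A short comment above the setting would record the intent, e.g. `# root SSH disabled on all hosts; administer via an unprivileged user + sudo`. The enclosing `settings` attribute set starts and ends outside the hunk.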
@@ -4,24 +4,18 @@
 ../../profiles/headless.nix
 ../../profiles/kartoffel.nix
 ../../profiles/lxc.nix
+ ../../services/arrs
+ ../../services/jellyfin.nix
 ../../services/nginx.nix
- ./nginx.nix
 ];
 networking.hostName = "crime";
 systemd.network.networks."98-eth-default" = {
 address = [
- "2a0f:be01:0:100::1337/128"
- "2a0f:be01:0:100::1338/128"
+ "2a0f:be01:0:100::b00b:a/128"
 ];
 };
- security.acme.certs = {
- "fentanyl.trade" = { extraDomainNames = [ "frotti.ng" "watch.kyouma.net" ]; };
- "crime.kyouma.net" = {};
- };
+ security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
- services.jellyfin.enable = true;
- services.sonarr.enable = true;
- services.radarr.enable = true;
- services.prowlarr.enable = true;
+ kyouma.nginx.defaultForbidden = "fentanyl.trade";
 }
diff --git a/config/hosts/crime/nginx.nix b/config/hosts/crime/nginx.nix
deleted file mode 100644
index 693d4e7..0000000
--- a/config/hosts/crime/nginx.nix
+++ /dev/null
@@ -1,114 +0,0 @@
-{ pkgs, ... }:
-let
- landingPage = pkgs.writeTextDir "index.html" ''
-
-
-
- crime.kyouma.net
-
-
-
-
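Review bot: `security.acme.defaults.server` now points at the Let's Encrypt staging directory, whose certificates chain to a test root that browsers and other clients do not trust. The vhosts on this host are built by `createHost` in modules/nginx/default.nix with `forceSSL = true`, so clients of fentanyl.trade and crime.kyouma.net would get certificate errors for as long as this line stays. If it is a temporary debugging aid, mark it with a comment such as `# TODO: staging CA for testing only, remove before serving real clients`; otherwise drop the line so the production directory is used.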

Welcome to crime.kyouma.net!

-

If you see this page, the nginx web server is successfully installed and - working. Further configuration is required.

- -

Sonarr - crime.kyouma.net/sonarr
- Radarr - crime.kyouma.net/radarr
- Prowlarr - crime.kyouma.net/prowlarr

- -

Thank you for using nginx.

-
-
- '';
- extraConfig = ''
- add_header Strict-Transport-Security $hsts_header;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-XSS-Protection "1; mode=block" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header Referrer-Policy "same-origin" always;
- '';
- proxyConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Protocol $scheme;
- proxy_set_header X-Forwarded-Host $http_host;
- '';
- jellyAddr = "[::1]";
- jellyWeb = {
- forceSSL = true;
- #http3 = true;
- #quic = true;
- inherit extraConfig;
-
- locations = {
- "= /".return = "302 https://$host/web/";
- "/" = {
- proxyPass = "http://${jellyAddr}:8096";
- extraConfig = ''
- ${proxyConfig}
- proxy_buffering on;
- '';
- };
- "= /web/" = {
- proxyPass = "http://${jellyAddr}:8096/web/index.html";
- extraConfig = proxyConfig;
- };
- "/socket" = {
- proxyPass = "http://${jellyAddr}:8096";
- proxyWebsockets = true;
- extraConfig = proxyConfig;
- };
- };
- };
-in {
- services.nginx = {
- virtualHosts = {
- "fentanyl.trade" = jellyWeb // {
- enableACME = true;
- };
- "frotti.ng" = jellyWeb // {
- useACMEHost = "fentanyl.trade";
- };
- };
- };
- kyouma.nginx.virtualHosts = {
- "watch.kyouma.net" = { redirectTo = "fentanyl.trade"; };
- "redirect" = {
- default = true;
- reuseport = true;
- useACMEHost = "fentanyl.trade";
- extraConfig = ''
- return 403;
- '';
- };
- "crime.kyouma.net" = {
- listenAddresses = [ "[2a0f:be01:0:100::1338]" ];
- locations = {
- "/".root = landingPage;
- "/sonarr/" = {
- proxyPass = "http://127.0.0.1:8989";
- recommendedProxySettings = true;
- };
- "/radarr/" = {
- proxyPass = "http://127.0.0.1:7878";
- recommendedProxySettings = true;
- };
- "/prowlarr/" = {
- proxyPass = "http://127.0.0.1:9696";
- recommendedProxySettings = true;
- };
- };
- };
- };
-}
diff --git a/config/services/arrs/default.nix b/config/services/arrs/default.nix
new file mode 100644
index 0000000..ebfecb8
--- /dev/null
+++ b/config/services/arrs/default.nix
@@ -0,0 +1,58 @@
+{ lib, pkgs, ... }: {
+
+ users.groups.crime = {};
+
+ services = {
+ prowlarr.enable = true;
+ } // lib.genAttrs [ "sonarr" "radarr" ] (_: {
+ enable = true;
+ group = "crime";
+ });
+ systemd.services = lib.genAttrs [ "radarr" "sonarr" ] (_: {
+ wants = [ "rclone-mezzomix.service" ];
+ serviceConfig.UMask = "0002";
+ });
+
+ systemd.mounts = lib.singleton {
+ description = "rclone mount";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" "radarr.service" "sonarr.service" ];
+
+ where = "/mnt/mezzomix";
+ what = "mezzomix@otos.feralhosting.com:private/rtorrent/data";
+ type = "fuse.sshfs";
+ options = "_netdev,rw,nosuid,allow_other,default_permissions,follow_symlinks,identityfile=/etc/keys/ssh_host_ed25519_key";
+ };
+ systemd.automounts = lib.singleton {
+ name = "mnt-mezzomix.automount";
+ where = "/mnt/mezzomix";
+ wantedBy = [ "multi-user.target" ];
+
+ automountConfig.TimeoutIdleSec = 0;
+ };
+ environment.systemPackages = [ pkgs.sshfs ];
+ programs.ssh.ciphers = [ "aes256-ctr" ];
+
+
+ kyouma.nginx.virtualHosts = {
+ "crime.kyouma.net" = {
+ verifyClientCert = true;
+ locations = {
+ "/".root = ./landingPage.html;
+ "/sonarr/" = {
+ proxyPass = "http://127.0.0.1:8989";
+ recommendedProxySettings = true;
+ };
+ "/radarr/" = {
+ proxyPass = "http://127.0.0.1:7878";
+ recommendedProxySettings = true;
+ };
+ "/prowlarr/" = {
+ proxyPass = "http://127.0.0.1:9696";
+ recommendedProxySettings = true;
+ };
+ };
+ };
+ };
+ security.acme.certs."crime.kyouma.net" = {};
+}
diff --git a/config/services/arrs/landingPage.html b/config/services/arrs/landingPage.html
new file mode 100644
index 0000000..e32b0ec
--- /dev/null
+++ b/config/services/arrs/landingPage.html
@@ -0,0 +1,27 @@
+
+
+
+crime.kyouma.net
+
+
+
+
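Review bot: The sshfs mount authenticates with `identityfile=/etc/keys/ssh_host_ed25519_key`, which by its name is the machine's SSH host key being reused as a client credential towards an external server. That ties two trust roles to one key, so rotating either one breaks the other; a dedicated key pair for this mount, e.g. `identityfile=/etc/keys/<dedicated-mount-key>`, authorised only for that remote account, keeps them separate. `programs.ssh.ciphers = [ "aes256-ctr" ]` is a system-wide client setting, so every outbound SSH connection from this host loses the AEAD ciphers; scoping it to the one remote with a `Host` block in `programs.ssh.extraConfig` would limit the effect. Minor: the unit `description` says "rclone mount" and the services want `rclone-mezzomix.service`, but the hunk defines an sshfs mount and no such service, so both look stale.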

Welcome to crime.kyouma.net!

+

If you see this page, the nginx web server is successfully installed and +working. Further configuration is required.

+ +

Sonarr +crime.kyouma.net/sonarr
+Radarr +crime.kyouma.net/radarr
+Prowlarr +crime.kyouma.net/prowlarr

+ +

Thank you for using nginx.

+
+
diff --git a/config/services/jellyfin.nix b/config/services/jellyfin.nix
new file mode 100644
index 0000000..5452cfe
--- /dev/null
+++ b/config/services/jellyfin.nix
@@ -0,0 +1,41 @@
+{ lib, ... }: {
+
+ users.groups.crime = {};
+
+ services.jellyfin = {
+ enable = true;
+ group = "crime";
+ };
+
+ systemd.services.jellyfin.serviceConfig.UMask = lib.mkForce "0002";
+
+ kyouma.nginx.virtualHosts = {
+ "watch.kyouma.net".redirectTo = "fentanyl.trade";
+ "fentanyl.trade" = {
+ serverAliases = lib.singleton "frotti.ng";
+ locations = {
+ "= /".return = "302 https://$host/web/";
+ "/" = {
+ proxyPass = "http://[::1]:8096";
+ recommendedProxySettings = true;
+ extraConfig = ''
+ proxy_buffering on;
+ '';
+ };
+ "= /web/" = {
+ proxyPass = "http://[::1]:8096";
+ recommendedProxySettings = true;
+ };
+ "/socket" = {
+ proxyPass = "http://[::1]:8096";
+ recommendedProxySettings = true;
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+ security.acme.certs."fentanyl.trade".extraDomainNames = [
+ "frotti.ng"
+ "watch.kyouma.net"
+ ];
+}
diff --git a/modules/nginx/default.nix b/modules/nginx/default.nix
index b9d827c..e861390 100644
--- a/modules/nginx/default.nix
+++ b/modules/nginx/default.nix
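Review bot: The `fentanyl.trade` vhost sets no vhost-level `extraConfig`, and `createHost` in modules/nginx/default.nix only appends the shared `add_header` block when `vhostCfg ? "extraConfig"` holds, so the security headers that the removed config/hosts/crime/nginx.nix applied through `inherit extraConfig` appear to be no longer sent for Jellyfin. The `crime.kyouma.net` vhost in config/services/arrs/default.nix has no `extraConfig` either and would miss them the same way. Making the module side unconditional fixes both, e.g. `(vhostCfg.extraConfig or "") + "\n" + extraConfig` in place of the `lib.optionalString (vhostCfg ? "extraConfig") (…)` wrapper. Separately, `"= /web/"` used to proxy to `/web/index.html` and now passes the request URI through unchanged, which is worth confirming as intended.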
@@ -10,21 +10,30 @@
 add_header Referrer-Policy "same-origin" always;
 '';
 createHost = vhostName: vhostCfg: {
- extraConfig = lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) (vhostCfg.extraConfig + "\n" + extraConfig);
+ extraConfig = lib.optionalString (vhostCfg ? "extraConfig") (
+ vhostCfg.extraConfig + "\n" + extraConfig
+ ) + lib.optionalString (
+ if (vhostCfg ? "verifyClientCert") then
+ vhostCfg.verifyClientCert
+ else false
+ ) ''
+ ssl_client_certificate ${./kyouma_Root_CA.pem};
+ ssl_verify_client on;
+ ssl_verify_depth 1;
+ '';
 forceSSL = true;
- #kTLS = true;
 http3 = true;
 quic = true;
 } //
- lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) {
+ lib.optionalAttrs (!(vhostCfg ? "useACMEHost")) {
 enableACME = true;
 } //
- lib.optionalAttrs (builtins.hasAttr "redirectTo" vhostCfg) {
+ lib.optionalAttrs (vhostCfg ? "redirectTo") {
 enableACME = false;
 useACMEHost = vhostCfg.redirectTo;
 globalRedirect = vhostCfg.redirectTo;
 } //
- (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ]);
+ (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" "verifyClientCert" ]);
 in {
 options = {
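Review bot: The `verifyClientCert` block trusts every certificate issued under the bundled root and configures no revocation source, so a lost or leaked client certificate stays accepted until it expires or the CA is replaced. Adding `ssl_crl <path-to-crl.pem>;` next to `ssl_client_certificate`, fed from a CRL published by that CA, would close the gap. As a style point, `if (vhostCfg ? "verifyClientCert") then vhostCfg.verifyClientCert else false` can be written as `vhostCfg.verifyClientCert or false`. A one-line comment such as `# mTLS: only clients holding a cert issued by kyouma Root CA may connect` above the block would document the intent; the surrounding `let` block starts outside the hunk.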
@@ -39,21 +48,21 @@ in {
 };
 config = {
 services.nginx.virtualHosts = lib.optionalAttrs (cfg.virtualHosts != null) (
- builtins.mapAttrs (createHost) cfg.virtualHosts) //
- lib.optionalAttrs (cfg.defaultForbidden != null) {
- "redirect" = {
- quic = true;
- http3 = true;
- # reuseport has to be specified on the quic listener
- # when using worker_processes auto;
- reuseport = true;
- default = true;
- forceSSL = true;
- useACMEHost = cfg.defaultForbidden;
- extraConfig = ''
- return 403;
- '';
- };
+ builtins.mapAttrs (createHost) cfg.virtualHosts
+ ) // lib.optionalAttrs (cfg.defaultForbidden != null) {
+ "redirect" = {
+ quic = true;
+ http3 = true;
+ # reuseport has to be specified on the quic listener
+ # when using worker_processes auto;
+ reuseport = true;
+ default = true;
+ forceSSL = true;
+ useACMEHost = cfg.defaultForbidden;
+ extraConfig = ''
+ return 403;
+ '';
 };
+ };
 };
 }
diff --git a/modules/nginx/kyouma_Root_CA.pem b/modules/nginx/kyouma_Root_CA.pem
new file mode 100644
index 0000000..f6a042f
--- /dev/null
+++ b/modules/nginx/kyouma_Root_CA.pem
@@ -0,0 +1,192 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 47:94:9e:44:65:f4:61:f8:aa:b3:c1:7b:86:38:21:d9:88:a5:88:f0 + Signature Algorithm: sha256WithRSAEncryption + Issuer: CN=kyouma Root CA + Validity + Not Before: Jun 21 14:02:26 2024 GMT + Not After : Jun 21 14:02:26 2044 GMT + Subject: CN=kyouma Root CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (7680 bit) + Modulus: + 00:f9:d0:a3:4b:d9:77:e3:ec:b4:46:8e:3f:1f:a4: + 39:22:60:d8:ad:e9:1e:fe:ad:17:f8:30:d6:f6:fa: + e9:62:f7:36:25:07:e9:6c:83:91:42:0f:e2:53:f1: + ca:70:da:26:7d:bf:bb:1d:d5:4d:5e:99:82:99:39: + 97:f3:c3:7d:f9:0d:08:e8:d4:ae:fc:45:88:98:8e: + a3:bc:2a:bd:16:67:32:59:08:59:eb:a8:de:a6:a7: + 77:9d:f9:1a:c6:7f:76:92:3d:d7:56:74:2b:a3:5a: + 97:8f:05:ab:3b:dc:92:61:2e:7f:95:b1:5c:04:da: + 1e:2e:b9:de:7b:16:b2:85:b4:b4:5a:48:34:9a:bb: + 18:0d:0a:0a:34:91:f8:8f:f3:79:46:a6:c4:ee:aa: + 93:88:03:cf:43:a2:ba:1e:bc:65:f1:78:d8:ce:d8: + 2b:fb:db:33:d6:37:ad:d4:9d:44:38:ff:b5:0d:dc: + 08:61:2c:fb:f0:86:b2:ef:ff:a8:4f:63:28:13:49: + f8:21:4e:cb:22:98:54:de:e7:b4:e2:b6:14:c9:c5: + 59:04:82:04:a2:39:3c:61:f5:91:99:ff:ac:6e:80: + 9a:d2:22:7d:51:fb:ad:a3:6a:4c:14:a8:e3:28:d9: + 22:ac:c8:3d:34:17:5a:40:ce:8d:3c:52:e7:e1:e9: + d4:75:0d:3f:b8:dd:d3:d2:56:25:92:fa:75:87:81: + fe:59:4a:82:53:d5:e7:03:39:c0:07:84:73:70:d0: + fc:fe:3f:06:e0:f9:0f:59:22:74:05:13:65:58:5a: + a8:1d:7b:52:4f:47:ed:be:26:57:47:49:57:d5:7f: + 34:c7:3c:0f:55:d4:17:57:8a:0e:bb:f5:3a:c7:77: + f1:7d:06:49:a9:a8:dd:18:0e:a2:97:52:c8:49:e5: + 39:c7:31:5d:07:c3:58:ed:8e:ae:c7:7c:1b:db:8d: + dc:a0:c3:e3:f5:c0:98:35:cf:fc:92:a0:a6:f3:0f: + b1:18:95:c0:01:eb:1d:96:8d:02:7b:9a:dc:29:5d: + 59:f1:2a:dc:53:0e:6b:2b:6b:5d:36:03:a1:bd:e4: + e6:b4:1f:5a:66:67:13:4a:2c:7f:56:c9:75:5c:fe: + 42:20:24:51:18:bb:ea:30:12:8f:88:d1:ad:fe:eb: + 59:92:8d:1e:be:ff:3e:6e:f2:5a:d9:8c:20:f4:35: + ed:bc:01:47:21:d3:10:b9:5d:fe:6a:8e:e0:a3:e3: + e5:6f:ac:8b:fc:61:d0:75:a8:a3:92:1f:2c:cc:c1: + 
15:17:36:3b:05:ab:58:76:be:63:9d:30:5d:ed:7d: + 83:0c:b7:24:8f:10:a8:90:02:ee:68:81:05:cd:d9: + 4f:2e:cc:ef:97:62:d1:75:6b:82:f3:d0:34:56:d3: + 59:7e:d9:d3:7d:93:ce:1b:17:de:fd:18:4b:e6:50: + 72:77:88:60:dd:ff:5e:95:05:61:fe:d8:31:dd:34: + 1e:e1:6d:61:1e:80:73:05:3e:3b:22:c2:34:07:48: + 9b:0e:06:8d:a6:81:c4:4d:e9:4d:5d:df:e1:04:cd: + 5b:85:6e:b2:12:aa:1b:cd:bd:4e:7e:53:ea:59:49: + af:11:70:b3:11:87:0f:af:2f:99:ce:e9:69:db:6d: + d0:5a:14:1a:95:2f:2f:db:bf:36:62:e1:99:ff:7c: + b8:b9:5c:4e:79:33:61:ee:db:4b:6f:40:7d:49:b2: + 6e:e1:65:9d:f6:45:fe:27:14:24:82:5d:f6:a4:38: + 01:ac:47:54:da:b6:02:c1:ad:79:71:b6:93:64:ec: + a4:06:7b:d6:5e:1c:da:7f:40:16:47:65:47:24:2a: + 8b:77:32:49:89:c4:9f:26:d4:f9:a6:ba:e6:42:aa: + 74:fd:7e:1e:d1:75:95:5c:5c:d8:d4:bb:75:05:79: + 10:7a:df:5a:2b:69:9b:75:28:cb:b5:4e:48:3e:a3: + aa:21:04:95:8f:62:3b:46:2f:07:d0:9e:1c:50:9b: + 3d:ba:6d:1f:c2:a0:41:7f:47:43:57:ef:92:31:47: + 4a:a2:91:65:43:5c:c1:2b:fd:26:2d:be:41:a7:98: + 7a:8f:52:89:5f:81:ff:48:7d:04:2a:b8:4d:50:91: + f5:af:18:33:44:f2:55:5f:68:87:33:d8:e6:4f:5d: + b9:92:ca:06:51:f3:e0:b1:5b:6f:a0:52:fe:6e:98: + 22:01:5f:c2:fb:45:59:02:67:62:6f:74:2b:79:62: + e7:5a:13:a8:db:fd:a2:64:b1:0b:49:2f:f4:61:35: + a0:b6:12:2c:ec:24:19:9f:0c:14:85:05:b5:e1:c1: + 9e:4e:87:a4:88:c9:79:65:1d:12:ac:89:e6:bc:ed: + 6b:58:90:fd:95:40:3f:2e:ba:ff:b8:52:5d:60:98: + 32:b9:20:38:a5:08:da:a1:fc:38:89:3c:f1:de:38: + cf:60:d8:69:a1:4b:88:51:f7:31:b8:fc:56:dc:56: + 3a:7a:39:c5:03:23:2a:8f:fa:ab:92:7a:b6:37:da: + c1:9f:55:e7:31:b1:c5:be:31:60:08:c2:33:30:ec: + cf + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 7B:C0:C6:7B:04:C4:66:0C:CD:32:FF:B0:6F:E1:D9:51:FD:1C:EE:B7 + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 58:b3:2d:00:8e:c2:72:5b:ed:91:8e:3c:98:66:6a:e4:61:c3: + 0f:d1:51:98:0c:64:79:3d:01:ac:8a:38:7f:af:fc:80:31:83: + 
86:a8:79:b9:0f:18:6d:2e:3a:ef:0a:c0:b1:30:39:7e:a4:3d: + ed:4e:35:3e:9e:f1:a3:29:dd:cc:01:1e:62:6b:ed:5b:77:31: + b3:4c:91:1d:69:70:20:44:87:e0:37:17:a0:ba:c4:e5:57:c5: + 90:1a:f2:1e:0d:ac:aa:30:11:c3:da:1c:3f:3a:28:b5:6d:12: + ac:45:b6:6c:f0:b2:b2:6e:f0:55:33:8e:29:10:ac:9e:61:ac: + 35:ec:ed:c7:e3:51:c2:86:52:10:7a:9c:f6:22:5d:65:65:18: + 62:b7:e9:6e:be:64:46:db:dc:15:45:eb:1a:42:45:83:d7:aa: + dd:63:24:4a:ed:b9:d5:35:86:27:22:33:6a:26:4b:32:0a:15: + 75:18:19:58:e9:6b:b4:84:ac:00:a3:78:d3:9d:7d:25:3c:5e: + 51:7f:01:ca:90:d1:40:2b:d2:45:e1:4f:fb:6e:8d:2e:cc:04: + 07:34:07:91:c6:8c:4f:a5:e4:7d:dd:78:0f:b0:9d:01:9d:6e: + 89:16:6d:3a:94:dd:38:57:bc:49:c2:e1:b5:aa:54:8f:d1:8b: + 13:db:35:2f:d1:80:5e:45:fb:53:60:61:d5:c3:e1:9c:21:60: + a3:83:34:e6:9e:bc:86:70:fe:36:8b:35:55:28:e0:f4:b0:81: + ed:37:59:0e:7a:f6:a7:66:a1:b6:36:45:30:95:c8:80:d6:40: + a9:12:bf:47:b1:33:09:fa:89:d4:9f:c2:57:75:6a:47:dd:87: + 3f:b3:d1:3d:13:bc:5e:82:ea:5f:3a:dc:46:35:1e:1f:83:40: + 1c:1d:5e:ba:37:18:a3:75:2f:60:a7:84:67:9b:79:17:ad:fb: + 2a:5b:d8:84:5d:f2:ff:cc:81:4c:08:e4:17:ec:b7:cf:ac:4c: + 0f:91:8a:4c:fa:91:ed:24:39:f9:04:3a:18:b0:b1:c3:57:ed: + 9b:f1:cf:ab:bf:07:f1:52:ef:57:de:0a:76:e7:e4:c4:5f:69: + 93:71:0c:d4:3f:23:12:55:8c:3d:e6:79:b3:3c:5e:86:ac:1f: + 5e:7f:ec:96:d8:da:4d:c9:40:32:ee:b5:cb:6e:86:27:49:45: + e6:89:30:80:fa:ba:ef:21:42:92:ba:f8:a7:51:16:61:04:13: + da:87:ac:c5:9c:c0:19:55:80:2d:4a:32:bb:30:12:0b:49:15: + ec:1e:5b:23:d4:d2:a3:4e:c6:22:19:bc:e2:ba:23:67:88:4c: + 54:d0:bf:10:61:91:d9:eb:f7:d7:bc:89:ee:83:0d:a3:2c:81: + a4:c2:38:58:c3:50:b7:fe:3f:f2:bc:a2:f0:52:9d:04:1f:c2: + 85:bd:d6:06:77:30:7b:90:3d:29:92:dc:41:a9:40:4b:bb:7c: + b7:91:07:65:2b:03:af:e4:a0:18:ab:a5:76:00:bc:10:e8:21: + 41:c7:d7:53:80:41:21:67:af:fe:d1:9d:14:4c:a9:7e:16:1d: + 4b:61:a4:f4:b1:e8:88:fe:c4:f1:60:3e:6d:d5:a9:90:14:3e: + 95:5d:7d:f0:7b:1e:af:5f:80:63:a8:ce:b1:a7:a1:b2:9a:10: + f7:d9:e7:00:fa:33:d7:61:c9:35:b1:c2:c9:60:0b:a5:1d:08: + a8:b2:1d:56:15:b8:b9:5e:36:b3:df:6a:76:6c:5e:9d:a7:e5: + 
54:dc:1a:6c:c3:34:f2:c2:c6:ee:7a:68:49:a3:41:d6:54:34: + 78:c9:2b:d2:d2:52:94:23:35:d7:c4:bf:c6:e0:21:18:4f:7a: + 7a:be:e8:ab:34:fa:f7:4d:1a:4b:3c:37:e9:5f:1c:76:b1:6d: + 96:70:f5:f5:db:b4:15:ba:2c:71:25:80:b3:98:4a:d3:1a:8d: + 0e:69:24:de:e3:0c:38:64:82:6e:54:d1:74:47:e5:e5:69:b1: + c1:04:12:72:8a:3f:71:c0:9f:dc:db:ba:0e:e8:3d:52:4a:23: + 56:04:9b:8c:eb:4f:62:19:7f:f5:bd:1e:48:d9:7f:89:84:3c: + 8d:f5:67:21:d6:81:ee:5a:cd:fa:c2:53:60:a0:97:1e:80:a2: + dc:96:89:e6:99:d9:9d:48:23:a0:07:9a:02:06:29:04:eb:03: + 79:06:6b:a0:41:98:d2:8f:2d:b4:e3:cb:c2:5e:78:74:a1:92: + 29:c9:7d:07:03:ca:3f:8c:f5:71:f0:c4:7d:6a:1b:ac:33:37: + 4f:03:54:44:46:b6:76:1c:55:8a:7d:7b:e5:58:4e:a9:f8:e1: + fe:7b:f3:a2:f8:e6:3b:e0:0b:5d:47:a8:b7:aa:f8:f3:c0:65: + b0:e4:1c:22:8f:9e:b9:d1:8f:a6:4a:a4:28:6f:6c:27:31:49: + 58:c0:4d:80:3b:e3:e2:22:aa:ec:4e:ba:a5:0d:9e:b8:17:8c: + 6b:4e:2d:37:6a:cc:f3:2d:0d:6b:34:b4:00:eb:ce:31:0e:a5: + c4:85:cd:1e:16:0b +-----BEGIN CERTIFICATE----- +MIIIgjCCBKqgAwIBAgIUR5SeRGX0Yfiqs8F7hjgh2YiliPAwDQYJKoZIhvcNAQEL +BQAwGTEXMBUGA1UEAwwOa3lvdW1hIFJvb3QgQ0EwHhcNMjQwNjIxMTQwMjI2WhcN +NDQwNjIxMTQwMjI2WjAZMRcwFQYDVQQDDA5reW91bWEgUm9vdCBDQTCCA+IwDQYJ +KoZIhvcNAQEBBQADggPPADCCA8oCggPBAPnQo0vZd+PstEaOPx+kOSJg2K3pHv6t +F/gw1vb66WL3NiUH6WyDkUIP4lPxynDaJn2/ux3VTV6Zgpk5l/PDffkNCOjUrvxF +iJiOo7wqvRZnMlkIWeuo3qand535GsZ/dpI911Z0K6Nal48FqzvckmEuf5WxXATa +Hi653nsWsoW0tFpINJq7GA0KCjSR+I/zeUamxO6qk4gDz0Oiuh68ZfF42M7YK/vb +M9Y3rdSdRDj/tQ3cCGEs+/CGsu//qE9jKBNJ+CFOyyKYVN7ntOK2FMnFWQSCBKI5 +PGH1kZn/rG6AmtIifVH7raNqTBSo4yjZIqzIPTQXWkDOjTxS5+Hp1HUNP7jd09JW +JZL6dYeB/llKglPV5wM5wAeEc3DQ/P4/BuD5D1kidAUTZVhaqB17Uk9H7b4mV0dJ +V9V/NMc8D1XUF1eKDrv1Osd38X0GSamo3RgOopdSyEnlOccxXQfDWO2Orsd8G9uN +3KDD4/XAmDXP/JKgpvMPsRiVwAHrHZaNAnua3CldWfEq3FMOaytrXTYDob3k5rQf +WmZnE0osf1bJdVz+QiAkURi76jASj4jRrf7rWZKNHr7/Pm7yWtmMIPQ17bwBRyHT +ELld/mqO4KPj5W+si/xh0HWoo5IfLMzBFRc2OwWrWHa+Y50wXe19gwy3JI8QqJAC +7miBBc3ZTy7M75di0XVrgvPQNFbTWX7Z032TzhsX3v0YS+ZQcneIYN3/XpUFYf7Y 
+Md00HuFtYR6AcwU+OyLCNAdImw4GjaaBxE3pTV3f4QTNW4VushKqG829Tn5T6llJ +rxFwsxGHD68vmc7padtt0FoUGpUvL9u/NmLhmf98uLlcTnkzYe7bS29AfUmybuFl +nfZF/icUJIJd9qQ4AaxHVNq2AsGteXG2k2TspAZ71l4c2n9AFkdlRyQqi3cySYnE +nybU+aa65kKqdP1+HtF1lVxc2NS7dQV5EHrfWitpm3Uoy7VOSD6jqiEElY9iO0Yv +B9CeHFCbPbptH8KgQX9HQ1fvkjFHSqKRZUNcwSv9Ji2+QaeYeo9SiV+B/0h9BCq4 +TVCR9a8YM0TyVV9ohzPY5k9duZLKBlHz4LFbb6BS/m6YIgFfwvtFWQJnYm90K3li +51oTqNv9omSxC0kv9GE1oLYSLOwkGZ8MFIUFteHBnk6HpIjJeWUdEqyJ5rzta1iQ +/ZVAPy66/7hSXWCYMrkgOKUI2qH8OIk88d44z2DYaaFLiFH3Mbj8VtxWOno5xQMj +Ko/6q5J6tjfawZ9V5zGxxb4xYAjCMzDszwIDAQABo0IwQDAdBgNVHQ4EFgQUe8DG +ewTEZgzNMv+wb+HZUf0c7rcwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +AQYwDQYJKoZIhvcNAQELBQADggPBAFizLQCOwnJb7ZGOPJhmauRhww/RUZgMZHk9 +AayKOH+v/IAxg4aoebkPGG0uOu8KwLEwOX6kPe1ONT6e8aMp3cwBHmJr7Vt3MbNM +kR1pcCBEh+A3F6C6xOVXxZAa8h4NrKowEcPaHD86KLVtEqxFtmzwsrJu8FUzjikQ +rJ5hrDXs7cfjUcKGUhB6nPYiXWVlGGK36W6+ZEbb3BVF6xpCRYPXqt1jJErtudU1 +hiciM2omSzIKFXUYGVjpa7SErACjeNOdfSU8XlF/AcqQ0UAr0kXhT/tujS7MBAc0 +B5HGjE+l5H3deA+wnQGdbokWbTqU3ThXvEnC4bWqVI/RixPbNS/RgF5F+1NgYdXD +4ZwhYKODNOaevIZw/jaLNVUo4PSwge03WQ569qdmobY2RTCVyIDWQKkSv0exMwn6 +idSfwld1akfdhz+z0T0TvF6C6l863EY1Hh+DQBwdXro3GKN1L2CnhGebeRet+ypb +2IRd8v/MgUwI5Bfst8+sTA+Rikz6ke0kOfkEOhiwscNX7Zvxz6u/B/FS71feCnbn +5MRfaZNxDNQ/IxJVjD3mebM8XoasH15/7JbY2k3JQDLutctuhidJReaJMID6uu8h +QpK6+KdRFmEEE9qHrMWcwBlVgC1KMrswEgtJFeweWyPU0qNOxiIZvOK6I2eITFTQ +vxBhkdnr99e8ie6DDaMsgaTCOFjDULf+P/K8ovBSnQQfwoW91gZ3MHuQPSmS3EGp +QEu7fLeRB2UrA6/koBirpXYAvBDoIUHH11OAQSFnr/7RnRRMqX4WHUthpPSx6Ij+ +xPFgPm3VqZAUPpVdffB7Hq9fgGOozrGnobKaEPfZ5wD6M9dhyTWxwslgC6UdCKiy +HVYVuLleNrPfanZsXp2n5VTcGmzDNPLCxu56aEmjQdZUNHjJK9LSUpQjNdfEv8bg +IRhPenq+6Ks0+vdNGks8N+lfHHaxbZZw9fXbtBW6LHElgLOYStMajQ5pJN7jDDhk +gm5U0XRH5eVpscEEEnKKP3HAn9zbug7oPVJKI1YEm4zrT2IZf/W9HkjZf4mEPI31 +ZyHWge5azfrCU2Cglx6AotyWieaZ2Z1II6AHmgIGKQTrA3kGa6BBmNKPLbTjy8Je +eHShkinJfQcDyj+M9XHwxH1qG6wzN08DVERGtnYcVYp9e+VYTqn44f5786L45jvg +C11HqLeq+PPAZbDkHCKPnrnRj6ZKpChvbCcxSVjATYA74+IiquxOuqUNnrgXjGtO 
+LTdqzPMtDWs0tADrzjEOpcSFzR4WCw== +-----END CERTIFICATE-----