1
0
Fork 0
forked from emily/nixfiles

crime: fix config

This commit is contained in:
emily 2024-11-12 18:03:31 +01:00
parent dc91b774a4
commit 650a206aa4
Signed by untrusted user: emily
GPG key ID: F6F4C66207FCF995
8 changed files with 353 additions and 146 deletions

View file

@ -39,7 +39,7 @@ in {
]; ];
settings = { settings = {
PermitRootLogin = "prohibit-password"; PermitRootLogin = "no";
PasswordAuthentication = false; PasswordAuthentication = false;
KbdInteractiveAuthentication = false; KbdInteractiveAuthentication = false;

View file

@ -4,24 +4,18 @@
../../profiles/headless.nix ../../profiles/headless.nix
../../profiles/kartoffel.nix ../../profiles/kartoffel.nix
../../profiles/lxc.nix ../../profiles/lxc.nix
../../services/arrs
../../services/jellyfin.nix
../../services/nginx.nix ../../services/nginx.nix
./nginx.nix
]; ];
networking.hostName = "crime"; networking.hostName = "crime";
systemd.network.networks."98-eth-default" = { systemd.network.networks."98-eth-default" = {
address = [ address = [
"2a0f:be01:0:100::1337/128" "2a0f:be01:0:100::b00b:a/128"
"2a0f:be01:0:100::1338/128"
]; ];
}; };
security.acme.certs = { security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
"fentanyl.trade" = { extraDomainNames = [ "frotti.ng" "watch.kyouma.net" ]; };
"crime.kyouma.net" = {};
};
services.jellyfin.enable = true; kyouma.nginx.defaultForbidden = "fentanyl.trade";
services.sonarr.enable = true;
services.radarr.enable = true;
services.prowlarr.enable = true;
} }

View file

@ -1,114 +0,0 @@
{ pkgs, ... }:
let
landingPage = pkgs.writeTextDir "index.html" ''
<!DOCTYPE html>
<html>
<head>
<title>crime.kyouma.net</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to crime.kyouma.net!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>Sonarr
<a href="https://crime.kyouma.net/sonarr">crime.kyouma.net/sonarr</a><br/>
Radarr
<a href="https://crime.kyouma.net/radarr">crime.kyouma.net/radarr</a><br/>
Prowlarr
<a href="https://crime.kyouma.net/prowlarr">crime.kyouma.net/prowlarr</a></p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
'';
extraConfig = ''
add_header Strict-Transport-Security $hsts_header;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "same-origin" always;
'';
proxyConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
'';
jellyAddr = "[::1]";
jellyWeb = {
forceSSL = true;
#http3 = true;
#quic = true;
inherit extraConfig;
locations = {
"= /".return = "302 https://$host/web/";
"/" = {
proxyPass = "http://${jellyAddr}:8096";
extraConfig = ''
${proxyConfig}
proxy_buffering on;
'';
};
"= /web/" = {
proxyPass = "http://${jellyAddr}:8096/web/index.html";
extraConfig = proxyConfig;
};
"/socket" = {
proxyPass = "http://${jellyAddr}:8096";
proxyWebsockets = true;
extraConfig = proxyConfig;
};
};
};
in {
services.nginx = {
virtualHosts = {
"fentanyl.trade" = jellyWeb // {
enableACME = true;
};
"frotti.ng" = jellyWeb // {
useACMEHost = "fentanyl.trade";
};
};
};
kyouma.nginx.virtualHosts = {
"watch.kyouma.net" = { redirectTo = "fentanyl.trade"; };
"redirect" = {
default = true;
reuseport = true;
useACMEHost = "fentanyl.trade";
extraConfig = ''
return 403;
'';
};
"crime.kyouma.net" = {
listenAddresses = [ "[2a0f:be01:0:100::1338]" ];
locations = {
"/".root = landingPage;
"/sonarr/" = {
proxyPass = "http://127.0.0.1:8989";
recommendedProxySettings = true;
};
"/radarr/" = {
proxyPass = "http://127.0.0.1:7878";
recommendedProxySettings = true;
};
"/prowlarr/" = {
proxyPass = "http://127.0.0.1:9696";
recommendedProxySettings = true;
};
};
};
};
}

View file

@ -0,0 +1,58 @@
{ lib, pkgs, ... }: {
users.groups.crime = {};
services = {
prowlarr.enable = true;
} // lib.genAttrs [ "sonarr" "radarr" ] (_: {
enable = true;
group = "crime";
});
systemd.services = lib.genAttrs [ "radarr" "sonarr" ] (_: {
wants = [ "rclone-mezzomix.service" ];
serviceConfig.UMask = "0002";
});
systemd.mounts = lib.singleton {
description = "rclone mount";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" "radarr.service" "sonarr.service" ];
where = "/mnt/mezzomix";
what = "mezzomix@otos.feralhosting.com:private/rtorrent/data";
type = "fuse.sshfs";
options = "_netdev,rw,nosuid,allow_other,default_permissions,follow_symlinks,identityfile=/etc/keys/ssh_host_ed25519_key";
};
systemd.automounts = lib.singleton {
name = "mnt-mezzomix.automount";
where = "/mnt/mezzomix";
wantedBy = [ "multi-user.target" ];
automountConfig.TimeoutIdleSec = 0;
};
environment.systemPackages = [ pkgs.sshfs ];
programs.ssh.ciphers = [ "aes256-ctr" ];
kyouma.nginx.virtualHosts = {
"crime.kyouma.net" = {
verifyClientCert = true;
locations = {
"/".root = ./landingPage.html;
"/sonarr/" = {
proxyPass = "http://127.0.0.1:8989";
recommendedProxySettings = true;
};
"/radarr/" = {
proxyPass = "http://127.0.0.1:7878";
recommendedProxySettings = true;
};
"/prowlarr/" = {
proxyPass = "http://127.0.0.1:9696";
recommendedProxySettings = true;
};
};
};
};
security.acme.certs."crime.kyouma.net" = {};
}

View file

@ -0,0 +1,27 @@
<!DOCTYPE html>
<html>
<head>
<title>crime.kyouma.net</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to crime.kyouma.net!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>Sonarr
<a href="https://crime.kyouma.net/sonarr">crime.kyouma.net/sonarr</a><br/>
Radarr
<a href="https://crime.kyouma.net/radarr">crime.kyouma.net/radarr</a><br/>
Prowlarr
<a href="https://crime.kyouma.net/prowlarr">crime.kyouma.net/prowlarr</a></p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>

View file

@ -0,0 +1,41 @@
{ lib, ... }: {
users.groups.crime = {};
services.jellyfin = {
enable = true;
group = "crime";
};
systemd.services.jellyfin.serviceConfig.UMask = lib.mkForce "0002";
kyouma.nginx.virtualHosts = {
"watch.kyouma.net".redirectTo = "fentanyl.trade";
"fentanyl.trade" = {
serverAliases = lib.singleton "frotti.ng";
locations = {
"= /".return = "302 https://$host/web/";
"/" = {
proxyPass = "http://[::1]:8096";
recommendedProxySettings = true;
extraConfig = ''
proxy_buffering on;
'';
};
"= /web/" = {
proxyPass = "http://[::1]:8096";
recommendedProxySettings = true;
};
"/socket" = {
proxyPass = "http://[::1]:8096";
recommendedProxySettings = true;
proxyWebsockets = true;
};
};
};
};
security.acme.certs."fentanyl.trade".extraDomainNames = [
"frotti.ng"
"watch.kyouma.net"
];
}

View file

@ -10,21 +10,30 @@
add_header Referrer-Policy "same-origin" always; add_header Referrer-Policy "same-origin" always;
''; '';
createHost = vhostName: vhostCfg: { createHost = vhostName: vhostCfg: {
extraConfig = lib.optionalString (builtins.hasAttr "extraConfig" vhostCfg) (vhostCfg.extraConfig + "\n" + extraConfig); extraConfig = lib.optionalString (vhostCfg ? "extraConfig") (
vhostCfg.extraConfig + "\n" + extraConfig
) + lib.optionalString (
if (vhostCfg ? "verifyClientCert") then
vhostCfg.verifyClientCert
else false
) ''
ssl_client_certificate ${./kyouma_Root_CA.pem};
ssl_verify_client on;
ssl_verify_depth 1;
'';
forceSSL = true; forceSSL = true;
#kTLS = true;
http3 = true; http3 = true;
quic = true; quic = true;
} // } //
lib.optionalAttrs (!(builtins.hasAttr "useACMEHost" vhostCfg)) { lib.optionalAttrs (!(vhostCfg ? "useACMEHost")) {
enableACME = true; enableACME = true;
} // } //
lib.optionalAttrs (builtins.hasAttr "redirectTo" vhostCfg) { lib.optionalAttrs (vhostCfg ? "redirectTo") {
enableACME = false; enableACME = false;
useACMEHost = vhostCfg.redirectTo; useACMEHost = vhostCfg.redirectTo;
globalRedirect = vhostCfg.redirectTo; globalRedirect = vhostCfg.redirectTo;
} // } //
(builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" ]); (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" "verifyClientCert" ]);
in { in {
options = { options = {
@ -39,21 +48,21 @@ in {
}; };
config = { config = {
services.nginx.virtualHosts = lib.optionalAttrs (cfg.virtualHosts != null) ( services.nginx.virtualHosts = lib.optionalAttrs (cfg.virtualHosts != null) (
builtins.mapAttrs (createHost) cfg.virtualHosts) // builtins.mapAttrs (createHost) cfg.virtualHosts
lib.optionalAttrs (cfg.defaultForbidden != null) { ) // lib.optionalAttrs (cfg.defaultForbidden != null) {
"redirect" = { "redirect" = {
quic = true; quic = true;
http3 = true; http3 = true;
# reuseport has to be specified on the quic listener # reuseport has to be specified on the quic listener
# when using worker_processes auto; # when using worker_processes auto;
reuseport = true; reuseport = true;
default = true; default = true;
forceSSL = true; forceSSL = true;
useACMEHost = cfg.defaultForbidden; useACMEHost = cfg.defaultForbidden;
extraConfig = '' extraConfig = ''
return 403; return 403;
''; '';
};
}; };
};
}; };
} }

View file

@ -0,0 +1,192 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
47:94:9e:44:65:f4:61:f8:aa:b3:c1:7b:86:38:21:d9:88:a5:88:f0
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=kyouma Root CA
Validity
Not Before: Jun 21 14:02:26 2024 GMT
Not After : Jun 21 14:02:26 2044 GMT
Subject: CN=kyouma Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (7680 bit)
Modulus:
00:f9:d0:a3:4b:d9:77:e3:ec:b4:46:8e:3f:1f:a4:
39:22:60:d8:ad:e9:1e:fe:ad:17:f8:30:d6:f6:fa:
e9:62:f7:36:25:07:e9:6c:83:91:42:0f:e2:53:f1:
ca:70:da:26:7d:bf:bb:1d:d5:4d:5e:99:82:99:39:
97:f3:c3:7d:f9:0d:08:e8:d4:ae:fc:45:88:98:8e:
a3:bc:2a:bd:16:67:32:59:08:59:eb:a8:de:a6:a7:
77:9d:f9:1a:c6:7f:76:92:3d:d7:56:74:2b:a3:5a:
97:8f:05:ab:3b:dc:92:61:2e:7f:95:b1:5c:04:da:
1e:2e:b9:de:7b:16:b2:85:b4:b4:5a:48:34:9a:bb:
18:0d:0a:0a:34:91:f8:8f:f3:79:46:a6:c4:ee:aa:
93:88:03:cf:43:a2:ba:1e:bc:65:f1:78:d8:ce:d8:
2b:fb:db:33:d6:37:ad:d4:9d:44:38:ff:b5:0d:dc:
08:61:2c:fb:f0:86:b2:ef:ff:a8:4f:63:28:13:49:
f8:21:4e:cb:22:98:54:de:e7:b4:e2:b6:14:c9:c5:
59:04:82:04:a2:39:3c:61:f5:91:99:ff:ac:6e:80:
9a:d2:22:7d:51:fb:ad:a3:6a:4c:14:a8:e3:28:d9:
22:ac:c8:3d:34:17:5a:40:ce:8d:3c:52:e7:e1:e9:
d4:75:0d:3f:b8:dd:d3:d2:56:25:92:fa:75:87:81:
fe:59:4a:82:53:d5:e7:03:39:c0:07:84:73:70:d0:
fc:fe:3f:06:e0:f9:0f:59:22:74:05:13:65:58:5a:
a8:1d:7b:52:4f:47:ed:be:26:57:47:49:57:d5:7f:
34:c7:3c:0f:55:d4:17:57:8a:0e:bb:f5:3a:c7:77:
f1:7d:06:49:a9:a8:dd:18:0e:a2:97:52:c8:49:e5:
39:c7:31:5d:07:c3:58:ed:8e:ae:c7:7c:1b:db:8d:
dc:a0:c3:e3:f5:c0:98:35:cf:fc:92:a0:a6:f3:0f:
b1:18:95:c0:01:eb:1d:96:8d:02:7b:9a:dc:29:5d:
59:f1:2a:dc:53:0e:6b:2b:6b:5d:36:03:a1:bd:e4:
e6:b4:1f:5a:66:67:13:4a:2c:7f:56:c9:75:5c:fe:
42:20:24:51:18:bb:ea:30:12:8f:88:d1:ad:fe:eb:
59:92:8d:1e:be:ff:3e:6e:f2:5a:d9:8c:20:f4:35:
ed:bc:01:47:21:d3:10:b9:5d:fe:6a:8e:e0:a3:e3:
e5:6f:ac:8b:fc:61:d0:75:a8:a3:92:1f:2c:cc:c1:
15:17:36:3b:05:ab:58:76:be:63:9d:30:5d:ed:7d:
83:0c:b7:24:8f:10:a8:90:02:ee:68:81:05:cd:d9:
4f:2e:cc:ef:97:62:d1:75:6b:82:f3:d0:34:56:d3:
59:7e:d9:d3:7d:93:ce:1b:17:de:fd:18:4b:e6:50:
72:77:88:60:dd:ff:5e:95:05:61:fe:d8:31:dd:34:
1e:e1:6d:61:1e:80:73:05:3e:3b:22:c2:34:07:48:
9b:0e:06:8d:a6:81:c4:4d:e9:4d:5d:df:e1:04:cd:
5b:85:6e:b2:12:aa:1b:cd:bd:4e:7e:53:ea:59:49:
af:11:70:b3:11:87:0f:af:2f:99:ce:e9:69:db:6d:
d0:5a:14:1a:95:2f:2f:db:bf:36:62:e1:99:ff:7c:
b8:b9:5c:4e:79:33:61:ee:db:4b:6f:40:7d:49:b2:
6e:e1:65:9d:f6:45:fe:27:14:24:82:5d:f6:a4:38:
01:ac:47:54:da:b6:02:c1:ad:79:71:b6:93:64:ec:
a4:06:7b:d6:5e:1c:da:7f:40:16:47:65:47:24:2a:
8b:77:32:49:89:c4:9f:26:d4:f9:a6:ba:e6:42:aa:
74:fd:7e:1e:d1:75:95:5c:5c:d8:d4:bb:75:05:79:
10:7a:df:5a:2b:69:9b:75:28:cb:b5:4e:48:3e:a3:
aa:21:04:95:8f:62:3b:46:2f:07:d0:9e:1c:50:9b:
3d:ba:6d:1f:c2:a0:41:7f:47:43:57:ef:92:31:47:
4a:a2:91:65:43:5c:c1:2b:fd:26:2d:be:41:a7:98:
7a:8f:52:89:5f:81:ff:48:7d:04:2a:b8:4d:50:91:
f5:af:18:33:44:f2:55:5f:68:87:33:d8:e6:4f:5d:
b9:92:ca:06:51:f3:e0:b1:5b:6f:a0:52:fe:6e:98:
22:01:5f:c2:fb:45:59:02:67:62:6f:74:2b:79:62:
e7:5a:13:a8:db:fd:a2:64:b1:0b:49:2f:f4:61:35:
a0:b6:12:2c:ec:24:19:9f:0c:14:85:05:b5:e1:c1:
9e:4e:87:a4:88:c9:79:65:1d:12:ac:89:e6:bc:ed:
6b:58:90:fd:95:40:3f:2e:ba:ff:b8:52:5d:60:98:
32:b9:20:38:a5:08:da:a1:fc:38:89:3c:f1:de:38:
cf:60:d8:69:a1:4b:88:51:f7:31:b8:fc:56:dc:56:
3a:7a:39:c5:03:23:2a:8f:fa:ab:92:7a:b6:37:da:
c1:9f:55:e7:31:b1:c5:be:31:60:08:c2:33:30:ec:
cf
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
7B:C0:C6:7B:04:C4:66:0C:CD:32:FF:B0:6F:E1:D9:51:FD:1C:EE:B7
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
58:b3:2d:00:8e:c2:72:5b:ed:91:8e:3c:98:66:6a:e4:61:c3:
0f:d1:51:98:0c:64:79:3d:01:ac:8a:38:7f:af:fc:80:31:83:
86:a8:79:b9:0f:18:6d:2e:3a:ef:0a:c0:b1:30:39:7e:a4:3d:
ed:4e:35:3e:9e:f1:a3:29:dd:cc:01:1e:62:6b:ed:5b:77:31:
b3:4c:91:1d:69:70:20:44:87:e0:37:17:a0:ba:c4:e5:57:c5:
90:1a:f2:1e:0d:ac:aa:30:11:c3:da:1c:3f:3a:28:b5:6d:12:
ac:45:b6:6c:f0:b2:b2:6e:f0:55:33:8e:29:10:ac:9e:61:ac:
35:ec:ed:c7:e3:51:c2:86:52:10:7a:9c:f6:22:5d:65:65:18:
62:b7:e9:6e:be:64:46:db:dc:15:45:eb:1a:42:45:83:d7:aa:
dd:63:24:4a:ed:b9:d5:35:86:27:22:33:6a:26:4b:32:0a:15:
75:18:19:58:e9:6b:b4:84:ac:00:a3:78:d3:9d:7d:25:3c:5e:
51:7f:01:ca:90:d1:40:2b:d2:45:e1:4f:fb:6e:8d:2e:cc:04:
07:34:07:91:c6:8c:4f:a5:e4:7d:dd:78:0f:b0:9d:01:9d:6e:
89:16:6d:3a:94:dd:38:57:bc:49:c2:e1:b5:aa:54:8f:d1:8b:
13:db:35:2f:d1:80:5e:45:fb:53:60:61:d5:c3:e1:9c:21:60:
a3:83:34:e6:9e:bc:86:70:fe:36:8b:35:55:28:e0:f4:b0:81:
ed:37:59:0e:7a:f6:a7:66:a1:b6:36:45:30:95:c8:80:d6:40:
a9:12:bf:47:b1:33:09:fa:89:d4:9f:c2:57:75:6a:47:dd:87:
3f:b3:d1:3d:13:bc:5e:82:ea:5f:3a:dc:46:35:1e:1f:83:40:
1c:1d:5e:ba:37:18:a3:75:2f:60:a7:84:67:9b:79:17:ad:fb:
2a:5b:d8:84:5d:f2:ff:cc:81:4c:08:e4:17:ec:b7:cf:ac:4c:
0f:91:8a:4c:fa:91:ed:24:39:f9:04:3a:18:b0:b1:c3:57:ed:
9b:f1:cf:ab:bf:07:f1:52:ef:57:de:0a:76:e7:e4:c4:5f:69:
93:71:0c:d4:3f:23:12:55:8c:3d:e6:79:b3:3c:5e:86:ac:1f:
5e:7f:ec:96:d8:da:4d:c9:40:32:ee:b5:cb:6e:86:27:49:45:
e6:89:30:80:fa:ba:ef:21:42:92:ba:f8:a7:51:16:61:04:13:
da:87:ac:c5:9c:c0:19:55:80:2d:4a:32:bb:30:12:0b:49:15:
ec:1e:5b:23:d4:d2:a3:4e:c6:22:19:bc:e2:ba:23:67:88:4c:
54:d0:bf:10:61:91:d9:eb:f7:d7:bc:89:ee:83:0d:a3:2c:81:
a4:c2:38:58:c3:50:b7:fe:3f:f2:bc:a2:f0:52:9d:04:1f:c2:
85:bd:d6:06:77:30:7b:90:3d:29:92:dc:41:a9:40:4b:bb:7c:
b7:91:07:65:2b:03:af:e4:a0:18:ab:a5:76:00:bc:10:e8:21:
41:c7:d7:53:80:41:21:67:af:fe:d1:9d:14:4c:a9:7e:16:1d:
4b:61:a4:f4:b1:e8:88:fe:c4:f1:60:3e:6d:d5:a9:90:14:3e:
95:5d:7d:f0:7b:1e:af:5f:80:63:a8:ce:b1:a7:a1:b2:9a:10:
f7:d9:e7:00:fa:33:d7:61:c9:35:b1:c2:c9:60:0b:a5:1d:08:
a8:b2:1d:56:15:b8:b9:5e:36:b3:df:6a:76:6c:5e:9d:a7:e5:
54:dc:1a:6c:c3:34:f2:c2:c6:ee:7a:68:49:a3:41:d6:54:34:
78:c9:2b:d2:d2:52:94:23:35:d7:c4:bf:c6:e0:21:18:4f:7a:
7a:be:e8:ab:34:fa:f7:4d:1a:4b:3c:37:e9:5f:1c:76:b1:6d:
96:70:f5:f5:db:b4:15:ba:2c:71:25:80:b3:98:4a:d3:1a:8d:
0e:69:24:de:e3:0c:38:64:82:6e:54:d1:74:47:e5:e5:69:b1:
c1:04:12:72:8a:3f:71:c0:9f:dc:db:ba:0e:e8:3d:52:4a:23:
56:04:9b:8c:eb:4f:62:19:7f:f5:bd:1e:48:d9:7f:89:84:3c:
8d:f5:67:21:d6:81:ee:5a:cd:fa:c2:53:60:a0:97:1e:80:a2:
dc:96:89:e6:99:d9:9d:48:23:a0:07:9a:02:06:29:04:eb:03:
79:06:6b:a0:41:98:d2:8f:2d:b4:e3:cb:c2:5e:78:74:a1:92:
29:c9:7d:07:03:ca:3f:8c:f5:71:f0:c4:7d:6a:1b:ac:33:37:
4f:03:54:44:46:b6:76:1c:55:8a:7d:7b:e5:58:4e:a9:f8:e1:
fe:7b:f3:a2:f8:e6:3b:e0:0b:5d:47:a8:b7:aa:f8:f3:c0:65:
b0:e4:1c:22:8f:9e:b9:d1:8f:a6:4a:a4:28:6f:6c:27:31:49:
58:c0:4d:80:3b:e3:e2:22:aa:ec:4e:ba:a5:0d:9e:b8:17:8c:
6b:4e:2d:37:6a:cc:f3:2d:0d:6b:34:b4:00:eb:ce:31:0e:a5:
c4:85:cd:1e:16:0b
-----BEGIN CERTIFICATE-----
MIIIgjCCBKqgAwIBAgIUR5SeRGX0Yfiqs8F7hjgh2YiliPAwDQYJKoZIhvcNAQEL
BQAwGTEXMBUGA1UEAwwOa3lvdW1hIFJvb3QgQ0EwHhcNMjQwNjIxMTQwMjI2WhcN
NDQwNjIxMTQwMjI2WjAZMRcwFQYDVQQDDA5reW91bWEgUm9vdCBDQTCCA+IwDQYJ
KoZIhvcNAQEBBQADggPPADCCA8oCggPBAPnQo0vZd+PstEaOPx+kOSJg2K3pHv6t
F/gw1vb66WL3NiUH6WyDkUIP4lPxynDaJn2/ux3VTV6Zgpk5l/PDffkNCOjUrvxF
iJiOo7wqvRZnMlkIWeuo3qand535GsZ/dpI911Z0K6Nal48FqzvckmEuf5WxXATa
Hi653nsWsoW0tFpINJq7GA0KCjSR+I/zeUamxO6qk4gDz0Oiuh68ZfF42M7YK/vb
M9Y3rdSdRDj/tQ3cCGEs+/CGsu//qE9jKBNJ+CFOyyKYVN7ntOK2FMnFWQSCBKI5
PGH1kZn/rG6AmtIifVH7raNqTBSo4yjZIqzIPTQXWkDOjTxS5+Hp1HUNP7jd09JW
JZL6dYeB/llKglPV5wM5wAeEc3DQ/P4/BuD5D1kidAUTZVhaqB17Uk9H7b4mV0dJ
V9V/NMc8D1XUF1eKDrv1Osd38X0GSamo3RgOopdSyEnlOccxXQfDWO2Orsd8G9uN
3KDD4/XAmDXP/JKgpvMPsRiVwAHrHZaNAnua3CldWfEq3FMOaytrXTYDob3k5rQf
WmZnE0osf1bJdVz+QiAkURi76jASj4jRrf7rWZKNHr7/Pm7yWtmMIPQ17bwBRyHT
ELld/mqO4KPj5W+si/xh0HWoo5IfLMzBFRc2OwWrWHa+Y50wXe19gwy3JI8QqJAC
7miBBc3ZTy7M75di0XVrgvPQNFbTWX7Z032TzhsX3v0YS+ZQcneIYN3/XpUFYf7Y
Md00HuFtYR6AcwU+OyLCNAdImw4GjaaBxE3pTV3f4QTNW4VushKqG829Tn5T6llJ
rxFwsxGHD68vmc7padtt0FoUGpUvL9u/NmLhmf98uLlcTnkzYe7bS29AfUmybuFl
nfZF/icUJIJd9qQ4AaxHVNq2AsGteXG2k2TspAZ71l4c2n9AFkdlRyQqi3cySYnE
nybU+aa65kKqdP1+HtF1lVxc2NS7dQV5EHrfWitpm3Uoy7VOSD6jqiEElY9iO0Yv
B9CeHFCbPbptH8KgQX9HQ1fvkjFHSqKRZUNcwSv9Ji2+QaeYeo9SiV+B/0h9BCq4
TVCR9a8YM0TyVV9ohzPY5k9duZLKBlHz4LFbb6BS/m6YIgFfwvtFWQJnYm90K3li
51oTqNv9omSxC0kv9GE1oLYSLOwkGZ8MFIUFteHBnk6HpIjJeWUdEqyJ5rzta1iQ
/ZVAPy66/7hSXWCYMrkgOKUI2qH8OIk88d44z2DYaaFLiFH3Mbj8VtxWOno5xQMj
Ko/6q5J6tjfawZ9V5zGxxb4xYAjCMzDszwIDAQABo0IwQDAdBgNVHQ4EFgQUe8DG
ewTEZgzNMv+wb+HZUf0c7rcwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
AQYwDQYJKoZIhvcNAQELBQADggPBAFizLQCOwnJb7ZGOPJhmauRhww/RUZgMZHk9
AayKOH+v/IAxg4aoebkPGG0uOu8KwLEwOX6kPe1ONT6e8aMp3cwBHmJr7Vt3MbNM
kR1pcCBEh+A3F6C6xOVXxZAa8h4NrKowEcPaHD86KLVtEqxFtmzwsrJu8FUzjikQ
rJ5hrDXs7cfjUcKGUhB6nPYiXWVlGGK36W6+ZEbb3BVF6xpCRYPXqt1jJErtudU1
hiciM2omSzIKFXUYGVjpa7SErACjeNOdfSU8XlF/AcqQ0UAr0kXhT/tujS7MBAc0
B5HGjE+l5H3deA+wnQGdbokWbTqU3ThXvEnC4bWqVI/RixPbNS/RgF5F+1NgYdXD
4ZwhYKODNOaevIZw/jaLNVUo4PSwge03WQ569qdmobY2RTCVyIDWQKkSv0exMwn6
idSfwld1akfdhz+z0T0TvF6C6l863EY1Hh+DQBwdXro3GKN1L2CnhGebeRet+ypb
2IRd8v/MgUwI5Bfst8+sTA+Rikz6ke0kOfkEOhiwscNX7Zvxz6u/B/FS71feCnbn
5MRfaZNxDNQ/IxJVjD3mebM8XoasH15/7JbY2k3JQDLutctuhidJReaJMID6uu8h
QpK6+KdRFmEEE9qHrMWcwBlVgC1KMrswEgtJFeweWyPU0qNOxiIZvOK6I2eITFTQ
vxBhkdnr99e8ie6DDaMsgaTCOFjDULf+P/K8ovBSnQQfwoW91gZ3MHuQPSmS3EGp
QEu7fLeRB2UrA6/koBirpXYAvBDoIUHH11OAQSFnr/7RnRRMqX4WHUthpPSx6Ij+
xPFgPm3VqZAUPpVdffB7Hq9fgGOozrGnobKaEPfZ5wD6M9dhyTWxwslgC6UdCKiy
HVYVuLleNrPfanZsXp2n5VTcGmzDNPLCxu56aEmjQdZUNHjJK9LSUpQjNdfEv8bg
IRhPenq+6Ks0+vdNGks8N+lfHHaxbZZw9fXbtBW6LHElgLOYStMajQ5pJN7jDDhk
gm5U0XRH5eVpscEEEnKKP3HAn9zbug7oPVJKI1YEm4zrT2IZf/W9HkjZf4mEPI31
ZyHWge5azfrCU2Cglx6AotyWieaZ2Z1II6AHmgIGKQTrA3kGa6BBmNKPLbTjy8Je
eHShkinJfQcDyj+M9XHwxH1qG6wzN08DVERGtnYcVYp9e+VYTqn44f5786L45jvg
C11HqLeq+PPAZbDkHCKPnrnRj6ZKpChvbCcxSVjATYA74+IiquxOuqUNnrgXjGtO
LTdqzPMtDWs0tADrzjEOpcSFzR4WCw==
-----END CERTIFICATE-----