diff --git a/.gitignore b/.gitignore index 37cc43db..7d1b43f7 100644 --- a/.gitignore +++ b/.gitignore @@ -31,6 +31,7 @@ result *.log out .secret +terraform/**/*.pem # Local .terraform directories **/.terraform/* diff --git a/flake.lock b/flake.lock index 621c2aca..b9b4e4e7 100644 --- a/flake.lock +++ b/flake.lock @@ -314,6 +314,26 @@ "type": "github" } }, + "nixpkgs-terraform-providers-bin": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1679532506, + "narHash": "sha256-ZyWIpRVdlzash46WWQUb2fqFuFWQAvjAhGbpF9qU06U=", + "owner": "nix-community", + "repo": "nixpkgs-terraform-providers-bin", + "rev": "dc01babcab88fa95ac00cd4796909545edf0f66f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs-terraform-providers-bin", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1678230755, @@ -365,6 +385,7 @@ "flake-utils": "flake-utils_3", "nixos-generators": "nixos-generators", "nixpkgs": "nixpkgs_2", + "nixpkgs-terraform-providers-bin": "nixpkgs-terraform-providers-bin", "rust-overlay": "rust-overlay_2", "terranix": "terranix" } diff --git a/flake.nix b/flake.nix index b334ddaa..a364928c 100644 --- a/flake.nix +++ b/flake.nix @@ -38,6 +38,12 @@ url = "github:terranix/terranix"; inputs.nixpkgs.follows = "nixpkgs"; }; + + # fixed derivation for terraform packages + nixpkgs-terraform-providers-bin = { + url = "github:nix-community/nixpkgs-terraform-providers-bin"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; nixConfig = { @@ -47,305 +53,347 @@ }; # inputs and systems are know ahead of time -> we can evalute all nix -> flake make nix """statically typed""" - outputs = { self, nixpkgs, devenv, rust-overlay, crane, flake-utils, terranix, nixos-generators } @ inputs: - flake-utils.lib.eachDefaultSystem (system: - let - - overlays = [ (import rust-overlay) ]; - pkgs = import nixpkgs { - inherit system overlays; - }; - - # not optimal as not all packages requires this, - # but many build.rs do - so we add little bit slowness for simplificaiton and reproduceability - rust-native-build-inputs = with pkgs; [ clang pkg-config gnumake ]; + outputs = { self, nixpkgs, devenv, rust-overlay, crane, flake-utils, terranix, nixos-generators, nixpkgs-terraform-providers-bin } @ inputs: + let + per_system = flake-utils.lib.eachDefaultSystem (system: + let + + overlays = [ (import rust-overlay) ]; + pkgs = import nixpkgs { + inherit system overlays; + }; - # reusable env for shell and builds - rust-env = with pkgs; { - LD_LIBRARY_PATH = pkgs.lib.strings.makeLibraryPath [ - pkgs.stdenv.cc.cc.lib - pkgs.llvmPackages.libclang.lib - ]; - LIBCLANG_PATH = "${pkgs.llvmPackages.libclang.lib}/lib"; - PROTOC = "${pkgs.protobuf}/bin/protoc"; - ROCKSDB_LIB_DIR = "${pkgs.rocksdb}/lib"; - RUSTUP_TOOLCHAIN = "nightly-2022-12-20"; # could read from toml for dylint - }; + # not optimal as not all packages requires this, + # but many build.rs do - so we add little bit slowness for simplificaiton and reproduceability + rust-native-build-inputs = with pkgs; [ clang pkg-config gnumake ]; + + # reusable env for shell and builds + rust-env = with pkgs; { + LD_LIBRARY_PATH = pkgs.lib.strings.makeLibraryPath [ + pkgs.stdenv.cc.cc.lib + pkgs.llvmPackages.libclang.lib + ]; + LIBCLANG_PATH = "${pkgs.llvmPackages.libclang.lib}/lib"; + PROTOC = "${pkgs.protobuf}/bin/protoc"; + ROCKSDB_LIB_DIR = "${pkgs.rocksdb}/lib"; + RUSTUP_TOOLCHAIN = "nightly-2022-12-20"; # could read from toml for dylint + }; - darwin = pkgs.lib.optionals pkgs.stdenv.isDarwin (with pkgs.darwin.apple_sdk; [ - frameworks.Security - ]); - - common-attrs = rust-env // { - buildInputs = with pkgs; [ openssl zstd ]; - nativeBuildInputs = with pkgs; - rust-native-build-inputs ++ [ openssl ] ++ darwin; - doCheck = false; - cargoCheckCommand = "true"; - src = rust-src; - }; + darwin = pkgs.lib.optionals pkgs.stdenv.isDarwin (with pkgs.darwin.apple_sdk; [ + frameworks.Security + ]); + + common-attrs = rust-env // { + buildInputs = with pkgs; [ openssl zstd ]; + nativeBuildInputs = with pkgs; + rust-native-build-inputs ++ [ openssl ] ++ darwin; + doCheck = false; + cargoCheckCommand = "true"; + src = rust-src; + }; - common-wasm-attrs = common-attrs // rec { - # really would could read it from Cargo.toml and reuse in here and in CI publish script as refactoring - pname = "golden-gate-runtime"; - cargoExtraArgs = "--package ${pname} --target wasm32-unknown-unknown --no-default-features --features=aura,with-rocksdb-weights"; - RUSTFLAGS = - "-Clink-arg=--export=__heap_base -Clink-arg=--import-memory"; - version = "0.1.0"; - }; + common-wasm-attrs = common-attrs // rec { + # really would could read it from Cargo.toml and reuse in here and in CI publish script as refactoring + pname = "golden-gate-runtime"; + cargoExtraArgs = "--package ${pname} --target wasm32-unknown-unknown --no-default-features --features=aura,with-rocksdb-weights"; + RUSTFLAGS = + "-Clink-arg=--export=__heap_base -Clink-arg=--import-memory"; + version = "0.1.0"; + }; - common-native-release-attrs = common-attrs // rec { - cargoExtraArgs = "--package ${pname}"; - pname = "golden-gate-node"; - version = "0.1.0"; - }; + common-native-release-attrs = common-attrs // rec { + cargoExtraArgs = "--package ${pname}"; + pname = "golden-gate-node"; + version = "0.1.0"; + }; - # calls `cargo vendor` on package deps - common-wasm-deps = - craneLib.buildDepsOnly (common-wasm-attrs // { }); - common-native-release-deps = - craneLib.buildDepsOnly (common-native-release-attrs // { }); - - - # rust used by ci and developers - rust-toolchain = - pkgs.rust-bin.fromRustupToolchainFile ./rust-toolchain.toml; - craneLib = (crane.mkLib pkgs).overrideToolchain rust-toolchain; - - # do not consier target to be part of source - rust-src = pkgs.lib.cleanSourceWith { - src = pkgs.lib.cleanSource ./.; - filter = pkgs.nix-gitignore.gitignoreFilterPure - (name: type: - # nix files are not used as part of build - ( - (type == "regular" && pkgs.lib.strings.hasSuffix ".nix" name) - == false - && - (type == "directory" && ".github" == name) == false - && (type == "directory" && "terraform" == name) == false - - # risky, until we move code into separate repo as rust can do include_str! as doc, but good optimization - && (type == "regular" && pkgs.lib.strings.hasSuffix ".md" name) == false + # calls `cargo vendor` on package deps + common-wasm-deps = + craneLib.buildDepsOnly (common-wasm-attrs // { }); + common-native-release-deps = + craneLib.buildDepsOnly (common-native-release-attrs // { }); + + + # rust used by ci and developers + rust-toolchain = + pkgs.rust-bin.fromRustupToolchainFile ./rust-toolchain.toml; + craneLib = (crane.mkLib pkgs).overrideToolchain rust-toolchain; + + # do not consier target to be part of source + rust-src = pkgs.lib.cleanSourceWith { + src = pkgs.lib.cleanSource ./.; + filter = pkgs.nix-gitignore.gitignoreFilterPure + (name: type: + # nix files are not used as part of build + ( + (type == "regular" && pkgs.lib.strings.hasSuffix ".nix" name) + == false + && + (type == "directory" && ".github" == name) == false + && (type == "directory" && "terraform" == name) == false + + # risky, until we move code into separate repo as rust can do include_str! as doc, but good optimization + && (type == "regular" && pkgs.lib.strings.hasSuffix ".md" name) == false + ) ) - ) - [ ./.gitignore ] ./.; - }; + [ ./.gitignore ] ./.; + }; - golden-gate-runtime = craneLib.buildPackage (common-wasm-attrs // { - installPhase = '' - mkdir --parents $out/lib - cp ./target/wasm32-unknown-unknown/release/wbuild/${common-wasm-attrs.pname}/golden_gate_runtime.compact.compressed.wasm $out/lib - ''; - src = rust-src; - cargoArtifacts = common-wasm-deps; - }); - - golden-gate-node = craneLib.buildPackage (common-native-release-attrs // { - src = rust-src; - cargoArtifacts = common-native-release-deps; - nativeBuildInputs = common-native-release-attrs.nativeBuildInputs ++ [ pkgs.git ]; # parity does some git hacks in build.rs - }); - - - # really need to run as some points: - # - light client emulator (ideal for contracts) - # - multi node local fast (fast druation low security) - # - multi local slow (duration and security as in prod) - # - here can apply above to remote with something if needed (terranix/terraform-ng works) - # for each - # - either start from genesis - # - of from fork (remote prod data) - # all with - archieval and logging enabled - - single-fast = pkgs.writeShellApplication rec { - name = "single-fast"; - text = '' - ${pkgs.lib.meta.getExe golden-gate-node} --dev - ''; - }; + golden-gate-runtime = craneLib.buildPackage (common-wasm-attrs // { + installPhase = '' + mkdir --parents $out/lib + cp ./target/wasm32-unknown-unknown/release/wbuild/${common-wasm-attrs.pname}/golden_gate_runtime.compact.compressed.wasm $out/lib + ''; + src = rust-src; + cargoArtifacts = common-wasm-deps; + }); + + golden-gate-node = craneLib.buildPackage (common-native-release-attrs // { + src = rust-src; + cargoArtifacts = common-native-release-deps; + nativeBuildInputs = common-native-release-attrs.nativeBuildInputs ++ [ pkgs.git ]; # parity does some git hacks in build.rs + }); + + + # really need to run as some points: + # - light client emulator (ideal for contracts) + # - multi node local fast (fast druation low security) + # - multi local slow (duration and security as in prod) + # - here can apply above to remote with something if needed (terranix/terraform-ng works) + # for each + # - either start from genesis + # - of from fork (remote prod data) + # all with - archieval and logging enabled + + single-fast = pkgs.writeShellApplication rec { + name = "single-fast"; + text = '' + ${pkgs.lib.meta.getExe golden-gate-node} --dev + ''; + }; - # we do not use existing Dotsama tools as they target relay + parachains - # here we can evolve into generating arion/systemd/podman/k8s output (what ever will fit) easy - multi-fast = pkgs.writeShellApplication rec { - name = "multi-fast"; - text = '' - WS_PORT_ALICE=''${WS_PORT_ALICE:-9988} - WS_PORT_BOB=''${WS_PORT_BOB:-9989} - WS_PORT_CHARLIE=''${WS_PORT_CHARLIE:-9990} - ( ${pkgs.lib.meta.getExe golden-gate-node} --chain=local --rpc-cors=all --alice --tmp --ws-port="$WS_PORT_ALICE" &> alice.log ) & - ( ${pkgs.lib.meta.getExe golden-gate-node} --chain=local --rpc-cors=all --bob --tmp --ws-port="$WS_PORT_BOB" &> bob.log ) & - ( ${pkgs.lib.meta.getExe golden-gate-node} --chain=local --rpc-cors=all --charlie --tmp --ws-port="$WS_PORT_CHARLIE" &> charlie.log ) & - echo https://polkadot.js.org/apps/?rpc=ws://127.0.0.1:"$WS_PORT_ALICE"#/explorer - ''; - }; + # we do not use existing Dotsama tools as they target relay + parachains + # here we can evolve into generating arion/systemd/podman/k8s output (what ever will fit) easy + multi-fast = pkgs.writeShellApplication rec { + name = "multi-fast"; + text = '' + WS_PORT_ALICE=''${WS_PORT_ALICE:-9988} + WS_PORT_BOB=''${WS_PORT_BOB:-9989} + WS_PORT_CHARLIE=''${WS_PORT_CHARLIE:-9990} + ( ${pkgs.lib.meta.getExe golden-gate-node} --chain=local --rpc-cors=all --alice --tmp --ws-port="$WS_PORT_ALICE" &> alice.log ) & + ( ${pkgs.lib.meta.getExe golden-gate-node} --chain=local --rpc-cors=all --bob --tmp --ws-port="$WS_PORT_BOB" &> bob.log ) & + ( ${pkgs.lib.meta.getExe golden-gate-node} --chain=local --rpc-cors=all --charlie --tmp --ws-port="$WS_PORT_CHARLIE" &> charlie.log ) & + echo https://polkadot.js.org/apps/?rpc=ws://127.0.0.1:"$WS_PORT_ALICE"#/explorer + ''; + }; - lint = pkgs.writeShellApplication rec { - name = "lint"; - text = '' - ${pkgs.lib.meta.getExe pkgs.nodePackages.markdownlint-cli2} "**/*.md" "#.devenv" "#target" - ''; - }; + lint = pkgs.writeShellApplication rec { + name = "lint"; + text = '' + ${pkgs.lib.meta.getExe pkgs.nodePackages.markdownlint-cli2} "**/*.md" "#.devenv" "#target" + ''; + }; - tf-init = pkgs.writeShellApplication rec { - name = "tf-init"; - text = '' - # here you manually obtain login key - aws configure - ''; - }; + tf-init = pkgs.writeShellApplication rec { + name = "tf-init"; + text = '' + # here you manually obtain login key + aws configure + ''; + }; - # can use envvars override to allow run non shared "cloud" for tests - age-pub = "age1a8k02z579lr0qr79pjhlneffjw3dvy3a8j5r4fw3zlphd6cyaf5qukkat5"; - cloud-tools = with pkgs; [ - awscli2 - terraform - sops - age - ]; - nixos-node-vm-ami = nixos-generators.nixosGenerate { - system = "x86_64-linux"; - modules = [ - { - nixpkgs.overlays = [ - (_: _: { - substrate-node = golden-gate-node; - }) - ]; - } - # ./configuration.nix - ] ++ [ ({ ... }: { amazonImage.sizeMB = 16 * 1024; }) ] - ; - format = "amazon"; - }; - tf-apply = pkgs.writeShellApplication rec { - name = "tf-apply"; - runtimeInputs = cloud-tools; - text = '' - # send variables to terraform - TF_VAR_DOMAIN_NAME=ggchain.technology - TF_VAR_VALIDATOR_NAME=ggchain - export TF_VAR_DOMAIN_NAME - export TF_VAR_VALIDATOR_NAME - - cd ./terraform - # generate terraform input from nix - cp --force ${tf-config} config.tf.json + # can use envvars override to allow run non shared "cloud" for tests + age-pub = "age1a8k02z579lr0qr79pjhlneffjw3dvy3a8j5r4fw3zlphd6cyaf5qukkat5"; + cloud-tools = with pkgs; [ + awscli2 + terraform + sops + age + nixos-rebuild + ]; + + # seldom to change node image to terraform onto cloud as template + node-image = nixos-generators.nixosGenerate { + system = "x86_64-linux"; + modules = [ + { + nixpkgs.overlays = [ + (_: _: { + substrate-node = golden-gate-node; + }) + ]; + } + ./flake/nixos-amazon.nix + ] ++ [ ({ ... }: { amazonImage.sizeMB = 16 * 1024; }) ] + ; + format = "amazon"; + }; + tf-apply = pkgs.writeShellApplication rec { + name = "tf-apply"; + runtimeInputs = cloud-tools; + text = '' + # send variables to terraform + TF_VAR_DOMAIN_NAME=ggchain.technology + TF_VAR_VALIDATOR_NAME=ggchain + TF_VAR_NODE_IMAGE="$(find ${node-image} -type f -name '*.vhd')" + export TF_VAR_DOMAIN_NAME + export TF_VAR_VALIDATOR_NAME + export TF_VAR_NODE_IMAGE + + cd ./terraform + # generate terraform input from nix + cp --force ${tf-config} config.tf.json - # silly check to avoid providers rechek all the time (nixified version would be more robust) - if [[ ! -d .terraform/providers ]]; then - terraform init --upgrade - fi + # silly check to avoid providers rechek all the time (nixified version would be more robust) + if [[ ! -d .terraform/providers ]]; then + terraform init --upgrade + fi - # decrypt secret state (should run only on CI eventually for safety) - # if there is encrypted state, decrypt it - if [[ -f terraform.tfstate.sops ]]; then - # uses age, so can use any of many providers (including aws) - sops --decrypt --age ${age-pub} terraform.tfstate.sops > terraform.tfstate - fi + # decrypt secret state (should run only on CI eventually for safety) + # if there is encrypted state, decrypt it + if [[ -f terraform.tfstate.sops ]]; then + # uses age, so can use any of many providers (including aws) + sops --decrypt --age ${age-pub} terraform.tfstate.sops > terraform.tfstate + fi - # apply state to cloud, eventually should manually approve in CI - terraform apply -auto-approve - # encrypt update state back and push it (later in CI special job) - sops --encrypt --age ${age-pub} terraform.tfstate > terraform.tfstate.sops - # seems good idea to encrypt backup here too - ''; - }; + # apply state to cloud, eventually should manually approve in CI + terraform apply -auto-approve + # encrypt update state back and push it (later in CI special job) + sops --encrypt --age ${age-pub} terraform.tfstate > terraform.tfstate.sops + # seems good idea to encrypt backup here too + ''; + }; - tf-config = terranix.lib.terranixConfiguration { - inherit system; - modules = [ ./flake/terraform.nix ]; - }; - in - rec { - packages = flake-utils.lib.flattenTree { - inherit golden-gate-runtime golden-gate-node single-fast multi-fast tf-config tf-apply lint nixos-node-vm-ami; - node = golden-gate-node; - runtime = golden-gate-runtime; - default = golden-gate-runtime; - # we should prune 3 things: - # - running process - # - logs/storages of run proccess - # - system prunce of nix cache/oci images - prune-running = pkgs.writeShellApplication rec { - name = "prune-running"; - text = '' - pkill golden-gate-nod - ''; + tf-config = terranix.lib.terranixConfiguration { + inherit system; + modules = [ ./flake/terraform.nix ]; + }; + in + rec { + + packages = flake-utils.lib.flattenTree { + inherit golden-gate-runtime golden-gate-node single-fast multi-fast tf-config tf-apply lint node-image; + node = golden-gate-node; + runtime = golden-gate-runtime; + default = golden-gate-runtime; + # we should prune 3 things: + # - running process + # - logs/storages of run proccess + # - system prunce of nix cache/oci images + prune-running = pkgs.writeShellApplication rec { + name = "prune-running"; + text = '' + pkill golden-gate-nod + ''; + }; }; - }; - devShells = { - default = devenv.lib.mkShell { - inherit inputs pkgs; - modules = - let - - dylib = { - buildInputs = with pkgs; [ openssl ] ++ darwin; - nativeBuildInputs = rust-native-build-inputs; - doCheck = false; - }; - rust-deps = pkgs.makeRustPlatform { - inherit pkgs; - # dylint needs nightly - cargo = pkgs.rust-bin.beta.latest.default; - rustc = pkgs.rust-bin.beta.latest.default; - }; - cargo-dylint = with pkgs; rust-deps.buildRustPackage (rec { - pname = "cargo-dylint"; - version = "2.1.5"; - src = fetchCrate { - inherit pname version; - sha256 = "sha256-kH6dhUFaQpQ0kvzNyLIXjFAO8VNa2jah6ZaDO7LQKO0="; - }; + devShells = { + default = devenv.lib.mkShell { + inherit inputs pkgs; + modules = + let - cargoHash = "sha256-YvQI3H/4eWe6r2Tg8qHJqfnw/NpuGHtkRuTL4EzF0xo="; - cargoDepsName = pname; - } // dylib); - dylint-link = with pkgs; rust-deps.buildRustPackage (rec { - pname = "dylint-link"; - version = "2.1.5"; - src = fetchCrate { - inherit pname version; - sha256 = "sha256-oarEYhv0i2wAPmahx0vgWN3kmfEsK3s6D3+qkOqF9pc="; + dylib = { + buildInputs = with pkgs; [ openssl ] ++ darwin; + nativeBuildInputs = rust-native-build-inputs; + doCheck = false; }; - - cargoHash = "sha256-pMr9hddHAIyIclHRpxqdUaHphjSAVDnvfNjWGDA2EM4="; - cargoDepsName = pname; - } // dylib); - # can `cargo-contract` and nodejs ui easy here - in - [ - { - packages = with pkgs; - [ - rust-toolchain - binaryen - llvmPackages.bintools - dylint-link - nodejs-18_x - nodePackages.markdownlint-cli2 - ] - ++ rust-native-build-inputs ++ darwin ++ cloud-tools; - env = rust-env; - # can do systemd/docker stuff here - enterShell = '' - echo ggshell - ''; - - # GH Codespace easy to run (e.g. for Mac users, low spec machines or Frontend developers or hackatons) - devcontainer.enable = true; - } - ]; + rust-deps = pkgs.makeRustPlatform { + inherit pkgs; + # dylint needs nightly + cargo = pkgs.rust-bin.beta.latest.default; + rustc = pkgs.rust-bin.beta.latest.default; + }; + cargo-dylint = with pkgs; rust-deps.buildRustPackage (rec { + pname = "cargo-dylint"; + version = "2.1.5"; + src = fetchCrate { + inherit pname version; + sha256 = "sha256-kH6dhUFaQpQ0kvzNyLIXjFAO8VNa2jah6ZaDO7LQKO0="; + }; + + cargoHash = "sha256-YvQI3H/4eWe6r2Tg8qHJqfnw/NpuGHtkRuTL4EzF0xo="; + cargoDepsName = pname; + } // dylib); + dylint-link = with pkgs; rust-deps.buildRustPackage (rec { + pname = "dylint-link"; + version = "2.1.5"; + src = fetchCrate { + inherit pname version; + sha256 = "sha256-oarEYhv0i2wAPmahx0vgWN3kmfEsK3s6D3+qkOqF9pc="; + }; + + cargoHash = "sha256-pMr9hddHAIyIclHRpxqdUaHphjSAVDnvfNjWGDA2EM4="; + cargoDepsName = pname; + } // dylib); + # can `cargo-contract` and nodejs ui easy here + in + [ + { + packages = with pkgs; + [ + rust-toolchain + binaryen + llvmPackages.bintools + dylint-link + nodejs-18_x + nodePackages.markdownlint-cli2 + ] + ++ rust-native-build-inputs ++ darwin ++ cloud-tools; + env = rust-env; + # can do systemd/docker stuff here + enterShell = '' + echo ggshell + ''; + + # GH Codespace easy to run (e.g. for Mac users, low spec machines or Frontend developers or hackatons) + devcontainer.enable = true; + } + ]; + }; + }; + } + ); + in + per_system // { + nixosConfigurations = + let + # nixos config for one and only one system + # so it is invere of packages (packages for all systems) + system = "x86_64-linux"; + overlays = [ + (import rust-overlay) + (_: _: { + golden-gate-node = per_system.packages.${system}.golden-gate-node; + }) + ]; + pkgs = import nixpkgs { + inherit system overlays; + }; + in + { + # so basically cp pasted config to remote node with node binry + node-test = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + { + nixpkgs.overlays = [ + (_: _: { + golden-gate-node = pkgs.golden-gate-node; + }) + ]; + } + ./flake/nixos-amazon.nix + ] + ++ [ ({ ... }: { environment.systemPackages = [ pkgs.golden-gate-node ]; }) ]; }; }; - } - ); + }; } diff --git a/flake/nixos-amazon.nix b/flake/nixos-amazon.nix index 31745fd8..6f9016bb 100644 --- a/flake/nixos-amazon.nix +++ b/flake/nixos-amazon.nix @@ -1,54 +1,63 @@ ({ pkgs, lib, config, options, specialArgs, modulesPath }: - let size = 100 * 1024; +let size = 100 * 1024; - in { - nix = { - package = pkgs.nixFlakes; - extraOptions = '' - experimental-features = nix-command flakes - sandbox = relaxed - ''; - - trustedUsers = [ "root" "dzmitry_lahoda_gmail_com" "admin" ]; +in { + system.stateVersion = "22.11"; + nix = { + package = pkgs.nixFlakes; + extraOptions = '' + experimental-features = nix-command flakes + sandbox = relaxed + ''; + settings = { + trusted-users = [ "root" "admin" ]; + extra-substituters = [ "https://cache.nixos.org" "https://golden-gate-ggx.cachix.org" ]; + extra-trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "golden-gate-ggx.cachix.org-1:h2zGCI9FqxUS7HxnZJDHaJzbN4iTsWvBcETdd+/0ZD4=" ]; }; + domain = "ggchain.technology"; + }; - imports = - [ "${toString modulesPath}/virtualisation/amazon-image.nix" ]; - services.openssh.passwordAuthentication = lib.mkForce true; - services.openssh.permitRootLogin = lib.mkForce "yes"; + imports = + [ "${toString modulesPath}/virtualisation/amazon-image.nix" ]; + services.openssh.passwordAuthentication = lib.mkForce true; + services.openssh.permitRootLogin = lib.mkForce "yes"; - security.acme.defaults.email = "dzmitry@lahoda.pro"; - security.acme.acceptTerms = true; - services.nginx.enable = true; - services.nginx.virtualHosts."composablefi.tech" = { - addSSL = true; - enableACME = true; - #root = "/var/www/composablefi.tech"; - root = pkgs.runCommand "testdir" { } '' - mkdir "$out" - echo hello world > "$out/index.html" - ''; - locations."/" = { - proxyPass = "http://127.0.0.1:9988"; - proxyWebsockets = true; - }; + security = { + acme = { + defaults.email = "dzmitry@lahoda.pro"; + acceptTerms = true; }; - services.nginx.virtualHosts.localhost = { - root = pkgs.runCommand "testdir" { } '' - mkdir "$out" - echo hello world > "$out/index.html" - ''; + }; + services.nginx.enable = true; + services.nginx.virtualHosts."ggchain.technology" = { + #addSSL = true; + #enableACME = true; + #root = "/var/www/ggchain.technology"; + root = pkgs.runCommand "testdir" { } '' + mkdir "$out" + echo hello world > "$out/index.html" + ''; + locations."/" = { + proxyPass = "http://127.0.0.1:9988"; + proxyWebsockets = true; }; - services.nginx.logError = "stderr debug"; + }; + services.nginx.virtualHosts.localhost = { + root = pkgs.runCommand "testdir" { } '' + mkdir "$out" + echo hello world > "$out/index.html" + ''; + }; + services.nginx.logError = "stderr debug"; - networking.firewall = { - enable = true; - allowedTCPPorts = [ 80 443 8080 8443 5000 5001 3000 9988 9944 9933]; - allowedTCPPortRanges = [{ - from = 9000; - to = 40000; - }]; - }; + networking.firewall = { + enable = true; + allowedTCPPorts = [ 80 443 8080 8443 5000 5001 3000 9988 9944 9933 ]; + allowedTCPPortRanges = [{ + from = 80; + to = 40000; + }]; + }; - environment.systemPackages = [ pkgs.git ]; - }) \ No newline at end of file + environment.systemPackages = [ pkgs.git ]; +}) diff --git a/flake/terraform.nix b/flake/terraform.nix index 8bc4ee2b..27f2c222 100644 --- a/flake/terraform.nix +++ b/flake/terraform.nix @@ -1,3 +1,8 @@ +# just link i used to steal config +# https://zimbatm.com/notes/deploying-to-aws-with-terraform-and-nix +# https://xeiaso.net/blog/paranoid-nixos-aws-2021-08-11 +# https://github.com/dzmitry-lahoda/web3nix +# security setup of some resources basically low to speed up, needs iterations of hardening { config, lib, options, specialArgs }: let var = options.variable; @@ -6,6 +11,8 @@ let tags = { tool = "terranix"; }; + disk_size_in_gb = 84; + instance_type = "t3.xlarge"; in rec { variable = { @@ -14,6 +21,9 @@ rec { DOMAIN_NAME = { type = "string"; }; + NODE_IMAGE = { + type = "string"; + }; # assuming that it can be run by other validators VALIDATOR_NAME = { @@ -31,9 +41,11 @@ rec { output = { # output = { instance_ip_addr = { value = "aws_instance\&.server\&.private_ip"; } ; } ; } node_public_dns = { - value = "\${resource.aws_instance.node.public_dns}"; + value = "\${resource.aws_instance.node-test.public_dns}"; }; - node_public_ip = { value = "\${resource.aws_instance.node.public_ip}"; }; + node_public_ip = { value = "\${resource.aws_instance.node-test.public_ip}"; }; + + ssh = { value = "ssh -i ./terraform/id_rsa.pem root@\${resource.aws_instance.node-test.public_dns}"; }; }; # just for running some machines, here will be nixos-generators based VM uploaded to S3 with running validator @@ -51,10 +63,187 @@ rec { owners = [ "099720109477" ]; # Canonical }; }; + + # Permissions for the AWS instance + aws_iam_policy_document = { + machine = { + statement = { + sid = "1"; + # not secure + actions = [ + "s3:ListAllMyBuckets" + "s3:GetBucketLocation" + "s3:ListBucket" + "s3:GetObject" + "s3:GetBucketLocation" + ]; + + resources = [ + "arn:aws:s3:::*" + ]; + }; + }; + }; + }; resource = { + # generate a SSH key-pair + tls_private_key = { + machine = { + algorithm = "RSA"; + }; + }; + + # Record the SSH public key into AWS + aws_key_pair = { + machine = { + key_name = "centralization-risk-\${var.VALIDATOR_NAME}"; + public_key = "\${tls_private_key.machine.public_key_openssh}"; + }; + }; + + # Store the private key locally. This is going to be used by the deploy_nixos module below + # to deploy NixOS. + local_file = { + machine_ssh_key = { + sensitive_content = "\${tls_private_key.machine.private_key_pem}"; + filename = "id_rsa.pem"; + file_permission = "0600"; + }; + }; + + aws_security_group = { + machine = { + name = "\${var.VALIDATOR_NAME}"; + }; + }; + + # A bunch of rules for the group + aws_security_group_rule = { + machine_ingress_ssh = { + description = "non secure access via all ports"; + type = "ingress"; + from_port = 0; + to_port = 65535; + protocol = "tcp"; + cidr_blocks = [ "0.0.0.0/0" ]; + security_group_id = "\${aws_security_group.machine.id}"; + }; + machine_egress_all = { + description = "Allow to connect to the whole Internet"; + type = "egress"; + from_port = 0; + to_port = 0; + protocol = "-1"; + cidr_blocks = [ "0.0.0.0/0" ]; + security_group_id = "\${aws_security_group.machine.id}"; + }; + }; + + # A bunch of IAM resources needed to give permissions to the instance + aws_iam_role = { + machine = { + name = "\${var.VALIDATOR_NAME}"; + + assume_role_policy = '' + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Principal": { + "Service": "ec2.amazonaws.com" + }, + "Effect": "Allow", + "Sid": "" + } + ] + } + ''; + }; + vmimport = { + name = "vmimport"; + assume_role_policy = '' + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { "Service": "vmie.amazonaws.com" }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals":{ + "sts:Externalid": "vmimport" + } + } + } + ] + } + ''; + }; + + }; + + aws_iam_role_policy = { + machine = { + name = "\${var.VALIDATOR_NAME}"; + role = "\${aws_iam_role.machine.name}"; + policy = "\${data.aws_iam_policy_document.machine.json}"; + }; + + vmimport_policy = { + name = "vmimport"; + role = "\${aws_iam_role.vmimport.id}"; + policy = '' + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:ListBucket", + "s3:GetObject", + "s3:GetBucketLocation" + ], + "Resource": [ + "''${aws_s3_bucket.deploy.arn}", + "''${aws_s3_bucket.deploy.arn}/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetBucketLocation", + "s3:GetObject", + "s3:ListBucket", + "s3:PutObject", + "s3:GetBucketAcl" + ], + "Resource": [ + "''${aws_s3_bucket.deploy.arn}", + "''${aws_s3_bucket.deploy.arn}/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "ec2:ModifySnapshotAttribute", + "ec2:CopySnapshot", + "ec2:RegisterImage", + "ec2:Describe*" + ], + "Resource": "*" + } + ] + } + ''; + }; + + }; + + aws_s3_bucket = { - terraform-backend = { + deploy = { # just for testing bucket = "new-just-some-storage-\${var.VALIDATOR_NAME}"; inherit tags; @@ -64,14 +253,29 @@ rec { aws_instance = { node = { ami = "\${data.aws_ami.node.id}"; - instance_type = "t3.micro"; + inherit instance_type; inherit tags; associate_public_ip_address = true; credit_specification = { cpu_credits = "unlimited"; }; + key_name = "\${aws_key_pair.machine.key_name}"; + }; + node-test = { + ami = "\${aws_ami.nixos_21_05.id}"; + inherit instance_type; + security_groups = [ + "\${aws_security_group.machine.name}" + ]; + key_name = "\${aws_key_pair.machine.key_name}"; + inherit tags; + associate_public_ip_address = true; + root_block_device = { + volume_size = disk_size_in_gb; + }; }; + }; aws_route53domains_registered_domain = { @@ -80,9 +284,48 @@ rec { inherit tags; }; }; - }; + aws_s3_bucket_object = { + nixos_21_05 = { + bucket = "\${aws_s3_bucket.deploy.bucket}"; + key = "nixos-\${var.VALIDATOR_NAME}.vhd"; + + source = "\${var.NODE_IMAGE}"; + }; + }; + aws_ebs_snapshot_import = { + nixos_21_05 = { + disk_container = { + format = "VHD"; + user_bucket = { + s3_bucket = "\${aws_s3_bucket.deploy.bucket}"; + s3_key = "\${aws_s3_bucket_object.nixos_21_05.key}"; + }; + }; + role_name = "\${aws_iam_role.vmimport.name}"; + }; + }; + + aws_ami = { + nixos_21_05 = { + name = "nixos_21_05"; + architecture = "x86_64"; + virtualization_type = "hvm"; + root_device_name = "/dev/xvda"; + ena_support = true; + sriov_net_support = "simple"; + + ebs_block_device = { + device_name = "/dev/xvda"; + snapshot_id = "\${aws_ebs_snapshot_import.nixos_21_05.id}"; + volume_size = disk_size_in_gb; + delete_on_termination = true; + volume_type = "gp3"; + }; + }; + }; + }; backend = { diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl index adcbc198..048571b0 100644 --- a/terraform/.terraform.lock.hcl +++ b/terraform/.terraform.lock.hcl @@ -22,3 +22,41 @@ provider "registry.terraform.io/hashicorp/aws" { "zh:fe8c2eae8c367d2cb7cade250a8d5f6c411ac4a8214c46df0a1fd90d9eaf7152", ] } + +provider "registry.terraform.io/hashicorp/local" { + version = "2.4.0" + hashes = [ + "h1:R97FTYETo88sT2VHfMgkPU3lzCsZLunPftjSI5vfKe8=", + "zh:53604cd29cb92538668fe09565c739358dc53ca56f9f11312b9d7de81e48fab9", + "zh:66a46e9c508716a1c98efbf793092f03d50049fa4a83cd6b2251e9a06aca2acf", + "zh:70a6f6a852dd83768d0778ce9817d81d4b3f073fab8fa570bff92dcb0824f732", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:82a803f2f484c8b766e2e9c32343e9c89b91997b9f8d2697f9f3837f62926b35", + "zh:9708a4e40d6cc4b8afd1352e5186e6e1502f6ae599867c120967aebe9d90ed04", + "zh:973f65ce0d67c585f4ec250c1e634c9b22d9c4288b484ee2a871d7fa1e317406", + "zh:c8fa0f98f9316e4cfef082aa9b785ba16e36ff754d6aba8b456dab9500e671c6", + "zh:cfa5342a5f5188b20db246c73ac823918c189468e1382cb3c48a9c0c08fc5bf7", + "zh:e0e2b477c7e899c63b06b38cd8684a893d834d6d0b5e9b033cedc06dd7ffe9e2", + "zh:f62d7d05ea1ee566f732505200ab38d94315a4add27947a60afa29860822d3fc", + "zh:fa7ce69dde358e172bd719014ad637634bbdabc49363104f4fca759b4b73f2ce", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "4.0.4" + hashes = [ + "h1:pe9vq86dZZKCm+8k1RhzARwENslF3SXb9ErHbQfgjXU=", + "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55", + "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848", + "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be", + "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5", + "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe", + "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e", + "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48", + "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8", + "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60", + "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e", + "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/terraform/config.tf.json b/terraform/config.tf.json index 32875bee..1d174363 100644 --- a/terraform/config.tf.json +++ b/terraform/config.tf.json @@ -15,14 +15,34 @@ "099720109477" ] } + }, + "aws_iam_policy_document": { + "machine": { + "statement": { + "actions": [ + "s3:ListAllMyBuckets", + "s3:GetBucketLocation", + "s3:ListBucket", + "s3:GetObject", + "s3:GetBucketLocation" + ], + "resources": [ + "arn:aws:s3:::*" + ], + "sid": "1" + } + } } }, "output": { "node_public_dns": { - "value": "${resource.aws_instance.node.public_dns}" + "value": "${resource.aws_instance.node-test.public_dns}" }, "node_public_ip": { - "value": "${resource.aws_instance.node.public_ip}" + "value": "${resource.aws_instance.node-test.public_ip}" + }, + "ssh": { + "value": "ssh -i ./terraform/id_rsa.pem root@${resource.aws_instance.node-test.public_dns}" } }, "provider": { @@ -31,6 +51,57 @@ } }, "resource": { + "aws_ami": { + "nixos_21_05": { + "architecture": "x86_64", + "ebs_block_device": { + "delete_on_termination": true, + "device_name": "/dev/xvda", + "snapshot_id": "${aws_ebs_snapshot_import.nixos_21_05.id}", + "volume_size": 42, + "volume_type": "gp3" + }, + "ena_support": true, + "name": "nixos_21_05", + "root_device_name": "/dev/xvda", + "sriov_net_support": "simple", + "virtualization_type": "hvm" + } + }, + "aws_ebs_snapshot_import": { + "nixos_21_05": { + "disk_container": { + "format": "VHD", + "user_bucket": { + "s3_bucket": "${aws_s3_bucket.deploy.bucket}", + "s3_key": "${aws_s3_bucket_object.nixos_21_05.key}" + } + }, + "role_name": "${aws_iam_role.vmimport.name}" + } + }, + "aws_iam_role": { + "machine": { + "assume_role_policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n },\n \"Effect\": \"Allow\",\n \"Sid\": \"\"\n }\n ]\n}\n", + "name": "${var.VALIDATOR_NAME}" + }, + "vmimport": { + "assume_role_policy": " {\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": { \"Service\": \"vmie.amazonaws.com\" },\n \"Action\": \"sts:AssumeRole\",\n \"Condition\": {\n \"StringEquals\":{\n \"sts:Externalid\": \"vmimport\"\n }\n }\n }\n ]\n}\n", + "name": "vmimport" + } + }, + "aws_iam_role_policy": { + "machine": { + "name": "${var.VALIDATOR_NAME}", + "policy": "${data.aws_iam_policy_document.machine.json}", + "role": "${aws_iam_role.machine.name}" + }, + "vmimport_policy": { + "name": "vmimport", + "policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:ListBucket\",\n \"s3:GetObject\",\n \"s3:GetBucketLocation\"\n ],\n \"Resource\": [\n \"${aws_s3_bucket.deploy.arn}\",\n \"${aws_s3_bucket.deploy.arn}/*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:GetBucketLocation\",\n \"s3:GetObject\",\n \"s3:ListBucket\",\n \"s3:PutObject\",\n \"s3:GetBucketAcl\"\n ],\n \"Resource\": [\n \"${aws_s3_bucket.deploy.arn}\",\n \"${aws_s3_bucket.deploy.arn}/*\"\n ]\n },\n {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:ModifySnapshotAttribute\",\n \"ec2:CopySnapshot\",\n \"ec2:RegisterImage\",\n \"ec2:Describe*\"\n ],\n \"Resource\": \"*\"\n }\n ]\n }\n", + "role": "${aws_iam_role.vmimport.id}" + } + }, "aws_instance": { "node": { "ami": "${data.aws_ami.node.id}", @@ -39,18 +110,96 @@ "cpu_credits": "unlimited" }, "instance_type": "t3.micro", + "key_name": "${aws_key_pair.machine.key_name}", + "tags": { + "tool": "terranix" + } + }, + "node-test": { + "ami": "${aws_ami.nixos_21_05.id}", + "associate_public_ip_address": true, + "instance_type": "t3.micro", + "key_name": "${aws_key_pair.machine.key_name}", + "root_block_device": { + "volume_size": 42 + }, + "security_groups": [ + "${aws_security_group.machine.name}" + ], + "tags": { + "tool": "terranix" + } + } + }, + "aws_key_pair": { + "machine": { + "key_name": "centralization-risk-${var.VALIDATOR_NAME}", + "public_key": "${tls_private_key.machine.public_key_openssh}" + } + }, + "aws_route53domains_registered_domain": { + "nodes": { + "domain_name": "${var.DOMAIN_NAME}", "tags": { "tool": "terranix" } } }, "aws_s3_bucket": { - "terraform-backend": { + "deploy": { "bucket": "new-just-some-storage-${var.VALIDATOR_NAME}", "tags": { "tool": "terranix" } } + }, + "aws_s3_bucket_object": { + "nixos_21_05": { + "bucket": "${aws_s3_bucket.deploy.bucket}", + "key": "nixos-${var.VALIDATOR_NAME}.vhd", + "source": "${var.NODE_IMAGE}" + } + }, + "aws_security_group": { + "machine": { + "name": "${var.VALIDATOR_NAME}" + } + }, + "aws_security_group_rule": { + "machine_egress_all": { + "cidr_blocks": [ + "0.0.0.0/0" + ], + "description": "Allow to connect to the whole Internet", + "from_port": 0, + "protocol": "-1", + "security_group_id": "${aws_security_group.machine.id}", + "to_port": 0, + "type": "egress" + }, + "machine_ingress_ssh": { + "cidr_blocks": [ + "0.0.0.0/0" + ], + "description": "non secure access via all ports", + "from_port": 0, + "protocol": "tcp", + "security_group_id": "${aws_security_group.machine.id}", + "to_port": 65535, + "type": "ingress" + } + }, + "local_file": { + "machine_ssh_key": { + "file_permission": "0600", + "filename": "id_rsa.pem", + "sensitive_content": "${tls_private_key.machine.private_key_pem}" + } + }, + "tls_private_key": { + "machine": { + "algorithm": "RSA" + } } }, "terraform": { @@ -64,6 +213,9 @@ "DOMAIN_NAME": { "type": "string" }, + "NODE_IMAGE": { + "type": "string" + }, "VALIDATOR_NAME": { "description": "should be more than 3 but less then 12 symbols, only lower case letters", "type": "string" diff --git a/terraform/terraform.tfstate.sops b/terraform/terraform.tfstate.sops index 712eb6d7..db816b52 100644 --- a/terraform/terraform.tfstate.sops +++ b/terraform/terraform.tfstate.sops @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:,iv:t6TmCOHGW1urES0xet456BqeQUGCDx+9O1ss7j9dxZQ=,tag:7gvwtT3oAGMQtQhshKDl3w==,type:str]", + "data": "ENC[AES256_GCM,data:,iv:p/7oZ4iNNDWWzxFm9kpYO+OVAoc33shoxRcsaFgw8C4=,tag:MfVgYQjOkbTU38KULKesJQ==,type:str]", "sops": { "kms": null, "gcp_kms": null, @@ -8,11 +8,11 @@ "age": [ { "recipient": "age1a8k02z579lr0qr79pjhlneffjw3dvy3a8j5r4fw3zlphd6cyaf5qukkat5", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZa0RPOU5QTHVCSmtDTFRQ\neFpBc0tOdDJQTnJTR2xrQjZyZ3QvWXJuTnh3CkdYelgvOE1UY3BIK2FwTVpNeTR3\nK25TQlFxMFUwSnhWNnB1S0pDVWZxYzQKLS0tIHgvMFJ0WjB0bWJod1BFS1lHa01l\nTWs5aWtPamRjcFN4M3c0bmxVcGNqVncK63d1D1oGJhCqz7vd5dMdOgdaCVfkkCTj\ncIzXr+4W9ZxX/vGoCtgJKVD1jhD8884wCQMV2pX1vdpjzx7AaWK8eQ==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSUEI0cEMrRmJ3d2N3VGtK\nblVaSG5KaFY0UVlFeHlRcFliK1gxWUJ1OEZBCmJXU1Q2QVZlTDhLdU1lODExTFVZ\nMXJVWGNyQW1qR042SDlQU3kzRlFTcWsKLS0tIElmMUdPaDJiTHBaTlpRRnVXOUNK\nQkt4R0NGOUVrWkVSTnRTNWR5cWJDVTAKcpA/nZJt960MLae6SiJAvnCWEKWE1nC2\nP8WkkT8HxSaI+DTDzfSjC58d2Eid1NTtHAIU7d8ISz7MxCpG5eQCUQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2023-03-22T23:55:35Z", - "mac": "ENC[AES256_GCM,data:qL/LZlf4B/2QoGKWo7e9arpNQxWzZXnELg5omLniJG2z349EucLMfcKl/oY5oQYezN5xTftEZbFZveuK1t/cAhgNBXF2lMVASn1RttdcHgeIHc6V5Z+QAohptBbQZdva2xiPqA4wYzsRfnfJyp/WNQcaazI+22CWk+woaC46ybc=,iv:i4ETrzLLTUEjSenfofs78VlwY8CfaR0QSJhD42HhCY0=,tag:1U5i48rGwYOd9dFX5ClG1Q==,type:str]", + "lastmodified": "2023-03-23T20:37:52Z", + "mac": "ENC[AES256_GCM,data:8HfeFdrm+eKuoAgJq+Ukxo1iYwoBlRFborfvsTVVyY0cU0fjRx64n2/5ppYAcong7RMkHHMg6Ervb7zcK1rXSb1xBfq1SzhtLf7y1E6j009OLiaQZ8vTTgCI3wTsaOYlJt/StKUWDOmnX3PrUAgw3aE7owVFCLJxl54uBYoislg=,iv:pF8b1JGq9ZZkspIqSy8/iQD2FIHG0AsuWq+TiZGCp/U=,tag:wcy5LqYa4Wpejfrp+U0J8g==,type:str]", "pgp": null, "unencrypted_suffix": "_unencrypted", "version": "3.7.3"