From a94389bdccfa639e0877fab164fe89d5f75aee8c Mon Sep 17 00:00:00 2001
From: Remy Moll <me@moll.re>
Date: Fri, 4 Oct 2024 12:11:23 +0200
Subject: [PATCH] use authelia as login source

---
 .../monitoring/grafana-auth.sealedsecret.yaml | 16 ++++
 apps/monitoring/grafana.values.yaml           | 24 ++++++
 apps/monitoring/kustomization.yaml            |  1 +
 .../authelia/authelia-ldap.sealedsecret.yaml  | 16 ++++
 .../authelia/authelia-oidc.sealedsecret.yaml  | 16 ++++
 infrastructure/authelia/authelia.values.yaml  | 83 +++++++++++++++++++
 infrastructure/authelia/ingress.yaml          | 17 ++++
 infrastructure/authelia/kustomization.yaml    | 30 +++++++
 .../lldap-credentials.sealedsecret.yaml       | 18 ++++
 infrastructure/authelia/lldap.deployment.yaml | 54 ++++++++++++
 infrastructure/authelia/lldap.ingress.yaml    |  0
 infrastructure/authelia/lldap.pvc.yaml        | 11 +++
 infrastructure/authelia/lldap.service.yaml    | 10 +++
 infrastructure/authelia/namespace.yaml        |  4 +
 kluster-deployments/authelia/application.yaml | 18 ++++
 .../authelia/kustomization.yaml               |  4 +
 kluster-deployments/kustomization.yaml        |  1 +
 17 files changed, 323 insertions(+)
 create mode 100644 apps/monitoring/grafana-auth.sealedsecret.yaml
 create mode 100644 infrastructure/authelia/authelia-ldap.sealedsecret.yaml
 create mode 100644 infrastructure/authelia/authelia-oidc.sealedsecret.yaml
 create mode 100644 infrastructure/authelia/authelia.values.yaml
 create mode 100644 infrastructure/authelia/ingress.yaml
 create mode 100644 infrastructure/authelia/kustomization.yaml
 create mode 100644 infrastructure/authelia/lldap-credentials.sealedsecret.yaml
 create mode 100644 infrastructure/authelia/lldap.deployment.yaml
 create mode 100644 infrastructure/authelia/lldap.ingress.yaml
 create mode 100644 infrastructure/authelia/lldap.pvc.yaml
 create mode 100644 infrastructure/authelia/lldap.service.yaml
 create mode 100644 infrastructure/authelia/namespace.yaml
 create mode 100644 kluster-deployments/authelia/application.yaml
 create mode 100644 kluster-deployments/authelia/kustomization.yaml

diff --git a/apps/monitoring/grafana-auth.sealedsecret.yaml b/apps/monitoring/grafana-auth.sealedsecret.yaml
new file mode 100644
index 0000000..400a548
--- /dev/null
+++ b/apps/monitoring/grafana-auth.sealedsecret.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: grafana-auth
+  namespace: monitoring
+spec:
+  encryptedData:
+    client_secret: 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
+  template:
+    metadata:
+      creationTimestamp: null
+      name: grafana-auth
+      namespace: monitoring
+    type: Opaque
diff --git a/apps/monitoring/grafana.values.yaml b/apps/monitoring/grafana.values.yaml
index c140449..196b923 100644
--- a/apps/monitoring/grafana.values.yaml
+++ b/apps/monitoring/grafana.values.yaml
@@ -16,6 +16,12 @@ serviceMonitor:
   ##
   enabled: false
 
+envValueFrom:
+  AUTH_GRAFANA_CLIENT_SECRET:
+    secretKeyRef:
+      name: grafana-auth
+      key: client_secret
+
 ingress:
   enabled: false
 
@@ -67,3 +73,21 @@ grafana.ini:
   default_theme: dark
   unified_alerting:
     enabled: false
+  analytics:
+    check_for_updates: false
+  server:
+    domain: grafana.kluster.moll.re
+    root_url: https://grafana.kluster.moll.re
+  auth.generic_oauth:
+    name: Authelia
+    enabled: true
+    allow_sign_up: true
+    client_id: grafana
+    client_secret: ${AUTH_GRAFANA_CLIENT_SECRET}
+    scopes: openid profile email groups
+    auth_url: https://auth.kluster.moll.re/api/oidc/authorization
+    token_url: https://auth.kluster.moll.re/api/oidc/token
+    api_url: https://auth.kluster.moll.re/api/oidc/authorization/userinfo
+    tls_skip_verify_insecure: true
+    auto_login: true
+    use_pkce: true
\ No newline at end of file
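Review bot: `tls_skip_verify_insecure: true` turns off certificate verification for Grafana's back-channel calls to `token_url` and `api_url`, so the authorization code and client secret are sent to a peer that was never authenticated. The Authelia IngressRoute added in this same patch uses `certResolver: default-tls`, so a verifiable certificate is presumably available and the line can become `tls_skip_verify_insecure: false` or be dropped. Separately, `api_url` ends in `/api/oidc/authorization/userinfo`, which looks like a copy of the `auth_url` path; Authelia documents its userinfo endpoint as `/api/oidc/userinfo`, so confirm this one. With `allow_sign_up: true` and no role or group mapping, every account Authelia can authenticate gets a Grafana user, which deserves a comment if intended. The `grafana.ini` mapping starts above this hunk.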
diff --git a/apps/monitoring/kustomization.yaml b/apps/monitoring/kustomization.yaml
index fe9e2d0..293b1b1 100644
--- a/apps/monitoring/kustomization.yaml
+++ b/apps/monitoring/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
   - namespace.yaml
   - grafana.ingress.yaml
   - grafana-admin.sealedsecret.yaml
+  - grafana-auth.sealedsecret.yaml
   # grafana dashboards are provisioned from a git repository
   # in the initial bootstrap of the app of apps, the git repo won't be available, so this sync will initially fail
   - https://git.kluster.moll.re/remoll/grafana-dashboards//?timeout=10&ref=main
diff --git a/infrastructure/authelia/authelia-ldap.sealedsecret.yaml b/infrastructure/authelia/authelia-ldap.sealedsecret.yaml
new file mode 100644
index 0000000..66c0cec
--- /dev/null
+++ b/infrastructure/authelia/authelia-ldap.sealedsecret.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: authelia-ldap
+  namespace: authelia
+spec:
+  encryptedData:
+    ldap.yml: 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
+  template:
+    metadata:
+      creationTimestamp: null
+      name: authelia-ldap
+      namespace: authelia
+    type: Opaque
diff --git a/infrastructure/authelia/authelia-oidc.sealedsecret.yaml b/infrastructure/authelia/authelia-oidc.sealedsecret.yaml
new file mode 100644
index 0000000..cf063d2
--- /dev/null
+++ b/infrastructure/authelia/authelia-oidc.sealedsecret.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: authelia-oidc
+  namespace: authelia
+spec:
+  encryptedData:
+    oidc.yml: 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
+  template:
+    metadata:
+      creationTimestamp: null
+      name: authelia-oidc
+      namespace: authelia
+    type: Opaque
diff --git a/infrastructure/authelia/authelia.values.yaml b/infrastructure/authelia/authelia.values.yaml
new file mode 100644
index 0000000..5d37fda
--- /dev/null
+++ b/infrastructure/authelia/authelia.values.yaml
@@ -0,0 +1,83 @@
+
+ingress:
+  enabled: false
+
+
+pod:
+  kind: 'Deployment'
+  replicas: 1
+  extraVolumes:
+    - name: config-ldap
+      secret:
+        secretName: authelia-ldap
+    - name: config-oidc
+      secret:
+        secretName: authelia-oidc
+  extraVolumeMounts:
+    - name: config-ldap
+      mountPath: /extra-config/ldap.yml
+      readOnly: true
+    - name: config-oidc
+      mountPath: /extra-config/oidc.yml
+      readOnly: true
+      
+
+##
+## Authelia Config Map Generator
+##
+configMap:
+
+  # Enable the configMap source for the Authelia config.
+  # If this is false you need to provide a volumeMount via PV/PVC or other means that mounts to /config.
+  disabled: false
+  key: 'configuration.yml'
+  # do not use a pre-existing configMap
+  # BUT, include sub-maps wich OVERRIDE the values generated by the helm chart
+  extraConfigs:
+    - /extra-config/ldap.yml
+    - /extra-config/oidc.yml
+  
+  session:
+    cookies:
+      - name: authelia_session
+        domain: auth.kluster.moll.re
+  storage:
+    encryption:
+      key: 'supersecretstorage'
+    local:
+      enabled: true
+      file: /config/db.sqlite3
+  notifier:
+    filesystem:
+      enabled: true
+      filename: /config/notification.txt
+
+
+
+
+##
+## Authelia Secret Configuration.
+##
+secret:
+
+  disabled: false
+
+  existingSecret: ''
+
+
+certificates:
+  # don't use the pre-existing secret
+  existingSecret: ''
+
+##
+## Authelia Persistence Configuration.
+##
+## Useful in scenarios where you need persistent storage.
+## Auth Provider Use Case: file; we recommend you use the ldap provider instead.
+## Storage Provider Use Case: local; we recommend you use the mysql/mariadb or postgres provider instead.
+## Configuration Use Case: when you want to manually configure the configuration entirely (set configMap.enabled = false).
+##
+persistence:
+  enabled: true
+  storageClass: 'nfs-client'
+
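Review bot: `storage.encryption.key: 'supersecretstorage'` commits the key that protects Authelia's stored data as plaintext, while every other secret in this patch is sealed. Since `extraConfigs` already loads override files from the sealed `authelia-ldap` and `authelia-oidc` secrets, the key can move into one of those or into a third sealed file. A key that has already been pushed should be treated as disclosed and replaced. Also, a secret volume mounted at `/extra-config/ldap.yml` without `subPath` normally appears as a directory containing `ldap.yml`, so unless the chart rewrites these mounts the `extraConfigs` entries name directories. Adding `subPath: ldap.yml` and `subPath: oidc.yml` to the two mounts would make them files; confirm which is intended.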
diff --git a/infrastructure/authelia/ingress.yaml b/infrastructure/authelia/ingress.yaml
new file mode 100644
index 0000000..b0f8a28
--- /dev/null
+++ b/infrastructure/authelia/ingress.yaml
@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: authelia-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`auth.kluster.moll.re`)
+      kind: Rule
+      services:
+        - name: authelia
+          port: 80
+
+  tls:
+    certResolver: default-tls
diff --git a/infrastructure/authelia/kustomization.yaml b/infrastructure/authelia/kustomization.yaml
new file mode 100644
index 0000000..3ce13e3
--- /dev/null
+++ b/infrastructure/authelia/kustomization.yaml
@@ -0,0 +1,30 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: authelia
+
+resources:
+  - namespace.yaml
+  # # As a user management tool, we use LDAP, more specifically, ligh ldap
+  - lldap-credentials.sealedsecret.yaml
+  - lldap.pvc.yaml
+  - lldap.deployment.yaml
+  - lldap.service.yaml
+  # Authelia itself is installed as a helm chart
+  - authelia-ldap.sealedsecret.yaml
+  - authelia-oidc.sealedsecret.yaml
+  - ingress.yaml
+
+
+images:
+  - name: lldap
+    newName: nitnelave/lldap
+    newTag: latest
+
+
+helmCharts:
+  - name: authelia
+    releaseName: authelia
+    version: 0.9.6
+    repo: https://charts.authelia.com
+    valuesFile: authelia.values.yaml
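Review bot: `newTag: latest` leaves the lldap image unpinned, so the directory that backs every login can change on any pod restart and git does not record which build is running. Pin it the way the chart is pinned (`version: 0.9.6`), for example `newTag: <lldap-release-tag>`, or use the `digest:` field of the kustomize `images` entry for an immutable reference. The comment above the lldap resources has a doubled marker and a typo; `# User management is done via LDAP, more specifically lldap (light LDAP)` would read better.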
diff --git a/infrastructure/authelia/lldap-credentials.sealedsecret.yaml b/infrastructure/authelia/lldap-credentials.sealedsecret.yaml
new file mode 100644
index 0000000..4b6a87b
--- /dev/null
+++ b/infrastructure/authelia/lldap-credentials.sealedsecret.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: lldap-credentials
+  namespace: authelia
+spec:
+  encryptedData:
+    base-dn: 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
+    jwt-secret: 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
+    ldap-user-pass: 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
+  template:
+    metadata:
+      creationTimestamp: null
+      name: lldap-credentials
+      namespace: authelia
+    type: Opaque
diff --git a/infrastructure/authelia/lldap.deployment.yaml b/infrastructure/authelia/lldap.deployment.yaml
new file mode 100644
index 0000000..8ad6cd9
--- /dev/null
+++ b/infrastructure/authelia/lldap.deployment.yaml
@@ -0,0 +1,54 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: lldap
+  name: lldap
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: lldap
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: lldap
+    spec:
+      containers:
+        - env:
+            - name: GID
+              value: "1001"
+            - name: LLDAP_JWT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: lldap-credentials
+                  key: jwt-secret
+            - name: LLDAP_LDAP_BASE_DN
+              valueFrom:
+                secretKeyRef:
+                  name: lldap-credentials
+                  key: base-dn
+            - name: LLDAP_LDAP_USER_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: lldap-credentials
+                  key: ldap-user-pass
+            - name: TZ
+              value: Europe/Berlin
+            - name: UID
+              value: "1001"
+          image: lldap
+          name: lldap
+          ports:
+            - containerPort: 3890
+            - containerPort: 17170
+          volumeMounts:
+            - mountPath: /data
+              name: lldap-data
+      restartPolicy: Always
+      volumes:
+        - name: lldap-data
+          persistentVolumeClaim:
+            claimName: lldap-data
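Review bot: The lldap container is declared without a `securityContext`, resource limits or probes, although it holds the user directory and reads the `ldap-user-pass` and `jwt-secret` values from `lldap-credentials`. At minimum add `securityContext: {allowPrivilegeEscalation: false}` under the container. The `UID`/`GID` env values suggest the image starts as root and switches user itself, so check whether it still starts with `runAsUser: 1001` and `runAsNonRoot: true` before adding those. Port 17170 is declared here but not exposed by the Service in this patch, so a short comment saying how that port is meant to be reached would help.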
diff --git a/infrastructure/authelia/lldap.ingress.yaml b/infrastructure/authelia/lldap.ingress.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/infrastructure/authelia/lldap.pvc.yaml b/infrastructure/authelia/lldap.pvc.yaml
new file mode 100644
index 0000000..8ce4f3f
--- /dev/null
+++ b/infrastructure/authelia/lldap.pvc.yaml
@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: lldap-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
diff --git a/infrastructure/authelia/lldap.service.yaml b/infrastructure/authelia/lldap.service.yaml
new file mode 100644
index 0000000..95e0bc3
--- /dev/null
+++ b/infrastructure/authelia/lldap.service.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: lldap
+spec:
+  selector:
+    app: lldap
+  ports:
+  - port: 3890
+    targetPort: 3890
diff --git a/infrastructure/authelia/namespace.yaml b/infrastructure/authelia/namespace.yaml
new file mode 100644
index 0000000..0a074bd
--- /dev/null
+++ b/infrastructure/authelia/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder
diff --git a/kluster-deployments/authelia/application.yaml b/kluster-deployments/authelia/application.yaml
new file mode 100644
index 0000000..da84b01
--- /dev/null
+++ b/kluster-deployments/authelia/application.yaml
@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: authelia-application
+  namespace: argocd
+spec:
+  project: infrastructure
+  source:
+    repoURL: git@github.com:moll-re/bootstrap-k3s-infra.git
+    targetRevision: main
+    path: infrastructure/authelia
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: authelia
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
diff --git a/kluster-deployments/authelia/kustomization.yaml b/kluster-deployments/authelia/kustomization.yaml
new file mode 100644
index 0000000..977dcfe
--- /dev/null
+++ b/kluster-deployments/authelia/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - application.yaml
diff --git a/kluster-deployments/kustomization.yaml b/kluster-deployments/kustomization.yaml
index 7f63bf9..faa811e 100644
--- a/kluster-deployments/kustomization.yaml
+++ b/kluster-deployments/kustomization.yaml
@@ -21,6 +21,7 @@ resources:
   - external-dns/
   - external-services/
   - prometheus/application.yaml
+  - authelia/
 
   # simple apps
   - adguard/