Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found

Target

Select target project
  • lupa/compose.libre.sh
  • libre.sh/compose.libre.sh
  • ecobytes/compose.libre.sh
  • jordan.mitchell/compose.libre.sh
  • timothee/compose.libre.sh
5 results
Show changes
Hide whitespace changes
Inline Side-by-side
Showing
with 194 additions and 446 deletions
deploy/approve-certs.sh deleted 100755 → 0
View file @ e4c81100
#!/bin/sh
for i in `deploy/list-sites.sh $1`; do
echo "Approving combined cert for $i";
cp ../orchestration/TLS/combined/$i.pem ../orchestration/TLS/approved-certs/$i.pem;
scp ../orchestration/TLS/approved-certs/$i.pem root@$1:/data/server-wide/haproxy/approved-certs/
done
deploy/check-cert.sh deleted 100755 → 0
View file @ e4c81100
#!/bin/sh
if [ $# -eq 2 ]; then
CA=$2
else
CA="startssl"
fi
echo "CA is $CA"
echo Some information about cert ../orchestration/TLS/cert/$1.cert:
openssl x509 -text -in ../orchestration/TLS/cert/$1.cert | head -50 | grep -v ^\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
#echo Some information about chain cert ../orchestration/TLS/chain/$2.pem:
#openssl x509 -text -in ../orchestration/TLS/chain/$2.pem
#echo Some information about key ../orchestration/TLS/key/$1.key:
#openssl rsa -text -in ../orchestration/TLS/key/$1.key
cat ../orchestration/TLS/cert/$1.cert ../orchestration/TLS/chain/$CA.pem ../orchestration/TLS/key/$1.key > ../orchestration/TLS/combined/$1.pem
echo Running a test server on port 4433 on this server now \(please use your browser to check\):
openssl s_server -cert ../orchestration/TLS/combined/$1.pem -www
deploy/default-ca deleted 100644 → 0
View file @ e4c81100
startssl
deploy/deploy.sh deleted 100755 → 0
View file @ e4c81100
#!/bin/sh
if [ $# -ge 1 ]; then
SERVER=$1
else
echo "Usage: sh ./deploy/deploy.sh server [folder [branch [user]]]"
exit 1
fi
if [ $# -ge 2 ]; then
FOLDER=$2
else
FOLDER="./data/"
fi
if [ $# -ge 3 ]; then
BRANCH=$3
else
BRANCH="master"
fi
if [ $# -ge 4 ]; then
USER=$4
else
USER="core"
fi
if [ -e "${FOLDER}server-wide/haproxy/approved-certs/${SERVER}.pem" ]; then
DEFAULTSITE=$SERVER
else
echo "Please make sure ${FOLDER}server-wide/haproxy/approved-certs/${SERVER}.pem exists, then retry"
exit 1
fi
echo "Hoster data folder is $FOLDER"
echo "Infrastructure branch is $BRANCH"
echo "Remote user is $USER"
echo "Default site is $DEFAULTSITE"
scp -r $FOLDER $USER@$SERVER:/data
scp ./deploy/onServer.sh $USER@$SERVER:
ssh $USER@$SERVER sudo mkdir -p /var/lib/coreos-install/
scp cloud-config $USER@$SERVER:/var/lib/coreos-install/user_data
ssh $USER@$SERVER sudo sh ./onServer.sh $BRANCH $DEFAULTSITE
deploy/forget-server-fingerprint.sh deleted 100755 → 0
View file @ e4c81100
#!/bin/sh
ssh-keygen -R $1
deploy/list-sites.sh deleted 100755 → 0
View file @ e4c81100
#!/bin/sh
cd ../orchestration/per-server/$1/sites
for i in *; do
echo $i
done
deploy/onServer.sh deleted 100755 → 0
View file @ e4c81100
#!/bin/sh
echo Starting etcd:
/usr/bin/coreos-cloudinit --from-file=/var/lib/coreos-install/user_data
echo Cloning the indiehosters repo into /data/indiehosters:
mkdir /data
cd /data
git clone https://github.com/indiehosters/indiehosters.git
cd indiehosters
echo Checking out $1 branch of the IndieHosters indiehosters:
git checkout $1
git pull
echo Running the server setup script:
sh scripts/setup.sh $2
doc/deploying-a-server.md deleted 100644 → 0
View file @ e4c81100
# Deploying a server
## Before you start
Make sure you read [getting started](getting-started-as-a-hoster.md) first.
### Prepare your orchestration data
* Get a CoreOS server, for instance from [RackSpace](rackspace.com) or [Vultr](vultr.com).
* If you didn't add your public ssh key during the order process (e.g. through your IaaS control panel or a cloud-config file),
scp your laptop's public ssh key (probably in `~/.ssh/id_rsa.pub`) to `.ssh/authorized_keys` for the remote user
you will be ssh-ing and scp-ing as (the default remote user of our deploy scripts is 'core').
* Give the new server a name (in this example, we call the server 'k3')
* Add k3 to your /etc/hosts with the right IP address
* If you have used this name before, run `./deploy/forget-server-fingerprint.sh k3`
* From the root folder of this repository, run `sh ./deploy/deploy.sh k3 ./data/ master root` (where `./data/` should contain
`server-wide/postfix/`
and `server-wide/haproxy/approved-certs/k3.pem`; see the existing folder `data/` in this repo for an example of what the email forwards and
TLS certificate files should look like).
* Add the default site by following the 'Adding a website to your server' instructions below with domain name k3 instead of example.com
* The rest should be automatic!
### Adding a website to your server
* For each site you want to deploy on the server, e.g. example.com, do the following:
* Does example.com already exist as a domain name?
* If yes, then find out to what extent it's currently in use (and needs to be migrated with care). There are a few options:
* Transfer the domain into your DNR account
* Set up DNS hosting for it and ask the owner to set authoritative DNS to the DNS servers you control
* Ask the user to keep DNR and DNS control where it is currently, but to switch DNS when it's ready at the new server, and every time
you add or remove an IP address (not a good idea, unless the user insists that they prefer this option)
* In any case, you will probably need access to the hostmaster@example.com email address, for the StartSSL process *before*
the final DNS switch. You could also ask them to tell you the verification code that arrives there, but that has to be done
in real time, immediately when you click 'verify' in the StartSSL UI. If they forward the email the next day, then the token
will already have expired.
* If no, register it (at Namecheap or elsewhere).
* Decide which image to run as the user's main website software (in version 0.1 only 'nginx' is supported)
* If you already have some content that should go on there, and which is compatible with the image you chose,
put it in a public git repository somewhere.
* Unless there is already a TLS certificate at `./data/server-wide/haproxy/example.com.pem` get one
(from StartSSL or elswhere) for example.com and concatenate the certificate
and its unencrypted private key into `indiehosters/user-data/example.com/tls.pem`
* Make sure the TLS certificate is valid (use `scripts/check-cert.sh` for this).
* Now run `deploy/add-site.sh k3 example.com ../hoster-data/TLS/example.com.pem https://github.com/someone/example.com.git root`.
It will make sure the server is in the correct state, and git pull and scp the user data and the
approved cert into place, start a container running the image requested, update haproxy config, and restart the haproxy container.
* Test the site using your /etc/hosts. You should see the data from the git repo on both http and https.
* Switch DNS and monitoring.
doc/developing-dockerfiles-and-infrastructure.md deleted 100644 → 0
View file @ e4c81100
# Developing Dockerfiles and infrastructure
## Developing Dockerfiles
To develop Dockerfiles, you can use a server that's not serving any live domains, use `docker` locally on your laptop, or use the `vagrant up` instructions to run the infrastructure inside vagrant.
## Developing infrastructure
To develop the infrastructure, create a branch on this repo and specify that branch at the end of the deploy command, for instance:
```bash
sh ./deploy/deploy.sh k4 dev
```
That will deploy a server at whatever IP address "k4" points to in your /etc/hosts, using the "dev" branch of https://github.com/indiehosters/indiehosters.
## Testing new Dockerfiles in the infrastructure
To test the infrastructure with a changed Dockerfile, you need to take several steps:
* Develop the new Dockerfiles as described above at "Developing Dockerfiles"
* When you're happy with the result, publish this new Dockerfile onto the docker hub registry under your own username (e.g. michielbdejong/haproxy-with-http-2.0)
* Now create a branch on the infrastructure repo (e.g. "dev-http-2.0")
* In this branch, grep for the Dockerfile you are updating, and replace its name with the experimental one everywhere:
* the `docker pull` statement in scripts/setup.sh
* the `docker run` statement in the appropriate systemd service file inside unit-files/
* Push the branch to the https://github.com/indiehosters/indiehosters repo (if you don't have access to that, you will have to edit
`deploy/onServer.sh` to use a different repo, to which you do have access).
* Now deploy a server from your experimental infrastructure branch (which references your experimental Docker image), as described above at "Developing infrastructure"
doc/getting-started-as-a-hoster.md deleted 100644 → 0
View file @ e4c81100
Getting started as an IndieHosters hoster
===========
# Prerequisites
Each IndieHoster is an entirely autonomous operator, without any infrastructural ties to other IndieHosters.
These scripts and docs will help you run and manage servers and services as an IndieHoster, whether you're
certified as a branch of the IndieHosters franchise or not.
# Hoster data
If you're used to working with git as a versioning tool, then it's a good idea to make `hoster-data` and
`billing` into (private!) git repos where you keep track of what you're doing, including e.g. TLS certificates, so
that you can track changes over time, and search the history to resolve mysteries when they occur. You may also use a different
versioning system, or just take weekly and daily backups (but then it's probably a good idea to retain the weeklies for a couple
of years, and even then it will not be as complete as a history in a versioning system).
The hoster-data is about what each one of your servers *should* be doing at this moment.
This is fed into CoreOS (systemd -> etcd -> confd -> docker) to make sure the server actually starts and keeps doing these things,
and also into monitoring, to make sure you get alerted when a server misbehaves.
You probably also want to keep track of Domain Name Registration, Transport
Layer Security, Monitoring, and Domain Name System services which you are probably getting from
third-party service providers, alongside the services which
you run on your own servers.
Note that although it's probably inevitable that you resell DNR and TLS services from some third party, and your monitoring would ideally
also run on a system that's decoupled from your actual servers, you may not be reselling DNS
hosting. If you host DNS for your customer on server-wide bind services that directly read data from files on the per-user data folders,
then DNS data will be considered user-data for you.
# User data
User data is data owned by one of your users. Which human owns which site is something you can administer
by hand somehow in the `billing` folder.
All user data is *untrusted* from your point of view, it is not owned by you as a hoster,
and users may change it at any time (and then probably contact you for a backup whenever they mess up!). It makes sense to give users
only read-only access to this data by default, and have a big "Are you sure? Warranty will be void!" warning before they can activate
write-access to their own data (and then probably trigger an extra backup run just before allowing them to edit their own raw data).
This is how some operating systems on user devices also deal with this.
But in the end, the user, and not you, owns this data, and they can do with it what they want, at their own risk.
Just like a mailman is not supposed to open and read letters, you also should treat each user's data as a closed envelope
which you never open up, unless in the following cases:
* There may be things you need to import from specific files on there (like a user-supplied TLS certificate or DNS zone)
* When running backups, you sometimes can't avoid seeing some of the modified filenames flying by (depending on the backup software)
* After explicit permission of the user, when this is useful for tech support (e.g. fix a corrupt mysql database for them)
In version 0.1 no user data exists because the TLS cert is part of the hoster-data, and so are the secondary email address to forward
to and the git repository to pull the website content from. We don't need to back up users' websites, because they are already versioned
and backed up in the git repository from which we're pulling it in.
# Backups
Your user-data, hoster-data, and billing folders together contain all the critical data
of your operations as an IndieHoster, from start to finish, so make sure you don't
ever lose it, no matter what calamity may strike. Once a month, put a copy of it on a USB stick, and put that in a physically safe place.
You may give a trusted person an emergency key to your infrastructure, in case you walk under a bus. Think about the risk of data loss and
establish an emergency recovery plan for when, for instance, the hard disk of your laptop or of one of your servers die.
Make sure you often rsync the live data from each of your servers to somewhere else, and store snapshots of it
regularly. Users *will* contact you sooner or later asking for "the backup from last Tuesday"
and they will expect you to have one.
# Basic digital hygiene
At the same time, be careful who may obtain access to your critical data. Is your laptop really safe? Does the NSA have access to the servers you run?
Someone may plant a Trojan on a computer in an internet cafe from where you access your Facebook account, access your gmail account
for which you use the same password, reset your RackSpace password and restore a backup from your Cloud Files to somewhere else.
Make a diagram of how your laptop talks to your USB sticks and your servers. Then make a diagram of the services you use and to which
email addresses they send password reset emails. Draw a perimeter of trust in both diagrams, and start taking some basic measures to
keep your daily operations secure.
Don't mix accounts and email addresses which you may
use from other computers, and keep your IndieHosters passwords and accounts separate from your other passwords and accounts, and reset
them every few months. It might even
make sense to dual-boot your laptop or boot from a live disk which resets on boot to make sure everything you do with IndieHosters data
is done in a sterile environment. Ubuntu has a 'guest account' option on the login screen which maybe also be handy for this.
Also: lock your screen when walking away from your laptop, and think about what someone could do with it if they were to steal your bag,
or your smartphone.
# Do I have to use this?
As an IndieHoster you can of course use any infrastructure and scripts you want, as long as it doesn't change the format of each user-data folder, so that
your customers can still migrate at will between you and other IndieHosters. However, you might find some of the scripts in this repo
helpful at some point, and we hope you contribute any features you add to it back upstream to this repo.
Thanks for taking the time to read through these general considerations - the next topic is [deploying a server](deploying-a-server.md)! :)
importers/gitpuller.sh deleted 100755 → 0
View file @ e4c81100
#!/bin/bash
cd /data/per-user/$USER/$APP/data/www-content && git pull
importers/mysql.sh deleted 100755 → 0
View file @ e4c81100
#!/bin/bash
if [ ! -d "/data/per-user/$USER/mysql/data" ]; then
mkdir -p /data/per-user/$USER/mysql/data
echo MYSQL_PASS=`echo $RANDOM ${date} | md5sum | base64 | cut -c-10` > /data/per-user/$USER/mysql/.env
fi
importers/nginx.sh deleted 100755 → 0
View file @ e4c81100
#!/bin/bash
if [ ! -e "/data/per-user/$USER/nginx/data/www-content/index.html" ]; then
if [ -e "/data/per-user/$USER/nginx/data/GITURL" ]; then
git clone `cat /data/per-user/$USER/nginx/data/GITURL` /data/per-user/$USER/nginx/data/www-content
cd /data/per-user/$USER/nginx/data/www-content && git checkout master
else
mkdir -p /data/per-user/$USER/nginx/data/www-content
echo Hello $USER > /data/per-user/$USER/nginx/data/www-content/index.html
fi
fi
importers/wordpress-subdir.sh deleted 100755 → 0
View file @ e4c81100
#!/bin/bash
if [ ! -d "/data/per-user/$USER/wordpress-subdir/data" ]; then
cd /data/per-user/$USER/
tar xvzf /data/indiehosters/blueprints/wordpress.tgz
fi
cat /data/per-user/$USER/mysql/.env | sed s/MYSQL_PASS/DB_PASS/ > /data/per-user/$USER/wordpress-subdir/.env
if [ ! -e "/data/per-user/$USER/wordpress-subdir/data/www-content/index.html" ]; then
if [ -e "/data/per-user/$USER/wordpress-subdir/data/GITURL" ]; then
git clone `cat /data/per-user/$USER/wordpress-subdir/data/GITURL` /data/per-user/$USER/wordpress-subdir/data/www-content
cd /data/per-user/$USER/wordpress-subdir/data/www-content && git checkout master
else
mkdir -p /data/per-user/$USER/wordpress-subdir/data/www-content
echo Hello $USER > /data/per-user/$USER/wordpress-subdir/data/www-content/index.html
fi
fi
importers/wordpress.sh deleted 100755 → 0
View file @ e4c81100
#!/bin/bash
if [ ! -d "/data/per-user/$USER/wordpress/data" ]; then
cd /data/per-user/$USER/
tar xvzf /data/indiehosters/blueprints/wordpress.tgz
fi
cat /data/per-user/$USER/mysql/.env | sed s/MYSQL_PASS/DB_PASS/ > /data/per-user/$USER/wordpress/.env
install.linux.sh 0 → 100755
View file @ 408b8f91
#!/bin/bash
#This script is tested on Debian 12
#Current version of libre.sh to be installed
LIBRE_VERSION=1.2
# System env vars : can be overrided by a values.env file next to this install file
### CONFIG : Specify you template repo ROOT without training slash (Optional) or comment if you want to supply full url for apps
APP_REPO_URL="lab.libreho.st/libre.sh/compose"
## domain handling
### CONFIG : change to your domain vendor ( namecheap, ovh , scaleway, )
DOMAIN_SERVER=namecheap
### Namecheap specific
NAMECHEAP_URL="namecheap.com"
NAMECHEAP_API_USER="pierreo"
NAMECHEAP_API_KEY=
### ovh specific (WIP)
OVH_URL="eu.api.ovh.com"
OVH_API_USER=""
OVH_API_KEY=
### Scaleway specific (WIP)
SCALEWAY_URL=""
SCALEWAY_API_USER=""
SCALEWAY_API_KEY=
### TODO : change your settings
IP="curl -s http://icanhazip.com/"
FirstName="Pierre"
LastName="Ozoux"
Address=""
PostalCode=""
Country="Portugal"
Phone="+351.967184553"
EmailAddress="pierre@ozoux.net"
City="Lisbon"
CountryCode="PT"
## Backup
BACKUP_DESTINATION=root@xxxxx:port
### CONFIG : Change your mail settings.
## SMTP
MAIL_USER=
MAIL_PASS=
MAIL_HOST=mail.indie.host
MAIL_PORT=587
MAIL_SECURITY=
# Default admin emails for apps
ADMIN_EMAIL=support@ekimia.fr
### TODO : source a setting file is present to override defaults
echo "-------- Welcome to libre.sh $LIBRE_VERSION installer"
echo "---- sourcing local values.env file if present"
source values.env
# STEP add kernel parameter
# STEP Define environnement
echo "-------- setting up system variables"
echo "APP_REPO_URL=${APP_REPO_URL}" >> /etc/environment
echo "LIBRE_VERSION=${LIBRE_VERSION}" >> /etc/environment
echo "MAIL_USER=${MAIL_USER}" >> /etc/environment
echo "MAIL_PASS=${MAIL_PASS}" >> /etc/environment
echo "MAIL_HOST=${MAIL_HOST}" >> /etc/environment
echo "MAIL_PORT=${MAIL_PORT}" >> /etc/environment
echo "MAIL_SECURITY=${MAIL_SECURITY}" >> /etc/environment
echo "ADMIN_EMAIL=${ADMIN_EMAIL}" >> /etc/environment
# STEP Install Docker
name="docker.io"
# TODO : Fix a version for docker ?
dpkg -s $name &> /dev/null
if [ $? -ne 0 ]
then
echo "$name not installed"
apt-get update
# curl -fsSL https://get.docker.com -o get-docker.sh
# sh get-docker.sh
apt install -y $name
echo "-------- Native docker installed "
else
echo "$name already installed"
fi
# STEP "install docker-compose"
echo "-------- Install native docker-compose "
# TODO : Fix a version for docker compose ?
#mkdir -p /opt/bin &&\
#dockerComposeVersion=$(curl -s https://api.github.com/repos/docker/compose/releases/latest|grep tag_name|cut -d'"' -f4) &&\
#curl -L https://github.com/docker/compose/releases/download/$dockerComposeVersion/docker-compose-`uname -s`-`uname -m` > /opt/bin/#docker-compose &&\
#chmod +x /opt/bin/docker-compose
apt install -y docker-compose
# STEP "install git"
echo "-------- Install git"
distro=$( ( lsb_release -ds || cat /etc/*release || uname -om ) 2>/dev/null | head -n1 | cut -d " " -f1)
if [[ "$distro" == "Ubuntu" || "$distro" == "Debian" ]]; then
apt-get install -y git
elif [[ "$distro" == "CentOS" || "$distro" == "AlmaLinux" || "$distro" == "Rocky" || "$distro" == "Fedora" ]]; then
yum install -y git
elif [[ "$distro" == "openSUSE" ]]; then
zypper install git
elif [[ "$distro" == "Arch" ]]; then
pacman -S git
elif [[ "$distro" == "Mageia" ]]; then
urpmi git
fi
# STEP install Libre.sh
echo " ---Removing previous install --- "
rm -rf /libre.sh
echo "-------- installing libre.sh"
git clone https://lab.libreho.st/libre.sh/compose.libre.sh.git /libre.sh
mkdir -p /{data,system}
mkdir -p /data/trash
mkdir -p /data/domains
cp /libre.sh/unit-files/* /etc/systemd/system && systemctl daemon-reload
systemctl enable web-net.service
systemctl start web-net.service
mkdir -p /opt/bin
cp /libre.sh/utils/* /opt/bin/
# STEP add /opt/bin path
echo "-------- updating PATH"
cat > /etc/profile.d/libre.sh <<EOF
export PATH=$PATH:/opt/bin
EOF
chmod 644 /etc/profile.d/libre.sh
bash /etc/profile.d/libre.sh
#TODO : reload profile to use libre right away
migrations/update-oo.sh 0 → 100644
View file @ 408b8f91
#!/bin/bash -eux
# Verify they are all in sync with git, if not, print the domain name.
for oo in `ls -d ./oo-*`;do
cd $oo
if ! git diff --exit-code --quiet; then
echo $oo
fi
cd ..
done
# Update all oo
for oo in `ls -d ./oo-*`;do
cd $oo
libre update
cd ..
done
scripts/activate-user.sh deleted 100755 → 0
View file @ e4c81100
#!/bin/bash -eux
if [ $# -ge 2 ]; then
DOMAIN=$1
IMAGE=$2
else
echo "Usage: sh /data/indiehosters/scripts/activate-user.sh domain image [gitrepo]"
exit 1
fi
mkdir -p /data/per-user/$DOMAIN/$IMAGE/data
if [ $# -ge 3 ]; then
GITREPO=$3
echo $GITREPO > /data/per-user/$DOMAIN/$IMAGE/data/GITURL
fi
# Start service for new site (and create the user). This will also enable the git puller.
systemctl enable $IMAGE@$DOMAIN.service
systemctl start $IMAGE@$DOMAIN.service
scripts/setup.sh deleted 100755 → 0
View file @ e4c81100
#!/bin/bash -eux
if [ $# -ge 1 ]; then
HOSTNAME=$1
else
echo "Usage: sh /data/indiehosters/scripts/setup.sh k1.you.indiehosters.net"
exit 1
fi
# Install cloud-config
if [ -f /tmp/vagrantfile-user-data ]; then
mv /tmp/vagrantfile-user-data /var/lib/coreos-vagrant/vagrantfile-user-data
fi
# Pull relevant docker images
docker pull indiehosters/haproxy
docker pull indiehosters/confd
docker pull indiehosters/postfix-forwarder
docker pull indiehosters/nginx
docker pull indiehosters/mysql
docker pull indiehosters/wordpress
docker pull indiehosters/wordpress-subdir
# Install unit-files
cp /data/indiehosters/unit-files/* /etc/systemd/system
systemctl daemon-reload
# Activate default domain
sh /data/indiehosters/scripts/activate-user.sh $HOSTNAME nginx
etcdctl set /services/default '{"app":"nginx", "hostname":"'$HOSTNAME'"}'
# Configure and start HAproxy
mkdir -p /data/server-wide/haproxy/approved-certs
systemctl enable haproxy-confd.service
systemctl start haproxy-confd.service
systemctl enable haproxy.path
systemctl start haproxy.path
# Configure and start postfix
mkdir -p /data/server-wide/postfix
touch /data/server-wide/postfix/hostname
touch /data/server-wide/postfix/destinations
touch /data/server-wide/postfix/forwards
systemctl enable postfix.service
systemctl start postfix.service
scripts/unsecure-certs/example.dev.pem deleted 100644 → 0
View file @ e4c81100
-----BEGIN CERTIFICATE-----
MIIFjDCCA3QCCQDmo57ouPDhnTANBgkqhkiG9w0BAQUFADCBhzELMAkGA1UEBhMC
UFQxETAPBgNVBAgTCFBvcnR1Z2FsMQ8wDQYDVQQHEwZMaXNib24xFTATBgNVBAoT
DEluZGllSG9zdGVyczEUMBIGA1UEAxMLZXhhbXBsZS5kZXYxJzAlBgkqhkiG9w0B
CQEWGGNvbnRhY3RAaW5kaWVob3N0ZXJzLm5ldDAeFw0xNDEwMTAxNTA3MDVaFw0x
NTEwMTAxNTA3MDVaMIGHMQswCQYDVQQGEwJQVDERMA8GA1UECBMIUG9ydHVnYWwx
DzANBgNVBAcTBkxpc2JvbjEVMBMGA1UEChMMSW5kaWVIb3N0ZXJzMRQwEgYDVQQD
EwtleGFtcGxlLmRldjEnMCUGCSqGSIb3DQEJARYYY29udGFjdEBpbmRpZWhvc3Rl
cnMubmV0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAm/gbDGFtfMzT
nVZaPBQNl7SqMUMhTlDoR2C24W53QPslLuqBGkatbBs+9jWKGm2XPWeuK0uC2ot6
fIie72wghFepmzIdAb7SU0lpFVw49dk1nGVHIqwbFA3G6pYL7hY5ocD4HziNKnuj
ZA42a+rjpYl3zx/4GgcWnNyuawlsIMI8rdvuv5Mg77fGaVSXriJKQ1nTJ/Z65CDU
U6c9vzXSGkye3i0gv/8tZ0VA8xgV9FoXsLWhP7NLWDAh5+X/4aJpIFjvwzYSJLBr
3O9siP17NZuJI+7zB6KVlBeoSt2Dmt3k7fG2YrpwTzFlFBMr4Hq6T+wp+Q2J1JQP
Jm1s3lr2vJwmLVKlUspgT+zpuTAsUHOv2xxmbb+8k8ZE5II9IzAcE85C75bvL3An
fG0xQlF2+dOcXgvYFtRyeJ8fCIEjQBkOoUJq4H2inTwM2IYo060FF32jEVgFB5ZP
xuEsxEOGusUmOFsm8dIwaXv/WCPXopt1EGKFcNZWLSMC0jX0d4jZP74D1K0u4VPV
/kkQS6lUCK4qrq6tNm1R4TQlquefbfcwEhE8hVyUGcyDX6FOCL5z4lXal3gyUgbC
B50WrOST4hShb8+cWngcvDTO78kLg/OhqYZZVbpAshcF60sugEYke0xGNArWMQMU
5uxaWqPA3/gA3u4rJfWhLOwFIU+4ewsCAwEAATANBgkqhkiG9w0BAQUFAAOCAgEA
JiUIK43wZ6PHYrinKZu1wgDSbL7g3mNxSf2NiTMbu11J0JvypJc19DZHoSq5S0XH
yalW9Xeml9U8u/zHaciTwAaxWyj/gzqWyLBbd1xHTmdx+WvoG+OjcnYJYelrFzDH
bd4XumR+oHBXUsCiCIyF0d4gJZRUH8OxpDN/dD828FlcmMaeaPBl/xLm1G5ZXnPE
KNA8VR6ylo4w4HayQCjXI6qef29Y9I2Jvt9lREEpR5YoEnc1aj1ZJofeEzISfmhm
3D2BiI2Hx6mMlBwE95D+c9HZZAQyvdPyUdcTto7dOiJUGGt3EqhBRPebhe0HNlj8
L5h2/w1zChlQKWoFCZ4Uz6AJeibvPMZTEgihWtNWPyRAbjWL39GH1Emb/0m8ydaR
NmQEFL9VApMAsUm0mNHjWZQOTL5PYwgfKloXWMJ+rCd9N54sUUj5tt+Zc7G4irUN
Lnu8fYAaFC2BljANwQdy0H7pkVCYBcwwqvtKsrhX+FBGukkUjMo43FWep+fA82BU
uU6mlnPKm9vRYHC9gkKJejzFNgDZaC7p+xiwOO53oY/mFPgEVoCWwO0zAc1AXaZV
mJkkeYhRWpqmuxvqP+tpXFSfHu2Ee/RKBrrowWDOad3IlWuV7gt7Bo5ZBj+iqbPf
Km1Y5oFRF+Kp1NoIL527LHGj7dDV8eXinRIb7CPtbL4=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIJKQIBAAKCAgEAm/gbDGFtfMzTnVZaPBQNl7SqMUMhTlDoR2C24W53QPslLuqB
GkatbBs+9jWKGm2XPWeuK0uC2ot6fIie72wghFepmzIdAb7SU0lpFVw49dk1nGVH
IqwbFA3G6pYL7hY5ocD4HziNKnujZA42a+rjpYl3zx/4GgcWnNyuawlsIMI8rdvu
v5Mg77fGaVSXriJKQ1nTJ/Z65CDUU6c9vzXSGkye3i0gv/8tZ0VA8xgV9FoXsLWh
P7NLWDAh5+X/4aJpIFjvwzYSJLBr3O9siP17NZuJI+7zB6KVlBeoSt2Dmt3k7fG2
YrpwTzFlFBMr4Hq6T+wp+Q2J1JQPJm1s3lr2vJwmLVKlUspgT+zpuTAsUHOv2xxm
bb+8k8ZE5II9IzAcE85C75bvL3AnfG0xQlF2+dOcXgvYFtRyeJ8fCIEjQBkOoUJq
4H2inTwM2IYo060FF32jEVgFB5ZPxuEsxEOGusUmOFsm8dIwaXv/WCPXopt1EGKF
cNZWLSMC0jX0d4jZP74D1K0u4VPV/kkQS6lUCK4qrq6tNm1R4TQlquefbfcwEhE8
hVyUGcyDX6FOCL5z4lXal3gyUgbCB50WrOST4hShb8+cWngcvDTO78kLg/OhqYZZ
VbpAshcF60sugEYke0xGNArWMQMU5uxaWqPA3/gA3u4rJfWhLOwFIU+4ewsCAwEA
AQKCAgBGDvYnY4QIsQDFBcrWfbN1V4OzSRIm2ZTcqwa60CHlIGqdXlzLbr/rdXmc
ooP8RwnOXUoQzIRkoo5MbhnmNc2NZMscmTAKXqqfGrSHEbvMQtsf+yYu3tvy8BVP
vkJxma4diE5rx70xPgQwp2muo/3Jl6wnb5bEKjbwEviNv9fABz+2YLond3Et/IC1
Q3g2kdSF2E1PABpHaq+1O8QypXxQr+YUqnSxiW/dmXAJQeJqtiU6DPv3XxQS8tvo
DJoZwhgynYBlUV5o+I4a2bkI98NmWw0JBQZJgbBqqw2/Qy0gXVe9wftI8bINAIUE
tW/aD4as68oWwwwMXs1HV5O1dWqqrncx9SGNUSO+oqZPzjPBUtGpBj8sBOA6AgaU
ohnUhx4NLd3KEl+3yLgyv16VsW3XkOCCdtEwKfhLMfPM95LtOx0z1YsGP2DHQIb1
Q7lv81n5YCThIBxiRbDi46GgOAFukORb7rKfzu18qxiWyLLJ79QyONCdDZWU2jgA
8t3Fwzv28nXIetfxoRj8v0+B3NPxWS2StZ8Gltj/zVdbqiUyAU4TeV655la9bI2R
5NEQWW0q66BdJsSEnJ+6etM3yvaJ6rGw0Fz28JJuIwmc2uod14MgXFv3/ylg3bBK
Ddhuaw78iOz+hYq2rOk6xGB1q+HTTc61bFe1iKouTrVKT2jBoQKCAQEAyzfVyfzv
NS43ZcEe/MC+S8+zbjoxsS6b57hB6+lyokz2/YmliTpsmMgHnPSAWDUtXanGQjFY
IsDpt3r1x9wyOuNblKN4Xj/LqK+8ZS+qIwmFc84r9b7I8Evm3YOsYkUSRoroDhz1
eU09Df0YdLJaSTcJTvMm2LX+h3Yy6UTkHAg8nxI3PDF4SonV4QSf1LDWw1HGPiLv
quBPHGOrgcXvEpNOuOCzjmW90LKrRyk1V1rX9F+8e+Dr1rWpJKLFYVz6DgB5NFEI
rlz3PaZwQSdaeTMURt2Z9MErC3GHtGc+saf1vLdhQjoD2KAwG9FsqdtiaGX86Qh0
3Llblry0FkOHQwKCAQEAxHqkuAWS9DOcZPTs4VlQHItnHI+qRcp8hQZtz/8R204O
x8IbmMc7BQLLNKZj8yOP13d1uL+2RB3wJON6Z+GzfwLPG5ZuaklZv1j0c1r6/WZf
E9AMxO3IgC0o5tYxfB9JIPUfDbm7fpm2EZvlIK//29m5iC5Ii6E9PIbWenTjXpvy
NjDzRJDXoEa7lDzY0nKdwiiDrK+Hfte2CkS+4ESQALw8l84B8EPJ9mXFiFR4l6CG
ZlI8uLdb/FraChC1qgOknonEGS7WLwfxKhXoEo2X0cTDjR7awUtrXVB0yfpEGzsu
gxvmDMKudwBGM6BotkLuE337t44gUajiG/GB7syMmQKCAQEAuHespzfkY9/aBZHy
cPj9RI/7jplgtjda6lLF9EHq/wziP2+NRi40mdMppf4D6w4KajVMdJWaLaH0Bcum
A5AMQIxVe22QO+2pDyzG1QsZY8imzWJfYSmX+RjNLlLyThno5wP8daMv6LaGL4aJ
hpTHhCJjXrk1kA5UR96xhDI25oNLlBHS9d7qFK9d6G5sL4N+z7oRPCI2cGRBK8IF
0z07MR9qnEPMefw8+47UDzqG4w7hbUDiNYkMS9CHA2yFw0XE7qTbYPQV70EQZXQJ
/fqdE9ucEl/h+tzGGBMsXkRCEr4mQPItZRKIn0F5qibGfsFYaO/7TgWRHzNawk/1
ISiXRQKCAQBGXBkSoURf2P+fk6okhORQZId3TedO+NUgmg3HF3OgklJurI9PZcE3
6Sk14IQYdNq08V2h3F18BTCTNTcHbmbmC+541aUSwNO31zYq/SC2j+tqX+3Cs9hC
NmnYSEoORfHdMIp/UszW6Fqv8aDa1MwOQejT4KcwAXy5aRvzXFpz7eqOB3eGTUw6
ZDoWOrf2nP7robCNrYobHUpeYQHts//Rk5crUaWWEeCIMSfMy1soCV830ylViKwT
McG1KwizKnzQHUuxLPmce/6b8J5bzoLYptrUdYEnCUgYcZBxKAMtsULVxq7aUPlD
OkDpif8VjeBN8Kass+PU+mKGWTULfAq5AoIBAQCRd1bJmD/nAB90B19yzat7i1eZ
r6BUpMQ6vTMDA/u9uxn7A92kcZ6PFIPN3ez4ThIgSonAQHBKQYIblrDgPEQ/ixqe
YoKmvVQg5/fEXcpBZbKy3oNr437ZDWShbkPVsV7SvIsye3ckFQf/ASSOtKLY6E2Z
YQC1S9lXaIv7LOpZpIbGnrQuw/uXkuuW682vIjOsS+zGaq+UdLHVv0ZcTqbbmurh
HaWktTlH8htMK65JgvRv2Ze4a+xe83vCtinmK45yFdFJvkyVkTGGtE7wVeKaCyH/
2PRNVB8SMzV2lmvsr0jXi7FS8slvxzsLeMbLe+sYStIhatOYoBggnhSi/p9j
-----END RSA PRIVATE KEY-----