Compare commits

...

45 Commits

Author SHA1 Message Date
Lukáš Kucharczyk b43560720e
README: add Radarr 2021-06-21 13:47:31 +02:00
Lukáš Kucharczyk 5e5cb703a6
authelia: radarr=two_factor 2021-06-21 13:09:40 +02:00
Lukáš Kucharczyk 9c50a6dcaf
radarr: add related vars 2021-06-21 13:09:25 +02:00
Lukáš Kucharczyk 2269007083
radarr: add nginx conf 2021-06-21 13:09:11 +02:00
Lukáš Kucharczyk 6ebb25af72
radarr: add role 2021-06-21 13:08:59 +02:00
Lukáš Kucharczyk b8364d8163
README: sort alphabetically 2021-06-21 12:02:32 +02:00
Lukáš Kucharczyk 7a0a240ad8
readme: add portainer 2021-06-21 12:02:00 +02:00
Lukáš Kucharczyk 2a8b5464e6
jellyfin, nginx, openldap: do not restart 2021-06-21 11:55:06 +02:00
Lukáš Kucharczyk e43907992a
openldap: remove cruft 2021-06-21 11:55:05 +02:00
Lukáš Kucharczyk 6638b4d357
openldap: move above portainer 2021-06-21 11:55:04 +02:00
Lukáš Kucharczyk bdb6b109af
docker: add convenience packages 2021-06-21 11:55:03 +02:00
Lukáš Kucharczyk 17a5d0550d
authelia: secure portainer, keycloak, allow local 2021-06-21 11:55:02 +02:00
Lukáš Kucharczyk 45f14658e4
portainer: allow access to ldap 2021-06-21 11:55:01 +02:00
Lukáš Kucharczyk a13a7adf67
nginx: make sure https redirect works 2021-06-21 11:55:00 +02:00
Lukáš Kucharczyk 069314f9d6
minor: fix space 2021-06-21 11:54:59 +02:00
Lukáš Kucharczyk c418b61ede
Improve networks
Create a single external network called "external".
Create container-specific networks.
Only a few containers need access to these.
So far: openldap, postgres.
2021-06-21 11:54:58 +02:00
Lukáš Kucharczyk f5824a5ffe
portainer: copy nginx conf 2021-06-21 11:54:57 +02:00
Lukáš Kucharczyk 1ad9787b17
portainer: add nginx-internal network 2021-06-21 11:54:56 +02:00
Lukáš Kucharczyk 2593c84400
Set portainer to one_factor 2021-06-21 11:54:55 +02:00
Lukáš Kucharczyk 6b70fa2587
portainer: add nginx conf 2021-06-21 11:54:54 +02:00
Lukáš Kucharczyk 6702afc8f7
portainer: add main task 2021-06-21 11:54:53 +02:00
Lukáš Kucharczyk 7a17b16980
portainer: add role to playbook 2021-06-21 11:54:52 +02:00
Lukáš Kucharczyk a464d287b7
Fix error introduced in 9cf68c4fda 2021-06-21 09:53:25 +02:00
Lukáš Kucharczyk 1df2e68180 nginx: log subrequests 2021-06-21 06:14:19 +00:00
Lukáš Kucharczyk d72ee10d04
README: add authelia 2021-06-20 21:58:10 +02:00
Lukáš Kucharczyk 9cf68c4fda
authelia: set everything to bypass for now 2021-06-20 21:54:32 +02:00
Lukáš Kucharczyk 90d1065f53
vault: change keycloak admin 2021-06-20 21:53:45 +02:00
Lukáš Kucharczyk a465111aa7
authelia: move proxy config up 2021-06-20 21:53:20 +02:00
Lukáš Kucharczyk 13c9974b4d
Fix authelia-*.conf
The example at https://www.authelia.com/docs/deployment/supported-proxies/nginx.html
does not seem to work. Updated with code from:
https://github.com/linuxserver/docker-swag/blob/master/root/defaults/authelia-server.conf
https://github.com/linuxserver/docker-swag/blob/master/root/defaults/authelia-location.conf
2021-06-20 20:58:09 +02:00
Lukáš Kucharczyk ff90202646
provision.sh: add fish hashbang 2021-06-20 20:57:30 +02:00
Lukáš Kucharczyk 171ef655f8
general: add provision.sh 2021-06-20 20:37:06 +02:00
Lukáš Kucharczyk 3ee7f94194
minor: add missing semicolon 2021-06-20 20:35:08 +02:00
Lukáš Kucharczyk 8658efa4d9
minor: add space around variable 2021-06-20 19:44:58 +02:00
Lukáš Kucharczyk 3d353c4b84
general: add show-pass.sh 2021-06-20 19:43:37 +02:00
Lukáš Kucharczyk f73272ac91
keycloak: enable authelia interstitial 2021-06-20 19:39:46 +02:00
Lukáš Kucharczyk 3d06cf48b8
authelia: add configuration.yml 2021-06-20 19:39:31 +02:00
Lukáš Kucharczyk 851f5ac25e
authelia: add more nginx configuration 2021-06-20 19:38:53 +02:00
Lukáš Kucharczyk c45df9911f
authelia: add the nginx configuration 2021-06-20 19:38:28 +02:00
Lukáš Kucharczyk c19bd16a41
authelia: add the main task 2021-06-20 19:38:06 +02:00
Lukáš Kucharczyk 763b6993fc
Add authelia role to playbook 2021-06-20 19:37:45 +02:00
Lukáš Kucharczyk b7c3a3af8a
openldap: disable debug logging 2021-06-20 18:19:18 +02:00
Lukáš Kucharczyk da527acb17
openldap: remove more cruft 2021-06-20 18:18:44 +02:00
Lukáš Kucharczyk d38701a0e9
openldap: remove cruft 2021-06-20 18:18:21 +02:00
Lukáš Kucharczyk 6fca397d25
openldap: move admin password to vault 2021-06-20 18:16:10 +02:00
Lukáš Kucharczyk 592273fc5b
List OpenLDAP in README 2021-05-18 23:18:11 +02:00
27 changed files with 385 additions and 95 deletions

View File

@ -12,10 +12,14 @@ homelab.
=== Containers
* NGINX
* Authelia
* Jellyfin
* PostgreSQL
* Keycloak
* NGINX
* OpenLDAP
* Portainer
* PostgreSQL
* Radarr
=== Testing
To run locally, specify the inventory file with `-i hosts`.

View File

@ -14,3 +14,8 @@ tz: "Europe/Prague"
media:
tv: "{{ data_folder }}/media/tv"
movies: "{{ data_folder }}/media/movies"
downloads:
nzb: "{{ data_folder }}/downloads/nzb"
torrent: "{{ data_folder }}/downloads/torrent"
torrent_blackhole: "{{ data_folder }}/downloads/blackhole"
music: "{{ data_folder }}/downloads/music"

View File

@ -3,10 +3,13 @@
roles:
- docker
- nginx
- jellyfin
- openldap
- portainer
- jellyfin
- postgres
- authelia
- keycloak
- radarr
vars_files:
- vault/certs/{{ base_domain }}.yml
- vault/passwords.yml

2
provision.sh Executable file
View File

@ -0,0 +1,2 @@
#!/bin/env fish
ANSIBLE_VAULT_PASSWORD_FILE=(pass show ansible-homelab | psub) vagrant provision

View File

@ -0,0 +1,39 @@
- name: ensure directories exist
file:
path: "{{ item }}"
state: directory
mode: '0755'
loop:
- "{{ data_folder }}/authelia"
- name: copy configuration.yml
template:
src: "configuration.yml.j2"
dest: "{{ data_folder }}/authelia/configuration.yml"
mode: "755"
- name: run container
docker_container:
name: "authelia"
image: "authelia/authelia"
ports:
- "9091:9091"
networks:
- name: external
- name: openldap
volumes:
- "{{ data_folder }}/authelia:/config"
- name: copy nginx endpoint conf
template:
src: "authelia-endpoint.conf.j2"
dest: "{{ data_folder }}/nginx/snippets/authelia-endpoint.conf"
mode: "755"
- name: copy nginx auth conf
template:
src: "authelia-auth.conf.j2"
dest: "{{ data_folder }}/nginx/snippets/authelia-auth.conf"
mode: "755"
- name: copy nginx conf
template:
src: "authelia.conf.j2"
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
mode: "755"
notify: reload nginx

View File

@ -0,0 +1,11 @@
auth_request /authelia/api/verify;
auth_request_set $target_url $scheme://$http_host$request_uri;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email;
error_page 401 =302 https://$http_host/authelia/?rd=$target_url;

View File

@ -0,0 +1,47 @@
location ^~ /authelia {
include /etc/nginx/snippets/proxy.conf;
set $upstream_authelia authelia;
proxy_pass http://$upstream_authelia:9091;
}
location = /authelia/api/verify {
internal;
if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]) {
return 401;
}
set $upstream_authelia authelia;
proxy_pass_request_body off;
proxy_pass http://$upstream_authelia:9091;
proxy_set_header Content-Length "";
# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# [REQUIRED] Needed by Authelia to check authorizations of the resource.
# Provide either X-Original-URL and X-Forwarded-Proto or
# X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
# Those headers will be used by Authelia to deduce the target url of the user.
# Basic Proxy Config
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}

View File

@ -0,0 +1,16 @@
server {
server_name auth.{{ base_domain }};
listen 80;
return 301 https://$server_name$request_uri;
}
server {
server_name auth.{{ base_domain }};
listen 443 ssl http2;
location / {
include /etc/nginx/snippets/proxy.conf;
set $upstream_authelia http://authelia:9091; # This example assumes a Docker deployment
proxy_pass $upstream_authelia;
}
}

View File

@ -0,0 +1,71 @@
host: 0.0.0.0
port: 9091
server:
read_buffer_size: 4096
write_buffer_size: 4096
path: "authelia"
log_level: debug
jwt_secret: somethingsomethingrandomrecret
default_redirection_url: https://{{ base_domain }}
authentication_backend:
disable_reset_password: false
ldap:
implementation: custom
url: ldap://openldap
start_tls: false
tls:
server_name: openldap
skip_verify: false
minimum_version: TLS1.2
base_dn: dc=kucharczyk,dc=xyz
username_attribute: uid
users_filter: ({username_attribute}={input})
groups_filter: (member={dn})
mail_attribute: mail
user: cn=admin,dc=kucharczyk,dc=xyz
password: {{ vault_openldap_admin_password }}
access_control:
default_policy: deny
networks:
- name: local
networks:
- 192.168.0.0/24
rules:
- domain: "*.{{ base_domain }}"
networks:
- local
policy: bypass
- domain: portainer.{{ base_domain }}
policy: one_factor
- domain: keycloak.{{ base_domain }}
policy: one_factor
- domain: radarr.{{ base_domain }}
policy: two_factor
session:
name: authelia_session
secret: somerandomsecret
expiration: 1h
inactivity: 5m
remember_me_duration: 1M
domain: {{ base_domain }}
regulation:
max_retries: 3
find_time: 2m
ban_time: 99y
storage:
local:
path: /config/db.sqlite3
notifier:
disable_startup_check: false
smtp:
username: kucharczyk.lukas@gmail.com
password: {{ vault_email_gmail_password }}
host: smtp.gmail.com
port: 587
sender: kucharczyk.lukas@gmail.com
subject: "[Authelia] {title}"
startup_check_address: test@authelia.com
disable_require_tls: false
tls:
skip_verify: false
minimum_version: TLS1.2

View File

@ -3,6 +3,9 @@
name:
- docker
- python-pip
- neovim
- fish
- curlie
state: present
update_cache: true
- name: start
@ -12,8 +15,9 @@
- name: add user to group
user:
name: lukas
groups: docker
groups: docker,wheel
append: true
shell: /usr/bin/fish
- name: install python docker
pip:
name:

View File

@ -12,7 +12,7 @@
name: 'jellyfin'
image: linuxserver/jellyfin
networks:
- name: nginx-internal
- name: external
volumes:
- "{{ data_folder }}/jellyfin:/config"
- "{{ media.tv }}:/data/tv"
@ -29,7 +29,6 @@
devices:
- /dev/dri:/dev/dri
state: started
restart: yes
- name: copy jellyfin nginx config
template:
src: jellyfin.conf.j2

View File

@ -1,6 +1,7 @@
server {
server_name "jellyfin.{{ base_domain }}";
listen 80;
return 301 https://$host$request_uri;
return 301 https://$server_name$request_uri;
}
server {

View File

@ -5,8 +5,9 @@
ports:
- "8080:8080"
networks:
- name: external
- name: postgres
- name: nginx-internal
- name: openldap
env:
"KEYCLOAK_USER": "{{ vault_keycloak_user }}"
"KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"
@ -20,6 +21,6 @@
- name: copy nginx conf
template:
src: "keycloak.conf.j2"
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name}}.{{ base_domain }}.conf"
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
mode: "755"
notify: reload nginx

View File

@ -1,6 +1,7 @@
server {
server_name "keycloak.{{ base_domain }}";
listen 80;
return 301 https://$host$request_uri;
return 301 https://$server_name$request_uri;
}
server {
@ -13,8 +14,11 @@ server {
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
include /etc/nginx/snippets/authelia-endpoint.conf;
location / {
proxy_pass http://$keycloak:8080;
include /etc/nginx/snippets/authelia-auth.conf;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

View File

@ -14,11 +14,11 @@
- name: generate self-signed certs
import_tasks: self-signed.yml
when: self_signed
- name: create nginx bridge network
- name: create external bridge network
docker_network:
name: nginx-internal
name: external
attachable: true
internal: true
internal: false
state: present
- name: copy nginx.conf
template:
@ -37,8 +37,7 @@
name: 'nginx'
image: nginx
networks:
- name: bridge
- name: nginx-internal
- name: external
volumes:
- "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d"
- "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf"
@ -54,4 +53,3 @@
NGINX_HOST: "{{ base_domain }}"
NGINX_PORT: '80'
state: started
restart: yes

View File

@ -14,6 +14,8 @@ http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_subrequest on;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

View File

@ -0,0 +1,36 @@
client_body_buffer_size 128k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
# If behind reverse proxy, forwards the correct IP
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 172.17.0.0/16;
set_real_ip_from 172.18.0.0/16;
set_real_ip_from 172.19.0.0/16;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;

View File

@ -6,44 +6,27 @@
loop:
- "{{ data_folder }}/openldap"
- "{{ data_folder }}/openldap/data"
- "{{ data_folder }}/openldap/slapd.d"
- "{{ data_folder }}/openldap/ldifs"
# - name: copy slapd.conf
# template:
# src: slapd.conf.j2
# dest: "{{ data_folder }}/openldap/slapd.d/slapd.conf"
# mode: '0755'
- name: copy user ldif
template:
src: lukas.ldif.j2
dest: "{{ data_folder }}/openldap/ldifs/lukas.ldif"
mode: '0755'
- name: create network
docker_network:
name: openldap
attachable: true
internal: true
state: present
- name: run container
docker_container:
name: "openldap"
image: osixia/openldap
command: "--loglevel debug"
hostname: ldap.dev.local
hostname: openldap
networks:
# - name: bridge
- name: nginx-internal
- name: openldap
ports:
- "389:389"
- "636:636"
volumes:
- "{{ data_folder }}/openldap/data:/var/lib/ldap"
- "{{ data_folder }}/openldap/slapd.d:/etc/ldap/slapd.d"
- "{{ data_folder }}/openldap/ldifs:/container/service/slapd/assets/config/bootstrap/ldif/custom"
env:
LDAP_ORGANISATION: "Homelab"
LDAP_DOMAIN: "kucharczyk.xyz"
LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
LDAP_ADMIN_PASSWORD: !vault |
$ANSIBLE_VAULT;1.1;AES256
35623735376134353839323136623133393035343162363366643632376262393539653736326431
6635373265313033653861393463633835333639346239650a303463323063373866316162616131
66356335346631386265363462353034393735366430636634643466376435313638303938363363
3838396139663964300a633931303135376566633363303336373937373138643564636263656233
6239
state: started
restart: yes

View File

@ -1,6 +0,0 @@
dn: dc=kucharczyk,dc=xyz
objectclass: top
objectclass: dcObject
objectclass: organization
dc: kucharczyk
o: Homelab

View File

@ -1,14 +0,0 @@
dn: uid=lukas,dc=kucharczyk,dc=xyz
uid: lukas
cn: lukas
givenName: Lukas
sn: Kucharczyk
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/lukas
uidNumber: 1000
gidNumber: 1000
userPassword: {SSHA}zsJllCeWKbz1we+L/gu/yt0hxeBdvJfT
mail: lukas@kucharczyk.xyz

View File

@ -1,16 +0,0 @@
# default config from /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
pidfile /run/openldap/slapd.pid
argsfile /run/openldap/slapd.args
# custom config
allow bind_anon_dn
access to attrs=userPassword by * auth
access to * by * read
loglevel 256
database mdb
suffix "dc=kucharczyk, dc=xyz"
rootdn "cn=admin, dc=kucharczyk, dc=xyz"
rootpw {SSHA}sgIeW4kyz3t0OyfZ1IZjzEDDb31JI3xK
directory /var/lib/ldap

View File

@ -0,0 +1,19 @@
- name: run container
docker_container:
name: 'portainer'
image: portainer/portainer-ce
networks:
- name: external
- name: openldap
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
ports:
- "8000:8000"
- "9000:9000"
state: started
- name: copy nginx conf
template:
src: portainer.conf.j2
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
mode: "755"
notify: reload nginx

View File

@ -0,0 +1,20 @@
server {
server_name portainer.{{ base_domain }};
listen 80;
return 301 https://$server_name$request_uri;
}
server {
server_name portainer.{{ base_domain }};
listen 443 ssl http2;
include /etc/nginx/snippets/authelia-endpoint.conf;
location / {
include /etc/nginx/snippets/proxy.conf;
include /etc/nginx/snippets/authelia-auth.conf;
set $upstream http://portainer:9000; # This example assumes a Docker deployment
proxy_pass $upstream;
}
}

View File

@ -0,0 +1,34 @@
- name: ensure directories exist
file:
path: "{{ item }}"
state: directory
mode: '0755'
loop:
- "{{ data_folder }}/radarr"
- "{{ media.tv }}"
- "{{ media.movies }}"
- "{{ downloads.nzb }}"
- name: run container
docker_container:
name: "{{ role_name }}"
image: "linuxserver/radarr"
networks:
- name: external
env:
"TZ": "{{ tz }}"
"PUID": "{{ puid }}"
"PGID": "{{ pgid }}"
"UMASK": "022"
volumes:
- "{{ data_folder }}/radarr:/config"
- "{{ downloads.nzb }}:/downloads"
- "{{ media.movies }}:/movies"
ports:
- "7878:7878"
state: started
- name: copy nginx conf
template:
src: "{{ role_name }}.conf.j2"
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
mode: "755"
notify: reload nginx

View File

@ -0,0 +1,20 @@
server {
server_name {{ role_name }}.{{ base_domain }};
listen 80;
return 301 https://$server_name$request_uri;
}
server {
server_name {{ role_name }}.{{ base_domain }};
listen 443 ssl http2;
include /etc/nginx/snippets/authelia-endpoint.conf;
location / {
include /etc/nginx/snippets/proxy.conf;
include /etc/nginx/snippets/authelia-auth.conf;
set $upstream http://{{ role_name }}:7878;
proxy_pass $upstream;
}
}

2
show-pass.sh Executable file
View File

@ -0,0 +1,2 @@
#!/bin/env fish
ansible-vault view --vault-password-file (pass show ansible-homelab | psub) vault/passwords.yml

View File

@ -1,14 +1,19 @@
$ANSIBLE_VAULT;1.1;AES256
32656133366339323166343734353434356561306461363033383266373733646161323166353438
3537666138666438373366353530626339303866353162340a386539353333323835383237356566
66636133383662333334396162323637393335336463316235386334353930616238623133613636
6535613536633662340a386333373465613466303137643232356664363233326561653235656263
63316130346236376235623632356364353538306439616362313837303438363736316137346237
36623333643062626532383439663730653139633836613636343232323437643564643531336661
34386135386437656135616536356538663731336261393636396562666337616462323330623732
65363536383238376166393563636532353336306335613131653261333662613965633265333462
30353564316435636330623434623832623463336231393630616266336435646434303963353665
63616631313863303838613362343538663236656235353966306231643132633938373935646466
63333036376136353831653236663631343761303830336461326264316563643037363935623731
38393037396530346232656366626535363539653462393663653739653935376436333934616562
3931
35356537316639386637316365393533643061363734323630393363313237643935666639653963
3734376266353938653631323266663139306335646635660a373233663964623335663366333434
34386136656530386639646234316238326132616131616632346537613963636637393839613661
6366326639643632320a386436316165343166366134633464393461653434323934326238313430
39323439306637306134326635323138616337646336653238636539643538613664303764303661
39636661353538393532663937396363656664613334383261336664336237356366663334633430
36356235383930653835393439373737623036613565313131626462363034303062323662663832
66613833613336646633383835653161386363386136663764653734313763383231626434393864
63313061346335383933623630396336336561633938613237643238616531343766613734666132
32306362616131396266656162653563356137383239616464306662643032623438373764306361
32363133626662633435626232653061373831626563323861626635383039613136303632613335
61363265316534653033393763646565393330633063323634353932353936303638356433306362
65383938306637333765383263653939633964613230613835326630313761323561376162646439
62323035323634323766393233326363383364653531306432663263303831623936616139306639
64303863386265343165666435363761653464386366636366323261353731643263356635383536
66326666616339653731633530663161363933383334376238313637356331663431336433643338
64313861306161373538363332663363623131303561373237326436373838393965306663333835
3764356534323963303832653964666431626538316361613137