Massive revamp, Jellyfin->Plex

This commit is contained in:
kat witch 2022-04-07 14:58:32 +01:00 committed by kat
parent 155a4c7620
commit 5c72cf5d95
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
26 changed files with 359 additions and 144 deletions


@ -10,6 +10,7 @@ with lib;
profiles.network
services.kattv2
services.dnscrypt-proxy
users.arc
];
# Terraform
@ -67,11 +68,9 @@ with lib;
userControlled.enable = false;
interfaces = singleton "wlp1s0";
};
interfaces.enp0s20u1.ipv4.addresses = singleton {
inherit (config.network.addresses.private.nixos.ipv4) address;
prefixLength = 24;
interfaces.enp0s20u1 = {
useDHCP = true;
};
defaultGateway = config.network.privateGateway;
};
network = {
@ -79,7 +78,7 @@ with lib;
private = {
enable = true;
nixos = {
ipv4.address = "192.168.1.34";
ipv4.address = "192.168.1.196";
};
};
};
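Review bot: Importing `users.arc` here does more than add a login: in this same commit arc joins `wheel` and the root account now aggregates `openssh.authorizedKeys.keys` from every wheel member, so arc's `mew-pgp` key becomes a direct root SSH key on this host — confirm that is intended. Separately, `interfaces.enp0s20u1.useDHCP = true` replaces the static assignment while `network.addresses.private.nixos.ipv4.address = "192.168.1.196"` is still declared, so that value is now only correct if the DHCP server reserves the lease for this host. A comment such as `# address comes from a DHCP reservation on the router; keep in sync with private.nixos.ipv4.address` would document the dependency. The enclosing module continues outside the hunk.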


@ -1,4 +1,4 @@
{ config, tf, meta, kw, pkgs, lib, ... }: with lib; {
{ config, inputs, tf, meta, kw, pkgs, lib, ... }: with lib; {
imports = with meta; [
profiles.hardware.aarch64
profiles.hardware.oracle.ubuntu
@ -13,13 +13,12 @@
services.syncplay
services.filehost
services.keycloak
services.vikunja
services.tt-rss
services.openldap
services.mail
services.hedgedoc
services.website
services.dnscrypt-proxy
services.daiyousei-access
services.vaultwarden
services.weechat
services.znc


@ -21,19 +21,40 @@
};
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/31bfd91b-bdba-47a9-81bf-c96e0adc88e3";
fsType = "xfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/89A2-ED28";
fsType = "vfat";
};
};
programs.ssh.extraConfig = ''
Host daiyousei-build
HostName daiyousei.kittywit.ch
Port 62954
User root
'';
swapDevices =
[ { device = "/dev/disk/by-uuid/96952382-7f56-46b5-8c84-1f0130f68b63"; }
nix.buildMachines = [ {
hostName = "daiyousei-build";
system = "aarch64-linux";
# systems = ["x86_64-linux" "aarch64-linux"];
maxJobs = 100;
speedFactor = 1;
supportedFeatures = [ "benchmark" "big-parallel" "kvm" ];
mandatoryFeatures = [ ];
}] ;
nix.distributedBuilds = true;
# optional, useful when the builder has a faster internet connection than yours
nix.extraOptions = ''
builders-use-substitutes = true
'';
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/31bfd91b-bdba-47a9-81bf-c96e0adc88e3";
fsType = "xfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/89A2-ED28";
fsType = "vfat";
};
};
swapDevices =
[ { device = "/dev/disk/by-uuid/96952382-7f56-46b5-8c84-1f0130f68b63"; }
];
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
@ -59,17 +80,16 @@
hostId = "dddbb888";
useDHCP = false;
/* wireless = {
enable = true;
userControlled.enable = true;
interfaces = singleton "wlp3s0";
enable = true;
userControlled.enable = true;
interfaces = singleton "wlp3s0";
};
interfaces = {
wlp3s0.ipv4.addresses = singleton {
inherit (config.network.addresses.private.nixos.ipv4) address;
prefixLength = 24;
};
wlp3s0.ipv4.addresses = singleton {
inherit (config.network.addresses.private.nixos.ipv4) address;
prefixLength = 24;
};
}; */
defaultGateway = config.network.privateGateway;
};
network = {
@ -77,7 +97,7 @@
private = {
enable = true;
nixos = {
ipv4.address = "192.168.1.3";
ipv4.address = "192.168.1.121";
};
};
};
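Review bot: The `daiyousei-build` SSH entry logs in as `root` on port 62954 but nothing in this hunk pins the builder's host key, so the Nix daemon's first connection is trust-on-first-use (or fails, depending on `StrictHostKeyChecking`); declaring `programs.ssh.knownHosts` with the builder's public key and `hostNames = [ "[daiyousei.kittywit.ch]:62954" ]` makes the channel authenticated. Because a remote builder returns store paths the client then trusts, a MITM on that link is a supply-chain problem, not just an availability one. A one-line comment noting that the daemon connects as `root@daiyousei` using `/root/.ssh` (so the key must live there, not in a user's home) would also help the next reader. The enclosing module continues outside the hunk.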


@ -59,11 +59,6 @@
};
};
services.owncast = {
enable = true;
port = 8082;
};
network = {
addresses.public = {
enable = true;


@ -10,6 +10,7 @@ with lib;
profiles.network
services.kattv
services.dnscrypt-proxy
users.arc
];
# Terraform
@ -53,11 +54,7 @@ with lib;
networking = {
hostId = "9f89b327";
useDHCP = false;
interfaces.enp1s0.ipv4.addresses = singleton {
inherit (config.network.addresses.private.nixos.ipv4) address;
prefixLength = 24;
};
defaultGateway = config.network.privateGateway;
interfaces.enp1s0.useDHCP = true;
};
network = {
@ -65,7 +62,7 @@ with lib;
private = {
enable = true;
nixos = {
ipv4.address = "192.168.1.32";
ipv4.address = "192.168.1.215";
};
};
};
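Review bot: This host drops its static address and `defaultGateway` for `interfaces.enp1s0.useDHCP = true`, but `network.addresses.private.nixos.ipv4.address` is still set to `192.168.1.215`; that value is now a claim about what the DHCP server will hand out rather than something NixOS enforces, so DNS records or firewall rules derived from it silently break on a lease change. Suggest a comment `# expects a DHCP reservation; must match private.nixos.ipv4.address` beside the `useDHCP` line and a static lease on the router if the address matters. Note also that `users.arc` is newly imported here, which together with arc's new `wheel` membership and the root key aggregation in this commit grants arc root SSH on this host. The module continues outside the hunk.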


@ -2,9 +2,6 @@
imports = with meta; [
profiles.hardware.rm-310
profiles.network
profiles.gui
users.kat.guiFull
services.jellyfin
services.ha
services.nextcloud
services.kattv-ingest
@ -15,6 +12,9 @@
services.transmission
services.tvheadend
services.zfs
services.plex
services.kubernetes
users.arc
];
deploy.tf = {
@ -89,7 +89,10 @@
networking = {
hostId = "3ef9a419";
useDHCP = false;
interfaces.eno1.useDHCP = true; /*.ipv4.addresses = singleton {
interfaces.eno1 = {
useDHCP = true;
tempAddress = "disabled";
}; /*.ipv4.addresses = singleton {
inherit (config.network.addresses.private.nixos.ipv4) address;
prefixLength = 24;
};
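Review bot: Importing `services.kubernetes` on this host has a side effect that should be visible here rather than implicit: assuming it resolves to the kubernetes module added in this commit, that module sets `networking.firewall.enable = false` and forces nftables off, so every `network.firewall` port list contributed by the other imports on this machine (ha, nextcloud, transmission, tvheadend, kattv-ingest, plex) stops having any effect. If that is intended, a comment beside the import such as `# NOTE: kubernetes.nix disables the host firewall for the whole box` keeps it from being a surprise. `tempAddress = "disabled"` on eno1 turns off IPv6 privacy extensions — presumably so the kubelet `nodeIp` stays stable — and deserves a comment saying so. The module continues outside the hunk.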


@ -0,0 +1,2 @@
{ inputs, ... }: {
}


@ -91,7 +91,7 @@ in
};
privateGateway = mkOption {
type = types.str;
default = "192.168.1.254";
default = "192.168.1.1";
};
tf = {
enable = mkEnableOption "Was the system provisioned by terraform?";
@ -184,7 +184,6 @@ in
else if cfg.addresses.private.enable then "${cfg.addresses.private.prefix}.${cfg.dns.domain}" else "");
}
(mkIf cfg.addresses.private.enable {
defaultGateway = mkDefault cfg.privateGateway;
})
];
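Review bot: Removing the `defaultGateway = mkDefault cfg.privateGateway` fallback from the `addresses.private.enable` branch means any host with a private address that neither enables DHCP on its interface nor sets its own `defaultGateway` loses its default route; the hosts touched in this commit switch to DHCP, but a host outside it that relied on the module default would be left without one. Since it was only a `mkDefault`, keeping it costs nothing, or add an assertion that one of the two is configured. `privateGateway` remains as an option whose only consumers are now hosts referencing it directly, so a comment on the option like `# no longer applied automatically; hosts must set defaultGateway or use DHCP` would document the new contract. The enclosing module continues outside the hunk.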


@ -25,12 +25,12 @@
hashedPassword =
"$6$i28yOXoo$/WokLdKds5ZHtJHcuyGrH2WaDQQk/2Pj0xRGLgS8UcmY2oMv3fw2j/85PRpsJJwCB2GBRYRK5LlvdTleHd3mB.";
openssh.authorizedKeys.keys = with pkgs.lib;
concatLists (mapAttrsToList
[ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDkeBFF4xxZgeURLzNHcvUFxImmkQ3pxXtpj3mtSyHXB kat@koishi" ] ++ (concatLists (mapAttrsToList
(name: user:
if elem "wheel" user.extraGroups then
user.openssh.authorizedKeys.keys
else
[ ])
config.users.users);
config.users.users));
};
}
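Review bot: Root's `authorizedKeys.keys` is now the union of a hard-coded `kat@koishi` key and every key of every user in `wheel`, so adding a key to any wheel user (arc joins `wheel` in this commit) silently grants direct root SSH with no review point in this file. If root login is genuinely needed, make the policy explicit with `services.openssh.settings.PermitRootLogin = "prohibit-password";` and a comment `# root keys are derived from all wheel users; review before adding anyone to wheel`. The `$6$` hashed root password checked in alongside was already present, but with direct root SSH now this broad it is worth a second look. The enclosing `users.users.root` block starts before the hunk.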


@ -17,21 +17,8 @@
cname = { inherit (config.network.addresses.public) target; };
};
deploy.tf.dns.records.services_home = {
inherit (config.network.dns) zone;
domain = "home";
cname = { inherit (config.network.addresses.public) target; };
};
services.nginx.virtualHosts = mkMerge [
{
"cast.${config.network.dns.domain}" = {
forceSSL = true;
enableACME = true;
locations = {
"/".proxyPass = "http://127.0.0.1:8082";
};
};
"cloud.${config.network.dns.domain}" = {
forceSSL = true;
enableACME = true;
@ -39,26 +26,13 @@
"/".proxyPass = "http://cloud.int.kittywit.ch:80/";
};
};
"home.${config.network.dns.domain}" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://home.int.kittywit.ch:80/";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
};
};
"media.${config.network.dns.domain}" = {
forceSSL = true;
enableACME = true;
locations = {
"/jellyfin/".proxyPass = "http://${meta.network.nodes.yukari.network.addresses.wireguard.nixos.ipv4.address}:8096/jellyfin/";
"/jellyfin/".proxyPass = "http://[${meta.network.nodes.yukari.network.addresses.yggdrasil.nixos.ipv6.address}]:8096/jellyfin/";
"/jellyfin/socket" = {
proxyPass = "http://${meta.network.nodes.yukari.network.addresses.wireguard.nixos.ipv4.address}:8096/jellyfin/";
proxyPass = "http://[${meta.network.nodes.yukari.network.addresses.yggdrasil.nixos.ipv6.address}]:8096/jellyfin/";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
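Review bot: `media.<domain>/jellyfin/` now proxies to yukari's yggdrasil IPv6 address on 8096, but this same commit removes `services.jellyfin` from yukari's imports, and the only listener on that address is the `jellyfin-socat` unit inside the jellyfin module, so as written these two locations will answer 502 unless Jellyfin is still hosted on yukari by some path not shown. Either remove the `/jellyfin/` locations together with the `cast` vhost that is being dropped here, or point them at wherever Jellyfin now lives. If the vhost is kept, a comment `# upstream is reached over yggdrasil (end-to-end encrypted), not the LAN` would record why plain HTTP to the backend is acceptable. The vhost set continues outside the hunk.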


@ -0,0 +1,24 @@
{ config, lib, meta, ... }: with lib; {
deploy.tf.dns.records.services_home = {
inherit (config.network.dns) zone;
domain = "home";
cname = { inherit (config.network.addresses.public) target; };
};
services.nginx.virtualHosts = {
"home.${config.network.dns.domain}" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://home.int.kittywit.ch:80/";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
};
};
};
}
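Review bot: `home.<domain>` publishes Home Assistant to the internet through a plain-HTTP upstream with only the websocket headers set; nothing in this file forwards `Host` or `X-Forwarded-For`, so unless `services.nginx.recommendedProxySettings` is enabled elsewhere, HA sees every client as the proxy's own address and any IP-based banning or `trusted_networks` logic it has configured becomes meaningless. Add `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` to `extraConfig` (or enable the recommended settings) and make sure HA's `http.use_x_forwarded_for` / `trusted_proxies` lists this nginx host, otherwise HA rejects the forwarded header. A one-line comment that `home.int.kittywit.ch` is only resolvable on the internal network would also help.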


@ -1,20 +1,50 @@
{ config, ... }: {
services.home-assistant = {
enable = true;
config = null;
extraComponents = [
"zha"
"esphome"
"met"
"default_config"
"google"
"google_assistant"
"google_cloud"
"google_translate"
"homekit"
"zeroconf"
"luci"
];
services = {
home-assistant = {
enable = true;
config = null;
extraComponents = [
"zha"
"esphome"
"apple_tv"
"spotify"
"met"
"default_config"
"cast"
"jellyfin"
"google"
"google_assistant"
"google_cloud"
"google_translate"
"homekit"
"mqtt"
"zeroconf"
"luci"
];
};
mosquitto = {
enable = true;
persistence = true;
listeners = [ {
acl = [ "pattern readwrite #" ];
omitPasswordAuth = true;
settings.allow_anonymous = true;
} ];
};
zigbee2mqtt = {
enable = true;
settings = {
homeassistant = true;
permit_join = true;
frontend = {
port = 8072;
};
serial = {
port = "tcp://192.168.1.149:8888";
adapter = "ezsp";
};
};
};
};
deploy.tf.dns.records.services_internal_home = {
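Review bot: The mosquitto listener is fully open — `allow_anonymous = true`, `omitPasswordAuth = true`, ACL `pattern readwrite #` — and no `address` is given, which the NixOS module treats as listening on all interfaces (confirm), so anyone who can reach the broker can publish to `zigbee2mqtt/bridge/request/...` and drive the Zigbee network. `zigbee2mqtt.settings.permit_join = true` compounds this by leaving the Zigbee network permanently open to new devices rather than enabling joining on demand. Suggest `permit_join = false`, a listener bound with `address = "127.0.0.1"` (or the yggdrasil address) and at least a password `users` entry for zigbee2mqtt and HA, or a comment `# broker intentionally unauthenticated: loopback/LAN only` if the open policy is deliberate. The `serial.port = "tcp://192.168.1.149:8888"` adapter is likewise an unauthenticated TCP endpoint and is worth a note that it must stay on the trusted segment. The `services` set continues outside the hunk.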


@ -15,11 +15,31 @@
};
};
systemd.services = {
jellyfin-socat =
let
service = lib.singleton "jellyfin.service";
in
{
after = service;
bindsTo = service;
serviceConfig = {
DynamicUser = true;
};
script =
let
port = toString 8096;
addr = config.network.addresses.yggdrasil.nixos.ipv6.address;
in "${pkgs.socat}/bin/socat TCP6-LISTEN:${port},bind=${addr},fork TCP4:localhost:${port}";
};
};
network.firewall = {
public.tcp.ranges = [{
from = 32768;
to = 60999;
}];
public.tcp.ports = [ 8096 ];
private.tcp = {
ports = [
8096
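Review bot: The `jellyfin-socat` unit re-exposes Jellyfin's 8096 on the yggdrasil address with `fork` and no `range=` restriction, and `public.tcp.ports` below adds 8096 as well, so any yggdrasil peer (and, if that public list maps to a real interface, anyone) reaches Jellyfin directly, bypassing the nginx TLS front. Because socat originates the inner connection locally, Jellyfin also sees every client as `127.0.0.1`, which defeats its per-IP login throttling and may satisfy its LAN-network rules. If only the nginx host should reach this, add `,range=<nginx yggdrasil address>/128` to the `TCP6-LISTEN` options, drop 8096 from the public list, and note `# only the web frontend should reach this; client source IP is lost through socat`. The `public.tcp.ranges` 32768–60999 entry next to it looks like an inbound ephemeral-port range; if it is new in this commit it deserves its own justification. The firewall block continues outside the hunk.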


@ -68,12 +68,13 @@ let
}
"h264parse"
];
rtmpsink = [
tcpserversink = [
"flvmux"
queue_data
{
element.rtmp2sink = {
location = "rtmp://localhost:1935/stream/kattv";
element.tcpserversink = {
port = 8989;
host = config.network.addresses.yggdrasil.nixos.ipv6.address;
};
}
];
@ -93,26 +94,12 @@ let
videoconvert_cpu
encode_high
rtmpsink
tcpserversink
];
in
{
services.nginx.appendConfig = ''
rtmp {
server {
listen [::]:1935 ipv6only=off;
application stream {
live on;
allow publish all;
allow play all;
}
}
}
'';
{
network.firewall = {
private.tcp.ports = singleton 1935;
private.tcp.ports = [ 1935 8989 8990 ];
public.tcp.ports = [ 4953 1935 ];
};
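Review bot: The nginx `rtmp` server block is removed so nothing listens on 1935 any more, yet `private.tcp.ports` and `public.tcp.ports` both still open `1935`; a stale allow rule is harmless today but becomes an unintended opening the moment another service binds that port. Drop `1935` from both lists, or add `# 1935 kept for <reason>` if something outside this file still uses it. The new `tcpserversink` binds the yggdrasil address with no authentication, which is presumably acceptable inside the overlay, but a comment `# FLV over TCP for the yggdrasil-side ingest; not a public port` would make that trust assumption explicit. The `let` block holding the pipeline starts before the hunk.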


@ -68,12 +68,13 @@ let
}
"h264parse"
];
rtmpsink = [
tcpserversink = [
"flvmux"
queue_data
{
element.rtmp2sink = {
location = "rtmp://localhost:1935/stream/kattv2";
element.tcpserversink = {
port = 8990;
host = config.network.addresses.yggdrasil.nixos.ipv6.address;
};
}
];
@ -93,7 +94,7 @@ let
videoconvert_cpu
encode_high
rtmpsink
tcpserversink
];
in
{


@ -0,0 +1,123 @@
{ config, pkgs, lib, ... }:
{
# Set some necessary sysctls
boot.kernel.sysctl = {
"net.ipv6.conf.all.forwarding" = 1;
"net.ipv4.conf.all.forwarding" = 1;
# k8s opens a LOT of files, raise the total number of openable files so we don't end up getting issues in userspace
"fs.inotify.max_user_instances" = 16384;
"vm.max_map_count" = 524288;
"vm.swappiness" = 10;
};
systemd.services.containerd = {
path = with pkgs; [ containerd kmod zfs runc iptables ];
};
virtualisation.containerd.settings = {
plugins."io.containerd.grpc.v1.cri" = {
cni.bin_dir = "/opt/cni/bin";
};
};
# disable creating the CNI directory (calico will make it for us)
environment.etc."cni/net.d".enable = false;
# Firewalling must be disabled for kubes.
networking.firewall.enable = false;
networking.nftables.enable = lib.mkForce false;
# Useful utilities.
environment.systemPackages = [
# kubectl_ppc
pkgs.kubectl pkgs.kubetail
];
# Kubernetes configuration.
services.kubernetes = {
# because fuck PKI honestly
easyCerts = true;
roles = ["master" "node"];
flannel.enable = false;
# where can we contact the (an) apiserver?
apiserverAddress = "https://yukari.int.kittywit.ch:6443";
# where can we contact the orchestrator?
masterAddress = "yukari.int.kittywit.ch";
#Â ipv4 cidr should be before ipv6 otherwise apps that make assumptions break horribly when binding to ipv4 interfaces and then attempting to contact themselves over ipv6
clusterCidr = "172.18.0.0/16,fc00:abc1::/48";
# define dns separately
addons.dns.enable = false;
#Â dns on ipv6 though
#addons.dns.clusterIp = "fc00:abc0::254";
#Â define newer coredns
#addons.dns.coredns = {
# # AMD64 version.
# # TODO upgrade to 1.8 (requires a new configmap)
# #Â (1.7 removes upstream directive, should just be a case of removing that)
# imageName = "coredns/coredns";
# imageDigest = "sha256:2044ffefe18e2dd3d6781e532119603ee4e8622b6ba38884dc7ab53325435151";
# finalImageTag = "1.6.9";
# sha256 = "0j5gj82jbqylapfrab61qdhm4187pqphyz244n31ik05wd5l8n17";
#};
apiserver = {
# address to advertise the apiserver at, must be reachable by the rest of the cluster
advertiseAddress = "192.168.1.154";
#Â privileged pods are required to run cluster services like MetalLB and longhorn
allowPrivileged = true;
# bind to ipv4 & ipv6
bindAddress = "::";
# needed otherwise we end up with a cert that isn't valid for ipv6
extraSANs = [ "172.19.0.1" "fc00:abc0::1" ];
serviceClusterIpRange = "172.19.0.0/16,fc00:abc0::/112";
# allow all ports (this is a really bad idea don't do this with untrusted workloads)
extraOpts = "--service-node-port-range=1-65535";
#extraOpts = "--service-node-port-range=1-65535";
enableAdmissionPlugins = [
"NamespaceLifecycle" "LimitRanger" "ServiceAccount" "TaintNodesByCondition" "Priority" "DefaultTolerationSeconds"
"DefaultStorageClass" "StorageObjectInUseProtection" "PersistentVolumeClaimResize" "RuntimeClass" "CertificateApproval" "CertificateSigning"
"CertificateSubjectRestriction" "DefaultIngressClass" "MutatingAdmissionWebhook" "ValidatingAdmissionWebhook" "ResourceQuota"
];
};
controllerManager = {
# bind to localhost ipv6
bindAddress = "::1";
extraOpts = "--service-cluster-ip-range=172.19.0.0/16,fc00:abc0::/64 --node-cidr-mask-size-ipv4=24 --node-cidr-mask-size-ipv6=64";
};
kubelet = {
featureGates = [ "NodeSwap" ];
clusterDns = "fc00:abc0::254";
networkPlugin = "cni";
cni.configDir = "/etc/cni/net.d";
nodeIp = "192.168.1.154,2a00:23c7:c5ad:6e00::c2e";# "10.0.0.1,2a02:8010:61d0:beef:428d:5cff:fe4e:6a2c";
extraOpts = ''
--root-dir=/var/lib/kubelet \
--fail-swap-on=false \
--cni-bin-dir=/opt/cni/bin \
'';
};
proxy = {
# bind to ipv6
bindAddress = "::";
};
};
systemd.services.kubelet = {
preStart = pkgs.lib.mkForce ''
${lib.concatMapStrings (img: ''
echo "Seeding container image: ${img}"
${if (lib.hasSuffix "gz" img) then
''${pkgs.gzip}/bin/zcat "${img}" | ${pkgs.containerd}/bin/ctr -n k8s.io image import -''
else
''${pkgs.coreutils}/bin/cat "${img}" | ${pkgs.containerd}/bin/ctr -n k8s.io image import -''
}
'') config.services.kubernetes.kubelet.seedDockerImages}
${lib.concatMapStrings (package: ''
echo "Linking cni package: ${package}"
ln -fs ${package}/bin/* /opt/cni/bin
'') config.services.kubernetes.kubelet.cni.packages}
'';
};
}
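Review bot: `--service-node-port-range=1-65535` combined with `networking.firewall.enable = false` lets any workload able to create a NodePort Service claim privileged ports such as 22, 443 or 6443 on every node interface, potentially colliding with or shadowing the host's sshd, nginx and apiserver — the inline comment already says this is a bad idea, and the duplicated commented-out `#extraOpts` line suggests it was toggled during debugging and left in. Narrow it to the default `30000-32767` (or a small explicit range) and keep a host firewall that allows only the ports k8s needs rather than disabling it outright. `allowPrivileged = true` and `easyCerts = true` are reasonable for a single-node homelab but should be stated as such with a comment. The `mkForce`d kubelet `preStart` replaces the NixOS module's own preStart wholesale, so any upstream setup steps are dropped silently; a comment naming what was intentionally left out would prevent a future "why is X missing" hunt.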


@ -97,7 +97,7 @@ in
Type = if forking then "forking" else "simple";
PIDFile = mkIf forking "/run/murmur/murmurd.pid";
EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
ExecStart = "${cfg.package}/bin/murmurd -ini ${config.secrets.files.murmur-config.path}";
ExecStart = "${cfg.package}/bin/mumble-server -ini ${config.secrets.files.murmur-config.path}";
Restart = "always";
RuntimeDirectory = "murmur";
RuntimeDirectoryMode = "0700";

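--- a/config/services/plex.nix
+++ b/config/services/plex.nix
@@ -0,0 +1,7 @@
+{ config, ... }: {
+services = {
+plex = {
+enable = true;
+};
+};
+}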
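Review bot: `services.plex.enable = true` with defaults leaves `openFirewall` off, but yukari — the host that imports this in the same commit — also imports the new kubernetes module, which disables the host firewall entirely, so Plex's 32400 and its discovery ports end up reachable on every interface regardless of that default. Record the exposure with a comment such as `# host firewall is disabled by kubernetes.nix; 32400 is effectively open on all interfaces` and, if remote access is not wanted, front it with nginx or restrict it in Plex's own network settings. The `config` argument is accepted but unused here and can be dropped.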


@ -154,7 +154,8 @@ CONFIG = {
config.secrets.files.mautrix-telegram-env.path;
services.matrix-synapse = {
enable = true;
logConfig = ''
settings = {
log_config = pkgs.writeText "nya.yaml" ''
version: 1
formatters:
precise:
@ -179,7 +180,6 @@ CONFIG = {
level: WARNING
handlers: [console]
'';
settings = {
server_name = config.network.dns.domain;
app_service_config_files = [
"/var/lib/matrix-synapse/telegram-registration.yaml"
@ -187,8 +187,8 @@ CONFIG = {
"/var/lib/matrix-synapse/whatsapp-registration.yaml"
];
max_upload_size = "512M";
rc_messages_per_second = mkDefault "0.1";
rc_message_burst_count = mkDefault "25.0";
rc_messages_per_second = mkDefault 0.1;
rc_message_burst_count = mkDefault 25;
public_baseurl = "https://${config.network.dns.domain}";
url_preview_enabled = mkDefault true;
enable_registration = mkDefault false;
@ -196,9 +196,10 @@ CONFIG = {
report_stats = mkDefault false;
dynamic_thumbnails = mkDefault true;
allow_guest_access = mkDefault true;
suppress_key_server_warning = mkDefault true;
listeners = [{
port = 8008;
bind_address = "::1";
bind_addresses = [ "::1" ] ;
type = "http";
tls = false;
x_forwarded = true;
@ -207,20 +208,19 @@ CONFIG = {
compress = false;
}];
}];
saml2_config = {
sp_config.metadata.remote = [ {
url = "https://auth.kittywit.ch/auth/realms/kittywitch/protocol/saml/descriptor";
} ];
config_path = config.secrets.files.saml2-config.path;
user_mapping_provider = {
config = {};
};
password_config = {
enabled = false;
};
};
};
extraConfig = ''
suppress_key_server_warning: true
saml2_config:
sp_config:
metadata:
remote:
- url: https://auth.kittywit.ch/auth/realms/kittywitch/protocol/saml/descriptor
config_path: "${config.secrets.files.saml2-config.path}"
user_mapping_provider:
config:
password_config:
enabled: false
'';
};
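Review bot: `url_preview_enabled = mkDefault true` is carried into `settings` with no visible `url_preview_ip_range_blacklist`; the nodes in this repo carry yggdrasil and wireguard addresses in addition to RFC1918 ones, and Synapse's built-in private-range list will not know the overlay prefixes, so link previews can become an SSRF into the internal network. Add `url_preview_ip_range_blacklist` listing the LAN, `200::/7` (yggdrasil) and wireguard ranges, or confirm it is set elsewhere in the file. `suppress_key_server_warning = true` implicitly keeps matrix.org as the trusted notary key server — fine, but a comment `# default trusted_key_servers (matrix.org) intentionally kept` makes it deliberate. `allow_guest_access = true` alongside `enable_registration = false` also reads as a conscious choice that merits one line of explanation. The `services.matrix-synapse` set continues outside the hunk.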
services.mautrix-telegram = {

@ -1 +1 @@
Subproject commit 2ad93ea38ae53603ec670ca30a307033da37248d
Subproject commit 736c050ee87fd11137f75112c0548174ec654036


@ -6,6 +6,7 @@
users.users.arc = {
uid = 1001;
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8Z6briIboxIdedPGObEWB6QEQkvxKvnMW/UVU9t/ac mew-pgp"
];
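Review bot: Adding `wheel` to arc's `extraGroups` now does more than grant sudo: the root user in this commit aggregates `openssh.authorizedKeys.keys` from every wheel member, so the `mew-pgp` key here becomes a direct root login key on every host that imports `users.arc`. If only sudo was intended, that coupling should be called out, e.g. `# NOTE: wheel membership also adds these keys to root's authorized_keys (see users/root)`. Also confirm whether arc has a password set — with NixOS's default `security.sudo.wheelNeedsPassword = true`, a passwordless account cannot use sudo at all while still having root over SSH, which is the wrong way round.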


@ -76,15 +76,14 @@ let
"breakpad.reportURL" = "";
"beacon.enabled" = false;
"browser.search.geoip.url" = "";
"browser.search.region" = "CA";
"browser.search.suggest.enabled" = false;
"browser.search.region" = "UK";
"browser.search.suggest.enabled" = true;
"browser.search.update" = false;
"browser.selfsupport.url" = "";
"extensions.getAddons.cache.enabled" = false;
"extensions.pocket.enabled" = true;
"geo.enabled" = false;
"geo.wifi.uri" = false;
"keyword.enabled" = false;
"media.getusermedia.screensharing.enabled" = false;
"media.video_stats.enabled" = false;
"device.sensors.enabled" = false;
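Review bot: `"browser.search.region" = "UK"` is not a value Firefox recognises — the region pref holds an ISO 3166-1 alpha-2 code and the United Kingdom is `GB` — so the change from `CA` most likely leaves search defaults for an unknown region; `"browser.search.region" = "GB";` is the intended value. Flipping `browser.search.suggest.enabled` to `true` also sends every keystroke typed in the address bar to the search provider, which runs against the surrounding hardening (`geo.enabled`, `beacon.enabled`, `breakpad.reportURL` all disabled); if that trade-off is deliberate, a comment `# suggestions intentionally on; leaks typed queries to the search engine` keeps it honest. The `let` block containing these prefs starts before the hunk.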


@ -0,0 +1,13 @@
{ config, pkgs, ... }: {
services = {
nextcloud-client = {
enable = true;
};
gnome-keyring = {
enable = true;
};
};
home.packages = [
pkgs.gnome3.seahorse
];
}
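Review bot: Enabling home-manager's `services.gnome-keyring` without `components` starts all of its components, including the `ssh` agent, which can take over `SSH_AUTH_SOCK` and conflict with whatever agent currently serves the `yubikey5` key declared for this user elsewhere in the commit (confirm which agent that is). If the keyring is only wanted as a credential store for `nextcloud-client`, restrict it with `services.gnome-keyring.components = [ "pkcs11" "secrets" ];` and add `# secrets only: ssh keys are handled by the yubikey/gpg-agent` so the omission is clearly deliberate. `config` is accepted but unused in this module.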


@ -6,6 +6,7 @@
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-rsa 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 yubikey5"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII74JrgGsDQ6r7tD7+k3ykxXV7DpeeFRscPMxrBsDPhz kat@goliath"
];
shell = pkgs.zsh;
extraGroups = [ "wheel" "video" "systemd-journal" "plugdev" "bird2" "vfio" "input" "uinput" ];
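Review bot: The new `kat@goliath` key is added to a user in `wheel`, so under the root-key aggregation introduced in this commit it is also a root login key on every host; that is probably intended for the primary user, but a comment `# also becomes a root key via the users/root wheel aggregation` would keep the trust set visible. Declaring the key list once in a shared attribute and referencing it from both places would make that relationship explicit instead of implicit. The `users.users.kat` block starts before the hunk.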