Massive revamp, Jellyfin->Plex

config/hosts/chen.nix

@@ -10,6 +10,7 @@ with lib;
     profiles.network
     services.kattv2
     services.dnscrypt-proxy
+    users.arc
   ];
 
   # Terraform
@@ -67,11 +68,9 @@ with lib;
       userControlled.enable = false;
       interfaces = singleton "wlp1s0";
     };
-    interfaces.enp0s20u1.ipv4.addresses = singleton {
+    interfaces.enp0s20u1 = {
-      inherit (config.network.addresses.private.nixos.ipv4) address;
+      useDHCP = true;
-      prefixLength = 24;
     };
-    defaultGateway = config.network.privateGateway;
   };
 
   network = {
@@ -79,7 +78,7 @@ with lib;
       private = {
         enable = true;
         nixos = {
-          ipv4.address = "192.168.1.34";
+          ipv4.address = "192.168.1.196";
         };
       };
     };

config/hosts/daiyousei.nix

@@ -1,4 +1,4 @@
-{ config, tf, meta, kw, pkgs, lib, ... }: with lib; {
+{ config, inputs, tf, meta, kw, pkgs, lib, ... }: with lib; {
   imports = with meta; [
     profiles.hardware.aarch64
     profiles.hardware.oracle.ubuntu
@@ -13,13 +13,12 @@
     services.syncplay
     services.filehost
     services.keycloak
-    services.vikunja
-    services.tt-rss
     services.openldap
     services.mail
     services.hedgedoc
     services.website
     services.dnscrypt-proxy
+    services.daiyousei-access
     services.vaultwarden
     services.weechat
     services.znc

config/hosts/koishi.nix

@@ -21,6 +21,27 @@
       };
     };
 
+    programs.ssh.extraConfig = ''
+Host daiyousei-build
+        HostName daiyousei.kittywit.ch
+        Port 62954
+        User root
+  '';
+
+  nix.buildMachines = [ {
+	 hostName = "daiyousei-build";
+	 system = "aarch64-linux";
+	 # systems = ["x86_64-linux" "aarch64-linux"];
+	 maxJobs = 100;
+	 speedFactor = 1;
+	 supportedFeatures = [ "benchmark" "big-parallel" "kvm" ];
+	 mandatoryFeatures = [ ];
+	}] ;
+	nix.distributedBuilds = true;
+	# optional, useful when the builder has a faster internet connection than yours
+	nix.extraOptions = ''
+		builders-use-substitutes = true
+	'';
     fileSystems = {
       "/" = {
         device = "/dev/disk/by-uuid/31bfd91b-bdba-47a9-81bf-c96e0adc88e3";
@@ -69,7 +90,6 @@
       prefixLength = 24;
       };
       }; */
-      defaultGateway = config.network.privateGateway;
     };
 
     network = {
@@ -77,7 +97,7 @@
         private = {
           enable = true;
           nixos = {
-            ipv4.address = "192.168.1.3";
+            ipv4.address = "192.168.1.121";
           };
         };
       };

config/hosts/marisa.nix

@@ -59,11 +59,6 @@
     };
   };
 
-  services.owncast = {
-    enable = true;
-    port = 8082;
-  };
-
   network = {
     addresses.public = {
       enable = true;

config/hosts/ran.nix

@@ -10,6 +10,7 @@ with lib;
     profiles.network
     services.kattv
     services.dnscrypt-proxy
+    users.arc
   ];
 
   # Terraform
@@ -53,11 +54,7 @@ with lib;
   networking = {
     hostId = "9f89b327";
     useDHCP = false;
-    interfaces.enp1s0.ipv4.addresses = singleton {
+    interfaces.enp1s0.useDHCP = true;
-      inherit (config.network.addresses.private.nixos.ipv4) address;
-      prefixLength = 24;
-    };
-    defaultGateway = config.network.privateGateway;
   };
 
   network = {
@@ -65,7 +62,7 @@ with lib;
       private = {
         enable = true;
         nixos = {
-          ipv4.address = "192.168.1.32";
+          ipv4.address = "192.168.1.215";
         };
       };
     };

config/hosts/yukari.nix

@@ -2,9 +2,6 @@
   imports = with meta; [
     profiles.hardware.rm-310
     profiles.network
-    profiles.gui
-    users.kat.guiFull
-    services.jellyfin
     services.ha
     services.nextcloud
     services.kattv-ingest
@@ -15,6 +12,9 @@
     services.transmission
     services.tvheadend
     services.zfs
+    services.plex
+    services.kubernetes
+    users.arc
   ];
 
   deploy.tf = {
@@ -89,7 +89,10 @@
   networking = {
     hostId = "3ef9a419";
     useDHCP = false;
-    interfaces.eno1.useDHCP = true; /*.ipv4.addresses = singleton {
+    interfaces.eno1 = {
+      useDHCP = true;
+      tempAddress = "disabled";
+    }; /*.ipv4.addresses = singleton {
       inherit (config.network.addresses.private.nixos.ipv4) address;
       prefixLength = 24;
     };

config/modules/nixos/disables.nix

@@ -0,0 +1,2 @@
+{ inputs, ... }: {
+}

config/modules/nixos/network.nix

@@ -91,7 +91,7 @@ in
     };
     privateGateway = mkOption {
       type = types.str;
-      default = "192.168.1.254";
+      default = "192.168.1.1";
     };
     tf = {
       enable = mkEnableOption "Was the system provisioned by terraform?";
@@ -184,7 +184,6 @@ in
         else if cfg.addresses.private.enable then "${cfg.addresses.private.prefix}.${cfg.dns.domain}" else "");
       }
       (mkIf cfg.addresses.private.enable {
-        defaultGateway = mkDefault cfg.privateGateway;
       })
       ];
 

config/profiles/base/access.nix

@@ -25,12 +25,12 @@
     hashedPassword =
       "$6$i28yOXoo$/WokLdKds5ZHtJHcuyGrH2WaDQQk/2Pj0xRGLgS8UcmY2oMv3fw2j/85PRpsJJwCB2GBRYRK5LlvdTleHd3mB.";
     openssh.authorizedKeys.keys = with pkgs.lib;
-      concatLists (mapAttrsToList
+      [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDkeBFF4xxZgeURLzNHcvUFxImmkQ3pxXtpj3mtSyHXB kat@koishi" ] ++ (concatLists (mapAttrsToList
         (name: user:
           if elem "wheel" user.extraGroups then
             user.openssh.authorizedKeys.keys
           else
             [ ])
-        config.users.users);
+        config.users.users));
   };
 }

config/services/access.nix

@@ -17,21 +17,8 @@
     cname = { inherit (config.network.addresses.public) target; };
   };
 
-  deploy.tf.dns.records.services_home = {
-    inherit (config.network.dns) zone;
-    domain = "home";
-    cname = { inherit (config.network.addresses.public) target; };
-  };
-
   services.nginx.virtualHosts = mkMerge [
     {
-      "cast.${config.network.dns.domain}" = {
-        forceSSL = true;
-        enableACME = true;
-        locations = {
-          "/".proxyPass = "http://127.0.0.1:8082";
-        };
-      };
       "cloud.${config.network.dns.domain}" = {
         forceSSL = true;
         enableACME = true;
@@ -39,26 +26,13 @@
           "/".proxyPass = "http://cloud.int.kittywit.ch:80/";
         };
       };
-      "home.${config.network.dns.domain}" = {
-        forceSSL = true;
-        enableACME = true;
-        locations = {
-          "/" = {
-            proxyPass = "http://home.int.kittywit.ch:80/";
-            extraConfig = ''
-              proxy_set_header Upgrade $http_upgrade;
-              proxy_set_header Connection "upgrade";
-            '';
-          };
-        };
-      };
       "media.${config.network.dns.domain}" = {
         forceSSL = true;
         enableACME = true;
         locations = {
-          "/jellyfin/".proxyPass = "http://${meta.network.nodes.yukari.network.addresses.wireguard.nixos.ipv4.address}:8096/jellyfin/";
+          "/jellyfin/".proxyPass = "http://[${meta.network.nodes.yukari.network.addresses.yggdrasil.nixos.ipv6.address}]:8096/jellyfin/";
           "/jellyfin/socket" = {
-            proxyPass = "http://${meta.network.nodes.yukari.network.addresses.wireguard.nixos.ipv4.address}:8096/jellyfin/";
+            proxyPass = "http://[${meta.network.nodes.yukari.network.addresses.yggdrasil.nixos.ipv6.address}]:8096/jellyfin/";
             extraConfig = ''
               proxy_set_header Upgrade $http_upgrade;
               proxy_set_header Connection "upgrade";

config/services/daiyousei-access.nix

@@ -0,0 +1,24 @@
+
+{ config, lib, meta, ... }: with lib; {
+  deploy.tf.dns.records.services_home = {
+    inherit (config.network.dns) zone;
+    domain = "home";
+    cname = { inherit (config.network.addresses.public) target; };
+  };
+
+  services.nginx.virtualHosts = {
+      "home.${config.network.dns.domain}" = {
+        forceSSL = true;
+        enableACME = true;
+        locations = {
+          "/" = {
+            proxyPass = "http://home.int.kittywit.ch:80/";
+            extraConfig = ''
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection "upgrade";
+            '';
+          };
+        };
+      };
+    };
+}

config/services/ha.nix

@@ -1,21 +1,51 @@
 { config, ... }: {
-  services.home-assistant = {
+  services = {
+    home-assistant = {
       enable = true;
       config = null;
       extraComponents = [
         "zha"
         "esphome"
+        "apple_tv"
+        "spotify"
         "met"
         "default_config"
+        "cast"
+        "jellyfin"
         "google"
         "google_assistant"
         "google_cloud"
         "google_translate"
         "homekit"
+        "mqtt"
         "zeroconf"
         "luci"
       ];
     };
+    mosquitto = {
+      enable = true;
+      persistence = true;
+      listeners = [ {
+        acl = [ "pattern readwrite #" ];
+        omitPasswordAuth = true;
+        settings.allow_anonymous = true;
+      } ];
+    };
+    zigbee2mqtt = {
+      enable = true;
+      settings = {
+        homeassistant = true;
+        permit_join = true;
+        frontend = {
+          port = 8072;
+        };
+        serial = {
+          port = "tcp://192.168.1.149:8888";
+          adapter = "ezsp";
+        };
+      };
+    };
+  };
 
   deploy.tf.dns.records.services_internal_home = {
     inherit (config.network.dns) zone;

config/services/jellyfin.nix

@@ -15,11 +15,31 @@
     };
   };
 
+  systemd.services = {
+      jellyfin-socat =
+        let
+          service = lib.singleton "jellyfin.service";
+        in
+        {
+          after = service;
+          bindsTo = service;
+          serviceConfig = {
+            DynamicUser = true;
+          };
+          script =
+            let
+              port = toString 8096;
+              addr = config.network.addresses.yggdrasil.nixos.ipv6.address;
+            in "${pkgs.socat}/bin/socat TCP6-LISTEN:${port},bind=${addr},fork TCP4:localhost:${port}";
+        };
+      };
+
   network.firewall = {
     public.tcp.ranges = [{
       from = 32768;
       to = 60999;
     }];
+    public.tcp.ports = [ 8096 ];
     private.tcp = {
       ports = [
         8096

config/services/kattv-ingest.nix

@@ -68,12 +68,13 @@ let
     }
     "h264parse"
   ];
-  rtmpsink = [
+  tcpserversink = [
     "flvmux"
     queue_data
     {
-      element.rtmp2sink = {
+      element.tcpserversink = {
-        location = "rtmp://localhost:1935/stream/kattv";
+        port = 8989;
+        host = config.network.addresses.yggdrasil.nixos.ipv6.address;
       };
     }
   ];
@@ -93,26 +94,12 @@ let
     videoconvert_cpu
     encode_high
 
-    rtmpsink
+    tcpserversink
   ];
 in
-{
+  {
-  services.nginx.appendConfig = ''
-    rtmp {
-      server {
-        listen [::]:1935 ipv6only=off;
-        application stream {
-          live on;
-
-          allow publish all;
-          allow play all;
-        }
-      }
-    }
-  '';
-
   network.firewall = {
-    private.tcp.ports = singleton 1935;
+    private.tcp.ports = [ 1935 8989 8990 ];
     public.tcp.ports = [ 4953 1935 ];
   };
 

config/services/kattv2-ingest.nix

@@ -68,12 +68,13 @@ let
     }
     "h264parse"
   ];
-  rtmpsink = [
+  tcpserversink = [
     "flvmux"
     queue_data
     {
-      element.rtmp2sink = {
+      element.tcpserversink = {
-        location = "rtmp://localhost:1935/stream/kattv2";
+        port = 8990;
+        host = config.network.addresses.yggdrasil.nixos.ipv6.address;
       };
     }
   ];
@@ -93,7 +94,7 @@ let
     videoconvert_cpu
     encode_high
 
-    rtmpsink
+    tcpserversink
   ];
 in
 {

config/services/kubernetes.nix

@@ -0,0 +1,123 @@
+{ config, pkgs, lib, ... }:
+{
+  # Set some necessary sysctls
+  boot.kernel.sysctl = {
+    "net.ipv6.conf.all.forwarding" = 1;
+    "net.ipv4.conf.all.forwarding" = 1;
+    # k8s opens a LOT of files, raise the total number of openable files so we don't end up getting issues in userspace
+    "fs.inotify.max_user_instances" = 16384;
+    "vm.max_map_count" = 524288;
+    "vm.swappiness" = 10;
+  };
+
+  systemd.services.containerd = {
+    path = with pkgs; [ containerd kmod zfs runc iptables ];
+  };
+
+  virtualisation.containerd.settings = {
+    plugins."io.containerd.grpc.v1.cri" = {
+      cni.bin_dir = "/opt/cni/bin";
+    };
+  };
+
+  # disable creating the CNI directory (calico will make it for us)
+  environment.etc."cni/net.d".enable = false;
+
+  # Firewalling must be disabled for kubes.
+  networking.firewall.enable = false;
+  networking.nftables.enable = lib.mkForce false;
+
+  # Useful utilities.
+  environment.systemPackages = [
+    # kubectl_ppc
+    pkgs.kubectl pkgs.kubetail
+  ];
+
+  # Kubernetes configuration.
+  services.kubernetes = {
+    # because fuck PKI honestly
+    easyCerts = true;
+    roles = ["master" "node"];
+    flannel.enable = false;
+    # where can we contact the (an) apiserver?
+    apiserverAddress = "https://yukari.int.kittywit.ch:6443";
+    # where can we contact the orchestrator?
+    masterAddress = "yukari.int.kittywit.ch";
+
+    #Â ipv4 cidr should be before ipv6 otherwise apps that make assumptions break horribly when binding to ipv4 interfaces and then attempting to contact themselves over ipv6
+    clusterCidr = "172.18.0.0/16,fc00:abc1::/48";
+
+    # define dns separately
+    addons.dns.enable = false;
+    #Â dns on ipv6 though
+    #addons.dns.clusterIp = "fc00:abc0::254";
+    #Â define newer coredns
+    #addons.dns.coredns = {
+    #    # AMD64 version.
+    #    # TODO upgrade to 1.8 (requires a new configmap)
+    #    #Â (1.7 removes upstream directive, should just be a case of removing that)
+    #    imageName = "coredns/coredns";
+    #    imageDigest = "sha256:2044ffefe18e2dd3d6781e532119603ee4e8622b6ba38884dc7ab53325435151";
+    #    finalImageTag = "1.6.9";
+    #    sha256 = "0j5gj82jbqylapfrab61qdhm4187pqphyz244n31ik05wd5l8n17";
+    #};
+
+    apiserver = {
+      # address to advertise the apiserver at, must be reachable by the rest of the cluster
+      advertiseAddress = "192.168.1.154";
+      #Â privileged pods are required to run cluster services like MetalLB and longhorn
+      allowPrivileged = true;
+      # bind to ipv4 & ipv6
+      bindAddress = "::";
+      # needed otherwise we end up with a cert that isn't valid for ipv6
+      extraSANs = [ "172.19.0.1" "fc00:abc0::1" ];
+      serviceClusterIpRange = "172.19.0.0/16,fc00:abc0::/112";
+      # allow all ports (this is a really bad idea don't do this with untrusted workloads)
+      extraOpts = "--service-node-port-range=1-65535";
+      #extraOpts = "--service-node-port-range=1-65535";
+      enableAdmissionPlugins = [
+        "NamespaceLifecycle" "LimitRanger" "ServiceAccount" "TaintNodesByCondition" "Priority" "DefaultTolerationSeconds"
+        "DefaultStorageClass" "StorageObjectInUseProtection" "PersistentVolumeClaimResize" "RuntimeClass" "CertificateApproval" "CertificateSigning"
+        "CertificateSubjectRestriction" "DefaultIngressClass" "MutatingAdmissionWebhook" "ValidatingAdmissionWebhook" "ResourceQuota"
+      ];
+    };
+    controllerManager = {
+      # bind to localhost ipv6
+      bindAddress = "::1";
+      extraOpts = "--service-cluster-ip-range=172.19.0.0/16,fc00:abc0::/64 --node-cidr-mask-size-ipv4=24 --node-cidr-mask-size-ipv6=64";
+    };
+    kubelet = {
+      featureGates = [ "NodeSwap" ];
+      clusterDns = "fc00:abc0::254";
+      networkPlugin = "cni";
+     cni.configDir = "/etc/cni/net.d";
+      nodeIp = "192.168.1.154,2a00:23c7:c5ad:6e00::c2e";# "10.0.0.1,2a02:8010:61d0:beef:428d:5cff:fe4e:6a2c";
+      extraOpts = ''
+        --root-dir=/var/lib/kubelet \
+        --fail-swap-on=false \
+        --cni-bin-dir=/opt/cni/bin \
+      '';
+    };
+    proxy = {
+      # bind to ipv6
+      bindAddress = "::";
+    };
+  };
+
+systemd.services.kubelet = {
+    preStart = pkgs.lib.mkForce ''
+      ${lib.concatMapStrings (img: ''
+        echo "Seeding container image: ${img}"
+        ${if (lib.hasSuffix "gz" img) then
+          ''${pkgs.gzip}/bin/zcat "${img}" | ${pkgs.containerd}/bin/ctr -n k8s.io image import -''
+        else
+          ''${pkgs.coreutils}/bin/cat "${img}" | ${pkgs.containerd}/bin/ctr -n k8s.io image import -''
+        }
+      '') config.services.kubernetes.kubelet.seedDockerImages}
+      ${lib.concatMapStrings (package: ''
+        echo "Linking cni package: ${package}"
+        ln -fs ${package}/bin/* /opt/cni/bin
+      '') config.services.kubernetes.kubelet.cni.packages}
+      '';
+  };
+}

config/services/murmur.nix

@@ -97,7 +97,7 @@ in
       Type = if forking then "forking" else "simple";
       PIDFile = mkIf forking "/run/murmur/murmurd.pid";
       EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
-      ExecStart = "${cfg.package}/bin/murmurd -ini ${config.secrets.files.murmur-config.path}";
+      ExecStart = "${cfg.package}/bin/mumble-server -ini ${config.secrets.files.murmur-config.path}";
       Restart = "always";
       RuntimeDirectory = "murmur";
       RuntimeDirectoryMode = "0700";

config/services/plex.nix

@@ -0,0 +1,7 @@
+{ config, ... }: {
+  services = {
+    plex = {
+      enable = true;
+    };
+  };
+}

config/services/synapse.nix

@@ -154,7 +154,8 @@ CONFIG = {
     config.secrets.files.mautrix-telegram-env.path;
   services.matrix-synapse = {
     enable = true;
-    logConfig = ''
+    settings = {
+      log_config = pkgs.writeText "nya.yaml" ''
       version: 1
       formatters:
         precise:
@@ -179,7 +180,6 @@ CONFIG = {
         level: WARNING
         handlers: [console]
     '';
-    settings = {
       server_name = config.network.dns.domain;
       app_service_config_files = [
         "/var/lib/matrix-synapse/telegram-registration.yaml"
@@ -187,8 +187,8 @@ CONFIG = {
         "/var/lib/matrix-synapse/whatsapp-registration.yaml"
       ];
       max_upload_size = "512M";
-      rc_messages_per_second = mkDefault "0.1";
+      rc_messages_per_second = mkDefault 0.1;
-      rc_message_burst_count = mkDefault "25.0";
+      rc_message_burst_count = mkDefault 25;
       public_baseurl = "https://${config.network.dns.domain}";
       url_preview_enabled = mkDefault true;
       enable_registration = mkDefault false;
@@ -196,9 +196,10 @@ CONFIG = {
       report_stats = mkDefault false;
       dynamic_thumbnails = mkDefault true;
       allow_guest_access = mkDefault true;
+      suppress_key_server_warning = mkDefault true;
       listeners = [{
         port = 8008;
-        bind_address = "::1";
+        bind_addresses = [ "::1" ] ;
         type = "http";
         tls = false;
         x_forwarded = true;
@@ -207,20 +208,19 @@ CONFIG = {
           compress = false;
         }];
       }];
+      saml2_config = {
+        sp_config.metadata.remote = [ {
+          url = "https://auth.kittywit.ch/auth/realms/kittywitch/protocol/saml/descriptor";
+        } ];
+        config_path = config.secrets.files.saml2-config.path;
+        user_mapping_provider = {
+          config = {};
+        };
+        password_config = {
+          enabled = false;
+        };
+      };
     };
-    extraConfig = ''
-      suppress_key_server_warning: true
-      saml2_config:
-        sp_config:
-          metadata:
-            remote:
-              - url: https://auth.kittywit.ch/auth/realms/kittywitch/protocol/saml/descriptor
-        config_path: "${config.secrets.files.saml2-config.path}"
-        user_mapping_provider:
-          config:
-        password_config:
-          enabled: false
-    '';
   };
 
   services.mautrix-telegram = {

config/tf

@@ -1 +1 @@
-Subproject commit 2ad93ea38ae53603ec670ca30a307033da37248d
+Subproject commit 736c050ee87fd11137f75112c0548174ec654036

config/users/arc/default.nix

@@ -6,6 +6,7 @@
         users.users.arc = {
           uid = 1001;
           isNormalUser = true;
+          extraGroups = [ "wheel" ];
           openssh.authorizedKeys.keys = [
             "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ8Z6briIboxIdedPGObEWB6QEQkvxKvnMW/UVU9t/ac mew-pgp"
           ];

config/users/kat/gui/firefox/default.nix

@@ -76,15 +76,14 @@ let
     "breakpad.reportURL" = "";
     "beacon.enabled" = false;
     "browser.search.geoip.url" = "";
-    "browser.search.region" = "CA";
+    "browser.search.region" = "UK";
-    "browser.search.suggest.enabled" = false;
+    "browser.search.suggest.enabled" = true;
     "browser.search.update" = false;
     "browser.selfsupport.url" = "";
     "extensions.getAddons.cache.enabled" = false;
     "extensions.pocket.enabled" = true;
     "geo.enabled" = false;
     "geo.wifi.uri" = false;
-    "keyword.enabled" = false;
     "media.getusermedia.screensharing.enabled" = false;
     "media.video_stats.enabled" = false;
     "device.sensors.enabled" = false;

config/users/kat/gui/nextcloud.nix

@@ -0,0 +1,13 @@
+{ config, pkgs, ... }: {
+  services = {
+    nextcloud-client = {
+      enable = true;
+    };
+    gnome-keyring = {
+      enable = true;
+    };
+  };
+  home.packages = [
+    pkgs.gnome3.seahorse
+  ];
+}

config/users/kat/nixos.nix

@@ -6,6 +6,7 @@
     isNormalUser = true;
     openssh.authorizedKeys.keys = [
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCocjQqiDIvzq+Qu3jkf7FXw5piwtvZ1Mihw9cVjdVcsra3U2c9WYtYrA3rS50N3p00oUqQm9z1KUrvHzdE+03ZCrvaGdrtYVsaeoCuuvw7qxTQRbItTAEsfRcZLQ5c1v/57HNYNEsjVrt8VukMPRXWgl+lmzh37dd9w45cCY1QPi+JXQQ/4i9Vc3aWSe4X6PHOEMSBHxepnxm5VNHm4PObGcVbjBf0OkunMeztd1YYA9sEPyEK3b8IHxDl34e5t6NDLCIDz0N/UgzCxSxoz+YJ0feQuZtud/YLkuQcMxW2dSGvnJ0nYy7SA5DkW1oqcy6CGDndHl5StOlJ1IF9aGh0gGkx5SRrV7HOGvapR60RphKrR5zQbFFka99kvSQgOZqSB3CGDEQGHv8dXKXIFlzX78jjWDOBT67vA/M9BK9FS2iNnBF5x6shJ9SU5IK4ySxq8qvN7Us8emkN3pyO8yqgsSOzzJT1JmWUAx0tZWG/BwKcFBHfceAPQl6pwxx28TM3BTBRYdzPJLTkAy48y6iXW6UYdfAPlShy79IYjQtEThTuIiEzdzgYdros0x3PDniuAP0KOKMgbikr0gRa6zahPjf0qqBnHeLB6nHAfaVzI0aNbhOg2bdOueE1FX0x48sjKqjOpjlIfq4WeZp9REr2YHEsoLFOBfgId5P3BPtpBQ== yubikey5"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII74JrgGsDQ6r7tD7+k3ykxXV7DpeeFRscPMxrBsDPhz kat@goliath"
     ];
     shell = pkgs.zsh;
     extraGroups = [ "wheel" "video" "systemd-journal" "plugdev" "bird2" "vfio" "input" "uinput" ];

outputs.nix

@@ -13,13 +13,34 @@
         functor = {
           enable = true;
           external = [
-            (import (inputs.arcexprs + "/modules")).nixos
             (import (inputs.katexprs + "/modules")).nixos
             (import (inputs.impermanence + "/nixos.nix"))
             (import inputs.anicca).modules.nixos
             (inputs.tf-nix + "/modules/nixos/secrets.nix")
             (inputs.tf-nix + "/modules/nixos/secrets-users.nix")
-          ];
+          ] ++ (with (import (inputs.arcexprs + "/modules")).nixos; [
+      nix
+      systemd
+      dht22-exporter
+      glauth
+      modprobe
+      kernel
+      crypttab
+      mutable-state
+      common-root
+      pulseaudio
+      wireplumber
+      alsa
+      yggdrasil
+      bindings
+      matrix-appservices
+      matrix-synapse-appservices
+      display
+      filebin
+      mosh
+      base16 base16-shared
+      doc-warnings
+    ]);
         };
       };
       "modules/home" = {

trusted/flake.lock

@@ -413,12 +413,12 @@
         ]
       },
       "locked": {
-        "narHash": "sha256-2cZ6237JhyatPQObd0Q2FVqoXnXYDcKiCpzWxkF5eRk=",
+        "narHash": "sha256-iIgsdGTiWzoKHHFU9wXFHzHfFEGpJVEozC7HsByyu2U=",
-        "path": "/nix/store/zkwg2mlqw200n2v8170738q69lk45yj2-source",
+        "path": "/nix/store/9gsq8y8c6advmzmh5jbkqdgclc8s1ivs-source",
         "type": "path"
       },
       "original": {
-        "path": "/nix/store/zkwg2mlqw200n2v8170738q69lk45yj2-source",
+        "path": "/nix/store/9gsq8y8c6advmzmh5jbkqdgclc8s1ivs-source",
         "type": "path"
       }
     },