diff --git a/.sops.yaml b/.sops.yaml index 0d1fc03..31d016a 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -30,7 +30,7 @@ creation_rules: - *user_oysteikt # Host specific secrets - + - path_regex: secrets/bekkalokk/[^/]+\.yaml$ key_groups: - age: @@ -66,7 +66,7 @@ creation_rules: - *user_pederbs_bjarte pgp: - *user_oysteikt - + - path_regex: secrets/bicep/[^/]+\.yaml$ key_groups: - age: diff --git a/hosts/bekkalokk/services/gitea/ci.nix b/hosts/bekkalokk/services/gitea/ci.nix index 5533cba..0b59b31 100644 --- a/hosts/bekkalokk/services/gitea/ci.nix +++ b/hosts/bekkalokk/services/gitea/ci.nix @@ -15,9 +15,9 @@ let enable = true; name = "git-runner-${name}"; url = "https://git.pvv.ntnu.no"; labels = [ - "debian-latest:docker://node:18-bullseye" - "ubuntu-latest:docker://node:18-bullseye" - ]; + "debian-latest:docker://node:18-bullseye" + "ubuntu-latest:docker://node:18-bullseye" + ]; tokenFile = config.sops.secrets."gitea/runners/${name}".path; }; }; diff --git a/hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php b/hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php index dfed59b..bf2cd7b 100644 --- a/hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php +++ b/hosts/bekkalokk/services/idp-simplesamlphp/authpwauth.php @@ -112,7 +112,7 @@ class PwAuth extends \SimpleSAML\Module\core\Auth\UserPassBase array_shift($groups); array_shift($groups); array_pop($groups); - + $info = posix_getpwnam($uid); $group = $info['gid']; if (!in_array($group, $groups)) { diff --git a/hosts/bekkalokk/services/idp-simplesamlphp/config.php b/hosts/bekkalokk/services/idp-simplesamlphp/config.php index 09f3c2f..f5fbe06 100644 --- a/hosts/bekkalokk/services/idp-simplesamlphp/config.php +++ b/hosts/bekkalokk/services/idp-simplesamlphp/config.php 
@@ -58,7 +58,7 @@ $config = [
 /*
 * The following settings are *filesystem paths* which define where
 * SimpleSAMLphp can find or write the following things:
- * - 'cachedir': Where SimpleSAMLphp can write its cache.
+ * - 'cachedir': Where SimpleSAMLphp can write its cache.
 * - 'loggingdir': Where to write logs. MUST be set to NULL when using a logging
 * handler other than `file`.
 * - 'datadir': Storage of general data.
diff --git a/hosts/bekkalokk/services/idp-simplesamlphp/default.nix b/hosts/bekkalokk/services/idp-simplesamlphp/default.nix
index f0b3924..894d573 100644
--- a/hosts/bekkalokk/services/idp-simplesamlphp/default.nix
+++ b/hosts/bekkalokk/services/idp-simplesamlphp/default.nix
@@ -22,62 +22,62 @@ let # openssl req -newkey rsa:4096 -new -x509 -days 365 -nodes -out idp.crt -keyout idp.pem "metadata/saml20-idp-hosted.php" = pkgs.writeText "saml20-idp-remote.php" '' '__DEFAULT__', - 'privatekey' => '${config.sops.secrets."idp/privatekey".path}', - 'certificate' => '${./idp.crt}', - 'auth' => 'pwauth', - ); - ?> + $metadata['https://idp.pvv.ntnu.no/'] = array( + 'host' => '__DEFAULT__', + 'privatekey' => '${config.sops.secrets."idp/privatekey".path}', + 'certificate' => '${./idp.crt}', + 'auth' => 'pwauth', + ); + ?> ''; "metadata/saml20-sp-remote.php" = pkgs.writeText "saml20-sp-remote.php" '' [ - [ - 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', - 'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp', - ], - [ - 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP', - 'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp', - ], - ], - 'AssertionConsumerService' => [ - [ - 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', - 'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp', - 'index' => 0, - ], - [ - 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact', - 'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp', - 'index' => 1, - ], - ], - ]; - '')) - (lib.concatStringsSep "\n") - ]} - ?> + ${ lib.pipe config.services.idp.sp-remote-metadata [ + (map (url: '' + $metadata['${url}'] = [ + 'SingleLogoutService' => [ + [ + 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect', + 'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp', + ], + [ + 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP', + 'Location' => '${url}module.php/saml/sp/saml2-logout.php/default-sp', + ], + ], + 'AssertionConsumerService' => [ + [ + 'Binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST', + 'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp', + 'index' => 0, + ], + [ + 'Binding' => 
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact', + 'Location' => '${url}module.php/saml/sp/saml2-acs.php/default-sp', + 'index' => 1, + ], + ], + ]; + '')) + (lib.concatStringsSep "\n") + ]} + ?> ''; "config/authsources.php" = pkgs.writeText "idp-authsources.php" '' array( - 'core:AdminPassword' - ), + 'admin' => array( + 'core:AdminPassword' + ), 'pwauth' => array( - 'authpwauth:PwAuth', - 'pwauth_bin_path' => '${lib.getExe pwAuthScript}', - 'mail_domain' => '@pvv.ntnu.no', + 'authpwauth:PwAuth', + 'pwauth_bin_path' => '${lib.getExe pwAuthScript}', + 'mail_domain' => '@pvv.ntnu.no', ), ); - ?> + ?> ''; "config/config.php" = pkgs.runCommandLocal "simplesamlphp-config.php" { } '' @@ -108,7 +108,7 @@ in List of urls point to (simplesamlphp) service profiders, which the idp should trust. :::{.note} - Make sure the url ends with a `/` + Make sure the url ends with a `/` ::: ''; }; @@ -132,7 +132,7 @@ in owner = "idp"; group = "idp"; }; - }; + }; users.groups."idp" = { }; users.users."idp" = { @@ -199,9 +199,9 @@ in ''; }; "^~ /simplesaml/".extraConfig = '' - rewrite ^/simplesaml/(.*)$ /$1 redirect; - return 404; - ''; + rewrite ^/simplesaml/(.*)$ /$1 redirect; + return 404; + ''; }; }; }; diff --git a/hosts/bekkalokk/services/kerberos/pam.nix b/hosts/bekkalokk/services/kerberos/pam.nix index 91e3181..d82b3bd 100644 --- a/hosts/bekkalokk/services/kerberos/pam.nix +++ b/hosts/bekkalokk/services/kerberos/pam.nix @@ -885,9 +885,9 @@ let # Create a limits.conf(5) file. makeLimitsConf = limits: pkgs.writeText "limits.conf" - (concatMapStrings ({ domain, type, item, value }: - "${domain} ${type} ${item} ${toString value}\n") - limits); + (concatMapStrings ({ domain, type, item, value }: + "${domain} ${type} ${item} ${toString value}\n") + limits); limitsType = with lib.types; listOf (submodule ({ ... }: { options = { 
@@ -935,8 +935,8 @@ let })); motd = if config.users.motdFile == null - then pkgs.writeText "motd" config.users.motd - else config.users.motdFile; + then pkgs.writeText "motd" config.users.motd + else config.users.motdFile; makePAMService = name: service: { name = "pam.d/${name}"; @@ -976,20 +976,20 @@ in item = "maxlogins"; value = "4"; } - ]; + ]; - description = lib.mdDoc '' - Define resource limits that should apply to users or groups. - Each item in the list should be an attribute set with a - {var}`domain`, {var}`type`, - {var}`item`, and {var}`value` - attribute. The syntax and semantics of these attributes - must be that described in {manpage}`limits.conf(5)`. + description = lib.mdDoc '' + Define resource limits that should apply to users or groups. + Each item in the list should be an attribute set with a + {var}`domain`, {var}`type`, + {var}`item`, and {var}`value` + attribute. The syntax and semantics of these attributes + must be that described in {manpage}`limits.conf(5)`. - Note that these limits do not apply to systemd services, - whose limits can be changed via {option}`systemd.extraConfig` - instead. - ''; + Note that these limits do not apply to systemd services, + whose limits can be changed via {option}`systemd.extraConfig` + instead. + ''; }; security.pam.services = mkOption { @@ -1507,8 +1507,8 @@ in runuser = { rootOK = true; unixAuth = false; setEnvironment = false; }; /* FIXME: should runuser -l start a systemd session? Currently - it complains "Cannot create session: Already running in a - session". */ + it complains "Cannot create session: Already running in a + session". */ runuser-l = { rootOK = true; unixAuth = false; }; } // optionalAttrs config.security.pam.enableFscrypt { # Allow fscrypt to verify login passphrase diff --git a/hosts/bekkalokk/services/mediawiki/default.nix b/hosts/bekkalokk/services/mediawiki/default.nix index 61cb6bc..fab75ac 100644 --- a/hosts/bekkalokk/services/mediawiki/default.nix 
+++ b/hosts/bekkalokk/services/mediawiki/default.nix @@ -199,7 +199,7 @@ in { extraConfig = '' location ~ ^/simplesaml/(?.+?\.php)(?/.*)?$ { include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket}; + fastcgi_pass unix:${config.services.phpfpm.pools.mediawiki.socket}; fastcgi_param SCRIPT_FILENAME ${simplesamlphp}/share/php/simplesamlphp/public/$phpfile; # Must be prepended with the baseurlpath diff --git a/hosts/bekkalokk/services/mediawiki/simplesaml-config.php b/hosts/bekkalokk/services/mediawiki/simplesaml-config.php index 2148899..6ecfe90 100644 --- a/hosts/bekkalokk/services/mediawiki/simplesaml-config.php +++ b/hosts/bekkalokk/services/mediawiki/simplesaml-config.php @@ -58,7 +58,7 @@ $config = [ /* * The following settings are *filesystem paths* which define where * SimpleSAMLphp can find or write the following things: - * - 'cachedir': Where SimpleSAMLphp can write its cache. + * - 'cachedir': Where SimpleSAMLphp can write its cache. * - 'loggingdir': Where to write logs. MUST be set to NULL when using a logging * handler other than `file`. * - 'datadir': Storage of general data. diff --git a/hosts/bekkalokk/services/webmail/roundcube.nix b/hosts/bekkalokk/services/webmail/roundcube.nix index a320a34..82d2356 100644 --- a/hosts/bekkalokk/services/webmail/roundcube.nix +++ b/hosts/bekkalokk/services/webmail/roundcube.nix @@ -4,7 +4,7 @@ with lib; let cfg = config.services.roundcube; domain = "webmail.pvv.ntnu.no"; -in +in { services.roundcube = { enable = true; diff --git a/hosts/bekkalokk/services/website/default.nix b/hosts/bekkalokk/services/website/default.nix index 2513987..0689603 100644 --- a/hosts/bekkalokk/services/website/default.nix +++ b/hosts/bekkalokk/services/website/default.nix 
@@ -21,8 +21,8 @@ in { services.idp.sp-remote-metadata = [ "https://www.pvv.ntnu.no/simplesaml/" "https://pvv.ntnu.no/simplesaml/" - "https://www.pvv.org/simplesaml/" - "https://pvv.org/simplesaml/" + "https://www.pvv.org/simplesaml/" + "https://pvv.org/simplesaml/" ]; services.pvv-nettsiden = { @@ -43,7 +43,7 @@ in { 'idp' => 'https://idp.pvv.ntnu.no/', ), ); - ''; + ''; }; }; diff --git a/hosts/bekkalokk/services/website/fetch-gallery.nix b/hosts/bekkalokk/services/website/fetch-gallery.nix index 9b72977..fba76a9 100644 --- a/hosts/bekkalokk/services/website/fetch-gallery.nix +++ b/hosts/bekkalokk/services/website/fetch-gallery.nix @@ -46,7 +46,7 @@ in { while IFS= read fname; do # Skip this file if an up-to-date thumbnail already exists if [ -f ".thumbnails/$fname.png" ] && \ - [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ] + [ "$(date -R -r "$fname")" == "$(date -R -r ".thumbnails/$fname.png")" ] then continue fi @@ -54,7 +54,7 @@ in { echo "Creating thumbnail for $fname" mkdir -p $(dirname ".thumbnails/$fname") convert -define jpeg:size=200x200 "$fname" -thumbnail 300 -auto-orient ".thumbnails/$fname.png" ||: - touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png" + touch -m -d "$(date -R -r "$fname")" ".thumbnails/$fname.png" done <<< "$images" ''; diff --git a/hosts/bicep/services/matrix/coturn.nix b/hosts/bicep/services/matrix/coturn.nix index a8d2c94..572fc21 100644 --- a/hosts/bicep/services/matrix/coturn.nix +++ b/hosts/bicep/services/matrix/coturn.nix @@ -26,7 +26,7 @@ "turns:turn.pvv.ntnu.no:5349?transport=tcp" "turns:turn.pvv.ntnu.no:5349?transport=udp" - + "turns:turn.pvv.ntnu.no:3478?transport=udp" "turns:turn.pvv.ntnu.no:3478?transport=tcp" "turn:turn.pvv.ntnu.no:3478?transport=udp" @@ -69,7 +69,7 @@ tls-listening-port = 443; alt-tls-listening-port = 5349; - + listening-port = 3478; min-port = 49000; 
@@ -116,7 +116,7 @@ #total-quota=1200 ''; }; - + networking.firewall = { interfaces.enp6s0f0 = let range = with config.services.coturn; [ { diff --git a/hosts/bicep/services/matrix/default.nix b/hosts/bicep/services/matrix/default.nix index 8d6f564..e7cc45f 100644 --- a/hosts/bicep/services/matrix/default.nix +++ b/hosts/bicep/services/matrix/default.nix @@ -12,6 +12,6 @@ ./discord.nix ]; - + } diff --git a/hosts/bicep/services/matrix/synapse.nix b/hosts/bicep/services/matrix/synapse.nix index 0906cf5..11f9649 100644 --- a/hosts/bicep/services/matrix/synapse.nix +++ b/hosts/bicep/services/matrix/synapse.nix @@ -141,7 +141,7 @@ in { services.redis.servers."".enable = true; - + services.nginx.virtualHosts."matrix.pvv.ntnu.no" = lib.mkMerge [ { kTLS = true; diff --git a/hosts/bicep/services/mysql.nix b/hosts/bicep/services/mysql.nix index 7092f43..fc9d706 100644 --- a/hosts/bicep/services/mysql.nix +++ b/hosts/bicep/services/mysql.nix @@ -15,12 +15,12 @@ mysqld = { # PVV allows a lot of connections at the same time max_connect_errors = 10000; - bind-address = values.services.mysql.ipv4; - skip-networking = 0; + bind-address = values.services.mysql.ipv4; + skip-networking = 0; - # This was needed in order to be able to use all of the old users - # during migration from knakelibrak to bicep in Sep. 2023 - secure_auth = 0; + # This was needed in order to be able to use all of the old users + # during migration from knakelibrak to bicep in Sep. 2023 + secure_auth = 0; }; }; diff --git a/hosts/bikkje/configuration.nix b/hosts/bikkje/configuration.nix index 160a42a..1c9c173 100644 --- a/hosts/bikkje/configuration.nix +++ b/hosts/bikkje/configuration.nix @@ -35,10 +35,10 @@ # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 useHostResolvConf = mkForce false; }; - + system.stateVersion = "23.11"; services.resolved.enable = true; }; }; -}; \ No newline at end of file +}; 
diff --git a/hosts/ildkule/services/monitoring/dashboards/node-exporter-full.json b/hosts/ildkule/services/monitoring/dashboards/node-exporter-full.json
index 8b2bd86..967d1f5 100644
--- a/hosts/ildkule/services/monitoring/dashboards/node-exporter-full.json
+++ b/hosts/ildkule/services/monitoring/dashboards/node-exporter-full.json
@@ -23187,4 +23187,4 @@
 "uid": "rYdddlPWk",
 "version": 9,
 "weekStart": ""
-}
\ No newline at end of file
+}
diff --git a/hosts/ildkule/services/monitoring/dashboards/postgres.json b/hosts/ildkule/services/monitoring/dashboards/postgres.json
index 6724373..232582e 100644
--- a/hosts/ildkule/services/monitoring/dashboards/postgres.json
+++ b/hosts/ildkule/services/monitoring/dashboards/postgres.json
@@ -3164,4 +3164,4 @@
 "title": "PostgreSQL Database",
 "uid": "000000039",
 "version": 1
-}
\ No newline at end of file
+}
diff --git a/hosts/ildkule/services/monitoring/grafana.nix b/hosts/ildkule/services/monitoring/grafana.nix
index f1190dc..381a786 100644
--- a/hosts/ildkule/services/monitoring/grafana.nix
+++ b/hosts/ildkule/services/monitoring/grafana.nix
@@ -35,7 +35,7 @@ in {
 name = "Ildkule Prometheus";
 type = "prometheus";
 url = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}";
- isDefault = true;
+ isDefault = true;
 }
 {
 name = "Ildkule loki";
@@ -56,13 +56,13 @@ in { url = "https://raw.githubusercontent.com/matrix-org/synapse/develop/contrib/grafana/synapse.json"; options.path = dashboards/synapse.json; } - # TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged - # { - # name = "MySQL"; - # type = "file"; - # url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json"; - # options.path = dashboards/mysql.json; - # } + # TODO: enable once https://github.com/NixOS/nixpkgs/pull/242365 gets merged + # { + # name = "MySQL"; + # type = "file"; + # url = "https://raw.githubusercontent.com/prometheus/mysqld_exporter/main/mysqld-mixin/dashboards/mysql-overview.json"; + # options.path = dashboards/mysql.json; + # } { name = "Postgresql"; type = "file"; diff --git a/hosts/ildkule/services/monitoring/loki.nix b/hosts/ildkule/services/monitoring/loki.nix index b19524c..ce8a550 100644 --- a/hosts/ildkule/services/monitoring/loki.nix +++ b/hosts/ildkule/services/monitoring/loki.nix @@ -58,7 +58,7 @@ in { }; limits_config = { - allow_structured_metadata = false; + allow_structured_metadata = false; reject_old_samples = true; reject_old_samples_max_age = "72h"; }; diff --git a/hosts/ildkule/services/monitoring/prometheus/postgres.nix b/hosts/ildkule/services/monitoring/prometheus/postgres.nix index a99aed1..5cde1b2 100644 --- a/hosts/ildkule/services/monitoring/prometheus/postgres.nix +++ b/hosts/ildkule/services/monitoring/prometheus/postgres.nix @@ -38,7 +38,7 @@ in { }; systemd.services.prometheus-postgres-exporter-knakelibrak.serviceConfig = let - localCfg = config.services.prometheus.exporters.postgres; + localCfg = config.services.prometheus.exporters.postgres; in lib.recursiveUpdate config.systemd.services.prometheus-postgres-exporter.serviceConfig { EnvironmentFile = config.sops.secrets."keys/postgres/postgres_exporter_knakelibrak_env".path; ExecStart = '' 
diff --git a/misc/rust-motd.nix b/misc/rust-motd.nix index 968d3ef..ddc59dd 100644 --- a/misc/rust-motd.nix +++ b/misc/rust-motd.nix @@ -32,7 +32,7 @@ color = "red"; command = "hostname | ${pkgs.toilet}/bin/toilet -f mono9"; }; - + service_status = { Accounts = "accounts-daemon"; Cron = "cron"; @@ -40,16 +40,16 @@ Matrix = "matrix-synapse"; sshd = "sshd"; }; - + uptime = { prefix = "Uptime: "; }; - + # Not relevant for server # user_service_status = { # Gpg-agent = "gpg-agent"; # }; - + filesystems = let inherit (lib.attrsets) attrNames listToAttrs nameValuePair; inherit (lib.lists) imap1; @@ -61,7 +61,7 @@ getName = i: v: if (v.label != null) then v.label else ""; in imap1Attrs' (i: n: v: nameValuePair (getName i v) n) fileSystems; - + memory = { swap_pos = "beside"; # or "below" or "none" }; @@ -70,14 +70,14 @@ inherit (lib.lists) imap1; inherit (lib.attrsets) filterAttrs nameValuePair attrValues listToAttrs; inherit (config.users) users; - + normalUsers = filterAttrs (n: v: v.isNormalUser || n == "root") users; userNPVs = imap1 (index: user: nameValuePair user.name index) (attrValues normalUsers); in listToAttrs userNPVs; last_run = {}; }; - + toml = pkgs.formats.toml {}; in toml.generate "rust-motd.toml" cfg; diff --git a/modules/snakeoil-certs.nix b/modules/snakeoil-certs.nix index 12d7084..b98d127 100644 --- a/modules/snakeoil-certs.nix +++ b/modules/snakeoil-certs.nix @@ -36,10 +36,10 @@ in type = lib.types.str; default = "${name}.key"; }; - subject = lib.mkOption { - type = lib.types.str; - default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no"; - }; + subject = lib.mkOption { + type = lib.types.str; + default = "/C=NO/O=Programvareverkstedet/CN=*.pvv.ntnu.no/emailAddress=drift@pvv.ntnu.no"; + }; }; })); }; 
@@ -54,16 +54,16 @@ in
 mkdir -p $(dirname "${value.certificate}") $(dirname "${value.certificateKey}")
 if ! ${openssl} x509 -checkend 86400 -noout -in ${value.certificate}
 then
- echo "Regenerating '${value.certificate}'"
- ${openssl} req \
- -newkey rsa:4096 \
- -new -x509 \
- -days "${toString value.daysValid}" \
- -nodes \
- -subj "${value.subject}" \
- -out "${value.certificate}" \
- -keyout "${value.certificateKey}" \
- ${lib.escapeShellArgs value.extraOpenSSLArgs}
+ echo "Regenerating '${value.certificate}'"
+ ${openssl} req \
+ -newkey rsa:4096 \
+ -new -x509 \
+ -days "${toString value.daysValid}" \
+ -nodes \
+ -subj "${value.subject}" \
+ -out "${value.certificate}" \
+ -keyout "${value.certificateKey}" \
+ ${lib.escapeShellArgs value.extraOpenSSLArgs}
 fi
 chown "${value.owner}:${value.group}" "${value.certificate}"
 chown "${value.owner}:${value.group}" "${value.certificateKey}"
diff --git a/users/amalieem.nix b/users/amalieem.nix
index 44ac53c..d1b26d3 100644
--- a/users/amalieem.nix
+++ b/users/amalieem.nix
@@ -3,10 +3,10 @@
 {
 users.users.amalieem = {
 isNormalUser = true;
- extraGroups = [ "wheel" ];
+ extraGroups = [ "wheel" ];
 shell = pkgs.zsh;
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsMtFIj4Dem/onwMoWYbosOcU4y7A5nTjVwqWaU33E1 amalieem@matey-aug22"
 ];
 };
-}
\ No newline at end of file
+}
diff --git a/users/jonmro.nix b/users/jonmro.nix
index 6053da2..345d16f 100644
--- a/users/jonmro.nix
+++ b/users/jonmro.nix
@@ -3,7 +3,7 @@
 {
 users.users.jonmro = {
 isNormalUser = true;
- extraGroups = [ "wheel" "drift" "nix-builder-users" ];
+ extraGroups = [ "wheel" "drift" "nix-builder-users" ];
 shell = pkgs.zsh;
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEm5PfYmfl/0fnAP/3coVlvTw3/TYNLT6r/NwJHZbLAK jonrodtang@gmail.com"