pocket accept cors

2025-12-07 23:35:28 +01:00 · 2025-10-04 02:23:05 +02:00 · 2025-10-04 02:23:05 +02:00 · 134fe2e279
commit 134fe2e279
parent e70aee4ab6
10 changed files with 320 additions and 219 deletions
--- a/aliases.nix
+++ b/aliases.nix
@ -1,19 +1,27 @@
-{pkgs, ...} : {
+{ pkgs, ... }: {
  programs.fish = {
    enable = true;

-    shellAliases = { 
-      nrb = "sudo nixos-rebuild switch --flake /etc/nixos --impure"; 
+    shellAliases = {
+      nrb = "sudo nixos-rebuild switch --flake /etc/nixos --impure";
      ni = "nvim /etc/nixos/configuration.nix";
-      bat="upower -i /org/freedesktop/UPower/devices/battery_BAT0| grep -E 'state|percentage'";
-      gpu="nvidia-smi -q | grep -i 'draw.*W'";
-      wifi="sudo nmtui";
-      all="sudo chmod -R a+rwx ./*";
-      ng="cd /etc/nginx/ && sudo nvim .";
-      copy="xclip -sel clip";
-      pubkey="cat ~/.ssh/id_ed25519.pub | copy";
-      up="docker compose up -d";
-      down="docker compose down";
+      bat =
+        "upower -i /org/freedesktop/UPower/devices/battery_BAT0| grep -E 'state|percentage'";
+      gpu = "nvidia-smi -q | grep -i 'draw.*W'";
+      wifi = "sudo nmtui";
+      all = "sudo chmod -R a+rwx ./*";
+      ng = "cd /etc/nginx/ && sudo nvim .";
+      copy = "xclip -sel clip";
+      pubkey = "cat ~/.ssh/id_ed25519.pub | copy";
+      up = "docker compose up -d";
+      down = "docker compose down -t 0";
+      inspect = "nix edit nixpkgs#$1";
+      fe = "nix develop";
+      fed = "nvim flake.nix";
+      cdn = "cd /etc/nixos";
+      cpu =
+        "sudo turbostat --quiet --show PkgWatt --interval 1 --num_iterations 1 | awk 'NR==2{print $1}'";
+
    };

    interactiveShellInit = ''
@ -24,6 +32,6 @@
          end
        docker exec -it $argv[1] sh
            end
-        '';
-    };
-    }
+    '';
+  };
+}
--- a/configuration.nix
+++ b/configuration.nix
@ -2,13 +2,7 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).

-{
-  config,
-  pkgs,
-  lib,
-  inputs,
-  ...
-}:
+{ config, pkgs, lib, inputs, ... }:

 {
  imports = [
@ -26,6 +20,7 @@

    ./users.nix
    ./networking/caddy.nix
+    ./modules/buildCache.nix

    # ./modules/de.nix
    ./modules/displayOff.nix
@ -72,17 +67,11 @@
    settings = {
      nix-path = lib.mapAttrsToList (n: _: "${n}=flake:${n}") inputs;
      flake-registry = ""; # optional, ensures flakes are truly self-contained
-      experimental-features = [
-        "nix-command"
-        "flakes"
-        "pipe-operators"
-      ];
+      experimental-features = [ "nix-command" "flakes" "pipe-operators" ];
    };
  };

-  services.openssh = {
-    enable = true;
-  };
+  services.openssh = { enable = true; };

  programs.neovim = {
    enable = true;
@ -92,9 +81,7 @@

  home-manager = {
    extraSpecialArgs = { inherit inputs; };
-    users = {
-      "botserver" = import ./home.nix;
-    };
+    users = { "botserver" = import ./home.nix; };
  };

  # Root uses the exact same module
--- a/hardware-configuration.nix
+++ b/hardware-configuration.nix
@ -1,27 +1,13 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
-  config,
-  lib,
-  pkgs,
-  modulesPath,
-  ...
-}:
+{ config, lib, pkgs, modulesPath, ... }:

 {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-  ];
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

-  boot.initrd.availableKernelModules = [
-    "nvme"
-    "xhci_pci"
-    "ahci"
-    "usbhid"
-    "usb_storage"
-    "sd_mod"
-  ];
+  boot.initrd.availableKernelModules =
+    [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
@ -34,38 +20,50 @@
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/1DC7-70A2";
    fsType = "vfat";
-    options = [
-      "fmask=0077"
-      "dmask=0077"
-    ];
+    options = [ "fmask=0077" "dmask=0077" ];
  };

-
-
-
-
-
  fileSystems."/mnt/stolenFromSister" = {
    device = "/dev/disk/by-uuid/8f2c41c0-84bb-40ee-a3f8-b1bbd378d5d7";
-    fsType = "ext4";                # or "btrfs", "xfs", etc.
-      options = [ "nofail" "x-systemd.automount"];         # don't block boot if the disk is missing
+    fsType = "ext4"; # or "btrfs", "xfs", etc.
+    options = [
+      "nofail"
+      "x-systemd.automount"
+    ]; # don't block boot if the disk is missing
  };

  fileSystems."/mnt/OtherStolenDriveFromSister" = {
    device = "/dev/disk/by-uuid/fc16759c-24fc-46d6-99fe-865068605f46";
-    fsType = "ext4";                # or "btrfs", "xfs", etc.
-      options = [ "nofail" "x-systemd.automount"];         # don't block boot if the disk is missing
+    fsType = "ext4"; # or "btrfs", "xfs", etc.
+    options = [
+      "nofail"
+      "x-systemd.automount"
+    ]; # don't block boot if the disk is missing
  };

+  fileSystems."/mnt/disk3" = {
+    device = "/dev/disk/by-partuuid/54084a5e-2c7f-4ec9-8ee7-9ede76c79f40";
+    fsType = "ext4";
+    options = [ "nofail" "x-systemd.automount" ];
+  };
+
+  fileSystems."/mnt/disk4" = {
+    device = "/dev/disk/by-partuuid/9df16012-ef2f-4091-aa24-632d98e6be51";
+    fsType = "ext4";
+    options = [ "nofail" "x-systemd.automount" ];
+  };
+
+  # fileSystems."/mnt/disk5" = {
+  #   device = "/dev/disk/by-partuuid/3610155d-6d3d-4be1-9e50-7a638ccbf98c";
+  #   fsType = "ext4";
+  #   options = [ "nofail" "x-systemd.automount" ];
+  # };
+
  systemd.tmpfiles.rules = [
    "d /mnt/stolenFromSister/jelly/ 0755 starr starr -"
    "d /mnt/OtherStolenDriveFromSister/downloads/ 0755 starr starr -"
  ];

-
-
-
-
  swapDevices = [ ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
@ -77,5 +75,6 @@
  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.amd.updateMicrocode =
+    lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/home.nix
+++ b/home.nix
@ -1,9 +1,4 @@
-{
-  pkgs,
-  lib,
-  ...
-}:
-{
+{ pkgs, lib, ... }: {
  imports = [ ./modules/nvim.nix ];

  # packages only for this user
--- a/modules/buildCache.nix
+++ b/modules/buildCache.nix
@ -0,0 +1,38 @@
+{ pkgs, ... }: {
+  services.harmonia = {
+    enable = true;
+    signKeyPaths = [ "/var/lib/secrets/harmonia.secret" ];
+    settings = {
+      bind = "0.0.0.0:5444";
+      workers = 4;
+    };
+  };
+
+  imports = [ ./../networking/networkSetup.nix ];
+
+  services.caddy = {
+    enable = true;
+    virtualHosts."cache.deprived.dev" = {
+      extraConfig = ''
+        reverse_proxy localhost:5444
+
+        header {
+          # Cache control for nix store paths
+          Cache-Control "public, max-age=31536000, immutable"
+          
+          # CORS headers if needed
+          Access-Control-Allow-Origin "*"
+          Access-Control-Allow-Methods "GET, HEAD, OPTIONS"
+        }
+
+        # Optional: Enable compression
+        encode gzip
+
+        # Optional: Logging
+        log {
+          output file /var/log/caddy/cache.log
+        }
+      '';
+    };
+  };
+}
--- a/modules/customPackages/shreddit/shreddit.nix
+++ b/modules/customPackages/shreddit/shreddit.nix
@ -0,0 +1,25 @@
+{ lib, pkgs, rustPlatform }:
+
+rustPlatform.buildRustPackage rec {
+  pname = "shreddit";
+  version = "1.1.1"; # pick the crate version you want
+
+  src = pkgs.fetchCrate {
+    inherit pname version;
+    sha256 =
+      "sha256-ERcQZ7LLR9kfI1WMCr70EopmuPmK4Y7eXnhM7djvEI4="; # fill after first build
+  };
+
+  cargoHash =
+    "sha256-9s6wmB4YqKmyHKDS2b5keEYFDBerpdQxtNY1wVqGDxg="; # fill after first build
+
+  nativeBuildInputs = [ pkgs.pkg-config ];
+  buildInputs = [ pkgs.openssl ];
+
+  meta = with lib; {
+    description = "Shreddit CLI (Rust crate)";
+    license = licenses.mit; # adjust if needed
+    mainProgram = "shreddit";
+  };
+}
+
--- a/modules/nvim.nix
+++ b/modules/nvim.nix
@ -1,9 +1,4 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
+{ config, lib, pkgs, ... }:

 with lib;
 let
@ -56,8 +51,7 @@ let
    "NIX_LD_LIBRARY_PATH=${config.home.profileDirectory}/lib/nvim-depends/lib"
    "PKG_CONFIG_PATH=${config.home.profileDirectory}/lib/nvim-depends/pkgconfig"
  ];
-in
-{
+in {
  home.packages = with pkgs; [
    patchelf
    nvim-depends-include
@ -65,11 +59,9 @@ in
    nvim-depends-pkgconfig
    ripgrep
  ];
-  home.extraOutputsToInstall = ["nvim-depends"];
-  home.shellAliases.nvim =
-    (concatStringsSep " " buildEnv)
-    + " SQLITE_CLIB_PATH=${pkgs.sqlite.out}/lib/libsqlite3.so "
-    + "nvim";
+  home.extraOutputsToInstall = [ "nvim-depends" ];
+  home.shellAliases.nvim = (concatStringsSep " " buildEnv)
+    + " SQLITE_CLIB_PATH=${pkgs.sqlite.out}/lib/libsqlite3.so " + "nvim";

  programs.neovim = {
    enable = true;
@ -97,12 +89,12 @@ in
    extraLuaPackages = ls: with ls; [ luarocks ];
  };

-  # Screw declarative here
-  xdg.configFile."nvim".source = builtins.fetchGit {
-    url = "https://github.com/MagicBOTAlex/NVimConfigs";
-    ref = "master";   # change if the default branch is different
-    # submodules = true;  # uncomment if needed
-  };
+  # # Screw declarative here
+  # xdg.configFile."nvim".source = builtins.fetchGit {
+  #   url = "https://github.com/MagicBOTAlex/NVimConfigs";
+  #   ref = "master";   # change if the default branch is different
+  #   # submodules = true;  # uncomment if needed
+  # };

  # xdg.configFile."nvim".source = pkgs.fetchFromGitHub {
  #   owner = "MagicBOTAlex";
--- a/networking/caddy.nix
+++ b/networking/caddy.nix
@ -1,135 +1,176 @@
-{pkgs, ... } : {
-  imports = [
-    ./networkSetup.nix
-  ];
+{ pkgs, ... }: {
+  imports = [ ./networkSetup.nix ];

  services.caddy.virtualHosts."immich.deprived.dev" = {
    extraConfig = ''
-        reverse_proxy * 127.0.0.1:2283
+      reverse_proxy * 127.0.0.1:2283
    '';
  };

-
  services.caddy.virtualHosts."ha.deprived.dev" = {
    extraConfig = ''
-        reverse_proxy * 127.0.0.1:8123
+      reverse_proxy * 127.0.0.1:8123
    '';
  };

  services.caddy.virtualHosts."jelly.deprived.dev" = {
    extraConfig = ''
-        reverse_proxy * 127.0.0.1:8096
-    '';
-  };
-
-
-  services.caddy.virtualHosts."pocket.deprived.dev" = {
-    extraConfig = ''
-        reverse_proxy * 127.0.0.1:5500
+      reverse_proxy * 127.0.0.1:8096
    '';
  };

  services.caddy.virtualHosts."seer.deprived.dev" = {
    extraConfig = ''
-        reverse_proxy * 127.0.0.1:5055
+      reverse_proxy * 127.0.0.1:5055
+    '';
+  };
+
+  services.caddy.virtualHosts."penpot.deprived.dev" = {
+    extraConfig = ''
+      reverse_proxy * 127.0.0.1:5544
+    '';
+  };
+
+  services.caddy.virtualHosts."api.deprived.dev" = {
+    extraConfig = ''
+      reverse_proxy * 127.0.0.1:6333
+    '';
+  };
+
+  services.caddy.virtualHosts."pocket.deprived.dev" = {
+    extraConfig = ''
+      # Match allowed origins
+      @allowedOrigin header_regexp Origin ^https?://(localhost(:[0-9]+)?|deprived\.dev|([a-z0-9-]+\.)*deprived\.dev)$
+      @preflight method OPTIONS
+
+      # Preflight: answer directly
+      handle @preflight {
+        header {
+          -Access-Control-Allow-Origin
+          -Access-Control-Allow-Methods
+          -Access-Control-Allow-Headers
+          -Access-Control-Allow-Credentials
+          -Vary
+        }
+        header @allowedOrigin {
+          Access-Control-Allow-Origin "{http.request.header.Origin}"
+          Access-Control-Allow-Methods "GET,POST,PUT,PATCH,DELETE,OPTIONS"
+          Access-Control-Allow-Headers "*"
+          Access-Control-Allow-Credentials "true"
+          Vary "Origin"
+        }
+        respond 204
+      }
+
+      # Actual requests: proxy, strip upstream CORS, then set ours
+      handle {
+        reverse_proxy 127.0.0.1:3433 {
+          header_down -Access-Control-Allow-Origin
+          header_down -Access-Control-Allow-Methods
+          header_down -Access-Control-Allow-Headers
+          header_down -Access-Control-Allow-Credentials
+          header_down -Vary
+        }
+        header @allowedOrigin {
+          Access-Control-Allow-Origin "{http.request.header.Origin}"
+          Access-Control-Allow-Credentials "true"
+          Vary "Origin"
+        }
+      }
+    '';
+  };
+
+  services.caddy.virtualHosts."spotify.playing.deprived.dev" = {
+    extraConfig = ''
+      encode zstd gzip
+
+      @preflight method OPTIONS
+      handle @preflight {
+        header {
+          Access-Control-Allow-Origin "{http.request.header.Origin}"
+          Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
+          Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}"
+          Access-Control-Allow-Credentials "true"
+          Access-Control-Max-Age "600"
+          Vary "Origin"
+        }
+        respond 204
+      }
+
+      @protected not method OPTIONS
+      basicauth @protected {
+        alice $2a$14$GbqQnETcOz5fNEbS06Y0E.HxRIIgPKAK7OMijT1Bv63h3V6S/gwRG
+      }
+
+      reverse_proxy 127.0.0.1:8800
+
+      header {
+        Access-Control-Allow-Origin "{http.request.header.Origin}"
+        Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
+        Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}"
+        Access-Control-Allow-Credentials "true"
+        Vary "Origin"
+      }
+    '';
+  };
+
+  services.caddy.virtualHosts."lyrics.deprived.dev" = {
+    extraConfig = ''
+      reverse_proxy * 127.0.0.1:7444
+    '';
+  };
+
+  services.caddy.virtualHosts."zhenss.deprived.dev" = {
+    extraConfig = ''
+      reverse_proxy * 127.0.0.1:8388
+    '';
+  };
+
+  services.caddy.virtualHosts."direct.stream.deprived.dev" = {
+    extraConfig = ''
+      @allowKey {
+        query key=0c156f3d-dc1d-489f-866e-69e306249e92
+      }
+
+      route {
+        handle @allowKey {
+          reverse_proxy http://127.0.0.1:3344
+        }
+
+        respond "Forbidden" 403
+      }
    '';
  };

  services.caddy.virtualHosts."development.deprived.dev" = {
    extraConfig = ''
-        reverse_proxy * 127.0.0.1:5550
+      reverse_proxy * 127.0.0.1:5173
    '';
  };

-services.caddy.virtualHosts."spotify.api.deprived.dev" = {
-  extraConfig = ''
-    encode zstd gzip
-
-    # --- CORS: preflight (OPTIONS) ---
-    @preflight {
-      method OPTIONS
-      header Origin *
-      header Access-Control-Request-Method *
-    }
-    handle @preflight {
-      header {
-        Access-Control-Allow-Origin "{http.request.header.Origin}"
-        Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
-        Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}"
-        Access-Control-Allow-Credentials "true"
-        Access-Control-Max-Age "600"
-        Vary "Origin"
-      }
-      respond 204
-    }
-
-    # --- Auth: protect everything except OPTIONS ---
-    @protected {
-      not method OPTIONS
-    }
-    basicauth @protected {
-      alice $2a$14$GbqQnETcOz5fNEbS06Y0E.HxRIIgPKAK7OMijT1Bv63h3V6S/gwRG
-    }
-
-    # --- Reverse proxy: strip upstream CORS so we don't end up with duplicates ---
-    reverse_proxy 127.0.0.1:6666 {
-      header_down -Access-Control-Allow-Origin
-      header_down -Access-Control-Allow-Methods
-      header_down -Access-Control-Allow-Headers
-      header_down -Access-Control-Allow-Credentials
-      header_down -Vary
-    }
-
-    # --- CORS: set headers on actual responses (only when Origin is present) ---
-    @cors header Origin *
-    header @cors {
-      Access-Control-Allow-Origin "{http.request.header.Origin}"
-      Access-Control-Allow-Credentials "true"
-      # Optionally expose any headers your frontend needs to read:
-      # Access-Control-Expose-Headers "Content-Type, Content-Length, Date"
-      Vary "Origin"
-    }
-  '';
-};
-
-
-services.caddy.virtualHosts."spotify.playing.deprived.dev" = {
-  extraConfig = ''
-    encode zstd gzip
-
-    @preflight method OPTIONS
-    handle @preflight {
-      header {
-        Access-Control-Allow-Origin "{http.request.header.Origin}"
-        Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
-        Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}"
-        Access-Control-Allow-Credentials "true"
-        Access-Control-Max-Age "600"
-        Vary "Origin"
-      }
-      respond 204
-    }
-
-    @protected not method OPTIONS
-    basicauth @protected {
-      alice $2a$14$GbqQnETcOz5fNEbS06Y0E.HxRIIgPKAK7OMijT1Bv63h3V6S/gwRG
-    }
-
-    reverse_proxy 127.0.0.1:8800
-
-    header {
-      Access-Control-Allow-Origin "{http.request.header.Origin}"
-      Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
-      Access-Control-Allow-Headers "{http.request.header.Access-Control-Request-Headers}"
-      Access-Control-Allow-Credentials "true"
-      Vary "Origin"
-    }
-  '';
-};
-
-  services.caddy.virtualHosts."lyrics.deprived.dev" = {
+  services.caddy.virtualHosts."internal.deprived.dev" = {
    extraConfig = ''
-        reverse_proxy * 127.0.0.1:7444
-    ''; 
+      # Only allow GET + POST
+      @not_allowed {
+        not method GET POST
+      }
+      respond @not_allowed 405
+
+      # Auth (same as before): require auth for non-POST (i.e., GET)
+      @protected {
+        not method POST
+      }
+      basicauth @protected {
+        git $2a$14$VlDba5ipUmRYKPYmjPql8.pa8vO7cYsmUf26cXzTk.MbHoRA/ZKJy
+      }
+
+      # /backup → 127.0.0.1:3435
+      @backup path /backup*
+      reverse_proxy @backup 127.0.0.1:3435
+
+      # everything else → 127.0.0.1:3322
+      reverse_proxy * 127.0.0.1:3322
+
+    '';
  };
 }
--- a/programs.nix
+++ b/programs.nix
@ -1,4 +1,4 @@
-{pkgs,...} : {
+{ pkgs, ... }: {
  environment.systemPackages = with pkgs; [
    neovim
    wget
@ -13,6 +13,17 @@
    nixfmt-tree
    ffmpeg-full
    borgbackup
+    p7zip
+    vtk
+    immich-cli
+    parted
+    toybox
+    gitoxide
+    (pkgs.callPackage ./modules/customPackages/shreddit/shreddit.nix { })
+    busybox
+    linuxKernel.packages.linux_6_12.turbostat
+    linuxKernel.packages.linux_6_12.cpupower
+
  ];

  programs.starship.enable = true;
--- a/users.nix
+++ b/users.nix
@ -1,16 +1,12 @@
-{pkgs, ...}: {
+{ pkgs, ... }: {
  users.users.botserver = {
    isNormalUser = true;
    description = "botserver";
-    extraGroups = [
-      "networkmanager"
-      "wheel"
-      "docker"
-      "starr"
-    ];
-    packages = with pkgs; [
-      #  thunderbird
-    ];
+    extraGroups = [ "networkmanager" "wheel" "docker" "starr" ];
+    packages = with pkgs;
+      [
+        #  thunderbird
+      ];

    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAhiPhFbCi64NduuV794omgS8mctBLXtqxbaEJyUo6lg botalex@DESKTOPSKTOP-ENDVV0V"
@ -19,16 +15,25 @@
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfQLOKUnOARUAs8X1EL1GRHoCQ0oMun0vzL7Z78yOsM nixos@nixos"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJw1ckvXz78ITeqANrWSkJl6PJo2AMA4myNrRMBAB7xW zhentao2004@gmail.com"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA0K0fj9fJAgBrajHQJWRe0lKkmyjOUAjVn5S5zsVAQL redux@solituboks"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhcUZbIMX0W27l/FMF5WijpdsJAK329/P008OEAfcyz botmain@nixos"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKyZOZlcQBmqSPxjaGgE2tP+K7LYziqjFUo3EX12rGtf botlap@nixos"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHo3J4vGo2eWzwXU2K6kaom8pmElX+PaAuasH5BWQ9v7 root@nixos"
    ];
  };

-  users.users.starr = {
-      isNormalUser = true;
-      description = "For jellyfin";
-      extraGroups = [
-          "starr"
-        ];
-    };
+  users.motd = "Server DEPRIVED of good internet";

-  users.groups."starr" = {};
+  users.users.starr = {
+    isNormalUser = true;
+    description = "For jellyfin";
+    extraGroups = [ "starr" ];
+  };
+
+  users.users.builder = {
+    isNormalUser = true;
+    description = "For test case building and such";
+    extraGroups = [ "docker" ];
+  };
+
+  users.groups."starr" = { };
 }