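# NixOS module for the secondary desktop account `bearded_dragonn`:
# enables the per-user `my.*` feature modules for that account, turns on
# Tailscale and Sunshine, and installs an nftables rule that stops this
# account from reaching the host's Open WebUI and SillyTavern ports.
{
  config,
  lib,
  pkgs,
  inputs,
  ...
}:
let
  # Read the uid and ports back from the evaluated config so the firewall
  # rule below cannot drift from the user and service definitions.
  derekUid = config.users.users.bearded_dragonn.uid;
  openWebuiPort = config.services.open-webui.port;
  sillytavernPort = config.services.sillytavern.port;

  # Shared value for every `my.*` option that is switched on for this user only.
  enableForDerek = {
    enable = true;
    users = "bearded_dragonn";
  };
in
{
  # On secure hosts the password hash comes from sops-nix. `neededForUsers`
  # makes the secret available early enough for account creation.
  sops.secrets = lib.mkIf config.my.secureHost {
    derek-password.neededForUsers = true;
  };

  my = {
    stylix = enableForDerek;
    emacs = enableForDerek;
    apps = {
      art = enableForDerek;
      gaming = enableForDerek;
      multimedia.videoEditing = enableForDerek;
    };
    dev = {
      nix = enableForDerek;
      python = enableForDerek;
      sh = enableForDerek;
    };
    shell = {
      exercism = enableForDerek;
      tools = enableForDerek;
      multimedia = enableForDerek;
    };
  };

  services = {
    tailscale.enable = true;

    # NOTE(review): `capSysAdmin` grants the Sunshine binary CAP_SYS_ADMIN,
    # a very broad capability, and `openFirewall` opens its ports in the host
    # firewall rather than only on the Tailscale interface. Confirm both are
    # needed on every host that imports this module. `autoStart = false`
    # keeps the service from starting automatically.
    sunshine = {
      enable = true;
      autoStart = false;
      capSysAdmin = true;
      openFirewall = true;
    };
  };

  networking.nftables = {
    enable = true;
    tables.local-uid-block = {
      family = "inet";
      # Drop TCP connections that processes owned by this uid open to the
      # Open WebUI / SillyTavern ports on this machine.
      #
      # The match is `fib daddr type local` rather than the literal loopback
      # addresses 127.0.0.1 and ::1: a loopback-only match leaves the ports
      # reachable through any other address the host owns (the rest of
      # 127.0.0.0/8, a LAN or Tailscale address) whenever a service listens
      # on a wildcard address. The bind addresses are configured elsewhere,
      # so the rule should not depend on them. One rule covers IPv4 and IPv6
      # because the table family is inet.
      #
      # Scope: locally generated TCP from this uid only. Access from other
      # hosts or other local accounts is not restricted by this table.
      content = ''
        chain output {
          type filter hook output priority 0; policy accept;
          meta skuid ${toString derekUid} fib daddr type local tcp dport { ${toString openWebuiPort}, ${toString sillytavernPort} } drop
        }
      '';
    };
  };

  users.users.bearded_dragonn = {
    # Fixed uid: the nftables rule above is keyed on it.
    uid = 1002;
    isNormalUser = true;
    createHome = true;

    # Secure hosts: hash is read from the sops-managed file at activation.
    hashedPasswordFile = lib.mkIf config.my.secureHost config.sops.secrets.derek-password.path;

    # NOTE(review): on hosts where `my.secureHost` is false this SHA-512 crypt
    # hash is part of the evaluated configuration, so it is stored in the
    # world-readable Nix store (and in this repository) and can be copied for
    # offline guessing. Treat the password as low-value and never reuse it,
    # or move these hosts to `hashedPasswordFile` as well.
    hashedPassword =
      lib.mkIf (!config.my.secureHost)
        "$6$s4kbia4u7xVwCmyo$LCN7.Ki2n3xQOqPKnTwa5idwOWYeMNTieQYbLkiiKcMFkFmK76BjtNofJk3U7yRmLGnW3oFT433.nTRq1aoN.1";

    packages = builtins.attrValues {
      inherit (pkgs)
        bottles
        vscode
        nextcloud-client
        warp
        handbrake
        ;
      # Taken from a flake input; the system is pinned to x86_64-linux here.
      inherit (inputs.prem2resolve.packages.x86_64-linux) prem2resolve;
    };

    # Device and media groups only; no `wheel`, so no sudo through group
    # membership from this module.
    extraGroups = [
      "audio"
      "video"
      "input"
      "games"
    ];
  };
}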