feat(jupiter): enable sunshine streaming #1720

Merged
johnae merged 1 commit into main from push-mvupntvozrsz
May 2, 2026

Owner

@johnae johnae commented May 2, 2026

Summary

  • Enable sunshine on jupiter mirroring the neptune setup (enable, autoStart, capSysAdmin = false, openFirewall).
  • Add render/video/uinput to the admin user's extraGroups (sunshine needs uinput for input injection).

Test plan

  • nix eval .#nixosConfigurations.jupiter.config.system.build.toplevel.drvPath succeeds locally
  • After merge: confirm sunshine.service is active on jupiter and the web UI on port 47990 is reachable over tailscale

Contributor

claude Bot commented May 2, 2026

Claude finished @johnae's task —— View job


Pull Request Review

Review Tasks

  • Check for repository-specific guidelines (CLAUDE.md)
  • Examine the changes in jupiter.nix
  • Review neptune configuration for consistency
  • Analyze security implications
  • Assess code quality and best practices
  • Evaluate test coverage

Code Review Feedback

✅ Positive Aspects

  1. Consistency with Neptune: The sunshine service configuration exactly mirrors the neptune setup (configurations/nixos/x86_64-linux/neptune.nix:45-50), ensuring consistency across similar hosts.

  2. Security-conscious configuration: Setting capSysAdmin = false is a good security practice, limiting the service's capabilities and reducing the attack surface.

  3. Proper user permissions: Adding the necessary groups (render, video, uinput) to the admin user follows the principle of least privilege - only granting what's needed for sunshine to function.

  4. Clean code structure: The changes maintain the existing code style and organization of the configuration file.

🔍 Observations and Recommendations

  1. Security Considerations:

    • openFirewall = true is necessary for the service but ensure you understand this opens port 47990 on all network interfaces
    • ✅ The service will be accessible over tailscale (trusted interface) as noted in line 94: networking.firewall.trustedInterfaces = ["tailscale0"]
    • ⚠️ Consider documenting which ports sunshine opens (typically 47989-47990 TCP, 47998-48000 UDP) for future reference
  2. Group Permissions:

    • uinput group is correctly added for input injection capability
    • render and video groups are standard for GPU acceleration access
    • These match exactly with neptune's configuration (configurations/nixos/x86_64-linux/neptune.nix:195)
  3. Service Configuration:

    • autoStart = true ensures the service starts on boot, which is appropriate for a streaming server
    • The configuration is minimal and focused, which is good

📋 Test Coverage

The test plan is appropriate:

  • ✅ Local nix evaluation check is a good first step
  • ✅ Post-merge verification of service status and web UI accessibility is practical
  • 💡 Consider adding to the test plan:
    • Verify the service starts without errors: systemctl status sunshine.service
    • Confirm the expected ports are open: ss -tlnp | grep 47990
    • Test input injection works correctly (manual testing with a client)

🎯 Overall Assessment

APPROVED - The changes are well-structured, consistent with existing configurations, and follow security best practices. The implementation correctly mirrors the neptune setup while maintaining jupiter's specific configuration needs.

No bugs or critical issues were identified. The PR accomplishes its stated goal cleanly and effectively.

@johnae johnae merged commit 1a25f4d into main May 2, 2026
2 of 4 checks passed
@johnae johnae deleted the push-mvupntvozrsz branch May 2, 2026 14:43
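
The listening-port check from the review above, as an added example that is not part of the pull request or the repository: a shell function that reads `ss -tln` output and reports, for each port, whether it is bound to a wildcard address (exposed on every interface the firewall allows) or to a specific one. The function names, the sample lines and the address 100.64.0.7 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR). Reads `ss -tln` / `ss -tlnp` output on
# stdin and classifies the listeners for the ports given as arguments.
# Output per port: "<port> wildcard|specific|absent <address>"
classify_listeners() {
  awk -v ports="$*" '
    BEGIN { n = split(ports, want, " ") }
    $1 == "LISTEN" {                       # also skips the ss header line
      la = $4                              # local address:port column
      i = match(la, /:[0-9]+$/)            # port follows the last colon
      if (!i) next
      addr = substr(la, 1, i - 1)
      port = substr(la, i + 1)
      sub(/%.*$/, "", addr)                # drop a %interface scope suffix
      kind = (addr == "*" || addr == "0.0.0.0" || addr == "[::]") \
             ? "wildcard" : "specific"
      # a wildcard bind outranks a specific bind on the same port
      if (!(port in seen) || kind == "wildcard") {
        seen[port] = kind; at[port] = addr
      }
    }
    END {
      for (k = 1; k <= n; k++) {
        p = want[k]
        if (p in seen) print p, seen[p], at[p]
        else           print p, "absent", "-"
      }
    }'
}

# Constructed sample of `ss -tln` lines, not captured from jupiter.
sample_ss_output() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   0.0.0.0:47990      0.0.0.0:*
LISTEN 0      4096   100.64.0.7:47989   0.0.0.0:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
LISTEN 0      4096   [::]:22            [::]:*
EOF
}

# On a real host: ss -tln | classify_listeners 47990 47989
sample_ss_output | classify_listeners 47990 47989
```

A `wildcard` result for 47990 combined with `openFirewall = true` means the web UI is not limited to the tailscale interface, which is the point raised under Security Considerations.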