diff --git a/modules/machine/yshtola/configuration.nix b/modules/machine/yshtola/configuration.nix
index 187f301..56b9c72 100644
--- a/modules/machine/yshtola/configuration.nix
+++ b/modules/machine/yshtola/configuration.nix
@@ -10,6 +10,14 @@
   supportEmail = "wyatt@wyattjmiller.com";
   livekitKeyFile = "/var/lib/livekit/livekit.key";
   matrixRegistrationTokenFile = "/var/lib/matrix.key";
+  mastodonFqdn = "social.wyattjmiller.com";
+  mastodonSecretsDir = "/var/lib/mastodon/secrets";
+
+  # After deploying Mastodon, register an OAuth application at
+  # https://social.wyattjmiller.com/settings/applications and write the
+  # client ID / secret to these paths (chmod 400, owned by the tuwunel user):
+  mastodonOauthClientIdFile = "/var/lib/tuwunel/mastodon-oauth-client-id";
+  mastodonOauthClientSecretFile = "/var/lib/tuwunel/mastodon-oauth-client-secret";
 in {
   imports = [
     ../../pwrMgmt
@@ -114,6 +122,25 @@ in {
     };
   };
 
+  # Mastodon service — social.wyattjmiller.com
+  services.mastodon = {
+    enable = true;
+    localDomain = mastodonFqdn;
+    configureNginx = false;
+    secretKeyBaseFile = "${mastodonSecretsDir}/secret_key_base";
+    otpSecretFile = "${mastodonSecretsDir}/otp_secret";
+    vapidPrivateKeyFile = "${mastodonSecretsDir}/vapid_private_key";
+    vapidPublicKeyFile = "${mastodonSecretsDir}/vapid_public_key";
+    # Configure SMTP after initial deploy via mastodonSecretsDir or a separate
+    # NixOS secrets manager (sops-nix / agenix).
+    smtp = {
+      host = "mail.wyattjmiller.com";
+      port = 25;
+      fromAddress = "notifications@${mastodonFqdn}";
+      authenticate = false;
+    };
+  };
+
   # Matrix server
   services.matrix-tuwunel = {
     enable = true;
@@ -150,6 +177,28 @@ in {
             livekit_service_url = "https://${rtcFqdn}";
           }];
         };
+
+        # Mastodon as OIDC provider for Matrix login.
+        # Mastodon 4.3+ exposes OpenID Connect discovery at
+        # https://<domain>/.well-known/openid-configuration.
+        #
+        # REQUIRED RUNTIME SETUP (once, after first Mastodon deploy):
+        #   1. Visit https://social.wyattjmiller.com/settings/applications
+        #   2. Create a new application with the redirect URI:
+        #        https://chat.wyattjmiller.com/_matrix/client/v3/login/sso/redirect/oidc-mastodon
+        #      and scopes: read:accounts
+        #   3. Write the Application ID  → /var/lib/tuwunel/mastodon-oauth-client-id  (chmod 400, owned by tuwunel)
+        #      Write the Client Secret   → /var/lib/tuwunel/mastodon-oauth-client-secret
+        #   4. nixos-rebuild switch (or restart tuwunel.service)
+        oidc_providers = [
+          {
+            issuer = "https://${mastodonFqdn}";
+            id = "oidc-mastodon";
+            client_id_file = mastodonOauthClientIdFile;
+            client_secret_file = mastodonOauthClientSecretFile;
+            scopes = ["openid" "read:accounts"];
+          }
+        ];
       };
     };
   };
@@ -174,6 +223,20 @@ in {
     enable = true;
     package = pkgs.caddy;
     virtualHosts = {
+      "${mastodonFqdn}" = {
+        extraConfig = ''
+          encode zstd gzip
+
+          @streaming path /api/v1/streaming*
+          handle @streaming {
+            reverse_proxy localhost:4000
+          }
+
+          handle {
+            reverse_proxy localhost:3000
+          }
+        '';
+      };
       "${matrixFqdn}" = {
         extraConfig = ''
           encode zstd gzip
@@ -265,6 +328,49 @@ in {
         User = "root";
       };
     };
+
+    mastodon-secrets-gen = {
+      before = [ "mastodon-web.service" "mastodon-sidekiq-0.service" "mastodon-streaming.service" ];
+      wantedBy = [ "multi-user.target" ];
+      path = with pkgs; [ coreutils openssl ruby_3_4 ];
+      script = ''
+        set -eu
+
+        dir="${mastodonSecretsDir}"
+        install -d -m 0750 -o mastodon -g mastodon "$dir"
+
+        gen_hex() {
+          local f="$1"
+          if [ ! -f "$f" ]; then
+            umask 077
+            openssl rand -hex 64 | install -o mastodon -g mastodon -m 0400 /dev/stdin "$f"
+          fi
+        }
+
+        gen_hex "$dir/secret_key_base"
+        gen_hex "$dir/otp_secret"
+
+        if [ ! -f "$dir/vapid_private_key" ]; then
+          umask 077
+          ruby -ropenssl -rbase64 -e '
+            key = OpenSSL::PKey::EC.generate("prime256v1")
+            priv = Base64.urlsafe_encode64(key.private_key.to_s(2).rjust(32, "\x00"), padding: false)
+            pub  = Base64.urlsafe_encode64(key.public_key.to_bn.to_s(2), padding: false)
+            File.write(ARGV[0], priv)
+            File.write(ARGV[1], pub)
+          ' \
+            "$dir/vapid_private_key" \
+            "$dir/vapid_public_key"
+          chown mastodon:mastodon "$dir/vapid_private_key" "$dir/vapid_public_key"
+          chmod 0400 "$dir/vapid_private_key" "$dir/vapid_public_key"
+        fi
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        RemainAfterExit = true;
+      };
+    };
   };
 
   system.stateVersion = "25.11";