From 26662e1419fb2ad357018146e27a123e5f1a7ee1 Mon Sep 17 00:00:00 2001 From: "Wyatt J. Miller" Date: Tue, 17 Feb 2026 18:24:34 -0500 Subject: [PATCH 01/14] wip: yshtola build in progress --- flake.nix | 25 +++++ modules/machine/yshtola/configuration.nix | 93 +++++++++++++++++++ modules/machine/yshtola/default.nix | 6 ++ .../yshtola/hardware-configuration.nix | 0 4 files changed, 124 insertions(+) create mode 100644 modules/machine/yshtola/configuration.nix create mode 100644 modules/machine/yshtola/default.nix create mode 100644 modules/machine/yshtola/hardware-configuration.nix diff --git a/flake.nix b/flake.nix index 45f93d3..2a55f9e 100644 --- a/flake.nix +++ b/flake.nix @@ -162,6 +162,31 @@ # ]; }; + nixosConfigurations."yshtola" = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { + inherit userName userEmail; + hostname = "yshtola"; + role = "server"; + }; + modules = [ + myOverlays + ./modules/common + ./modules/machine/yshtola + + home-manager.nixosModules.home-manager + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.extraSpecialArgs = extraSpecialArgs // { isNixOS = true; role = "server"; }; + home-manager.backupFileExtension = "bak"; + home-manager.users.${userName}.imports = [ + ./home + ]; + } + ]; + }; + # generic non-NixOS Linux machine homeConfigurations."generic" = let hostname = builtins.getEnv "HOSTNAME"; diff --git a/modules/machine/yshtola/configuration.nix b/modules/machine/yshtola/configuration.nix new file mode 100644 index 0000000..97c6488 --- /dev/null +++ b/modules/machine/yshtola/configuration.nix 
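Review bot: The new `nixosConfigurations."yshtola"` imports the whole `./home` tree for a `role = "server"` host, which (per `home/packages/linux.nix` later in this series) pulls desktop packages such as `vesktop`, `xfce.thunar` and `gpu-screen-recorder` onto an internet-facing Matrix server, since that list is gated only on `isNixOS`. `role` is already passed through `extraSpecialArgs`, so the list can be gated on it too, e.g. `lib.optionals (isNixOS && role != "server") [ ... ]`, or the server can import a reduced home profile. Fewer packages on the host is less attack surface and less to keep patched.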
@@ -0,0 +1,93 @@ + +{ + pkgs, + userName, + ... +}: { + imports = [ + ../../pwrMgmt + ../../networking/core.nix + ../../networking/dns.nix + ../../virtualization/podman.nix + ]; + + # Enable flakes for NixOS + nix.settings.experimental-features = ["nix-command" "flakes"]; + + # Custom kernel/boot stuff + boot.kernelPackages = pkgs.linuxPackages_latest; + boot.loader.systemd-boot.enable = true; # TODO: check on this + boot.loader.efi.canTouchEfiVariables = true; + + # Set your timezone + time.timeZone = "America/Detroit"; + + # Enable OpenSSH + services.openssh.enable = true; + + # Enable keyring + services.gnome.gnome-keyring.enable = true; + + # Enable GnuPG + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + # Enable SUID wrappers (some programs need them) + programs.mtr.enable = true; + + # Enable Polkit + security.polkit.enable = true; + + # Power management (see ../../pwrMgmt/default.nix) + pwrMgmt = { + enable = true; + cpuFreqGovernor = "performance"; + powertop.enable = false; + }; + + # Podman module (see ../../virtualization/podman.nix) + # podman = { + # enable = true; + # extraPackages = with pkgs; [ + # docker-credential-helpers + # toolbox + # cosign + # crane + # podman-tui + # podman-desktop + # ]; + # }; + + # Core networking module (see ../../networking/core.nix) + network = { + firewall.enable = true; + networkManager.enable = true; + }; + + # Add username to groups "wheel" and "video" - more may be added here later + users.users.${userName}.extraGroups = ["wheel" "video" "network"]; + + # fail2ban + services.fail2ban = { + + }; + + # Matrix server + services.matrix-tuwunel = { + + }; + + # LiveKit (MatrixRTC) + services.livekit = { + + }; + + # TURN/STUN server + services.coturn = { + + }; + + system.stateVersion = "25.11"; +} diff --git a/modules/machine/yshtola/default.nix b/modules/machine/yshtola/default.nix new file mode 100644 index 0000000..3c4d411 --- /dev/null +++ b/modules/machine/yshtola/default.nix 
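Review bot: `services.openssh.enable = true;` is the only sshd setting in this new host, so password authentication and root login stay at the module defaults on a machine whose only user is also in `wheel`; unless `../../networking/core.nix` hardens sshd, add `services.openssh.settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; PermitRootLogin = "no"; };` and provision `users.users.${userName}.openssh.authorizedKeys.keys` so the very first deploy is key-only. The `# TODO: check on this` on `boot.loader.systemd-boot.enable` should be resolved before the first build, since the loader choice depends on the (still empty) hardware configuration. The four empty service attribute sets (`fail2ban`, `matrix-tuwunel`, `livekit`, `coturn`) evaluate fine but configure nothing; a `# WIP` comment on each would make that obvious to a reader of this commit.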
@@ -0,0 +1,6 @@ +{ ... }: { + imports = [ + ./configuration.nix + ./hardware-configuration.nix + ]; +} diff --git a/modules/machine/yshtola/hardware-configuration.nix b/modules/machine/yshtola/hardware-configuration.nix new file mode 100644 index 0000000..e69de29 From bdf4d54e99a3093d702c04c85e3868e8862822cf Mon Sep 17 00:00:00 2001 From: "Wyatt J. Miller" Date: Wed, 18 Feb 2026 08:40:47 -0500 Subject: [PATCH 02/14] wip: build still in progress --- modules/machine/yshtola/configuration.nix | 34 +++++++++++++++++++---- 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/modules/machine/yshtola/configuration.nix b/modules/machine/yshtola/configuration.nix index 97c6488..182b7f2 100644 --- a/modules/machine/yshtola/configuration.nix +++ b/modules/machine/yshtola/configuration.nix @@ -71,23 +71,45 @@ # fail2ban services.fail2ban = { - + enable = true; + package = pkgs.fail2ban; + maxretry = 5; + bantime = "3h"; + bantime-increment = { + enable = true; + rndtime = "10m"; + }; }; # Matrix server services.matrix-tuwunel = { - + enable = true; + package = pkgs.matrix-tuwunel; + settings = { + global = { + server_name = "wyattjmiller.com"; + allow_encryption = true; + allow_federation = true; + allow_registration = true; + }; + # TODO: figure out what goes here + }; }; # LiveKit (MatrixRTC) services.livekit = { - + enable = true; + package = pkgs.livekit; + openFirewall = true; + settings = { + # TODO: figure out what goes here + }; }; # TURN/STUN server - services.coturn = { - - }; + # services.coturn = { + # + # }; system.stateVersion = "25.11"; } From e7b2a1bc1e94daac956411af6f79895c2da8241d Mon Sep 17 00:00:00 2001 From: "Wyatt J. Miller" Date: Wed, 18 Feb 2026 14:57:21 -0500 Subject: [PATCH 03/14] wip: still in progress --- modules/machine/yshtola/configuration.nix | 129 ++++++++++++++++++---- 1 file changed, 109 insertions(+), 20 deletions(-) 
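Review bot: `allow_registration = true;` combined with `allow_federation = true;` and no registration token makes this an open, federated homeserver: anyone on the internet can create accounts, which is the usual source of spam and abuse reports against small servers. Set `allow_registration = false;` until a token exists, or provide one via the file-backed option (tuwunel, like conduwuit, documents a separate `registration_token_file`; it may also refuse to start with open registration unless an explicit acknowledgement flag is set — verify against the version in `pkgs.matrix-tuwunel`). `server_name = "wyattjmiller.com";` becomes the permanent identity of every account and room created here, so decide it once and treat it as immutable. `services.livekit.openFirewall = true;` opens LiveKit's ports independently of the firewall module; a comment saying which list is authoritative avoids maintaining both.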
diff --git a/modules/machine/yshtola/configuration.nix b/modules/machine/yshtola/configuration.nix index 182b7f2..6fa1e52 100644 --- a/modules/machine/yshtola/configuration.nix +++ b/modules/machine/yshtola/configuration.nix @@ -7,8 +7,6 @@ imports = [ ../../pwrMgmt ../../networking/core.nix - ../../networking/dns.nix - ../../virtualization/podman.nix ]; # Enable flakes for NixOS @@ -47,25 +45,39 @@ powertop.enable = false; }; - # Podman module (see ../../virtualization/podman.nix) - # podman = { - # enable = true; - # extraPackages = with pkgs; [ - # docker-credential-helpers - # toolbox - # cosign - # crane - # podman-tui - # podman-desktop - # ]; - # }; - # Core networking module (see ../../networking/core.nix) network = { - firewall.enable = true; networkManager.enable = true; }; + # Firewall settings (fallback, upstream way of doing things) + networking.firewall = { + enable = true; + + allowedTCPPorts = [ + 3478 + 5349 + 7880 + 7881 + 8080 + ]; + + allowedUDPPorts = [ + 3478 + ]; + + allowedUDPPortRanges =[ + { + from = 49000; + to = 50000; + } + { + from = 50100; + to = 50200; + } + ]; + }; + # Add username to groups "wheel" and "video" - more may be added here later users.users.${userName}.extraGroups = ["wheel" "video" "network"]; 
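Review bot: `allowedTCPPorts` exposes 7880 (LiveKit's HTTP/WebSocket API) and 8080 directly to the internet even though the Caddy virtual hosts added later in this same patch front both over TLS on `rtc.wyattjmiller.com`; unless LiveKit and the JWT service are bound to loopback, this leaves a plaintext path that bypasses the proxy. Keep 7881 (LiveKit ICE/TCP fallback) and the TURN ports (3478, 5349 and the relay range), drop 7880 and 8080, and annotate each remaining entry, e.g. `7881 # LiveKit ICE/TCP fallback`. The second UDP range `50100`–`50200` has no consumer in this patch (`services.coturn` uses `min-port`/`max-port` 49000–50000); either document what it is for or remove it.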
@@ -90,7 +102,31 @@ server_name = "wyattjmiller.com"; allow_encryption = true; allow_federation = true; - allow_registration = true; + allow_registration = false; + allow_unstable_room_versions = false; + allow_experimental_room_versions = false; + encryption_enabled_by_default_for_room_type = "all"; + zstd_compression = true; + new_user_displayname_suffix = "✨"; + max_request_size = 1048575600; # 100MB in bytes, for file uploads + + address = [ + "127.0.0.1" + "::1" + ]; + port = [ 8008 ]; + + well_known = { + client = "https://chat.wyattjmiller.com"; + server = "chat.wyattjmiller.com:443"; + support_email = "wyatt@wyattjmiller.com"; + support_mxid = "@wymiller:wyattjmiller.com"; + + rtc_transports = { + type = "livekit"; + livekit_service_url = "https://rtc.wyattjmiller.com"; + }; + }; }; # TODO: figure out what goes here }; 
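Review bot: `max_request_size = 1048575600; # 100MB in bytes` is off by a factor of ten — 1,048,575,600 bytes is about 1000 MiB, so any authenticated user could push ~1 GB per upload request, which matters for disk exhaustion on a small VM. 100 MiB is `max_request_size = 104857600; # 100 MiB`. Binding to `address = [ "127.0.0.1" "::1" ]` on `port = [ 8008 ]` behind the reverse proxy is the right call; `well_known.server = "chat.wyattjmiller.com:443"` also means federation is delegated to 443, so no separate 8448 listener is needed for this design.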
@@ -102,14 +138,67 @@ package = pkgs.livekit; openFirewall = true; settings = { + port = 7880; + room.auto_create = true; + rtc = { + use_external_ip = true; + }; # TODO: figure out what goes here }; }; + services.caddy = { + enable = true; + package = pkgs.caddy; + virtualHosts = { + "chat.wyattjmiller.com" = { + extraConfig = '' + encode zstd gzip + reverse_proxy localhost:8008 + ''; + }; + "chat.wyattjmiller.com:8443" = { + extraConfig = '' + encode zstd gzip + reverse_proxy localhost:8008 + ''; + }; + "rtc.wyattjmiller.com" = { + extraConfig = '' + @jwt_service { + path /sfu/get* /healthz* + } + + handle @jwt_service { + reverse_proxy localhost:8081 + } + + handle { + reverse_proxy localhost:7880 { + header_up Connection "upgrade" + header_up Upgrade {http.request.header.Upgrade} + } + } + ''; + }; + }; + }; + # TURN/STUN server - # services.coturn = { - # - # }; + services.coturn = { + enable = true; + no-cli = false; + no-tcp-relay = false; + realm = "turn.wyattjmiller.com"; + min-port = 49000; + max-port = 50000; + + # TODO: fill out this extraConfig option a bit more with denial of private IP addresses + extraConfig = '' + verbose + no-multicast-peers + ''; + }; system.stateVersion = "25.11"; } From aea71bb49beb2676f080f7b806a9b66025548049 Mon Sep 17 00:00:00 2001 From: "Wyatt J. Miller" Date: Wed, 18 Feb 2026 19:55:43 -0500 Subject: [PATCH 04/14] wip: ready for hardware configuration --- modules/machine/yshtola/configuration.nix | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/modules/machine/yshtola/configuration.nix b/modules/machine/yshtola/configuration.nix index 6fa1e52..2f962fd 100644 --- a/modules/machine/yshtola/configuration.nix +++ b/modules/machine/yshtola/configuration.nix 
@@ -21,7 +21,11 @@ time.timeZone = "America/Detroit"; # Enable OpenSSH - services.openssh.enable = true; + services.openssh = { + enable = true; + PermitRootLogin = "no"; + PasswordAuthentication = "no"; + }; # Enable keyring services.gnome.gnome-keyring.enable = true; @@ -79,7 +83,13 @@ }; # Add username to groups "wheel" and "video" - more may be added here later - users.users.${userName}.extraGroups = ["wheel" "video" "network"]; + users.users.${userName} = { + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV9eSc9L+aJLoKoexq2f/jb5rpyZnhuGiyhS8YQAbaS wyatt@wyattjmiller.com" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4WKvKnnYpTbzZHFEslOKyfiiMqWxhW3AfX6E7ACmYU wyatt@wyattjmiller.com" + ]; + extraGroups = ["wheel" "video" "network"]; + }; # fail2ban services.fail2ban = { @@ -109,6 +119,9 @@ zstd_compression = true; new_user_displayname_suffix = "✨"; max_request_size = 1048575600; # 100MB in bytes, for file uploads + database_path = "/var/lib/tuwunel"; + database_backup_path = "/var/lib/tuwunel/database_backups"; + database_backups_to_keep = 2; address = [ "127.0.0.1" @@ -128,11 +141,10 @@ }; }; }; - # TODO: figure out what goes here }; }; - # LiveKit (MatrixRTC) + # LiveKit (Matrix RTC) services.livekit = { enable = true; package = pkgs.livekit; @@ -143,10 +155,10 @@ rtc = { use_external_ip = true; }; - # TODO: figure out what goes here }; }; + # Reverse proxy services.caddy = { enable = true; package = pkgs.caddy; From f2ae159c67961f99680fc0c3596b753d979c7d87 Mon Sep 17 00:00:00 2001 From: "Wyatt J. Miller" Date: Mon, 23 Feb 2026 21:53:20 -0500 Subject: [PATCH 05/14] wip: added configuration changes to tuwunel, livekit, lk-jwt-service --- home/packages/linux.nix | 16 +-- modules/machine/yshtola/configuration.nix | 107 +++++++++++++----- .../yshtola/hardware-configuration.nix | 35 ++++++ 3 files changed, 112 insertions(+), 46 deletions(-) diff --git a/home/packages/linux.nix b/home/packages/linux.nix index 79436a2..e06b684 100644 
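Review bot: `PermitRootLogin = "no";` and `PasswordAuthentication = "no";` are placed directly under `services.openssh`, but the NixOS module only knows these under `services.openssh.settings`, and `PasswordAuthentication` there is a boolean; as written the configuration should fail to evaluate with an unknown-option error rather than harden anything. Use `settings.PermitRootLogin = "no";` and `settings.PasswordAuthentication = false;`. The `openssh.authorizedKeys.keys` hunk is the right complement — once both are in place, also add `settings.KbdInteractiveAuthentication = false;` so PAM keyboard-interactive cannot act as a password fallback.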
--- a/home/packages/linux.nix +++ b/home/packages/linux.nix @@ -1,18 +1,4 @@ { lib, pkgs, isNixOS ? true, ... }: lib.mkIf pkgs.stdenv.isLinux { - home.packages = with pkgs; [ - imv - xdg-utils - ] ++ lib.optionals isNixOS [ - betterdiscordctl - vesktop - xfce.thunar - pavucontrol - godot - aseprite - zathura - gpu-screen-recorder - gpu-screen-recorder-gtk - inetutils - ]; + } diff --git a/modules/machine/yshtola/configuration.nix b/modules/machine/yshtola/configuration.nix index 2f962fd..e774ec6 100644 --- a/modules/machine/yshtola/configuration.nix +++ b/modules/machine/yshtola/configuration.nix @@ -3,19 +3,25 @@ pkgs, userName, ... -}: { +}:let + livekitKeyFile = "/var/lib/livekit/livekit.key"; + matrixRegistrationTokenFile = "/var/lib/matrix.key"; +in { imports = [ ../../pwrMgmt - ../../networking/core.nix ]; # Enable flakes for NixOS nix.settings.experimental-features = ["nix-command" "flakes"]; + nix.settings = { + download-buffer-size = 134217728; # 128 MiB in bytes + }; + # Custom kernel/boot stuff boot.kernelPackages = pkgs.linuxPackages_latest; - boot.loader.systemd-boot.enable = true; # TODO: check on this - boot.loader.efi.canTouchEfiVariables = true; + # boot.loader.systemd-boot.enable = true; # TODO: check on this + # boot.loader.efi.canTouchEfiVariables = true; # Set your timezone time.timeZone = "America/Detroit"; @@ -23,8 +29,8 @@ # Enable OpenSSH services.openssh = { enable = true; - PermitRootLogin = "no"; - PasswordAuthentication = "no"; + settings.PermitRootLogin = "no"; + settings.PasswordAuthentication = false; }; # Enable keyring 
@@ -49,32 +55,34 @@ powertop.enable = false; }; - # Core networking module (see ../../networking/core.nix) - network = { - networkManager.enable = true; - }; - # Firewall settings (fallback, upstream way of doing things) networking.firewall = { enable = true; allowedTCPPorts = [ + 80 + 443 + 8448 3478 5349 7880 7881 8080 + 8081 ]; allowedUDPPorts = [ 3478 + 8448 ]; allowedUDPPortRanges =[ - { + # TURN UDP relays + { from = 49000; to = 50000; } + # { from = 50100; to = 50200; @@ -109,17 +117,17 @@ package = pkgs.matrix-tuwunel; settings = { global = { - server_name = "wyattjmiller.com"; + server_name = "chat.wyattjmiller.com"; allow_encryption = true; allow_federation = true; - allow_registration = false; + allow_registration = true; + registration_token = matrixRegistrationTokenFile; allow_unstable_room_versions = false; allow_experimental_room_versions = false; - encryption_enabled_by_default_for_room_type = "all"; + # encryption_enabled_by_default_for_room_type = false; zstd_compression = true; new_user_displayname_suffix = "✨"; max_request_size = 1048575600; # 100MB in bytes, for file uploads - database_path = "/var/lib/tuwunel"; database_backup_path = "/var/lib/tuwunel/database_backups"; database_backups_to_keep = 2; 
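Review bot: `allowedUDPPorts` gains `8448`, but Matrix federation is HTTPS over TCP, so UDP 8448 has no listener and should be dropped; likewise TCP `8081` is opened while in this same patch `lk-jwt-service` listens on `8080` and Caddy proxies `/sfu/get*` to `localhost:8081` — one of those numbers is wrong, and neither 8080 nor 8081 needs to be reachable from outside once Caddy fronts the JWT service. Give every entry a trailing comment naming its consumer (`80 443 # Caddy`, `8448 # Matrix federation`, `3478 5349 # TURN`, `7881 # LiveKit ICE/TCP`) so the list can be audited against the services that actually exist; the bare `#` above the `50100`–`50200` range is not enough.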
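Review bot: `registration_token = matrixRegistrationTokenFile;` assigns the *path* `/var/lib/matrix.key` as the token string, not the file's contents, so with `allow_registration = true;` the registration secret is a guessable literal that is also committed to this repository. If tuwunel keeps conduwuit's option set there is a file-backed variant — `registration_token_file = matrixRegistrationTokenFile;` — which is what a generated secret file needs; confirm the name against the packaged version and make sure the tuwunel service user can read the file. Note also that `server_name` changes here from `wyattjmiller.com` to `chat.wyattjmiller.com`; that is harmless before first start but is a breaking identity change once the database has users.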
@@ -133,22 +141,39 @@ client = "https://chat.wyattjmiller.com"; server = "chat.wyattjmiller.com:443"; support_email = "wyatt@wyattjmiller.com"; - support_mxid = "@wymiller:wyattjmiller.com"; + support_mxid = "@wymiller:chat.wyattjmiller.com"; - rtc_transports = { + rtc_transports = [{ type = "livekit"; livekit_service_url = "https://rtc.wyattjmiller.com"; - }; + }]; }; }; }; }; + # TURN/STUN server + services.coturn = { + enable = true; + no-cli = false; + no-tcp-relay = false; + realm = "turn.wyattjmiller.com"; + min-port = 49000; + max-port = 50000; + + # TODO: fill out this extraConfig option a bit more with denial of private IP addresses + extraConfig = '' + verbose + no-multicast-peers + ''; + }; + # LiveKit (Matrix RTC) services.livekit = { enable = true; package = pkgs.livekit; openFirewall = true; + keyFile = livekitKeyFile; settings = { port = 7880; room.auto_create = true; @@ -169,7 +194,7 @@ reverse_proxy localhost:8008 ''; }; - "chat.wyattjmiller.com:8443" = { + "chat.wyattjmiller.com:8448" = { extraConfig = '' encode zstd gzip reverse_proxy localhost:8008 
@@ -196,20 +221,40 @@ }; }; - # TURN/STUN server - services.coturn = { + # LiveKit JWT service + services.lk-jwt-service = { enable = true; - no-cli = false; - no-tcp-relay = false; - realm = "turn.wyattjmiller.com"; - min-port = 49000; - max-port = 50000; + port = 8080; + livekitUrl = "wss://rtc.wyattjmiller.com"; + keyFile = livekitKeyFile; + # settings = { + # keys = { + # "2rew2444" = "aAssWw18asef3fa5ldehHhjunlijj8x="; + # }; + # }; + }; - # TODO: fill out this extraConfig option a bit more with denial of private IP addresses - extraConfig = '' - verbose - no-multicast-peers + # Generate LiveKit key if it doesn't exist + systemd.services.livekit-key = { + before = [ + "lk-jwt-service.service" + "livekit.service" + ]; + wantedBy = [ "multi-user.target" ]; + path = with pkgs; [ + livekit + coreutils + gawk + ]; + script = '' + echo "Key missing, generating key" + echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${livekitKeyFile}" ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + unitConfig.ConditionPathExists = "!${livekitKeyFile}"; }; system.stateVersion = "25.11"; diff --git a/modules/machine/yshtola/hardware-configuration.nix b/modules/machine/yshtola/hardware-configuration.nix index e69de29..7f5f6fd 100644 --- a/modules/machine/yshtola/hardware-configuration.nix +++ b/modules/machine/yshtola/hardware-configuration.nix 
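Review bot: The `livekit-key` unit writes the LiveKit API secret with a plain `echo ... > "${livekitKeyFile}"` as root and no `umask`, so the file is created with the default 0644 mode — readable by every local user and service — and `/var/lib/livekit` is never created, so on a fresh VM the redirect fails and `ConditionPathExists` simply retries next boot. Create the directory and restrict the file before writing: `install -d -m 0700 "$(dirname "${livekitKeyFile}")"` then `umask 077` ahead of the redirect. Deriving the secret from `livekit-server generate-keys | tail -1 | awk '{print $3}'` ties correctness to that command's output layout; `openssl rand -hex 32` for the secret (and a short `openssl rand -hex 8` for the key id) is simpler and equally strong. The commented-out `keys = { "2rew2444" = "aAssWw18..." }` sample should be deleted rather than left as a template — placeholder credentials in a public config are what people copy.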
@@ -0,0 +1,35 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ]; + boot.kernelParams = [ "console=ttyS0,19200n8" ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + boot.loader.grub.extraConfig = '' + serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1; + terminal_input serial; + terminal_output serial; + ''; + boot.loader.grub.forceInstall = true; +# boot.loader.grub.enable = true; + boot.loader.grub.device = "nodev"; + boot.loader.timeout = 10; + + fileSystems."/" = + { device = "/dev/sda"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/sdb"; } + ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} From 7e0d58c0971f8bc61a6242cfb645a465034cdf19 Mon Sep 17 00:00:00 2001 From: "Wyatt J. Miller" Date: Mon, 23 Feb 2026 21:29:11 -0600 Subject: [PATCH 06/14] wip: modified livekit-key service --- modules/machine/yshtola/configuration.nix | 30 +++++++++++++---------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/modules/machine/yshtola/configuration.nix b/modules/machine/yshtola/configuration.nix index e774ec6..6032b42 100644 --- a/modules/machine/yshtola/configuration.nix +++ b/modules/machine/yshtola/configuration.nix @@ -1,4 +1,3 @@ - { pkgs, userName, 
@@ -236,25 +235,30 @@ in { # Generate LiveKit key if it doesn't exist systemd.services.livekit-key = { - before = [ - "lk-jwt-service.service" - "livekit.service" - ]; + before = [ "lk-jwt-service.service" "livekit.service" ]; wantedBy = [ "multi-user.target" ]; - path = with pkgs; [ - livekit - coreutils - gawk - ]; + path = with pkgs; [ coreutils openssl ]; script = '' - echo "Key missing, generating key" - echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${livekitKeyFile}" + set -eu + + if [ -f "${livekitKeyFile}" ]; then + exit 0 + fi + + install -d -m 0700 "$(dirname "${livekitKeyFile}")" + + API_KEY="$(openssl rand -hex 8)" + API_SECRET="$(openssl rand -hex 32)" + + # keyFile format for nixpkgs services.livekit.keyFile: + # a YAML map of apiKey -> apiSecret (no surrounding "keys:" key) + umask 077 + printf '%s: %s\n' "$API_KEY" "$API_SECRET" > "${livekitKeyFile}" ''; serviceConfig = { Type = "oneshot"; User = "root"; }; - unitConfig.ConditionPathExists = "!${livekitKeyFile}"; }; system.stateVersion = "25.11"; From 14dbc1363e20e96a8bb7234b06a852bcd1b09e8c Mon Sep 17 00:00:00 2001 From: "Wyatt J. Miller" Date: Mon, 23 Feb 2026 22:30:45 -0500 Subject: [PATCH 07/14] things happened --- modules/machine/yshtola/configuration.nix | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/modules/machine/yshtola/configuration.nix b/modules/machine/yshtola/configuration.nix index e774ec6..2065dc3 100644 --- a/modules/machine/yshtola/configuration.nix +++ b/modules/machine/yshtola/configuration.nix @@ -207,7 +207,7 @@ in { } handle @jwt_service { - reverse_proxy localhost:8081 + reverse_proxy localhost:8080 } handle { 
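Review bot: `livekit-key` orders itself `before` the two consumers, but nothing makes them depend on it, so if key generation fails (or the unit is not part of a partial `switch` transaction) `livekit.service` and `lk-jwt-service.service` start anyway and die later on a missing credential with a less obvious error. Replace `wantedBy = [ "multi-user.target" ];` with `requiredBy = [ "lk-jwt-service.service" "livekit.service" ];` (keeping `before`) so the dependents both pull in and are blocked by the generator. The `umask 077` / `install -d -m 0700` change is the right fix for the previous world-readable file; since the result is root-owned 0600, this relies on the nixpkgs `livekit` and `lk-jwt-service` modules passing `keyFile` through systemd credentials rather than opening the path as their service user — worth a one-line comment once that is confirmed.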
@@ -225,13 +225,8 @@ in { services.lk-jwt-service = { enable = true; port = 8080; - livekitUrl = "wss://rtc.wyattjmiller.com"; + livekitUrl = "ws://127.0.0.1:7880"; keyFile = livekitKeyFile; - # settings = { - # keys = { - # "2rew2444" = "aAssWw18asef3fa5ldehHhjunlijj8x="; - # }; - # }; }; # Generate LiveKit key if it doesn't exist From 6b586d80ab5ede803fac72d142ce5d4fa23eaa07 Mon Sep 17 00:00:00 2001 From: "Wyatt J. Miller" Date: Tue, 24 Feb 2026 00:08:30 -0500 Subject: [PATCH 08/14] final touches to matrix, livekit, lk-jwt-service --- modules/machine/yshtola/configuration.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/machine/yshtola/configuration.nix b/modules/machine/yshtola/configuration.nix index 25f3c06..2a042a3 100644 --- a/modules/machine/yshtola/configuration.nix +++ b/modules/machine/yshtola/configuration.nix @@ -72,6 +72,7 @@ in { allowedUDPPorts = [ 3478 + 7881 8448 ]; @@ -224,7 +225,7 @@ in { services.lk-jwt-service = { enable = true; port = 8080; - livekitUrl = "ws://127.0.0.1:7880"; + livekitUrl = "wss://rtc.wyattjmiller.com"; keyFile = livekitKeyFile; }; From b3954838d25dd9ea49f82f52b741bfa63aaa0b72 Mon Sep 17 00:00:00 2001 From: "Wyatt J. Miller" Date: Tue, 24 Feb 2026 00:42:55 -0500 Subject: [PATCH 09/14] modularized yshtola pulled out the FQDNs and repeating strings that i don't need repeated --- modules/machine/yshtola/configuration.nix | 108 ++++++++++++---------- 1 file changed, 59 insertions(+), 49 deletions(-) diff --git a/modules/machine/yshtola/configuration.nix b/modules/machine/yshtola/configuration.nix index 2a042a3..187f301 100644 --- a/modules/machine/yshtola/configuration.nix +++ b/modules/machine/yshtola/configuration.nix 
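Review bot: `livekitUrl = "ws://127.0.0.1:7880";` is, as I read lk-jwt-service, the SFU URL it hands back to clients in the `/sfu/get` response, not an address it connects to itself, so every remote client would be told to open a WebSocket to its own loopback and calls would fail; the public `wss://rtc.wyattjmiller.com` (which the following patch restores) is the correct value, and Caddy's `rtc` vhost already terminates TLS for it. Separately, the `index e774ec6..2065dc3` line shows this patch was generated against PATCH 05's tree rather than PATCH 06's (`6032b42`), so the series as exported may not apply in order — re-export from a linear history before merging.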
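Review bot: Opening UDP `7881` does not match how LiveKit is configured in this file: 7881 is its ICE/TCP fallback port, while media flows over the `rtc.port_range_start`/`rtc.port_range_end` UDP range, which `settings.rtc` does not set here — so the defaults apply and the firewall's `49000`–`50000` (coturn's relay range) and `50100`–`50200` may not cover them. Set the LiveKit range explicitly and open exactly that range, e.g. `rtc.port_range_start = 50100; rtc.port_range_end = 50200;` with a matching comment on the firewall entry, and drop UDP 7881 unless LiveKit is told to use it.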
@@ -2,7 +2,12 @@ pkgs, userName, ... -}:let +}: let + # INFO: set these to your liking + matrixFqdn = "chat.wyattjmiller.com"; + rtcFqdn = "rtc.wyattjmiller.com"; + + supportEmail = "wyatt@wyattjmiller.com"; livekitKeyFile = "/var/lib/livekit/livekit.key"; matrixRegistrationTokenFile = "/var/lib/matrix.key"; in { @@ -19,8 +24,6 @@ in { # Custom kernel/boot stuff boot.kernelPackages = pkgs.linuxPackages_latest; - # boot.loader.systemd-boot.enable = true; # TODO: check on this - # boot.loader.efi.canTouchEfiVariables = true; # Set your timezone time.timeZone = "America/Detroit"; @@ -117,14 +120,13 @@ in { package = pkgs.matrix-tuwunel; settings = { global = { - server_name = "chat.wyattjmiller.com"; + server_name = matrixFqdn; allow_encryption = true; allow_federation = true; allow_registration = true; registration_token = matrixRegistrationTokenFile; allow_unstable_room_versions = false; allow_experimental_room_versions = false; - # encryption_enabled_by_default_for_room_type = false; zstd_compression = true; new_user_displayname_suffix = "✨"; max_request_size = 1048575600; # 100MB in bytes, for file uploads 
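Review bot: `server_name = matrixFqdn;` bakes `chat.wyattjmiller.com` into every user ID and room alias (`@wymiller:chat.wyattjmiller.com`), while the `well_known` block already delegates client and federation traffic to that host — delegation is precisely what would let `server_name` stay the apex `wyattjmiller.com` with `@wymiller:wyattjmiller.com`. If the subdomain identity is deliberate that is fine, but it cannot be changed once the database has users, so a comment on the `matrixFqdn` binding stating which choice was made (and why) will stop the next reader from "fixing" it. In the apex design the apex's `/.well-known/matrix/*` would also have to be served, which the Caddy vhosts here do not do.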
@@ -138,36 +140,20 @@ in { port = [ 8008 ]; well_known = { - client = "https://chat.wyattjmiller.com"; - server = "chat.wyattjmiller.com:443"; - support_email = "wyatt@wyattjmiller.com"; - support_mxid = "@wymiller:chat.wyattjmiller.com"; + client = "https://${matrixFqdn}"; + server = "${matrixFqdn}:443"; + support_email = supportEmail; + support_mxid = "@wymiller:${matrixFqdn}"; rtc_transports = [{ type = "livekit"; - livekit_service_url = "https://rtc.wyattjmiller.com"; + livekit_service_url = "https://${rtcFqdn}"; }]; }; }; }; }; - # TURN/STUN server - services.coturn = { - enable = true; - no-cli = false; - no-tcp-relay = false; - realm = "turn.wyattjmiller.com"; - min-port = 49000; - max-port = 50000; - - # TODO: fill out this extraConfig option a bit more with denial of private IP addresses - extraConfig = '' - verbose - no-multicast-peers - ''; - }; - # LiveKit (Matrix RTC) services.livekit = { enable = true; @@ -188,19 +174,19 @@ in { enable = true; package = pkgs.caddy; virtualHosts = { - "chat.wyattjmiller.com" = { + "${matrixFqdn}" = { extraConfig = '' encode zstd gzip reverse_proxy localhost:8008 ''; }; - "chat.wyattjmiller.com:8448" = { + "${matrixFqdn}:8448" = { extraConfig = '' encode zstd gzip reverse_proxy localhost:8008 ''; }; - "rtc.wyattjmiller.com" = { + "${rtcFqdn}" = { extraConfig = '' @jwt_service { path /sfu/get* /healthz* 
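Review bot: This hunk deletes `services.coturn` entirely, yet the firewall (untouched in this patch) still opens TCP/UDP 3478, 5349 and UDP 49000–50000 for it, and the commit message only mentions factoring out FQDNs. If TURN is intentionally gone, close those ports in the same change and say so in the message; if it is not, `rtc_transports` now advertises only LiveKit with no TURN fallback for clients behind symmetric NAT. Leaving ports open for a service that no longer exists is how stale exposure accumulates.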
@@ -230,30 +216,54 @@ in { }; # Generate LiveKit key if it doesn't exist - systemd.services.livekit-key = { - before = [ "lk-jwt-service.service" "livekit.service" ]; - wantedBy = [ "multi-user.target" ]; - path = with pkgs; [ coreutils openssl ]; - script = '' - set -eu + systemd.services = { + matrix-registration-token-gen = { + before = [ "tuwunel.service" ]; + wantedBy = [ "multi-user.target" ]; + path = with pkgs; [ coreutils openssl ]; + script = '' + set -eu - if [ -f "${livekitKeyFile}" ]; then - exit 0 - fi + if [ -f "${matrixRegistrationTokenFile}" ]; then + exit 0 + fi - install -d -m 0700 "$(dirname "${livekitKeyFile}")" + install -d -m 0700 "$(dirname "${matrixRegistrationTokenFile}")" - API_KEY="$(openssl rand -hex 8)" - API_SECRET="$(openssl rand -hex 32)" + TOKEN="$(openssl rand -hex 32)" - # keyFile format for nixpkgs services.livekit.keyFile: - # a YAML map of apiKey -> apiSecret (no surrounding "keys:" key) - umask 077 - printf '%s: %s\n' "$API_KEY" "$API_SECRET" > "${livekitKeyFile}" - ''; - serviceConfig = { - Type = "oneshot"; - User = "root"; + umask 077 + printf '%s\n' "$TOKEN" > "${matrixRegistrationTokenFile}" + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + }; + + livekit-key-gen = { + before = [ "lk-jwt-service.service" "livekit.service" ]; + wantedBy = [ "multi-user.target" ]; + path = with pkgs; [ coreutils openssl ]; + script = '' + set -eu + + if [ -f "${livekitKeyFile}" ]; then + exit 0 + fi + + install -d -m 0700 "$(dirname "${livekitKeyFile}")" + + API_KEY="$(openssl rand -hex 8)" + API_SECRET="$(openssl rand -hex 32)" + + umask 077 + printf '%s: %s\n' "$API_KEY" "$API_SECRET" > "${livekitKeyFile}" + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; }; }; From 9fe67f2b977b82c926b025f470a831cd58eae1b8 Mon Sep 17 00:00:00 2001 
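Review bot: `install -d -m 0700 "$(dirname "${matrixRegistrationTokenFile}")"` with `matrixRegistrationTokenFile = "/var/lib/matrix.key"` executes `install -d -m 0700 /var/lib`; GNU `install -d` applies the mode to an existing directory, so this chmods `/var/lib` itself to 0700 and every non-root service with state under it (tuwunel, LiveKit, Caddy, any DynamicUser unit) loses access on the next boot. Give the token its own directory (e.g. `/var/lib/tuwunel-secrets/registration_token`) or drop the `install -d` for a path whose parent always exists. The generated token is also only useful if the homeserver reads the file: elsewhere in this file `registration_token = matrixRegistrationTokenFile;` passes the path as the token string, so that should be the file-backed option (`registration_token_file` in conduwuit-derived configs — verify for tuwunel), and a root-owned 0600 file is not readable by the tuwunel service user unless it is passed as a systemd credential. `before = [ "tuwunel.service" ]` hard-codes a unit name as well; check the unit the nixpkgs `services.matrix-tuwunel` module actually creates (it may be `matrix-tuwunel.service`), otherwise the ordering is silently a no-op.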
From: "Wyatt J. Miller" Date: Tue, 24 Feb 2026 01:00:06 -0500 Subject: [PATCH 10/14] updated machine module readme --- modules/machine/README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/modules/machine/README.md b/modules/machine/README.md index 216232e..315a8cc 100644 --- a/modules/machine/README.md +++ b/modules/machine/README.md @@ -10,6 +10,10 @@ I like Final Fantasy, alright? Isn't everyone supposed to have a hobby? These are named after Final Fantasy VII characters. -### Servers/Network Infrastructure +### Servers/Network Infrastructure (bare metal) These are named after Final Fantasy summons. There is some infrastructure missing here like my routers and switches that I also name after summons. + +### Servers/Network Infrastructure (virtual machines) + +These are named after Final Fantasy XIV Online characters (currently, these are named after the Scions of the Seventh Dawn). From 098478fa0f0a05ceef0cc5d30a0ff4760a3abb7b Mon Sep 17 00:00:00 2001 From: "Wyatt J. Miller" Date: Wed, 18 Mar 2026 11:42:59 -0400 Subject: [PATCH 11/14] added login quotes --- home/shell.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/home/shell.nix b/home/shell.nix index 7b07646..f8266c1 100644 --- a/home/shell.nix +++ b/home/shell.nix @@ -62,7 +62,9 @@ "If you’ve brought your ivory standard, I’ll be happy to tell you where you can stick it" \ "Speeches? Oh, yes, I love them. There's nothing like a good exposition when you're having trouble sleeping!" \ "Somehow, the boy just isn't very buoyant" \ - "I am...not interested, little sun. Try again when you have become a man" + "I am...not interested, little sun. Try again when you have become a man" \ + "I am rightousness! And rightousness shall previal!" \ + "Ahhh such bliss!" set choose_meme (random)"%"(count $memes) From eb26a93944dc025dbcd6d42adb843f99fef87faf Mon Sep 17 00:00:00 2001 
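Review bot: Two of the added quotes are misspelled: `"I am rightousness! And rightousness shall previal!"` should read `"I am righteousness! And righteousness shall prevail!"`. Cosmetic, but these strings are printed at every login.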
From: "Wyatt J. Miller" Date: Mon, 23 Mar 2026 20:21:52 -0400 Subject: [PATCH 12/14] modified linux home packages why did i ever get rid of this in the first place? --- home/packages/linux.nix | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/home/packages/linux.nix b/home/packages/linux.nix index e06b684..7cc2912 100644 --- a/home/packages/linux.nix +++ b/home/packages/linux.nix @@ -1,4 +1,15 @@ { lib, pkgs, isNixOS ? true, ... }: lib.mkIf pkgs.stdenv.isLinux { - + home.packages = with pkgs; [ + imv + xdg-utils + ] ++ lib.optionals isNixOS [ + vesktop + xfce.thunar + pavucontrol + zathura + gpu-screen-recorder + gpu-screen-recorder-gtk + inetutils + ]; } From 937deb70795131657c7404c6ef6b095e29efdf55 Mon Sep 17 00:00:00 2001 From: "Wyatt J. Miller" Date: Mon, 23 Mar 2026 20:39:02 -0400 Subject: [PATCH 13/14] added some git aliases --- home/git.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/home/git.nix b/home/git.nix index db30f9d..ab4f498 100644 --- a/home/git.nix +++ b/home/git.nix @@ -40,6 +40,11 @@ ca = "commit -am"; dc = "diff --cached"; amend = "commit --amend -m"; + wipe = "git reset --hard"; + gg = "git reset --hard"; + ggs = "git reset --hard"; + sw = "git switch"; + r = "git restore"; # aliases for submodules update = "submodule update --init --recursive"; From 2f378ddc22228cd6ca3f8afbedf6d8cb3b23a93b Mon Sep 17 00:00:00 2001 From: "Wyatt J. Miller" Date: Mon, 23 Mar 2026 21:15:36 -0400 Subject: [PATCH 14/14] added some shell quotes --- home/shell.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/home/shell.nix b/home/shell.nix index f8266c1..a1fa065 100644 --- a/home/shell.nix +++ b/home/shell.nix 
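Review bot: The five new aliases embed the `git` prefix — `wipe = "git reset --hard";` — but git alias values are git subcommands, so `git wipe` expands to `git git reset --hard` and fails with "'git' is not a git command"; the existing entries above (`ca = "commit -am";`) use the correct form. Write `wipe = "reset --hard";`, `sw = "switch";`, `r = "restore";` and so on, or prefix the value with `!` if a shell command is intended. Mapping both `gg` and `ggs` to `reset --hard` also means a two-keystroke typo discards uncommitted work; consider `reset --keep` or reserving such short names for non-destructive commands.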
@@ -64,7 +64,11 @@ "Somehow, the boy just isn't very buoyant" \ "I am...not interested, little sun. Try again when you have become a man" \ "I am rightousness! And rightousness shall previal!" \ - "Ahhh such bliss!" + "Ahhh such bliss!" \ + "The gods themselves will be my meal. Your dear companions my dessert. Upon this world I'll feast, and death shall follow in my wake. All your hate, all your rage, you will render unto me." \ + "Boring, boring, boring" \ + "Would you be 'happier' had I a 'good reason'?" \ + "A test of your reflexes!" set choose_meme (random)"%"(count $memes)