Merge remote-tracking branch 'origin' into thancred

2026-03-23 21:25:36 -04:00
parent 80fd89c5ac 2f378ddc22
commit 89cdef92a7
8 changed files with 364 additions and 2 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -162,6 +162,7 @@
      # ];
    };

+    # Vintage story server
    nixosConfigurations."thancred" = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      specialArgs = {
@@ -187,6 +188,32 @@
      ];
    };

+    # Matrix and Mastodon server
+    nixosConfigurations."yshtola" = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      specialArgs = {
+        inherit userName userEmail;
+        hostname = "yshtola";
+        role = "server";
+      };
+      modules = [
+        myOverlays
+        ./modules/common
+        ./modules/machine/yshtola
+
+        home-manager.nixosModules.home-manager
+        {
+          home-manager.useGlobalPkgs = true;
+          home-manager.useUserPackages = true;
+          home-manager.extraSpecialArgs = extraSpecialArgs // { isNixOS = true; role = "server"; };
+          home-manager.backupFileExtension = "bak";
+          home-manager.users.${userName}.imports = [
+            ./home
+          ];
+        }
+      ];
+    };
+
    # generic non-NixOS Linux machine
    homeConfigurations."generic" = let
      hostname = builtins.getEnv "HOSTNAME";
--- a/home/git.nix
+++ b/home/git.nix
@@ -40,6 +40,11 @@
      ca = "commit -am";
      dc = "diff --cached";
      amend = "commit --amend -m";
+      wipe = "git reset --hard";
+      gg = "git reset --hard";
+      ggs = "git reset --hard";
+      sw = "git switch";
+      r = "git restore";

      # aliases for submodules
      update = "submodule update --init --recursive";
--- a/home/packages/linux.nix
+++ b/home/packages/linux.nix
@@ -3,5 +3,13 @@ lib.mkIf pkgs.stdenv.isLinux {
  home.packages = with pkgs; [
    imv
    xdg-utils
+  ] ++ lib.optionals isNixOS [
+    vesktop
+    xfce.thunar
+    pavucontrol
+    zathura
+    gpu-screen-recorder
+    gpu-screen-recorder-gtk
+    inetutils
  ];
 }
--- a/home/shell.nix
+++ b/home/shell.nix
@@ -62,7 +62,13 @@
            "If you’ve brought your ivory standard, I’ll be happy to tell you where you can stick it" \
            "Speeches? Oh, yes, I love them. There's nothing like a good exposition when you're having trouble sleeping!" \
            "Somehow, the boy just isn't very buoyant" \
-            "I am...not interested, little sun. Try again when you have become a man"
+            "I am...not interested, little sun. Try again when you have become a man" \
+            "I am rightousness! And rightousness shall previal!" \
+            "Ahhh such bliss!" \
+            "The gods themselves will be my meal. Your dear companions my dessert. Upon this world I'll feast, and death shall follow in my wake. All your hate, all your rage, you will render unto me." \
+            "Boring, boring, boring" \
+            "Would you be 'happier' had I a 'good reason'?" \
+            "A test of your reflexes!"


          set choose_meme (random)"%"(count $memes)
--- a/modules/machine/README.md
+++ b/modules/machine/README.md
@@ -10,6 +10,10 @@ I like Final Fantasy, alright? Isn't everyone supposed to have a hobby?

 These are named after Final Fantasy VII characters.

-### Servers/Network Infrastructure
+### Servers/Network Infrastructure (bare metal)

 These are named after Final Fantasy summons. There is some infrastructure missing here like my routers and switches that I also name after summons.
+
+### Servers/Network Infrastructure (virtual machines)
+
+These are named after Final Fantasy XIV Online characters (currently, these are named after the Scions of the Seventh Dawn).
--- a/modules/machine/yshtola/configuration.nix
+++ b/modules/machine/yshtola/configuration.nix
@@ -0,0 +1,271 @@
+{
+  pkgs,
+  userName,
+  ...
+}: let
+  # INFO: set these to your liking
+  matrixFqdn = "chat.wyattjmiller.com";
+  rtcFqdn = "rtc.wyattjmiller.com";
+
+  supportEmail = "wyatt@wyattjmiller.com";
+  livekitKeyFile = "/var/lib/livekit/livekit.key";
+  matrixRegistrationTokenFile = "/var/lib/matrix.key";
+in {
+  imports = [
+    ../../pwrMgmt
+  ];
+
+  # Enable flakes for NixOS
+  nix.settings.experimental-features = ["nix-command" "flakes"];
+
+  nix.settings = {
+    download-buffer-size = 134217728;  # 128 MiB in bytes
+  };
+
+  # Custom kernel/boot stuff
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  # Set your timezone
+  time.timeZone = "America/Detroit";
+
+  # Enable OpenSSH
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = "no";
+    settings.PasswordAuthentication = false;
+  };
+
+  # Enable keyring
+  services.gnome.gnome-keyring.enable = true;
+
+  # Enable GnuPG
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
+
+  # Enable SUID wrappers (some programs need them)
+  programs.mtr.enable = true;
+
+  # Enable Polkit
+  security.polkit.enable = true;
+
+  # Power management (see ../../pwrMgmt/default.nix)
+  pwrMgmt = {
+    enable = true;
+    cpuFreqGovernor = "performance";
+    powertop.enable = false;
+  };
+
+  # Firewall settings (fallback, upstream way of doing things)
+  networking.firewall = {
+    enable = true;
+
+    allowedTCPPorts = [
+      80
+      443
+      8448
+      3478
+      5349
+      7880
+      7881
+      8080
+      8081
+    ];
+
+    allowedUDPPorts = [
+      3478
+      7881
+      8448
+    ];
+
+    allowedUDPPortRanges =[
+      # TURN UDP relays
+      { 
+        from = 49000;
+        to = 50000;
+      }
+      # 
+      {
+        from = 50100;
+        to = 50200;
+      }
+    ];
+  };
+
+  # Add username to groups "wheel" and "video" - more may be added here later
+  users.users.${userName} = {
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV9eSc9L+aJLoKoexq2f/jb5rpyZnhuGiyhS8YQAbaS wyatt@wyattjmiller.com"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4WKvKnnYpTbzZHFEslOKyfiiMqWxhW3AfX6E7ACmYU wyatt@wyattjmiller.com"
+    ];
+    extraGroups = ["wheel" "video" "network"];
+  };
+
+  # fail2ban
+  services.fail2ban = {
+    enable = true;
+    package = pkgs.fail2ban;
+    maxretry = 5;
+    bantime = "3h";
+    bantime-increment = {
+      enable = true;
+      rndtime = "10m";
+    };
+  };
+
+  # Matrix server
+  services.matrix-tuwunel = {
+    enable = true;
+    package = pkgs.matrix-tuwunel;
+    settings = {
+      global = {
+        server_name = matrixFqdn;
+        allow_encryption = true;
+        allow_federation = true;
+        allow_registration = true;
+        registration_token = matrixRegistrationTokenFile;
+        allow_unstable_room_versions = false;
+        allow_experimental_room_versions = false;
+        zstd_compression = true;
+        new_user_displayname_suffix = "✨";
+        max_request_size = 1048575600; # 100MB in bytes, for file uploads
+        database_backup_path = "/var/lib/tuwunel/database_backups";
+        database_backups_to_keep = 2;
+
+        address = [
+          "127.0.0.1"
+          "::1"
+        ];
+        port = [ 8008 ];
+
+        well_known = {
+          client = "https://${matrixFqdn}";
+          server = "${matrixFqdn}:443";
+          support_email = supportEmail;
+          support_mxid = "@wymiller:${matrixFqdn}";
+          
+          rtc_transports = [{
+            type = "livekit";
+            livekit_service_url = "https://${rtcFqdn}";
+          }];
+        };
+      };
+    };
+  };
+
+  # LiveKit (Matrix RTC)
+  services.livekit = {
+    enable = true;
+    package = pkgs.livekit;
+    openFirewall = true;
+    keyFile = livekitKeyFile;
+    settings = {
+      port = 7880;
+      room.auto_create = true;
+      rtc = {
+        use_external_ip = true;
+      };
+    };
+  };
+
+  # Reverse proxy
+  services.caddy = {
+    enable = true;
+    package = pkgs.caddy;
+    virtualHosts = {
+      "${matrixFqdn}" = {
+        extraConfig = ''
+          encode zstd gzip
+          reverse_proxy localhost:8008
+        '';
+      };
+      "${matrixFqdn}:8448" = {
+        extraConfig = ''
+          encode zstd gzip
+          reverse_proxy localhost:8008
+        '';
+      };
+      "${rtcFqdn}" = {
+        extraConfig = ''
+          @jwt_service {
+            path /sfu/get* /healthz*
+          }
+
+          handle @jwt_service {
+            reverse_proxy localhost:8080
+          }
+
+          handle {
+            reverse_proxy localhost:7880 {
+              header_up Connection "upgrade"
+              header_up Upgrade {http.request.header.Upgrade}
+            }
+          }
+        '';
+      };
+    };
+  };
+
+  # LiveKit JWT service
+  services.lk-jwt-service = {
+    enable = true;
+    port = 8080;
+    livekitUrl = "wss://rtc.wyattjmiller.com";
+    keyFile = livekitKeyFile;
+  };
+
+  # Generate LiveKit key if it doesn't exist
+  systemd.services = {
+    matrix-registration-token-gen = {
+      before = [ "tuwunel.service" ];
+      wantedBy = [ "multi-user.target" ];
+      path = with pkgs; [ coreutils openssl ];
+      script = ''
+        set -eu
+
+        if [ -f "${matrixRegistrationTokenFile}" ]; then
+          exit 0
+        fi
+
+        install -d -m 0700 "$(dirname "${matrixRegistrationTokenFile}")"
+
+        TOKEN="$(openssl rand -hex 32)"
+
+        umask 077
+        printf '%s\n' "$TOKEN" > "${matrixRegistrationTokenFile}"
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+      };
+    };
+
+    livekit-key-gen = {
+      before = [ "lk-jwt-service.service" "livekit.service" ];
+      wantedBy = [ "multi-user.target" ];
+      path = with pkgs; [ coreutils openssl ];
+      script = ''
+        set -eu
+
+        if [ -f "${livekitKeyFile}" ]; then
+          exit 0
+        fi
+
+        install -d -m 0700 "$(dirname "${livekitKeyFile}")"
+
+        API_KEY="$(openssl rand -hex 8)"
+        API_SECRET="$(openssl rand -hex 32)"
+
+        umask 077
+        printf '%s: %s\n' "$API_KEY" "$API_SECRET" > "${livekitKeyFile}"
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+      };
+    };
+  };
+
+  system.stateVersion = "25.11";
+}
--- a/modules/machine/yshtola/default.nix
+++ b/modules/machine/yshtola/default.nix
@@ -0,0 +1,6 @@
+{ ... }: {
+  imports = [
+    ./configuration.nix
+    ./hardware-configuration.nix
+  ];
+}
--- a/modules/machine/yshtola/hardware-configuration.nix
+++ b/modules/machine/yshtola/hardware-configuration.nix
@@ -0,0 +1,35 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
+  boot.kernelParams = [ "console=ttyS0,19200n8" ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+  boot.loader.grub.extraConfig = ''
+    serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
+    terminal_input serial;
+    terminal_output serial;
+  '';
+  boot.loader.grub.forceInstall = true;
+#  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "nodev";
+  boot.loader.timeout = 10;
+
+  fileSystems."/" =
+    { device = "/dev/sda";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/sdb"; }
+    ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}