diff --git a/flake.nix b/flake.nix index 45f93d3..2a55f9e 100644 --- a/flake.nix +++ b/flake.nix @@ -162,6 +162,31 @@ # ]; }; + nixosConfigurations."yshtola" = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { + inherit userName userEmail; + hostname = "yshtola"; + role = "server"; + }; + modules = [ + myOverlays + ./modules/common + ./modules/machine/yshtola + + home-manager.nixosModules.home-manager + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.extraSpecialArgs = extraSpecialArgs // { isNixOS = true; role = "server"; }; + home-manager.backupFileExtension = "bak"; + home-manager.users.${userName}.imports = [ + ./home + ]; + } + ]; + }; + # generic non-NixOS Linux machine homeConfigurations."generic" = let hostname = builtins.getEnv "HOSTNAME"; diff --git a/home/packages/linux.nix b/home/packages/linux.nix index 79436a2..e06b684 100644 --- a/home/packages/linux.nix +++ b/home/packages/linux.nix @@ -1,18 +1,4 @@ { lib, pkgs, isNixOS ? true, ... }: lib.mkIf pkgs.stdenv.isLinux { - home.packages = with pkgs; [ - imv - xdg-utils - ] ++ lib.optionals isNixOS [ - betterdiscordctl - vesktop - xfce.thunar - pavucontrol - godot - aseprite - zathura - gpu-screen-recorder - gpu-screen-recorder-gtk - inetutils - ]; + } diff --git a/modules/machine/yshtola/configuration.nix b/modules/machine/yshtola/configuration.nix new file mode 100644 index 0000000..187f301 --- /dev/null +++ b/modules/machine/yshtola/configuration.nix 
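Review bot: `role = "server"` is written twice in the new `nixosConfigurations."yshtola"` block, once in `specialArgs` and again inside the `home-manager.extraSpecialArgs = extraSpecialArgs // { isNixOS = true; role = "server"; }` override, so the two copies can drift apart when the host's role changes. Binding it once (a `let role = "server"; in` around the `nixpkgs.lib.nixosSystem` call) and using `inherit role;` in both attribute sets keeps a single source of truth, matching how `hostname = "yshtola"` is already given only once. The enclosing `outputs` attribute set that this block sits in starts and ends outside the hunk.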
@@ -0,0 +1,271 @@ +{ + pkgs, + userName, + ... +}: let + # INFO: set these to your liking + matrixFqdn = "chat.wyattjmiller.com"; + rtcFqdn = "rtc.wyattjmiller.com"; + + supportEmail = "wyatt@wyattjmiller.com"; + livekitKeyFile = "/var/lib/livekit/livekit.key"; + matrixRegistrationTokenFile = "/var/lib/matrix.key"; +in { + imports = [ + ../../pwrMgmt + ]; + + # Enable flakes for NixOS + nix.settings.experimental-features = ["nix-command" "flakes"]; + + nix.settings = { + download-buffer-size = 134217728; # 128 MiB in bytes + }; + + # Custom kernel/boot stuff + boot.kernelPackages = pkgs.linuxPackages_latest; + + # Set your timezone + time.timeZone = "America/Detroit"; + + # Enable OpenSSH + services.openssh = { + enable = true; + settings.PermitRootLogin = "no"; + settings.PasswordAuthentication = false; + }; + + # Enable keyring + services.gnome.gnome-keyring.enable = true; + + # Enable GnuPG + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + # Enable SUID wrappers (some programs need them) + programs.mtr.enable = true; + + # Enable Polkit + security.polkit.enable = true; + + # Power management (see ../../pwrMgmt/default.nix) + pwrMgmt = { + enable = true; + cpuFreqGovernor = "performance"; + powertop.enable = false; + }; + + # Firewall settings (fallback, upstream way of doing things) + networking.firewall = { + enable = true; + + allowedTCPPorts = [ + 80 + 443 + 8448 + 3478 + 5349 + 7880 + 7881 + 8080 + 8081 + ]; + + allowedUDPPorts = [ + 3478 + 7881 + 8448 + ]; + + allowedUDPPortRanges =[ + # TURN UDP relays + { + from = 49000; + to = 50000; + } + # + { + from = 50100; + to = 50200; + } + ]; + }; + + # Add username to groups "wheel" and "video" - more may be added here later + users.users.${userName} = { + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV9eSc9L+aJLoKoexq2f/jb5rpyZnhuGiyhS8YQAbaS wyatt@wyattjmiller.com" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4WKvKnnYpTbzZHFEslOKyfiiMqWxhW3AfX6E7ACmYU 
wyatt@wyattjmiller.com" + ]; + extraGroups = ["wheel" "video" "network"]; + }; + + # fail2ban + services.fail2ban = { + enable = true; + package = pkgs.fail2ban; + maxretry = 5; + bantime = "3h"; + bantime-increment = { + enable = true; + rndtime = "10m"; + }; + }; + + # Matrix server + services.matrix-tuwunel = { + enable = true; + package = pkgs.matrix-tuwunel; + settings = { + global = { + server_name = matrixFqdn; + allow_encryption = true; + allow_federation = true; + allow_registration = true; + registration_token = matrixRegistrationTokenFile; + allow_unstable_room_versions = false; + allow_experimental_room_versions = false; + zstd_compression = true; + new_user_displayname_suffix = "✨"; + max_request_size = 1048575600; # 100MB in bytes, for file uploads + database_backup_path = "/var/lib/tuwunel/database_backups"; + database_backups_to_keep = 2; + + address = [ + "127.0.0.1" + "::1" + ]; + port = [ 8008 ]; + + well_known = { + client = "https://${matrixFqdn}"; + server = "${matrixFqdn}:443"; + support_email = supportEmail; + support_mxid = "@wymiller:${matrixFqdn}"; + + rtc_transports = [{ + type = "livekit"; + livekit_service_url = "https://${rtcFqdn}"; + }]; + }; + }; + }; + }; + + # LiveKit (Matrix RTC) + services.livekit = { + enable = true; + package = pkgs.livekit; + openFirewall = true; + keyFile = livekitKeyFile; + settings = { + port = 7880; + room.auto_create = true; + rtc = { + use_external_ip = true; + }; + }; + }; + + # Reverse proxy + services.caddy = { + enable = true; + package = pkgs.caddy; + virtualHosts = { + "${matrixFqdn}" = { + extraConfig = '' + encode zstd gzip + reverse_proxy localhost:8008 + ''; + }; + "${matrixFqdn}:8448" = { + extraConfig = '' + encode zstd gzip + reverse_proxy localhost:8008 + ''; + }; + "${rtcFqdn}" = { + extraConfig = '' + @jwt_service { + path /sfu/get* /healthz* + } + + handle @jwt_service { + reverse_proxy localhost:8080 + } + + handle { + reverse_proxy localhost:7880 { + header_up Connection "upgrade" + 
header_up Upgrade {http.request.header.Upgrade} + } + } + ''; + }; + }; + }; + + # LiveKit JWT service + services.lk-jwt-service = { + enable = true; + port = 8080; + livekitUrl = "wss://rtc.wyattjmiller.com"; + keyFile = livekitKeyFile; + }; + + # Generate LiveKit key if it doesn't exist + systemd.services = { + matrix-registration-token-gen = { + before = [ "tuwunel.service" ]; + wantedBy = [ "multi-user.target" ]; + path = with pkgs; [ coreutils openssl ]; + script = '' + set -eu + + if [ -f "${matrixRegistrationTokenFile}" ]; then + exit 0 + fi + + install -d -m 0700 "$(dirname "${matrixRegistrationTokenFile}")" + + TOKEN="$(openssl rand -hex 32)" + + umask 077 + printf '%s\n' "$TOKEN" > "${matrixRegistrationTokenFile}" + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + }; + + livekit-key-gen = { + before = [ "lk-jwt-service.service" "livekit.service" ]; + wantedBy = [ "multi-user.target" ]; + path = with pkgs; [ coreutils openssl ]; + script = '' + set -eu + + if [ -f "${livekitKeyFile}" ]; then + exit 0 + fi + + install -d -m 0700 "$(dirname "${livekitKeyFile}")" + + API_KEY="$(openssl rand -hex 8)" + API_SECRET="$(openssl rand -hex 32)" + + umask 077 + printf '%s: %s\n' "$API_KEY" "$API_SECRET" > "${livekitKeyFile}" + ''; + serviceConfig = { + Type = "oneshot"; + User = "root"; + }; + }; + }; + + system.stateVersion = "25.11"; +} diff --git a/modules/machine/yshtola/default.nix b/modules/machine/yshtola/default.nix new file mode 100644 index 0000000..3c4d411 --- /dev/null +++ b/modules/machine/yshtola/default.nix @@ -0,0 +1,6 @@ +{ ... }: { + imports = [ + ./configuration.nix + ./hardware-configuration.nix + ]; +} diff --git a/modules/machine/yshtola/hardware-configuration.nix b/modules/machine/yshtola/hardware-configuration.nix new file mode 100644 index 0000000..7f5f6fd --- /dev/null +++ b/modules/machine/yshtola/hardware-configuration.nix 
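Review bot: In `services.matrix-tuwunel.settings.global`, `registration_token = matrixRegistrationTokenFile;` hands tuwunel the string `"/var/lib/matrix.key"` itself as the token rather than the random value that the `matrix-registration-token-gen` unit writes to that path, so with `allow_registration = true` the registration gate is a fixed, easily guessed constant and the generated secret is never consumed. Tuwunel, as a conduwuit fork, reads tokens from disk through a separate option (`registration_token_file` in conduwuit — confirm the name against the packaged config schema), so the line should read `registration_token_file = matrixRegistrationTokenFile;`, and the generator script then needs to make the file readable by the service's user instead of root-only under `umask 077` (ownership in the script, or a `LoadCredential` entry on the tuwunel unit). A smaller point in `networking.firewall.allowedTCPPorts`: 7880 and 8080 are opened to the network even though both listeners are only meant to be reached through the Caddy `rtcFqdn` virtual host, which bypasses the TLS termination, and 8081 has no listener anywhere in this file; dropping those three entries keeps the LiveKit HTTP API and the JWT service behind the proxy. The `before = [ "tuwunel.service" ]` ordering also assumes that unit name — worth checking it matches what the NixOS module actually defines, since a mismatch silently removes the ordering guarantee.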
@@ -0,0 +1,35 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ]; + boot.kernelParams = [ "console=ttyS0,19200n8" ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + boot.loader.grub.extraConfig = '' + serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1; + terminal_input serial; + terminal_output serial; + ''; + boot.loader.grub.forceInstall = true; +# boot.loader.grub.enable = true; + boot.loader.grub.device = "nodev"; + boot.loader.timeout = 10; + + fileSystems."/" = + { device = "/dev/sda"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/sdb"; } + ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +}