forgot branding

pulled out the FQDNs and repeating strings that i don't need repeated

modules/machine/yshtola/configuration.nix

@@ -1,10 +1,24 @@
 {
   pkgs,
+  config,
   userName,
   ...
 }: let
+  # INFO: set these to your liking
+  matrixFqdn = "chat.wyattjmiller.com";
+  rtcFqdn = "rtc.wyattjmiller.com";
+
+  supportEmail = "wyatt@wyattjmiller.com";
   livekitKeyFile = "/var/lib/livekit/livekit.key";
   matrixRegistrationTokenFile = "/var/lib/matrix.key";
+  mastodonFqdn = "social.wyattjmiller.com";
+  mastodonSecretsDir = "/var/lib/mastodon/secrets";
+
+  # After deploying Mastodon, register an OAuth application at
+  # https://social.wyattjmiller.com/settings/applications and write the
+  # client ID / secret to these paths (chmod 400, owned by the tuwunel user):
+  mastodonOauthClientIdFile = "/var/lib/tuwunel/mastodon-oauth-client-id";
+  mastodonOauthClientSecretFile = "/var/lib/tuwunel/mastodon-oauth-client-secret";
 in {
   imports = [
     ../../pwrMgmt
@@ -19,8 +33,6 @@ in {
 
   # Custom kernel/boot stuff
   boot.kernelPackages = pkgs.linuxPackages_latest;
-  #  boot.loader.systemd-boot.enable = true; # TODO: check on this
-  #  boot.loader.efi.canTouchEfiVariables = true;
 
   # Set your timezone
   time.timeZone = "America/Detroit";
@@ -91,6 +103,8 @@ in {
   };
 
   # Add username to groups "wheel" and "video" - more may be added here later
+  users.users.caddy.extraGroups = [ "mastodon" ];
+
   users.users.${userName} = {
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV9eSc9L+aJLoKoexq2f/jb5rpyZnhuGiyhS8YQAbaS wyatt@wyattjmiller.com"
@@ -111,20 +125,38 @@ in {
     };
   };
 
+  # Mastodon service — social.wyattjmiller.com
+  services.mastodon = {
+    enable = true;
+    localDomain = mastodonFqdn;
+    configureNginx = false;
+    secretKeyBaseFile = "${mastodonSecretsDir}/secret_key_base";
+    otpSecretFile = "${mastodonSecretsDir}/otp_secret";
+    vapidPrivateKeyFile = "${mastodonSecretsDir}/vapid_private_key";
+    vapidPublicKeyFile = "${mastodonSecretsDir}/vapid_public_key";
+    # Configure SMTP after initial deploy via mastodonSecretsDir or a separate
+    # NixOS secrets manager (sops-nix / agenix).
+    smtp = {
+      host = "mail.wyattjmiller.com";
+      port = 25;
+      fromAddress = "notifications@${mastodonFqdn}";
+      authenticate = false;
+    };
+  };
+
   # Matrix server
   services.matrix-tuwunel = {
     enable = true;
     package = pkgs.matrix-tuwunel;
     settings = {
       global = {
-        server_name = "chat.wyattjmiller.com";
+        server_name = matrixFqdn;
         allow_encryption = true;
         allow_federation = true;
         allow_registration = true;
         registration_token = matrixRegistrationTokenFile;
         allow_unstable_room_versions = false;
         allow_experimental_room_versions = false;
-        # encryption_enabled_by_default_for_room_type = false;
         zstd_compression = true;
         new_user_displayname_suffix = "✨";
         max_request_size = 1048575600; # 100MB in bytes, for file uploads
@@ -138,34 +170,41 @@ in {
         port = [ 8008 ];
 
         well_known = {
-          client = "https://chat.wyattjmiller.com";
+          client = "https://${matrixFqdn}";
-          server = "chat.wyattjmiller.com:443";
+          server = "${matrixFqdn}:443";
-          support_email = "wyatt@wyattjmiller.com";
+          support_email = supportEmail;
-          support_mxid = "@wymiller:chat.wyattjmiller.com";
+          support_mxid = "@wymiller:${matrixFqdn}";
           
           rtc_transports = [{
             type = "livekit";
-            livekit_service_url = "https://rtc.wyattjmiller.com";
+            livekit_service_url = "https://${rtcFqdn}";
           }];
         };
-      };
-    };
-  };
 
-  # TURN/STUN server
+        # Mastodon as OIDC provider for Matrix login.
-  services.coturn = {
+        # Mastodon 4.3+ exposes OpenID Connect discovery at
-    enable = true;
+        # https://<domain>/.well-known/openid-configuration.
-    no-cli = false;
+        #
-    no-tcp-relay = false;
+        # REQUIRED RUNTIME SETUP (once, after first Mastodon deploy):
-    realm = "turn.wyattjmiller.com";
+        #   1. Visit https://social.wyattjmiller.com/settings/applications
-    min-port = 49000;
+        #   2. Create a new application with the redirect URI:
-    max-port = 50000;
+        #        https://chat.wyattjmiller.com/_matrix/client/v3/login/sso/redirect/oidc-mastodon
-
+        #      and scopes: read:accounts
-    # TODO: fill out this extraConfig option a bit more with denial of private IP addresses
+        #   3. Write the Application ID  → /var/lib/tuwunel/mastodon-oauth-client-id  (chmod 400, owned by tuwunel)
-    extraConfig = ''
+        #      Write the Client Secret   → /var/lib/tuwunel/mastodon-oauth-client-secret
-      verbose
+        #   4. nixos-rebuild switch (or restart tuwunel.service)
-      no-multicast-peers
+        identity_provider= [
-    '';
+          {
+            brand = "Mastodon";
+            issuer_url = "https://${mastodonFqdn}";
+            id = "oidc-mastodon";
+            client_id = mastodonOauthClientIdFile;
+            client_secret = mastodonOauthClientSecretFile;
+            scope = ["openid" "read:accounts"];
+          }
+        ];
+      };
+    };
   };
 
   # LiveKit (Matrix RTC)
@@ -188,19 +227,45 @@ in {
     enable = true;
     package = pkgs.caddy;
     virtualHosts = {
-      "chat.wyattjmiller.com" = {
+      "${mastodonFqdn}" = {
+        extraConfig = ''
+          encode zstd gzip
+
+          root * ${config.services.mastodon.package}/public
+
+          handle /system/* {
+            uri strip_prefix /system
+            root * /var/lib/mastodon/public-system
+            file_server
+          }
+
+          @streaming path /api/v1/streaming*
+          handle @streaming {
+            reverse_proxy localhost:4000
+          }
+
+          handle {
+            @notfile not file
+            handle @notfile {
+              reverse_proxy localhost:3000
+            }
+            file_server
+          }
+        '';
+      };
+      "${matrixFqdn}" = {
         extraConfig = ''
           encode zstd gzip
           reverse_proxy localhost:8008
         '';
       };
-      "chat.wyattjmiller.com:8448" = {
+      "${matrixFqdn}:8448" = {
         extraConfig = ''
           encode zstd gzip
           reverse_proxy localhost:8008
         '';
       };
-      "rtc.wyattjmiller.com" = {
+      "${rtcFqdn}" = {
         extraConfig = ''
           @jwt_service {
             path /sfu/get* /healthz*
@@ -230,7 +295,32 @@ in {
   };
 
   # Generate LiveKit key if it doesn't exist
-  systemd.services.livekit-key = {
+  systemd.services = {
+    matrix-registration-token-gen = {
+      before = [ "tuwunel.service" ];
+      wantedBy = [ "multi-user.target" ];
+      path = with pkgs; [ coreutils openssl ];
+      script = ''
+        set -eu
+
+        if [ -f "${matrixRegistrationTokenFile}" ]; then
+          exit 0
+        fi
+
+        install -d -m 0700 "$(dirname "${matrixRegistrationTokenFile}")"
+
+        TOKEN="$(openssl rand -hex 32)"
+
+        umask 077
+        printf '%s\n' "$TOKEN" > "${matrixRegistrationTokenFile}"
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+      };
+    };
+
+    livekit-key-gen = {
       before = [ "lk-jwt-service.service" "livekit.service" ];
       wantedBy = [ "multi-user.target" ];
       path = with pkgs; [ coreutils openssl ];
@@ -246,8 +336,6 @@ in {
         API_KEY="$(openssl rand -hex 8)"
         API_SECRET="$(openssl rand -hex 32)"
 
-      # keyFile format for nixpkgs services.livekit.keyFile:
-      # a YAML map of apiKey -> apiSecret (no surrounding "keys:" key)
         umask 077
         printf '%s: %s\n' "$API_KEY" "$API_SECRET" > "${livekitKeyFile}"
       '';
@@ -257,5 +345,49 @@ in {
       };
     };
 
+    mastodon-secrets-gen = {
+      before = [ "mastodon-web.service" "mastodon-sidekiq-0.service" "mastodon-streaming.service" ];
+      wantedBy = [ "multi-user.target" ];
+      path = with pkgs; [ coreutils openssl ruby_3_4 ];
+      script = ''
+        set -eu
+
+        dir="${mastodonSecretsDir}"
+        install -d -m 0750 -o mastodon -g mastodon "$dir"
+
+        gen_hex() {
+          local f="$1"
+          if [ ! -f "$f" ]; then
+            umask 077
+            openssl rand -hex 64 | install -o mastodon -g mastodon -m 0400 /dev/stdin "$f"
+          fi
+        }
+
+        gen_hex "$dir/secret_key_base"
+        gen_hex "$dir/otp_secret"
+
+        if [ ! -f "$dir/vapid_private_key" ]; then
+          umask 077
+          ruby -ropenssl -rbase64 -e '
+            key = OpenSSL::PKey::EC.generate("prime256v1")
+            priv = Base64.urlsafe_encode64(key.private_key.to_s(2).rjust(32, "\x00"), padding: false)
+            pub  = Base64.urlsafe_encode64(key.public_key.to_bn.to_s(2), padding: false)
+            File.write(ARGV[0], priv)
+            File.write(ARGV[1], pub)
+          ' \
+            "$dir/vapid_private_key" \
+            "$dir/vapid_public_key"
+          chown mastodon:mastodon "$dir/vapid_private_key" "$dir/vapid_public_key"
+          chmod 0400 "$dir/vapid_private_key" "$dir/vapid_public_key"
+        fi
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        RemainAfterExit = true;
+      };
+    };
+  };
+
   system.stateVersion = "25.11";
 }