got sso working

changed sso parameters
Merge branch 'yshtola-build' of https://scm.wyattjmiller.com/wymiller/nix-config-v2 into yshtola-build
2026-05-10 17:49:18 -04:00 · 2026-05-10 14:42:08 -04:00 · 2026-03-01 23:14:25 -05:00 · 2026-03-01 23:14:00 -05:00 · 2026-03-01 23:12:04 -05:00 · 2026-03-01 23:11:50 -05:00
6 changed files with 149 additions and 45 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -9,11 +9,11 @@
        "rust-overlay": "rust-overlay"
      },
      "locked": {
-        "lastModified": 1774186997,
-        "narHash": "sha256-hyNVlhAqmwcBPl7XRkxbGcMt1BfCOdvuEfBDUf0k8Oo=",
+        "lastModified": 1771170334,
+        "narHash": "sha256-tCgoCWORfNHaRXTh2QS44LwxlV8q28jVvjN5ioMicv8=",
        "owner": "ezKEa",
        "repo": "aagl-gtk-on-nix",
-        "rev": "546e95f7ec74892a31f883a10b1723c35f2c2edd",
+        "rev": "821b4f92c2c0981ea5b571b03403df87d2b2e2ae",
        "type": "github"
      },
      "original": {
@@ -29,11 +29,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1772129556,
-        "narHash": "sha256-Utk0zd8STPsUJPyjabhzPc5BpPodLTXrwkpXBHYnpeg=",
+        "lastModified": 1767634391,
+        "narHash": "sha256-owcSz2ICqTSvhBbhPP+1eWzi88e54rRZtfCNE5E/wwg=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "ebec37af18215214173c98cf6356d0aca24a2585",
+        "rev": "08585aacc3d6d6c280a02da195fdbd4b9cf083c2",
        "type": "github"
      },
      "original": {
@@ -94,11 +94,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1774274588,
-        "narHash": "sha256-dnHvv5EMUgTzGZmA+3diYjQU2O6BEpGLEOgJ1Qe9LaY=",
+        "lastModified": 1770260404,
+        "narHash": "sha256-3iVX1+7YUIt23hBx1WZsUllhbmP2EnXrV8tCRbLxHc8=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "cf9686ba26f5ef788226843bc31fda4cf72e373b",
+        "rev": "0d782ee42c86b196acff08acfbf41bb7d13eed5b",
        "type": "github"
      },
      "original": {
@@ -142,11 +142,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1774244481,
-        "narHash": "sha256-4XfMXU0DjN83o6HWZoKG9PegCvKvIhNUnRUI19vzTcQ=",
+        "lastModified": 1771043024,
+        "narHash": "sha256-O1XDr7EWbRp+kHrNNgLWgIrB0/US5wvw9K6RERWAj6I=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "4590696c8693fea477850fe379a01544293ca4e2",
+        "rev": "3aadb7ca9eac2891d52a9dec199d9580a6e2bf44",
        "type": "github"
      },
      "original": {
@@ -235,11 +235,11 @@
        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
-        "lastModified": 1774321696,
-        "narHash": "sha256-g18xMjMNla/nsF5XyQCNyWmtb2UlZpkY0XE8KinIXAA=",
+        "lastModified": 1771211437,
+        "narHash": "sha256-lcNK438i4DGtyA+bPXXyVLHVmJjYpVKmpux9WASa3ro=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "49a67e6894d4cb782842ee6faa466aa90c92812d",
+        "rev": "c62195b3d6e1bb11e0c2fb2a494117d3b55d410f",
        "type": "github"
      },
      "original": {
--- a/home/git.nix
+++ b/home/git.nix
@@ -31,7 +31,6 @@
      a = "add";
      ap = "add -p";
      br = "branch";
-      cb = "checkout -b";
      co = "checkout";
      st = "status -sb";
      status = "status -sb";
@@ -41,11 +40,6 @@
      ca = "commit -am";
      dc = "diff --cached";
      amend = "commit --amend -m";
-      wipe = "reset --hard";
-      gg = "reset --hard";
-      ggs = "reset --hard";
-      sw = "switch";
-      r = "restore";

      # aliases for submodules
      update = "submodule update --init --recursive";
--- a/home/packages/linux.nix
+++ b/home/packages/linux.nix
@@ -1,15 +1,4 @@
 { lib, pkgs, isNixOS ? true, ... }:
 lib.mkIf pkgs.stdenv.isLinux {
-  home.packages = with pkgs; [
-    imv
-    xdg-utils
-  ] ++ lib.optionals isNixOS [
-    vesktop
-    xfce.thunar
-    pavucontrol
-    zathura
-    gpu-screen-recorder
-    gpu-screen-recorder-gtk
-    inetutils
-  ];
+
 }
--- a/home/shell.nix
+++ b/home/shell.nix
@@ -62,13 +62,7 @@
            "If you’ve brought your ivory standard, I’ll be happy to tell you where you can stick it" \
            "Speeches? Oh, yes, I love them. There's nothing like a good exposition when you're having trouble sleeping!" \
            "Somehow, the boy just isn't very buoyant" \
-            "I am...not interested, little sun. Try again when you have become a man" \
-            "I am rightousness! And rightousness shall previal!" \
-            "Ahhh such bliss!" \
-            "The gods themselves will be my meal. Your dear companions my dessert. Upon this world I'll feast, and death shall follow in my wake. All your hate, all your rage, you will render unto me." \
-            "Boring, boring, boring" \
-            "Would you be 'happier' had I a 'good reason'?" \
-            "A test of your reflexes!"
+            "I am...not interested, little sun. Try again when you have become a man"


          set choose_meme (random)"%"(count $memes)
--- a/modules/machine/README.md
+++ b/modules/machine/README.md
@@ -10,10 +10,6 @@ I like Final Fantasy, alright? Isn't everyone supposed to have a hobby?

 These are named after Final Fantasy VII characters.

-### Servers/Network Infrastructure (bare metal)
+### Servers/Network Infrastructure

 These are named after Final Fantasy summons. There is some infrastructure missing here like my routers and switches that I also name after summons.
-
-### Servers/Network Infrastructure (virtual machines)
-
-These are named after Final Fantasy XIV Online characters (currently, these are named after the Scions of the Seventh Dawn).
--- a/modules/machine/yshtola/configuration.nix
+++ b/modules/machine/yshtola/configuration.nix
@@ -1,5 +1,7 @@
 {
+  lib,
  pkgs,
+  config,
  userName,
  ...
 }: let
@@ -10,6 +12,16 @@
  supportEmail = "wyatt@wyattjmiller.com";
  livekitKeyFile = "/var/lib/livekit/livekit.key";
  matrixRegistrationTokenFile = "/var/lib/matrix.key";
+  mastodonFqdn = "social.wyattjmiller.com";
+  mastodonSecretsDir = "/var/lib/mastodon/secrets";
+
+  # After deploying Mastodon, register an OAuth application at
+  # https://social.wyattjmiller.com/settings/applications and write the
+  # client ID / secret to these paths (chmod 400, owned by the tuwunel user):
+  mastodonOauthClientIdFile = "/var/lib/private/tuwunel/matrix-oauth-client-id";
+  mastodonOauthClientSecretFile = "/var/lib/private/tuwunel/matrix-oauth-client-secret";
+  mastodonOauthClientId = builtins.readFile mastodonOauthClientIdFile;
+  mastodonOauthClientSecret = builtins.readFile mastodonOauthClientSecretFile;
 in {
  imports = [
    ../../pwrMgmt
@@ -94,6 +106,8 @@ in {
  };

  # Add username to groups "wheel" and "video" - more may be added here later
+  users.users.caddy.extraGroups = [ "mastodon" ];
+
  users.users.${userName} = {
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV9eSc9L+aJLoKoexq2f/jb5rpyZnhuGiyhS8YQAbaS wyatt@wyattjmiller.com"
@@ -114,6 +128,28 @@ in {
    };
  };

+  # Mastodon service — social.wyattjmiller.com
+  services.mastodon = {
+    enable = true;
+    localDomain = mastodonFqdn;
+    webPort = 3000;
+    enableUnixSocket = false;
+    configureNginx = false;
+    secretKeyBaseFile = "${mastodonSecretsDir}/secret_key_base";
+    # otpSecretFile = "${mastodonSecretsDir}/otp_secret";
+    vapidPrivateKeyFile = "${mastodonSecretsDir}/vapid_private_key";
+    vapidPublicKeyFile = "${mastodonSecretsDir}/vapid_public_key";
+    streamingProcesses = 3;
+    # Configure SMTP after initial deploy via mastodonSecretsDir or a separate
+    # NixOS secrets manager (sops-nix / agenix).
+    smtp = {
+      host = "mail.wyattjmiller.com";
+      port = 25;
+      fromAddress = "notifications@${mastodonFqdn}";
+      authenticate = false;
+    };
+  };
+
  # Matrix server
  services.matrix-tuwunel = {
    enable = true;
@@ -150,6 +186,32 @@ in {
            livekit_service_url = "https://${rtcFqdn}";
          }];
        };
+
+        # Mastodon as OIDC provider for Matrix login.
+        # Mastodon 4.3+ exposes OpenID Connect discovery at
+        # https://<domain>/.well-known/openid-configuration.
+        #
+        # REQUIRED RUNTIME SETUP (once, after first Mastodon deploy):
+        #   1. Visit https://social.wyattjmiller.com/settings/applications
+        #   2. Create a new application with the redirect URI:
+        #        https://chat.wyattjmiller.com/_matrix/client/v3/login/sso/redirect/oidc-mastodon
+        #      and scopes: profile
+        #   3. Write the Client Key      → /var/lib/private/tuwunel/matrix-oauth-client-id  (chmod 400, owned by tuwunel)
+        #      Write the Client Secret   → /var/lib/private/tuwunel/matrix-oauth-client-secret
+        #   4. nixos-rebuild switch (or restart tuwunel.service)
+        identity_provider = [
+          {
+            brand = "Mastodon";
+            issuer_url = "https://${mastodonFqdn}";
+            # id = mastodonOauthClientId;
+            callback_url = "https://${matrixFqdn}/_matrix/client/unstable/login/sso/callback/${lib.removeSuffix "\n" (mastodonOauthClientId)}";
+            discovery_url = "https://${mastodonFqdn}/.well-known/oauth-authorization-server";
+            client_id = lib.removeSuffix "\n" (mastodonOauthClientId);
+            client_secret = lib.removeSuffix "\n" (mastodonOauthClientSecret);
+            scope = ["profile"];
+            userid_claims = ["preferred_username"];
+          }
+        ];
      };
    };
  };
@@ -174,6 +236,32 @@ in {
    enable = true;
    package = pkgs.caddy;
    virtualHosts = {
+      "${mastodonFqdn}" = {
+        extraConfig = ''
+          encode zstd gzip
+
+          root * ${config.services.mastodon.package}/public
+
+          handle /system/* {
+            uri strip_prefix /system
+            root * /var/lib/mastodon/public-system
+            file_server
+          }
+
+          @streaming path /api/v1/streaming*
+          handle @streaming {
+            reverse_proxy localhost:4000
+          }
+
+          handle {
+            @notfile not file
+            handle @notfile {
+              reverse_proxy localhost:3000
+            }
+            file_server
+          }
+        '';
+      };
      "${matrixFqdn}" = {
        extraConfig = ''
          encode zstd gzip
@@ -265,6 +353,49 @@ in {
        User = "root";
      };
    };
+
+    mastodon-secrets-gen = {
+      before = [ "mastodon-web.service" "mastodon-sidekiq-0.service" "mastodon-streaming.service" ];
+      wantedBy = [ "multi-user.target" ];
+      path = with pkgs; [ coreutils openssl ruby_3_4 ];
+      script = ''
+        set -eu
+
+        dir="${mastodonSecretsDir}"
+        install -d -m 0750 -o mastodon -g mastodon "$dir"
+
+        gen_hex() {
+          local f="$1"
+          if [ ! -f "$f" ]; then
+            umask 077
+            openssl rand -hex 64 | install -o mastodon -g mastodon -m 0400 /dev/stdin "$f"
+          fi
+        }
+
+        gen_hex "$dir/secret_key_base"
+        gen_hex "$dir/otp_secret"
+
+        if [ ! -f "$dir/vapid_private_key" ]; then
+          umask 077
+          ruby -ropenssl -rbase64 -e '
+            key = OpenSSL::PKey::EC.generate("prime256v1")
+            priv = Base64.urlsafe_encode64(key.private_key.to_s(2).rjust(32, "\x00"), padding: false)
+            pub  = Base64.urlsafe_encode64(key.public_key.to_bn.to_s(2), padding: false)
+            File.write(ARGV[0], priv)
+            File.write(ARGV[1], pub)
+          ' \
+            "$dir/vapid_private_key" \
+            "$dir/vapid_public_key"
+          chown mastodon:mastodon "$dir/vapid_private_key" "$dir/vapid_public_key"
+          chmod 0400 "$dir/vapid_private_key" "$dir/vapid_public_key"
+        fi
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        RemainAfterExit = true;
+      };
+    };
  };

  system.stateVersion = "25.11";
Author	SHA1	Message	Date
Wyatt J. Miller	af0357aa1e	got sso working	2026-05-10 17:49:18 -04:00
Wyatt J. Miller	4e0a2fc86f	changed sso parameters	2026-05-10 14:42:08 -04:00
Wyatt J. Miller	8b7c4fd871	Merge branch 'yshtola-build' of https://scm.wyattjmiller.com/wymiller/nix-config-v2 into yshtola-build	2026-03-01 23:14:25 -05:00
Wyatt J. Miller	e556dae87d	forgot branding	2026-03-01 23:14:00 -05:00
Wyatt J. Miller	1d04c5b5cd	Merge branch 'yshtola-build' of https://scm.wyattjmiller.com/wymiller/nix-config-v2 into yshtola-build	2026-03-01 23:12:04 -05:00
Wyatt J. Miller	313177eff7	modified config some more	2026-03-01 23:11:50 -05:00
Wyatt J. Miller	754635dafc	Merge branch 'yshtola-build' of https://scm.wyattjmiller.com/wymiller/nix-config-v2 into yshtola-build	2026-03-01 21:52:29 -05:00
Wyatt J. Miller	1b20e6d215	added mastodon group to caddy user	2026-03-01 21:51:51 -05:00
Wyatt J. Miller	edada4c1c9	Merge branch 'yshtola-build' of https://scm.wyattjmiller.com/wymiller/nix-config-v2 into yshtola-build	2026-03-01 00:09:19 -05:00
Wyatt J. Miller	11e6274e37	added some more stuff to caddy	2026-03-01 00:09:07 -05:00
Wyatt J. Miller	a2899cf823	Merge branch 'yshtola-build' of https://scm.wyattjmiller.com/wymiller/nix-config-v2 into yshtola-build	2026-02-28 23:54:18 -05:00
Wyatt J. Miller	807d099a70	added webPort, enableUnixSocket attr	2026-02-28 23:54:07 -05:00
Wyatt J. Miller	a3d0c56204	added more to proxy for mastodon	2026-02-28 23:53:13 -05:00
Wyatt J. Miller	6bdff15117	added mastodon instance	2026-02-28 21:36:02 -05:00