wip: ready for hardware configuration

flake.nix

@@ -162,6 +162,31 @@
       # ];
     };
 
+    nixosConfigurations."yshtola" = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      specialArgs = {
+        inherit userName userEmail;
+        hostname = "yshtola";
+        role = "server";
+      };
+      modules = [
+        myOverlays
+        ./modules/common
+        ./modules/machine/yshtola
+
+        home-manager.nixosModules.home-manager
+        {
+          home-manager.useGlobalPkgs = true;
+          home-manager.useUserPackages = true;
+          home-manager.extraSpecialArgs = extraSpecialArgs // { isNixOS = true; role = "server"; };
+          home-manager.backupFileExtension = "bak";
+          home-manager.users.${userName}.imports = [
+            ./home
+          ];
+        }
+      ];
+    };
+
     # generic non-NixOS Linux machine
     homeConfigurations."generic" = let
       hostname = builtins.getEnv "HOSTNAME";

modules/machine/yshtola/configuration.nix

@@ -0,0 +1,216 @@
+
+{
+  pkgs,
+  userName,
+  ...
+}: {
+  imports = [
+    ../../pwrMgmt
+    ../../networking/core.nix
+  ];
+
+  # Enable flakes for NixOS
+  nix.settings.experimental-features = ["nix-command" "flakes"];
+
+  # Custom kernel/boot stuff
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.loader.systemd-boot.enable = true; # TODO: check on this
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # Set your timezone
+  time.timeZone = "America/Detroit";
+
+  # Enable OpenSSH
+  services.openssh = {
+    enable = true;
+    PermitRootLogin = "no";
+    PasswordAuthentication = "no";
+  };
+
+  # Enable keyring
+  services.gnome.gnome-keyring.enable = true;
+
+  # Enable GnuPG
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
+
+  # Enable SUID wrappers (some programs need them)
+  programs.mtr.enable = true;
+
+  # Enable Polkit
+  security.polkit.enable = true;
+
+  # Power management (see ../../pwrMgmt/default.nix)
+  pwrMgmt = {
+    enable = true;
+    cpuFreqGovernor = "performance";
+    powertop.enable = false;
+  };
+
+  # Core networking module (see ../../networking/core.nix)
+  network = {
+    networkManager.enable = true;
+  };
+
+  # Firewall settings (fallback, upstream way of doing things)
+  networking.firewall = {
+    enable = true;
+
+    allowedTCPPorts = [
+      3478
+      5349
+      7880
+      7881
+      8080
+    ];
+
+    allowedUDPPorts = [
+      3478
+    ];
+
+    allowedUDPPortRanges =[
+      {
+        from = 49000;
+        to = 50000;
+      }
+      {
+        from = 50100;
+        to = 50200;
+      }
+    ];
+  };
+
+  # Add username to groups "wheel" and "video" - more may be added here later
+  users.users.${userName} = {
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV9eSc9L+aJLoKoexq2f/jb5rpyZnhuGiyhS8YQAbaS wyatt@wyattjmiller.com"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4WKvKnnYpTbzZHFEslOKyfiiMqWxhW3AfX6E7ACmYU wyatt@wyattjmiller.com"
+    ];
+    extraGroups = ["wheel" "video" "network"];
+  };
+
+  # fail2ban
+  services.fail2ban = {
+    enable = true;
+    package = pkgs.fail2ban;
+    maxretry = 5;
+    bantime = "3h";
+    bantime-increment = {
+      enable = true;
+      rndtime = "10m";
+    };
+  };
+
+  # Matrix server
+  services.matrix-tuwunel = {
+    enable = true;
+    package = pkgs.matrix-tuwunel;
+    settings = {
+      global = {
+        server_name = "wyattjmiller.com";
+        allow_encryption = true;
+        allow_federation = true;
+        allow_registration = false;
+        allow_unstable_room_versions = false;
+        allow_experimental_room_versions = false;
+        encryption_enabled_by_default_for_room_type = "all";
+        zstd_compression = true;
+        new_user_displayname_suffix = "✨";
+        max_request_size = 1048575600; # 100MB in bytes, for file uploads
+        database_path = "/var/lib/tuwunel";
+        database_backup_path = "/var/lib/tuwunel/database_backups";
+        database_backups_to_keep = 2;
+
+        address = [
+          "127.0.0.1"
+          "::1"
+        ];
+        port = [ 8008 ];
+
+        well_known = {
+          client = "https://chat.wyattjmiller.com";
+          server = "chat.wyattjmiller.com:443";
+          support_email = "wyatt@wyattjmiller.com";
+          support_mxid = "@wymiller:wyattjmiller.com";
+          
+          rtc_transports = {
+            type = "livekit";
+            livekit_service_url = "https://rtc.wyattjmiller.com";
+          };
+        };
+      };
+    };
+  };
+
+  # LiveKit (Matrix RTC)
+  services.livekit = {
+    enable = true;
+    package = pkgs.livekit;
+    openFirewall = true;
+    settings = {
+      port = 7880;
+      room.auto_create = true;
+      rtc = {
+        use_external_ip = true;
+      };
+    };
+  };
+
+  # Reverse proxy
+  services.caddy = {
+    enable = true;
+    package = pkgs.caddy;
+    virtualHosts = {
+      "chat.wyattjmiller.com" = {
+        extraConfig = ''
+          encode zstd gzip
+          reverse_proxy localhost:8008
+        '';
+      };
+      "chat.wyattjmiller.com:8443" = {
+        extraConfig = ''
+          encode zstd gzip
+          reverse_proxy localhost:8008
+        '';
+      };
+      "rtc.wyattjmiller.com" = {
+        extraConfig = ''
+          @jwt_service {
+            path /sfu/get* /healthz*
+          }
+
+          handle @jwt_service {
+            reverse_proxy localhost:8081
+          }
+
+          handle {
+            reverse_proxy localhost:7880 {
+              header_up Connection "upgrade"
+              header_up Upgrade {http.request.header.Upgrade}
+            }
+          }
+        '';
+      };
+    };
+  };
+
+  # TURN/STUN server
+  services.coturn = {
+    enable = true;
+    no-cli = false;
+    no-tcp-relay = false;
+    realm = "turn.wyattjmiller.com";
+    min-port = 49000;
+    max-port = 50000;
+
+    # TODO: fill out this extraConfig option a bit more with denial of private IP addresses
+    extraConfig = ''
+      verbose
+      no-multicast-peers
+    '';
+  };
+
+  system.stateVersion = "25.11";
+}

modules/machine/yshtola/default.nix

@@ -0,0 +1,6 @@
+{ ... }: {
+  imports = [
+    ./configuration.nix
+    ./hardware-configuration.nix
+  ];
+}