forgot branding

modified config some more
added mastodon group to caddy user
2026-03-01 23:14:00 -05:00 · 2026-03-01 23:11:50 -05:00 · 2026-03-01 21:51:51 -05:00 · 2026-03-01 00:09:07 -05:00 · 2026-02-28 23:53:13 -05:00 · 2026-02-28 21:36:02 -05:00
3 changed files with 124 additions and 8 deletions
--- a/home/shell.nix
+++ b/home/shell.nix
@@ -62,9 +62,7 @@
            "If you’ve brought your ivory standard, I’ll be happy to tell you where you can stick it" \
            "Speeches? Oh, yes, I love them. There's nothing like a good exposition when you're having trouble sleeping!" \
            "Somehow, the boy just isn't very buoyant" \
-            "I am...not interested, little sun. Try again when you have become a man" \
-            "I am rightousness! And rightousness shall previal!" \
-            "Ahhh such bliss!"
+            "I am...not interested, little sun. Try again when you have become a man"


          set choose_meme (random)"%"(count $memes)
--- a/modules/machine/README.md
+++ b/modules/machine/README.md
@@ -10,10 +10,6 @@ I like Final Fantasy, alright? Isn't everyone supposed to have a hobby?

 These are named after Final Fantasy VII characters.

-### Servers/Network Infrastructure (bare metal)
+### Servers/Network Infrastructure

 These are named after Final Fantasy summons. There is some infrastructure missing here like my routers and switches that I also name after summons.
-
-### Servers/Network Infrastructure (virtual machines)
-
-These are named after Final Fantasy XIV Online characters (currently, these are named after the Scions of the Seventh Dawn).
--- a/modules/machine/yshtola/configuration.nix
+++ b/modules/machine/yshtola/configuration.nix
@@ -1,5 +1,6 @@
 {
  pkgs,
+  config,
  userName,
  ...
 }: let
@@ -10,6 +11,14 @@
  supportEmail = "wyatt@wyattjmiller.com";
  livekitKeyFile = "/var/lib/livekit/livekit.key";
  matrixRegistrationTokenFile = "/var/lib/matrix.key";
+  mastodonFqdn = "social.wyattjmiller.com";
+  mastodonSecretsDir = "/var/lib/mastodon/secrets";
+
+  # After deploying Mastodon, register an OAuth application at
+  # https://social.wyattjmiller.com/settings/applications and write the
+  # client ID / secret to these paths (chmod 400, owned by the tuwunel user):
+  mastodonOauthClientIdFile = "/var/lib/tuwunel/mastodon-oauth-client-id";
+  mastodonOauthClientSecretFile = "/var/lib/tuwunel/mastodon-oauth-client-secret";
 in {
  imports = [
    ../../pwrMgmt
@@ -94,6 +103,8 @@ in {
  };

  # Add username to groups "wheel" and "video" - more may be added here later
+  users.users.caddy.extraGroups = [ "mastodon" ];
+
  users.users.${userName} = {
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV9eSc9L+aJLoKoexq2f/jb5rpyZnhuGiyhS8YQAbaS wyatt@wyattjmiller.com"
@@ -114,6 +125,25 @@ in {
    };
  };

+  # Mastodon service — social.wyattjmiller.com
+  services.mastodon = {
+    enable = true;
+    localDomain = mastodonFqdn;
+    configureNginx = false;
+    secretKeyBaseFile = "${mastodonSecretsDir}/secret_key_base";
+    otpSecretFile = "${mastodonSecretsDir}/otp_secret";
+    vapidPrivateKeyFile = "${mastodonSecretsDir}/vapid_private_key";
+    vapidPublicKeyFile = "${mastodonSecretsDir}/vapid_public_key";
+    # Configure SMTP after initial deploy via mastodonSecretsDir or a separate
+    # NixOS secrets manager (sops-nix / agenix).
+    smtp = {
+      host = "mail.wyattjmiller.com";
+      port = 25;
+      fromAddress = "notifications@${mastodonFqdn}";
+      authenticate = false;
+    };
+  };
+
  # Matrix server
  services.matrix-tuwunel = {
    enable = true;
@@ -150,6 +180,29 @@ in {
            livekit_service_url = "https://${rtcFqdn}";
          }];
        };
+
+        # Mastodon as OIDC provider for Matrix login.
+        # Mastodon 4.3+ exposes OpenID Connect discovery at
+        # https://<domain>/.well-known/openid-configuration.
+        #
+        # REQUIRED RUNTIME SETUP (once, after first Mastodon deploy):
+        #   1. Visit https://social.wyattjmiller.com/settings/applications
+        #   2. Create a new application with the redirect URI:
+        #        https://chat.wyattjmiller.com/_matrix/client/v3/login/sso/redirect/oidc-mastodon
+        #      and scopes: read:accounts
+        #   3. Write the Application ID  → /var/lib/tuwunel/mastodon-oauth-client-id  (chmod 400, owned by tuwunel)
+        #      Write the Client Secret   → /var/lib/tuwunel/mastodon-oauth-client-secret
+        #   4. nixos-rebuild switch (or restart tuwunel.service)
+        identity_provider= [
+          {
+            brand = "Mastodon";
+            issuer_url = "https://${mastodonFqdn}";
+            id = "oidc-mastodon";
+            client_id = mastodonOauthClientIdFile;
+            client_secret = mastodonOauthClientSecretFile;
+            scope = ["openid" "read:accounts"];
+          }
+        ];
      };
    };
  };
@@ -174,6 +227,32 @@ in {
    enable = true;
    package = pkgs.caddy;
    virtualHosts = {
+      "${mastodonFqdn}" = {
+        extraConfig = ''
+          encode zstd gzip
+
+          root * ${config.services.mastodon.package}/public
+
+          handle /system/* {
+            uri strip_prefix /system
+            root * /var/lib/mastodon/public-system
+            file_server
+          }
+
+          @streaming path /api/v1/streaming*
+          handle @streaming {
+            reverse_proxy localhost:4000
+          }
+
+          handle {
+            @notfile not file
+            handle @notfile {
+              reverse_proxy localhost:3000
+            }
+            file_server
+          }
+        '';
+      };
      "${matrixFqdn}" = {
        extraConfig = ''
          encode zstd gzip
@@ -265,6 +344,49 @@ in {
        User = "root";
      };
    };
+
+    mastodon-secrets-gen = {
+      before = [ "mastodon-web.service" "mastodon-sidekiq-0.service" "mastodon-streaming.service" ];
+      wantedBy = [ "multi-user.target" ];
+      path = with pkgs; [ coreutils openssl ruby_3_4 ];
+      script = ''
+        set -eu
+
+        dir="${mastodonSecretsDir}"
+        install -d -m 0750 -o mastodon -g mastodon "$dir"
+
+        gen_hex() {
+          local f="$1"
+          if [ ! -f "$f" ]; then
+            umask 077
+            openssl rand -hex 64 | install -o mastodon -g mastodon -m 0400 /dev/stdin "$f"
+          fi
+        }
+
+        gen_hex "$dir/secret_key_base"
+        gen_hex "$dir/otp_secret"
+
+        if [ ! -f "$dir/vapid_private_key" ]; then
+          umask 077
+          ruby -ropenssl -rbase64 -e '
+            key = OpenSSL::PKey::EC.generate("prime256v1")
+            priv = Base64.urlsafe_encode64(key.private_key.to_s(2).rjust(32, "\x00"), padding: false)
+            pub  = Base64.urlsafe_encode64(key.public_key.to_bn.to_s(2), padding: false)
+            File.write(ARGV[0], priv)
+            File.write(ARGV[1], pub)
+          ' \
+            "$dir/vapid_private_key" \
+            "$dir/vapid_public_key"
+          chown mastodon:mastodon "$dir/vapid_private_key" "$dir/vapid_public_key"
+          chmod 0400 "$dir/vapid_private_key" "$dir/vapid_public_key"
+        fi
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        RemainAfterExit = true;
+      };
+    };
  };

  system.stateVersion = "25.11";
Author	SHA1	Message	Date
Wyatt J. Miller	e556dae87d	forgot branding	2026-03-01 23:14:00 -05:00
Wyatt J. Miller	313177eff7	modified config some more	2026-03-01 23:11:50 -05:00
Wyatt J. Miller	1b20e6d215	added mastodon group to caddy user	2026-03-01 21:51:51 -05:00
Wyatt J. Miller	11e6274e37	added some more stuff to caddy	2026-03-01 00:09:07 -05:00
Wyatt J. Miller	a3d0c56204	added more to proxy for mastodon	2026-02-28 23:53:13 -05:00
Wyatt J. Miller	6bdff15117	added mastodon instance	2026-02-28 21:36:02 -05:00