forgot branding

flake.lock

@@ -9,11 +9,11 @@
         "rust-overlay": "rust-overlay"
       },
       "locked": {
-        "lastModified": 1774186997,
+        "lastModified": 1771170334,
-        "narHash": "sha256-hyNVlhAqmwcBPl7XRkxbGcMt1BfCOdvuEfBDUf0k8Oo=",
+        "narHash": "sha256-tCgoCWORfNHaRXTh2QS44LwxlV8q28jVvjN5ioMicv8=",
         "owner": "ezKEa",
         "repo": "aagl-gtk-on-nix",
-        "rev": "546e95f7ec74892a31f883a10b1723c35f2c2edd",
+        "rev": "821b4f92c2c0981ea5b571b03403df87d2b2e2ae",
         "type": "github"
       },
       "original": {
@@ -29,11 +29,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1772129556,
+        "lastModified": 1767634391,
-        "narHash": "sha256-Utk0zd8STPsUJPyjabhzPc5BpPodLTXrwkpXBHYnpeg=",
+        "narHash": "sha256-owcSz2ICqTSvhBbhPP+1eWzi88e54rRZtfCNE5E/wwg=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "ebec37af18215214173c98cf6356d0aca24a2585",
+        "rev": "08585aacc3d6d6c280a02da195fdbd4b9cf083c2",
         "type": "github"
       },
       "original": {
@@ -94,11 +94,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1774274588,
+        "lastModified": 1770260404,
-        "narHash": "sha256-dnHvv5EMUgTzGZmA+3diYjQU2O6BEpGLEOgJ1Qe9LaY=",
+        "narHash": "sha256-3iVX1+7YUIt23hBx1WZsUllhbmP2EnXrV8tCRbLxHc8=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "cf9686ba26f5ef788226843bc31fda4cf72e373b",
+        "rev": "0d782ee42c86b196acff08acfbf41bb7d13eed5b",
         "type": "github"
       },
       "original": {
@@ -142,11 +142,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1774244481,
+        "lastModified": 1771043024,
-        "narHash": "sha256-4XfMXU0DjN83o6HWZoKG9PegCvKvIhNUnRUI19vzTcQ=",
+        "narHash": "sha256-O1XDr7EWbRp+kHrNNgLWgIrB0/US5wvw9K6RERWAj6I=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "4590696c8693fea477850fe379a01544293ca4e2",
+        "rev": "3aadb7ca9eac2891d52a9dec199d9580a6e2bf44",
         "type": "github"
       },
       "original": {
@@ -235,11 +235,11 @@
         "nixpkgs": "nixpkgs_3"
       },
       "locked": {
-        "lastModified": 1774321696,
+        "lastModified": 1771211437,
-        "narHash": "sha256-g18xMjMNla/nsF5XyQCNyWmtb2UlZpkY0XE8KinIXAA=",
+        "narHash": "sha256-lcNK438i4DGtyA+bPXXyVLHVmJjYpVKmpux9WASa3ro=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "49a67e6894d4cb782842ee6faa466aa90c92812d",
+        "rev": "c62195b3d6e1bb11e0c2fb2a494117d3b55d410f",
         "type": "github"
       },
       "original": {

flake.nix

@@ -162,33 +162,6 @@
       # ];
     };
 
-    # Vintage story server
-    nixosConfigurations."thancred" = nixpkgs.lib.nixosSystem {
-      system = "x86_64-linux";
-      specialArgs = {
-        inherit userName userEmail vintage-story;
-        hostname = "thancred";
-        role = "server";
-      };
-      modules = [
-        myOverlays
-        ./modules/common
-        ./modules/machine/thancred
-
-        home-manager.nixosModules.home-manager
-        {
-          home-manager.useGlobalPkgs = true;
-          home-manager.useUserPackages = true;
-          home-manager.extraSpecialArgs = extraSpecialArgs // { isNixOS = true; role = "server"; };
-          home-manager.backupFileExtension = "bak";
-          home-manager.users.${userName}.imports = [
-            ./home
-          ];
-        }
-      ];
-    };
-
-    # Matrix and Mastodon server
     nixosConfigurations."yshtola" = nixpkgs.lib.nixosSystem {
       system = "x86_64-linux";
       specialArgs = {

home/git.nix

@@ -31,7 +31,6 @@
       a = "add";
       ap = "add -p";
       br = "branch";
-      cb = "checkout -b";
       co = "checkout";
       st = "status -sb";
       status = "status -sb";
@@ -41,11 +40,6 @@
       ca = "commit -am";
       dc = "diff --cached";
       amend = "commit --amend -m";
-      wipe = "reset --hard";
-      gg = "reset --hard";
-      ggs = "reset --hard";
-      sw = "switch";
-      r = "restore";
 
       # aliases for submodules
       update = "submodule update --init --recursive";

home/packages/linux.nix

@@ -1,16 +1,4 @@
 { lib, pkgs, isNixOS ? true, ... }:
 lib.mkIf pkgs.stdenv.isLinux {
-  home.packages = with pkgs; [
+
-    imv
-    xdg-utils
-  ] ++ lib.optionals isNixOS [
-    vesktop
-    xfce.thunar
-    pavucontrol
-    zathura
-    gpu-screen-recorder
-    gpu-screen-recorder-gtk
-    inetutils
-    easyeffects
-  ];
 }

home/shell.nix

@@ -62,13 +62,7 @@
             "If you’ve brought your ivory standard, I’ll be happy to tell you where you can stick it" \
             "Speeches? Oh, yes, I love them. There's nothing like a good exposition when you're having trouble sleeping!" \
             "Somehow, the boy just isn't very buoyant" \
-            "I am...not interested, little sun. Try again when you have become a man" \
+            "I am...not interested, little sun. Try again when you have become a man"
-            "I am rightousness! And rightousness shall previal!" \
-            "Ahhh such bliss!" \
-            "The gods themselves will be my meal. Your dear companions my dessert. Upon this world I'll feast, and death shall follow in my wake. All your hate, all your rage, you will render unto me." \
-            "Boring, boring, boring" \
-            "Would you be 'happier' had I a 'good reason'?" \
-            "A test of your reflexes!"
 
 
           set choose_meme (random)"%"(count $memes)

modules/machine/README.md

@@ -10,10 +10,6 @@ I like Final Fantasy, alright? Isn't everyone supposed to have a hobby?
 
 These are named after Final Fantasy VII characters.
 
-### Servers/Network Infrastructure (bare metal)
+### Servers/Network Infrastructure
 
 These are named after Final Fantasy summons. There is some infrastructure missing here like my routers and switches that I also name after summons.
-
-### Servers/Network Infrastructure (virtual machines)
-
-These are named after Final Fantasy XIV Online characters (currently, these are named after the Scions of the Seventh Dawn).

modules/machine/thancred/configuration.nix

@@ -1,121 +0,0 @@
-{
-  pkgs,
-  userName,
-  vintage-story,
-  ...
-}: {
-  imports = [
-    ../../pwrMgmt
-    ../../networking/core.nix
-    ../../virtualization/podman.nix
-  ];
-
-  # Enable flakes for NixOS
-  nix.settings.experimental-features = ["nix-command" "flakes"];
-
-  # Custom kernel/boot stuff
-  boot.kernelPackages = pkgs.linuxPackages_latest;
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  # Set your timezone
-  time.timeZone = "America/Detroit";
-
-  # Enable OpenSSH
-  services.openssh.enable = true;
-
-  # Enable keyring
-  services.gnome.gnome-keyring.enable = true;
-
-  # Enable GnuPG
-  programs.gnupg.agent = {
-    enable = true;
-    enableSSHSupport = true;
-  };
-
-  # Enable SUID wrappers (some programs need them)
-  programs.mtr.enable = true;
-
-  # Enable Polkit
-  security.polkit.enable = true;
-
-  # Power management (see ../../pwrMgmt/default.nix)
-  pwrMgmt = {
-    enable = true;
-    cpuFreqGovernor = "performance";
-    powertop.enable = false;
-  };
-
-  network = {
-    firewall = {
-      enable = true;
-      tcpPorts = {
-        allowedPorts = [ 42420 ];
-      };
-      udpPorts = {
-        allowedPorts = [ 42420 ];
-      };
-    };
-    networkManager.enable = true;
-  };
-
-  environment.systemPackages = [
-    vintage-story.packages.${pkgs.system}.default
-  ];
-
-  systemd.services.vintagestory-server = {
-    description = "Vintage Story Server";
-    wantedBy = [ "multi-user.target" ];
-    after = [ "network.target" ];
-    serviceConfig = {
-      Type = "simple";
-      User = userName;
-      WorkingDirectory = "/home/${userName}";
-      ExecStart = "${vintage-story.packages.${pkgs.system}.default}/bin/vintagestory-server";
-      Restart = "on-failure";
-      RestartSec = "5s";
-    };
-  };
-
-  # Add username to groups "wheel" and "video" - more may be added here later
-  users = {
-    groups.hazel = {};
-    users = {
-      ${userName} = {
-        extraGroups = [ "wheel" "network" ];
-        openssh.authorizedKeys.keys = [
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV9eSc9L+aJLoKoexq2f/jb5rpyZnhuGiyhS8YQAbaS wyatt@wyattjmiller.com"
-          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4WKvKnnYpTbzZHFEslOKyfiiMqWxhW3AfX6E7ACmYU wyatt@wyattjmiller.com"
-        ];
-      };
-      "hazel" = {
-        home = "/home/hazel";
-        group = "hazel";
-        extraGroups = [ "wheel" ];
-        description = "hazel";
-        isNormalUser = true;
-        openssh.authorizedKeys.keys = [
-          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZnyiQx+k1ygX8E1lsUCB6aTdMc+OKzlZ4admlzknc5ulj0YrtUyqhbNhkNd6pP0QDBFMnXO/rzUvHp4TAyZXKFfpcBCa4zhK97ufymAfvzAjM4vRBqRNcr2n+2iRzxtolbklfjs3ocBQVxXW+pRT5wWxTgK2fcmP2xviDVldr7qte37x5YkQb5SAhYNH8tqJRnuGPe+Q0A3oN4HyHZFnrMq/HlbL5yg/0VKPTtF/IgHf+2dDz5OQQpBx3/N9u/QLwuIm9lkyOG03s0TGmE7up/i0jX2vIqp2BbGSnwdQEL/eSVZx73qQB/J62VFafg13P5yQWDJ33WSoiwhac6bg26HPmPOnCJp5R3c+7jM8N1F1ZbtsKicHSVsRg1RQSree4lchPy7FOPkCuUrB7LNE71mbpOzZNR767S6UAPaXxRw6QNYGBaDqQBwhlU8ZDF5F7EW6ahSUMOI6ECyoibzIMb56xs9osuNeUhB/BcL5sHSFpJjIbdcDLNkEKggrBl6s="
-        ];
-      };
-    };
-  };
-
-  services.fail2ban = {
-    enable = true;
-    package = pkgs.fail2ban;
-    maxretry = 5;
-    bantime = "3h";
-    bantime-increment = {
-      enable = true;
-      rndtime = "10m";
-    };
-  };
-
-  services.tailscale = {
-    enable = true;
-    package = pkgs.tailscale;
-  };
-
-  system.stateVersion = "24.11";
-}

modules/machine/thancred/default.nix

@@ -1,6 +0,0 @@
-{ ... }: {
-  imports = [
-    ./configuration.nix
-    ./hardware-configuration.nix
-  ];
-}

modules/machine/thancred/hardware-configuration.nix

@@ -1,32 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/e2e621c1-0090-472a-99d9-61c6a87bd068";
-      fsType = "ext4";
-    };
-
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/663E-15C0";
-      fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
-    };
-
-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/60104b1a-4285-4dd1-be5e-3c3dee24515a"; }
-    ];
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}

modules/machine/yshtola/configuration.nix

@@ -1,5 +1,6 @@
 {
   pkgs,
+  config,
   userName,
   ...
 }: let
@@ -10,6 +11,14 @@
   supportEmail = "wyatt@wyattjmiller.com";
   livekitKeyFile = "/var/lib/livekit/livekit.key";
   matrixRegistrationTokenFile = "/var/lib/matrix.key";
+  mastodonFqdn = "social.wyattjmiller.com";
+  mastodonSecretsDir = "/var/lib/mastodon/secrets";
+
+  # After deploying Mastodon, register an OAuth application at
+  # https://social.wyattjmiller.com/settings/applications and write the
+  # client ID / secret to these paths (chmod 400, owned by the tuwunel user):
+  mastodonOauthClientIdFile = "/var/lib/tuwunel/mastodon-oauth-client-id";
+  mastodonOauthClientSecretFile = "/var/lib/tuwunel/mastodon-oauth-client-secret";
 in {
   imports = [
     ../../pwrMgmt
@@ -94,6 +103,8 @@ in {
   };
 
   # Add username to groups "wheel" and "video" - more may be added here later
+  users.users.caddy.extraGroups = [ "mastodon" ];
+
   users.users.${userName} = {
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV9eSc9L+aJLoKoexq2f/jb5rpyZnhuGiyhS8YQAbaS wyatt@wyattjmiller.com"
@@ -114,6 +125,25 @@ in {
     };
   };
 
+  # Mastodon service — social.wyattjmiller.com
+  services.mastodon = {
+    enable = true;
+    localDomain = mastodonFqdn;
+    configureNginx = false;
+    secretKeyBaseFile = "${mastodonSecretsDir}/secret_key_base";
+    otpSecretFile = "${mastodonSecretsDir}/otp_secret";
+    vapidPrivateKeyFile = "${mastodonSecretsDir}/vapid_private_key";
+    vapidPublicKeyFile = "${mastodonSecretsDir}/vapid_public_key";
+    # Configure SMTP after initial deploy via mastodonSecretsDir or a separate
+    # NixOS secrets manager (sops-nix / agenix).
+    smtp = {
+      host = "mail.wyattjmiller.com";
+      port = 25;
+      fromAddress = "notifications@${mastodonFqdn}";
+      authenticate = false;
+    };
+  };
+
   # Matrix server
   services.matrix-tuwunel = {
     enable = true;
@@ -150,6 +180,29 @@ in {
             livekit_service_url = "https://${rtcFqdn}";
           }];
         };
+
+        # Mastodon as OIDC provider for Matrix login.
+        # Mastodon 4.3+ exposes OpenID Connect discovery at
+        # https://<domain>/.well-known/openid-configuration.
+        #
+        # REQUIRED RUNTIME SETUP (once, after first Mastodon deploy):
+        #   1. Visit https://social.wyattjmiller.com/settings/applications
+        #   2. Create a new application with the redirect URI:
+        #        https://chat.wyattjmiller.com/_matrix/client/v3/login/sso/redirect/oidc-mastodon
+        #      and scopes: read:accounts
+        #   3. Write the Application ID  → /var/lib/tuwunel/mastodon-oauth-client-id  (chmod 400, owned by tuwunel)
+        #      Write the Client Secret   → /var/lib/tuwunel/mastodon-oauth-client-secret
+        #   4. nixos-rebuild switch (or restart tuwunel.service)
+        identity_provider= [
+          {
+            brand = "Mastodon";
+            issuer_url = "https://${mastodonFqdn}";
+            id = "oidc-mastodon";
+            client_id = mastodonOauthClientIdFile;
+            client_secret = mastodonOauthClientSecretFile;
+            scope = ["openid" "read:accounts"];
+          }
+        ];
       };
     };
   };
@@ -174,6 +227,32 @@ in {
     enable = true;
     package = pkgs.caddy;
     virtualHosts = {
+      "${mastodonFqdn}" = {
+        extraConfig = ''
+          encode zstd gzip
+
+          root * ${config.services.mastodon.package}/public
+
+          handle /system/* {
+            uri strip_prefix /system
+            root * /var/lib/mastodon/public-system
+            file_server
+          }
+
+          @streaming path /api/v1/streaming*
+          handle @streaming {
+            reverse_proxy localhost:4000
+          }
+
+          handle {
+            @notfile not file
+            handle @notfile {
+              reverse_proxy localhost:3000
+            }
+            file_server
+          }
+        '';
+      };
       "${matrixFqdn}" = {
         extraConfig = ''
           encode zstd gzip
@@ -265,6 +344,49 @@ in {
         User = "root";
       };
     };
+
+    mastodon-secrets-gen = {
+      before = [ "mastodon-web.service" "mastodon-sidekiq-0.service" "mastodon-streaming.service" ];
+      wantedBy = [ "multi-user.target" ];
+      path = with pkgs; [ coreutils openssl ruby_3_4 ];
+      script = ''
+        set -eu
+
+        dir="${mastodonSecretsDir}"
+        install -d -m 0750 -o mastodon -g mastodon "$dir"
+
+        gen_hex() {
+          local f="$1"
+          if [ ! -f "$f" ]; then
+            umask 077
+            openssl rand -hex 64 | install -o mastodon -g mastodon -m 0400 /dev/stdin "$f"
+          fi
+        }
+
+        gen_hex "$dir/secret_key_base"
+        gen_hex "$dir/otp_secret"
+
+        if [ ! -f "$dir/vapid_private_key" ]; then
+          umask 077
+          ruby -ropenssl -rbase64 -e '
+            key = OpenSSL::PKey::EC.generate("prime256v1")
+            priv = Base64.urlsafe_encode64(key.private_key.to_s(2).rjust(32, "\x00"), padding: false)
+            pub  = Base64.urlsafe_encode64(key.public_key.to_bn.to_s(2), padding: false)
+            File.write(ARGV[0], priv)
+            File.write(ARGV[1], pub)
+          ' \
+            "$dir/vapid_private_key" \
+            "$dir/vapid_public_key"
+          chown mastodon:mastodon "$dir/vapid_private_key" "$dir/vapid_public_key"
+          chmod 0400 "$dir/vapid_private_key" "$dir/vapid_public_key"
+        fi
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+        RemainAfterExit = true;
+      };
+    };
   };
 
   system.stateVersion = "25.11";