From 26662e1419fb2ad357018146e27a123e5f1a7ee1 Mon Sep 17 00:00:00 2001 From: "Wyatt J. Miller" Date: Tue, 17 Feb 2026 18:24:34 -0500 Subject: [PATCH 1/4] wip: yshtola build in progress --- flake.nix | 25 +++++ modules/machine/yshtola/configuration.nix | 93 +++++++++++++++++++ modules/machine/yshtola/default.nix | 6 ++ .../yshtola/hardware-configuration.nix | 0 4 files changed, 124 insertions(+) create mode 100644 modules/machine/yshtola/configuration.nix create mode 100644 modules/machine/yshtola/default.nix create mode 100644 modules/machine/yshtola/hardware-configuration.nix diff --git a/flake.nix b/flake.nix index 45f93d3..2a55f9e 100644 --- a/flake.nix +++ b/flake.nix @@ -162,6 +162,31 @@ # ]; }; + nixosConfigurations."yshtola" = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { + inherit userName userEmail; + hostname = "yshtola"; + role = "server"; + }; + modules = [ + myOverlays + ./modules/common + ./modules/machine/yshtola + + home-manager.nixosModules.home-manager + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.extraSpecialArgs = extraSpecialArgs // { isNixOS = true; role = "server"; }; + home-manager.backupFileExtension = "bak"; + home-manager.users.${userName}.imports = [ + ./home + ]; + } + ]; + }; + # generic non-NixOS Linux machine homeConfigurations."generic" = let hostname = builtins.getEnv "HOSTNAME"; diff --git a/modules/machine/yshtola/configuration.nix b/modules/machine/yshtola/configuration.nix new file mode 100644 index 0000000..97c6488 --- /dev/null +++ b/modules/machine/yshtola/configuration.nix 
@@ -0,0 +1,93 @@ + +{ + pkgs, + userName, + ... +}: { + imports = [ + ../../pwrMgmt + ../../networking/core.nix + ../../networking/dns.nix + ../../virtualization/podman.nix + ]; + + # Enable flakes for NixOS + nix.settings.experimental-features = ["nix-command" "flakes"]; + + # Custom kernel/boot stuff + boot.kernelPackages = pkgs.linuxPackages_latest; + boot.loader.systemd-boot.enable = true; # TODO: check on this + boot.loader.efi.canTouchEfiVariables = true; + + # Set your timezone + time.timeZone = "America/Detroit"; + + # Enable OpenSSH + services.openssh.enable = true; + + # Enable keyring + services.gnome.gnome-keyring.enable = true; + + # Enable GnuPG + programs.gnupg.agent = { + enable = true; + enableSSHSupport = true; + }; + + # Enable SUID wrappers (some programs need them) + programs.mtr.enable = true; + + # Enable Polkit + security.polkit.enable = true; + + # Power management (see ../../pwrMgmt/default.nix) + pwrMgmt = { + enable = true; + cpuFreqGovernor = "performance"; + powertop.enable = false; + }; + + # Podman module (see ../../virtualization/podman.nix) + # podman = { + # enable = true; + # extraPackages = with pkgs; [ + # docker-credential-helpers + # toolbox + # cosign + # crane + # podman-tui + # podman-desktop + # ]; + # }; + + # Core networking module (see ../../networking/core.nix) + network = { + firewall.enable = true; + networkManager.enable = true; + }; + + # Add username to groups "wheel" and "video" - more may be added here later + users.users.${userName}.extraGroups = ["wheel" "video" "network"]; + + # fail2ban + services.fail2ban = { + + }; + + # Matrix server + services.matrix-tuwunel = { + + }; + + # LiveKit (MatrixRTC) + services.livekit = { + + }; + + # TURN/STUN server + services.coturn = { + + }; + + system.stateVersion = "25.11"; +} diff --git a/modules/machine/yshtola/default.nix b/modules/machine/yshtola/default.nix new file mode 100644 index 0000000..3c4d411 --- /dev/null +++ b/modules/machine/yshtola/default.nix 
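Review bot: `users.users.${userName}.extraGroups = ["wheel" "video" "network"]` adds the user to a `network` group that NixOS does not create on its own (NetworkManager's polkit rule looks at `networkmanager`), so unless `../../networking/core.nix` declares that group the membership does nothing, and the comment above it still says only wheel and video. Either drop `"network"` or name the group that actually exists, and make the comment list the groups really granted. The `# Enable SUID wrappers (some programs need them)` line is the NixOS template wording and does not describe `programs.mtr.enable = true;`, which only installs a capability wrapper for mtr; `# mtr needs a privileged wrapper to open raw sockets` says what is meant. `services.gnome.gnome-keyring.enable` and `programs.gnupg.agent.enableSSHSupport` are workstation settings on a host the flake tags `role = "server"`, so confirm they are wanted, and note that `services.openssh.enable = true;` with module defaults keeps password authentication on until a later patch in this series tightens it.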
@@ -0,0 +1,6 @@ +{ ... }: { + imports = [ + ./configuration.nix + ./hardware-configuration.nix + ]; +} diff --git a/modules/machine/yshtola/hardware-configuration.nix b/modules/machine/yshtola/hardware-configuration.nix new file mode 100644 index 0000000..e69de29 -- 2.49.1 From bdf4d54e99a3093d702c04c85e3868e8862822cf Mon Sep 17 00:00:00 2001 From: "Wyatt J. Miller" Date: Wed, 18 Feb 2026 08:40:47 -0500 Subject: [PATCH 2/4] wip: build still in progress --- modules/machine/yshtola/configuration.nix | 34 +++++++++++++++++++---- 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/modules/machine/yshtola/configuration.nix b/modules/machine/yshtola/configuration.nix index 97c6488..182b7f2 100644 --- a/modules/machine/yshtola/configuration.nix +++ b/modules/machine/yshtola/configuration.nix @@ -71,23 +71,45 @@ # fail2ban services.fail2ban = { - + enable = true; + package = pkgs.fail2ban; + maxretry = 5; + bantime = "3h"; + bantime-increment = { + enable = true; + rndtime = "10m"; + }; }; # Matrix server services.matrix-tuwunel = { - + enable = true; + package = pkgs.matrix-tuwunel; + settings = { + global = { + server_name = "wyattjmiller.com"; + allow_encryption = true; + allow_federation = true; + allow_registration = true; + }; + # TODO: figure out what goes here + }; }; # LiveKit (MatrixRTC) services.livekit = { - + enable = true; + package = pkgs.livekit; + openFirewall = true; + settings = { + # TODO: figure out what goes here + }; }; # TURN/STUN server - services.coturn = { - - }; + # services.coturn = { + # + # }; system.stateVersion = "25.11"; } -- 2.49.1 From e7b2a1bc1e94daac956411af6f79895c2da8241d Mon Sep 17 00:00:00 2001 From: "Wyatt J. Miller" Date: Wed, 18 Feb 2026 14:57:21 -0500 Subject: [PATCH 3/4] wip: still in progress --- modules/machine/yshtola/configuration.nix | 129 ++++++++++++++++++---- 1 file changed, 109 insertions(+), 20 deletions(-) 
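Review bot: `allow_registration = true;` in the matrix-tuwunel block turns on open account creation on a homeserver that also sets `allow_federation = true`, with no registration token or other gate beside it, which is the usual precondition for spam-account abuse on public Matrix servers. PATCH 3/4 in this series flips it to `false`, so the final tree is fine, but anyone applying or bisecting the series up to this commit would bring the host up open; squashing that change here, or writing `allow_registration = false;` from the start, closes that window. The fail2ban settings look reasonable; `package = pkgs.fail2ban;`, `package = pkgs.matrix-tuwunel;` and `package = pkgs.livekit;` presumably restate the module defaults and can be dropped.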
diff --git a/modules/machine/yshtola/configuration.nix b/modules/machine/yshtola/configuration.nix
index 182b7f2..6fa1e52 100644
--- a/modules/machine/yshtola/configuration.nix
+++ b/modules/machine/yshtola/configuration.nix
@@ -7,8 +7,6 @@
 imports = [
 ../../pwrMgmt
 ../../networking/core.nix
- ../../networking/dns.nix
- ../../virtualization/podman.nix
 ];
 
 # Enable flakes for NixOS
@@ -47,25 +45,39 @@
 powertop.enable = false;
 };
 
- # Podman module (see ../../virtualization/podman.nix)
- # podman = {
- # enable = true;
- # extraPackages = with pkgs; [
- # docker-credential-helpers
- # toolbox
- # cosign
- # crane
- # podman-tui
- # podman-desktop
- # ];
- # };
-
 # Core networking module (see ../../networking/core.nix)
 network = {
- firewall.enable = true;
 networkManager.enable = true;
 };
 
+ # Firewall settings (fallback, upstream way of doing things)
+ networking.firewall = {
+ enable = true;
+
+ allowedTCPPorts = [
+ 3478
+ 5349
+ 7880
+ 7881
+ 8080
+ ];
+
+ allowedUDPPorts = [
+ 3478
+ ];
+
+ allowedUDPPortRanges =[
+ {
+ from = 49000;
+ to = 50000;
+ }
+ {
+ from = 50100;
+ to = 50200;
+ }
+ ];
+ };
+
 # Add username to groups "wheel" and "video" - more may be added here later
 users.users.${userName}.extraGroups = ["wheel" "video" "network"];
 
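Review bot: `allowedTCPPorts` opens 7880 and 8080 to the network even though LiveKit's 7880 is fronted by Caddy at `rtc.wyattjmiller.com` later in this same patch, so the plaintext listener is exposed next to the TLS-terminated one, and nothing visible in this file listens on 8080 at all. At the same time 80 and 443 are absent, which Caddy needs unless `../../networking/core.nix` opens them, so as written the proxy would be unreachable while its backends are reachable directly. The UDP range `50100`–`50200` matches nothing configured here (coturn uses 49000–50000 via `min-port`/`max-port`, and LiveKit's RTC range is not set in its `settings`), and `services.livekit.openFirewall = true` from the previous patch may already open LiveKit's ports on its own. A one-line comment per port group, e.g. `# 3478/5349: coturn STUN/TURN, 7881: LiveKit RTC over TCP`, would make the list auditable.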
@@ -90,7 +102,31 @@
 server_name = "wyattjmiller.com";
 allow_encryption = true;
 allow_federation = true;
- allow_registration = true;
+ allow_registration = false;
+ allow_unstable_room_versions = false;
+ allow_experimental_room_versions = false;
+ encryption_enabled_by_default_for_room_type = "all";
+ zstd_compression = true;
+ new_user_displayname_suffix = "✨";
+ max_request_size = 1048575600; # 100MB in bytes, for file uploads
+
+ address = [
+ "127.0.0.1"
+ "::1"
+ ];
+ port = [ 8008 ];
+
+ well_known = {
+ client = "https://chat.wyattjmiller.com";
+ server = "chat.wyattjmiller.com:443";
+ support_email = "wyatt@wyattjmiller.com";
+ support_mxid = "@wymiller:wyattjmiller.com";
+
+ rtc_transports = {
+ type = "livekit";
+ livekit_service_url = "https://rtc.wyattjmiller.com";
+ };
+ };
 };
 # TODO: figure out what goes here
 };
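Review bot: `max_request_size = 1048575600; # 100MB in bytes, for file uploads` disagrees with its own comment: 1048575600 bytes is roughly 1000 MiB, ten times what the comment promises (100 MiB is 104857600). Since this bounds what any client or federating peer may push in a single request, the value should be the deliberate one, e.g. `max_request_size = 104857600; # 100 MiB, for file uploads`. Flipping `allow_registration` to `false` and binding `address` to loopback only are the right direction for a federated server behind a reverse proxy. The enclosing `services.matrix-tuwunel.settings.global` block starts before this hunk.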
@@ -102,14 +138,67 @@ package = pkgs.livekit; openFirewall = true; settings = { + port = 7880; + room.auto_create = true; + rtc = { + use_external_ip = true; + }; # TODO: figure out what goes here }; }; + services.caddy = { + enable = true; + package = pkgs.caddy; + virtualHosts = { + "chat.wyattjmiller.com" = { + extraConfig = '' + encode zstd gzip + reverse_proxy localhost:8008 + ''; + }; + "chat.wyattjmiller.com:8443" = { + extraConfig = '' + encode zstd gzip + reverse_proxy localhost:8008 + ''; + }; + "rtc.wyattjmiller.com" = { + extraConfig = '' + @jwt_service { + path /sfu/get* /healthz* + } + + handle @jwt_service { + reverse_proxy localhost:8081 + } + + handle { + reverse_proxy localhost:7880 { + header_up Connection "upgrade" + header_up Upgrade {http.request.header.Upgrade} + } + } + ''; + }; + }; + }; + # TURN/STUN server - # services.coturn = { - # - # }; + services.coturn = { + enable = true; + no-cli = false; + no-tcp-relay = false; + realm = "turn.wyattjmiller.com"; + min-port = 49000; + max-port = 50000; + + # TODO: fill out this extraConfig option a bit more with denial of private IP addresses + extraConfig = '' + verbose + no-multicast-peers + ''; + }; system.stateVersion = "25.11"; } -- 2.49.1 From aea71bb49beb2676f080f7b806a9b66025548049 Mon Sep 17 00:00:00 2001 From: "Wyatt J. Miller" Date: Wed, 18 Feb 2026 19:55:43 -0500 Subject: [PATCH 4/4] wip: ready for hardware configuration --- modules/machine/yshtola/configuration.nix | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/modules/machine/yshtola/configuration.nix b/modules/machine/yshtola/configuration.nix index 6fa1e52..2f962fd 100644 --- a/modules/machine/yshtola/configuration.nix +++ b/modules/machine/yshtola/configuration.nix 
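Review bot: The new `services.coturn` block brings up a TURN relay with a `realm` but no credential mechanism — no `use-auth-secret`/`static-auth-secret-file` and no user list — and the tuwunel settings in this patch carry no matching TURN URI or secret, so either clients cannot obtain allocations or, if authentication is later relaxed to make it work, the relay is usable by anyone who can reach 3478. `no-cli = false` also enables coturn's admin CLI listener (the module default, as far as I recall, is `no-cli = true`), which nothing here needs. The `# TODO` about private addresses belongs in the same change, because a relay allowed to reach RFC1918 space becomes a path into the host's own network; the sketch below uses a placeholder for the secret file. Separately, the `"chat.wyattjmiller.com:8443"` Caddy vhost is referenced neither by `well_known.server` (which names `:443`) nor by the firewall list, and the `@jwt_service` route forwards to 8081 where nothing in this file runs, so both look like dead or not-yet-wired configuration.
```nix
  services.coturn = {
    # … unchanged: enable, no-tcp-relay, realm, min-port, max-port …
    use-auth-secret = true;
    static-auth-secret-file = "<PATH-TO-COTURN-SECRET-FILE>"; # placeholder: a root-only file outside the Nix store

    extraConfig = ''
      verbose
      no-multicast-peers
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
    '';
  };
```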
@@ -21,7 +21,11 @@
 time.timeZone = "America/Detroit";
 
 # Enable OpenSSH
- services.openssh.enable = true;
+ services.openssh = {
+ enable = true;
+ PermitRootLogin = "no";
+ PasswordAuthentication = "no";
+ };
 
 # Enable keyring
 services.gnome.gnome-keyring.enable = true;
@@ -79,7 +83,13 @@
 };
 
 # Add username to groups "wheel" and "video" - more may be added here later
- users.users.${userName}.extraGroups = ["wheel" "video" "network"];
+ users.users.${userName} = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV9eSc9L+aJLoKoexq2f/jb5rpyZnhuGiyhS8YQAbaS wyatt@wyattjmiller.com"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4WKvKnnYpTbzZHFEslOKyfiiMqWxhW3AfX6E7ACmYU wyatt@wyattjmiller.com"
+ ];
+ extraGroups = ["wheel" "video" "network"];
+ };
 
 # fail2ban
 services.fail2ban = {
@@ -109,6 +119,9 @@
 zstd_compression = true;
 new_user_displayname_suffix = "✨";
 max_request_size = 1048575600; # 100MB in bytes, for file uploads
+ database_path = "/var/lib/tuwunel";
+ database_backup_path = "/var/lib/tuwunel/database_backups";
+ database_backups_to_keep = 2;
 
 address = [
 "127.0.0.1"
@@ -128,11 +141,10 @@
 };
 };
 };
- # TODO: figure out what goes here
 };
 };
 
- # LiveKit (MatrixRTC)
+ # LiveKit (Matrix RTC)
 services.livekit = {
 enable = true;
 package = pkgs.livekit;
@@ -143,10 +155,10 @@
 rtc = {
 use_external_ip = true;
 };
- # TODO: figure out what goes here
 };
 };
 
+ # Reverse proxy
 services.caddy = {
 enable = true;
 package = pkgs.caddy;
-- 
2.49.1
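Review bot: `PermitRootLogin = "no";` and `PasswordAuthentication = "no";` sit directly under `services.openssh`, but the NixOS module exposes sshd_config keys under `services.openssh.settings`, so as written evaluation should fail with an undefined-option error rather than harden anything — and had it been silently accepted the host would keep the module defaults, which allow password logins. The fix is `settings = { PermitRootLogin = "no"; PasswordAuthentication = "no"; };` inside the block, and `KbdInteractiveAuthentication = false;` belongs in the same `settings` set because keyboard-interactive is a second password path. Together with the `openssh.authorizedKeys.keys` added in the next hunk (`@@ -79,7 +83,13 @@`) this is the change that makes key-only access the rule, so it is worth a `nixos-rebuild build` before the host goes live.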