nix-config-v2/modules/machine/yshtola/configuration.nix

{
  pkgs,
  userName,
  ...
}: let
  # INFO: set these to your liking
  matrixFqdn = "chat.wyattjmiller.com";
  rtcFqdn = "rtc.wyattjmiller.com";

  supportEmail = "wyatt@wyattjmiller.com";
  livekitKeyFile = "/var/lib/livekit/livekit.key";
  matrixRegistrationTokenFile = "/var/lib/matrix.key";
  mastodonFqdn = "social.wyattjmiller.com";
  mastodonSecretsDir = "/var/lib/mastodon/secrets";

  # After deploying Mastodon, register an OAuth application at
  # https://social.wyattjmiller.com/settings/applications and write the
  # client ID / secret to these paths (chmod 400, owned by the tuwunel user):
  mastodonOauthClientIdFile = "/var/lib/tuwunel/mastodon-oauth-client-id";
  mastodonOauthClientSecretFile = "/var/lib/tuwunel/mastodon-oauth-client-secret";
in {
  imports = [
    ../../pwrMgmt
  ];

  # Enable flakes for NixOS
  nix.settings.experimental-features = ["nix-command" "flakes"];

  nix.settings = {
    download-buffer-size = 134217728;  # 128 MiB in bytes
  };

  # Custom kernel/boot stuff
  boot.kernelPackages = pkgs.linuxPackages_latest;

  # Set your timezone
  time.timeZone = "America/Detroit";

  # Enable OpenSSH
  services.openssh = {
    enable = true;
    settings.PermitRootLogin = "no";
    settings.PasswordAuthentication = false;
  };

  # Enable keyring
  services.gnome.gnome-keyring.enable = true;

  # Enable GnuPG
  programs.gnupg.agent = {
    enable = true;
    enableSSHSupport = true;
  };

  # Enable SUID wrappers (some programs need them)
  programs.mtr.enable = true;

  # Enable Polkit
  security.polkit.enable = true;

  # Power management (see ../../pwrMgmt/default.nix)
  pwrMgmt = {
    enable = true;
    cpuFreqGovernor = "performance";
    powertop.enable = false;
  };

  # Firewall settings (fallback, upstream way of doing things)
  networking.firewall = {
    enable = true;

    allowedTCPPorts = [
      80
      443
      8448
      3478
      5349
      7880
      7881
      8080
      8081
    ];

    allowedUDPPorts = [
      3478
      7881
      8448
    ];

    allowedUDPPortRanges =[
      # TURN UDP relays
      { 
        from = 49000;
        to = 50000;
      }
      # 
      {
        from = 50100;
        to = 50200;
      }
    ];
  };

  # Add username to groups "wheel" and "video" - more may be added here later
  users.users.${userName} = {
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV9eSc9L+aJLoKoexq2f/jb5rpyZnhuGiyhS8YQAbaS wyatt@wyattjmiller.com"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4WKvKnnYpTbzZHFEslOKyfiiMqWxhW3AfX6E7ACmYU wyatt@wyattjmiller.com"
    ];
    extraGroups = ["wheel" "video" "network"];
  };

  # fail2ban
  services.fail2ban = {
    enable = true;
    package = pkgs.fail2ban;
    maxretry = 5;
    bantime = "3h";
    bantime-increment = {
      enable = true;
      rndtime = "10m";
    };
  };

  # Mastodon service — social.wyattjmiller.com
  services.mastodon = {
    enable = true;
    localDomain = mastodonFqdn;
    configureNginx = false;
    secretKeyBaseFile = "${mastodonSecretsDir}/secret_key_base";
    otpSecretFile = "${mastodonSecretsDir}/otp_secret";
    vapidPrivateKeyFile = "${mastodonSecretsDir}/vapid_private_key";
    vapidPublicKeyFile = "${mastodonSecretsDir}/vapid_public_key";
    # Configure SMTP after initial deploy via mastodonSecretsDir or a separate
    # NixOS secrets manager (sops-nix / agenix).
    smtp = {
      host = "mail.wyattjmiller.com";
      port = 25;
      fromAddress = "notifications@${mastodonFqdn}";
      authenticate = false;
    };
  };

  # Matrix server
  services.matrix-tuwunel = {
    enable = true;
    package = pkgs.matrix-tuwunel;
    settings = {
      global = {
        server_name = matrixFqdn;
        allow_encryption = true;
        allow_federation = true;
        allow_registration = true;
        registration_token = matrixRegistrationTokenFile;
        allow_unstable_room_versions = false;
        allow_experimental_room_versions = false;
        zstd_compression = true;
        new_user_displayname_suffix = "✨";
        max_request_size = 1048575600; # 100MB in bytes, for file uploads
        database_backup_path = "/var/lib/tuwunel/database_backups";
        database_backups_to_keep = 2;

        address = [
          "127.0.0.1"
          "::1"
        ];
        port = [ 8008 ];

        well_known = {
          client = "https://${matrixFqdn}";
          server = "${matrixFqdn}:443";
          support_email = supportEmail;
          support_mxid = "@wymiller:${matrixFqdn}";
          
          rtc_transports = [{
            type = "livekit";
            livekit_service_url = "https://${rtcFqdn}";
          }];
        };

        # Mastodon as OIDC provider for Matrix login.
        # Mastodon 4.3+ exposes OpenID Connect discovery at
        # https://<domain>/.well-known/openid-configuration.
        #
        # REQUIRED RUNTIME SETUP (once, after first Mastodon deploy):
        #   1. Visit https://social.wyattjmiller.com/settings/applications
        #   2. Create a new application with the redirect URI:
        #        https://chat.wyattjmiller.com/_matrix/client/v3/login/sso/redirect/oidc-mastodon
        #      and scopes: read:accounts
        #   3. Write the Application ID  → /var/lib/tuwunel/mastodon-oauth-client-id  (chmod 400, owned by tuwunel)
        #      Write the Client Secret   → /var/lib/tuwunel/mastodon-oauth-client-secret
        #   4. nixos-rebuild switch (or restart tuwunel.service)
        oidc_providers = [
          {
            issuer = "https://${mastodonFqdn}";
            id = "oidc-mastodon";
            client_id_file = mastodonOauthClientIdFile;
            client_secret_file = mastodonOauthClientSecretFile;
            scopes = ["openid" "read:accounts"];
          }
        ];
      };
    };
  };

  # LiveKit (Matrix RTC)
  services.livekit = {
    enable = true;
    package = pkgs.livekit;
    openFirewall = true;
    keyFile = livekitKeyFile;
    settings = {
      port = 7880;
      room.auto_create = true;
      rtc = {
        use_external_ip = true;
      };
    };
  };

  # Reverse proxy
  services.caddy = {
    enable = true;
    package = pkgs.caddy;
    virtualHosts = {
      "${mastodonFqdn}" = {
        extraConfig = ''
          encode zstd gzip

          @streaming path /api/v1/streaming*
          handle @streaming {
            reverse_proxy localhost:4000
          }

          handle {
            reverse_proxy localhost:3000
          }
        '';
      };
      "${matrixFqdn}" = {
        extraConfig = ''
          encode zstd gzip
          reverse_proxy localhost:8008
        '';
      };
      "${matrixFqdn}:8448" = {
        extraConfig = ''
          encode zstd gzip
          reverse_proxy localhost:8008
        '';
      };
      "${rtcFqdn}" = {
        extraConfig = ''
          @jwt_service {
            path /sfu/get* /healthz*
          }

          handle @jwt_service {
            reverse_proxy localhost:8080
          }

          handle {
            reverse_proxy localhost:7880 {
              header_up Connection "upgrade"
              header_up Upgrade {http.request.header.Upgrade}
            }
          }
        '';
      };
    };
  };

  # LiveKit JWT service
  services.lk-jwt-service = {
    enable = true;
    port = 8080;
    livekitUrl = "wss://rtc.wyattjmiller.com";
    keyFile = livekitKeyFile;
  };

  # Generate LiveKit key if it doesn't exist
  systemd.services = {
    matrix-registration-token-gen = {
      before = [ "tuwunel.service" ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ coreutils openssl ];
      script = ''
        set -eu

        if [ -f "${matrixRegistrationTokenFile}" ]; then
          exit 0
        fi

        install -d -m 0700 "$(dirname "${matrixRegistrationTokenFile}")"

        TOKEN="$(openssl rand -hex 32)"

        umask 077
        printf '%s\n' "$TOKEN" > "${matrixRegistrationTokenFile}"
      '';
      serviceConfig = {
        Type = "oneshot";
        User = "root";
      };
    };

    livekit-key-gen = {
      before = [ "lk-jwt-service.service" "livekit.service" ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ coreutils openssl ];
      script = ''
        set -eu

        if [ -f "${livekitKeyFile}" ]; then
          exit 0
        fi

        install -d -m 0700 "$(dirname "${livekitKeyFile}")"

        API_KEY="$(openssl rand -hex 8)"
        API_SECRET="$(openssl rand -hex 32)"

        umask 077
        printf '%s: %s\n' "$API_KEY" "$API_SECRET" > "${livekitKeyFile}"
      '';
      serviceConfig = {
        Type = "oneshot";
        User = "root";
      };
    };

    mastodon-secrets-gen = {
      before = [ "mastodon-web.service" "mastodon-sidekiq-0.service" "mastodon-streaming.service" ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ coreutils openssl ruby_3_4 ];
      script = ''
        set -eu

        dir="${mastodonSecretsDir}"
        install -d -m 0750 -o mastodon -g mastodon "$dir"

        gen_hex() {
          local f="$1"
          if [ ! -f "$f" ]; then
            umask 077
            openssl rand -hex 64 | install -o mastodon -g mastodon -m 0400 /dev/stdin "$f"
          fi
        }

        gen_hex "$dir/secret_key_base"
        gen_hex "$dir/otp_secret"

        if [ ! -f "$dir/vapid_private_key" ]; then
          umask 077
          ruby -ropenssl -rbase64 -e '
            key = OpenSSL::PKey::EC.generate("prime256v1")
            priv = Base64.urlsafe_encode64(key.private_key.to_s(2).rjust(32, "\x00"), padding: false)
            pub  = Base64.urlsafe_encode64(key.public_key.to_bn.to_s(2), padding: false)
            File.write(ARGV[0], priv)
            File.write(ARGV[1], pub)
          ' \
            "$dir/vapid_private_key" \
            "$dir/vapid_public_key"
          chown mastodon:mastodon "$dir/vapid_private_key" "$dir/vapid_public_key"
          chmod 0400 "$dir/vapid_private_key" "$dir/vapid_public_key"
        fi
      '';
      serviceConfig = {
        Type = "oneshot";
        User = "root";
        RemainAfterExit = true;
      };
    };
  };

  system.stateVersion = "25.11";
}