about summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--README.md2
-rw-r--r--flake.nix2
-rw-r--r--lib/default.nix1
-rw-r--r--lib/mk_colmena.nix37
-rw-r--r--nixos/.sops.yaml6
-rw-r--r--nixos/cobalt/configuration.nix145
-rw-r--r--nixos/cobalt/hardware-configuration.nix65
-rw-r--r--nixos/cobalt/modules/git-daemon.nix137
-rw-r--r--nixos/cobalt/modules/soju.nix132
-rw-r--r--nixos/cobalt/secrets/secrets.yaml44
-rw-r--r--nixos/cobalt/services/README.md5
-rw-r--r--nixos/cobalt/services/acme.nix33
-rw-r--r--nixos/cobalt/services/akkoma-assets/blocklist.toml163
-rw-r--r--nixos/cobalt/services/akkoma-assets/logo.pngbin1304 -> 0 bytes
-rw-r--r--nixos/cobalt/services/akkoma-assets/logo.svg71
-rw-r--r--nixos/cobalt/services/akkoma-assets/robots.txt2
-rw-r--r--nixos/cobalt/services/akkoma.nix57
-rw-r--r--nixos/cobalt/services/cgit.nix105
-rw-r--r--nixos/cobalt/services/dendrite.nix157
-rw-r--r--nixos/cobalt/services/fail2ban.nix5
-rw-r--r--nixos/cobalt/services/git-daemon.nix15
-rw-r--r--nixos/cobalt/services/gitolite-noncore/fix-refs9
-rw-r--r--nixos/cobalt/services/gitolite-noncore/rename62
-rw-r--r--nixos/cobalt/services/gitolite.nix109
-rw-r--r--nixos/cobalt/services/nginx.nix15
-rw-r--r--nixos/cobalt/services/soju.nix28
-rw-r--r--nixos/colmena.nix28
27 files changed, 0 insertions, 1435 deletions
diff --git a/README.md b/README.md
index 8b5df8d..1eddee0 100644
--- a/README.md
+++ b/README.md
@@ -39,8 +39,6 @@
 
 `kompakt` - Laptop (MBA, Darwin)
 
-`cobalt` - Main server (managed with colmena)
-
 ## Resources
 
 + **Flakes**
diff --git a/flake.nix b/flake.nix
index d8b1284..192e28b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -32,8 +32,6 @@
 
       nixosConfigurations = import ./nixos inputs;
 
-      colmena = import ./nixos/colmena.nix inputs;
-
       darwinConfigurations = import ./darwin inputs;
 
       homeConfigurations = import ./home inputs;
diff --git a/lib/default.nix b/lib/default.nix
index 13164a9..704a15e 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -4,7 +4,6 @@ inputs:
   mkSystem = import ./mk_system.nix inputs;
   mkHome = import ./mk_home.nix inputs;
   mkDarwin = import ./mk_darwin.nix inputs;
-  mkColmena = import ./mk_colmena.nix inputs;
   nixosConfigurationsAsPackages = import ./nixos_configurations_as_packages.nix inputs;
   homeConfigurationsAsPackages = import ./home_configurations_as_packages.nix inputs;
 }
diff --git a/lib/mk_colmena.nix b/lib/mk_colmena.nix
deleted file mode 100644
index 82dce9d..0000000
--- a/lib/mk_colmena.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{ self, ... } @ args:
-
-{ name
-, system ? "x86_64-linux"
-, deployment ? null
-, host ? null
-, port ? 22
-, tags ? null
-, inputs ? null
-, ...
-}:
-let
-  configFolder = "${self}/nixos";
-  entryPoint = "${configFolder}/${name}/configuration.nix";
-  hardware = "${configFolder}/${name}/hardware-configuration.nix";
-in
-{
-  deployment = deployment;
-  # system = system;
-
-  imports = [
-    {
-      _module.args = args;
-      networking.hostName = name;
-      nix.flakes.enable = true;
-      system.configurationRevision = self.rev or "dirty";
-      documentation.man = { enable = true; generateCaches = true; };
-    }
-    entryPoint
-    hardware
-    ../nixos/modules/flake.nix
-    ../nixos/modules/nix.nix
-    # TODO: implement extraModules
-    inputs.impermanence.nixosModules.impermanence
-    inputs.sops-nix.nixosModules.sops
-  ];
-}
diff --git a/nixos/.sops.yaml b/nixos/.sops.yaml
index 030fefe..f6cb8c7 100644
--- a/nixos/.sops.yaml
+++ b/nixos/.sops.yaml
@@ -1,15 +1,9 @@
 keys:
   - &sefidel 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2
   - &host_alpha c62b0336ff6e444e5f2041e8074ca855641a5b7f
-  - &host_cobalt 9794c486d5673ff6613f6cde774d4895eb911703
 creation_rules:
   - path_regex: alpha/secrets/[^/]+\.yaml$
     key_groups:
     - pgp:
       - *sefidel
       - *host_alpha
-  - path_regex: cobalt/secrets/[^/]+\.yaml$
-    key_groups:
-    - pgp:
-      - *sefidel
-      - *host_cobalt
diff --git a/nixos/cobalt/configuration.nix b/nixos/cobalt/configuration.nix
deleted file mode 100644
index a3c77da..0000000
--- a/nixos/cobalt/configuration.nix
+++ /dev/null
@@ -1,145 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
-  ipv4 = {
-    address = "95.216.74.104";
-    gateway = "95.216.74.65";
-    netmask = "255.255.255.192";
-    prefixLength = 26; # https://www.pawprint.net/designresources/netmask-converter.php
-  };
-  ipv6 = {
-    address = "2a01:4f9:2b:a98::";
-    gateway = "fe80::1";
-    prefixLength = 64;
-  };
-  networkInterface = "eth0";
-  hostName = "cobalt";
-  hostId = "712ae82a";
-in
-{
-  imports =
-    [
-      ./hardware-configuration.nix
-
-      ./services/acme.nix
-      ./services/nginx.nix
-      ./services/fail2ban.nix
-      ./services/soju.nix
-      ./services/gitolite.nix
-      ./services/git-daemon.nix
-      ./services/cgit.nix
-      ./services/dendrite.nix
-      ./services/akkoma.nix
-    ];
-
-  boot.supportedFilesystems = [ "zfs" ];
-  networking.hostId = hostId;
-
-  boot.loader.grub.enable = true;
-  # boot.loader.grub.version = 2;
-  boot.loader.grub.efiSupport = false;
-  # boot.loader.grub.device = "nodev";
-
-  # This should be done automatically, but explicitly declare it just in case.
-  boot.loader.grub.copyKernels = true;
-  # Make sure that you've listed all of the boot partitions here.
-  boot.loader.grub.mirroredBoots = [
-    { path = "/boot"; devices = [ "/dev/disk/by-id/ata-ST4000NM0245-1Z2107_ZC17GW7G" ]; }
-    { path = "/boot-fallback"; devices = [ "/dev/disk/by-id/ata-ST4000NM0245-1Z2107_ZC17GWB2" ]; }
-  ];
-
-  # Boot normally when one of the boot partitions are missing
-  fileSystems."/boot".options = [ "nofail" ];
-  fileSystems."/boot-fallback".options = [ "nofail" ];
-
-  # Erase your darlings
-  boot.initrd.postDeviceCommands = lib.mkAfter ''
-    zfs rollback -r rpool/local/root@blank
-  '';
-
-  # NOTE: replace these to boot.initrd.availableKernelModules?
-  boot.kernelModules = [ "e1000e" ];
-  boot.initrd.kernelModules = [ "e1000e" ];
-
-  boot.kernelParams = [
-    # See <https:#www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt> for documentation.
-    # ip=<client-ip>:<server-ip>:<gw-ip>:<netmask>:<hostname>:<device>:<autoconf>:<dns0-ip>:<dns1-ip>:<ntp0-ip>
-    # The server ip refers to the NFS server -- not needed in this case.
-    "ip=${ipv4.address}::${ipv4.gateway}:${ipv4.netmask}:${hostName}-initrd:${networkInterface}:off:8.8.8.8"
-  ];
-
-  boot.initrd.network.enable = true;
-  boot.initrd.network.ssh = {
-    enable = true;
-
-    # Using the same port as the actual SSH will cause clients to throw errors
-    # related to host key mismatch.
-    port = 2222;
-
-    # This takes 'path's, not 'string's.
-    hostKeys = [
-      /boot/initrd-ssh-key
-      /boot-fallback/initrd-ssh-key
-    ];
-
-    # Public ssh key to log into the initrd ssh
-    authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDi7GGOGVj1Y5Sc1EW6zEdrp78dS6hvmS348pqu9dUsB openpgp:0x6BE7BD6F" ];
-  };
-  boot.initrd.network.postCommands = ''
-    cat <<EOF > /root/.profile
-    if pgrep -x "zfs" > /dev/null
-    then
-      zfs load-key -a
-      killall zfs
-    else
-      echo "ZFS is not running -- this could be a sign of failure."
-    fi
-    EOF
-  '';
-
-
-  networking.hostName = hostName;
-
-  networking.useDHCP = false;
-  networking.interfaces.${networkInterface} = {
-    ipv4 = { addresses = [{ address = ipv4.address; prefixLength = ipv4.prefixLength; }]; };
-    ipv6 = { addresses = [{ address = ipv6.address; prefixLength = ipv6.prefixLength; }]; };
-  };
-  networking.defaultGateway = ipv4.gateway;
-  networking.defaultGateway6 = { address = ipv6.gateway; interface = networkInterface; };
-  networking.nameservers = [ "8.8.8.8" ];
-
-  networking.firewall.enable = true;
-
-  time.timeZone = "UTC";
-
-  users.users.root.initialHashedPassword = "";
-  users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDi7GGOGVj1Y5Sc1EW6zEdrp78dS6hvmS348pqu9dUsB openpgp:0x6BE7BD6F" ];
-  services.openssh.enable = true;
-  services.openssh.permitRootLogin = "prohibit-password";
-
-  services.openssh.hostKeys = [
-    {
-      path = "/persist/ssh/ssh_host_ed25519_key";
-      type = "ed25519";
-    }
-    {
-      path = "/persist/ssh/ssh_host_rsa_key";
-      type = "rsa";
-      bits = 4096;
-    }
-  ];
-
-  # impermanence requirement
-  fileSystems."/persist".neededForBoot = true;
-
-  sops.defaultSopsFile = ./secrets/secrets.yaml;
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
-}
-
diff --git a/nixos/cobalt/hardware-configuration.nix b/nixos/cobalt/hardware-configuration.nix
deleted file mode 100644
index 95ecb96..0000000
--- a/nixos/cobalt/hardware-configuration.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [
-      (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
-  boot.extraModulePackages = [ ];
-
-  fileSystems."/" =
-    {
-      device = "rpool/local/root";
-      fsType = "zfs";
-    };
-
-  fileSystems."/boot" =
-    {
-      device = "/dev/disk/by-uuid/445A-0C55";
-      fsType = "vfat";
-    };
-
-  fileSystems."/boot-fallback" =
-    {
-      device = "/dev/disk/by-uuid/445C-198F";
-      fsType = "vfat";
-    };
-
-  fileSystems."/nix" =
-    {
-      device = "rpool/local/nix";
-      fsType = "zfs";
-    };
-
-  fileSystems."/home" =
-    {
-      device = "rpool/safe/home";
-      fsType = "zfs";
-    };
-
-  fileSystems."/persist" =
-    {
-      device = "rpool/safe/persist";
-      fsType = "zfs";
-    };
-
-  swapDevices = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault false;
-  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}
diff --git a/nixos/cobalt/modules/git-daemon.nix b/nixos/cobalt/modules/git-daemon.nix
deleted file mode 100644
index 76b395e..0000000
--- a/nixos/cobalt/modules/git-daemon.nix
+++ /dev/null
@@ -1,137 +0,0 @@
-{ config, lib, pkgs, ... }:
-with lib;
-let
-
-  cfg = config.services.gitDaemon;
-
-in
-{
-
-  ###### interface
-
-  options = {
-    services.gitDaemon = {
-
-      enable = mkOption {
-        type = types.bool;
-        default = false;
-        description = lib.mdDoc ''
-          Enable Git daemon, which allows public hosting of git repositories
-          without any access controls. This is mostly intended for read-only access.
-
-          You can allow write access by setting daemon.receivepack configuration
-          item of the repository to true. This is solely meant for a closed LAN setting
-          where everybody is friendly.
-
-          If you need any access controls, use something else.
-        '';
-      };
-
-      basePath = mkOption {
-        type = types.str;
-        default = "";
-        example = "/srv/git/";
-        description = lib.mdDoc ''
-          Remap all the path requests as relative to the given path. For example,
-          if you set base-path to /srv/git, then if you later try to pull
-          git://example.com/hello.git, Git daemon will interpret the path as /srv/git/hello.git.
-        '';
-      };
-
-      exportAll = mkOption {
-        type = types.bool;
-        default = false;
-        description = lib.mdDoc ''
-          Publish all directories that look like Git repositories (have the objects
-          and refs subdirectories), even if they do not have the git-daemon-export-ok file.
-
-          If disabled, you need to touch .git/git-daemon-export-ok in each repository
-          you want the daemon to publish.
-
-          Warning: enabling this without a repository whitelist or basePath
-          publishes every git repository you have.
-        '';
-      };
-
-      repositories = mkOption {
-        type = types.listOf types.str;
-        default = [ ];
-        example = [ "/srv/git" "/home/user/git/repo2" ];
-        description = lib.mdDoc ''
-          A whitelist of paths of git repositories, or directories containing repositories
-          all of which would be published. Paths must not end in "/".
-
-          Warning: leaving this empty and enabling exportAll publishes all
-          repositories in your filesystem or basePath if specified.
-        '';
-      };
-
-      listenAddress = mkOption {
-        type = types.str;
-        default = "";
-        example = "example.com";
-        description = lib.mdDoc "Listen on a specific IP address or hostname.";
-      };
-
-      port = mkOption {
-        type = types.port;
-        default = 9418;
-        description = lib.mdDoc "Port to listen on.";
-      };
-
-      options = mkOption {
-        type = types.str;
-        default = "";
-        description = lib.mdDoc "Extra configuration options to be passed to Git daemon.";
-      };
-
-      user = mkOption {
-        type = types.str;
-        default = "git";
-        description = lib.mdDoc "User under which Git daemon would be running.";
-      };
-
-      group = mkOption {
-        type = types.str;
-        default = "git";
-        description = lib.mdDoc "Group under which Git daemon would be running.";
-      };
-
-      createUserAndGroup = mkOption {
-        type = types.bool;
-        default = true;
-        description = lib.mdDoc ''
-          Create the specified group and user.
-          Disable this option if you want to use the existing user
-        '';
-      };
-    };
-  };
-
-  ###### implementation
-
-  config = mkIf cfg.enable {
-
-    users.users.${cfg.user} = optionalAttrs (cfg.createUserAndGroup == true) {
-      uid = config.ids.uids.git;
-      group = cfg.group;
-      description = "Git daemon user";
-    };
-
-    users.groups.${cfg.group} = optionalAttrs (cfg.createUserAndGroup == true) {
-      gid = config.ids.gids.git;
-    };
-
-    systemd.services.git-daemon = {
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-      script = "${pkgs.git}/bin/git daemon --reuseaddr "
-        + (optionalString (cfg.basePath != "") "--base-path=${cfg.basePath} ")
-        + (optionalString (cfg.listenAddress != "") "--listen=${cfg.listenAddress} ")
-        + "--port=${toString cfg.port} --user=${cfg.user} --group=${cfg.group} ${cfg.options} "
-        + "--verbose " + (optionalString cfg.exportAll "--export-all ") + concatStringsSep " " cfg.repositories;
-    };
-
-  };
-
-}
diff --git a/nixos/cobalt/modules/soju.nix b/nixos/cobalt/modules/soju.nix
deleted file mode 100644
index d14082c..0000000
--- a/nixos/cobalt/modules/soju.nix
+++ /dev/null
@@ -1,132 +0,0 @@
-# Not an overlay, module replacement
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  cfg = config.services.soju;
-  stateDir = "/var/lib/soju";
-  listenCfg = concatMapStringsSep "\n" (l: "listen ${l}") cfg.listen;
-  tlsCfg = optionalString (cfg.tlsCertificate != null)
-    "tls ${cfg.tlsCertificate} ${cfg.tlsCertificateKey}";
-  logCfg = optionalString cfg.enableMessageLogging
-    "log fs ${stateDir}/logs";
-
-  configFile = pkgs.writeText "soju.conf" ''
-    ${listenCfg}
-    hostname ${cfg.hostName}
-    ${tlsCfg}
-    db sqlite3 ${stateDir}/soju.db
-    ${logCfg}
-    http-origin ${concatStringsSep " " cfg.httpOrigins}
-    accept-proxy-ip ${concatStringsSep " " cfg.acceptProxyIP}
-
-    ${cfg.extraConfig}
-  '';
-in
-{
-  ###### interface
-
-  options.services.soju = {
-    enable = mkEnableOption (lib.mdDoc "soju");
-
-    listen = mkOption {
-      type = types.listOf types.str;
-      default = [ ":6697" ];
-      description = lib.mdDoc ''
-        Where soju should listen for incoming connections. See the
-        `listen` directive in
-        {manpage}`soju(1)`.
-      '';
-    };
-
-    hostName = mkOption {
-      type = types.str;
-      default = config.networking.hostName;
-      defaultText = literalExpression "config.networking.hostName";
-      description = lib.mdDoc "Server hostname.";
-    };
-
-    tlsCertificate = mkOption {
-      type = types.nullOr types.path;
-      default = null;
-      example = "/var/host.cert";
-      description = lib.mdDoc "Path to server TLS certificate.";
-    };
-
-    tlsCertificateKey = mkOption {
-      type = types.nullOr types.path;
-      default = null;
-      example = "/var/host.key";
-      description = lib.mdDoc "Path to server TLS certificate key.";
-    };
-
-    enableMessageLogging = mkOption {
-      type = types.bool;
-      default = true;
-      description = lib.mdDoc "Whether to enable message logging.";
-    };
-
-    httpOrigins = mkOption {
-      type = types.listOf types.str;
-      default = [ ];
-      description = lib.mdDoc ''
-        List of allowed HTTP origins for WebSocket listeners. The parameters are
-        interpreted as shell patterns, see
-        {manpage}`glob(7)`.
-      '';
-    };
-
-    acceptProxyIP = mkOption {
-      type = types.listOf types.str;
-      default = [ ];
-      description = lib.mdDoc ''
-        Allow the specified IPs to act as a proxy. Proxys have the ability to
-        overwrite the remote and local connection addresses (via the X-Forwarded-\*
-        HTTP header fields). The special name "localhost" accepts the loopback
-        addresses 127.0.0.0/8 and ::1/128. By default, all IPs are rejected.
-      '';
-    };
-
-    extraConfig = mkOption {
-      type = types.lines;
-      default = "";
-      description = lib.mdDoc "Lines added verbatim to the configuration file.";
-    };
-
-    extraGroups = mkOption {
-      type = types.listOf types.str;
-      default = [ ];
-      description = lib.mdDoc "Extra groups for the dynamic user.";
-    };
-  };
-
-  ###### implementation
-
-  config = mkIf cfg.enable {
-    assertions = [
-      {
-        assertion = (cfg.tlsCertificate != null) == (cfg.tlsCertificateKey != null);
-        message = ''
-          services.soju.tlsCertificate and services.soju.tlsCertificateKey
-          must both be specified to enable TLS.
-        '';
-      }
-    ];
-
-    systemd.services.soju = {
-      description = "soju IRC bouncer";
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network-online.target" ];
-      serviceConfig = {
-        DynamicUser = true;
-        SupplementaryGroups = cfg.extraGroups;
-        Restart = "always";
-        ExecStart = "${pkgs.soju}/bin/soju -config ${configFile}";
-        StateDirectory = "soju";
-      };
-    };
-  };
-
-  meta.maintainers = with maintainers; [ malvo ];
-}
diff --git a/nixos/cobalt/secrets/secrets.yaml b/nixos/cobalt/secrets/secrets.yaml
deleted file mode 100644
index bbc771a..0000000
--- a/nixos/cobalt/secrets/secrets.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-hetzner-dns-key: ENC[AES256_GCM,data:Ir3gRLc8XXIOC8Vjm43gLAmuhyDw5wysOsTCXlJfBQTcpingEbCENc4+eziStyF6,iv:5R4k9Yb8AJjavSivhs19RWrNh7r3rtkrbB6HdZZudqc=,tag:2tFXwQOXKZKYt/qwfsRr7A==,type:str]
-matrix-server-key: ENC[AES256_GCM,data:QZD2CkgHco86GQBb3dQKjBX8oRQ44R7lsK+ZOPzCjtE5Su338b8Tzj5NoKepuodRsdprUPO62yTSIbRFA79E34y4T5oXoq4UyFXX32MfsThVaqxPgyGh369jYfTx405RFGCfxLTXwLTrsHeR3oPm3q9QTWOWRwPQw3NWznq0b+0SJLbA8wQx/cE=,iv:wv93ER7yhvNg87EhmMSR3QoK6ThTrBhhhe2f5zGS3mU=,tag:NV8TvGTnTTF0U4LiRAlFcQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2023-02-06T09:17:19Z"
-    mac: ENC[AES256_GCM,data:MvOZ8lkcuULUa82fL7DqT2Qkl89+z42O+CivmD1iuFroYQ2NUtLAf5Nn58Ta/Lj8YhI4Y/RiMM8l/1Kbn/FbC6oLMLhj+5P7n3s/4W5tW+OlXgd0qLorZHqdx/WTra84QmoII9KA/F4UHcJML2xbRPGZDZ5m9VkIfgMd3s4r+ps=,iv:z8nx0yqvY1bXOJ2APh6wVyITXOOzpuyZuiHt/PrYDKI=,tag:0pJLyfY8U8tCj2IUFQmz2g==,type:str]
-    pgp:
-        - created_at: "2023-02-05T09:56:11Z"
-          enc: |
-            -----BEGIN PGP MESSAGE-----
-
-            hF4Dr9flwPWa1q8SAQdAtFIasB4kQZqTb7d1+2X6i3W7xHM/BnU87nUBzjgARwAw
-            cDezIZDi9L0IKZt/pui44uCJHBQKLZ9rGHuVKqY3R0Hsv06D2Lmgm6z9agano1JZ
-            0l4BUstc9knAl/dqAoNcLs+0Ehb84EYUxPfJowAnZaDbH5oaB0ke24Ug6gpHnejc
-            2eilh+Gnu4hEtrob//BQ0FSEn/PlLHjedqKJuJG0+w19sTZD5BPPj2ydbWLU6DYL
-            =3baE
-            -----END PGP MESSAGE-----
-          fp: 387E2BF0402610B00A9CB7E689C80C5BD6DBE2B2
-        - created_at: "2023-02-05T09:56:11Z"
-          enc: |
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA3dNSJXrkRcDAQ/8DD0yVDj+CfykNQ6GupMBfKpNrEByupAijeMQKrPGSLAi
-            TKI0vi7Bh5UwxbhS9DZWnZqDnApba0/0S4t7oeRNTGjDusZJ4C1pglQY022hRvzh
-            AGvWwVnilg57ccqWW42eScqGL9ohtRTc2nFjWEXr2rc9w4CyjxzT46ZmYUo1zV7B
-            XXTn5TdpcRiFx81rvriW+L2BLE4Bd0nUeNxnL7FWG9mO+yaJtuv0lXtO5A3cGTn1
-            0hERax7VyCxzV78PHHtYVzkSY5ZVfpLH8su/Wg3dgMa6goMFmufnXPFr1l3HCQMH
-            oF2qEaWu3mP8efpSgstCDFMlH+i8wAbhPMFVwcN8kxPox9JACGmlqIvbCgOOwfKQ
-            eoQKkZPRpNuuK3e/+NddFqf+Eex5lh7v+iFk6PXZWqxzdOAjenWR53Gww5gFBJj+
-            bt6qvS/8Z7Hq8zNWD1eHhUj+ywazxuUrtUz7TOMRbfcGqaeFTAJntTc1pIu4GNcA
-            ut0fSyQr/xoTxv4J1Zyz4GnAzuJKE4fB4LCeonXLwIEU/MsV0sNKwUcgRL4oimYO
-            xDJ44rbKzHNX1cmmh3bVrdezJSqTNiG/5DCdYi8iqGcUzvUfkhhzT44VcUI7MIgI
-            VhLLk21M3eITbXKNPbOvkbXm/y1EeDeVNLg1JeqcXA43V5RBOKw3qKFheD+Se3bS
-            WAHZQxWslmuEvXVgWiewK+sh0x3uY7dCHN3Tcs1dggonAZBD1MIaKNutmPT1h8Nx
-            NtXsIaXB23oTv5xZ7R6b5B0NnVUFFok4VzYwSZBxPDBX9RQp9ErYX/o=
-            =uD2V
-            -----END PGP MESSAGE-----
-          fp: 9794c486d5673ff6613f6cde774d4895eb911703
-    unencrypted_suffix: _unencrypted
-    version: 3.7.3
diff --git a/nixos/cobalt/services/README.md b/nixos/cobalt/services/README.md
deleted file mode 100644
index 89d9ca5..0000000
--- a/nixos/cobalt/services/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# colmena/cobalt/services
-
-A list of 'pluggable' services.
-TODO: this should be moved to /modules/ and
-converted to modules.
diff --git a/nixos/cobalt/services/acme.nix b/nixos/cobalt/services/acme.nix
deleted file mode 100644
index f8816d4..0000000
--- a/nixos/cobalt/services/acme.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ config, ... }:
-
-let
-  poorObfuscation = y: x: "${x}@${y}";
-in
-{
-  sops.secrets.hetzner-dns-key = {
-    owner = "acme";
-  };
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = poorObfuscation "sefidel.com" "postmaster";
-    certs = {
-      "sefidel.com" = {
-        domain = "sefidel.com";
-        extraDomainNames = [
-          "bouncer.sefidel.com"
-          "git.sefidel.com"
-          "matrix.sefidel.com"
-          "social.sefidel.com"
-        ];
-        dnsProvider = "hetzner";
-        dnsPropagationCheck = true;
-        credentialsFile = config.sops.secrets.hetzner-dns-key.path;
-      };
-    };
-  };
-
-  environment.persistence."/persist".directories = [
-    "/var/lib/acme"
-  ];
-}
diff --git a/nixos/cobalt/services/akkoma-assets/blocklist.toml b/nixos/cobalt/services/akkoma-assets/blocklist.toml
deleted file mode 100644
index e5eac7a..0000000
--- a/nixos/cobalt/services/akkoma-assets/blocklist.toml
+++ /dev/null
@@ -1,163 +0,0 @@
-[followers_only]
-
-[media_nsfw]
-
-[reject]
-"*.tk" = "Free TLD"
-"*.ml" = "Free TLD"
-"*.ga" = "Free TLD"
-"*.cf" = "Free TLD"
-"*.gq" = "Free TLD"
-# Reject list from chaos.social at 2023-02-06
-"activitypub-proxy.cf" = "Only exists to evade instance blocks, details"
-"activitypub-troll.cf" = "Spam"
-"aethy.com" = "Lolicon"
-"bae.st" = "Discrimination, racism, “free speech zone”"
-"baraag.net" = "Lolicon"
-"banepo.st" = "Homophobia"
-"beefyboys.club" = "Discrimination, racism, “free speech zone”"
-"beefyboys.win" = "Discrimination, racism, “free speech zone”"
-"beta.birdsite.live" = "Twitter crossposter"
-"birb.elfenban.de" = "Twitter crossposter"
-"bird.evilcyberhacker.net" = "Twitter crossposter"
-"bird.froth.zone" = "Twitter crossposter"
-"bird.geiger.ee" = "Twitter crossposter"
-"bird.im-in.space" = "Twitter crossposter"
-"bird.istheguy.com" = "Twitter crossposter"
-"bird.karatek.net" = "Twitter crossposter"
-"bird.makeup" = "Twitter crossposter"
-"bird.nzbr.de" = "Twitter crossposter"
-"bird.r669.live" = "Twitter crossposter"
-"bird.seafoam.space" = "Twitter crossposter"
-"birdbots.leptonics.com" = "Twitter crossposter"
-"birdsite.b93.dece.space" = "Twitter crossposter"
-"birdsite.blazelights.dev" = "Twitter crossposter"
-"birdsite.frog.fashion" = "Twitter crossposter"
-"birdsite.gabeappleton.me" = "Twitter crossposter"
-"birdsite.james.moody.name" = "Twitter crossposter"
-"birdsite.koyu.space" = "Twitter crossposter"
-"birdsite.lakedrops.com" = "Twitter crossposter"
-"birdsite.link" = "Twitter crossposter"
-"birdsite.monster" = "Twitter crossposter"
-"birdsite.oliviaappleton.com" = "Twitter crossposter"
-"birdsite.platypush.tech" = "Twitter crossposter"
-"birdsite.slashdev.space" = "Twitter crossposter"
-"birdsite.tcjc.uk" = "Twitter crossposter"
-"birdsite.thorlaksson.com" = "Twitter crossposter"
-"birdsite.toot.si" = "Twitter crossposter"
-"birdsite.wilde.cloud" = "Twitter crossposter"
-"birdsitelive.ffvo.dev" = "Twitter crossposter"
-"birdsitelive.kevinyank.com" = "Twitter crossposter"
-"birdsitelive.peanutlasko.com" = "Twitter crossposter"
-"birdsitelive.treffler.cloud" = "Twitter crossposter"
-"bridge.birb.space" = "Twitter crossposter"
-"brighteon.social" = "“free speech zone”"
-"cawfee.club" = "Discrimination, racism, “free speech zone”"
-"childpawn.shop" = "Pedophilia"
-"chudbuds.lol" = "Discrimination, racism, “free speech zone”"
-"club.darknight-coffee.eu" = "“free speech zone”"
-"clubcyberia.co" = "Homophobia"
-"clube.social" = "Harassment"
-"comfyboy.club" = "Discrimination, racism"
-"cum.camp" = "Harassment"
-"cum.salon" = "Misogynic, pedophilia"
-"daishouri.moe" = "Fascism, openly advertises with swastika"
-"detroitriotcity.com" = "Discrimination, racism, “free speech zone”"
-"eientei.org" = "Racism, antisemitism"
-"eveningzoo.club" = "Discrimination, racism, “free speech zone”"
-"f.haeder.net" = "Discrimination"
-"freak.university" = "Pedophilia"
-"freeatlantis.com" = "Conspiracy theory instance"
-"freecumextremist.com" = "Discrimination, racism, “free speech zone”"
-"freefedifollowers.ga" = "Follower spam"
-"freespeechextremist.com" = "Discrimination, racism, “free speech zone”"
-"frennet.link" = "Discrimination, racism, “free speech zone”"
-"froth.zone" = "Calls freespeechextremist their local bubble"
-"gab.com/.ai, develop.gab.com" = "Discrimination, racism, “free speech zone”"
-"gameliberty.club" = "“free speech zone”"
-"gegenstimme.tv" = "“free speech zone”"
-"genderheretics.xyz" = "Tagline “Now With 41% More Misgendering!”"
-"gitmo.life" = "“free speech zone”"
-"gleasonator.com" = "Transphobia, TERFs"
-"glindr.org" = "Discrimination"
-"glowers.club" = "Discrimination, racism, “free speech zone”"
-"honkwerx.tech" = "Racism"
-"iamterminally.online" = "Discrimination, racism, “free speech zone”"
-"iddqd.social" = "Discrimination, racism, “free speech zone”"
-"itmslaves.com" = "“free speech zone”, noagenda affiliated"
-"jaeger.website" = "Discrimination, racism, “free speech zone”"
-"kenfm.quadplay.tv" = "Conspiracy videos"
-"kiwifarms.cc" = "Discrimination"
-"lgbtfree.zone" = "Racism, transphobia, all that"
-"liberdon.com" = "Conspiracy theories, transphobia, racism"
-"libre.tube" = "Promotion of violence and murder, multiple other violations of our rules"
-"lolicon.rocks" = "Lolicon"
-"lolison.top" = "Lolicon, paedophilia"
-"mastinator.com" = "Block evasion, unwanted profile mirroring, and more"
-"mastodon.network" = "Instance went down, now porn spam"
-"mastodon.popps.org" = "Homophobia"
-"mastodong.lol" = "Admin maintains and runs activitypub-proxy.cf"
-"meta-tube.de" = "Conspiracy, CoVid19 denier videos https://fediblock.org/blocklist/#meta-tube.de"
-"midnightride.rs" = "Discrimination"
-"misskey-forkbomb.cf" = "Spam"
-"morale.ch" = "Antisemitism and more"
-"mstdn.foxfam.club" = "Right wing twitter mirror"
-"natehiggers.online" = "Racism"
-"newjack.city" = "Exclusive to unwanted follow bots"
-"nicecrew.digital" = "Discrimination, racism, “free speech zone”"
-"noagendasocial.com" = "“free speech zone”, harassment"
-"noagendasocial.nl" = "“free speech zone”, harassment"
-"noagendatube.com" = "“free speech zone”, harassment"
-"ns.auction" = "Racism etc"
-"ohai.su" = "Offline"
-"pawoo.net" = "Untagged nfsw content, unwanted follow bots, lolicon"
-"paypig.org" = "Racism"
-"pieville.net" = "Racism, antisemitism"
-"pl.serialmay.link" = "Racism, transphobia"
-"pl.tkammer.de" = "Transphobia"
-"play.xmr.101010.pl" = "Cryptomining"
-"pleroma.kitsunemimi.club" = "Discrimination"
-"pleroma.narrativerry.xyz" = "Discrimination, racism, “free speech zone”"
-"pleroma.nobodyhasthe.biz" = "Doxxing and discrimination"
-"pleroma.rareome.ga" = "Doesn’t respect blocks or status privacy, lolicons"
-"poa.st" = "Discrimination"
-"podcastindex.social" = "noagenda affiliated"
-"poster.place" = "Discrimination, racism, “free speech zone”, harassment in response to blocks"
-"qoto.org" = "“free speech zone”, harassment"
-"rapemeat.solutions" = "Lolicon and also, like, the domain name"
-"rdrama.cc" = "Discrimination, “free speech zone”, racism"
-"repl.co" = "Spam"
-"rojogato.com" = "Harassment, “free speech zone”"
-"ryona.agency" = "Alt-right trolls, harassment"
-"seal.cafe" = "Discrimination, racism, “free speech zone”"
-"shitpost.cloud" = "“Free speech zone”, antisemitism"
-"shitposter.club" = "“Free speech zone”"
-"shortstackran.ch" = "Racism, homophobia, “free speech zone”"
-"shota.house" = "Lolicon"
-"skippers-bin.com" = "Same admin as neckbeard.xyz, same behaviour"
-"sleepy.cafe" = "Racism, harassment"
-"sneak.berlin" = "privacy violation"
-"sneed.social" = "Discrimination, racism, “free speech zone”, nationalism, hate speech, completely unmoderated"
-"soc.ua-fediland.de" = "Spam"
-"social.ancreport.com" = "Discrimination, racism, “free speech zone”"
-"social.lovingexpressions.net" = "Transphobia"
-"social.teci.world" = "Discrimination, racism, “free speech zone”"
-"social.urspringer.de" = "Conspiracy, CoVid19 denier"
-"socnet.supes.com" = "Right wing “free speech zone”"
-"solagg.com" = "Scammers"
-"spinster.xyz" = "Discrimination, TERFs"
-"tastingtraffic.net" = "Homophobia"
-"truthsocial.co.in" = "Alt-right trolls"
-"tube.kenfm.de" = "Right-wing conspiracy videos"
-"tube.querdenken-711.de" = "Right-wing onspiracy videos"
-"tweet.pasture.moe" = "Twitter crossposter"
-"tweetbridge.kogasa.de" = "Twitter crossposter"
-"tweets.icu" = "Twitter crossposter"
-"twitter.activitypub.actor" = "Twitter crossposter"
-"twitter.doesnotexist.club" = "Twitter crossposter"
-"twitterbridge.jannis.rocks" = "Twitter crossposter"
-"twtr.plus" = "Twitter crossposter"
-"varishangout.net" = "Transphobia and racism go unmoderated, aggressive trolling, lolicon permitted in rules"
-"wiki-tube.de" = "Right-wing conspiracy videos (initial video welcomes Querdenken and KenFM)"
-"wolfgirl.bar" = "Discrimination, homophobia, unmoderated trolling"
-"yggdrasil.social" = "Instance rules: “No LGBTQ. Period. No homosexuality. No men who think they’re women or women who think they’re men. No made up genders.”"
diff --git a/nixos/cobalt/services/akkoma-assets/logo.png b/nixos/cobalt/services/akkoma-assets/logo.png
deleted file mode 100644
index 7744b1a..0000000
--- a/nixos/cobalt/services/akkoma-assets/logo.png
+++ /dev/null
Binary files differdiff --git a/nixos/cobalt/services/akkoma-assets/logo.svg b/nixos/cobalt/services/akkoma-assets/logo.svg
deleted file mode 100644
index 68e647e..0000000
--- a/nixos/cobalt/services/akkoma-assets/logo.svg
+++ /dev/null
@@ -1,71 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg
-   xmlns:dc="http://purl.org/dc/elements/1.1/"
-   xmlns:cc="http://creativecommons.org/ns#"
-   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
-   xmlns:svg="http://www.w3.org/2000/svg"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   version="1.1"
-   id="svg4485"
-   width="512"
-   height="512"
-   viewBox="0 0 512 512"
-   sodipodi:docname="logo.svg"
-   inkscape:version="1.0.1 (3bc2e813f5, 2020-09-07)">
-  <metadata
-     id="metadata4491">
-    <rdf:RDF>
-      <cc:Work
-         rdf:about="">
-        <dc:format>image/svg+xml</dc:format>
-        <dc:type
-           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
-        <dc:title />
-      </cc:Work>
-    </rdf:RDF>
-  </metadata>
-  <defs
-     id="defs4489" />
-  <sodipodi:namedview
-     pagecolor="#ffffff"
-     bordercolor="#666666"
-     borderopacity="1"
-     objecttolerance="10"
-     gridtolerance="10"
-     guidetolerance="10"
-     inkscape:pageopacity="0"
-     inkscape:pageshadow="2"
-     inkscape:window-width="1274"
-     inkscape:window-height="1410"
-     id="namedview4487"
-     showgrid="false"
-     inkscape:zoom="1.2636719"
-     inkscape:cx="305.99333"
-     inkscape:cy="304.30809"
-     inkscape:window-x="1280"
-     inkscape:window-y="22"
-     inkscape:window-maximized="0"
-     inkscape:current-layer="g4612"
-     inkscape:document-rotation="0" />
-  <g
-     id="g4612">
-    <g
-       id="g850"
-       transform="matrix(0.99659595,0,0,0.99659595,0.37313949,0.87143746)">
-      <path
-         style="opacity:1;fill:#fba457;fill-opacity:1;stroke:#009bff;stroke-width:0;stroke-linecap:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:0.175879"
-         d="m 194.75841,124.65165 a 20.449443,20.449443 0 0 0 -20.44944,20.44945 v 242.24725 h 65.28091 v -262.6967 z"
-         id="path4497" />
-      <path
-         style="fill:#fba457;fill-opacity:1;stroke:#000000;stroke-width:0;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-         d="M 272.6236,124.65165 V 256 h 45.61799 a 20.449443,20.449443 0 0 0 20.44944,-20.44945 v -110.8989 z"
-         id="path4516" />
-      <path
-         style="opacity:1;fill:#fba457;fill-opacity:1;stroke:#000000;stroke-width:0;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-         d="m 272.6236,322.06744 v 65.28091 h 45.61799 a 20.449443,20.449443 0 0 0 20.44944,-20.44945 v -44.83146 z"
-         id="path4516-5" />
-    </g>
-  </g>
-</svg>
diff --git a/nixos/cobalt/services/akkoma-assets/robots.txt b/nixos/cobalt/services/akkoma-assets/robots.txt
deleted file mode 100644
index 1f53798..0000000
--- a/nixos/cobalt/services/akkoma-assets/robots.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-User-agent: *
-Disallow: /
diff --git a/nixos/cobalt/services/akkoma.nix b/nixos/cobalt/services/akkoma.nix
deleted file mode 100644
index c390e7d..0000000
--- a/nixos/cobalt/services/akkoma.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-{ pkgs, lib, ... }:
-
-let
-  poorObfuscation = y: x: "${x}@${y}";
-  federation-blocklist = lib.importTOML ./akkoma-assets/blocklist.toml;
-
-  # ifd3f/infra
-  wrapFile = name: path:
-    (pkgs.runCommand name { inherit path; } ''
-      cp -r "$path" "$out"
-    '');
-in
-{
-  services.akkoma = {
-    enable = true;
-    initDb.enable = true;
-
-    extraStatic = {
-      "static/logo.svg" = wrapFile "logo.svg" ./akkoma-assets/logo.svg;
-      "static/logo.png" = wrapFile "logo.png" ./akkoma-assets/logo.png;
-    };
-    config = let inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkMap;
-    in {
-      ":pleroma"."Pleroma.Web.Endpoint".url.host = "social.sefidel.com";
-      ":pleroma".":media_proxy".enabled = false;
-      ":pleroma".":instance" = {
-        name = "Akkoma on sefidel";
-        description = "Private akkoma instance";
-        email = poorObfuscation "sefidel.com" "postmaster";
-        notify_email = poorObfuscation "sefidel.com" "postmaster";
-
-        registrations_open = false;
-        invites_enabled = true;
-
-        limit = 5000;
-      };
-      ":pleroma".":frontend_configurations" = {
-        pleroma_fe = mkMap {
-          logo = "/static/logo.png";
-        };
-      };
-      ":pleroma".":mrf" = {
-        policies = map mkRaw [ "Pleroma.Web.ActivityPub.MRF.SimplePolicy" ];
-      };
-      ":pleroma".":mrf_simple" = {
-        followers_only = mkMap federation-blocklist.followers_only;
-        media_nsfw = mkMap federation-blocklist.media_nsfw;
-        reject = mkMap federation-blocklist.reject;
-      };
-    };
-
-    nginx = {
-      forceSSL = true;
-      useACMEHost = "sefidel.com";
-    };
-  };
-}
diff --git a/nixos/cobalt/services/cgit.nix b/nixos/cobalt/services/cgit.nix
deleted file mode 100644
index c0cd948..0000000
--- a/nixos/cobalt/services/cgit.nix
+++ /dev/null
@@ -1,105 +0,0 @@
-{ pkgs, ... }:
-
-{
-  services.uwsgi = {
-    enable = true;
-    user = "nginx";
-    group = "nginx";
-    plugins = [ "cgi" ];
-
-    instance = {
-      type = "emperor";
-      vassals = {
-        cgit = {
-          type = "normal";
-          master = true;
-          socket = "/run/uwsgi/cgit.sock";
-          procname-master = "uwsgi cgit";
-          plugins = [ "cgi" ];
-          cgi = "${pkgs.cgit-pink}/cgit/cgit.cgi";
-        };
-      };
-    };
-  };
-
-  users.extraUsers.nginx.extraGroups = [ "git" ];
-
-  services.nginx.virtualHosts."git.sefidel.com" = {
-    forceSSL = true;
-    useACMEHost = "sefidel.com";
-    root = "${pkgs.cgit-pink}/cgit";
-    locations = {
-      "/" = {
-        extraConfig = ''
-          try_files $uri @cgit;
-        '';
-      };
-      "@cgit" = {
-        extraConfig = ''
-          uwsgi_pass unix:/run/uwsgi/cgit.sock;
-          include ${pkgs.nginx}/conf/uwsgi_params;
-          uwsgi_modifier1 9;
-        '';
-      };
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-  systemd.services.create-cgit-cache = {
-    description = "Create cache directory for cgit";
-    enable = true;
-
-    script = ''
-      mkdir -p /run/cgit
-      chown -R nginx:nginx /run/cgit
-    '';
-
-    wantedBy = [ "uwsgi.service" ];
-    serviceConfig = {
-      Type = "oneshot";
-    };
-  };
-
-  environment.etc."cgitrc".text = ''
-    virtual-root=/
-
-    cache-size=1000
-    cache-root=/run/cgit
-
-    root-title=sefidel git
-    root-desc=Exotic place.
-
-    snapshots=tar.gz zip
-
-    enable-git-config=1
-    remove-suffix=1
-
-    enable-git-clone=1
-    enable-index-links=1
-    enable-commit-graph=1
-    enable-log-filecount=1
-    enable-log-linecount=1
-
-    branch-sort=age
-
-    readme=:README
-    readme=:readme
-    readme=:README.md
-    readme=:readme.md
-    readme=:README.org
-    readme=:readme.org
-
-    source-filter=${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py
-    about-filter=${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh
-
-    section-from-path=2
-
-    project-list=/var/lib/gitolite/projects.list
-    scan-path=/var/lib/gitolite/repositories
-  '';
-
-  imports = [
-    ./nginx.nix
-  ];
-}
diff --git a/nixos/cobalt/services/dendrite.nix b/nixos/cobalt/services/dendrite.nix
deleted file mode 100644
index af1af32..0000000
--- a/nixos/cobalt/services/dendrite.nix
+++ /dev/null
@@ -1,157 +0,0 @@
-{ config, ... }:
-
-let
-  database = {
-    connection_string = "postgres:///dendrite?host=/run/postgresql";
-    max_open_conns = 97;
-    max_idle_conns = 5;
-    conn_max_lifetime = -1;
-  };
-in
-{
-  # Adapted from Mic92/dotfiles, (C) 2021 Jörg Thalheim (MIT)
-  sops.secrets.matrix-server-key = { };
-
-  services.dendrite = {
-    enable = true;
-    settings = {
-      global = {
-        server_name = "sefidel.com";
-        # `private_key` has the type `path`
-        # prefix a `/` to make `path` happy
-        private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key";
-        trusted_third_party_id_servers = [
-          "matrix.org"
-          "vector.im"
-        ];
-        metrics.enable = true;
-      };
-      logging = [
-        {
-          type = "std";
-          level = "warn";
-        }
-      ];
-      app_service_api = {
-        inherit database;
-        config_files = [ ];
-      };
-      client_api = {
-        registration_disabled = true;
-        rate_limiting.enabled = false;
-        # registration_shared_secret = ""; # Initially set this option to configure the admin user.
-      };
-      media_api = {
-        inherit database;
-        dynamic_thumbnails = true;
-      };
-      room_server = {
-        inherit database;
-      };
-      push_server = {
-        inherit database;
-      };
-      mscs = {
-        inherit database;
-        mscs = [ "msc2836" "msc2946" ];
-      };
-      sync_api = {
-        inherit database;
-        real_ip_header = "X-Real-IP";
-      };
-      key_server = {
-        inherit database;
-      };
-      federation_api = {
-        inherit database;
-        key_perspectives = [
-          {
-            server_name = "matrix.org";
-            keys = [
-              {
-                key_id = "ed25519:auto";
-                public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
-              }
-              {
-                key_id = "ed25519:a_RXGa";
-                public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
-              }
-            ];
-          }
-        ];
-        prefer_direct_fetch = false;
-      };
-      user_api = {
-        account_database = database;
-        device_database = database;
-      };
-    };
-    loadCredential = [ "matrix-server-key:${config.sops.secrets.matrix-server-key.path}" ];
-  };
-
-  environment.persistence."/persist".directories = [
-    "/var/lib/private/dendrite"
-  ];
-
-  services.postgresql.enable = true;
-  services.postgresql.ensureDatabases = [ "dendrite" ];
-  services.postgresql.ensureUsers = [
-    {
-      name = "dendrite";
-      ensurePermissions."DATABASE dendrite" = "ALL PRIVILEGES";
-    }
-  ];
-
-
-  services.nginx.virtualHosts."matrix.sefidel.com" = {
-    forceSSL = true;
-    useACMEHost = "sefidel.com";
-    listen = [
-      { addr = "0.0.0.0"; port = 443; ssl = true; }
-      { addr = "[::]"; port = 443; ssl = true; }
-      { addr = "0.0.0.0"; port = 8448; ssl = true; }
-      { addr = "[::]"; port = 8448; ssl = true; }
-
-    ];
-    extraConfig = ''
-      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_read_timeout 600;
-      client_max_body_size 50M;
-    '';
-    locations."/_matrix".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}";
-    locations."/_dendrite".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}";
-    locations."/_synapse".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}";
-    # TODO: web client
-  };
-
-  services.nginx.virtualHosts."sefidel.com" =
-    let
-      server-hello = { "m.server" = "matrix.sefidel.com:443"; };
-      client-hello = {
-        "m.homeserver"."base_url" = "https://matrix.sefidel.com";
-        "m.identity_server"."base_url" = "https://vector.im";
-      };
-    in
-    {
-      forceSSL = true;
-      useACMEHost = "sefidel.com";
-      locations = {
-        "/.well-known/matrix/server" = {
-          extraConfig = ''
-            add_header Content-Type application/json;
-            return 200 '${builtins.toJSON server-hello}';
-          '';
-        };
-        "/.well-known/matrix/client" = {
-          extraConfig = ''
-            add_header Content-Type application/json;
-            add_header Access-Control-Allow-Origin *;
-            return 200 '${builtins.toJSON client-hello}';
-          '';
-        };
-      };
-    };
-
-  networking.firewall.allowedTCPPorts = [ 8448 ];
-}
diff --git a/nixos/cobalt/services/fail2ban.nix b/nixos/cobalt/services/fail2ban.nix
deleted file mode 100644
index 9731ef6..0000000
--- a/nixos/cobalt/services/fail2ban.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  services.fail2ban = {
-    enable = true;
-  };
-}
diff --git a/nixos/cobalt/services/git-daemon.nix b/nixos/cobalt/services/git-daemon.nix
deleted file mode 100644
index 21e957e..0000000
--- a/nixos/cobalt/services/git-daemon.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  services.gitDaemon = {
-    enable = true;
-    createUserAndGroup = false;
-    basePath = "/var/lib/gitolite/repositories";
-  };
-
-  networking.firewall.allowedTCPPorts = [ 9418 ];
-
-  disabledModules = [ "services/networking/git-daemon.nix" ];
-
-  imports = [
-    ../modules/git-daemon.nix
-  ];
-}
diff --git a/nixos/cobalt/services/gitolite-noncore/fix-refs b/nixos/cobalt/services/gitolite-noncore/fix-refs
deleted file mode 100644
index 8ffec9e..0000000
--- a/nixos/cobalt/services/gitolite-noncore/fix-refs
+++ /dev/null
@@ -1,9 +0,0 @@
-[[ $4 == W ]] || exit 0
-
-cd $GL_REPO_BASE/$2.git
-
-head=`git symbolic-ref HEAD`
-[[ -f $head ]] || {
-  set -- refs/heads/*
-  git symbolic-ref HEAD $1
-}
diff --git a/nixos/cobalt/services/gitolite-noncore/rename b/nixos/cobalt/services/gitolite-noncore/rename
deleted file mode 100644
index 00aa5ca..0000000
--- a/nixos/cobalt/services/gitolite-noncore/rename
+++ /dev/null
@@ -1,62 +0,0 @@
-
-# Usage:    ssh git@host rename [-c] <repo1> <repo2>
-#
-# Renames repo1 to repo2. You must be the creator of repo1, and have
-# create ("C") permissions for repo2, which of course must not exist.
-# Alternatively you must be an account admin, that is, you must have
-# write access to the gitolite-admin repository. If you have "C"
-# permissions for repo2 then you can use the -c option to take over
-# as creator of the repository.
-
-die() { echo "$@" >&2; exit 1; }
-usage() { perl -lne 'print substr($_, 2) if /^# Usage/../^$/' < $0; exit 1; }
-[ -z "$1" ] && usage
-[ "$1" = "-h" ] && usage
-[ -z "$GL_USER" ] && die GL_USER not set
-
-# ----------------------------------------------------------------------
-
-if [ "$1" = "-c" ]
-then	shift
-	takeover=true
-else	takeover=false
-fi
-
-from="$1"; shift
-to="$1"; shift
-[ -z "$to" ] && usage
-
-topath=$GL_REPO_BASE/$to.git
-
-checkto() {
-	gitolite access -q "$to" $GL_USER ^C any ||
-		die "'$to' already exists or you are not allowed to create it"
-}
-
-if gitolite access -q gitolite-admin $GL_USER
-then
-	# the user is an admin so we can avoid most permission checks
-	if $takeover
-	then checkto
-	elif [ -e $topath ]
-	then die "'$to' already exists"
-	fi
-else
-	# the user isn't an admin, so do all the checks
-	checkto
-	gitolite creator "$from" $GL_USER ||
-		die "'$from' does not exist or you are not allowed to delete it"
-fi
-
-# ----------------------------------------------------------------------
-
-mv $GL_REPO_BASE/$from.git $topath
-[ $? -ne 0 ] && exit 1
-
-$takeover && echo $GL_USER > $topath/gl-creator
-
-[ -f "$HOME/projects.list" ] && sed "s:$from.git$:$to.git:g" -i "$HOME/projects.list"
-
-echo "$from renamed to $to" >&2
-
-exit
diff --git a/nixos/cobalt/services/gitolite.nix b/nixos/cobalt/services/gitolite.nix
deleted file mode 100644
index 94c7ac9..0000000
--- a/nixos/cobalt/services/gitolite.nix
+++ /dev/null
@@ -1,109 +0,0 @@
-{ pkgs, ... }:
-
-let
-  # https://groups.google.com/g/gitolite/c/NwZ1-hq9-9E/m/mDbiKyAvDwAJ
-  fixRefsTrigger = pkgs.writeText "fix-refs" ''
-    [[ $4 == W ]] || exit 0
-
-    cd $GL_REPO_BASE/$2.git
-
-    head=`git symbolic-ref HEAD`
-    [[ -f $head ]] || {
-      set -- refs/heads/*
-      git symbolic-ref HEAD $1
-    }
-  '';
-in
-{
-  services.gitolite = {
-    enable = true;
-    user = "git";
-    group = "git";
-    adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDi7GGOGVj1Y5Sc1EW6zEdrp78dS6hvmS348pqu9dUsB openpgp:0x6BE7BD6F";
-    extraGitoliteRc = ''
-      $RC{UMASK} = 0027;
-      $RC{GIT_CONFIG_KEYS} = '.*';
-      $RC{ROLES}{OWNERS} = 1;
-      $RC{OWNER_ROLENAME} = 'OWNERS';
-      # For some unknown reason, $ENV{HOME} doesn't get resolved to the correct
-      # directory.
-      # $RC{LOCAL_CODE} = '$ENV{HOME}/local';
-      $RC{LOCAL_CODE} = '/var/lib/gitolite/local';
-      push(@{$RC{ENABLE}}, 'D');
-      push(@{$RC{ENABLE}}, 'symbolic-ref');
-      push(@{$RC{ENABLE}}, 'rename');
-      push(@{$RC{POST_GIT}}, 'fix-refs');
-      # push(@{$RC{ENABLE}}, 'set-default-roles');
-      # push(@{$RC{ENABLE}}, 'create');
-      # push(@{$RC{ENABLE}}, 'fork');
-
-    '';
-  };
-
-  environment.persistence."/persist".directories = [
-    "/var/lib/gitolite"
-  ];
-
-  system.activationScripts.gitolite-create-local = ''
-    mkdir -p /var/lib/gitolite/local/triggers
-    mkdir -p /var/lib/gitolite/local/commands
-    chown -R git:git /var/lib/gitolite/local
-  '';
-
-  systemd.tmpfiles.rules = [
-    "C /var/lib/gitolite/local/triggers/fix-refs 755 - - - ${./gitolite-noncore/fix-refs}"
-    "C /var/lib/gitolite/local/commands/rename 755 - - - ${./gitolite-noncore/rename}"
-  ];
-
-
-  systemd.timers."gitolite-trash-cleanup" = {
-    wantedBy = [ "timers.target" ];
-    timerConfig = {
-      OnCalendar = "*-*-* 00:00:00";
-      Unit = "gitolite-trash-cleanup.service";
-    };
-  };
-
-  systemd.services."gitolite-trash-cleanup" = {
-    script = ''
-      set -euo pipefail
-      if [ ! -d "Trash" ] ; then
-        echo Trash directory is nonexistent!
-        echo No operations to perform. Exiting.
-        exit 0
-      fi
-
-      match=$(find Trash -type d -regextype posix-extended -regex ".*/[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}:[0-9]{2}:[0-9]{2}$")
-      processed_entry=0
-      removed_entry=0
-
-      for dir in $match
-      do
-        system_timestamp=$(date +%s)
-        trash_timestamp=$(basename $dir | sed -e "s/_/ /g" | date -f - +%s)
-        age=$(( $system_timestamp - $trash_timestamp ))
-        # Wipe trashes older than 2w
-        if [[ age -gt 1209600 ]] ; then
-          echo "Removing '$dir' (age $age)"
-          rm -rf $dir
-          ((removed_entry+=1))
-        fi
-        ((processed_entry+=1))
-      done
-
-      echo "Directories that needs cleanup:"
-      find Trash -type d -empty -print -delete
-      echo "Cleaned empty directories."
-
-      echo "Done! Removed $removed_entry/$processed_entry"
-    '';
-
-    path = with pkgs; [ bash util-linux coreutils ];
-
-    serviceConfig = {
-      Type = "oneshot";
-      User = "git";
-      WorkingDirectory = "/var/lib/gitolite/repositories";
-    };
-  };
-}
diff --git a/nixos/cobalt/services/nginx.nix b/nixos/cobalt/services/nginx.nix
deleted file mode 100644
index cb5ced3..0000000
--- a/nixos/cobalt/services/nginx.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  services.nginx = {
-    enable = true;
-
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedTlsSettings = true;
-  };
-
-  users.extraUsers.nginx.extraGroups = [ "acme" ];
-
-  imports = [
-    ./acme.nix
-  ];
-}
diff --git a/nixos/cobalt/services/soju.nix b/nixos/cobalt/services/soju.nix
deleted file mode 100644
index bab8a5b..0000000
--- a/nixos/cobalt/services/soju.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ config, ... }:
-
-{
-  services.soju = {
-    enable = true;
-    extraGroups = [ "acme" ];
-    hostName = "cobalt.sefidel.com";
-    listen = [
-      ":6697"
-    ];
-    tlsCertificate = "${config.security.acme.certs."sefidel.com".directory}/cert.pem";
-    tlsCertificateKey = "${config.security.acme.certs."sefidel.com".directory}/key.pem";
-  };
-
-  networking.firewall.allowedTCPPorts = [ 6697 ];
-
-  environment.persistence."/persist".directories = [
-    "/var/lib/private/soju"
-  ];
-
-  # TODO: remove this once merged
-  disabledModules = [ "services/networking/soju.nix" ];
-
-  imports = [
-    ./acme.nix
-    ../modules/soju.nix
-  ];
-}
diff --git a/nixos/colmena.nix b/nixos/colmena.nix
deleted file mode 100644
index 99945e6..0000000
--- a/nixos/colmena.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ self, unstable, unstable-small, ... } @ inputs:
-
-{
-  meta = {
-    nixpkgs = import unstable {
-      system = "x86_64-linux";
-    };
-  };
-
-  defaults = { pkgs, ... }: {
-    environment.systemPackages = with pkgs; [
-      curl
-      vim
-    ];
-  };
-
-  cobalt = self.lib.mkColmena {
-    name = "cobalt";
-    system = "x86_64-linux";
-    inputs = inputs;
-    deployment = {
-      targetHost = "cobalt.sefidel.com";
-      targetPort = 22;
-      targetUser = "root";
-    };
-    time.timeZone = "UTC";
-  };
-}