about summary refs log tree commit diff
path: root/nixos/cobalt/services
diff options
context:
space:
mode:
Diffstat (limited to 'nixos/cobalt/services')
-rw-r--r--nixos/cobalt/services/README.md5
-rw-r--r--nixos/cobalt/services/acme.nix33
-rw-r--r--nixos/cobalt/services/akkoma-assets/blocklist.toml163
-rw-r--r--nixos/cobalt/services/akkoma-assets/logo.pngbin1304 -> 0 bytes
-rw-r--r--nixos/cobalt/services/akkoma-assets/logo.svg71
-rw-r--r--nixos/cobalt/services/akkoma-assets/robots.txt2
-rw-r--r--nixos/cobalt/services/akkoma.nix57
-rw-r--r--nixos/cobalt/services/cgit.nix105
-rw-r--r--nixos/cobalt/services/dendrite.nix157
-rw-r--r--nixos/cobalt/services/fail2ban.nix5
-rw-r--r--nixos/cobalt/services/git-daemon.nix15
-rw-r--r--nixos/cobalt/services/gitolite-noncore/fix-refs9
-rw-r--r--nixos/cobalt/services/gitolite-noncore/rename62
-rw-r--r--nixos/cobalt/services/gitolite.nix109
-rw-r--r--nixos/cobalt/services/nginx.nix15
-rw-r--r--nixos/cobalt/services/soju.nix28
16 files changed, 0 insertions, 836 deletions
diff --git a/nixos/cobalt/services/README.md b/nixos/cobalt/services/README.md
deleted file mode 100644
index 89d9ca5..0000000
--- a/nixos/cobalt/services/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# colmena/cobalt/services
-
-A list of 'pluggable' services.
-TODO: this should be moved to /modules/ and
-converted to modules.
diff --git a/nixos/cobalt/services/acme.nix b/nixos/cobalt/services/acme.nix
deleted file mode 100644
index f8816d4..0000000
--- a/nixos/cobalt/services/acme.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ config, ... }:
-
-let
-  poorObfuscation = y: x: "${x}@${y}";
-in
-{
-  sops.secrets.hetzner-dns-key = {
-    owner = "acme";
-  };
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = poorObfuscation "sefidel.com" "postmaster";
-    certs = {
-      "sefidel.com" = {
-        domain = "sefidel.com";
-        extraDomainNames = [
-          "bouncer.sefidel.com"
-          "git.sefidel.com"
-          "matrix.sefidel.com"
-          "social.sefidel.com"
-        ];
-        dnsProvider = "hetzner";
-        dnsPropagationCheck = true;
-        credentialsFile = config.sops.secrets.hetzner-dns-key.path;
-      };
-    };
-  };
-
-  environment.persistence."/persist".directories = [
-    "/var/lib/acme"
-  ];
-}
diff --git a/nixos/cobalt/services/akkoma-assets/blocklist.toml b/nixos/cobalt/services/akkoma-assets/blocklist.toml
deleted file mode 100644
index e5eac7a..0000000
--- a/nixos/cobalt/services/akkoma-assets/blocklist.toml
+++ /dev/null
@@ -1,163 +0,0 @@
-[followers_only]
-
-[media_nsfw]
-
-[reject]
-"*.tk" = "Free TLD"
-"*.ml" = "Free TLD"
-"*.ga" = "Free TLD"
-"*.cf" = "Free TLD"
-"*.gq" = "Free TLD"
-# Reject list from chaos.social at 2023-02-06
-"activitypub-proxy.cf" = "Only exists to evade instance blocks, details"
-"activitypub-troll.cf" = "Spam"
-"aethy.com" = "Lolicon"
-"bae.st" = "Discrimination, racism, “free speech zone”"
-"baraag.net" = "Lolicon"
-"banepo.st" = "Homophobia"
-"beefyboys.club" = "Discrimination, racism, “free speech zone”"
-"beefyboys.win" = "Discrimination, racism, “free speech zone”"
-"beta.birdsite.live" = "Twitter crossposter"
-"birb.elfenban.de" = "Twitter crossposter"
-"bird.evilcyberhacker.net" = "Twitter crossposter"
-"bird.froth.zone" = "Twitter crossposter"
-"bird.geiger.ee" = "Twitter crossposter"
-"bird.im-in.space" = "Twitter crossposter"
-"bird.istheguy.com" = "Twitter crossposter"
-"bird.karatek.net" = "Twitter crossposter"
-"bird.makeup" = "Twitter crossposter"
-"bird.nzbr.de" = "Twitter crossposter"
-"bird.r669.live" = "Twitter crossposter"
-"bird.seafoam.space" = "Twitter crossposter"
-"birdbots.leptonics.com" = "Twitter crossposter"
-"birdsite.b93.dece.space" = "Twitter crossposter"
-"birdsite.blazelights.dev" = "Twitter crossposter"
-"birdsite.frog.fashion" = "Twitter crossposter"
-"birdsite.gabeappleton.me" = "Twitter crossposter"
-"birdsite.james.moody.name" = "Twitter crossposter"
-"birdsite.koyu.space" = "Twitter crossposter"
-"birdsite.lakedrops.com" = "Twitter crossposter"
-"birdsite.link" = "Twitter crossposter"
-"birdsite.monster" = "Twitter crossposter"
-"birdsite.oliviaappleton.com" = "Twitter crossposter"
-"birdsite.platypush.tech" = "Twitter crossposter"
-"birdsite.slashdev.space" = "Twitter crossposter"
-"birdsite.tcjc.uk" = "Twitter crossposter"
-"birdsite.thorlaksson.com" = "Twitter crossposter"
-"birdsite.toot.si" = "Twitter crossposter"
-"birdsite.wilde.cloud" = "Twitter crossposter"
-"birdsitelive.ffvo.dev" = "Twitter crossposter"
-"birdsitelive.kevinyank.com" = "Twitter crossposter"
-"birdsitelive.peanutlasko.com" = "Twitter crossposter"
-"birdsitelive.treffler.cloud" = "Twitter crossposter"
-"bridge.birb.space" = "Twitter crossposter"
-"brighteon.social" = "“free speech zone”"
-"cawfee.club" = "Discrimination, racism, “free speech zone”"
-"childpawn.shop" = "Pedophilia"
-"chudbuds.lol" = "Discrimination, racism, “free speech zone”"
-"club.darknight-coffee.eu" = "“free speech zone”"
-"clubcyberia.co" = "Homophobia"
-"clube.social" = "Harassment"
-"comfyboy.club" = "Discrimination, racism"
-"cum.camp" = "Harassment"
-"cum.salon" = "Misogynic, pedophilia"
-"daishouri.moe" = "Fascism, openly advertises with swastika"
-"detroitriotcity.com" = "Discrimination, racism, “free speech zone”"
-"eientei.org" = "Racism, antisemitism"
-"eveningzoo.club" = "Discrimination, racism, “free speech zone”"
-"f.haeder.net" = "Discrimination"
-"freak.university" = "Pedophilia"
-"freeatlantis.com" = "Conspiracy theory instance"
-"freecumextremist.com" = "Discrimination, racism, “free speech zone”"
-"freefedifollowers.ga" = "Follower spam"
-"freespeechextremist.com" = "Discrimination, racism, “free speech zone”"
-"frennet.link" = "Discrimination, racism, “free speech zone”"
-"froth.zone" = "Calls freespeechextremist their local bubble"
-"gab.com/.ai, develop.gab.com" = "Discrimination, racism, “free speech zone”"
-"gameliberty.club" = "“free speech zone”"
-"gegenstimme.tv" = "“free speech zone”"
-"genderheretics.xyz" = "Tagline “Now With 41% More Misgendering!”"
-"gitmo.life" = "“free speech zone”"
-"gleasonator.com" = "Transphobia, TERFs"
-"glindr.org" = "Discrimination"
-"glowers.club" = "Discrimination, racism, “free speech zone”"
-"honkwerx.tech" = "Racism"
-"iamterminally.online" = "Discrimination, racism, “free speech zone”"
-"iddqd.social" = "Discrimination, racism, “free speech zone”"
-"itmslaves.com" = "“free speech zone”, noagenda affiliated"
-"jaeger.website" = "Discrimination, racism, “free speech zone”"
-"kenfm.quadplay.tv" = "Conspiracy videos"
-"kiwifarms.cc" = "Discrimination"
-"lgbtfree.zone" = "Racism, transphobia, all that"
-"liberdon.com" = "Conspiracy theories, transphobia, racism"
-"libre.tube" = "Promotion of violence and murder, multiple other violations of our rules"
-"lolicon.rocks" = "Lolicon"
-"lolison.top" = "Lolicon, paedophilia"
-"mastinator.com" = "Block evasion, unwanted profile mirroring, and more"
-"mastodon.network" = "Instance went down, now porn spam"
-"mastodon.popps.org" = "Homophobia"
-"mastodong.lol" = "Admin maintains and runs activitypub-proxy.cf"
-"meta-tube.de" = "Conspiracy, CoVid19 denier videos https://fediblock.org/blocklist/#meta-tube.de"
-"midnightride.rs" = "Discrimination"
-"misskey-forkbomb.cf" = "Spam"
-"morale.ch" = "Antisemitism and more"
-"mstdn.foxfam.club" = "Right wing twitter mirror"
-"natehiggers.online" = "Racism"
-"newjack.city" = "Exclusive to unwanted follow bots"
-"nicecrew.digital" = "Discrimination, racism, “free speech zone”"
-"noagendasocial.com" = "“free speech zone”, harassment"
-"noagendasocial.nl" = "“free speech zone”, harassment"
-"noagendatube.com" = "“free speech zone”, harassment"
-"ns.auction" = "Racism etc"
-"ohai.su" = "Offline"
-"pawoo.net" = "Untagged nfsw content, unwanted follow bots, lolicon"
-"paypig.org" = "Racism"
-"pieville.net" = "Racism, antisemitism"
-"pl.serialmay.link" = "Racism, transphobia"
-"pl.tkammer.de" = "Transphobia"
-"play.xmr.101010.pl" = "Cryptomining"
-"pleroma.kitsunemimi.club" = "Discrimination"
-"pleroma.narrativerry.xyz" = "Discrimination, racism, “free speech zone”"
-"pleroma.nobodyhasthe.biz" = "Doxxing and discrimination"
-"pleroma.rareome.ga" = "Doesn’t respect blocks or status privacy, lolicons"
-"poa.st" = "Discrimination"
-"podcastindex.social" = "noagenda affiliated"
-"poster.place" = "Discrimination, racism, “free speech zone”, harassment in response to blocks"
-"qoto.org" = "“free speech zone”, harassment"
-"rapemeat.solutions" = "Lolicon and also, like, the domain name"
-"rdrama.cc" = "Discrimination, “free speech zone”, racism"
-"repl.co" = "Spam"
-"rojogato.com" = "Harassment, “free speech zone”"
-"ryona.agency" = "Alt-right trolls, harassment"
-"seal.cafe" = "Discrimination, racism, “free speech zone”"
-"shitpost.cloud" = "“Free speech zone”, antisemitism"
-"shitposter.club" = "“Free speech zone”"
-"shortstackran.ch" = "Racism, homophobia, “free speech zone”"
-"shota.house" = "Lolicon"
-"skippers-bin.com" = "Same admin as neckbeard.xyz, same behaviour"
-"sleepy.cafe" = "Racism, harassment"
-"sneak.berlin" = "privacy violation"
-"sneed.social" = "Discrimination, racism, “free speech zone”, nationalism, hate speech, completely unmoderated"
-"soc.ua-fediland.de" = "Spam"
-"social.ancreport.com" = "Discrimination, racism, “free speech zone”"
-"social.lovingexpressions.net" = "Transphobia"
-"social.teci.world" = "Discrimination, racism, “free speech zone”"
-"social.urspringer.de" = "Conspiracy, CoVid19 denier"
-"socnet.supes.com" = "Right wing “free speech zone”"
-"solagg.com" = "Scammers"
-"spinster.xyz" = "Discrimination, TERFs"
-"tastingtraffic.net" = "Homophobia"
-"truthsocial.co.in" = "Alt-right trolls"
-"tube.kenfm.de" = "Right-wing conspiracy videos"
-"tube.querdenken-711.de" = "Right-wing onspiracy videos"
-"tweet.pasture.moe" = "Twitter crossposter"
-"tweetbridge.kogasa.de" = "Twitter crossposter"
-"tweets.icu" = "Twitter crossposter"
-"twitter.activitypub.actor" = "Twitter crossposter"
-"twitter.doesnotexist.club" = "Twitter crossposter"
-"twitterbridge.jannis.rocks" = "Twitter crossposter"
-"twtr.plus" = "Twitter crossposter"
-"varishangout.net" = "Transphobia and racism go unmoderated, aggressive trolling, lolicon permitted in rules"
-"wiki-tube.de" = "Right-wing conspiracy videos (initial video welcomes Querdenken and KenFM)"
-"wolfgirl.bar" = "Discrimination, homophobia, unmoderated trolling"
-"yggdrasil.social" = "Instance rules: “No LGBTQ. Period. No homosexuality. No men who think they’re women or women who think they’re men. No made up genders.”"
diff --git a/nixos/cobalt/services/akkoma-assets/logo.png b/nixos/cobalt/services/akkoma-assets/logo.png
deleted file mode 100644
index 7744b1a..0000000
--- a/nixos/cobalt/services/akkoma-assets/logo.png
+++ /dev/null
Binary files differdiff --git a/nixos/cobalt/services/akkoma-assets/logo.svg b/nixos/cobalt/services/akkoma-assets/logo.svg
deleted file mode 100644
index 68e647e..0000000
--- a/nixos/cobalt/services/akkoma-assets/logo.svg
+++ /dev/null
@@ -1,71 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<svg
-   xmlns:dc="http://purl.org/dc/elements/1.1/"
-   xmlns:cc="http://creativecommons.org/ns#"
-   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
-   xmlns:svg="http://www.w3.org/2000/svg"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   version="1.1"
-   id="svg4485"
-   width="512"
-   height="512"
-   viewBox="0 0 512 512"
-   sodipodi:docname="logo.svg"
-   inkscape:version="1.0.1 (3bc2e813f5, 2020-09-07)">
-  <metadata
-     id="metadata4491">
-    <rdf:RDF>
-      <cc:Work
-         rdf:about="">
-        <dc:format>image/svg+xml</dc:format>
-        <dc:type
-           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
-        <dc:title />
-      </cc:Work>
-    </rdf:RDF>
-  </metadata>
-  <defs
-     id="defs4489" />
-  <sodipodi:namedview
-     pagecolor="#ffffff"
-     bordercolor="#666666"
-     borderopacity="1"
-     objecttolerance="10"
-     gridtolerance="10"
-     guidetolerance="10"
-     inkscape:pageopacity="0"
-     inkscape:pageshadow="2"
-     inkscape:window-width="1274"
-     inkscape:window-height="1410"
-     id="namedview4487"
-     showgrid="false"
-     inkscape:zoom="1.2636719"
-     inkscape:cx="305.99333"
-     inkscape:cy="304.30809"
-     inkscape:window-x="1280"
-     inkscape:window-y="22"
-     inkscape:window-maximized="0"
-     inkscape:current-layer="g4612"
-     inkscape:document-rotation="0" />
-  <g
-     id="g4612">
-    <g
-       id="g850"
-       transform="matrix(0.99659595,0,0,0.99659595,0.37313949,0.87143746)">
-      <path
-         style="opacity:1;fill:#fba457;fill-opacity:1;stroke:#009bff;stroke-width:0;stroke-linecap:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:0.175879"
-         d="m 194.75841,124.65165 a 20.449443,20.449443 0 0 0 -20.44944,20.44945 v 242.24725 h 65.28091 v -262.6967 z"
-         id="path4497" />
-      <path
-         style="fill:#fba457;fill-opacity:1;stroke:#000000;stroke-width:0;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-         d="M 272.6236,124.65165 V 256 h 45.61799 a 20.449443,20.449443 0 0 0 20.44944,-20.44945 v -110.8989 z"
-         id="path4516" />
-      <path
-         style="opacity:1;fill:#fba457;fill-opacity:1;stroke:#000000;stroke-width:0;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
-         d="m 272.6236,322.06744 v 65.28091 h 45.61799 a 20.449443,20.449443 0 0 0 20.44944,-20.44945 v -44.83146 z"
-         id="path4516-5" />
-    </g>
-  </g>
-</svg>
diff --git a/nixos/cobalt/services/akkoma-assets/robots.txt b/nixos/cobalt/services/akkoma-assets/robots.txt
deleted file mode 100644
index 1f53798..0000000
--- a/nixos/cobalt/services/akkoma-assets/robots.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-User-agent: *
-Disallow: /
diff --git a/nixos/cobalt/services/akkoma.nix b/nixos/cobalt/services/akkoma.nix
deleted file mode 100644
index c390e7d..0000000
--- a/nixos/cobalt/services/akkoma.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-{ pkgs, lib, ... }:
-
-let
-  poorObfuscation = y: x: "${x}@${y}";
-  federation-blocklist = lib.importTOML ./akkoma-assets/blocklist.toml;
-
-  # ifd3f/infra
-  wrapFile = name: path:
-    (pkgs.runCommand name { inherit path; } ''
-      cp -r "$path" "$out"
-    '');
-in
-{
-  services.akkoma = {
-    enable = true;
-    initDb.enable = true;
-
-    extraStatic = {
-      "static/logo.svg" = wrapFile "logo.svg" ./akkoma-assets/logo.svg;
-      "static/logo.png" = wrapFile "logo.png" ./akkoma-assets/logo.png;
-    };
-    config = let inherit ((pkgs.formats.elixirConf { }).lib) mkRaw mkMap;
-    in {
-      ":pleroma"."Pleroma.Web.Endpoint".url.host = "social.sefidel.com";
-      ":pleroma".":media_proxy".enabled = false;
-      ":pleroma".":instance" = {
-        name = "Akkoma on sefidel";
-        description = "Private akkoma instance";
-        email = poorObfuscation "sefidel.com" "postmaster";
-        notify_email = poorObfuscation "sefidel.com" "postmaster";
-
-        registrations_open = false;
-        invites_enabled = true;
-
-        limit = 5000;
-      };
-      ":pleroma".":frontend_configurations" = {
-        pleroma_fe = mkMap {
-          logo = "/static/logo.png";
-        };
-      };
-      ":pleroma".":mrf" = {
-        policies = map mkRaw [ "Pleroma.Web.ActivityPub.MRF.SimplePolicy" ];
-      };
-      ":pleroma".":mrf_simple" = {
-        followers_only = mkMap federation-blocklist.followers_only;
-        media_nsfw = mkMap federation-blocklist.media_nsfw;
-        reject = mkMap federation-blocklist.reject;
-      };
-    };
-
-    nginx = {
-      forceSSL = true;
-      useACMEHost = "sefidel.com";
-    };
-  };
-}
diff --git a/nixos/cobalt/services/cgit.nix b/nixos/cobalt/services/cgit.nix
deleted file mode 100644
index c0cd948..0000000
--- a/nixos/cobalt/services/cgit.nix
+++ /dev/null
@@ -1,105 +0,0 @@
-{ pkgs, ... }:
-
-{
-  services.uwsgi = {
-    enable = true;
-    user = "nginx";
-    group = "nginx";
-    plugins = [ "cgi" ];
-
-    instance = {
-      type = "emperor";
-      vassals = {
-        cgit = {
-          type = "normal";
-          master = true;
-          socket = "/run/uwsgi/cgit.sock";
-          procname-master = "uwsgi cgit";
-          plugins = [ "cgi" ];
-          cgi = "${pkgs.cgit-pink}/cgit/cgit.cgi";
-        };
-      };
-    };
-  };
-
-  users.extraUsers.nginx.extraGroups = [ "git" ];
-
-  services.nginx.virtualHosts."git.sefidel.com" = {
-    forceSSL = true;
-    useACMEHost = "sefidel.com";
-    root = "${pkgs.cgit-pink}/cgit";
-    locations = {
-      "/" = {
-        extraConfig = ''
-          try_files $uri @cgit;
-        '';
-      };
-      "@cgit" = {
-        extraConfig = ''
-          uwsgi_pass unix:/run/uwsgi/cgit.sock;
-          include ${pkgs.nginx}/conf/uwsgi_params;
-          uwsgi_modifier1 9;
-        '';
-      };
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-  systemd.services.create-cgit-cache = {
-    description = "Create cache directory for cgit";
-    enable = true;
-
-    script = ''
-      mkdir -p /run/cgit
-      chown -R nginx:nginx /run/cgit
-    '';
-
-    wantedBy = [ "uwsgi.service" ];
-    serviceConfig = {
-      Type = "oneshot";
-    };
-  };
-
-  environment.etc."cgitrc".text = ''
-    virtual-root=/
-
-    cache-size=1000
-    cache-root=/run/cgit
-
-    root-title=sefidel git
-    root-desc=Exotic place.
-
-    snapshots=tar.gz zip
-
-    enable-git-config=1
-    remove-suffix=1
-
-    enable-git-clone=1
-    enable-index-links=1
-    enable-commit-graph=1
-    enable-log-filecount=1
-    enable-log-linecount=1
-
-    branch-sort=age
-
-    readme=:README
-    readme=:readme
-    readme=:README.md
-    readme=:readme.md
-    readme=:README.org
-    readme=:readme.org
-
-    source-filter=${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py
-    about-filter=${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh
-
-    section-from-path=2
-
-    project-list=/var/lib/gitolite/projects.list
-    scan-path=/var/lib/gitolite/repositories
-  '';
-
-  imports = [
-    ./nginx.nix
-  ];
-}
diff --git a/nixos/cobalt/services/dendrite.nix b/nixos/cobalt/services/dendrite.nix
deleted file mode 100644
index af1af32..0000000
--- a/nixos/cobalt/services/dendrite.nix
+++ /dev/null
@@ -1,157 +0,0 @@
-{ config, ... }:
-
-let
-  database = {
-    connection_string = "postgres:///dendrite?host=/run/postgresql";
-    max_open_conns = 97;
-    max_idle_conns = 5;
-    conn_max_lifetime = -1;
-  };
-in
-{
-  # Adapted from Mic92/dotfiles, (C) 2021 Jörg Thalheim (MIT)
-  sops.secrets.matrix-server-key = { };
-
-  services.dendrite = {
-    enable = true;
-    settings = {
-      global = {
-        server_name = "sefidel.com";
-        # `private_key` has the type `path`
-        # prefix a `/` to make `path` happy
-        private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key";
-        trusted_third_party_id_servers = [
-          "matrix.org"
-          "vector.im"
-        ];
-        metrics.enable = true;
-      };
-      logging = [
-        {
-          type = "std";
-          level = "warn";
-        }
-      ];
-      app_service_api = {
-        inherit database;
-        config_files = [ ];
-      };
-      client_api = {
-        registration_disabled = true;
-        rate_limiting.enabled = false;
-        # registration_shared_secret = ""; # Initially set this option to configure the admin user.
-      };
-      media_api = {
-        inherit database;
-        dynamic_thumbnails = true;
-      };
-      room_server = {
-        inherit database;
-      };
-      push_server = {
-        inherit database;
-      };
-      mscs = {
-        inherit database;
-        mscs = [ "msc2836" "msc2946" ];
-      };
-      sync_api = {
-        inherit database;
-        real_ip_header = "X-Real-IP";
-      };
-      key_server = {
-        inherit database;
-      };
-      federation_api = {
-        inherit database;
-        key_perspectives = [
-          {
-            server_name = "matrix.org";
-            keys = [
-              {
-                key_id = "ed25519:auto";
-                public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
-              }
-              {
-                key_id = "ed25519:a_RXGa";
-                public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
-              }
-            ];
-          }
-        ];
-        prefer_direct_fetch = false;
-      };
-      user_api = {
-        account_database = database;
-        device_database = database;
-      };
-    };
-    loadCredential = [ "matrix-server-key:${config.sops.secrets.matrix-server-key.path}" ];
-  };
-
-  environment.persistence."/persist".directories = [
-    "/var/lib/private/dendrite"
-  ];
-
-  services.postgresql.enable = true;
-  services.postgresql.ensureDatabases = [ "dendrite" ];
-  services.postgresql.ensureUsers = [
-    {
-      name = "dendrite";
-      ensurePermissions."DATABASE dendrite" = "ALL PRIVILEGES";
-    }
-  ];
-
-
-  services.nginx.virtualHosts."matrix.sefidel.com" = {
-    forceSSL = true;
-    useACMEHost = "sefidel.com";
-    listen = [
-      { addr = "0.0.0.0"; port = 443; ssl = true; }
-      { addr = "[::]"; port = 443; ssl = true; }
-      { addr = "0.0.0.0"; port = 8448; ssl = true; }
-      { addr = "[::]"; port = 8448; ssl = true; }
-
-    ];
-    extraConfig = ''
-      proxy_set_header Host $host;
-      proxy_set_header X-Real-IP $remote_addr;
-      proxy_read_timeout 600;
-      client_max_body_size 50M;
-    '';
-    locations."/_matrix".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}";
-    locations."/_dendrite".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}";
-    locations."/_synapse".proxyPass = "http://[::1]:${toString config.services.dendrite.httpPort}";
-    # TODO: web client
-  };
-
-  services.nginx.virtualHosts."sefidel.com" =
-    let
-      server-hello = { "m.server" = "matrix.sefidel.com:443"; };
-      client-hello = {
-        "m.homeserver"."base_url" = "https://matrix.sefidel.com";
-        "m.identity_server"."base_url" = "https://vector.im";
-      };
-    in
-    {
-      forceSSL = true;
-      useACMEHost = "sefidel.com";
-      locations = {
-        "/.well-known/matrix/server" = {
-          extraConfig = ''
-            add_header Content-Type application/json;
-            return 200 '${builtins.toJSON server-hello}';
-          '';
-        };
-        "/.well-known/matrix/client" = {
-          extraConfig = ''
-            add_header Content-Type application/json;
-            add_header Access-Control-Allow-Origin *;
-            return 200 '${builtins.toJSON client-hello}';
-          '';
-        };
-      };
-    };
-
-  networking.firewall.allowedTCPPorts = [ 8448 ];
-}
diff --git a/nixos/cobalt/services/fail2ban.nix b/nixos/cobalt/services/fail2ban.nix
deleted file mode 100644
index 9731ef6..0000000
--- a/nixos/cobalt/services/fail2ban.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  services.fail2ban = {
-    enable = true;
-  };
-}
diff --git a/nixos/cobalt/services/git-daemon.nix b/nixos/cobalt/services/git-daemon.nix
deleted file mode 100644
index 21e957e..0000000
--- a/nixos/cobalt/services/git-daemon.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  services.gitDaemon = {
-    enable = true;
-    createUserAndGroup = false;
-    basePath = "/var/lib/gitolite/repositories";
-  };
-
-  networking.firewall.allowedTCPPorts = [ 9418 ];
-
-  disabledModules = [ "services/networking/git-daemon.nix" ];
-
-  imports = [
-    ../modules/git-daemon.nix
-  ];
-}
diff --git a/nixos/cobalt/services/gitolite-noncore/fix-refs b/nixos/cobalt/services/gitolite-noncore/fix-refs
deleted file mode 100644
index 8ffec9e..0000000
--- a/nixos/cobalt/services/gitolite-noncore/fix-refs
+++ /dev/null
@@ -1,9 +0,0 @@
-[[ $4 == W ]] || exit 0
-
-cd $GL_REPO_BASE/$2.git
-
-head=`git symbolic-ref HEAD`
-[[ -f $head ]] || {
-  set -- refs/heads/*
-  git symbolic-ref HEAD $1
-}
diff --git a/nixos/cobalt/services/gitolite-noncore/rename b/nixos/cobalt/services/gitolite-noncore/rename
deleted file mode 100644
index 00aa5ca..0000000
--- a/nixos/cobalt/services/gitolite-noncore/rename
+++ /dev/null
@@ -1,62 +0,0 @@
-
-# Usage:    ssh git@host rename [-c] <repo1> <repo2>
-#
-# Renames repo1 to repo2. You must be the creator of repo1, and have
-# create ("C") permissions for repo2, which of course must not exist.
-# Alternatively you must be an account admin, that is, you must have
-# write access to the gitolite-admin repository. If you have "C"
-# permissions for repo2 then you can use the -c option to take over
-# as creator of the repository.
-
-die() { echo "$@" >&2; exit 1; }
-usage() { perl -lne 'print substr($_, 2) if /^# Usage/../^$/' < $0; exit 1; }
-[ -z "$1" ] && usage
-[ "$1" = "-h" ] && usage
-[ -z "$GL_USER" ] && die GL_USER not set
-
-# ----------------------------------------------------------------------
-
-if [ "$1" = "-c" ]
-then	shift
-	takeover=true
-else	takeover=false
-fi
-
-from="$1"; shift
-to="$1"; shift
-[ -z "$to" ] && usage
-
-topath=$GL_REPO_BASE/$to.git
-
-checkto() {
-	gitolite access -q "$to" $GL_USER ^C any ||
-		die "'$to' already exists or you are not allowed to create it"
-}
-
-if gitolite access -q gitolite-admin $GL_USER
-then
-	# the user is an admin so we can avoid most permission checks
-	if $takeover
-	then checkto
-	elif [ -e $topath ]
-	then die "'$to' already exists"
-	fi
-else
-	# the user isn't an admin, so do all the checks
-	checkto
-	gitolite creator "$from" $GL_USER ||
-		die "'$from' does not exist or you are not allowed to delete it"
-fi
-
-# ----------------------------------------------------------------------
-
-mv $GL_REPO_BASE/$from.git $topath
-[ $? -ne 0 ] && exit 1
-
-$takeover && echo $GL_USER > $topath/gl-creator
-
-[ -f "$HOME/projects.list" ] && sed "s:$from.git$:$to.git:g" -i "$HOME/projects.list"
-
-echo "$from renamed to $to" >&2
-
-exit
diff --git a/nixos/cobalt/services/gitolite.nix b/nixos/cobalt/services/gitolite.nix
deleted file mode 100644
index 94c7ac9..0000000
--- a/nixos/cobalt/services/gitolite.nix
+++ /dev/null
@@ -1,109 +0,0 @@
-{ pkgs, ... }:
-
-let
-  # https://groups.google.com/g/gitolite/c/NwZ1-hq9-9E/m/mDbiKyAvDwAJ
-  fixRefsTrigger = pkgs.writeText "fix-refs" ''
-    [[ $4 == W ]] || exit 0
-
-    cd $GL_REPO_BASE/$2.git
-
-    head=`git symbolic-ref HEAD`
-    [[ -f $head ]] || {
-      set -- refs/heads/*
-      git symbolic-ref HEAD $1
-    }
-  '';
-in
-{
-  services.gitolite = {
-    enable = true;
-    user = "git";
-    group = "git";
-    adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDi7GGOGVj1Y5Sc1EW6zEdrp78dS6hvmS348pqu9dUsB openpgp:0x6BE7BD6F";
-    extraGitoliteRc = ''
-      $RC{UMASK} = 0027;
-      $RC{GIT_CONFIG_KEYS} = '.*';
-      $RC{ROLES}{OWNERS} = 1;
-      $RC{OWNER_ROLENAME} = 'OWNERS';
-      # For some unknown reason, $ENV{HOME} doesn't get resolved to the correct
-      # directory.
-      # $RC{LOCAL_CODE} = '$ENV{HOME}/local';
-      $RC{LOCAL_CODE} = '/var/lib/gitolite/local';
-      push(@{$RC{ENABLE}}, 'D');
-      push(@{$RC{ENABLE}}, 'symbolic-ref');
-      push(@{$RC{ENABLE}}, 'rename');
-      push(@{$RC{POST_GIT}}, 'fix-refs');
-      # push(@{$RC{ENABLE}}, 'set-default-roles');
-      # push(@{$RC{ENABLE}}, 'create');
-      # push(@{$RC{ENABLE}}, 'fork');
-
-    '';
-  };
-
-  environment.persistence."/persist".directories = [
-    "/var/lib/gitolite"
-  ];
-
-  system.activationScripts.gitolite-create-local = ''
-    mkdir -p /var/lib/gitolite/local/triggers
-    mkdir -p /var/lib/gitolite/local/commands
-    chown -R git:git /var/lib/gitolite/local
-  '';
-
-  systemd.tmpfiles.rules = [
-    "C /var/lib/gitolite/local/triggers/fix-refs 755 - - - ${./gitolite-noncore/fix-refs}"
-    "C /var/lib/gitolite/local/commands/rename 755 - - - ${./gitolite-noncore/rename}"
-  ];
-
-
-  systemd.timers."gitolite-trash-cleanup" = {
-    wantedBy = [ "timers.target" ];
-    timerConfig = {
-      OnCalendar = "*-*-* 00:00:00";
-      Unit = "gitolite-trash-cleanup.service";
-    };
-  };
-
-  systemd.services."gitolite-trash-cleanup" = {
-    script = ''
-      set -euo pipefail
-      if [ ! -d "Trash" ] ; then
-        echo Trash directory is nonexistent!
-        echo No operations to perform. Exiting.
-        exit 0
-      fi
-
-      match=$(find Trash -type d -regextype posix-extended -regex ".*/[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{2}:[0-9]{2}:[0-9]{2}$")
-      processed_entry=0
-      removed_entry=0
-
-      for dir in $match
-      do
-        system_timestamp=$(date +%s)
-        trash_timestamp=$(basename $dir | sed -e "s/_/ /g" | date -f - +%s)
-        age=$(( $system_timestamp - $trash_timestamp ))
-        # Wipe trashes older than 2w
-        if [[ age -gt 1209600 ]] ; then
-          echo "Removing '$dir' (age $age)"
-          rm -rf $dir
-          ((removed_entry+=1))
-        fi
-        ((processed_entry+=1))
-      done
-
-      echo "Directories that needs cleanup:"
-      find Trash -type d -empty -print -delete
-      echo "Cleaned empty directories."
-
-      echo "Done! Removed $removed_entry/$processed_entry"
-    '';
-
-    path = with pkgs; [ bash util-linux coreutils ];
-
-    serviceConfig = {
-      Type = "oneshot";
-      User = "git";
-      WorkingDirectory = "/var/lib/gitolite/repositories";
-    };
-  };
-}
diff --git a/nixos/cobalt/services/nginx.nix b/nixos/cobalt/services/nginx.nix
deleted file mode 100644
index cb5ced3..0000000
--- a/nixos/cobalt/services/nginx.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  services.nginx = {
-    enable = true;
-
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedTlsSettings = true;
-  };
-
-  users.extraUsers.nginx.extraGroups = [ "acme" ];
-
-  imports = [
-    ./acme.nix
-  ];
-}
diff --git a/nixos/cobalt/services/soju.nix b/nixos/cobalt/services/soju.nix
deleted file mode 100644
index bab8a5b..0000000
--- a/nixos/cobalt/services/soju.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ config, ... }:
-
-{
-  services.soju = {
-    enable = true;
-    extraGroups = [ "acme" ];
-    hostName = "cobalt.sefidel.com";
-    listen = [
-      ":6697"
-    ];
-    tlsCertificate = "${config.security.acme.certs."sefidel.com".directory}/cert.pem";
-    tlsCertificateKey = "${config.security.acme.certs."sefidel.com".directory}/key.pem";
-  };
-
-  networking.firewall.allowedTCPPorts = [ 6697 ];
-
-  environment.persistence."/persist".directories = [
-    "/var/lib/private/soju"
-  ];
-
-  # TODO: remove this once merged
-  disabledModules = [ "services/networking/soju.nix" ];
-
-  imports = [
-    ./acme.nix
-    ../modules/soju.nix
-  ];
-}