-rwxr-xr-xhost/Rory-devenv/configuration.nix68
-rwxr-xr-xhost/Rory-devenv/software.nix78
-rwxr-xr-xhost/Rory-discordbots/configuration.nix6
-rwxr-xr-xhost/Rory-discordbots/software.nix15
-rwxr-xr-xhost/Rory-fosscord/configuration.nix4
-rwxr-xr-xhost/Rory-fosscord/software.nix14
-rwxr-xr-xhost/Rory-nginx/configuration.nix74
-rwxr-xr-xhost/Rory-nginx/software.nix83
-rwxr-xr-xhost/Rory-postgres/configuration.nix30
-rwxr-xr-xhost/Rory-postgres/software.nix40
-rwxr-xr-xhost/Rory-synapse/configuration.nix200
-rwxr-xr-xhost/Rory-synapse/software.nix210
12 files changed, 446 insertions, 376 deletions
diff --git a/host/Rory-devenv/configuration.nix b/host/Rory-devenv/configuration.nix
index ae1fe1a..108ff82 100755
--- a/host/Rory-devenv/configuration.nix
+++ b/host/Rory-devenv/configuration.nix
@@ -4,6 +4,7 @@
   imports =
     [
       ../../modules/base-server.nix
+      ./software.nix
     ];
 
   networking = {
@@ -18,73 +19,6 @@
     } ];
   };
 
-  systemd.tmpfiles.rules = [  "d /data/pg 0750 postgres postgres" ];
-
-  services = {
-    postgresql = {
-      enable = true;
-      package = pkgs.postgresql_14;
-      enableTCPIP = true;
-      authentication = pkgs.lib.mkOverride 10 ''
-        # TYPE, DATABASE, USER, ADDRESS, METHOD
-        local all all trust
-        host all all 127.0.0.1/32 trust
-        host all all ::1/128 trust
-        host all all 0.0.0.0/0 md5
-      '';
-      # initialScript = pkgs.writeText "backend-initScript" ''
-      #   CREATE ROLE nixcloud WITH LOGIN PASSWORD 'nixcloud' CREATEDB;
-      #   CREATE DATABASE nixcloud;
-      #   GRANT ALL PRIVILEGES ON DATABASE nixcloud TO nixcloud;
-      # '';
-
-      # we dont care about data here - this is a dev env
-      #dataDir = "/data/pg";
-      settings = {
-        "max_connections" = "100";
-        "shared_buffers" = "128MB";
-        "max_wal_size" = "1GB";
-        "min_wal_size" = "80MB";
-      };
-    };
-    xserver = {
-      enable = true;
-      desktopManager.plasma5 = {
-        enable = true;
-        #phonon-backend = "gstreamer";
-        excludePackages = with pkgs.libsForQt5; [ konsole print-manager khelpcenter oxygen okular gwenview elisa ];
-      };
-      displayManager.sddm.enable = true;
-      displayManager.sddm.autoLogin = {
-        enable = true;
-        user = "Rory";
-      };
-      libinput.enable = true;
-      videoDrivers = [ "qxl" ];
-    };
-    qemuGuest.enable = true;
-    spice-vdagentd.enable = true;
-  };
-
-  environment.systemPackages = with pkgs; [
-    zsh
-    gnome-console
-    kitty
-    feh
-    lsd
-    sshfs
-    cinnamon.nemo
-    firefox-bin
-    udisks
-    gparted
-    glxinfo
-    vscode-with-extensions
-    nodejs
-  ];
-  fonts.fonts = with pkgs; [
-    (nerdfonts.override { fonts = [ "JetBrainsMono" ]; })
-  ];
-
   system.stateVersion = "22.11"; # DO NOT EDIT!
 }
 
diff --git a/host/Rory-devenv/software.nix b/host/Rory-devenv/software.nix
new file mode 100755
index 0000000..2d26885
--- /dev/null
+++ b/host/Rory-devenv/software.nix
@@ -0,0 +1,78 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ../../modules/base-server.nix
+    ];
+
+  systemd.tmpfiles.rules = [  "d /data/pg 0750 postgres postgres" ];
+
+  services = {
+    postgresql = {
+      enable = true;
+      package = pkgs.postgresql_14;
+      enableTCPIP = true;
+      authentication = pkgs.lib.mkOverride 10 ''
+        # TYPE, DATABASE, USER, ADDRESS, METHOD
+        local all all trust
+        host all all 127.0.0.1/32 trust
+        host all all ::1/128 trust
+        host all all 0.0.0.0/0 md5
+      '';
+      # initialScript = pkgs.writeText "backend-initScript" ''
+      #   CREATE ROLE nixcloud WITH LOGIN PASSWORD 'nixcloud' CREATEDB;
+      #   CREATE DATABASE nixcloud;
+      #   GRANT ALL PRIVILEGES ON DATABASE nixcloud TO nixcloud;
+      # '';
+
+      # we dont care about data here - this is a dev env
+      #dataDir = "/data/pg";
+      settings = {
+        "max_connections" = "100";
+        "shared_buffers" = "128MB";
+        "max_wal_size" = "1GB";
+        "min_wal_size" = "80MB";
+      };
+    };
+    xserver = {
+      enable = true;
+      desktopManager.plasma5 = {
+        enable = true;
+        #phonon-backend = "gstreamer";
+        excludePackages = with pkgs.libsForQt5; [ konsole print-manager khelpcenter oxygen okular gwenview elisa ];
+      };
+      displayManager.sddm.enable = true;
+      displayManager.sddm.autoLogin = {
+        enable = true;
+        user = "Rory";
+      };
+      libinput.enable = true;
+      videoDrivers = [ "qxl" ];
+    };
+    qemuGuest.enable = true;
+    spice-vdagentd.enable = true;
+  };
+
+  environment.systemPackages = with pkgs; [
+    zsh
+    gnome-console
+    kitty
+    feh
+    lsd
+    sshfs
+    cinnamon.nemo
+    firefox-bin
+    udisks
+    gparted
+    glxinfo
+    vscode-with-extensions
+    nodejs
+  ];
+  fonts.fonts = with pkgs; [
+    (nerdfonts.override { fonts = [ "JetBrainsMono" ]; })
+  ];
+
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
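Review bot: The new file re-declares `imports = [ ../../modules/base-server.nix ]` and `system.stateVersion = "22.11"` even though host/Rory-devenv/configuration.nix already declares both and is the file that imports this one, so every host now has two places that must stay in agreement; the same duplication appears in the Rory-discordbots, Rory-fosscord, Rory-nginx, Rory-postgres and Rory-synapse software.nix files added in this commit. The module system tolerates the repeated import and the equal string, but leaving only the service definitions in software.nix removes the drift risk. Separately, the catch-all `host all all 0.0.0.0/0 md5` rule pairs MD5 password auth with `enableTCPIP = true`; `pkgs.postgresql_14` supports the stronger method, so `host all all 0.0.0.0/0 scram-sha-256` is the better default even on a box whose data is disposable.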
diff --git a/host/Rory-discordbots/configuration.nix b/host/Rory-discordbots/configuration.nix
index 958ae5c..dbc509c 100755
--- a/host/Rory-discordbots/configuration.nix
+++ b/host/Rory-discordbots/configuration.nix
@@ -4,11 +4,7 @@
   imports =
     [
       ../../modules/base-server.nix
-      # ./services.nix
-      botcore-v4.modules.bots
-      botcore-v4.modules.frontend
-      botcore-v4.modules.dataupdater
-      botcore-v4.modules.users
+      ./software.nix
     ];
 
   networking = {
diff --git a/host/Rory-discordbots/software.nix b/host/Rory-discordbots/software.nix
new file mode 100755
index 0000000..b0b9cf2
--- /dev/null
+++ b/host/Rory-discordbots/software.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, lib, botcore-v4, ... }:
+
+{
+  imports =
+    [
+      ../../modules/base-server.nix
+      # ./services.nix
+      botcore-v4.modules.bots
+      botcore-v4.modules.frontend
+      botcore-v4.modules.dataupdater
+      botcore-v4.modules.users
+    ];
+
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
\ No newline at end of file
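Review bot: The file ends without a trailing newline (`\ No newline at end of file`), unlike the other software.nix files added in this commit, so the next edit to the closing `}` will show up as a two-line diff; add the newline. The function header also introduces `botcore-v4` as a module argument, which presumably arrives via specialArgs from the flake rather than from the module system itself; a one-line comment such as `# botcore-v4 is supplied via specialArgs` would make that dependency visible in this file.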
diff --git a/host/Rory-fosscord/configuration.nix b/host/Rory-fosscord/configuration.nix
index a58ba05..84c997e 100755
--- a/host/Rory-fosscord/configuration.nix
+++ b/host/Rory-fosscord/configuration.nix
@@ -4,9 +4,7 @@
   imports =
     [
       ../../modules/base-server.nix
-      # ./services.nix
-      discord-client-proxy.modules.proxy
-      discord-client-proxy.modules.users
+      ./software.nix
     ];
 
   networking = {
diff --git a/host/Rory-fosscord/software.nix b/host/Rory-fosscord/software.nix
new file mode 100755
index 0000000..78f4412
--- /dev/null
+++ b/host/Rory-fosscord/software.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, lib, discord-client-proxy, ... }:
+
+{
+  imports =
+    [
+      ../../modules/base-server.nix
+      # ./services.nix
+      discord-client-proxy.modules.proxy
+      discord-client-proxy.modules.users
+    ];
+
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
diff --git a/host/Rory-nginx/configuration.nix b/host/Rory-nginx/configuration.nix
index 8400a75..c38a1bf 100755
--- a/host/Rory-nginx/configuration.nix
+++ b/host/Rory-nginx/configuration.nix
@@ -4,7 +4,7 @@
   imports =
     [
       ../../modules/base-server.nix
-      ../../modules/packages/gitfs.nix
+      ./software.nix
     ];
 
   networking = {
@@ -19,77 +19,5 @@
     } ];
   };
 
-  services = {
-    nginx = {
-      enable = true;
-      package = pkgs.nginxQuic;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-      appendConfig = ''
-        worker_processes 16;
-        '';
-       eventsConfig = ''
-        #use kqueue;
-        worker_connections 512;
-        '';
-      upstreams = import ./matrix/upstreams.nix;
-      virtualHosts = {
-        "siliconheaven.thearcanebrony.net" = import ./hosts/thearcanebrony.net/siliconheaven.nix;
-        "lfs.thearcanebrony.net" = import ./hosts/thearcanebrony.net/lfs.nix;
-        "http.thearcanebrony.net" = import ./hosts/thearcanebrony.net/http.nix;
-        "thearcanebrony.net" = import ./hosts/thearcanebrony.net/root.nix;
-        "sentry.thearcanebrony.net" = import ./hosts/thearcanebrony.net/sentry.nix;
-        "awooradio.thearcanebrony.net" = import ./hosts/thearcanebrony.net/awooradio.nix;
-        "search.thearcanebrony.net" = import ./hosts/thearcanebrony.net/search.nix;
-        "git.thearcanebrony.net" = import ./hosts/thearcanebrony.net/git.nix;
-        "files.thearcanebrony.net" = import ./hosts/thearcanebrony.net/files.nix;
-        "spigotav.thearcanebrony.net" = import ./hosts/thearcanebrony.net/spigotav.nix;
-        "terra.thearcanebrony.net" = import ./hosts/thearcanebrony.net/terra.nix;
-        "vives.thearcanebrony.net" = import ./hosts/thearcanebrony.net/vives.nix;
-        "rory.gay" = import ./hosts/rory.gay/root.nix;
-        "rory.boo" = import ./hosts/rory.gay/root.nix;
-        "lfs.rory.gay" = import ./hosts/rory.gay/lfs.nix;
-        "git.rory.gay" = import ./hosts/rory.gay/git.nix;
-        "matrix.rory.gay" = import ./hosts/rory.gay/matrix.nix;
-        "mru.rory.gay" = import ./hosts/rory.gay/mru.nix;
-        "tunnel.rory.boo" = import ./hosts/rory.boo/tunnel.nix;
-        "boorunav.com" = import ./hosts/boorunav.com/root.nix;
-        "catgirlsaresexy.com" = import ./hosts/catgirlsaresexy.com/root.nix;
-        "sugarcanemc.org" = import ./hosts/sugarcanemc.org/root.nix;
-
-        #bots...
-        "0bottests.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
-        "catnipbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
-        "impulsyeeter.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
-        "omnibot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
-        "yatopiawatchdog.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
-        "playground.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
-        "kinobot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
-        "siliconbotpublic.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
-        "thearcanebot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
-        "anonbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
-        "hericanbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
-        "siliconbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
-        "impulsbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
-        "studiobot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
-        "carsnbots.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
-        "binsh.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
-        "fosscordbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
-        "sugarcanebot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
-        "gradbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
-      };
-    };
-  };
-  systemd.services.nginx.serviceConfig = {
-    LimitNOFILE=5000000;
-  };
-  systemd.services.nginx.requires = [ "data.mount" ];
-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = "root@thearcanebrony.net";
-
-  environment.systemPackages = with pkgs; [
-    #gitfs
-  ];
-
   system.stateVersion = "22.11"; # DO NOT EDIT!
 }
diff --git a/host/Rory-nginx/software.nix b/host/Rory-nginx/software.nix
new file mode 100755
index 0000000..a551c6b
--- /dev/null
+++ b/host/Rory-nginx/software.nix
@@ -0,0 +1,83 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ../../modules/base-server.nix
+      #../../modules/packages/gitfs.nix
+    ];
+
+  services = {
+    nginx = {
+      enable = true;
+      package = pkgs.nginxQuic;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      appendConfig = ''
+        worker_processes 16;
+        '';
+       eventsConfig = ''
+        #use kqueue;
+        worker_connections 512;
+        '';
+      upstreams = import ./matrix/upstreams.nix;
+      virtualHosts = {
+        "siliconheaven.thearcanebrony.net" = import ./hosts/thearcanebrony.net/siliconheaven.nix;
+        "lfs.thearcanebrony.net" = import ./hosts/thearcanebrony.net/lfs.nix;
+        "http.thearcanebrony.net" = import ./hosts/thearcanebrony.net/http.nix;
+        "thearcanebrony.net" = import ./hosts/thearcanebrony.net/root.nix;
+        "sentry.thearcanebrony.net" = import ./hosts/thearcanebrony.net/sentry.nix;
+        "awooradio.thearcanebrony.net" = import ./hosts/thearcanebrony.net/awooradio.nix;
+        "search.thearcanebrony.net" = import ./hosts/thearcanebrony.net/search.nix;
+        "git.thearcanebrony.net" = import ./hosts/thearcanebrony.net/git.nix;
+        "files.thearcanebrony.net" = import ./hosts/thearcanebrony.net/files.nix;
+        "spigotav.thearcanebrony.net" = import ./hosts/thearcanebrony.net/spigotav.nix;
+        "terra.thearcanebrony.net" = import ./hosts/thearcanebrony.net/terra.nix;
+        "vives.thearcanebrony.net" = import ./hosts/thearcanebrony.net/vives.nix;
+        "rory.gay" = import ./hosts/rory.gay/root.nix;
+        "rory.boo" = import ./hosts/rory.gay/root.nix;
+        "lfs.rory.gay" = import ./hosts/rory.gay/lfs.nix;
+        "git.rory.gay" = import ./hosts/rory.gay/git.nix;
+        "matrix.rory.gay" = import ./hosts/rory.gay/matrix.nix;
+        "mru.rory.gay" = import ./hosts/rory.gay/mru.nix;
+        "tunnel.rory.boo" = import ./hosts/rory.boo/tunnel.nix;
+        "boorunav.com" = import ./hosts/boorunav.com/root.nix;
+        "catgirlsaresexy.com" = import ./hosts/catgirlsaresexy.com/root.nix;
+        "sugarcanemc.org" = import ./hosts/sugarcanemc.org/root.nix;
+
+        #bots...
+        "0bottests.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+        "catnipbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+        "impulsyeeter.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+        "omnibot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+        "yatopiawatchdog.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+        "playground.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+        "kinobot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+        "siliconbotpublic.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+        "thearcanebot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+        "anonbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+        "hericanbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+        "siliconbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+        "impulsbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+        "studiobot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+        "carsnbots.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+        "binsh.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+        "fosscordbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+        "sugarcanebot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+        "gradbot.bots.rory.gay" = import ./hosts/rory.gay/bots.nix;
+      };
+    };
+  };
+  systemd.services.nginx.serviceConfig = {
+    LimitNOFILE=5000000;
+  };
+  systemd.services.nginx.requires = [ "data.mount" ];
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "root@thearcanebrony.net";
+
+  environment.systemPackages = with pkgs; [
+    #gitfs
+  ];
+
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
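Review bot: The gitfs module import is commented out here (`#../../modules/packages/gitfs.nix`) while the configuration.nix hunk above removes the live `../../modules/packages/gitfs.nix` import, so the net effect of the move is that Rory-nginx no longer imports that module at all; if that is intended it should be said in the commit message, otherwise the line should be uncommented. The `eventsConfig` attribute is indented one space deeper than its siblings (` eventsConfig = ''`), which reads as a paste artefact rather than intent; align it with `appendConfig`.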
diff --git a/host/Rory-postgres/configuration.nix b/host/Rory-postgres/configuration.nix
index fef0296..f399f78 100755
--- a/host/Rory-postgres/configuration.nix
+++ b/host/Rory-postgres/configuration.nix
@@ -4,6 +4,7 @@
   imports =
     [
       ../../modules/base-server.nix
+      ./software.nix
     ];
 
   networking = {
@@ -17,35 +18,6 @@
       prefixLength = 16;
     } ];
   };
-  
-  systemd.tmpfiles.rules = [  "d /data/pg 0750 postgres postgres" ];
-
-  services.postgresql = {
-    enable = true;
-    package = pkgs.postgresql_14;
-    enableTCPIP = true;
-    authentication = pkgs.lib.mkOverride 10 ''
-      # TYPE, DATABASE, USER, ADDRESS, METHOD
-      local all all trust
-      host all all 127.0.0.1/32 trust
-      host all all ::1/128 trust
-      host discordbots discordbots 192.168.1.50/32 trust
-      host matrix-synapse-rory-gay matrix-synapse-rory-gay 192.168.1.5/32 trust
-      host all all 0.0.0.0/0 md5
-    '';
-    # initialScript = pkgs.writeText "backend-initScript" ''
-    #   CREATE ROLE nixcloud WITH LOGIN PASSWORD 'nixcloud' CREATEDB;
-    #   CREATE DATABASE nixcloud;
-    #   GRANT ALL PRIVILEGES ON DATABASE nixcloud TO nixcloud;
-    # '';
-    dataDir = "/data/pg";
-    settings = {
-      "max_connections" = "100";
-      "shared_buffers" = "128MB";
-      "max_wal_size" = "1GB";
-      "min_wal_size" = "80MB";
-    };
-  };
 
   system.stateVersion = "22.11"; # DO NOT EDIT!
 }
diff --git a/host/Rory-postgres/software.nix b/host/Rory-postgres/software.nix
new file mode 100755
index 0000000..99cdd64
--- /dev/null
+++ b/host/Rory-postgres/software.nix
@@ -0,0 +1,40 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ../../modules/base-server.nix
+    ];
+  
+  systemd.tmpfiles.rules = [  "d /data/pg 0750 postgres postgres" ];
+
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_14;
+    enableTCPIP = true;
+    authentication = pkgs.lib.mkOverride 10 ''
+      # TYPE, DATABASE, USER, ADDRESS, METHOD
+      local all all trust
+      host all all 127.0.0.1/32 trust
+      host all all ::1/128 trust
+      host discordbots discordbots 192.168.1.50/32 trust
+      host matrix-synapse-rory-gay matrix-synapse-rory-gay 192.168.1.5/32 trust
+      host all all 0.0.0.0/0 md5
+    '';
+    # initialScript = pkgs.writeText "backend-initScript" ''
+    #   CREATE ROLE nixcloud WITH LOGIN PASSWORD 'nixcloud' CREATEDB;
+    #   CREATE DATABASE nixcloud;
+    #   GRANT ALL PRIVILEGES ON DATABASE nixcloud TO nixcloud;
+    # '';
+    dataDir = "/data/pg";
+    settings = {
+      "max_connections" = "100";
+      "shared_buffers" = "128MB";
+      "max_wal_size" = "1GB";
+      "min_wal_size" = "80MB";
+    };
+  };
+
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
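Review bot: `host all all 0.0.0.0/0 md5` together with `enableTCPIP = true` accepts password logins from any address that can reach the port, and the two `trust` lines above it let 192.168.1.50 and 192.168.1.5 open their databases with no credential at all, so the `password = "somepassword"` that Rory-synapse/software.nix sets for the 192.168.1.3 database is never actually checked if Synapse connects from 192.168.1.5. The minimal hardening is to narrow the catch-all to the subnet the host sits on (the configuration.nix hunk shows `prefixLength = 16;`, so presumably `192.168.0.0/16`; confirm) and to use the stronger method: `host all all 192.168.0.0/16 scram-sha-256`. Replacing the two `trust` rules with `scram-sha-256` once the clients carry real credentials would close the remaining unauthenticated path. The commented-out `initialScript` block still carries a literal role password and can be dropped now that the file is being reorganised.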
diff --git a/host/Rory-synapse/configuration.nix b/host/Rory-synapse/configuration.nix
index 46da7b6..020a804 100755
--- a/host/Rory-synapse/configuration.nix
+++ b/host/Rory-synapse/configuration.nix
@@ -4,6 +4,7 @@
   imports =
     [
       ../../modules/base-server.nix
+      ./software.nix
     ];
 
   networking = {
@@ -18,205 +19,6 @@
     } ];
   };
 
-  # coturn (WebRTC)
-  services.coturn = rec {
-    enable = false; # Alicia - figure out secret first...
-    no-cli = true;
-    no-tcp-relay = true;
-    min-port = 49000;
-    max-port = 50000;
-    use-auth-secret = true;
-    static-auth-secret = "will be world readable for local users :(";
-    realm = "turn.example.com";
-    # Alicia - figure out how to get this to work, since nginx runs on separate machine...
-    #cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
-    #pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
-    extraConfig = ''
-      # for debugging
-      verbose
-      # ban private IP ranges
-      no-multicast-peers
-      denied-peer-ip=0.0.0.0-0.255.255.255
-      denied-peer-ip=10.0.0.0-10.255.255.255
-      denied-peer-ip=100.64.0.0-100.127.255.255
-      denied-peer-ip=127.0.0.0-127.255.255.255
-      denied-peer-ip=169.254.0.0-169.254.255.255
-      denied-peer-ip=172.16.0.0-172.31.255.255
-      denied-peer-ip=192.0.0.0-192.0.0.255
-      denied-peer-ip=192.0.2.0-192.0.2.255
-      denied-peer-ip=192.88.99.0-192.88.99.255
-      denied-peer-ip=192.168.0.0-192.168.255.255
-      denied-peer-ip=198.18.0.0-198.19.255.255
-      denied-peer-ip=198.51.100.0-198.51.100.255
-      denied-peer-ip=203.0.113.0-203.0.113.255
-      denied-peer-ip=240.0.0.0-255.255.255.255
-      denied-peer-ip=::1
-      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
-      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
-      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
-      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
-      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-    '';
-  };
-
-  #services.matrix-synapse = with config.services.coturn; {
-  #  turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
-  #  turn_shared_secret = static-auth-secret;
-  #  turn_user_lifetime = "1h";
-  #};
-
-  # Discord bridge
-   services.matrix-appservice-discord = {
-    enable = false; # Alicia - figure out secret first...
-    environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env;
-    # The appservice is pre-configured to use SQLite by default.
-    # It's also possible to use PostgreSQL.
-    settings = {
-      bridge = {
-        domain = "rory.gay";
-        homeserverUrl = "https://matrix.rory.gay";
-      };
-
-      # The service uses SQLite by default, but it's also possible to use
-      # PostgreSQL instead:
-      database = {
-        #  filename = ""; # empty value to disable sqlite
-        connString = "postgres://postgres@192.168.1.3/matrix-appservice-discord";
-      };
-    };
-   };
-
-  services.matrix-synapse = {
-    enable = true;
-
-    settings = {
-      server_name = "rory.gay";
-
-      enable_registration = false;
-      # Alicia - figure this out later...
-      #registration_shared_secret = builtins.exec ["cat" "/dev/urandom" "|" "tr" "-dc" "a-zA-Z0-9" "|" "fold" "-w" "256" "|" "head" "-n" "1"];
-      registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt";
-      
-      # Alicia - types: https://github.com/NixOS/nixpkgs/blob/release-22.11/nixos/modules/services/matrix/synapse.nix#L410
-      listeners = [
-        { 
-          port = 8008;
-          bind_addresses = [ "192.168.1.5" "127.0.0.1" ];
-          type = "http";
-          tls = false;
-          x_forwarded = true;
-          resources = [ {
-            names = [ "client" "federation" ];
-            compress = true;
-          } ];
-        }
-      ];
-      dynamic_thumbnails = true;
-
-      presence = {
-        enable = true;
-        update_interval = 60;
-      };
-      url_preview_enabled = true;
-      
-      database = {
-        name = "psycopg2";
-        args = {
-          user = "matrix-synapse-rory-gay";
-          #passwordFile = "/run/secrets/matrix-synapse-password";
-          password = "somepassword";
-          database = "matrix-synapse-rory-gay";
-          host = "192.168.1.3";
-        };
-      };
-      app_service_config_files = [
-        #"/etc/matrix-synapse/appservice-registration.yaml"
-      ];
-    };
-
-    plugins = with pkgs.matrix-synapse-plugins; [
-      # Alicia - need to port draupnir...
-      #matrix-synapse-mjolnir-antispam
-#      matrix-synapse-pam
-    ];
-#    extraConfigFiles = [
-#        (pkgs.writeTextFile {
-#          name = "matrix-synapse-extra-config.yml";
-#          text = ''
-#            modules:
-#              - module: "pam_auth_provider.PAMAuthProvider"
-#                config:
-#                  create_users: true
-#                  skip_user_check: false
-#          '';
-#        })
-#      ];
-  };
-
-  # Alicia - doesnt work yet... until in nixpkgs...
-  services.draupnir = {
-    enable = true;
-    
-    pantalaimon = {
-      enable = true;
-      username = "draupnir";
-      passwordFile = "/etc/draupnir-password";
-      options = {
-        homeserver = "http://localhost:8008";
-        ssl = false;
-      };
-      
-    };
-    managementRoom = "#draupnir-mgmt:rory.gay";
-    homeserverUrl = "http://localhost:8008";
-    verboseLogging = false;
-    settings = {
-      recordIgnoredInvites = false;
-      automaticallyRedactForReasons = [ "*" ];
-      fasterMembershipChecks = true;
-      backgroundDelayMS = 100;
-      pollReports = true;
-      admin.enableMakeRoomAdminCommand = true;
-      commands.ban.defaultReasons = [
-        "spam"
-        "harassment"
-        "transphobia"
-        "scam"
-      ];
-      protections = {
-        wordlist = {
-          words = [
-            "tranny"
-            "faggot"
-          ];
-          minutesBeforeTrusting = 0;
-        };
-      };
-    };
-  };
-
-    systemd.services.matrix-synapse-reg-token = {
-      description = "Random registration token for Synapse.";
-      before = ["matrix-synapse.service"]; # So the registration can be used by Synapse
-      wantedBy = ["multi-user.target"];
-      after = ["network.target"];
-
-      script = ''
-
-        if [ ! -f "registration_shared_secret.txt" ]
-        then
-          cat /dev/urandom | tr -dc a-zA-Z0-9 | fold -w 256 | head -n 1 > registration_shared_secret.txt
-        else
-          echo Not generating key, key exists;
-        fi'';
-      serviceConfig = {
-        User = "matrix-synapse";
-        Group = "matrix-synapse";
-        WorkingDirectory = "/var/lib/matrix-synapse";
-      };
-    };
   system.stateVersion = "22.11"; # DO NOT EDIT!
 }
 
diff --git a/host/Rory-synapse/software.nix b/host/Rory-synapse/software.nix
new file mode 100755
index 0000000..87e2788
--- /dev/null
+++ b/host/Rory-synapse/software.nix
@@ -0,0 +1,210 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ../../modules/base-server.nix
+    ];
+
+  # coturn (WebRTC)
+  services.coturn = rec {
+    enable = false; # Alicia - figure out secret first...
+    no-cli = true;
+    no-tcp-relay = true;
+    min-port = 49000;
+    max-port = 50000;
+    use-auth-secret = true;
+    static-auth-secret = "will be world readable for local users :(";
+    realm = "turn.example.com";
+    # Alicia - figure out how to get this to work, since nginx runs on separate machine...
+    #cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+    #pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+    extraConfig = ''
+      # for debugging
+      verbose
+      # ban private IP ranges
+      no-multicast-peers
+      denied-peer-ip=0.0.0.0-0.255.255.255
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=100.64.0.0-100.127.255.255
+      denied-peer-ip=127.0.0.0-127.255.255.255
+      denied-peer-ip=169.254.0.0-169.254.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+      denied-peer-ip=192.0.0.0-192.0.0.255
+      denied-peer-ip=192.0.2.0-192.0.2.255
+      denied-peer-ip=192.88.99.0-192.88.99.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=198.18.0.0-198.19.255.255
+      denied-peer-ip=198.51.100.0-198.51.100.255
+      denied-peer-ip=203.0.113.0-203.0.113.255
+      denied-peer-ip=240.0.0.0-255.255.255.255
+      denied-peer-ip=::1
+      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+    '';
+  };
+
+  #services.matrix-synapse = with config.services.coturn; {
+  #  turn_uris = ["turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp"];
+  #  turn_shared_secret = static-auth-secret;
+  #  turn_user_lifetime = "1h";
+  #};
+
+  # Discord bridge
+   services.matrix-appservice-discord = {
+    enable = false; # Alicia - figure out secret first...
+    environmentFile = /etc/keyring/matrix-appservice-discord/tokens.env;
+    # The appservice is pre-configured to use SQLite by default.
+    # It's also possible to use PostgreSQL.
+    settings = {
+      bridge = {
+        domain = "rory.gay";
+        homeserverUrl = "https://matrix.rory.gay";
+      };
+
+      # The service uses SQLite by default, but it's also possible to use
+      # PostgreSQL instead:
+      database = {
+        #  filename = ""; # empty value to disable sqlite
+        connString = "postgres://postgres@192.168.1.3/matrix-appservice-discord";
+      };
+    };
+   };
+
+  services.matrix-synapse = {
+    enable = true;
+
+    settings = {
+      server_name = "rory.gay";
+
+      enable_registration = false;
+      # Alicia - figure this out later...
+      #registration_shared_secret = builtins.exec ["cat" "/dev/urandom" "|" "tr" "-dc" "a-zA-Z0-9" "|" "fold" "-w" "256" "|" "head" "-n" "1"];
+      registration_shared_secret_path = "/var/lib/matrix-synapse/registration_shared_secret.txt";
+      
+      # Alicia - types: https://github.com/NixOS/nixpkgs/blob/release-22.11/nixos/modules/services/matrix/synapse.nix#L410
+      listeners = [
+        { 
+          port = 8008;
+          bind_addresses = [ "192.168.1.5" "127.0.0.1" ];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [ {
+            names = [ "client" "federation" ];
+            compress = true;
+          } ];
+        }
+      ];
+      dynamic_thumbnails = true;
+
+      presence = {
+        enable = true;
+        update_interval = 60;
+      };
+      url_preview_enabled = true;
+      
+      database = {
+        name = "psycopg2";
+        args = {
+          user = "matrix-synapse-rory-gay";
+          #passwordFile = "/run/secrets/matrix-synapse-password";
+          password = "somepassword";
+          database = "matrix-synapse-rory-gay";
+          host = "192.168.1.3";
+        };
+      };
+      app_service_config_files = [
+        #"/etc/matrix-synapse/appservice-registration.yaml"
+      ];
+    };
+
+    plugins = with pkgs.matrix-synapse-plugins; [
+      # Alicia - need to port draupnir...
+      #matrix-synapse-mjolnir-antispam
+#      matrix-synapse-pam
+    ];
+#    extraConfigFiles = [
+#        (pkgs.writeTextFile {
+#          name = "matrix-synapse-extra-config.yml";
+#          text = ''
+#            modules:
+#              - module: "pam_auth_provider.PAMAuthProvider"
+#                config:
+#                  create_users: true
+#                  skip_user_check: false
+#          '';
+#        })
+#      ];
+  };
+
+  # Alicia - doesnt work yet... until in nixpkgs...
+  services.draupnir = {
+    enable = true;
+    
+    pantalaimon = {
+      enable = true;
+      username = "draupnir";
+      passwordFile = "/etc/draupnir-password";
+      options = {
+        homeserver = "http://localhost:8008";
+        ssl = false;
+      };
+      
+    };
+    managementRoom = "#draupnir-mgmt:rory.gay";
+    homeserverUrl = "http://localhost:8008";
+    verboseLogging = false;
+    settings = {
+      recordIgnoredInvites = false;
+      automaticallyRedactForReasons = [ "*" ];
+      fasterMembershipChecks = true;
+      backgroundDelayMS = 100;
+      pollReports = true;
+      admin.enableMakeRoomAdminCommand = true;
+      commands.ban.defaultReasons = [
+        "spam"
+        "harassment"
+        "transphobia"
+        "scam"
+      ];
+      protections = {
+        wordlist = {
+          words = [
+            "tranny"
+            "faggot"
+          ];
+          minutesBeforeTrusting = 0;
+        };
+      };
+    };
+  };
+
+    systemd.services.matrix-synapse-reg-token = {
+      description = "Random registration token for Synapse.";
+      before = ["matrix-synapse.service"]; # So the registration can be used by Synapse
+      wantedBy = ["multi-user.target"];
+      after = ["network.target"];
+
+      script = ''
+
+        if [ ! -f "registration_shared_secret.txt" ]
+        then
+          cat /dev/urandom | tr -dc a-zA-Z0-9 | fold -w 256 | head -n 1 > registration_shared_secret.txt
+        else
+          echo Not generating key, key exists;
+        fi'';
+      serviceConfig = {
+        User = "matrix-synapse";
+        Group = "matrix-synapse";
+        WorkingDirectory = "/var/lib/matrix-synapse";
+      };
+    };
+  system.stateVersion = "22.11"; # DO NOT EDIT!
+}
+
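Review bot: `password = "somepassword"` under `services.matrix-synapse.settings.database.args` ends up in the generated homeserver config in the world-readable Nix store and is also committed to this repository; the commented `extraConfigFiles` block further down is the module's mechanism for keeping such values out of the store, so the database password belongs in a file referenced from `extraConfigFiles` (and the coturn `static-auth-secret`, whose own comment already admits the problem, in `static-auth-secret-file` once that service is enabled). The `matrix-synapse-reg-token` script writes `registration_shared_secret.txt` with the service's default umask, so the file may be group- or world-readable under /var/lib/matrix-synapse; adding `umask 077` as the first line of the script before the redirect fixes that. The script also opens with a blank line and ends with `fi''` on the same line, and `services.matrix-appservice-discord` and `systemd.services.matrix-synapse-reg-token` are indented differently from their siblings, which is harmless but reads as unfinished.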