From 00c9e35779cbb298d6395a6e2c2534007a92976f Mon Sep 17 00:00:00 2001
From: Preston Pan <ret2pop@gmail.com>
Date: Fri, 21 Mar 2025 04:52:46 -0700
Subject: add a ton of VPS upgrades; update website; live life

---
 nix/modules/configuration.nix |  31 ++-
 nix/modules/default.nix       |   1 +
 nix/modules/home/default.nix  |   1 +
 nix/modules/home/emacs.nix    |   2 +-
 nix/modules/home/mpd.nix      |  14 ++
 nix/modules/icecast.nix       |  21 ++
 nix/modules/inspircd.nix      | 539 ++++++++++++++++++++++++++++++++++++++++++
 nix/modules/ircd.nix          |  12 +
 nix/modules/maddy.nix         |  18 ++
 nix/modules/matterbridge.nix  |   7 +
 nix/modules/murmur.nix        |   6 +-
 nix/modules/nginx.nix         |  18 +-
 nix/modules/ngircd.nix        |  28 +++
 nix/modules/secrets.nix       |   1 -
 nix/modules/znc.nix           |  31 +++
 15 files changed, 715 insertions(+), 15 deletions(-)
 create mode 100644 nix/modules/icecast.nix
 create mode 100644 nix/modules/inspircd.nix
 create mode 100644 nix/modules/ircd.nix
 create mode 100644 nix/modules/maddy.nix
 create mode 100644 nix/modules/matterbridge.nix
 create mode 100644 nix/modules/ngircd.nix
 create mode 100644 nix/modules/znc.nix

(limited to 'nix/modules')

diff --git a/nix/modules/configuration.nix b/nix/modules/configuration.nix
index 732f83c..ad244b8 100644
--- a/nix/modules/configuration.nix
+++ b/nix/modules/configuration.nix
@@ -1,6 +1,7 @@
 { config, pkgs, lib, ... }:
 {
   imports = [
+    ./matterbridge.nix
     ./xserver.nix
     ./ssh.nix
     ./pipewire.nix
@@ -10,14 +11,14 @@
     ./cuda.nix
     ./nginx.nix
     ./git-daemon.nix
-    ./postfix.nix
-    ./dovecot.nix
     ./ollama.nix
     ./i2pd.nix
     ./gitweb.nix
     ./conduit.nix
     ./bitcoin.nix
     ./murmur.nix
+    ./ngircd.nix
+    ./znc.nix
   ];
 
   documentation = {
@@ -315,12 +316,28 @@
 
   users.groups.nginx = lib.mkDefault {};
   users.groups.git = lib.mkDefault {};
+  users.groups.ircd = lib.mkDefault {};
+
   users.users = {
-    nginx.group = "nginx";
-    nginx.isSystemUser = lib.mkDefault true;
-    nginx.extraGroups = [
-      "acme"
-    ];
+    ngircd = {
+      isSystemUser = lib.mkDefault true;
+      extraGroups = [ "acme" "nginx" ];
+    };
+
+    ircd = {
+      isSystemUser = lib.mkDefault true;
+      group = "ircd";
+      home = "/home/ircd";
+    };
+    
+    nginx = {
+      group = "nginx";
+      isSystemUser = lib.mkDefault true;
+      extraGroups = [
+        "acme"
+      ];
+    };
+
     root.openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell"
     ];
diff --git a/nix/modules/default.nix b/nix/modules/default.nix
index 00a188b..4bd4161 100644
--- a/nix/modules/default.nix
+++ b/nix/modules/default.nix
@@ -27,6 +27,7 @@
 	    linux-manual
 	    man-pages
 	    man-pages-posix
+      iproute2
     ]);
     boot.loader.grub = lib.mkIf config.monorepo.profiles.grub.enable {
       enable = true;
diff --git a/nix/modules/home/default.nix b/nix/modules/home/default.nix
index fa18632..72fcc31 100644
--- a/nix/modules/home/default.nix
+++ b/nix/modules/home/default.nix
@@ -84,6 +84,7 @@
                     ++
                     (if config.monorepo.profiles.workstation.enable then (with pkgs; [
                       open-webui
+                      mumble
                     ]) else [])
                     ++
 					          (if config.monorepo.profiles.lang-js.enable then (with pkgs; [
diff --git a/nix/modules/home/emacs.nix b/nix/modules/home/emacs.nix
index 4358ca3..71e234c 100644
--- a/nix/modules/home/emacs.nix
+++ b/nix/modules/home/emacs.nix
@@ -3,7 +3,7 @@
   programs.emacs = 
     {
       enable = lib.mkDefault config.monorepo.profiles.graphics.enable;
-      package = pkgs.emacs29-pgtk;
+      package = pkgs.emacs30-pgtk;
       extraConfig = ''
       (setq debug-on-error t)
       (org-babel-load-file
diff --git a/nix/modules/home/mpd.nix b/nix/modules/home/mpd.nix
index 087b19a..3ab9d2d 100644
--- a/nix/modules/home/mpd.nix
+++ b/nix/modules/home/mpd.nix
@@ -24,6 +24,20 @@
         always_on       "yes" # prevent MPD from disconnecting all listeners when playback is stopped.
         tags            "yes" # httpd supports sending tags to listening streams.
       }
+audio_output {
+    type        "shout"
+    encoding    "ogg"
+    name        "my cool stream"
+    host        "localhost"
+    port        "8000"
+    mount       "/example.ogg"
+    user        "source"
+    password    "<source-password>"
+
+    bitrate     "64"
+    format      "44100:16:1"
+    description "Nullring public radio"
+}
     '';
   };
 }
diff --git a/nix/modules/icecast.nix b/nix/modules/icecast.nix
new file mode 100644
index 0000000..0cef018
--- /dev/null
+++ b/nix/modules/icecast.nix
@@ -0,0 +1,21 @@
+{ lib, config, ... }:
+{
+  services.icecast = {
+    enable = lib.mkDefault config.monorepo.profiles.server.enable;
+    listen.address = "0.0.0.0";
+    extraConfig = ''
+<mount type="default">
+  <public>0</public>
+  <intro>/stream.m3u</intro>
+  <max-listener-duration>3600</max-listener-duration>
+  <authentication type="url">
+    <option name="mount_add" value="http://auth.example.org/stream_start.php"/>
+  </authentication>
+  <http-headers>
+    <header name="foo" value="bar" />
+  </http-headers>
+</mount>
+'';
+  };
+  admin.password = "changeme";
+}
diff --git a/nix/modules/inspircd.nix b/nix/modules/inspircd.nix
new file mode 100644
index 0000000..bf3e9ba
--- /dev/null
+++ b/nix/modules/inspircd.nix
@@ -0,0 +1,539 @@
+{ lib, config, ... }:
+{
+  services.inspircd = {
+    enable = lib.mkDefault config.monorepo.profiles.server.enable;
+    modules = [ "ssl_openssl" ];
+    config = ''
+<server name="nullring.xyz"
+        description="Nullring IRC Instance"
+        network="NullRing">
+
+<admin
+       name="Preston Pan"
+       nick="prestonp"
+       email="ret2pop@gmail.com">
+
+<bind
+      address="0.0.0.0"
+      port="6697"
+      type="clients"
+      ssl="openssl">
+
+<module name="ssl_openssl">
+<openssl certfile="/var/lib/acme/fullchain.pem" keyfile="/var/lib/acme/key.pem">
+
+<power
+       # hash: what hash these passwords are hashed with.
+       # Requires the module for selected hash (m_md5.so, m_sha256.so
+       # or m_ripemd160.so) be loaded and the password hashing module
+       # (m_password_hash.so) loaded.
+       # Options here are: "md5", "sha256" and "ripemd160", or one of
+       # these prefixed with "hmac-", e.g.: "hmac-sha256".
+       # Optional, but recommended. Create hashed passwords with:
+       # /mkpasswd <hash> <password>
+       #hash="sha256"
+
+       # diepass: Password for opers to use if they need to shutdown (die)
+       # a server.
+       diepass=""
+
+       # restartpass: Password for opers to use if they need to restart
+       # a server.
+       restartpass="">
+
+<connect
+         # name: Name to use for this connect block. Mainly used for
+         # connect class inheriting.
+         name="main"
+
+         # allow: What IP addresses/hosts to allow for this block.
+         allow="*"
+
+         # maxchans: Maximum number of channels a user in this class
+         # be in at one time. This overrides every other maxchans setting.
+         #maxchans="30"
+
+         # timeout: How long (in seconds) the server will wait before
+         # disconnecting a user if they do not do anything on connect.
+         # (Note, this is a client-side thing, if the client does not
+         # send /nick, /user or /pass)
+         timeout="10"
+
+         # pingfreq: How often (in seconds) the server tries to ping connecting clients.
+         pingfreq="120"
+
+         # hardsendq: maximum amount of data allowed in a client's send queue
+         # before they are dropped. Keep this value higher than the length of
+         # your network's /LIST or /WHO output, or you will have lots of
+         # disconnects from sendq overruns!
+         # Setting this to "1M" is equivalent to "1048576", "8K" is 8192, etc.
+         hardsendq="1M"
+
+         # softsendq: amount of data in a client's send queue before the server
+         # begins delaying their commands in order to allow the sendq to drain
+         softsendq="8192"
+
+         # recvq: amount of data allowed in a client's queue before they are dropped.
+         # Entering "8K" is equivalent to "8192", see above.
+         recvq="8K"
+
+         # threshold: This specifies the amount of command penalty a user is allowed to have
+         # before being quit or fakelagged due to flood. Normal commands have a penalty of 1,
+         # ones such as /OPER have penalties up to 10.
+         #
+         # If you are not using fakelag, this should be at least 20 to avoid excess flood kills
+         # from processing some commands.
+         threshold="10"
+
+         # commandrate: This specifies the maximum rate that commands can be processed.
+         # If commands are sent more rapidly, the user's penalty will increase and they will
+         # either be fakelagged or killed when they reach the threshold
+         #
+         # Units are millicommands per second, so 1000 means one line per second.
+         commandrate="1000"
+
+         # fakelag: Use fakelag instead of killing users for excessive flood
+         #
+         # Fake lag stops command processing for a user when a flood is detected rather than
+         # immediately killing them; their commands are held in the recvq and processed later
+         # as the user's command penalty drops. Note that if this is enabled, flooders will
+         # quit with "RecvQ exceeded" rather than "Excess Flood".
+         fakelag="on"
+
+         # localmax: Maximum local connections per IP.
+         
+		 localmax="200"
+
+         # globalmax: Maximum global (network-wide) connections per IP.
+         
+		 globalmax="200"
+
+         # useident: Defines if users in this class must respond to a ident query or not.
+         useident="no"
+
+         # limit: How many users are allowed in this class
+         limit="5000"
+
+         # modes: Usermodes that are set on users in this block on connect.
+         # Enabling this option requires that the m_conn_umodes module be loaded.
+         # This entry is highly recommended to use for/with IP Cloaking/masking.
+         # For the example to work, this also requires that the m_cloaking
+         # module be loaded as well.
+         modes="+x">
+
+
+#-#-#-#-#-#-#-#-#-#-#-#-  CIDR CONFIGURATION   -#-#-#-#-#-#-#-#-#-#-#-
+#                                                                     #
+# CIDR configuration allows detection of clones and applying of       #
+# throttle limits across a CIDR range. (A CIDR range is a group of    #
+# IPs, for example, the CIDR range 192.168.1.0-192.168.1.255 may be   #
+# represented as 192.168.1.0/24). This means that abuse across an ISP #
+# is detected and curtailed much easier. Here is a good chart that    #
+# shows how many IPs the different CIDRs correspond to:               #
+# http://en.wikipedia.org/wiki/CIDR#Prefix_aggregation                #
+#                                                                     #
+
+<cidr
+      # ipv4clone: specifies how many bits of an IP address should be
+      # looked at for clones. The default only looks for clones on a
+      # single IP address of a user. You do not want to set this
+      # extremely low. (Values are 0-32).
+      ipv4clone="32"
+
+      # ipv6clone: specifies how many bits of an IP address should be
+      # looked at for clones. The default only looks for clones on a
+      # single IP address of a user. You do not want to set this
+      # extremely low. (Values are 0-128).
+      ipv6clone="128">
+
+<channels
+          # users: Maximum number of channels a user can be in at once.
+          users="20"
+
+          # opers: Maximum number of channels an oper can be in at once.
+          opers="60">
+
+#-#-#-#-#-#-#-#-#-#-#-#-#-#-# DNS SERVER -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
+# If these values are not defined, InspIRCd uses the default DNS resolver
+# of your system.
+
+<dns
+     # server: DNS server to use to attempt to resolve IP's to hostnames.
+     # in most cases, you won't need to change this, as inspircd will
+     # automatically detect the nameserver depending on /etc/resolv.conf
+     # (or, on Windows, your set nameservers in the registry.)
+     # Note that this must be an IP address and not a hostname, because
+     # there is no resolver to resolve the name until this is defined!
+     #
+     # server="127.0.0.1"
+
+     # timeout: seconds to wait to try to resolve DNS/hostname.
+     timeout="5">
+
+# An example of using an IPv6 nameserver
+#<dns server="::1" timeout="5">
+
+#-#-#-#-#-#-#-#-#-#-#-#-#-#-#  PID FILE  -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
+#                                                                     #
+# Define the path to the PID file here. The PID file can be used to   #
+# rehash the ircd from the shell or to terminate the ircd from the    #
+# shell using shell scripts, perl scripts, etc... and to monitor the  #
+# ircd's state via cron jobs. If this is a relative path, it will be  #
+# relative to the configuration directory, and if it is not defined,  #
+# the default of 'inspircd.pid' is used.                              #
+#                                                                     #
+
+#<pid file="/path/to/inspircd.pid">
+
+#-#-#-#-#-#-#-#-#-#-#-#-#- BANLIST LIMITS #-#-#-#-#-#-#-#-#-#-#-#-#-#-#
+#                                                                     #
+# Use these tags to customise the ban limits on a per channel basis.  #
+# The tags are read from top to bottom, and any tag found which       #
+# matches the channels name applies the banlimit to that channel.     #
+# It is advisable to put an entry with the channel as '*' at the      #
+# bottom of the list. If none are specified or no maxbans tag is      #
+# matched, the banlist size defaults to 64 entries.                   #
+#                                                                     #
+
+<banlist chan="#largechan" limit="128">
+<banlist chan="*" limit="69">
+
+#-#-#-#-#-#-#-#-#-#-#-  DISABLED FEATURES  -#-#-#-#-#-#-#-#-#-#-#-#-#-#
+#                                                                     #
+# This tag is optional, and specifies one or more features which are  #
+# not available to non-operators.                                     #
+#                                                                     #
+# For example you may wish to disable NICK and prevent non-opers from #
+# changing their nicknames.                                           #
+# Note that any disabled commands take effect only after the user has #
+# 'registered' (e.g. after the initial USER/NICK/PASS on connection)  #
+# so for example disabling NICK will not cripple your network.        #
+#                                                                     #
+# You can also define if you want to disable any channelmodes         #
+# or usermodes from your users.                                       #
+#                                                                     #
+# `fakenonexistant' will make the ircd pretend that nonexistant       #
+# commands simply don't exist to non-opers ("no such command").       #
+#                                                                     #
+#<disabled commands="TOPIC MODE" usermodes="" chanmodes="" fakenonexistant="yes">
+
+
+#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-  RTFM LINE  -#-#-#-#-#-#-#-#-#-#-#-#-#-#
+#                                                                     #
+#   Just remove this... Its here to make you read ALL of the config   #
+#   file options ;)                                                   #
+
+#<die value="You should probably edit your config *PROPERLY* and try again.">
+
+
+
+#-#-#-#-#-#-#-#-#-#-#-#-#-  SERVER OPTIONS   -#-#-#-#-#-#-#-#-#-#-#-#-#
+#                                                                     #
+#   Settings to define which features are usable on your server.      #
+#                                                                     #
+
+<options
+         # prefixquit: What (if anything) users' quit messages
+         # should be prefixed with.
+         prefixquit="Quit: "
+
+         # suffixquit: What (if anything) users' quit messages
+         # should be suffixed with.
+         suffixquit=""
+
+         # prefixpart: What (if anything) users' part messages
+         # should be prefixed with.
+         prefixpart="&quot;"
+         # NOTE: Use "\"" instead of "&quot;" if not using <config format="xml">
+
+         # suffixpart: What (if anything) users' part message
+         # should be suffixed with.
+         suffixpart="&quot;"
+
+         # fixedquit: Set all users' quit messages to this value.
+         #fixedquit=""
+
+         # fixedpart: Set all users' part messages in all channels
+         # to this value.
+         #fixedpart=""
+
+         # syntaxhints: If enabled, if a user fails to send the correct parameters
+         # for a command, the ircd will give back some help text of what
+         # the correct parameters are.
+         syntaxhints="no"
+
+         # cyclehosts: If enabled, when a user gets a host set, it will cycle
+         # them in all their channels. If not, it will simply change their host
+         # without cycling them.
+         cyclehosts="yes"
+
+         # cyclehostsfromuser: If enabled, the source of the mode change for
+         # cyclehosts will be the user who cycled. This can look nicer, but
+         # triggers anti-takeover mechanisms of some obsolete bots.
+         cyclehostsfromuser="no"
+
+         # ircumsgprefix: Use undernet-style message prefixing for NOTICE and
+         # PRIVMSG. If enabled, it will add users' prefix to the line, if not,
+         # it will just message the user normally.
+         ircumsgprefix="no"
+
+         # announcets: If set to yes, when the timestamp on a channel changes, all users
+         # in the channel will be sent a NOTICE about it.
+         announcets="yes"
+
+         # allowmismatch: Setting this option to yes will allow servers to link even
+         # if they don't have the same "optionally common" modules loaded. Setting this to
+         # yes may introduce some desyncs and unwanted behaviour.
+         allowmismatch="no"
+
+         # defaultbind: Sets the default for <bind> tags without an address. Choices are
+         # ipv4 or ipv6; if not specified, IPv6 will be used if your system has support,
+         # falling back to IPv4 otherwise.
+         defaultbind="auto"
+
+         # hostintopic: If enabled, channels will show the host of the topic setter
+         # in the topic. If set to no, it will only show the nick of the topic setter.
+         hostintopic="yes"
+
+         # pingwarning: If a server does not respond to a ping within x seconds,
+         # it will send a notice to opers with snomask +l informing that the server
+         # is about to ping timeout.
+         pingwarning="15"
+
+         # serverpingfreq: How often pings are sent between servers (in seconds).
+         serverpingfreq="60"
+
+         # defaultmodes: What modes are set on a empty channel when a user
+         # joins it and it is unregistered.
+         defaultmodes="nt"
+
+         # moronbanner: This is the text that is sent to a user when they are
+         # banned from the server.
+         moronbanner="You're banned! Email abuse@example.com with the ERROR line below for help."
+
+         # exemptchanops: exemptions for channel access restrictions based on prefix.
+         exemptchanops="nonick:v flood:o"
+
+         # invitebypassmodes: This allows /invite to bypass other channel modes.
+         # (Such as +k, +j, +l, etc.)
+         invitebypassmodes="yes"
+
+         # nosnoticestack: This prevents snotices from 'stacking' and giving you
+         # the message saying '(last message repeated X times)'. Defaults to no.
+         nosnoticestack="no"
+
+         # welcomenotice: When turned on, this sends a NOTICE to connecting users
+         # with the text Welcome to <networkname>! after successful registration.
+         # Defaults to yes.
+         welcomenotice="yes">
+
+
+#-#-#-#-#-#-#-#-#-#-#-# PERFORMANCE CONFIGURATION #-#-#-#-#-#-#-#-#-#-#
+#                                                                     #
+
+<performance
+             # netbuffersize: Size of the buffer used to receive data from clients.
+             # The ircd may only read this amount of text in 1 go at any time.
+             netbuffersize="10240"
+
+             # somaxconn: The maximum number of connections that may be waiting
+             # in the accept queue. This is *NOT* the total maximum number of
+             # connections per server. Some systems may only allow this to be up
+             # to 5, while others (such as Linux and *BSD) default to 128.
+             somaxconn="128"
+
+             # limitsomaxconn: By default, somaxconn (see above) is limited to a
+             # safe maximum value in the 2.0 branch for compatibility reasons.
+             # This setting can be used to disable this limit, forcing InspIRCd
+             # to use the value specified above.
+             limitsomaxconn="true"
+
+             # softlimit: This optional feature allows a defined softlimit for
+             # connections. If defined, it sets a soft max connections value.
+             softlimit="12800"
+
+             # quietbursts: When syncing or splitting from a network, a server
+             # can generate a lot of connect and quit messages to opers with
+             # +C and +Q snomasks. Setting this to yes squelches those messages,
+             # which makes it easier for opers, but degrades the functionality of
+             # bots like BOPM during netsplits.
+             quietbursts="yes"
+
+             # nouserdns: If enabled, no DNS lookups will be performed on
+             # connecting users. This can save a lot of resources on very busy servers.
+             nouserdns="no">
+
+#-#-#-#-#-#-#-#-#-#-#-# SECURITY CONFIGURATION  #-#-#-#-#-#-#-#-#-#-#-#
+#                                                                     #
+
+<security
+
+          # announceinvites: This option controls which members of the channel
+          # receive an announcement when someone is INVITEd. Available values:
+          # 'none' - don't send invite announcements
+          # 'all' - send invite announcements to all members
+          # 'ops' - send invite announcements to ops and higher ranked users
+          # 'dynamic' - send invite announcements to halfops (if available) and
+          #             higher ranked users. This is the recommended setting.
+          announceinvites="dynamic"
+
+          # hidemodes: If enabled, then the listmodes given will be hidden
+          # from users below halfop. This is not recommended to be set on +b
+          # as it may break some functionality in popular clients such as mIRC.
+          hidemodes="eI"
+
+          # hideulines: If this value is set to yes, U-lined servers will
+          # be hidden from non-opers in /links and /map.
+          hideulines="no"
+
+          # flatlinks: If this value is set to yes, /map and /links will
+          # be flattened when shown to non-opers.
+          flatlinks="no"
+
+          # hidewhois: When defined, the given text will be used in place
+          # of the server a user is on when whoised by a non-oper. Most
+          # networks will want to set this to something like "*.netname.net"
+          # to conceal the actual server a user is on.
+          # Note that enabling this will cause users' idle times to only be
+          # shown when the format /WHOIS <nick> <nick> is used.
+          hidewhois=""
+
+          # hidebans: If this value is set to yes, when a user is banned ([gkz]lined)
+          # only opers will see the ban message when the user is removed
+          # from the server.
+          hidebans="no"
+
+          # hidekills: If defined, replaces who set a /kill with a custom string.
+          hidekills=""
+
+          # hideulinekills: Hide kills from clients of ulined servers from server notices.
+          hideulinekills="yes"
+
+          # hidesplits: If enabled, non-opers will not be able to see which
+          # servers split in a netsplit, they will only be able to see that one
+          # occurred (If their client has netsplit detection).
+          hidesplits="no"
+
+          # maxtargets: Maximum number of targets per command.
+          # (Commands like /notice, /privmsg, /kick, etc)
+          maxtargets="20"
+
+          # customversion: Displays a custom string when a user /version's
+          # the ircd. This may be set for security reasons or vanity reasons.
+          customversion=""
+
+          # operspywhois: show opers (users/auspex) the +s channels a user is in. Values:
+          #  splitmsg  Split with an explanatory message
+          #  yes       Split with no explanatory message
+          #  no        Do not show
+          operspywhois="no"
+
+          # runasuser: If this is set, InspIRCd will attempt to switch
+          # to run as this user, which allows binding of ports under 1024.
+          # You should NOT set this unless you are starting as root.
+          # NOT SUPPORTED/NEEDED UNDER WINDOWS.
+          #runasuser=""
+
+          # runasgroup: If this is set, InspIRCd will attempt to switch
+          # to run as this group, which allows binding of ports under 1024.
+          # You should NOT set this unless you are starting as root.
+          # NOT SUPPORTED/NEEDED UNDER WINDOWS.
+          #runasgroup=""
+
+          # restrictbannedusers: If this is set to yes, InspIRCd will not allow users
+          # banned on a channel to change nickname or message channels they are
+          # banned on.
+          restrictbannedusers="yes"
+
+          # genericoper: Setting this value to yes makes all opers on this server
+          # appear as 'is an IRC operator' in their WHOIS, regardless of their
+          # oper type, however oper types are still used internally. This only
+          # affects the display in WHOIS.
+          genericoper="no"
+
+          # userstats: /stats commands that users can run (opers can run all).
+          userstats="Pu">
+
+<limits
+        # maxnick: Maximum length of a nickname.
+        maxnick="500"
+
+        # maxchan: Maximum length of a channel name.
+        maxchan="500"
+
+        # maxmodes: Maximum number of mode changes per line.
+        maxmodes="20"
+
+        # maxident: Maximum length of a ident/username.
+        maxident="500"
+
+        # maxquit: Maximum length of a quit message.
+        maxquit="255"
+
+        # maxtopic: Maximum length of a channel topic.
+        maxtopic="307"
+
+        # maxkick: Maximum length of a kick message.
+        maxkick="255"
+
+        # maxgecos: Maximum length of a GECOS (realname).
+        maxgecos="128"
+
+        # maxaway: Maximum length of an away message.
+        maxaway="200">
+
+<log method="file" type="* -USERINPUT -USEROUTPUT" level="default" target="logs/ircd.log">
+
+#-#-#-#-#-#-#-#-#-#-#-#-#-  WHOWAS OPTIONS   -#-#-#-#-#-#-#-#-#-#-#-#-#
+#                                                                     #
+# This tag lets you define the behaviour of the /whowas command of    #
+# your server.                                                        #
+#                                                                     #
+
+<whowas
+        # groupsize: Maximum entries per nick shown when performing
+        # a /whowas nick.
+        groupsize="10"
+
+        # maxgroups: Maximum number of nickgroups that can be added to
+        # the list so that /whowas does not use a lot of resources on
+        # large networks.
+        maxgroups="100000"
+
+        # maxkeep: Maximum time a nick is kept in the whowas list
+        # before being pruned. Time may be specified in seconds,
+        # or in the following format: 1y2w3d4h5m6s. Minimum is
+        # 1 hour.
+        maxkeep="3d">
+
+<badnick
+         # nick: Nick to disallow. Wildcards are supported.
+         nick="ChanServ"
+
+         # reason: Reason to display on /nick.
+         reason="Reserved For Services">
+
+<badnick nick="NickServ" reason="Reserved For Services">
+<badnick nick="OperServ" reason="Reserved For Services">
+<badnick nick="MemoServ" reason="Reserved For Services">
+
+<badhost host="root@*" reason="Don't IRC as root!">
+
+<insane
+        # hostmasks: Allow bans with insane hostmasks. (over-reaching bans)
+        hostmasks="no"
+
+        # ipmasks: Allow bans with insane ipmasks. (over-reaching bans)
+        ipmasks="no"
+
+        # nickmasks: Allow bans with insane nickmasks. (over-reaching bans)
+        nickmasks="no"
+
+        # trigger: What percentage of users on the network to trigger
+        # specifying an insane ban as. The default is 95.5%, which means
+        # if you have a 1000 user network, a ban will not be allowed if it
+        # will be banning 955 or more users.
+        trigger="95.5">
+'';
+  };
+}
diff --git a/nix/modules/ircd.nix b/nix/modules/ircd.nix
new file mode 100644
index 0000000..ee4eb75
--- /dev/null
+++ b/nix/modules/ircd.nix
@@ -0,0 +1,12 @@
+{ lib, config, ... }:
+{
+  services.ircdHybrid = {
+    enable = lib.mkDefault config.monorepo.profiles.server.enable;
+    extraIPs = [ "0.0.0.0" ];
+    extraPort = "6697";
+    adminEmail = "ret2pop@gmail.com";
+    description = "NullRing IRC instance";
+    serverName = "nullring.xyz";
+    certificate = "/var/lib/acme/nullring.xyz/cert.pem";
+  };
+}
diff --git a/nix/modules/maddy.nix b/nix/modules/maddy.nix
new file mode 100644
index 0000000..158b6b5
--- /dev/null
+++ b/nix/modules/maddy.nix
@@ -0,0 +1,18 @@
+{ lib, config, options, ... }:
+{
+  services.maddy = {
+    enable = lib.mkDefault config.monorepo.profiles.server.enable;
+    openFirewall = true;
+    primaryDomain = "ret2pop.net";
+    tls = {
+      loader = "acme";
+    };
+    config = builtins.replaceStrings [
+      "imap tcp://0.0.0.0:143"
+      "submission tcp://0.0.0.0:587"
+    ] [
+      "imap tls://0.0.0.0:993 tcp://0.0.0.0:143"
+      "submission tls://0.0.0.0:465 tcp://0.0.0.0:587"
+    ] options.services.maddy.config.default;
+  };
+}
diff --git a/nix/modules/matterbridge.nix b/nix/modules/matterbridge.nix
new file mode 100644
index 0000000..567e2b7
--- /dev/null
+++ b/nix/modules/matterbridge.nix
@@ -0,0 +1,7 @@
+{ lib, config, ... }:
+{
+  services.matterbridge = {
+    enable = lib.mkDefault config.monorepo.profiles.server.enable;
+    configPath = "/etc/matterbridge.toml";
+  };
+}
diff --git a/nix/modules/murmur.nix b/nix/modules/murmur.nix
index 463ee1d..7595520 100644
--- a/nix/modules/murmur.nix
+++ b/nix/modules/murmur.nix
@@ -4,9 +4,11 @@
     enable = lib.mkDefault config.monorepo.profiles.server.enable;
     logFile = "/var/log/murmur.log";
     openFirewall = true;
-    hostName = "talk.nullring.xyz";
+    hostName = "0.0.0.0";
     welcometext = "Wecome to the Null Murmur instance!";
     registerName = "nullring";
-    registerHostname = "talk.nullring.xyz";
+    registerHostname = "nullring.xyz";
+    sslCert = "/var/lib/acme/nullring.xyz/fullchain.pem";
+    sslKey = "/var/lib/acme/nullring.xyz/sslKey.pem";
   };
 }
diff --git a/nix/modules/nginx.nix b/nix/modules/nginx.nix
index e603759..bb87fce 100644
--- a/nix/modules/nginx.nix
+++ b/nix/modules/nginx.nix
@@ -8,10 +8,6 @@
     recommendedOptimisation = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
-
-    # Only allow PFS-enabled ciphers with AES256
-    # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
-
     appendHttpConfig = '''';
 
     gitweb = {
@@ -64,6 +60,20 @@
 	      addSSL = true;
 	      enableACME = true;
 	    };
+
+      "nullring.xyz" = {
+        serverName = "nullring.xyz";
+        root = "/var/www/nullring/";
+        addSSL = true;
+        enableACME = true;
+      };
+
+      "mail.${config.monorepo.vars.remoteHost}" = {
+        serverName = "mail.${config.monorepo.vars.remoteHost}";
+        root = "/var/www/dummy";
+        addSSL = true;
+        enableACME = true;
+      };
     };
   };
 }
diff --git a/nix/modules/ngircd.nix b/nix/modules/ngircd.nix
new file mode 100644
index 0000000..0900017
--- /dev/null
+++ b/nix/modules/ngircd.nix
@@ -0,0 +1,28 @@
+{ lib, config, ... }:
+{
+  services.ngircd = {
+    enable = lib.mkDefault config.monorepo.profiles.server.enable;
+    config = ''
+[Global]
+	Name = nullring.xyz
+	Info = NullRing IRC Instance
+  Listen = 0.0.0.0
+  MotdFile = /etc/motd.txt
+	Network = NullRing
+	Ports = 6667
+[Options]
+	PAM = no
+[SSL]
+	CertFile = /var/lib/acme/nullring.xyz/fullchain.pem
+	CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3
+	KeyFile = /var/lib/acme/nullring.xyz/key.pem
+	Ports = 6697
+'';
+  };
+  environment.etc."motd.txt" = {
+    source = ../data/motd.txt;
+    mode = "644";
+    user = "ngircd";
+    group = "ngircd";
+  };
+}
diff --git a/nix/modules/secrets.nix b/nix/modules/secrets.nix
index f157e3e..2f8defc 100644
--- a/nix/modules/secrets.nix
+++ b/nix/modules/secrets.nix
@@ -5,7 +5,6 @@
     age = {
       keyFile = "/home/${config.monorepo.vars.userName}/.ssh/keys.txt";
     };
-
     secrets = {
       mail = {
         format = "yaml";
diff --git a/nix/modules/znc.nix b/nix/modules/znc.nix
new file mode 100644
index 0000000..c2e2079
--- /dev/null
+++ b/nix/modules/znc.nix
@@ -0,0 +1,31 @@
+{ lib, config, ... }:
+{
+  services.znc = {
+    enable = lib.mkDefault config.monorepo.profiles.server.enable;
+    openFirewall = true;
+    confOptions = {
+      useSSL = true;
+      passBlock = ''
+<Pass password>
+  Method = sha256
+  Hash = d4abdd69aa24de69693885c5bd83a4a0e9ee989e1a69a905041b0dad9abc06ea
+  Salt = sDY,?H5AxC-!gH3a.:)D
+</Pass>
+'';
+      modules = [
+        "partyline"
+        "webadmin"
+        "adminlog"
+        "log"
+      ];
+      networks = {
+        "libera" = {
+          server = "irc.libera.chat";
+          port = 6697;
+          useSSL = true;
+          modules = [ "simple_away" ];
+        };
+      };
+    };
+  };
+}
-- 
cgit v1.3