From 00c9e35779cbb298d6395a6e2c2534007a92976f Mon Sep 17 00:00:00 2001
From: Preston Pan <ret2pop@gmail.com>
Date: Fri, 21 Mar 2025 04:52:46 -0700
Subject: add a ton of VPS upgrades; update website; live life

---
 nix/data/deploy-matterbridge.sh     |  25 ++
 nix/data/matterbridge.toml          |  25 ++
 nix/data/motd.txt                   |   8 +
 nix/flake.lock                      |  36 +--
 nix/modules/configuration.nix       |  31 ++-
 nix/modules/default.nix             |   1 +
 nix/modules/home/default.nix        |   1 +
 nix/modules/home/emacs.nix          |   2 +-
 nix/modules/home/mpd.nix            |  14 +
 nix/modules/icecast.nix             |  21 ++
 nix/modules/inspircd.nix            | 539 ++++++++++++++++++++++++++++++++++++
 nix/modules/ircd.nix                |  12 +
 nix/modules/maddy.nix               |  18 ++
 nix/modules/matterbridge.nix        |   7 +
 nix/modules/murmur.nix              |   6 +-
 nix/modules/nginx.nix               |  18 +-
 nix/modules/ngircd.nix              |  28 ++
 nix/modules/secrets.nix             |   1 -
 nix/modules/znc.nix                 |  31 +++
 nix/secrets/secrets.yaml            |   7 +-
 nix/systems/spontaneity/default.nix |  21 +-
 21 files changed, 804 insertions(+), 48 deletions(-)
 create mode 100755 nix/data/deploy-matterbridge.sh
 create mode 100644 nix/data/matterbridge.toml
 create mode 100644 nix/data/motd.txt
 create mode 100644 nix/modules/icecast.nix
 create mode 100644 nix/modules/inspircd.nix
 create mode 100644 nix/modules/ircd.nix
 create mode 100644 nix/modules/maddy.nix
 create mode 100644 nix/modules/matterbridge.nix
 create mode 100644 nix/modules/ngircd.nix
 create mode 100644 nix/modules/znc.nix

(limited to 'nix')

diff --git a/nix/data/deploy-matterbridge.sh b/nix/data/deploy-matterbridge.sh
new file mode 100755
index 0000000..a0758ec
--- /dev/null
+++ b/nix/data/deploy-matterbridge.sh
@@ -0,0 +1,25 @@
+set -e  # Exit on error
+
+# Ensure required environment variables are set
+#: "${MATTERBRIDGE_DISCORD_TOKEN:?Need to set MATTERBRIDGE_DISCORD_TOKEN}"
+: "${MATTERBRIDGE_MATRIX_PASS:?Need to set MATTERBRIDGE_MATRIX_PASS}"
+
+# Define paths
+TEMPLATE_CONFIG="matterbridge.toml"
+GENERATED_CONFIG="matterbridge.built.toml"
+REMOTE_SERVER="root@nullring.xyz"
+REMOTE_PATH="/etc/matterbridge.toml"
+
+# Generate config file
+sed "s|\${MATTERBRIDGE_MATRIX_PASS}|$MATTERBRIDGE_MATRIX_PASS|g" $TEMPLATE_CONFIG > $GENERATED_CONFIG
+
+# Securely transfer to server
+scp "$GENERATED_CONFIG" "$REMOTE_SERVER:$REMOTE_PATH"
+
+# Restart Matterbridge service
+ssh "$REMOTE_SERVER" "sudo systemctl restart matterbridge"
+
+# delete config file with secrets from repo
+shred -u "$GENERATED_CONFIG"
+
+echo "✅ Matterbridge config deployed successfully!"
diff --git a/nix/data/matterbridge.toml b/nix/data/matterbridge.toml
new file mode 100644
index 0000000..aebb8c2
--- /dev/null
+++ b/nix/data/matterbridge.toml
@@ -0,0 +1,25 @@
+[matrix.mymatrix]
+Server="https://matrix.ret2pop.net"
+Login="bridge"
+Password="${MATTERBRIDGE_MATRIX_PASS}"
+RemoteNickFormat="[{PROTOCOL}] <{NICK}> "
+NoHomeServerSuffix=true
+
+[irc.myirc]
+Server="nullring.xyz:6697"
+Nick="bridge"
+RemoteNickFormat="[{PROTOCOL}] <{NICK}> "
+UseTLS=true
+SkipTLSVerify=true
+
+[[gateway]]
+name="gateway1"
+enable=true
+
+[[gateway.inout]]
+account="matrix.mymatrix"
+channel="!BQZli4UPBNC5w6ntXu:matrix.ret2pop.net"
+
+[[gateway.inout]]
+account="irc.myirc"
+channel="#nullring"
\ No newline at end of file
diff --git a/nix/data/motd.txt b/nix/data/motd.txt
new file mode 100644
index 0000000..ffcd31f
--- /dev/null
+++ b/nix/data/motd.txt
@@ -0,0 +1,8 @@
+Welcome to the NullRing experience!
+The main channel is #nullring; we're glad to have you!
+
+Rules:
+1. Don't be annoying.
+2. No illegal content.
+And if you're here to have constructive, philisophical and theoretical
+conversations, this is the place for you!
diff --git a/nix/flake.lock b/nix/flake.lock
index 0515e11..67c9ad1 100644
--- a/nix/flake.lock
+++ b/nix/flake.lock
@@ -49,11 +49,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1740485968,
-        "narHash": "sha256-WK+PZHbfDjLyveXAxpnrfagiFgZWaTJglewBWniTn2Y=",
+        "lastModified": 1741786315,
+        "narHash": "sha256-VT65AE2syHVj6v/DGB496bqBnu1PXrrzwlw07/Zpllc=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "19c1140419c4f1cdf88ad4c1cfb6605597628940",
+        "rev": "0d8c6ad4a43906d14abd5c60e0ffe7b587b213de",
         "type": "github"
       },
       "original": {
@@ -328,11 +328,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1740743217,
-        "narHash": "sha256-brsCRzLqimpyhORma84c3W2xPbIidZlIc3JGIuQVSNI=",
+        "lastModified": 1741724370,
+        "narHash": "sha256-WsD+8uodhl58jzKKcPH4jH9dLTLFWZpVmGq4W1XDVF4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "b27ba4eb322d9d2bf2dc9ada9fd59442f50c8d7c",
+        "rev": "95600680c021743fd87b3e2fe13be7c290e1cac4",
         "type": "github"
       },
       "original": {
@@ -360,11 +360,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1740695751,
-        "narHash": "sha256-D+R+kFxy1KsheiIzkkx/6L63wEHBYX21OIwlFV8JvDs=",
+        "lastModified": 1741851582,
+        "narHash": "sha256-cPfs8qMccim2RBgtKGF+x9IBCduRvd/N5F4nYpU0TVE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "6313551cd05425cd5b3e63fe47dbc324eabb15e4",
+        "rev": "6607cf789e541e7873d40d3a8f7815ea92204f32",
         "type": "github"
       },
       "original": {
@@ -376,11 +376,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1731763621,
-        "narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=",
+        "lastModified": 1741708242,
+        "narHash": "sha256-cNRqdQD4sZpN7JLqxVOze4+WsWTmv2DGH0wNCOVwrWc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c69a9bffbecde46b4b939465422ddc59493d3e4d",
+        "rev": "b62d2a95c72fb068aecd374a7262b37ed92df82b",
         "type": "github"
       },
       "original": {
@@ -397,11 +397,11 @@
         "treefmt-nix": "treefmt-nix_2"
       },
       "locked": {
-        "lastModified": 1740915906,
-        "narHash": "sha256-29HktIztPUFv9MQA9afzVnWnUMdmmu0nqK7z8Q9givY=",
+        "lastModified": 1741887947,
+        "narHash": "sha256-QQojmc7+HVYEZq4Ksim7y8KYobkIhqZ/oivd5Gnr8sA=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "24505e0253c0ea54d50355c53bfd7a8d55c9cf4b",
+        "rev": "2ac2be6a5936459018f10608b723487468a13f56",
         "type": "github"
       },
       "original": {
@@ -524,11 +524,11 @@
         "nixpkgs": "nixpkgs_3"
       },
       "locked": {
-        "lastModified": 1739262228,
-        "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=",
+        "lastModified": 1741861888,
+        "narHash": "sha256-ynOgXAyToeE1UdLNfrUn/hL7MN0OpIS2BtNdLjpjPf0=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975",
+        "rev": "d016ce0365b87d848a57c12ffcfdc71da7a2b55f",
         "type": "github"
       },
       "original": {
diff --git a/nix/modules/configuration.nix b/nix/modules/configuration.nix
index 732f83c..ad244b8 100644
--- a/nix/modules/configuration.nix
+++ b/nix/modules/configuration.nix
@@ -1,6 +1,7 @@
 { config, pkgs, lib, ... }:
 {
   imports = [
+    ./matterbridge.nix
     ./xserver.nix
     ./ssh.nix
     ./pipewire.nix
@@ -10,14 +11,14 @@
     ./cuda.nix
     ./nginx.nix
     ./git-daemon.nix
-    ./postfix.nix
-    ./dovecot.nix
     ./ollama.nix
     ./i2pd.nix
     ./gitweb.nix
     ./conduit.nix
     ./bitcoin.nix
     ./murmur.nix
+    ./ngircd.nix
+    ./znc.nix
   ];
 
   documentation = {
@@ -315,12 +316,28 @@
 
   users.groups.nginx = lib.mkDefault {};
   users.groups.git = lib.mkDefault {};
+  users.groups.ircd = lib.mkDefault {};
+
   users.users = {
-    nginx.group = "nginx";
-    nginx.isSystemUser = lib.mkDefault true;
-    nginx.extraGroups = [
-      "acme"
-    ];
+    ngircd = {
+      isSystemUser = lib.mkDefault true;
+      extraGroups = [ "acme" "nginx" ];
+    };
+
+    ircd = {
+      isSystemUser = lib.mkDefault true;
+      group = "ircd";
+      home = "/home/ircd";
+    };
+    
+    nginx = {
+      group = "nginx";
+      isSystemUser = lib.mkDefault true;
+      extraGroups = [
+        "acme"
+      ];
+    };
+
     root.openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICts6+MQiMwpA+DfFQxjIN214Jn0pCw/2BDvOzPhR/H2 preston@continuity-dell"
     ];
diff --git a/nix/modules/default.nix b/nix/modules/default.nix
index 00a188b..4bd4161 100644
--- a/nix/modules/default.nix
+++ b/nix/modules/default.nix
@@ -27,6 +27,7 @@
 	    linux-manual
 	    man-pages
 	    man-pages-posix
+      iproute2
     ]);
     boot.loader.grub = lib.mkIf config.monorepo.profiles.grub.enable {
       enable = true;
diff --git a/nix/modules/home/default.nix b/nix/modules/home/default.nix
index fa18632..72fcc31 100644
--- a/nix/modules/home/default.nix
+++ b/nix/modules/home/default.nix
@@ -84,6 +84,7 @@
                     ++
                     (if config.monorepo.profiles.workstation.enable then (with pkgs; [
                       open-webui
+                      mumble
                     ]) else [])
                     ++
 					          (if config.monorepo.profiles.lang-js.enable then (with pkgs; [
diff --git a/nix/modules/home/emacs.nix b/nix/modules/home/emacs.nix
index 4358ca3..71e234c 100644
--- a/nix/modules/home/emacs.nix
+++ b/nix/modules/home/emacs.nix
@@ -3,7 +3,7 @@
   programs.emacs = 
     {
       enable = lib.mkDefault config.monorepo.profiles.graphics.enable;
-      package = pkgs.emacs29-pgtk;
+      package = pkgs.emacs30-pgtk;
       extraConfig = ''
       (setq debug-on-error t)
       (org-babel-load-file
diff --git a/nix/modules/home/mpd.nix b/nix/modules/home/mpd.nix
index 087b19a..3ab9d2d 100644
--- a/nix/modules/home/mpd.nix
+++ b/nix/modules/home/mpd.nix
@@ -24,6 +24,20 @@
         always_on       "yes" # prevent MPD from disconnecting all listeners when playback is stopped.
         tags            "yes" # httpd supports sending tags to listening streams.
       }
+audio_output {
+    type        "shout"
+    encoding    "ogg"
+    name        "my cool stream"
+    host        "localhost"
+    port        "8000"
+    mount       "/example.ogg"
+    user        "source"
+    password    "<source-password>"
+
+    bitrate     "64"
+    format      "44100:16:1"
+    description "Nullring public radio"
+}
     '';
   };
 }
diff --git a/nix/modules/icecast.nix b/nix/modules/icecast.nix
new file mode 100644
index 0000000..0cef018
--- /dev/null
+++ b/nix/modules/icecast.nix
@@ -0,0 +1,21 @@
+{ lib, config, ... }:
+{
+  services.icecast = {
+    enable = lib.mkDefault config.monorepo.profiles.server.enable;
+    listen.address = "0.0.0.0";
+    extraConfig = ''
+<mount type="default">
+  <public>0</public>
+  <intro>/stream.m3u</intro>
+  <max-listener-duration>3600</max-listener-duration>
+  <authentication type="url">
+    <option name="mount_add" value="http://auth.example.org/stream_start.php"/>
+  </authentication>
+  <http-headers>
+    <header name="foo" value="bar" />
+  </http-headers>
+</mount>
+'';
+  };
+  admin.password = "changeme";
+}
diff --git a/nix/modules/inspircd.nix b/nix/modules/inspircd.nix
new file mode 100644
index 0000000..bf3e9ba
--- /dev/null
+++ b/nix/modules/inspircd.nix
@@ -0,0 +1,539 @@
+{ lib, config, ... }:
+{
+  services.inspircd = {
+    enable = lib.mkDefault config.monorepo.profiles.server.enable;
+    modules = [ "ssl_openssl" ];
+    config = ''
+<server name="nullring.xyz"
+        description="Nullring IRC Instance"
+        network="NullRing">
+
+<admin
+       name="Preston Pan"
+       nick="prestonp"
+       email="ret2pop@gmail.com">
+
+<bind
+      address="0.0.0.0"
+      port="6697"
+      type="clients"
+      ssl="openssl">
+
+<module name="ssl_openssl">
+<openssl certfile="/var/lib/acme/fullchain.pem" keyfile="/var/lib/acme/key.pem">
+
+<power
+       # hash: what hash these passwords are hashed with.
+       # Requires the module for selected hash (m_md5.so, m_sha256.so
+       # or m_ripemd160.so) be loaded and the password hashing module
+       # (m_password_hash.so) loaded.
+       # Options here are: "md5", "sha256" and "ripemd160", or one of
+       # these prefixed with "hmac-", e.g.: "hmac-sha256".
+       # Optional, but recommended. Create hashed passwords with:
+       # /mkpasswd <hash> <password>
+       #hash="sha256"
+
+       # diepass: Password for opers to use if they need to shutdown (die)
+       # a server.
+       diepass=""
+
+       # restartpass: Password for opers to use if they need to restart
+       # a server.
+       restartpass="">
+
+<connect
+         # name: Name to use for this connect block. Mainly used for
+         # connect class inheriting.
+         name="main"
+
+         # allow: What IP addresses/hosts to allow for this block.
+         allow="*"
+
+         # maxchans: Maximum number of channels a user in this class
+         # be in at one time. This overrides every other maxchans setting.
+         #maxchans="30"
+
+         # timeout: How long (in seconds) the server will wait before
+         # disconnecting a user if they do not do anything on connect.
+         # (Note, this is a client-side thing, if the client does not
+         # send /nick, /user or /pass)
+         timeout="10"
+
+         # pingfreq: How often (in seconds) the server tries to ping connecting clients.
+         pingfreq="120"
+
+         # hardsendq: maximum amount of data allowed in a client's send queue
+         # before they are dropped. Keep this value higher than the length of
+         # your network's /LIST or /WHO output, or you will have lots of
+         # disconnects from sendq overruns!
+         # Setting this to "1M" is equivalent to "1048576", "8K" is 8192, etc.
+         hardsendq="1M"
+
+         # softsendq: amount of data in a client's send queue before the server
+         # begins delaying their commands in order to allow the sendq to drain
+         softsendq="8192"
+
+         # recvq: amount of data allowed in a client's queue before they are dropped.
+         # Entering "8K" is equivalent to "8192", see above.
+         recvq="8K"
+
+         # threshold: This specifies the amount of command penalty a user is allowed to have
+         # before being quit or fakelagged due to flood. Normal commands have a penalty of 1,
+         # ones such as /OPER have penalties up to 10.
+         #
+         # If you are not using fakelag, this should be at least 20 to avoid excess flood kills
+         # from processing some commands.
+         threshold="10"
+
+         # commandrate: This specifies the maximum rate that commands can be processed.
+         # If commands are sent more rapidly, the user's penalty will increase and they will
+         # either be fakelagged or killed when they reach the threshold
+         #
+         # Units are millicommands per second, so 1000 means one line per second.
+         commandrate="1000"
+
+         # fakelag: Use fakelag instead of killing users for excessive flood
+         #
+         # Fake lag stops command processing for a user when a flood is detected rather than
+         # immediately killing them; their commands are held in the recvq and processed later
+         # as the user's command penalty drops. Note that if this is enabled, flooders will
+         # quit with "RecvQ exceeded" rather than "Excess Flood".
+         fakelag="on"
+
+         # localmax: Maximum local connections per IP.
+         
+		 localmax="200"
+
+         # globalmax: Maximum global (network-wide) connections per IP.
+         
+		 globalmax="200"
+
+         # useident: Defines if users in this class must respond to a ident query or not.
+         useident="no"
+
+         # limit: How many users are allowed in this class
+         limit="5000"
+
+         # modes: Usermodes that are set on users in this block on connect.
+         # Enabling this option requires that the m_conn_umodes module be loaded.
+         # This entry is highly recommended to use for/with IP Cloaking/masking.
+         # For the example to work, this also requires that the m_cloaking
+         # module be loaded as well.
+         modes="+x">
+
+
+#-#-#-#-#-#-#-#-#-#-#-#-  CIDR CONFIGURATION   -#-#-#-#-#-#-#-#-#-#-#-
+#                                                                     #
+# CIDR configuration allows detection of clones and applying of       #
+# throttle limits across a CIDR range. (A CIDR range is a group of    #
+# IPs, for example, the CIDR range 192.168.1.0-192.168.1.255 may be   #
+# represented as 192.168.1.0/24). This means that abuse across an ISP #
+# is detected and curtailed much easier. Here is a good chart that    #
+# shows how many IPs the different CIDRs correspond to:               #
+# http://en.wikipedia.org/wiki/CIDR#Prefix_aggregation                #
+#                                                                     #
+
+<cidr
+      # ipv4clone: specifies how many bits of an IP address should be
+      # looked at for clones. The default only looks for clones on a
+      # single IP address of a user. You do not want to set this
+      # extremely low. (Values are 0-32).
+      ipv4clone="32"
+
+      # ipv6clone: specifies how many bits of an IP address should be
+      # looked at for clones. The default only looks for clones on a
+      # single IP address of a user. You do not want to set this
+      # extremely low. (Values are 0-128).
+      ipv6clone="128">
+
+<channels
+          # users: Maximum number of channels a user can be in at once.
+          users="20"
+
+          # opers: Maximum number of channels an oper can be in at once.
+          opers="60">
+
+#-#-#-#-#-#-#-#-#-#-#-#-#-#-# DNS SERVER -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
+# If these values are not defined, InspIRCd uses the default DNS resolver
+# of your system.
+
+<dns
+     # server: DNS server to use to attempt to resolve IP's to hostnames.
+     # in most cases, you won't need to change this, as inspircd will
+     # automatically detect the nameserver depending on /etc/resolv.conf
+     # (or, on Windows, your set nameservers in the registry.)
+     # Note that this must be an IP address and not a hostname, because
+     # there is no resolver to resolve the name until this is defined!
+     #
+     # server="127.0.0.1"
+
+     # timeout: seconds to wait to try to resolve DNS/hostname.
+     timeout="5">
+
+# An example of using an IPv6 nameserver
+#<dns server="::1" timeout="5">
+
+#-#-#-#-#-#-#-#-#-#-#-#-#-#-#  PID FILE  -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
+#                                                                     #
+# Define the path to the PID file here. The PID file can be used to   #
+# rehash the ircd from the shell or to terminate the ircd from the    #
+# shell using shell scripts, perl scripts, etc... and to monitor the  #
+# ircd's state via cron jobs. If this is a relative path, it will be  #
+# relative to the configuration directory, and if it is not defined,  #
+# the default of 'inspircd.pid' is used.                              #
+#                                                                     #
+
+#<pid file="/path/to/inspircd.pid">
+
+#-#-#-#-#-#-#-#-#-#-#-#-#- BANLIST LIMITS #-#-#-#-#-#-#-#-#-#-#-#-#-#-#
+#                                                                     #
+# Use these tags to customise the ban limits on a per channel basis.  #
+# The tags are read from top to bottom, and any tag found which       #
+# matches the channels name applies the banlimit to that channel.     #
+# It is advisable to put an entry with the channel as '*' at the      #
+# bottom of the list. If none are specified or no maxbans tag is      #
+# matched, the banlist size defaults to 64 entries.                   #
+#                                                                     #
+
+<banlist chan="#largechan" limit="128">
+<banlist chan="*" limit="69">
+
+#-#-#-#-#-#-#-#-#-#-#-  DISABLED FEATURES  -#-#-#-#-#-#-#-#-#-#-#-#-#-#
+#                                                                     #
+# This tag is optional, and specifies one or more features which are  #
+# not available to non-operators.                                     #
+#                                                                     #
+# For example you may wish to disable NICK and prevent non-opers from #
+# changing their nicknames.                                           #
+# Note that any disabled commands take effect only after the user has #
+# 'registered' (e.g. after the initial USER/NICK/PASS on connection)  #
+# so for example disabling NICK will not cripple your network.        #
+#                                                                     #
+# You can also define if you want to disable any channelmodes         #
+# or usermodes from your users.                                       #
+#                                                                     #
+# `fakenonexistant' will make the ircd pretend that nonexistant       #
+# commands simply don't exist to non-opers ("no such command").       #
+#                                                                     #
+#<disabled commands="TOPIC MODE" usermodes="" chanmodes="" fakenonexistant="yes">
+
+
+#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-  RTFM LINE  -#-#-#-#-#-#-#-#-#-#-#-#-#-#
+#                                                                     #
+#   Just remove this... Its here to make you read ALL of the config   #
+#   file options ;)                                                   #
+
+#<die value="You should probably edit your config *PROPERLY* and try again.">
+
+
+
+#-#-#-#-#-#-#-#-#-#-#-#-#-  SERVER OPTIONS   -#-#-#-#-#-#-#-#-#-#-#-#-#
+#                                                                     #
+#   Settings to define which features are usable on your server.      #
+#                                                                     #
+
+<options
+         # prefixquit: What (if anything) users' quit messages
+         # should be prefixed with.
+         prefixquit="Quit: "
+
+         # suffixquit: What (if anything) users' quit messages
+         # should be suffixed with.
+         suffixquit=""
+
+         # prefixpart: What (if anything) users' part messages
+         # should be prefixed with.
+         prefixpart="&quot;"
+         # NOTE: Use "\"" instead of "&quot;" if not using <config format="xml">
+
+         # suffixpart: What (if anything) users' part message
+         # should be suffixed with.
+         suffixpart="&quot;"
+
+         # fixedquit: Set all users' quit messages to this value.
+         #fixedquit=""
+
+         # fixedpart: Set all users' part messages in all channels
+         # to this value.
+         #fixedpart=""
+
+         # syntaxhints: If enabled, if a user fails to send the correct parameters
+         # for a command, the ircd will give back some help text of what
+         # the correct parameters are.
+         syntaxhints="no"
+
+         # cyclehosts: If enabled, when a user gets a host set, it will cycle
+         # them in all their channels. If not, it will simply change their host
+         # without cycling them.
+         cyclehosts="yes"
+
+         # cyclehostsfromuser: If enabled, the source of the mode change for
+         # cyclehosts will be the user who cycled. This can look nicer, but
+         # triggers anti-takeover mechanisms of some obsolete bots.
+         cyclehostsfromuser="no"
+
+         # ircumsgprefix: Use undernet-style message prefixing for NOTICE and
+         # PRIVMSG. If enabled, it will add users' prefix to the line, if not,
+         # it will just message the user normally.
+         ircumsgprefix="no"
+
+         # announcets: If set to yes, when the timestamp on a channel changes, all users
+         # in the channel will be sent a NOTICE about it.
+         announcets="yes"
+
+         # allowmismatch: Setting this option to yes will allow servers to link even
+         # if they don't have the same "optionally common" modules loaded. Setting this to
+         # yes may introduce some desyncs and unwanted behaviour.
+         allowmismatch="no"
+
+         # defaultbind: Sets the default for <bind> tags without an address. Choices are
+         # ipv4 or ipv6; if not specified, IPv6 will be used if your system has support,
+         # falling back to IPv4 otherwise.
+         defaultbind="auto"
+
+         # hostintopic: If enabled, channels will show the host of the topic setter
+         # in the topic. If set to no, it will only show the nick of the topic setter.
+         hostintopic="yes"
+
+         # pingwarning: If a server does not respond to a ping within x seconds,
+         # it will send a notice to opers with snomask +l informing that the server
+         # is about to ping timeout.
+         pingwarning="15"
+
+         # serverpingfreq: How often pings are sent between servers (in seconds).
+         serverpingfreq="60"
+
+         # defaultmodes: What modes are set on a empty channel when a user
+         # joins it and it is unregistered.
+         defaultmodes="nt"
+
+         # moronbanner: This is the text that is sent to a user when they are
+         # banned from the server.
+         moronbanner="You're banned! Email abuse@example.com with the ERROR line below for help."
+
+         # exemptchanops: exemptions for channel access restrictions based on prefix.
+         exemptchanops="nonick:v flood:o"
+
+         # invitebypassmodes: This allows /invite to bypass other channel modes.
+         # (Such as +k, +j, +l, etc.)
+         invitebypassmodes="yes"
+
+         # nosnoticestack: This prevents snotices from 'stacking' and giving you
+         # the message saying '(last message repeated X times)'. Defaults to no.
+         nosnoticestack="no"
+
+         # welcomenotice: When turned on, this sends a NOTICE to connecting users
+         # with the text Welcome to <networkname>! after successful registration.
+         # Defaults to yes.
+         welcomenotice="yes">
+
+
+#-#-#-#-#-#-#-#-#-#-#-# PERFORMANCE CONFIGURATION #-#-#-#-#-#-#-#-#-#-#
+#                                                                     #
+
+<performance
+             # netbuffersize: Size of the buffer used to receive data from clients.
+             # The ircd may only read this amount of text in 1 go at any time.
+             netbuffersize="10240"
+
+             # somaxconn: The maximum number of connections that may be waiting
+             # in the accept queue. This is *NOT* the total maximum number of
+             # connections per server. Some systems may only allow this to be up
+             # to 5, while others (such as Linux and *BSD) default to 128.
+             somaxconn="128"
+
+             # limitsomaxconn: By default, somaxconn (see above) is limited to a
+             # safe maximum value in the 2.0 branch for compatibility reasons.
+             # This setting can be used to disable this limit, forcing InspIRCd
+             # to use the value specified above.
+             limitsomaxconn="true"
+
+             # softlimit: This optional feature allows a defined softlimit for
+             # connections. If defined, it sets a soft max connections value.
+             softlimit="12800"
+
+             # quietbursts: When syncing or splitting from a network, a server
+             # can generate a lot of connect and quit messages to opers with
+             # +C and +Q snomasks. Setting this to yes squelches those messages,
+             # which makes it easier for opers, but degrades the functionality of
+             # bots like BOPM during netsplits.
+             quietbursts="yes"
+
+             # nouserdns: If enabled, no DNS lookups will be performed on
+             # connecting users. This can save a lot of resources on very busy servers.
+             nouserdns="no">
+
+#-#-#-#-#-#-#-#-#-#-#-# SECURITY CONFIGURATION  #-#-#-#-#-#-#-#-#-#-#-#
+#                                                                     #
+
+<security
+
+          # announceinvites: This option controls which members of the channel
+          # receive an announcement when someone is INVITEd. Available values:
+          # 'none' - don't send invite announcements
+          # 'all' - send invite announcements to all members
+          # 'ops' - send invite announcements to ops and higher ranked users
+          # 'dynamic' - send invite announcements to halfops (if available) and
+          #             higher ranked users. This is the recommended setting.
+          announceinvites="dynamic"
+
+          # hidemodes: If enabled, then the listmodes given will be hidden
+          # from users below halfop. This is not recommended to be set on +b
+          # as it may break some functionality in popular clients such as mIRC.
+          hidemodes="eI"
+
+          # hideulines: If this value is set to yes, U-lined servers will
+          # be hidden from non-opers in /links and /map.
+          hideulines="no"
+
+          # flatlinks: If this value is set to yes, /map and /links will
+          # be flattened when shown to non-opers.
+          flatlinks="no"
+
+          # hidewhois: When defined, the given text will be used in place
+          # of the server a user is on when whoised by a non-oper. Most
+          # networks will want to set this to something like "*.netname.net"
+          # to conceal the actual server a user is on.
+          # Note that enabling this will cause users' idle times to only be
+          # shown when the format /WHOIS <nick> <nick> is used.
+          hidewhois=""
+
+          # hidebans: If this value is set to yes, when a user is banned ([gkz]lined)
+          # only opers will see the ban message when the user is removed
+          # from the server.
+          hidebans="no"
+
+          # hidekills: If defined, replaces who set a /kill with a custom string.
+          hidekills=""
+
+          # hideulinekills: Hide kills from clients of ulined servers from server notices.
+          hideulinekills="yes"
+
+          # hidesplits: If enabled, non-opers will not be able to see which
+          # servers split in a netsplit, they will only be able to see that one
+          # occurred (If their client has netsplit detection).
+          hidesplits="no"
+
+          # maxtargets: Maximum number of targets per command.
+          # (Commands like /notice, /privmsg, /kick, etc)
+          maxtargets="20"
+
+          # customversion: Displays a custom string when a user /version's
+          # the ircd. This may be set for security reasons or vanity reasons.
+          customversion=""
+
+          # operspywhois: show opers (users/auspex) the +s channels a user is in. Values:
+          #  splitmsg  Split with an explanatory message
+          #  yes       Split with no explanatory message
+          #  no        Do not show
+          operspywhois="no"
+
+          # runasuser: If this is set, InspIRCd will attempt to switch
+          # to run as this user, which allows binding of ports under 1024.
+          # You should NOT set this unless you are starting as root.
+          # NOT SUPPORTED/NEEDED UNDER WINDOWS.
+          #runasuser=""
+
+          # runasgroup: If this is set, InspIRCd will attempt to switch
+          # to run as this group, which allows binding of ports under 1024.
+          # You should NOT set this unless you are starting as root.
+          # NOT SUPPORTED/NEEDED UNDER WINDOWS.
+          #runasgroup=""
+
+          # restrictbannedusers: If this is set to yes, InspIRCd will not allow users
+          # banned on a channel to change nickname or message channels they are
+          # banned on.
+          restrictbannedusers="yes"
+
+          # genericoper: Setting this value to yes makes all opers on this server
+          # appear as 'is an IRC operator' in their WHOIS, regardless of their
+          # oper type, however oper types are still used internally. This only
+          # affects the display in WHOIS.
+          genericoper="no"
+
+          # userstats: /stats commands that users can run (opers can run all).
+          userstats="Pu">
+
+<limits
+        # maxnick: Maximum length of a nickname.
+        maxnick="500"
+
+        # maxchan: Maximum length of a channel name.
+        maxchan="500"
+
+        # maxmodes: Maximum number of mode changes per line.
+        maxmodes="20"
+
+        # maxident: Maximum length of a ident/username.
+        maxident="500"
+
+        # maxquit: Maximum length of a quit message.
+        maxquit="255"
+
+        # maxtopic: Maximum length of a channel topic.
+        maxtopic="307"
+
+        # maxkick: Maximum length of a kick message.
+        maxkick="255"
+
+        # maxgecos: Maximum length of a GECOS (realname).
+        maxgecos="128"
+
+        # maxaway: Maximum length of an away message.
+        maxaway="200">
+
+<log method="file" type="* -USERINPUT -USEROUTPUT" level="default" target="logs/ircd.log">
+
+#-#-#-#-#-#-#-#-#-#-#-#-#-  WHOWAS OPTIONS   -#-#-#-#-#-#-#-#-#-#-#-#-#
+#                                                                     #
+# This tag lets you define the behaviour of the /whowas command of    #
+# your server.                                                        #
+#                                                                     #
+
+<whowas
+        # groupsize: Maximum entries per nick shown when performing
+        # a /whowas nick.
+        groupsize="10"
+
+        # maxgroups: Maximum number of nickgroups that can be added to
+        # the list so that /whowas does not use a lot of resources on
+        # large networks.
+        maxgroups="100000"
+
+        # maxkeep: Maximum time a nick is kept in the whowas list
+        # before being pruned. Time may be specified in seconds,
+        # or in the following format: 1y2w3d4h5m6s. Minimum is
+        # 1 hour.
+        maxkeep="3d">
+
+<badnick
+         # nick: Nick to disallow. Wildcards are supported.
+         nick="ChanServ"
+
+         # reason: Reason to display on /nick.
+         reason="Reserved For Services">
+
+<badnick nick="NickServ" reason="Reserved For Services">
+<badnick nick="OperServ" reason="Reserved For Services">
+<badnick nick="MemoServ" reason="Reserved For Services">
+
+<badhost host="root@*" reason="Don't IRC as root!">
+
+<insane
+        # hostmasks: Allow bans with insane hostmasks. (over-reaching bans)
+        hostmasks="no"
+
+        # ipmasks: Allow bans with insane ipmasks. (over-reaching bans)
+        ipmasks="no"
+
+        # nickmasks: Allow bans with insane nickmasks. (over-reaching bans)
+        nickmasks="no"
+
+        # trigger: What percentage of users on the network to trigger
+        # specifying an insane ban as. The default is 95.5%, which means
+        # if you have a 1000 user network, a ban will not be allowed if it
+        # will be banning 955 or more users.
+        trigger="95.5">
+'';
+  };
+}
diff --git a/nix/modules/ircd.nix b/nix/modules/ircd.nix
new file mode 100644
index 0000000..ee4eb75
--- /dev/null
+++ b/nix/modules/ircd.nix
@@ -0,0 +1,12 @@
+{ lib, config, ... }:
+{
+  services.ircdHybrid = {
+    enable = lib.mkDefault config.monorepo.profiles.server.enable;
+    extraIPs = [ "0.0.0.0" ];
+    extraPort = "6697";
+    adminEmail = "ret2pop@gmail.com";
+    description = "NullRing IRC instance";
+    serverName = "nullring.xyz";
+    certificate = "/var/lib/acme/nullring.xyz/cert.pem";
+  };
+}
diff --git a/nix/modules/maddy.nix b/nix/modules/maddy.nix
new file mode 100644
index 0000000..158b6b5
--- /dev/null
+++ b/nix/modules/maddy.nix
@@ -0,0 +1,18 @@
+{ lib, config, options, ... }:
+{
+  services.maddy = {
+    enable = lib.mkDefault config.monorepo.profiles.server.enable;
+    openFirewall = true;
+    primaryDomain = "ret2pop.net";
+    tls = {
+      loader = "acme";
+    };
+    config = builtins.replaceStrings [
+      "imap tcp://0.0.0.0:143"
+      "submission tcp://0.0.0.0:587"
+    ] [
+      "imap tls://0.0.0.0:993 tcp://0.0.0.0:143"
+      "submission tls://0.0.0.0:465 tcp://0.0.0.0:587"
+    ] options.services.maddy.config.default;
+  };
+}
diff --git a/nix/modules/matterbridge.nix b/nix/modules/matterbridge.nix
new file mode 100644
index 0000000..567e2b7
--- /dev/null
+++ b/nix/modules/matterbridge.nix
@@ -0,0 +1,7 @@
+{ lib, config, ... }:
+{
+  services.matterbridge = {
+    enable = lib.mkDefault config.monorepo.profiles.server.enable;
+    configPath = "/etc/matterbridge.toml";
+  };
+}
diff --git a/nix/modules/murmur.nix b/nix/modules/murmur.nix
index 463ee1d..7595520 100644
--- a/nix/modules/murmur.nix
+++ b/nix/modules/murmur.nix
@@ -4,9 +4,11 @@
     enable = lib.mkDefault config.monorepo.profiles.server.enable;
     logFile = "/var/log/murmur.log";
     openFirewall = true;
-    hostName = "talk.nullring.xyz";
+    hostName = "0.0.0.0";
     welcometext = "Wecome to the Null Murmur instance!";
     registerName = "nullring";
-    registerHostname = "talk.nullring.xyz";
+    registerHostname = "nullring.xyz";
+    sslCert = "/var/lib/acme/nullring.xyz/fullchain.pem";
+    sslKey = "/var/lib/acme/nullring.xyz/sslKey.pem";
   };
 }
diff --git a/nix/modules/nginx.nix b/nix/modules/nginx.nix
index e603759..bb87fce 100644
--- a/nix/modules/nginx.nix
+++ b/nix/modules/nginx.nix
@@ -8,10 +8,6 @@
     recommendedOptimisation = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
-
-    # Only allow PFS-enabled ciphers with AES256
-    # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
-
     appendHttpConfig = '''';
 
     gitweb = {
@@ -64,6 +60,20 @@
 	      addSSL = true;
 	      enableACME = true;
 	    };
+
+      "nullring.xyz" = {
+        serverName = "nullring.xyz";
+        root = "/var/www/nullring/";
+        addSSL = true;
+        enableACME = true;
+      };
+
+      "mail.${config.monorepo.vars.remoteHost}" = {
+        serverName = "mail.${config.monorepo.vars.remoteHost}";
+        root = "/var/www/dummy";
+        addSSL = true;
+        enableACME = true;
+      };
     };
   };
 }
diff --git a/nix/modules/ngircd.nix b/nix/modules/ngircd.nix
new file mode 100644
index 0000000..0900017
--- /dev/null
+++ b/nix/modules/ngircd.nix
@@ -0,0 +1,28 @@
+{ lib, config, ... }:
+{
+  services.ngircd = {
+    enable = lib.mkDefault config.monorepo.profiles.server.enable;
+    config = ''
+[Global]
+	Name = nullring.xyz
+	Info = NullRing IRC Instance
+  Listen = 0.0.0.0
+  MotdFile = /etc/motd.txt
+	Network = NullRing
+	Ports = 6667
+[Options]
+	PAM = no
+[SSL]
+	CertFile = /var/lib/acme/nullring.xyz/fullchain.pem
+	CipherList = HIGH:!aNULL:@STRENGTH:!SSLv3
+	KeyFile = /var/lib/acme/nullring.xyz/key.pem
+	Ports = 6697
+'';
+  };
+  environment.etc."motd.txt" = {
+    source = ../data/motd.txt;
+    mode = "644";
+    user = "ngircd";
+    group = "ngircd";
+  };
+}
diff --git a/nix/modules/secrets.nix b/nix/modules/secrets.nix
index f157e3e..2f8defc 100644
--- a/nix/modules/secrets.nix
+++ b/nix/modules/secrets.nix
@@ -5,7 +5,6 @@
     age = {
       keyFile = "/home/${config.monorepo.vars.userName}/.ssh/keys.txt";
     };
-
     secrets = {
       mail = {
         format = "yaml";
diff --git a/nix/modules/znc.nix b/nix/modules/znc.nix
new file mode 100644
index 0000000..c2e2079
--- /dev/null
+++ b/nix/modules/znc.nix
@@ -0,0 +1,31 @@
+{ lib, config, ... }:
+{
+  services.znc = {
+    enable = lib.mkDefault config.monorepo.profiles.server.enable;
+    openFirewall = true;
+    confOptions = {
+      useSSL = true;
+      passBlock = ''
+<Pass password>
+  Method = sha256
+  Hash = d4abdd69aa24de69693885c5bd83a4a0e9ee989e1a69a905041b0dad9abc06ea
+  Salt = sDY,?H5AxC-!gH3a.:)D
+</Pass>
+'';
+      modules = [
+        "partyline"
+        "webadmin"
+        "adminlog"
+        "log"
+      ];
+      networks = {
+        "libera" = {
+          server = "irc.libera.chat";
+          port = 6697;
+          useSSL = true;
+          modules = [ "simple_away" ];
+        };
+      };
+    };
+  };
+}
diff --git a/nix/secrets/secrets.yaml b/nix/secrets/secrets.yaml
index 0513f7c..7dbdbe5 100644
--- a/nix/secrets/secrets.yaml
+++ b/nix/secrets/secrets.yaml
@@ -1,8 +1,9 @@
-hello: ENC[AES256_GCM,data:SyGz4JsQGWYBSsn59/iy2jtF5LxcLqvuYlJa9Ng30TYHZLjGHLFnFLCN8H1JLg==,iv:DAtgeXT/nnNDGfayt7GrzDI527CawbF7sLAbw6A5bYs=,tag:zQyCdvFekQW3fhsqzV51Fw==,type:str]
 mail: ENC[AES256_GCM,data:IFJnuVbshByUh5S3HoSnX5AyOg==,iv:gF0JlnBGAMLduMIG/hZtssdkHVL9/RDmDwBw/WoMDwQ=,tag:adDgcz/VrAN6/kfYTKa5XA==,type:str]
 digikey: ENC[AES256_GCM,data:U1c2HYB/YjwlyHvD3XVTqWJdb9/8BeS6,iv:DNsBoaqgUPdfO9knQLCMeJVO8kctQ9XNvcY2xcpI0NM=,tag:kuJ9BYqVx0GeTBSW5EsItg==,type:str]
 cloudflare-dns: ENC[AES256_GCM,data:Gztc/M+r/eRO2DwyLxlIBxS7B7MpOXimbFkQwlYhq9SzGG/fLl6Xqw==,iv:aDyNwbc8EyrNyhucULUkeg7VM7BmqNQTndSTh1SWqq0=,tag:HvysjKquD1g2PCrCgX2swg==,type:str]
 dn42: ENC[AES256_GCM,data:xSYssg7ReFjmf7LvmqmH/A==,iv:Gj/LZrxzRJLOLbP5rumjmViYWP6ufW3ocngektBW3V8=,tag:SA4f1vAnMFUO5Yk6NTr81Q==,type:str]
+znc: ENC[AES256_GCM,data:EYB9Gk/oZgU=,iv:zxtAFRKGPhfeanhOP6YiXQujWny6XGFvf2op2NNlo78=,tag:jxGNirhEbyYrZ+S3ZjssxA==,type:str]
+matrix_bridge: ENC[AES256_GCM,data:wkfUpMvpoktkUaFr2BopCRo=,iv:gMdF+nnyl9XeJhGvAUKcfK5mvLytt8DvcPLgxMUtOlg=,tag:v06PRV6rM+4a1E3iW3vjnQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -18,8 +19,8 @@ sops:
             OFFNeEtOTk5FSm9RaDFad0UyeWZ2WDgKIwGoB4a5WAIkE93gzqdUzNlo5vgQ1zLy
             yhEFrE1NbhyItnZIg/yRhqFG0dv7D3pEP3pq2Seew6pKJg/s9UTJ8Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-02T12:09:49Z"
-    mac: ENC[AES256_GCM,data:Uk29XBkAVIMiAsVfQ4sMhVE8QKdTFWB1jYCnn7WmjumB9o4GPlNZAIlAn43Ja456/SkGlxaZm7HlqPRD8Rgzu1HdudHHhDgRoO7IDzc/Lu+ick7eR5BtnmotNQLe3vPVwmc8l8O2px5x3xMoYtzhbm5H6Om6s3AeI50hGBdK0EQ=,iv:PQD2APLPY6IiAes76QF1t5YL1ZW4vlnU28XR4D3XfnY=,tag:bZp0wh3+EkByGQ2kIO5BWw==,type:str]
+    lastmodified: "2025-03-19T06:34:16Z"
+    mac: ENC[AES256_GCM,data:5pXwLkFf9N1uafukgPkYpMC5JywdkhCYwH+JCMlCkjGlJedtGagbiqsvceLDD4yo01h9v0KovN4kPS6qrkdTYxOBPkkoTpZzwE6/pGMCRL9tizF2Zi2LmKUsS5uyFQf9KvFkon6bdf9+z/mavnhBhrZSSBSkJiJeQpjkjRJGuVQ=,iv:E+epnNJi/g9MkwxQtcEctC+JKJXkcJvuuFjHGiLbvg4=,tag:50CSytg3EDPDxhrFQjcmeQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.4
diff --git a/nix/systems/spontaneity/default.nix b/nix/systems/spontaneity/default.nix
index bb5a92b..b023414 100644
--- a/nix/systems/spontaneity/default.nix
+++ b/nix/systems/spontaneity/default.nix
@@ -19,7 +19,11 @@
       firewall.allowedTCPPorts = [
         80
         443
+        465
+        993
         8448
+        6697
+        6667
       ];
       domains = {
         enable = true;
@@ -29,26 +33,19 @@
             aaaa.data = "2001:19f0:5401:10d0:5400:5ff:fe4a:7794";
           };
           "nullring.xyz" = {
-            a.data = "144.202.92.209";
-            aaaa.data = "2001:19f0:8000:1c38:5400:04ff:fecf:58cd";
+            a.data = "66.42.84.130";
+            aaaa.data = "2001:19f0:5401:10d0:5400:5ff:fe4a:7794";
           };
         };
         subDomains = {
           "${config.monorepo.vars.remoteHost}" = {};
           "matrix.${config.monorepo.vars.remoteHost}" = {};
           "www.${config.monorepo.vars.remoteHost}" = {};
+          "mail.${config.monorepo.vars.remoteHost}" = {};
 
           "nullring.xyz" = {};
-          "git.nullring.xyz" = {};
-          "social.nullring.xyz" = {};
-          "talk.nullring.xyz" = {
-            a.data = "66.42.84.130";
-            aaaa.data = "2001:19f0:5401:10d0:5400:5ff:fe4a:7794";
-          };
-          "ret2pop.nullring.xyz" = {
-            a.data = "66.42.84.130";
-            aaaa.data = "2001:19f0:5401:10d0:5400:5ff:fe4a:7794";
-          };
+          "talk.nullring.xyz" = {};
+          "ret2pop.nullring.xyz" = {};
         };
       };
     };
-- 
cgit v1.3