Merge branch 'main' into etebase

30 files changed, 805 insertions, 33 deletions

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 41fb768..a90b456 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,174 @@
 All notable changes to this project will be documented in this file. See [conventional commits](https://www.conventionalcommits.org/) for commit guidelines.
 
 - - -
+## v0.15.0 - 2023-10-13
+#### Bug Fixes
+- **(system/services/mastodon)** remove unneccessary stringcasts - (cfdd2e3) - sils
+- **(system/services/mastodon)** change string to list of string - (478437b) - sils
+- **(system/services/mastodon)** add nginx to group 'mastodon' - (1ddfb65) - sils
+- **(system/services/mastodon)** allow registration only with vhack.eu/sils.li mail - (bd82494) - sils
+- **(system/services/mastodon)** separate domains for user handles and webinterface - (cb49aa5) - sils
+- **(system/services/mastodon)** correct age secret path - (b8f786b) - sils
+#### Build system
+- **(flake)** update - (d4fbb49) - sils
+#### Features
+- **(system/services)** actually import mastodon - (927fc16) - sils
+- **(treewide)** add mastodon - (631e9c0) - sils
+
+- - -
+
+## v0.14.0 - 2023-10-11
+#### Features
+- **(system/services/nix)** add wheel group to trusted-users - (52ae495) - sils
+
+- - -
+
+## v0.13.0 - 2023-10-03
+#### Bug Fixes
+- **(system/services/murmur)** Allow murmur's user to read certs - (c154fa3) - Soispha
+#### Features
+- **(system/services/murmur)** Initialize - (a3c3166) - Soispha
+#### Miscellaneous Chores
+- **(version)** v0.12.0 - (5b1220b) - Soispha
+
+- - -
+
+## v0.12.0 - 2023-10-03
+#### Bug Fixes
+- **(system/services/murmur)** Allow murmur's user to read certs - (c37bf3d) - Soispha
+#### Build system
+- **(flake)** update - (f3eeef8) - sils
+#### Features
+- **(system/services/murmur)** Init - (beb53b0) - Soispha
+
+- - -
+
+## v0.11.0 - 2023-10-03
+#### Bug Fixes
+- **(system/services/miniflux)** Reduce password length - (ca1e354) - Soispha
+- **(system/services/miniflux)** Correctly specify secret path - (b4944b1) - Soispha
+#### Features
+- **(system/services/miniflux)** Init - (932c45d) - Soispha
+
+- - -
+
+## v0.10.0 - 2023-10-02
+#### Bug Fixes
+- **(system/services/nginx)** Update hosts - (2aa1c16) - Soispha
+- **(system/services/taskserver)** Use strict certificate validation - (17f6a00) - Soispha
+- **(system/services/taskserver)** Specify domain to listen on - (18624e4) - Soispha
+#### Build system
+- **(flake)** Update - (327e8bf) - Soispha
+- **(flake)** update - (0a877a1) - sils
+- **(flake)** update - (ec43442) - sils
+- **(flake)** Update - (a4c1e69) - Soispha
+#### Features
+- **(system/services/taskserver)** Init - (cd75ff6) - Soispha
+
+- - -
+
+## v0.9.0 - 2023-08-18
+#### Bug Fixes
+- **(system)** Binary substitution for debugging - (9685791) - sils
+- **(system/secrets)** Tell (r)agenix new location of invidious hmac secret - (95b7f9d) - sils
+- **(system/secrets)** make invidious settings readable for invidious - (c31ce7f) - sils
+- **(system/secrets/invidious)** Change formatting of invidiousSettings - (38c2bb6) - sils
+- **(system/service/invidious)** Copy their script, to remove shell escape - (542bb5d) - Soispha
+- **(system/services/invidious)** Add interpreter to start script - (08eb773) - Soispha
+- **(system/services/invidious)** Force the new script option to be applied - (df87e1d) - Soispha
+- **(system/services/invidious)** Set correct access permissions on hmac - (c525e36) - Soispha
+- **(system/services/invidious)** Check tables on startup - (b39d800) - Soispha
+- **(system/services/invidious)** Quote attr names in json config - (b6d9d96) - Soispha
+- **(system/services/invidious)** Specifiy database host - (704232e) - sils
+- **(system/services/libreddit)** Don't open firewall - (f0a9852) - Soispha
+- **(system/services/libreddit)** Actually proxy services via nginx - (097d566) - Soispha
+#### Build system
+- **(flake)** Update - (46dfce2) - Soispha
+#### Features
+- **(system)** Add invidious - (3175754) - sils
+- **(system/services/libreddit)** Init - (7428d69) - Soispha
+#### Miscellaneous Chores
+- **(Changelog)** Delete branch specific changelogs - (112606a) - Soispha
+- **(Merge)** Branch 'invidious' - (e33c36f) - Soispha
+- **(version)** v0.9.0 - (74e2c16) - sils
+- **(version)** v0.8.0 - (03ce680) - Soispha
+- **(version)** v0.8.0 - (d9ac400) - Soispha
+#### Refactoring
+- **(system/secrets/invidious)** Remove unneeded files and improve names - (320cc25) - Soispha
+- **(system/secrets/secrets.nix)** Remove redundant secretlist - (e1f0250) - sils
+
+- - -
+
+## v0.9.0 - 2023-08-13
+#### Bug Fixes
+- **(system)** Binary substitution for debugging - (9685791) - sils
+- **(system/secrets)** Tell (r)agenix new location of invidious hmac secret - (95b7f9d) - sils
+- **(system/secrets)** make invidious settings readable for invidious - (c31ce7f) - sils
+- **(system/secrets/invidious)** Change formatting of invidiousSettings - (38c2bb6) - sils
+- **(system/service/invidious)** Copy their script, to remove shell escape - (542bb5d) - Soispha
+- **(system/services/invidious)** Add interpreter to start script - (08eb773) - Soispha
+- **(system/services/invidious)** Force the new script option to be applied - (df87e1d) - Soispha
+- **(system/services/invidious)** Set correct access permissions on hmac - (c525e36) - Soispha
+- **(system/services/invidious)** Check tables on startup - (b39d800) - Soispha
+- **(system/services/invidious)** Quote attr names in json config - (b6d9d96) - Soispha
+- **(system/services/invidious)** Specifiy database host - (704232e) - sils
+#### Features
+- **(system)** Add invidious - (3175754) - sils
+#### Miscellaneous Chores
+- **(Merge)** Branch 'invidious' - (e33c36f) - Soispha
+- **(version)** v0.8.0 - (03ce680) - Soispha
+- **(version)** v0.8.0 - (d9ac400) - Soispha
+#### Refactoring
+- **(system/secrets/invidious)** Remove unneeded files and improve names - (320cc25) - Soispha
+- **(system/secrets/secrets.nix)** Remove redundant secretlist - (e1f0250) - sils
+
+- - -
+## v0.8.0 - 2023-08-11
+#### Features
+- **(system/services/snapper)** Add - (1256cab) - Soispha
+
+- - -
+## v0.7.0 - 2023-08-04
+#### Bug Fixes
+- **(system/services/nix-sync)** Remove timeout on build - (dfb847a) - Soispha
+- **(system/services/nix-sync)** Rebase on pulls, to allow for force pushes - (8d9ef95) - Soispha
+- **(system/services/nix-sync)** Make the timer relative to the unit start - (18aa0c5) - Soispha
+- **(system/users)** declare nixremote as normal user - (e326476) - sils
+#### Build system
+- **(flake)** Update - (7e153ea) - Soispha
+#### Features
+- **(system/services/nginx/hosts)** Add another domain - (81bf112) - Soispha
+- **(system/users)** Add nixremote - (6e2578e) - sils
+
+- - -
+
+## v0.6.0 - 2023-07-28
+#### Bug Fixes
+- **(treewide)** Use correct function argument specification - (8350b2e) - Soispha
+#### Features
+- **(system/services/mail/users)** Add mailusers - (a3eed53) - Soispha
+#### Refactoring
+- **(system/services/nginx)** Reduce encrypted stuff to a minimum - (2b766df) - Soispha
+
+- - -
+
+## v0.5.1 - 2023-07-28
+#### Bug Fixes
+- **(system/services/mail)** Update mail users - (fe5da03) - sils
+
+- - -
+
+## v0.5.0 - 2023-07-27
+#### Bug Fixes
+- **(system/impermanence)** Keycloak was actually postgresql - (595ab5c) - Soispha
+- **(system/mail)** Add User - (8423cea) - sils
+- **(system/services/matrix/bridges/m-wa)** Use own database - (911c3a1) - Soispha
+- **(system/services/matrix/bridges/m-wa)** Correct postgresql uri - (30c0434) - Soispha
+#### Features
+- **(system/services/matrix/bridges)** Add mautrix-whatsapp bridge - (7fe499e) - Soispha
+
+- - -
+
 ## v0.4.1 - 2023-07-25
 #### Bug Fixes
 - **(system/services/mail)** Add new user - (e03e490) - sils
@@ -222,4 +390,4 @@ All notable changes to this project will be documented in this file. See [conven
 
 - - -
 
-Changelog generated by [cocogitto](https://github.com/cocogitto/cocogitto).
\ No newline at end of file
+Changelog generated by [cocogitto](https://github.com/cocogitto/cocogitto).
diff --git a/flake.lock b/flake.lock
index bc45c24..298efde 100644
--- a/flake.lock
+++ b/flake.lock
@@ -9,11 +9,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1690228878,
-        "narHash": "sha256-9Xe7JV0krp4RJC9W9W9WutZVlw6BlHTFMiUP/k48LQY=",
+        "lastModified": 1696775529,
+        "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "d8c973fd228949736dedf61b7f8cc1ece3236792",
+        "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1688772518,
-        "narHash": "sha256-ol7gZxwvgLnxNSZwFTDJJ49xVY5teaSvF7lzlo3YQfM=",
+        "lastModified": 1696384830,
+        "narHash": "sha256-j8ZsVqzmj5sOm5MW9cqwQJUZELFFwOislDmqDDEMl6k=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "8b08e96c9af8c6e3a2b69af5a7fa168750fcf88e",
+        "rev": "f2143cd27f8bd09ee4f0121336c65015a2a0a19c",
         "type": "github"
       },
       "original": {
@@ -96,11 +96,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1690278259,
-        "narHash": "sha256-0Ujy0ZD1Yg5+QDaEnk4TeYhIZ6AckRORrXLGsAEhFKE=",
+        "lastModified": 1696814493,
+        "narHash": "sha256-1qArVsJGG2RHbV2iKFpAmM5os3myvwpXMOdFy5nh54M=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "5b19fb2e74df312751cecbf0f668217eb59d9170",
+        "rev": "32ce057c183506cecb0b84950e4eaf39f37e8c75",
         "type": "github"
       },
       "original": {
@@ -112,11 +112,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
         "type": "github"
       },
       "original": {
@@ -132,11 +132,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1689068808,
-        "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
         "type": "github"
       },
       "original": {
@@ -168,11 +168,11 @@
     },
     "impermanence": {
       "locked": {
-        "lastModified": 1684264534,
-        "narHash": "sha256-K0zr+ry3FwIo3rN2U/VWAkCJSgBslBisvfRIPwMbuCQ=",
+        "lastModified": 1694622745,
+        "narHash": "sha256-z397+eDhKx9c2qNafL1xv75lC0Q4nOaFlhaU1TINqb8=",
         "owner": "nix-community",
         "repo": "impermanence",
-        "rev": "89253fb1518063556edd5e54509c30ac3089d5e6",
+        "rev": "e9643d08d0d193a2e074a19d4d90c67a874d932e",
         "type": "github"
       },
       "original": {
@@ -183,11 +183,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1690231403,
-        "narHash": "sha256-R9IcQpnzarV34znupG9Bq3PCRamswvZW0BMXLqkh5cw=",
+        "lastModified": 1696954215,
+        "narHash": "sha256-AFnALq/MZs0vRKwjGpS27maCMRcXr04lzi+BI7ZIoDw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "0108b255ea1ea0e230a664f375c8bde1644bcc18",
+        "rev": "0927ba648bbbdff18356c292edcfefbb4e1a143d",
         "type": "github"
       },
       "original": {
@@ -284,11 +284,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1690252178,
-        "narHash": "sha256-9oEz822bvbHobfCUjJLDor2BqW3I5tycIauzDlzOALY=",
+        "lastModified": 1696990596,
+        "narHash": "sha256-Yyb4o7/qNGB+oig3978ehzRrJf/zjfCOEB/g7ZF3//E=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "8d64353ca827002fb8459e44d49116c78d868eba",
+        "rev": "c6d2f0bbd56fc833a7c1973f422ca92a507d0320",
         "type": "github"
       },
       "original": {
diff --git a/notes/taskserver.md b/notes/taskserver.md
new file mode 100644
index 0000000..36aeff0
--- /dev/null
+++ b/notes/taskserver.md
@@ -0,0 +1,7 @@
+# User export
+Use
+```bash
+nixos-taskserver user export my-company alice
+# or via ssh
+ssh $server nixos-taskserver user export my-company alice #| sh
+```
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix
index 0d3bd82..3c923d8 100644
--- a/system/impermanence/default.nix
+++ b/system/impermanence/default.nix
@@ -3,12 +3,16 @@
   imports = [
     ./mods/acme.nix
     ./mods/etebase-server.nix
-    ./mods/keycloak.nix
+    ./mods/fail2ban.nix
     ./mods/mail.nix
+    ./mods/mastodon.nix
     ./mods/matrix.nix
     ./mods/minecraft.nix
+    ./mods/murmur.nix
     ./mods/nix-sync.nix
     ./mods/openssh.nix
+    ./mods/postgresql.nix
+    ./mods/taskserver.nix
     ./mods/users.nix
   ];
 
diff --git a/system/impermanence/mods/mastodon.nix b/system/impermanence/mods/mastodon.nix
new file mode 100644
index 0000000..a5bdbfd
--- /dev/null
+++ b/system/impermanence/mods/mastodon.nix
@@ -0,0 +1,10 @@
+{...}: {
+  environment.persistence."/srv".directories = [
+    {
+      directory = "/var/lib/mastodon";
+      user = "mastodon";
+      group = "mastodon";
+      mode = "0700";
+    }
+  ];
+}
diff --git a/system/impermanence/mods/matrix.nix b/system/impermanence/mods/matrix.nix
index 7f02609..3af6530 100644
--- a/system/impermanence/mods/matrix.nix
+++ b/system/impermanence/mods/matrix.nix
@@ -6,6 +6,12 @@
       group = "matrix-synapse";
       mode = "0700";
     }
+    {
+      directory = "/var/lib/mautrix-whatsapp";
+      user = "mautrix-whatsapp";
+      group = "matrix-synapse";
+      mode = "0750";
+    }
   ];
   systemd.tmpfiles.rules = [
     "d /etc/matrix 0755 matrix-synapse matrix-synapse"
diff --git a/system/impermanence/mods/murmur.nix b/system/impermanence/mods/murmur.nix
new file mode 100644
index 0000000..48912e1
--- /dev/null
+++ b/system/impermanence/mods/murmur.nix
@@ -0,0 +1,10 @@
+{...}: {
+  environment.persistence."/srv".directories = [
+    {
+      directory = "/var/lib/murmur";
+      user = "murmur";
+      group = "murmur";
+      mode = "0700";
+    }
+  ];
+}
diff --git a/system/impermanence/mods/keycloak.nix b/system/impermanence/mods/postgresql.nix
index 63b02f5..63b02f5 100644
--- a/system/impermanence/mods/keycloak.nix
+++ b/system/impermanence/mods/postgresql.nix
diff --git a/system/impermanence/mods/taskserver.nix b/system/impermanence/mods/taskserver.nix
new file mode 100644
index 0000000..9208aa4
--- /dev/null
+++ b/system/impermanence/mods/taskserver.nix
@@ -0,0 +1,5 @@
+{...}: {
+  environment.persistence."/srv".directories = [
+    "/var/lib/taskserver"
+  ];
+}
diff --git a/system/secrets/default.nix b/system/secrets/default.nix
index dcff9ca..1e3ce84 100644
--- a/system/secrets/default.nix
+++ b/system/secrets/default.nix
@@ -18,6 +18,23 @@
         mode = "700";
         owner = "etebase-server";
         group = "etebase-server";
+      invidiousHmac = {
+        file = ./invidious/hmac.tix;
+        mode = "700";
+        owner = "root";
+        group = "root";
+      };
+      minifluxAdmin = {
+        file = ./miniflux/admin.tix;
+        mode = "700";
+        owner = "root";
+        group = "root";
+      };
+      mastodonMail = {
+        file = ./mastodon/mail.tix;
+        mode = "700";
+        owner = "mastodon";
+        group = "mastodon";
       };
     };
   };
diff --git a/system/secrets/invidious/hmac.tix b/system/secrets/invidious/hmac.tix
new file mode 100644
index 0000000..f760fa9
--- /dev/null
+++ b/system/secrets/invidious/hmac.tix
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvZGJGNzVGUWhsVTJFUGds
+dFZmVnRnY1NrVTZBWEt2eFp1YU4yM0xoOUgwClZZNDNFQlp2aEx1eHVqbE5ZU29t
+dVpMcStrMXd5WEFOaDJUVlVuUnJ4YkkKLT4gWDI1NTE5IEZSTVFhdk83RGRNWWdZ
+bmQyd0FNTWhrUUxSRjVOQjAvWSsyU1Z4OWFvVUUKdkIraVRtRW5mUnZFbVRkcDBw
+ME5NTDVkRUo1b0d1Z2xERWZnS0tMLzFhYwotPiBzc2gtZWQyNTUxOSBPRDhUNGcg
+d09jY1doam1nc3B3MEVqN0grM3JWZzFwMW5WU2ZYdGh0TUZnM0VVdzJBSQppL3Qv
+T0VDOTc1U3gyaTB6YVV4dDhEVU1OMzdlMnV2dC9zMVl1VkdkRmlBCi0+IGc/SEJa
+aDZoLWdyZWFzZSBKPW1xOFRaIE9DUCBdfl1HXVUKL0I4MTJZT1ljOXE3cUtTR0Fv
+S3E2UHcvYWxhUlU5QkdXVWZyUjU0SlcveG9GcjZZV242QXVwaDBQTjN0VldBCi0t
+LSB6S0E2SWtmaXBnRkI5aFNIOU9VWkdhOHQrQ0x0MzJ3TC9aNkpJSTY5eDkwClOc
+N6wSpWFX87Vbr+J8Sxn9O6uRbYAyNDmiJk5mDqYaqy/+PRPTx0gbmqRz911sW5Zx
+aBKfDzSPjNx0CSKKL7ioTYlRrW0YyQ==
+-----END AGE ENCRYPTED FILE-----
diff --git a/system/secrets/mastodon/mail.tix b/system/secrets/mastodon/mail.tix
new file mode 100644
index 0000000..c64a2e7
--- /dev/null
+++ b/system/secrets/mastodon/mail.tix
@@ -0,0 +1,15 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqT05Uc2hrcFAwd1c5S1o0
+L3hhQURmdUVBbmxSYVFGczdGWThTck9VdkhRCktOZ1JSamN0Ly9pVXJDMDZ4Y0VZ
+bmRyMTlaOU9HOEZ5SitzOVovUkhCNFUKLT4gWDI1NTE5IHlqUTFtODd6QXpNMFBY
+WTY2cTJ2TFI5S0ZGc1doeEVEUi9veGRDKzN5UWsKUC9WZUtXVUs5cnkxL3Y5RlJs
+RTRkNE5zQ0NtbG0vdStuZXZVUzFoeTBwNAotPiBzc2gtZWQyNTUxOSBPRDhUNGcg
+Um1qczl3YTM0S3dIb3AzQmpSNVNNUXFzMFNLNEEwQllOSUkrMHNzVy9uMApTdjhz
+U250NGNpdk5SbWhPNjhjWWM0aWovRCt0MjR3M29JSTZjLy9IbTAwCi0+IEwtZ3Jl
+YXNlIEp6KCk4by1jIF0Kd2xoKytCU3d3MGFxZmRmS2gxSDJiVFp1L3hOS2hJVEtz
+NlFHWHhnRW5SNTZRMFFFRUJrVXo2blZvNlZTSXNqeQpVbWFLUmVHN1ptWGdLMkJT
+RVJuUWxTVE4vcDhsCi0tLSA5ckxpdFhrQWErb2NkcXlWaHR6WmVndVppbjRIQ3cw
+VjAxdTlnTEdmTkVrCou6/oezocFtYn7QDWLFzknFPlD5d1xBFutng6dvazWasZXD
+qecouKvAmFFA4mQHUjbmD2QxWdorU7SyYpEPeTJ4rbOuayySkYPxUoo8gqvd7JkS
+0VCavUuSb8nmfk24E3M=
+-----END AGE ENCRYPTED FILE-----
diff --git a/system/secrets/miniflux/admin.tix b/system/secrets/miniflux/admin.tix
new file mode 100644
index 0000000..6b34ab0
--- /dev/null
+++ b/system/secrets/miniflux/admin.tix
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0ZHJ3V0E3bjVLYUd5N2gx
+eE15dlBldWt1ZGpBcGc3ZWcwMTNKSTcxR0Y0Cm03dEgxYzdhYjYvWFNNUVdtR3E1
+dW1lMlE3R3dlcUZ1Qm1GMElPQU8xYmMKLT4gWDI1NTE5IFJrc28wZzhWQ3RoeFFK
+WFlTSmVzRGMzamxrQ0NSUG9KVWxSajJsQ1BablEKS0tFb096djZOdUJIVTdaSndH
+b1ZMT3ZCZGVkaWMvU0hPSFhsMkY3RzBkNAotPiBzc2gtZWQyNTUxOSBPRDhUNGcg
+SWdGV1pSYzY3bWxadWJZeXVmTXBHeGpMTTYyak1IbE9jTjZQS3dwRXozUQo1UFlT
+am9WNzh1TytMNTFsNjM4amh0N2JDdkxjYk9GL285UWUrZHV5L3p3Ci0+IEkqMS1n
+cmVhc2UgZV4KRFlYWlRyNDFtZlJWcS9vZ1hiUkJxdE9saHpTTWQ3TitMc1N0UXBE
+eWZ5SQotLS0gRzE4bmpSTWpjUnlHUlNHTTNWSjNNL0d3VFFpVFdOaVlMUERmRHNt
+d2k3WQqd+49pa75kfJffbdCOmNvPLUN7N+d+lI4lXlPTyLWTNnM8qaVz+BAhMH40
+ri9BTHHtg4ql7bXZWXZt/CiBLUOuv+yKckm4u51vjOwyHwUjaMYF4bfXS+rChsQV
+BL+XWihQZ5wNsUh1PRHMy3mrF1XSYROa4ApK/i5Sgm271cvBMI4C4G+oux0/wvkL
+-----END AGE ENCRYPTED FILE-----
diff --git a/system/secrets/secrets.nix b/system/secrets/secrets.nix
index 9e52383..29904ab 100644
--- a/system/secrets/secrets.nix
+++ b/system/secrets/secrets.nix
@@ -13,4 +13,8 @@ in {
   "keycloak/passwd.tix".publicKeys = allSecrets;
   "matrix-synapse/passwd.tix".publicKeys = allSecrets;
   "etebase-server/passwd.tix".publicKeys = allSecrets;
+  "invidious/hmac.tix".publicKeys = allSecrets;
+  "invidious/settings.tix".publicKeys = allSecrets;
+  "miniflux/admin.tix".publicKeys = allSecrets;
+  "mastodon/mail.tix".publicKeys = allSecrets;
 }
diff --git a/system/services/default.nix b/system/services/default.nix
index 1b459f7..e269dbc 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -2,14 +2,21 @@
   imports = [
     ./etebase
     ./fail2ban
+    ./invidious
     ./keycloak
+    ./libreddit
     ./mail
+    ./mastodon
     ./matrix
     ./minecraft
+    ./miniflux
+    ./murmur
     ./nginx
     ./nix
     ./nix-sync
     ./openssh
     ./rust-motd
+    ./snapper
+    ./taskserver
   ];
 }
diff --git a/system/services/invidious/default.nix b/system/services/invidious/default.nix
new file mode 100644
index 0000000..a1d202c
--- /dev/null
+++ b/system/services/invidious/default.nix
@@ -0,0 +1,48 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  cfg = config.services.invidious;
+in {
+  services.invidious = {
+    enable = true;
+    database = {
+      createLocally = true;
+    };
+    domain = "invidious.vhack.eu";
+    nginx.enable = true;
+    extraSettingsFile = "$CREDENTIALS_DIRECTORY/hmac";
+
+    settings = {
+      check_tables = true;
+    };
+  };
+  systemd.services.invidious.serviceConfig = {
+    LoadCredential = "hmac:${config.age.secrets.invidiousHmac.path}";
+
+    ExecStart = let
+      # taken from the invidious module
+      settingsFormat = pkgs.formats.json {};
+      settingsFile = settingsFormat.generate "invidious-settings" cfg.settings;
+
+      jqFilter =
+        "."
+        + lib.optionalString (cfg.database.host != null) "[0].db.password = \"'\"'\"$(cat ${lib.escapeShellArg cfg.database.passwordFile})\"'\"'\""
+        + " | .[0]"
+        + lib.optionalString (cfg.extraSettingsFile != null) " * .[1]";
+
+      # don't escape extraSettingsFile, to allow variable substitution
+      jqFiles =
+        settingsFile
+        + lib.optionalString (cfg.extraSettingsFile != null) " \"${cfg.extraSettingsFile}\"";
+    in
+      lib.mkForce (pkgs.writeScript "start-invidious" ''
+        #! ${pkgs.dash}/bin/dash
+
+        export INVIDIOUS_CONFIG="$(${pkgs.jq}/bin/jq -s "${jqFilter}" ${jqFiles})"
+        exec ${cfg.package}/bin/invidious
+      '');
+  };
+}
diff --git a/system/services/libreddit/default.nix b/system/services/libreddit/default.nix
new file mode 100644
index 0000000..e4ab893
--- /dev/null
+++ b/system/services/libreddit/default.nix
@@ -0,0 +1,23 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  domain = "libreddit.vhack.eu";
+in {
+  services.libreddit = {
+    enable = true;
+    address = "127.0.0.1";
+    openFirewall = false;
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts.${domain} = {
+      locations."/".proxyPass = "http://127.0.0.1:${toString config.services.libreddit.port}";
+
+      enableACME = lib.mkDefault true;
+      forceSSL = lib.mkDefault true;
+    };
+  };
+}
diff --git a/system/services/mail/users.nix b/system/services/mail/users.nix
index 60f41a9..2104a8a 100644
--- a/system/services/mail/users.nix
+++ b/system/services/mail/users.nix
diff --git a/system/services/mastodon/default.nix b/system/services/mastodon/default.nix
new file mode 100644
index 0000000..39a0f56
--- /dev/null
+++ b/system/services/mastodon/default.nix
@@ -0,0 +1,54 @@
+{config, ...}: let
+  emailAddress = "mastodon@vhack.eu";
+in {
+  services.mastodon = {
+    enable = true;
+    localDomain = "vhack.eu";
+    smtp = {
+      authenticate = true;
+      createLocally = false;
+      fromAddress = emailAddress;
+      user = emailAddress;
+      host = "server1.vhack.eu";
+      passwordFile = config.age.secrets.mastodonMail.path;
+    };
+    extraConfig = {
+      WEB_DOMAIN = "mastodon.vhack.eu";
+      EMAIL_DOMAIN_ALLOWLIST = "vhack.eu|sils.li";
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true; # required for redirections to work
+    virtualHosts = {
+      ${config.services.mastodon.extraConfig.WEB_DOMAIN} = {
+        root = "${config.services.mastodon.package}/public/";
+        # mastodon only supports https, but you can override this if you offload tls elsewhere.
+        forceSSL = true;
+        enableACME = true;
+
+        locations = {
+          "/system/".alias = "/var/lib/mastodon/public-system/";
+          "/".tryFiles = "$uri @proxy";
+          "@proxy" = {
+            proxyPass = "http://unix:/run/mastodon-web/web.socket";
+            proxyWebsockets = true;
+          };
+          "/api/v1/streaming/" = {
+            proxyPass = "http://unix:/run/mastodon-streaming/streaming.socket";
+            proxyWebsockets = true;
+          };
+        };
+      };
+
+      "vhack.eu" = {
+        locations."/.well-known/webfinger".return = "301 https://${config.services.mastodon.extraConfig.WEB_DOMAIN}$request_uri";
+      };
+    };
+  };
+
+  users.groups.${config.services.mastodon.group}.members = [
+    config.services.nginx.user
+  ];
+}
diff --git a/system/services/matrix/bridges/mautrix-whatsapp.nix b/system/services/matrix/bridges/mautrix-whatsapp.nix
new file mode 100644
index 0000000..1c68af9
--- /dev/null
+++ b/system/services/matrix/bridges/mautrix-whatsapp.nix
@@ -0,0 +1,149 @@
+# TAKEN FROM: https://raw.githubusercontent.com/Vskilet/nixpkgs/mautrix-whatsapp2/nixos/modules/services/matrix/mautrix-whatsapp.nix
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.services.mautrix-whatsapp;
+  dataDir = "/var/lib/mautrix-whatsapp";
+  settingsFormat = pkgs.formats.json {};
+
+  registrationFile = "${dataDir}/whatsapp-registration.yaml";
+  settingsFile = settingsFormat.generate "config.json" cfg.settings;
+
+  startupScript = ''
+    ${pkgs.yq}/bin/yq -s '.[0].appservice.as_token = .[1].as_token
+      | .[0].appservice.hs_token = .[1].hs_token
+      | .[0]' ${settingsFile} ${registrationFile} \
+      > ${dataDir}/config.yml
+
+    ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \
+      --config='${dataDir}/config.yml' \
+      --registration='${registrationFile}'
+  '';
+in {
+  options.services.mautrix-whatsapp = {
+    enable = mkEnableOption "Mautrix-whatsapp, a puppeting bridge between Matrix and WhatsApp.";
+
+    settings = mkOption rec {
+      apply = recursiveUpdate default;
+      inherit (settingsFormat) type;
+
+      description = lib.mdDoc ''
+        {file}`config.yaml` configuration as a Nix attribute set.
+        Configuration options should match those described in
+        [example-config.yaml](https://github.com/mautrix/whatsapp/blob/master/example-config.yaml).
+      '';
+      default = {
+        homeserver = {
+          domain = config.services.matrix-synapse.settings.server_name;
+        };
+        appservice = {
+          address = "http://localhost:29318";
+          hostname = "0.0.0.0";
+          port = 29318;
+          database = {
+            type = "sqlite3";
+            uri = "${dataDir}/mautrix-whatsapp.db";
+          };
+          id = "whatsapp";
+          bot = {
+            username = "whatsappbot";
+            displayname = "WhatsApp Bot";
+          };
+          as_token = "";
+          hs_token = "";
+        };
+        bridge = {
+          username_template = "whatsapp_{{.}}";
+          displayname_template = "{{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}}";
+          command_prefix = "!wa";
+          permissions."*" = "relay";
+        };
+        relay = {
+          enabled = true;
+          management = "!whatsappbot:${toString config.services.matrix-synapse.settings.server_name}";
+        };
+        logging = {
+          directory = "${dataDir}/logs";
+          file_name_format = "{{.Date}}-{{.Index}}.log";
+          file_date_format = "2006-01-02";
+          file_mode = 0384;
+          timestamp_format = "Jan _2, 2006 15:04:05";
+          print_level = "info";
+        };
+      };
+      example = {
+        settings = {
+          homeserver.address = "https://matrix.myhomeserver.org";
+          bridge.permissions = {
+            "@admin:myhomeserver.org" = "admin";
+          };
+        };
+      };
+    };
+
+    serviceDependencies = mkOption {
+      type = with types; listOf str;
+      default = optional config.services.matrix-synapse.enable "matrix-synapse.service";
+      defaultText = literalExpression ''
+        optional config.services.matrix-synapse.enable "matrix-synapse.service"
+      '';
+      description = lib.mdDoc ''
+        List of Systemd services to require and wait for when starting the application service.
+      '';
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.mautrix-whatsapp = {
+      description = "Mautrix-WhatsApp Service - A WhatsApp bridge for Matrix";
+
+      wantedBy = ["multi-user.target"];
+      wants = ["network-online.target"] ++ cfg.serviceDependencies;
+      after = ["network-online.target"] ++ cfg.serviceDependencies;
+
+      preStart = ''
+        # generate the appservice's registration file if absent
+        if [ ! -f '${registrationFile}' ]; then
+          ${pkgs.mautrix-whatsapp}/bin/mautrix-whatsapp \
+            --generate-registration \
+            --config='${settingsFile}' \
+            --registration='${registrationFile}'
+        fi
+        chmod 640 ${registrationFile}
+      '';
+
+      script = startupScript;
+
+      serviceConfig = {
+        Type = "simple";
+        #DynamicUser = true;
+        PrivateTmp = true;
+        StateDirectory = baseNameOf dataDir;
+        WorkingDirectory = "${dataDir}";
+
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectControlGroups = true;
+        User = "mautrix-whatsapp";
+        Group = "matrix-synapse";
+        SupplementaryGroups = "matrix-synapse";
+        UMask = 0027;
+        Restart = "always";
+      };
+    };
+
+    users.groups.mautrix-whatsapp = {};
+    users.users.mautrix-whatsapp = {
+      isSystemUser = true;
+      group = "mautrix-whatsapp";
+      home = dataDir;
+    };
+    services.matrix-synapse.settings.app_service_config_files = ["${registrationFile}"];
+  };
+}
diff --git a/system/services/matrix/default.nix b/system/services/matrix/default.nix
index 62345a7..ed3b567 100644
--- a/system/services/matrix/default.nix
+++ b/system/services/matrix/default.nix
@@ -12,15 +12,27 @@
     return 200 '${builtins.toJSON data}';
   '';
 in {
+  imports = [
+    ./bridges/mautrix-whatsapp.nix
+  ];
+
   networking.firewall.allowedTCPPorts = [80 443];
 
   services.postgresql.enable = true;
   services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
+    --Matrix:
     CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
     CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
       TEMPLATE template0
       LC_COLLATE = "C"
       LC_CTYPE = "C";
+
+    --Whatsapp-bridge:
+    CREATE ROLE "mautrix-whatsapp" WITH LOGIN PASSWORD 'whatsapp';
+    CREATE DATABASE "mautrix-whatsapp" WITH OWNER "mautrix-whatsapp"
+      TEMPLATE template0
+      LC_COLLATE = "C"
+      LC_CTYPE = "C";
   '';
 
   services.nginx = {
@@ -52,6 +64,29 @@ in {
     };
   };
 
+  services.mautrix-whatsapp = {
+    enable = true;
+    settings = {
+      appservice = {
+        database = {
+          type = "postgres";
+          uri = "postgres:///mautrix-whatsapp?host=/run/postgresql";
+        };
+        whatsapp = {
+          # TODO: See https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64 for a list.
+          # This also determints the whatsapp icon
+          browser_name = "unknown";
+        };
+      };
+      homeserver.address = "https://matrix.vhack.eu";
+      bridge.permissions = {
+        "@soispha:vhack.eu" = "admin";
+        "@sils:vhack.eu" = "admin";
+        "@nightingale:vhack.eu" = "admin";
+      };
+    };
+  };
+
   services.matrix-synapse = {
     enable = true;
     dataDir = "/var/lib/matrix";
diff --git a/system/services/miniflux/default.nix b/system/services/miniflux/default.nix
new file mode 100644
index 0000000..516a9b2
--- /dev/null
+++ b/system/services/miniflux/default.nix
@@ -0,0 +1,19 @@
+{config, ...}: {
+  services.miniflux = {
+    enable = true;
+    config = {
+      LISTEN_ADDR = "127.0.0.1:5892";
+    };
+    adminCredentialsFile = config.age.secrets.minifluxAdmin.path;
+  };
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."rss.vhack.eu" = {
+      locations."/".proxyPass = "http://${config.services.miniflux.config.LISTEN_ADDR}";
+
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+}
diff --git a/system/services/murmur/default.nix b/system/services/murmur/default.nix
new file mode 100644
index 0000000..1dcd781
--- /dev/null
+++ b/system/services/murmur/default.nix
@@ -0,0 +1,41 @@
+{...}: let
+  murmurStore = "/var/lib/murmur";
+in {
+  services.murmur = {
+    enable = true;
+    openFirewall = true;
+    welcometext = ''
+      <b>You never get a second chance to make a first impression</b><br>
+
+      The entire team of [name of the company] is thrilled to welcome you on board. We hope you’ll do some amazing work here!
+    '';
+    sslKey = "${murmurStore}/key.pem";
+    sslCert = "${murmurStore}/fullchain.pem";
+
+    registerUrl = "vhack.eu";
+    registerName = "vhack";
+    registerHostname = "mumble.vhack.eu";
+    hostName = "mumble.vhack.eu";
+    clientCertRequired = true;
+    bandwidth = 7200000;
+  };
+
+  security.acme.certs.murmur = {
+    domain = "mumble.vhack.eu";
+    postRun =
+      /*
+      bash
+      */
+      ''
+        set -x
+        rm "${murmurStore}/key.pem"
+        rm "${murmurStore}/fullchain.pem"
+
+        cp key.pem "${murmurStore}";
+        cp fullchain.pem "${murmurStore}";
+
+        chown murmur:murmur "${murmurStore}/key.pem"
+        chown murmur:murmur "${murmurStore}/fullchain.pem"
+      '';
+  };
+}
diff --git a/system/services/nginx/default.nix b/system/services/nginx/default.nix
index 404c167..8544475 100644
--- a/system/services/nginx/default.nix
+++ b/system/services/nginx/default.nix
@@ -1,7 +1,33 @@
-{...}: {
-  imports = [
-    ./hosts.nix
-  ];
+{...}: let
+  domains = import ./hosts.nix {};
+  mkVirtHost = {
+    domain,
+    root,
+    url,
+  }: {
+    name = "${domain}";
+    value = {
+      forceSSL = true;
+      enableACME = true;
+      root = "${root}";
+    };
+  };
+
+  mkNixSyncRepository = {
+    domain,
+    root,
+    url,
+  }: {
+    name = "${domain}";
+    value = {
+      path = "${root}";
+      uri = "${url}";
+    };
+  };
+
+  virtHosts = builtins.listToAttrs (builtins.map mkVirtHost domains);
+  nixSyncRepositories = builtins.listToAttrs (builtins.map mkNixSyncRepository domains);
+in {
   security.acme = {
     acceptTerms = true;
     defaults = {
@@ -15,5 +41,11 @@
   };
   services.nginx = {
     enable = true;
+    virtualHosts = virtHosts;
+  };
+
+  services.nix-sync = {
+    enable = true;
+    repositories = nixSyncRepositories;
   };
 }
diff --git a/system/services/nginx/hosts.nix b/system/services/nginx/hosts.nix
index 1590756..3abd841 100644
--- a/system/services/nginx/hosts.nix
+++ b/system/services/nginx/hosts.nix
diff --git a/system/services/nix-sync/default.nix b/system/services/nix-sync/default.nix
index 44348c0..8c466b8 100644
--- a/system/services/nix-sync/default.nix
+++ b/system/services/nix-sync/default.nix
@@ -10,7 +10,7 @@
     description = "Nix sync ${name} timer";
     wantedBy = ["timers.target"];
     timerConfig = {
-      OnActiveSec = repo.interval;
+      OnUnitActiveSec = repo.interval;
     };
     after = ["network-online.target"];
   };
@@ -37,7 +37,7 @@
       branch="$(git rev-parse @)";
 
       if ! [ "$origin" = "$branch" ]; then
-        git pull;
+        git pull --rebase;
 
         out_paths=$(mktemp);
         nix build . --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths";
@@ -66,7 +66,7 @@
       if ! [ -L ${esa repo.path} ]; then
         cd ${esa repoCachePath};
 
-        git pull;
+        git pull --rebase;
 
         out_paths=$(mktemp);
         nix build . --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths";
@@ -88,6 +88,7 @@
     preStart = execStartPreScript;
 
     serviceConfig = {
+      TimeoutSec = 0;
       ExecStart = execStartScript;
       Restart = "on-abort";
       # User and group
diff --git a/system/services/nix/default.nix b/system/services/nix/default.nix
index bd562ec..ec5fe5d 100644
--- a/system/services/nix/default.nix
+++ b/system/services/nix/default.nix
@@ -13,6 +13,10 @@
     settings = {
       auto-optimise-store = true;
       experimental-features = ["nix-command" "flakes"];
+      trusted-users = [
+        "root"
+        "@wheel"
+      ];
     };
   };
 }
diff --git a/system/services/snapper/default.nix b/system/services/snapper/default.nix
new file mode 100644
index 0000000..cdebf8d
--- /dev/null
+++ b/system/services/snapper/default.nix
@@ -0,0 +1,41 @@
+{...}: {
+  services.snapper = {
+    configs = {
+      srv = {
+        SUBVOLUME = "/srv";
+        FSTYPE = "btrfs";
+        # users and groups allowed to work with config
+        ALLOW_GROUPS = ["wheel"];
+
+        # sync users and groups from ALLOW_USERS and ALLOW_GROUPS to .snapshots
+        # directory
+        SYNC_ACL = true;
+
+        # run daily number cleanup
+        NUMBER_CLEANUP = false;
+
+        # limit for number cleanup
+        NUMBER_MIN_AGE = 1800;
+        NUMBER_LIMIT = 50;
+        NUMBER_LIMIT_IMPORTANT = 10;
+
+        # create hourly snapshots
+        TIMELINE_CREATE = true;
+
+        # cleanup hourly snapshots after some time
+        TIMELINE_CLEANUP = true;
+
+        # limits for timeline cleanup
+        TIMELINE_MIN_AGE = 1800;
+        TIMELINE_LIMIT_HOURLY = 7;
+        TIMELINE_LIMIT_DAILY = 3;
+        TIMELINE_LIMIT_WEEKLY = 2;
+        TIMELINE_LIMIT_MONTHLY = 2;
+        TIMELINE_LIMIT_YEARLY = 2;
+
+        # cleanup empty pre-post-pairs
+        EMPTY_PRE_POST_CLEANUP = true;
+      };
+    };
+  };
+}
diff --git a/system/services/taskserver/default.nix b/system/services/taskserver/default.nix
new file mode 100644
index 0000000..517da5d
--- /dev/null
+++ b/system/services/taskserver/default.nix
@@ -0,0 +1,30 @@
+{...}: {
+  services.taskserver = {
+    enable = true;
+    pki.auto = {
+      expiration = {
+        server = 365;
+        crl = 365;
+        client = 365;
+        ca = 365;
+      };
+      bits = 4096;
+    };
+    organisations = {
+      vhack = {
+        users = [
+          "soispha"
+        ];
+      };
+      soispha = {
+        users = [
+          "soispha"
+        ];
+      };
+    };
+    trust = "strict";
+    openFirewall = true;
+    fqdn = "taskserver.vhack.eu";
+    listenHost = "taskserver.vhack.eu";
+  };
+}
diff --git a/system/users/default.nix b/system/users/default.nix
index 822c94b..06020a6 100644
--- a/system/users/default.nix
+++ b/system/users/default.nix
@@ -48,6 +48,20 @@
         openssh.authorizedKeys.keys = [
         ];
       };
+      nixremote = {
+        name = "nixremote";
+        isNormalUser = true;
+        createHome = true;
+        home = "/home/nixremote";
+        uid = 1003;
+        group = "nixremote";
+        openssh.authorizedKeys.keys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCbSWqFzb+WTq2JVoRGoTkCkP7AM3bNY91bsUBeoQQc8gKAWuqCrpAOmr2Q2QMaTTGEOM0CsWfWLs3ZYtynHmc7wIFc4T/sUloV+dB9oSCmOk5ePxtj8+gpPK35Ja+ug5zmXsaI4s+n9mEbuuEjn33MxDYCUzAI+aWvWe68u/j+FM3u9c3Ta009rotajjSZ/cmIltgNLsG1rnAZRpwmLVg5UL4cb9um54o/NLYFd2KAekQFVbwUQDzzqriZhWmzkfhnznBMDblf9R1xvZ18Lqv3JF21shdaR43NW1wtuntBvAdsVYK2VUEbj+3MxTkK0aQ/E9SHMtH8MRE4oxU74TeTWfIhuSZk9/wekzSNMkHP3ReFC6B9xCMYa+ZqaTaGSWLQi78AQDeM2F9rAfp3hQzyRa7T7qKlgbae/hEb07xZglqmG7eml9vPSt4AHv5Y176Q95NiiWduGoLQOmjvSBMU9/KEGrGKyLfGH1Wa2EOfPxKKcvcHW0Xi9PlPiuP0nYk= root@thinklappi"
+        ];
+      };
+    };
+    groups.nixremote = {
+      gid = 1004;
     };
   };
 }