From c457ef602a2a519d6bf923dc6dc02c18c9b44ecd Mon Sep 17 00:00:00 2001 From: xengi Date: Fri, 5 Dec 2025 10:18:21 +0100 Subject: [PATCH 1/6] Update README.md Signed-off-by: xengi --- README.md | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index f295fe6..bde01f5 100644 --- a/README.md +++ b/README.md @@ -13,20 +13,30 @@ server { hostname berlin.ccc.de; location "/.well-known/matrix/server" { default_type application/json; + add_header Access-Control-Allow-Origin "*"; return 200 '{"m.server":"matrix.berlin.ccc.de:443"}'; } + location "/.well-known/matrix/client" { + default_type application/json; + add_header Access-Control-Allow-Origin "*"; + return 200 '{"m.homeserver": {"base_url": "https://matrix.berlin.ccc.de"}}'; + } } ``` # DNS ``` -_matrix-fed._tcp.matrix.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. -#_matrix._tcp.matrix.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. -#_matrix._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. -_matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. -matrix.berlin.ccc.de. IN A -matrix.berlin.ccc.de. IN AAAA +_matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. +_matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. +matrix.berlin.ccc.de. IN A 195.160.173.25 +matrix.berlin.ccc.de. IN AAAA 2001:678:760:cccb::25 +matrix.berlin.ccc.de. IN CAA 0 issue "letsencrypt.org;validationmethods=http-01" +matrix.berlin.ccc.de. IN CAA 0 iodef "mailto:caa@xengi.de" +matrix.berlin.ccc.de. IN SSHFP 1 1 f40e117b002957939a454070adbbafe42d6f5842 +matrix.berlin.ccc.de. IN SSHFP 1 2 8ba0c605a365ef5369e91c531dd86fabfe4ce6dbd5e8280093ec2672d67c329b +matrix.berlin.ccc.de. IN SSHFP 4 1 62d10fa57f8a1aa7469cd9b00621e4ce89261d91 +matrix.berlin.ccc.de. IN SSHFP 4 2 ca80a6685984da140ac850e4951fa31e70b616e87f62f46437af3bfd215af887 ``` # Bots From 3b84ac33f0bbdbc2acd657dd05826a18a5b3a31d Mon Sep 17 00:00:00 2001 
From: xengi Date: Fri, 5 Dec 2025 10:18:41 +0100 Subject: [PATCH 2/6] Update README.md Signed-off-by: xengi --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bde01f5..e608ad8 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ server { # DNS -``` +```dns _matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. _matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de. matrix.berlin.ccc.de. IN A 195.160.173.25 From 8bfa4284cbadfebcf8f738594ba717211a6867ee Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Fri, 5 Dec 2025 12:06:16 +0100 Subject: [PATCH 3/6] things --- configuration.nix | 22 ++++++++++++++++++---- services/nginx.nix | 3 ++- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/configuration.nix b/configuration.nix index 404c171..02c4f3d 100644 --- a/configuration.nix +++ b/configuration.nix @@ -55,7 +55,8 @@ users.users.root = { packages = with pkgs; [ kitty # for terminfo - neofetch # for shits and giggles + fastfetch # for shits and giggles + tmux ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICW1+Ml8R9x1LCJaZ8bIZ1qIV4HCuZ6x7DziFW+0Nn5T xengi@kanae_2022-12-09" @@ -69,16 +70,25 @@ }; networking = { + hostname = "matrix"; + domain = "berlin.ccc.de"; + nameservers = [ + "2606:4700:4700::1111#one.one.one.one" + "2620:fe::fe#dns.quad9.net" + ]; + useDHCP = false; useNetworkd = true; - nftables.enable = true; dhcpcd.enable = false; + nftables.enable = true; + tempAddresses = "disabled"; firewall = { enable = true; allowedTCPPorts = [ - 22 # SSH + 22 80 # HTTP/1 443 # HTTP/2 8448 # Matrix federation + 10022 # SSH ]; allowedUDPPorts = [ 443 # HTTP/3 @@ -94,7 +104,7 @@ fstrim.enable = false; # Let Proxmox host handle fstrim openssh = { enable = true; - openFirewall = true; + ports = [ 22 10022 ]; settings = { PermitEmptyPasswords = "no"; PermitRootLogin = "prohibit-password"; 
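Review bot: The `#one.one.one.one` and `#dns.quad9.net` suffixes on the new `nameservers` entries only name the upstream for DNS-over-TLS certificate validation; unless `services.resolved.dnsovertls` is enabled elsewhere (the `resolved` block lies outside this hunk), resolved still sends queries in cleartext on port 53 and the suffix changes nothing. If encrypted resolution is the intent, pair the entries with `services.resolved.dnsovertls = "true";` (or `"opportunistic"` if a plaintext fallback is acceptable) and say so on the line, e.g. `# DoT upstreams; the #name part is what resolved validates the certificate against`. The `networking` set begins in this hunk, but `allowedUDPPorts` and the rest of `firewall` run past its end.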
@@ -111,6 +121,10 @@ \/_/\/_/\/_/\/__/\/_/ \/__/ \/_/ \/_/\//\/_/ \/____/\/____/\/____/ \/___/ ''; }; + sshguard = { + enable = true; + services = [ "sshd" ]; + }; # Cache DNS lookups to improve performance resolved = { enable = true; diff --git a/services/nginx.nix b/services/nginx.nix index e8c1f7b..8ac5477 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -21,6 +21,7 @@ in recommendedGzipSettings = true; recommendedBrotliSettings = true; virtualHosts."${fqdn}" = { + default = true; quic = true; kTLS = true; forceSSL = true; @@ -49,7 +50,7 @@ in ]; locations = { "/.well-known/acme-challenge".root = config.security.acme.defaults.webroot; - "/".return = "418 \"I'm a Teapot!\""; + "/".return = "418 \"🫖\""; "= /.well-known/matrix/client" = { return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.berlin.ccc.de\"}}'"; extraConfig = '' From ac3739c83d38ec2c89c1a5c0e1d9872e69ee2793 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Fri, 5 Dec 2025 12:09:01 +0100 Subject: [PATCH 4/6] fix --- configuration.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configuration.nix b/configuration.nix index 7a0be5f..a3ff60c 100644 --- a/configuration.nix +++ b/configuration.nix @@ -49,7 +49,7 @@ proxmoxLXC = { manageNetwork = false; manageHostName = false; - privileged = true; + privileged = false; }; users.users.root = { @@ -70,7 +70,7 @@ }; networking = { - hostname = "matrix"; + hostName = "matrix"; domain = "berlin.ccc.de"; nameservers = [ "2606:4700:4700::1111#one.one.one.one" From 935244f72e1ff40e0fb49bd2987efb9e6e61a776 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Fri, 5 Dec 2025 12:11:59 +0100 Subject: [PATCH 5/6] fix --- configuration.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/configuration.nix b/configuration.nix index a3ff60c..91418b3 100644 --- a/configuration.nix +++ b/configuration.nix 
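Review bot: `services.sshguard` is enabled without a `whitelist`, so an admin host that repeatedly fails authentication trips the same block as an attacker, and with `PermitRootLogin = "prohibit-password"` (visible in the earlier openssh hunk) there is no second login path to clear it. Add the management source ranges, e.g. `whitelist = [ "<admin-net>/24" ];`, with a comment such as `# key-only sshd; sshguard mostly trims log noise -- never block the admin ranges`. Since `networking.nftables.enable = true` is set in this file, the NixOS module is expected to drive sshguard's nftables backend rather than ipset; confirm after deploy that the sshguard set is present in `nft list ruleset` rather than assuming blocks are applied. The enclosing `services` set starts and ends outside the hunk.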
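Review bot: `default = true;` makes the production `${fqdn}` vhost the catch-all, so requests arriving by bare IP or with an unmatched Host/SNI are answered with its certificate, the Matrix well-known JSON and the ACME webroot instead of being refused. The usual shape is a dedicated catch-all that rejects the handshake, `virtualHosts."_" = { default = true; rejectSSL = true; locations."/".return = "444"; };`, leaving the real vhost to serve only its own name. If the intent really is that this single-purpose host answers everything, a comment next to the line, e.g. `# deliberately the catch-all: only vhost on this box`, stops the next reviewer from flagging it. The `virtualHosts."${fqdn}"` set continues past the hunk.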
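Review bot: `privileged = false;` only tells the NixOS `proxmoxLXC` module which kind of container it is configuring for; it does not by itself make the container unprivileged, so it has to agree with the CT's actual setting on the Proxmox host. The commit message ("fix") does not record which side was wrong, and a comment would pin it: `privileged = false; # CT is created unprivileged on the PVE host; keep in sync with the CT config`. What the module does differently when this flag flips is not visible here, so verify the rebuilt system still comes up inside the container. The `proxmoxLXC` set starts before the hunk.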
@@ -84,11 +84,10 @@ firewall = { enable = true; allowedTCPPorts = [ - 22 + 22 # SSH 80 # HTTP/1 443 # HTTP/2 8448 # Matrix federation - 10022 # SSH ]; allowedUDPPorts = [ 443 # HTTP/3 @@ -104,7 +103,6 @@ fstrim.enable = false; # Let Proxmox host handle fstrim openssh = { enable = true; - ports = [ 22 10022 ]; settings = { PermitEmptyPasswords = "no"; PermitRootLogin = "prohibit-password"; From 4ec1302a6872c71d21d6c189136580e4934b94c1 Mon Sep 17 00:00:00 2001 From: "Ricardo (XenGi) Band" Date: Fri, 5 Dec 2025 19:49:24 +0100 Subject: [PATCH 6/6] fmt fix --- services/draupnir.nix | 1 - services/nginx.nix | 1 - 2 files changed, 2 deletions(-) diff --git a/services/draupnir.nix b/services/draupnir.nix index de4d809..8564d39 100644 --- a/services/draupnir.nix +++ b/services/draupnir.nix @@ -14,4 +14,3 @@ secrets.accessToken = config.age.secrets.draupnir_access_token.path; }; } - diff --git a/services/nginx.nix b/services/nginx.nix index a848f13..eff02e6 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -42,4 +42,3 @@ in }; }; } -