diff --git a/flake.nix b/flake.nix
index b046ff8..fbc725b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -23,6 +23,12 @@
 in {
 formatter.${system} = pkgs.nixfmt-tree;
+ apps.${system}.connect = {
+ type = "app";
+ program = "${pkgs.writeShellScript "connect.sh" ''
+ ${pkgs.openssh}/bin/ssh root@matrix.berlin.ccc.de -L 3000:[::1]:3000 -L 9090:[::1]:9090 -N
+ ''}";
+ };
 devShells.${system}.default = pkgs.mkShell {
 packages = [
 (agenix.packages.${system}.default)
@@ -82,7 +88,18 @@
 };
 };
 }
- ./hosts/matrix
+ ./hosts/matrix.nix
+
+ ./services/openssh.nix
+
+ ./services/nginx.nix
+ ./services/postgres.nix
+
+ ./services/synapse.nix
+ ./services/draupnir.nix
+
+ ./services/prometheus.nix
+ ./services/grafana.nix
 ];
 };
 nixosConfigurations."hedgedoc" = nixpkgs.lib.nixosSystem {
@@ -92,7 +109,10 @@
 modules = [
 agenix.nixosModules.default
 { environment.systemPackages = [ (agenix.packages.${system}.default) ]; }
- ./hosts/hedgedoc
+
+ ./hosts/hedgedoc.nix
+
+ ./services/openssh.nix
 ];
 };
 };
diff --git a/hosts/common.nix b/hosts/hedgedoc.nix
similarity index 76%
rename from hosts/common.nix
rename to hosts/hedgedoc.nix
index e1c850b..0f5ed23 100644
--- a/hosts/common.nix
+++ b/hosts/hedgedoc.nix
@@ -2,13 +2,12 @@
 config,
 modulesPath,
 pkgs,
+ lib,
 ...
 }:
 {
- imports = [
- (modulesPath + "/virtualisation/proxmox-lxc.nix")
- ];
+ imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ];
 systemd.suppressedSystemUnits = [
 "dev-mqueue.mount"
@@ -69,6 +68,7 @@
 };
 networking = {
+ hostName = "hedgedoc";
 domain = "berlin.ccc.de";
 nameservers = [
 "2606:4700:4700::1111#one.one.one.one"
@@ -81,7 +81,17 @@
 dhcpcd.enable = false;
 nftables.enable = true;
 tempAddresses = "disabled";
- firewall.enable = true;
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 22 # SSH
+ 80 # HTTP/1
+ 443 # HTTP/2
+ ];
+ allowedUDPPorts = [
+ 443 # HTTP/3
+ ];
+ };
 };
 time.timeZone = "Europe/Berlin";
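Review bot: The ssh invocation in the new `apps.${system}.connect` script does not set `-o ExitOnForwardFailure=yes`, so when local port 3000 or 9090 is already bound ssh only prints a warning and, under `-N`, keeps an idle session open with one or both forwards missing, which is easy to overlook. Suggest `${pkgs.openssh}/bin/ssh -o ExitOnForwardFailure=yes root@matrix.berlin.ccc.de -L 3000:[::1]:3000 -L 9090:[::1]:9090 -N "$@"`. Binding the local side to loopback (ssh's default without `-g`) is the right choice for what presumably are the Grafana and Prometheus ports added to the matrix host in this same file; appending `"$@"` lets a caller add further ssh options without editing the flake.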
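Review bot: The hedgedoc host's module list in the `@@ -92,7 +109,10 @@` hunk now holds only `./hosts/hedgedoc.nix` and `./services/openssh.nix`, while the deleted hosts/hedgedoc/default.nix also imported `../../services/hedgedoc.nix`; unless that module is pulled in somewhere outside this diff, the hedgedoc service itself is no longer part of the configuration. The renamed hosts/hedgedoc.nix meanwhile opens TCP 80/443 and UDP 443 in its firewall, so the host would expose open ports with nothing behind them. Add `./services/hedgedoc.nix` after `./services/openssh.nix` in this list, mirroring how the matrix host lists its services explicitly.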
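Review bot: Adding `hostName = "hedgedoc";` turns the former hosts/common.nix into a per-host file, so everything it still shares with the new hosts/matrix.nix (the nix and gc settings, the networking stack, and presumably the root `openssh.authorizedKeys.keys` list, which the 76% similarity suggests survived the rename) is now maintained in two copies. A key rotation or firewall change then has to be applied to both files, and a key removed from one host silently stays valid on the other. Keeping a small shared module imported by both hosts would preserve a single source of truth for the key list; separately, the `+ lib,` argument added in the `@@ -2,13 +2,12 @@` hunk is not used by any hunk visible here and may be droppable.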
@@ -90,6 +100,17 @@
 services = {
 fstrim.enable = false; # Let Proxmox host handle fstrim
+ openssh.banner = ''
+ __ __ __
+ /\ \ /\ \ /\ \
+ \ \ \___ __ \_\ \ __ __ \_\ \ ___ ___
+ \ \ _ `\ /'__`\ /'_` \ /'_ `\ /'__`\ /'_` \ / __`\ /'___\
+ \ \ \ \ \/\ __//\ \L\ \/\ \L\ \/\ __//\ \L\ \/\ \L\ \/\ \__/
+ \ \_\ \_\ \____\ \___,_\ \____ \ \____\ \___,_\ \____/\ \____\
+ \/_/\/_/\/____/\/__,_ /\/___L\ \/____/\/__,_ /\/___/ \/____/
+ /\____/
+ \_/__/
+ '';
 # Cache DNS lookups to improve performance
 resolved = {
 enable = true;
@@ -132,4 +153,6 @@
 };
 };
 };
+
+ system.stateVersion = "25.11";
 }
diff --git a/hosts/hedgedoc/default.nix b/hosts/hedgedoc/default.nix
deleted file mode 100644
index 92428bd..0000000
--- a/hosts/hedgedoc/default.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{ ... }:
-
- {
- imports = [
- ../common.nix
- ../../services/openssh.nix
- ../../services/hedgedoc.nix
- ];
-
- networking = {
- hostName = "hedgedoc";
- firewall = {
- allowedTCPPorts = [
- 80 # HTTP/1
- 443 # HTTP/2
- ];
- allowedUDPPorts = [
- 443 # HTTP/3
- ];
- };
- };
-
- services = {
- openssh.banner = ''
- __ __ __
- /\ \ /\ \ /\ \
- \ \ \___ __ \_\ \ __ __ \_\ \ ___ ___
- \ \ _ `\ /'__`\ /'_` \ /'_ `\ /'__`\ /'_` \ / __`\ /'___\
- \ \ \ \ \/\ __//\ \L\ \/\ \L\ \/\ __//\ \L\ \/\ \L\ \/\ \__/
- \ \_\ \_\ \____\ \___,_\ \____ \ \____\ \___,_\ \____/\ \____\
- \/_/\/_/\/____/\/__,_ /\/___L\ \/____/\/__,_ /\/___/ \/____/
- /\____/
- \_/__/
- '';
- };
-
- system.stateVersion = "25.11";
-}
diff --git a/hosts/matrix.nix b/hosts/matrix.nix
new file mode 100644
index 0000000..ca2942d
--- /dev/null
+++ b/hosts/matrix.nix
@@ -0,0 +1,158 @@
+{
+ config,
+ modulesPath,
+ pkgs,
+ lib,
+ ...
+}:
+
+{
+ imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ];
+
+ systemd.suppressedSystemUnits = [
+ "dev-mqueue.mount"
+ "sys-kernel-debug.mount"
+ "sys-fs-fuse-connections.mount"
+ ];
+
+ nix = {
+ optimise = {
+ automatic = true;
+ dates = [ "11:00" ];
+ };
+ settings = {
+ auto-optimise-store = true;
+ sandbox = false;
+ # Allow remote updates
+ trusted-users = [
+ "root"
+ "@wheel"
+ ];
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ };
+ gc = {
+ automatic = true;
+ options = "--delete-older-than 14d";
+ };
+ };
+
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ environment.systemPackages = with pkgs; [
+ vim
+ git
+ ];
+
+ proxmoxLXC = {
+ manageNetwork = false;
+ manageHostName = false;
+ privileged = false;
+ };
+
+ users.users.root = {
+ packages = with pkgs; [
+ kitty # for terminfo
+ fastfetch # for shits and giggles
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICW1+Ml8R9x1LCJaZ8bIZ1qIV4HCuZ6x7DziFW+0Nn5T xengi@kanae_2022-12-09"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmb+mJfo84IagUaRoDEqY9ROjjQUOQ7tMclpN6NDPrX xengi@kota_2022-01-16"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyklb7dvEHH0VBEMmTUQFKHN6ekBQqkDKj09+EilUIQ xengi@lucy_2018-09-08"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICjv9W8WXq9QGkgmANNPQR24/I1Pm1ghxNIHftEI+jlZ xengi@mayu_2021-06-11"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhyfD+8jMl6FDSADb11sfAsJk0KNoVzjjiDRZjUOtmf xengi@nana_2019-08-16"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMPtGqhV7io3mhIoZho4Yf7eCo0sUZvjT2NziM2PkXSo xengi@nyu_2017-10-11"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwYcSxbP6Hon//kZFIZJSHdqvsJ6AyCwH4JP9/t4q46 xengi@yuka_2020-12-16"
+ ];
+ };
+
+ networking = {
+ hostName = "matrix";
+ domain = "berlin.ccc.de";
+ nameservers = [
+ "2606:4700:4700::1111#one.one.one.one"
+ "2620:fe::fe#dns.quad9.net"
+ "1.1.1.1#one.one.one.one"
+ "9.9.9.9#dns.quad9.net"
+ ];
+ useDHCP = false;
+ useNetworkd = true;
+ dhcpcd.enable = false;
+ nftables.enable = true;
+ tempAddresses = "disabled";
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 22 # SSH
+ 80 # HTTP/1
+ 443 # HTTP/2
+ 8448 # Matrix federation
+ ];
+ allowedUDPPorts = [
+ 443 # HTTP/3
+ ];
+ };
+ };
+
+ time.timeZone = "Europe/Berlin";
+ i18n.defaultLocale = "en_GB.UTF-8";
+ console.font = "Lat2-Terminus16";
+
+ services = {
+ fstrim.enable = false; # Let Proxmox host handle fstrim
+ openssh.banner = ''
+ __ __
+ /\ \__ __ /\ \
+ ___ ___ __ \ \ ,_\ _ __ /\_\ __ _ ___ ___ ___\ \ \____
+ /' __` __`\ /'__`\ \ \ \/ /\`'__\/\ \ /\ \/'\ /'___\ /'___\ /'___\ \ '__`\
+ /\ \/\ \/\ \/\ \L\.\_\ \ \_\ \ \/ \ \ \\/>