diff --git a/clients/nova/continuwuity.nix b/clients/nova/continuwuity.nix
new file mode 100644
index 0000000..20bc9bc
--- /dev/null
+++ b/clients/nova/continuwuity.nix
@@ -0,0 +1,10 @@
+{
+ quad.matrix = {
+ enable = true;
+ domain = "polyphony.chat";
+ settings.well_known = {
+ support_email = "info@polyphony.chat";
+ support_mxid = null;
+ };
+ };
+}
diff --git a/clients/nova/flori.nix b/clients/nova/flori.nix
new file mode 100644
index 0000000..07df9a9
--- /dev/null
+++ b/clients/nova/flori.nix
@@ -0,0 +1,16 @@
+{ config, ... }:
+{
+ users = {
+ mutableUsers = true;
+ users.flori = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcXzWUeVwJN7iPxMT/1lhJySY4t6Z2/fH/GHVuzQFr6 cardno:32_241_564"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBnstd9HyyIjfXWfGymWDcRlK9nZuqgTIcueiqPUDaQ star@starforge"
+ ];
+ hashedPasswordFile = config.age.secrets."initialFloriPassword.age".path;
+ description = "Flori";
+ extraGroups = [ "wheel" ];
+ };
+ };
+}
diff --git a/clients/nova/hardware-configuration.nix b/clients/nova/hardware-configuration.nix
new file mode 100644
index 0000000..89720d2
--- /dev/null
+++ b/clients/nova/hardware-configuration.nix
@@ -0,0 +1,7 @@
+{
+ boot.kernelParams = [ "ip=dhcp" ];
+ boot.initrd.availableKernelModules = [
+ "virtio_pci"
+ "virtio_net"
+ ];
+}
diff --git a/clients/nova/unlock-ssh-initrd.nix b/clients/nova/unlock-ssh-initrd.nix
new file mode 100644
index 0000000..716edad
--- /dev/null
+++ b/clients/nova/unlock-ssh-initrd.nix
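Review bot: `support_mxid = null;` hands a literal null into continuwuity's `well_known` settings, and if the service module serialises `settings` to TOML (which has no null value) that key may be rejected or rendered unexpectedly rather than simply omitted; dropping the line so that only `support_email` is defined is the safer way to say "no support MXID". Whether either value reaches the daemon at all also depends on how modules/server/continuwuity.nix combines `settings` with its own `well_known` block, so the generated config is worth checking once after deploy. A one-line comment such as `# no support MXID on this host; contact is by email only` would record the intent either way.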
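Review bot: The SSH keys on `users.flori` will not grant a stage-2 login if nova, declared as `type = "server"` in flake.nix, picks up modules/server/ssh.nix, whose `AllowUsers = [ "quadradical" ]` rejects every other account; either add `flori` to that list or override `services.openssh.settings.AllowUsers` in this file. `mutableUsers = true;` together with `hashedPasswordFile` deserves a comment on what is expected after first login, e.g. `# mutableUsers: passwd changes persist; confirm whether hashedPasswordFile is re-applied on activation`, because the secret is named "initial" but the option used is not `initialHashedPassword`. The `age.secrets."initialFloriPassword.age"` declaration is not in this diff; if agenix is not set up to discover it automatically, the `.path` reference fails evaluation.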
@@ -0,0 +1,20 @@
+{ config, ... }:
+{
+ fileSystems."/".options = [ "x-systemd.device-timeout=0" ];
+ networking.firewall.allowedTCPPorts = [ 222 ];
+ boot = {
+ loader.grub.enable = false;
+ initrd = {
+ systemd = {
+ enable = true;
+ users.root.shell = "/bin/systemd-tty-ask-password-agent";
+ };
+ network.ssh = {
+ enable = true;
+ port = 222;
+ hostKeys = [ "/etc/ssh/ssh_host_ed25519_key_initrd" ];
+ authorizedKeys = config.users.users.ava.openssh.authorizedKeys.keys;
+ };
+ };
+ };
+}
diff --git a/modules/server/disko.nix b/clients/quadraticserver/disko.nix
similarity index 100%
rename from modules/server/disko.nix
rename to clients/quadraticserver/disko.nix
diff --git a/clients/quadraticserver/matrix/bridges.nix b/clients/quadraticserver/matrix/bridges.nix
index 804d0b8..c12c97f 100644
--- a/clients/quadraticserver/matrix/bridges.nix
+++ b/clients/quadraticserver/matrix/bridges.nix
@@ -66,7 +66,7 @@ in
 matrix-ooye = {
 enable = true;
 homeserver = client;
- homeserverName = "federated.nexus";
+ homeserverName = server_name;
 discordTokenPath = config.age.secrets."discordToken.age".path;
 discordClientSecretPath = config.age.secrets."discordClientSecret.age".path;
 socket = "8081";
diff --git a/clients/quadraticserver/matrix/continuwuity.nix b/clients/quadraticserver/matrix/continuwuity.nix
index a3ecc0e..3ea9b5f 100644
--- a/clients/quadraticserver/matrix/continuwuity.nix
+++ b/clients/quadraticserver/matrix/continuwuity.nix
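Review bot: `authorizedKeys = config.users.users.ava.openssh.authorizedKeys.keys;` pins the initrd root login — the principal allowed to unlock the disk — to a user `ava` that this diff never defines for nova, while the host's own user file declares `flori`; if `ava` comes from no shared module, evaluation fails on the missing attribute, and if it does, the unlock authority belongs to a different person than the host's operator, so confirm the intended key set (likely `config.users.users.flori.openssh.authorizedKeys.keys`). `networking.firewall.allowedTCPPorts = [ 222 ];` opens port 222 in the stage-2 firewall, yet the initrd runs before that firewall exists and nothing in this diff listens on 222 after switch-root, so the rule only widens the exposed surface and can be dropped unless another stage-2 service uses the port. `/etc/ssh/ssh_host_ed25519_key_initrd` is copied into the initrd image, which sits unencrypted on the boot partition, so it must remain a key dedicated to the initrd and never the stage-2 host key; a comment to that effect on the `hostKeys` line would help, and the file has to exist on the host before the first build.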
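Review bot: `homeserverName = server_name;` relies on `server_name` being bound in the `let` that opens above this hunk (the `in` on the hunk header shows the binding exists, but its value is not visible). Now that `quad.matrix.domain` is the declared source of the homeserver name, binding `server_name = config.quad.matrix.domain;` in that `let`, or reading `config.quad.matrix.domain` here directly, keeps the bridge from ever advertising a different server name than continuwuity does. The enclosing `let … in` and the attribute set this hunk sits in both start outside the hunk.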
@@ -1,39 +1,10 @@
-{ lib, ... }:
 {
- systemd.services.continuwuity.serviceConfig.Restart = lib.mkForce "always";
-
- services =
- let
- domain = "federated.nexus";
- subdomain = "matrix.${domain}";
- socket = "/var/run/continuwuity/continuwuity.sock";
- in
- {
- matrix-continuwuity = {
- enable = true;
- group = "caddy";
- settings.global = {
- server_name = domain;
- unix_socket_path = socket;
- new_user_displayname_suffix = "";
- allow_public_room_directory_over_federation = true;
- trusted_servers = [
- "matrix.org"
- "tchncs.de"
- "maunium.net"
- ];
- ignore_messages_from_server_names = [ ];
- url_preview_domain_explicit_allowlist = [ "*" ];
-
- well_known = {
- client = "https://${subdomain}";
- server = "${subdomain}:443";
- support_email = "henry@henryhiles.com";
- support_mxid = "@quadradical:${domain}";
- };
- };
- };
-
- caddy.virtualHosts."${subdomain}".extraConfig = "reverse_proxy unix/${socket}";
+ quad.matrix = rec {
+ enable = true;
+ domain = "federated.nexus";
+ settings.well_known = {
+ support_email = "henry@henryhiles.com";
+ support_mxid = "@quadradical:${domain}";
 };
+ };
 }
diff --git a/clients/quadraticserver/ssh.nix b/clients/quadraticserver/ssh.nix
new file mode 100644
index 0000000..43db8af
--- /dev/null
+++ b/clients/quadraticserver/ssh.nix
@@ -0,0 +1 @@
+{ services.openssh.ports = [ 2222 ]; }
diff --git a/flake.nix b/flake.nix
index c784111..bb6a6c3 100755
--- a/flake.nix
+++ b/flake.nix
@@ -158,6 +158,10 @@
 type = "server";
 graphical = false;
 };
+ "nova" = {
+ type = "server";
+ graphical = false;
+ };
 "quadphone" = {
 type = "mobile";
 system = "aarch64-linux";
diff --git a/modules/graphical/ssh.nix b/modules/graphical/ssh.nix
index 43faeeb..48ba65d 100644
--- a/modules/graphical/ssh.nix
+++ b/modules/graphical/ssh.nix
@@ -3,5 +3,7 @@
 Host server
 HostName ssh.federated.nexus
 Port 2222
+ Host nova
+ HostName nova.bitfl0wer.de
 '';
 }
diff --git a/modules/mobile/repart.nix b/modules/mobile/repart.nix
index 87f1982..f11b05e 100644
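Review bot: `settings.well_known.support_email` and `support_mxid` are declared here, but modules/server/continuwuity.nix builds `settings.global` as `config.quad.matrix.settings // { … well_known = { client = …; server = …; }; }`, and the shallow `//` replaces the whole `well_known` attribute, so as the module is written the two contact values in this file never reach the daemon — a regression from the removed lines, where they sat next to `client`/`server`. Until the module merges recursively, either leave a note here that these values are currently dropped or keep them where they took effect. `rec` is only needed for the `${domain}` interpolation; `support_mxid = "@quadradical:${config.quad.matrix.domain}";` avoids a recursive attribute set inside module config.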
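Review bot: The new `Host nova` entry covers only stage-2 SSH on the default port, while the initrd unlock sshd this commit adds on nova listens on port 222 as root with its own host key, so an operator unlocking the disk has to supply port and user by hand. A second alias keeps that path explicit: `Host nova-unlock`, `HostName nova.bitfl0wer.de`, `Port 222`, `User root`. Whether nova's stage-2 sshd really sits on port 22 depends on it importing modules/server/ssh.nix without a port override, which this diff suggests but does not show.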
--- a/modules/mobile/repart.nix
+++ b/modules/mobile/repart.nix
@@ -11,8 +11,6 @@ let
 in
 {
 imports = [ "${modulesPath}/image/repart.nix" ];
- boot.loader.grub.enable = false;
-
 systemd.repart = {
 enable = true;
 partitions."03-root".Type = "root";
diff --git a/clients/quadraticserver/caddy.nix b/modules/server/caddy.nix
similarity index 100%
rename from clients/quadraticserver/caddy.nix
rename to modules/server/caddy.nix
index 7337831..570f3c6 100644
--- a/clients/quadraticserver/caddy.nix
+++ b/modules/server/caddy.nix
@@ -5,6 +5,11 @@
 ...
 }:
 {
+ options.services.caddy.authedHosts = lib.mkOption {
+ type = lib.types.attrsOf lib.types.lines;
+ default = [ ];
+ };
+
 config = {
 systemd.services.caddy.serviceConfig.Restart = lib.mkForce "always";
 networking.firewall.allowedTCPPorts = [ 443 ];
@@ -44,9 +49,4 @@
 }) config.services.caddy.authedHosts;
 };
 };
-
- options.services.caddy.authedHosts = lib.mkOption {
- type = lib.types.attrsOf lib.types.lines;
- default = [ ];
- };
 }
diff --git a/modules/server/continuwuity.nix b/modules/server/continuwuity.nix
new file mode 100644
index 0000000..a3c1059
--- /dev/null
+++ b/modules/server/continuwuity.nix
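Review bot: `default = [ ];` on `services.caddy.authedHosts` is a list, but the option is typed `lib.types.attrsOf lib.types.lines`; the module system type-checks the default when the option is read, so a host that imports this file without defining `authedHosts` should fail evaluation at the `config.services.caddy.authedHosts` use in the second hunk. The move from clients/quadraticserver to modules/server makes that reachable on every server host rather than just the one that defines it, so it should read `default = { };`. The option also carries no `description`; one sentence stating what the `lines` value of each host is used for (its consumer is further down in this file, outside the hunk) would make the option self-explanatory.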
@@ -0,0 +1,47 @@
+{ config, lib, ... }:
+{
+ options.quad.matrix = {
+ enable = lib.mkEnableOption "matrix";
+
+ domain = lib.mkOption { type = lib.types.string; };
+ settings = lib.mkOption {
+ type = lib.types.submodule { };
+ default = { };
+ };
+ };
+
+ config = {
+ systemd.services.continuwuity.serviceConfig.Restart = lib.mkForce "always";
+ services =
+ let
+ subdomain = "matrix.${config.quad.matrix.domain}";
+ socket = "/var/run/continuwuity/continuwuity.sock";
+ in
+ {
+ matrix-continuwuity = {
+ enable = config.quad.matrix.enable;
+ group = "caddy";
+ settings.global = config.quad.matrix.settings // {
+ server_name = config.quad.matrix.domain;
+ unix_socket_path = socket;
+ new_user_displayname_suffix = "";
+ allow_public_room_directory_over_federation = true;
+ trusted_servers = [
+ "matrix.org"
+ "tchncs.de"
+ "maunium.net"
+ ];
+ ignore_messages_from_server_names = [ ];
+ url_preview_domain_explicit_allowlist = [ "*" ];
+
+ well_known = {
+ client = "https://${subdomain}";
+ server = "${subdomain}:443";
+ };
+ };
+ };
+
+ caddy.virtualHosts."${subdomain}".extraConfig = "reverse_proxy unix/${socket}";
+ };
+ };
+}
diff --git a/modules/server/ssh.nix b/modules/server/ssh.nix
index ff62382..7899f3b 100644
--- a/modules/server/ssh.nix
+++ b/modules/server/ssh.nix
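Review bot: `settings.global = config.quad.matrix.settings // { … well_known = { client = …; server = …; }; }` merges shallowly, so a caller's `settings.well_known.support_email`/`support_mxid` (both client files in this commit set them) is replaced wholesale by the module's own `well_known` and never reaches continuwuity; `lib.recursiveUpdate` keeps the module's keys winning while preserving the caller's siblings. `settings` is typed `lib.types.submodule { }` with no declared options and no freeform type, so a definition of `settings.well_known` should be rejected as an undeclared option — `lib.types.attrsOf lib.types.anything` is what this usage needs — and `lib.types.string` is the deprecated alias of `lib.types.str`. `config` is also not gated on `enable`: the `Restart` override and the `caddy.virtualHosts."matrix.${domain}"` entry apply to every host importing the module, and because `domain` has no default, a server that never sets `quad.matrix.domain` fails evaluation on the virtual-host name; wrapping `config` in `lib.mkIf config.quad.matrix.enable` fixes both. `url_preview_domain_explicit_allowlist = [ "*" ]` is carried over unchanged and lets the homeserver fetch previews for any URL a user posts, which is an SSRF surface worth a one-line comment acknowledging the choice.

```nix
    domain = lib.mkOption { type = lib.types.str; };
    settings = lib.mkOption {
      # Free-form: callers pass arbitrary continuwuity [global] keys, e.g. well_known.support_*.
      type = lib.types.attrsOf lib.types.anything;
      default = { };
    };
  # … unchanged: end of options block …

  # Nothing below should touch hosts that do not enable the service.
  config = lib.mkIf config.quad.matrix.enable {
    # … unchanged: Restart override, let-bindings for subdomain/socket, matrix-continuwuity.enable/group …
          # Deep merge: the caller's well_known.* siblings survive, the module's keys still win.
          settings.global = lib.recursiveUpdate config.quad.matrix.settings {
            # … unchanged: server_name … trusted_servers …
            # Previews may be fetched for any URL a user posts (SSRF surface); deliberate.
            url_preview_domain_explicit_allowlist = [ "*" ];
            # … unchanged: well_known.client / well_known.server …
          };
    # … unchanged: caddy virtualHost …
  };
```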
@@ -1,16 +1,28 @@
-let
- port = 2222;
-in
 {
- networking.firewall.allowedTCPPorts = [ port ];
 users.users.quadradical.openssh.authorizedKeys.keys = import ../../secrets/keys.nix;
- services.openssh = {
- enable = true;
- ports = [ port ];
- settings = {
- PasswordAuthentication = false;
- AllowUsers = [ "quadradical" ];
- PermitRootLogin = "no";
+ services = {
+ openssh = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ PasswordAuthentication = false;
+ AllowUsers = [ "quadradical" ];
+ PermitRootLogin = "no";
+ };
+ };
+
+ fail2ban = {
+ enable = true;
+ maxretry = 5;
+ ignoreIP = [ "192.168.0.0/16" ];
+ bantime = "6h";
+ bantime-increment = {
+ enable = true;
+ formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+ maxtime = "240h";
+ overalljails = true;
+ };
 };
 };
+
 }
diff --git a/secrets/initialFloriPassword.age b/secrets/initialFloriPassword.age
new file mode 100644
index 0000000..c24eace
--- /dev/null
+++ b/secrets/initialFloriPassword.age
@@ -0,0 +1,9 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZLUVVkUSBPSXBv
+OWZxUnNMOWxHbDV0Z3h1N2JrbjBiOFh2b2YxZ2RWVlZHMUUzVEhNCjg2QysxRk1w
+cWZoREZvTTZITFkrRGt2a0xhZGhJSmFLS0tuNkdjSWhMeGcKLT4gKmxvIWstZ3Jl
+YXNlIGZ4cyBGIEFOVEwseXdhIFVNOWV3CktuM3lKZUM0ekdpalhWKzIzbE9DSnZi
+OHlWOEJOMG9KWjcrTXI4MllodytGazgzRVpoSQotLS0gODJmRHpLT3oxU1lSbUNQ
+WXhKem50VFJsUjVpbkFrVUdMZi9Yam5ta21hWQqYwhZCHkg5hjh4PboW8UCZOChC
+y+LqaQY4MhIXHWnMlVJYig==
+-----END AGE ENCRYPTED FILE-----
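Review bot: `PasswordAuthentication = false;` on its own does not close the password path on NixOS, because the module's default `KbdInteractiveAuthentication = true` leaves PAM keyboard-interactive open and that is where a password prompt usually arrives; add `KbdInteractiveAuthentication = false;` beside it so the fail2ban jail below is guarding a key-only service. `ignoreIP = [ "192.168.0.0/16" ]` exempts an entire private /16 from banning; on any host whose network is shared with other tenants those addresses may not be yours, so either narrow it or add a comment naming the network it is meant for. With `AllowUsers = [ "quadradical" ]` now applied to every server host, nova's `flori` account (added with SSH keys in this same commit) is locked out of stage-2 SSH unless the list is extended or overridden per host.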