diff --git a/flake.lock b/flake.lock
index d6fb4f8..a69e369 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1470,11 +1470,11 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1704582381,
-        "narHash": "sha256-GC56ZF7qAtRqxF/SchmlVN86mA4BMwRFRz411utqUvc=",
+        "lastModified": 1709496928,
+        "narHash": "sha256-g9dipr2h98QommLyv5uGF6T9Oqp5OQAyyxCugr4B6+A=",
         "ref": "main",
-        "rev": "cd333595c000cd2b1cbce7b2a6027fd6c3f07769",
-        "revCount": 62,
+        "rev": "e38a0471afe70fa2d262ba0a86a68bfbae8c2c26",
+        "revCount": 63,
         "type": "git",
         "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git"
       },
diff --git a/nixos/components/network/tinc/private.nix b/nixos/components/network/tinc/private.nix
index c315aba..4da6955 100644
--- a/nixos/components/network/tinc/private.nix
+++ b/nixos/components/network/tinc/private.nix
@@ -16,8 +16,10 @@ let
     chungus = "10.23.42.28";
     cherry = "10.23.42.29";
     robi = "10.23.42.111";
+    orbi = "10.23.42.100";
   };
   subDomains = {
+    # orbi
     # robi
     "grafana.robi" = hosts.robi;
     "loki.robi" = hosts.robi;
@@ -97,6 +99,11 @@ in
           subnets = [{ address = hosts.robi; }];
           settings.Ed25519PublicKey = "bZUbSdME4fwudNVbUoNO7PpoOS2xALsyTs81F260KbL";
         };
+        orbi = {
+          addresses = [{ address = "95.216.66.212"; }];
+          subnets = [{ address = hosts.orbi; }];
+          settings.Ed25519PublicKey = "/1OE8xsnRT6egxd/+iH9TE+tzlwiUJeNsGFIIWyc70A";
+        };
       };
     };
   };
diff --git a/nixos/machines/orbi/configuration.nix b/nixos/machines/orbi/configuration.nix
index 9af5071..5b4010e 100644
--- a/nixos/machines/orbi/configuration.nix
+++ b/nixos/machines/orbi/configuration.nix
@@ -5,7 +5,6 @@
 
     ../../system/all/defaults.nix
 
-
     ../../components
     ../../modules
 
@@ -21,7 +20,7 @@
     #./nginx.nix
     #./nginx-wkd.nix
 
-    #./network-tinc.nix
+    ./network-tinc.nix
     #./network-wireguard.nix
 
     #./media-share.nix
@@ -35,6 +34,7 @@
     #./sync-torrent.nix
 
     #./social-jitsi.nix
+    ./social-matrix.nix
 
     # matrix
     # ------
@@ -62,7 +62,6 @@
   security.acme.acceptTerms = true;
   security.acme.defaults.email = "contact@ingolf-wagner.de";
 
-  # todo create your own
-  sops.defaultSopsFile = ../../secrets/robi.yaml;
+  sops.defaultSopsFile = ../../secrets/orbi.yaml;
 
 }
diff --git a/nixos/machines/orbi/hardware-configuration/default.nix b/nixos/machines/orbi/hardware-configuration/default.nix
index ab1819d..c48958e 100644
--- a/nixos/machines/orbi/hardware-configuration/default.nix
+++ b/nixos/machines/orbi/hardware-configuration/default.nix
@@ -74,6 +74,7 @@ in
       hostKeys = [
         # make sure you use --copy-host-keys during nixos-anywhere
         # (you can create ne ssh keys later, again)
+        # rm /etc/ssh/ssh_host_* && systemctl restart sshd.service
         /etc/ssh/ssh_host_rsa_key
         /etc/ssh/ssh_host_ed25519_key
       ];
diff --git a/nixos/machines/orbi/network-tinc.nix b/nixos/machines/orbi/network-tinc.nix
index 0bf4df2..9afe192 100644
--- a/nixos/machines/orbi/network-tinc.nix
+++ b/nixos/machines/orbi/network-tinc.nix
@@ -7,9 +7,9 @@
   };
 
   tinc.private.enable = true;
-  tinc.private.ipv4 = "10.23.42.111";
+  tinc.private.ipv4 = "10.23.42.100";
 
   tinc.secret.enable = true;
-  tinc.secret.ipv4 = "10.123.42.123";
+  tinc.secret.ipv4 = "10.123.42.100";
 
 }
diff --git a/nixos/machines/orbi/social-matrix.nix b/nixos/machines/orbi/social-matrix.nix
new file mode 100644
index 0000000..a20c502
--- /dev/null
+++ b/nixos/machines/orbi/social-matrix.nix
@@ -0,0 +1,121 @@
+{ config, pkgs, ... }:
+let
+
+  inherit (config.services.dendrite.settings.global) server_name;
+
+  nginx-vhost = "matrix.terranix.org";
+  element-web-terranix.org =
+    pkgs.runCommand "element-web-with-config"
+      {
+        nativeBuildInputs = [ pkgs.buildPackages.jq ];
+      } ''
+      cp -r ${pkgs.element-web} $out
+      chmod -R u+w $out
+      jq '."default_server_config"."m.homeserver" = { "base_url": "https://${nginx-vhost}:443", "server_name": "${server_name}" }' \
+        > $out/config.json < ${pkgs.element-web}/config.json
+      ln -s $out/config.json $out/config.${nginx-vhost}.json
+    '';
+in
+{
+
+  # postgresql instance dedicated to matrix
+  # todo : mount postgresql folder in a dedicated zfs pool
+  containers.synapse-postgresql = {
+    autoStart = true;
+    privateNetwork = false;
+    config = { config, pkgs, lib, ... }: {
+      system.stateVersion = "23.11";
+      services.postgresql.enable = true;
+    };
+  };
+
+  # $ nix-shell -p dendrite --run 'generate-keys --private-key /tmp/key'
+  #sops.secrets.matrix-server-key = { };
+
+  #services.dendrite = {
+  #  enable = true;
+  #  httpPort = 8448;
+  #  settings = {
+  #    global = {
+  #      server_name = "terranix.org";
+  #      # `private_key` has the type `path`
+  #      # prefix a `/` to make `path` happy
+  #      private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key";
+  #      trusted_third_party_id_servers = [
+  #        "matrix.org"
+  #        "vector.im"
+  #        "xaos.space"
+  #        "lassul.us"
+  #        "thalheim.io"
+  #        "nixos.org"
+  #      ];
+  #      metrics.enabled = false;
+  #    };
+  #    logging = [
+  #      {
+  #        type = "std";
+  #        level = "warn";
+  #      }
+  #    ];
+  #    client_api = {
+  #      registration_disabled = true;
+  #      rate_limiting.enabled = false;
+  #      # set only for the first admin account, than remove.
+  #      #registration_shared_secret = ""; # disable once first admin account is created
+  #    };
+  #    media_api = {
+  #      dynamic_thumbnails = true;
+  #    };
+  #    mscs = {
+  #      mscs = [ "msc2836" "msc2946" ];
+  #    };
+  #    sync_api = {
+  #      real_ip_header = "X-Real-IP";
+  #    };
+  #    federation_api = {
+  #      key_perspectives = [
+  #        {
+  #          server_name = "matrix.org";
+  #          keys = [
+  #            {
+  #              key_id = "ed25519:auto";
+  #              public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
+  #            }
+  #            {
+  #              key_id = "ed25519:a_RXGa";
+  #              public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
+  #            }
+  #          ];
+  #        }
+  #      ];
+  #      prefer_direct_fetch = false;
+  #    };
+  #  };
+  #};
+
+  #systemd.services.dendrite.serviceConfig.LoadCredential = [
+  #  "matrix-server-key:${config.sops.secrets.matrix-server-key.path}"
+  #];
+
+  #services.nginx.virtualHosts.${nginx-vhost} = {
+  #  forceSSL = true;
+  #  enableACME = true;
+  #  extraConfig = ''
+  #    proxy_set_header Host $host;
+  #    proxy_set_header X-Real-IP $remote_addr;
+  #    proxy_read_timeout 600;
+  #  '';
+  #  locations."/_matrix".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
+  #  # for remote admin access
+  #  locations."/_synapse".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
+  #  locations."/".root = element-web-terranix.org;
+  #};
+
+  #services.nginx.virtualHosts.${server_name} = {
+  #  locations."= /.well-known/matrix/server".alias =
+  #    pkgs.writeText "matrix-server" (builtins.toJSON { "m.server" = "${nginx-vhost}:443"; });
+  #  locations."= /.well-known/matrix/client".alias =
+  #    pkgs.writeText "matrix-client" (builtins.toJSON { "m.homeserver".base_url = "https://${nginx-vhost}"; });
+  #};
+
+}