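# NixOS host module for a small QEMU guest: Zulip chat, Roundcube webmail,
# the simple-nixos-mailserver module, ACME certificates, and base
# system/network settings. `machine` is supplied by the flake and only
# provides the hostname here.
{ config, modulesPath, machine, ... }: {
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];

  # zulip config
  services.zulip = {
    enable = true;
    host = "chat.${config.networking.domain}";
    # SECURITY: builtins.toFile writes the literal contents into the
    # world-readable /nix/store, so none of these files are actually secret,
    # and the contents are placeholders. Provision them outside the store the
    # same way the mailserver account password is below
    # (config.age.secrets.<name>.path) before this host serves real users.
    camoKeyFile = builtins.toFile "camoKeyFile" "key";
    rabbitmqPasswordFile = builtins.toFile "rabbitmqPasswordFile" "password";
    secretKeyFile = builtins.toFile "secretKeyFile" "secret key";
    sharedSecretKeyFile = builtins.toFile "sharedSecretKeyFile" "shared secret key";
    avatarSaltKeyFile = builtins.toFile "avatarSaltKeyFile" "avatar salt key";
    zulipSettings = {
      # Placeholder values: EXTERNAL_HOST presumably needs to match `host`
      # above and ZULIP_ADMINISTRATOR an admin mailbox -- confirm against the
      # module before deployment, otherwise generated links will be wrong.
      EXTERNAL_HOST = "EXTERNAL_HOST";
      ZULIP_ADMINISTRATOR = "ZULIP_ADMINISTRATOR";
    };
  };

  # roundcube config
  services.roundcube = {
    enable = true;
    hostName = "webmail.${config.networking.domain}";
    # Talk to the local mailserver over TLS only; %u/%p are Roundcube's own
    # placeholders for the logged-in user's credentials, not Nix
    # interpolation.
    extraConfig = ''
      $config['imap_host'] = "ssl://${config.mailserver.fqdn}";
      $config['smtp_host'] = "ssl://${config.mailserver.fqdn}";
      $config['smtp_user'] = "%u";
      $config['smtp_pass'] = "%p";
    '';
  };

  # mailserver config
  mailserver = {
    enable = true;
    stateVersion = 3;
    fqdn = "mail.${config.networking.domain}";
    domains = [ config.networking.domain ];
    # Reuse the certificate that the nginx vhost for the mail fqdn obtains
    # via ACME (see services.nginx below).
    x509.useACMEHost = config.mailserver.fqdn;
    loginAccounts = {
      # Password hash lives in an agenix secret, not in the store.
      "test@${config.networking.domain}" = {
        hashedPasswordFile =
          builtins.toString config.age.secrets.mailserver-acc-test-pw.path;
      };
    };
  };

  # cert config
  security.acme = {
    acceptTerms = true;
    defaults.email = "mtgmonket@gmail.com";
  };

  services.nginx = {
    enable = true;
    # This vhost exists so ACME issues a certificate for the mail fqdn;
    # the mailserver consumes it through x509.useACMEHost.
    virtualHosts."mail.${config.networking.domain}" = {
      forceSSL = true;
      enableACME = true;
    };
  };

  # system config
  system.stateVersion = "25.11";
  nix.settings.experimental-features = [ "flakes" "nix-command" ];

  fileSystems."/" = {
    device = "/dev/sda1";
    fsType = "ext4";
  };
  boot.loader.grub.device = "/dev/sda";
  boot.loader.timeout = 30;
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
  boot.initrd.kernelModules = [ "nvme" ];
  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;

  networking = {
    useNetworkd = true;
    usePredictableInterfaceNames = true;
    hostName = machine.hostname;
    domain = "galaxious.de";
    firewall = {
      enable = true;
      allowedTCPPorts = [ 80 443 ];
      # NOTE(review): nothing in this module listens on UDP (nginx is not
      # configured for HTTP/3/QUIC, and mail/SSH are TCP); these two UDP
      # ports are open to the internet for no service. Consider dropping
      # them unless the Zulip module needs them -- confirm before removing.
      allowedUDPPorts = [ 80 443 ];
    };
  };

  systemd.network = {
    enable = true;
    networks."40-wan" = {
      matchConfig.Name = "enx0050565f4fff";
      address = [ "2a02:c207:2299:8419::1/64" "109.199.104.83/20" ];
      routes = [
        {
          Gateway = "109.199.96.1";
          GatewayOnLink = true;
        }
        { Gateway = "fe80::1"; }
      ];
      dns = [ "2620:fe::fe" "9.9.9.9" ];
    };
  };

  services.openssh = {
    enable = true;
    # The only account is root with a single authorized key and no password
    # (users are immutable and none is set), so make the key-only policy
    # explicit instead of relying on sshd defaults.
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };
  users.mutableUsers = false;
  users.users.root.openssh.authorizedKeys.keys = [ config.pub-keys.ssh.andromeda ];
  programs.noshell.enable = true;
}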