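{ config, modulesPath, machine, pkgs, ... }:
# NixOS host module: mail server for galaxious.de, with the zone served by a
# local BIND and the ACME certificate obtained via DNS-01 (RFC 2136 dynamic
# updates against that BIND, authenticated with a locally generated TSIG key).
#
# Fixes relative to the previous revision:
#  * the key-generation oneshot referenced "acme-galaxious.de.service", but the
#    cert is named "mail.galaxious.de", so the ACME unit is
#    "acme-mail.galaxious.de.service" — the ordering never applied;
#  * the ACME run is now ordered after bind.service, since lego talks to
#    127.0.0.1:53;
#  * the TSIG key may only touch TXT at the ACME challenge name (update-policy)
#    instead of any record in the zone (allow-update);
#  * /var/lib/secrets is root:named 0750 instead of world-traversable 0755;
#  * secret extraction fails loudly instead of writing an empty TSIG secret;
#  * sshd is explicitly key-only (the implicit default, now pinned).
let
  domain = "galaxious.de";
  mailFqdn = "mail.${domain}";
  acmeUnit = "acme-${mailFqdn}.service";
  tsigKeyName = "rfc2136key.${domain}";
  secretsDir = "/var/lib/secrets";
  dnsKeysFile = "${secretsDir}/dnskeys.conf";
  certsEnvFile = "${secretsDir}/certs.secret";
in
{
  # ---------------------------------------------------------------------------
  # Mail server
  # ---------------------------------------------------------------------------
  mailserver = {
    enable = true;
    stateVersion = 3;
    fqdn = mailFqdn;
    domains = [ domain ];
    # Reuse the ACME cert issued below (cert name == mailserver fqdn).
    x509.useACMEHost = config.mailserver.fqdn;
    loginAccounts = {
      "test@${domain}" = {
        # Password hash is provisioned out of band via agenix; never inline it.
        hashedPasswordFile = builtins.toString config.age.secrets.secret3.path;
      };
    };
  };

  # ---------------------------------------------------------------------------
  # ACME (DNS-01 via RFC 2136 against the local BIND)
  #   systemctl start acme-mail.galaxious.de.service
  #   journalctl -fu acme-mail.galaxious.de.service
  # ---------------------------------------------------------------------------
  security.acme = {
    acceptTerms = true;
    # NOTE(review): "security@example.com" is a placeholder; the CA sends
    # expiry warnings here, so it should be a mailbox someone reads.
    defaults.email = "security@example.com";
    certs.${mailFqdn} = {
      domain = mailFqdn;
      dnsProvider = "rfc2136";
      # Read by systemd (as root) via EnvironmentFile=, so 0400 root:root is fine.
      environmentFile = certsEnvFile;
      # The update goes straight to the authoritative server on 127.0.0.1, so
      # there is nothing to wait for. NOTE(review): the CA still has to reach
      # the public authoritative NS for ${domain}; if that is this host, UDP/TCP
      # 53 must be reachable through the firewall — confirm.
      dnsPropagationCheck = false;
    };
  };

  # lego needs BIND up to perform the update; order the ACME run after it.
  systemd.services."acme-${mailFqdn}" = {
    after = [ "bind.service" ];
    wants = [ "bind.service" ];
  };

  # ---------------------------------------------------------------------------
  # Authoritative DNS
  # ---------------------------------------------------------------------------
  services.bind = {
    enable = true;
    extraConfig = ''
      include "${dnsKeysFile}";
    '';
    zones = [
      rec {
        name = domain;
        file = "/var/db/bind/${name}";
        master = true;
        # Least privilege: the ACME key may only create/delete the TXT record
        # at its own challenge name, not arbitrary records in the zone.
        # For a wildcard cert (*.${domain}) add a second grant for
        # "_acme-challenge.${domain}".
        extraConfig = ''
          update-policy {
            grant ${tsigKeyName} name _acme-challenge.${mailFqdn} TXT;
          };
        '';
      }
    ];
  };

  # One-shot that generates the TSIG key on first boot and derives the lego
  # environment file from it. Runs before BIND (which includes the key file)
  # and before the ACME unit (which needs the environment file).
  systemd.services.dns-rfc2136-conf = {
    requiredBy = [ acmeUnit "bind.service" ];
    before = [ acmeUnit "bind.service" ];
    unitConfig = {
      # Generate once; do not rotate the key on every boot.
      ConditionPathExists = "!${dnsKeysFile}";
    };
    serviceConfig = {
      Type = "oneshot";
      # Octal: new files are created 0600/0700 before we tighten them further.
      UMask = "0077";
    };
    path = [ pkgs.bind ];
    script = ''
      set -euo pipefail

      # root:named 0750 — named only needs to traverse the directory to read
      # its own key file; nothing else on the host needs to look inside.
      install -d -m 750 -o root -g named ${secretsDir}

      tsig-keygen ${tsigKeyName} > ${dnsKeysFile}
      chown named:root ${dnsKeysFile}
      chmod 400 ${dnsKeysFile}

      # tsig-keygen prints:   secret "BASE64==";   — pull out the base64 body.
      secret="$(sed -n 's/^[[:space:]]*secret "\(.*\)";[[:space:]]*$/\1/p' ${dnsKeysFile})"
      if [ -z "$secret" ]; then
        echo "dns-rfc2136-conf: could not extract TSIG secret from ${dnsKeysFile}" >&2
        exit 1
      fi

      # lego's rfc2136 provider; the trailing dot on the algorithm is required.
      cat > ${certsEnvFile} << EOF
      RFC2136_NAMESERVER='127.0.0.1:53'
      RFC2136_TSIG_ALGORITHM='hmac-sha256.'
      RFC2136_TSIG_KEY='${tsigKeyName}'
      RFC2136_TSIG_SECRET='$secret'
      EOF
      chmod 400 ${certsEnvFile}
    '';
  };

  # ---------------------------------------------------------------------------
  # System / boot / network
  # ---------------------------------------------------------------------------
  system.stateVersion = "25.11";
  nix.settings.experimental-features = [ "flakes" "nix-command" ];

  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];

  fileSystems."/" = {
    device = "/dev/sda1";
    fsType = "ext4";
  };
  boot.loader.grub.device = "/dev/sda";
  boot.loader.timeout = 30;
  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
  boot.initrd.kernelModules = [ "nvme" ];
  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;

  networking = {
    useNetworkd = true;
    usePredictableInterfaceNames = true;
    hostName = machine.hostname;
    domain = domain;
  };

  systemd.network = {
    enable = true;
    networks."40-wan" = {
      matchConfig.Name = "enx0050565f4fff";
      address = [ "2a02:c207:2299:8419::1/64" "109.199.104.83/20" ];
      routes = [
        { Gateway = "109.199.96.1"; GatewayOnLink = true; }
        { Gateway = "fe80::1"; }
      ];
      dns = [ "2620:fe::fe" "9.9.9.9" ];
    };
  };

  # ---------------------------------------------------------------------------
  # Access
  # ---------------------------------------------------------------------------
  services.openssh = {
    enable = true;
    settings = {
      # Key-only access. PermitRootLogin "prohibit-password" is the NixOS
      # default; pinned here so a module change cannot silently widen it.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "prohibit-password";
    };
  };
  # No passwords exist on the host: users are declarative and root is key-only.
  users.mutableUsers = false;
  users.users.root.openssh.authorizedKeys.keys = [ config.pub-keys.ssh.andromeda ];
  programs.noshell.enable = true;
}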