{lib, ...}: {
  imports = [
    ./networking.nix # network configuration that just works
    ./hardware.nix
  ];

  vhack = {
    backup = {
      enable = true;
      privateSshKey = ./secrets/backup/backupssh.age;
      privatePassword = ./secrets/backup/backuppass.age;
      user = "u384702-sub4";
    };
    dns = {
      enable = true;
      openFirewall = true;
      interfaces = [
        "92.60.38.179"
        "2a03:4000:33:25b::4f4e"
      ];
      zones = import ../../../zones {inherit lib;};
    };
    fail2ban.enable = true;
    nix-sync = {
      enable = true;
      domains = import ./websites.nix {};
    };
    mastodon = {
      enable = true;
      domain = "mastodon.vhack.eu";
      enableTLD = false;
      tld = "vhack.eu";
      mailPwFile = ./secrets/mastodon/mail.age;
    };
    matrix = {
      enable = true;
      fqdn = "matrix.vhack.eu";
      url = "vhack.eu";
      sharedSecretFile = ./secrets/matrix/passwd.age;
    };
    miniflux = {
      enable = true;
      domain = "miniflux.foss-syndicate.org";
      extraDomains = [
        "rss.foss-syndicate.org"
        "rss.vhack.eu"
        "miniflux.vhack.eu"
      ];
      adminCredentialsFile = ./secrets/miniflux/admin.age;
    };
    murmur = {
      enable = true;
      host = "mumble.vhack.eu";
      name = "vhack";
      url = "vhack.eu";
    };
    nixconfig.enable = true;
    openssh.enable = true;
    peertube = {
      enable = true;
      peertubeGeneral = ./secrets/peertube/general.age;
      smtpPasswordFile = ./secrets/peertube/smtp.age;
    };
    persist = {
      enable = true;
      directories = [
        "/var/log"
      ];
    };
    stalwart-mail = {
      enable = true;
      fqdn = "mail.vhack.eu";
      admin = "admin@vhack.eu";
      security = {
        dkimKeys = let
          loadKey = name: {
            dkimPublicKey = builtins.readFile (./secrets/dkim + "/${name}-public");
            dkimPrivateKeyPath = ./secrets/dkim + "/${name}-private.age";
            keyAlgorithm = "ed25519-sha256";
          };
        in {
          "mail.vhack.eu" = loadKey "mail.vhack.eu";
        };
        verificationMode = "strict";
      };
      openFirewall = true;
      principals = [
        {
          class = "individual";
          name = "soispha";
          secret = "$6$gKPH1mFl8wXllYZh$87vMmcdTu614KTowGSjFze8mn1pB7YBSiId3uWi69Fbdv1.DeKcVNoSdtaCiiWY3tehLvms4trzTnJkmkzIep0";
          email = [
            "soispha@vhack.eu"
            "abuse@vhack.eu"
            "postmaster@vhack.eu"
            "admin@vhack.eu"
          ];
        }
      ];
    };
    postgresql.enable = true;
    rust-motd.enable = true;
    users.enable = true;
  };

  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;
  networking.hostName = "server3";
  networking.domain = "vhack.eu";

  system.stateVersion = "24.11";
}