# Host configuration for the mail VM "kaalut": enables the mathebau mail
# service for the served domains and declares the sops-nix secrets it reads.
{config, ...}: let
  # Runtime path of a decrypted sops secret, looked up by its secret name.
  secretPath = name: config.sops.secrets.${name}.path;

  # A sops secret owned by the stalwart-mail account, with the given file mode.
  stalwartSecret = mode: sopsFile: {
    inherit mode sopsFile;
    owner = "stalwart-mail";
    group = "stalwart-mail";
  };

  # All allowlist passwords come from the same sops file; each secret name
  # below selects its own entry in it.
  allowlistSops = stalwartSecret "0400" ./allowlistPass.yaml;
in {
  imports = [
    ./hardware-configuration.nix
    ../../modules/mail.nix
    ../../roles
    ../../roles/vm.nix
    ../../modules/vmNetwork.nix
  ];

  # System configuration here
  networking.hostName = "kaalut";
  vmNetwork.ipv4 = "192.168.0.17";
  system.stateVersion = "24.05";

  services.mathebau-mail = {
    enable = true;

    # Fallback-administrator credential in the form sent in the HTTP Basic
    # auth header. That encoding is reversible, so the file is equivalent to
    # the plaintext password and is only ever referenced by path here.
    stalwartAdmin = secretPath "stalwartAdmin";

    # see passwd on azathoth for plaintext or machine secret in encoded format for HTTP Basic AUTH
    # NOTE(review): unlike the sops-managed values, this hash is a literal in
    # the configuration, so it is readable by anyone who can read the
    # repository or the Nix store. Offline-guessing resistance therefore rests
    # on the password strength and on the parameters visible in the string
    # (argon2i, m=4096 KiB, t=3, p=1), which are low by current guidance.
    # Re-hashing with argon2id and a higher memory cost looks worthwhile;
    # confirm that the mail module accepts that format first.
    stalwartAdminHash = "$argon2i$v=19$m=4096,t=3,p=1$d0hYOTkzclpzSmFTZUplWnhVeWE$I7q9uB19RWL0oZKaPlMPSlGfFp6FQ/vrx80FFKCsalg";

    domains = [
      # lists.mathebau.de is forwarded to another VM and does not need to be listed here.
      {
        domain = "matheball.de";
        allowlistPass = secretPath "allowlistPass/matheball";
      }
      {
        domain = "mathebau.de";
        allowlistPass = secretPath "allowlistPass/mathebau";
        virt_aliases = secretPath "mathebau.aliases";
      }
      {
        domain = "mathechor.de";
        allowlistPass = secretPath "allowlistPass/mathechor";
        virt_aliases = secretPath "mathechor.aliases";
      }
      {
        domain = "koma89.tu-darmstadt.de";
        allowlistPass = secretPath "allowlistPass/koma";
        virt_aliases = secretPath "koma.aliases";
      }
    ];
  };

  sops.secrets = {
    # Password for the HRZ API that gets a list of mailaddresses that we serve
    "allowlistPass/matheball" = allowlistSops;
    "allowlistPass/mathebau" = allowlistSops;
    "allowlistPass/mathechor" = allowlistSops;
    "allowlistPass/koma" = allowlistSops;

    # Virtual alias file
    # NOTE(review): these are group-readable (0440) while every other secret
    # here is 0400; confirm that membership of the stalwart-mail group is
    # limited to accounts that should be able to read the alias tables.
    "mathebau.aliases" = stalwartSecret "0440" ./mathebau.aliases.yaml;
    "mathechor.aliases" = stalwartSecret "0440" ./mathechor.aliases.yaml;
    "koma.aliases" = stalwartSecret "0440" ./koma.aliases.yaml;

    # password for https://stalw.art/docs/auth/authorization/administrator/#fallback-administrator
    # encoded to be supplied in the basic auth header
    stalwartAdmin = stalwartSecret "0400" ./stalwartAdmin.yaml;

    # Backup key, readable by root only.
    backupKey = {
      sopsFile = ./backupKey.yaml;
      owner = "root";
      group = "root";
      mode = "0400";
    };
  };
}