diff --git a/nixos/modules/mail.nix b/nixos/modules/mail.nix
index 54644bd..4d7f950 100644
--- a/nixos/modules/mail.nix
+++ b/nixos/modules/mail.nix
@@ -24,18 +24,18 @@
 mkEnableOption
 mkOption
 ;
- inherit (lib.types) listOf strMatching str path;
+ inherit (lib.types) listOf strMatching nonEmptyStr path;
 cfg = config.services.mathebau-mail;
 in {
 options.services.mathebau-mail = {
 enable = mkEnableOption "mathebau mail service";
 stalwartAdmin = mkOption {
 type = path;
- description = "Path to a file that contains the stalwart fallback admin password encoded for HTTP Basic Auth";
+ description = "Path to a file that contains the stalwart fallback admin password encoded for HTTP Basic Auth. Update together with the stalwartAdminHash and the pass store.";
 };
 stalwartAdminHash = mkOption {
- type = str;
- description = "String containing the hashed fallback admin password";
+ type = nonEmptyStr;
+ description = "String containing the hashed fallback admin password. Update together with the stalwartAdmin setting and the pass store.";
 };
 domains = mkOption {
 type = listOf (lib.types.submodule {
@@ -98,6 +98,7 @@ in {
 domains = ["fb04184.mathematik.tu-darmstadt.de" "imap.mathebau.de" "smtp.mathebau.de"];
 default = true;
 };
+ # Reevaluate after DKIM and DMARC deployment
 spam.header.is-spam = "Dummyheader"; # disable moving to spam which would conflict with forwarding
 auth = {
 # TODO check if HRZ conforms to these standards and we can validate them strictly
@@ -162,6 +163,7 @@ in {
 # We here define what comes from the TOML-file and especially add "sieve.trusted.scripts.*" to the default ones
 # because only TOML-based keys may use macros to load files from disk.
 # We want this to be able to load our sieve-script for mail forwarding.
+ # See https://stalw.art/docs/configuration/overview/#local-and-database-settings for more details.
 config.local-keys = [
 "store.*"
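Review bot: `nonEmptyStr` on `stalwartAdminHash` only rejects the empty string, so a plaintext password pasted in place of the hash still evaluates, and like every other option value it ends up in the world-readable Nix store on the host. If the hash format stalwart expects is fixed, `strMatching` (inherited on the same line) can pin it at eval time, e.g. `type = strMatching "<hash-format-regex>";`, which would also catch the pasted-plaintext case. The description should say that this value is world-readable so only a properly salted hash belongs here, in contrast to `stalwartAdmin`, which keeps the secret in a file outside the store. The `let` binding list and the `options` attribute set these lines belong to start before the hunk.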
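Review bot: The added `# Reevaluate after DKIM and DMARC deployment` comment says when to revisit `spam.header.is-spam = "Dummyheader"` but not what the revisit should decide, so a later reader cannot tell whether the dummy header is expected to go away or only to be reconsidered. The trailing comment on that line already gives the reason (moving to spam conflicts with forwarding); folding both into one sentence makes the intent explicit, e.g. `# Dummy header so spam is not moved to the Junk folder, which would break forwarding; once DKIM and DMARC are deployed, decide whether the real header and the spam folder can be restored.`. The `spam` settings attribute set this line sits in starts before the hunk.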
@@ -226,6 +228,7 @@ in {
 }: ''
 echo "process ${domain}"
 # This line gets the available mailboxes from stalwart's Rest API, searches for their addresses and collects them to a file for submission.
+ # The regex searches for alphanumerics combined with some special characters as local paths and the right domain.
 ${pkgs.curl}/bin/curl -s --header "authorization: Basic $(<${cfg.stalwartAdmin})" http://localhost/api/principal | ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" | tee /tmp/addresses
 # This line searches for available redirects and adds them to the submission file.
 ${pkgs.gnugrep}/bin/grep -o -e "[A-Za-z0-9.!#\$%&'*+-/=?^_{|}~]*@${domain}" /tmp/virt_aliases >> /tmp/addresses # This doesn't catch all RFC conform local parts. Improve if you need.
@@ -260,6 +263,7 @@ in {
 RestrictSUIDSGID = true;
 };
 };
+ # This service is defined by the nixpkgs stalwart module and we only modify it.
 "stalwart-mail" = {
 restartTriggers = lib.attrsets.mapAttrsToList (_: aliaslist: aliaslist.sopsFile) config.sops.secrets; # restart if secrets, especially alias files, have changed.
 serviceConfig.PrivateTmp = lib.mkForce false; # enable access to generated Sieve script
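Review bot: The `curl` line directly below the new comment expands the Basic-auth credential into a command-line argument via `--header "authorization: Basic $(<${cfg.stalwartAdmin})"`, so for the lifetime of the process it is readable by other local users through the process list (unless /proc is mounted with hidepid); passing it through curl's config-on-stdin keeps it out of argv without changing the secret file's format: `printf 'header = "authorization: Basic %s"\n' "$(<${cfg.stalwartAdmin})" | ${pkgs.curl}/bin/curl -s -K - http://localhost/api/principal | ...`. The new comment also says `local paths` where the mail term is `local parts`, and `+-/` inside the bracket expression is a range, so the class additionally admits `,`, which the existing `# This doesn't catch all RFC conform local parts` remark on the last line does not mention; suggest `# The regex matches alphanumerics plus a set of special characters as the local part ('+-/' is a range and also admits ','), followed by the right domain.`. The function producing this script (`}: ''`) is entered before the hunk and its string continues after it.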
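Review bot: The added comment explains whose unit this is but not why its hardening is relaxed on the `serviceConfig.PrivateTmp = lib.mkForce false` line two lines below; dropping PrivateTmp gives the mail daemon the shared `/tmp`, where the address collector in this module already writes fixed paths such as `/tmp/addresses`, so a predictable-path collision there now reaches the daemon as well. If the generated Sieve script only needs to be shared between its generator and this unit, a `RuntimeDirectory` or `StateDirectory` common to both would let the nixpkgs default PrivateTmp stand; if the override is deliberate, the comment should record the trade-off, e.g. `# PrivateTmp is forced off so this unit can read the Sieve script that <generator unit> writes under /tmp; move the script to a shared state directory to restore the default.`. The `systemd.services` attribute set these entries belong to starts before the hunk and continues after it.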