diff --git a/machines/CDServer/options.nix b/machines/CDServer/options.nix
index 461deca..e826b61 100644
--- a/machines/CDServer/options.nix
+++ b/machines/CDServer/options.nix
@@ -1,36 +1,51 @@
-{ lib, ... }:
+{ config, lib, ... }:
 with lib;
-{
- imports = [
- ../../options/machine.nix
+let
+ cfg = config.machine;
+in {
+ imports = [
+ ../../options/machine.nix
+ ../../options/mailman3/options.nix
 ];
- config.machine = {
+ config.machine = rec {
 hostName = "CDServer";
- administrators = [ { name = "derped"; id = 1337; } ];
- allowUnfree = true;
+ domain = "countdown-dresden.de";
+ extraDomains = [ "iz-ev.de" "clubduererstrasse.de" ];
+ administrators = [
+ { name = "kevin"; id = 1337; }
+ { name = "reinhold"; id= 1000; }
+ ];
+ mailAccounts = import "${cfg.secretPath}/mailAccounts.nix";
+ allowUnfree = false;
 conffiles = [
 "etcvars"
-# "security"
+ "security"
 "zsh"
 ];
 pkgs = [
 "base"
- "emacs"
 "server"
 ];
 services = [
- "docker"
-# "fail2ban"
-# "gitea"
-# "mailserver"
- "cd-internes"
+ "fail2ban"
+ "gitea"
+ "mailserver"
 "mariaDB"
+ "nextcloud"
 "nginx"
 "openssh"
+# "cd-internes"
+# "docker"
 ];
+ vHosts = (flatten (map (base: [
+ { domain = base; service = "simple"; }
+ { domain = "storage.${base}"; service = "nextcloud"; }
+ { domain = "mail.${base}"; service = "mail"; }
+ { domain = "git.${base}"; service = "gitea"; }
+ ]) ([ domain ] ++ extraDomains)));
 firewall = {
 enable = true;
 allowPing = false;
@@ -38,4 +53,22 @@ with lib;
 allowedTCPPorts = [ 80 443 ];
 };
 };
+ config.services.mailman3 = {
+ enable = true;
+ site_owner = "derped@ophanim.de";
+ database = {
+ type = "mysql";
+ name = "mailman3";
+ user = "mailman3";
+ host = "localhost";
+ port = 3306;
+ passwordFile = "${cfg.secretPath}/mailman3_db";
+ };
+ mta = {
+ lmtp_host = "mail.ophanim.de";
+ smtp_host = "mail.ophanim.de";
+ smtp_user = "mailman3";
+ smtp_passFile = "${cfg.secretPath}/mailman3_mail";
+ };
+ };
 }
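Review bot: `mailAccounts = import "${cfg.secretPath}/mailAccounts.nix";` reads the secret directory at evaluation time, so whoever evaluates this configuration (a deploy host or CI) must be able to read that file, and if `machine.secretPath` is declared as a path rather than a string the interpolation copies the whole secret directory into the world-readable Nix store — the option's type is not in this diff, so it is worth confirming. Writing `import "${toString cfg.secretPath}/mailAccounts.nix"` keeps the eval-time read without the store copy when `secretPath` is a path literal. On style, `{ name = "reinhold"; id= 1000; }` should be spaced like the kevin entry above it, `{ name = "reinhold"; id = 1000; }`; 1000 is also the first uid NixOS hands out automatically to normal users, so, assuming `id` becomes the user's uid as the kevin entry suggests, a value further from that range reduces the chance of a clash with a user created without an explicit id.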
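Review bot: The new `config.services.mailman3` block points `lmtp_host` and `smtp_host` at `mail.ophanim.de` and `site_owner` at `derped@ophanim.de`, which is the Ophanim machine's block copied verbatim, while this same file now enables `"mailserver"` with a `mail.countdown-dresden.de` vHost and keeps the database on `localhost`. If Mailman on CDServer is meant to use the local mail server these should read `lmtp_host = "mail.${cfg.domain}";` and `smtp_host = "mail.${cfg.domain}";` (the block sits outside the `rec` set, so `domain` has to come through `cfg`) with a local `site_owner`; if relaying through Ophanim is intended, that host must carry a `mailman3` login for `smtp_user`, the LMTP side would have to accept non-loopback connections, and a one-line comment should say so. In the relay case `smtp_passFile` is a cross-host credential, which matters for who can rotate it.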
diff --git a/machines/Ophanim/options.nix b/machines/Ophanim/options.nix
index 4920405..21366db 100644
--- a/machines/Ophanim/options.nix
+++ b/machines/Ophanim/options.nix
@@ -1,18 +1,20 @@
-{ lib, ... }:
+{ config, lib, ... }:
 with lib;
-{
- imports = [
- ../../options/machine.nix
+let
+ cfg = config.machine;
+in {
+ imports = [
+ ../../options/machine.nix
 ../../options/mailman3/options.nix
 ];
 config.machine = rec {
 hostName = "Ophanim";
+ domain = "ophanim.de";
 administrators = [ { name = "derped"; id = 1337; } ];
 mailAccounts = [
 { name = "derped"; aliases = [ "postmaster" ]; }
 { name = "mailman3"; aliases = []; }
 ];
- domain = "ophanim.de";
 allowUnfree = true;
 conffiles = [
 "etcvars"
@@ -32,7 +34,6 @@ with lib;
 "nextcloud"
 "nginx"
 "openssh"
- "webblog"
 ];
 vHosts = (let base = domain; in [
 { domain = base; service = "simple"; }
@@ -58,13 +59,13 @@ with lib;
 user = "mailman3";
 host = "localhost";
 port = 3306;
- passwordFile = "/secret/mailman3_db";
+ passwordFile = "${cfg.secretPath}/mailman3_db";
 };
 mta = {
 lmtp_host = "mail.ophanim.de";
 smtp_host = "mail.ophanim.de";
 smtp_user = "mailman3";
- smtp_passFile = "/secret/mailman3_mail";
+ smtp_passFile = "${cfg.secretPath}/mailman3_mail";
 };
 };
 }
diff --git a/options/machine.nix b/options/machine.nix
index 8f0030e..a240635 100644
--- a/options/machine.nix
+++ b/options/machine.nix
@@ -4,26 +4,23 @@ with lib;
 {
 options.machine = {
- allowUnfree = mkOption {
- type = types.bool;
- description = ''
- Wether to allow the installation of unfree packages.
- '';
- };
 pkgs = mkOption {
 type = types.listOf types.str;
+ default = [ "base" ];
 description = ''
 The list of metapackages to be installed.
 '';
 };
 services = mkOption {
 type = types.listOf types.str;
+ default = [];
 description = ''
 List of services to be enabled.
 '';
 };
 conffiles = mkOption {
 type = types.listOf types.str;
+ default = [ "zsh" ];
 description = ''
 List of configuration files to be enabled.
 '';
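Review bot: `passwordFile = "${cfg.secretPath}/mailman3_db";` and the matching `smtp_passFile` replace a plain string path with an interpolation of `machine.secretPath`; these files are read by the Mailman module at runtime, so they must stay outside the Nix store, but if `secretPath` is declared with `types.path` (its declaration is not in this diff) and assigned a path literal, the interpolation copies the directory into the world-readable store and the resulting string points there. Declaring `secretPath` as `types.str`, or writing `passwordFile = "${toString cfg.secretPath}/mailman3_db";`, preserves the on-disk semantics the old hard-coded `/secret/...` values had. A short comment on `secretPath` stating that it must never be a store path would protect every consumer of it at once.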
@@ -54,14 +51,23 @@ with lib;
 The Machines domain name.
 '';
 };
+ extraDomains = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = ''
+ Extra domains used in various services.
+ '';
+ };
 mailAccounts = mkOption {
 type = types.listOf types.attrs;
+ default = [];
 description = ''
 List of mail account user names.
 '';
 };
 vHosts = mkOption {
 type = types.listOf types.attrs;
+ default = [];
 description = ''
 Domain - Service mappings for nginx vHost config.
 '';
@@ -74,5 +80,8 @@ with lib;
 '';
 };
 };
- imports = [(mkAliasOptionModule [ "machine" "firewall" ] [ "networking" "firewall" ])];
+ imports = [
+ (mkAliasOptionModule [ "machine" "firewall" ] [ "networking" "firewall" ])
+ (mkAliasOptionModule [ "machine" "allowUnfree" ] [ "nixpkgs" "config" "allowUnfree" ])
+ ];
 }
diff --git a/services/mailserver.nix b/services/mailserver.nix
index 64559c7..debe831 100644
--- a/services/mailserver.nix
+++ b/services/mailserver.nix
@@ -5,20 +5,23 @@ with lib;
 mkIf (elem "mailserver" config.machine.services) {
 mailserver = let
 cfg = config.machine;
- domain = config.machine.domain;
+ domain = cfg.domain;
 fdomain = (findFirst (s: s.service == "mail") cfg cfg.vHosts).domain;
 mkFqdnAlias = name: [ "${name}@${domain}" "${name}@${fdomain}" ];
+ mkExDomAlias = name: (map (exDom: "${name}@${exDom}") cfg.extraDomains);
 mkUser = user: rec {
 name = "${user.name}@${domain}";
 value = {
 hashedPassword = (fileContents "${cfg.secretPath}/${user.name}.mail");
- aliases = [ "${user.name}@${fdomain}" ] ++ (flatten (map mkFqdnAlias user.aliases));
+ aliases = [ "${user.name}@${fdomain}" ]
+ ++ (flatten (map mkFqdnAlias user.aliases))
+ ++ (flatten (map mkExDomAlias ([ user.name ] ++ user.aliases)));
 };
 };
 in rec {
 enable = true;
 fqdn = fdomain;
- domains = [ fdomain domain ];
+ domains = ([ fdomain domain ] ++ cfg.extraDomains);
 loginAccounts = listToAttrs (map mkUser cfg.mailAccounts);
 # Use Let's Encrypt certificates. Note that this needs to set up a stripped
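Review bot: `mailAccounts` and `vHosts` keep `types.listOf types.attrs`, so any attrset passes the option check, and `services/mailserver.nix` then dereferences `user.name`, `user.aliases`, `s.service` and `s.domain` unchecked; an account without an `aliases` key fails with an attribute-missing error inside that file rather than at the option that owns the data. A submodule type validates the shape where it is declared and lets `aliases` default to `[]`; the same treatment fits `vHosts` (`domain` and `service` as `types.str`). The `extraDomains` description, `Extra domains used in various services.`, could name the consumers, since adding a domain there changes the mail server's accepted domains, Nextcloud's trusted domains and the generated vHosts.
```nix
    mailAccounts = mkOption {
      type = types.listOf (types.submodule {
        options = {
          name = mkOption {
            type = types.str;
            description = "Local part of the account; also names the secret file holding its password hash.";
          };
          aliases = mkOption {
            type = types.listOf types.str;
            default = [];
            description = "Additional local parts delivered to this account.";
          };
        };
      });
      default = [];
      description = ''
        List of mail accounts, each with a name and optional aliases.
      '';
    };
    # … unchanged: vHosts option …
```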
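Review bot: `(mkAliasOptionModule [ "machine" "allowUnfree" ] [ "nixpkgs" "config" "allowUnfree" ])` targets a key inside the `nixpkgs.config` option rather than a declared option, unlike the `networking.firewall` alias beside it; whether that resolves depends on the nixpkgs revision, since I believe newer `doRename` implementations look up the target option to copy its type and would find none here, and even where it works the alias drops the `types.bool` check the removed `allowUnfree` declaration provided. Keeping a real declaration and forwarding it explicitly is version-independent: `allowUnfree = mkOption { type = types.bool; default = false; description = "Whether to allow the installation of unfree packages."; };` under `options.machine`, plus `config.nixpkgs.config.allowUnfree = config.machine.allowUnfree;`. The `default = false` also gives CDServer's now-explicit `allowUnfree = false;` a documented baseline.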
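Review bot: `mkExDomAlias` is applied to `[ user.name ] ++ user.aliases` for every account, so each mailbox unconditionally claims its local part and all of its aliases on every extra domain; whichever account lists a name first owns it on all domains, and there is no way to deliver, say, `info@` on one extra domain to a different mailbox than on the primary. Making the fan-out per account keeps today's behaviour as the default while leaving an escape hatch: `mkExDomAlias = user: name: map (exDom: "${name}@${exDom}") (user.extraDomains or cfg.extraDomains);` and `++ (flatten (map (mkExDomAlias user) ([ user.name ] ++ user.aliases)));`. `domains` would also benefit from `unique`, since an `extraDomains` entry equal to `domain` would list it twice. Adjacent but unchanged: `hashedPassword` is filled via `fileContents`, which embeds every password hash in the world-readable Nix store at evaluation time, so the `.mail` files are not secrets once built; if the mail server module in use offers a file-based variant of that option it is the safer choice.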
diff --git a/services/nextcloud.nix b/services/nextcloud.nix
index ee7a9cc..0307cb2 100644
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@@ -23,6 +23,7 @@ mkIf (elem "nextcloud" config.machine.services) {
 dbpassFile = "${cfg.secretPath}/nextcloud_db";
 dbname = "nextcloud";
 dbtableprefix = "oc_";
+ extraTrustedDomains = cfg.extraDomains;
 };
 caching = {
 apcu = true;
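Review bot: `extraTrustedDomains = cfg.extraDomains;` adds the bare extra domains (`iz-ev.de`, `clubduererstrasse.de` on CDServer) to Nextcloud's trusted_domains, but the vHost generator in `machines/CDServer/options.nix` serves Nextcloud under `storage.${base}`, so the Host header Nextcloud actually sees is `storage.iz-ev.de`, which stays untrusted, while the apex is trusted without any vHost behind it. Deriving the list from the vHosts mapped to this service keeps the two in step: `extraTrustedDomains = map (v: v.domain) (filter (v: v.service == "nextcloud") cfg.vHosts);` (this may repeat the primary host name, which the trusted_domains array tolerates). Whether Ophanim's vHost list follows the same `storage.` pattern is not visible in this diff, so that should be checked before switching.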