# Host definition for "Ophanim": fills in the `config.machine` attribute set
# (identity, admins, mail accounts, packages, services, vHosts, firewall).
{ config, lib, ... }:

with lib;

let
  # NOTE(review): `cfg` is not referenced anywhere in this expression.
  cfg = config.machine;

  # Base domain, bound once here so `machine.domain` and every vHost share it
  # (the same literal the original reached through a `rec` attribute set).
  baseDomain = "ophanim.de";

  # "<label>.<baseDomain>" for a sub-site.
  subdomain = label: "${label}.${baseDomain}";
in
{
  config.machine = {
    hostName = "Ophanim";
    domain = baseDomain;

    # Accounts with administrative access.
    # NOTE(review): `id` is presumably the numeric uid; confirm against the
    # module that consumes `machine.administrators`.
    administrators = [
      { name = "derped"; id = 1337; }
    ];

    # Mailboxes and the extra local parts delivered to each of them.
    mailAccounts = [
      { name = "derped"; aliases = [ "postmaster" "baensch" ]; }
      { name = "august"; aliases = [ ]; }
    ];

    # NOTE(review): presumably forwarded to nixpkgs' allowUnfree; that permits
    # packages which usually cannot be rebuilt or audited from source. Confirm
    # a server profile actually needs it.
    allowUnfree = true;

    conffiles = [ "etcvars" "security" "zsh" ];

    pkgs = [
      "base"
      "server"
      "nvim"
      "nvim::cmp"
      "nvim::fugitive"
      "nvim::harpoon"
      "nvim::kanagawa-nvim"
      "nvim::lsp"
      "nvim::lsp::bash"
      "nvim::lsp::nix-nil"
      "nvim::lsp::python"
      "nvim::lualine"
      "nvim::nvim-highlight"
      "nvim::telescope"
      "nvim::tmux-navigate"
      "nvim::treesitter"
      "nvim::trim"
      "nvim::undotree"
    ];

    services = [
      "acme"
      "btrbk"
      "btrfs"
      "fail2ban"
      "forgejo"
      "impermanence"
      "mailserver"
      "mariaDB"
      "nginx"
      "openssh"
      "radicale"
      "tmux"
      # TODO: re-add services
      # "tandoor"
      # "tt-rss"
    ];

    # One entry per served name; `service` names the backend behind it.
    vHosts = [
      { domain = baseDomain; service = "simple"; }
      { domain = subdomain "cal"; service = "radicale"; }
      { domain = subdomain "mail"; service = "mail"; }
      { domain = subdomain "git"; service = "forgejo"; }
      # {
      #   domain = "food.${base}";
      #   service = "tandoor";
      # }
      # {
      #   domain = "feed.${base}";
      #   service = "tt-rss";
      # }
    ];

    firewall.enable = true;
    firewall.allowPing = false;

    # NOTE(review): 22 and 80 are opened for UDP, yet SSH and plain HTTP are
    # TCP protocols; 443/udp is only useful if nginx serves HTTP/3 (QUIC).
    # This looks like a copy of a TCP list. Confirm, and trim it to what
    # actually listens.
    firewall.allowedUDPPorts = [ 22 80 443 ];

    # NOTE(review): 22/tcp and the mail ports are not listed here although
    # "openssh" and "mailserver" are enabled above; presumably those service
    # modules open their own ports. Verify, so that exposure is not decided
    # implicitly.
    firewall.allowedTCPPorts = [ 80 443 ];
  };
}