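# Local test-VM wrapper around ./configuration.nix.  This file only evaluates
# to `nixos.vm` (the VM build of the combined configuration), so the settings
# below are VM-specific overrides: throwaway logins, a dummy ACME endpoint and
# hosts/firewall entries that keep the VM from contacting the public services
# the real host talks to.  None of these values belong in ./configuration.nix.
let

  configuration = { config, pkgs, ... }: {
    imports = [ ./configuration.nix ];

    # Throwaway logins for the VM image only (not used by the real host).
    # Both accounts are set through `users.users`; the previous `extraUsers`
    # spelling for gebner was the legacy alias of the same option, and mixing
    # the two paths in one file made the two lines look unrelated.
    users.users.gebner.password = "password";
    users.users.root.password = "";

    boot.enableContainers = true;

    # One-shot unit that creates the gitea data directory before any of the
    # listed services start.  `before = wantedBy` reuses the same list so the
    # ordering constraint and the pull-in cannot drift apart.
    systemd.services.setupVM = rec {
      wantedBy = [ "gitea.service" "dovecot2.service" "nginx.service" ];
      before = wantedBy;
      serviceConfig = {
        Type = "oneshot";
        # Keep the unit active after the script returns so the services
        # ordered after it see it as started rather than re-running it.
        RemainAfterExit = "yes";
      };
      script = ''
        mkdir -p /srv/git.gebner.org
        chown gitea:gitea -R /srv/git.gebner.org
      '';
    };

    # Inspection/debugging tools installed only in the VM.
    environment.systemPackages = with pkgs; [
      elinks
      carddav-util
      fcgi
      wstunnel
      sqlite-interactive
    ];

    # Point the ACME module at a local dummy endpoint so the VM never issues
    # certificate requests to the real CA.
    security.acme.server = "http://localhost";

    # Resolve every served domain to the VM itself, and pin the Let's Encrypt
    # API name to a loopback address as a second guard against real ACME
    # traffic (in addition to `security.acme.server` above).
    networking.extraHosts = ''
      127.0.0.1 gebner.org www.gebner.org reader.gebner.org git.gebner.org mail.gebner.org radicale.gebner.org gabrielebner.at

      # disable letsencrypt
      127.0.0.111 acme-v01.api.letsencrypt.org
    '';

    # Reject outbound packets to the host the inline comment identifies as the
    # HE DNS notification target, so nothing done inside the VM is announced
    # to it.  Only this single address is blocked; other egress is untouched.
    networking.firewall.extraCommands = ''
      # disable HE dns notification
      iptables -A OUTPUT -d 216.218.130.2 -j REJECT
    '';
  };

  # Evaluate the NixOS module set with the VM overrides layered on top of the
  # real configuration.
  nixos = import <nixpkgs/nixos> { configuration = configuration; };

in nixos.vm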