let

  configuration = { config, pkgs, ... }: {
    imports = [ ./configuration.nix ];

    users.extraUsers.gebner.password = "";
    users.users.root.password = "";

    boot.enableContainers = true;

    systemd.services.createSSLKeys = {
      path = [ pkgs.easyrsa ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = "yes";
      };
      script = ''
rm -rf /etc/sslcerts
mkdir -p /etc/sslcerts
cd /etc/sslcerts

easyrsa-init
easyrsa init-pki
easyrsa --batch --req-cn=testing.gebner.org build-ca nopass
easyrsa --req-cn=gebner.org build-server-full gebner_org nopass

cat pki/issued/gebner_org.crt pki/ca.crt >fullchain.pem
cp pki/private/gebner_org.key key.pem
cp key.pem key-dovecot.pem && chown dovecot2 key-dovecot.pem
      '';
    };

    systemd.services.setupVM = rec {
      wantedBy = [ "gogs.service" "dovecot2.service" "nginx.service" ];
      before = wantedBy;
      wants = [ "createSSLKeys.service" ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = "yes";
      };
      script = ''
        mkdir -p /srv/git.gebner.org
        chown git:git -R /srv/git.gebner.org
      '';
    };

    environment.systemPackages = with pkgs; [ elinks ];
  };

  nixos = import <nixpkgs/nixos> { configuration = configuration; };

in nixos.vm