{ ... }:
{
  boot.loader.grub = {
    enable = true;
    device = "/dev/vda";
  };

  networking = {
    hostName = "mail-1";
    useDHCP = true;
    defaultGateway = {
      address = "172.16.50.1";
      interface = "wg0";
    };
    interfaces.enp6s18.ipv4 = {
      routes = [
        {
          address = "10.201.0.0";
          prefixLength = 16;
          via = "10.202.41.1";
        }
        {
          address = "10.202.0.0";
          prefixLength = 16;
          via = "10.202.41.1";
        }
        {
          address = "172.21.87.0"; # management VPN
          prefixLength = 24;
          via = "10.202.41.1";
        }
        {
          address = "217.160.117.160"; # 
          prefixLength = 32;
          via = "10.202.41.1";
        }
      ];
    };
    wireguard = {
      enable = true;
      interfaces.wg0 = {
        ips = [
          "172.16.50.2/24"
        ];
        peers = [
          {
            name = "lifeline";
            publicKey = "g3xZ5oJCbPtzYDPTVAS400FDw6kirGR+7300bwiZDUY=";
            presharedKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-psk.secret";
            endpoint = "lifeline.io.grzb.de:51820";
            allowedIPs = [ "0.0.0.0/0" ];
            persistentKeepalive = 25;
          }
        ];
        privateKeyFile = "/secrets/wireguard-lifeline-mail-1-mail-1-privatekey.secret";
      };
    };
  };

  system.stateVersion = "23.05";
}