{ ... }:
{
  boot.loader.grub = {
    enable = true;
    device = "/dev/vda";
  };

  networking = {
    hostName = "mail-1";
    useDHCP = true;
    defaultGateway = {
      address = "172.16.50.1";
      interface = "wg0";
    };
    interfaces.enp6s18.ipv4 = {
      routes = [
        {
          address = "10.201.0.0";
          prefixLength = 16;
          via = "10.202.41.1";
        }
        {
          address = "10.202.0.0";
          prefixLength = 16;
          via = "10.202.41.1";
        }
        {
          address = "172.21.87.0"; # management VPN
          prefixLength = 24;
          via = "10.202.41.1";
        }
        {
          address = "212.53.203.19"; # valkyrie.af.grzb.de
          prefixLength = 32;
          via = "10.202.41.1";
        }
      ];
    };
    wireguard = {
      enable = true;
      interfaces.wg0 = {
        ips = [
          "172.16.50.2/24"
        ];
        peers = [
          {
            name = "valkyrie";
            publicKey = "ik480irMZtGBs1AFpf1KGzDBekjdziD3ck7XK8r1WXQ=";
            presharedKeyFile = "/secrets/wireguard-valkyrie-mail-1-mail-1-psk.secret";
            endpoint = "212.53.203.19:51821";
            allowedIPs = [ "0.0.0.0/0" ];
            persistentKeepalive = 25;
          }
        ];
        privateKeyFile = "/secrets/wireguard-mail-1-wg0-privatekey.secret";
      };
    };
  };

  system.stateVersion = "23.05";
}