{ hostRegistry, lib, pkgs, ... }:
{
  c3d2 = {
    isInHq = true;
    hq.interface = "eth0";
  };
  networking.hostName = "matemat";
  networking.useNetworkd = true;
  networking.interfaces.eth0 = {
    ipv4.addresses = [{
      address = hostRegistry.hosts.matemat.ip4;
      prefixLength = 26;
    }];
  };
  networking.defaultGateway = "172.20.73.1";
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.yammat.enable = true;

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts."matemat.hq.c3d2.de" = {
      default = true;
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://localhost:3000";
        extraConfig = ''
          satisfy any;
          auth_basic secured;
          auth_basic_user_file ${pkgs.matemat-auth};
          allow 2a00:8180:2c00:200::/56;
          allow 172.22.99.0/24;
          allow 172.20.72.0/21;
          deny all;
        '';
      };
    };
  };

  services.ssmtp = {
    enable = true;
    root = "nek0@c3d2.de";
    useTLS = true;
    useSTARTTLS = true;
    hostName = "mail.c3d2.de:587";
    domain = "matemat.hq.c3d2.de";
    settings = {
      hostname = "matemat.hq.c3d2.de";
    };
  };
}