{dns, ...}: let
  domain = "ruject.fun";
  database = {
    host = "127.0.0.1";
    port = 5432;
  };
  ipv4 = "94.156.112.0";
in {
  services.nginx.enable = true;
  machine = {
    gateway = "10.0.0.1";
    inherit ipv4;
    bind = {
      enable = true;
      inherit domain;
      zones = with dns.lib.combinators; {
        ${domain} = {
          SOA = {
            nameServer = "ns1";
            adminEmail = "hostmaster";
            serial = 2019030800;
            refresh = 3 * 60 * 60; # 3 hours
            retry = 1 * 60 * 60; # 1 hour
            expire = 7 * 24 * 60 * 60; # 7 days
          };
          useOrigin = false;
          NS = [
            "ns1"
            "ns2"
          ];

          A = [ipv4];

          subdomains = rec {
            ns1 = host ipv4 null;
            ns2 = ns1;
            "3x-ui" = ns1;
            "sub.3x-ui" = ns1;
            git = ns1;
            music = ns1;
            bitwarden = ns1;
            roundcube = ns1;
            status = ns1;
            irc = ns1;
            "upload.irc" = ns1;
            nextcloud = ns1;
            code = ns1;
            mail = ns1;
            matrix = ns1;
            chat = ns1;
            turn = ns1;
          };

          TXT = [
            (with spf; strict ["a:mail.ruject.fun"])
          ];

          MX = with mx; [(mx 10 "mail.ruject.fun.")];

          DMARC = [
            {
              p = "quarantine";
              adkim = "strict";
              aspf = "strict";
            }
          ];
          DKIM = [
            {
              selector = "mail";
              k = "rsa";
              p = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0L14rM/ObA5WwVlPpCMiy3ESOhqo9Ye0edtc52sjt+YxJxpDgT1oo1yCdoXWbF38/f2RfqgmBCKg0+N9YQFsAL8FbBcAlkERXbt52T/5A5gBkfUnwB1I646WQdT43JsCWiSYgDc4IcVM/tG8Quj/oKois+b8W6dco6NWLET7bBcnBCEfJYL7TLnG+O83poB+gHef3g0WqwMMqXqbgvJutGb4uevJ327Ywa77fcUp7oYrMvgz6ESmetgmsizTwJadwuXC2k4E50ZmlM3tdjpisQgaUImJBqEa311SXfkhD9AbKjfp5tmOjinPMZwqVM09GFkIn89X7U6LDykh85zBNwIDAQAB";
            }
          ];
        };
      };
    };
    code-server = {
      enable = true;
      port = 4444;
      domain = "code.${domain}";
      user = "rus07tam";
      hashedPassword = "$argon2i$v=19$m=4096,t=3,p=1$Z29zNjNOalFobUwyak1YY3pwYlYwL0IrN053PQ$hmRE46O8UM9zTgINjt5/xn35xypU+MMxNNq1r7xPXqo";
    };
    coturn = {
      enable = true;
      startPort = 49000;
      endPort = 50000;
      realm = "turn.${domain}";
    };
    forgejo = {
      enable = true;
      enableRunner = true;
      domain = "git.${domain}";
      port = 3000;
      inherit database;
    };
    mail = {
      enable = true;
      inherit domain;
      fqdn = "mail.${domain}";
    };
    minecraft-server = {
      enable = false;
      port = 25565;
    };
    mysql = {
      enable = true;
      port = 3306;
    };
    navidrome = {
      enable = true;
      domain = "music.${domain}";
      port = 4533;
      folder = "/mnt/music";
    };
    postgresql = {
      enable = true;
      port = 5432;
    };
    prosody = {
      enable = true;
      port = 5347;
      domain = "irc.${domain}";
    };
    nextcloud = {
      enable = true;
      host = "nextcloud.${domain}";
    };
    redis = {
      enable = true;
      port = 6379;
    };
    roundcube = {
      enable = true;
      domain = "roundcube.${domain}";
    };
    synapse = {
      enable = true;
      element = {
        enable = true;
        domain = "chat.${domain}";
      };
      domain = "matrix.${domain}";
      port = 8008;
      metrics = {
        enable = true;
        port = 9000;
      };
    };
    uptime-kuma = {
      enable = true;
      domain = "status.${domain}";
      port = 4000;
    };
    vaultwarden = {
      enable = true;
      domain = "bitwarden.${domain}";
      port = 4534;
    };
  };
}