diff --git a/hosts/auth/authentik.nix b/hosts/auth/authentik.nix
new file mode 100644
index 0000000..0e04762
--- /dev/null
+++ b/hosts/auth/authentik.nix
@@ -0,0 +1,75 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ users.groups.authentik = { };
+ users.users.authentik = {
+ isSystemUser = true;
+ extraGroups = [ "docker" ];
+ group = "authentik";
+ };
+
+ virtualisation.docker.enable = true;
+
+ systemd.services = {
+ authentik-secrets-setup = {
+ enable = true;
+ };
+ };
+ services.authentik-ldap = {
+ enable = true;
+ environmentFile = "/var/lib/authentik-ldap-env";
+ };
+ services.authentik = {
+ enable = true;
+ # The environmentFile needs to be on the target host!
+ # Best use something like sops-nix or agenix to manage it
+ environmentFile = "/var/lib/authentik_secret";
+ settings = {
+ email = {
+ host = "mail.${config.networking.domain}";
+ port = 25;
+ username = "authentik@${config.networking.domain}";
+ use_tls = false;
+ use_ssl = false;
+ from = "authentik@${config.networking.domain}";
+ };
+ disable_startup_analytics = true;
+ avatars = "initials";
+ };
+ };
+
+ systemd.services.authentik-secrets-generator = {
+ enable = true;
+ requiredBy = [
+ "authentik-secrets-setup.service"
+ "authentik-worker.service"
+ ];
+ script = ''
+ echo "AUTHENTIK_SECRET_KEY=$(${pkgs.openssl}/bin/openssl rand -hex 32)" > /var/lib/authentik_secret
+ '';
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "auth.${config.networking.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:9000";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ extraConfig = ''
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ '';
+ };
+ };
+ };
+ };
+}
+
diff --git a/hosts/auth/default.nix b/hosts/auth/default.nix
new file mode 100644
index 0000000..e4ba74b
--- /dev/null
+++ b/hosts/auth/default.nix
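Review bot: The `authentik-secrets-generator` script overwrites `/var/lib/authentik_secret` with a fresh `AUTHENTIK_SECRET_KEY` on every run, so each start of `authentik-worker.service` invalidates existing sessions and anything signed with the previous key, and the file is created under the unit's default umask rather than owner-only permissions. `requiredBy` adds a Requires dependency but no ordering, so the worker can start before the file is written; add a matching `before` list and make the unit a oneshot, as sketched below. The comment above `environmentFile` recommending sops-nix/agenix contradicts the generator, so pick one approach; `/var/lib/authentik-ldap-env` is referenced but nothing in this commit provisions it. Adding the `authentik` user to the `docker` group also grants it root-equivalent access that nothing visible here needs.
```nix
  systemd.services.authentik-secrets-generator = {
    enable = true;
    requiredBy = [
      "authentik-secrets-setup.service"
      "authentik-worker.service"
    ];
    before = [
      "authentik-secrets-setup.service"
      "authentik-worker.service"
    ];
    serviceConfig.Type = "oneshot";
    script = ''
      # Generate the key only once; regenerating it on every run invalidates sessions.
      if [ ! -s /var/lib/authentik_secret ]; then
        (umask 077 && echo "AUTHENTIK_SECRET_KEY=$(${pkgs.openssl}/bin/openssl rand -hex 32)" > /var/lib/authentik_secret)
      fi
    '';
  };
```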
@@ -0,0 +1,38 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+{
+ imports = [
+ "${modulesPath}/virtualisation/proxmox-lxc.nix"
+ ./authentik.nix
+ ];
+
+ networking = {
+ hostName = "auth";
+ domain = lib.mkForce "test.htw.stura-dresden.de";
+ interfaces.eth0.ipv4.addresses = [
+ {
+ address = "141.56.51.96";
+ prefixLength = 24;
+ }
+ ];
+
+ defaultGateway = {
+ address = "141.56.51.254";
+ interface = "eth0";
+ };
+
+ firewall.allowedTCPPorts = [
+ 80
+ 443
+ 3389
+ ];
+ };
+
+ system.stateVersion = "25.05";
+}
+
diff --git a/hosts/mail/default.nix b/hosts/mail/default.nix
new file mode 100644
index 0000000..e4f81ec
--- /dev/null
+++ b/hosts/mail/default.nix
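Review bot: Port 3389 is opened to every source in `firewall.allowedTCPPorts`, while the only consumer visible in this commit is the mail host at 141.56.51.95 (hosts/mail/default.nix), which connects over plain `ldap://`, so the LDAP outpost is reachable from the whole segment and the bind credential and user lookups cross the network unencrypted. Restrict the port to that peer, e.g. drop `3389` from the list and add `firewall.extraCommands = "iptables -A nixos-fw -p tcp --dport 3389 -s 141.56.51.95 -j nixos-fw-accept";`, and switch the outpost and the mail host's `uris` to LDAPS or StartTLS if the outpost supports it. `config` and `pkgs` are not used in this file and can be dropped from the argument set.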
@@ -0,0 +1,202 @@
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+let
+ generatedAliases = pkgs.writeText "generated-aliases" (
+ lib.concatStringsSep "\n" (
+ lib.mapCartesianProduct
+ ({ aliases, domain }: "${aliases}@${domain} root@test.htw.stura-dresden.de")
+ {
+ aliases = [
+ "abuse"
+ "hostmaster"
+ "noreply"
+ "postmaster"
+ "webmaster"
+ ];
+ domain = config.mailserver.domains;
+ }
+ )
+ );
+
+in
+{
+ imports = [
+ "${modulesPath}/virtualisation/proxmox-lxc.nix"
+ ];
+
+ security.pam.loginLimits = [
+ {
+ domain = "*";
+ type = "soft";
+ item = "nofile";
+ value = "8192";
+ }
+ ];
+
+ networking = {
+ hostName = "mail";
+ domain = lib.mkForce "test.htw.stura-dresden.de";
+ interfaces.ens18.ipv4.addresses = [
+ {
+ address = "141.56.51.95";
+ prefixLength = 24;
+ }
+ ];
+
+ defaultGateway = {
+ address = "141.56.51.254";
+ interface = "eth0";
+ };
+ };
+
+ services.nginx.virtualHosts = {
+ "lists.${config.networking.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ # locations."/" = {
+ # proxyPass = "http://127.0.0.1:18507";
+ # };
+ };
+ };
+ services.automx2 = {
+ enable = true;
+ domain = "${config.networking.domain}";
+ settings = {
+ automx2 = {
+ db_uri = "sqlite:////var/lib/automx2/db.sqlite";
+ proxy_count = 1;
+ };
+ };
+ };
+ services.mailman = {
+ enable = true;
+ hyperkitty = {
+ enable = true;
+ };
+ serve.enable = true;
+ webHosts = [
+ "lists.${config.networking.domain}"
+ ];
+ };
+
+ services.mailman.siteOwner = "mailman@${config.networking.domain}";
+ mailserver = {
+ enable = true;
+ fqdn = "mail.${config.networking.domain}";
+ domains = [
+ "${config.networking.domain}"
+ "lists.${config.networking.domain}"
+ ];
+ ldap = {
+ enable = true;
+ bind = {
+ # dn = "cn=dovecot,ou=users,DC=test,DC=htw,DC=stura-dresden,DC=de";
+ dn = "cn=ldapuser,ou=users,dc=ldap,dc=goauthentik,dc=io";
+ passwordFile = "/var/lib/dovecot_ldap_passwd";
+ };
+ dovecot = {
+ userFilter = "(&(objectClass=posixAccount)(mail=%u))";
+ passFilter = "(&(objectClass=posixAccount)(mail=%u))";
+ userAttrs = "cn";
+ };
+ postfix = {
+ filter = "(|(&(objectClass=posixAccount)(mail=%s))(&(objectClass=posixAccount)(cn=%s)))";
+ mailAttribute = "mail";
+ uidAttribute = "cn";
+ };
+ #searchBase = "DC=test,DC=htw,DC=stura-dresden,DC=de";
+ searchBase = "DC=ldap,DC=goauthentik,DC=io";
+ uris = [
+ "ldap://auth.test.htw.stura-dresden.de:3389"
+ ];
+ };
+
+ certificateScheme = "acme-nginx";
+ enableImap = true;
+ enableImapSsl = true;
+ enableManageSieve = true;
+ enableSubmission = true;
+ enableSubmissionSsl = true;
+ extraVirtualAliases = { };
+ lmtpSaveToDetailMailbox = "no"; # DOS potential
+ mailboxes = {
+ Drafts = {
+ auto = "subscribe";
+ specialUse = "Drafts";
+ };
+ Sent = {
+ auto = "subscribe";
+ specialUse = "Sent";
+ };
+ Spam = {
+ auto = "subscribe";
+ specialUse = "Junk";
+ };
+ Trash = {
+ auto = "subscribe";
+ specialUse = "Trash";
+ };
+ };
+ maxConnectionsPerUser = 10;
+ messageSizeLimit = 10 * 1000 * 1024; # 10 MiB
+
+ stateVersion = 3;
+ };
+
+ # services.dovecot2.mailLocation = lib.mkForce "maildir:/var/vmail/%n";
+ services.postfix =
+ let
+ submissionOptions = {
+ # hash:/etc/postfix/virtual,
+ smtpd_sender_login_maps = lib.mkForce "ldap:/run/postfix/ldap-sender-login-map.cf";
+ smtpd_client_restrictions = "permit_sasl_authenticated,reject";
+ };
+ in
+ {
+ masterConfig = {
+ submission = {
+ args = [ "-v" ];
+ };
+ submissions = {
+ args = [ "-v" ];
+ };
+ };
+ settings.main = {
+ unknown_local_recipient_reject_code = 550;
+ relay_domains = [
+ "hash:/var/lib/mailman/data/postfix_domains"
+ ];
+ transport_maps = [
+ "hash:/var/lib/mailman/data/postfix_lmtp"
+ ];
+ local_recipient_maps = [
+ "hash:/var/lib/mailman/data/postfix_lmtp"
+ ];
+ };
+ # mapFiles = {
+ # "valias" = lib.mkForce "/var/lib/postfix/valias";
+ # "virtual" = lib.mkForce "/var/lib/postfix/virtual";
+ # };
+ submissionOptions = submissionOptions;
+ submissionsOptions = submissionOptions;
+ };
+
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "cert@stura.htw-dresden.de";
+
+ networking.firewall.allowedTCPPorts = [
+ 25
+ 80
+ 443
+ 597
+ ];
+
+ system.stateVersion = "24.11";
+
+}
+
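Review bot: `defaultGateway.interface = "eth0"` does not match the interface the address is assigned to (`interfaces.ens18`), so the default route is bound to a device that may not exist in this container and the host can come up without outbound connectivity; change it to `interface = "ens18";`. `networking.firewall.allowedTCPPorts` lists 597, which looks like a typo for 587 (submission), and since the mailserver module appears to open the ports for the services it enables, the entry is probably unnecessary either way. `masterConfig.submission.args = [ "-v" ]` and the `submissions` twin enable verbose smtpd logging on the authenticated ports, whose output may include client authentication exchanges; mark it `# TODO: drop -v once submission is debugged` so it does not stay on in production. `generatedAliases` is computed in the `let` but not referenced anywhere in this file.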