diff --git a/config/hosts/athame/bitwarden.nix b/config/hosts/athame/bitwarden.nix
index e549d4d6..fa3ec585 100644
--- a/config/hosts/athame/bitwarden.nix
+++ b/config/hosts/athame/bitwarden.nix
@@ -1,6 +1,6 @@
 { config, pkgs, ... }:
 
-let secrets = (import ../../../../secrets.nix);
+let secrets = (import ../../../secrets.nix);
 in {
   services.bitwarden_rs = {
     enable = true;
diff --git a/config/hosts/athame/configuration.nix b/config/hosts/athame/configuration.nix
index a930ee63..351f100c 100644
--- a/config/hosts/athame/configuration.nix
+++ b/config/hosts/athame/configuration.nix
@@ -9,6 +9,7 @@
     ../../services/nginx.nix
     ./virtualhosts.nix
     # services
+    ./mail.nix
     ./gitea.nix
     ./nextcloud.nix
     ./bitwarden.nix
diff --git a/config/hosts/athame/hardware.nix b/config/hosts/athame/hardware.nix
index f7d39c19..2520050e 100644
--- a/config/hosts/athame/hardware.nix
+++ b/config/hosts/athame/hardware.nix
@@ -1,6 +1,3 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, ... }:
 
 {
diff --git a/config/hosts/athame/mail.nix b/config/hosts/athame/mail.nix
new file mode 100644
index 00000000..c0a1a62e
--- /dev/null
+++ b/config/hosts/athame/mail.nix
@@ -0,0 +1,56 @@
+{ config, pkgs, ... }:
+let sources = (import ../../../nix/sources.nix);
+secrets = (import ../../../secrets.nix);
+in {
+  imports = [
+    sources.nixos-mailserver.outPath
+  ];
+
+  mailserver = {
+    enable = true;
+    fqdn = "kittywit.ch";
+    domains = [ "kittywit.ch" ];
+
+    # A list of all login accounts. To create the password hashes, use
+    # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
+    loginAccounts = {
+        "kat@kittywit.ch" = {
+            hashedPassword = secrets.hosts.athame.mail.kat.password;
+
+            aliases = [
+                "postmaster@kittywit.ch"
+            ];
+
+            # Make this user the catchAll address for domains kittywit.ch and
+            # example2.com
+            catchAll = [
+                "kittywit.ch"
+            ];
+        };
+    };
+
+    # Extra virtual aliases. These are email addresses that are forwarded to
+    # loginAccounts addresses.
+    extraVirtualAliases = {
+        # address = forward address;
+        "abuse@kittywit.ch" = "kat@kittywit.ch";
+    };
+
+    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+    # down nginx and opens port 80.
+    certificateScheme = 3;
+
+    # Enable IMAP and POP3
+    enableImap = true;
+    enablePop3 = true;
+    enableImapSsl = true;
+    enablePop3Ssl = true;
+
+    # Enable the ManageSieve protocol
+    enableManageSieve = true;
+
+    # whether to scan inbound emails for viruses (note that this requires at least
+    # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
+    virusScanning = false;
+  };
+}
\ No newline at end of file
diff --git a/config/hosts/athame/matrix.nix b/config/hosts/athame/matrix.nix
index 5a7a0d40..d2bad84d 100644
--- a/config/hosts/athame/matrix.nix
+++ b/config/hosts/athame/matrix.nix
@@ -1,6 +1,6 @@
 { config, pkgs, ... }:
 
-let secrets = (import ../../../../secrets.nix);
+let secrets = (import ../../../secrets.nix);
 in {
   environment.systemPackages =
     [ pkgs.arc.pkgs.mx-puppet-discord pkgs.mautrix-whatsapp ];
diff --git a/config/hosts/athame/virtualhosts.nix b/config/hosts/athame/virtualhosts.nix
index f00acea3..057758b0 100644
--- a/config/hosts/athame/virtualhosts.nix
+++ b/config/hosts/athame/virtualhosts.nix
@@ -5,7 +5,7 @@ let
     enableACME = true;
     forceSSL = true;
   };
-  secrets = (import ../../../../secrets.nix);
+  secrets = (import ../../../secrets.nix);
 in {
   services.nginx.virtualHosts = {
     "kittywit.ch" = {
diff --git a/config/hosts/athame/znc.nix b/config/hosts/athame/znc.nix
index 6e451fd6..ad0612de 100644
--- a/config/hosts/athame/znc.nix
+++ b/config/hosts/athame/znc.nix
@@ -1,6 +1,6 @@
 { config, pkgs, ... }:
 
-let secrets = (import ../../../../secrets.nix);
+let secrets = (import ../../../secrets.nix);
 in {
   services.znc = {
     enable = true;
diff --git a/config/hosts/samhain/hardware.nix b/config/hosts/samhain/hardware.nix
index 476884e5..de9e94a8 100644
--- a/config/hosts/samhain/hardware.nix
+++ b/config/hosts/samhain/hardware.nix
@@ -1,6 +1,3 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 
 {
diff --git a/config/hosts/yule/hardware.nix b/config/hosts/yule/hardware.nix
index fbe198b8..309a27fa 100644
--- a/config/hosts/yule/hardware.nix
+++ b/config/hosts/yule/hardware.nix
@@ -1,6 +1,3 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 
 {
diff --git a/config/users/kat/desktop.nix b/config/users/kat/desktop.nix
index b78ea446..4e210e9e 100644
--- a/config/users/kat/desktop.nix
+++ b/config/users/kat/desktop.nix
@@ -28,6 +28,7 @@ in {
         pkgs.avidemux
         pkgs.vlc
         pkgs.ffmpeg-full
+        pkgs.thunderbird
         unstable.syncplay
         unstable.youtube-dl
         unstable.google-chrome