diff --git a/.helix/languages.toml b/.helix/languages.toml
new file mode 100644
index 00000000..5dd999ea
--- /dev/null
+++ b/.helix/languages.toml
@@ -0,0 +1,6 @@
+[language-server.nil]
+command = "nil"
+[[language]]
+name = "nix"
+formatter = {command = "nixfmt"}
+language-servers = [ "nil" ]
diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix
index 3dd98b59..94bd1dc6 100644
--- a/hosts/picard/default.nix
+++ b/hosts/picard/default.nix
@@ -12,6 +12,7 @@
 ./xynospace-matrix.nix
 ./plausible.nix
 ./obsidianshare.nix
+ ./mail.nix
 # ./ts-ovpn.nix
 ../../nixos-modules/system/persist.nix
@@ -60,7 +61,7 @@
 services.postgresql.package = pkgs.postgresql_13;
 systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.desec.path;
- networking.firewall.allowedTCPPorts = [ 80 443 config.services.forgejo.settings.server.SSH_PORT ];
+ networking.firewall.allowedTCPPorts = [ 80 443 config.services.forgejo.settings.server.SSH_PORT 25 143 465 587 993 ];
 networking.firewall.allowedUDPPorts = [ 443 ];
 services.caddy = {
 logFormat = "level INFO";
@@ -71,6 +72,9 @@
 token "{$TOKEN}"
 }
 '';
+ virtualHosts."*.hailsatan.eu".extraConfig = ''
+ reverse_proxy https://j.hailsatan.eu
+ '';
 virtualHosts."*.ragon.xyz".extraConfig = ''
 # @8081 host 8081.ragon.xyz
 # handle @8081 {
diff --git a/hosts/picard/mail.nix b/hosts/picard/mail.nix
new file mode 100644
index 00000000..044c6a02
--- /dev/null
+++ b/hosts/picard/mail.nix
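Review bot: The five mail ports are added as bare literals to the host-wide `networking.firewall.allowedTCPPorts` list in hosts/picard/default.nix, while the same numbers are published again in hosts/picard/mail.nix, so the exposure is defined in two places that can drift apart. NixOS merges list-valued options across modules, so the rule can live beside the container as `networking.firewall.allowedTCPPorts = [ 25 143 465 587 993 ];` in mail.nix and disappear together with that import. It is also worth confirming that 143 has to be reachable from the internet at all, since 993 already offers IMAP over implicit TLS. The enclosing attribute set starts and ends outside the hunk.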
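Review bot: The new `virtualHosts."*.hailsatan.eu"` block in hosts/picard/default.nix forwards every name under the domain, including mail.hailsatan.eu and any subdomain that does not exist yet, to `https://j.hailsatan.eu`, with no host matcher and no fallback. If the block is there mainly so that Caddy obtains the wildcard certificate that mail.nix mounts (an inference from the certificate path in that file), a comment saying so, a named `host` matcher for the names that are meant to be proxied, and a final `handle` block that calls `abort` would keep unknown names from reaching the upstream. j.hailsatan.eu itself matches the wildcard, so it should be confirmed that it does not resolve to this host; otherwise the proxy would forward to itself. The Caddy settings block continues outside the hunk.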
@@ -0,0 +1,36 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+{
+ virtualisation.oci-containers.containers."mail" = {
+ image = "ghcr.io/docker-mailserver/docker-mailserver:latest";
+ hostname = "mail.hailsatan.eu";
+ ports = [
+ "25:25" # SMTP (explicit TLS => STARTTLS, Authentication is DISABLED => use port 465/587 instead)
+ "143:143" # IMAP4 (explicit TLS => STARTTLS)
+ "465:465" # ESMTP (implicit TLS)
+ "587:587" # ESMTP (explicit TLS => STARTTLS)
+ "993:993" # IMAP4 (implicit TLS)
+ ];
+ volumes = [
+ "mail-data:/var/mail/"
+ "mail-state:/var/mail-state/"
+ "mail-logs:/var/log/mail/"
+ "mail-config:/tmp/docker-mailserver/"
+ "/var/lib/caddy/.local/share/caddy/certificates/acme.zerossl.com-v2-dv90/wildcard_.hailsatan.eu:/srv/tls/meow" # it hates this
+ ];
+ environment = {
+ TZ = "Europe/Berlin";
+ SPOOF_PROTECTION = "1";
+ LOG_LEVEL = "info";
+ ENABLE_CLAMAV = "0";
+ ENABLE_FAIL2BAN = "0";
+ SSL_TYPE = "manual";
+ SSL_CERT_PATH = "/srv/tls/meow/wildcard_.hailsatan.eu.crt";
+ SSL_KEY_PATH = "/srv/tls/meow/wildcard_.hailsatan.eu.key";
+ };
+ };
+}
diff --git a/nixos-modules/cli/default.nix b/nixos-modules/cli/default.nix
index be003e05..77921ed2 100644
--- a/nixos-modules/cli/default.nix
+++ b/nixos-modules/cli/default.nix
@@ -3,7 +3,6 @@ with lib;
 with lib.my;
 let
 cfg = config.ragon.cli;
- ragon = config.ragon;
 in
 {
 options.ragon.cli.enable = lib.mkEnableOption "Enables ragons CLI stuff";
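Review bot: In hosts/picard/mail.nix the bind mount of Caddy's `wildcard_.hailsatan.eu` certificate directory is read-write, so the mail container can modify or replace the TLS private key that Caddy also uses; ending that volume entry with `:/srv/tls/meow:ro` limits the container to reading it. The image is referenced as `docker-mailserver:latest`, so every pull can change what runs behind the published mail ports; pin it, e.g. `image = "ghcr.io/docker-mailserver/docker-mailserver:<version>@sha256:<digest>";` (placeholders). With `ENABLE_FAIL2BAN = "0"` nothing in the visible configuration throttles password guessing against the authenticated ports 143, 465, 587 and 993, so either enable it or add a comment naming what does. The mount source also hard-codes the `acme.zerossl.com-v2-dv90` issuer directory, which would presumably stop matching if Caddy obtained the certificate from a different issuer.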