diff --git a/flake.nix b/flake.nix index b3bf2da..1b69a43 100644 --- a/flake.nix +++ b/flake.nix @@ -63,7 +63,7 @@ age.secrets.zfs-passphrase-vno1-oh2.file = ./secrets/vno1-oh2/zfs-passphrase.age; age.secrets.borgbackup-password.file = ./secrets/hel1-a/borgbackup/password.age; - age.secrets.sasl-passwd.file = ./secrets/hel1-a/postfix/sasl_passwd.age; + age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; age.secrets.turn-static-auth-secret.file = ./secrets/hel1-a/turn/static_auth_secret.age; age.secrets.synapse-jakstys-signing-key.file = ./secrets/hel1-a/synapse/jakstys_lt_signing_key.age; age.secrets.synapse-registration-shared-secret.file = ./secrets/hel1-a/synapse/registration_shared_secret.age; @@ -84,6 +84,8 @@ agenix.nixosModules.default { + age.secrets.sasl-passwd.file = ./secrets/postfix_sasl_passwd.age; + age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age; age.secrets.root-passwd-hash.file = ./secrets/root_passwd_hash.age; age.secrets.zfs-passphrase-hel1-a.file = ./secrets/hel1-a/zfs-passphrase.age; diff --git a/hosts/hel1-a/configuration.nix b/hosts/hel1-a/configuration.nix index a1f785d..3a09a6b 100644 --- a/hosts/hel1-a/configuration.nix +++ b/hosts/hel1-a/configuration.nix @@ -18,6 +18,11 @@ in { timeZone = "UTC"; services = { + postfix = { + enable = true; + saslPasswdPath = config.age.secrets.sasl-passwd.path; + }; + zfsunlock = { enable = true; targets."vno1-oh2.servers.jakst" = { 
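Review bot: The second flake.nix hunk adds `age.secrets.motiejus-passwd-hash.file = ./secrets/motiejus_passwd_hash.age;` next to the new `sasl-passwd` entry, but nothing else in this diff consumes that secret (secrets.nix already lists the file as unchanged context), so it reads as an unrelated change riding along with the postfix refactor. If it is intentional for this host, a sentence in the description saying why would help; otherwise it belongs in its own commit. Both flake.nix hunks and the hel1-a configuration.nix hunk sit inside attribute sets that open and close outside the hunk, so the indentation level of the new `postfix = { ... };` block cannot be checked from here.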
@@ -371,31 +376,6 @@ in { }; }; - postfix = { - enable = true; - enableSmtp = true; - networks = [ - "127.0.0.1/8" - "[::ffff:127.0.0.0]/104" - "[::1]/128" - myData.tailscale_subnet.cidr - ]; - hostname = "${config.networking.hostName}.${config.networking.domain}"; - relayHost = "smtp.sendgrid.net"; - relayPort = 587; - mapFiles = { - sasl_passwd = config.age.secrets.sasl-passwd.path; - }; - extraConfig = '' - smtp_sasl_auth_enable = yes - smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd - smtp_sasl_security_options = noanonymous - smtp_sasl_tls_security_options = noanonymous - smtp_tls_security_level = encrypt - header_size_limit = 4096000 - ''; - }; - logrotate = { settings = { "/var/log/caddy/access-jakstys.lt.log" = { diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix index 5185f91..066a471 100644 --- a/hosts/vno1-oh2/configuration.nix +++ b/hosts/vno1-oh2/configuration.nix @@ -40,21 +40,28 @@ }; }; - services.syncthing = { - enable = true; - dataDir = "/home/motiejus/"; - user = "motiejus"; - group = "users"; - }; + services = { + postfix = { + enable = true; + saslPasswdPath = config.age.secrets.sasl-passwd.path; + }; - services.zfsunlock = { - enable = true; - targets."hel1-a.servers.jakst" = { - sshEndpoint = myData.hosts."hel1-a.servers.jakst".publicIP; - pingEndpoint = "hel1-a.servers.jakst"; - remotePubkey = myData.hosts."hel1-a.servers.jakst".initrdPubKey; - pwFile = config.age.secrets.zfs-passphrase-hel1-a.path; - startAt = "*-*-* *:00/5:00"; + syncthing = { + enable = true; + dataDir = "/home/motiejus/"; + user = "motiejus"; + group = "users"; + }; + + zfsunlock = { + enable = true; + targets."hel1-a.servers.jakst" = { + sshEndpoint = myData.hosts."hel1-a.servers.jakst".publicIP; + pingEndpoint = "hel1-a.servers.jakst"; + remotePubkey = myData.hosts."hel1-a.servers.jakst".initrdPubKey; + pwFile = config.age.secrets.zfs-passphrase-hel1-a.path; + startAt = "*-*-* *:00/5:00"; + }; }; }; }; 
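Review bot: Enabling the shared module on vno1-oh2 via `postfix = { enable = true; saslPasswdPath = config.age.secrets.sasl-passwd.path; };` also imports the module's `networks` list, which on the new side of this diff includes `myData.tailscale_subnet.cidr`, so every tailnet peer can now relay mail through this host's SASL credential as well as through hel1-a's. If vno1-oh2 only needs to deliver its own mail, consider exposing `networks` as an option on `mj.services.postfix` with a loopback-only default and widening it explicitly on the host that should act as a relay. The attribute set this `services` block lives in opens outside the hunk, so whether it is `mj.services` (where `saslPasswdPath` is declared) is inferred rather than visible.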
diff --git a/modules/services/default.nix b/modules/services/default.nix
index bb9e45e..c6796d2 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -5,6 +5,7 @@
 ...
 }: {
 imports = [
+ ./postfix
 ./syncthing
 ./zfsunlock
 ];
diff --git a/modules/services/postfix/default.nix b/modules/services/postfix/default.nix
new file mode 100644
index 0000000..df07030
--- /dev/null
+++ b/modules/services/postfix/default.nix
@@ -0,0 +1,39 @@
+{
+ config,
+ lib,
+ myData,
+ ...
+}: {
+ options.mj.services.postfix = with lib.types; {
+ enable = lib.mkEnableOption "Enable postfix";
+ saslPasswdPath = lib.mkOption {type = path;};
+ };
+
+ config = lib.mkIf config.mj.services.postfix.enable {
+ services.postfix = {
+ enable = true;
+ enableSmtp = true;
+ networks = [
+ "127.0.0.1/8"
+ "[::ffff:127.0.0.0]/104"
+ "[::1]/128"
+ myData.tailscale_subnet.cidr
+ ];
+ hostname = "${config.networking.hostName}.${config.networking.domain}";
+ relayHost = "smtp.sendgrid.net";
+ relayPort = 587;
+ mapFiles = {
+ sasl_passwd = config.mj.services.postfix.saslPasswdPath;
+ };
+ extraConfig = ''
+ smtp_sasl_auth_enable = yes
+ smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+ smtp_sasl_security_options = noanonymous
+ smtp_sasl_tls_security_options = noanonymous
+ smtp_tls_security_level = encrypt
+ header_size_limit = 4096000
+ '';
+ };
+
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index 553e4a3..4417a67 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -10,7 +10,6 @@ let
 in {
 # hel1-a + motiejus
 "secrets/hel1-a/borgbackup/password.age".publicKeys = [hel1-a] ++ motiejus;
- "secrets/hel1-a/postfix/sasl_passwd.age".publicKeys = [hel1-a] ++ motiejus;
 "secrets/hel1-a/turn/static_auth_secret.age".publicKeys = [hel1-a] ++ motiejus;
 "secrets/hel1-a/synapse/jakstys_lt_signing_key.age".publicKeys = [hel1-a] ++ motiejus;
 "secrets/hel1-a/synapse/registration_shared_secret.age".publicKeys = [hel1-a] ++ motiejus;
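Review bot: `enable = lib.mkEnableOption "Enable postfix";` in the new module renders in option docs as "Whether to enable Enable postfix."; the argument is the noun phrase alone, so `enable = lib.mkEnableOption "postfix relaying through SendGrid";` reads correctly. `saslPasswdPath = lib.mkOption {type = path;};` has a type but no `description`; give it one stating that the file must be a Postfix `sasl_passwd` map (relay host → `user:password`), that `mapFiles` copies and compiles it into the Postfix configuration directory, and that callers are expected to pass a root-only secret path such as an agenix `.path`. Since `smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd` points at that compiled copy, it is worth confirming on a deployed host that neither the copied file nor the generated `.db` is readable by unprivileged users — the module does not set permissions itself.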
@@ -23,4 +22,5 @@ in { # everywhere + motiejus "secrets/motiejus_passwd_hash.age".publicKeys = [hel1-a vno1-oh2] ++ motiejus; "secrets/root_passwd_hash.age".publicKeys = [hel1-a vno1-oh2] ++ motiejus; + "secrets/postfix_sasl_passwd.age".publicKeys = [hel1-a vno1-oh2] ++ motiejus; } diff --git a/secrets/hel1-a/borgbackup/password.age b/secrets/hel1-a/borgbackup/password.age index ec7b942..f28d671 100644 --- a/secrets/hel1-a/borgbackup/password.age +++ b/secrets/hel1-a/borgbackup/password.age @@ -1,14 +1,14 @@ age-encryption.org/v1 --> ssh-ed25519 vDjOfg jXKd84hBLGshv+pBkasnRvAOR6zJOv9kqj3MFhNEfSc -PR634A9Br6c0NTSZUoq6HpHfbIkbZxCrx+QzdK0tnHo --> X25519 EQxm5Y1GnCgOAxq/sWSksofOs4bqh5thYKchFE7AVlY -i0eqmFuXZ2VGMOHqS42vifcYXuBCTlF+Ckp6M2Dxrrc --> piv-p256 +y2G/w AvNFDhoheGvhx1OPcsYjNiXgcE2IyzNxnQa5o92TOfo/ -ORGLR75OPtt5t3ZntdrmKeWNqcoOh9/9l9LPrbNd9/s --> piv-p256 jNqd3A A0hKbEWxWIgzjqC5rPnQvI6C89vvp3Ejm5X3hoSmJwcV -nae0utik6loEuMbOUe7EZoWszJYMsA4aYIT1fBu7rmk --> W3-grease Bi-\Y /Yn -vVlW417ifsv6IU8m3IZWxis ---- 4+ia3CXXOvu7hPj9GLiTnzqQWwNPc8osiIysKZl1ApI -y?sAEoFk'E2ά**Zc-qS -JI6u,D \ No newline at end of file +-> ssh-ed25519 vDjOfg vySEUwrEbfzV/E9EKMzF7il7gSKxn80EQKSTSKE4WGA +++iFPSRIhJ3nRa2AKoCqctDt+gmQCrmrZeDt8NXPjRI +-> X25519 aFkDi0dqTmG0ZRK3x/GwJgktpCXp8H1+UqHfGIZ2Bzs +DXdwjN9xu9c40bdMyJmNI/iE9ejsQGxJrrfutrFBOIg +-> piv-p256 +y2G/w Ay2OS/A9MQ8kz4GFqGA2Jqu+qw2r1RkY7XDX8vRIM/bp +6jE/jqzx8Z7KFoX6OerNLqEXi8oEsQSzbu/4UTDfjt8 +-> piv-p256 jNqd3A AtoS0czOJchiKvrVfng6DWWdjdtyObdkwn3p5T3D+1uf +i62iUXpOEN0nTgcYe/YrXUki6QG9cq6hXRv2Ar/JrAc +-> g_@F2fyi-grease mXj +lTRFX2OWma7s/ER1R0NLRL//r2j50z4Hfv/ka0HJhg +--- YbEUnvdIuGKWPKLybsHLoDH5uBbnau59aiUJk72V1UQ +i;u1tyXhL +J|ռ䖰9~mAU_ͧB7@}3 \ No newline at end of file diff --git a/secrets/hel1-a/postfix/sasl_passwd.age b/secrets/hel1-a/postfix/sasl_passwd.age deleted file mode 100644 index 1aa8836..0000000 Binary files a/secrets/hel1-a/postfix/sasl_passwd.age and /dev/null differ 
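Review bot: `"secrets/postfix_sasl_passwd.age".publicKeys = [hel1-a vno1-oh2] ++ motiejus;` makes one relay credential decryptable on both hosts, so a compromise of either host exposes the credential used by the other, and rotation or revocation cannot be done per host. If the relay provider supports more than one credential, per-host files under the previous `secrets/<host>/postfix/` layout (one encrypted for `[hel1-a]`, one for `[vno1-oh2]`) keep the blast radius and the rotation schedule per host. If sharing is deliberate, a comment next to this line saying so spares the next reader the question. The remaining hunks in this diff are re-encrypted `.age` files and need no review.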
diff --git a/secrets/hel1-a/synapse/jakstys_lt_signing_key.age b/secrets/hel1-a/synapse/jakstys_lt_signing_key.age index fa1f159..d2a1a88 100644 Binary files a/secrets/hel1-a/synapse/jakstys_lt_signing_key.age and b/secrets/hel1-a/synapse/jakstys_lt_signing_key.age differ diff --git a/secrets/hel1-a/synapse/macaroon_secret_key.age b/secrets/hel1-a/synapse/macaroon_secret_key.age index 132f06b..54b14ec 100644 Binary files a/secrets/hel1-a/synapse/macaroon_secret_key.age and b/secrets/hel1-a/synapse/macaroon_secret_key.age differ diff --git a/secrets/hel1-a/synapse/registration_shared_secret.age b/secrets/hel1-a/synapse/registration_shared_secret.age index 13d2047..bc57565 100644 Binary files a/secrets/hel1-a/synapse/registration_shared_secret.age and b/secrets/hel1-a/synapse/registration_shared_secret.age differ diff --git a/secrets/hel1-a/turn/static_auth_secret.age b/secrets/hel1-a/turn/static_auth_secret.age index af7b896..40ab080 100644 --- a/secrets/hel1-a/turn/static_auth_secret.age +++ b/secrets/hel1-a/turn/static_auth_secret.age 
@@ -1,14 +1,13 @@ age-encryption.org/v1 --> ssh-ed25519 vDjOfg DGeT72n4VsH43Ns9yEnxfgy/uYKynfQGUzAtDPf+2mU -LPe1Uwll/Ee//jfjz4jRryl0Fej3jyev6QnYAtcEGD4 --> X25519 LYVUZF8IQa2pfNevLpSI26VfzRe4wlMy23FeTIH9eVQ -HYXSzjCz7aeMm2BzGrD96m0CbWjLH/XYskhMNYtbX4g --> piv-p256 +y2G/w AqE+qszNsNVu365Jq5MwieKVzPG2rAYMrO1bOF2z7Wh/ -KUdsBS22jiqWPB+9PoNSugsOKRk5PnFacCoRI05dnRg --> piv-p256 jNqd3A A+sbeoWSbRRLu2mtTWPX/DJHjB19j7T7TR33zP0tqK3M -WCsLFXjWeDBNEnBwITpjAQz2HJjcv46YFO9OSB/0psc --> -.}!Z;^n-grease K -fpu7Uos5Lia2hiTlW0SixCdyJP4FXRmmeHP5ufJGbk6qy972vmOeacC4M6/6Ck6h -eex4qQEs2epkNf0tsYvfeA ---- b54YQan0Bm8INDPrhn8N9LIt41/yGKQ8HeStn2Wqf5Q -_b6!NP%Ep'pp,VȊe6E \ No newline at end of file +-> ssh-ed25519 vDjOfg 7IvjFsGDpA0Y7YQzvK1LKv97Aytio3P8QK6kP3zVoh8 +/HZv5HmuXHpJvB8qBUSmJ2qEqPDV4dIzUjQuEC5yKIU +-> X25519 n2ZwLm3NBIPJ8fG67O292YwQgMfMrOpMsfD9fvVKAEg +Wj5y+8NuPl5VtyzLAt2qk3qY44cxqfr7IknpK8jzAMs +-> piv-p256 +y2G/w A8uQrdSqZAQQxlPUCpeJIR4vwmG3raRCi1Es2ORARLXl +G4bx1broyBxj7ARPQ3uOnzD9lrxTi8wRTW6h71SVmz4 +-> piv-p256 jNqd3A AiclfkktevGeKEIhwiAl0oghZEGeA58GBm+kWlD98ev4 +Y1Gu7nDRipmXehp1uYiGhCLRo0gt06+AIZYZ6ZkF7UE +-> ;\NX'-grease 4{cJ&fP +5oT1NHoPUeN6JtDhuGYhtE/Jipo6u5qRTdLJCpWZGZ2PBnQ +--- DaaAQQvDPetK5SpVDe5BehckkP7HgdQQdHKB7IBa1rs +8 ,1dҏj% ZrdwA]CWAݕ*JЊ`Q(I \ No newline at end of file diff --git a/secrets/hel1-a/zfs-passphrase.age b/secrets/hel1-a/zfs-passphrase.age index a12f1f7..5c4bc50 100644 --- a/secrets/hel1-a/zfs-passphrase.age +++ b/secrets/hel1-a/zfs-passphrase.age 
@@ -1,13 +1,13 @@ age-encryption.org/v1 --> ssh-ed25519 gJrHQg DsQM1OiPx2mZ5zCIoWhswaXAruIyjeYvDT/NpCfQang -ExnIjettDSsT1BhtrOiuKTHmkuG1UH2oJVFvtaxcskI --> X25519 cOjSCW3bPvgvXwZ+OGhYqmuuzTyBG5D0EUA9aSPIABE -7dzr3eQjQcF3buVLfn66yiv4Oo8gVATjngSn3JtYiEA --> piv-p256 +y2G/w A9mCDRKigSM1Bjz5UfNn6pCge9Ifip1qEuSi8oXrqxFR -v7VYoxTUZhVwjvo6HwGuLwppz808rVadQV+uSTisKc4 --> piv-p256 jNqd3A A+IpWq0hEn3lvkXGhdA4HwzOf7qMUfP8h2Ulyw6RJWr2 -VKT5WZBnNscxcu2Bv3JyvRzzs9C1PwrrdHOW4mwJbg4 --> c[,kV-grease -V6pw1EYTT8KqLcGIVKZWTAGr5gjj1J3O6+jElQ ---- rU4We/c5iA84jdP6PP46PtDHPv2hFUnKIQd7d8C2AR8 -F;D`A ΁cHѝV oJ9y_ZNڌo/+ijF ssh-ed25519 gJrHQg mQiy3u+UMFfs61WPlbo0OHqLxahWNfpYACeYIo267BA +TW0fW13NrjYjj3iwckwEzXjIx6IIckCh5r+UHw8Ij3I +-> X25519 rt/IGRSKAZ5ZkGv0pWmhj86+Uq9e2GXAmIv+HBZ2ZHI +C1j2j2U+HCko+ohp1gOY4Ng70pE3gOS6REm4/PQzB60 +-> piv-p256 +y2G/w Al/4EHKxjWqlWu15ijrzuh9wMq5VMiVP/W7Le4XxzV33 +X1kHLFt0LrGJkVNS5Jb2s/mYzoNgLye6Cxi8uu9lGLM +-> piv-p256 jNqd3A Ak1e2RkiQSLkIdP2GVE4P59DZ0I5eSdVD+bxpsezr3d4 +9aZR3+vmaOs3SH/i3ZOjl03VBwYvYByPiqLRJsHztVM +-> #iyKy*r-grease I~l K,!{* +36alLYkZaIJjAYgaw62ulNfYAj8b8Q0 +--- 0E+LmPXzbCtwllF5uDoIEkYI/qMLWdmfLwdtY1/iYqs +t $nM R8fjg.6$WvW=aP@$ yq' z \ No newline at end of file diff --git a/secrets/motiejus_passwd_hash.age b/secrets/motiejus_passwd_hash.age index 35c4464..b3d26a2 100644 Binary files a/secrets/motiejus_passwd_hash.age and b/secrets/motiejus_passwd_hash.age differ diff --git a/secrets/postfix_sasl_passwd.age b/secrets/postfix_sasl_passwd.age new file mode 100644 index 0000000..900efd0 Binary files /dev/null and b/secrets/postfix_sasl_passwd.age differ diff --git a/secrets/root_passwd_hash.age b/secrets/root_passwd_hash.age index 2055dda..cd6b06a 100644 Binary files a/secrets/root_passwd_hash.age and b/secrets/root_passwd_hash.age differ diff --git a/secrets/vno1-oh2/zfs-passphrase.age b/secrets/vno1-oh2/zfs-passphrase.age index 367f6c2..b6d719d 100644 --- a/secrets/vno1-oh2/zfs-passphrase.age +++ b/secrets/vno1-oh2/zfs-passphrase.age 
@@ -1,13 +1,14 @@ age-encryption.org/v1 --> ssh-ed25519 vDjOfg yX0zrlNsaJBSf3PqD4ccm/9z5tQhv5d7vbGQbITKNGQ -1adV8hkhSTQPSlPuKQypvWPAcker/kjObBxDfos6x2I --> X25519 TASHTwnBupJ72eFuJs4Oph68Js31AyjtpXcHDR8xKl8 -/181mos15wmANSJwo5QPZRUAx3vFoZ4wPpimbIfvC4o --> piv-p256 +y2G/w A09p8H96e0/FfHSTajYQZTvSYXwT7EvzFf1qVZtdwsax -Mgkl6t5uDGN8cYVoDXjEYB+RxeXyyLsZrWvGP7KMCNc --> piv-p256 jNqd3A A3Rh+tYvU/vfS6+2GXyOOM3auOu4KfXWFhyvyXgojBbf -l0whgIauEX31OqPyDMTZ2OLUBOzPVFSVnjxbYu7JeSE --> cD-grease u8 9nH (N(2JYW 'd -mAo1sjuzyaHtnQhYLApV9g ---- QcxzgeZhzogykC09MKj4VMVOZdq6i8N1OOcFf0nkABc -k{n/c8 gQ~1vq{sōO \ No newline at end of file +-> ssh-ed25519 vDjOfg DSA11LD9kTPJXL6q7ezsCRMlN3QBgcEA+i7PpYbn1HM +002pudzzJdq69RLzbnmEu1uXaF578FCwpUEUeQvrE1I +-> X25519 k+nrZinBJQOsxyUC/qw+UQ4F0EFxs4Dt2oPvHMwguS4 +zEYUmyjLq5gU9M0sTx2CVLMTaiLXw6O1f6kWz6tG01g +-> piv-p256 +y2G/w AnR7AVB8k5lZ+6DuqVvT+6tR9rw24Z7GZ15wlIWAakMq +1bvu/AJ9DkZ1cgL1crnhH8gi5SkE8hW4sjVNWw6znBc +-> piv-p256 jNqd3A AmqhEzPN6+LvtcYHlF26ygzX3lgdNY8alH5SHECivjnq +jb/Iv7sHqn3FCBgH65YoKsIE0GT390Zrki5mPN2NRyM +-> ]IKx--grease +0ZRby4OvsWGHVKCIhG27byA9hQw2a1xgQQgxrYy8QbxvmcY97+zbYY4nYThDUsA8 +/oJsg5IfHI3ukFzek3SoLw +--- ceQ+78jo/wEnqKEzoDo3dYvkISTigadwZ/R9U9e0Z5U + ]Sr9lP E?f(kvZڕOd =ug \ No newline at end of file