diff --git a/hosts/nachtigall/apps/mailman.nix b/hosts/nachtigall/apps/mailman.nix
new file mode 100644
index 0000000..b01b380
--- /dev/null
+++ b/hosts/nachtigall/apps/mailman.nix
@@ -0,0 +1,69 @@
+{
+  flake,
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  networking.firewall.allowedTCPPorts = [25];
+
+  services.postfix = {
+    enable = true;
+    relayDomains = ["hash:/var/lib/mailman/data/postfix_domains"];
+    # get TLS certs for list.pub.solar from acme
+    sslCert = "/var/lib/acme/list.pub.solar/fullchain.pem";
+    sslKey = "/var/lib/acme/list.pub.solar/key.pem";
+    config = {
+      transport_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
+      local_recipient_maps = ["hash:/var/lib/mailman/data/postfix_lmtp"];
+    };
+    rootAlias = "admins@pub.solar";
+    postmasterAlias = "admins@pub.solar";
+    hostname = "list.pub.solar";
+  };
+
+  systemd.paths.watcher-acme-ssl-file = {
+    description = "Watches for changes in acme's TLS cert file (after renewals) to reload postfix";
+    documentation = ["systemd.path(5)"];
+    partOf = ["postfix-reload.service"];
+    pathConfig = {
+      PathChanged = "/var/lib/acme/list.pub.solar/fullchain.pem";
+      Unit = "postfix-reload.service";
+    };
+    wantedBy = ["multi-user.target"];
+  };
+
+  systemd.services."postfix-reload" = {
+    description = "Reloads postfix config, e.g. after TLS certs change, notified by watcher-acme-ssl-file.path";
+    documentation = ["systemd.path(5)"];
+    requires = ["postfix.service"];
+    after = ["postfix.service"];
+    startLimitIntervalSec = 10;
+    startLimitBurst = 5;
+    serviceConfig.Type = "oneshot";
+    script = ''
+      ${pkgs.systemd}/bin/systemctl reload postfix
+    '';
+    wantedBy = ["multi-user.target"];
+  };
+
+  services.mailman = {
+    enable = true;
+    serve.enable = true;
+    hyperkitty.enable = true;
+    webHosts = ["list.pub.solar"];
+    siteOwner = "admins@pub.solar";
+  };
+
+  # TODO add django-keycloak as auth provider
+  # https://django-keycloak.readthedocs.io/en/latest/
+  ## Extend settings.py directly since this can't be done via JSON
+  ## settings (services.mailman.webSettings)
+  #environment.etc."mailman3/settings.py".text = ''
+  #  INSTALLED_APPS.extend([
+  #    "allauth.socialaccount.providers.github",
+  #    "allauth.socialaccount.providers.gitlab"
+  #  ])
+  #'';
+}
diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix
index 5ee4ba9..451acde 100644
--- a/hosts/nachtigall/default.nix
+++ b/hosts/nachtigall/default.nix
@@ -11,10 +11,11 @@
       ./apps/nginx.nix
 
       ./apps/keycloak.nix
+      ./apps/mailman.nix
+      ./apps/mastodon.nix
       ./apps/nginx-mastodon.nix
       ./apps/nginx-mastodon-files.nix
       ./apps/nginx-website.nix
-      ./apps/mastodon.nix
       ./apps/opensearch.nix
       ./apps/postgresql.nix
       ./apps/forgejo.nix