diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 9dac50d55..e87b33600 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -13,6 +13,7 @@ let
 ./buildbot/slave.nix
 ./build.nix
 ./current.nix
+ ./exim.nix
 ./exim-retiolum.nix
 ./exim-smarthost.nix
 ./fetchWallpaper.nix
diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix
index 696c48baf..8b6ac4a4e 100644
--- a/krebs/3modules/exim-retiolum.nix
+++ b/krebs/3modules/exim-retiolum.nix
@@ -32,7 +32,7 @@ let
 };
 imp = {
- services.exim = {
+ krebs.exim = {
 enable = true;
 config =
 # This configuration makes only sense for retiolum-enabled hosts.
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index a01ab543b..8d9227039 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -105,7 +105,7 @@ let
 requires = [ "secret.service" ];
 };
 };
- services.exim = {
+ krebs.exim = {
 enable = true;
 config = ''
 keep_environment =
diff --git a/krebs/3modules/exim.nix b/krebs/3modules/exim.nix
new file mode 100644
index 000000000..16a2a37b6
--- /dev/null
+++ b/krebs/3modules/exim.nix
@@ -0,0 +1,80 @@
+{ config, lib, pkgs, ... }: with config.krebs.lib; let
+ cfg = config.krebs.exim;
+in {
+ options.krebs.exim = {
+ enable = mkEnableOption "krebs.exim";
+ config = mkOption {
+ type = types.str;
+ default = "";
+ description = ''
+ Verbatim Exim configuration. This should not contain exim_user,
+ exim_group, exim_path, or spool_directory.
+ '';
+ };
+ user = mkOption {
+ type = types.user;
+ default = {
+ name = "exim";
+ home = "/var/spool/exim";
+ };
+ description = ''
+ User to use when no root privileges are required.
+ In particular, this applies when receiving messages and when doing
+ remote deliveries. (Local deliveries run as various non-root users,
+ typically as the owner of a local mailbox.) Specifying this value
+ as root is not supported.
+ '';
+ };
+ group = mkOption {
+ type = types.group;
+ default = {
+ name = "exim";
+ };
+ description = ''
+ Group to use when no root privileges are required.
+ '';
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ environment = {
+ etc."exim.conf".text = ''
+ exim_user = ${cfg.user.name}
+ exim_group = ${cfg.group.name}
+ exim_path = /var/setuid-wrappers/exim
+ spool_directory = ${cfg.user.home}
+ ${cfg.config}
+ '';
+ systemPackages = [ pkgs.exim ];
+ };
+ krebs.setuid = {
+ exim = {
+ filename = "${pkgs.exim}/bin/exim";
+ mode = "4111";
+ };
+ sendmail = {
+ filename = "${pkgs.exim}/bin/exim";
+ mode = "4111";
+ };
+ };
+ systemd.services.exim = {
+ restartTriggers = [
+ config.environment.etc."exim.conf".source
+ ];
+ serviceConfig = {
+ ExecStart = "${pkgs.exim}/bin/exim -bdf -q30m";
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+ users = {
+ groups.${cfg.group.name} = {
+ inherit (cfg.group) name gid;
+ };
+ users.${cfg.user.name} = {
+ inherit (cfg.user) home name uid;
+ createHome = true;
+ group = cfg.group.name;
+ };
+ };
+ };
+}
diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix
index 405a91e45..56d1d55c3 100644
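Review bot: The `user` option's description states that running as root is unsupported, but nothing in the module enforces it, so a `name = "root"` value evaluates and the resulting setuid-root exim would do its supposedly unprivileged work as root; inside `config = lib.mkIf cfg.enable {` an assertion would pin the contract, e.g. `assertions = [ { assertion = cfg.user.name != "root"; message = "krebs.exim.user must not be root"; } ];`. The same gap exists for `config`, whose description forbids exim_user, exim_group, exim_path and spool_directory while the value is spliced verbatim below those four lines in /etc/exim.conf; whether Exim rejects a repeated main option is not something this hunk shows, so a comment on the `${cfg.config}` line such as `# no check here: a duplicate main option is left to Exim to report` would at least record the assumption. Separately, `config` is `types.str`, which as far as I recall merges only equal definitions, so enabling both exim-retiolum and exim-smarthost (marked mutually exclusive in this commit's test config) should fail with conflicting definitions rather than silently concatenating two daemon configs; a one-line comment on the option stating that this is intended would save the next reader a surprise.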
--- a/krebs/4lib/types.nix
+++ b/krebs/4lib/types.nix
@@ -213,6 +213,18 @@ types // rec {
 };
 };
 });
+ group = submodule ({ config, ... }: {
+ options = {
+ name = mkOption {
+ type = username;
+ default = config._module.args.name;
+ };
+ gid = mkOption {
+ type = int;
+ default = genid config.name;
+ };
+ };
+ });
 addr = either addr4 addr6;
 addr4 = mkOptionType {
diff --git a/shared/1systems/test-all-krebs-modules.nix b/shared/1systems/test-all-krebs-modules.nix
index 5c3ba9421..0084a7837 100644
--- a/shared/1systems/test-all-krebs-modules.nix
+++ b/shared/1systems/test-all-krebs-modules.nix
@@ -19,10 +19,11 @@ in {
 username = "lol";
 password = "wut";
 };
- exim-retiolum = {
- enable = true;
- primary_hostname = "test.r";
- };
+ # XXX exim-retiolum and exim-smarthost are mutually exclusive
+ #exim-retiolum = {
+ # enable = true;
+ # primary_hostname = "test.r";
+ #};
 exim-smarthost = {
 enable = true;
 primary_hostname = "test.r";
diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix
index 27dd12520..cebd7c9e4 100644
--- a/tv/1systems/wu.nix
+++ b/tv/1systems/wu.nix
@@ -183,7 +183,5 @@ with config.krebs.lib;
 KERNEL=="hpet", GROUP="audio"
 '';
- services.tor.client.enable = true;
- services.tor.enable = true;
 services.virtualboxHost.enable = true;
 }
diff --git a/tv/2configs/exim-retiolum.nix b/tv/2configs/exim-retiolum.nix
index dbe83dcf1..9197a3c30 100644
--- a/tv/2configs/exim-retiolum.nix
+++ b/tv/2configs/exim-retiolum.nix
@@ -4,9 +4,5 @@ with config.krebs.lib;
 {
 krebs.exim-retiolum.enable = true;
- krebs.setuid.sendmail = {
- filename = "${pkgs.exim}/bin/exim";
- mode = "4111";
- };
 tv.iptables.input-retiolum-accept-new-tcp = singleton "smtp";
 }
diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix
index 2b9ad77d7..3616a8f52 100644
--- a/tv/2configs/exim-smarthost.nix
+++ b/tv/2configs/exim-smarthost.nix
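Review bot: `gid` defaults to `genid config.name`, so two distinct group names can silently receive the same id, and nothing in this hunk says whether that is caught downstream (NixOS's id-uniqueness assertion would catch it only if it is enabled on the host). Neither option carries a `description`; on `gid` I would add `description = "Numeric gid; defaults to an id derived from the name via genid, so set it explicitly where the id must survive a rename or must not collide with another generated id.";` and on `name` `description = "Group name; defaults to the attribute name the submodule is bound to.";`. The `default = config._module.args.name` fallback presumably only resolves where the submodule is used with a `name` argument supplied (an attrsOf element); the `types.group` use in exim.nix in this commit passes `name` explicitly, so that is fine as far as the diff shows.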
@@ -43,9 +43,5 @@ with config.krebs.lib;
 { from = "mirko"; to = "mv"; }
 ];
 };
- krebs.setuid.sendmail = {
- filename = "${pkgs.exim}/bin/exim";
- mode = "4111";
- };
 tv.iptables.input-internet-accept-new-tcp = singleton "smtp";
 }