# NixOS module wiring up the mail stack for a single domain: the `mailserver`
# options, one sops secret per account password file, and a Roundcube webmail
# front end. Account definitions are read from `config.customOps.mailAccounts`.
{
  config,
  lib,
  ...
}: let
  inherit (config.customOps) mailAccounts;
  domainFqdn = config.customOps.domain.fqdn;
  # Host name of the mail server itself; Roundcube connects to this name, so
  # the certificate it is shown is the one issued for `mailserver.fqdn`.
  mailFqdn = "${config.networking.hostName}.${domainFqdn}";
  # Every special-use folder is auto-created and subscribed, and its
  # special-use flag equals its own name.
  specialFolders = ["Archive" "Drafts" "Junk" "Sent" "Trash"];
in {
  # Declare one sops secret per account, named after the account's
  # `passwdFile`. Only the owner is set here, so the file mode stays at the
  # sops-nix default (presumably 0400 — confirm nothing else overrides it);
  # the password hash is then readable by `dovecot2` and root only.
  sops.secrets =
    lib.mapAttrs'
    (_account: cfg: lib.nameValuePair cfg.passwdFile {owner = "dovecot2";})
    mailAccounts;

  mailserver = {
    enable = true;
    stateVersion = 3;

    fqdn = mailFqdn;
    domains = [domainFqdn];
    systemDomain = domainFqdn;
    systemName = domainFqdn;
    systemContact = "postmaster@${domainFqdn}";

    # Reporting and scanning features.
    dmarcReporting.enable = true;
    tlsrpt.enable = true;
    fullTextSearch.enable = true;
    virusScanning = true;

    mailboxes = lib.genAttrs specialFolders (folder: {
      auto = "subscribe";
      specialUse = folder;
    });

    # Translate the site-level account description into the mailserver's
    # option names. The password is supplied as a path to the decrypted sops
    # secret rather than as an inline hash, which keeps the hash out of the
    # evaluated configuration.
    loginAccounts =
      lib.mapAttrs (_account: cfg: {
        inherit (cfg) aliases catchAll sendOnly;
        aliasesRegexp = cfg.aliasesRegex;
        hashedPasswordFile = config.sops.secrets.${cfg.passwdFile}.path;
      })
      mailAccounts;

    certificateScheme = "acme";
  };

  services.roundcube = {
    enable = true;
    hostName = "mail.${domainFqdn}";
    # `ssl://` selects implicit TLS for both the IMAP and the SMTP connection.
    # `%u` / `%p` make Roundcube authenticate to SMTP with the credentials of
    # the logged-in webmail user instead of a shared relay account.
    extraConfig = ''
      $config['imap_host'] = "ssl://${mailFqdn}";
      $config['smtp_host'] = "ssl://${mailFqdn}";
      $config['smtp_user'] = "%u";
      $config['smtp_pass'] = "%p";
    '';
  };
}