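# Mail stack for the host: simple-nixos-mailserver (Postfix/Dovecot), Roundcube
# webmail on mail.<domain>, and Radicale CalDAV/CardDAV behind nginx on cal.<domain>.
{ config, lib, pkgs, ... }:
let
  mailDomain = config.customOps.domain;

  # Local parts of the role addresses that all route to the single contact mailbox.
  # Listed once so the address list is maintained in one place.
  contactAliases = [
    "root"
    "postmaster"
    "security"
    "abuse"
    "webmaster"
    "admin"
    "info"
    "support"
  ];

  # IMAP special-use folders; each is auto-subscribed and flagged with its own name.
  specialFolders = [ "Archive" "Drafts" "Junk" "Sent" "Trash" ];
in
{
  sops.secrets = {
    # Dovecot reads the contact account's password hash at runtime.
    "mailserver/contact".owner = "dovecot2";
    # bcrypt htpasswd file consumed by Radicale.  Kept as a runtime secret rather than
    # generated with pkgs.writeText: anything written to /nix/store is world-readable, so
    # password hashes must never be placed there.  The previous version also read
    # loginAccounts.<name>.hashedPassword, which is unset (null) when hashedPasswordFile is
    # used and fails evaluation on string concatenation.
    # NOTE: "radicale/users" is a placeholder secret key — add it to the sops file with
    # one "user:bcrypt-hash" line per account.
    "radicale/users".owner = "radicale";
  };

  mailserver = {
    enable = true;
    stateVersion = 3;
    fqdn = mailDomain;
    domains = [ mailDomain ];
    virusScanning = true;
    systemDomain = mailDomain;
    systemName = mailDomain;
    dmarcReporting.enable = true;
    fullTextSearch.enable = true;

    mailboxes = lib.genAttrs specialFolders (name: {
      auto = "subscribe";
      specialUse = name;
    });

    loginAccounts."contact@${mailDomain}" = {
      hashedPasswordFile = config.sops.secrets."mailserver/contact".path;
      aliases = map (local: "${local}@${mailDomain}") contactAliases;
    };

    certificateScheme = "acme";
  };

  # Webmail; talks to the local mail server over implicit TLS and reuses the
  # IMAP login for SMTP submission.
  services.roundcube = {
    enable = true;
    hostName = "mail.${mailDomain}";
    extraConfig = ''
      $config['imap_host'] = "ssl://${mailDomain}";
      $config['smtp_host'] = "ssl://${mailDomain}";
      $config['smtp_user'] = "%u";
      $config['smtp_pass'] = "%p";
    '';
  };

  # CalDAV/CardDAV.  Authentication comes from the sops-managed htpasswd file above.
  services.radicale = {
    enable = true;
    settings.auth = {
      type = "htpasswd";
      htpasswd_filename = config.sops.secrets."radicale/users".path;
      htpasswd_encryption = "bcrypt";
    };
  };

  # TLS-terminating reverse proxy in front of Radicale (which listens on 5232 locally).
  # The Authorization header must be forwarded so Radicale can perform htpasswd auth.
  services.nginx = {
    enable = true;
    virtualHosts."cal.${mailDomain}" = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://localhost:5232/";
        extraConfig = ''
          proxy_set_header X-Script-Name /;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_pass_header Authorization;
        '';
      };
    };
  };
}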