{config, ...}: let
  mailDomain = config.customOps.domain;
in {
  sops.secrets = {
    "mailserver/contact".owner = "dovecot2";
  };

  mailserver = {
    enable = true;
    stateVersion = 3;
    fqdn = mailDomain;
    domains = [mailDomain];

    systemDomain = mailDomain;
    systemName = mailDomain;

    dmarcReporting.enable = true;
    fullTextSearch.enable = true;

    mailboxes = {
      Archive = {
        auto = "subscribe";
        specialUse = "Archive";
      };
      Drafts = {
        auto = "subscribe";
        specialUse = "Drafts";
      };
      Junk = {
        auto = "subscribe";
        specialUse = "Junk";
      };
      Sent = {
        auto = "subscribe";
        specialUse = "Sent";
      };
      Trash = {
        auto = "subscribe";
        specialUse = "Trash";
      };
    };

    loginAccounts = {
      "contact@${mailDomain}" = {
        hashedPasswordFile = config.sops.secrets."mailserver/contact".path;
        aliases = [
          "root@${mailDomain}"
          "postmaster@${mailDomain}"
          "security@${mailDomain}"
          "abuse@${mailDomain}"
          "webmaster@${mailDomain}"
          "admin@${mailDomain}"
          "info@${mailDomain}"
          "support@${mailDomain}"
        ];
      };
    };
    certificateScheme = "acme";
  };
}