# NixOS module for a single-domain mail stack: the `mailserver` options
# (they look like simple-nixos-mailserver's, TODO confirm which module provides
# them), Roundcube webmail on mail.<fqdn>, and Radicale CalDAV/CardDAV published
# through nginx on cal.<fqdn>. All credentials are referenced by path from
# sops-managed secrets.
{config, ...}: let
  # Domain facts come from the site's own `customOps.domain` options, which are
  # declared outside this file.
  site = config.customOps.domain;

  # "postmaster" -> "postmaster@<fqdn>"
  at = local: "${local}@${site.fqdn}";

  # Path of a secret declared under `sops.secrets`.
  secretFile = key: config.sops.secrets.${key}.path;

  # One auto-subscribed IMAP folder whose special-use flag equals its name.
  specialFolder = use: {
    name = use;
    value = {
      auto = "subscribe";
      specialUse = use;
    };
  };
in {
  # Each secret is owned by the one service account that has to read it.
  # NOTE(review): confirm `dovecot2` is the account that actually reads the
  # mail password-hash files at service start.
  sops.secrets = {
    radicale.owner = "radicale";
    "mailserver/contact".owner = "dovecot2";
    "mailserver/dmarc".owner = "dovecot2";
    "mailserver/root".owner = "dovecot2";
  };

  mailserver = {
    enable = true;
    stateVersion = 3;

    fqdn = site.fqdn;
    systemDomain = site.fqdn;
    systemName = site.fqdn;
    domains = [site.fqdn];

    # Server certificate is obtained via ACME rather than supplied by hand.
    certificateScheme = "acme";

    virusScanning = true;
    dmarcReporting.enable = true;
    fullTextSearch.enable = true;

    mailboxes = builtins.listToAttrs (map specialFolder [
      "Archive"
      "Drafts"
      "Junk"
      "Sent"
      "Trash"
    ]);

    # Every account takes its credential from `hashedPasswordFile`; going by
    # the option name, the secret must hold a password hash, never plaintext.
    loginAccounts = {
      # Receives DMARC aggregate (rua) and forensic (ruf) reports.
      ${at "dmarc"} = {
        hashedPasswordFile = secretFile "mailserver/dmarc";
        aliases = map at ["rua" "ruf"];
      };

      # Role addresses (postmaster, security, abuse, ...) all land in this one
      # mailbox, so it is the inbox that has to be monitored for abuse and
      # vulnerability reports.
      ${at "root"} = {
        hashedPasswordFile = secretFile "mailserver/root";
        aliases = map at [
          "postmaster"
          "security"
          "abuse"
          "webmaster"
          "info"
          "support"
        ];
        # Routes every address starting with "admin." at <name>.<tld> to root.
        # `name` and `tld` are interpolated into the pattern unescaped, so a
        # "." inside either would match any character.
        # NOTE(review): the pattern assumes fqdn == "<name>.<tld>"; confirm.
        aliasesRegexp = [
          "/^admin\\..*@${site.name}\\.${site.tld}$/"
        ];
      };

      # Catch-all: mail for any otherwise unknown local part is accepted and
      # delivered here, so unknown recipients are never rejected at SMTP time.
      # Expect this mailbox to collect spam and misaddressed mail.
      # NOTE(review): the "@<fqdn>" alias and `catchAll` look like two ways of
      # declaring the same catch-all; confirm whether both are needed.
      ${at "contact"} = {
        hashedPasswordFile = secretFile "mailserver/contact";
        aliases = ["@${site.fqdn}"];
        catchAll = [site.fqdn];
      };
    };
  };

  # Webmail. The `ssl://` scheme makes Roundcube use implicit TLS for both IMAP
  # and SMTP submission; %u / %p reuse the logged-in user's IMAP credentials
  # for SMTP authentication. The hosts point at <fqdn>, the same name that
  # `mailserver.fqdn` is set to above.
  services.roundcube = {
    enable = true;
    hostName = "mail.${site.fqdn}";
    extraConfig = ''
      $config['imap_host'] = "ssl://${site.fqdn}";
      $config['smtp_host'] = "ssl://${site.fqdn}";
      $config['smtp_user'] = "%u";
      $config['smtp_pass'] = "%p";
    '';
  };

  # CalDAV/CardDAV. Users authenticate against a bcrypt htpasswd file that is
  # delivered as a sops secret.
  services.radicale = {
    enable = true;
    settings.auth = {
      type = "htpasswd";
      htpasswd_encryption = "bcrypt";
      htpasswd_filename = secretFile "radicale";
    };
  };

  # TLS terminates at nginx; the hop to Radicale is plain HTTP to localhost.
  # `forceSSL` redirects HTTP to HTTPS, which matters because clients send
  # their credentials in the Authorization header.
  # NOTE(review): nothing in this file restricts where Radicale listens on
  # port 5232; confirm it is bound to loopback only.
  services.nginx = {
    enable = true;
    virtualHosts."cal.${site.fqdn}" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:5232/";
        extraConfig = ''
          proxy_set_header X-Script-Name /;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_pass_header Authorization;
        '';
      };
    };
  };
}