# NixOS module: a single-domain mail server built on simple-nixos-mailserver.
# The only login account is "<systemConfig.username>@<common.domain>"; its
# password hash is supplied through a sops-nix secret.
{ config, inputs, common, systemConfig, ... }:
let
  # Name of the sops-nix secret that stores the account's password hash.
  hashSecret = "mailserver/password-hash";

  mailDomain = common.domain;
  loginAddress = "${systemConfig.username}@${mailDomain}";
in
{
  imports = [ inputs.simple-nixos-mailserver.nixosModule ];

  # neededForUsers asks sops-nix to decrypt this secret early, before user
  # accounts are created.
  # NOTE(review): the only consumer visible in this file is the mailserver
  # login account below, not a system user. Confirm that early decryption is
  # actually required here.
  sops.secrets.${hashSecret} = {
    neededForUsers = true;
  };

  # Inbound mail ports exposed to the network:
  #   25  - SMTP (server-to-server delivery)
  #   465 - message submission over implicit TLS
  #   587 - message submission
  # NOTE(review): simple-nixos-mailserver has its own `openFirewall` option.
  # Check whether this explicit list duplicates it, and review the full set of
  # listening ports (including the port 80 mentioned below) on the deployed host.
  networking.firewall.allowedTCPPorts = [ 25 465 587 ];

  mailserver = {
    enable = true;
    # stateVersion = 1; TODO uncomment on 25.11

    fqdn = "mail.${mailDomain}";
    domains = [ mailDomain ];

    # TLS certificates come from Let's Encrypt. This scheme sets up a
    # stripped-down nginx and opens port 80 for it.
    certificateScheme = "acme-nginx";

    # All login accounts. Generate a password hash with
    #   nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
    # and store it in the sops secret named above. The hash is referenced by
    # the secret's file path rather than written inline, which keeps it out of
    # the Nix store.
    loginAccounts.${loginAddress} = {
      hashedPasswordFile = config.sops.secrets.${hashSecret}.path;
    };
  };
}