# NixOS module: single-domain mail host built on simple-nixos-mailserver.
#
# Declares one login account whose password hash is read from a sops-nix
# secret, and forces the nginx virtual host for the mail FQDN onto two
# plain-HTTP listeners on port 8003.
{ lib, config, inputs, common, systemConfig, ... }:

let
  cfg = config.mailserver;

  # Name of the sops secret that holds the account's password hash.
  hashSecret = "mailserver/password-hash";

  # The only mailbox declared here: <username>@<domain>.
  accountAddress = "${systemConfig.username}@${common.domain}";

  # Build one nginx listener entry for `addr`: port 8003, TLS disabled.
  plainListener = addr: {
    inherit addr;
    port = 8003;
    ssl = false;
  };
in
{
  imports = [ inputs.simple-nixos-mailserver.nixosModule ];

  mailserver = {
    enable = true;
    # stateVersion = 1; TODO uncomment on 25.11

    fqdn = "mail.${common.domain}";
    domains = [ common.domain ];

    # Login accounts. To create the password hash, use
    #   nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
    # Only the path of the decrypted secret is referenced here, so the hash
    # itself is not written into this file.
    loginAccounts.${accountAddress}.hashedPasswordFile =
      config.sops.secrets.${hashSecret}.path;

    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    # certificateScheme = "acme-nginx";
    #
    # NOTE(review): with certificateScheme left unset, the default of the
    # pinned simple-nixos-mailserver revision applies. Confirm which scheme
    # that is and that mail clients are presented a certificate they can
    # validate.
  };

  # security.acme.acceptTerms = true;
  # security.acme.defaults.email = "security@example.com";

  # mkForce replaces any listeners other modules define for this vhost.
  # NOTE(review): both listeners are unencrypted HTTP, one on loopback and one
  # on a hard-coded LAN address. Presumably a reverse proxy in front of this
  # host terminates TLS; confirm that, and confirm the firewall only lets that
  # proxy reach port 8003 on the LAN address.
  services.nginx.virtualHosts.${cfg.fqdn} = {
    listen = lib.mkForce (map plainListener [
      "127.0.0.1"
      "192.168.10.188"
    ]);
  };

  # NOTE(review): neededForUsers is the sops-nix switch for secrets that must
  # be available while system users are created. The consumer here is a
  # mailserver login account, so verify the flag is actually required.
  sops.secrets.${hashSecret} = {
    neededForUsers = true;
  };
}