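# NixOS module wrapping nixos-mailserver: derives the mail host name from
# `networking.domain`, maps a small `mailserver.accounts` option onto
# `mailserver.loginAccounts`, and provisions one sops secret (the password
# hash) per account.
{ inputs, config, lib, pkgs, ... }:
let
  cfg = config.mailserver;
  domain = config.networking.domain;
  # Mail host name (e.g. <subdomain>.<domain>); it doubles as the ACME
  # certificate name and as the name nixos-mailserver advertises, so it has to
  # match the host's forward and reverse DNS.
  fqdn = "${cfg.subdomain}.${domain}";
  inherit (lib) mapAttrs' mkDefault mkIf mkOption nameValuePair types;
in
{
  imports = [ inputs.nixos-mailserver.nixosModules.mailserver ];

  options.mailserver = {
    subdomain = mkOption {
      type = types.str;
      default = "mail";
      description = "Subdomain for rDNS";
    };

    accounts = mkOption {
      type = types.attrsOf (
        types.submodule {
          options = {
            aliases = mkOption {
              type = types.listOf types.str;
              default = [ ];
              description = "A list of aliases of this account. `@domain` will be appended automatically.";
            };
            sendOnly = mkOption {
              type = types.bool;
              default = false;
              description = "Specifies if the account should be a send-only account.";
            };
          };
        }
      );
      default = { };
      description = ''
        This option wraps `loginAccounts`. Each attribute `<user>` becomes
        `loginAccounts."<user>@<domain>"`, whose `name` is set to `<user>@<domain>`
        and whose password hash is read from the sops secret `mailserver/accounts/<user>`.
      '';
    };
  };

  # `cfg.enable` is `mailserver.enable`, declared by the imported
  # nixos-mailserver module; nothing below is applied unless it is set.
  config = mkIf cfg.enable {
    assertions = [
      {
        # An empty subdomain would yield the fqdn ".<domain>".
        assertion = cfg.subdomain != "";
        message = "cryodev/nixos/mailserver: config.mailserver.subdomain cannot be empty.";
      }
    ];

    mailserver = {
      fqdn = mkDefault fqdn;
      domains = mkDefault [ domain ];
      # stateVersion 3 requires the new mail directory structure
      # For new installations, this is the correct value
      # For existing installations, see: https://nixos-mailserver.readthedocs.io/en/latest/migrations.html
      stateVersion = mkDefault 3;

      # One login account per entry of `mailserver.accounts`, keyed by the
      # full address. The keys here and in `sops.secrets` below are derived
      # from the same attribute set, so every account has a matching secret.
      loginAccounts = mapAttrs' (
        user: accConf:
        nameValuePair "${user}@${domain}" {
          name = "${user}@${domain}";
          aliases = map (alias: "${alias}@${domain}") (accConf.aliases or [ ]);
          sendOnly = accConf.sendOnly;
          quota = mkDefault "5G";
          # The hash is provisioned at runtime by sops-nix rather than being
          # written into the Nix store.
          hashedPasswordFile = config.sops.secrets."mailserver/accounts/${user}".path;
        }
      ) cfg.accounts;

      # Use ACME for certificate
      x509.useACMEHost = mkDefault fqdn;
    };

    # ACME certificate for mail server
    security.acme.certs.${fqdn} = { };
    security.acme = {
      acceptTerms = true;
      # NOTE(review): contact address is hard-coded to one domain while the
      # rest of the module is derived from `networking.domain`; consider
      # `"postmaster@${domain}"` if this module is reused elsewhere.
      defaults.email = mkDefault "postmaster@cryodev.xyz";
      defaults.webroot = mkDefault "/var/lib/acme/acme-challenge";
    };

    environment.systemPackages = [ pkgs.mailutils ];

    sops = {
      # One secret per account holding the password hash consumed by
      # `hashedPasswordFile` above.
      secrets = mapAttrs' (
        user: _config:
        nameValuePair "mailserver/accounts/${user}" {
          # Restart the MTA and the IMAP server when a hash is rotated.
          # NixOS names its Dovecot unit `dovecot2.service`; the previous
          # `dovecot.service` does not exist, so Dovecot kept serving the
          # stale hash until its next restart.
          restartUnits = [ "postfix.service" "dovecot2.service" ];
        }
      ) cfg.accounts;
    };
  };
}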