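# NixOS module: mail server for `mail.<domain>` plus an nginx vhost on the same
# name that only redirects browsers to the main site.
#
# The original listing was collapsed onto one line, so the first `#` comment
# swallowed the rest of the file; line structure is restored here, with no
# option values changed.
{ config, ... }:
let
  inherit (config.networking) domain;
  # Public host name of the mail server (MX / IMAP / SMTP endpoint).
  mail_host = "mail.${domain}";
in
{
  # Add the mail host as an extra name on the certificate issued for ${domain},
  # so the mail daemons and the nginx vhost below share one certificate.
  security.acme.certs."${domain}".extraDomainNames = [ mail_host ];

  # services.dovecot2.sieve.extensions = [ "fileinto" ]; # sieves break without this for some reason

  mailserver = {
    enable = true;
    fqdn = mail_host;
    domains = [ domain ];

    # A list of all login accounts. To create the password hashes, use
    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
    #
    # NOTE(review): `./mailpass/<name>` is a Nix path literal. Path literals are
    # copied into the Nix store at evaluation time, and the store is
    # world-readable, so every local user (and anyone who receives this
    # closure or the repository) can read the bcrypt hashes and attack them
    # offline. Prefer a string path to a file provisioned outside the store
    # (for example by a secrets tool such as sops-nix or agenix) with
    # restrictive permissions.
    loginAccounts = {
      "contact@${domain}" = {
        hashedPasswordFile = ./mailpass/contact;
        aliases = [ "kontakt@${domain}" ];
      };
      "admin@${domain}" = {
        hashedPasswordFile = ./mailpass/admin;
      };
      "grimmauld@${domain}" = {
        hashedPasswordFile = ./mailpass/grimmauld;
      };
    };

    # "manual" scheme: the mail server does not request a certificate itself.
    # It is pointed at the files that security.acme maintains for ${domain}
    # (mail_host is covered through extraDomainNames above).
    # NOTE(review): with a manually supplied certificate, confirm that the mail
    # daemons are reloaded after each ACME renewal and that they can read
    # key.pem; neither is configured in this file.
    certificateScheme = "manual";
    certificateFile = "/var/lib/acme/${domain}/fullchain.pem";
    keyFile = "/var/lib/acme/${domain}/key.pem";
  };

  services.nginx = {
    enable = true;
    virtualHosts."${mail_host}" = {
      # you should NOT be here from a browser :P
      serverName = mail_host;
      forceSSL = true;
      # Reuse the certificate issued for ${domain} instead of requesting one
      # for this vhost. Presumably the ${domain} certificate itself is set up
      # elsewhere in the configuration; verify.
      useACMEHost = domain;
      # Temporary redirect (307) of every request to the main site.
      locations."/" = {
        return = "307 https://${domain}";
      };
    };
  };
}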