# NixOS module: maddy mail server for rory.gay, with implicit-TLS IMAP (993)
# and submission (465) listeners added on top of the module's default config.
{ pkgs, options, config, ... }:
let
  # Config text shipped as the default of the services.maddy.config option.
  upstreamDefault = options.services.maddy.config.default;

  # Listener declarations expected to appear verbatim in the default config.
  plainListeners = [
    "imap tcp://0.0.0.0:143"
    "submission tcp://0.0.0.0:587"
  ];

  # Same listeners with an implicit-TLS endpoint prepended; the tcp://
  # endpoints are kept.
  # NOTE(review): confirm that clients cannot authenticate in cleartext on
  # the retained tcp:// endpoints (143/587).
  tlsListeners = [
    "imap tls://0.0.0.0:993 tcp://0.0.0.0:143"
    "submission tls://0.0.0.0:465 tcp://0.0.0.0:587"
  ];
in
{
  services.maddy = {
    enable = true;
    primaryDomain = "rory.gay";
    hostname = "mail.rory.gay";

    ensureAccounts = [ "root@rory.gay" ];
    # The password is referenced by path rather than written inline, so the
    # secret itself is not part of this expression.
    # NOTE(review): the file has to be provisioned out of band; verify it is
    # readable only by the maddy user.
    ensureCredentials."root@rory.gay".passwordFile = "/var/lib/maddy/passwd/root";

    # builtins.replaceStrings leaves the text untouched when a search string
    # is absent, so if the default config ever changes wording the TLS
    # listeners silently disappear while the firewall below still opens
    # 993/465. Re-check the rendered config after nixpkgs upgrades.
    config = builtins.replaceStrings plainListeners tlsListeners upstreamDefault;

    tls = {
      loader = "file";
      certificates = [
        {
          certPath = "/var/lib/acme/mail.rory.gay/fullchain.pem";
          keyPath = "/var/lib/acme/mail.rory.gay/key.pem";
        }
      ];
    };
  };

  # Only the implicit-TLS ports are opened here. 143 and 587 are still bound
  # on 0.0.0.0 by the config above; whether they (or any other port) are
  # opened elsewhere is not visible from this module.
  networking.firewall.allowedTCPPorts = [ 993 465 ];

  # Presumably lets maddy read the certificate and key under /var/lib/acme,
  # which would then be owned by the nginx group (confirm). Membership also
  # grants access to everything else that group can read; a certificate-
  # specific group (e.g. via security.acme.certs."mail.rory.gay".group)
  # would be a narrower grant.
  users.users.maddy.extraGroups = [ "nginx" ];
}