{ config, inputs, lib, ... }:

let
  inherit (config) mailserver;
  inherit (config.services) opendkim;
  domain = lib.my.domain;
  redisDefault = config.services.redis.servers.default;
  cert = config.certs.${domain.shire};

  # One decrypted DKIM private key per hosted domain: the encrypted secret
  # lives under `secrets/dkim-key-<name>` in the flake, is written into the
  # mailserver's `dkimKeyDirectory` as `<domain>.<selector>.key`, and is owned
  # by the opendkim user/group so only the signer can read it.
  dkimKey = name: hostDomain:
    lib.nameValuePair "dkim-key-${name}" {
      file = "${inputs.self}/secrets/dkim-key-${name}";
      path = "${mailserver.dkimKeyDirectory}/${hostDomain}.${mailserver.dkimSelector}.key";
      owner = opendkim.user;
      inherit (opendkim) group;
    };
in
{
  imports = [ inputs.mailserver.nixosModule ];

  # Redis?
  # Mail state directories handed to the `ark` module (presumably for backup
  # or persistence — confirm against that module's definition).
  ark.directories = [
    "/var/lib/dovecot"
    "/var/lib/postfix"
    config.security.dhparams.params.dovecot2.path
    mailserver.dkimKeyDirectory
    mailserver.mailDirectory
    mailserver.sieveDirectory
  ];

  secrets = lib.listToAttrs [
    (dkimKey "azahi-cc" domain.azahi)
    (dkimKey "rohan-net" domain.rohan)
    (dkimKey "gondor-net" domain.gondor)
    (dkimKey "shire-net" domain.shire)
  ];

  nixfiles.modules = {
    acme.enable = true;
    redis.enable = true;
  };

  mailserver = {
    enable = true;

    # Disable potentially insecure[1] STARTTLS connections. SSL-only connections
    # are still enabled by default.
    #
    # [1]: https://www.rfc-editor.org/rfc/rfc3207#section-6
    enableImap = false;
    enablePop3 = false;
    enableSubmission = false;

    fqdn = config.networking.domain;
    domains = [ domain.azahi domain.gondor domain.rohan domain.shire ];

    localDnsResolver = false;

    # Reuse the certificate registered under `config.certs` for the shire
    # domain instead of letting the mailserver module obtain its own.
    certificateScheme = "manual";
    certificateFile = "${cert.directory}/fullchain.pem";
    keyFile = "${cert.directory}/key.pem";

    lmtpSaveToDetailMailbox = "no";

    # Point the mailserver at the host-wide "default" redis instance rather
    # than the dedicated one it would otherwise use (see the override below).
    redis = {
      address = redisDefault.bind;
      inherit (redisDefault) port;
      # NOTE(review): requirePass is passed as a plain string and presumably
      # ends up in a world-readable Nix store path of the rendered service
      # config — confirm the instance is loopback-only, or prefer a file-based
      # password option if the module offers one.
      password = redisDefault.requirePass;
    };

    # Just a list of accounts with aliases and hashedPasswords. Not necessarily
    # secret, but kept from prying eyes.
    loginAccounts = import ./accounts.nix lib;
  };

  # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/241
  # Force the module's own "rspamd" redis server off and make rspamd wait for
  # the shared "default" instance instead.
  services.redis.servers.rspamd.enable = lib.mkForce false;
  systemd.services.rspamd = {
    requires = lib.mkForce [ "redis-default.service" ];
    after = lib.mkForce [ "redis-default.service" ];
  };

  # Ban clients that repeatedly fail authentication against either the
  # dovecot (IMAP/POP3) or postfix (SMTP) side.
  services.fail2ban.jails = {
    dovecot = {
      enabled = true;
      settings.mode = "aggressive";
    };
    postfix = {
      enabled = true;
      settings.mode = "aggressive";
    };
  };
}