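# NixOS module: maddy mail server for this host.
# Account passwords come from sops-nix, TLS material is read from the acme
# directory, and the implicit-TLS listeners (IMAPS/SMTPS) are patched into the
# module's default config string.
{ config, pkgs, ... }@all:
with all;
let
  # One list of local-part names drives the sops secrets, ensureAccounts and
  # ensureCredentials, so the three stay in step.
  maddyAccounts = [ "nxcaldav" "lennart" "daniel" ];
  secretName = user: "nx2site/maddy/${user}_password";

  # Every password file is owned by the maddy service user and readable only
  # by it; a single shared attribute set keeps the permissions consistent.
  secretPerms = { owner = "maddy"; group = "maddy"; mode = "600"; };

  # Listener lines as shipped by the module's default config, mapped to the
  # replacement that puts an implicit-TLS listener (IMAPS 993, SMTPS 465) in
  # front of the existing plaintext/STARTTLS one.
  tlsListeners = {
    "imap tcp://0.0.0.0:143" = "imap tls://0.0.0.0:993 tcp://0.0.0.0:143";
    "submission tcp://0.0.0.0:587" = "submission tls://0.0.0.0:465 tcp://0.0.0.0:587";
  };
  defaultConfig = options.services.maddy.config.default;

  # A needle occurs in `s` exactly when deleting it changes the string.
  hasInfix = needle: s: builtins.replaceStrings [ needle ] [ "" ] s != s;
  missing = builtins.filter (n: !(hasInfix n defaultConfig)) (builtins.attrNames tlsListeners);
in
{
  sops.secrets = builtins.listToAttrs (map (user: {
    name = secretName user;
    value = secretPerms;
  }) maddyAccounts);

  # acme: needed to read the certificate/key under /var/lib/acme.
  # nginx: presumably the acme directory is group-owned by nginx on this
  # host — confirm before removing.
  users.users."maddy".extraGroups = [ "acme" "nginx" ];

  services.maddy = {
    enable = true;
    primaryDomain = hyper.domain;
    user = "maddy";
    group = "maddy";
    hostname = "mail.${hyper.domain}";

    ensureAccounts = map (user: "${user}@${hyper.domain}") maddyAccounts;
    ensureCredentials = builtins.listToAttrs (map (user: {
      name = "${user}@${hyper.domain}";
      value.passwordFile = config.sops.secrets.${secretName user}.path;
    }) maddyAccounts);

    # NOTE(review): openFirewall only covers the listeners the module itself
    # configures; whether 465/993 (added by the config patch below) are opened
    # as well depends on the nixpkgs revision — verify, or list them in
    # networking.firewall.allowedTCPPorts explicitly.
    openFirewall = true;

    tls = {
      loader = "file";
      # Hard-coded acme directory while everything else is derived from
      # hyper.domain; assumes hyper.domain == "nx2.site" — confirm.
      certificates = [{
        keyPath = "/var/lib/acme/nx2.site/key.pem";
        certPath = "/var/lib/acme/nx2.site/cert.pem";
      }];
    };

    # Enable TLS listeners. Configuring this via the module is not yet
    # implemented, see https://github.com/NixOS/nixpkgs/pull/153372
    #
    # This is a textual patch of the module default. If nixpkgs ever changes
    # those listener lines, replaceStrings would silently match nothing and the
    # implicit-TLS listeners would vanish, so fail evaluation instead.
    config =
      if missing == [ ] then
        builtins.replaceStrings (builtins.attrNames tlsListeners)
          (builtins.attrValues tlsListeners) defaultConfig
      else
        throw "services.maddy.config: module default no longer contains: ${builtins.concatStringsSep ", " missing}; update the TLS listener patch";
  };
}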