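# maddy mail server for the nx2site host.
#
# Provides one mailbox per entry in `mailUsers` (passwords from sops), serves
# IMAP/submission with STARTTLS and implicit TLS using the ACME certificate
# on disk, and exposes an unauthenticated loopback-only SMTP relay on port
# 2525 for local applications.
#
# `with all;` brings the remaining module arguments (`options`, `hyper`, ...)
# into scope; `config` and `pkgs` keep their explicit bindings.
{ config, pkgs, ... }@all:
with all;
let
  # Every mailbox is `<user>@${hyper.domain}` and its password is the sops
  # secret `nx2site/maddy/<user>_password`. Adding a mailbox is a one-line
  # change here, so the secret, the account and its credential cannot drift
  # apart (the original spelled each of the three out seven times by hand).
  mailUsers = [ "nxcaldav" "nextcloud" "lennart" "daniel" "diane" "georg" "tessa" ];

  secretName = user: "nx2site/maddy/${user}_password";
  address = user: "${user}@${hyper.domain}";

  # Attribute set with one entry per mail user, built from `f user`, which
  # must return `{ name; value; }`.
  perUser = f: builtins.listToAttrs (map f mailUsers);

  # Builtins-only substring test (avoids depending on `lib` being in `all`).
  hasInfix = needle: haystack:
    builtins.replaceStrings [ needle ] [ "" ] haystack != haystack;

  # The upstream module only emits plaintext listeners. Rewrite them so that
  # implicit-TLS IMAPS (993) and SMTPS (465) are offered next to STARTTLS on
  # 143/587. Configuring this through the module is not yet implemented, see
  # https://github.com/NixOS/nixpkgs/pull/153372
  defaultConfig = options.services.maddy.config.default;
  plainListeners = [
    "imap tcp://0.0.0.0:143"
    "submission tcp://0.0.0.0:587"
  ];
  tlsListeners = [
    "imap tls://0.0.0.0:993 tcp://0.0.0.0:143"
    "submission tls://0.0.0.0:465 tcp://0.0.0.0:587"
  ];

  # builtins.replaceStrings silently does nothing when a needle is absent, so
  # a wording change in the upstream default would drop the TLS listeners
  # without any error and leave only plaintext/STARTTLS ports. Fail evaluation
  # instead so the rewrite has to be revisited.
  tlsConfig =
    if builtins.all (needle: hasInfix needle defaultConfig) plainListeners
    then builtins.replaceStrings plainListeners tlsListeners defaultConfig
    else throw ''
      services.maddy: the upstream default config no longer contains the
      expected plaintext listeners (${builtins.concatStringsSep ", " plainListeners});
      update the tls:// listener rewrite in this module.
    '';

  # Loopback relay for local applications.
  #
  # Trust model: there is no `auth` and no `check` stanza on this endpoint, so
  # every local process — any UID, not just maddy or the intended apps — can
  # submit mail with an arbitrary MAIL FROM and have it delivered locally or
  # relayed to the internet under this domain's DKIM signature, and nothing
  # like SPF/DKIM/rDNS verification runs on what is submitted here. That is
  # acceptable only while the host has no untrusted local users and the
  # listener stays bound to 127.0.0.1; if either changes, add `auth` (or a
  # `check { authorize_sender ... }` stanza) before relying on it.
  localRelay = ''
    smtp tcp://127.0.0.1:2525 {
      tls off

      # 1. Local delivery (e.g. an app mailing postmaster/admin@${hyper.domain}).
      destination postmaster $(local_domains) {
        deliver_to &local_routing
      }

      # 2. Remote delivery (e.g. an app mailing a gmail.com address).
      default_destination {
        modify {
          # Sign outgoing mail even when it enters via 2525, so remote
          # receivers see the same DKIM signature as for port 587 mail.
          dkim $(primary_domain) $(local_domains) default
        }
        deliver_to &remote_queue
      }
    }
  '';
in
{
  # One sops secret per mailbox, readable only by the maddy user.
  sops.secrets = perUser (user: {
    name = secretName user;
    value = {
      owner = "maddy";
      group = "maddy";
      mode = "600";
    };
  });

  users.users."maddy" = {
    # `acme` so the key/cert referenced below are readable. `nginx` is
    # presumably because the certificate's group is set to nginx for the web
    # server — TODO confirm against the acme configuration; drop it if unused.
    extraGroups = [ "acme" "nginx" ];
  };

  # `openFirewall` below only knows about the listeners the upstream module
  # defines; 465/993 are added by our rewrite, so open them explicitly
  # (allowedTCPPorts merges, so this is harmless if the module opens them too).
  networking.firewall.allowedTCPPorts = [ 465 993 ];

  services.maddy = {
    enable = true;
    primaryDomain = hyper.domain;
    user = "maddy";
    group = "maddy";
    hostname = "mail.${hyper.domain}";

    ensureAccounts = map address mailUsers;
    ensureCredentials = perUser (user: {
      name = address user;
      value.passwordFile = config.sops.secrets.${secretName user}.path;
    });

    openFirewall = true;

    tls = {
      loader = "file";
      # NOTE(review): the certificate name is hard-coded to `nx2.site` while
      # the domain comes from `hyper.domain`; if those ever differ, the
      # hostname mail.${hyper.domain} will be served with a mismatching
      # certificate. The ACME cert name is not visible here, so this is left
      # as-is rather than interpolated — confirm and align the two.
      certificates = [{
        keyPath = "/var/lib/acme/nx2.site/key.pem";
        certPath = "/var/lib/acme/nx2.site/cert.pem";
      }];
    };

    config = tlsConfig + localRelay;
  };
}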