{ config, ... }:
let
  secrets = config.sops.secrets;

  # Shared LDAP naming pieces; every filter below is restricted to members of
  # the mail group so that an LDAP account alone does not grant mailbox access.
  baseDn = "dc=procopius,dc=dk";
  mailGroup = "cn=mail,ou=groups,${baseDn}";
  # Common prefix of the Postfix and Dovecot filters: a person entry in the mail group.
  memberFilter = "(&(objectClass=person)(memberOf=${mailGroup})";
in
{
  # Secrets are provisioned by sops-nix; the services below consume them via
  # `.path` at runtime instead of having the plaintext values in the Nix store.
  sops.secrets = {
    "service_accounts/mail/password" = { };
    "cloudflare/dns-api-token" = { };
    "cloudflare/zone-api-token" = { };
  };

  mailserver = {
    enable = true;
    stateVersion = 3;
    fqdn = "mail.procopius.dk";
    domains = [ "procopius.dk" ];
    dmarcReporting.enable = true;
    localDnsResolver = false;

    ldap = {
      enable = true;
      # NOTE(review): plain ldap:// — the bind password (and, if Dovecot
      # authenticates by binding as the user, user passwords) crosses this link
      # unencrypted. Only acceptable if auth.lab is reached over a trusted
      # network path; confirm, or use an ldaps:// URI.
      uris = [ "ldap://auth.lab:3890" ];
      bind = {
        dn = "cn=mail,ou=people,${baseDn}";
        passwordFile = secrets."service_accounts/mail/password".path;
      };
      postfix = {
        # Accepts a recipient if it matches the primary address or an alias attribute.
        filter = "${memberFilter}(|(mail=%s)(mail-alias=%s)))";
        # Will require MR!351 for aliases to work properly
        mailAttribute = "mail";
      };
      dovecot = {
        userFilter = "${memberFilter}(mail=%u))";
        passFilter = "${memberFilter}(mail=%u))";
      };
      searchBase = "ou=people,${baseDn}";
    };

    certificateScheme = "acme";
    acmeCertificateName = "mail.procopius.dk";
  };

  # ACME via Cloudflare DNS challenge; the API tokens are read from the
  # sops-managed files at runtime, never embedded in the configuration.
  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "david.mikael@proton.me";
      dnsProvider = "cloudflare";
      dnsResolver = "1.1.1.1:53";
      credentialFiles = {
        "CF_DNS_API_TOKEN_FILE" = secrets."cloudflare/dns-api-token".path;
        "CF_ZONE_API_TOKEN_FILE" = secrets."cloudflare/zone-api-token".path;
      };
    };
  };
}