# NixOS module: mail server for procopius.dk, with accounts looked up over LDAP
# and TLS certificates obtained through ACME.
{config, ...}: let
  # sops-nix key of the LDAP bind password. Referencing the secret by its
  # `.path` hands the mailserver module a file path instead of the password.
  mailBindSecret = "service_accounts/mail/password";

  # Dovecot uses the same filter for user lookup and for password
  # verification: only `person` entries that are members of the `mail` group
  # and whose `mail` attribute equals the login name (%u) match.
  dovecotAccountFilter = "(&(objectClass=person)(memberOf=cn=mail,ou=groups,dc=procopius,dc=dk)(mail=%u))";
in {
  # Declared with sops-nix defaults (no owner/mode override).
  # NOTE(review): confirm the defaults let the consumer of passwordFile read it.
  sops.secrets.${mailBindSecret} = {};

  mailserver = {
    enable = true;
    stateVersion = 3;
    fqdn = "mail.procopius.dk";
    domains = ["procopius.dk"];
    # NOTE(review): with the module's local resolver off, DNS lookups go
    # through whatever resolver the host is configured with; confirm that is
    # acceptable for DNS-based spam checks.
    localDnsResolver = false;

    ldap = {
      enable = true;
      # NOTE(review): `ldap://` is unencrypted LDAP. Unless this hop stays on a
      # trusted segment or inside a tunnel, the bind password and the
      # credentials checked against the directory cross it in cleartext.
      # Consider `ldaps://` or `mailserver.ldap.startTls` if the directory at
      # auth.lab supports it; verify before changing.
      uris = [
        "ldap://auth.lab:3890"
      ];
      bind = {
        dn = "cn=mail,ou=people,dc=procopius,dc=dk";
        passwordFile = config.sops.secrets.${mailBindSecret}.path;
      };
      postfix = {
        # Recipient lookup (%s): same group restriction as Dovecot, but it
        # also matches on the `mail-alias` attribute.
        filter = "(&(objectClass=person)(memberOf=cn=mail,ou=groups,dc=procopius,dc=dk)(|(mail=%s)(mail-alias=%s)))";
        # Will require MR!351 for aliases to work properly
        mailAttribute = "mail";
      };
      dovecot = {
        userFilter = dovecotAccountFilter;
        passFilter = dovecotAccountFilter;
      };
      # Searches are rooted at the people OU.
      searchBase = "ou=people,dc=procopius,dc=dk";
    };

    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = "acme-nginx";
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "david.mikael@proton.me";
  };
}