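# NixOS module: Stalwart mail server for mail.m4siri.com.
# Uses the stalwart-mail module and package from nixpkgs-unstable, ACME-issued
# certificates, RocksDB for storage and a local LDAP directory for accounts.
{ pkgs, nixpkgs-unstable, unstable, config, ... }:
{
  # Replace the module from the pinned nixpkgs with the one from unstable.
  disabledModules = [ "services/mail/stalwart-mail.nix" ];
  imports = [ "${nixpkgs-unstable}/nixos/modules/services/mail/stalwart-mail.nix" ];

  # Encrypted environment file; presumably carries STALWART_ADMIN_PW and
  # STALWART_SEARCH_PW, which the settings below read through %{env:...}%.
  secrets.stalwart-env = {
    file = ./secrets/stalwart-env.age;
    # Root-only. systemd's service manager reads EnvironmentFile itself, so the
    # stalwart-mail user needs no read access, and no other local account
    # should be able to read the admin and LDAP bind passwords.
    mode = "400";
  };

  systemd.services.stalwart-mail.serviceConfig = {
    EnvironmentFile = config.age.secrets.stalwart-env.path;
  };

  # Group membership so the service can read the certificate and key under
  # /var/lib/acme referenced below.
  users.users.stalwart-mail.extraGroups = [ "acme" ];

  services.stalwart-mail = {
    enable = true;
    package = unstable.stalwart-mail;
    openFirewall = true;

    settings = {
      certificate.default = {
        cert = "%{file:/var/lib/acme/mail.m4siri.com/fullchain.pem}%";
        private-key = "%{file:/var/lib/acme/mail.m4siri.com/key.pem}%";
        default = true;
      };

      http.url = "protocol + '://' + config_get('server.hostname')";

      # NOTE(review): "trace" is the most verbose level. On a mail server the
      # journal may then hold protocol-level detail about sessions and
      # messages; consider "info" outside debugging and keep journal access
      # restricted.
      tracer.stdout.level = "trace";

      server = {
        hostname = "mail.m4siri.com";

        # Server-wide default; individual listeners override it below.
        tls.implicit = false;

        # Authentication-failure threshold for banning a client address
        # (100 per day) - TODO confirm semantics for the Stalwart version in use.
        auto-ban.auth.rate = "100/1d";

        listener = {
          smtp = {
            protocol = "smtp";
            bind = "[::]:25";
          };

          submissions = {
            bind = "[::]:465";
            protocol = "smtp";
            tls.implicit = true;
          };

          # NOTE(review): 587 is conventionally the STARTTLS submission port
          # (465 is the implicit-TLS one). With tls.implicit = true, clients
          # that expect STARTTLS on 587 will fail to connect - confirm this is
          # intended.
          submission = {
            bind = "[::]:587";
            protocol = "smtp";
            tls.implicit = true;
          };

          # NOTE(review): pop3, imap and sieve listen on all addresses without
          # implicit TLS. Verify that credentials are refused before STARTTLS
          # on these ports, or drop the listeners if only 995/993 are used.
          pop3 = {
            bind = "[::]:110";
            protocol = "pop3";
          };

          pop3s = {
            bind = "[::]:995";
            protocol = "pop3";
            tls.implicit = true;
          };

          imap = {
            bind = "[::]:143";
            protocol = "imap";
          };

          imaps = {
            bind = "[::]:993";
            protocol = "imap";
            tls.implicit = true;
          };

          # Loopback only; presumably fronted by a reverse proxy - verify that
          # the proxy is the only path to the management interface.
          http = {
            bind = [ "127.0.0.1:8080" ];
            protocol = "http";
          };

          # NOTE(review): https and jmap below bind the same address and port
          # (127.0.0.1:1443) with the same protocol; one of them likely fails
          # to bind or is redundant - confirm and remove the duplicate.
          https = {
            bind = [ "127.0.0.1:1443" ];
            protocol = "http";
            tls.implicit = true;
          };

          jmap = {
            bind = [ "127.0.0.1:1443" ];
            protocol = "http";
            tls.implicit = true;
          };

          sieve = {
            bind = "[::]:4190";
            protocol = "managesieve";
          };
        };
      };

      # All data stores live in the RocksDB store defined below; accounts come
      # from the LDAP directory.
      storage.blob = "rocksdb";
      storage.data = "rocksdb";
      storage.directory = "ldap";
      storage.fts = "rocksdb";

      store = {
        "rocksdb" = {
          compression = "lz4";
          path = "/var/lib/stalwart-mail/data";
          type = "rocksdb";
        };
      };

      # Local administrator that does not depend on the directory. The secret
      # comes from the service environment rather than the world-readable
      # Nix store.
      authentication.fallback-admin = {
        user = "fallback-admin";
        secret = "%{env:STALWART_ADMIN_PW}%";
      };

      directory.ldap = {
        type = "ldap";
        # Plain LDAP without TLS: the search account's password and user
        # credentials cross this connection unencrypted. Acceptable only while
        # the directory stays on loopback; switch to TLS if it ever moves off
        # this host.
        url = "ldap://localhost:389";
        timeout = "30s";
        base-dn = "dc=m4siri,dc=com";
        tls.enable = false;

        bind = {
          dn = "cn=searchuser,ou=users,dc=m4siri,dc=com";
          secret = "%{env:STALWART_SEARCH_PW}%";

          # Users are verified by binding as the templated DN.
          # NOTE(review): with bind authentication the search account
          # presumably does not need read access to userPassword; confirm and
          # restrict the directory ACL accordingly.
          auth = {
            method = "template";
            template = "uid={local},ou=users,dc=m4siri,dc=com";
            search = true;
          };
        };

        filter = {
          name = "(&(objectClass=inetOrgPerson)(|(mail=?)(uid=?)))";
          email = "(&(objectClass=inetLocalMailRecipient)(|(mail=?)(mailLocalAddress=?)))";
        };

        attributes = {
          name = "uid";
          secret = "userPassword";
          email = "mail";
          email-alias = "mailLocalAddress";
        };
      };
    };
  };
}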