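# NixOS module for the mail.owo.monster mail host: the mailserver service
# (accounts, TLS material, rspamd), the Roundcube webmail front end, and the
# nginx socket the host-side reverse proxy connects to.
#
# Review fix: Roundcube's `smtp_debug` was `true`. That option logs the full
# SMTP conversation — including the AUTH exchange that carries the user's
# credentials — to the configured log driver (syslog here), so it must not
# stay on in a deployed configuration. Everything else is unchanged; remaining
# security-relevant settings are annotated with NOTE(review) comments.
{ pkgs, hostSecrets, ... }:
let
  secrets = hostSecrets;
in
{
  services.mailserver = {
    enable = true;
    fqdn = "mail.owo.monster";
    domains = [ "owo.monster" ];

    # NOTE(review): verbose mailserver logging is left on. What this option
    # records is defined by the module, not visible here — confirm it is
    # wanted on a production host and turn it off once troubleshooting is done.
    debugMode = true;

    # Certificates are provisioned outside this module (paths under the ACME
    # state directory); they must exist, and be readable by the mail services,
    # before the services start.
    sslConfig = {
      useACME = false;
      cert = "/var/lib/acme/mail.owo.monster/fullchain.pem";
      key = "/var/lib/acme/mail.owo.monster/key.pem";
    };

    rspamd.enable = true;
    # NOTE(review): the module's own SPF handling is disabled. rspamd ships an
    # SPF module of its own — confirm inbound mail is still SPF-checked by it,
    # otherwise sender-domain forgery is not detected on this host.
    spf.enable = false;

    # Mailbox credentials come from the host secret store as hash files; no
    # password material is written into the Nix store by this module.
    accounts = {
      "chaos@owo.monster" = {
        passwordHashFile = "${secrets.chaos_mail_passwd.path}";
        aliases = [
          "all@owo.monster"
          "chaoticryptidz@owo.monster"
        ];
      };
      "system@owo.monster" = {
        passwordHashFile = "${secrets.system_mail_passwd.path}";
      };
      "gotosocial@owo.monster" = {
        passwordHashFile = "${secrets.gotosocial_mail_passwd.path}";
      };
    };
    extraAliasesFile = "${secrets.private_mail_aliases.path}";

    roundcube = {
      enable = true;
      package = pkgs.roundcube.withPlugins (_plugins: with pkgs.roundcubePlugins; [ persistent_login ]);
      plugins = [ "persistent_login" ];

      # Running in a container; TLS is terminated on the host, which reaches
      # this nginx over the unix socket configured below. That is why neither
      # HTTPS redirection nor ACME is handled here.
      # NOTE(review): with TLS terminated upstream, Roundcube only sees plain
      # HTTP — confirm the host proxy forwards the scheme (X-Forwarded-Proto)
      # so session cookies are still issued with the Secure flag.
      forceSSL = false;
      enableACME = false;

      # Roundcube's session_lifetime is in minutes: 60*24*7*2 = 14 days.
      # NOTE(review): a two-week server-side session on top of the
      # persistent_login plugin means a stolen cookie stays valid for a long
      # time; shorten it if the users do not need it.
      #
      # smtp_debug is deliberately false: enabling it logs the SMTP dialogue,
      # AUTH exchange included, into syslog.
      extraConfig = ''
        $config['session_lifetime'] = (60 * 24 * 7 * 2); # 2 Weeks
        $config['product_name'] = 'Chaos Mail';
        $config['username_domain'] = "owo.monster";
        $config['username_domain_forced'] = true;
        $config['log_driver'] = 'syslog';
        $config['smtp_debug'] = false;
      '';
    };
  };

  # Directory for the unix socket nginx listens on (created for the nginx
  # user; the mode field is left at its tmpfiles default).
  # NOTE(review): the socket file's permissions are whatever nginx creates it
  # with — check who on the host side can connect to it, since the socket is
  # the unauthenticated path into webmail.
  systemd.tmpfiles.rules = [
    "d /var/sockets - nginx nginx"
  ];
  # nginx runs with a restricted filesystem view; it needs write access to the
  # socket directory to create the listener.
  systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/sockets" ];

  services.nginx.virtualHosts."mail.owo.monster" = {
    # Running in privateNetwork. A loopback listener is declared so nginx does
    # not try to bind port 80; the real entry point is the unix socket.
    listen = [
      {
        addr = "127.0.0.1";
        port = 8089;
      }
    ];
    extraConfig = "listen unix:/var/sockets/roundcube.sock;";
  };
}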