# Host module for the owo.monster mail server: the mail stack itself, the
# Roundcube webmail front end, and the nginx listeners Roundcube is served on.
# `host_secrets` supplies the runtime paths of secret files (account password
# files and the private alias map).
{host_secrets, ...}: let
  secrets = host_secrets;
in {
  config = {
    mailserver = {
      enable = true;
      fqdn = "mail.owo.monster";
      domains = ["owo.monster"];

      # useACME is off, yet the certificate and key are read from
      # /var/lib/acme, so issuance/renewal is presumably handled elsewhere.
      # NOTE(review): confirm the mail services can read key.pem and that
      # nothing else on the host can.
      ssl_config = {
        useACME = false;
        cert = "/var/lib/acme/mail.owo.monster/fullchain.pem";
        key = "/var/lib/acme/mail.owo.monster/key.pem";
      };

      # Roundcube is enabled without forced SSL/ACME on its own vhost. The
      # vhost at the bottom of this file binds only to loopback and a unix
      # socket, so TLS is presumably terminated by a fronting proxy.
      # NOTE(review): confirm that proxy enforces HTTPS; otherwise webmail
      # logins and session cookies would travel in clear text.
      enable_roundcube = true;
      force_roundcube_ssl = false;
      force_roundcube_acme = false;

      # NOTE(review): debug_mode is a project-defined option whose effect is
      # not visible here; if it raises log verbosity in the mail stack,
      # check what ends up in the logs before leaving it on in production.
      debug_mode = true;

      # Roundcube settings (PHP), appended verbatim:
      #  - session_lifetime is counted in minutes; 60 * 24 * 7 * 2 is two
      #    weeks, which is a long validity window for a webmail session.
      #  - username_domain + username_domain_forced pin every login to
      #    owo.monster.
      #  - log_driver = 'syslog' routes Roundcube logs to syslog.
      #  - smtp_debug logs the SMTP conversation; such logs can contain
      #    sender/recipient addresses and possibly the AUTH exchange.
      #    NOTE(review): treat the syslog destination as sensitive while
      #    this is on, and turn it off once debugging is finished.
      extra_roundcube_config = ''
        $config['session_lifetime'] = (60 * 24 * 7 * 2); # 2 Weeks
        $config['product_name'] = 'Chaos Mail';
        $config['username_domain'] = "owo.monster";
        $config['username_domain_forced'] = true;
        $config['log_driver'] = 'syslog';
        $config['smtp_debug'] = true;
      '';

      # Private alias map, taken from the secrets set rather than written
      # inline in this file.
      extra_aliases_file = "${secrets.private_mail_aliases.path}";

      # Mailboxes. Each password is read from a file referenced through the
      # secrets set, so no password text appears in this module.
      # NOTE(review): verify each `.path` is a runtime path string and not a
      # Nix path value; interpolating a path value would copy the file into
      # the world-readable Nix store.
      accounts = {
        "chaos@owo.monster" = {
          name = "chaos@owo.monster";
          passwordFile = "${secrets.chaos_mail_passwd.path}";
          aliases = [
            "all@owo.monster"
            "chaoticryptidz@owo.monster"
          ];
          sieveScript = null;
        };

        "system@owo.monster" = {
          name = "system@owo.monster";
          passwordFile = "${secrets.system_mail_passwd.path}";
          aliases = [];
          sieveScript = null;
        };

        "gotosocial@owo.monster" = {
          name = "gotosocial@owo.monster";
          passwordFile = "${secrets.gotosocial_mail_passwd.path}";
          aliases = [];
          sieveScript = null;
        };
      };
    };

    systemd = {
      # Create /var/sockets owned by nginx:nginx. The mode field is "-", so
      # systemd-tmpfiles applies its default directory mode (0755).
      # NOTE(review): who may connect is then decided by the permissions of
      # the socket file nginx creates; check them if only the fronting proxy
      # should reach Roundcube.
      tmpfiles.rules = [
        "d /var/sockets - nginx nginx"
      ];

      # Let the nginx unit write to the socket directory.
      services.nginx.serviceConfig.ReadWritePaths = [
        "/var/sockets"
      ];
    };

    # Webmail vhost: reachable only on loopback port 8089 and on a unix
    # socket, never on a public interface.
    services.nginx.virtualHosts."mail.owo.monster" = {
      listen = [
        {
          addr = "127.0.0.1";
          port = 8089;
        }
      ];
      extraConfig = "listen unix:/var/sockets/roundcube.sock;";
    };
  };
}