{
  config,
  pkgs,
  ...
}: {
  mailserver = {
    enable = true;
    fqdn = "mail.spandrell.ch";
    domains = ["spandrell.ch"];

    # A list of all login accounts. To create the password hashes, use
    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
    loginAccounts = {
      "s@spandrell.ch" = {
        hashedPasswordFile = "/home/span/mail.key";
      };
      "book@spandrell.ch" = {
        hashedPasswordFile = "/home/span/mail.key";
      };
      "site@spandrell.ch" = {
        hashedPasswordFile = "/home/span/mail.key";
      };
      "lol@spandrell.ch" = {
        hashedPasswordFile = "/home/span/mail.key";
      };
      "sub@spandrell.ch" = {
        hashedPasswordFile = "/home/span/mail.key";
      };
      "security@spandrell.ch" = {
        hashedPasswordFile = "/home/span/mail.key";
      };
      "parallax@spandrell.ch" = {
        hashedPassword = "$2y$12$RVCKyEwpPmQLznKOgtXiBOR3nRy5aT3rFMtypJiDe6xFPfi/r3TXq";
      };
      "finnem@spandrell.ch" = {
        hashedPasswordFile = "/home/span/finnem.key";
      };
    };

    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = "acme-nginx";
  };
  services.roundcube = {
    enable = true;
    # this is the url of the vhost, not necessarily the same as the fqdn of
    # the mailserver
    hostName = "mail.spandrell.ch";
    extraConfig = ''
      # starttls needed for authentication, so the fqdn required to match
      # the certificate
      $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
      $config['smtp_user'] = "%u";
      $config['smtp_pass'] = "%p";
    '';
  };
}