{ config, ... }:
{
  # this should really be imported through a flake but I couldn't get that
  # working :(
  imports = [
    (builtins.fetchTarball {
      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-25.11/nixos-mailserver-nixos-25.11.tar.gz";
      sha256 = "16kanlk74xnj7xgmjsj7pahy31hlxqcbv76xnsg8qbh54b0hwxgq";
    })
  ];

  mailserver = {
    enable = true;
    stateVersion = 3;
    fqdn = "mail.zacharyscheiman.com";
    domains = [ "zacharyscheiman.com" "squi.bid" ];
    messageSizeLimit = 2500000000; # 2.5GB

    loginAccounts = {
      "me@zacharyscheiman.com" = {
        hashedPasswordFile = config.sops.secrets."mail/me".path;
        aliases = [
          "zach@zacharyscheiman.com"
          "zack@zacharyscheiman.com"
          "zachary@zacharyscheiman.com"

          # required aliases
          "postmaster@zacharyscheiman.com"
          "abuse@zacharyscheiman.com"
          "security@zacharyscheiman.com"
        ];
      };
    };

    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = "acme-nginx";
  };

  security.acme.acceptTerms = true;
  security.acme.defaults.email = "security@zacharyscheiman.com";
}