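# NixOS module: optional roundcube webmail front end for the mailsystem.
#
# Declares `mailsystem.roundcube.*` and, when both the mailsystem and the
# roundcube sub-module are enabled, configures `services.roundcube` with the
# managesieve and password plugins. The password plugin changes passwords in
# the dovecot passwd-file named by `dovecotDynamicPasswdFile`, which is brought
# into scope from ./common.nix.
{
  config,
  lib,
  pkgs,
  ...
}:
with (import ./common.nix {inherit config;}); let
  cfg = config.mailsystem;
  roundcubeCfg = config.mailsystem.roundcube;
in {
  options.mailsystem.roundcube = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "Whether to enable roundcube in order to provide a webmail interface";
    };

    hostName = lib.mkOption {
      type = lib.types.str;
      default = cfg.fqdn;
      description = "FQDN to be used by roundcube. Defaults to {option}`mailsystem.fqdn`.";
    };

    # The value is interpolated verbatim into the generated PHP configuration
    # below and handed to `doveadm pw` as the scheme.
    # NOTE(review): the type is a free-form string; a typo or a weak scheme is
    # not rejected at evaluation time. Consider restricting it to the schemes
    # the deployment actually allows.
    passwordHashingAlgorithm = lib.mkOption {
      type = lib.types.str;
      default = "BLF-CRYPT";
      description = "Password hashing algorithm to be used with `doveadm pw`";
    };
  };

  # Only active when the mailsystem itself and the roundcube sub-module are both enabled.
  config = lib.mkIf (cfg.enable && roundcubeCfg.enable) {
    services.roundcube = {
      enable = true;
      hostName = roundcubeCfg.hostName;
      plugins = ["managesieve" "password"];
      extraConfig = ''
        // Use implicitly encrypted communications for imap and smtp (implicit tls)
        $config['imap_host'] = "ssl://${cfg.fqdn}";
        $config['smtp_host'] = "ssl://${cfg.fqdn}";
        // Authenticate to smtp with the credentials of the logged-in user.
        $config['smtp_user'] = "%u";
        $config['smtp_pass'] = "%p";

        $config['managesieve_host'] = "localhost";

        $config['password_driver'] = "dovecot_passwdfile";
        // Require the current password before a new one is accepted.
        $config['password_confirm_current'] = true;
        $config['password_minimum_length'] = 8;
        $config['password_algorithm'] = "dovecot";
        // Enables saving the new password even if it matches the old password. Useful
        // for upgrading the stored passwords after the encryption scheme has changed.
        $config['password_force_save'] = true;
        // Passwd-file that the dovecot_passwdfile driver updates. The web application
        // writes to this file, so keep its permissions as narrow as roundcube and
        // dovecot allow.
        $config['password_dovecot_passwdfile_path'] = "${dovecotDynamicPasswdFile}";
        // Command used to hash the new password.
        $config['password_dovecotpw'] = "${pkgs.dovecot}/bin/doveadm pw";
        $config['password_dovecotpw_method'] = "${roundcubeCfg.passwordHashingAlgorithm}";
        // Store the hash together with its {SCHEME} prefix.
        $config['password_dovecotpw_with_method'] = true;
      '';
    };
  };
}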