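{ config, pkgs, lib, ... }:

with (import ./common.nix { inherit config; });

let
  cfg = config.mailsystem;
in
{
  # "selfsigned" certificate scheme: a oneshot unit that creates a private key
  # and a long-lived self-signed certificate when either file is missing.
  # Only active when the mail system is enabled and certificateScheme is
  # "selfsigned"; the paths come from common.nix (certificateDirectory,
  # sslKeyPath, sslCertPath).
  config = lib.mkIf (cfg.enable && cfg.certificateScheme == "selfsigned") {
    systemd.services.mailsystem-selfsigned-certificate = {
      after = [ "local-fs.target" ];
      script = ''
        # Fail the unit on any error, unset variable or failed pipeline rather
        # than relying on whatever shell options the unit wrapper sets. In the
        # previous form `(... genrsa ...) && openssl req ...` a failing genrsa
        # did not abort the script (errexit skips non-final members of an
        # && list), so the unit could report success with no key and no cert.
        set -euo pipefail

        # Create certificates if they do not exist yet
        dir="${certificateDirectory}"
        fqdn="${cfg.fqdn}"
        # An fqdn value beginning with "/" is a path to a file holding the fqdn.
        [[ $fqdn == /* ]] && fqdn=$(< "$fqdn")
        key="${sslKeyPath}"
        cert="${sslCertPath}"

        if [[ ! -f $key || ! -f $cert ]]; then
          mkdir -p "$dir"
          # umask 077 in a subshell so the private key is created without
          # group/world permissions from the first byte written; the cert
          # is public and keeps the default umask.
          (umask 077; "${pkgs.openssl}/bin/openssl" genrsa -out "$key" 4096)
          # NOTE(review): the certificate carries only a CN and no
          # subjectAltName; clients that match hostnames against SAN alone
          # will not accept it even when trusted. If the openssl in pkgs
          # supports it, `-addext "subjectAltName=DNS:$fqdn"` would fix that.
          "${pkgs.openssl}/bin/openssl" req -new -key "$key" -x509 \
            -subj "/CN=$fqdn" -days 3650 -out "$cert"
        fi
      '';
      serviceConfig = {
        Type = "oneshot";
        PrivateTmp = true;
      };
    };
  };
}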