{config, ...}: let
  cfg = config.mailsystem;
in rec {
  certificateDirectory = "/var/certs";
  sslCertPath =
    if cfg.certificateScheme == "acme"
    then "${config.security.acme.certs.${cfg.fqdn}.directory}/fullchain.pem"
    else "${certificateDirectory}/cert-${cfg.fqdn}.pem";

  sslKeyPath =
    if cfg.certificateScheme == "acme"
    then "${config.security.acme.certs.${cfg.fqdn}.directory}/key.pem"
    else "${certificateDirectory}/key-${cfg.fqdn}.pem";

  sslCertService =
    if cfg.certificateScheme == "acme"
    then ["acme-finished-${cfg.fqdn}.target"]
    else ["mailsystem-selfsigned-certificate.service"];

  dovecotDynamicStateDir = "/var/lib/dovecot";
  dovecotDynamicPasswdFile = "${dovecotDynamicStateDir}/passwd";

  rspamdProxySocket = "/run/rspamd-proxy.sock";
  rspamdControllerSocket = "/run/rspamd-controller.sock";
}