{ config, lib, pkgs, ... }:
let
  inherit (config) mailsystem;
  redisServer = config.services.redis.servers.rspamd;
  rspamdUser = config.services.rspamd.user;
  setfacl = "${pkgs.acl.bin}/bin/setfacl";
  socketPath = redisServer.unixSocket;
  socketDir = builtins.dirOf socketPath;

  # Post-start hook for the redis-rspamd unit: give the rspamd service user
  # traversal (x) on the socket directory and read/write on the socket itself
  # through POSIX ACLs, so the socket mode can stay owner-only (see
  # unixSocketPerm below) without relying on group or world bits.
  # NOTE(review): assumes the socket already exists when ExecStartPost runs,
  # i.e. the unit signals readiness only after redis has bound it — confirm
  # against the redis unit's Type.
  grantSocketAccess = pkgs.writeShellScript "redis-rspamd-postStart" ''
    ${setfacl} -m "u:${rspamdUser}:x" "${socketDir}"
    ${setfacl} -m "u:${rspamdUser}:rw" "${socketPath}"
  '';
in
{
  config = lib.mkIf mailsystem.enable {
    services.redis.servers.rspamd = {
      enable = true;
      # A port of 0 disables the TCP listener; only the unix socket is exposed.
      port = 0;
      # Owner-only permissions on the socket; rspamd's access comes from the
      # ACL applied by the post-start hook, not from the mode bits.
      unixSocketPerm = 600;
    };

    # The leading "+" makes systemd run the hook with full privileges (as
    # root) rather than as the redis service user.
    # TODO: Run commands as service user instead of as root?
    systemd.services.redis-rspamd.serviceConfig.ExecStartPost = "+${grantSocketAccess}";
  };
}