{
  config,
  pkgs,
  ...
}: let
  cfg = config.mailsystem;
in rec {
  certificateDirectory = "/var/certs";
  sslCertPath =
    if cfg.certificateScheme == "acme"
    then "${config.security.acme.certs.${cfg.fqdn}.directory}/fullchain.pem"
    else "${certificateDirectory}/cert-${cfg.fqdn}.pem";

  sslKeyPath =
    if cfg.certificateScheme == "acme"
    then "${config.security.acme.certs.${cfg.fqdn}.directory}/key.pem"
    else "${certificateDirectory}/key-${cfg.fqdn}.pem";

  sslCertService =
    if cfg.certificateScheme == "acme"
    then ["acme-finished-${cfg.fqdn}.target"]
    else ["mailsystem-selfsigned-certificate.service"];

  mailnixCfgFile = pkgs.writeText "mailnix-public.json" (builtins.toJSON {
    inherit (cfg) accounts domains;
    aliases = cfg.virtualAliases;
  });

  dovecotDynamicStateDir = "/var/lib/dovecot";
  dovecotDynamicPasswdFile = "${dovecotDynamicStateDir}/passwd";

  rspamdProxySocket = "/run/rspamd-proxy.sock";
  rspamdControllerSocket = "/run/rspamd-controller.sock";
}