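# Option declarations for the `mailsystem` NixOS module.
#
# This file only declares the option schema. The options are presumably
# consumed by the modules imported at the bottom (dovecot, nginx, user),
# which are not shown here.
{lib, ...}: {
  options.mailsystem = {
    enable = lib.mkEnableOption "nixos-mailsystem";

    # NOTE(review): this defaults to true, so enabling the module also opens
    # firewall ports unless the operator sets it to false. Which ports are
    # opened is decided by the consumers of this option, not in this file.
    openFirewall = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Automatically open ports in the firewall.";
    };

    fqdn = lib.mkOption {
      type = lib.types.str;
      example = "mail.example.com";
      description = "Fully qualified domain name of the mail server.";
    };

    # The virtual mail user, its group and the mail directory belong together:
    # per the descriptions below, this user/group owns the directory in which
    # all mail is stored.
    vmailUID = lib.mkOption {
      type = lib.types.int;
      default = 5000;
      description = "The unix UID of the virtual mail user.";
    };

    vmailUserName = lib.mkOption {
      type = lib.types.str;
      default = "vmail";
      description = "The user name of the user that owns the directory all the mail is stored.";
    };

    vmailGroupName = lib.mkOption {
      type = lib.types.str;
      default = "vmail";
      description = "The group name of the user that owns the directory all the mail is stored.";
    };

    mailDirectory = lib.mkOption {
      type = lib.types.str;
      default = "/var/vmail";
      description = "Storage location for all mail.";
    };

    # Mail accounts, keyed by an arbitrary attribute name. Each value is a
    # submodule describing one account.
    accounts = lib.mkOption {
      type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
        options = {
          name = lib.mkOption {
            type = lib.types.str;
            example = "user1@example.com";
            description = "Username";
          };

          # The hash is referenced by file path instead of being embedded in
          # the configuration: values written into the Nix configuration end
          # up in the world-readable /nix/store. The type is a plain string so
          # the path is resolved at runtime; a Nix path literal would be
          # copied into the store on evaluation.
          # NOTE(review): the default is null. How an account without a hash
          # file is treated is decided by the consumers of this option;
          # confirm that such an account cannot authenticate.
          hashedPasswordFile = lib.mkOption {
            type = with lib.types; nullOr str;
            default = null;
            example = "/run/secrets/user1-passwordhash";
            description = ''
              A file containing the user's hashed password. Use `mkpasswd` as follows
              ```
              nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
              ```
            '';
          };

          isSystemUser = lib.mkOption {
            type = lib.types.bool;
            default = false;
            description = ''
              System users are not allowed to change their password and cannot receive any mails (-> send-only).
              Mails sent to such an account will be rejected.
            '';
          };
        };

        # The attribute key is the account name unless `name` is set explicitly.
        config.name = lib.mkDefault name;
      }));
      # The example uses `hashedPasswordFile`, the only password option this
      # submodule declares; the paths are illustrative placeholders.
      example = {
        user1 = {
          hashedPasswordFile = "/run/secrets/user1-passwordhash";
        };
        user2 = {
          hashedPasswordFile = "/run/secrets/user2-passwordhash";
        };
      };
      description = "All available accounts for the mailsystem.";
      default = {};
    };
  };

  imports = [
    ./dovecot.nix
    ./nginx.nix
    ./user.nix
  ];
}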