# Declarative NixOS container definition for a personal mail server.
#
# The container runs Dovecot (IMAP, LMTP, ManageSieve) and two getmail
# fetchers that pull mail from upstream IMAP accounts into the local maildir.
#
# Arguments:
#   hostAddress, localAddress  - passed through unchanged to the container
#                                definition (inherited at the bottom).
#   imapsPort  (default 993)   - host port forwarded to container port 993.
#   sievePort  (default 4190)  - host port forwarded to container port 4190.
#   autoStart  (default false) - passed through unchanged.
{
  hostAddress,
  localAddress,
  imapsPort ? 993,
  sievePort ? 4190,
  autoStart ? false,
}: let
  # Secrets are imported at evaluation time as plain Nix values.
  # NOTE(review): every place below that interpolates `passwords.*` into
  # `pkgs.writeText` or `environment.etc.<name>.text` writes the secret into a
  # file in the Nix store. Store paths are readable by all local users and are
  # copied wherever the system closure is copied. The ".crypt" file name
  # suggests the repository copy is encrypted at rest (not confirmed from this
  # file); that does not protect the evaluated output. Consider reading the
  # secrets at runtime from a path outside the store, e.g. below the
  # bind-mounted /etc/secrets.
  passwords = import ../../variables/passwords.crypt.nix;
in {
  config = {pkgs, ...}: {
    system.stateVersion = "21.11"; # Did you read the comment?

    imports = [../profiles/containers/configuration.nix ../profiles/common/user.nix];

    # NOTE(review): no packet filter inside the container. From outside the
    # host, exposure is limited to the two `forwardPorts` entries below, but
    # anything that can route to the container address directly reaches every
    # listener in the container. Confirm this is intended; otherwise enable the
    # firewall and allow only 993 and 4190.
    networking.firewall.enable = false;

    # Module defined outside this file; presumably a dynamic-DNS updater for
    # the given domain - confirm against its definition.
    services.ddclientovh = {
      enable = true;
      domain = "mailserver.svc.stefanjunker.de";
    };

    services.dovecot2 = {
      enable = true;
      modules = [pkgs.dovecot_pigeonhole];
      # ManageSieve is listed explicitly; IMAP and LMTP are switched on through
      # the dedicated enable* options below.
      protocols = ["sieve"];
      enableImap = true;
      enableLmtp = true;
      enablePAM = true;
      # NOTE(review): going by the option name, PAM failure text is shown on
      # authentication errors - confirm it is still needed, since it can give
      # a client more detail than a generic failure.
      showPAMFailure = true;
      mailLocation = "maildir:~/.maildir";
      # TLS material comes from the /etc/secrets bind mount declared below,
      # so the private key stays out of the Nix store.
      sslServerCert = "/etc/secrets/server.pem";
      sslServerKey = "/etc/secrets/server.key";

      #configFile = "/etc/dovecot/dovecot2_manual.conf";

      # NOTE(review): only the MD5-based challenge-response mechanisms
      # cram-md5 and digest-md5 are offered. Both require the passdb to hold
      # the password in a mechanism-compatible (plaintext-equivalent) form,
      # which does not match the default `scheme=CRYPT` unless the stored entry
      # carries an explicit {SCHEME} prefix - confirm. Since clients connect
      # over TLS, the usual hardening is a plaintext mechanism over TLS
      # against a strongly hashed passdb.
      extraConfig = ''
        auth_mechanisms = cram-md5 digest-md5
        auth_verbose = yes
        passdb {
          driver = passwd-file
          args = scheme=CRYPT username_format=%u /etc/dovecot/users
        }
        protocol lda {
          postmaster_address = "mail@stefanjunker.de"
          mail_plugins = $mail_plugins sieve
        }
        protocol imap {
          mail_max_userip_connections = 64
        }
      '';
    };

    # Dovecot passwd-file consumed by the passdb block above.
    # NOTE(review): `.text` is realised as a Nix store file, so the credential
    # entry is world-readable in the store even if /etc/dovecot/users is not.
    environment.etc."dovecot/users".text = ''
      steveej:${passwords.email.steveej}
    '';

    # Fetcher 1: stays connected to the OVH mailbox (`--idle=INBOX`) and hands
    # each message to dovecot-lda for delivery.
    systemd.services.steveej-getmail-stefanjunker = {
      enable = true;
      wantedBy = ["multi-user.target"];
      serviceConfig.User = "steveej";
      serviceConfig.Group = "dovecot2";
      # Restart unconditionally, 600 s after the process exits.
      serviceConfig.RestartSec = 600;
      serviceConfig.Restart = "always";
      description = "Getmail service";
      path = [pkgs.getmail6];
      script = let
        # NOTE(review): the rc file, including the upstream IMAP password, is
        # written to the world-readable Nix store. getmail can obtain the
        # password at runtime instead (`password_command`), or the rc file can
        # live outside the store with restrictive permissions.
        rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
          [options]
          verbose = 1
          read_all = 0
          delete_after = 30
          [retriever]
          type = SimpleIMAPSSLRetriever
          server = ssl0.ovh.net
          port = 993
          username = mail@stefanjunker.de
          password = ${passwords.email.mailStefanjunkerDe}
          mailboxes = ('INBOX',)
          [destination]
          type = MDA_external
          path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
        '';
      in ''
        getmail --rcfile=${rc} --idle=INBOX
      '';
    };

    # Fetcher 2: no `--idle`, so getmail does one pass and exits. Together with
    # Restart=always and RestartSec=1000 the unit acts as a polling loop.
    # Delivery goes straight into the maildir, not through dovecot-lda.
    systemd.services.steveej-getmail-webde = {
      enable = true;
      wantedBy = ["multi-user.target"];
      serviceConfig.User = "steveej";
      serviceConfig.Group = "dovecot2";
      description = "Getmail service";
      path = [pkgs.getmail6];
      serviceConfig.RestartSec = 1000;
      serviceConfig.Restart = "always";
      script = let
        # NOTE(review): same store exposure of the account password as in the
        # other getmail unit.
        rc = pkgs.writeText "schtifATweb.de.getmail.rc" ''
          [options]
          verbose = 1
          read_all = 0
          delete_after = 30
          [retriever]
          type = SimpleIMAPSSLRetriever
          server = imap.web.de
          port = 993
          username = schtif
          password = ${passwords.email.schtifATwebDe}
          mailboxes = ('INBOX',)
          [destination]
          type = Maildir
          path = ~/.maildir/
        '';
      in ''
        getmail --rcfile=${rc}
      '';
    };
  };

  inherit autoStart;

  bindMounts = {
    # Holds the TLS certificate and key referenced by services.dovecot2.
    # NOTE(review): mounted read-write. If nothing inside the container has to
    # write here (confirm, e.g. certificate renewal), a read-only mount limits
    # what a compromised container can change.
    "/etc/secrets/" = {
      hostPath = "/var/lib/container-volumes/mailserver/etc-secrets";
      isReadOnly = false;
    };

    # Home directories, and with them ~/.maildir, persist on the host.
    "/home" = {
      hostPath = "/var/lib/container-volumes/mailserver/home";
      isReadOnly = false;
    };
  };

  # The container uses the host's resolv.conf through a bind mount.
  extraFlags = ["--resolv-conf=bind-host"];

  # The container gets its own network namespace; only the ports listed in
  # forwardPorts are mapped from the host.
  privateNetwork = true;
  forwardPorts = [
    {
      # imaps
      containerPort = 993;
      hostPort = imapsPort;
      protocol = "tcp";
    }
    {
      # sieve
      containerPort = 4190;
      hostPort = sievePort;
      protocol = "tcp";
    }
  ];

  inherit hostAddress localAddress;
}