{
  pkgs,
  lib,
  flake,
  ...
}: {
  age.secrets."mail@b12f.io-password" = {
    file = "${flake.self}/secrets/mail@b12f.io-password.age";
    mode = "400";
    # owner = "maddy";
  };

  services.caddy.virtualHosts = {
    "mail.b12f.io" = {
      extraConfig = ''
        respond "404 Not Found"
      '';
    };
  };

  services.maddy = {
    enable = false;

    openFirewall = true;

    primaryDomain = "b12f.io";

    ensureAccounts = [
      "mail@b12f.io"
    ];

    ensureCredentials = {
      # Do not use this in production. This will make passwords world-readable
      # in the Nix store
      "mail@b12f.io".passwordFile = "${pkgs.writeText "postmaster" "test"}";
    };

    tls = {
      certificates = [
        {
          keyPath = "";
          certPath = "";
        }
      ];
    };
  };
}