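# Outbound mail and authentication milters for this host:
#   - nullmailer forwards everything to the relay named in myconfig
#   - opendkim signs with the "eldiron" selector (key comes from the
#     secrets module, not from the NixOS-generated key)
#   - opendmarc verifies inbound DMARC policy
#   - openarc seals/verifies ARC using the same DKIM key and selector
{ lib, pkgs, config, myconfig, ... }:
let
  # openarc's socket option is either "local:<path>" or an inet spec;
  # only the unix-socket form needs the permission fix-up in postStart.
  openarcSocket = config.services.openarc.socket;
  openarcSocketIsLocal = lib.strings.hasPrefix "local:" openarcSocket;
  openarcSocketPath = lib.strings.removePrefix "local:" openarcSocket;

  # Every zone that carries mail contributes "<sub>.<zone>" (or just
  # "<zone>" when the entry's domain is empty) to the OpenDKIM Domain list.
  dkimDomains = builtins.concatStringsSep "," (lib.flatten (map
    (zone: map
      (e: "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}")
      (zone.withEmail or [])
    ) myconfig.env.dns.masterZones
  ));
in
{
  config.users.users.nullmailer.uid = config.ids.uids.nullmailer;
  config.users.groups.nullmailer.gid = config.ids.gids.nullmailer;
  config.services.nullmailer = {
    enable = true;
    config = {
      me = myconfig.env.mail.host;
      remotes = "${myconfig.env.mail.relay} smtp";
    };
  };

  # Secrets are materialised under config.secrets.location with the
  # owner/mode given here.  The DKIM private key is owner-read-only for
  # the opendkim user; openarc runs as that same user (see below) so it
  # can read the key without widening its permissions.
  config.secrets.keys = [
    {
      dest = "opendkim/eldiron.private";
      user = config.services.opendkim.user;
      group = config.services.opendkim.group;
      permissions = "0400";
      text = myconfig.env.mail.dkim.eldiron.private;
    }
    {
      # Public half, pre-rendered as the DNS TXT record for the selector;
      # world-readable is fine, it is published in DNS anyway.
      dest = "opendkim/eldiron.txt";
      user = config.services.opendkim.user;
      group = config.services.opendkim.group;
      permissions = "0444";
      text = ''
        eldiron._domainkey IN TXT ${myconfig.env.mail.dkim.eldiron.public}'';
    }
    {
      dest = "opendmarc/ignore.hosts";
      user = config.services.opendmarc.user;
      group = config.services.opendmarc.group;
      permissions = "0400";
      text = myconfig.env.mail.dmarc.ignore_hosts;
    }
  ];

  # "keys" group membership is what lets the daemon traverse the secrets
  # directory; the files themselves are owned by the daemon user.
  config.users.users."${config.services.opendkim.user}".extraGroups = [ "keys" ];
  config.services.opendkim = {
    enable = true;
    domains = dkimDomains;
    keyPath = "${config.secrets.location}/opendkim";
    selector = "eldiron";
    # UMask 002 leaves the milter socket group-writable so the MTA
    # (expected to be in the opendkim group) can connect to it.
    configFile = pkgs.writeText "opendkim.conf" ''
      SubDomains yes
      UMask 002
    '';
  };
  # The NixOS opendkim module's preStart generates a key pair when none
  # exists under keyPath.  Our key is provisioned by the secrets module,
  # so short-circuit the generated script before it runs.
  config.systemd.services.opendkim.preStart = lib.mkBefore ''
    # Skip the prestart script as keys are handled in secrets
    exit 0
  '';
  config.services.filesWatcher.opendkim = {
    restart = true;
    paths = [ config.secrets.fullPaths."opendkim/eldiron.private" ];
  };

  config.users.users."${config.services.opendmarc.user}".extraGroups = [ "keys" ];
  config.services.opendmarc = {
    enable = true;
    # NOTE(review): TrustedAuthservIDs makes OpenDMARC believe
    # Authentication-Results headers stamped with those authserv-ids.
    # That is only safe if the MTA strips such headers from messages
    # arriving from untrusted peers before they reach this milter;
    # confirm that in the MTA configuration.
    configFile = pkgs.writeText "opendmarc.conf" ''
      AuthservID HOSTNAME
      FailureReports false
      FailureReportsBcc postmaster@localhost.immae.eu
      FailureReportsOnNone true
      FailureReportsSentBy postmaster@immae.eu
      IgnoreAuthenticatedClients true
      IgnoreHosts ${config.secrets.fullPaths."opendmarc/ignore.hosts"}
      SoftwareHeader true
      SPFSelfValidate true
      TrustedAuthservIDs HOSTNAME, immae.eu, nef2.ens.fr
      UMask 002
    '';
  };
  config.services.filesWatcher.opendmarc = {
    restart = true;
    paths = [ config.secrets.fullPaths."opendmarc/ignore.hosts" ];
  };

  # ARC reuses the DKIM key and selector; running as the opendkim user is
  # what grants read access to the 0400 private key above.
  config.services.openarc = {
    enable = true;
    user = "opendkim";
    group = "opendkim";
    configFile = pkgs.writeText "openarc.conf" ''
      AuthservID mail.immae.eu
      Domain mail.immae.eu
      KeyFile ${config.secrets.fullPaths."opendkim/eldiron.private"}
      Mode sv
      Selector eldiron
      SoftwareHeader yes
      Syslog Yes
    '';
  };
  # openarc creates its socket asynchronously after the unit is started,
  # so wait for it before making it group-writable for the MTA.  The wait
  # is bounded (60 * 0.5s): if the daemon never binds, fail the unit
  # explicitly instead of spinning until systemd's start timeout kills us.
  config.systemd.services.openarc.postStart = lib.optionalString openarcSocketIsLocal ''
    sock=${openarcSocketPath}
    tries=0
    while [ ! -S "$sock" ] && [ "$tries" -lt 60 ]; do
      sleep 0.5
      tries=$((tries + 1))
    done
    if [ ! -S "$sock" ]; then
      echo "openarc socket $sock did not appear after 30s" >&2
      exit 1
    fi
    chmod g+w "$sock"
  '';
  config.services.filesWatcher.openarc = {
    restart = true;
    paths = [ config.secrets.fullPaths."opendkim/eldiron.private" ];
  };
}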