{config, ...}: {
  age.secrets."bind_pw".file = ../secrets/bind_pw;

  mailserver = {
    stateVersion = 3;
    enable = true;
    fqdn = "distrust.network";
    domains = ["distrust.network"];
    certificateScheme = "acme";
    ldap = {
      enable = true;
      bind.dn = "cn=bind,ou=people,dc=distrust,dc=network";
      bind.passwordFile = config.age.secrets."bind_pw".path;
      searchBase = "ou=people,dc=distrust,dc=network";
      uris = ["ldap://localhost:3890"];
    };
  };

  services.borgbackup.jobs."mailserver" = {
    repo = "ssh://u506783@u506783.your-storagebox.de:23/./mailserver";
    environment = {
      BORG_RSH = "ssh -i ${config.age.secrets."borg_ed25519".path} -o 'StrictHostKeyChecking=no'";
    };
    paths = [
      "/var/vmail/ldap"
    ];
    encryption = {
      mode = "keyfile";
      passCommand = "cat ${config.age.secrets."borg_pass".path}";
    };
    compression = "auto,lzma";
    startAt = "daily";
    prune.keep = {
      daily = 7;
      weekly = 4;
      monthly = -1;
    };
  };
}