# NixOS module: mail server for the host's domain, with secrets taken from
# config.age.secrets, certificates requested through an nginx ACME vhost, and
# mail state kept under /persist.
{config, ...}: let
  domain = config.networking.domain;
  # One definition for the mail host name, used by mailserver.fqdn and by the
  # nginx vhost that requests the certificate, so the two cannot drift apart.
  mailHost = "mail.${domain}";
  # Shared stem of the /etc entry and the age secret: <domain>.<selector>.key
  dkimKeyName = "${domain}.${config.mailserver.dkimSelector}.key";
  secrets = config.age.secrets;
in {
  mailserver = {
    enable = true;
    stateVersion = 3;

    # Host name and served domains.
    fqdn = mailHost;
    domains = ["${domain}"];

    # Use the ACME certificate named after the fqdn; the nginx vhost below
    # requests a certificate under that same name.
    x509.useACMEHost = config.mailserver.fqdn;

    # DKIM keys are looked up in /etc/dkim so the key can be declared below
    # rather than left as mutable state.
    dkimKeyDirectory = "/etc/dkim";

    # Only the path of each password hash appears in this configuration; the
    # hash itself is read from the age secret file.
    loginAccounts = {
      # Test mailbox.
      # NOTE(review): this is a login-capable account on the live domain;
      # remove it (and its secret) once testing is finished.
      "test@${domain}" = {
        hashedPasswordFile = toString secrets.mailserver-acc-test-pw.path;
      };

      "admin@${domain}" = {
        hashedPasswordFile = toString secrets.mailserver-acc-admin-pw.path;
        # Catch-all: mail for any otherwise unmatched address in the domain
        # is delivered here.
        # NOTE(review): per the mailserver module's option docs a catch-all
        # alias presumably also lets this account send as any address in the
        # domain; confirm that is intended.
        aliases = ["@${domain}"];
      };
    };
  };

  environment = {
    # Expose the DKIM private key at /etc/dkim/<domain>.<selector>.key,
    # sourced from the age secret path.
    # NOTE(review): owner and mode of the key come from the age secret
    # definition, which is not visible here. Verify that only the signing
    # daemon's user can read it.
    etc."dkim/${dkimKeyName}".source = secrets."dkim-${dkimKeyName}".path;

    # Directories kept across reboots, following the backup guidelines.
    # /var/vmail holds all mailboxes and /var/lib/acme holds TLS private
    # keys, so /persist and any backup of it need the same protection as
    # the secrets themselves.
    persistence."/persist".directories = [
      # "/var/dkim" is left out because the DKIM key is declared above.
      "/var/vmail"
      "/var/lib/redis-rspamd"
      "/var/lib/acme"
    ];
  };

  # nginx exists here to obtain the certificate for the mail host name.
  services.nginx = {
    enable = true;
    virtualHosts."${mailHost}" = {
      forceSSL = true;
      enableACME = true;
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "mtgmonket@gmail.com";
  };
}