{
  config,
  ...
}:
{
  imports = [
    (builtins.fetchTarball {
      # Pick a release version you are interested in and set its hash, e.g.
      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-25.11/nixos-mailserver-nixos-25.11.tar.gz";
      # To get the sha256 of the nixos-mailserver tarball, we can use the nix-prefetch-url command:
      # release="nixos-25.11"; nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz" --unpack
      sha256 = "0000000000000000000000000000000000000000000000000000";
    })
  ];

  security.acme = {
    acceptTerms = true;
    defaults.email = "security@example.com";
    certs.${config.mailserver.fqdn} = {
      # Further setup required, check the manual:
      # https://nixos.org/manual/nixos/stable/#module-security-acme
    };
  };

  mailserver = {
    enable = true;
    stateVersion = 3;
    fqdn = "mail.example.com";
    domains = [ "example.com" ];

    # reference an existing ACME configuration
    x509.useACMEHost = config.mailserver.fqdn;

    # A list of all login accounts. To create the password hashes, use
    # nix-shell -p mkpasswd --run 'mkpasswd -s'
    loginAccounts = {
      "user1@example.com" = {
        hashedPasswordFile = "/a/file/containing/a/hashed/password";
        aliases = [ "postmaster@example.com" ];
      };
      "user2@example.com" = {
        # ...
      };
    };
  };
}