{
  extraModules,
  pkgs,
  vhackPackages,
}: {
  mkMailServer = serverName: principal: {
    config,
    lib,
    nodes,
    ...
  }: {
    imports =
      extraModules
      ++ [
        ../../../../../modules
        ./acme/client.nix
      ];

    environment.systemPackages = [
      pkgs.bind
      pkgs.openssl
    ];

    networking.nameservers = lib.mkForce [
      nodes.name_server.networking.primaryIPAddress
      nodes.name_server.networking.primaryIPv6Address
    ];

    age.identityPaths = ["${../secrets/hostKey}"];

    vhack = {
      stalwart-mail = {
        enable = true;
        fqdn = "${serverName}.server.com";
        admin = "admin@${serverName}.server.com";
        security = {
          dkimKeys = let
            loadKey = name: {
              dkimPublicKey = builtins.readFile (../secrets/dkim + "/${name}/public");
              dkimPrivateKeyPath = ../secrets/dkim + "/${name}/private.age";
              keyAlgorithm = "ed25519-sha256";
            };
          in {
            "mail1.server.com" = loadKey "mail1.server.com";
            "mail2.server.com" = loadKey "mail2.server.com";
            "alice.com" = loadKey "alice.com";
            "bob.com" = loadKey "bob.com";
          };
          verificationMode = "strict";
        };
        openFirewall = true;
        principals = [principal];
      };
    };
  };
}