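# Homelab module: Postfix as an outbound-only mail relay ("smarthost" client).
# Local mail (cron, smartd, ...) is handed to smtp.gmail.com over an
# authenticated submission session; the SASL credentials come from a sops
# secret that is readable only by the postfix user/group.
{ pkgs, config, lib, ... }:

let
  service = "postfix";
  cfg = config.homelab.${service};
  sec = config.sops.secrets;
  homelab = config.homelab;
in
{
  options.homelab.${service} = {
    enable = lib.mkEnableOption "enables ${service}";

    # set port options
    # NOTE: this value is used as the *upstream relay* port (relayPort below).
    port = lib.mkOption {
      type = lib.types.int;
      default = 587;
      # The description previously interpolated cfg.port (the configured value,
      # not the default) and was missing its closing parenthesis.
      description = "set port for ${service} (default: 587)";
    };
    url = lib.mkOption {
      type = lib.types.str;
      default = "${service}.${homelab.base_domain}";
      description = "set domain for ${service}";
    };
    data_dir = lib.mkOption {
      type = lib.types.str;
      default = "/var/lib/${service}";
      description = "set data directory for ${service}";
    };
    ids = lib.mkOption {
      type = lib.types.int;
      default = cfg.port;
      description = "set uid and gid of ${service} user (matches port by default)";
    };
    backup = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "enable backups for ${service}";
    };
  };

  config = lib.mkIf cfg.enable {
    # declare ${service} group
    # users.groups.${service} = {
    #   gid = lib.mkForce cfg.ids;
    # };
    #
    # # declare ${service} user
    # users.users.${service} = {
    #   description = "${service} server user";
    #   uid = lib.mkForce cfg.ids;
    #   isSystemUser = true;
    #   home = cfg.data_dir;
    #   createHome = true;
    #   group = service;
    #   extraGroups = [];
    # };

    # enable the ${service} service
    services.postfix = {
      enable = true;
      relayHost = "smtp.gmail.com";
      relayPort = cfg.port;
      config = {
        #smtp_use_tls = "yes";

        # Require TLS on the relay session. With "may" Postfix falls back to
        # cleartext when STARTTLS is not offered (or is stripped in transit),
        # and the SASL credentials below would then cross the network
        # unencrypted. "encrypt" makes delivery fail closed instead.
        # NOTE(review): "verify"/"secure" additionally authenticate the relay's
        # certificate; prefer one of them once the trust store (smtp_tls_CAfile)
        # is confirmed to be set on this host.
        smtp_tls_security_level = "encrypt";

        smtp_sasl_auth_enable = "yes";
        # An empty value removes every restriction, including the ban on
        # anonymous login. "noanonymous" still permits the plaintext mechanisms
        # the relay needs; they are protected by the mandatory TLS above.
        smtp_sasl_security_options = "noanonymous";
        # Credential table is the sops-managed secret declared below.
        # NOTE(review): the lookup key inside the file must match the relayhost
        # form Postfix ends up using -- confirm against the generated main.cf.
        smtp_sasl_password_maps = "texthash:${sec."${service}_passwd".path}";

        # optional: Forward mails to root (e.g. from cron jobs, smartd)
        # to me privately and to my work email:
        virtual_alias_maps = "inline:{ {root=me@blakedheld.xyz, throwedspam@gmail.com} }";
      };
    };

    # override umask to make permissions work out
    # systemd.services.${service}.serviceConfig = {
    #   UMask = lib.mkForce "0007";
    #   User = service;
    #   Group = service;
    # };

    # No inbound firewall rule is opened here. cfg.port is the port of the
    # upstream relay and is only used for outgoing connections, while
    # networking.firewall.allowedTCPPorts governs incoming traffic. This module
    # does not enable a submission listener, so exposing the port would add
    # attack surface without serving anything. If this host should accept mail
    # from other machines, enable a listener explicitly and open that port.

    # SASL credentials: owned by the postfix user/group so only the daemon can
    # read the decrypted file.
    sops.secrets = {
      "${service}_passwd" = {
        owner = config.services.postfix.user;
        group = config.services.postfix.group;
      };
    };

    # add to backups (honours the `backup` option, which was previously
    # declared but never consulted)
    homelab.backups.baks = lib.mkIf cfg.backup {
      ${service} = {
        paths = [ cfg.data_dir ];
      };
    };
  };
}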