{
  config,
  pkgs,
  lib,
  meta,
  nodeMeta,
  ...
}:

let
  inherit (lib)
    concatStringsSep
    mkEnableOption
    mkForce
    mkIf
    ;

  emails = concatStringsSep ", " (
    builtins.map (name: meta.organization.members.${name}.email) (
      builtins.foldl' (
        admins: group: admins ++ meta.organization.groups.${group}
      ) nodeMeta.admins nodeMeta.adminGroups
    )
  );

  cfg = config.dgn-notify;
in

{

  options.dgn-notify = {
    enable = mkEnableOption "DGNum email notification cli" // {
      default = true;
    };
  };

  config = mkIf cfg.enable {
    services.mail.sendmailSetuidWrapper.group = mkForce "mail";
    users.groups.mail = { };

    programs.msmtp = {
      enable = true;
      setSendmail = true;
      accounts.default = {
        tls = true;
        tls_starttls = false;
        port = 465;
        auth = true;
        host = "kurisu.lahfa.xyz";
        from = "noreply@infra.dgnum.eu";
        user = "web-services@infra.dgnum.eu";
        passwordeval = "cat ${config.age.secrets.mail.path}";
      };
    };

    services.systemd-notify = {
      enable = true;
      command = builtins.toString (
        pkgs.writeShellScript "sendmail" ''
          ${pkgs.msmtp}/bin/sendmail -i -t <<ERRMAIL
          To: admins+monitoring@dgnum.eu, ${emails}
          Subject: [$HOSTNAME] Systemd failure: $1
          Content-Transfer-Encoding: 8bit
          Content-Type: text/plain; charset=UTF-8

          $(systemctl status --full "$1")
          ERRMAIL
        ''
      );
    };
    age-secrets.sources = [ ./. ];
  };
}