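# Evaluation-time consistency checks for the mailserver module.
#
# Every entry below is added to the NixOS `assertions` option: an attribute set
# with a boolean `assertion` and the `message` reported when it is false.
# Groups are wrapped in `lib.optionals` so a check only exists when the feature
# it guards is switched on.
{ config, lib, ... }:
let
  cfg = config.mailserver;
in
{
  assertions =
    # LDAP is the account source: locally declared accounts and aliases must be
    # left empty so there is a single source of identities.
    lib.optionals cfg.ldap.enable [
      {
        assertion = cfg.loginAccounts == { };
        message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.loginAccounts";
      }
      {
        assertion = cfg.extraVirtualAliases == { };
        message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.extraVirtualAliases";
      }
    ]
    # Outside the "acme" scheme the ACME certificate name has to equal the FQDN
    # (per the message, that means the option was not set explicitly).
    ++ lib.optionals (cfg.enable && cfg.certificateScheme != "acme") [
      {
        assertion = cfg.acmeCertificateName == cfg.fqdn;
        message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName";
      }
    ]
    # Bring-your-own DKIM keys: the set of key domains must equal the set of
    # mail domains.
    # NOTE(review): presumably this guarantees every served domain has a signing
    # key and no key is configured for a domain the server does not handle;
    # confirm against the DKIM signer configuration.
    ++ (
      let
        sortedDomains = builtins.sort (a: b: a < b) cfg.domains;
        # builtins.attrNames returns the names in sorted order already. The
        # binding is lazy and is only forced behind the `!= null` guard below.
        sortedDkimDomains = builtins.attrNames cfg.dkimDomainPrivateKeyFiles;
        prettyDomains = builtins.concatStringsSep ", " sortedDomains;
        prettyDkimDomains = builtins.concatStringsSep ", " sortedDkimDomains;
      in
      lib.optionals (cfg.enable && cfg.dkimDomainPrivateKeyFiles != null) [
        {
          # The comparison itself is the assertion. Previously the mismatch sat
          # in the guard and the assertion tested `dkimKeyBits != null`, so a
          # domain mismatch went unreported whenever dkimKeyBits was also set.
          assertion = sortedDomains == sortedDkimDomains;
          message = "When you bring your own DKIM private keys (mailserver.dkimDomainPrivateKeyFiles != null), the DKIM domains (${prettyDkimDomains}) must be identical to the mailserver.domains (${prettyDomains}).";
        }
      ]
    )
    # Own keys supplied: key generation options make no sense and are rejected.
    ++ lib.optionals (cfg.enable && cfg.dkimDomainPrivateKeyFiles != null) [
      {
        assertion = cfg.dkimKeyBits == null;
        message = "When you bring your own DKIM private keys (mailserver.dkimDomainPrivateKeyFiles != null), you must not specify key generation options (mailserver.dkimKeyBits)";
      }
    ]
    # Keys are generated by the module: a key size is mandatory.
    ++ lib.optionals (cfg.enable && cfg.dkimDomainPrivateKeyFiles == null) [
      {
        assertion = cfg.dkimKeyBits != null;
        message = "When generating DKIM private keys (mailserver.dkimDomainPrivateKeyFiles = null), you must specify key generation options (mailserver.dkimKeyBits)";
      }
    ];
}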