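{ pkgs, lib, domain, domainSuffix, domainGroup }:
let
  # NOTE(review): `unlines` is not part of upstream nixpkgs `lib`; it is
  # presumably supplied by an overlay here — confirm. It is only relied on
  # to join a list of lines with "\n".
  inherit (pkgs.lib) unlines;

  # LDIF (RFC 2849) writes attribute values verbatim after "name: ". Two
  # classes of value would be silently mis-parsed by ldapadd/slapadd:
  #   * a value containing CR/LF is split into extra attribute lines, i.e.
  #     a stray newline in e.g. `cn` injects further attributes into the entry;
  #   * a value starting with ' ', ':' or '<' must use the base64 ("name:: ...")
  #     or URL ("name:< ...") form, which this generator does not emit.
  # Reject such values at evaluation time instead of emitting bad LDIF.
  isSafeValue = s:
    !(lib.hasInfix "\n" s || lib.hasInfix "\r" s)
    && !(lib.hasPrefix " " s || lib.hasPrefix ":" s || lib.hasPrefix "<" s);

  # `attr name value` renders one "name: value" line. `toString` is applied
  # uniformly so integers (uidNumber, gidNumber, mailQuota) and strings are
  # accepted alike. The offending value is deliberately *not* echoed in the
  # error message: it may be the userPassword hash.
  attr = name: value:
    let s = toString value; in
    assert lib.assertMsg (isSafeValue s)
      "ldif: attribute `${name}` contains a line break or starts with ' ', ':' or '<'; base64-encode it or fix the value";
    "${name}: ${s}";
in
{ uid
, uidNumber
, gidNumber ? uidNumber
, cn ? ""
, sn ? ""
, userPassword ? null # Use slappasswd -o module-load=pw-pbkdf2 -h "{PBKDF2-SHA256}"
                      # The hash is emitted verbatim; if the resulting LDIF is
                      # built by a derivation it presumably lands in the
                      # world-readable /nix/store — confirm before relying on it.
, mailAlias ? []
, homeDirectory ? ""
, mailHomeDirectory ? null
, mailStorageDirectory ? null
, loginShell ? "/run/current-system/sw/bin/bash"
, mailEnabled ? true
, mailForwardingAddress ? []
, mailGroupMember ? domainGroup
, mailQuota ? null
}:
"\n" + lib.concatStringsSep "\n\n" [
  # Account entry. `uid` is interpolated unescaped into the RDN; RFC 4514
  # special characters (',', '+', '"', '\', '<', '>', ';', '=') in a uid are
  # not escaped here, so keep uids to plain login-name characters.
  (unlines (
    [
      (attr "dn" "uid=${uid},ou=accounts,ou=posix,${domainSuffix}")
      "objectClass: person"
      "objectClass: posixAccount"
      "objectClass: shadowAccount"
      "objectClass: PostfixBookMailAccount"
      "objectClass: PostfixBookMailForward"
      (attr "cn" cn)
      (attr "sn" sn)
      (attr "mail" "${uid}@${domain}")
      "mailEnabled: ${if mailEnabled then "TRUE" else "FALSE"}"
      (attr "mailGroupMember" mailGroupMember)
      (attr "uidNumber" uidNumber)
      (attr "gidNumber" gidNumber)
      (attr "homeDirectory" homeDirectory)
    ]
    ++ lib.optional (loginShell != null) (attr "loginShell" loginShell)
    ++ lib.optional (userPassword != null) (attr "userPassword" userPassword)
    ++ lib.optional (mailHomeDirectory != null) (attr "mailHomeDirectory" mailHomeDirectory)
    ++ lib.optional (mailStorageDirectory != null) (attr "mailStorageDirectory" mailStorageDirectory)
    ++ lib.optional (mailQuota != null) (attr "mailQuota" mailQuota)
    ++ map (attr "mailForwardingAddress") mailForwardingAddress
    ++ map (alias: attr "mailAlias" "${alias}@${domain}") mailAlias
    # PostfixBookMailForward requires mailAlias, so emit an empty one when
    # no alias is configured.
    ++ lib.optional (mailAlias == []) "mailAlias:"
  ))
  # Private group for the account, named after the uid and sharing gidNumber.
  ''
    dn: cn=${uid},ou=groups,ou=posix,${domainSuffix}
    objectClass: top
    objectClass: posixGroup
    gidNumber: ${toString gidNumber}
    memberUid: ${uid}
  ''
]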