{ config, lib, ... }:

with lib;

mkIf (elem "mailserver" config.machine.services) {
  mailserver = rec {
    enable = true;
    fqdn = "mail.${config.machine.domain}";
    domains = [ config.machine.domain ];
    loginAccounts = {
        "derped@${config.machine.domain}" = {
            hashedPassword = (fileContents /secret/derped.mail);
        };
    };
    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = 1;
    certificateFile = "/var/lib/acme/" + fqdn + "/fullchain.pem";
    keyFile = "/var/lib/acme/" + fqdn + "/key.pem";

    #dhParamBitLength = 4096; # this doesn't exist???

    # Enable IMAP and POP3
    enableImap = true;
    enablePop3 = false;
    enableImapSsl = true;
    enablePop3Ssl = false;

    # Enable the ManageSieve protocol
    enableManageSieve = true;

    # whether to scan inbound emails for viruses (note that this requires at least
    # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
    virusScanning = false;
  };
}