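{ config, lib, ... }:

let
  # Explicit imports instead of `with lib;` so it is visible which names come
  # from nixpkgs' lib and which are builtins.
  inherit (lib) mkIf elem fileContents flatten listToAttrs;
in
mkIf (elem "mailserver" config.machine.services) {
  mailserver =
    let
      domain = config.machine.domain;

      # An alias name is reachable both at the bare domain and at the mail
      # host name, e.g. user@<domain> and user@mail.<domain>.
      mkFqdnAlias = name: [ "${name}@${domain}" "${name}@mail.${domain}" ];

      # Build one `loginAccounts` entry (a name/value pair for listToAttrs)
      # from an element of config.machine.mailAccounts, which is assumed to
      # carry `name` and `aliases` attributes.
      #
      # NOTE(review): the password hash is read with fileContents at
      # evaluation time, so it becomes part of the generated configuration in
      # the world-readable Nix store. If the mailserver module version in use
      # provides a file-based variant of this option, pointing it at the same
      # path keeps the hash out of the store — confirm against the module.
      mkUser = user: {
        name = "${user.name}@${domain}";
        value = {
          hashedPassword = fileContents "${config.machine.secretPath}/${user.name}.mail";
          aliases =
            [ "${user.name}@mail.${domain}" ]
            ++ flatten (map mkFqdnAlias user.aliases);
        };
      };
    in
    rec {
      enable = true;
      fqdn = "mail.${domain}";
      domains = [ domain ];
      loginAccounts = listToAttrs (map mkUser config.machine.mailAccounts);

      # certificateScheme 1 is the "manual" scheme: the module only uses the
      # two files named below and does not obtain a certificate itself. The
      # paths are the usual ACME locations for this fqdn, so the certificate
      # is presumably issued by an ACME setup elsewhere in the configuration
      # (that setup is what needs the stripped-down nginx listening on port
      # 80, not this module). Confirm such a setup exists for `fqdn`; without
      # it the mail services have no usable certificate at these paths.
      certificateScheme = 1;
      certificateFile = "/var/lib/acme/" + fqdn + "/fullchain.pem";
      keyFile = "/var/lib/acme/" + fqdn + "/key.pem";
      #dhParamBitLength = 4096; # this doesn't exist???

      # IMAP is offered on both the plain (STARTTLS) and the implicit-TLS
      # listener; POP3 is disabled entirely.
      enableImap = true;
      enablePop3 = false;
      enableImapSsl = true;
      enablePop3Ssl = false;

      # Enable the ManageSieve protocol
      enableManageSieve = true;

      # whether to scan inbound emails for viruses (note that this requires at least
      # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
      virusScanning = false;
    };
}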