{ config, lib, ... }:

with lib;

mkIf (elem "mailserver" config.machine.services) {
  mailserver = let
    mkUser = username: {
      name = "${username}@${config.machine.domain}";
      value = {
        hashedPassword = (fileContents "/secret/${username}.mail");
      };
    };
  in rec {
    enable = true;
    fqdn = "mail.${config.machine.domain}";
    domains = [ config.machine.domain ];
    loginAccounts = listToAttrs (map mkUser config.machine.mailAccounts);

    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = 1;
    certificateFile = "/var/lib/acme/" + fqdn + "/fullchain.pem";
    keyFile = "/var/lib/acme/" + fqdn + "/key.pem";

    #dhParamBitLength = 4096; # this doesn't exist???

    # Enable IMAP and POP3
    enableImap = true;
    enablePop3 = false;
    enableImapSsl = true;
    enablePop3Ssl = false;

    # Enable the ManageSieve protocol
    enableManageSieve = true;

    # whether to scan inbound emails for viruses (note that this requires at least
    # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
    virusScanning = false;
  };
}