{ config, lib, ... }:

with lib;

mkIf (elem "mailserver" config.machine.services) {
  mailserver = let
    cfg = config.machine;
    domain = cfg.domain;
    fdomain = (findFirst (s: s.service == "mail") cfg cfg.vHosts).domain;
    mkFqdnAlias = name: [ "${name}@${domain}" "${name}@${fdomain}" ];
    mkExDomAlias = name: (map (exDom: "${name}@${exDom}") cfg.extraDomains);
    mkUser = user: rec {
      name = "${user.name}@${domain}";
      value = {
        hashedPassword = (fileContents "${cfg.secretPath}/${user.name}.mail");
        aliases = [ "${user.name}@${fdomain}" ]
                  ++ (flatten (map mkFqdnAlias user.aliases))
                  ++ (flatten (map mkExDomAlias ([ user.name ] ++ user.aliases)));
      };
    };
  in rec {
    enable = true;
    fqdn = fdomain;
    domains = ([ fdomain domain ] ++ cfg.extraDomains);
    loginAccounts = listToAttrs (map mkUser cfg.mailAccounts);

    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = 1;
    certificateFile = "/var/lib/acme/" + fqdn + "/fullchain.pem";
    keyFile = "/var/lib/acme/" + fqdn + "/key.pem";

    #dhParamBitLength = 4096; # this doesn't exist???

    # Enable IMAP and POP3
    enableImap = true;
    enablePop3 = false;
    enableImapSsl = true;
    enablePop3Ssl = false;

    # Enable the ManageSieve protocol
    enableManageSieve = true;

    # whether to scan inbound emails for viruses (note that this requires at least
    # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
    virusScanning = false;
  };
}