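# Mail-server role module (two-stage NixOS module).
#
# Outer function: deployment parameters for the mail service.
#   primaryMailserver     - hostname of the host that should run the mail stack
#   primaryDomain         - domain whose imap./smtp./mail./mail-stats. records we publish
#   authentikServer       - hostname of the Authentik instance backing LDAP auth
#   servedDomains         - accepted by the signature but not used in this file
#   ldapBase, ldapBindDn  - LDAP search base and bind DN
#   ldapBindPwFile        - path to a file holding the LDAP bind password
#   dkimRecord            - verbatim DNS record for the DKIM public key
#   saslDomain            - SASL realm handed to the mail module
#   authentikOutpostToken - path to a file holding the Authentik outpost token
# Inner function: the usual NixOS module arguments.
{ primaryMailserver, primaryDomain, authentikServer, servedDomains, ldapBase
, ldapBindDn, ldapBindPwFile, dkimRecord, saslDomain, authentikOutpostToken, ...
}:

{ config, lib, pkgs, ... }:

with lib;
let
  # Project helpers from the extended pkgs.lib: resolve a host name to its addresses.
  inherit (pkgs.lib) getHostIpv4 getHostIpv6;
  hostname = config.instance.hostname;
in {
  config = {
    # The arion (podman-compose) unit for the mail stack needs podman up first.
    systemd.services.arion-mail-server = {
      requires = [ "podman.service" ];
      after = [ "podman.service" ];
    };

    fudo = {
      # Both certificates carry mail.<domain> as an extra SAN; both are served
      # from the same host (see services.nginx below), so validation for the
      # shared name succeeds for either certificate.
      acme.host-domains = {
        "imap.${primaryDomain}".extra-domain = [ "mail.${primaryDomain}" ];
        "smtp.${primaryDomain}".extra-domain = [ "mail.${primaryDomain}" ];
      };

      # DNS zone for the mail domain: SRV records, host A/AAAA records,
      # metrics discovery records and the DKIM record.
      zones."${primaryDomain}" = let
        # NOTE(review): the published addresses come from the domain's
        # configured primary-mailserver, not from the `primaryMailserver`
        # parameter. If the two ever disagree the records point at the wrong
        # host -- confirm they are kept in sync by the caller.
        mailserverDomain = config.fudo.hosts."${primaryMailserver}".domain;
        mailserver =
          config.fudo.domains."${mailserverDomain}".primary-mailserver;
        mailserverIps = {
          ipv4-address = getHostIpv4 mailserver;
          ipv6-address = getHostIpv6 mailserver;
        };
        srvRecord = host: port: [{ inherit host port; }];
      in {
        # SMTP, submission and IMAP are TCP-only protocols (RFC 5321 / RFC 6186),
        # so only _tcp SRV records are published. The previous _udp entries for
        # smtp/submission were dead records that no client queries; they have
        # been dropped.
        srv-records.tcp = {
          imap = srvRecord "imap.${primaryDomain}" 143;
          imaps = srvRecord "imap.${primaryDomain}" 993;
          smtp = srvRecord "smtp.${primaryDomain}" 25;
          submission = srvRecord "smtp.${primaryDomain}" 587;
          submissions = srvRecord "smtp.${primaryDomain}" 465;
        };

        # One <exporter>._metrics._tcp record per exporter, all pointing at the
        # mail-stats host on 443; matched by metrics.prometheus below.
        metric-records = genAttrs [ "dovecot" "postfix" "rspamd" ]
          (_: srvRecord "mail-stats.${primaryDomain}" 443);

        hosts = {
          imap = mailserverIps;
          smtp = mailserverIps;
          mail = mailserverIps;
          mail-stats = mailserverIps;
        };

        verbatim-dns-records = [ dkimRecord ];
      };

      # Prometheus discovers each exporter through the SRV names published above.
      metrics.prometheus.service-discovery-dns =
        genAttrs [ "dovecot" "postfix" "rspamd" ]
        (metricType: [ "${metricType}._metrics._tcp.${primaryDomain}" ]);

      mail = {
        # Only the designated host actually runs the mail stack; the DNS and
        # ACME settings above are emitted on every host that imports this module.
        enable = hostname == primaryMailserver;
        # NOTE(review): debug logging is enabled unconditionally. Depending on
        # what the mail module logs at debug level this may expose message
        # metadata or authentication details in the journal -- confirm this is
        # intended for production.
        debug = true;
        primary-domain = primaryDomain;
        sasl-domain = saslDomain;
        # NOTE(review): every local network is trusted for relaying. Make sure
        # `instance.local-networks` only covers networks whose hosts are
        # allowed to send unauthenticated mail through this server.
        trusted-networks = config.instance.local-networks;

        smtp = {
          hostname = "smtp.${primaryDomain}";
          ssl-directory =
            config.security.acme.certs."smtp.${primaryDomain}".directory;
        };

        imap = {
          hostname = "imap.${primaryDomain}";
          ssl-directory =
            config.security.acme.certs."imap.${primaryDomain}".directory;
        };

        ldap = {
          authentik-host = "https://${authentikServer}";
          # NOTE(review): readFile pulls the token into the evaluated
          # configuration at build time. If the `outpost-token` option renders
          # it into any file under /nix/store, the secret becomes world-readable.
          # The bind password below is passed by path instead; prefer the same
          # pattern here if the mail module offers a *-file variant.
          outpost-token = readFile authentikOutpostToken;
          base = ldapBase;
          bind-dn = ldapBindDn;
          bind-password-file = ldapBindPwFile;
        };

        aliases = let
          admins = config.instance.local-admins;
          # Only users that declared at least one email alias get an entry.
          hasAliases = _: userOpts: userOpts.email-aliases != [ ];
        in {
          # Role mailboxes (RFC 2142 style) all land with the local admins.
          alias-users = {
            admin = admins;
            dmarc-reports = admins;
            ftp = admins;
            hostmaster = admins;
            irc = admins;
            postmaster = admins;
            root = admins;
            system = admins;
            webmaster = admins;
            www-data = admins;
          };

          user-aliases = mapAttrs (_: userOpts: userOpts.email-aliases)
            (filterAttrs hasAliases config.fudo.users);
        };
      };
    };

    # HTTPS on the imap./smtp. names exists only to satisfy ACME HTTP-01 and to
    # bounce browsers to webmail; it is enabled on the mail host alone.
    services.nginx = mkIf (hostname == primaryMailserver) {
      enable = true;
      virtualHosts = {
        "smtp.${primaryDomain}" = {
          enableACME = true;
          forceSSL = true;
          locations."/".return = "301 https://webmail.${primaryDomain}";
        };
        "imap.${primaryDomain}" = {
          enableACME = true;
          forceSSL = true;
          locations."/".return = "301 https://webmail.${primaryDomain}";
        };
      };
    };
  };
}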