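# NixOS module: mail server for the "france" host, authenticating users
# against LDAP.
#
# It declares a dedicated LDAP reader account for the mail server (with a
# generated password) and fills in config.fudo.mail-server: Dovecot LDAP
# auth, per-user email aliases, storage directories and the ACME-issued TLS
# material for mail.<local-domain>.
{ config, lib, pkgs, ... }:

with lib;

let
  hostname = config.instance.hostname;
  domain-name = config.instance.local-domain;
  cfg = config.fudo.france.mail;

  # cn of the LDAP account the mail server binds as for auth lookups.
  mail-reader-dn = "mail-auth-reader";

in {
  options.fudo.france.mail = with types; {
    mail-directory = mkOption {
      type = str;
      description = "Directory to contain user maildirs.";
    };

    state-directory = mkOption {
      type = str;
      description = "Directory to contain mail-server state.";
    };

    ldap-server-urls = mkOption {
      type = listOf str;
      description = "List of LDAP server URLs.";
    };
  };

  config.fudo = let
    # Path of a generated 30-character password file for the LDAP reader.
    # NOTE(review): random-passwd-file is a project helper; if it yields a
    # Nix-store path, the plaintext password is world-readable on the host
    # (the store is not a secret store). The commented-out host-secrets block
    # below suggests the intended deployment is a /run/mail/... secret owned by
    # the dovecot user — confirm which one is actually in effect.
    mail-reader-password =
      pkgs.lib.fudo.passwd.random-passwd-file
        "${mail-reader-dn}-ldap-password" 30;
  in {
    # This is used at build time...
    # secrets.host-secrets.${hostname}.mail-reader-passwd = {
    #   source-file = ldap-password;
    #   target-file = "/run/mail/${mail-reader-dn}-ldap.passwd";
    #   user = config.services.dovecot2.user;
    # };

    # The reader account itself; only the LDAP hash of the password is stored
    # on the directory side.
    system-users.${mail-reader-dn} = {
      description = "Used by the mail server to connect to LDAP for auth.";
      ldap-hashed-password =
        pkgs.lib.fudo.passwd.hash-ldap-passwd
          "${mail-reader-dn}-hashed" mail-reader-password;
    };

    mail-server = let
      mail-hostname = "mail.${domain-name}";
      # TLS material comes from the ACME certificate issued for mail-hostname.
      mail-ssl-dir = config.security.acme.certs.${mail-hostname}.directory;
      ssl-certificate = "${mail-ssl-dir}/cert.pem";
      ssl-private-key = "${mail-ssl-dir}/key.pem";
    in {
      enableContainer = true;
      monitoring = true;
      domain = domain-name;
      # Reuse the let binding instead of repeating the "mail.${domain-name}"
      # literal, so the advertised hostname and the ACME cert lookup cannot
      # drift apart.
      inherit mail-hostname;
      trusted-networks = config.instance.local-networks;

      dovecot = {
        ldap = {
          reader-dn = "cn=${mail-reader-dn},${config.fudo.authentication.base}";
          reader-password-file = mail-reader-password;
          server-urls = cfg.ldap-server-urls;
        };
      };

      # Map each user that has at least one email alias to their alias list.
      user-aliases = let
        aliased-users = filterAttrs
          (username: userOpts: length userOpts.email-aliases > 0)
          config.fudo.users;
      in mapAttrs (username: userOpts: userOpts.email-aliases) aliased-users;

      state-directory = cfg.state-directory;
      mail-directory = cfg.mail-directory;
      clamav.enable = true;
      dkim.signing = true;

      ssl = {
        certificate = ssl-certificate;
        private-key = ssl-private-key;
      };
    };
  };
}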