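{ primaryMailserver, primaryDomain, authentikServer, servedDomains, ldapBase
, ldapBindDn, ldapBindPwFile, dkimRecord, saslDomain, authentikOutpostToken, ... }:

# Mail-server role for the host named by `primaryMailserver`: ACME
# certificate domains, DNS records for imap/smtp/mail, the fudo mail service
# (only enabled on that host) and an nginx redirect to webmail.
# `servedDomains` is accepted but not referenced in this module.
{ config, lib, pkgs, ... }:

with lib;
let
  hostname = config.instance.hostname;
  # Every host that imports this module evaluates it; only the primary
  # mail server actually runs the services.
  isMailserver = hostname == primaryMailserver;
in {
  config = {
    fudo = {
      # The imap/smtp certificates also cover mail.<domain>.
      acme.host-domains = {
        "imap.${primaryDomain}".extra-domain = [ "mail.${primaryDomain}" ];
        "smtp.${primaryDomain}".extra-domain = [ "mail.${primaryDomain}" ];
      };

      zones."${primaryDomain}" = let
        mailserverDomain = config.fudo.hosts."${primaryMailserver}".domain;
        mailserverZone = config.fudo.domains."${mailserverDomain}".zone;
        # Look the mail host up by the name this module was given.  The
        # original indexed with `mailserver`, a name bound nowhere in this
        # file, which fails at evaluation time.
        mailserverIps =
          config.fudo.zones."${mailserverZone}".hosts."${primaryMailserver}";
        # imap, smtp and mail all point at the same addresses.
        mailserverHost = {
          ipv4-address = mailserverIps.ipv4-address;
          ipv6-address = mailserverIps.ipv6-address;
        };
      in {
        hosts = {
          imap = mailserverHost;
          smtp = mailserverHost;
          mail = mailserverHost;
        };
        # FIXME: DKIM key!!!
        verbatim-dns-records = [ dkimRecord ];
      };

      mail = {
        enable = isMailserver;
        # NOTE(review): debug logging is left on.  Mail logs can carry
        # addresses and authentication detail; confirm this is intended
        # outside of testing.
        debug = true;
        primary-domain = primaryDomain;
        sasl-domain = saslDomain;
        trusted-networks = config.instance.local-networks;

        smtp = {
          hostname = "smtp.${primaryDomain}";
          ssl-directory =
            config.security.acme.certs."smtp.${primaryDomain}".directory;
        };

        imap = {
          hostname = "imap.${primaryDomain}";
          ssl-directory =
            config.security.acme.certs."imap.${primaryDomain}".directory;
        };

        ldap = {
          authentik-host = "https://${authentikServer}";
          # NOTE(review): readFile copies the token into the evaluated
          # configuration, i.e. into the world-readable Nix store.  The LDAP
          # bind password below is handed over as a file path instead; if the
          # mail module also accepts a file for the outpost token, prefer
          # that — confirm against the module's options.
          outpost-token = readFile authentikOutpostToken;
          base = ldapBase;
          bind-dn = ldapBindDn;
          bind-password-file = ldapBindPwFile;
        };

        aliases = let
          admins = config.instance.local-admins;
          # Only users that declare at least one alias are listed.
          hasAliases = _: userOpts: userOpts.email-aliases != [ ];
          aliasUsers = filterAttrs hasAliases config.fudo.users;
        in {
          # Role mailboxes are all delivered to the local admins.
          alias-users = {
            admin = admins;
            dmarc-reports = admins;
            ftp = admins;
            hostmaster = admins;
            irc = admins;
            postmaster = admins;
            root = admins;
            system = admins;
            webmaster = admins;
            www-data = admins;
          };
          user-aliases =
            mapAttrs (_: userOpts: userOpts.email-aliases) aliasUsers;
        };
      };
    };

    # HTTPS on the smtp/imap names only redirects browsers to webmail.
    services.nginx = mkIf isMailserver {
      enable = true;
      virtualHosts = {
        "smtp.${primaryDomain}" = {
          enableACME = true;
          forceSSL = true;
          locations."/".return = "301 https://webmail.${primaryDomain}";
        };
        "imap.${primaryDomain}" = {
          enableACME = true;
          forceSSL = true;
          locations."/".return = "301 https://webmail.${primaryDomain}";
        };
      };
    };
  };
}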