{ pkgs, lib, config, system, ... }:
let
  inherit (builtins) toString toFile readFile;
  inherit (builtins.extraBuiltins) pass;
  inherit (lib) types;
  inherit (pkgs.lib) loadFile unlines unlinesAttrs unlinesValues unwords;
  inherit (config) networking;
  inherit (config.services) dovecot2 postfix openldap;

  # NOTE: nixpkgs' dovecot2.stateDir is currently not exported
  stateDir    = "/var/lib/dovecot";

  sieve_pipe_bin_dir = pkgs.buildEnv {
    name = "sieve_pipe_bin_dir";
    pathsToLink = [ "/bin" ];
    paths = [
      learn-spam
      learn-ham
    ];
  };
  learn-spam = pkgs.writeShellScriptBin "learn-spam.sh" ''
    exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd/learner.sock learn_spam
  '';
  learn-ham = pkgs.writeShellScriptBin "learn-ham.sh" ''
    exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd/learner.sock learn_ham
  '';

  dovecot-virtual = pkgs.buildEnv {
    name = "dovecot-virtual";
    pathsToLink = [ "/" ];
    paths = [
      dovecot-virtual-all
      dovecot-virtual-recents
    ];
  };
  dovecot-virtual-all = pkgs.writeTextFile {
    name = "dovecot-virtual-all";
    destination = "/All/dovecot-virtual";
    text = ''
      *
        all
    '';
  };
  dovecot-virtual-recents = pkgs.writeTextFile {
    name = "dovecot-virtual-recents";
    destination = "/Recents/dovecot-virtual";
    text = ''
      *
        all younger 172800
    '';
  };
  dovecot-virtual-pop3 = pkgs.writeTextFile {
    name = "dovecot-virtual-pop3";
    destination = "/pop3/INBOX/dovecot-virtual";
    text = ''
      All
      All+*
        all
    '';
  };
in
{
imports = [
  dovecot/autoconfig.nix
];
systemd.services.dovecot2 = {
  after = [
    "postfix.service"
    "openldap.service"
    "${networking.domain}.key.pem-key.service"
  ];
};
#users.users."${dovecot2.mailUser}".isSystemUser = true; # Fix nixpkgs
services.dovecot2 = {
  enable    = true;
  modules   = [
    pkgs.dovecot_pigeonhole
    pkgs.dovecot_fts_xapian
  ];
  enablePAM = false;
  enableImap = true;
  enableLmtp = true;
  enablePop3 = true;
  protocols = [ "sieve" ];
  # If needed, may be overrided by userdb_mail= in passdb, or mail= in userdb
  # Here INDEX and CONTROL are separated,
  # it's not useful since there is not quota at the filesystem level
  # it's just to let this possibility later on.
  mailLocation = "sdbox:${stateDir}/mail/%d/%n/mail.d:UTF-8:CONTROL=${stateDir}/control/%d/%n:INDEX=${stateDir}/index/%d/%n";
  createMailUser = false;
  mailUser = "";
  mailGroup = "";
  sslServerCert = null;
  sieveScripts = {
    global = dovecot/sieve/global;
  };
  extraConfig = ''
    auth_verbose = yes
    auth_debug = yes
    mail_debug = yes
    verbose_ssl = no
    log_timestamp = "%Y-%m-%d %H:%M:%S "

    ssl = required
    ssl_dh = <${../../../sec/openssl/dh.pem}
    ssl_cipher_list = HIGH:!LOW:!SSLv2:!EXP:!aNULL
    ssl_cert = <${loadFile (../../../sec + "/openssl/${networking.domain}/cert.self-signed.pem")}
    ssl_key = </run/keys/${networking.domain}.key.pem
    #ssl_ca = <''${caPath}
    #ssl_verify_client_cert = yes

    listen = *
    # If needed, may be overrided by userdb_mail
    mail_home = ${stateDir}/mail/%d/%n
    # Read multiple mails in parallel, improves performance
    mail_prefetch_count = 20
    # Default VSZ (virtual memory size) limit for service processes. This is mainly
    # intended to catch and kill processes that leak memory before they eat up everything.
    # Increased for fts_xapian.
    default_vsz_limit = 1G

    # DOC: https://doc.dovecot.org/configuration_manual/authentication/authentication_mechanisms/
    # DOC: https://ldapwiki.com/wiki/DIGEST-MD5
    # The misunderstanding is the notion "password sent over the network in plain-text" is not secure,
    # when in fact, storing the password in the directory server using a Salted SHA-2 hash
    # and transmitting the clear text password over a secure connection
    # is more secure than having the directory server store the password in clear text
    # or in a reversible encryption scheme.
    # Therefore, SASL with DIGEST-MD5 (or CRAM-MD5) should be avoided.
    # Use doveadm pw -s SSHA256 -u $user
    auth_mechanisms = plain login
    auth_username_format = %Ln
    passdb {
      driver = ldap
      # Because auth_bind=yes and auth_bind_userdn are used,
      # this cannot prefetch any userdb_*.
      args = ${dovecot/ldap/sourcephile.fr.conf}
      default_fields =
      override_fields =
    }
    userdb {
      driver = ldap
      # A different path than passdb's args enables non-blocking LDAP requests
      args = ${pkgs.symlinkJoin {name="ldap"; paths=[dovecot/ldap];}}/sourcephile.fr.conf
      default_fields =
      override_fields =
    }
    service auth {
      user = ${dovecot2.user}
      # auth_socket_path points to this userdb socket by default. It's typically
      # used by dovecot-lda, doveadm, possibly imap process, etc.
      # Users that have access to this socket are able to get a list
      # of all usernames and get results of everyone's userdb lookups.
      unix_listener auth-userdb {
        user  = ${dovecot2.user}
        group = ${dovecot2.group}
        mode  = 0660
      }
      unix_listener /var/lib/postfix/queue/private/auth {
        user  = ${postfix.user}
        group = ${postfix.group}
        mode  = 0660
      }
    }
    service auth-worker {
      user = ${dovecot2.user}
    }
    auth_cache_verify_password_with_worker = yes
    # SEE: http://wiki2.dovecot.org/Quota/FS
    # NOTE: postfix does not supply a client cert.
    auth_ssl_require_client_cert = no
    #auth_ssl_username_from_cert = yes
    # NOTE: lowercase the username, help with LDAP?
    auth_username_format = %Lu
    # NOTE: sync with LDAP's data.
    first_valid_uid = 1000
    disable_plaintext_auth = yes

    # No dirty syncs for maildir: locations which may be used directly by neomutt
    maildir_very_dirty_syncs = no
    namespace Inbox {
      type      = private
      inbox     = yes
      hidden    = no
      list      = yes
      prefix    =
      separator = +
    }
    namespace Shared {
      type = shared
      #list = children
      # NOTE: always listed in the LIST command.
      list = yes
      # NOTE: how to access the other users' mailboxes.
      # NOTE: %var expands to the logged in user's variable, while
      #       %%var expands to the other users' variables.
      # NOTE: INDEX and CONTROL are shared, INDEXPVT is not.
      location = sdbox:${stateDir}/mail/%%d/%%n/${stateDir}/mail.d:UTF-8:CONTROL=${stateDir}/control/%%d/%%n/Shared:INDEX=${stateDir}/index/%%d/%%n/Shared:INDEXPVT=${stateDir}/index/%d/%n/Shared/%%n
      prefix = Partages+%%n+
      separator = +
      subscriptions = yes
    }
    mail_plugins = $mail_plugins virtual
    namespace Virtual {
      prefix = Virtual+
      separator = +
      hidden = no
      list = yes
      subscriptions = no
      location = virtual:${dovecot-virtual}:UTF-8:INDEX=${stateDir}/index/%d/%n/virtual
    }

    mail_plugins = $mail_plugins acl
    plugin {
      acl = vfile:/etc/dovecot/acl/global.d
      acl_anyone = allow
      # NOTE: to let users LIST mailboxes shared by other users,
      #       Dovecot needs a shared mailbox dictionary.
      # FIXME: %d not working with userdb ldap
      acl_shared_dict = file:${stateDir}/acl/%d/acl.db
    }

    mail_plugins = $mail_plugins fts fts_xapian
    plugin {
      plugin = fts fts_xapian
      fts = xapian
      fts_autoindex = yes
      fts_autoindex_exclude = \Junk
      fts_autoindex_exclude2 = \Trash
      fts_enforced = yes
      # 2 and 20 are the NGram values for header fields, which means the
      # keywords created for fields (To, Cc, ...) are between is 2 and 20 chars long.
      # Full words are also added by default.
      fts_xapian = partial=2 full=20 verbose=0
    }

    mail_plugins = $mail_plugins quota
    plugin {
      quota = maildir:User quota
      quota_rule = *:storage=256M
      quota_rule2 = Trash:storage=+64M
      quota_max_mail_size = 20M
      #quota_exceeded_message = </path/to/quota_exceeded_message.txt
      quota_warning  = storage=95%% quota-warning 95 %u
      quota_warning2 = storage=80%% quota-warning 80 %u
      quota_warning3 = -storage=100%% quota-warning below %u
    }

    protocol lda {
      hostname = ${networking.domain}
      mail_plugins = $mail_plugins sieve
      postmaster_address = postmaster+dovecot+lda@${networking.domain}
      syslog_facility = mail
    }
    lda_mailbox_autocreate = yes
    lda_mailbox_autosubscribe = yes

    protocol lmtp {
      mail_plugins = $mail_plugins sieve
      postmaster_address = postmaster+dovecot+lmtp@${networking.domain}
    }
    service lmtp {
      process_min_avail = ${toString config.nix.maxJobs}
      unix_listener /var/lib/postfix/queue/private/dovecot-lmtp {
        user  = ${postfix.user}
        group = ${postfix.group}
        mode  = 0600
      }
    }
    plugin {
      # Let extension.sieve do the handling of the detail
      #lmtp_save_to_detail_mailbox = yes
      recipient_delimiter = ${postfix.recipientDelimiter}
    }

    service imap {
      # Most of the memory goes to mmap()ing files.
      # You may need to increase this limit if you have huge mailboxes.
      #vsz_limit =
      process_limit = 1024
    }
    service imap-login {
      #inet_listener imap {
      #  address = 127.0.0.1
      #  port    = 143
      #  ssl     = no
      #}
      inet_listener imaps {
        port = 993
        ssl  = yes
      }
    }
    # Store METADATA information within user's HOME directory
    mail_attribute_dict = file:%h/dovecot-attributes
    # If you have Dovecot v2.2.8+ you may get a significant performance improvement with fetch-headers:
    imapc_features = $imapc_features fetch-headers
    protocol imap {
      #mail_max_userip_connections = 10
      mail_plugins = $mail_plugins imap_acl imap_quota imap_sieve virtual
      imap_metadata = yes

      # DOC: https://wiki.dovecot.org/MailboxSettings
      # Due to a bug in Dovecot v2.2.30+ if special-use flags are used,
      # SPECIAL-USE needs to be added to post-login CAPABILITY response as RFC 6154 mandates.
      imap_capability = +SPECIAL-USE

      namespace Inbox {
        mailbox "Archives" {
          auto = subscribe
          special_use = \Archive
        }
        mailbox "Drafts" {
          auto = no
          special_use = \Drafts
        }
        mailbox "Brouillons" {
          auto = subscribe
          special_use = \Drafts
        }
        mailbox "Junk" {
          auto = no
          #autoexpunge = 30d
          special_use = \Junk
        }
        mailbox "Spams" {
          auto = no
          special_use = \Junk
        }
        mailbox "Spam" {
          auto = no
          special_use = \Junk
        }
        mailbox "Pourriels" {
          auto = no
          special_use = \Junk
        }
        mailbox "Pourriel" {
          auto = no
          special_use = \Junk
        }
        mailbox "Sent" {
          auto = no
          special_use = \Sent
        }
        mailbox "Sent Items" {
          auto = no
          special_use = \Sent
        }
        mailbox "Sent Messages" {
          auto = no
          special_use = \Sent
        }
        mailbox "Envoyés" {
          auto = no
          special_use = \Sent
        }
        mailbox "Trash" {
          auto = no
          special_use = \Trash
          #autoexpunge = 30d
        }
        mailbox "Corbeille" {
          auto = no
          special_use = \Trash
        }
      }
      namespace Virtual {
        mailbox All {
          auto = no
          comment = All messages from all mailboxes
          special_use = \All
        }
        mailbox Recents {
          auto = no
          comment = All messages from all mailboxes arrived in the past 48h
        }
      }
    }
    plugin {
      #sieve_default = file:${stateDir}/mail/%u/default.sieve
      #sieve_default_name = default
      sieve_plugins = sieve_imapsieve sieve_extprograms
      sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
      #sieve_extensions = +editheader
      sieve = file:~/sieve.d;active=~/sieve
      sieve_pipe_bin_dir = ${sieve_pipe_bin_dir}/bin
      sieve_max_script_size = 1M
      sieve_quota_max_scripts = 0
      sieve_quota_max_storage = 10M
      #sieve_spamtest_max_value = 10
      #sieve_spamtest_status_header = X-Spam-Score
      #sieve_spamtest_status_type = strlen
      sieve_user_log = /var/log/dovecot/%d/sieve.%n.log
      # Enables support for user Sieve scripts in IMAP
      #imapsieve_url = sieve://mail.${networking.domain}:4190

      # When a flag changes, spam or ham according to the \Junk or \NonJunk flags
      imapsieve_mailbox1_name = *
      imapsieve_mailbox1_causes = FLAG
      imapsieve_mailbox1_before = file:${stateDir}/sieve/global/spam-or-ham.sieve

      # From elsewhere to Junk folder
      imapsieve_mailbox2_name = Pourriel
      imapsieve_mailbox2_causes = COPY APPEND
      imapsieve_mailbox2_before = file:${stateDir}/sieve/global/report-spam.sieve

      # From Junk folder to elsewhere
      imapsieve_mailbox3_name = *
      imapsieve_mailbox3_from = Pourriel
      imapsieve_mailbox3_causes = COPY
      imapsieve_mailbox3_before = file:${stateDir}/sieve/global/report-ham.sieve
    }
    protocol sieve {
      # Maximum number of ManageSieve connections allowed for a user from each IP address.
      # NOTE: The username is compared case-sensitively.
      mail_max_userip_connections = 10

      # To fool ManageSieve clients that are focused on CMU's timesieved you can specify
      # the IMPLEMENTATION capability that the dovecot reports to clients.
      # For example: 'Cyrus timsieved v2.2.13'
      managesieve_implementation_string = Dovecot Pigeonhole

      # The maximum number of compile errors that are returned to the client upon script
      # upload or script verification.
      managesieve_max_compile_errors = 5

      #mail_max_userip_connections = 10
      #managesieve_implementation_string = Dovecot Pigeonhole
      managesieve_max_compile_errors = 5
      #managesieve_max_line_length = 65536
      #managesieve_notify_capability = mailto
      #managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
    }
    service managesieve-login {
      inet_listener sieve {
        port = 4190
        #ssl  = yes
      }

      # Number of connections to handle before starting a new process. Typically
      # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
      # is faster. <doc/wiki/LoginProcess.txt>
      service_count = 1

      # Number of processes to always keep waiting for more connections.
      process_min_avail = 0

      # If you set service_count=0, you probably need to grow this.
      #vsz_limit = 64M
    }

    service quota-warning {
      executable = script ${
        pkgs.writeScript "quota-warning" ''
          #!/bin/sh -eu
          PERCENT=$1
          USER=$2
          cat << EOF | ${pkgs.dovecot}/libexec/dovecot/dovecot-lda -d $USER -o
          "plugin/quota=maildir:User quota:noenforcing"
          From: postmaster@${networking.domain}
          Subject: [WARNING] your mailbox is now $PERCENT% full.

          Please remove some mails to make room for new ones.
          EOF
        ''
      }
      # use some unprivileged user for executing the quota warnings
      user = ${dovecot2.user}
      unix_listener quota-warning {
      }
    }

    protocol pop3 {
      mail_plugins = $mail_plugins virtual
      #mail_max_userip_connections = 10
      # Virtual namespace for the virtual INBOX.
      # Use a global directory for dovecot-virtual files.
      #namespace Inbox {
      #  hidden    = yes
      #  list      = no
      #  location  = virtual:''${dovecot-virtual-pop3}/pop3:INDEX=${stateDir}/index/%d/%n/virtual/pop3:LAYOUT=fs
      #  prefix    = pop3+
      #}
      pop3_client_workarounds =
      pop3_fast_size_lookups = yes
      pop3_lock_session = yes
      pop3_no_flag_updates = yes
      # Use GUIDs to avoid accidental POP3 UIDL changes instead of IMAP UIDs.
      pop3_uidl_format = %g
    }
    service pop3 {
      process_limit = 1024
    }
    service pop3-login {
      inet_listener pop3s {
        port = 995
        ssl  = yes
      }
    }
  '';
  #${lib.concatMapStringsSep "\n"
  #    (dom: ''
  #      local_name mail.${dom} {
  #        #ssl_ca   = <''${caPath}
  #        ssl_cert = <${x509.cert dom}
  #        ssl_key  = <${x509.key dom}
  #        }
  #    '')
  #    dovecot2.domains
  #}
};
#services.postfix.mapFiles."transport-dovecot" =
#  toFile "transport-dovecot"
#   (unlines
#     (lib.mapAttrsToList
#       (dom: {...}: "${transportSubDomain}.${dom} lmtp:unix:private/dovecot-lmtp")
#       dovecot2.domains));
}