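# NixOS module for Dovecot mail domains.
#
# Declares `services.dovecot2.domains.<domain>.accounts.<account>` (password
# hash, aliases, quota, groups) and, when `services.dovecot2.enable` is set,
# adds a `preStart` step to the dovecot2 unit that creates the mail root and
# links every entry of `networking.domainAliases` to the primary domain.
{ pkgs, lib, config, ... }:
let
  # NOTE(review): toString, toFile, attrNames, unlinesAttrs, escapeGroup and
  # domainGroup are not referenced anywhere in this file as shown.
  inherit (builtins) toString toFile attrNames;
  inherit (lib) types;
  inherit (pkgs.lib) unlinesAttrs unlinesValues unwords;
  inherit (config.services) dovecot2 openldap;
  inherit (config) networking;

  # Root of Dovecot's state; the mail/, control/, index/ and acl/ trees used
  # below all live under it.
  stateDir = "/var/lib/dovecot";

  # Maps every character outside [a-z0-9-] to "_".
  escapeGroup = lib.stringAsChars (c:
    if "a"<=c && c<="z"
    || "0"<=c && c<="9"
    || c=="-"
    then c else "_");
  domainGroup = escapeGroup "${networking.domainBase}";
in
{
  options.services.dovecot2 = {
    domains = lib.mkOption {
      default = {};
      # NOTE(review): `domain` (and `account` below) are requested as module
      # arguments but never used; the attribute key of a submodule is normally
      # passed as `name`. Confirm whether `_module.args` provides them
      # elsewhere before relying on them.
      type = types.attrsOf (types.submodule ({domain, ...}: {
        #config.domain = lib.mkDefault domain;
        options = {
          accounts = lib.mkOption {
            type = types.attrsOf (types.submodule ({account, ...}: {
              options = {
                # Security notes for maintainers:
                #  * The value is a password *hash* with its scheme prefix, not
                #    the plaintext.
                #  * NOTE(review): this file does not show where the value is
                #    consumed. If it is rendered into a generated file, the
                #    hash ends up in the world-readable /nix/store; confirm,
                #    and treat the hash as exposed to every local user if so.
                #  * SSHA512 is one salted SHA-512 round and is cheap to
                #    brute-force once a hash leaks. Dovecot also accepts slower
                #    schemes (e.g. ARGON2ID, BLF-CRYPT, SHA512-CRYPT, depending
                #    on the build); the scheme is taken from the {PREFIX}.
                password = lib.mkOption {
                  type = types.str;
                  example = "{SSHA512}uyjL1KYx4z7HpfNvnKzuVxpMLD2KVueGGBvOcj7AF1EZCTVhT++IIKUVOC4xpZtWdqVD0OVmZqgYr2qpn/3t3Aj4oU0=";
                  description = ''
                    Password hash, including the scheme prefix.
                    Use: `doveadm pw -s SSHA512` and type the password at the prompt.
                    `doveadm pw -s SSHA512 -p "$password"` also works, but leaves
                    the plaintext in the shell history and in the process list.
                  '';
                };
                aliases = lib.mkOption {
                  type = with types; listOf types.str;
                  example = [ "abuse@${config.networking.domain}" ];
                  default = [];
                  description = ''Aliases of this account.'';
                };
                quota = lib.mkOption {
                  type = with types; nullOr types.str;
                  default = null;
                  example = "2G";
                  description = ''
                    Per user quota rules. Accepted sizes are `xx k/M/G/T` with the
                    obvious meaning. Leave blank for the standard quota `100G`.
                  '';
                };
                # NOTE(review): no description is given; presumably the groups
                # the account belongs to. Confirm against the consumer.
                groups = lib.mkOption {
                  type = with types; listOf str;
                  default = [];
                };
              };
            }));
          };
        };
      }));
    };
  };

  config = lib.mkIf dovecot2.enable {
    systemd.services.dovecot2 = {
      preStart = unlinesValues {
        # Step 1 (only with OpenLDAP enabled): restart nslcd so its cache
        # matches the LDAP data before ownership is resolved.
        #
        # Step 2: create ${stateDir}/mail with mode 0771, i.e. owner and group
        # get full access while everyone else may only traverse the directory,
        # not list it.
        #
        # Step 3: for each domain alias, point <tree>/<alias> at the primary
        # domain. The link target is relative, so it resolves to
        # <tree>/<networking.domain> inside the same tree.
        #
        # Quoting: the primary domain goes through lib.escapeShellArg and the
        # loop variable is double-quoted, so an unusual value in the
        # configuration cannot be word-split or glob-expanded into extra `ln`
        # arguments; `--` keeps a leading "-" from being read as an option.
        # The `for` list itself is still split on whitespace on purpose, so
        # aliases must be plain host names.
        #
        # NOTE(review): only ${stateDir}/mail is created here; control/, index/
        # and acl/ must already exist when the links are made. Confirm they are
        # created elsewhere.
        installDomains =
          lib.optionalString openldap.enable ''
            # NOTE: make sure nslcd cache is in sync with the LDAP data
            systemctl restart nslcd
          '' + ''
            # SEE: http://wiki2.dovecot.org/SharedMailboxes/Permissions
            install -D -d -m 0771 \
             -o "${dovecot2.user}" \
             -g "${dovecot2.group}" \
             ${stateDir}/mail

            # NOTE: domainAliases point to the very same mailboxes as domain's.
            for domainAlias in ${unwords networking.domainAliases}
            do
              ln -fns -- ${lib.escapeShellArg networking.domain} "${stateDir}/mail/$domainAlias"
              ln -fns -- ${lib.escapeShellArg networking.domain} "${stateDir}/control/$domainAlias"
              ln -fns -- ${lib.escapeShellArg networking.domain} "${stateDir}/index/$domainAlias"
              ln -fns -- ${lib.escapeShellArg networking.domain} "${stateDir}/acl/$domainAlias"
            done
          '';
      };
    };
  };
}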