{pkgs, lib, config, system, ...}:
let inherit (builtins) toString toFile;
    inherit (lib) types;
    inherit (pkgs.lib) unlines unlinesAttrs unlinesValues unwords;
    inherit (config) networking;
    inherit (config.services) dovecot2 postfix x509 openldap;
    when        = x: y: if x == null then "" else y;
    extSep      = postfix.recipientDelimiter;
    dirSep      = extSep;
    stateDir      = "/var/lib/dovecot";
      # NOTE: nixpkgs' dovecot2.stateDir is currently not exported
    mailDir     = "${stateDir}/mail";
    sieveDir    = "${stateDir}/sieve";
    authDir     = "${stateDir}/auth";
    authUser    = dovecot2.mailUser;  # TODO: php_roundcube
    authGroup   = dovecot2.mailGroup; # TODO: php_roundcube
    escapeGroup = lib.stringAsChars (c: if "a"<=c && c<="z"
                                        || "0"<=c && c<="9"
                                        || c=="-"
                                        then c else "_");
    domainGroup = escapeGroup "${networking.domainBase}";
    etc_dovecot = [
      { target = "dovecot/${networking.domain}/dovecot-ldap.conf";
        source = pkgs.writeText "dovecot-ldap.conf" ''
          ${lib.optionalString dovecot2.debug ''
            debug_level = 1
          ''}

          # LDAP database
          uris = ldapi://
          base = ou=posix,${openldap.domainSuffix}
          scope = subtree
          deref = never
          blocking = no
            # NOTE: sufficient for small systems and uses less resources.

          # LDAP auth
          sasl_bind = yes
          sasl_mech = EXTERNAL
          #dn = cn=admin,${openldap.domainSuffix}
          #dnpass = useless with sasl_mech=EXTERNAL
          auth_bind = no
          #auth_bind_userdn = cn=%n,ou=accounts,ou=posix,dc=${openldap.domainSuffix}

          # dovecot passdb query
          # DOC: http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
          pass_filter = (&(objectClass=posixAccount)(uid=%n)(mailEnabled=TRUE))
          pass_attrs = userPassword=password,\
                       uidNumber=userdb_uid,\
                       gidNumber=userdb_gid,\
                       mailGroupMember=userdb_mail_access_groups=${domainGroup},\
                       quotaBytes=userdb_quota_rule=*:bytes=%{ldap:quotaBytes},\
                       =user=%n@%d
                       #homeDirectory=userdb_home
            # TODO: userdb_quota_rule=*:storage=
          default_pass_scheme = CRYPT

          # dovecot userdb query
          # DOC: http://wiki2.dovecot.org/UserDatabase/ExtraFields
          user_filter = (&(objectClass=posixAccount)(uid=%n)(mailEnabled=TRUE))
          #user_filter = (&(objectClass=inetOrgPerson)(uid=%n))
          #user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
          #user_attrs = mailHomeDirectory=home,\
          #              mailStorageDirectory=mail,\
          #              mailUidNumber=uid,\
          #              mailGidNumber=gid,\
          #              mailQuota=quota_rule=*:bytes=%$

          # doveadm user query
          iterate_attrs = =user=%{ldap:uid}@${networking.domain}
          iterate_filter = (&(objectClass=posixAccount)(mailEnabled=TRUE))
        '';
      }
    ];
    dovecot-virtual = pkgs.writeTextFile {
      name = "dovecot-virtual";
      destination = "/pop3/INBOX/dovecot-virtual";
      text = ''
        all
        all+*
          all
      '';
    };

    sieve-rspamd-filter =
      pkgs.stdenv.mkDerivation {
        name = "sieve-rspamd-filter";
        nativeBuildInputs = [ pkgs.makeWrapper ];
        phases = [ "installPhase" ];
        installPhase = ''
          mkdir -p $out/bin
          cat > $out/bin/learn-spam.sh <<EOF
          #!/bin/sh
          exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd.sock learn_spam
          EOF
          cat > $out/bin/learn-ham.sh <<EOF
          #!/bin/sh
          exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd.sock learn_ham
          EOF
          chmod +x $out/bin/*.sh
        '';
      };
in
{
  imports = [
    dovecot/autoconfig.nix
  ];
  options = {
    services.dovecot2.sieves = {
      global = lib.mkOption {
        description = "global scripts.";
        type = types.attrsOf types.str;
        default = {};
      };
      before = lib.mkOption {
        description = "before scripts.";
        type = types.attrsOf types.str;
        default = {};
      };
      after = lib.mkOption {
        description = "after scripts.";
        type = types.attrsOf types.str;
        default = {};
      };
    };
  };
  config = {
    environment.etc = etc_dovecot;
    #services.postfix.mapFiles."transport-dovecot" =
    #  toFile "transport-dovecot"
    #   (unlines
    #     (lib.mapAttrsToList
    #       (dom: {...}: "${transportSubDomain}.${dom} lmtp:unix:private/dovecot-lmtp")
    #       dovecot2.domains));
    systemd.services.dovecot2 = {
      after = [
        "postfix.service"
        "openldap.service"
      ];
      restartTriggers =
        map (f: f.source) etc_dovecot;
      environment  = {
        #LD_LIBRARY_PATH = config.system.nssModules.path;
      };
      preStart = unlinesValues {
        installMailDir = ''
          # SEE: http://wiki2.dovecot.org/SharedMailboxes/Permissions
          install -D -d -m 0771 \
           -o ${dovecot2.mailUser} \
           -g ${dovecot2.mailGroup} \
           ${mailDir}
        '';

        installSieve = ''
          rm -rf "${sieveDir}"
          install -D -d -m 0755 -o root -g root \
           "${sieveDir}/bin"
        '' + unlinesAttrs (dir: sieves: ''
          install -D -d -m 0755 -o root -g root \
           ${sieveDir} ${sieveDir}/${dir}.d
          '' + unlinesAttrs (name: text: ''
            src=${pkgs.writeText "${name}.sieve" text}
            dst="${sieveDir}/${dir}.d/${name}.sieve"
            ln -fns "$src" "$dst"
            ${pkgs.dovecot_pigeonhole}/bin/sievec "$dst"
          '') sieves
        ) dovecot2.sieves;

        installDomains = ''
          # NOTE: make sure nslcd cache is in sync with the LDAP data
          systemctl restart nslcd
          install -D -d -m 1770 \
           -o ${dovecot2.mailUser} \
           -g ${domainGroup} \
           ${mailDir}/${networking.domain} \
           ${stateDir}/control/${networking.domain} \
           ${stateDir}/index/${networking.domain}

          # NOTE: do not set the sticky bit (+t)
          #       on acl/<domain>/, to let dovecot
          #       rename acl.db.lock (own by new user)
          #       to     acl.db      (own by old user)
          install -D -d -m 0770 \
           -o ${dovecot2.mailUser} \
           -g ${domainGroup} \
           ${stateDir}/acl/${networking.domain}

          # NOTE: domainAliases point to the very same mailboxes as domain's.
          for domainAlias in ${unwords networking.domainAliases}
           do
            ln -fns ${networking.domain} ${mailDir}/$domainAlias
            ln -fns ${networking.domain} ${stateDir}/control/$domainAlias
            ln -fns ${networking.domain} ${stateDir}/index/$domainAlias
            ln -fns ${networking.domain} ${stateDir}/acl/$domainAlias
           done
        '';
      };
    };
    services.dovecot2 = {
      enable    = true;
      debug     = true;
      mailUser  = "dovemail";
      mailGroup = "dovemail";
      modules   = [
        #pkgs.dovecot_antispam
        pkgs.dovecot_pigeonhole
      ];
      sieves = {
        global = {
          list = ''
            require
             [ "date"
             , "fileinto"
             , "mailbox"
             , "variables"
             ];

            if currentdate :matches "year"  "*" { set "year"  "''${1}"; }
            if currentdate :matches "month" "*" { set "month" "''${1}"; }

            if exists "List-ID" {
              if header :matches "List-ID" "*<*.*.*.*>*" {
                set "list"   "''${2}";
                set "domain" "''${4}";
              }
              elsif header :matches "List-ID" "*<*.*.*>*" {
                set "list"   "''${2}";
                set "domain" "''${3}";
              }
              fileinto :create "Listes+''${domain}+''${list}+''${year}+''${month}";
              stop;
             }
          '';
          spam = ''
            require
             [ "imap4flags"
             ];

            if header :contains "X-Spam-Level" "***" {
              addflag "Junk";
            }
          '';
          /*
            require ["fileinto","mailbox"];

            if header :contains "X-Spam" "Yes" {
             fileinto :create "INBOX.Junk";
             stop;
            }
          */
          extension = ''
            require
             [ "envelope"
             , "fileinto"
             , "mailbox"
             , "subaddress"
             , "variables"
             ];
            if envelope :matches :detail "TO" "*" {
              set "extension" "''${1}";
            }
            if not string :is "''${extension}" "" {
              fileinto :create "Plus+''${extension}";
              stop;
            }
          '';
          report-spam = ''
            require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];

            if environment :matches "imap.user" "*" {
              set "username" "''${1}";
            }

            pipe :copy "learn-spam.sh" [ "''${username}" ];
          '';
          report-ham = ''
            require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];

            if environment :matches "imap.mailbox" "*" {
              set "mailbox" "''${1}";
            }

            if string "''${mailbox}" "Trash" {
              stop;
            }

            if environment :matches "imap.user" "*" {
              set "username" "''${1}";
            }

            pipe :copy "learn-ham.sh" [ "''${username}" ];
          '';
        };
      };
      configFile = toString (pkgs.writeText "dovecot.conf" ''
        passdb {
          driver = ldap
          args = /etc/dovecot/${networking.domain}/dovecot-ldap.conf
          default_fields = userdb_mail_access_groups=${domainGroup}
          override_fields =
        }
        userdb {
          driver = prefetch
        }
        userdb {
          # NOTE: this userdb is only used by lda.
          driver = ldap
          args = /etc/dovecot/${networking.domain}/dovecot-ldap.conf
          default_fields = mail_access_groups=${domainGroup}
          override_fields =
          skip = found
        }
        #passdb {
        #  driver = passwd-file
        #  args   = scheme=crypt username_format=%n ${authDir}/%d/passwd
        #}
        #userdb {
        #  # NOTE: this userdb is only used by lda.
        #  driver = passwd-file
        #  args = username_format=%n ${authDir}/%d/passwd
        #  #default_fields = home=${mailDir}/%d/%n
        #  skip = found
        #}
        mail_home = ${mailDir}/%d/%n
          # NOTE: if needed, may be overrided by userdb_mail
        mail_location = maildir:${mailDir}/%d/%n/Maildir:LAYOUT=fs:INDEX=${stateDir}/index/%d/%n:INDEXPVT=${stateDir}/index/%d/%n:CONTROL=${stateDir}/control/%d/%n
          # NOTE: if needed, may be overrided by userdb_mail
          # NOTE: INDEX and CONTROL are on a partition without quota, as explain in the doc.
          # SEE: http://wiki2.dovecot.org/Quota/FS
        auth_mechanisms = plain login
        auth_ssl_require_client_cert = no
          # NOTE: postfix does not supply a client cert.
        auth_ssl_username_from_cert = yes
        auth_verbose = yes
        auth_username_format = %Lu
          # NOTE: lowercase the username, help with LDAP?
        ${lib.optionalString dovecot2.debug ''
          auth_debug  = yes
          mail_debug  = yes
          verbose_ssl = yes
        ''}
        default_internal_user = ${dovecot2.user}
        default_internal_group = ${dovecot2.group}
        disable_plaintext_auth = yes
        first_valid_uid = 10000
          # NOTE: sync with LDAP's data.
        lda_mailbox_autocreate = yes
        lda_mailbox_autosubscribe = yes
        listen = *
        log_timestamp = "%Y-%m-%d %H:%M:%S "
        #maildir_copy_with_hardlinks = yes
        namespace inbox {
          # NOTE: here because protocol sieve {namespace inbox{}} does not seem to work.
          type      = private
          inbox     = yes
          location  =
          list      = yes
          prefix    =
          separator = ${dirSep}
        }
        namespace {
          type = shared
          #list = children
          list = yes
            # NOTE: always listed in the LIST command.
          location = maildir:${mailDir}/%%d/%%n/Maildir:LAYOUT=fs:INDEX=${stateDir}/index/%%d/%%n/Shared:INDEXPVT=${stateDir}/index/%d/%n/Shared/%%n:CONTROL=${stateDir}/control/%d/%n/Shared
            # NOTE: how to access the other users' mailboxes.
            # NOTE: %var expands to the logged in user's variable, while
            #       %%var expands to the other users' variables.
            # NOTE: INDEX and CONTROL are shared, INDEXPVT is not.
          prefix = Partages+%%n+
          separator = ${dirSep}
          subscriptions = yes
        }
        mail_plugins = $mail_plugins acl quota virtual
        #mail_uid = ${dovecot2.mailUser}
        #mail_gid = ${dovecot2.mailGroup}
          # NOTE: each user has a dedicated (uid,gid) pair
        #mail_privileged_group = mail
        #mail_access_groups =
        plugin {
          acl = vfile:/etc/dovecot/acl/global.d
          acl_anyone = allow
          acl_shared_dict = file:${stateDir}/acl/%d/acl.db
            # NOTE: to let users LIST mailboxes shared by other users,
            #       Dovecot needs a shared mailbox dictionary.
            # FIXME: %d not working with userdb ldap
          ##antispam_allow_append_to_spam = yes
          # # NOTE: pour offlineimap
          #antispam_backend = pipe
          ##antispam_crm_args = -u;${mailDir}/%d/.crm114;/usr/share/crm114/mailfilter.crm
          #antispam_crm_args = -u;${mailDir}/crm114;/usr/share/crm114/mailfilter.crm
          #antispam_crm_binary = /usr/bin/crm
          #antispam_debug_target = syslog
          ##antispam_crm_env = HOME=%h;USER=%u
          #antispam_ham_keywords = NonJunk
          #antispam_pipe_program = /usr/bin/crm
          #antispam_pipe_program_args = -u;${mailDir}/crm114;/usr/share/crm114/mailfilter.crm;--stats_only;--force
          #antispam_pipe_program_notspam_arg = --learnnonspam
          #antispam_pipe_program_spam_arg = --learnspam
          #antispam_pipe_program_unlearn_spam_args = --unlearn;--learnspam
          #antispam_pipe_program_unlearn_notspam_args = --unlearn;--learnnonspam
          #antispam_pipe_tmpdir = ${mailDir}/crm114/tmp
          #antispam_signature = X-CRM114-CacheID
          #antispam_signature_missing = move
          #antispam_spam = Junk
          #antispam_spam_keywords = Junk
          #antispam_trash = Trash
          #antispam_unsure = Unsure
          #antispam_verbose_debug = 0
          quota = maildir:User quota
          quota_rule = *:storage=256M
          quota_rule2 = Trash:storage=+64M
          quota_max_mail_size = 20M
          #quota_exceeded_message = </path/to/quota_exceeded_message.txt
          quota_warning  = storage=95%% quota-warning 95 %u
          quota_warning2 = storage=80%% quota-warning 80 %u
          quota_warning3 = -storage=100%% quota-warning below %u
           # NOTE: user is no longer over quota
          recipient_delimiter = ${extSep}
          sieve = file:${mailDir}/%d/%n/sieve;active=${mailDir}/%d/%n/sieve/main.sieve
          #sieve_default = file:${mailDir}/%u/default.sieve
          #sieve_default_name = default
          sieve_after  = ${sieveDir}/after.d/
          sieve_before = ${sieveDir}/before.d/
          sieve_dir = ${mailDir}/%d/%n/sieve/
          #sieve_extensions = +spamtest +spamtestplus
          sieve_global_dir = ${sieveDir}/global.d/
          sieve_max_script_size = 1M
          sieve_quota_max_scripts = 0
          sieve_quota_max_storage = 10M
          sieve_spamtest_max_value = 10
          sieve_spamtest_status_header = X-Spam-Score
          sieve_spamtest_status_type = strlen
          sieve_user_log = /var/log/dovecot/%d/sieve.%n.log

          sieve_plugins = sieve_imapsieve sieve_extprograms
          sieve_pipe_bin_dir = ${sieve-rspamd-filter}/bin
          sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
          # From elsewhere to Spam folder
          imapsieve_mailbox1_name = Spam
          imapsieve_mailbox1_causes = COPY
          imapsieve_mailbox1_before = file:${sieveDir}/global.d/report-spam.sieve

          # From Spam folder to elsewhere
          imapsieve_mailbox2_name = *
          imapsieve_mailbox2_from = Spam
          imapsieve_mailbox2_causes = COPY
          imapsieve_mailbox2_before = file:${sieveDir}/global.d/report-ham.sieve
        }
        # If you have Dovecot v2.2.8+ you may get a significant performance improvement with fetch-headers:
        imapc_features = $imapc_features fetch-headers
        # Read multiple mails in parallel, improves performance
        mail_prefetch_count = 20
        service quota-warning {
          executable = script ${
            pkgs.writeScript "quota-warning" ''
              #!/bin/sh -eu
              PERCENT=$1
              USER=$2
              cat << EOF | ${pkgs.dovecot}/libexec/dovecot/dovecot-lda -d $USER -o
              "plugin/quota=maildir:User quota:noenforcing"
              From: postmaster@${networking.domain}
              Subject: [WARNING] your mailbox is now $PERCENT% full.

              Please remove some mails to make room for new ones.
              EOF
            ''
          }
          # use some unprivileged user for executing the quota warnings
          user = ${dovecot2.user}
          unix_listener quota-warning {
          }
        }
        protocol imap {
          #mail_max_userip_connections = 10
          mail_plugins = $mail_plugins imap_acl imap_quota imap_sieve # antispam
          namespace inbox {
            inbox = yes
            location =
            list = yes
            mailbox Drafts {
              special_use = \Drafts
            }
            mailbox Junk {
              special_use = \Junk
              auto = subscribe
              #autoexpunge = 30d
            }
            mailbox Sent {
              special_use = \Sent
              auto = subscribe
            }
            mailbox "Sent Messages" {
              special_use = \Sent
              auto = subscribe
            }
            mailbox Trash {
              special_use = \Trash
              auto = subscribe
              #autoexpunge = 30d
            }
            prefix =
            separator = ${dirSep}
          }
        }
        protocol lda {
          auth_socket_path = /var/run/dovecot/auth-userdb
          hostname         = ${networking.domain}
          info_log_path    =
          log_path         =
          mail_plugins     = $mail_plugins sieve
          namespace inbox {
            inbox     = yes
            location  =
            list      = yes
            prefix    =
            separator = ${dirSep}
          }
          postmaster_address = postmaster${extSep}dovecot${extSep}lda@${networking.domain}
          syslog_facility = mail
        }
        protocol lmtp {
          #info_log_path = /tmp/dovecot-lmtp.log
          mail_plugins = $mail_plugins sieve
          namespace inbox {
            inbox     = yes
            location  =
            list      = yes
            prefix    =
            separator = ${dirSep}
          }
          postmaster_address = postmaster${extSep}dovecot${extSep}lmtp@${networking.domain}
        }
        protocol pop3 {
          #mail_max_userip_connections = 10
          namespace all {
            # NOTE: used by ${dovecot-virtual}/pop3/INBOX/dovecot-virtual
            hidden    = yes
            list      = no
            location  =
            prefix    = all+
            separator = ${dirSep}
          }
          # Virtual namespace for the virtual INBOX.
          # Use a global directory for dovecot-virtual files.
          namespace inbox {
            inbox     = yes
            hidden    = yes
            list      = no
            location  = virtual:${dovecot-virtual}/pop3:INDEX=${stateDir}/index/%d/%n/POP3:LAYOUT=fs
            prefix    = pop3+
            separator = ${dirSep}
          }
          pop3_client_workarounds =
          pop3_fast_size_lookups = yes
          pop3_lock_session = yes
          pop3_no_flag_updates = yes
          # Use GUIDs to avoid accidental POP3 UIDL changes instead of IMAP UIDs.
          pop3_uidl_format = %g
        }
        protocol sieve {
          #mail_max_userip_connections = 10
          #managesieve_implementation_string = Dovecot Pigeonhole
          managesieve_max_compile_errors = 5
          #managesieve_max_line_length = 65536
          #managesieve_notify_capability = mailto
          #managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
        }
        protocols = imap lmtp pop3 sieve
        service lmtp {
          #executable = lmtp -L
          process_min_avail = 2
          unix_listener /var/lib/postfix/queue/private/dovecot-lmtp {
            user  = ${postfix.user}
            group = ${postfix.group}
            mode  = 0600
          }
          #user = mail
        }
        service auth {
          user = root
            # FIXME: may be user=dovecot-auth with LDAP?
          unix_listener auth-userdb {
            user  = ${dovecot2.user}
            group = ${dovecot2.group}
            mode  = 0660
          }
          unix_listener /var/lib/postfix/queue/private/auth {
            user  = ${postfix.user}
            group = ${postfix.group}
            mode  = 0660
          }
        }
        service imap {
          # Most of the memory goes to mmap()ing files.
          # You may need to increase this limit if you have huge mailboxes.
          #vsz_limit =
          process_limit = 1024
        }
        service imap-login {
          #inet_listener imap {
          #  address = 127.0.0.1
          #  port    = 143
          #  ssl     = no
          #}
          inet_listener imaps {
            port = 993
            ssl  = yes
          }
        }
        service pop3 {
          process_limit = 1024
        }
        service pop3-login {
          inet_listener pop3s {
            port = 995
            ssl  = yes
          }
        }
        ssl = required
        ssl_dh = <${x509.dir}/dh.pem
        ssl_cipher_list = HIGH:!LOW:!SSLv2:!EXP:!aNULL
        ssl_cert = <${x509.cert}
        ssl_key = <${x509.key}
        #ssl_ca   = <''${caPath}
        #ssl_verify_client_cert = yes
      '');
        #${lib.concatMapStringsSep "\n"
        #    (dom: ''
        #      local_name mail.${dom} {
        #        #ssl_ca   = <''${caPath}
        #        ssl_cert = <${x509.cert dom}
        #        ssl_key  = <${x509.key dom}
        #        }
        #    '')
        #    dovecot2.domains
        #}
    };
  };
}