{ pkgs, lib, config, system, ... }:
let inherit (builtins) toString toFile;
    inherit (builtins.extraBuiltins) pass;
    inherit (lib) types;
    inherit (pkgs.lib) loadFile unlines unlinesAttrs unlinesValues unwords;
    inherit (config) networking;
    inherit (config.services) dovecot2 postfix openldap;
    when        = x: y: if x == null then "" else y;
    extSep      = postfix.recipientDelimiter;
    dirSep      = extSep;
    # NOTE: nixpkgs' dovecot2.stateDir is currently not exported
    stateDir    = "/var/lib/dovecot";
    mailDir     = "${stateDir}/mail";
    sieveDir    = "${stateDir}/sieve";
    authDir     = "${stateDir}/auth";
    authUser    = dovecot2.mailUser;  # TODO: php_roundcube
    authGroup   = dovecot2.mailGroup; # TODO: php_roundcube
    escapeGroup = lib.stringAsChars (c: if "a"<=c && c<="z"
                                        || "0"<=c && c<="9"
                                        || c=="-"
                                        then c else "_");
    domainGroup = escapeGroup "${networking.domainBase}";
    etc_dovecot = [
      { target = "dovecot/${networking.domain}/dovecot-ldap.conf";
        source = pkgs.writeText "dovecot-ldap.conf" ''
          ${lib.optionalString dovecot2.debug ''
            debug_level = 1
          ''}

          # LDAP database
          uris = ldapi://
          base = ou=posix,${openldap.domainSuffix}
          scope = subtree
          deref = never
          # NOTE: sufficient for small systems and uses less resources.
          blocking = no

          # LDAP auth
          sasl_bind = yes
          sasl_mech = EXTERNAL
          #dn = cn=admin,${openldap.domainSuffix}
          #dnpass = useless with sasl_mech=EXTERNAL
          auth_bind = no
          #auth_bind_userdn = cn=%n,ou=accounts,ou=posix,dc=${openldap.domainSuffix}

          # dovecot passdb query
          # DOC: http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
          pass_filter = (&(objectClass=posixAccount)(uid=%n)(mailEnabled=TRUE))
          # TODO: userdb_quota_rule=*:storage=
          pass_attrs = userPassword=password,\
                       uidNumber=userdb_uid,\
                       gidNumber=userdb_gid,\
                       mailGroupMember=userdb_mail_access_groups=${domainGroup},\
                       quotaBytes=userdb_quota_rule=*:bytes=%{ldap:quotaBytes},\
                       =user=%n@%d
                       #homeDirectory=userdb_home
          default_pass_scheme = CRYPT

          # dovecot userdb query
          # DOC: http://wiki2.dovecot.org/UserDatabase/ExtraFields
          user_filter = (&(objectClass=posixAccount)(uid=%n)(mailEnabled=TRUE))
          #user_filter = (&(objectClass=inetOrgPerson)(uid=%n))
          #user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
          #user_attrs = mailHomeDirectory=home,\
          #              mailStorageDirectory=mail,\
          #              mailUidNumber=uid,\
          #              mailGidNumber=gid,\
          #              mailQuota=quota_rule=*:bytes=%$

          # doveadm user query
          iterate_attrs = =user=%{ldap:uid}@${networking.domain}
          iterate_filter = (&(objectClass=posixAccount)(mailEnabled=TRUE))
        '';
      }
    ];
    dovecot-virtual = pkgs.writeTextFile {
      name = "dovecot-virtual";
      destination = "/pop3/INBOX/dovecot-virtual";
      text = ''
        all
        all+*
          all
      '';
    };

    learn-spam = pkgs.writeShellScriptBin "learn-spam.sh" ''
      exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd/learner.sock learn_spam
    '';
    learn-ham = pkgs.writeShellScriptBin "learn-ham.sh" ''
      exec ${pkgs.rspamd}/bin/rspamc -h /run/rspamd/learner.sock learn_ham
    '';
    sieve_pipe_bin_dir = pkgs.buildEnv {
      name = "sieve_pipe_bin_dir";
      pathsToLink = [ "/bin" ];
      paths = [
        learn-spam
        learn-ham
      ];
    };
in
{
  imports = [
    dovecot/autoconfig.nix
  ];
  #services.postfix.mapFiles."transport-dovecot" =
  #  toFile "transport-dovecot"
  #   (unlines
  #     (lib.mapAttrsToList
  #       (dom: {...}: "${transportSubDomain}.${dom} lmtp:unix:private/dovecot-lmtp")
  #       dovecot2.domains));
  systemd.services.dovecot2 = {
    after = [
      "postfix.service"
      "openldap.service"
      "dovecot.${networking.domainBase}.key.pem-key.service"
    ];
    restartTriggers = map (f: f.source) etc_dovecot;
  };
  deployment.keys = {
    "dovecot.${networking.domainBase}.key.pem" = {
      text        = pass "x509/${networking.domainBase}/key.pem";
      user        = dovecot2.user;
      group       = "root";
      destDir     = "/run/keys/";
      permissions = "0400"; # WARNING: not enforced when deployment.storeKeysOnMachine = true
    };
  };
  environment.etc = etc_dovecot;
  users.users."${dovecot2.mailUser}".isSystemUser = true; # Fix nixpkgs
  services.dovecot2 = {
    enable    = true;
    debug     = true;
    mailUser  = "dovemail";
    mailGroup = "dovemail";
    modules   = [
      #pkgs.dovecot_antispam
      pkgs.dovecot_pigeonhole
    ];
    sieves = {
      global = {
        list = ''
          require
           [ "date"
           , "fileinto"
           , "mailbox"
           , "variables"
           ];

          if currentdate :matches "year"  "*" { set "year"  "''${1}"; }
          if currentdate :matches "month" "*" { set "month" "''${1}"; }

          if exists "List-ID" {
            if header :matches "List-ID" "*<*.*.*.*>*" {
              set "list"   "''${2}";
              set "domain" "''${4}";
            }
            elsif header :matches "List-ID" "*<*.*.*>*" {
              set "list"   "''${2}";
              set "domain" "''${3}";
            }
            fileinto :create "Listes+''${domain}+''${list}+''${year}+''${month}";
            stop;
           }
        '';
        spam = ''
          require [ "imap4flags" ];

          if header :contains "X-Spam-Level" "***" {
            addflag "Junk";
          }
        '';
        /*
          require ["fileinto","mailbox"];

          if header :contains "X-Spam" "Yes" {
           fileinto :create "INBOX.Junk";
           stop;
          }
        */
        extension = ''
          require
           [ "envelope"
           , "fileinto"
           , "mailbox"
           , "subaddress"
           , "variables"
           ];
          if envelope :matches :detail "TO" "*" {
            set "extension" "''${1}";
          }
          if not string :is "''${extension}" "" {
            fileinto :create "Plus+''${extension}";
            stop;
          }
        '';
        spam-or-ham = ''
          require ["vnd.dovecot.pipe", "copy", "imapsieve", "variables", "imap4flags", "environment"];

          if environment :is "imap.changedflags" "Junk" {
            if hasflag :is "Junk" {
              pipe :copy :try "learn-spam.sh";
            } elsif not hasflag :is "Junk" {
              pipe :copy :try "learn-ham.sh";
            }
          }
        '';
        report-spam = ''
          require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];

          if environment :matches "imap.user" "*" {
            set "username" "''${1}";
          }

          pipe :copy :try "learn-spam.sh" [ "''${username}" ];
        '';
        report-ham = ''
          require ["vnd.dovecot.pipe", "copy", "imapsieve", "environment", "variables"];

          if environment :matches "imap.mailbox" "*" {
            set "mailbox" "''${1}";
          }

          if string "''${mailbox}" "Trash" {
            stop;
          }

          if environment :matches "imap.user" "*" {
            set "username" "''${1}";
          }

          pipe :copy :try "learn-ham.sh" [ "''${username}" ];
        '';
      };
    };
    configFile = toString ( pkgs.writeText "dovecot.conf" ''
      passdb {
        driver = ldap
        args = /etc/dovecot/${networking.domain}/dovecot-ldap.conf
        default_fields = userdb_mail_access_groups=${domainGroup}
        override_fields =
      }
      userdb {
        driver = prefetch
      }
      userdb {
        # NOTE: this userdb is only used by lda.
        driver = ldap
        args = /etc/dovecot/${networking.domain}/dovecot-ldap.conf
        default_fields = mail_access_groups=${domainGroup}
        override_fields =
        skip = found
      }
      #passdb {
      #  driver = passwd-file
      #  args   = scheme=crypt username_format=%n ${authDir}/%d/passwd
      #}
      #userdb {
      #  # NOTE: this userdb is only used by lda.
      #  driver = passwd-file
      #  args = username_format=%n ${authDir}/%d/passwd
      #  #default_fields = home=${mailDir}/%d/%n
      #  skip = found
      #}
      # Store METADATA information within user's HOME directory
      mail_attribute_dict = file:%h/dovecot-attributes
      # If needed, may be overrided by userdb_mail
      mail_home = ${mailDir}/%d/%n
      # NOTE: if needed, may be overrided by userdb_mail
      # NOTE: INDEX and CONTROL are on a partition without quota, as explain in the doc.
      # SEE: http://wiki2.dovecot.org/Quota/FS
      mail_location = maildir:${mailDir}/%d/%n/mail.d:LAYOUT=fs:INDEX=${stateDir}/index/%d/%n:INDEXPVT=${stateDir}/index/%d/%n:CONTROL=${stateDir}/control/%d/%n
      auth_mechanisms = plain login
      # NOTE: postfix does not supply a client cert.
      auth_ssl_require_client_cert = no
      #auth_ssl_username_from_cert = yes
      auth_verbose = yes
      # NOTE: lowercase the username, help with LDAP?
      auth_username_format = %Lu
      ${lib.optionalString dovecot2.debug ''
        auth_debug  = yes
        mail_debug  = yes
        verbose_ssl = yes
      ''}
      default_internal_user = ${dovecot2.user}
      default_internal_group = ${dovecot2.group}
      disable_plaintext_auth = yes
      # NOTE: sync with LDAP's data.
      first_valid_uid = 1000
      lda_mailbox_autocreate = yes
      lda_mailbox_autosubscribe = yes
      listen = *
      log_timestamp = "%Y-%m-%d %H:%M:%S "
      #maildir_copy_with_hardlinks = yes
      namespace inbox {
        # NOTE: here because protocol sieve {namespace inbox{}} does not seem to work.
        type      = private
        inbox     = yes
        location  =
        list      = yes
        prefix    =
        separator = ${dirSep}
      }
      namespace {
        type = shared
        #list = children
        # NOTE: always listed in the LIST command.
        list = yes
        # NOTE: how to access the other users' mailboxes.
        # NOTE: %var expands to the logged in user's variable, while
        #       %%var expands to the other users' variables.
        # NOTE: INDEX and CONTROL are shared, INDEXPVT is not.
        location = maildir:${mailDir}/%%d/%%n/mail.d:LAYOUT=fs:INDEX=${stateDir}/index/%%d/%%n/Shared:INDEXPVT=${stateDir}/index/%d/%n/Shared/%%n:CONTROL=${stateDir}/control/%d/%n/Shared
        prefix = Partages+%%n+
        separator = ${dirSep}
        subscriptions = yes
      }
      mail_plugins = $mail_plugins acl quota virtual
      #mail_uid = ${dovecot2.mailUser}
      #mail_gid = ${dovecot2.mailGroup}
        # NOTE: each user has a dedicated (uid,gid) pair
      #mail_privileged_group = mail
      #mail_access_groups =
      plugin {
        acl = vfile:/etc/dovecot/acl/global.d
        acl_anyone = allow
        # NOTE: to let users LIST mailboxes shared by other users,
        #       Dovecot needs a shared mailbox dictionary.
        # FIXME: %d not working with userdb ldap
        acl_shared_dict = file:${stateDir}/acl/%d/acl.db
        ## NOTE: pour offlineimap
        ##antispam_allow_append_to_spam = yes
        #antispam_backend = pipe
        ##antispam_crm_args = -u;${mailDir}/%d/.crm114;/usr/share/crm114/mailfilter.crm
        #antispam_crm_args = -u;${mailDir}/crm114;/usr/share/crm114/mailfilter.crm
        #antispam_crm_binary = /usr/bin/crm
        #antispam_debug_target = syslog
        ##antispam_crm_env = HOME=%h;USER=%u
        #antispam_ham_keywords = NonJunk
        #antispam_pipe_program = /usr/bin/crm
        #antispam_pipe_program_args = -u;${mailDir}/crm114;/usr/share/crm114/mailfilter.crm;--stats_only;--force
        #antispam_pipe_program_notspam_arg = --learnnonspam
        #antispam_pipe_program_spam_arg = --learnspam
        #antispam_pipe_program_unlearn_spam_args = --unlearn;--learnspam
        #antispam_pipe_program_unlearn_notspam_args = --unlearn;--learnnonspam
        #antispam_pipe_tmpdir = ${mailDir}/crm114/tmp
        #antispam_signature = X-CRM114-CacheID
        #antispam_signature_missing = move
        #antispam_spam = Junk
        #antispam_spam_keywords = Junk
        #antispam_trash = Trash
        #antispam_unsure = Unsure
        #antispam_verbose_debug = 0
        quota = maildir:User quota
        quota_rule = *:storage=256M
        quota_rule2 = Trash:storage=+64M
        quota_max_mail_size = 20M
        #quota_exceeded_message = </path/to/quota_exceeded_message.txt
        quota_warning  = storage=95%% quota-warning 95 %u
        quota_warning2 = storage=80%% quota-warning 80 %u
        quota_warning3 = -storage=100%% quota-warning below %u
        recipient_delimiter = ${extSep}
        #sieve_default = file:${mailDir}/%u/default.sieve
        #sieve_default_name = default
        sieve_after  = ${sieveDir}/after.d/
        sieve_before = ${sieveDir}/before.d/
        sieve = file:~/sieve.d;active=~/sieve
        #sieve_extensions = +spamtest +spamtestplus
        sieve_global = ${sieveDir}/global.d/
        sieve_max_script_size = 1M
        sieve_quota_max_scripts = 0
        sieve_quota_max_storage = 10M
        sieve_spamtest_max_value = 10
        sieve_spamtest_status_header = X-Spam-Score
        sieve_spamtest_status_type = strlen
        sieve_user_log = /var/log/dovecot/%d/sieve.%n.log

        sieve_plugins = sieve_imapsieve sieve_extprograms
        sieve_pipe_bin_dir = ${sieve_pipe_bin_dir}/bin
        sieve_global_extensions = +vnd.dovecot.pipe +vnd.dovecot.environment
        # Enables support for user Sieve scripts in IMAP
        #imapsieve_url = sieve://mail.${networking.domain}:4190

        # When a flag changes, spam or ham according to the \Junk or \NonJunk flags
        imapsieve_mailbox1_name = *
        imapsieve_mailbox1_causes = FLAG
        imapsieve_mailbox1_before = file:${sieveDir}/global.d/spam-or-ham.sieve

        # From elsewhere to Junk folder
        imapsieve_mailbox2_name = Pourriel
        imapsieve_mailbox2_causes = COPY APPEND
        imapsieve_mailbox2_before = file:${sieveDir}/global.d/report-spam.sieve

        # From Junk folder to elsewhere
        imapsieve_mailbox3_name = *
        imapsieve_mailbox3_from = Pourriel
        imapsieve_mailbox3_causes = COPY
        imapsieve_mailbox3_before = file:${sieveDir}/global.d/report-ham.sieve
      }
      # If you have Dovecot v2.2.8+ you may get a significant performance improvement with fetch-headers:
      imapc_features = $imapc_features fetch-headers
      # Read multiple mails in parallel, improves performance
      mail_prefetch_count = 20
      service quota-warning {
        executable = script ${
          pkgs.writeScript "quota-warning" ''
            #!/bin/sh -eu
            PERCENT=$1
            USER=$2
            cat << EOF | ${pkgs.dovecot}/libexec/dovecot/dovecot-lda -d $USER -o
            "plugin/quota=maildir:User quota:noenforcing"
            From: postmaster@${networking.domain}
            Subject: [WARNING] your mailbox is now $PERCENT% full.

            Please remove some mails to make room for new ones.
            EOF
          ''
        }
        # use some unprivileged user for executing the quota warnings
        user = ${dovecot2.user}
        unix_listener quota-warning {
        }
      }
      protocol imap {
        #mail_max_userip_connections = 10
        mail_plugins = $mail_plugins imap_acl imap_quota imap_sieve # antispam
        # DOC: https://wiki.dovecot.org/MailboxSettings
        # Due to a bug in Dovecot v2.2.30+ if special-use flags are used,
        # SPECIAL-USE needs to be added to post-login CAPABILITY response as RFC 6154 mandates.
        imap_capability = +SPECIAL-USE
        namespace inbox {
          inbox = yes
          location =
          list = yes
          prefix =
          separator = ${dirSep}
          mailbox "Archive" {
            auto = no
            special_use = \Archive
          }
          mailbox "Archives" {
            auto = no
            special_use = \Archive
          }
          mailbox "Drafts" {
            auto = no
            special_use = \Drafts
          }
          mailbox "Brouillons" {
            auto = no
            special_use = \Drafts
          }
          mailbox "Junk" {
            auto = no
            #autoexpunge = 30d
            special_use = \Junk
          }
          mailbox "Spams" {
            auto = no
            special_use = \Junk
          }
          mailbox "Spam" {
            auto = no
            special_use = \Junk
          }
          mailbox "Pourriels" {
            auto = no
            special_use = \Junk
          }
          mailbox "Pourriel" {
            auto = no
            special_use = \Junk
          }
          mailbox "Sent" {
            auto = no
            special_use = \Sent
          }
          mailbox "Sent Items" {
            auto = no
            special_use = \Sent
          }
          mailbox "Sent Messages" {
            auto = no
            special_use = \Sent
          }
          mailbox "Envoyés" {
            auto = no
            special_use = \Sent
          }
          mailbox "Trash" {
            auto = no
            special_use = \Trash
            #autoexpunge = 30d
          }
          mailbox "Corbeille" {
            auto = no
            special_use = \Trash
          }
        }
      }
      protocol lda {
        auth_socket_path = /var/run/dovecot/auth-userdb
        hostname         = ${networking.domain}
        info_log_path    =
        log_path         =
        mail_plugins     = $mail_plugins sieve
        namespace inbox {
          inbox     = yes
          location  =
          list      = yes
          prefix    =
          separator = ${dirSep}
        }
        postmaster_address = postmaster${extSep}dovecot${extSep}lda@${networking.domain}
        syslog_facility = mail
      }
      protocol lmtp {
        #info_log_path = /tmp/dovecot-lmtp.log
        mail_plugins = $mail_plugins sieve
        namespace inbox {
          inbox     = yes
          location  =
          list      = yes
          prefix    =
          separator = ${dirSep}
        }
        postmaster_address = postmaster${extSep}dovecot${extSep}lmtp@${networking.domain}
      }
      protocol pop3 {
        #mail_max_userip_connections = 10
        namespace all {
          # NOTE: used by ${dovecot-virtual}/pop3/INBOX/dovecot-virtual
          hidden    = yes
          list      = no
          location  =
          prefix    = all+
          separator = ${dirSep}
        }
        # Virtual namespace for the virtual INBOX.
        # Use a global directory for dovecot-virtual files.
        namespace inbox {
          inbox     = yes
          hidden    = yes
          list      = no
          location  = virtual:${dovecot-virtual}/pop3:INDEX=${stateDir}/index/%d/%n/POP3:LAYOUT=fs
          prefix    = pop3+
          separator = ${dirSep}
        }
        pop3_client_workarounds =
        pop3_fast_size_lookups = yes
        pop3_lock_session = yes
        pop3_no_flag_updates = yes
        # Use GUIDs to avoid accidental POP3 UIDL changes instead of IMAP UIDs.
        pop3_uidl_format = %g
      }
      protocol sieve {
        #mail_max_userip_connections = 10
        #managesieve_implementation_string = Dovecot Pigeonhole
        managesieve_max_compile_errors = 5
        #managesieve_max_line_length = 65536
        #managesieve_notify_capability = mailto
        #managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
      }
      # DOC: https://wiki2.dovecot.org/Pigeonhole/ManageSieve/Configuration
      protocol sieve {
        # Maximum number of ManageSieve connections allowed for a user from each IP address.
        # NOTE: The username is compared case-sensitively.
        mail_max_userip_connections = 10

        # To fool ManageSieve clients that are focused on CMU's timesieved you can specify
        # the IMPLEMENTATION capability that the dovecot reports to clients.
        # For example: 'Cyrus timsieved v2.2.13'
        managesieve_implementation_string = Dovecot Pigeonhole

        # The maximum number of compile errors that are returned to the client upon script
        # upload or script verification.
        managesieve_max_compile_errors = 5
      }
      protocols = imap lmtp pop3 sieve
      service lmtp {
        #executable = lmtp -L
        process_min_avail = 2
        unix_listener /var/lib/postfix/queue/private/dovecot-lmtp {
          user  = ${postfix.user}
          group = ${postfix.group}
          mode  = 0600
        }
        #user = mail
      }
      service auth {
        # FIXME: may be user=dovecot-auth with LDAP?
        user = root
        unix_listener auth-userdb {
          user  = ${dovecot2.user}
          group = ${dovecot2.group}
          mode  = 0660
        }
        unix_listener /var/lib/postfix/queue/private/auth {
          user  = ${postfix.user}
          group = ${postfix.group}
          mode  = 0660
        }
      }
      service imap {
        # Most of the memory goes to mmap()ing files.
        # You may need to increase this limit if you have huge mailboxes.
        #vsz_limit =
        process_limit = 1024
      }
      service imap-login {
        #inet_listener imap {
        #  address = 127.0.0.1
        #  port    = 143
        #  ssl     = no
        #}
        inet_listener imaps {
          port = 993
          ssl  = yes
        }
      }
      service pop3 {
        process_limit = 1024
      }
      service pop3-login {
        inet_listener pop3s {
          port = 995
          ssl  = yes
        }
      }
      service managesieve-login {
        inet_listener sieve {
          port = 4190
          #ssl  = yes
        }

        # Number of connections to handle before starting a new process. Typically
        # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
        # is faster. <doc/wiki/LoginProcess.txt>
        service_count = 1

        # Number of processes to always keep waiting for more connections.
        process_min_avail = 0

        # If you set service_count=0, you probably need to grow this.
        #vsz_limit = 64M
      }
      ssl = required
      ssl_dh = <${../../../sec/openssl/dh.pem}
      ssl_cipher_list = HIGH:!LOW:!SSLv2:!EXP:!aNULL
      ssl_cert = <${loadFile (../../../sec + "/openssl/${networking.domainBase}/cert.self-signed.pem")}
      ssl_key = </run/keys/dovecot.${networking.domainBase}.key.pem
      #ssl_ca = <''${caPath}
      #ssl_verify_client_cert = yes
    '' );
      #${lib.concatMapStringsSep "\n"
      #    (dom: ''
      #      local_name mail.${dom} {
      #        #ssl_ca   = <''${caPath}
      #        ssl_cert = <${x509.cert dom}
      #        ssl_key  = <${x509.key dom}
      #        }
      #    '')
      #    dovecot2.domains
      #}
  };
}