{ pkgs, lib, config, ... }:
let
  inherit (config.services) dovecot2;
  stateDir = "/var/lib/dovecot";
  domain = "sourcephile.fr";
  domainGroup = "sourcephile";
  domainConfig = ''
    ssl_cert = <${../../../../sec/openssl/sourcephile.fr/cert.self-signed.pem}
    ssl_key = </run/keys/${domain}.key.pem
  '';
in
{
systemd.services.dovecot2 = {
  preStart = ''
    install -D -d -m 1770 \
     -o "${dovecot2.user}" \
     -g "${domainGroup}" \
     ${stateDir}/home/${domain} \
     ${stateDir}/control/${domain} \
     ${stateDir}/index/${domain} \
     ${stateDir}/acl/${domain}

    # NOTE: do not set the sticky bit (+t)
    #       on acl/<domain>/, to let dovecot
    #       rename acl.db.lock (own by new user)
    #       to     acl.db      (own by old user)
    chmod -t ${stateDir}/acl/${domain}
  '';
};
services.dovecot2 = {
  extraConfig = lib.mkAfter ''
    passdb {
      username_filter = *@${domain}
      driver = ldap
      # Because auth_bind=yes and auth_bind_userdn are used,
      # this cannot prefetch any userdb_*.
      args = ${./ldap.conf}
      default_fields =
      override_fields =
    }
    local_name mail.${domain} {
      ${domainConfig}
    }
    local_name imap.${domain} {
      ${domainConfig}
    }
  '';
};
services.nginx.virtualHosts."autoconfig.${domain}" = {
  serverName = "autoconfig.${domain}";
  #addSSL = true;
  extraConfig = ''
    access_log off;
    log_not_found off;
  '';
  forceSSL = true;
  useACMEHost = domain;
  root = pkgs.writeTextFile {
    name = "autoconfig";
    destination = "/mail/config-v1.1.xml";
    text = ''
      <?xml version="1.0"?>
      <clientConfig version="1.1">
        <emailProvider id="%EMAILDOMAIN%">
          <!-- <displayName></displayName> -->
          <!-- <displayShortName></displayShortName> -->
          <domain>%EMAILDOMAIN%</domain>
          <incomingServer type="imap">
            <hostname>mail.%EMAILDOMAIN%</hostname>
            <port>993</port>
            <socketType>SSL</socketType>
            <username>%EMAILADDRESS%</username>
            <authentication>password-cleartext</authentication>
          </incomingServer>
          <incomingServer type="pop3">
            <hostname>mail.%EMAILDOMAIN%</hostname>
            <port>995</port>
            <socketType>SSL</socketType>
            <username>%EMAILADDRESS%</username>
            <authentication>password-cleartext</authentication>
            <pop3>
              <leaveMessagesOnServer>false</leaveMessagesOnServer>
              <downloadOnBiff>true</downloadOnBiff>
            </pop3>
          </incomingServer>
          <outgoingServer type="smtp">
            <hostname>mail.%EMAILDOMAIN%</hostname>
            <port>465</port>
            <socketType>SSL</socketType> <!-- see above -->
            <username>%EMAILADDRESS%</username> <!-- if smtp-auth -->
            <authentication>password-cleartext</authentication>
            <!-- <restriction>client-IP-address</restriction> -->
            <addThisServer>true</addThisServer>
            <useGlobalPreferredServer>false</useGlobalPreferredServer>
          </outgoingServer>
        </emailProvider>
        <!-- <clientConfigUpdate url="https://www.example.com/config/mozilla.xml" /> -->
      </clientConfig>
    '';
  };
};
}