{ config, pkgs, ... }:

{
  imports = [
    (builtins.fetchTarball {
      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-22.11/nixos-mailserver-nixos-22.11.tar.gz";
      sha256 = "1h1r4x2ffqwyk0ql6kjvcpg1bdiimyzhrsvn49702fsgzpx57fhd";
    })
  ];

  mailserver = {
    enable = true;
    fqdn = "mail.eurofusion.eu";
    domains = [ "eurofusion.eu" ];

    messageSizeLimit = 78643200;  # ~50MiB of base64 binary

    loginAccounts = config.secrets.emailAccounts;
    extraVirtualAliases = config.secrets.emailAliases;

    # store state under /var
    mailDirectory    = "/var/lib/mail";
    dkimKeyDirectory = "/var/lib/dkim";

    mailboxes = {
      # default IMAP folders
      Sent   = { specialUse = "Sent";   auto = "subscribe"; };
      Drafts = { specialUse = "Drafts"; auto = "subscribe"; };
      Spam   = { specialUse = "Junk";   auto = "subscribe"; };
      Trash  = { specialUse = "Trash";  auto = "no"; };
    };

    # Use Let's Encrypt certificate
    certificateScheme = 3;

    # There is one already (pdns-recursor)
    localDnsResolver = false;

    # Enable IMAPS (993), SMTPS (465)
    enableImapSsl = true;
    enableImap = false;
    enableSubmissionSsl = true;
    enableSubmission = false;
  };

  services.dovecot2.extraConfig = ''
    # Improve hashing speed
    auth_cache_verify_password_with_worker = yes
  '';

  services.postfix.extraConfig = ''
    # Prefer IPv6
    smtp_address_preference = ipv6
    # Prevent binding on temporary addresses
    smtp_bind_address6 = 2001:470:c8e8:0:230:48ff:fefa:91e1
  '';

  # Keep the key stable across renewals (for DANE)
  security.acme.certs.${config.mailserver.fqdn}.extraLegoRenewFlags = [ "--reuse-key" ];

  # Utilities
  environment.systemPackages = [
    # computes the DANE records
    (pkgs.writers.writeDashBin "mailserver-dane" ''
      set -e
      export PATH=${with pkgs; lib.makeBinPath [ coreutils openssl gawk ]}:$PATH

      pubkey_hash() {
        openssl x509 -noout -pubkey | \
        openssl pkey -pubin -outform DER | \
        sha256sum | cut -f1 -d' '
      }

      fqdn=${config.mailserver.fqdn}
      cert="/var/lib/acme/$fqdn/cert.pem"
      self=$(awk '{print $0} /END CERT/{exit}' "$cert" | pubkey_hash)
      ca=$(awk '{if(keep) print $0} /END CERT/{keep=1}' "$cert" | pubkey_hash)

      # main: DANE-EE(3) SPKI(1) SHA2-256(1)
      printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$fqdn" "$self"
      # fallback: DANE-TA(2) SPKI(1) SHA2-256(1)
      printf '_25._tcp.%s. IN TLSA 2 1 1 %s\n' "$fqdn" "$ca"
    '')

    # computes the DKIM record
    (pkgs.writers.writeDashBin "mailserver-dkim" ''
      set -e
      export PATH=${with pkgs; lib.makeBinPath [ coreutils gawk ]}:$PATH

      domain=${builtins.elemAt config.mailserver.domains 0}
      raw=$(cat ${config.mailserver.dkimKeyDirectory}/*.txt | tr -d '\n\t' | awk -F'"' '{print $2$4}')
      printf 'mail._domainkey.%s IN TXT %s' "$domain" "$raw"
    '')

  ];
}