{ config, pkgs, lib, sources, ... }:

{
  imports = [
      sources.nixos-mailserver.outPath
  ];

  # Settings for the mail server module pulled in through `imports` above
  # (sources.nixos-mailserver): storage location, served domains, mailbox
  # accounts, alias fan-out and which client protocols are exposed.
  mailserver = {
    # Mail is stored under /persist/mail instead of the module's default path.
    mailDirectory = "/persist/mail";
    enable = true;
    fqdn = "mail.hacc.space";
    # Every domain this host accepts mail for.
    domains = [ "hacc.space" "muc.hacc.space" "hacc.earth" "4future.dev" "4futu.re" "infra4future.de" "discuss.infra4future.de" ];

    # Mailbox accounts. Each key is a login address; `aliases` lists extra
    # addresses delivered to the same mailbox.
    #
    # NOTE(review): the password hashes are embedded in the Nix expression, so
    # they are readable by anyone who can read this file and by any local user
    # once the configuration is built into the world-readable /nix/store.
    # They are SHA-512 crypt hashes ("$6$") with no `rounds=` parameter
    # visible, i.e. at the scheme's default cost, which makes offline guessing
    # comparatively cheap if the file leaks. nixos-mailserver also offers
    # `hashedPasswordFile`, which keeps the hash out of the store; consider
    # moving to that, preferably with a stronger hash scheme, and rotating any
    # password whose hash has been published.
    loginAccounts = {
        "hexchen@hacc.space".hashedPassword = "$6$x9skYtRp4dgxC$1y8gPC2BuVqG3kJVSMGgzZv0Bg1T9qxcnBWLIDbANy1d//SQ23Y7s3IMYcEPd1/l/MYWD9Y/Qse6HbT5w5Xwq/";
        # postmaster@ and abuse@ both land in this one mailbox.
        "hexchen@hacc.space".aliases = [ "postmaster@hacc.space" "abuse@hacc.space" "hexchen@infra4future.de" ];

        "octycs@hacc.space".hashedPassword = "$6$KceTivtJ$58jxhYF6ULfivNsb3Z0J7PnGea0Hs2wTWh3c9FrKRIAmuOD96u2IDgZRCn6P5NrXA0BL.n6HC2RS3r.4JnOmg.";
        "octycs@hacc.space".aliases = [ "markus@hacc.space" ];

        "raphael@hacc.space".hashedPassword = "$6$QveHpwMcp9mkFVAU$EFuahOrJIxPg.c.WGFHtrP3.onwJYwvP7fiBHHGb9jhosewZ2tEUP.2D3uyDLhd9Cfny6Yp4jDk/Hkjk7/ME1/";

        "schweby@hacc.space".hashedPassword = "$6$BpYhwcZNrkLhVqK$6FMqA/vUkdV4GBlHLSqS5DRCb/CaLDNeIsBcZ8G30heytS/tJj2Ag7b1ovSltTA4PUfhee3pJrz1BkwkA93vN1";

        "zauberberg@hacc.space".hashedPassword = "$6$ISAaU8X6D$oGKe9WXDWrRpGzHUTdxrxdtg9zuGOlBMuDc82IZhegpsv1bqd550FhZZrI40IjZTA5Hy2MZ8j/0efpnQ4fOQH0";
        "zauberberg@hacc.space".aliases = [ "lukas@hacc.space" ];

        "stuebinm@hacc.space".hashedPassword = "$6$mjrMQG5smqLRlm$WzmbiZnGlEXGT7hj/n2qz0nvVzGyZfMToCyLRi0wErfVEHI7y7jtWoHqIWnpcHAM29UocsIFFsUCb3XqQCwwB.";

        "lenny@hacc.space".hashedPassword = "$6$EZpv9XImv5F3$p2NSoo5gLxh6NnB3/C6wF8knRTuMHqDXYF3BEscaQuk7qok2Z13xKT/6mFvvSKKBnFCuYptgnfGswmoqIzm/1/";
        "lenny@hacc.space".aliases = [ "rinderhacc@hacc.space" ];

        "finance@muc.hacc.space".hashedPassword = "$6$R3GRmvXwqnMM6q.R$Y9mrUAmMnCScsM6pKjxo2a2XPM7lHrV8FIgK0PzhYvZbxWczo7.O4dk1onYeV1mRx/nXZfkZNjqNCruCn0S2m.";

        # service accounts
        # NOTE(review): presumably used by applications to submit mail; their
        # plaintext passwords then also live in those applications' configs,
        # so treat them as separately rotatable credentials — confirm.
        "noreply@hacc.space".hashedPassword = "$6$YsqMoItITZUzI5wo$5Lejf8XBHRx4LW4VuZ9wJCiBbT4kOV/EZaCdWQ07eVIrkRTZwXWZ5zfsh.olXEFwvpNWN.DBnU.dQc.cC0/ra/";
        "newsletter@hacc.space".hashedPassword = "$6$f0xKnQxBInd$zbVIi1lTKWauqW.c8sMNLHNwzn81oQrVOiIfJwPa98n9xWz/NkjuWLYuFpK.MSZwNwP7Yv/a/qaOb9v8qv/.N1";
        "gitlab@infra4future.de".hashedPassword = "$6$8vvkYuxv$9xV5WktsqfgM3cWSxonjtaohm7oqvDC5qsgJCJBATwesjTRxd/QTLa7t7teK8Nzyl.Py26xz.NvYowCZQ4aBE1";
        "noreply@infra4future.de".hashedPassword = "$6$uaD8bRcT1$gFqhFyu5RUsyUUOG5b.kN.JAJ1rVHvaYhpeRHoMvrERAMgBu1FHu2oDnjTsy.5NKoLc5xpI5uv4Gpy4YbmDmV.";
        "discuss@infra4future.de".hashedPassword = "$6$8x8/OlMFjq1$S54jdBh7WjrdC6UtbYAHHzMJak7Ai/CjwmWBBbqh7yRHuZt.mfZrsfBNiL3JKBHE7seQ7JYRU99lJKCU6Aujg/";
    };

    # Group addresses: mail to the key is forwarded to every address in its
    # list. Membership here decides who receives that group's mail, so
    # removing a person means editing each list they appear in.
    extraVirtualAliases = {
        # address = forward address;

        # -- International --
        # info/contact: main entrypoint, anyone can read or reply to this.
        "info@hacc.space" = [
            "hexchen@hacc.space"
            "octycs@hacc.space"
            "raphael@hacc.space"
            "schweby@hacc.space"
            "zauberberg@hacc.space"
            "stuebinm@hacc.space"
            "lenny@hacc.space"
        ];
        # admin: current people with access to the mail server and knowledge on how to use it
        "admin@hacc.space" = [
            "hexchen@hacc.space"
            "schweby@hacc.space"
            "zauberberg@hacc.space"
        ];
        # voc: hacc video operation center, various streaming-related things
        "voc@hacc.space" = [
            "hexchen@hacc.space"
            "schweby@hacc.space"
            "octycs@hacc.space"
            "stuebinm@hacc.space"
            "zauberberg@hacc.space"
            "lenny@hacc.space"
        ];

        # -- Regional: Germany --
        # board of hacc e.V.
        "vorstand@hacc.space" = [
            "raphael@hacc.space"
            "schweby@hacc.space"
            "zauberberg@hacc.space"
        ];
        # members of hacc e.V.
        "mitglieder@hacc.space" = [
            "hexchen@hacc.space"
            "raphael@hacc.space"
            "schweby@hacc.space"
            "zauberberg@hacc.space"
            "lenny@hacc.space"
            "octycs@hacc.space"
        ];

        # -- Regional: Munich --
        "muc@hacc.space" = [
            "hexchen@hacc.space"
            "octycs@hacc.space"
            "raphael@hacc.space"
            "schweby@hacc.space"
            "zauberberg@hacc.space"
            "stuebinm@hacc.space"
            "lenny@hacc.space"
        ];

        # -- c3 world operation centre --
        "world@muc.hacc.space" = [
            "hexchen@hacc.space"
            "stuebinm@hacc.space"
        ];
    };

    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
    # down nginx and opens port 80.
    certificateScheme = 3;

    # Enable IMAP and POP3
    # NOTE(review): enableImap/enablePop3 are separate from the *Ssl variants;
    # as far as I know they open the STARTTLS listeners (143/110) in addition
    # to the implicit-TLS ones (993/995). If every client uses the TLS ports,
    # turning the first two off reduces the exposed surface — confirm client
    # usage before changing.
    enableImap = true;
    enablePop3 = true;
    enableImapSsl = true;
    enablePop3Ssl = true;

    # Enable the ManageSieve protocol
    # (lets authenticated users upload their own Sieve filter scripts).
    enableManageSieve = true;

    # whether to scan inbound emails for viruses (note that this requires at least
    # 1 Gb RAM for the server. Without virus scanning 256 MB RAM should be plenty)
    # With this off, inbound attachments reach mailboxes without a malware scan.
    virusScanning = false;
  };
  # Sender restrictions for the two authenticated submission services
  # (submissionOptions = "submission", submissionsOptions = "submissions").
  # Both get the same value: reject non-FQDN senders and senders in unknown
  # domains, then permit everything else.
  #
  # NOTE(review): the list ends in `permit` and contains no
  # reject_sender_login_mismatch (or other sender/login ownership check). As
  # written, an authenticated account — including the service accounts — does
  # not appear to be restricted to its own addresses as envelope sender.
  # If the imported mailserver module normally sets such a check for these
  # services, this value replaces it. Confirm that is intended, and if it was
  # only needed for alias sending, consider putting
  # reject_sender_login_mismatch in front of `permit`.
  services.postfix.submissionOptions.smtpd_sender_restrictions = "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";
  services.postfix.submissionsOptions.smtpd_sender_restrictions = "reject_non_fqdn_sender,reject_unknown_sender_domain,permit";
  # Extra entries for Postfix's virtual alias map, one "pattern target" pair
  # per line (comments are kept outside the string so its content is unchanged):
  #   - "@domain @hacc.space" rewrites any address in that domain to the same
  #     local part at hacc.space;
  #   - "@discuss.infra4future.de discuss@infra4future.de" is a catch-all into
  #     a single mailbox;
  #   - the remaining lines forward individual addresses to a mailbox or group.
  # NOTE(review): catch-all entries accept mail for arbitrary local parts in
  # those domains, which widens the spam surface — confirm they are still
  # needed. noreply@infra4future.de is mapped to admin@hacc.space here but is
  # also declared as a login account in mailserver.loginAccounts; verify which
  # delivery is intended.
  services.postfix.virtual = ''
    @4future.dev @hacc.space
    @4futu.re @hacc.space
    @hacc.earth @hacc.space
    @discuss.infra4future.de discuss@infra4future.de
    admin@infra4future.de admin@hacc.space
    noreply@infra4future.de admin@hacc.space
    lukas@infra4future.de zauberberg@hacc.space
    info@infra4future.de admin@hacc.space
    postmaster@infra4future.de admin@hacc.space
    voc@infra4future.de voc@hacc.space
    haccvoc@infra4future.de voc@hacc.space
    contact@hacc.space info@hacc.space
    himmel@hacc.space admin@hacc.space
    divoc-patches@muc.hacc.space world@muc.hacc.space
  '';

  # Runs the alps webmail frontend as a systemd service, pointed at this
  # host's IMAPS (993) and SMTPS (465) endpoints. It is started with
  # multi-user.target and always restarted when it exits.
  #
  # NOTE(review): no serviceConfig.User / DynamicUser is set in this block, so
  # by systemd's default the process runs as root. alps handles user
  # credentials and untrusted mail content, so it is a good candidate for an
  # unprivileged user (e.g. DynamicUser = true) plus sandboxing options such
  # as NoNewPrivileges and ProtectSystem — test that the theme directory
  # stays readable before rolling that out.
  # NOTE(review): no listen address is passed on the command line; the nginx
  # vhost in this file proxies to [::1]:1323. Confirm that port is not
  # reachable from outside directly (bind address or firewall), since traffic
  # to it would bypass the TLS termination in nginx.
  systemd.services.alps = {
    enable = true;
    script = "${pkgs.alps}/bin/alps -theme alps imaps://mail.hacc.space:993 smtps://mail.hacc.space:465";
    # The working directory is the package's share/alps directory in the store.
    serviceConfig.WorkingDirectory = "${pkgs.alps}/share/alps";
    serviceConfig.Restart = "always";
    requiredBy = [ "multi-user.target" ];
  };

  # Public HTTPS front end for the webmail: nginx obtains an ACME certificate
  # for mail.hacc.space, redirects plain HTTP to HTTPS (forceSSL) and forwards
  # every request to the local service on [::1]:1323 over unencrypted HTTP.
  # The loopback hop is only safe as long as that port is not exposed
  # elsewhere.
  services.nginx.virtualHosts."mail.hacc.space" = {
    enableACME = true;
    forceSSL = true;
    locations."/".proxyPass = "http://[::1]:1323";
  };
}