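# NixOS module: self-hosted mail for ataraxiadev.com on top of
# simple-nixos-mailserver (pulled in from the flake input), with an ACME
# certificate shared between Postfix and Dovecot, outbound relay through
# Oracle Cloud Email Delivery, and a DNSBL set applied to inbound clients.
#
# `secrets.*` is a project-local option set (not part of upstream NixOS);
# the meaning of `owner`, `services`, `permissions` and `.decrypted` below is
# inferred from the attribute names — TODO confirm against the secrets module.
{ pkgs, config, lib, inputs, ... }:
let
  # Path of the simple-nixos-mailserver flake input, used as an import.
  module = toString inputs.simple-nixos-mailserver;
in {
  imports = [ module ];

  # Hashed password for the single login account (see `hashedPasswordFile`).
  # Presumably owner user:group; dovecot2 is restarted when the secret changes.
  secrets.mailserver = {
    owner = "dovecot2:cert";
    services = [ "dovecot2" ];
  };

  # Relay credentials for the OCI SMTP endpoint (see `mapFiles` below).
  # NOTE(review): mode 444 makes the relay password readable by every local
  # user. The file is only consumed through `services.postfix.mapFiles`, which
  # is presumably linked and postmap'ed by the Postfix setup step as root, so
  # a more restrictive mode is likely sufficient — verify with the secrets
  # module's default before tightening.
  secrets.sasl_passwd = { permissions = "444"; };

  security.acme = {
    email = "ataraxiadev@ataraxiadev.com";
    acceptTerms = true;
    certs."mail.ataraxiadev.com" = {
      # Group `cert` lets dovecot2 (owner dovecot2:cert above) read the key.
      group = "cert";
      webroot = "/var/lib/acme/acme-challenge";
      # Both daemons load the certificate at start, so reload them on renewal.
      postRun = ''
        systemctl reload postfix
        systemctl reload dovecot2
      '';
    };
  };

  services.postfix = {
    # Installed as /etc/postfix/sasl_passwd and referenced by the hash: map.
    mapFiles."sasl_passwd" = config.secrets.sasl_passwd.decrypted;

    # Outbound relay. `smtp_tls_security_level = may` keeps STARTTLS
    # opportunistic; `smtp_sasl_security_options` therefore keeps Postfix's
    # `noplaintext` so PLAIN/LOGIN are never sent on an unencrypted session,
    # while the cleared `smtp_sasl_tls_security_options` still permits them
    # once STARTTLS is established (the relay on port 587 offers STARTTLS).
    extraConfig = ''
      smtp_tls_security_level = may
      smtp_sasl_auth_enable = yes
      smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
      smtp_sasl_security_options = noplaintext, noanonymous
      smtp_sasl_tls_security_options =
      relayhost = [smtp.email.eu-zurich-1.oci.oraclecloud.com]:587
    '';

    # DNSBLs consulted for inbound SMTP clients (presumably wired into
    # reject_rbl_client by the mailserver module).
    # NOTE(review): `localDnsResolver = false` below sends these lookups
    # through the system resolver. Spamhaus zones answer queries from
    # public/open resolvers with an error code in 127.255.255.0/24, which an
    # unqualified reject_rbl_client treats as a listing and rejects every
    # client — confirm this host resolves via its own resolver.
    # NOTE(review): zen.spamhaus.org is documented as the union of sbl, xbl
    # and pbl, so those three entries are redundant; ips.backscatterer.org is
    # documented for null-sender (bounce) checks only and is known to reject
    # legitimate servers as a general client RBL; UCEPROTECT levels 2/3 list
    # whole netblocks/ASNs; several zones (e.g. cbl.abuseat.org) are no
    # longer independently maintained — TODO audit this list.
    dnsBlacklists = [
      "all.s5h.net"
      "b.barracudacentral.org"
      "bl.spamcop.net"
      "blacklist.woody.ch"
      "bogons.cymru.com"
      "cbl.abuseat.org"
      "combined.abuse.ch"
      "db.wpbl.info"
      "dnsbl-1.uceprotect.net"
      "dnsbl-2.uceprotect.net"
      "dnsbl-3.uceprotect.net"
      "dnsbl.anticaptcha.net"
      "dnsbl.dronebl.org"
      "dnsbl.inps.de"
      "dnsbl.sorbs.net"
      "dnsbl.spfbl.net"
      "drone.abuse.ch"
      "duinv.aupads.org"
      "dul.dnsbl.sorbs.net"
      "dyna.spamrats.com"
      "dynip.rothen.com"
      "http.dnsbl.sorbs.net"
      "ips.backscatterer.org"
      "ix.dnsbl.manitu.net"
      "korea.services.net"
      "misc.dnsbl.sorbs.net"
      "noptr.spamrats.com"
      "orvedb.aupads.org"
      "pbl.spamhaus.org"
      "proxy.bl.gweep.ca"
      "psbl.surriel.com"
      "relays.bl.gweep.ca"
      "relays.nether.net"
      "sbl.spamhaus.org"
      "singular.ttk.pte.hu"
      "smtp.dnsbl.sorbs.net"
      "socks.dnsbl.sorbs.net"
      "spam.abuse.ch"
      "spam.dnsbl.anonmails.de"
      "spam.dnsbl.sorbs.net"
      "spam.spamrats.com"
      "spambot.bls.digibase.ca"
      "spamrbl.imp.ch"
      "spamsources.fabel.dk"
      "ubl.lashback.com"
      "ubl.unsubscore.com"
      "virus.rbl.jp"
      "web.dnsbl.sorbs.net"
      "wormrbl.imp.ch"
      "xbl.spamhaus.org"
      "z.mailspike.net"
      "zen.spamhaus.org"
      "zombie.dnsbl.sorbs.net"
    ];

    # Access-table entries that bypass the blacklists: the mail domain, the
    # RFC 1918 192.168/16 range, and one "<host>.lan OK" line per NixOS
    # configuration defined in this flake (every machine it manages).
    dnsBlacklistOverrides = ''
      ataraxiadev.com OK
      mail.ataraxiadev.com OK
      192.168.0.0/16 OK
      ${lib.concatMapStringsSep "\n" (machine: "${machine}.lan OK") (builtins.attrNames inputs.self.nixosConfigurations)}
    '';
  };

  # `rec` so `fqdn` can be reused in the certificate paths.
  mailserver = rec {
    enable = true;
    openFirewall = true;
    fqdn = "mail.ataraxiadev.com";
    domains = [ "ataraxiadev.com" ];
    loginAccounts = {
      "ataraxiadev@ataraxiadev.com" = {
        # Bare local parts (e.g. "admin") presumably expand to every
        # configured domain — confirm with the mailserver module.
        aliases = [
          "ataraxiadev"
          "admin@ataraxiadev.com"
          "admin"
          "root@ataraxiadev.com"
          "root"
        ];
        hashedPasswordFile = config.secrets.mailserver.decrypted;
      };
    };
    # Use the system resolver rather than the module's local caching one
    # (see the Spamhaus note on dnsBlacklists above).
    localDnsResolver = false;
    # Scheme 1 = externally managed certificate, supplied via the two paths
    # below from the ACME cert defined in security.acme — TODO confirm this
    # integer API matches the pinned simple-nixos-mailserver version.
    certificateScheme = 1;
    certificateFile = "${config.security.acme.certs.${fqdn}.directory}/fullchain.pem";
    keyFile = "${config.security.acme.certs.${fqdn}.directory}/key.pem";
    enableImap = true;
    enableImapSsl = true;
    enableSubmission = true;
    enableSubmissionSsl = true;
    # No ClamAV scanning of inbound mail.
    virusScanning = false;
  };
}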