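# NixOS module that declares the `jalr.mailserver` option set and pulls in the
# service modules (Dovecot, Postfix, rspamd, user handling) that consume it.
# This file only declares options; how each value is applied is decided in the
# imported modules, which are not part of this file.
{ config, lib, pkgs, ... }:
let
  cfg = config.jalr.mailserver;
in
{
  options.jalr.mailserver = with lib; with lib.types; {
    enable = mkEnableOption "simple mail server";

    relayPort = mkOption {
      description = "SMTP port used for relaying mail.";
      type = port;
      default = 25;
    };

    fqdn = mkOption {
      type = str;
      description = ''
        FQDN of the mail server.
        It needs to have a matching reverse DNS record.
        By default, an ACME certificate with this name has to be present.
        See `certDir` for more details.
      '';
      example = "mail.example.com";
    };

    storageDir = mkOption {
      type = path;
      description = "Location of the storage directory for mails";
      default = "/var/vmail";
    };

    domains = mkOption {
      type = listOf (submodule {
        options = {
          domain = mkOption {
            type = str;
            description = "Domain to serve";
            # The option is a single string; list the domains as separate
            # entries of `domains` rather than as a list here.
            example = "example.com";
          };

          # Signing is off unless it is switched on per domain, so outgoing
          # mail for a domain is unsigned until this is set.
          # mkEnableOption already defaults to false and prefixes the text
          # with "Whether to enable".
          enableDKIM = mkEnableOption "DKIM signing for this domain";

          DKIMSelector = mkOption {
            type = str;
            description = "DKIM selector to use when signing";
            default = "default";
          };
        };
      });
      description = "Domains of the mail server";
    };

    certDir = mkOption {
      type = path;
      description = "Directory with `fullchain.pem` and `key.pem` for the FQDN. Defaults to the ACME directory of the FQDN.";
      # The default looks up `security.acme.certs.<fqdn>`; evaluation fails if
      # no such certificate is declared and `certDir` is not overridden.
      # `key.pem` is the TLS private key.
      # NOTE(review): which services read this directory, and with what
      # permissions, is decided in the imported modules; confirm there.
      # NOTE(review): the default depends on `config`; consider adding a
      # `defaultText` so option documentation can be built without it.
      default = config.security.acme.certs."${cfg.fqdn}".directory;
    };

    users = mkOption {
      type = listOf (submodule {
        options = {
          address = mkOption {
            type = str;
            description = "Primary e-mail address of the user";
            example = "jdoe@example.com";
          };

          # The hash is an ordinary option value, so it is written to the Nix
          # store and is readable by every local user and by anything that
          # copies the store (binary caches, backups). Treat it as exposed to
          # offline guessing: keep the Argon2id parameters strong and the
          # passwords long and random.
          passwordHash = mkOption {
            type = str;
            description = ''
              Argon2id hash of the user’s password. Please note that it will be
              world-readable in the nix store.
            '';
            example = "$argon2id$v=19$m=2097152,t=9,p=4$ycAnTa3lq5EAPTNJVpZ3+A$dIJ0CHVNn3vRUUso3IveHlrzTURoudrkxU92P5Q9/P4";
          };

          aliases = mkOption {
            type = listOf str;
            description = ''
              A list of aliases for the user. If multiple users have the same
              alias defined, mail will be delivered to both of them.
            '';
            default = [ ];
            example = [
              "j.doe@example.com"
              "jane.doe@example.com"
              "postmaster@example.com"
            ];
          };
        };
      });
      description = "Users of the mail server";
    };

    # The default patterns match headers that identify the sending client or
    # its network path (Received, User-Agent, X-Mailer, X-Originating-IP).
    # NOTE(review): presumably these are handed to Postfix header checks in
    # ./postfix.nix; confirm there. Also confirm they apply only to mail
    # submitted by local users: removing Received from inbound mail would drop
    # hop information needed for troubleshooting and incident analysis.
    cleanHeaders = mkOption {
      type = listOf str;
      description = "A list of regular expressions that define what headers are filtered";
      default = [
        "/^\\s*Received:/"
        "/^\\s*User-Agent:/"
        "/^\\s*X-Mailer:/"
        "/^\\s*X-Originating-IP:/"
      ];
    };

    messageSizeLimit = mkOption {
      # NOTE(review): `int` also accepts negative values; a non-negative
      # integer type would reject them at evaluation time. Left unchanged
      # because the consumers of this value are not visible here.
      type = int;
      description = ''
        Message size limit, in bytes.
      '';
      # 10 MiB (10 * 1024 * 1024).
      default = 10485760;
    };
  };

  imports = [
    ./dovecot.nix
    ./postfix.nix
    ./rspamd.nix
    ./users.nix
  ];
}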