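# NixOS module: Dovecot IMAP server for virtual mail users.
#
# - Opens TCP 993 in the firewall and requires TLS (`ssl = required`).
# - Obtains a dedicated ACME certificate for the host FQDN, readable by the
#   dovecot group.
# - Authenticates against a passwd-file instead of PAM; all mail is stored
#   under the single system account `vmail`.
# - Exposes the `auth` (SASL) and `lmtp` UNIX sockets to the postfix user.
{ config, pkgs, ... }:

let
  # Name of the ACME certificate entry used only by dovecot.
  certName = "${config.networking.fqdn}-dovecot";
  # Directory where the ACME module places key.pem / cert.pem for certName.
  certDir = config.security.acme.certs."${certName}".directory;
in
{
  # Only 993 is opened here. Whether a listener on another port is active
  # depends on services.dovecot2 defaults not visible in this module.
  networking.firewall.allowedTCPPorts = [
    993 # IMAPS (IMAP over TLS)
  ];

  security.acme.certs."${certName}" = {
    domain = config.networking.fqdn;
    # HTTP-01 challenge directory. NOTE(review): this module does not define
    # the web server that has to serve this path; confirm one exists.
    webroot = "/var/lib/acme/.challenges";
    # Lets the dovecot group read the issued private key.
    group = config.services.dovecot2.group;
    # Dovecot only picks up a renewed certificate on reload; without this it
    # keeps serving the old one until the next restart, and clients start to
    # see an expired certificate.
    # NOTE(review): unit name taken from the NixOS dovecot2 module; confirm
    # it matches the release in use.
    reloadServices = [ "dovecot2.service" ];
  };

  # Unprivileged system account that owns every mailbox.
  users.groups."vmail" = {};
  users.users."vmail" = {
    group = "vmail";
    isSystemUser = true;
  };

  services.dovecot2 = {
    enable = true;

    sslServerKey = certDir + "/key.pem";
    sslServerCert = certDir + "/cert.pem";

    # Special-use folders, created and subscribed automatically.
    mailboxes = {
      Junk = { specialUse = "Junk"; auto = "subscribe"; };
      Sent = { specialUse = "Sent"; auto = "subscribe"; };
      Drafts = { specialUse = "Drafts"; auto = "subscribe"; };
      Trash = { specialUse = "Trash"; auto = "subscribe"; };
      Archive = { specialUse = "Archive"; auto = "subscribe"; };
    };

    mailUser = "vmail";
    mailGroup = "vmail";

    # Mail users are virtual; system accounts cannot log in over IMAP.
    enablePAM = false;
    enableLmtp = true;

    mailLocation = "maildir:/var/spool/mail/vmail/mailboxes/%u";

    # Raw dovecot.conf fragment:
    #  - ssl = required: clients must negotiate TLS.
    #  - service auth / service lmtp: UNIX sockets owned by postfix
    #    (0660 and 0600), so only the MTA can use SASL auth and local
    #    delivery.
    #  - passdb/userdb: the same passwd-file supplies credentials and user
    #    lookups; every user maps to uid/gid vmail.
    # NOTE(review): /var/custom-access/dovecot.passwd holds the password
    # entries and is not managed by this module. Its ownership and mode are
    # not visible here; confirm it is readable only by dovecot's auth
    # process and that entries are stored with a strong hash scheme.
    extraConfig = ''
      ssl = required

      service auth {
        unix_listener auth {
          mode = 0660
          user = postfix
          group = postfix
        }
      }

      mail_home = /var/spool/mail/vmail/users/%u

      passdb {
        driver = passwd-file
        args = /var/custom-access/dovecot.passwd
      }

      userdb {
        driver = passwd-file
        args = /var/custom-access/dovecot.passwd
        default_fields = uid=vmail gid=vmail home=/var/spool/mail/vmail/users/%u
      }

      service lmtp {
        unix_listener lmtp {
          group = postfix
          mode = 0600
          user = postfix
        }
      }
    '';
  };
}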