{ config, ... }:

{
  mailserver = {
    enable = true;
    stateVersion = 3;
    fqdn = "taf.lyes.eu";
    domains = [
      "lyes.eu"
      "mail.lyes.eu"
    ];

    localDnsResolver = false;
    enableManageSieve = true;

    ldap = {
      enable = true;

      uris = [ "ldaps://" ];
      searchBase = "dc=auth,dc=lyes,dc=eu";
      searchScope = "sub";

      bind = {
        dn = "dn=token,dc=auth,dc=lyes,dc=eu";
        passwordFile = config.age.secrets.taf-token.path;
      };

      dovecot = {
        userFilter = "(mail=%u)";
        passFilter = "(mail=%u)";
      };

      postfix = {
        filter = "(mail=%s)";
        mailAttribute = "mail";
        uidAttribute = "name";
      };
    };

    extraVirtualAliases = {
      "@lyes.eu" = "lyes@mail.lyes.eu";
    };

    certificateScheme = "acme-nginx";
  };

  services.roundcube = {
    enable = true;

    hostName = "mail.lyes.eu";
    extraConfig = ''
      $config['smtp_host'] = "tls://taf.lyes.eu";
      $config['smtp_port'] = 587;
      $config['smtp_user'] = "%u";
      $config['smtp_pass'] = "%p";
    '';
  };

  age.secrets = {
    taf-token = {
      owner = "postfix";
      file = ../../../secrets/zora/services/taf-token.age;
    };
  };
}