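# Adapted and simplified from https://nixos.wiki/wiki/Mailman
#
# NixOS module for the mathebau Mailman instance: Postfix relaying through the
# HRZ mail gateway, Mailman 3 with HyperKitty behind nginx/ACME, persisted state
# directories, and a timer that pushes the list addresses to the HRZ allow list.
{ config, lib, ... }:

let
  inherit (lib) mkIf mkEnableOption mkOption;
  inherit (lib.types) str;
  cfg = config.services.mathebau-mailman;

  # Paths written by Mailman's Postfix integration and read by Postfix below.
  postfixDomains = "/var/lib/mailman/data/postfix_domains";
  postfixLmtp = "/var/lib/mailman/data/postfix_lmtp";
in
{
  options.services.mathebau-mailman = {
    enable = mkEnableOption "mathebau mailman service";

    # Public host name; used for the ACME certificate, Postfix TLS and the web host.
    hostName = mkOption { type = str; };

    # Mail address of the site owner; also used as the ACME contact address.
    siteOwner = mkOption { type = str; };

    # Domain reported to the HRZ allow-list service. Defaults to the value that
    # was previously hard-coded so existing configurations keep working.
    allowlistDomain = mkOption {
      type = str;
      default = "lists.mathebau.de";
    };
  };

  config = mkIf cfg.enable {
    services = {
      postfix = {
        enable = true;
        relayDomains = [ "hash:${postfixDomains}" ];
        sslCert = config.security.acme.certs.${cfg.hostName}.directory + "/full.pem";
        sslKey = config.security.acme.certs.${cfg.hostName}.directory + "/key.pem";
        config = {
          transport_maps = [ "hash:${postfixLmtp}" ];
          local_recipient_maps = [ "hash:${postfixLmtp}" ];
          proxy_interfaces = "130.83.2.184";
          smtputf8_enable = "no"; # HRZ does not know SMTPUTF8
        };
        relayHost = "mailout.hrz.tu-darmstadt.de"; # Relay to HRZ
      };

      mailman = {
        enable = true;
        inherit (cfg) siteOwner;
        hyperkitty.enable = true;
        webHosts = [ cfg.hostName ];
        serve.enable = true;
      };

      # NOTE(review): forceSSL is off, so the Mailman/HyperKitty web UI (including
      # its login form) stays reachable over plain HTTP even though a certificate
      # is provisioned. Presumably intentional; confirm before switching it on.
      nginx.virtualHosts.${cfg.hostName} = {
        enableACME = true;
        forceSSL = false;
      };
    };

    environment.persistence.${config.impermanence.name} = {
      directories = [
        "/var/lib/acme" # Persist TLS keys and account
        "/var/lib/mailman"
        "/var/lib/mailman-web"
      ];
    };

    security.acme.defaults.email = cfg.siteOwner;
    security.acme.acceptTerms = true;

    networking.firewall.allowedTCPPorts = [ 25 80 443 ];

    # Update HRZ allowlist
    systemd.timers."mailAllowlist" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "5m"; # Run every 5 minutes
        OnUnitActiveSec = "5m";
        RandomizedDelaySec = "1m"; # Randomized delay
        Unit = "mailAllowlist.service";
      };
    };

    systemd.services."mailAllowlist" = {
      description = "Post the mail addresses used by mailman to the HRZ allow list";
      script = ''
        set -o pipefail

        # Scratch directory for the address list and the password file; removed
        # on every exit path so neither outlives the run.
        work=$(mktemp -d)
        trap 'rm -rf "$work"' EXIT

        # Parse addresses: first column of the LMTP map, without comments or blank lines
        awk '{print $1}' ${postfixLmtp} | grep -v '#' | grep "\S" > "$work/addresses"

        # Copy the secret into a file that curl reads with the "<file" form syntax.
        # This keeps the password out of curl's argv (visible in `ps`/procfs) and,
        # via printf '%s' "$(cat ...)", strips a trailing newline exactly like the
        # former $(cat ...) substitution did.
        printf '%s' "$(cat /run/secrets/allowlistPass)" > "$work/password"

        # Post addresses to HRZ. --fail turns an HTTP error response into a
        # non-zero exit so the unit is reported as failed instead of silently succeeding.
        curl --fail --silent --show-error \
          https://www-cgi.hrz.tu-darmstadt.de/mail/whitelist-update.php \
          -F emaildomain=${cfg.allowlistDomain} \
          -F "password=<$work/password" \
          -F "emailliste=@$work/addresses" \
          -F meldungen=voll
      '';
      serviceConfig = {
        Type = "oneshot";
        User = "mailman";
        PrivateTmp = true; # mktemp scratch files are invisible to other services
      };
    };

    sops.secrets.allowlistPass = {
      sopsFile = ../machines/lobon/allowlistPass.yaml;
      owner = "mailman";
      group = "mailman";
      mode = "0400";
    };
  };
}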