{ config, pkgs, ... }:
let
  mailDomain = "extremist.software";
  # Paths of the two secrets Stalwart has to read at startup.
  adminSecretPath = "/run/agenix/stalwart-admin";
  webhookSecretPath = config.age.secrets.webhook-secret.path;
in
{
  # Stalwart mail server: SMTP on 25, SMTPS on 465, IMAPS on 993.
  # openFirewall lets the NixOS module open the listener ports in the host firewall.
  services.stalwart.enable = true;
  services.stalwart.openFirewall = true;

  services.stalwart.settings = {
    server.hostname = mailDomain;

    # Server-wide default is STARTTLS (implicit = false); the 465/993
    # listeners below switch to implicit TLS individually.
    server.tls = {
      enable = true;
      implicit = false;
    };

    # Inbound SMTP, dual-stack, STARTTLS per the server-wide default.
    server.listener.smtp = {
      protocol = "smtp";
      bind = "[::]:25";
    };
    # Submission over implicit TLS.
    server.listener.submissions = {
      protocol = "smtp";
      bind = "[::]:465";
      tls.implicit = true;
    };
    # IMAP over implicit TLS.
    server.listener.imaps = {
      protocol = "imap";
      bind = "[::]:993";
      tls.implicit = true;
    };
    # Management / web admin API: plain HTTP, reachable on loopback only.
    server.listener.management = {
      protocol = "http";
      bind = [ "127.0.0.1:8080" ];
    };

    # Reuse the certificate that security.acme already obtains for Caddy.
    # The %{file:...}% macro makes Stalwart read the PEM files itself,
    # so the service user needs read access to them (see SupplementaryGroups below).
    certificate."default" = {
      cert = "%{file:/var/lib/acme/extremist.software/fullchain.pem}%";
      private-key = "%{file:/var/lib/acme/extremist.software/key.pem}%";
    };

    # Fallback admin login; the password is read from an agenix secret file
    # rather than being embedded in the Nix store.
    authentication.fallback-admin = {
      user = "admin";
      secret = "%{file:${adminSecretPath}}%";
    };

    # Session hook fired at the DATA stage for mail addressed to the QA mailbox.
    # The hook endpoint is a loopback HTTP service; it authenticates with a
    # username and a secret read from agenix.
    session.hook."qa-webhook" = {
      enable = "contains(recipients, 'qa@jetpham.com')";
      url = "http://127.0.0.1:3003/api/webhook";
      stages = [ "data" ];
      auth = {
        username = "qa-webhook";
        secret = "%{file:${webhookSecretPath}}%";
      };
      options = {
        # A failing hook temp-fails the message instead of silently accepting it.
        tempfail-on-error = true;
        max-response-size = 1048576;
      };
    };
  };

  # Grant the Stalwart unit read access to the ACME certificate (group "acme")
  # and expose the two agenix secret files read-only inside its sandbox.
  systemd.services.stalwart.serviceConfig = {
    SupplementaryGroups = [ "acme" ];
    ReadOnlyPaths = [
      adminSecretPath
      webhookSecretPath
    ];
  };
}