{ config, pkgs, ... }:
let
  # Mail hostname; the ACME directory used below carries the same name.
  domain = "extremist.software";
  acmeDir = "/var/lib/acme/${domain}";
in
{
  services.stalwart = {
    enable = true;

    # Open the firewall for the listener ports declared below.  The
    # management listener is bound to loopback only, so it stays local.
    openFirewall = true;

    settings = {
      server.hostname = domain;

      # Listener-wide TLS defaults: TLS available on every listener,
      # explicit (STARTTLS) unless a listener sets tls.implicit = true.
      server.tls = {
        enable = true;
        implicit = false;
      };

      # NOTE(review): no STARTTLS submission listener on 587 is declared;
      # the only submission endpoint here is implicit-TLS on 465.
      server.listener = {
        smtp = {
          protocol = "smtp";
          bind = "[::]:25";
        };
        submissions = {
          protocol = "smtp";
          bind = "[::]:465";
          tls.implicit = true;
        };
        imaps = {
          protocol = "imap";
          bind = "[::]:993";
          tls.implicit = true;
        };
        management = {
          protocol = "http";
          bind = [ "127.0.0.1:8080" ];
        };
      };

      # Reuse the certificate that security.acme obtains for Caddy.  Both
      # files are read by Stalwart at runtime through the %{file:...}% macro.
      certificate."default" = {
        cert = "%{file:${acmeDir}/fullchain.pem}%";
        private-key = "%{file:${acmeDir}/key.pem}%";
      };

      # Break-glass admin account.  The secret is read from the agenix
      # mount at runtime rather than being written into the config itself
      # (assumes the Stalwart service user can read that file — confirm).
      authentication.fallback-admin = {
        user = "admin";
        secret = "%{file:/run/agenix/stalwart-admin}%";
      };
    };
  };

  # Reading key.pem under the ACME directory needs membership in the acme
  # group (assumes that group is granted read access to the key — confirm).
  systemd.services.stalwart.serviceConfig.SupplementaryGroups = [ "acme" ];
}