with import <stockholm/lib>;
{ config, pkgs, lib, ... }: let
  cfg = config.krebs.exim-retiolum;

  # Due to improvements to the JSON notation, braces around top-level objects
  # are not necessary^Wsupported by rspamd's parser when including files:
  # https://github.com/rspamd/rspamd/issues/2674
  toMostlyJSON = value:
    assert typeOf value == "set";
    (s: substring 1 (stringLength s - 2) s)
    (toJSON value);

in {
  options.krebs.exim-retiolum = {
    enable = mkEnableOption "krebs.exim-retiolum";
    local_domains = mkOption {
      type = with types; listOf hostname;
      default = ["localhost"] ++ config.krebs.build.host.nets.retiolum.aliases;
    };
    primary_hostname = mkOption {
      type = types.str;
      default = let x = "${config.krebs.build.host.name}.r"; in
        assert elem x config.krebs.build.host.nets.retiolum.aliases;
        x;
    };
    relay_to_domains = mkOption {
      # TODO hostname with wildcards
      type = with types; listOf str;
      default = [
        "*.r"
      ];
    };
    rspamd = {
      enable = mkEnableOption "krebs.exim-retiolum.rspamd" // {
        default = false;
      };
      locals = {
        logging = {
          level = mkOption {
            type = types.enum [
              "error"
              "warning"
              "notice"
              "info"
              "debug"
              "silent"
            ];
            default = "notice";
          };
        };
        options = {
          local_networks = mkOption {
            type = types.listOf types.cidr;
            default = [
              config.krebs.build.host.nets.retiolum.ip4.prefix
              config.krebs.build.host.nets.retiolum.ip6.prefix
            ];
          };
        };
      };
    };
  };
  imports = [
    {
      config = lib.mkIf cfg.rspamd.enable {
        services.rspamd.enable = true;
        services.rspamd.locals =
          mapAttrs'
            (name: value: nameValuePair "${name}.inc" {
              text = toMostlyJSON value;
            })
            cfg.rspamd.locals;
        users.users.${config.krebs.exim.user.name}.extraGroups = [
          config.services.rspamd.group
        ];
      };
    }
  ];
  config = lib.mkIf cfg.enable {
    krebs.exim = {
      enable = true;
      config =
        # This configuration makes only sense for retiolum-enabled hosts.
        # TODO modular configuration
        assert config.krebs.tinc.retiolum.enable;
        /* exim */ ''
          keep_environment =

          primary_hostname = ${cfg.primary_hostname}
          domainlist local_domains = ${concatStringsSep ":" cfg.local_domains}
          domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains}

          ${optionalString cfg.rspamd.enable /* exim */ ''
            spamd_address = /run/rspamd/rspamd.sock variant=rspamd
          ''}

          acl_smtp_rcpt = acl_check_rcpt
          acl_smtp_data = acl_check_data

          host_lookup = *
          rfc1413_hosts = *
          rfc1413_query_timeout = 5s

          log_file_path = syslog
          syslog_timestamp = false
          syslog_duplication = false

          tls_advertise_hosts =

          begin acl

          acl_check_rcpt:
            deny
              local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
              message = restricted characters in address

            accept
              domains = +local_domains : +relay_to_domains

            deny
              message = relay not permitted


          acl_check_data:
            ${optionalString cfg.rspamd.enable /* exim */ ''
              accept condition = ''${if eq{$interface_port}{587}}

              warn remove_header = ${concatStringsSep " : " [
                "x-spam"
                "x-spam-report"
                "x-spam-score"
              ]}

              warn
                spam = nobody:true

              warn
                condition = ''${if !eq{$spam_action}{no action}}
                add_header = X-Spam: Yes
                add_header = X-Spam-Report: $spam_report
                add_header = X-Spam-Score: $spam_score
            ''}
            accept


          begin routers

          local:
            driver = accept
            domains = +local_domains
            check_local_user
          # local_part_suffix = +*
          # local_part_suffix_optional
            transport = home_maildir

          remote:
            driver = manualroute
            domains = +relay_to_domains
            transport = remote_smtp
            route_list = ^.* $0 byname


          begin transports

          remote_smtp:
            driver = smtp

          home_maildir:
            driver = appendfile
            maildir_format
            directory = $home/Maildir
            directory_mode = 0700
            delivery_date_add
            envelope_to_add
            return_path_add
          # group = mail
          # mode = 0660

          begin retry
          ${concatMapStringsSep "\n" (k: "${k} * F,42d,1m") cfg.relay_to_domains}
          * * F,2h,15m; G,16h,1h,1.5; F,4d,6h

          begin rewrite

          begin authenticators
        '';
    };
  };
}