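# nixos-mailserver: a simple mail server
# Copyright (C) 2016-2018 Robin Raymond
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.

# Virtual mail users: checks that every account has exactly one credential
# source, declares the storage owner/group, and runs a one-shot service that
# prepares the per-user sieve script directory before Dovecot starts.
{ config, pkgs, lib, ... }:

let
  cfg = config.mailserver;

  # Creates cfg.sieveDirectory owned by the storage owner/group with mode 770.
  # An existing directory is left untouched: ownership and mode are only set
  # on first creation, not re-applied on later runs.
  virtualMailUsersActivationScript = pkgs.writeScript "activate-virtual-mail-users" # bash
    ''
      #!${pkgs.stdenv.shell}
      set -euo pipefail

      # Prevent world-readable paths, even temporarily: with umask 007 mkdir
      # already yields 770, so there is no window between mkdir and chmod in
      # which other local users could read the directory.
      umask 007

      # Create directory to store user sieve scripts if it doesn't exist.
      # mkdir is deliberately not -p: a missing parent or a non-directory at
      # this path aborts the service under set -e instead of being papered over.
      if [ ! -d "${cfg.sieveDirectory}" ]; then
        mkdir "${cfg.sieveDirectory}"
        chown "${cfg.storage.owner}:${cfg.storage.group}" "${cfg.sieveDirectory}"
        chmod 770 "${cfg.sieveDirectory}"
      fi
    '';
in
{
  config = lib.mkIf cfg.enable {
    # Every account must provide exactly one of: hashed password, hashed
    # password file, password file.
    assertions = map (acct: {
      assertion = lib.length (
        lib.filter (value: value != null) [
          acct.hashedPassword
          acct.hashedPasswordFile
          acct.passwordFile
        ]
      ) == 1;
      message = "Login account ${acct.name} must provide exactly one of password file, hashed password, or hashed password file";
    }) (lib.attrValues cfg.accounts);

    # Warn for accounts that specify both password hash and hash file.
    # NOTE: the assertion above already rejects this combination (two non-null
    # values), so evaluation fails before this warning can be shown; it is kept
    # only for compatibility with the original module.
    warnings = map (acct: "${acct.name} specifies both a password hash and hash file; hash file will be used") (
      lib.filter (acct: (acct.hashedPassword != null && acct.hashedPasswordFile != null)) (
        lib.attrValues cfg.accounts
      )
    );

    users.groups.${cfg.storage.group} = {
      inherit (cfg.storage) gid;
    };

    # mkForce: this module owns the storage user definition outright, so any
    # other definition of the same user is overridden rather than merged.
    users.users.${cfg.storage.owner} = lib.mkForce {
      inherit (cfg.storage) group uid;
      name = cfg.storage.owner;
      isSystemUser = true;
      home = cfg.storage.path;
      createHome = true;
    };

    systemd.services.activate-virtual-mail-users = {
      wantedBy = [ "multi-user.target" ];
      # NOTE(review): the NixOS Dovecot module installs its unit as
      # dovecot2.service; confirm this name matches the unit actually used,
      # otherwise the ordering below has no effect.
      before = [ "dovecot.service" ];
      serviceConfig = {
        # With the default Type=simple, "before" only orders the fork of
        # ExecStart, so Dovecot could start while the directory is still being
        # created. oneshot makes dependents wait until the script has finished.
        Type = "oneshot";
        ExecStart = virtualMailUsersActivationScript;
      };
      enable = true;
    };
  };
}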