{ config, pkgs, ... }:
let
  secrets = import ./secrets.nix;
  hostname = "mail-dumpstack-io";
  domain = "dumpstack.io";
  branch = "22.11";
in {
  imports = [
    ./hardware-configuration.nix
    (builtins.fetchTarball {
      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-${branch}/nixos-mailserver-nixos-${branch}.tar.gz";
    })
  ];

  users.extraUsers.root = {
    openssh.authorizedKeys.keys = [ secrets.pubkey ];
  };

  boot.loader.grub.enable = true;
  boot.loader.grub.version = 2;
  boot.loader.grub.device = "/dev/vda";

  networking.hostName = hostname;

  networking.firewall.allowedTCPPorts = [ 443 ];

  environment.systemPackages = with pkgs; [
    htop vim git
  ];

  security.acme.acceptTerms = true;
  security.acme.certs."mail.${domain}".email = "letsencrypt@${domain}";

  mailserver = {
    enable = true;
    fqdn = "mail.${domain}";
    domains = [ "${domain}" ];
    loginAccounts = {
        "root@${domain}" = {
            hashedPassword = "${secrets.mailHashedPassword}";
            aliases = [ "@${domain}" ];
        };
    };

    certificateScheme = 3;      # Let's Encrypt
    enableImapSsl = true;
  };

  time.timeZone = "UTC";
  services.openssh.enable = true;

  system.autoUpgrade = {
    enable = true;
    allowReboot = true;
  };

  # read release notes carefully before changing it
  system.stateVersion = "21.05";

  nix = {
    optimise.automatic = true;
    gc = {
      automatic = true;
      options = "--delete-older-than 7d";
    };
  };
}