{ lib, pkgs, config, myconfig,  ... }:
let
  domains = (lib.remove null (lib.flatten (map
    (zone: map
      (e: if e.receive
      then {
        domain = "${e.domain}${lib.optionalString (e.domain != "") "."}${zone.name}";
        mail = zone.name;
      }
      else null
      )
      (zone.withEmail or [])
    )
    myconfig.env.dns.masterZones
  )));
  # FIXME: increase the id number in modules/private/dns.nix when this
  # file change (date -u +'%Y%m%d%H%M%S'Z)
  file = domain: pkgs.writeText "mta-sts-${domain.domain}.txt" ''
    version: STSv1
    mode: testing
    mx: mx-1.${domain.mail}
    mx: mx-2.${domain.mail}
    max_age: 604800
    '';
  root = pkgs.runCommand "mta-sts_root" {} ''
    mkdir -p $out
    ${builtins.concatStringsSep "\n" (map (d:
      "cp ${file d} $out/${d.domain}.txt"
    ) domains)}
    '';
  cfg = config.myServices.websites.tools.email;
in
{
  config = lib.mkIf cfg.enable {
    myServices.websites.webappDirs = {
      _mta-sts = root;
    };

    services.websites.env.tools.vhostConfs.mta_sts = {
      certName   = "mail";
      addToCerts = true;
      hosts = ["mta-sts.mail.immae.eu"] ++ map (v: "mta-sts.${v.domain}") domains;
      root = "/run/current-system/webapps/_mta-sts";
      extraConfig = [
        ''
          RewriteEngine on
          RewriteCond %{HTTP_HOST} ^mta-sts.(.*)$
          RewriteRule ^/.well-known/mta-sts.txt$ %{DOCUMENT_ROOT}/%1.txt [L]
          <Directory /run/current-system/webapps/_mta-sts>
            Require all granted
            Options -Indexes
          </Directory>
        ''
      ];
    };
  };
}