nix/modules/nixos/mail-server/mobileconfig.nix

{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.mailserver;
  hasMailDiscoveryConfig = cfg.enable && cfg.fqdn != null && cfg.domains != [ ];
in
lib.mkIf hasMailDiscoveryConfig (
  let
    domain = builtins.head cfg.domains;
    mobileconfigHost = "autoconfig.${domain}";
    radicaleHost = "cal.${domain}";
    mobileconfigPort = 8426;

    safeLegacyPath = email: builtins.replaceStrings [ "@" "+" ] [ "_" "-" ] email;

    accountEntries = lib.filter (entry: entry.domain == domain) (
      lib.mapAttrsToList (
        email: _:
        let
          parts = lib.splitString "@" email;
          username = builtins.head parts;
          domainPart = lib.last parts;
        in
        {
          inherit email username;
          domain = domainPart;
          legacyPath = safeLegacyPath email;
        }
      ) cfg.loginAccounts
    );

    usernames = map (entry: entry.username) accountEntries;
    defaultUsername =
      if lib.length accountEntries == 1 then (builtins.head accountEntries).username else null;

    generatorScript = ./mobileconfig-generator.py;

    accountArgs = lib.concatMapStrings (
      entry: " --account ${entry.username}:${entry.email}:${entry.legacyPath}"
    ) accountEntries;

    defaultUsernameArg =
      if defaultUsername != null then " --default-username ${defaultUsername}" else "";
  in
  {
    assertions = [
      {
        assertion = lib.length usernames == lib.length (lib.unique usernames);
        message = "Mail mobileconfig usernames must be unique within ${domain}.";
      }
    ];

    systemd.services.mobileconfig-generator = {
      description = "Apple mobileconfig generator";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        DynamicUser = true;
        ExecStart =
          lib.concatStringsSep " " [
            "${pkgs.python3}/bin/python3"
            "${generatorScript}"
            "--domain"
            domain
            "--mail-host"
            cfg.fqdn
            "--radicale-host"
            radicaleHost
            "--port"
            (toString mobileconfigPort)
          ]
          + defaultUsernameArg
          + accountArgs;
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectHome = true;
        ProtectSystem = "strict";
        Restart = "always";
      };
    };

    services.nginx.virtualHosts.${mobileconfigHost}.locations = {
      "= /mobileconfig".return = "308 /mobileconfig/$is_args$args";
      "/mobileconfig/" = {
        proxyPass = "http://127.0.0.1:${toString mobileconfigPort}";
        extraConfig = ''
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
        '';
      };
    };
  }
)