# NixOS module wiring Dovecot and Roundcube to Kanidm as an OAuth2 provider.
# The Kanidm client secret is consumed in two places: a vault-agent-rendered
# Dovecot oauth2 passdb file (root, 0600) and the Roundcube PHP config, which
# reads the client-application secret file directly.
{ config, ... }:
let
  # Rendered Dovecot oauth2 passdb configuration; written by vault-agent below
  # and referenced from the Dovecot passdb block and the dovecot2 unit.
  oauthConfigFile = "/run/secret/dovecot/dovecot-oauth2.conf.ext";
in
{
  config = {
    # Registers the "dovecot" OAuth2 client application with Kanidm.
    # NOTE(review): perms = "0644" makes the client secret file world-readable,
    # while the same secret (presumably the basic_secret rendered into
    # oauthConfigFile below) is kept at 0600. Only Roundcube needs to read
    # this file here, so a tighter owner/mode (or a group grant for the
    # Roundcube PHP user) would be preferable — confirm what the
    # kanidm-client-application module supports before changing.
    khscodes.infrastructure.kanidm-client-application = {
      enable = true;
      appName = "dovecot";
      secretOwner = "root";
      perms = "0644";
    };

    # vault-agent renders the Dovecot oauth2 passdb file from the Vault KV
    # entry and restarts dovecot2.service whenever it changes.
    khscodes.services.vault-agent.templates = [
      {
        # The client secret is embedded as the basic-auth userinfo of the
        # introspection URL, which is why this file is root-only (0600).
        # NOTE(review): a basic_secret containing URL-reserved characters
        # (e.g. '@', ':', '/') would break the URL — verify Kanidm's secret
        # alphabet or URL-encode the value in the template.
        contents = ''
          {{- with secret "kanidm/data/apps/dovecot" -}}
          scope = email openid profile
          username_attribute = username
          introspection_url = https://dovecot:{{ .Data.data.basic_secret }}@login.kaareskovgaard.net/oauth2/token/introspect
          introspection_mode = post
          {{- end -}}
        '';
        destination = oauthConfigFile;
        perms = "0600";
        owner = "root";
        group = "root";
        restartUnits = [ "dovecot2.service" ];
      }
    ];

    # Roundcube side of the same Kanidm client: OAuth2 login plus
    # XOAUTH2/OAUTHBEARER against Dovecot using the obtained token.
    # NOTE(review): file_get_contents() returns the file verbatim; if the
    # secret file ends with a newline the client secret will be wrong —
    # confirm how the secret file is written, or wrap it in trim().
    services.roundcube.extraConfig = ''
      $config['oauth_provider'] = 'generic';
      $config['oauth_provider_name'] = 'Kanidm';
      $config['oauth_client_id'] = 'dovecot';
      $config['oauth_client_secret'] = file_get_contents("${config.khscodes.infrastructure.kanidm-client-application.secretFile}");
      $config['oauth_auth_uri'] = 'https://login.kaareskovgaard.net/ui/oauth2';
      $config['oauth_token_uri'] = 'https://login.kaareskovgaard.net/oauth2/token';
      $config['oauth_identity_uri'] = 'https://login.kaareskovgaard.net/oauth2/openid/dovecot/userinfo';
      $config['oauth_identity_fields'] = ['preferred_username'];
      $config['oauth_scope'] = 'email openid profile';
    '';

    # Enables the OAuth2 SASL mechanisms in Dovecot and adds an oauth2 passdb
    # that validates bearer tokens via the introspection endpoint configured
    # in oauthConfigFile (Nix interpolates the path into the passdb args).
    services.dovecot2.extraConfig = ''
      auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
      passdb {
        driver = oauth2
        mechanisms = xoauth2 oauthbearer
        args = ${oauthConfigFile}
      }
    '';

    # Dovecot must never modify the rendered secret file, and should not start
    # before vault-agent has produced it (the template's restartUnits brings
    # the service up once the file exists).
    systemd.services.dovecot2 = {
      serviceConfig.ReadOnlyPaths = [ oauthConfigFile ];
      unitConfig.ConditionPathExists = [ oauthConfigFile ];
    };
  };
}