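# Dovecot IMAP server profile: a single 'vmail' system account owns a shared
# Maildir tree under $maildir_path, users come from a flat passwd-file, and
# TLS is mandatory for client connections.
#
# @param tls_cert_file PEM certificate presented to clients (Dovecot ssl_cert).
# @param tls_key_file  PEM private key (Dovecot ssl_key). The default is the
#   same path as the certificate, which only works when that file contains
#   both the certificate and the key — NOTE(review): confirm the issuing
#   pipeline writes a combined PEM, otherwise pass the key path explicitly.
# @param tls_ca_file   CA bundle handed to Dovecot's ssl_ca setting.
# @param maildir_path  Root of the mail store; managed here as a directory
#   owned by vmail.
# @param maildir_var   Dovecot variable template appended below $maildir_path
#   (%d = domain part of the login, %n = user part).
# @param hostname      Node certname. Not referenced by any resource below;
#   kept so existing callers that pass it keep working.
# @param listen        Addresses Dovecot binds to.
# @param protocols     Dovecot protocols to enable.
class profiles::dovecot::server (
  Stdlib::Absolutepath $tls_cert_file = '/etc/pki/tls/vault/certificate.pem',
  Stdlib::Absolutepath $tls_key_file  = '/etc/pki/tls/vault/certificate.pem',
  Stdlib::Absolutepath $tls_ca_file   = '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
  Stdlib::Absolutepath $maildir_path  = '/var/vmail',
  String               $maildir_var   = '%d/%n',
  String               $hostname      = $trusted['certname'],
  Array[String]        $listen        = ['*', '::'],
  Array[String]        $protocols     = ['imap'],
) {
  # uid/gid 5000 is repeated in the user, group and the first/last_valid_*
  # Dovecot settings; keep them in one place so they cannot drift apart.
  $vmail_id = 5000

  # Primary group first so the user's numeric gid resolves to a managed group.
  group { 'vmail':
    ensure => present,
    gid    => $vmail_id,
    system => true,
  }

  # Unprivileged owner of the mail store. No login shell and no home
  # management: the maildir is created by the file resource below.
  user { 'vmail':
    ensure     => present,
    uid        => $vmail_id,
    gid        => $vmail_id,
    home       => $maildir_path,
    shell      => '/usr/sbin/nologin',
    managehome => false,
    system     => true,
    require    => Group['vmail'],
  }

  # Root of the mail store. Puppet autorequires User/Group from owner/group.
  file { $maildir_path:
    ensure => directory,
    owner  => 'vmail',
    group  => 'vmail',
    mode   => '0755',
  }

  # Cipher preference list. 3DES suites were dropped from the original list:
  # they are 64-bit block ciphers (SWEET32 class) and nothing that negotiates
  # TLSv1.2 (the floor set in ssl_min_protocol) needs them; '!3DES' makes the
  # exclusion explicit regardless of what the positive groups expand to.
  $ssl_cipher_list = join([
    'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES',
    'RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!3DES',
  ], ':')

  $main_config = {
    values   => {
      'listen'                    => join($listen, ', '),
      'protocols'                 => join($protocols, ' '),
      'default_login_user'        => 'vmail',
      'default_internal_user'     => 'vmail',
      # Pin the valid uid/gid window to the single vmail account so a
      # misconfigured userdb entry cannot deliver mail as any other user.
      'first_valid_uid'           => "${vmail_id}",
      'last_valid_uid'            => "${vmail_id}",
      'first_valid_gid'           => "${vmail_id}",
      'last_valid_gid'            => "${vmail_id}",
      'mail_uid'                  => 'vmail',
      'mail_gid'                  => 'vmail',
      'mail_location'             => "maildir:${maildir_path}/${maildir_var}/Maildir",
      # Networks allowed to skip the TLS requirement below. NOTE(review):
      # 10.0.0.0/8 is broad; confirm it matches the actual MUA/MTA segment.
      'login_trusted_networks'    => '10.0.0.0/8 127.0.0.0/8 [::1]/128',
      # Left as in the original. With ssl => 'required' this only matters
      # for login_trusted_networks clients; set to 'yes' if those should
      # also be forced onto TLS before authenticating.
      'disable_plaintext_auth'    => 'no',
      # NOTE(review): cram-md5 requires the passwd-file to hold CRAM-MD5
      # hashes, which are password-equivalent if the file leaks. Consider
      # dropping it once no client depends on it; plain/login over TLS is
      # sufficient with a strong stored hash scheme.
      'auth_mechanisms'           => 'cram-md5 plain login',
      'ssl'                       => 'required',
      'ssl_cert'                  => $tls_cert_file,
      'ssl_key'                   => $tls_key_file,
      'ssl_ca'                    => $tls_ca_file,
      'ssl_min_protocol'          => 'TLSv1.2',
      'ssl_cipher_list'           => $ssl_cipher_list,
      'ssl_prefer_server_ciphers' => 'yes',
    },
    sections => [
      {
        name   => 'passdb',
        values => {
          'driver' => 'passwd-file',
          # Scheme must match auth_mechanisms above; see the CRAM-MD5 note.
          'args'   => 'scheme=CRAM-MD5 username_format=%u /etc/dovecot/users',
        },
      },
      {
        name   => 'userdb',
        values => {
          'driver' => 'static',
          'args'   => "uid=vmail gid=vmail home=${maildir_path}/${maildir_var}",
        },
      },
    ],
  }

  # # Postfix smtp-auth
  # # unix_listener /var/spool/postfix/private/auth {
  # #   mode  = 0666
  # #   user  = postfix
  # #   group = postfix
  # # }

  # Hand the assembled configuration to the dovecot module. The account and
  # mail store must exist before the service reads its config.
  class { 'dovecot':
    main_config        => $main_config,
    include_sysdefault => false,
    require            => [User['vmail'], Group['vmail'], File[$maildir_path]],
  }
}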