{ pkgs, config, ... }:

let
  startISync = pkgs.writeShellScriptBin "start-isync" ''
    systemctl start isync.service
  '';
in
{
  # Might want to run mbsync manually
  environment.systemPackages = with pkgs; [ isync startISync ];

  # Setup spacekookie-mail user
  users.users.spacekookie-mail = {
    createHome = true;
    group = "spacekookie";
    home = "/var/lib/spacekookie-mail";
  };
  
  systemd.services.isync =
    let
      maildir = "${config.users.users.spacekookie.home}/Office/mail";
      mbsyncrc = pkgs.writeText "mbsyncrc"
        (import ../../../ext/mail/mbsyncrc.nix { inherit maildir; });
    in with pkgs; {
      serviceConfig.Type = "oneshot";
      script = ''
        ${sudo}/bin/sudo -u spacekookie-mail \
        ${isync}/bin/mbsync -a -V -c ${mbsyncrc}
      '';
      postStart = ''
        ${findutils}/bin/find \
            "${maildir}" \
            \! -name .mbsyncstate* \
            \( \
              \( \! -user spacekookie -o \! -group spacekookie \) \
              -exec ${coreutils}/bin/chown spacekookie:spacekookie '{}' \; \
            , \
              -type f \! -perm 660 \
              -exec ${coreutils}/bin/chmod 0660 '{}' \; \
            , \
              -type d \! -perm 770 \
              -exec ${coreutils}/bin/chmod 0770 '{}' \; \
            \)
            ${sudo}/bin/sudo -u spacekookie \
              ${notmuch}/bin/notmuch new
      '';
    };

  systemd.timers.isync = {
    timerConfig.Unit = "isync.service";
    timerConfig.OnCalendar = "*:0/5";
    timerConfig.Persistent = "true";
    after = [ "network-online.target" ];
    wantedBy = [ "timers.target" ];
  };

  # This sudoers rule allows anyone in the wheel group to run this
  # particular command without a password. Make sure that 'startISync'
  # is present in a path (environment.systemPackages above)!
  security.sudo.extraRules = [
    { commands = [ { command = "${startISync}/bin/start-isync";
                     options = [ "NOPASSWD" ]; } ];
      groups = [ "wheel" ];  }
  ];
}