{ config, ... }:
{
  # required for elasticsearch
  nixpkgs.config.allowUnfree = true;
  age.secrets.dmarc = {
    file = ../../../../secrets/falkenstein/dmarc.age;
  };
  users.users.dmarc = {
    description = "DMARC Report recipient";
    isNormalUser = true;
  };
  networking.firewall.allowedTCPPorts = [ 9200 ];
  services.elasticsearch.listenAddress = "0.0.0.0";
  services.parsedmarc = {
    enable = true;
    provision = {
      grafana = {
        dashboard = false;
        datasource = false;
      };
      localMail.enable = false;
      elasticsearch = true;
      geoIp = false;
    };
    settings = {
      imap = {
        user = "dmarc@rfive.de";
        port = 993;
        host = "mail.rfive.de";
        password = {
          _secret = config.age.secrets.dmarc.path;
        };
      };
    };
  };
}