let
  certs = import ./common/acme/server/snakeoil-certs.nix;
  domain = certs.domain;
in
import ./make-test-python.nix ({ pkgs, ... }: {
  name = "alps";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ hmenke ];
  };

  nodes = {
    server = {
      imports = [ ./common/user-account.nix ];
      security.pki.certificateFiles = [
        certs.ca.cert
      ];
      networking.extraHosts = ''
        127.0.0.1 ${domain}
      '';
      networking.firewall.allowedTCPPorts = [ 25 465 993 ];
      services.postfix = {
        enable = true;
        enableSubmission = true;
        enableSubmissions = true;
        tlsTrustedAuthorities = "${certs.ca.cert}";
        sslCert = "${certs.${domain}.cert}";
        sslKey = "${certs.${domain}.key}";
      };
      services.dovecot2 = {
        enable = true;
        enableImap = true;
        sslCACert = "${certs.ca.cert}";
        sslServerCert = "${certs.${domain}.cert}";
        sslServerKey = "${certs.${domain}.key}";
      };
    };

    client = { nodes, config, ... }: {
      security.pki.certificateFiles = [
        certs.ca.cert
      ];
      networking.extraHosts = ''
        ${nodes.server.config.networking.primaryIPAddress} ${domain}
      '';
      services.alps = {
        enable = true;
        theme = "alps";
        imaps = {
          host = domain;
          port = 993;
        };
        smtps = {
          host = domain;
          port = 465;
        };
      };
      environment.systemPackages = [
        (pkgs.writers.writePython3Bin "test-alps-login" { } ''
          from urllib.request import build_opener, HTTPCookieProcessor, Request
          from urllib.parse import urlencode, urljoin
          from http.cookiejar import CookieJar

          baseurl = "http://localhost:${toString config.services.alps.port}"
          username = "alice"
          password = "${nodes.server.config.users.users.alice.password}"
          cookiejar = CookieJar()
          cookieprocessor = HTTPCookieProcessor(cookiejar)
          opener = build_opener(cookieprocessor)

          data = urlencode({"username": username, "password": password}).encode()
          req = Request(urljoin(baseurl, "login"), data=data, method="POST")
          with opener.open(req) as ret:
              # Check that the alps_session cookie is set
              print(cookiejar)
              assert any(cookie.name == "alps_session" for cookie in cookiejar)

          req = Request(baseurl)
          with opener.open(req) as ret:
              # Check that the alps_session cookie is still there...
              print(cookiejar)
              assert any(cookie.name == "alps_session" for cookie in cookiejar)
              # ...and that we have not been redirected back to the login page
              print(ret.url)
              assert ret.url == urljoin(baseurl, "mailbox/INBOX")

          req = Request(urljoin(baseurl, "logout"))
          with opener.open(req) as ret:
              # Check that the alps_session cookie is now gone
              print(cookiejar)
              assert all(cookie.name != "alps_session" for cookie in cookiejar)
        '')
      ];
    };
  };

  testScript = { nodes, ... }: ''
    server.start()
    server.wait_for_unit("postfix.service")
    server.wait_for_unit("dovecot2.service")
    server.wait_for_open_port(465)
    server.wait_for_open_port(993)

    client.start()
    client.wait_for_unit("alps.service")
    client.wait_for_open_port(${toString nodes.client.config.services.alps.port})
    client.succeed("test-alps-login")
  '';
})