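{ pkgs, lib, config, ... }:
# NixOS module for the Matrix homeserver (Synapse) at matrix.federez.net,
# fronted by nginx with ACME TLS and backed by a local PostgreSQL.
let
  cfg = config.services.matrix-synapse;
  fqdn = "matrix.federez.net";
  baseUrl = "https://${fqdn}";
in {
  # Only HTTP/HTTPS are exposed; the Synapse listener itself (8008) stays on loopback.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.postgresql.enable = true;
  # NOTE(review): pkgs.writeText puts this script in the world-readable Nix store, so the
  # role password below is not a secret. It is only relevant if something authenticates to
  # PostgreSQL with a password (e.g. over TCP); a peer-authenticated unix-socket connection
  # does not use it. Confirm which connection method the Synapse database settings use, or
  # move the password into an age secret like the shared secret further down.
  services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
    CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
    CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
      TEMPLATE template0
      LC_COLLATE = "C"
      LC_CTYPE = "C";
  '';

  # Backup option defined elsewhere in this configuration: cover Synapse's data
  # directory (media, signing keys) and its database together.
  backups = {
    directories = [ cfg.dataDir ];
    postgresqlDatabases = [ "matrix-synapse" ];
  };

  # Surgical operations for various databases.
  environment.systemPackages = [ pkgs.matrix-synapse pkgs.sqlite ];

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    virtualHosts = {
      "${fqdn}" = {
        enableACME = true;
        forceSSL = true;
        # It's also possible to do a redirect here or something else, this vhost is not
        # needed for Matrix. It's recommended though to *not put* a web client such as
        # Element on the homeserver's origin (see the Synapse reverse-proxy docs);
        # everything outside the API paths below is refused.
        locations."/".extraConfig = ''
          return 404;
        '';
        # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
        # *must not* be used here.
        locations."/_matrix".proxyPass = "http://[::1]:8008";
        # Forward requests for e.g. SSO and password-resets.
        locations."/_synapse/client".proxyPass = "http://[::1]:8008";
      };
    };
  };

  services.matrix-synapse = {
    enable = true;
    settings.server_name = "federez.net";
    # The public base URL must match the `base_url` that clients are given for this
    # homeserver (e.g. in the `.well-known/matrix/client` document served for
    # `server_name`; that document is not produced by this module). The default value
    # here is based on `server_name`, so if your `server_name` is different from the
    # value of `fqdn` above, you will likely run into some mismatched domain names in
    # client applications.
    settings.public_baseurl = baseUrl;
    settings.app_service_config_files = [
      #"/var/lib/matrix-synapse/telegram-registration.yaml"
      "/var/lib/matrix-synapse/irc-registration.yml"
    ];
    settings.listeners = [
      {
        port = 8008;
        # Loopback only: this listener is reachable solely through the nginx proxy
        # above, which is what makes trusting X-Forwarded-* (x_forwarded) acceptable.
        bind_addresses = [ "::1" ];
        type = "http";
        tls = false;
        x_forwarded = true;
        resources = [
          {
            names = [ "client" "federation" ];
            compress = true;
          }
        ];
      }
    ];
    # Shared-secret settings are kept out of the Nix store as an age secret
    # (decrypted at activation; contents not visible here).
    extraConfigFiles = [ config.age.secrets.matrix-shared-secret.path ];
  };

  age.secrets.matrix-shared-secret = {
    file = ../secrets/matrix-shared-secret.age;
    owner = "matrix-synapse";
    group = "matrix-synapse";
  };
}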