{ ... }:

let
  # Public Matrix server name (the part after the colon in user IDs) and
  # the host that actually runs Synapse behind nginx.
  domain = "jeppers.app";
  fqdn = "matrix.${domain}";
  baseUrl = "https://${fqdn}";

  # Bodies of the two well-known delegation documents: user IDs live on
  # ${domain}, clients and federation peers are sent to ${fqdn}.
  clientConfig = {
    "m.homeserver" = {
      base_url = baseUrl;
    };
  };
  serverConfig = {
    "m.server" = "${fqdn}:443";
  };

  # Render an attrset as a static JSON response. The wildcard CORS header
  # lets browser-based clients on other origins read the client document.
  wellKnownResponse = body: ''
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON body}';
  '';

  # Single source of truth for the upload limit, applied to Synapse and to
  # the nginx front end alike so the two cannot drift apart.
  maxUploadSize = "20M";

  # Synapse is reached on loopback only; nginx terminates TLS in front of it.
  synapseUpstream = "http://[::1]:8008";
in
{
  services.matrix-synapse = {
    enable = true;
    settings = {
      server_name = domain;
      public_baseurl = baseUrl;
      max_upload_size = maxUploadSize;
      listeners = [
        {
          port = 8008;
          # Loopback only: the plain-HTTP listener is not reachable from
          # outside this host.
          bind_addresses = [ "::1" ];
          type = "http";
          tls = false;
          # Take client addresses from the proxy's X-Forwarded-For header
          # instead of logging ::1 for every request.
          x_forwarded = true;
          resources = [
            {
              names = [ "client" "federation" ];
              compress = true;
            }
          ];
        }
      ];
    };
    # The shared secret is read from a file outside the Nix store; putting
    # it in `settings` would make it world-readable under /nix/store.
    extraConfigFiles = [ "/var/custom-access/matrix-shared-secret" ];
  };

  services.nginx.virtualHosts = {
    # The bare domain serves nothing but the two delegation documents.
    "${domain}" = {
      enableACME = true;
      onlySSL = true;
      locations."= /.well-known/matrix/server".extraConfig = wellKnownResponse serverConfig;
      locations."= /.well-known/matrix/client".extraConfig = wellKnownResponse clientConfig;
    };

    # The homeserver host. Only the client/federation API prefixes are
    # proxied; every other path (including /_synapse/admin) falls through
    # to the catch-all 404 below and never reaches Synapse.
    "${fqdn}" = {
      enableACME = true;
      onlySSL = true;
      extraConfig = ''
        client_max_body_size ${maxUploadSize};
      '';
      locations = {
        "/".extraConfig = ''
          return 404;
        '';
        "/_matrix".proxyPass = synapseUpstream;
        "/_synapse/client".proxyPass = synapseUpstream;
      };
    };
  };

  # NOTE(review): no database is provisioned here. The module's default
  # database settings presumably expect a local PostgreSQL database for
  # Synapse to already exist -- confirm it is created elsewhere.
  services.postgresql.enable = true;
}