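{ pkgs, config, ... }:
let
  # Matrix server name (user IDs are @user:consortium.chat). The homeserver
  # itself is reached through the delegated host, advertised via .well-known.
  canonicalDomain = "consortium.chat";
  delegatedDomain = "matrix.consortium.chat";
  adminAppDomain = "admin.consortium.chat";
in
{
  # Secrets (registration shared secret, signing/macaroon keys, DB credentials,
  # ...) are decrypted by agenix at activation and merged into homeserver.yaml
  # via extraConfigFiles, so they never land in the world-readable Nix store.
  age.secrets.matrix-synapse-secrets = {
    file = ./secrets/matrix-synapse-secrets.yaml;
    owner = "matrix-synapse";
    mode = "400";
  };

  services.matrix-synapse = {
    enable = true;
    settings = {
      server_name = canonicalDomain;
      # Synapse's config schema is `database.name` / `database.args`.
      # `database_type` / `database_args` are the names of an older NixOS
      # module option, not Synapse keys; placed under `settings` they are
      # passed through and ignored, which leaves the module's SQLite default
      # in effect. NOTE(review): confirm against the deployed nixpkgs release.
      database = {
        name = "psycopg2";
        # Connection user/password/host are expected to come from the agenix
        # secrets file or local peer auth -- not visible here, verify.
        args.database = "matrix-synapse";
      };
    };
    extraConfigFiles = [ config.age.secrets.matrix-synapse-secrets.path ];
  };

  services.caddy.virtualHosts = {
    ${canonicalDomain}.extraConfig =
      let
        wellknown = {
          server = builtins.toJSON { "m.server" = "${delegatedDomain}:443"; };
          client = builtins.toJSON { "m.homeserver".base_url = "https://${delegatedDomain}"; };
        };
      in
      ''
        # Web clients fetch /.well-known/matrix/client cross-origin and
        # federation/client discovery expects JSON, so serve both documents
        # with an explicit Content-Type and a permissive CORS header
        # (Caddy's `respond` sets neither on its own).
        header /.well-known/matrix/* Content-Type application/json
        header /.well-known/matrix/* Access-Control-Allow-Origin *
        respond /.well-known/matrix/server `${wellknown.server}` 200
        respond /.well-known/matrix/client `${wellknown.client}` 200

        # Proxy only the Matrix API prefixes, mirroring the delegated host,
        # instead of the whole Synapse listener. The admin API is kept
        # reachable here because the synapse-admin SPA needs it; it requires
        # an admin access token, but consider a `remote_ip` matcher so only
        # trusted source addresses can hit /_synapse/admin at all.
        reverse_proxy /_matrix/* localhost:8008
        reverse_proxy /_synapse/client/* localhost:8008
        reverse_proxy /_synapse/admin/* localhost:8008
        header Strict-Transport-Security "max-age=63072000; includeSubDomains"
      '';

    ${delegatedDomain}.extraConfig = ''
      # Federation and client traffic. Only Matrix API prefixes are proxied;
      # the admin API and anything else Synapse binds on its client listener
      # is not reachable through this host.
      reverse_proxy /_matrix/* localhost:8008
      reverse_proxy /_synapse/client/* localhost:8008
      # HSTS is set per host rather than relying on includeSubDomains from the
      # apex, since a client may never have visited the apex first.
      header Strict-Transport-Security "max-age=63072000; includeSubDomains"
    '';

    ${adminAppDomain}.extraConfig = ''
      # synapse-admin is a static SPA that drives the homeserver's admin API
      # with the operator's access token. Its files are served to anyone; if
      # that is not intended, gate this host (remote_ip, basic_auth or
      # forward_auth) in addition to the token check Synapse itself performs.
      root * ${pkgs.synapse-admin}
      file_server
      header Strict-Transport-Security "max-age=63072000; includeSubDomains"
    '';
  };
}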