{ config, ... }:
let domain = "leaf.ninja";
in {
  age.secrets.synapse-secrets-config.file =
    ./secrets/synapse-secrets-config.age;

  services.matrix-synapse = {
    enable = true;
    extraConfigFiles = [ config.age.secrets.synapse-secrets-config.path ];
    settings = {
      server_name = domain;
      database_type = "psycopg2";
      database_args.database = "matrix-synapse";
    };
  };

  networking.firewall.allowedTCPPorts = [
    8448 # Matrix federation
  ];

  services.caddy = {
    enable = true;
    virtualHosts."matrix.${domain}".extraConfig = ''
      reverse_proxy /_matrix/* localhost:8008
      reverse_proxy /_synapse/client/* localhost:8008
    '';
  };
}