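# NixOS module: Matrix Synapse homeserver behind nginx with ACME certificates.
#
# Layout:
#   - `domain` (itamar.site) serves only the /.well-known/matrix/{server,client}
#     delegation documents, so Matrix IDs stay @user:itamar.site while the
#     homeserver itself lives on `fqdn`.
#   - `fqdn` (matrix.itamar.site) reverse-proxies to Synapse on 127.0.0.1:8008.
#   - PostgreSQL is the Synapse database backend.
{ config, pkgs, lib, ... }:

let
  fqdn = "matrix.itamar.site";
  domain = "itamar.site";
in
{
  # Only nginx's HTTP/HTTPS ports need to be reachable from outside: federation
  # is delegated to ${fqdn}:443 via /.well-known/matrix/server below, and no
  # listener (Synapse or nginx) is configured on 8448, so that port is not
  # opened - keeping the exposed surface to what actually serves traffic.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.postgresql = {
    enable = true;
    # Runs once, on first initialisation of the database cluster.
    # NOTE(review): the source had `PASSWORD ''` here, which inside a Nix
    # `''…''` string terminates the string; `'''` is the indented-string escape
    # that yields SQL `''`, i.e. an EMPTY role password. That does not match
    # `database.args.password` further down - confirm which one is intended
    # (or move to local peer authentication and drop the password entirely).
    initialScript = pkgs.writeText "synapse-init.sql" ''
      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD ''';
      CREATE DATABASE "matrix-synapse" ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' TEMPLATE=template0 OWNER "matrix-synapse";
    '';
  };

  services.matrix-synapse = {
    enable = true;
    settings = {
      # server_name is the domain in Matrix IDs; the API is reached via fqdn.
      server_name = domain;
      public_baseurl = "https://${fqdn}";

      # Single plaintext listener bound to loopback only. TLS termination and
      # the real client address come from nginx, hence x_forwarded = true.
      listeners = [{
        port = 8008;
        bind_addresses = [ "127.0.0.1" ];
        type = "http";
        tls = false;
        x_forwarded = true;
        resources = [{
          names = [ "client" "federation" ];
          compress = false;
        }];
      }];

      database = {
        name = "psycopg2";
        args = {
          user = "matrix-synapse";
          # SECURITY(review): a literal here ends up world-readable in
          # /nix/store (and in any repository this file is committed to).
          # Move it into the secrets file listed in extraConfigFiles below -
          # Synapse merges later config files over earlier ones, so the key
          # can simply be set there - and rotate the credential afterwards.
          password = "galoisoverGF2";
          database = "matrix-synapse";
          host = "localhost";
          cp_min = 5;
          cp_max = 10;
        };
      };

      enable_registration = false;
      # Left empty in the store-visible config; expected to be supplied through
      # extraConfigFiles if the shared-secret registration API is used (TODO confirm).
      registration_shared_secret = "";
      media_store_path = "/var/lib/matrix-synapse/media";
      log_config = "/var/lib/matrix-synapse/log.yaml";
    };
    # Loaded in addition to the generated homeserver.yaml; the right place for
    # every secret (database password, registration_shared_secret, …).
    extraConfigFiles = [ "/run/secrets/synapse.yaml" ];
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "itamar@itamar.site";
  };

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    virtualHosts = {
      # itamar.site: serves only the Matrix delegation documents.
      "${domain}" = {
        enableACME = true;
        forceSSL = true;

        # Server delegation: federation traffic for itamar.site goes to
        # matrix.itamar.site on 443 (this is why 8448 is not needed).
        locations."= /.well-known/matrix/server".extraConfig =
          let
            server = { "m.server" = "${fqdn}:443"; };
          in ''
            add_header Content-Type application/json;
            return 200 '${builtins.toJSON server}';
          '';

        # Client auto-discovery. The permissive CORS header is required so that
        # browser-based clients can read this document cross-origin.
        locations."= /.well-known/matrix/client".extraConfig =
          let
            client = {
              "m.homeserver" = { "base_url" = "https://${fqdn}"; };
              "m.identity_server" = { "base_url" = "https://vector.im"; };
            };
          in ''
            add_header Content-Type application/json;
            add_header Access-Control-Allow-Origin *;
            return 200 '${builtins.toJSON client}';
          '';
      };

      # matrix.itamar.site — reverse proxy to Synapse
      "${fqdn}" = {
        enableACME = true;
        forceSSL = true;
        # Everything under / is forwarded, which includes the /_synapse/admin
        # API; consider an additional location restricting it to trusted
        # addresses if it is not needed from the public internet.
        locations."/" = {
          proxyPass = "http://127.0.0.1:8008";
          # X-Forwarded-For is pinned to $remote_addr rather than appended to,
          # so a client-supplied header cannot spoof the address Synapse logs
          # and rate-limits on. Keep client_max_body_size in step with
          # Synapse's max_upload_size.
          extraConfig = ''
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            client_max_body_size 50M;
          '';
        };
      };
    };
  };
}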