# NixOS module for the terranix.org Matrix host.
#
# Only the PostgreSQL container below is active. The Dendrite homeserver, its
# signing-key credential and the nginx virtual hosts are kept as commented-out
# configuration.
{ config, pkgs, ... }:
let
  # Federation server name, read from the Dendrite settings. Nix is lazy, so
  # this is only forced when something references it; in this file that is
  # the Element derivation and the commented-out vhosts.
  # NOTE(review): the `services.dendrite` block that sets this value is
  # commented out below; confirm it is defined elsewhere before re-enabling
  # anything that uses `server_name`.
  server_name = config.services.dendrite.settings.global.server_name;

  # Public host name that serves the client API and Element.
  nginx-vhost = "matrix.terranix.org";

  # Copy of element-web whose config.json points at this homeserver.
  # The dotted name is an attribute path: it defines the set
  # `element-web-terranix` with the single attribute `org`.
  element-web-terranix.org =
    pkgs.runCommand "element-web-with-config"
      {
        nativeBuildInputs = [ pkgs.buildPackages.jq ];
      }
      ''
        cp -r ${pkgs.element-web} $out
        chmod -R u+w $out
        jq '."default_server_config"."m.homeserver" = { "base_url": "https://${nginx-vhost}:443", "server_name": "${server_name}" }' \
          > $out/config.json < ${pkgs.element-web}/config.json
        ln -s $out/config.json $out/config.${nginx-vhost}.json
      '';
in
{
  # postgresql instance dedicated to matrix
  # todo : mount postgresql folder in a dedicated zfs pool
  #
  # NOTE(review): with `privateNetwork = false` the container shares the
  # host's network namespace, so PostgreSQL listens on the host's own
  # interfaces rather than an isolated one. Nothing here sets listen
  # addresses, authentication rules, databases or roles, so the module
  # defaults apply; confirm that is the intended exposure.
  # NOTE(review): the container is named after synapse while the homeserver
  # configured below is dendrite; confirm which service is meant to use it.
  containers = {
    synapse-postgresql = {
      privateNetwork = false;
      autoStart = true;
      config = { config, pkgs, lib, ... }: {
        services.postgresql.enable = true;
        system.stateVersion = "23.11";
      };
    };
  };

  # Generating the homeserver signing key:
  # $ nix-shell -p dendrite --run 'generate-keys --private-key /tmp/key'
  # NOTE(review): /tmp is a shared directory. Prefer generating the key in a
  # directory only the operator can read, encrypt it into sops, then remove
  # the plaintext copy.
  #sops.secrets.matrix-server-key = { };

  #services.dendrite = {
  #  enable = true;
  #  # NOTE(review): confirm which address dendrite binds this port on and
  #  # that the firewall only allows the nginx proxy to reach it; the
  #  # `real_ip_header` setting below trusts whatever the peer sends.
  #  httpPort = 8448;
  #  settings = {
  #    global = {
  #      server_name = "terranix.org";
  #      # `private_key` has the type `path`
  #      # prefix a `/` to make `path` happy
  #      private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key";
  #      # NOTE(review): every entry is trusted to validate third-party
  #      # identifiers; keep the list to servers that are actually used.
  #      trusted_third_party_id_servers = [
  #        "matrix.org"
  #        "vector.im"
  #        "xaos.space"
  #        "lassul.us"
  #        "thalheim.io"
  #        "nixos.org"
  #      ];
  #      metrics.enabled = false;
  #    };
  #    logging = [
  #      {
  #        type = "std";
  #        level = "warn";
  #      }
  #    ];
  #    client_api = {
  #      registration_disabled = true;
  #      # NOTE(review): with rate limiting off, nothing in this file
  #      # throttles repeated login attempts; nginx does not add a limit
  #      # either. Consider enabling it or limiting at the proxy.
  #      rate_limiting.enabled = false;
  #      # set only for the first admin account, then remove.
  #      # NOTE(review): a literal secret here ends up in the world-readable
  #      # Nix store; supply it from a secret file instead.
  #      #registration_shared_secret = ""; # disable once first admin account is created
  #    };
  #    media_api = {
  #      dynamic_thumbnails = true;
  #    };
  #    mscs = {
  #      mscs = [ "msc2836" "msc2946" ];
  #    };
  #    sync_api = {
  #      # Matches the X-Real-IP header nginx sets in the vhost below.
  #      real_ip_header = "X-Real-IP";
  #    };
  #    federation_api = {
  #      # NOTE(review): these are pinned notary keys; verify them against
  #      # the keys matrix.org currently publishes before enabling.
  #      key_perspectives = [
  #        {
  #          server_name = "matrix.org";
  #          keys = [
  #            {
  #              key_id = "ed25519:auto";
  #              public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
  #            }
  #            {
  #              key_id = "ed25519:a_RXGa";
  #              public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
  #            }
  #          ];
  #        }
  #      ];
  #      prefer_direct_fetch = false;
  #    };
  #  };
  #};

  # The signing key is handed to the unit as a systemd credential, which is
  # what makes $CREDENTIALS_DIRECTORY in `private_key` above resolve.
  #systemd.services.dendrite.serviceConfig.LoadCredential = [
  #  "matrix-server-key:${config.sops.secrets.matrix-server-key.path}"
  #];

  #services.nginx.virtualHosts.${nginx-vhost} = {
  #  forceSSL = true;
  #  enableACME = true;
  #  extraConfig = ''
  #    proxy_set_header Host $host;
  #    proxy_set_header X-Real-IP $remote_addr;
  #    proxy_read_timeout 600;
  #  '';
  #  locations."/_matrix".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
  #  # for remote admin access
  #  # NOTE(review): this publishes the admin API on the public vhost with
  #  # no source restriction at the proxy; consider an allow-list or VPN.
  #  locations."/_synapse".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
  #  locations."/".root = element-web-terranix.org;
  #};

  # Delegation documents served from the bare server name.
  #services.nginx.virtualHosts.${server_name} = {
  #  locations."= /.well-known/matrix/server".alias =
  #    pkgs.writeText "matrix-server" (builtins.toJSON { "m.server" = "${nginx-vhost}:443"; });
  #  locations."= /.well-known/matrix/client".alias =
  #    pkgs.writeText "matrix-client" (builtins.toJSON { "m.homeserver".base_url = "https://${nginx-vhost}"; });
  #};
}