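{ config, pkgs, ... }:
let
  # Public host name under which the homeserver is served (and under which
  # Element would be served if the commented-out vhost below is re-enabled).
  fqdn = "matrix.terranix.org";

  # Name of the nginx vhost that fronts the homeserver.  Used by the Element
  # config derivation below and by the commented-out dendrite vhost at the end
  # of this file.  Previously referenced but never defined, which made the
  # module fail to evaluate ("undefined variable").
  nginx-vhost = fqdn;

  # Public base URL of the homeserver.  Handed to synapse as `public_baseurl`
  # and to Element as `m.homeserver.base_url`, so the two cannot drift apart.
  # Previously referenced but never defined.
  baseUrl = "https://${fqdn}";

  # Matrix server name (the part after the colon in user ids) as configured on
  # the homeserver that is actually enabled here (synapse).  Taking it from the
  # synapse settings rather than the disabled dendrite settings keeps the
  # Element config consistent with the running homeserver.
  inherit (config.services.matrix-synapse.settings) server_name;

  # element-web with `config.json` rewritten to point clients at this homeserver.
  # Note that `element-web-terranix.org` is an attribute *path* in this `let`:
  # it binds `element-web-terranix = { org = <drv>; }`, and the commented-out
  # dendrite vhost below refers to it as `element-web-terranix.org`.
  element-web-terranix.org = pkgs.runCommand "element-web-with-config" {
    nativeBuildInputs = [ pkgs.buildPackages.jq ];
  } ''
    cp -r ${pkgs.element-web} $out
    chmod -R u+w $out
    jq '."default_server_config"."m.homeserver" = { "base_url": "${baseUrl}", "server_name": "${server_name}" }' \
      > $out/config.json < ${pkgs.element-web}/config.json
    ln -s $out/config.json $out/config.${nginx-vhost}.json
  '';
in
{
  # PostgreSQL instance dedicated to matrix.
  # TODO: mount the postgresql folder in a dedicated zfs pool.
  containers.synapse-postgresql = {
    autoStart = true;
    # No private network namespace: the container shares the host's network
    # stack, so the database is reachable from the host's synapse without any
    # extra routing.
    privateNetwork = false;
    config = { config, pkgs, lib, ... }: {
      system.stateVersion = "23.11";
      services.postgresql.enable = true;
      # NOTE(review): `pkgs.writeText` places this script -- password included --
      # in the world-readable Nix store of the container.  Anything that can read
      # the store can read the role password.  Peer/socket authentication, or a
      # password loaded from a runtime secret, would avoid storing it at all.
      services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
        CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
        CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
          TEMPLATE template0
          LC_COLLATE = "C"
          LC_CTYPE = "C";
      '';
    };
  };

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    virtualHosts = {
      "${fqdn}" = {
        enableACME = true;
        forceSSL = true;
        # It's also possible to do a redirect here or something else, this vhost is not
        # needed for Matrix. It's recommended though to *not put* element
        # here, see also the section about Element.
        locations."/".extraConfig = ''
          return 404;
        '';
        # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
        # *must not* be used here.
        locations."/_matrix".proxyPass = "http://[::1]:8008";
        # Forward requests for e.g. SSO and password-resets.
        locations."/_synapse/client".proxyPass = "http://[::1]:8008";
      };
    };
  };

  services.matrix-synapse = {
    enable = true;
    # The Matrix server name is the apex domain, not `fqdn`.  Federation peers
    # therefore need to be told where the homeserver really lives, either via
    # SRV records or via a `/.well-known/matrix/server` vhost on the server
    # name; a commented-out version of that vhost is kept at the bottom of
    # this file.
    settings.server_name = config.networking.domain;
    # The public base URL value must match the `base_url` value handed to clients
    # (see the Element `config.json` rewrite in the `let` above).
    # The default value here is based on `server_name`, so if your `server_name` is different
    # from the value of `fqdn` above, you will likely run into some mismatched domain names
    # in client applications.
    settings.public_baseurl = baseUrl;
    settings.listeners = [
      {
        port = 8008;
        # Loopback only: the listener is not exposed beyond the host; all
        # external traffic arrives through the nginx vhost above.
        bind_addresses = [ "::1" ];
        type = "http";
        tls = false;
        # Take the client address from X-Forwarded-For (set by nginx's
        # recommendedProxySettings) instead of the proxy's own ::1.  Only
        # appropriate because the listener is bound to loopback.
        x_forwarded = true;
        resources = [{
          names = [ "client" "federation" ];
          compress = true;
        }];
      }
    ];
  };

  # Previous dendrite-based setup, kept for reference.
  # $ nix-shell -p dendrite --run 'generate-keys --private-key /tmp/key'
  #sops.secrets.matrix-server-key = { };
  #services.dendrite = {
  #  enable = true;
  #  httpPort = 8448;
  #  settings = {
  #    global = {
  #      server_name = "terranix.org";
  #      # `private_key` has the type `path`
  #      # prefix a `/` to make `path` happy
  #      private_key = "/$CREDENTIALS_DIRECTORY/matrix-server-key";
  #      trusted_third_party_id_servers = [
  #        "matrix.org"
  #        "vector.im"
  #        "xaos.space"
  #        "lassul.us"
  #        "thalheim.io"
  #        "nixos.org"
  #      ];
  #      metrics.enabled = false;
  #    };
  #    logging = [
  #      {
  #        type = "std";
  #        level = "warn";
  #      }
  #    ];
  #    client_api = {
  #      registration_disabled = true;
  #      rate_limiting.enabled = false;
  #      # set only for the first admin account, then remove.
  #      #registration_shared_secret = ""; # disable once first admin account is created
  #    };
  #    media_api = {
  #      dynamic_thumbnails = true;
  #    };
  #    mscs = {
  #      mscs = [ "msc2836" "msc2946" ];
  #    };
  #    sync_api = {
  #      real_ip_header = "X-Real-IP";
  #    };
  #    federation_api = {
  #      key_perspectives = [
  #        {
  #          server_name = "matrix.org";
  #          keys = [
  #            {
  #              key_id = "ed25519:auto";
  #              public_key = "Noi6WqcDj0QmPxCNQqgezwTlBKrfqehY1u2FyWP9uYw";
  #            }
  #            {
  #              key_id = "ed25519:a_RXGa";
  #              public_key = "l8Hft5qXKn1vfHrg3p4+W8gELQVo8N13JkluMfmn2sQ";
  #            }
  #          ];
  #        }
  #      ];
  #      prefer_direct_fetch = false;
  #    };
  #  };
  #};
  #systemd.services.dendrite.serviceConfig.LoadCredential = [
  #  "matrix-server-key:${config.sops.secrets.matrix-server-key.path}"
  #];
  #services.nginx.virtualHosts.${nginx-vhost} = {
  #  forceSSL = true;
  #  enableACME = true;
  #  extraConfig = ''
  #    proxy_set_header Host $host;
  #    proxy_set_header X-Real-IP $remote_addr;
  #    proxy_read_timeout 600;
  #  '';
  #  locations."/_matrix".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
  #  # for remote admin access
  #  locations."/_synapse".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
  #  locations."/".root = element-web-terranix.org;
  #};
  #services.nginx.virtualHosts.${server_name} = {
  #  locations."= /.well-known/matrix/server".alias =
  #    pkgs.writeText "matrix-server" (builtins.toJSON { "m.server" = "${nginx-vhost}:443"; });
  #  locations."= /.well-known/matrix/client".alias =
  #    pkgs.writeText "matrix-client" (builtins.toJSON { "m.homeserver".base_url = "https://${nginx-vhost}"; });
  #};
}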