{
  flake,
  config,
  pkgs,
  ...
}:
let
  publicDomain = "matrix.${config.pub-solar-os.networking.domain}";
  serverDomain = "${config.pub-solar-os.networking.domain}";
in
{
  age.secrets."matrix-synapse-signing-key" = {
    file = "${flake.self}/secrets/matrix-synapse-signing-key.age";
    mode = "400";
    owner = "matrix-synapse";
  };

  age.secrets."matrix-synapse-secret-config.yaml" = {
    file = "${flake.self}/secrets/matrix-synapse-secret-config.yaml.age";
    mode = "400";
    owner = "matrix-synapse";
  };

  age.secrets."matrix-synapse-sliding-sync-secret" = {
    file = "${flake.self}/secrets/matrix-synapse-sliding-sync-secret.age";
    mode = "400";
    owner = "matrix-synapse";
  };

  services.matrix-synapse = {
    enable = true;
    settings = {
      server_name = serverDomain;
      public_baseurl = "https://${publicDomain}/";
      database = {
        name = "psycopg2";
        args = {
          host = "/run/postgresql";
          cp_max = 10;
          cp_min = 5;
          database = "matrix";
        };
        allow_unsafe_locale = false;
        txn_limit = 0;
      };
      listeners = [
        {
          bind_addresses = [ "127.0.0.1" ];
          port = 8008;
          resources = [
            {
              compress = true;
              names = [ "client" ];
            }
            {
              compress = false;
              names = [ "federation" ];
            }
          ];
          tls = false;
          type = "http";
          x_forwarded = true;
        }
        {
          bind_addresses = [ "127.0.0.1" ];
          port = 8012;
          resources = [ { names = [ "metrics" ]; } ];
          tls = false;
          type = "metrics";
        }
      ];

      account_threepid_delegates.msisdn = "";
      alias_creation_rules = [
        {
          action = "allow";
          alias = "*";
          room_id = "*";
          user_id = "*";
        }
      ];
      allow_guest_access = false;
      allow_public_rooms_over_federation = true;
      allow_public_rooms_without_auth = false;
      auto_join_rooms = [
        "#community:${serverDomain}"
        "#general:${serverDomain}"
      ];

      autocreate_auto_join_rooms = true;
      caches.global_factor = 0.5;

      default_room_version = "10";
      disable_msisdn_registration = true;
      enable_media_repo = true;
      enable_metrics = true;
      mau_stats_only = true;
      enable_registration = false;
      enable_registration_captcha = false;
      enable_registration_without_verification = false;
      enable_room_list_search = true;
      encryption_enabled_by_default_for_room_type = "off";
      event_cache_size = "100K";
      federation_rr_transactions_per_room_per_second = 50;
      federation_client_minimum_tls_version = "1.2";
      forget_rooms_on_leave = true;
      include_profile_data_on_invite = true;
      instance_map = { };
      limit_profile_requests_to_users_who_share_rooms = false;

      log_config = ./matrix-log-config.yaml;

      max_spider_size = "10M";
      max_upload_size = "50M";
      media_storage_providers = [ ];

      password_config = {
        enabled = false;
        localdb_enabled = false;
        pepper = "";
      };

      presence.enabled = true;
      push.include_content = false;

      rc_admin_redaction = {
        burst_count = 50;
        per_second = 1;
      };
      rc_federation = {
        concurrent = 3;
        reject_limit = 50;
        sleep_delay = 500;
        sleep_limit = 10;
        window_size = 1000;
      };
      rc_invites = {
        per_issuer = {
          burst_count = 10;
          per_second = 0.3;
        };
        per_room = {
          burst_count = 10;
          per_second = 0.3;
        };
        per_user = {
          burst_count = 5;
          per_second = 3.0e-3;
        };
      };
      rc_joins = {
        local = {
          burst_count = 10;
          per_second = 0.1;
        };
        remote = {
          burst_count = 10;
          per_second = 1.0e-2;
        };
      };
      rc_login = {
        account = {
          burst_count = 3;
          per_second = 0.17;
        };
        address = {
          burst_count = 3;
          per_second = 0.17;
        };
        failed_attempts = {
          burst_count = 3;
          per_second = 0.17;
        };
      };
      rc_message = {
        burst_count = 10;
        per_second = 0.2;
      };
      rc_registration = {
        burst_count = 3;
        per_second = 0.17;
      };
      redaction_retention_period = "7d";
      forgotten_room_retention_period = "7d";
      redis.enabled = false;
      registration_requires_token = false;
      registrations_require_3pid = [ "email" ];
      report_stats = false;
      require_auth_for_profile_requests = false;
      room_list_publication_rules = [
        {
          action = "allow";
          alias = "*";
          room_id = "*";
          user_id = "*";
        }
      ];

      signing_key_path = "/run/agenix/matrix-synapse-signing-key";

      stream_writers = { };
      trusted_key_servers = [ { server_name = "matrix.org"; } ];
      suppress_key_server_warning = true;

      turn_allow_guests = false;
      turn_uris = [
        "turn:${config.services.coturn.realm}:3478?transport=udp"
        "turn:${config.services.coturn.realm}:3478?transport=tcp"
      ];
      turn_user_lifetime = "1h";

      url_preview_accept_language = [
        "en-US"
        "en"
      ];
      url_preview_enabled = true;
      url_preview_ip_range_blacklist = [
        "127.0.0.0/8"
        "10.0.0.0/8"
        "172.16.0.0/12"
        "192.168.0.0/16"
        "100.64.0.0/10"
        "192.0.0.0/24"
        "169.254.0.0/16"
        "192.88.99.0/24"
        "198.18.0.0/15"
        "192.0.2.0/24"
        "198.51.100.0/24"
        "203.0.113.0/24"
        "224.0.0.0/4"
        "::1/128"
        "fe80::/10"
        "fc00::/7"
        "2001:db8::/32"
        "ff00::/8"
        "fec0::/10"
      ];

      user_directory = {
        prefer_local_users = false;
        search_all_users = false;
      };
      user_ips_max_age = "28d";

      app_service_config_files = [
        "/var/lib/matrix-synapse/telegram-registration.yaml"
        "/var/lib/matrix-appservice-irc/registration.yml"
        # "/matrix-appservice-slack-registration.yaml"
        # "/hookshot-registration.yml"
        # "/matrix-mautrix-signal-registration.yaml"
        # "/matrix-mautrix-telegram-registration.yaml"
      ];
    };

    withJemalloc = true;

    extraConfigFiles = [
      "/run/agenix/matrix-synapse-secret-config.yaml"

      # The registration file is automatically generated after starting the
      # appservice for the first time.
      # cp /var/lib/mautrix-telegram/telegram-registration.yaml \
      #   /var/lib/matrix-synapse/
      # chown matrix-synapse:matrix-synapse \
      #   /var/lib/matrix-synapse/telegram-registration.yaml
      "/var/lib/matrix-synapse/telegram-registration.yaml"
    ];

    extras = [
      "oidc"
      "redis"
    ];

    plugins = [ config.services.matrix-synapse.package.plugins.matrix-synapse-shared-secret-auth ];

    sliding-sync = {
      enable = true;
      settings = {
        SYNCV3_SERVER = "https://${publicDomain}";
        SYNCV3_BINDADDR = "127.0.0.1:8011";
        # The bind addr for Prometheus metrics, which will be accessible at
        # /metrics at this address
        SYNCV3_PROM = "127.0.0.1:9100";
      };
      environmentFile = config.age.secrets."matrix-synapse-sliding-sync-secret".path;
    };
  };

  services.restic.backups.matrix-synapse-storagebox = {
    paths = [
      "/var/lib/matrix-synapse"
      "/var/lib/matrix-appservice-irc"
      "/var/lib/mautrix-telegram"
      "/tmp/matrix-synapse-backup.sql"
    ];
    timerConfig = {
      OnCalendar = "*-*-* 05:00:00 Etc/UTC";
    };
    initialize = true;
    passwordFile = config.age.secrets."restic-repo-storagebox".path;
    repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
    backupPrepareCommand = ''
      ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql
    '';
    backupCleanupCommand = ''
      rm /tmp/matrix-synapse-backup.sql
    '';
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 4"
      "--keep-monthly 3"
    ];
  };
}