{
  config,
  flake,
  lib,
  ...
}:
let
  # Find element in list config.services.matrix-synapse.settings.listeners
  # that sets type = "metrics"
  listenerWithMetrics =
    lib.findFirst (listener: listener.type == "metrics")
      (throw "Found no matrix-synapse.settings.listeners.*.type containing string metrics")
      config.services.matrix-synapse.settings.listeners;
  synapseMetricsPort = "${toString listenerWithMetrics.port}";
in
{
  age.secrets.nachtigall-metrics-nginx-basic-auth = {
    file = "${flake.self}/secrets/nachtigall-metrics-nginx-basic-auth.age";
    mode = "600";
    owner = "nginx";
  };
  services.nginx.virtualHosts = {
    "nachtigall.${config.pub-solar-os.networking.domain}" = {
      enableACME = true;
      addSSL = true;
      basicAuthFile = "${config.age.secrets.nachtigall-metrics-nginx-basic-auth.path}";
      locations."/metrics" = {
        proxyPass = "http://127.0.0.1:${toString (config.services.prometheus.exporters.node.port)}";
      };
      locations."/_synapse/metrics" = {
        proxyPass = "http://127.0.0.1:${synapseMetricsPort}";
      };
    };
  };
}