{ lib, pkgs, ... }:
let
  commonHeaders = ''
    add_header Permissions-Policy interest-cohort=() always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-XSS-Protection "1; mode=block";
  '';
  clientConfig = import ./element-client-config.nix { inherit lib pkgs; };
  wellKnownClient = domain: {
    "m.homeserver".base_url = "https://matrix.${domain}";
    "m.identity_server".base_url = "https://matrix.${domain}";
    "org.matrix.msc3575.proxy".url = "https://matrix.${domain}";
    "im.vector.riot.e2ee".default = true;
    "io.element.e2ee" = {
      default = true;
      secure_backup_required = false;
      secure_backup_setup_methods = [ ];
    };
    "m.integrations" = {
      managers = [
        {
          api_url = "https://dimension.${domain}/api/v1/scalar";
          ui_url = "https://dimension.${domain}/element";
        }
      ];
    };
  };
  wellKnownServer = domain: { "m.server" = "matrix.${domain}:8448"; };
  wellKnownSupport = {
    contacts = [
      {
        email_address = "crew@pub.solar";
        matrix_id = "@b12f:pub.solar";
        role = "m.role.admin";
      }
      {
        email_address = "crew@pub.solar";
        matrix_id = "@hensoko:pub.solar";
        role = "m.role.admin";
      }
      {
        email_address = "crew@pub.solar";
        matrix_id = "@teutat3s:pub.solar";
        role = "m.role.admin";
      }
    ];
    support_page = "https://pub.solar/about";
  };
  mkWellKnown = data: ''
    add_header Content-Type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';
  wellKnownLocations = domain: {
    "= /.well-known/matrix/server".extraConfig = mkWellKnown (wellKnownServer domain);
    "= /.well-known/matrix/client".extraConfig = mkWellKnown (wellKnownClient domain);
    "= /.well-known/matrix/support".extraConfig = mkWellKnown wellKnownSupport;
  };
in
{
  services.nginx.virtualHosts = {

    #####################################
    # This is already in production use #
    #####################################

    "pub.solar" = {
      locations = wellKnownLocations "pub.solar";
    };

    "chat.pub.solar" = {
      forceSSL = true;
      enableACME = true;
      root = pkgs.element-web.override {
        conf = clientConfig;
      };
    };

    "stickers.chat.pub.solar" = {
      forceSSL = true;
      enableACME = true;
      root = pkgs.element-stickerpicker;
    };

    "matrix.pub.solar" = {
      root = "/dev/null";

      forceSSL = lib.mkDefault true;
      enableACME = lib.mkDefault true;

      extraConfig = ''
        server_tokens off;
        gzip on;
        gzip_types text/plain application/json;
      '';
      locations = {
        # For telegram
        "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b" = {
          proxyPass = "http://127.0.0.1:8009";
          extraConfig = commonHeaders;
        };

        # sliding-sync
        "~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)" = {
          proxyPass = "http://127.0.0.1:8011";
          extraConfig = commonHeaders;
        };

        "~* ^(/_matrix|/_synapse/client|/_synapse/oidc)" = {
          proxyPass = "http://127.0.0.1:8008";

          extraConfig = ''
            ${commonHeaders}
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;

            client_body_buffer_size 25M;
            client_max_body_size 50M;
            proxy_max_temp_file_size 0;
          '';
        };
      };
    };
    "matrix.pub.solar-federation" = {
      serverName = "matrix.pub.solar";
      forceSSL = lib.mkDefault true;
      enableACME = lib.mkDefault true;
      listen = [{
        port = 8448;
        addr = "0.0.0.0";
        ssl = true;
      }
        {
          port = 8448;
          addr = "[::]";
          ssl = true;
        }];
      root = "/dev/null";
      extraConfig = ''
        server_tokens off;

        gzip on;
        gzip_types text/plain application/json;
      '';
      locations."/" = {
        proxyPass = "http://127.0.0.1:8008";
        extraConfig = ''
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;

          client_body_buffer_size 25M;
          client_max_body_size 150M;
          proxy_max_temp_file_size 0;
        '';
      };
    };
  };
  networking.firewall.allowedTCPPorts = [ 8448 ];
}