{ config, lib, pkgs, ... }:

let
  # Names used throughout this module. Synapse itself answers on matrixHost;
  # clients and federating servers discover it through the two .well-known
  # documents served from baseDomain; Element Web lives on its own host.
  baseDomain = "hacc.space";
  matrixHost = "matrix.hacc.space";
  elementHost = "element.hacc.space";
  homeserverUrl = "https://${matrixHost}";

  # Shape of these documents:
  # https://matrix.org/docs/spec/client_server/latest#get-well-known-matrix-client
  wellKnownServer = builtins.toJSON { "m.server" = "${matrixHost}:443"; };
  wellKnownClient = builtins.toJSON {
    "m.homeserver".base_url = homeserverUrl;
    "m.identity_server".base_url = "https://vector.im";
  };
in
{
  # nginx is the only public entry point; Synapse's own listener (8008, see
  # below) is loopback-bound and is deliberately not opened here.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.postgresql = {
    enable = true;
    # Synapse insists on the C collation/ctype, hence TEMPLATE template0.
    # NOTE(review): pkgs.writeText stores this script in the Nix store, which is
    # world-readable on the host, so the password literal below must not be
    # treated as a secret; the credential Synapse actually uses is presumably
    # the one in secrets.yml (see services.matrix-synapse.extraConfigFiles).
    # Peer authentication over the local socket avoids a password altogether.
    initialScript = pkgs.writeText "synapse-init.sql" ''
      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse" TEMPLATE template0 LC_COLLATE = "C" LC_CTYPE = "C";
    '';
  };

  services.nginx = {
    enable = true;
    # recommendedProxySettings and recommendedGzipSettings are the ones that are
    # strictly required; the TLS and optimisation presets are sensible as well
    # (this follows the manual's example, which is broken as written).
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    virtualHosts = {
      # Delegation host: serves nothing but the two .well-known documents. It
      # could live on a different machine than Synapse, which may ease a later
      # migration; in our case it is mostly added complexity.
      # NOTE(review): this file sets neither enableACME nor forceSSL on this
      # vhost, yet .well-known lookups are made over HTTPS — either another
      # module configures TLS for this domain or the lookups fail; confirm.
      ${baseDomain} = {
        locations."= /.well-known/matrix/server".extraConfig = ''
          add_header Content-Type application/json;
          return 200 '${wellKnownServer}';
        '';
        # Tells Element (and any other client) which homeserver to default to.
        # The CORS header is needed because browsers fetch this cross-origin.
        locations."= /.well-known/matrix/client".extraConfig = ''
          add_header Content-Type application/json;
          add_header Access-Control-Allow-Origin *;
          return 200 '${wellKnownClient}';
        '';
      };

      # The homeserver itself. Only /_matrix is forwarded to Synapse; every
      # other path on this domain is a 404, because hosting the web client on
      # the homeserver's domain is discouraged, cf.
      # https://github.com/vector-im/element-web#separate-domains
      ${matrixHost} = {
        enableACME = true;
        forceSSL = true;
        locations."/".extraConfig = ''
          return 404;
        '';
        # Plain HTTP to loopback; TLS is terminated here in nginx.
        locations."/_matrix".proxyPass = "http://[::1]:8008";
      };

      # Element Web for our homeserver, on its own domain (see above).
      ${elementHost} = {
        enableACME = true;
        forceSSL = true;
        root = pkgs.element-web.override {
          # base_url here is the same value as in the client .well-known document
          # served on baseDomain; both come from homeserverUrl so they cannot drift.
          conf.default_server_config."m.homeserver" = {
            base_url = homeserverUrl;
            server_name = matrixHost;
          };
        };
      };
    };
  };

  services.matrix-synapse = {
    enable = true;
    server_name = baseDomain;
    # Secrets are kept out of this (world-readable, store-resident) module and
    # read from a file on the host instead; presumably database credentials and
    # similar live there — verify against the deployed file.
    extraConfigFiles = [ "/var/lib/matrix-synapse/secrets.yml" ];
    # NOTE(review): notif_from looks truncated — it ends in a space, and the
    # `<address>` part was probably stripped as markup when the file was copied.
    # Synapse expects a complete From value such as
    # "Your Friendly %(app)s homeserver <noreply@infra4future.de>"; confirm
    # against the deployed configuration before relying on e-mail notifications.
    extraConfig = ''
      public_baseurl: ${homeserverUrl}
      email:
        smtp_host: mail.hacc.space
        smtp_user: "noreply@infra4future.de"
        smtp_port: 587
        notif_from: "Your Friendly %(app)s homeserver "
        require_transport_security: true
        enable_notifs: true
        client_base_url: "https://${elementHost}"
        invite_client_location: "https://${elementHost}"
    '';
    listeners = [
      {
        port = 8008;
        # Loopback only: nginx is the sole way to reach this listener, which is
        # also why x_forwarded (trusting X-Forwarded-For from the proxy) is safe.
        bind_address = "::1";
        type = "http";
        tls = false;
        x_forwarded = true;
        resources = [
          { names = [ "client" "federation" ]; compress = false; }
        ];
      }
    ];
  };
}