# NixOS module configuring the Matrix homeserver (Synapse) for hamburg.ccc.de.
# Synapse listens as plain HTTP on loopback only; public_baseurl is HTTPS, so
# TLS is presumably terminated by a reverse proxy on the same host that is
# configured elsewhere (not visible in this file).
{ config, ... }:

{
  services.matrix-synapse = {
    enable = true;

    settings = {
      listeners = [
        {
          port = 8008;
          # Loopback only: the unencrypted listener is not reachable from
          # other hosts.
          bind_addresses = [
            "::1"
            "127.0.0.1"
          ];
          type = "http";
          tls = false;
          # Synapse takes the client address from X-Forwarded-For. That header
          # is only trustworthy because nothing but the local proxy should be
          # able to reach this port; any local process that can connect to
          # 127.0.0.1:8008 can set it freely, which affects IP-based rate
          # limiting and the addresses recorded in logs.
          x_forwarded = true;

          # Client and federation APIs share this one listener.
          resources = [
            {
              compress = true;
              names = [ "client" ];
            }
            {
              compress = false;
              names = [ "federation" ];
            }
          ];
        }
      ];

      # server_name is the domain part of user IDs and differs from the host
      # in public_baseurl, so federation depends on delegation for
      # hamburg.ccc.de (.well-known or SRV) being set up elsewhere;
      # NOTE(review): not visible here, confirm.
      server_name = "hamburg.ccc.de";
      public_baseurl = "https://matrix.hamburg.ccc.de";

      database = {
        name = "psycopg2";
        # NOTE(review): plaintext credential. Everything under `settings` is
        # rendered into a config file in the world-readable Nix store and is
        # committed with this file, so this password is not a secret. That is
        # tolerable only if PostgreSQL accepts this role solely from local
        # connections (host/user/database are not set here and come from
        # module defaults; confirm). Otherwise move the database block into a
        # sops-managed file passed via extraConfigFiles, as is done for the
        # registration secret below.
        args.password = "synapse";
      };

      # Path outside the default state directory; it is also whitelisted in
      # the unit's ReadWritePaths below.
      media_store_path = "/mnt/data/synapse_media_store";
      # Ten times Synapse's default of 50M. NOTE(review): confirm the reverse
      # proxy's request body limit matches and that /mnt/data has enough
      # headroom, since each upload can consume up to this much disk.
      max_upload_size = "500M";

      admin_contact = "mailto:yuri+ccchh@nekover.se";
    };

    # Config fragments merged at runtime from outside the Nix store. This file
    # is expected to be a YAML snippet setting registration_shared_secret.
    # Whoever holds that value can create accounts, including admin accounts,
    # through the shared-secret registration API, so it must stay out of
    # `settings`.
    extraConfigFiles = [
      "/run/secrets/matrix_registration_shared_secret"
    ];
  };

  # Grants the unit write access to the media store, referencing the setting
  # so the two paths cannot drift apart. Presumably needed because the unit's
  # sandboxing otherwise leaves /mnt/data read-only; confirm against the
  # upstream unit definition.
  systemd.services.matrix-synapse.serviceConfig.ReadWritePaths = [ config.services.matrix-synapse.settings.media_store_path ];

  # sops-nix decrypts this secret to /run/secrets/<name>, matching the path in
  # extraConfigFiles above. Read-only for the matrix-synapse user and group,
  # no access for others.
  sops.secrets."matrix_registration_shared_secret" = {
    mode = "0440";
    owner = "matrix-synapse";
    group = "matrix-synapse";
    # Restart Synapse when the secret changes so a rotated value takes effect.
    restartUnits = [ "matrix-synapse.service" ];
  };
}