# NixOS module: Matrix homeserver (tuwunel) published through Caddy.
#
# Caddy terminates client and federation traffic and forwards it to the
# homeserver's local listener. The registration token is supplied as an
# agenix-managed secret file.
{ config, ... }:

let
  # Public Matrix server name; also the Caddy site address.
  domain = "jankremer.de";

  # Local homeserver listener that Caddy forwards to.
  upstream = "localhost:6167";
in
{
  # Registration token, decrypted by agenix at activation time.
  # mode 400 + owner: readable only by the "tuwunel" user.
  age.secrets."matrix-registration-token" = {
    file = ../secrets/matrix-registration-token.age;
    mode = "400";
    owner = "tuwunel";
  };

  services.matrix-tuwunel.enable = true;
  services.matrix-tuwunel.settings.global = {
    server_name = domain;

    # Registration is enabled, with a token file configured alongside it.
    # NOTE(review): the token is what keeps sign-up from being open to anyone
    # who can reach the server, so confirm that an empty or missing token file
    # makes registration fail rather than become unrestricted.
    allow_registration = true;
    registration_token_file = config.age.secrets.matrix-registration-token.path;

    # trusted_servers = [ "matrix.org" ];
  };

  services.caddy.enable = true;
  services.caddy.virtualHosts = {
    ## Matrix federation
    # Dedicated federation port; everything is forwarded to the homeserver.
    "${domain}:8448" = {
      extraConfig = ''
        reverse_proxy ${upstream}
      '';
    };

    # Main site: only /_matrix/* is proxied; the two .well-known documents
    # are static responses served by Caddy itself.
    # /.well-known/matrix/server advertises port 443 for federation.
    # NOTE(review): with that delegation in place the 8448 listener may be
    # redundant; if so, dropping it and its firewall entry removes an exposed port.
    # The wildcard CORS header is set only on the static client-discovery
    # response, not on the proxied API.
    "${domain}" = {
      extraConfig = ''
        handle /_matrix/* {
          reverse_proxy ${upstream}
        }
        handle /.well-known/matrix/server {
          header Content-Type application/json
          respond `{"m.server": "${domain}:443"}` 200
        }
        handle /.well-known/matrix/client {
          header Content-Type application/json
          header Access-Control-Allow-Origin *
          respond `{"m.homeserver": {"base_url": "https://${domain}"}}` 200
        }
      '';
    };
  };

  # Only the Caddy-facing ports are opened. 6167 is not listed, so the
  # homeserver listener is not opened by this module's firewall rule.
  # NOTE(review): confirm tuwunel binds to loopback only.
  networking.firewall.allowedTCPPorts = [ 80 443 8448 ];
}