nix-config/modules/nixos/matrix.nix

# { config, ... }:
{
  age.secrets."matrix-registration-token" = {
    file = ../secrets/matrix-registration-token.age;
    mode = "400";
    owner = "tuwunel";
  };

  services.matrix-tuwunel = {
    enable = true;
    settings = {
      global = {
        server_name = "jankremer.de";
        # allow_registration = true;
        # registration_token_file = config.age.secrets.matrix-registration-token.path;
        # trusted_servers = [ "matrix.org" ];
      };
    };
  };

  services.caddy = {
    enable = true;
    ## Matrix federation
    virtualHosts = {
      "jankremer.de:8448" = {
        extraConfig = # caddyfile
          ''
            reverse_proxy localhost:6167
          '';
      };
      "jankremer.de" = {
        extraConfig = # caddyfile
          ''
            handle /_matrix/* {
              reverse_proxy localhost:6167
            }

            handle /.well-known/matrix/server {
              header Content-Type application/json
              respond `{"m.server": "jankremer.de:443"}` 200
            }

            handle /.well-known/matrix/client {
              header Content-Type application/json
              header Access-Control-Allow-Origin *
              respond `{"m.homeserver": {"base_url": "https://jankremer.de"}}` 200
            }
          '';
      };
    };
  };

  networking.firewall.allowedTCPPorts = [
    80
    443
    8448
  ];
}