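{ pkgs, config, tmp, ... }:

# Matrix homeserver (synapse) behind nginx, an Element web client, and the
# Discord / Telegram bridges.  Host names (matrixdomain, matrixwebdomain,
# architect-lan, architect-wg) are provided by ./network.nix.
#
# Everything evaluated from this file ends up in /nix/store, which every local
# user can read.  Secrets are therefore never written here: synapse reads them
# from an extra YAML file outside the store, the bridges from their
# environmentFile.  Any secret that was ever committed to this file should be
# treated as disclosed and rotated.
with import ./network.nix;
{
  services = {
    matrix-synapse = {
      enable = true;
      server_name = "${matrixdomain}";
      database_name = "synapse";
      public_baseurl = "https://${matrixdomain}";
      dynamic_thumbnails = true;
      # Open registration stays off; register accounts with the shared secret
      # (register_new_matrix_user) instead.
      # enable_registration = true;

      # registration_shared_secret and turn_shared_secret are deliberately not
      # set in this file.  Both live in a root-only YAML file outside the Nix
      # store that synapse loads via --config-path; it holds exactly the two
      # keys `registration_shared_secret:` and `turn_shared_secret:`.
      # The value is a string, not an unquoted path literal, so the file is
      # not copied into the store if the option is ever used in string context.
      # PLACEHOLDER path: adjust to where the secret file is deployed.
      extraConfigFiles = [ "/secrets/matrix-synapse/secrets.yaml" ];

      # Bridge registrations (they contain as_token/hs_token) are read at
      # runtime from the synapse state directory, not from the store.
      app_service_config_files = [
        "/var/lib/matrix-synapse/discord-registration.yaml"
        "/var/lib/matrix-synapse/telegram-registration.yaml"
      ];
      extraConfig = ''
        auto_join_rooms:
          - "#infra:matrix.giugl.io"
          - "#general:matrix.giugl.io"
          - "#gaming:matrix.giugl.io"
          - "#movies:matrix.giugl.io"
      '';
      listeners = [
        {
          port = 8008;
          # Loopback only: nginx terminates TLS and is the sole client of this
          # listener.  x_forwarded is only safe because nothing but that
          # proxy can reach the port and set X-Forwarded-For.
          bind_address = "::1";
          type = "http";
          tls = false;
          x_forwarded = true;
          resources = [
            {
              names = [ "client" "federation" ];
              compress = false;
            }
          ];
        }
      ];
      turn_uris = [
        "turns:turn.giugl.io:5349?transport=udp"
        "turns:turn.giugl.io:5349?transport=tcp"
      ];
      # turn_shared_secret: see extraConfigFiles above.
      turn_user_lifetime = "1h";
    };

    postgresql = {
      enable = true;
      ensureDatabases = [ "synapse" ];
      ensureUsers = [
        {
          name = "matrix-synapse";
          ensurePermissions = {
            "DATABASE synapse" = "ALL PRIVILEGES";
          };
        }
      ];
    };

    nginx.virtualHosts = {
      # server
      ${matrixdomain} = {
        enableACME = true;
        forceSSL = true;

        # Federation delegation: other homeservers are told to talk to this
        # host on 443 (nginx) instead of the default 8448.
        locations."= /.well-known/matrix/server".extraConfig =
          let
            server = { "m.server" = "${matrixdomain}:443"; };
          in ''
            add_header Content-Type application/json;
            return 200 '${builtins.toJSON server}';
          '';

        locations."= /.well-known/matrix/client".extraConfig =
          let
            client = {
              "m.homeserver" = { "base_url" = "https://${matrixdomain}:443"; };
              "m.identity_server" = { "base_url" = "https://vector.im"; };
            };
          # ACAO required to allow element-web on any URL to request this json file
          in ''
            add_header Content-Type application/json;
            add_header Access-Control-Allow-Origin *;
            return 200 '${builtins.toJSON client}';
          '';

        # Nothing else is served on the homeserver name.
        locations."/".extraConfig = ''
          return 404;
        '';

        # forward all Matrix API calls to the synapse Matrix homeserver
        locations."/_matrix" = {
          proxyPass = "http://[::1]:8008"; # without a trailing /
        };
      };

      # web client
      "${matrixwebdomain}" = {
        enableACME = true;
        forceSSL = true;

        root = pkgs.unstable.element-web.override {
          conf = {
            default_server_config."m.homeserver" = {
              "base_url" = "https://${matrixdomain}";
              "server_name" = "${matrixdomain}";
            };
          };
        };
      };
    };

    # discord bridge
    matrix-appservice-discord = {
      enable = true;
      # Quoted string on purpose: an unquoted path literal would be copied into
      # the world-readable store if the option is ever interpolated.
      environmentFile = "/secrets/matrix-appservice-discord/tokens.env";
      # The appservice is pre-configured to use SQLite by default.
      # It's also possible to use PostgreSQL.
      settings = {
        bridge = {
          domain = matrixdomain;
          homeserverUrl = "https://${matrixdomain}";
          disablePresence = true;
        };
      };
    };

    # telegram bridge
    mautrix-telegram = {
      enable = true;
      # Quoted for the same reason as the Discord bridge's environmentFile.
      environmentFile = "/secrets/mautrix-telegram/mautrix-telegram.env";

      settings = {
        homeserver = {
          address = "https://${matrixdomain}";
          domain = "${matrixdomain}";
        };

        appservice = {
          provisioning.enabled = false;
          id = "telegram";
        };

        bridge = {
          # Only one admin; every local user may puppet their own Telegram
          # account.
          permissions = {
            "@pepe:${matrixdomain}" = "admin";
            "${matrixdomain}" = "puppeting";
          };

          # Animated stickers conversion requires additional packages in the
          # service's path.
          # If this isn't a fresh installation, clearing the bridge's uploaded
          # file cache might be necessary (make a database backup first!):
          # delete from telegram_file where \
          #   mime_type in ('application/gzip', 'application/octet-stream')
          animated_sticker = {
            target = "gif";
            args = {
              width = 256;
              height = 256;
              fps = 30;               # only for webm
              background = "020202";  # only for gif, transparency not supported
            };
          };

          encryption = {
            allow = true;
            default = true;
          };
        };
      };
    };
  };

  systemd.services.mautrix-telegram.path = with pkgs; [
    lottieconverter  # for animated stickers conversion, unfree package
    ffmpeg           # if converting animated stickers to webm (very slow!)
  ];

  # Resolve the public names to the LAN / WireGuard addresses from inside the
  # host so local clients and bridges do not hairpin through the public IP.
  networking.extraHosts = ''
    ${architect-lan} ${matrixdomain} ${matrixwebdomain}
    ${architect-wg} ${matrixdomain} ${matrixwebdomain}
  '';
}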