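{ config, pkgs, my, secrets, ... }:
# Matrix homeserver (conduit) behind nginx: client traffic on 443, federation
# on 8448, .well-known delegation served from the apex host, and a nightly
# restic backup of the sqlite database plus the media store.
let
  conduitSettings = config.services.matrix-conduit.settings;
  serverName = "c8h4.io";
  matrixHost = "matrix.${serverName}";
in {
  services.matrix-conduit = {
    enable = true;
    settings.global = {
      server_name = serverName;
      # Loopback only: nginx is the sole public entry point to conduit.
      address = "::1";
      port = 6167;
      allow_encryption = true;
      allow_federation = true;
      allow_registration = false;
      database_backend = "sqlite";
      trusted_servers = [ "matrix.org" ];
      # Also reused below for nginx's client_max_body_size so the two limits
      # cannot drift apart.
      max_request_size = 32 * 1024 * 1024; # 32 MiB
    };
  };

  services.nginx.virtualHosts = {
    ${matrixHost} = {
      forceSSL = true;
      useACMEHost = serverName;
      kTLS = true;
      # TLS is terminated here for both the client port (443) and the
      # federation port (8448), on IPv4 and IPv6.
      listen = [
        { addr = "0.0.0.0"; port = 443; ssl = true; }
        { addr = "[::0]"; port = 443; ssl = true; }
        { addr = "0.0.0.0"; port = 8448; ssl = true; }
        { addr = "[::0]"; port = 8448; ssl = true; }
      ];
      locations."/_matrix/" = {
        proxyPass = "http://[${conduitSettings.global.address}]:${toString conduitSettings.global.port}";
        proxyWebsockets = true;
        extraConfig = ''
          proxy_set_header Host $host;
          # Bytes; taken from conduit's max_request_size so uploads are rejected
          # at the same size by nginx and by conduit.
          client_max_body_size ${toString conduitSettings.global.max_request_size};
        '';
      };
      # Anything outside the Matrix API on this host goes to the main site.
      locations."/".return = "301 https://${serverName}";
      extraConfig = ''
        merge_slashes off;
      '';
    };

    ${serverName} = {
      # Server delegation: federation partners are sent to matrixHost (port
      # 8448 is implied when none is given).
      locations."= /.well-known/matrix/server" = let
        contents = pkgs.writeText "well-known-matrix-server" ''
          { "m.server": "${matrixHost}" }
        '';
      in {
        alias = "${contents}";
        extraConfig = ''
          default_type application/json;
        '';
      };
      # Client discovery: web clients need CORS on this document.
      locations."= /.well-known/matrix/client" = let
        contents = pkgs.writeText "well-known-matrix-client" ''
          { "m.homeserver": { "base_url": "https://${matrixHost}" } }
        '';
      in {
        alias = "${contents}";
        extraConfig = ''
          default_type application/json;
          # https://matrix.org/docs/spec/client_server/r0.4.0#web-browser-clients
          add_header Access-Control-Allow-Origin "*";
        '';
      };
    };
  };

  # Federation is HTTPS over TCP; nothing listens on UDP 8448, so only the TCP
  # port is opened.
  networking.firewall.allowedTCPPorts = [ 8448 ];

  # Staging directory for the compressed database snapshot; root-only since it
  # holds a full copy of the homeserver database.
  systemd.tmpfiles.settings."50-var-backup-matrix-conduit" = {
    "/var/backup/matrix-conduit".d = {
      user = "root";
      group = "root";
      mode = "0700";
    };
  };

  services.restic.backups.matrix-conduit = {
    environmentFile = secrets."restic/rest-env".path;
    initialize = true;
    repository = "${my.homelab.services.restic.repositoryBase}/${config.networking.hostName}";
    passwordFile = secrets."restic/repo-password".path;
    paths = [
      "/var/backup/matrix-conduit/conduit.db.zst"
      "/var/lib/matrix-conduit/media"
    ];
    timerConfig.OnCalendar = "*-*-* 4:05:00"; # daily at 04:05
    backupPrepareCommand = ''
      set -euo pipefail
      umask 0077
      f=$(mktemp)
      # Never leave an uncompressed copy of the database behind in the temp
      # directory if a later step fails; zstd --rm already removes it on success.
      trap 'rm -f "$f"' EXIT
      # consistency is provided by the internal locking of sqlite
      ${pkgs.sqlite}/bin/sqlite3 /var/lib/matrix-conduit/conduit.db ".backup $f"
      ${pkgs.zstd}/bin/zstd --compress -9 --rm --force \
        -o /var/backup/matrix-conduit/conduit.db.zst "$f"
    '';
    backupCleanupCommand = my.mkResticBackupNotificationCmd {
      name = "matrix-conduit";
      inherit pkgs secrets;
    };
  };
}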