# NixOS module: Matrix homeserver (Synapse) for vhack.eu, fronted by nginx,
# backed by a local PostgreSQL, plus the mautrix-whatsapp bridge.
#
# Exposure as written in this file:
#   - TCP 80/443 are opened in the firewall and terminate at nginx.
#   - Synapse listens on [::1]:8008 without TLS and is reached through
#     the nginx proxy locations below.
{
  config,
  pkgs,
  ...
}: let
  # Host name that actually serves the Matrix API; server_name stays "vhack.eu"
  # and is delegated to this host through the .well-known documents below.
  fqdn = "matrix.vhack.eu";
  # Body of /.well-known/matrix/client.
  clientConfig."m.homeserver".base_url = "https://${fqdn}";
  # Body of /.well-known/matrix/server.
  serverConfig."m.server" = "${fqdn}:443";
  # Renders nginx directives that answer with `data` serialised as JSON.
  # The JSON is spliced between single quotes in the nginx config, so `data`
  # must stay a trusted constant: a value containing a single quote would
  # break out of the quoted nginx argument.
  # The wildcard CORS header is applied to both well-known documents.
  mkWellKnown = data: ''
    add_header Content-Type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';
in {
  imports = [
    ./bridges/mautrix-whatsapp.nix
  ];

  # Only the nginx ports are opened; 8008 is not listed here.
  networking.firewall.allowedTCPPorts = [80 443];

  services.postgresql.enable = true;
  # NOTE(review): the role password below is a fixed, guessable literal and is
  # written via pkgs.writeText, i.e. into the Nix store, which is readable by
  # every local user. No database settings for Synapse are visible in this
  # file, so it presumably connects over the local socket with peer
  # authentication and does not need a password at all - confirm, then either
  # drop the PASSWORD clause or set the password out-of-band from a secret.
  # NOTE(review): initialScript is presumably only executed when the cluster is
  # first initialised; an already-deployed role keeps this password until it is
  # changed manually (ALTER ROLE) - verify on the host.
  services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
    CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
    CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
      TEMPLATE template0
      LC_COLLATE = "C"
      LC_CTYPE = "C";
  '';

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    virtualHosts = {
      # Apex domain: only serves the two delegation documents defined here.
      "vhack.eu" = {
        enableACME = true;
        forceSSL = true;
        locations = {
          "/.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
          "/.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
        };
      };
      # Matrix host: everything is answered with 404 except the two prefixes
      # proxied to Synapse. Other Synapse paths (for example anything under
      # /_synapse that is not /_synapse/client) are therefore not reachable
      # through this virtual host; keep it that way when adding locations.
      "matrix.vhack.eu" = {
        enableACME = true;
        forceSSL = true;
        locations."/".extraConfig = ''
          return 404;
        '';
        locations = {
          "/_matrix".proxyPass = "http://[::1]:8008";
          "/_synapse/client".proxyPass = "http://[::1]:8008";
        };
      };
    };
  };

  services.mautrix-whatsapp = {
    enable = true;
    settings = {
      appservice = {
        database = {
          type = "postgres";
          # Connects through the PostgreSQL unix socket, no credentials in the URI.
          # NOTE(review): "dbname" looks like a placeholder and no matching
          # database is created in this file - confirm the intended name.
          uri = "postgres:///dbname?host=/var/run/postgresql";
        };
        # NOTE(review): this section sits under `appservice`; the bridge's own
        # example config presumably expects `whatsapp` at the top level of the
        # settings - verify against ./bridges/mautrix-whatsapp.nix.
        whatsapp = {
          # TODO: See https://github.com/tulir/whatsmeow/blob/efc632c008604016ddde63bfcfca8de4e5304da9/binary/proto/def.proto#L43-L64 for a list.
          # This also determines the WhatsApp icon
          browser_name = "unknown";
        };
      };
      homeserver.address = "https://matrix.vhack.eu";
      # Bridge-level privileges: each listed account is a bridge admin.
      # Review this list whenever an account is retired or compromised.
      bridge.permissions = {
        "@soispha:vhack.eu" = "admin";
        "@sils:vhack.eu" = "admin";
        "@nightingale:vhack.eu" = "admin";
      };
    };
  };

  services.matrix-synapse = {
    enable = true;
    dataDir = "/var/lib/matrix";
    # NOTE(review): `settings` is also given below; confirm that the nixpkgs
    # revision in use allows setting configFile and that Synapse still loads
    # the generated settings rather than only this path.
    configFile = "/etc/matrix/matrix.conf";
    settings = {
      media_store_path = "/var/lib/matrix/media_store";
      # The registration secret is referenced by path (declared elsewhere under
      # config.age.secrets), so its value does not appear in this file.
      registration_shared_secret_path = "${config.age.secrets.matrix-synapse_registration_shared_secret.path}";
      server_name = "vhack.eu";
      listeners = [
        {
          port = 8008;
          # Loopback only: plain HTTP is acceptable here because TLS ends at nginx.
          bind_addresses = ["::1"];
          type = "http";
          tls = false;
          # Synapse takes the client address from the proxy's forwarding header.
          # That is only trustworthy while nothing but nginx can reach this
          # listener, so do not widen bind_addresses without revisiting this.
          x_forwarded = true;
          resources = [
            {
              names = ["client" "federation"];
              compress = true;
            }
          ];
        }
      ];
    };
  };
}