# NixOS module: Dendrite Matrix homeserver. TLS material comes from the host's
# existing ACME certificate, secrets are supplied through sops, and nginx sits in
# front for client traffic and the .well-known federation delegation.
{ config, ... }:
let
  cfg = config.services.dendrite;
  domain = config.domainName;
  # Directory holding the already-issued ACME certificate for the base domain.
  acmeDir = config.security.acme.certs.${domain}.directory;
  svcUser = "matrix";
in
{
  services.dendrite = {
    enable = true;
    # Dendrite terminates TLS itself on this port with the ACME cert/key below;
    # federation peers are sent here by the .well-known response further down.
    httpsPort = 44443;
    tlsCert = "${acmeDir}/fullchain.pem";
    tlsKey = "${acmeDir}/key.pem";
    # sops-managed environment file handed to the service.
    # NOTE(review): no setting in this module references a variable from this
    # file; confirm the registration secret it carries is actually consumed.
    environmentFile = config.sops.secrets."matrix/registration".path;
    settings.global = {
      # Path to the server signing key; the file is owned by the service user
      # (see sops.secrets below).
      private_key = config.sops.secrets."matrix/private_key".path;
      server_name = "matrix.${domain}";
    };
  };

  # Dedicated account the daemon runs as.
  # NOTE(review): isNormalUser gives a service account a login shell and a home
  # directory; isSystemUser with its own group would be the tighter choice
  # unless something interactively logs in as this user — confirm.
  users.users.${svcUser}.isNormalUser = true;

  # Group nginx is presumably what lets the service read the ACME certificate
  # files; it also grants read access to anything else that group can read —
  # confirm that is intended.
  systemd.services.dendrite.serviceConfig = {
    User = svcUser;
    Group = "nginx";
  };

  # Both secrets are owned by the service user so the daemon can read them
  # without running as root.
  sops.secrets = {
    "matrix/registration".owner = svcUser;
    "matrix/private_key".owner = svcUser;
  };

  # The host certificate must also cover the Matrix server_name, since both
  # dendrite (tlsCert/tlsKey) and the nginx vhost below present it.
  security.acme.certs."${domain}".extraDomainNames = [ cfg.settings.global.server_name ];

  services.nginx.virtualHosts.${cfg.settings.global.server_name} = {
    # Reuse the host's ACME certificate rather than requesting a separate one.
    useACMEHost = domain;
    addSSL = true;
    # Client API traffic is relayed over TLS to dendrite's local listener.
    locations."/".proxyPass = "https://localhost:${toString cfg.httpsPort}";
    # Federation delegation: tells other homeservers to contact dendrite's own
    # HTTPS port directly. The document carries only the public server name and
    # port, so an open CORS policy on it is acceptable.
    locations."/.well-known/matrix/server".extraConfig = ''
      add_header Content-Type application/json;
      add_header Access-Control-Allow-Origin *;
      return 200 '{"m.server":"${cfg.settings.global.server_name}:${toString cfg.httpsPort}"}';
    '';
  };

  # The .well-known response above sends federation peers straight to
  # dendrite's HTTPS listener, so that port has to be reachable from outside.
  networking.firewall.allowedTCPPorts = [ cfg.httpsPort ];
}