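# Matrix homeserver + Element web client module for the fudo.im domain.
#
# Outer function: deployment parameters (which host runs Matrix, the Matrix
# server name and the OpenID client credentials). Inner function: a standard
# NixOS module. Everything host-specific is gated on `isMatrix` so that hosts
# other than `matrixHost` only contribute the DNS aliases.
#
# NOTE(review): openIdClientSecret / openIdJwtSecret are interpolated into
# this Nix expression; whether they end up in the world-readable Nix store
# depends on how `fudo.services.matrix` consumes them — confirm before
# treating these options as a safe place for secrets.
{ matrixHost, matrixServerName, openIdClientId, openIdClientSecret
, openIdJwtSecret, ... }:
{ config, lib, pkgs, ... }:
with lib;
let
  hostname = config.instance.hostname;
  domainName = "fudo.im";
  zoneName = config.fudo.domains."${domainName}".zone;
  # Only the designated Matrix host gets the server, vhosts and open ports.
  isMatrix = hostname == matrixHost;
  matrixFqdn = "matrix.${domainName}";
in {
  config = {
    fudo = {
      # DNS: both `web` and `matrix` labels point at the Matrix host (every
      # host evaluating this module contributes the same aliases).
      zones."${zoneName}".aliases =
        let matrixHostFqdn = pkgs.lib.getHostFqdn matrixHost;
        in {
          web = "${matrixHostFqdn}.";
          matrix = "${matrixHostFqdn}.";
        };

      services.matrix = mkIf isMatrix {
        enable = true;
        server-name = matrixServerName;
        hostname = matrixFqdn;
        openid = {
          client-id = openIdClientId;
          client-secret = openIdClientSecret;
          provider = "fudo-auth";
          provider-name = "Fudo Auth";
          issuer = "https://authentik.fudo.org/application/o/matrix/";
          jwt-secret = openIdJwtSecret;
        };
      };
    };

    # Fix: previously these ports were opened unconditionally, i.e. on every
    # host importing this module, although nginx and the homeserver are only
    # configured on the Matrix host. Gate them like the services they serve
    # (80/443 web + well-known, 8008/8448 Matrix client/federation).
    networking.firewall.allowedTCPPorts = mkIf isMatrix [ 80 443 8008 8448 ];

    services.nginx.virtualHosts = mkIf isMatrix {
      "${domainName}" = let
        # Render a static JSON body for a /.well-known endpoint. The wildcard
        # CORS header is what the Matrix spec expects for client discovery.
        # NOTE(review): the JSON is embedded in a single-quoted nginx string;
        # that is fine for the static values below but would break on data
        # containing a `'`, so keep the inputs literal.
        mkWellKnown = data: ''
          add_header Content-Type application/json;
          add_header Access-Control-Allow-Origin *;
          return 200 '${builtins.toJSON data}';
        '';
      in {
        enableACME = true;
        # forceSSL redirects the plain listeners (80, 8008) to TLS.
        forceSSL = true;
        listen = [
          { addr = "0.0.0.0"; port = 8008; ssl = false; }
          { addr = "0.0.0.0"; port = 8448; ssl = true; }
          { addr = "0.0.0.0"; port = 80; ssl = false; }
          { addr = "0.0.0.0"; port = 443; ssl = true; }
        ];
        locations = {
          # Federation delegation: other homeservers reach us on matrixFqdn:443.
          "/.well-known/matrix/server".extraConfig =
            mkWellKnown { "m.server" = "${matrixFqdn}:443"; };
          # Client discovery.
          "/.well-known/matrix/client".extraConfig =
            mkWellKnown { "m.homeserver".base_url = "https://${matrixFqdn}:443"; };
          # Only the public client-id is published here; the secret stays
          # in the homeserver config.
          "/.well-known/matrix/openid".extraConfig = mkWellKnown {
            "token-issuer" = "https://authentik.fudo.org/application/o/token/";
            "client-id" = openIdClientId;
          };
          # ACME HTTP-01 challenges must be reachable without auth.
          "/.well-known/acme-challenge" = {
            root = "/var/lib/acme/acme-challenge/";
            extraConfig = "auth_basic off;";
          };
          # Everything else goes to the Element web client.
          "/".return = "301 https://web.${domainName}";
        };
      };

      "web.${domainName}" = {
        enableACME = true;
        forceSSL = true;
        root = pkgs.element-web.override {
          conf = {
            default_server_name = domainName;
            default_server_config."m.homeserver".base_url = "https://${matrixFqdn}";
            brand = "Fudo";
            room_directory.servers = [ matrixFqdn "matrix.org" "libera.chat" "gitter.im" ];
            # NOTE(review): this URL embeds a MapTiler API key in source. The
            # key is shipped to every browser anyway, so it cannot be kept
            # secret; restrict it by allowed origin/referrer on the provider
            # side and rotate it if the repository is public.
            map_style_url = "https://api.maptiler.com/maps/streets/style.json?key=fU3vlMsMn4Jb6dnEIFsx";
          };
        };
      };
    };
  };
}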