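# NixOS module: Matrix Synapse homeserver behind an nginx reverse proxy, with
# an optional Element Web client.
#
# Options live under `modules.services.matrix-synapse`. When `enable` is true
# the module:
#   * opens TCP 8448 in the firewall,
#   * ties the ACME certificate for matrix.<serverName> to matrix-synapse,
#   * defines nginx vhosts for matrix.<serverName>, <serverName> (.well-known
#     delegation only) and, optionally, chat.<serverName> (Element Web),
#   * enables Synapse with registration, metrics and stats reporting off.
{ config, lib, pkgs, ... }:
let
  cfg = config.modules.services.matrix-synapse;
in
{
  options.modules.services.matrix-synapse = {
    enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether to enable the Matrix Synapse homeserver and its nginx front end.";
    };
    serverName = lib.mkOption {
      type = lib.types.str;
      default = "vimium.com";
      example = "vimium.com";
      description = "Matrix server name; Synapse is served from matrix.<serverName>.";
    };
    enableElementWeb = lib.mkOption {
      type = lib.types.bool;
      default = true;
      example = false;
      description = "Whether to serve Element Web from chat.<serverName>.";
    };
  };

  config =
    let
      # Address nginx proxies to; Synapse is expected to listen here.
      synapseUpstream = "http://localhost:8008";

      # Single source for the upload limit. nginx previously capped request
      # bodies at 50M while Synapse advertised 100M, so clients were told a
      # limit the proxy would reject with 413. Both now use the value that was
      # effectively enforced; raise it here if larger uploads are wanted.
      maxUploadSize = "50M";

      # $remote_addr overwrites any X-Forwarded-For sent by the client, so
      # Synapse only ever sees the address nginx observed.
      forwardClientAddr = "proxy_set_header X-Forwarded-For $remote_addr;";

      # Body of /.well-known/matrix/client; also reused as Element Web's
      # default_server_config.
      matrixClientConfig = {
        "m.homeserver" = {
          base_url = "https://matrix.${cfg.serverName}";
          server_name = cfg.serverName;
        };
        "m.identity_server" = { };
      };

      # Body of /.well-known/matrix/server: delegates federation to port 443.
      matrixServerConfig."m.server" = "matrix.${cfg.serverName}:443";

      # nginx snippet that answers with `data` serialised as JSON.
      # `more_set_headers` needs the headers-more nginx module.
      mkWellKnown = data: ''
        more_set_headers 'Content-Type: application/json';
        return 200 '${builtins.toJSON data}';
      '';
    in
    lib.mkIf cfg.enable {
      # NOTE(review): .well-known/matrix/server already points federation at
      # :443, so 8448 may not need to be reachable at all - confirm before
      # keeping the extra open port. 80/443 are not opened here; presumably
      # that happens in another module.
      networking.firewall.allowedTCPPorts = [
        8448 # Matrix federation
      ];

      security.acme.certs = {
        "matrix.${cfg.serverName}" = {
          reloadServices = [ "matrix-synapse" ];
        };
      };

      services.nginx.virtualHosts = {
        "matrix.${cfg.serverName}" = {
          forceSSL = true;
          enableACME = true;
          # NOTE(review): "[::1]" is the IPv6 loopback address, so these three
          # listeners are not reachable from other hosts over IPv6, unlike the
          # 0.0.0.0 ones. If IPv6 service is intended the wildcard is "[::]";
          # left unchanged because it alters what is exposed - confirm.
          listen = [
            { addr = "0.0.0.0"; port = 443; ssl = true; }
            { addr = "0.0.0.0"; port = 80; }
            { addr = "0.0.0.0"; port = 8448; ssl = true; }
            { addr = "[::1]"; port = 443; ssl = true; }
            { addr = "[::1]"; port = 80; }
            { addr = "[::1]"; port = 8448; ssl = true; }
          ];
          locations = {
            # NOTE(review): this catch-all forwards every path to Synapse,
            # including /_synapse/admin. The admin API is token-protected, but
            # Synapse's reverse-proxy guidance is to publish only /_matrix and
            # /_synapse/client. Consider dropping this location or denying
            # /_synapse/admin from untrusted networks.
            "/" = {
              proxyPass = synapseUpstream;
              extraConfig = ''
                ${forwardClientAddr}
              '';
            };
            "/_matrix" = {
              proxyPass = synapseUpstream;
              extraConfig = ''
                ${forwardClientAddr}
                client_max_body_size ${maxUploadSize};
              '';
            };
            # Carries the same forwarded-address header as the other
            # locations, so login/SSO requests are logged and rate-limited by
            # the real client address rather than the proxy's.
            "/_synapse/client" = {
              proxyPass = synapseUpstream;
              extraConfig = ''
                ${forwardClientAddr}
              '';
            };
          };
        };

        # Only the delegation endpoints are defined for the apex domain.
        # NOTE(review): TLS/ACME for this vhost is not set here; .well-known
        # lookups are made over HTTPS, so presumably another module provides
        # it - confirm.
        "${cfg.serverName}" = {
          locations."= /.well-known/matrix/server".extraConfig = mkWellKnown matrixServerConfig;
          locations."= /.well-known/matrix/client".extraConfig = mkWellKnown matrixClientConfig;
        };
      } // lib.optionalAttrs cfg.enableElementWeb {
        # Element Web is served from its own hostname, separate from the
        # homeserver's. `pkgs.unstable` must be provided by an overlay.
        "chat.${cfg.serverName}" = {
          forceSSL = true;
          enableACME = true;
          root = pkgs.unstable.element-web.override {
            conf = {
              default_server_config = matrixClientConfig;
              brand = "Vimium Chat";
              branding = {
                auth_header_logo_url = "https://vimium.com/images/logo.svg";
                auth_footer_links = [
                  { "text" = "Vimium.com"; "url" = "https://vimium.com"; }
                ];
              };
            };
          };
        };
      };

      services.matrix-synapse = {
        enable = true;
        settings = {
          # NOTE(review): SQLite backend; Synapse's documentation recommends
          # PostgreSQL for anything beyond small or test deployments.
          database.name = "sqlite3";
          enable_metrics = false;
          # Open sign-up is disabled; accounts have to be created by an admin.
          enable_registration = false;
          max_upload_size = maxUploadSize;
          report_stats = false;
          server_name = cfg.serverName;
        };
      };
    };
}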