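# NixOS module: Matrix homeserver (tuwunel) behind nginx, with federation and
# client delegation served from the apex domain.
{ config, lib, pkgs, self, ... }:
let
  inherit (lib.modules) mkIf;
  inherit (lib.options) mkEnableOption;
  inherit (lib.lists) singleton;
  inherit (builtins) toJSON;

  cfg = config.modules.system.services.matrix;

  # The homeserver only binds loopback (see `address` below); nginx terminates
  # TLS on 443 and forwards to this port, so it is never exposed directly.
  port = 4926;
  domain = "faukah.com";

  # Taken from Max Privatevoid.
  # Delegation documents: federating servers and clients resolve `domain` to
  # matrix.<domain>, so the apex vhost only has to serve these two static
  # files under /.well-known/matrix/.
  serverFederation = pkgs.writeText "server_federation.json" (toJSON {
    "m.server" = "matrix.${domain}:443";
  });
  clientFederation = pkgs.writeText "client_federation.json" (toJSON {
    "m.homeserver".base_url = "https://matrix.${domain}";
  });
in
{
  options.modules.system.services.matrix.enable = mkEnableOption "matrix";

  config = mkIf cfg.enable {
    # Registration token is delivered via agenix rather than inlined into the
    # module, which would land it in the world-readable Nix store.
    # NOTE(review): agenix secrets default to root-owned, mode 0400 — confirm
    # the tuwunel service user can read the decrypted path; if not, set
    # `age.secrets.registrationToken.owner` / `.mode` accordingly.
    age.secrets.registrationToken.file = "${self}/secrets/tuwunel_token_file.age";

    services = {
      nginx = {
        enable = true;

        # Apex domain: serves only the delegation documents.
        virtualHosts.${domain} = {
          addSSL = true;
          enableACME = true;
          locations = {
            "= /.well-known/matrix/server".alias = serverFederation;
            "= /.well-known/matrix/client" = {
              alias = clientFederation;
              # Browser-based clients hosted on other origins fetch this
              # document cross-origin; without a permissive CORS header the
              # lookup fails and web clients cannot discover the homeserver.
              extraConfig = ''
                add_header Access-Control-Allow-Origin "*";
              '';
            };
          };
        };

        # Homeserver vhost: reverse proxy for the Matrix API (client + federation,
        # both over 443 as advertised in server_federation.json).
        virtualHosts."matrix.${domain}" = {
          addSSL = true;
          enableACME = true;
          locations."/_matrix" = {
            proxyPass = "http://localhost:${toString port}";
            # Forward Host / X-Forwarded-For / X-Real-IP so the homeserver's
            # logs and rate limiting see the real client address instead of
            # 127.0.0.1 for every request.
            recommendedProxySettings = true;
          };
          # NOTE(review): nginx's default request body limit is 1m; media
          # uploads larger than that are rejected at the proxy before reaching
          # the homeserver. Consider `clientMaxBodySize` on this vhost sized to
          # match the homeserver's upload limit — verify against tuwunel's
          # settings.
        };
      };

      matrix-tuwunel = {
        enable = true;
        package = pkgs.matrix-tuwunel;
        settings = {
          global = {
            port = singleton port;
            # Loopback only (v4 + v6); all external traffic comes via nginx.
            address = [ "127.0.0.1" "::1" ];
            server_name = domain;
            # Registration stays enabled but is gated by the token below, so
            # this is not an open-registration server.
            allow_registration = true;
            allow_federation = true;
            allow_encryption = true;
            new_user_displayname_suffix = "";
            registration_token_file = config.age.secrets.registrationToken.path;
          };
        };
      };
    };
  };
}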