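{ config, pkgs, ... }:

let
  # Public host name of the homeserver; reused as the Matrix server_name and
  # as the nginx virtual host, so the two cannot drift apart.
  fqdn = "matrix.bib3.de";
in
{
  # Only the reverse proxy is reachable from outside; Synapse itself binds to
  # loopback (see the listener below), so 8008 is deliberately not opened.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.postgresql = {
    enable = true;
    # Synapse needs a "C"-collated database, hence template0 plus the explicit
    # LC_* settings (the declarative ensureDatabases option cannot set those).
    #
    # The role is created WITHOUT a password on purpose. A PASSWORD literal in
    # this script ends up in the world-readable /nix/store, so it must not be
    # used as a real credential. The role is expected to authenticate by peer
    # auth over the local UNIX socket as the `matrix-synapse` system user.
    # NOTE(review): assumes the Synapse module's default database args point at
    # the local socket with user/database "matrix-synapse" — confirm for the
    # module version in use. If a TCP/password connection is required, read the
    # password from a file outside the Nix store rather than inlining it here.
    initialScript = pkgs.writeText "synapse-init.sql" ''
      CREATE ROLE "matrix-synapse" WITH LOGIN;
      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
        TEMPLATE template0
        LC_COLLATE = "C"
        LC_CTYPE = "C";
    '';
  };

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    # Sets the X-Forwarded-* headers that the Synapse listener trusts below.
    recommendedProxySettings = true;

    virtualHosts.${fqdn} = {
      enableACME = true;
      forceSSL = true;
      # Nothing is served at the site root; only the Matrix API paths are
      # exposed through the proxy.
      locations."/".extraConfig = ''
        return 404;
      '';
      # Client and federation API traffic is forwarded to Synapse on loopback.
      locations."/_matrix" = {
        proxyPass = "http://[::1]:8008";
      };
    };
  };

  services.matrix-synapse = {
    enable = true;
    server_name = fqdn;
    listeners = [
      {
        port = 8008;
        # Loopback only. This listener is plain HTTP and honours X-Forwarded-*
        # (x_forwarded = true), so it must never be reachable by anything but
        # the local nginx instance; a wider bind_address would let any client
        # spoof its source address.
        bind_address = "::1";
        type = "http";
        tls = false;
        x_forwarded = true;
        resources = [
          { names = [ "client" "federation" ]; compress = false; }
        ];
      }
    ];
    # LDAP password provider: user look-up by search, then bind with the
    # supplied credentials. STARTTLS upgrades the plain ldap:// connection
    # before any password is sent.
    # NOTE(review): no bind_dn is configured, so the search appears to run as
    # an anonymous bind — confirm the directory permits that. Whether the
    # provider verifies the LDAP server's certificate is not controlled by
    # these settings; confirm for the ldap_auth_provider version in use.
    extraConfig = ''
      password_providers:
        - module: "ldap_auth_provider.LdapAuthProvider"
          config:
            enabled: true
            mode: "search"
            uri: "ldap://bib3.de:389"
            start_tls: true
            base: "ou=users,o=bib3,c=DE"
            attributes:
              uid: "cn"
              mail: "mail"
              name: "givenName"
    '';
  };
}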