# NixOS module: nginx front end for a Matrix homeserver.
#
# The homeserver itself is not managed by this module (services.matrix-synapse
# is disabled); nginx forwards Matrix traffic to whatever is listening on
# loopback ports 8008 and 8009.
let
  domain = "tristans.cloud";
  hostname = "matrix";
  fqdn = "${hostname}.${domain}";

  # Plain-HTTP upstreams on loopback.
  # NOTE(review): the listeners are not defined in this file. Presumably the
  # podman container publishes these ports on 127.0.0.1 only; if they are
  # published on all interfaces, clients can reach the homeserver without
  # going through nginx/TLS. Confirm against the container config.
  synapseUpstream = "http://localhost:8008";
  slidingSyncUpstream = "http://localhost:8009";

  # Build the nginx directives that answer a location with a static JSON
  # document (HTTP 200, application/json, readable from any web origin).
  #
  # `data` is serialised with builtins.toJSON and placed inside a
  # single-quoted nginx string. Only pass static, trusted values: a `'` in
  # the data would terminate the nginx string and a `$` would be read by
  # nginx as a variable reference. The values used below contain neither.
  mkWellKnown = data: ''
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';

  # Discovery documents served from the apex domain.
  wellKnownLocations = {
    # Federation delegation: other servers are pointed at ${fqdn}:443.
    "= /.well-known/matrix/server".extraConfig = mkWellKnown {
      "m.server" = "${fqdn}:443";
    };

    # Client discovery: homeserver base URL and the MSC3575 proxy URL.
    "= /.well-known/matrix/client".extraConfig = mkWellKnown {
      "m.homeserver" = {
        base_url = "https://${fqdn}";
      };
      "org.matrix.msc3575.proxy" = {
        url = "https://${fqdn}";
      };
    };

    # Public support/contact document.
    "= /.well-known/matrix/support".extraConfig = mkWellKnown {
      admins = [
        {
          matrix_id = "@tristan:tristans.cloud";
          email_address = "tristan@tristans.cloud";
          role = "admin";
        }
      ];
    };
  };

  # Reverse-proxy locations shared by both virtual hosts.
  # Only /_matrix and /_synapse/client are forwarded; this file does not
  # proxy /_synapse/admin. The MSC3575 sync path is a longer prefix than
  # /_matrix, so nginx routes it to the port-8009 upstream instead.
  # NOTE(review): no proxy headers are set here. If the homeserver relies on
  # X-Forwarded-For for per-client rate limiting and logging, confirm they
  # are enabled elsewhere (e.g. services.nginx.recommendedProxySettings).
  proxyLocations = {
    "/_matrix".proxyPass = synapseUpstream;
    "/_synapse/client".proxyPass = synapseUpstream;
    "/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = slidingSyncUpstream;
  };
in
{
  services.matrix-synapse.enable = false; # using podman for the moment

  services.nginx.virtualHosts = {
    # Apex domain: discovery documents plus the Matrix proxy locations.
    # NOTE(review): no TLS options (enableACME/forceSSL) are set for this
    # vhost in this file. Presumably another module configures them; confirm,
    # since /_matrix traffic through this vhost carries access tokens and the
    # well-known documents are fetched over HTTPS.
    ${domain} = {
      locations = wellKnownLocations // proxyLocations;
    };

    # Dedicated Matrix host: ACME certificate, HTTP redirected to HTTPS.
    ${fqdn} = {
      enableACME = true;
      forceSSL = true;
      locations = proxyLocations;
    };
  };
}