{
  config,
  lib,
  ...
}: let
  inherit (import ./lib.nix) toAppRegistration;
  inherit (config.sops) templates placeholder;
in {
  virtualisation.oci-containers.containers.mautrix-signal = {
    image = "dock.mau.dev/mautrix/signal:v25.10";
    dependsOn = ["mautrix-signal-psql"];
    volumes = [
      "/home/tristan/pods/signal-bridge/mautrix-signal:/data:z"
    ];
    ports = [
      "29328:29328"
      "8000:8000"
    ];
  };

  # when you get around to backing this up
  # 1. stop the server.
  # 2. backup the db.
  # 3. migrate to newer version of postgres
  # 4. migrate db to local
  virtualisation.oci-containers.containers.mautrix-signal-psql = {
    image = "docker.io/postgres:14-alpine";
    ports = ["5435:5432"];
    volumes = ["/home/tristan/pods/signal-bridge/db:/var/lib/postgresql/data"];
    environmentFiles = [templates."mautrix-signal/psql.env".path];
  };
  sops.templates = {
    "mautrix-signal/psql.env" = {
      owner = config.users.users.nobody.name;
      content = lib.strings.toShellVars {
        POSTGRES_PASSWORD = placeholder."mautrix-signal/postgres_password";
        POSTGRES_USER = "signald";
        POSTGRES_DB = "signald";
      };
    };
  };
  sops.secrets = {
    "mautrix-signal/postgres_password" = {};
    "mautrix-signal/as_token" = {};
    "mautrix-signal/hs_token" = {};
  };
  sops.templates = {
    "mautrix-signal/appservice.yaml" = {
      owner = "matrix-synapse";
      content = toAppRegistration {
        id = "signal";
        port = 29328;
        as_token = placeholder."mautrix-signal/as_token";
        hs_token = placeholder."mautrix-signal/hs_token";
        sender_localpart = "Gx8tLTHsxVlrdD3qibaPdaP9t7GhfciV";
        "de.sorunome.msc2409.push_ephemeral" = true;
      };
    };
  };
  services.matrix-synapse.settings.app_service_config_files = [
    templates."mautrix-signal/appservice.yaml".path
  ];
}