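# Matrix homeserver (tuwunel) plus two static web clients (FluffyChat, Element),
# all fronted by Caddy. The homeserver itself only listens on a unix socket;
# Caddy terminates TLS for both the client API (443) and federation (8448).
{ config, inputs, pkgs, ... }:
let
  # sops-nix secrets are kept in the nix-secrets flake input, under sops/.
  sopsFolder = builtins.toString inputs.nix-secrets + "/sops";

  # FluffyChat reads config.json from its web root; pre-fill the homeserver
  # so users of fl.psychal.link land on this server instead of the upstream
  # default.
  fluffyconfig = pkgs.writeText "fluffychat-config.json" (
    builtins.toJSON { defaultHomeserver = "psychal.link"; }
  );

  # Drop the generated config.json into the FluffyChat web build output.
  customFluffy = pkgs.unstable.fluffychat-web.overrideAttrs (final: prev: {
    postInstall = ''
      cp ${fluffyconfig} $out/config.json
    '';
  });

  # Response headers for the two static client sites. Element Web's
  # deployment guidance asks for X-Frame-Options / frame-ancestors so the
  # client cannot be embedded in a third-party page (clickjacking of the
  # logged-in UI); nosniff and a conservative Referrer-Policy are cheap
  # additions that do not affect the clients' own behaviour.
  clientHeaders = ''
    header {
      X-Frame-Options "SAMEORIGIN"
      Content-Security-Policy "frame-ancestors 'self'"
      X-Content-Type-Options "nosniff"
      Referrer-Policy "strict-origin-when-cross-origin"
    }
  '';
in
{
  # NOTE(review): element-web is used unmodified here, so its bundled
  # config.json (and therefore its default homeserver) is whatever nixpkgs
  # ships; unlike FluffyChat it is not pointed at psychal.link. Confirm that
  # is intended.
  environment.systemPackages = [ customFluffy pkgs.unstable.element-web ];

  # Registration token, decrypted at activation. owner must match the user
  # tuwunel runs as, since the service reads the file at runtime; sops-nix's
  # default file mode keeps it unreadable to anyone else.
  sops.secrets."matrix/registration_token" = {
    owner = "tuwunel";
    sopsFile = "${sopsFolder}/services.yaml";
  };

  services.matrix-tuwunel = {
    enable = true;
    package = pkgs.unstable.matrix-tuwunel;
    stateDirectory = "tuwunel";
    settings = {
      global = {
        server_name = "psychal.link";
        new_user_displayname_suffix = "";

        # No TCP listener: Caddy reaches the homeserver through this socket.
        # 660 keeps the socket to owner + group; caddy is added to the
        # tuwunel group below. (The value is written as 660 per the
        # upstream config docs — presumably interpreted as an octal mode;
        # verify against the tuwunel config reference.)
        unix_socket_path = "/run/tuwunel/tuwunel.sock";
        unix_socket_perms = 660;

        # Registration is open only to clients presenting the token from
        # the sops secret above, so this is not an open-registration server.
        allow_registration = true;
        registration_token_file = config.sops.secrets."matrix/registration_token".path;

        allow_encryption = true;
        allow_federation = true;
        # Profile lookups need an authenticated user: prevents anonymous
        # user enumeration via /profile.
        require_auth_for_profile_requests = true;
        # Notary servers consulted for other servers' signing keys.
        trusted_servers = [ "matrix.org" ];
      };
    };
  };

  # Federation port. 80/443 for Caddy are not opened in this module —
  # presumably elsewhere in the host config; verify, otherwise ACME and the
  # client API will not be reachable.
  networking.firewall.allowedTCPPorts = [ 8448 ];

  # Grant caddy group access to the 660 unix socket.
  users.users.caddy.extraGroups = [ "tuwunel" ];

  services.caddy = {
    enable = true;
    virtualHosts = {
      # Client API on 443 and federation on 8448 both terminate here and
      # are proxied to tuwunel over the unix socket.
      "psychal.link, psychal.link:8448".extraConfig = ''
        reverse_proxy unix//run/tuwunel/tuwunel.sock
      '';

      # Static web clients on their own origins (separate from the
      # homeserver origin), with the clickjacking/nosniff headers above.
      "fl.psychal.link".extraConfig = ''
        ${clientHeaders}
        root * ${customFluffy}
        file_server
      '';
      "em.psychal.link".extraConfig = ''
        ${clientHeaders}
        root * ${pkgs.unstable.element-web}
        file_server
      '';
    };
  };
}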