# NixOS module for the tuwunel Matrix homeserver.
# Registration is token-gated; the token is pulled from the sops-encrypted
# services.yaml that lives in the nix-secrets flake input.
{ config, inputs, pkgs, ... }:
let
  # Root of the sops-managed secret files inside the nix-secrets input.
  sopsFolder = builtins.toString inputs.nix-secrets + "/sops";
in
{
  sops = {
    secrets."matrix/registration_token" = {
      # Owned by the service user so only tuwunel can read the decrypted file;
      # its runtime path is passed to the server as registration_token_file.
      owner = "tuwunel";
      sopsFile = "${sopsFolder}/services.yaml";
    };
  };

  services = {
    matrix-tuwunel = {
      enable = true;
      package = pkgs.matrix-tuwunel;
      stateDirectory = "tuwunel";

      settings.global = {
        server_name = "psychal.link";
        new_user_displayname_suffix = "";

        # The server listens on a unix socket rather than TCP. Group-writable
        # (660) so the reverse proxy can reach it via the tuwunel group, see
        # users.users.caddy below.
        unix_socket_path = "/run/tuwunel/tuwunel.sock";
        unix_socket_perms = 660;

        # allow_registration is only acceptable because a registration token
        # is required; keep these two settings together when editing.
        allow_registration = true;
        registration_token_file = config.sops.secrets."matrix/registration_token".path;

        allow_encryption = true;
        allow_federation = true;
        require_auth_for_profile_requests = true; # no user enumeration
        trusted_servers = [ "matrix.org" ];
      };
    };
  };

  # 8448 is the conventional Matrix federation port; the process that actually
  # terminates it (presumably caddy) is configured elsewhere.
  networking = {
    firewall.allowedTCPPorts = [ 8448 ];
  };

  # Grants the reverse proxy access to the 660 unix socket above.
  users.users.caddy.extraGroups = [ "tuwunel" ];
}