{ config, lib, ... }:

let
  inherit (lib) mkEnableOption mkOption mkIf mkDefault types throwIf hasSuffix;

  cfg = config.local.web.sites.matrix;
  inherit (config.local) domains;

  # Upstream Synapse URL used by every proxied location below.
  # nginx concatenates the request path onto proxy_pass, so the value must
  # not end in "/"; lib.throwIf is lazy, so the check only fires when one of
  # the proxyPass values that use it is actually evaluated.
  upstream = throwIf (hasSuffix "/" cfg.proxyUrl)
    "matrix site: a trailing slash *must not* be used here"
    cfg.proxyUrl;
in
{
  options.local.web.sites.matrix = {
    enable = mkEnableOption "matrix proxy site";
    # URL of the Synapse homeserver to forward Matrix traffic to (no trailing slash).
    proxyUrl = mkOption {
      type = types.str;
    };
  };

  config = mkIf cfg.enable {
    local.web = {
      enable = mkDefault true;
      # Request a certificate for the "matrix" host; the vhost below picks it
      # up via useACMEHost.
      ownedCerts = [ "matrix" ];
      sites.portal.enable = true;
    };

    services.nginx.virtualHosts = {
      # Server/client discovery documents are answered by Synapse itself, so
      # /.well-known/matrix/* on the main exdev domain is forwarded upstream.
      ${domains.exdev.main}.locations."/.well-known/matrix".proxyPass = upstream;

      ${domains.matrix.main} = {
        forceSSL = true;
        useACMEHost = domains.matrix.main;

        # Only the Matrix API paths listed here reach the homeserver; any
        # other path is refused. In particular /_synapse/admin is not proxied.
        # NOTE(review): Synapse relies on X-Forwarded-For / X-Forwarded-Proto
        # from the reverse proxy and nothing here sets them, so this presumably
        # depends on services.nginx.recommendedProxySettings being enabled
        # elsewhere — confirm.
        # NOTE(review): no client_max_body_size is set for /_matrix, so nginx's
        # default request-body limit may cap media uploads below Synapse's
        # max_upload_size — confirm the intended limit.
        locations = {
          "/".extraConfig = ''
            return 403;
          '';

          # Client-server and federation API.
          "/_matrix".proxyPass = upstream;

          # SSO callbacks, password resets and similar Synapse client pages.
          "/_synapse/client".proxyPass = upstream;
        };
      };
    };
  };
}