# NixOS module for the Matrix front door: publishes the `.well-known/matrix`
# delegation records on the exdev www vhost and reverse-proxies the Matrix
# API prefixes on the dedicated matrix vhost.
{ config, lib, ... }:

with lib;

let
  site = config.local.web.sites.matrix;
  inherit (config.local) domains;

  matrixHost = domains.matrix.main;

  # Render a `.well-known/matrix/*` document as a static nginx response.
  # The wildcard CORS header is needed because the client well-known lookup
  # is performed cross-origin by browsers.
  # NOTE(review): the JSON is embedded in a single-quoted nginx string and
  # builtins.toJSON does not escape `'`, so the interpolated domain values
  # must not contain one — confirm `domains` only holds plain hostnames.
  wellKnownResponse = payload: ''
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON payload}';
  '';

  # Delegation records: lookups against the exdev domain are pointed at the
  # dedicated Matrix host (server-to-server on :443, clients over https).
  wellKnownLocations = {
    "= /.well-known/matrix/server".extraConfig = wellKnownResponse {
      "m.server" = "${matrixHost}:443";
    };
    "= /.well-known/matrix/client".extraConfig = wellKnownResponse {
      "m.homeserver".base_url = "https://${matrixHost}";
    };
  };

  # Upstream homeserver URL. A trailing slash would make nginx replace the
  # matched location prefix in the proxied URI, so it is rejected at
  # evaluation time. Nothing else about the value is validated: the option
  # type is a plain `types.str`.
  upstream =
    throwIf (hasSuffix "/" site.proxyUrl)
      "matrix site: a trailing slash *must not* be used here"
      site.proxyUrl;

  # Only the Matrix API prefixes reach the homeserver; every other path on
  # the matrix vhost is denied outright.
  matrixLocations = {
    "/".extraConfig = ''
      return 403;
    '';
    # Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
    # *must not* be used here.
    "/_matrix".proxyPass = upstream;
    # Forward requests for e.g. SSO and password-resets.
    "/_synapse/client".proxyPass = upstream;
  };
in
{
  options.local.web.sites.matrix = {
    enable = mkEnableOption "matrix proxy site";
    # Base URL of the homeserver to proxy to, without a trailing slash.
    proxyUrl = mkOption {
      type = types.str;
    };
  };

  config = mkIf site.enable {
    local.web = {
      enable = mkDefault true;
      ownedCerts = [ "matrix" ];
      sites.portal.enable = true;
    };

    services.nginx.virtualHosts = {
      # Well-known records live on the public www host of the exdev domain.
      ${domains.exdev.www}.locations = wellKnownLocations;

      # The homeserver itself: TLS only, certificate from the ACME host of
      # the same name.
      ${matrixHost} = {
        forceSSL = true;
        useACMEHost = matrixHost;
        locations = matrixLocations;
      };
    };
  };
}