# NixOS module: runs the continuwuity Matrix homeserver behind Caddy, serves
# the /.well-known/matrix discovery documents, and opens the federation port.
{ config, pkgs, service_configs, lib, ... }:
let
  ports = service_configs.ports;
  httpsDomain = service_configs.https.domain;
  matrixDomain = service_configs.matrix.domain;
  matrixCfg = config.services.matrix-continuwuity;
  stateDir = "/var/lib/private/continuwuity";

  # Upstream source pinned to an exact commit. `hash` fixes the fetched
  # content, so a changed `rev` has to be accompanied by a new hash here and
  # a new vendor hash in `cargoDeps` below.
  continuwuitySrc = pkgs.fetchFromGitea {
    domain = "forgejo.ellis.link";
    owner = "continuwuation";
    repo = "continuwuity";
    rev = "688ef727e5f2b04812f79bd5507e02f17f70b699";
    hash = "sha256-mLcz20Gd5cYOCox0vDWYepFYenBD72klcDM1ARxk1dA=";
  };

  # nixpkgs' matrix-continuwuity rebuilt from the pinned source above.
  continuwuityPackage = pkgs.matrix-continuwuity.overrideAttrs (old: {
    src = continuwuitySrc;

    # Vendored crates are fetched separately and carry their own hash.
    cargoDeps = pkgs.rustPlatform.fetchCargoVendor {
      src = continuwuitySrc;
      name = "${old.pname}-vendor";
      hash = "sha256-V7OEvZxRe4Hg/XNp4PtQWxxQS8a5ONUw5X+6n7DIaCI=";
    };

    # Extension point for local patches; the appended list is currently empty.
    patches = (old.patches or [ ]) ++ [ ];
  });
in
{
  imports = [
    # Project helpers (defined outside this file). Presumably they mount the
    # state directory from the SSD pool and apply the tmpfiles-style rule
    # below -- confirm against their definitions.
    (lib.serviceMountWithZpool "continuwuity" service_configs.zpool_ssds [ stateDir ])
    (lib.serviceFilePerms "continuwuity" [
      # 0770: owner and group get full access, everyone else none.
      "Z ${stateDir} 0770 ${matrixCfg.user} ${matrixCfg.group}"
    ])
  ];

  services.matrix-continuwuity = {
    enable = true;
    package = continuwuityPackage;

    settings.global = {
      port = [ ports.matrix ];
      server_name = httpsDomain;

      # Registration is open, so the token is the only gate on account
      # creation; treat it as a credential.
      allow_registration = true;
      # NOTE(review): builtins.readFile runs at evaluation time, so the token
      # becomes part of `settings`. If the module renders `settings` to a file
      # in the world-readable Nix store (the usual pattern -- confirm), every
      # local user can read it. continuwuity's `registration_token_file`,
      # pointed at a runtime-provisioned secret, avoids that.
      registration_token = lib.strings.trim (builtins.readFile ../secrets/matrix_reg_token);

      new_user_displayname_suffix = "";

      # Homeservers relied on as key servers for other servers' signing keys
      # (per the continuwuity config docs -- confirm for this version).
      trusted_servers = [
        "matrix.org"
        "constellatory.net"
        "tchncs.de"
        "envs.net"
      ];

      # Listens on every IPv4 interface. Caddy below reaches the service via
      # `:<port>` on this host, and this file only opens the federation port
      # in the firewall, so off-host reachability of this port depends on the
      # firewall staying enabled.
      # NOTE(review): bind to loopback if nothing off-host needs direct access.
      address = [ "0.0.0.0" ];

      # TURN server config (coturn)
      # NOTE(review): same exposure concern as registration_token -- the
      # shared secret is copied into `settings` as a plain string. Consider
      # `turn_secret_file` here together with coturn's
      # `static-auth-secret-file`.
      turn_secret = config.services.coturn.static-auth-secret;
      turn_uris = [
        "turn:${httpsDomain}?transport=udp"
        "turn:${httpsDomain}?transport=tcp"
      ];
      # Presumably seconds, i.e. TURN credentials valid for 24 hours -- confirm.
      turn_ttl = 86400;
    };
  };

  services.caddy.virtualHosts = {
    # Discovery documents on the apex domain. They are public by design, so
    # the wildcard CORS header is scoped to /.well-known/matrix/* only.
    # NOTE(review): the client document also carries an "m.server" object;
    # client discovery normally keys on "m.homeserver" -- verify whether the
    # extra key is needed.
    ${httpsDomain}.extraConfig = lib.mkBefore ''
      header /.well-known/matrix/* Content-Type application/json
      header /.well-known/matrix/* Access-Control-Allow-Origin *
      respond /.well-known/matrix/server `{"m.server": "${matrixDomain}:${toString ports.https}"}`
      respond /.well-known/matrix/client `{"m.server":{"base_url":"https://${matrixDomain}"},"m.homeserver":{"base_url":"https://${matrixDomain}"},"org.matrix.msc3575.proxy":{"base_url":"https://${matrixCfg.settings.global.server_name}"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://${service_configs.livekit.domain}"}]}`
    '';

    # The Matrix domain is proxied to the homeserver's local port.
    ${matrixDomain}.extraConfig = ''
      reverse_proxy :${toString ports.matrix}
    '';

    # Exact duplicate for federation port
    "${matrixDomain}:${toString ports.matrix_federation}".extraConfig =
      config.services.caddy.virtualHosts."${matrixDomain}".extraConfig;
  };

  # for federation
  # NOTE(review): the UDP rule is presumably for HTTP/3 (QUIC) on the Caddy
  # federation vhost -- confirm, and drop it if only TCP is served.
  networking.firewall = {
    allowedTCPPorts = [ ports.matrix_federation ];
    allowedUDPPorts = [ ports.matrix_federation ];
  };
}