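# Matrix homeserver: conduwuit run through the NixOS `matrix-conduit` module,
# published by Caddy. The apex domain only serves the /.well-known/matrix
# delegation documents; the homeserver itself answers on `matrix_hostname`.
{
  pkgs,
  config,
  service_configs,
  lib,
  ...
}:
{
  # NOTE(review): builtins.readFile runs at evaluation time, so the token text
  # becomes an ordinary option value. Whatever the module renders from
  # `settings` (presumably a config file in the world-readable Nix store) will
  # then contain it in clear text, and a trailing newline in the file is kept
  # as part of the token. Prefer a secret that is read at runtime from a path
  # outside the store; conduwuit documents a `registration_token_file` setting
  # for this -- confirm it exists in the packaged version before switching.
  services.matrix-conduit.settings.global.registration_token = builtins.readFile ../secrets/matrix_reg_token;

  # Delegation documents on the apex domain. mkBefore places these directives
  # ahead of any other extraConfig defined for the same virtual host.
  # `Access-Control-Allow-Origin *` is limited to the /.well-known/matrix/*
  # matcher, so it does not loosen CORS for the rest of the site.
  # NOTE(review): `org.matrix.msc3575.proxy` points at server_name (the apex
  # domain), not at matrix_hostname -- confirm that is the intended endpoint.
  services.caddy.virtualHosts.${service_configs.https.domain}.extraConfig = lib.mkBefore ''
    header /.well-known/matrix/* Content-Type application/json
    header /.well-known/matrix/* Access-Control-Allow-Origin *
    respond /.well-known/matrix/server `{"m.server": "${service_configs.https.matrix_hostname}:443"}`
    respond /.well-known/matrix/client `{"m.server":{"base_url":"https://${service_configs.https.matrix_hostname}"},"m.homeserver":{"base_url":"https://${service_configs.https.matrix_hostname}"},"org.matrix.msc3575.proxy":{"base_url":"https://${config.services.matrix-conduit.settings.global.server_name}"}}`
  '';

  # Client and federation traffic on 443 is handed to conduwuit on its local port.
  services.caddy.virtualHosts."${service_configs.https.matrix_hostname}".extraConfig = ''
    reverse_proxy :${builtins.toString config.services.matrix-conduit.settings.global.port}
  '';

  # Exact duplicate of the matrix_hostname virtual host above, for the
  # federation port. The previous lookup was keyed on server_name, which is the
  # apex domain, so port 8448 received that site's configuration instead of the
  # reverse proxy to the homeserver.
  services.caddy.virtualHosts."${service_configs.https.matrix_hostname}:8448".extraConfig =
    config.services.caddy.virtualHosts."${service_configs.https.matrix_hostname}".extraConfig;

  services.matrix-conduit = {
    enable = true;
    package = pkgs.conduwuit;

    settings.global = {
      port = 6167;
      server_name = service_configs.https.domain;
      database_backend = "rocksdb";

      # Registration is open, gated only by the registration_token set at the
      # top of this module; the token is the sole control on account creation.
      allow_registration = true;

      new_user_displayname_suffix = "";

      # NOTE(review): presumably the servers whose key-notary answers are
      # accepted; keep this list to operators you actually trust.
      trusted_servers = [
        "matrix.org"
        "constellatory.net"
        "tchncs.de"
        "envs.net"
      ];

      # without this, conduit fails to start
      # NOTE(review): 0.0.0.0 makes the plain-HTTP listener reachable on every
      # interface, while Caddy only needs it over loopback. Make sure the
      # firewall does not expose port 6167, and check whether a loopback
      # address also lets the service start.
      address = "0.0.0.0";
    };
  };

  # State directory: read/write/traverse for owner and group, nothing for others.
  systemd.tmpfiles.rules = [
    "d /var/lib/private/matrix-conduit 0770 conduit conduit"
  ];
}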