{
  config,
  lib,
  pkgs,
  ...
}:

with pkgs;

{
  # Matrix server configuration
  services.matrix-continuwuity = {
    enable = true;
    settings = {
      global = {
        server_name = "psydnd.org";
        port = [ 8008 ];
        allow_encryption = true;
        allow_federation = true;
        well_known.client = "https://matrix.psydnd.org";
      };
    };
  };

  ## Matrix bridges
  # Facebook
  services.mautrix-meta.instances.facebook = {
    enable = true;
    environmentFile = config.age.secrets.facebook.path;
    settings = {
      homeserver = {
        address = "https://matrix.psysdnd.org";
        domain = "psydnd.org";
      };
      appservice = {
        address = "http://localhost:8228";
        port = 8228;
        database = "$DB_STRING";
      };
      bridge.permissions."@coolneng:psydnd.org" = "admin";
    };
    serviceDependencies = [ "continuwuity.service" ];
  };

  # Enable voice messages for Facebook
  systemd.services.matrix-as-facebook.path = [ ffmpeg ];

  # Telegram
  services.mautrix-telegram = {
    enable = true;
    environmentFile = config.age.secrets.telegram.path;
    settings = {
      homeserver = {
        address = "https://matrix.psysdnd.org";
        domain = "psydnd.org";
      };
      appservice = {
        address = "http://localhost:8118";
        port = 8118;
        database = "$DB_STRING";
      };
      bridge.permissions."@coolneng:psydnd.org" = "admin";
    };
    serviceDependencies = [ "continuwuity.service" ];
  };

  # Signal
  services.mautrix-signal = {
    enable = true;
    environmentFile = config.age.secrets.signal.path;
    settings = {
      homeserver = {
        address = "https://matrix.psysdnd.org";
        domain = "psydnd.org";
      };
      appservice = {
        address = "http://localhost:8338";
        port = 8338;
        database = "$DB_STRING";
      };
      bridge.permissions."@coolneng:psydnd.org" = "admin";
    };
    serviceDependencies = [ "continuwuity.service" ];
  };

  # HACK Use libolm as there's no good alternative
  nixpkgs.config.permittedInsecurePackages = [
    "olm-3.2.16"
  ];

  # Start dendrite after config files are mounted
  systemd.services.continuwuity.unitConfig.RequiresMountsFor = [
    /var/lib/mautrix-meta-facebook
    /var/lib/mautrix-signal
    /var/lib/mautrix-telegram
  ];

  # MQTT configuration
  services.mosquitto = {
    enable = true;
    dataDir = "/vault/mosquitto";
    logType = [
      "websockets"
      "error"
      "warning"
      "notice"
      "information"
    ];
    logDest = [ "syslog" ];
    listeners = [
      {
        users.homeostasis = {
          acl = [ "write #" ];
          hashedPasswordFile = config.age.secrets.mqtt-sender.path;
        };
        users.prometheus = {
          acl = [ "read #" ];
          hashedPasswordFile = config.age.secrets.mqtt-receiver.path;
        };
      }
    ];
  };

}