{pkgs, config, ...}:
{
  users.users = {
    postgres = {
      isSystemUser = true;
    };
    matrix-synapse = {
      isSystemUser = true;
    };
  };

  services.postgresql = {
    enable = true;
    ensureDatabases = [ "matrix-synapse" ];
    ensureUsers = [
      {
        name = "matrix-synapse";
        ensureDBOwnership = true;
        ensureClauses.login = true;
      }
    ];
    authentication = pkgs.lib.mkOverride 10 ''
      #type #database          #user           #auth-method
      local postgres           all             trust
      local matrix-synapse     matrix-synapse  trust
    '';
  };

  networking.firewall.allowedTCPPorts = [ 8008 8448 ];

  services.matrix-synapse = {
    enable = true;
    settings = {
      server_name = "matrix.shobu.fr";
      public_baseurl = "https://matrix.shobu.fr/";
      enable_registration = true;
      enable_registration_captcha = true;
      serve_server_wellknown = true;
      listeners = [
        {
          port = 8008;
          bind_addresses = ["0.0.0.0"];
          type = "http";
          tls = false;
          x_forwarded = true;
          resources = [
            {
              names = [ "client" "federation" ];
              compress = true;
            }
          ];
        }
      ];
    };

    extraConfigFiles = [
      config.age.secrets.captcha.path
    ];
  };
}