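# Single-host Matrix (Synapse) deployment: Synapse on a loopback-only HTTP
# listener, PostgreSQL as its database, and nginx terminating TLS for both the
# apex domain (serving the .well-known delegation documents) and the matrix
# subdomain (reverse-proxying to Synapse).
{ config, pkgs, lib, ... }:
let
  # Placeholder: replace with the real domain before deploying. It becomes the
  # Matrix server_name (user IDs are @user:<domain>), which cannot be changed
  # once the server has federated.
  domain = "enter-your-domain";
  matrixDomain = "matrix.${domain}";

  # Body of https://<domain>/.well-known/matrix/client (client-server delegation).
  clientConfig = {
    "m.homeserver".base_url = "https://${matrixDomain}";
    "m.identity_server" = {};
  };

  # Body of https://<domain>/.well-known/matrix/server (federation delegation).
  serverConfig = {
    "m.server" = "${matrixDomain}:443";
  };

  # nginx location snippet that answers with `data` serialised as JSON. The
  # wildcard CORS header is what the Matrix spec requires for the well-known
  # endpoints; the documents contain nothing sensitive.
  mkWellKnown = data: ''
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
    return 200 '${builtins.toJSON data}';
  '';
in
{
  services.matrix-synapse = {
    enable = true;
    settings = {
      server_name = domain;
      public_baseurl = "https://${matrixDomain}";

      # Plain HTTP on loopback only; nginx terminates TLS. x_forwarded makes
      # Synapse take the client address from X-Forwarded-For, which is only
      # safe because nothing but the local nginx can reach [::1]:8008.
      listeners = [
        {
          port = 8008;
          bind_addresses = ["::1"];
          type = "http";
          tls = false;
          x_forwarded = true;
          resources = [
            {
              names = ["client" "federation"];
              compress = true;
            }
          ];
        }
      ];

      database = {
        name = "psycopg2";
        # Suppresses Synapse's refusal to start on a database whose collation
        # is not "C"; Synapse's PostgreSQL documentation warns that this can
        # lead to index corruption across locale/libc upgrades. Prefer creating
        # the database with C collation and dropping this flag.
        allow_unsafe_locale = true;
        args = {
          user = "matrix-synapse";
          database = "matrix-synapse";
          # Unix-socket connection; no password is configured here.
          host = "/run/postgresql";
        };
      };

      # NOTE(review): confirm the key name `max_upload_size_mib` and the
      # `require_admin` rule field against the Synapse configuration reference
      # for the deployed version; a mistyped key may silently fall back to the
      # default rather than fail at build time.
      max_upload_size_mib = 100;
      url_preview_enabled = true;
      enable_registration = false;
      enable_metrics = false;
      # Read by Synapse at runtime; this module does not create the file, so it
      # must be provisioned separately with permissions restricted to the
      # matrix-synapse user.
      registration_shared_secret_path = "/var/lib/matrix-synapse/registration_secret";

      # Allow others to view the public room list
      allow_public_rooms_without_auth = true;
      allow_public_rooms_over_federation = true;
      room_list_publication_rules = [
        {
          action = "allow";
          user_id = "*";
          room_id = "*";
          alias = "*";
          require_admin = true;
        }
      ];

      trusted_key_servers = [
        { server_name = "matrix.org"; }
      ];
    };
  };

  services.postgresql = {
    enable = true;
    ensureDatabases = ["matrix-synapse"];
    ensureUsers = [
      {
        name = "matrix-synapse";
        ensureDBOwnership = true;
      }
    ];
  };

  services.nginx.enable = true;

  # Generates a self-signed certificate once and re-asserts ownership and
  # permissions on every activation. A self-signed certificate is rejected by
  # federation peers and by most clients, so this only works for local testing;
  # for a reachable server use an ACME-issued certificate instead
  # (virtualHosts.<name>.enableACME together with security.acme.acceptTerms
  # and security.acme.defaults.email) and drop this script.
  system.activationScripts.generate-matrix-certs = {
    text = ''
      mkdir -p /var/lib/matrix-certs
      # Ensure permissions on the directory itself
      chown nginx:nginx /var/lib/matrix-certs
      chmod 750 /var/lib/matrix-certs
      if [ ! -f /var/lib/matrix-certs/matrix.key ]; then
        # Create the key under a restrictive umask so it is never readable by
        # other users in the window between creation and the chmod below.
        # The subshell keeps the umask change from leaking into the rest of
        # the activation script.
        (
          umask 077
          ${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 \
            -keyout /var/lib/matrix-certs/matrix.key \
            -out /var/lib/matrix-certs/matrix.crt \
            -days 3650 -nodes -subj "/CN=${matrixDomain}"
        )
      fi
      # Force permissions on files every time
      chown nginx:nginx /var/lib/matrix-certs/matrix.*
      chmod 640 /var/lib/matrix-certs/matrix.key
      chmod 644 /var/lib/matrix-certs/matrix.crt
      # Ensure log directory exists and is writable
      mkdir -p /var/log/nginx
      chown -R nginx:nginx /var/log/nginx
      chmod 750 /var/log/nginx
    '';
    # Run after the nginx user and group exist so the chowns succeed.
    deps = ["users"];
  };

  services.nginx.virtualHosts.${domain} = {
    sslCertificate = "/var/lib/matrix-certs/matrix.crt";
    sslCertificateKey = "/var/lib/matrix-certs/matrix.key";
    forceSSL = true;
    # Exact-match locations: only the two delegation documents are served here.
    locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
    locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
  };

  services.nginx.virtualHosts.${matrixDomain} = {
    sslCertificate = "/var/lib/matrix-certs/matrix.crt";
    sslCertificateKey = "/var/lib/matrix-certs/matrix.key";
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://[::1]:8008";
      extraConfig = ''
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        # Must be at least the Synapse upload limit, or nginx rejects uploads
        # before Synapse sees them.
        client_max_body_size 100M;
      '';
    };
  };

  # Only HTTPS is exposed; 8008 stays loopback-only. Port 80 is not opened, so
  # the HTTP->HTTPS redirect that forceSSL configures is unreachable from
  # outside (and ACME HTTP-01 validation would need it if ACME is adopted).
  networking.firewall.allowedTCPPorts = [443];
}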