{ config, pkgs, ... }:

let
  inherit (config.services.matrix-conduit.settings.global) server_name;
  bridge_permissions = {
    "@felschr:${server_name}" = "admin";
    "@felschr:matrix.org" = "admin";
  };
  bridge_encryption = {
    allow = true;
    default = true;
    # TODO encryption doesn't work yet
    # require = true;
    # appservice = true;
    allow_key_sharing = true;
    delete_keys.delete_outdated_inbound = false;
  };
in
{
  # Mautrix-signal settings
  services.signald.enable = true;
  systemd.services.matrix-as-signal = {
    requires = [ "signald.service" ];
    after = [ "signald.service" ];
    path = [
      pkgs.ffmpeg # voice messages need `ffmpeg`
    ];
  };

  services.matrix-appservices = {
    addRegistrationFiles = false;
    homeserverDomain = server_name;
    homeserverURL = "https://matrix.${server_name}";
    services = {
      signal = {
        port = 29184;
        format = "mautrix-python";
        package = pkgs.unstable.mautrix-signal;
        serviceConfig = {
          StateDirectory = [ "matrix-as-signal" ];
          SupplementaryGroups = [ "signald" ];
        };
        settings.signal = {
          socket_path = config.services.signald.socketPath;
          outgoing_attachment_dir = "/var/lib/signald/tmp";
        };
        settings.bridge.permissions = bridge_permissions;
        settings.bridge.encryption = bridge_encryption;
      };
      whatsapp = {
        port = 29183;
        format = "mautrix-go";
        package = pkgs.unstable.mautrix-whatsapp;
        settings.bridge.permissions = bridge_permissions;
        settings.bridge.encryption = bridge_encryption;
      };
    };
  };
}