# Continuwuity (Matrix homeserver) deployment.
#
# Builds a layered container image around the `matrix-continuwuity` package,
# runs it through the project's `foundation.service` abstraction, and exposes
# it via an nginx TLS virtual host that proxies to the container's local port.
{ config, pkgs, unstablePkgs, auxiliaryPkgs, ... }:
let
  homeserver = unstablePkgs.matrix-continuwuity;

  # Port nginx proxies to on 127.0.0.1 (see `toHomeserver` below).
  listenPort = 2123;

  # Host directory holding the database and the hand-maintained TOML config;
  # neither is generated by this module.
  hostStateDir = "/srv/matrix";

  # In-container locations for configuration and the registration token.
  containerEtc = "/etc/continuwuity";
  containerConfig = "${containerEtc}/continuwuity.toml";

  registrationToken = config.age.secrets.continuwuity-registration-token;

  # Image is tagged with the package version, so a package bump yields a new tag.
  image = pkgs.dockerTools.streamLayeredImage {
    name = "continuwuity";
    tag = homeserver.version;
    fromImage = auxiliaryPkgs.common.alpine.base;
    contents = [ homeserver ];
  };

  # Every nginx location below forwards to the same loopback upstream.
  # NOTE(review): no proxy headers are set here. Unless
  # `services.nginx.recommendedProxySettings` is enabled elsewhere, the backend
  # sees 127.0.0.1 as the client address for every request, which weakens
  # per-IP rate limiting and makes homeserver logs less useful - confirm.
  toHomeserver = {
    proxyPass = "http://127.0.0.1:${toString listenPort}";
  };
in
{
  # Only the encrypted .age file is referenced from the repository. Owner and
  # mode are not set here, so the agenix defaults apply.
  # NOTE(review): confirm the user the container runs as can read the decrypted
  # file through the bind mount, and that nothing else needs access to it.
  age.secrets.continuwuity-registration-token.file =
    ../secrets/continuwuity-registration-token.age;

  foundation.service.continuwuity.continuwuity = {
    inherit image;

    # NOTE(review): nginx reaches the server on 127.0.0.1 only. Verify that
    # `foundation.service` publishes this port on loopback rather than on all
    # interfaces; otherwise the homeserver is reachable without TLS, bypassing
    # the reverse proxy.
    ports = [ listenPort ];

    # Each entry is a [ hostPath containerPath ] pair.
    volumes = [
      [ "${hostStateDir}/db" "/var/lib/continuwuity" ]
      [ "${hostStateDir}/continuwuity.toml" containerConfig ]
      # Presumably the TOML config reads the registration token from this
      # path - confirm against the config file, which is not part of this module.
      [ "${registrationToken.path}" "${containerEtc}/registration-token" ]
    ];

    environment = {
      CONDUWUIT_CONFIG = containerConfig;
    };

    entrypoint = "${homeserver}/bin/conduwuit";
  };

  services.nginx.virtualHosts."matrix.rnrd.eu" = {
    # Reuses the certificate of the "rnrd.eu" ACME host, which is configured
    # elsewhere and must cover matrix.rnrd.eu.
    useACMEHost = "rnrd.eu";
    forceSSL = true;

    # All four prefixes share one upstream; "/" alone would already match the
    # others, they are listed explicitly as in the original configuration.
    locations = {
      "/" = toHomeserver;
      "/_matrix" = toHomeserver;
      "/_conduwuit" = toHomeserver;
      "/_continuwuity" = toHomeserver;
    };

    # NOTE(review): keep client_max_body_size in line with the homeserver's own
    # upload limit. The `json_combined` log format must be defined elsewhere.
    # The access log records full request lines, so any credential a client
    # passes in a query string would land in it - treat the file as sensitive
    # (permissions, retention).
    extraConfig = ''
      client_max_body_size 20M;
      proxy_connect_timeout 600;
      proxy_send_timeout 600;
      proxy_read_timeout 600;
      send_timeout 600;
      access_log /var/log/nginx/matrix.access.log json_combined;
    '';
  };
}