# NixOS module: tuwunel Matrix homeserver for glia.club, handed to Caddy over
# a unix socket.
{ config, pkgs, lib, ... }:
let
  tuwunel = config.services.matrix-tuwunel;

  # Caddy upstream, derived from the homeserver's own socket setting so the
  # proxy and the server cannot drift apart.
  upstream = "unix/${tuwunel.settings.global.unix_socket_path}";
in
{
  # The registration token is a sops-managed secret; its file is owned by the
  # homeserver's service user, which is the account that has to read it.
  sops.secrets.tuwunelreg.owner = tuwunel.user;

  services.matrix-tuwunel = {
    enable = true;
    stateDirectory = "tuwunel";

    # Has to match the group of whichever reverse proxy is in front, otherwise
    # the proxy cannot use the unix socket.
    group = config.services.caddy.group;

    settings.global = {
      # Listener: unix socket only, with `address` explicitly null.
      # NOTE(review): presumably null is required (or at least intended) when
      # unix_socket_path is set, so no TCP listener is opened; confirm against
      # the module's option docs.
      address = null;
      unix_socket_path = "/run/tuwunel/tuwunel.sock";

      server_name = "glia.club";
      new_user_displayname_suffix = "🌱";

      allow_encryption = true;
      # NOTE(review): federation is off, yet the Caddy vhost below still
      # listens on :8448 and forwards /.well-known/matrix/server; confirm that
      # this extra exposure is wanted.
      allow_federation = false;

      # Registration is enabled and the token comes from the secret file, never
      # from the world-readable Nix store.
      # NOTE(review): anyone holding the token can create an account; rotate
      # the secret if it leaks.
      allow_registration = true;
      registration_token_file = config.sops.secrets.tuwunelreg.path;
    };
  };

  # Only the Matrix, tuwunel and well-known paths are forwarded to the
  # homeserver; every other path on the vhost is left to Caddy.
  services.caddy.virtualHosts."glia.club, glia.club:8448".extraConfig = ''
    reverse_proxy /_matrix/* ${upstream}
    reverse_proxy /_tuwunel/* ${upstream}
    reverse_proxy /.well-known/matrix/client ${upstream}
    reverse_proxy /.well-known/matrix/server ${upstream}
    reverse_proxy /.well-known/matrix/support ${upstream}
  '';
}