# NixOS module: runs matrix-authentication-service (MAS) as a systemd unit.
#
# The non-secret part of the MAS configuration is rendered to YAML at build
# time (`masConfig`) and ends up in /nix/store, which is world-readable on the
# host. Anything confidential must therefore NOT live in this file; the unit
# passes a second `--config=/secrets/` layer for that (see ExecStart below).
#
# NOTE(review): this file appears to have been flattened onto one line before
# extraction, so several `#` comments below were swallowing the rest of the
# expression; they are restored to their own lines here. Some string values
# (e.g. the `from`/`reply_to` addresses) look truncated by the same process
# — compare against the upstream file before trusting them.
{ pkgs, ... }:
let
  masConfig = (pkgs.formats.yaml { }).generate "matrix-authentication-service-config.yaml" {
    http = {
      # Externally visible origin; must match what the reverse proxy serves.
      public_base = "https://matrix-auth.nekover.se";
      listeners = [
        {
          # Public listener: all user-facing resources on a unix socket that
          # the reverse proxy is expected to connect to (no TCP port exposed).
          name = "web";
          resources = [
            { name = "discovery"; }
            { name = "human"; }
            { name = "oauth"; }
            { name = "compat"; }
            { name = "graphql"; }
            { name = "assets"; }
          ];
          # NOTE(review): DynamicUser (below) implies systemd's
          # ProtectSystem=strict, under which /var/run is read-only unless a
          # RuntimeDirectory= is declared. Confirm the service can actually
          # create this socket; a RuntimeDirectory under /run would be the
          # conventional fix. Also check the socket's mode lets the reverse
          # proxy connect without being world-writable.
          binds = [{ socket = "/var/run/mas.sock"; }];
          proxy_protocol = false;
        }
        {
          # Health endpoint only, bound to loopback — not reachable externally.
          name = "internal";
          resources = [ { name = "health"; } ];
          binds = [ { host = "localhost"; port = 8081; } ];
          proxy_protocol = false;
        }
      ];
      # Peers allowed to set the client IP via forwarded headers. Every address
      # in these ranges can spoof the client IP seen in MAS logs/rate limits,
      # so keep this to where the reverse proxy actually lives.
      # SECURITY(review):
      #  - "10.0.0.0/10" covers only 10.0.0.0–10.63.255.255; the RFC 1918
      #    block is 10.0.0.0/8. Probably a typo — confirm which was intended.
      #  - "127.0.0.1/8" has host bits set; the canonical form is
      #    "127.0.0.0/8". Whether the parser accepts/normalises it should be
      #    verified rather than assumed.
      trusted_proxies = [
        "192.168.0.0/16"
        "172.16.0.0/12"
        "10.0.0.0/10"
        "127.0.0.1/8"
        "fd00::/8"
        "::1/128"
      ];
    };
    database = {
      # SECURITY: this URI embeds the database password ("mas") and is written
      # to the world-readable Nix store. Move the credential into the
      # /secrets/ config layer (later --config files override earlier ones —
      # confirm MAS merges `database.uri` that way), or switch to a local
      # unix-socket connection with peer authentication so no password exists.
      uri = "postgresql://mas_user:mas@localhost/mas";
      max_connections = 10;
      min_connections = 0;
      # Timeouts/lifetimes are in seconds (as MAS documents them — verify).
      connect_timeout = 30;
      idle_timeout = 600;
      max_lifetime = 1800;
    };
    email = {
      # NOTE(review): both addresses contain only the display name; the
      # `<mailbox>` part is likely lost to extraction. Verify before deploying.
      from = "\"Matrix Authentication Service\" ";
      reply_to = "\"No reply\" ";
      transport = "smtp";
      # Implicit TLS on 465 (not STARTTLS) — consistent with the port chosen.
      mode = "tls";
      hostname = "mail-1.grzb.de";
      port = 465;
      username = "matrix@nekover.se";
      # SMTP password deliberately not set here; expected from /secrets/.
      # password = "";
    };
    passwords = {
      # Local passwords remain enabled alongside the upstream IdP below, so
      # the local credential path (and its lockout/rate limits) stays in scope.
      enabled = true;
      schemes = [
        { version = 1; algorithm = "argon2id"; }
      ];
      # zxcvbn score 0–4; 3 rejects weak/common passwords.
      # See https://github.com/dropbox/zxcvbn#usage
      minimum_complexity = 3;
    };
    matrix = {
      homeserver = "nekover.se";
      # Shared secret with the homeserver is not here; expected from /secrets/.
      # secret =
      # Plain HTTP is acceptable only because this is loopback to Synapse.
      endpoint = "http://localhost:8008";
    };
    upstream_oauth2 = {
      providers = [{
        # Stable ULID for this provider; changing it breaks existing links.
        id = "01H8PKNWKKRPCBW4YGH1RWV279";
        issuer = "https://id.nekover.se/realms/nekoverse";
        human_name = "Nekoverse ID";
        token_endpoint_auth_method = "client_secret_basic";
        client_id = "matrix-authentication-service";
        # Client secret not stored here; expected from /secrets/.
        #client_secret = "";
        scope = "openid profile email";
        # Trust boundary: every imported claim below is controlled by the
        # upstream IdP. `require` on localpart means the IdP decides Matrix
        # IDs; if users can edit `preferred_username` on the IdP side, they
        # can influence (or collide on) their localpart — review IdP policy.
        claims_imports = {
          localpart = {
            action = "require";
            template = "\"{% if user.matrix_username is defined %}{{ user.matrix_username }}{% else %}{{ user.preferred_username }}{% endif %}\"";
          };
          displayname = {
            action = "suggest";
            template = "\"{% if user.matrix_username is defined %}{{ user.matrix_username }}{% else %}{{ user.preferred_username }}{% endif %}\"";
          };
          email = {
            action = "suggest";
            # NOTE(review): original literal contains a line break inside the
            # template; harmless to the renderer but worth collapsing upstream.
            template = "\"{{ 
user.email }}\"";
            # Takes the IdP's email_verified claim at face value.
            set_email_verification = "import";
          };
        };
      }];
    };
    # Signing/encryption keys intentionally absent from the store copy.
    # secrets = { }
  };
in
{
  # CLI available system-wide (e.g. `mas-cli manage`, `mas-cli doctor`).
  environment.systemPackages = with pkgs; [ matrix-authentication-service ];

  systemd.services.matrix-authentication-service = {
    description = "Matrix Authentication Service";
    after = [ "network-online.target" "postgresql.service" ];
    requires = [ "postgresql.service" ];
    wants = [ "network-online.target" ];
    serviceConfig = {
      Type = "simple";
      ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
      # NOTE(review): on-abort restarts only after an uncaught signal; a
      # non-zero exit (e.g. DB unavailable at boot) leaves the auth service
      # down. on-failure is the usual choice for a login-critical daemon.
      Restart = "on-abort";
      # DynamicUser gives a transient UID plus systemd's implied hardening
      # (NoNewPrivileges, PrivateTmp, ProtectSystem=strict, ProtectHome,
      # RemoveIPC). NOTE(review): pairing it with the static Group "nogroup"
      # is unusual — confirm systemd accepts this combination as intended.
      DynamicUser = "yes";
      User = "mas";
      Group = "nogroup";
      WorkingDirectory = pkgs.matrix-authentication-service;
      # Two config layers: the store copy (non-secret) and /secrets/ (keys,
      # passwords, client secret). NOTE(review): /secrets/ is a directory
      # path — confirm mas-cli accepts a directory for --config rather than
      # requiring individual files. /secrets/ must also be readable by the
      # dynamic user but by nothing else.
      ExecStart = "${pkgs.matrix-authentication-service}/bin/mas-cli server --config=${masConfig} --config=/secrets/";
      SyslogIdentifier = "matrix-authentication-service";
    };
    wantedBy = [ "multi-user.target" ];
  };
}