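# NixOS module: Prosody XMPP server for ${networking.domain}.
# Covers the nftables rules it needs, its access to ACME-issued certificates,
# encryption requirements, the HTTP upload and MUC components, and
# registration/authentication policy.
{ pkgs, lib, config, ... }:
let
  inherit (config) networking;
  inherit (config.users) users;
  inherit (config.services) prosody;
  # httpsPorts rendered as the inside of an nftables set, e.g. "5281,5282".
  # It is only spliced into the ruleset when the list is non-empty: `tcp dport {}`
  # is a syntax error in nft and would make the whole ruleset fail to load.
  httpsPortsSet = lib.concatMapStringsSep "," toString prosody.httpsPorts;
in
{
  networking.nftables.ruleset = ''
    # Inbound: client-to-server (5222) and server-to-server (5269)
    add rule inet filter net2fw tcp dport {5222, 5269} counter accept comment "XMPP"
    # Inbound: SOCKS5 bytestream proxy, matches the proxy65 component configured below
    add rule inet filter net2fw tcp dport 5000 counter accept comment "XMPP XEP-0065 File Transfer Proxy"
  '' + lib.optionalString (prosody.httpsPorts != []) ''
    # Inbound: Prosody's HTTPS listeners (HTTP upload, etc.)
    add rule inet filter net2fw tcp dport {${httpsPortsSet}} counter accept comment "XMPP HTTPS"
  '' + ''
    # Outbound: only traffic originating from the Prosody service user is accepted
    add rule inet filter fw2net meta skuid ${prosody.user} counter accept comment "Prosody"
  '';

  # Let the Prosody user read the certificate files under /var/lib/acme/.
  # NOTE(review): group membership exposes every certificate readable by the
  # acme group, not only the one for ${networking.domain} -- confirm that is intended.
  users.groups.acme.members = [ users.prosody.name ];

  services.prosody = {
    enable = true;
    xmppComplianceSuite = true;
    modules = {
      websocket = false;
      limits = false;
      groups = true;
      announce = true;
      welcome = true;
      watchregistrations = true;
      motd = true;
    };
    extraModules = [
      #"net_multiplex"
    ];
    # XEP-0065 file transfer proxy; TCP 5000 is opened in the ruleset above.
    extraConfig = ''
      Component "proxy65.${networking.domain}" "proxy65"
          proxy65_ports = 5000
    '';
    #ports = {80};
    #ssl_ports = {443};

    # Refuse unencrypted c2s and s2s connections, and require the remote
    # server's certificate to validate for s2s.
    c2sRequireEncryption = true;
    s2sRequireEncryption = true;
    s2sSecureAuth = true;

    uploadHttp = {
      domain = "tmp.${networking.domain}";
      # Prosody's HTTP parser limit on body size
      uploadFileSizeLimit = "10485760";
      userQuota = 100 * 1024 * 1024;
      uploadExpireAfter = "60 * 60 * 24 * 7";
    };

    muc = [
      {
        domain = "salons.${networking.domain}";
        extraConfig = ''
          -- Only local accounts may create rooms
          restrict_room_creation = "local"
          max_history_messages = 42
          -- New rooms start locked until configured; unlock times out after 600s
          muc_room_locking = true
          muc_room_lock_timeout = 600
          muc_tombstones = true
          muc_tombstone_expiry = 31 * 24 * 60 * 60
          -- Room defaults
          muc_room_default_public = true
          muc_room_default_members_only = false
          muc_room_default_moderated = true
          muc_room_default_public_jids = false
          muc_room_default_change_subject = true
          muc_room_default_history_length = 42
          muc_room_default_language = "fr"
        '';
      }
    ];

    virtualHosts."${networking.domain}" = {
      enabled = true;
      domain = "${networking.domain}";
      ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
      ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
    };

    admins = [ "julm@${networking.domain}" ];
    # In-band account registration is disabled.
    allowRegistration = false;
    # Store password-derived hashes rather than plaintext credentials.
    authentication = "internal_hashed";
    # No plain-HTTP listener; only httpsPorts are served (and opened in the ruleset).
    httpPorts = [];
    disco_items = [];
  };
}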