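# NixOS module for the matrirc service.
#
# Runs `pkgs.matrirc` as a dedicated unprivileged system user inside a
# confinement chroot, limits its network egress to HTTPS via nftables
# (keyed on the service uid) and keeps daily ZFS snapshots of its state
# directory with sanoid.  Every path, user and rule below is derived from
# `srv` so that a rename only has to happen in one place.
{ pkgs, config, ... }:
let
  srv = "matrirc";
  inherit (config.users) users;
in
{
  # Dedicated system user/group; the unit, the state directory and the
  # nftables rule all key on this account.
  users.users.${srv} = {
    isSystemUser = true;
    group = srv;
  };
  users.groups.${srv} = { };

  systemd.services.${srv} = {
    description = "${srv} service";
    serviceConfig = {
      # Under the confinement chroot (see below) only the package closure is
      # visible, so the resolver configuration and the CA bundle have to be
      # bound in explicitly for DNS and TLS to work.  Read-only, so the
      # service cannot alter either.
      BindReadOnlyPaths = [
        "/etc/resolv.conf"
        "/etc/ssl/certs/ca-certificates.crt"
      ];
      Type = "simple";
      User = srv;
      # Uncomment for verbose tracing of the matrirc crate.
      #Environment = "RUST_LOG=matrirc=trace";
      # systemd creates these under /var/lib owned by `User`; the --state-dir
      # and --media-dir arguments below must stay in sync with them.
      StateDirectory = [ "${srv}" "${srv}/media" ];
      # The IRC listener is bound to loopback only (no TLS is configured on the
      # IRC side here), so only local clients can reach it.
      ExecStart = "${pkgs.matrirc}/bin/matrirc --ircd-listen 127.0.0.1:6667 --state-dir /var/lib/${srv} --media-dir /var/lib/${srv}/media"; # --allow-register --media-url https://gaia.codewreck.org/local/tmp/matrix
      Restart = "on-failure";
      NoNewPrivileges = true;
    };
    wantedBy = [ "default.target" ];
    # Chroot the service to its closure; no /bin/sh inside the chroot.
    # NOTE(review): "chroot-only" skips the extra namespace hardening the
    # default confinement mode applies -- confirm whether the default mode
    # works for this service before relying on this setting.
    confinement = {
      enable = true;
      binSh = null;
      mode = "chroot-only";
    };
  };
  # Let local IRC clients address the bridge by its service name.
  networking.hosts = {
    "127.0.0.1" = [ srv ];
  };
  # Egress allow-list entry: HTTPS only, and only for this service's uid.
  # The `output-net` chain (and its default policy) is assumed to be defined
  # elsewhere in the configuration; this file only adds the accept rule.
  # The user is looked up through `config` (rather than spelling the name
  # out) so evaluation fails if the account is ever removed or renamed.
  networking.nftables.ruleset = ''
    table inet filter {
      chain output-net {
        tcp dport 443 meta skuid ${users.${srv}.name} counter accept comment "${srv}"
      }
    }
  '';
  # Keep one week of daily snapshots of the service state (incl. media).
  services.sanoid.datasets."rpool/var/lib/${srv}" = {
    use_template = [ "snap" ];
    hourly = 0;
    daily = 7;
    monthly = 0;
    recursive = true;
  };

  # TODO: timer to cleanup /var/lib/${srv}/media ?
}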