{ config, ... }:

let
  inherit (config.machine.synapse) domain port;

  # Synapse's own upload ceiling (a size string such as "50M") is mirrored
  # into nginx so the two limits cannot drift apart.
  maxUploadSize = config.services.matrix-synapse.settings.max_upload_size;

  # All proxied locations talk to the same loopback Synapse listener; only
  # the per-location nginx directives differ, so each is built from one helper.
  synapseUrl = "http://127.0.0.1:${toString port}";
  proxied = extraConfig: {
    proxyPass = synapseUrl;
    inherit extraConfig;
  };
in
{
  # Lets the nginx worker open the matrix-synapse unix socket declared in the
  # upstream below.  NOTE(review): every proxyPass below targets the loopback
  # TCP port, so neither the socket upstream nor this group grant is exercised
  # as written -- either route through the upstream or drop both (least privilege).
  systemd.services.nginx.serviceConfig.SupplementaryGroups = [ "matrix-synapse" ];

  services.nginx = {
    # Per-client request buckets, keyed on the remote address, declared once
    # at http level and referenced by the locations below.
    # NOTE(review): keying on $binary_remote_addr assumes nginx sees the real
    # client address; a CDN or second proxy in front would fold all clients
    # into one bucket -- confirm the deployment topology.
    # NOTE(review): conn_limit is declared but no location applies a
    # limit_conn directive, so that zone currently has no effect.
    appendHttpConfig = ''
      limit_req_zone $binary_remote_addr zone=matrix_login:10m rate=1r/s;
      limit_req_zone $binary_remote_addr zone=matrix_register:10m rate=1r/m;
      limit_req_zone $binary_remote_addr zone=matrix_api:10m rate=20r/s;
      limit_req_zone $binary_remote_addr zone=matrix_media:10m rate=10r/s;
      limit_req_zone $binary_remote_addr zone=matrix_federation:10m rate=50r/s;
      limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
    '';

    # Unix-socket upstream (see the SupplementaryGroups note above).
    upstreams."matrix-synapse".servers = {
      "unix:/run/matrix-synapse/matrix-synapse.sock" = { };
    };

    virtualHosts.${domain} = {
      forceSSL = true;
      enableACME = true;

      # Regex locations take precedence over the plain /_matrix/client prefix,
      # so the login/register/sync patterns get their own, stricter buckets.
      # NOTE(review): there is no catch-all and no /_synapse/client location,
      # so anything outside the paths listed here is answered by nginx rather
      # than forwarded -- confirm that is intended.
      locations = {
        # Synapse client API: general bucket plus the shared upload ceiling.
        "/_matrix/client" = proxied ''
          limit_req zone=matrix_api burst=50 nodelay;
          client_max_body_size ${maxUploadSize};
        '';

        # Login: anchored with $, throttled well below the general API rate
        # to slow credential guessing.
        "~ ^/_matrix/client/(r0|v3)/login$" = proxied ''
          limit_req zone=matrix_login burst=3 nodelay;
        '';

        # Registration: deliberately unanchored, so every sub-path under
        # /register shares the same one-per-minute bucket.
        "~ ^/_matrix/client/(r0|v3)/register" = proxied ''
          limit_req zone=matrix_register burst=2 nodelay;
        '';

        # Sync: same bucket as the client API, but the proxy read timeout is
        # extended because these requests are held open for a long time.
        "~ ^/_matrix/client/(r0|v3|unstable)/sync" = proxied ''
          limit_req zone=matrix_api burst=50 nodelay;
          proxy_read_timeout 600s;
        '';

        # Media: own bucket plus the shared upload ceiling.
        "/_matrix/media" = proxied ''
          limit_req zone=matrix_media burst=100 nodelay;
          client_max_body_size ${maxUploadSize};
        '';

        # Federation: fixed 50M body cap rather than the client upload ceiling.
        "/_matrix/federation" = proxied ''
          limit_req zone=matrix_federation burst=100 nodelay;
          client_max_body_size 50M;
        '';

        # Server-key endpoints share the federation bucket.
        "/_matrix/key" = proxied ''
          limit_req zone=matrix_federation burst=50 nodelay;
        '';

        # Health check: exact match, kept out of the access log.
        "= /health" = proxied ''
          access_log off;
        '';

        # Block admin API from public; it stays reachable only via the
        # loopback listener, not through this virtual host.
        "/_synapse/admin".return = "404";
      };
    };
  };
}