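# NixOS module wiring the Matrix Synapse homeserver and the coturn TURN server
# to their sops-managed secrets. Everything below is gated on
# `config.machine.synapse.enable`, so a machine without Synapse declares none of
# these secrets and installs no template.
{ config, lib, ... }:
let
  inherit (config.machine.synapse) enable;
  inherit (lib) mkIf;

  # Every secret declared here comes from the shared secrets file.
  commonSecrets = ./../../secrets/common.yaml;

  # Attributes shared by every file Synapse must be able to read: owned by the
  # service user/group, and the unit is restarted whenever the file changes so
  # a rotated secret takes effect without a manual restart.
  synapseOwned = {
    owner = config.users.users.matrix-synapse.name;
    inherit (config.users.users.matrix-synapse) group;
    restartUnits = [ "matrix-synapse.service" ];
  };
in
mkIf enable {
  sops.secrets = {
    "matrix/registrationSharedSecret" = synapseOwned // { sopsFile = commonSecrets; };

    # Declared here but not consumed by this module; presumably referenced via
    # `services.matrix-synapse.settings.signing_key_path` elsewhere — confirm.
    "matrix/signingKey" = synapseOwned // { sopsFile = commonSecrets; };

    # The TURN shared secret is read by coturn, not Synapse, so it is owned by
    # the turnserver user and restarts coturn instead.
    "turn/authSecret" = {
      sopsFile = commonSecrets;
      owner = config.users.users.turnserver.name;
      inherit (config.users.users.turnserver) group;
      restartUnits = [ "coturn.service" ];
    };
  };

  # Extra Synapse config rendered at activation time with the placeholders
  # substituted, so the secret values are never written into the Nix store.
  # Synapse receives the same TURN secret coturn holds, which is what lets it
  # mint TURN credentials for clients.
  #
  # NOTE(review): `mail/servicePassword` is not declared in this module; the
  # placeholder only resolves if another module declares that secret — confirm.
  # NOTE(review): Synapse keeps its SMTP settings under `email:` in
  # homeserver.yaml; confirm the `mail:` key here is what the deployment expects.
  sops.templates.matrix-synapse-config = synapseOwned // {
    content = ''
      registration_shared_secret: ${config.sops.placeholder."matrix/registrationSharedSecret"}
      turn_shared_secret: ${config.sops.placeholder."turn/authSecret"}
      mail:
        smtp_pass: ${config.sops.placeholder."mail/servicePassword"}
    '';
  };

  # The whole module is already wrapped in `mkIf enable`, so no second
  # conditional is needed on this attribute.
  services.matrix-synapse.extraConfigFiles = [
    config.sops.templates.matrix-synapse-config.path
  ];
}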