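# Prosody XMPP server for distrust.network: LDAP-backed authentication, a MUC
# component, HTTP file sharing, TLS from the shared ACME certificate, and a
# daily borg backup of the prosody state directory.
{ pkgs, config, ... }:
let
  # Caddy owns ports 80/443, so it has to answer the HTTP-01 challenges for the
  # prosody certificate out of the ACME webroot. Only /.well-known/* is
  # exposed; the certificate directories under /var/lib/acme are never served.
  acmeChallengeHandler = ''
    handle /.well-known/* {
      root * /var/lib/acme/
      file_server
    }
  '';
in {
  # LDAP bind password, decrypted by agenix at activation and handed to the
  # prosody unit as an EnvironmentFile (see systemd.services.prosody below).
  age.secrets."prosody.env".file = ../../secrets/prosody.env;

  services = {
    prosody = {
      # lualdap is required by prosody's "ldap" authentication provider.
      package = pkgs.prosody.override {
        withExtraLuaPackages = pkgs: with pkgs.luaPackages; [ lualdap ];
      };
      enable = true;
      admins = [ "root@distrust.network" ];

      # A single ACME certificate (with SANs for the MUC and upload hosts)
      # backs every prosody listener. The key is made readable by the prosody
      # group in security.acme.certs."distrust.network".postRun below.
      ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
      ssl.key = "/var/lib/acme/distrust.network/key.pem";

      virtualHosts."distrust.network" = {
        enabled = true;
        domain = "distrust.network";
        ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
        ssl.key = "/var/lib/acme/distrust.network/key.pem";
      };

      muc = [ { domain = "conference.distrust.network"; } ];

      # Uploads are stored under the prosody state directory, so they are
      # covered by the borg job below.
      httpFileShare = {
        domain = "upload.distrust.network";
        path = "/var/lib/prosody";
      };

      # Authentication is delegated to the LDAP directory. The connection is
      # plain (unencrypted) LDAP, which is acceptable only because the server
      # is on loopback -- if ldap_server ever points off-host, switch to
      # ldaps/STARTTLS. The bind password is read from the unit environment
      # instead of being embedded in the generated config so it does not end
      # up in the world-readable Nix store.
      extraConfig = ''
        authentication = "ldap"
        ldap_base = "ou=people,dc=distrust,dc=network"
        ldap_server = "localhost:3890"
        ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network"
        ldap_password = os.getenv("LDAP_BIND_PASSWORD")
      '';
    };

    # Adjust caddy to serve the ACME challenges for every name on the
    # prosody certificate.
    caddy.virtualHosts = {
      "distrust.network".extraConfig = acmeChallengeHandler;
      "conference.distrust.network upload.distrust.network".extraConfig =
        acmeChallengeHandler;
    };

    borgbackup.jobs."prosody" = {
      repo = config.distrust.backups.borgRepository + "/./prosody";
      environment = {
        # accept-new pins the backup host's key on first contact and refuses a
        # changed key afterwards. The previous "StrictHostKeyChecking=no"
        # accepted any key silently, letting anyone on the path impersonate
        # the backup host. Pre-seeding the host's entry in known_hosts is
        # stronger still and avoids trusting the first connection.
        BORG_RSH = "ssh -i ${config.distrust.backups.borgSSHKey} -o 'StrictHostKeyChecking=accept-new'";
      };
      paths = [ "/var/lib/prosody" ];
      encryption = {
        # NOTE(review): in keyfile mode the repository key lives only on this
        # host (not inside the repo); make sure it is exported and stored
        # elsewhere, or the backups are unrecoverable if this machine is lost.
        mode = "keyfile";
        passCommand = config.distrust.backups.borgPassCommand;
      };
      compression = "auto,lzma";
      startAt = "daily";
      prune.keep = {
        daily = 7;
        weekly = 4;
        monthly = -1;
      };
    };
  };

  security.acme = {
    defaults = {
      email = "root@distrust.network";
      webroot = "/var/lib/acme";
    };
    acceptTerms = true;
    certs."distrust.network" = {
      extraDomainNames = [
        "upload.distrust.network"
        "conference.distrust.network"
      ];
      # Hand the (re)issued certificate to prosody: group prosody may read the
      # files and traverse the directory, nobody else gets anything, so caddy
      # (which is only in the acme group) cannot read the private key.
      # The previous "chmod -R 770" additionally granted group write and set
      # the execute bit on key.pem/fullchain.pem; "X" applies execute only to
      # the directory.
      postRun = ''
        chmod -R u=rwX,g=rX,o= /var/lib/acme/distrust.network
        chown -R acme:prosody /var/lib/acme/distrust.network
      '';
    };
  };

  networking = {
    # EDNS0 can interfere with prosody's DNS resolution, so it is disabled.
    resolvconf.dnsExtensionMechanism = false;
    # 5222: client-to-server, 5269: server-to-server, 5281: prosody's HTTPS
    # listener. 5000 is presumably another prosody listener -- TODO confirm
    # what binds it and drop the rule if nothing does.
    firewall.allowedTCPPorts = [ 5222 5269 5281 5000 ];
  };

  systemd.services = {
    # caddy needs the acme group to read the challenge files under the webroot.
    caddy.serviceConfig.SupplementaryGroups = [ "acme" ];
    prosody.serviceConfig = {
      SupplementaryGroups = [ "acme" ];
      # Slightly hacky way to inject the LDAP password into prosody without
      # builtins.readFile exposing it system-wide via the Nix store.
      EnvironmentFile = config.age.secrets."prosody.env".path;
    };
  };
}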