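# NixOS module: Prosody XMPP server for distrust.network, authenticating
# against a local LDAP directory, serving ACME-issued certificates shared
# with Caddy, and backing up its state to a remote borg repository.
{ pkgs, config, ... }: {
  # agenix secret decrypted at activation; it becomes the EnvironmentFile of
  # the prosody service below so the LDAP bind password never enters the
  # world-readable Nix store.
  age.secrets."prosody.env".file = ../secrets/prosody.env;

  services = {
    prosody = {
      # lualdap is needed by the "ldap" authentication provider configured in
      # extraConfig.
      package = pkgs.prosody.override {
        withExtraLuaPackages = pkgs: with pkgs.luaPackages; [ lualdap ];
      };
      enable = true;
      admins = [ "root@distrust.network" ];

      # Certificate material is produced by security.acme below and made
      # group-readable to prosody in its postRun hook.
      ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
      ssl.key = "/var/lib/acme/distrust.network/key.pem";

      virtualHosts."distrust.network" = {
        enabled = true;
        domain = "distrust.network";
        ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
        ssl.key = "/var/lib/acme/distrust.network/key.pem";
      };

      muc = [ { domain = "conference.distrust.network"; } ];

      httpFileShare = {
        domain = "upload.distrust.network";
        path = "/var/lib/prosody";
      };

      # Raw Lua appended to prosody.cfg.lua. The bind password is read from
      # the process environment at runtime (see EnvironmentFile below).
      # ldap_server is a plain (non-TLS) connection; it only stays acceptable
      # because the directory is reached over localhost.
      extraConfig = ''
        authentication = "ldap"
        ldap_base = "ou=people,dc=distrust,dc=network"
        ldap_server = "localhost:3890"
        ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network"
        ldap_password = os.getenv("LDAP_BIND_PASSWORD")
      '';
    };

    # Caddy only serves the ACME HTTP-01 challenge directory for the XMPP
    # hostnames; the webroot matches security.acme.defaults.webroot.
    caddy.virtualHosts."distrust.network".extraConfig = ''
      handle /.well-known/* {
        root * /var/lib/acme/
        file_server
      }
    '';
    caddy.virtualHosts."conference.distrust.network upload.distrust.network".extraConfig = ''
      handle /.well-known/* {
        root * /var/lib/acme/
        file_server
      }
    '';

    borgbackup.jobs."prosody" = {
      repo = "ssh://u506783@u506783.your-storagebox.de:23/./prosody";
      environment = {
        # accept-new pins the storage box's host key on first contact and
        # refuses any later change. The previous StrictHostKeyChecking=no
        # continued even on a changed key, which left every backup upload
        # open to interception by whoever answers for that hostname.
        BORG_RSH = "ssh -i ${config.age.secrets."borg_ed25519".path} -o 'StrictHostKeyChecking=accept-new'";
      };
      paths = [ "/var/lib/prosody" ];
      # NOTE(review): with mode "none" borg applies no encryption of its own,
      # so the archive (including httpFileShare uploads under /var/lib/prosody)
      # rests in plaintext on the third-party storage box; switching to a
      # keyed mode needs a passphrase secret that this module does not define.
      encryption.mode = "none";
      compression = "auto,lzma";
      startAt = "daily";
      prune.keep = {
        daily = 7;
        weekly = 4;
        monthly = -1;
      };
    };
  };

  security.acme = {
    defaults = {
      email = "root@distrust.network";
      webroot = "/var/lib/acme";
    };
    acceptTerms = true;
    certs = {
      "distrust.network" = {
        # One certificate covers the MUC and upload hostnames as SANs.
        extraDomainNames = [
          "upload.distrust.network"
          "conference.distrust.network"
        ];
        # Runs after each issuance/renewal: hand the key to group prosody so
        # the prosody service can read it while keeping it closed to others.
        postRun = ''
          chmod -R 770 /var/lib/acme/distrust.network
          chown -R acme:prosody /var/lib/acme/distrust.network
        '';
      };
    };
  };

  # Drops the EDNS0 option from resolv.conf; presumably a workaround for a
  # resolver that mishandles extended DNS — confirm whether still needed.
  networking.resolvconf.dnsExtensionMechanism = false;

  # 5222 c2s, 5269 s2s, 5281 HTTPS; 5000 is presumably the httpFileShare
  # listener — verify against the prosody module's port default.
  networking.firewall.allowedTCPPorts = [ 5222 5269 5281 5000 ];

  systemd.services = {
    # Caddy needs group acme to serve files from the ACME webroot.
    caddy.serviceConfig.SupplementaryGroups = [ "acme" ];
    prosody.serviceConfig = {
      SupplementaryGroups = [ "acme" ];
      # Supplies LDAP_BIND_PASSWORD to the os.getenv call in extraConfig.
      EnvironmentFile = config.age.secrets."prosody.env".path;
    };
  };
}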