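# NixOS module: Conduit (Matrix homeserver) for m3ta.dev, published through Traefik.
{config, ...}: let
  # Single source of truth for the backend socket. Traefik dials the same
  # literal address Conduit binds to, rather than `localhost`, which can
  # resolve to ::1 where nothing is listening.
  conduitAddress = "127.0.0.1";
  conduitPort = config.m3ta.ports.get "conduit";
in {
  services.matrix-conduit = {
    enable = true;
    settings.global = {
      server_name = "m3ta.dev";
      # Loopback only: in this file the only exposure of Conduit is the
      # Traefik routers below, which terminate TLS.
      address = conduitAddress;
      port = conduitPort;
      # Upper bound on request bodies, in bytes (~20 MB).
      max_request_size = 20000000;
      # Closed registration: accounts cannot be self-created by outside users.
      allow_registration = false;
      allow_encryption = true;
      allow_federation = true;
      # Notary servers queried for other homeservers' signing keys; every
      # entry here is trusted for key lookups.
      trusted_servers = ["matrix.org"];
      database_backend = "rocksdb";
    };
    # Path to an age-managed secret, so its contents stay out of this file.
    # NOTE(review): presumably an environment file read by the service;
    # the option's definition is not visible here, so confirm.
    secretFile = config.age.secrets.conduit-env.path;
  };

  # Traefik configuration for Conduit
  services.traefik.dynamicConfigOptions.http = {
    services.conduit.loadBalancer.servers = [
      {
        # Plain HTTP is confined to the loopback hop between Traefik and Conduit.
        url = "http://${conduitAddress}:${toString conduitPort}/";
      }
    ];

    # Client traffic on the dedicated subdomain. The `godaddy` certificate
    # resolver and the `websecure` entrypoint are defined outside this file.
    routers.conduit = {
      rule = "Host(`matrix.m3ta.dev`)";
      tls = {
        certResolver = "godaddy";
      };
      service = "conduit";
      entrypoints = "websecure";
    };

    # Federation endpoint on base domain
    # Only /_matrix paths on m3ta.dev are forwarded to Conduit.
    routers.conduit-federation = {
      rule = "Host(`m3ta.dev`) && PathPrefix(`/_matrix`)";
      tls = {
        certResolver = "godaddy";
      };
      service = "conduit";
      entrypoints = "websecure";
    };
  };

  # Open federation port
  # NOTE(review): nothing in this file listens on 8448. Conduit binds to
  # loopback and both routers attach to `websecure`. Confirm that a Traefik
  # entrypoint on 8448 is defined elsewhere; if federation is instead
  # delegated to the `websecure` port (via /.well-known/matrix/server or an
  # SRV record), this firewall opening is unused and can be dropped.
  networking.firewall.allowedTCPPorts = [8448];
}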