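# Minimal ops-jrz1 configuration example
# Demonstrates Matrix homeserver + single bridge deployment
#
# Changes from the original example, all aimed at a safer starting point:
#   * port 8008 is no longer opened in the firewall
#   * open account registration is disabled
#   * keyboard-interactive SSH authentication is disabled
{ config, pkgs, ... }:

{
  imports = [
    ../../modules/matrix-continuwuity.nix
    ../../modules/mautrix-slack.nix
    ../../modules/security/ssh-hardening.nix
    ../../modules/security/fail2ban.nix
  ];

  # Basic networking
  networking = {
    hostName = "matrix";
    firewall = {
      enable = true;
      # 8008 is deliberately not listed. The bridge reaches the homeserver on
      # 127.0.0.1:8008 (see homeserverUrl below), and that listener speaks
      # plain HTTP, so exposing it publicly would carry logins and access
      # tokens in cleartext. External clients should arrive over TLS on 443.
      # NOTE(review): this assumes the homeserver module fronts port 8008
      # with a TLS reverse proxy on 80/443; confirm before deploying.
      allowedTCPPorts = [ 22 80 443 ];
    };
  };

  # Matrix homeserver configuration
  services.matrix-homeserver = {
    enable = true;
    domain = "matrix.example.org";
    port = 8008;
    # Registration stays off by default: with it on, anyone who can reach the
    # server can create an account, and the bridge permissions below give
    # every local account "user" access to the Slack bridge. Create accounts
    # administratively, or enable this only behind whatever registration
    # gating the homeserver module provides.
    enableRegistration = false;
    enableFederation = false;
  };

  # Slack bridge configuration
  services.mautrix-slack = {
    enable = true;
    matrix = {
      # Loopback only; the bridge and homeserver share this host.
      homeserverUrl = "http://127.0.0.1:8008";
      serverName = "matrix.example.org";
    };
    bridge = {
      permissions = {
        # Every account on this homeserver may use the bridge. Narrow this to
        # individual user IDs if not all local users should reach Slack.
        "matrix.example.org" = "user";
        # Replace with the real administrator's Matrix ID.
        "@admin:matrix.example.org" = "admin";
      };
    };
  };

  # Security hardening
  security = {
    fail2ban-enhanced = {
      enable = true;
      bantime = "1h";
      maxretry = 3;
    };
    acme = {
      acceptTerms = true;
      # Placeholder address; set a monitored mailbox so certificate expiry
      # notices are actually seen.
      defaults.email = "admin@example.com";
    };
  };

  # SSH hardening
  # NOTE(review): ../../modules/security/ssh-hardening.nix is also imported
  # and may define some of these settings itself; check for overlap.
  services.openssh = {
    enable = true;
    settings = {
      # Root may still log in with a key. Switch to "no" once a non-root
      # admin account with sudo exists (this example does not define one).
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;
      # Without this, PAM keyboard-interactive can still prompt for a
      # password even though PasswordAuthentication is off.
      KbdInteractiveAuthentication = false;
    };
  };

  # PostgreSQL for bridge database
  services.postgresql = {
    enable = true;
    ensureDatabases = [ "mautrix_slack" ];
    ensureUsers = [{
      # ensureDBOwnership requires the role name to match the database name.
      name = "mautrix_slack";
      ensureDBOwnership = true;
    }];
  };

  # Records the NixOS release this system was first installed with; do not
  # bump it as part of a routine upgrade.
  system.stateVersion = "24.05";
}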