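# Arion-style compose project for a Matrix homeserver stack:
#   synapse (homeserver) + postgres (database) + matrix-nginx (static/well-known
#   front end) + element (web client), published through Traefik via labels.
#
# Trust boundaries as wired below:
#   - "dmz"       : pre-existing network shared with the reverse proxy; every
#                   container attached to it is reachable from Traefik.
#   - "transport" : project-local network for service-to-service traffic;
#                   postgres is attached only here and carries no Traefik labels.
{pkgs, ...}: {
  project.name = "matrix";

  # external = true: the network is created outside this project and only
  # referenced here (presumably the one Traefik is attached to -- confirm).
  networks.dmz = {
    name = "dmz";
    external = true;
  };

  # Project-local network with default settings.
  networks.transport = {};

  services = {
    synapse.service = {
      # Pinned to an exact release tag. Tags are mutable; pinning by digest
      # would additionally guarantee the image content does not change.
      image = "matrixdotorg/synapse:v1.104.0";
      container_name = "synapse";
      labels = {
        "traefik.enable" = "true";

        # Router on the "websecure" entrypoint -> container port 8008, TLS via
        # the "letsencrypt" resolver. Entrypoints and the resolver are defined
        # in Traefik's own configuration, which is not part of this file.
        "traefik.http.services.synapse.loadbalancer.server.port" = "8008";
        "traefik.http.routers.synapse.service" = "synapse";
        "traefik.http.routers.synapse.entrypoints" = "websecure";
        "traefik.http.routers.synapse.rule" = "Host(`synapse.ghoscht.com`)";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.synapse.tls" = "true";
        "traefik.http.routers.synapse.tls.certresolver" = "letsencrypt";

        # Second router with the same Host rule, bound to the
        # "websecure-external" entrypoint. No middleware is attached to either
        # router here, so any filtering of Synapse paths has to happen
        # elsewhere -- NOTE(review): confirm where, if anywhere.
        "traefik.http.services.synapse-external.loadbalancer.server.port" = "8008";
        "traefik.http.routers.synapse-external.service" = "synapse-external";
        "traefik.http.routers.synapse-external.rule" = "Host(`synapse.ghoscht.com`)";
        "traefik.http.routers.synapse-external.entrypoints" = "websecure-external";
        "traefik.http.routers.synapse-external.tls" = "true";
        "traefik.http.routers.synapse-external.tls.certresolver" = "letsencrypt";
      };
      # Writable on purpose: this is the homeserver's data directory.
      volumes = [
        "/storage/dataset/docker/matrix/synapse_data:/data"
      ];
      # Variables are kept out of this file and out of the Nix store.
      # NOTE(review): the same file is also given to postgres below, so each
      # container receives every variable in it. Contents are not visible
      # here; if it holds credentials, split it per service and keep it
      # readable only by the deploying user.
      env_file = [
        "/home/ghoscht/.docker/matrix/synapse.env"
      ];
      environment = {
        # Presumably consumed by the image to run as / own /data as a
        # non-root uid:gid -- confirm against the image documentation.
        UID = "1000";
        GID = "1000";
        TZ = "Europe/Berlin";
      };
      restart = "unless-stopped";
      # dmz for Traefik, transport to reach postgres.
      networks = [
        "dmz"
        "transport"
      ];
    };
    postgres.service = {
      # NOTE(review): major-version tag only, unlike the other images, which
      # are pinned to exact releases; a re-pull can change the running minor
      # version. Consider pinning to an exact version or digest.
      image = "postgres:14";
      # Shares synapse.env with the homeserver (see the note on synapse).
      env_file = [
        "/home/ghoscht/.docker/matrix/synapse.env"
      ];
      # Writable on purpose: database cluster directory.
      volumes = [
        "/storage/dataset/docker/matrix/synapse_db:/var/lib/postgresql/data"
      ];
      restart = "unless-stopped";
      # Only on the project-local network: no Traefik labels, no dmz
      # attachment, and no published ports in this definition.
      networks = [
        "transport"
      ];
    };
    matrix-nginx.service = {
      container_name = "matrix-nginx";
      image = "nginx:1.25.4";
      # Mounted read-only: this container is routed from both entrypoints and
      # only needs to read its vhost config and web root, so it should not be
      # able to modify them on the host.
      volumes = [
        "/storage/dataset/docker/matrix/nginx_data/matrix.conf:/etc/nginx/conf.d/matrix.conf:ro"
        "/storage/dataset/docker/matrix/nginx_data/www:/var/www/:ro"
      ];
      labels = {
        "traefik.enable" = "true";

        # Router on "websecure" -> container port 80.
        "traefik.http.services.matrix.loadbalancer.server.port" = "80";
        "traefik.http.routers.matrix.service" = "matrix";
        "traefik.http.routers.matrix.entrypoints" = "websecure";
        "traefik.http.routers.matrix.rule" = "Host(`matrix.ghoscht.com`)";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.matrix.tls" = "true";
        "traefik.http.routers.matrix.tls.certresolver" = "letsencrypt";

        # Same host on the "websecure-external" entrypoint.
        "traefik.http.services.matrix-external.loadbalancer.server.port" = "80";
        "traefik.http.routers.matrix-external.service" = "matrix-external";
        "traefik.http.routers.matrix-external.rule" = "Host(`matrix.ghoscht.com`)";
        "traefik.http.routers.matrix-external.entrypoints" = "websecure-external";
        "traefik.http.routers.matrix-external.tls" = "true";
        "traefik.http.routers.matrix-external.tls.certresolver" = "letsencrypt";
      };
      restart = "unless-stopped";
      # Attached to both networks, so it can reach synapse and postgres over
      # "transport" as well as being reachable from Traefik over "dmz".
      networks = [
        "transport"
        "dmz"
      ];
    };
    element.service = {
      image = "vectorim/element-web:v1.11.64";
      # Mounted read-only: the client config (which names the homeserver the
      # web client talks to) is static and should not be writable from inside
      # the container.
      volumes = [
        "/storage/dataset/docker/matrix/element_data/element-config.json:/app/config.json:ro"
      ];
      labels = {
        "traefik.enable" = "true";
        # Only a "websecure" router is defined; there is no
        # "websecure-external" counterpart as on synapse and matrix-nginx --
        # NOTE(review): confirm this difference is intentional.
        # No loadbalancer port label either, so this relies on Traefik picking
        # the container port on its own.
        "traefik.http.routers.element.entrypoints" = "websecure";
        "traefik.http.routers.element.rule" = "Host(`chat.ghoscht.com`)";
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.element.tls" = "true";
        "traefik.http.routers.element.tls.certresolver" = "letsencrypt";
      };
      restart = "unless-stopped";
      # Static web client: no access to the "transport" network.
      networks = [
        "dmz"
      ];
    };
  };
}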