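# NixOS module: two mjolnir moderation bots against the same homeserver.
# One runs directly on the host ("global"), the other inside the declarative
# container `mjolnirtle`. Each logs in through pantalaimon with a password
# taken from an agenix-managed secret file.
{ config, ... }:
{
  age.secrets = {
    # Password for the host-level bot; readable and writable by its owner only.
    matrix_mjolnir_pass = {
      file = ../secrets/matrix_mjolnir_pass.age;
      owner = "mjolnir";
      group = "mjolnir";
      mode = "0600";
    };
    # Password for the containerised bot. The file is bind-mounted read-only
    # into the container and is only ever read, so write and execute bits are
    # not needed: 0444 keeps it readable from inside the container without
    # letting any local account replace or truncate the secret.
    # NOTE(review): still world-readable on the host. If the reason for the
    # wide mode is a uid/gid mismatch between the host and container `mjolnir`
    # accounts (not visible here -- confirm), pin matching ids on both sides
    # and tighten this to 0400.
    matrix_mjolnir_tle_pass = {
      file = ../secrets/matrix_mjolnir_tle_pass.age;
      owner = "mjolnir";
      group = "mjolnir";
      mode = "0444"; # not ideal, but containers are weird
    };
  };

  # global mjolnir
  services.mjolnir = {
    enable = true;
    homeserverUrl = config.services.matrix-synapse-next.settings.public_baseurl;
    protectedRooms = [ "https://matrix.to/#/!zDkrFrfuMIKbqYFbFv:grimmauld.de" ];
    managementRoom = "!kgfXXqEYHGgToIwhMP:grimmauld.de";
    pantalaimon = {
      enable = true;
      username = "mjolnir";
      options = {
        homeserver = config.services.matrix-synapse-next.settings.public_baseurl;
      };
      # Runtime path of the decrypted secret, so the password itself never
      # appears in this file.
      passwordFile = config.age.secrets.matrix_mjolnir_pass.path;
    };
  };

  # Skips the build-time validation of the generated logrotate configuration.
  services.logrotate.checkConfig = false; # needed or this explodes

  containers.mjolnirtle =
    let
      # Resolved from the host configuration here, because `config` inside the
      # container module below is shadowed by the container's own config.
      baseurl = config.services.matrix-synapse-next.settings.public_baseurl;
      pass_file = config.age.secrets.matrix_mjolnir_tle_pass.path;
    in
    {
      # The container shares the host's network namespace, so its services are
      # not isolated from the host at the network level.
      privateNetwork = false; # don't want nat
      autoStart = true;
      # Expose only the one secret file, at the same path, without write access.
      bindMounts."${pass_file}".isReadOnly = true;

      config = { config, ... }: {
        # NOTE(review): stateVersion is normally a release string such as
        # "24.05"; confirm that "unstable" is intended.
        system.stateVersion = "unstable";

        # tle mjolnir
        services.logrotate.checkConfig = false;
        services.mjolnir = {
          enable = true;
          homeserverUrl = baseurl;
          protectedRooms = [ "https://matrix.to/#/!BgDBnHgMgilMMnPMyp:grimmauld.de" ];
          managementRoom = "!NQedmlMeoQErGgAwxm:grimmauld.de";
          pantalaimon = {
            enable = true;
            username = "mjolnir_tle";
            options = {
              homeserver = baseurl;
            };
            passwordFile = pass_file;
          };
        };
      };
    };
}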