# NixOS module: enables the conduwuit Matrix homeserver for kylekrein.com and
# wires it to the coturn relay whose ports are read from config.services.coturn.
{
  pkgs,
  lib,
  config,
  namespace,
  ...
}: let
  # coturn options live elsewhere in the system config; only its two listening
  # ports are read here so the advertised URIs cannot drift from the relay.
  relay = config.services.coturn;
  relayHost = "turn.kylekrein.com";

  # Builds one TURN URI, e.g. "turns:turn.kylekrein.com:<port>?transport=udp".
  mkTurnUri = scheme: port: transport: "${scheme}:${relayHost}:${toString port}?transport=${transport}";
in {
  ${namespace}.services.conduwuit = {
    enable = true;
    # Disabled override of the service account:
    #user = "turnserver";
    # NOTE(review): presumably this was meant to let the service read the
    # coturn-owned secret below. Confirm the account conduwuit runs as can read
    # config.sops.secrets."services/turn".path (sops owner/group/mode).

    settings = {
      global = {
        server_name = "kylekrein.com";

        # Delegation: clients and remote servers are pointed at the matrix.
        # subdomain on 443.
        well_known = {
          server = "matrix.kylekrein.com:443";
          client = "https://matrix.kylekrein.com";
        };

        # Listener port. It is not opened in the firewall below, so it is
        # presumably only reached through a local reverse proxy - TODO confirm.
        port = [6167];

        # NOTE(review): conduwuit appears to use these as key (notary) servers
        # for remote signing keys, so every entry is a trust decision.
        trusted_servers = ["matrix.org"];

        # Registration is closed and no token is configured.
        allow_registration = false;
        registration_token = null;
        # Recipe for generating a token, should registration ever be opened:
        #nix shell nixpkgs#openssl -c openssl rand -base64 48 | tr -d '/+' | cut -c1-64
        # NOTE(review): `settings` is presumably rendered into the Nix store,
        # which is world-readable. A real token should be supplied through a
        # secret file (as turn_secret_file is), not as an inline value here.

        allow_federation = true;
        allow_encryption = true;
        allow_local_presence = true;
        # Judging by the option name, profile lookups require an authenticated
        # caller - confirm against the conduwuit documentation.
        require_auth_for_profile_requests = true;
        rocksdb_optimize_for_spinning_disks = true;

        # Advertised relay endpoints: TLS ("turns") first, then plain "turn",
        # each over UDP and TCP.
        # NOTE(review): the plain "turn:" entries carry relay signalling without
        # TLS. Keep them only if clients need the fallback.
        turn_uris = [
          (mkTurnUri "turns" relay.tls-listening-port "udp")
          (mkTurnUri "turns" relay.tls-listening-port "tcp")
          (mkTurnUri "turn" relay.listening-port "udp")
          (mkTurnUri "turn" relay.listening-port "tcp")
        ];

        # The shared secret is read from a sops-managed file at runtime, so it
        # is not embedded in this configuration.
        turn_secret_file = config.sops.secrets."services/turn".path;
        # Credentials expire after an hour and guests are not issued any.
        turn_user_lifetime = "1h";
        turn_allow_guests = false;
      };
    };

    extraEnvironment = {};
  };

  # NOTE(review): 8448 is opened, but the homeserver listens on 6167 and
  # well_known delegates federation to 443. Confirm that something defined
  # elsewhere (e.g. a reverse proxy) binds 8448. If nothing does, this rule
  # only widens the exposed surface.
  networking.firewall.allowedTCPPorts = [8448];
}