# NixOS VM test: boot a single machine that runs Grapevine with its own TLS
# listener on port 443 (no reverse proxy in front) and wait for the unit to
# reach the active state.
inputs: {
  name = "grapevine";

  nodes = {
    machine =
      { pkgs, lib, ... }:
      let
        # Throwaway CA and leaf certificates shipped with the nixpkgs ACME test
        # helpers. This is test-only key material and only trusted inside the VM.
        snakeoil = import "${pkgs.path}/nixos/tests/common/acme/server/snakeoil-certs.nix";
        inherit (snakeoil) domain;
      in
      {
        imports = [ inputs.self.nixosModules.default ];

        # Trust the snakeoil CA so the machine accepts the certificate it serves.
        security.pki.certificateFiles = [ snakeoil.ca.cert ];

        services.grapevine = {
          enable = true;
          settings = {
            server_name = domain;
            server_discovery.server.authority = "${domain}:443";
            server_discovery.client.base_url = "https://${domain}:443";
            federation.self_test = false;
            # Debug-level logs make test failures easier to diagnose;
            # ruma_state_res is pinned to warn.
            observability.logs.filter = "debug,ruma_state_res=warn";
            tls.certs = snakeoil.${domain}.cert;
            tls.key = snakeoil.${domain}.key;
            listen = [
              {
                type = "tcp";
                address = "127.0.0.1";
                port = 443;
                tls = true;
              }
            ];
          };
        };

        systemd.services.grapevine.serviceConfig = {
          # Port 443 is privileged; the service needs CAP_NET_BIND_SERVICE to
          # serve .well-known directly without a reverse proxy. The bounding set
          # must include the capability for the ambient grant to take effect.
          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
          CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
          # TODO: we probably don't want to do this, but capabilities don't work
          # otherwise.
          # NOTE(review): turning PrivateUsers off weakens the unit's sandbox;
          # confirm whether the module's other hardening still applies with it
          # disabled before copying this into a non-test deployment.
          PrivateUsers = lib.mkForce false;
        };

        # Resolve the test domain to loopback so discovery stays on this machine.
        networking.extraHosts = ''
          127.0.0.1 ${domain}
        '';
      };
  };

  testScript = ''
    start_all()
    machine.wait_for_unit("grapevine.service")
  '';
}