{
  pkgs,
  lib,
  config,
  ...
}:
let
  conduitCfg = config.services.matrix-conduit;
  matrixLib = pkgs.callPackage ./lib.nix { };
in
{
  systemd.services.heisenbridge =
    let
      registration = matrixLib.writeRegistrationScript {
        id = "heisenbridge";
        url = "http://127.0.0.1:9898";
        sender_localpart = "heisenbridge";

        namespaces = {
          users = [
            {
              regex = "@irc_.*";
              exclusive = true;
            }
            {
              regex = "@heisenbridge:.*";
              exclusive = true;
            }
          ];

          aliases = [ ];
          rooms = [ ];
        };
      };
    in
    {
      description = "Matrix<->IRC bridge";
      wantedBy = [ "multi-user.target" ];
      after = [ "conduit.service" ];

      serviceConfig = {
        Type = "exec";

        LoadCredential = "heisenbridge:/run/secrets/heisenbridge";

        inherit (registration) ExecStartPre;
        ExecStart = lib.concatStringsSep " " [
          "${lib.getExe pkgs.heisenbridge}"
          "--config \${RUNTIME_DIRECTORY}/heisenbridge-registration.yaml"
          "--owner @tlater:matrix.tlater.net"
          "http://localhost:${toString conduitCfg.settings.global.port}"
        ];

        DynamicUser = true;
        RuntimeDirectory = "heisenbridge";
        RuntimeDirectoryMode = "0700";

        RestrictNamespaces = true;
        PrivateUsers = true;
        ProtectHostname = true;
        ProtectClock = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        RestrictAddressFamilies = [ "AF_INET AF_INET6" ];
        LockPersonality = true;
        RestrictRealtime = true;
        ProtectProc = "invisible";
        ProcSubset = "pid";
        UMask = 77;

        # For the identd port
        # CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
        # AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
      };
    };
}