{ config, lib, ... }:
let
  inherit (lib) mkEnableOption mkIf mkOption types;
  cfg = config.vhack.jitsi-meet;
in
{
  options.vhack.jitsi-meet = {
    enable = mkEnableOption "jitsi-meet";
    domain = mkOption {
      type = types.str;
      description = "The domain jitsi-meet should be served on.";
    };
  };

  config = mkIf cfg.enable {
    nixpkgs.config.permittedInsecurePackages = [
      # Jitsi uses libolm for E2EE, which is no longer maintained upstream by the
      # element team (as they switch to a new Rust-based crypto library).
      #
      # libolm has two CVEs about timing-based side-channel attacks in its crypto
      # primitives. This is not ideal, but it has not (yet) been exploited in the
      # wild, and upstream (i.e. the matrix/element team) claims that the CVEs are
      # very difficult to exploit (they had been known _long_ before element
      # switched to the Rust version).
      #
      # Considering the lack of deployable video conferencing alternatives, the
      # active interest upstream in resolving this issue [1], and the fact that we
      # are unlikely to be hit by a targeted attack, permitting this package seems
      # viable.
      #
      # The exception is deliberately an exact name-version string: nixpkgs matches
      # it literally, so a package bump makes evaluation fail again and forces this
      # decision to be re-reviewed instead of being carried forward silently.
      #
      # [1]: https://github.com/jitsi/jitsi-meet/issues/15107
      "jitsi-meet-1.0.8043"
    ];

    # TLS termination for the meet frontend; certificates come from ACME.
    services.nginx.virtualHosts.${cfg.domain} = {
      enableACME = true;
      forceSSL = true;
    };

    services.jitsi-meet = {
      enable = true;
      hostName = cfg.domain;
      nginx.enable = true;

      # Settings handed to the web client (config.js).
      config = {
        enableWelcomePage = true;
        prejoinPageEnabled = true;
        requireDisplayName = true;
        defaultLang = "sv";

        analytics.disabled = true;
        # Don't try to GET gravatar stuff.
        disableThirdPartyRequests = true;

        # Avoids a heavy load on conference start.
        startAudioOnly = true;
        # Only transmit the last four members.
        channelLastN = 4;
        maxFullResolutionParticipants = 1;
        constraints.video.height = {
          min = 240;
          ideal = 720;
          max = 1080;
        };

        remoteVideoMenu.disabled = false;
        breakoutRooms.hideAddRoomButton = false;
      };

      # Settings handed to the web client (interface_config.js).
      interfaceConfig = {
        GENERATE_ROOMNAMES_ON_WELCOME_PAGE = false;
        DISABLE_PRESENCE_STATUS = true;
        SHOW_CHROME_EXTENSION_BANNER = false;
        SHOW_JITSI_WATERMARK = false;
        SHOW_WATERMARK_FOR_GUESTS = false;

        # Don't try to promote the mobile app.
        MOBILE_APP_PROMO = false;
        # The default Google Play Android app comes with trackers.
        MOBILE_DOWNLOAD_LINK_ANDROID = "https://f-droid.org/en/packages/org.jitsi.meet/";
      };

      prosody = {
        enable = true;
        # We only use prosody for jitsi XMPP communication, and can therefore drop
        # support for general XMPP server features.
        lockdown = true;
      };
    };

    services.jitsi-videobridge = {
      # Lets the bridge's media traffic through the host firewall; presumably
      # required for participants to reach the bridge directly — verify the port
      # set the module opens matches what is expected on this host.
      openFirewall = true;
      config.videobridge = {
        cc.assumed-bandwidth-limit = "1000 Mbps";
      };
    };
  };
}