9th chunk of `nixos/doc/manual/release-notes/rl-2205.section.md`
    services.matrix-synapse = {
      enable = true;

      # this attribute set holds all values that go into your homeserver.yaml configuration
      # See https://github.com/matrix-org/synapse/blob/develop/docs/sample_config.yaml for
      # possible values.
      settings = {
        server_name = "example.com";
        public_baseurl = "https://example.com:8448";

        enable_registration = false;
        # pass `registration_shared_secret` and `macaroon_secret_key` via `extraConfigFiles` instead

        tls_certificate_path = "/var/lib/acme/example.com/fullchain.pem";
        tls_private_key_path = "/var/lib/acme/example.com/key.pem";

        listeners = [ {
          port = 8448;
          bind_addresses = [
            "::"
            "0.0.0.0"
          ];
          type = "http";
          tls = true;
          resources = [ {
            names = [ "client" ];
            compress = true;
          } {
            names = [ "federation" ];
            compress = false;
          } ];
        } ];
      };

      extraConfigFiles = [
        "/run/keys/matrix-synapse/secrets.yaml"
      ];
    };
  }
  ```

  The secrets in your original config should be migrated into a YAML file that is included via `extraConfigFiles`. The filename must be written as a quoted string, not as a Nix path literal, to prevent Nix from copying it to the (world-readable) store.

  Additionally a few option defaults have been synced up with upstream default values, for example the `max_upload_size` grew from `10M` to `50M`. For the same reason, the default
  `media_store_path` was changed from `${dataDir}/media` to `${dataDir}/media_store` if `system.stateVersion` is at least `22.05`. Files will need to be manually moved to the new
  location if the `stateVersion` is updated.

  As of Synapse 1.58.0, the old groups/communities feature has been disabled by default. It will be completely removed with Synapse 1.61.0.
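
One way to check the secrets migration described above, as an added example that is not part of the NixOS release notes: the functions flag any file under a given path that still sets `registration_shared_secret` or `macaroon_secret_key`, and verify that the secrets file sits outside that path and is not world-readable. The function names and the paths passed to them are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the NixOS manual. The key names are the two secrets
# the release note names; function names and paths are assumptions.
# Usage: audit_synapse_secrets <store-or-config-path> <secrets-file>

SECRET_KEYS='registration_shared_secret|macaroon_secret_key'

# Print each file under the given paths that sets a secret key at the top
# level of a YAML document (commented-out lines do not match).
leaked_secret_files() {
  grep -rlE "^(${SECRET_KEYS})[[:space:]]*:" -- "$@" 2>/dev/null || true
}

# Succeed only if the file exists and carries no read bit for "other".
not_world_readable() {
  [ -f "$1" ] && [ -z "$(find "$1" -prune -perm -004)" ]
}

# Return 0 only when no secret is found under $1 and the secrets file $2
# exists, lives outside $1 and is not world-readable.
audit_synapse_secrets() {
  store=$1 secrets=$2 rc=0
  leaks=$(leaked_secret_files "$store")
  if [ -n "$leaks" ]; then
    printf '%s\n' "$leaks" | sed 's/^/secret readable in store: /' >&2
    rc=1
  fi
  case $secrets in
    "$store"/*)
      echo "secrets file lives inside the store: $secrets" >&2
      rc=1
      ;;
  esac
  if ! not_world_readable "$secrets"; then
    echo "missing or world-readable: $secrets" >&2
    rc=1
  fi
  return "$rc"
}
```

On a deployed host the first argument would be the generated Synapse configuration in the Nix store and the second the file listed in `extraConfigFiles`.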

- The Keycloak package (`pkgs.keycloak`) has been switched from the
  Wildfly version, which will soon be deprecated, to the Quarkus based
  version. The Keycloak service (`services.keycloak`) has been updated
  to accommodate the change and now differs from the previous version
  in a few ways:

  - `services.keycloak.extraConfig` has been removed in favor of the
    new [settings-style](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md)
    [`services.keycloak.settings`](#opt-services.keycloak.settings)
    option. The available options correspond directly to parameters in
    `conf/keycloak.conf`. Some of the most important parameters are
    documented as suboptions, the rest can be found in the [All
    configuration section of the Keycloak Server Installation and
    Configuration
    Guide](https://www.keycloak.org/server/all-config). While the new
    configuration is much simpler and cleaner than the old JBoss CLI
    one, this unfortunately means that there's no straightforward way
    to convert an old configuration to the new format and some
    settings may not even be available anymore.

  - `services.keycloak.frontendUrl` was removed and the frontend URL
    is now configured through the `hostname` family of settings in
    [`services.keycloak.settings`](#opt-services.keycloak.settings)
    instead. See the [Hostname section of the Keycloak Server
    Installation and Configuration
    Guide](https://www.keycloak.org/server/hostname) for more
    details. Additionally, `/auth` was removed from the default
    context path and needs to be added back in
    [`services.keycloak.settings.http-relative-path`](#opt-services.keycloak.settings.http-relative-path)
    if you want to keep compatibility with your current clients.

  - `services.keycloak.bindAddress`,
    `services.keycloak.forceBackendUrlToFrontendUrl`,
    `services.keycloak.httpPort` and `services.keycloak.httpsPort`
    have been removed in favor of their equivalent options in
    [`services.keycloak.settings`](#opt-services.keycloak.settings). `httpPort`
    and `httpsPort` have additionally had their types changed from

Title: NixOS 22.05: Backward Incompatibilities (Part 5)
Summary
This section continues detailing backward incompatibilities in NixOS 22.05, focusing on matrix-synapse service configuration changes related to secrets and default values, as well as the switch of the Keycloak package to the Quarkus-based version, including the removal of `extraConfig` and `frontendUrl` options and the introduction of the `settings` option.