{ secrets, pkgs, config, ... }:

{

  dns.zones."ctu.cx".subdomains.vault.CNAME = [ "${config.networking.fqdn}." ];

  age.secrets = {
    resticVaultwarden.file = secrets."${config.networking.hostName}".restic.vaultwarden;
    vaultwardenSecrets = {
      file  = secrets."${config.networking.hostName}".vaultwardenSecrets;
      owner = "vaultwarden";
      group = "vaultwarden";
    };
  };

  restic-backups.vaultwarden = {
    user         = "vaultwarden";
    passwordFile = config.age.secrets.resticVaultwarden.path;
    paths        = [ "/var/lib/vaultwarden" "/var/backups/vaultwarden"];
  };

  systemd.services.vaultwarden.onFailure = [ "email-notify@%i.service" ];

  services = {
    vaultwarden = {
      enable          = true;
      dbBackend       = "sqlite";
      backupDir       = "/var/backups/vaultwarden";
      environmentFile = config.age.secrets.vaultwardenSecrets.path;
      config          = {
        DOMAIN          = "https://vault.ctu.cx";
        SIGNUPS_ALLOWED = false;

        PUSH_ENABLED = true;

        SMTP_HOST     = "hector.ctu.cx";
        SMTP_FROM     = "vaultwarden@ctu.cx";
        SMTP_USERNAME = "vaultwarden@ctu.cx";
        SMTP_PORT     = 587;
        SMTP_SECURITY = "starttls";

        ROCKET_ADDRESS = "::1";
        ROCKET_PORT    = 8582;
      };
    };

    nginx = {
      enable = true;
      virtualHosts."vault.ctu.cx" = {
        useACMEHost = "${config.networking.fqdn}";
        forceSSL    = true;
        kTLS        = true;
        locations   = {
          "/".proxyPass = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
          "/notifications/hub" = {
            proxyPass = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
            proxyWebsockets = true;
          };
        };
      };
    };
  };

}