{ pkgs, config, ... }:
# Vaultwarden (Bitwarden-compatible server) on this host, published as
# vault.ctu.cx behind nginx.  `pkgs` is accepted by the pattern but not used
# anywhere in this module.

let
  # Directory holding this host's agenix-encrypted secrets.  The host name
  # selects which set of secret files is decrypted on this machine.
  hostSecretsDir = ./. + "/../../secrets/${config.networking.hostName}";

  # The port vaultwarden's Rocket server listens on, read back from the
  # evaluated option so the nginx upstream cannot drift from it.
  vaultwardenPort = config.services.vaultwarden.config.ROCKET_PORT;

  # Loopback-only upstream: vaultwarden is never reachable directly, nginx is
  # the only public entry point.
  upstreamUrl = "http://[::1]:${toString vaultwardenPort}/";

  # Vaultwarden's state directory (database, attachments, backups).
  stateDir = "/var/lib/bitwarden_rs";

  # Vaultwarden's unix identity; used for secret ownership and the backup job.
  serviceUser = "vaultwarden";
in
{
  # DNS: vault.ctu.cx is a CNAME to this machine's FQDN.
  dns.zones."ctu.cx".subdomains.vault.CNAME = [ "${config.networking.fqdn}." ];

  # Restic repository password for the vaultwarden backup.  No owner/group is
  # set, so the secret keeps agenix's default (root-only) permissions.
  # NOTE(review): the restic job below runs as `vaultwarden` if `user` maps to
  # the restic user; confirm the restic-backups module grants that user access
  # to this file (e.g. via systemd credentials), otherwise the backup cannot
  # read its password.
  age.secrets.restic-vaultwarden.file = hostSecretsDir + "/restic/vaultwarden.age";

  # Environment file handed to vaultwarden; owned by the service user so the
  # unprivileged service can read it.  Presumably carries the SMTP password,
  # admin token and push credentials that are deliberately absent from the
  # plaintext `config` below -- confirm against the encrypted file.
  age.secrets.vaultwarden-secrets = {
    file = hostSecretsDir + "/vaultwarden-secrets.age";
    owner = serviceUser;
    group = serviceUser;
  };

  # Off-site backup of the whole state directory.  This captures both the live
  # sqlite database and whatever `backupDir` below holds; the live file may be
  # mid-write when snapshotted, so the copies under `backupDir` are presumably
  # the ones to restore from -- confirm.
  restic-backups.vaultwarden = {
    user = serviceUser;
    passwordFile = config.age.secrets.restic-vaultwarden.path;
    paths = [ stateDir ];
  };

  # Notify by mail whenever the service unit fails.
  systemd.services.vaultwarden.onFailure = [ "email-notify@%i.service" ];

  services.vaultwarden = {
    enable = true;
    dbBackend = "sqlite";
    backupDir = "${stateDir}/backups";
    environmentFile = config.age.secrets.vaultwarden-secrets.path;
    config = {
      DOMAIN = "https://vault.ctu.cx";
      # Closed registration: no self-service sign-ups on a public host.
      SIGNUPS_ALLOWED = false;
      # Mobile push needs installation credentials; none appear here, so they
      # presumably live in the environment file above -- confirm.
      PUSH_ENABLED = true;
      SMTP_HOST = "trabbi.ctu.cx";
      SMTP_FROM = "vaultwarden@ctu.cx";
      SMTP_USERNAME = "vaultwarden@ctu.cx";
      SMTP_PORT = 587;
      SMTP_SECURITY = "starttls";
      # Bind to IPv6 loopback only; matches `upstreamUrl`.
      ROCKET_ADDRESS = "::1";
      ROCKET_PORT = 8582;
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."vault.ctu.cx" = {
      enableACME = true;
      forceSSL = true;
      kTLS = true;
      locations."/".proxyPass = upstreamUrl;
      # The notification hub is a WebSocket endpoint and needs the
      # Upgrade/Connection headers passed through.
      locations."/notifications/hub" = {
        proxyPass = upstreamUrl;
        proxyWebsockets = true;
      };
      # NOTE(review): no forwarded-for headers are configured in this file;
      # unless services.nginx.recommendedProxySettings is enabled elsewhere,
      # vaultwarden sees ::1 as every client's address, which blunts its
      # login-failure logging and admin-panel rate limiting -- confirm.
    };
  };
}