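{ config, lib, pkgs, ... }:

# Vaultwarden (Bitwarden-compatible password server) for pw.hacc.space.
#
# Trust boundaries visible in this module:
#   - vaultwarden itself listens on loopback only (ROCKET_ADDRESS);
#     the only public entry point is the nginx vhost below, which
#     terminates TLS with an ACME certificate.
#   - All secret material (at least the SMTP password; presumably also
#     ADMIN_TOKEN if the admin panel is used — confirm in the sops file)
#     comes from the sops-managed environment file, never from this
#     world-readable Nix store config.
#   - Persistent state lives under /persist (impermanence-style root),
#     so the default StateDirectory handling is overridden by hand below.
{
  # Encrypted env file; decrypted by sops-nix at activation. sops-nix's
  # default is root-owned 0400, which is fine here: systemd reads
  # EnvironmentFile as root before switching to the service user.
  sops.secrets = {
    "vaultwarden/env" = {};
  };

  services.vaultwarden = {
    enable = true;
    config = {
      DATA_FOLDER="/persist/var/lib/vaultwarden/data";
      # NOTE(review): "error" suppresses failed-login messages that tools
      # like fail2ban key on; consider "warn" if brute-force banning is
      # wanted — confirm against the vaultwarden release in use.
      LOG_LEVEL="error";

      # Self-registration is off in general, BUT SIGNUPS_DOMAINS_WHITELIST
      # re-enables it for the listed domain: anyone who can receive mail
      # at an @hacc.space address can create an account without an
      # invitation (SIGNUPS_VERIFY=true at least forces them to confirm
      # that address first, which also requires working SMTP below).
      SIGNUPS_ALLOWED=false;
      SIGNUPS_VERIFY=true;
      SIGNUPS_DOMAINS_WHITELIST="hacc.space";
      # Only this user may create organisations; everyone else joins by
      # invitation.
      ORG_CREATION_USERS="admin@hacc.space";
      INVITATIONS_ALLOWED=true;
      INVITATION_ORG_NAME="haccwarden";

      # Items in the trash are purged after 90 days.
      TRASH_AUTO_DELETE_DAYS=90;

      # Must match the public vhost below; vaultwarden uses it for links in
      # mails and for WebAuthn/U2F origin checks.
      DOMAIN="https://pw.hacc.space";
      # Loopback only — reachable solely through the nginx proxy.
      ROCKET_ADDRESS="127.0.0.1";
      ROCKET_PORT=5354;
      ROCKET_WORKERS=2;

      SMTP_HOST="mail.hacc.space";
      SMTP_FROM="vaultwarden@hacc.space";
      SMTP_FROM_NAME="haccwarden";
      SMTP_PORT=587;
      # Submission port with STARTTLS. "starttls" is vaultwarden's default,
      # but spelling it out guards against a future default change silently
      # downgrading to plaintext. SMTP_PASSWORD comes from environmentFile.
      SMTP_SECURITY="starttls";
      # NOTE(review): the login domain differs from SMTP_FROM's domain;
      # presumably mail.hacc.space relays for both — confirm, otherwise
      # verification/invite mails will bounce and SIGNUPS_VERIFY blocks
      # every signup.
      SMTP_USERNAME="noreply@infra4future.de";

    };
    # Resolve the path from the sops option rather than hard-coding it, so
    # the two stay in sync if sops-nix's secret directory ever changes.
    environmentFile = config.sops.secrets."vaultwarden/env".path;
    dbBackend = "sqlite";
    backupDir = "/persist/data/vaultwarden_backups/";
  };

  # The upstream unit runs with ProtectSystem=strict and expects its data
  # in the systemd StateDirectory. Our data lives under /persist instead,
  # so drop StateDirectory and explicitly whitelist the persistent path
  # for writing. Everything else stays read-only for the service.
  systemd.services.vaultwarden.serviceConfig = {
    ReadWritePaths = [ "/persist/var/lib/vaultwarden" ];
    StateDirectory = lib.mkForce "";
  };
  # The backup unit derives DATA_FOLDER independently; point it at the
  # same persistent location so it backs up the live database.
  systemd.services.backup-vaultwarden.environment.DATA_FOLDER =
    lib.mkForce "/persist/var/lib/vaultwarden/data";

  # Public TLS front door. HTTP is redirected to HTTPS (forceSSL) and the
  # certificate is obtained via ACME.
  services.nginx.virtualHosts."pw.hacc.space" = {
    locations."/" = {
      proxyPass = "http://127.0.0.1:5354";
      # Required for the live-sync websocket on /notifications/hub.
      proxyWebsockets = true;
      # Forward X-Real-IP / X-Forwarded-* to the backend. vaultwarden reads
      # the client address from IP_HEADER (default X-Real-IP) for its login
      # failure logging and rate limiting; without this every attempt
      # appears to come from 127.0.0.1. Harmless if already enabled
      # globally via services.nginx.recommendedProxySettings.
      recommendedProxySettings = true;
    };
    forceSSL = true;
    enableACME = true;
  };
}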