{ config, pkgs, lib, ... }:
let
  cfg = config.services.vaultwarden;
  domain = "pw.feal.no";
  address = "127.0.0.1";
  port = 3011; # Note! The websocket port is left as default
in {
  sops.secrets."vaultwarden/admintoken" = {
    owner = "vaultwarden";
    group = "vaultwarden";
  };

  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
    environmentFile = config.sops.secrets."vaultwarden/admintoken".path;
    config = {
      domain = "https://${domain}";

      rocketAddress = address;
      rocketPort = port;
      websocketEnabled = true;
      databaseUrl = "postgresql://vaultwarden@localhost/vaultwarden?sslmode=disable";

      signupsAllowed = false;
      rocketLog = "critical";

    # This example assumes a mailserver running on localhost,
    # thus without transport encryption.
    # If you use an external mail server, follow:
    #   https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
      /* SMTP_HOST = "127.0.0.1"; */
      /* SMTP_PORT = 25; */
      /* SMTP_SSL = false; */

      /* SMTP_FROM = "admin@bitwarden.example.com"; */
      /* SMTP_FROM_NAME = "example.com Bitwarden server"; */

    };
  };


  services.nginx.virtualHosts."${domain}" = {
    extraConfig = ''
      client_max_body_size 128M;
    '';
    locations."/" = {
      proxyPass = "http://${address}:${toString port}";
      proxyWebsockets = true;
    };
    locations."/notifications/hub" = {
      proxyPass = "http://localhost:3012";
      proxyWebsockets = true;
    };
    locations."/notifications/hub/negotiate" = {
      proxyPass = "http://${address}:${toString port}";
      proxyWebsockets = true;
    };
  };
  services.postgresql = {
    ensureDatabases = [ "vaultwarden" ];
    ensureUsers = [{
      name = "vaultwarden";
      ensurePermissions = {
        "DATABASE \"vaultwarden\"" = "ALL PRIVILEGES";
      };
    }];
  };
}