{ config, ... }:

# Vaultwarden (Bitwarden-compatible server) served at https://pass.dgnum.eu,
# fronted by nginx, backed by the local PostgreSQL cluster and covered by the
# DGNum backup jobs.
let
  host = "pass.dgnum.eu";

  # Loopback-only listeners: the HTTP API (Rocket) and the websocket
  # notification server. Only nginx talks to them.
  rocketPort = 10501;
  websocketPort = 10500;

  # nginx location body proxying to one of the local vaultwarden listeners.
  proxyTo = port: {
    proxyPass = "http://127.0.0.1:${toString port}";
    proxyWebsockets = true;
  };
in
{
  services = {
    vaultwarden = {
      enable = true;
      dbBackend = "postgresql";

      # Everything under `config` is rendered into the world-readable Nix
      # store, so credentials (SMTP password, admin token, ...) must come
      # from the agenix-managed environment file instead.
      environmentFile = config.age.secrets."vaultwarden-environment_file".path;

      config = {
        # Public URL; vaultwarden uses it, among other things, for links in
        # mails and origin checks, so it must match the nginx vhost below.
        DOMAIN = "https://${host}";
        ROCKET_ADDRESS = "127.0.0.1";
        ROCKET_PORT = rocketPort;

        # Separate websocket listener. NOTE(review): recent vaultwarden
        # releases serve websockets on the main port and have dropped this
        # listener — confirm the pinned version still honours these options.
        WEBSOCKET_ENABLED = true;
        WEBSOCKET_PORT = websocketPort;

        # Self-registration is limited to these mail domains (vaultwarden
        # consults a non-empty whitelist before SIGNUPS_ALLOWED). New accounts
        # must confirm their address, which relies on the SMTP settings below.
        SIGNUPS_DOMAINS_WHITELIST = "dgnum.eu,ens.fr,ens.psl.eu";
        SIGNUPS_VERIFY = true;

        USE_SYSLOG = true;

        # Unix-socket connection to the local cluster; the role is created by
        # `ensureUsers` below and presumably authenticated by peer auth.
        DATABASE_URL = "postgresql://vaultwarden?host=/run/postgresql";

        # Outgoing mail over implicit TLS (port 465). No password is set
        # here; it is expected to be provided by the environment file.
        SMTP_HOST = "kurisu.lahfa.xyz";
        SMTP_PORT = 465;
        SMTP_SECURITY = "force_tls";
        SMTP_USERNAME = "web-services@infra.dgnum.eu";
        SMTP_FROM = "noreply@infra.dgnum.eu";
        SMTP_FROM_NAME = "DGNum Vault";
      };
    };

    nginx = {
      enable = true;

      virtualHosts.${host} = {
        forceSSL = true;
        enableACME = true;

        # NOTE(review): vaultwarden takes the client address for rate
        # limiting and logging from the header named by IP_HEADER (default
        # X-Real-IP); nginx only sends it if recommendedProxySettings or an
        # explicit proxy_set_header is configured elsewhere — confirm.
        locations = {
          "/" = proxyTo rocketPort;
          # Longest-prefix match: the websocket hub goes to the websocket
          # listener, while its negotiate endpoint stays on the HTTP API.
          "/notifications/hub" = proxyTo websocketPort;
          "/notifications/hub/negotiate" = proxyTo rocketPort;
        };
      };
    };

    postgresql = {
      enable = true;
      ensureDatabases = [ "vaultwarden" ];
      ensureUsers = [
        {
          name = "vaultwarden";
          ensureDBOwnership = true;
        }
      ];
    };
  };

  # Back up vaultwarden's state directory (attachments, sends, keys — assumed
  # to be the NixOS module's default path) together with a database dump.
  dgn-backups = {
    jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ];
    postgresDatabases = [ "vaultwarden" ];
  };
}