{ config, lib, ... }:

let
  # Merged vaultwarden options; read back through `config` so that overrides
  # from other modules (e.g. a mkForce'd ROCKET_PORT) are honoured below.
  cfg = config.services.vaultwarden;

  # agenix-managed secret: decrypted at activation, only its path is handed to
  # the service. Its contents (DATABASE_URL, ADMIN_TOKEN, ...) are not visible
  # here — verify in the secrets repo what it actually carries.
  envSecret = config.age.secrets.vaultwarden-env;

  # Directory holding the setuid/setgid wrappers (normally /run/wrappers/bin).
  wrapperDir = config.security.wrapperDir;
in
{
  # Encrypted environment file for vaultwarden (PostgreSQL DSN etc.).
  # NOTE(review): default agenix ownership is root:root 0400; that is fine
  # because systemd reads EnvironmentFile before dropping to the service user.
  age.secrets.vaultwarden-env.file = ../../../secrets/vaultwarden/env.age;

  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
    environmentFile = envSecret.path;
    config = {
      ROCKET_PORT = 8222;
      # Outbound mail is handed to the local sendmail wrapper instead of SMTP.
      # The wrapper is presumably setuid/setgid (nullmailer), which is why the
      # unit hardening below has to be relaxed — TODO confirm the wrapper's
      # mode before changing any of the systemd overrides.
      SENDMAIL_COMMAND = "${wrapperDir}/sendmail";
      # NOTE(review): ROCKET_ADDRESS is not set in this file. Confirm that the
      # module default (or the env file) binds to loopback only; otherwise
      # port 8222 is reachable without TLS from the network.
    };
  };

  # Membership in the nullmailer group so the service can enqueue messages in
  # the spool directory granted below.
  users.users.vaultwarden.extraGroups = [ "nullmailer" ];

  systemd.services.vaultwarden = {
    # NixOS appends /bin, so this puts /run/wrappers/bin on the unit's PATH.
    # Mostly redundant with the absolute SENDMAIL_COMMAND above, but harmless.
    path = [ "/run/wrappers" ];

    serviceConfig = {
      # --- Hardening relaxations ---------------------------------------
      # These three overrides deliberately weaken the upstream vaultwarden
      # unit so that a setuid/setgid binary can be executed from it. They
      # widen the blast radius of a compromise of the vaultwarden process;
      # keep them to the minimum needed and re-review if mail moves to SMTP
      # (SMTP_HOST in the config), at which point all three should go away.
      #
      # NoNewPrivileges=yes would make setuid/setgid bits inert for the
      # sendmail wrapper; it has to be off for the call to gain the
      # nullmailer identity.
      NoNewPrivileges = lib.mkForce false;
      # PrivateUsers=yes runs the service in a user namespace where only its
      # own uid/gid are mapped, so a privilege switch to nullmailer would
      # fail; disabled for the same reason.
      PrivateUsers = lib.mkForce false;
      # mkForce replaces (rather than merges with) the upstream syscall
      # filter, presumably because upstream denies @privileged/@setuid
      # groups that the wrapper needs — TODO confirm against the upstream
      # module and keep @system-service as the only allow-list entry.
      SystemCallFilter = lib.mkForce [ "@system-service" ];

      # Not mkForce'd: merged with whatever the upstream unit already allows.
      # AF_LOCAL covers the PostgreSQL/sendmail sockets; the need for
      # AF_NETLINK is not evident from this file — TODO confirm it is
      # actually required (drop it if not).
      RestrictAddressFamilies = [ "AF_LOCAL" "AF_NETLINK" ];

      # Write access to nullmailer's spool only; the rest of the filesystem
      # view stays as the upstream unit defines it.
      ReadWritePaths = [ "/var/spool/nullmailer/" ];
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."vaultwarden.crans.org" = {
      # NOTE(review): no forceSSL/enableACME/sslCertificate is set on this
      # vhost. Master passwords and session tokens traverse it, so TLS must
      # be terminated here or in front of this host — verify where.
      # NOTE(review): "localhost" may resolve to ::1 first; make sure it
      # matches the address Rocket binds to (or use 127.0.0.1 explicitly).
      locations."/" = {
        proxyPass = "http://localhost:${toString cfg.config.ROCKET_PORT}";
        # Needed for the notifications websocket endpoint.
        proxyWebsockets = true;
      };
    };
  };
}