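# NixOS module: Vaultwarden bound to loopback, published through an nginx
# virtual host whose certificate is obtained via ACME.
#
# Changes from the previous revision:
#   * The vhost uses forceSSL instead of addSSL, so the vault is no longer
#     reachable over cleartext HTTP.
#   * nginx forwards the real client address and scheme to Vaultwarden.
#   * The unused `cfg` / `cfgUser` let-bindings are gone.
#   * The trailing `#` comment sits on its own line; on a collapsed single
#     line it commented out the rest of the module.
{ config, pkgs, ... }:
{
  services = {
    vaultwarden = {
      enable = true;
      dbBackend = "sqlite";

      # Secrets are read from this file at service start, so they stay out of
      # the world-readable Nix store. SMTP_PASSWORD lives here; any other
      # secret (e.g. ADMIN_TOKEN, if the admin page is used) belongs here too.
      environmentFile = "/run/agenix/vaultwarden";

      config = {
        DOMAIN = "https://vault.bhankas.org";

        # Closed instance: no self-service account creation.
        SIGNUPS_ALLOWED = false;
        SIGNUPS_VERIFY = false;

        # Listen on loopback only; nginx below is the sole public entry point.
        ROCKET_ADDRESS = "127.0.0.1";
        ROCKET_PORT = "8222";
        ROCKET_LOG = "critical";

        # NOTE(review): with USE_SENDMAIL enabled, mail is handed to
        # SENDMAIL_COMMAND; the SMTP_HOST/PORT/SECURITY/USERNAME values are
        # presumably unused in that mode. Confirm which transport is intended.
        USE_SENDMAIL = true;
        SENDMAIL_COMMAND = "/run/wrappers/bin/sendmail";
        SMTP_HOST = "smtp.purelymail.com";
        SMTP_PORT = 587;
        SMTP_SECURITY = "starttls";
        SMTP_USERNAME = "gandalf@bhankas.org";
        SMTP_FROM = "gandalf@bhankas.org";
        # SMTP_PASSWORD is included in envFile
      };
    };

    nginx = {
      enable = true;
      virtualHosts = {
        "vault.bhankas.org" = {
          # forceSSL answers port 80 with a redirect to HTTPS. addSSL would
          # serve the password vault on port 80 as well, letting credentials
          # and session tokens travel in cleartext.
          forceSSL = true;
          enableACME = true;

          locations."/" = {
            # Must stay in sync with ROCKET_ADDRESS / ROCKET_PORT above.
            proxyPass = "http://127.0.0.1:8222";
            # WebSocket upgrade requests are not proxied.
            proxyWebsockets = false;
            # Pass the original client address and scheme upstream. Without
            # X-Real-IP every request appears to come from 127.0.0.1, which
            # makes per-IP login rate limiting and failed-login log entries
            # useless for detection. nginx overwrites any client-supplied
            # value with $remote_addr.
            # NOTE(review): assumes services.nginx.recommendedProxySettings is
            # not enabled elsewhere; if it is, drop this to avoid duplicates.
            extraConfig = ''
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
            '';
          };
        };
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    certs = {
      "vault.bhankas.org" = {
        email = "admin@bhankas.org";
        # NOTE(review): dnsResolver is presumably only consulted for DNS-01
        # validation; no dnsProvider is set here. Confirm it is needed.
        dnsResolver = "1.1.1.1:53";
      };
    };
  };
}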