{ lib, config, ... }:

let
  inherit (lib) mkEnableOption mkOption mkIf mkDefault types;

  cfg = config.modules.services.vaultwarden;

  # Public host name the instance is reverse-proxied under.
  fqdn = "${cfg.subdomain}.${config.networking.domain}";

  # Read the listen port back from the *merged* vaultwarden config, so a
  # ROCKET_PORT override supplied through cfg.config is what the vhost proxies to.
  port = config.services.vaultwarden.config.ROCKET_PORT;

  # Module defaults; cfg.config is merged on top with `//`, so any key set
  # there replaces the value given here.
  baseConfig = {
    DOMAIN = "https://${fqdn}";
    # Host part is the percent-encoded socket directory /var/run/postgresql,
    # i.e. a local Unix-socket connection with no credentials in the URL.
    DATABASE_URL = "postgres://%2Fvar%2Frun%2Fpostgresql/vaultwarden";
    WEBSOCKET_ENABLED = true;
    # NOTE(review): verified signups need working SMTP settings, which this
    # module does not set — presumably they come from the environment file
    # or cfg.config; confirm before relying on verification.
    SIGNUPS_VERIFY = true;
    # NOTE(review): SIGNUPS_ALLOWED is not pinned here, so registration policy
    # falls back to the upstream default; set it explicitly before the vhost
    # is reachable from untrusted networks.
    PASSWORD_ITERATIONS = 600000;
    ROCKET_LIMITS = "{json=10485760}";
    ROCKET_PORT = 8000;
  };
in
{
  options.modules.services.vaultwarden = {
    enable = mkEnableOption "Enable Vaultwarden";
    subdomain = mkOption { type = types.str; };
    # NOTE(review): declared but never referenced in this module —
    # environmentFile below is a fixed path rather than cfg.secrets.
    secrets = mkOption { type = types.str; };
    # Free-form overrides/additions to the vaultwarden config attrset.
    config = mkOption {
      type = types.attrs;
      default = { };
    };
  };

  config = mkIf cfg.enable {
    services.vaultwarden = {
      enable = true;
      dbBackend = "postgresql";
      # Presumably where secret settings (admin token, SMTP credentials, …)
      # live so they stay out of the world-readable Nix store — verify the
      # file's ownership/mode on the host.
      environmentFile = "/var/secrets/vaultwarden.env";
      config = baseConfig // cfg.config;
    };

    # Front the Rocket listener with the shared webserver module.
    modules.services.webserver = {
      enable = mkDefault true;
      vHosts.${fqdn}.locations."/".proxyPort = port;
    };

    # Local database; the "vaultwarden" role owns the database of the same
    # name, matching the socket-based DATABASE_URL above.
    services.postgresql = {
      enable = mkDefault true;
      ensureDatabases = [ "vaultwarden" ];
      ensureUsers = [
        {
          name = "vaultwarden";
          ensureDBOwnership = true;
        }
      ];
    };
  };
}