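# NixOS module: Vaultwarden password manager behind the local reverse proxy,
# backed by a local PostgreSQL database reached over its Unix socket.
{ lib, ... }:
let
  # Public host name; used for the DOMAIN setting and as the vhost key.
  fqdn = "pw.freun.dev";
in
{
  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";

    # Loaded as an environment file at service start, so values placed here
    # stay out of the world-readable Nix store. Presumably carries the secret
    # settings not listed under `config` (SMTP password, Yubico secret key,
    # admin token, if used) - TODO confirm. The file should not be
    # world-readable.
    environmentFile = "/var/secrets/vaultwarden.env";

    config = {
      DOMAIN = "https://${fqdn}";

      # URL-encoded socket directory (/var/run/postgresql): the connection goes
      # over the local Unix socket and no database password appears here.
      DATABASE_URL = "postgres://%2Fvar%2Frun%2Fpostgresql/vaultwarden";

      # Bind the HTTP listener to loopback explicitly. The reverse proxy below
      # is the only intended client, and pinning address and port keeps the
      # backend from depending on the upstream default bind address.
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = 8000;

      # Separate notification listener, loopback only.
      # NOTE(review): newer Vaultwarden releases serve notifications on the
      # main port; check whether these three settings still apply to the
      # packaged version.
      WEBSOCKET_ENABLED = true;
      WEBSOCKET_ADDRESS = "127.0.0.1";
      WEBSOCKET_PORT = 3012;

      # New accounts must confirm their e-mail address before first login.
      # NOTE(review): SIGNUPS_ALLOWED is not set here, so whether registration
      # is open depends on the environment file or the upstream default;
      # confirm that open registration is intended for this instance.
      SIGNUPS_VERIFY = true;

      # Server-side password hash iteration count.
      PASSWORD_ITERATIONS = 600000;

      # The client id is not a secret; the matching YUBICO_SECRET_KEY must not
      # be written in this file (everything here ends up in the Nix store).
      YUBICO_CLIENT_ID = 86799;

      # Outgoing mail through the submission port.
      # NOTE(review): SMTP_SECURITY is not set; confirm the effective value
      # enforces STARTTLS, since verification and password-hint mail is sent
      # over this connection.
      SMTP_HOST = "horologium.uberspace.de";
      SMTP_FROM = "noreply@freun.dev";
      SMTP_FROM_NAME = "Vaultwarden";
      SMTP_USERNAME = "noreply@freun.dev";
      SMTP_PORT = 587;
      HELO_NAME = "freun.dev";

      # Maximum JSON request body: 10485760 bytes (10 MiB).
      ROCKET_LIMITS = "{json=10485760}";
    };
  };

  # Reverse-proxy routes for the public vhost. Both upstreams are loopback
  # addresses, matching the listeners configured above.
  modules.webserver.vHosts.${fqdn}.locations = {
    "/".proxy = "http://127.0.0.1:8000";
    "/notifications/hub".proxy = "http://127.0.0.1:3012";
  };

  # Database and owning role for the service.
  # NOTE(review): services.postgresql.enable is not set in this module;
  # presumably it is enabled elsewhere - confirm.
  services.postgresql = {
    ensureDatabases = [ "vaultwarden" ];
    ensureUsers = [
      {
        name = "vaultwarden";
        ensureDBOwnership = true;
      }
    ];
  };
}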