# NixOS module: Vaultwarden served through a Caddy reverse proxy, with a
# local PostgreSQL database and secrets delivered through sops-nix.
{ config, pkgs, ... }:
let
  # Merged Vaultwarden options, so the proxy target below follows
  # whatever ROCKET_PORT finally evaluates to.
  vwCfg = config.services.vaultwarden;
in
{
  # The decrypted env file is owned by the user the vaultwarden unit runs as.
  # NOTE(review): sops-nix's default mode should keep it unreadable to other
  # accounts; confirm no `mode`/`group` override elsewhere loosens that.
  sops.secrets.vaultenv.owner = config.systemd.services.vaultwarden.serviceConfig.User;

  services = {
    vaultwarden = {
      enable = true;
      dbBackend = "postgresql";

      # Secret settings belong in this file rather than in `config` below:
      # values written in `config` are rendered into the world-readable Nix store.
      # NOTE(review): DATABASE_URL (and ADMIN_TOKEN, if the admin page is used)
      # are presumably supplied here; verify against the encrypted file.
      environmentFile = config.sops.secrets.vaultenv.path;

      config = {
        DOMAIN = "https://vault.crompton.cc";
        # Loopback only: the service is reached solely through the Caddy
        # virtual host defined below.
        ROCKET_ADDRESS = "127.0.0.1";
        ROCKET_PORT = 8222;
        # NOTE(review): SIGNUPS_ALLOWED is not set in this module and Vaultwarden
        # allows registration by default; confirm it is disabled in the env file
        # or admin panel if this instance is not meant to accept new accounts.
      };
    };

    postgresql = {
      enable = true;
      port = 5432;
      ensureDatabases = [ "vaultwarden" ];
      ensureUsers = [
        {
          name = "vaultwarden";
          # Full rights on the vaultwarden database only.
          # NOTE(review): newer NixOS releases replace `ensurePermissions`
          # with `ensureDBOwnership`; check before upgrading nixpkgs.
          ensurePermissions = {
            "DATABASE \"vaultwarden\"" = "ALL PRIVILEGES";
          };
        }
      ];
    };

    # Public entry point: Caddy forwards requests for the vault hostname to
    # the loopback listener configured above.
    caddy.virtualHosts."vault.crompton.cc".extraConfig = ''
      reverse_proxy 127.0.0.1:${toString vwCfg.config.ROCKET_PORT}
    '';
  };
}