{ config, lib, pkgs, ... }:

let cfg = config.sydnix.deertopia.vaultwarden;
in {
  options.sydnix.deertopia.vaultwarden = {
    enable = lib.mkEnableOption "Vaultwarden";
  };

  config = lib.mkIf cfg.enable {
    services.vaultwarden = {
      enable = true;
      config = {
	ROCKET_ADDRESS = "127.0.0.1";
	ROCKET_PORT = 8222;
	DOMAIN = "https://vault.deertopia.net";
      };
    };

    sydnix.impermanence.directories = [
      "/var/backup/vaultwarden"
    ];

    services.nginx.upstreams.vaultwarden.servers =
      let port = toString config.services.vaultwarden.config.ROCKET_PORT;
      in {
	"127.0.0.1:${port}" = { };
      };

    sydnix.deertopia.nginx.vhosts."vault".vhost = {
        forceSSL = true;
        enableACME = true;
	locations = {
	  "/".proxyPass = "http://vaultwarden";
          "= /notifications/anonymous-hub" = {
            proxyPass = "http://vaultwarden";
            proxyWebsockets = true;
          };
          "= /notifications/hub" = {
            proxyPass = "http://vaultwarden";
            proxyWebsockets = true;
          };
	};
      };
  };
}