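# NixOS module: runs Vaultwarden behind an nginx virtual host and feeds it the
# SMTP password and admin token through sops-nix.
{ config, ... }:
{
  imports = [
    ./utils/nginx-https-server.nix
    ./utils/cert-store-client.nix
  ];

  sops = {
    secrets = {
      # Both secrets come from the same encrypted file; vaultwarden.service is
      # restarted whenever either value changes so a rotation takes effect.
      smtp-pass = {
        sopsFile = ../secrets/vaultwarden.yaml;
        restartUnits = [ "vaultwarden.service" ];
      };
      admin-token = {
        sopsFile = ../secrets/vaultwarden.yaml;
        restartUnits = [ "vaultwarden.service" ];
      };
    };

    # Environment file handed to the service. Only sops placeholders appear in
    # this module; the rendered file is owned by the vaultwarden user.
    # NOTE(review): ADMIN_TOKEN unlocks the /admin panel. Confirm the stored
    # value is an Argon2 PHC string rather than a plaintext token.
    templates."vaultwarden.env" = {
      owner = "vaultwarden";
      content = ''
        SMTP_FROM=vmsskv12@gmail.com
        SMTP_USERNAME=vmsskv12@gmail.com
        SMTP_PASSWORD=${config.sops.placeholder.smtp-pass}
        ADMIN_TOKEN=${config.sops.placeholder.admin-token}
      '';
    };
  };

  services = {
    vaultwarden = {
      enable = true;
      environmentFile = config.sops.templates."vaultwarden.env".path;
      config = {
        DOMAIN = "https://vaultwarden.vsinerva.fi";

        # nginx below forwards plain HTTP to port 8000 on localhost, so the
        # listener is pinned to loopback and to that port explicitly instead
        # of depending on whatever default happens to apply.
        ROCKET_ADDRESS = "127.0.0.1";
        ROCKET_PORT = 8000;

        # Brute-force throttling for user logins and for the admin panel.
        # NOTE(review): /admin uses the same limits as user login; consider
        # whether it warrants stricter values.
        LOGIN_RATELIMIT_MAX_BURST = 10;
        LOGIN_RATELIMIT_SECONDS = 60;
        ADMIN_RATELIMIT_MAX_BURST = 10;
        ADMIN_RATELIMIT_SECONDS = 60;

        SENDS_ALLOWED = true;
        EMERGENCY_ACCESS_ALLOWED = true;
        WEB_VAULT_ENABLED = true;

        # NOTE(review): open registration on an internet-facing vault lets
        # anyone who can reach DOMAIN create an account. E-mail verification
        # is required below, but if the user set is known, prefer
        # SIGNUPS_ALLOWED = false with invitations or a
        # SIGNUPS_DOMAINS_WHITELIST.
        SIGNUPS_ALLOWED = true;
        SIGNUPS_VERIFY = true;
        SIGNUPS_VERIFY_RESEND_TIME = 3600;
        SIGNUPS_VERIFY_RESEND_LIMIT = 5;

        # Outbound mail: submission port with STARTTLS. The credentials come
        # from the environment file above.
        SMTP_HOST = "smtp.gmail.com";
        SMTP_FROM_NAME = "Vaultwarden";
        SMTP_SECURITY = "starttls";
        SMTP_PORT = 587;
        SMTP_AUTH_MECHANISM = "Login";
      };
    };

    nginx = {
      # TLS settings for this vhost are not set here; presumably they come
      # from ./utils/nginx-https-server.nix. Confirm HTTPS is enforced there.
      virtualHosts."vaultwarden.vsinerva.fi" = {
        locations."/" = {
          proxyPass = "http://localhost:8000";
        };
      };
    };
  };
}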