# NixOS module for the Vaultwarden host: a sops-managed environment file,
# an nginx reverse proxy on port 80 in front of the loopback-only Rocket
# listener, and outgoing mail through an external SMTP relay.
{
  config,
  lib,
  pkgs,
  inputs,
  ...
}:

{
  imports = [
    ../modules/malobeo_user.nix
    ../modules/sshd.nix
    inputs.self.nixosModules.malobeo.metrics
  ];

  sops = {
    defaultSopsFile = ./secrets.yaml;

    # Decrypted secret is owned by the service account so that only the
    # vaultwarden user/group needs to read it (it is passed to the unit as
    # environmentFile below). Its contents are not visible in this file.
    secrets.vaultwarden_env = {
      owner = "vaultwarden";
      group = "vaultwarden";
    };
  };

  networking = {
    hostName = lib.mkDefault "vaultwarden";
    useDHCP = false;

    # Only plain HTTP is opened here, while DOMAIN below is https://.
    # NOTE(review): presumably TLS is terminated by an upstream proxy --
    # confirm, and confirm that the hop from that proxy to this host stays
    # on a trusted network, since login and session traffic crosses it
    # unencrypted.
    firewall.allowedTCPPorts = [ 80 ];
  };

  malobeo.metrics = {
    enable = true;
    enablePromtail = true;
    logNginx = true;
  };

  services.nginx = {
    enable = true;

    # NOTE(review): no forwarded-header settings are set in this file (for
    # example services.nginx.recommendedProxySettings). If they are not
    # enabled elsewhere, Vaultwarden sees every request as coming from
    # 127.0.0.1, which makes failed-login log lines useless for attribution.
    virtualHosts."keys.malobeo.org".locations."/" = {
      proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
      extraConfig = '' '';
    };
  };

  services.vaultwarden = {
    enable = true;

    # NOTE(review): backup copies are as sensitive as the live database;
    # verify ownership and mode of this directory and of wherever the
    # backups are shipped afterwards.
    backupDir = "/var/local/vaultwarden/backup";

    # Values that must not land in the world-readable Nix store come from
    # the sops secret declared above.
    environmentFile = config.sops.secrets.vaultwarden_env.path;

    config = {
      DOMAIN = "https://keys.malobeo.org";

      # Open registration: anyone who can reach the instance can create an
      # account. NOTE(review): confirm this is intended; Vaultwarden also
      # offers SIGNUPS_DOMAINS_WHITELIST and INVITATIONS_ALLOWED to narrow
      # who may register.
      SIGNUPS_ALLOWED = true;

      #WEBSERVER
      # Bound to loopback, so the application is reachable only through the
      # nginx virtual host above.
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = 8222;
      ROCKET_LOG = "critical";

      #EMAIL
      # force_tls on port 465: the SMTP session is wrapped in TLS from the
      # first byte rather than upgraded with STARTTLS.
      SMTP_HOST = "mail.systemli.org";
      SMTP_PORT = 465;
      SMTP_SECURITY = "force_tls";
      SMTP_USERNAME = "malobot@systemli.org";
      SMTP_FROM = "malobot@systemli.org";
      SMTP_FROM_NAME = "Malobeo Vaultwarden Server";
    };
  };

  system.stateVersion = "22.11"; # Did you read the comment?
}