{ config, pkgs, ... }:

{
  c3d2 = {
    deployment.server = "server10";
    hq.sendmail = true;
  };

  # microvm.mem = 2 * 1024;

  networking.hostName = "vaultwarden";

  services = {
    backup = {
      enable = true;
      paths = [ "/var/lib/vaultwarden/" ];
      exclude = [
        "/var/lib/vaultwarden/icon_cache/"
        "/var/lib/vaultwarden/tmp/"
      ];
    };

    nginx = {
      enable = true;
      virtualHosts."vaultwarden.c3d2.de" = {
        forceSSL = true;
        enableACME = true;
      };
    };

    postgresql = {
      package = pkgs.postgresql_16;
      # upgrade.stopServices = [ "" ];
    };

    vaultwarden = {
      enable = true;
      config = {
        PUSH_ENABLED = true;
        PUSH_IDENTITY_URI = "https://identity.bitwarden.eu";
        PUSH_RELAY_URI = "https://push.bitwarden.eu";
        SENDMAIL_COMMAND = "/run/wrappers/bin/sendmail";
        SMTP_DEBUG = false;
        SMTP_FROM = "noreply@c3d2.de";
        SMTP_FROM_NAME = "Vaultwarden";
        SHOW_PASSWORD_HINT = false;
        SIGNUPS_ALLOWED = false;
        USE_SENDMAIL = true;
      };
      dbBackend = "postgresql";
      domain = "vaultwarden.c3d2.de";
      environmentFile = config.sops.secrets."vaultwarden/environment".path;
    };
  };

  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets = {
      "vaultwarden/environment".owner = "vaultwarden";
    };
  };

  system.stateVersion = "23.11";
}