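# Vaultwarden behind Caddy on this host, with PostgreSQL reached over the
# local Unix socket. The service's environment file comes from agenix.
{ config, ... }:
let
  # Public hostname, derived from the host's configured domain so it is not
  # duplicated between the Vaultwarden config and the Caddy virtual host.
  domain = "vault.${config.networking.domain}";
in
{
  # Decrypted environment file; owned by the service user so that other
  # accounts on the host cannot read it.
  age.secrets.vaultwarden = {
    file = ../../../../secrets/nuc/vaultwarden.age;
    owner = "vaultwarden";
  };
  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
    # Settings that must not land in the world-readable Nix store (presumably
    # tokens/credentials) are read from the decrypted secret at runtime.
    environmentFile = config.age.secrets.vaultwarden.path;
    config = {
      domain = "https://${domain}";
      # Self-service registration is disabled.
      signupsAllowed = false;
      # libpq treats a percent-encoded host that starts with "/" as a Unix
      # socket directory, so this connects through /run/postgresql. There is
      # no password in the URL; it presumably relies on PostgreSQL peer
      # authentication matching the service's OS user ("vaultwarden") —
      # confirm against the host's pg_hba rules.
      databaseUrl = "postgresql://vaultwarden@%2Frun%2Fpostgresql/vaultwarden";
      # Only Caddy (below) should reach the backend: pin the listener to
      # loopback so port 8000 is not exposed on other interfaces regardless of
      # firewall state or of what the upstream default bind address is.
      rocketAddress = "127.0.0.1";
      rocketPort = 8000;
    };
  };
  services.postgresql = {
    enable = true;
    # Role name equals database name, which ensureDBOwnership requires.
    ensureUsers = [
      {
        name = "vaultwarden";
        ensureDBOwnership = true;
      }
    ];
    ensureDatabases = [ "vaultwarden" ];
  };
  # Caddy fronts the public hostname and proxies to the loopback listener;
  # the port is taken from the Vaultwarden config so the two cannot drift.
  services.caddy.virtualHosts."${domain}".extraConfig = ''
    reverse_proxy 127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}
  '';
}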