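# Vaultwarden (password manager) served at pass.<networking.domain> behind a
# Caddy reverse proxy.
{ config, ... }:
let
  domain = "pass.${config.networking.domain}";
in
{
  # agenix-managed secret passed to Vaultwarden as its environment file, so
  # secret settings are not written into the world-readable Nix store the way
  # the values under `services.vaultwarden.config` are.
  # NOTE(review): the secret is owned by the "vaultwarden" user; while
  # services.vaultwarden.enable is false that user may not exist on the host.
  # Confirm activation does not fail when agenix applies the ownership.
  age.secrets = {
    vaultwarden_secret = {
      file = ../../secrets/services/vaultwarden.age;
      owner = "vaultwarden";
    };
  };

  services.vaultwarden = {
    enable = false; # TODO: enable
    # TODO: move to pgsql
    #dbBackend = "postgresql";
    environmentFile = config.age.secrets.vaultwarden_secret.path;
    config = {
      DOMAIN = "https://${domain}";
      # No open self-registration on the vault.
      SIGNUPS_ALLOWED = false;
      # Bind to the IPv6 loopback only: the service is not exposed on external
      # interfaces, and Caddy below is the public entry point.
      ROCKET_ADDRESS = "::1";
      ROCKET_PORT = 8222;
    };
  };

  # NOTE(review): this virtual host is declared regardless of
  # services.vaultwarden.enable, so while the service is disabled Caddy (if
  # enabled elsewhere) still serves the name with no upstream behind it.
  services.caddy.virtualHosts."${domain}" = {
    # The upstream is pinned to the exact address Vaultwarden binds to
    # (ROCKET_ADDRESS above). "localhost" can also resolve to 127.0.0.1, where
    # Vaultwarden is not listening; an unrelated local process bound to that
    # port there could otherwise end up receiving vault traffic.
    extraConfig = ''
      reverse_proxy [::1]:${builtins.toString config.services.vaultwarden.config.ROCKET_PORT}
    '';
  };
}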