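# NixOS module: self-hosted vaultwarden behind two nginx reverse-proxy entries
# (one LAN name, one public name), with a dedicated service account and
# optional inclusion of the data directory in the system backup set.
{ pkgs, config, lib, ... }:
let
  cfg = config.modules.services.vaultwarden;

  # Shared uid/gid for the dedicated vaultwarden service account.
  ids = 2771;

  # Default listening port. Previously this constant (8000) disagreed with the
  # option's actual default (7701) and was only ever used in the description;
  # the two now refer to the same value, so the effective port is unchanged.
  default_port = 7701;

  data_dir = "/var/lib/vaultwarden";

  # Quoted: bare URL literals are deprecated Nix syntax.
  # NOTE(review): vaultwarden binds WebAuthn/U2F origins and emailed links to
  # DOMAIN, but the public vhost below is served as vaultwarden.blakedheld.xyz,
  # not pass.blakedheld.xyz — confirm which public hostname is intended.
  domain = "https://pass.blakedheld.xyz";

  # TLS material shared by both reverse-proxy entries (sops-managed).
  ssl_cert = config.sops.secrets."ssl_blakedheld_crt".path;
  ssl_key = config.sops.secrets."ssl_blakedheld_key".path;

  # Upstream for nginx; vaultwarden itself only listens on loopback (see
  # ROCKET_ADDRESS below), so TLS termination always happens in nginx.
  upstream = "http://127.0.0.1:${toString cfg.port}";

  # One definition for both vhosts so they cannot drift apart.
  proxy_vhost = {
    enableACME = false;
    forceSSL = true;
    sslCertificate = ssl_cert;
    sslCertificateKey = ssl_key;
    locations."/" = {
      proxyPass = upstream;
    };
  };
in
{
  options.modules.services.vaultwarden = {
    enable = lib.mkEnableOption "enables vaultwarden";

    # set port options
    port = lib.mkOption {
      # types.port rejects values outside 0-65535; any previously valid int
      # that was a real port is still accepted.
      type = lib.types.port;
      default = default_port;
      # Fixed: closing parenthesis was missing from the description.
      description = "set port for vaultwarden (default: ${toString default_port})";
    };

    backup = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "enable backups for vaultwarden";
    };
  };

  config = lib.mkIf cfg.enable {
    # declare vaultwarden group
    users.groups.vaultwarden = {
      gid = ids;
    };

    # declare vaultwarden user
    users.users.vaultwarden = {
      description = "vaultwarden server user";
      uid = ids;
      isSystemUser = true;
      # Same path as data_dir, so the home and the backed-up directory agree.
      home = data_dir;
      createHome = true;
      group = "vaultwarden";
      # NOTE(review): nothing in this module needs the service account in the
      # "media" group; it widens what a compromised vaultwarden process can
      # read. Confirm the membership is still required and drop it otherwise.
      extraGroups = [ "media" ];
    };

    # enable the vaultwarden service
    services.vaultwarden = {
      enable = true;
      config = {
        DOMAIN = domain;
        # Loopback only: both nginx vhosts proxy to 127.0.0.1 and the firewall
        # entry for cfg.port is intentionally left closed, so binding 0.0.0.0
        # only ever exposed a plaintext listener on the LAN without a client.
        ROCKET_ADDRESS = "127.0.0.1";
        ROCKET_PORT = cfg.port;
        # NOTE(review): open self-registration on a vault that is also served
        # under a public hostname lets anyone who can reach it create an
        # account. Keep this true only until the intended accounts exist, then
        # set it to false (or restrict with SIGNUPS_DOMAINS_WHITELIST).
        SIGNUPS_ALLOWED = true;
        # EXPERIMENTAL_CLIENT_FEATURE_FLAGS=fido2-vault-credentials
        # The following flags are available:
        # - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
        # - "autofill-v2": Use the new autofill implementation.
        # - "browser-fileless-import": Directly import credentials from other providers without a file.
        # - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
        # - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
        # - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
        # - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
        # - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
      };
    };

    # override umask to make permissions work out
    systemd.services.vaultwarden.serviceConfig = {
      UMask = lib.mkForce "0007";
    };

    # # open firewall
    # networking.firewall.allowedTCPPorts = [ cfg.port ];

    # internal reverse proxy entry
    # NOTE(review): this LAN name is served with the blakedheld.xyz certificate;
    # unless that certificate also covers pass.snowbelle.lan, clients will see
    # a name mismatch. Confirm the certificate's SANs.
    services.nginx.virtualHosts."pass.snowbelle.lan" = proxy_vhost;

    # external reverse proxy entry
    services.nginx.virtualHosts."vaultwarden.blakedheld.xyz" = proxy_vhost;

    # add to backups
    modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
  };
}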