# yanked from @fufexan
{
  config,
  self,
  lib,
  ...
}: let
  inherit (config.networking) domain;
  inherit (lib) mkIf mkEnableOption;
  vcfg = config.services.vaultwarden.config;
  cfg = config.server.vaultwarden;
in {
  options = {
    server.vaultwarden.enable = mkEnableOption "Enables vaultwarden";
  };
  config = mkIf cfg.enable {
    systemd.services.backup-vaultwarden.serviceConfig = {
      User = "root";
      Group = "root";
    };

    services.caddy.virtualHosts."vault.cnst.dev".extraConfig = ''
      encode zstd gzip

      reverse_proxy ${vcfg.ROCKET_ADDRESS}:${toString vcfg.ROCKET_PORT} {
        header_up X-Real-IP {remote_host}
      }
    '';

    server = {
      fail2ban = lib.mkIf config.server.fail2ban.enable {
        jails = {
          vaultwarden = {
            serviceName = "vaultwarden";
            failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
          };
        };
      };
      vaultwarden = {
        enable = true;

        backupDir = "/var/backup/vaultwarden";

        config = {
          DOMAIN = "https://vault.${domain}";
          SIGNUPS_ALLOWED = false;
          ROCKET_ADDRESS = "127.0.0.1";
          ROCKET_PORT = 8222;

          logLevel = "warn";
          extendedLogging = true;
          useSyslog = true;
          invitationsAllowed = false;
          showPasswordHint = false;
          # IP_HEADER = "CF-Connecting-IP";
        };
      };
    };
  };
}