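# NixOS module: runs Vaultwarden as an OCI container, with its state kept in
# a host directory and its SMTP secrets supplied through an agenix-managed
# environment file.
{ config, ... }:

let
  # Host directory bind-mounted into the container as /data.
  workDir = "/srv/containers/vaultwarden";
in
{
  # Create the state directory owned by root:admin. The leading 2 is setgid,
  # so new files inherit the admin group. Mode tightened from 2775 to 2770:
  # this directory is the vault's /data volume, so local accounts outside the
  # group should not be able to list or read it.
  systemd.tmpfiles.rules = [
    "d ${workDir} 2770 root admin"
  ];

  virtualisation.oci-containers.containers.vaultwarden = {
    autoStart = true;

    # NOTE(review): ":latest" is a mutable tag, so the image that actually runs
    # can change on any pull. Pin a reviewed release tag or digest, e.g.
    # "vaultwarden/server:<VERSION>@sha256:<DIGEST>" (placeholders).
    image = "vaultwarden/server:latest";

    # NOTE(review): this publishes the container's plain-HTTP port 80 on every
    # host interface. DOMAIN is https, so presumably a TLS-terminating reverse
    # proxy fronts it. If that proxy runs on this host, bind to
    # "127.0.0.1:10002:80"; otherwise restrict the port in the firewall.
    ports = [ "0.0.0.0:10002:80" ];

    volumes = [ "${workDir}:/data" ];

    environment = {
      TZ = "Europe/Bucharest";
      DOMAIN = "https://vault.isan.ro";
      WEBSOCKET_ENABLED = "true";
      # NOTE(review): open registration lets anyone who can reach DOMAIN
      # create an account. Once the intended users exist, set this to "false"
      # (invitations still work) or limit it with SIGNUPS_DOMAINS_WHITELIST.
      SIGNUPS_ALLOWED = "true";
    };

    # SMTP secrets: kept out of the world-readable Nix store and passed to the
    # container as an env file decrypted by agenix.
    environmentFiles = [
      config.age.secrets.vaultwarden.path
    ];

    # For directory permissions: run the container process as uid 1000,
    # gid 10000 instead of root. Presumably gid 10000 is the `admin` group
    # that owns workDir; confirm, since write access to /data depends on it.
    extraOptions = [ "--user=1000:10000" ];
  };
}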