# NixOS module: Vaultwarden backed by PostgreSQL, sending mail through the
# host's sendmail wrapper, with its environment file supplied as an age secret.
{ config, lib, ... }:
let
  inherit (lib) mkForce;
in
{
  # Encrypted env file; the decrypted path is passed to the service below.
  # Anything sensitive should live here rather than in `config`, whose values
  # are plain Nix strings.
  age.secrets.giovanni-env.file = ../../../secrets/zora/services/giovanni-env.age;

  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
    # Presumably carries the database URL, admin token and mail settings, since
    # none of them are set in this file. TODO confirm.
    environmentFile = config.age.secrets.giovanni-env.path;

    config = {
      # NOTE(review): no ROCKET_ADDRESS is set here. Confirm the effective bind
      # address (env file or module default) so the port is reachable only from
      # the TLS-terminating reverse proxy.
      ROCKET_PORT = 44301;
      # Mail goes through the wrapper in security.wrapperDir, not a store path.
      SENDMAIL_COMMAND = "${config.security.wrapperDir}/sendmail";
    };
  };

  systemd.services.vaultwarden = {
    # Puts the wrapper directory on the unit's PATH.
    path = [ "/run/wrappers" ];

    serviceConfig = {
      # The three mkForce overrides below relax sandboxing and take priority
      # over ordinary definitions of the same keys. Presumably they are needed
      # so the sendmail wrapper can change credentials when the service execs
      # it. TODO confirm each one is still required.
      #
      # With NoNewPrivileges off, any setuid/setgid wrapper reachable from this
      # unit can elevate, not just sendmail. Review what /run/wrappers holds.
      NoNewPrivileges = mkForce false;
      # No private user namespace for the service.
      PrivateUsers = mkForce false;
      # The syscall allow-list becomes exactly @system-service; any deny groups
      # defined elsewhere for this key are dropped by the override.
      SystemCallFilter = mkForce [ "@system-service" ];

      # No mkForce: these are added to, not substituted for, any families
      # defined elsewhere (presumably; verify with `systemctl show`).
      RestrictAddressFamilies = [
        "AF_LOCAL"
        "AF_NETLINK"
      ];

      # Mail spool and Postfix maildrop queue must be writable for submission.
      ReadWritePaths = [
        "/var/spool/mail/"
        "/var/lib/postfix/queue/maildrop/"
      ];
    };
  };
}