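# NixOS module: Vaultwarden (Bitwarden-compatible server) behind nginx, plus a
# vaultwarden_ldap sidecar that periodically syncs LDAP users into Vaultwarden.
#
# All secrets (admin token, LDAP bind password, DB and SMTP passwords) come from
# sops-nix and are only ever read from their secret files at service start; they
# are never written into the Nix store and never passed on a process command line.
{ pkgs, config, ... }:
let
  # Template for vaultwarden_ldap's config.toml. The two @PLACEHOLDER@ values are
  # substituted at service start (see preStart below), so this attrset, and the
  # derivation built from it, contains no secrets and can safely live in the
  # world-readable Nix store.
  ldapConfig = {
    vaultwarden_url = "https://bitwarden.cloonar.com";
    vaultwarden_admin_token = "@ADMIN_TOKEN@";
    ldap_host = "ldap.cloonar.com";
    ldap_ssl = true;
    ldap_bind_dn = "cn=bitwarden,ou=system,ou=users,dc=cloonar,dc=com";
    ldap_bind_password = "@LDAP_PASSWORD@";
    ldap_search_base_dn = "ou=users,dc=cloonar,dc=com";
    ldap_search_filter = "(&(objectClass=cloonarUser))";
    ldap_sync_interval_seconds = 3600;
  };

  # Build-time JSON -> TOML conversion of the (secret-free) template.
  ldapConfigFile = pkgs.runCommand "config.toml" {
    buildInputs = [ pkgs.remarshal ];
    preferLocalBuild = true;
  } ''
    remarshal -if json -of toml \
      < ${pkgs.writeText "config.json" (builtins.toJSON ldapConfig)} \
      > $out
  '';

  # Runtime location of the rendered config (placeholders replaced).
  ldapRuntimeConfig = "/run/vaultwarden_ldap/config.toml";
in
{
  imports = [ ../nur.nix ];

  environment.systemPackages = with pkgs; [ nur.repos.mic92.vaultwarden_ldap ];

  services.vaultwarden = {
    enable = true;
    dbBackend = "mysql";
    config = {
      domain = "https://bitwarden.cloonar.com";
      # Accounts are provisioned through the LDAP sync only; no self-registration.
      signupsAllowed = false;
      rocketPort = 3011;
      enableDbWal = "false";
      websocketEnabled = true;
      smtpHost = "mail.cloonar.com";
      smtpFrom = "bitwarden@cloonar.com";
      smtpUsername = "bitwarden@cloonar.com";
    };
  };

  systemd.services.vaultwarden.serviceConfig = {
    # Environment file holding the SMTP password (and whatever else vaultwarden
    # reads from its environment). NOTE(review): the secret's contents are not
    # visible here; confirm it also carries ADMIN_TOKEN and DATABASE_URL, since
    # bitwarden-db-password is declared below but referenced nowhere in this file.
    EnvironmentFile = [ config.sops.secrets.bitwarden-smtp-password.path ];
  };

  systemd.services.vaultwarden_ldap = {
    wantedBy = [ "multi-user.target" ];
    # Render the config into the service's private runtime directory.
    # replace-secret reads each secret from its file and edits the target file in
    # place, so the secret never appears in a process argument list
    # (/proc/*/cmdline) and is not corrupted by sed metacharacters (=, &, \,
    # newlines) the way a `sed -e "s=@X@=$(<file)="` substitution would be.
    preStart = ''
      umask 077
      install -m 0600 ${ldapConfigFile} ${ldapRuntimeConfig}
      ${pkgs.replace-secret}/bin/replace-secret '@LDAP_PASSWORD@' \
        ${config.sops.secrets.bitwarden-ldap-password.path} ${ldapRuntimeConfig}
      ${pkgs.replace-secret}/bin/replace-secret '@ADMIN_TOKEN@' \
        ${config.sops.secrets.bitwarden-admin-token.path} ${ldapRuntimeConfig}
    '';
    serviceConfig = {
      Restart = "on-failure";
      RestartSec = "2s";
      ExecStart = "${pkgs.nur.repos.mic92.vaultwarden_ldap}/bin/vaultwarden_ldap";
      Environment = "CONFIG_PATH=${ldapRuntimeConfig}";
      RuntimeDirectory = [ "vaultwarden_ldap" ];
      # The default RuntimeDirectoryMode is 0755, which would leave the rendered
      # config (admin token + LDAP bind password) readable by every local user.
      RuntimeDirectoryMode = "0700";
      User = "vaultwarden_ldap";
      Group = "vaultwarden_ldap";
      # Basic sandboxing: the sync process only needs network access and its
      # runtime config. RuntimeDirectory remains writable under
      # ProtectSystem=strict, so preStart can still render the file.
      NoNewPrivileges = true;
      PrivateTmp = true;
      ProtectHome = true;
      ProtectSystem = "strict";
    };
  };

  services.nginx.virtualHosts."bitwarden.cloonar.com" = {
    forceSSL = true;
    enableACME = true;
    acmeRoot = null;
    extraConfig = ''
      client_max_body_size 128M;
    '';
    # Web vault / API.
    locations."/" = {
      proxyPass = "http://localhost:3011";
      proxyWebsockets = true;
    };
    # Live-sync websocket endpoint (vaultwarden's default websocket port).
    locations."/notifications/hub" = {
      proxyPass = "http://localhost:3012";
      proxyWebsockets = true;
    };
    # The negotiate handshake is served by the main HTTP port, not the websocket one.
    locations."/notifications/hub/negotiate" = {
      proxyPass = "http://localhost:3011";
      proxyWebsockets = true;
    };
  };

  # Each secret is owned by the single service user that needs it, so the
  # vaultwarden process cannot read the LDAP credentials and vice versa.
  sops.secrets = {
    bitwarden-admin-token = {
      owner = "vaultwarden_ldap";
      sopsFile = ./secrets.yaml;
    };
    bitwarden-ldap-password = {
      owner = "vaultwarden_ldap";
      sopsFile = ./secrets.yaml;
    };
    bitwarden-db-password = {
      owner = "vaultwarden";
      sopsFile = ./secrets.yaml;
    };
    bitwarden-smtp-password = {
      owner = "vaultwarden";
      sopsFile = ./secrets.yaml;
    };
  };

  # Dedicated unprivileged identity for the LDAP sync sidecar.
  users.users.vaultwarden_ldap = {
    isSystemUser = true;
    group = "vaultwarden_ldap";
  };
  users.groups.vaultwarden_ldap = { };

  services.mysqlBackup.databases = [ "bitwarden" ];
}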