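# NixOS module: a small `services.password-manager` option set that is mapped
# onto the built-in `services.vaultwarden` module.  Vaultwarden itself is
# configured through environment variables, so every option here ends up as
# one `NAME=value` entry in the service's environment.
{ config, pkgs, lib, ... }:

let
  cfg = config.services.password-manager;
  inherit (lib) mkIf mkOption types;

  # extraConfig values must become strings for the environment.  An entry set
  # to `null` means "not set" and is dropped, instead of being emitted as an
  # empty `NAME=` (which `toString null` would have produced).
  extraEnv = lib.mapAttrs
    (_: value: if lib.isBool value then lib.boolToString value else toString value)
    (lib.filterAttrs (_: value: value != null) cfg.extraConfig);
in
{
  options.services.password-manager = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Enable the password manager service (Vaultwarden)";
    };

    domain = mkOption {
      type = types.str;
      default = "pass.lagraula.fr";
      description = "Domain name for the Vaultwarden instance";
    };

    # Note: this is the plain-HTTP listener port (DOMAIN below is https://);
    # TLS is expected to be terminated elsewhere.
    port = mkOption {
      type = types.port;
      default = 8080;
      description = "HTTP port for the Vaultwarden web interface";
    };

    dataDir = mkOption {
      type = types.str;
      default = "/var/lib/vaultwarden";
      description = "Data directory for Vaultwarden persistent state";
    };

    dbBackend = mkOption {
      type = types.enum [ "sqlite" "mysql" "postgresql" ];
      default = "sqlite";
      description = "Database backend type";
    };

    # The token is deliberately taken from a file (not a string option) so the
    # secret never ends up in the world-readable Nix store.
    adminTokenFile = mkOption {
      type = types.nullOr types.str;
      default = null;
      description = ''
        Path to a file containing the admin token for the /admin panel.
        Use agenix or sops-nix to provide this file securely.
      '';
    };

    # The default keeps the original behaviour (open registration).  On an
    # instance reachable from the network, consider setting this to false
    # once the intended accounts exist.
    signupsAllowed = mkOption {
      type = types.bool;
      default = true;
      description = "Allow new user registration";
    };

    extraConfig = mkOption {
      type = types.attrsOf (types.nullOr (types.oneOf [ types.bool types.str types.int types.port ]));
      default = { };
      description = "Additional Vaultwarden config options as attribute set (mapped to env vars)";
    };
  };

  config = mkIf cfg.enable {
    # Delegate to the built-in NixOS vaultwarden module.
    services.vaultwarden = {
      enable = true;
      package = pkgs.vaultwarden;
      webVaultPackage = pkgs.vaultwarden-webvault;
      inherit (cfg) dbBackend;

      # The admin token is supplied through the service's EnvironmentFile and
      # is not mentioned in `config` at all, so it is never rendered into the
      # store.  `environmentFile` defaults to null in the upstream module, so
      # it is only set when a token file was given.
      environmentFile = mkIf (cfg.adminTokenFile != null) cfg.adminTokenFile;

      # Base settings first, then extraConfig, so user-supplied keys win.
      # This is a single attrset on purpose: `//` is a shallow merge, and the
      # previous version re-defined `config = { ADMIN_TOKEN = null; }` in a
      # second `//` whenever adminTokenFile was set, which silently replaced
      # the whole set and dropped DOMAIN, PORT and SIGNUPS_ALLOWED.
      config = {
        DOMAIN = "https://${cfg.domain}";
        PORT = cfg.port;
        # Vaultwarden's Rocket listener takes its port from ROCKET_PORT; PORT
        # is kept as the original set it, but it is not clear vaultwarden
        # honours a bare PORT on its own — TODO confirm and drop one of them.
        ROCKET_PORT = cfg.port;
        SIGNUPS_ALLOWED = cfg.signupsAllowed;
      } // extraEnv;
    };

    # NOTE(review): this opens the plain-HTTP listener to the whole network
    # while DOMAIN advertises https.  That only makes sense when a TLS
    # reverse proxy on another host terminates the connection — confirm;
    # otherwise leave the port closed (and restrict the listener with
    # ROCKET_ADDRESS via extraConfig) so credentials never cross the wire
    # unencrypted.  The `mkIf config.services.vaultwarden.enable` guard that
    # was here is redundant: we set `enable = true` in this very block.
    networking.firewall.allowedTCPPorts = [ cfg.port ];
  };
}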