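{ config, pkgs, ... }:
# NixOS host configuration for a Vaultwarden instance: the service bound to
# loopback, nginx as the only ingress (TLS via ACME), restic backups, the host
# firewall and a fail2ban jail. Secrets are never written into this file, since
# everything in the Nix store is world-readable; they come from environment files.
{
  ###########################################################################
  # Vaultwarden
  ###########################################################################
  services.vaultwarden = {
    enable = true;
    package = pkgs.vaultwarden;

    # Runtime secrets (ADMIN_TOKEN, SMTP_PASSWORD, ...) belong here, not in
    # `config`: the module writes `config` to a file in the Nix store. Systemd
    # loads this file after the generated one, so values in it take precedence.
    # Vaultwarden expects ADMIN_TOKEN to be an argon2 PHC string produced by
    # `vaultwarden hash`, not a plaintext password. An empty ADMIN_TOKEN in
    # `config` (the previous setting) does not disable the admin page cleanly
    # and is not how the token is meant to be supplied.
    environmentFile = "/path/to/vaultwarden/secrets.env"; # placeholder; keep it root-only (0600)

    config = {
      DOMAIN = "https://vault.berlin.ccc.de";
      SIGNUPS_ALLOWED = false; # no public registration; users are invited from the admin page

      # Bind to loopback only; nginx below is the sole ingress.
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = 8222;
      ROCKET_LOG = "critical";
      LOG_LEVEL = "warn";

      # Login brute-force throttling, per client IP. These are the option names
      # vaultwarden actually reads; the former `RATE_LIMITS = "200/1m"` is not
      # a vaultwarden setting and was silently ignored. The client IP comes
      # from X-Real-IP (vaultwarden's default IP_HEADER), which nginx's
      # recommendedProxySettings sets on every proxied request.
      LOGIN_RATELIMIT_SECONDS = 60;
      LOGIN_RATELIMIT_MAX_BURST = 10;

      # NOTE(review): recent vaultwarden releases serve WebSocket notifications
      # on ROCKET_PORT, so `proxyWebsockets` on "/" below is sufficient; older
      # releases used a separate port (3012) and needed their own location —
      # confirm against the deployed package version.
      WEBSOCKET_ENABLED = true;

      # For SQLite, DATABASE_URL is a plain file path; a "sqlite://" scheme is
      # not part of vaultwarden's format.
      DATABASE_URL = "/var/lib/vaultwarden/db.sqlite3";
      DATA_FOLDER = "/var/lib/vaultwarden/data";
      # NOTE(review): the unit runs with ProtectSystem=strict, so both paths
      # must sit inside the module's StateDirectory; on systems with an older
      # stateVersion that directory is /var/lib/bitwarden_rs — confirm.
    };
  };

  ###########################################################################
  # ACME / TLS
  ###########################################################################
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@berlin.ccc.de";
  };

  ###########################################################################
  # nginx reverse proxy
  ###########################################################################
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    # Also enables OCSP stapling (ssl_stapling / ssl_stapling_verify), so no
    # per-certificate nginx snippet is needed for it. The previous
    # `services.nginx.…` and `security.acme.certs.…` lines nested inside this
    # block defined non-existent options and would have failed evaluation.
    recommendedTlsSettings = true;

    virtualHosts."vault.berlin.ccc.de" = {
      enableACME = true;
      forceSSL = true;
      # HSTS is the header the proxy should own. Vaultwarden already emits its
      # own X-Frame-Options, X-Content-Type-Options, Referrer-Policy and
      # Content-Security-Policy; the duplicates kept here are harmless, but a
      # second CSP is enforced in addition to the application's (browsers apply
      # the intersection), and a bare `default-src 'self'` policy lacks the
      # sources the web vault relies on, so it is not set here.
      extraConfig = ''
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "DENY" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
      '';
      locations."/" = {
        # Port is taken from the vaultwarden config above so the two cannot drift.
        proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
        proxyWebsockets = true;
      };
    };
  };

  ###########################################################################
  # Backups
  ###########################################################################
  services.restic.backups.vaultwarden-backup = {
    initialize = true;
    repository = "/mnt/backup/vaultwarden";
    paths = [ "/var/lib/vaultwarden" ];
    # Placeholder; the file must be readable only by the backup user (root).
    passwordFile = "/path/to/restic/password/file";
    # Copying a live SQLite file can capture a half-written page. Take a
    # consistent snapshot through SQLite's online backup API first; it is
    # written inside the backed-up tree so it lands in the same restic snapshot.
    backupPrepareCommand = ''
      ${pkgs.sqlite}/bin/sqlite3 /var/lib/vaultwarden/db.sqlite3 ".backup '/var/lib/vaultwarden/db-backup.sqlite3'"
    '';
    timerConfig = {
      OnCalendar = "daily";
      Persistent = true;
    };
    # The module has no separate check timer (`checkConfig` is not an option);
    # `restic check` runs after each backup instead.
    runCheck = true;
  };

  ###########################################################################
  # Host firewall
  ###########################################################################
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 80 443 ]; # 80 only serves the ACME HTTP-01 challenge and the HTTPS redirect
    allowedUDPPorts = [ ];
    # No egress policy is set here. The previous block used a non-existent
    # option (`extraConfig`; the real hooks are `extraCommands` and
    # `extraStopCommands`) and, had it run, `iptables -P OUTPUT DROP` with only
    # TCP 53 and 443 allowed would have dropped loopback traffic (nginx ->
    # vaultwarden on 127.0.0.1:8222), replies to clients on 80/443, UDP DNS,
    # NTP, DHCP and ICMPv6 neighbour discovery. A working egress allow-list
    # needs those rules, an idempotent chain (the hooks run on every reload)
    # and a stop hook that restores the ACCEPT policy.
  };

  ###########################################################################
  # Additional hardening
  ###########################################################################
  # `security.hardening` is not a NixOS option. The opt-in equivalent is the
  # hardened profile (`imports = [ "${modulesPath}/profiles/hardened.nix" ]`,
  # with `modulesPath` added to this module's arguments); it is left out here
  # because it changes kernel and allocator settings that need testing against
  # this workload first.

  system.autoUpgrade = {
    enable = true;
    allowReboot = false; # kernel updates take effect only after a manual reboot
  };

  ###########################################################################
  # fail2ban
  ###########################################################################
  # Ban clients that repeatedly fail vaultwarden logins. There is no
  # `services.fail2ban.filters` option, and the stock `nginx-http-auth` filter
  # only matches HTTP basic-auth failures in the nginx error log, which this
  # deployment never produces. Vaultwarden logs failed logins to the journal
  # with the client IP (from X-Real-IP); this filter matches that line.
  # NOTE(review): that line is logged at error level, so `LOG_LEVEL = "warn"`
  # keeps it — confirm with journalctl after deployment.
  services.fail2ban = {
    enable = true;
    jails.vaultwarden.settings = {
      filter = "vaultwarden";
      backend = "systemd";
      port = "80,443";
      maxretry = 5;
      findtime = "10m";
      bantime = "1h";
    };
  };
  environment.etc."fail2ban/filter.d/vaultwarden.conf".text = ''
    [INCLUDES]
    before = common.conf

    [Definition]
    failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
    ignoreregex =
    journalmatch = _SYSTEMD_UNIT=vaultwarden.service
  '';
}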