# NixOS module: Vaultwarden served at https://vault.federez.net.
# nginx terminates TLS on the public ports and proxies to Vaultwarden,
# which listens on loopback only.
{ config, ... }:

{
  # Encrypted environment file for the service; the decrypted path is passed
  # to Vaultwarden through environmentFile below.
  # presumably provided by agenix (age.secrets.*) — module not visible here.
  age.secrets.vaultwarden-secrets.file = ../secrets/vaultwarden-secrets.age;

  # Only HTTP/HTTPS are opened. The Vaultwarden port (8222) is not listed
  # here and the service binds 127.0.0.1, so nginx is the only way in.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # `backups` is not defined in this file — presumably a project-local module.
  # The state directory is listed as a whole, and the SQLite database inside
  # it is also registered separately.
  # NOTE(review): these backups carry the same data as the live vault;
  # confirm the backup destination is encrypted and access-controlled.
  backups.directories = [ "/var/lib/bitwarden_rs" ];
  backups.sqliteDatabases.vaultwarden = "/var/lib/bitwarden_rs/db.sqlite3";

  services = {
    nginx = {
      enable = true;

      recommendedTlsSettings = true;
      recommendedProxySettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;

      virtualHosts."vault.federez.net" = {
        # Certificate obtained via ACME; plain HTTP is redirected to HTTPS.
        # NOTE(review): this file sets no Strict-Transport-Security header;
        # forceSSL only redirects. Confirm whether HSTS is added elsewhere.
        enableACME = true;
        forceSSL = true;

        # Upstream must match ROCKET_ADDRESS / ROCKET_PORT below.
        # NOTE(review): every path is proxied, so if the environment file
        # sets ADMIN_TOKEN the /admin panel is reachable from the Internet —
        # confirm, and restrict that path if it is not meant to be public.
        locations."/" = {
          proxyPass = "http://127.0.0.1:8222";
        };
      };
    };

    vaultwarden = {
      enable = true;

      # `config` here is the module argument (this attrset is not `rec`),
      # i.e. the path of the decrypted secret declared at the top.
      environmentFile = config.age.secrets.vaultwarden-secrets.path;

      config = {
        # Public URL of the instance; same host as the nginx vhost above.
        DOMAIN = "https://vault.federez.net";

        # Open self-registration is disabled.
        SIGNUPS_ALLOWED = false;

        # Loopback-only listener; nginx is the sole front door.
        ROCKET_ADDRESS = "127.0.0.1";
        ROCKET_PORT = 8222;

        ROCKET_LOG = "critical";
      };
    };
  };
}