# NixOS module: Vaultwarden behind an nginx reverse proxy.
# Secrets come from sops-nix; the backend listens on IPv6 loopback only.
{ config, ... }:
let
  domain = "vault.kyouma.net";

  # Both secrets are decrypted from the same sops-encrypted YAML file.
  secretsFile = ../../secrets/services/vaultwarden.yaml;
  envSecret = "services/vaultwarden/environmentFile";
  adminAuthSecret = "services/vaultwarden/basicAuth";

  # The backend binds to loopback, so the nginx vhost below is the only
  # network path to it.
  listenAddr = "::1";
  listenPort = 8222;
  backend = "http://[${listenAddr}]:${toString listenPort}";
in
{
  sops.secrets = {
    # Environment file read by the vaultwarden service, so the decrypted
    # file is owned by that user.
    # NOTE(review): presumably carries the values missing from `config`
    # below (e.g. SMTP password, admin token); contents are not visible here.
    ${envSecret} = {
      sopsFile = secretsFile;
      owner = "vaultwarden";
    };

    # Credentials file handed to nginx as basicAuthFile for /admin, hence
    # owned by nginx.
    ${adminAuthSecret} = {
      sopsFile = secretsFile;
      owner = "nginx";
    };
  };

  services.vaultwarden = {
    enable = true;
    environmentFile = config.sops.secrets.${envSecret}.path;

    # NOTE(review): backups of the vault database are as sensitive as the
    # live data; confirm this directory's ownership and mode.
    backupDir = "/var/backup/bitwarden_rs";

    # Only non-secret settings belong here: NixOS writes module config into
    # the world-readable Nix store.
    config = {
      DOMAIN = "https://${domain}";
      DATABASE_MAX_CONNS = 15;
      WEB_VAULT_ENABLED = true;

      # Listeners stay on loopback; TLS and public exposure are left to nginx.
      # NOTE(review): newer Vaultwarden releases serve websockets on the main
      # port, so WEBSOCKET_ADDRESS may be ignored; confirm for this version.
      ROCKET_ADDRESS = listenAddr;
      ROCKET_PORT = listenPort;
      WEBSOCKET_ADDRESS = listenAddr;

      # Storage quotas. Vaultwarden documents these in kilobytes, i.e. about
      # 1 GiB per organisation, 512 MiB per user and 1 GiB of Sends per user.
      SENDS_ALLOWED = true;
      ORG_ATTACHMENT_LIMIT = 1048576;
      USER_ATTACHMENT_LIMIT = 524288;
      USER_SEND_LIMIT = 1048576;

      # Account policy.
      # NOTE(review): SIGNUPS_ALLOWED = true is open registration for anyone
      # who can reach the vhost; SIGNUPS_VERIFY only requires a verified
      # e-mail address. If registration should be restricted, use invitations
      # or SIGNUPS_DOMAINS_WHITELIST instead.
      SIGNUPS_ALLOWED = true;
      SIGNUPS_VERIFY = true;
      INVITATION_ORG_NAME = "vault.kyouma.net";
      # Minutes before an unfinished 2FA login triggers a notification mail.
      INCOMPLETE_2FA_TIME_LIMIT = 5;
      # Server-side PBKDF2 iteration count.
      PASSWORD_ITERATIONS = 1200000;

      ICON_DOWNLOAD_TIMEOUT = 30;

      # Outgoing mail via STARTTLS on the submission port. No SMTP_PASSWORD
      # is set here, which keeps it out of the Nix store.
      SMTP_HOST = "mail.kyouma.net";
      SMTP_PORT = 587;
      SMTP_SECURITY = "starttls";
      SMTP_USERNAME = "vault@kyouma.net";
      SMTP_FROM = "vault@kyouma.net";
      SMTP_FROM_NAME = "vault.kyouma.net";
    };
  };

  # `kyouma.nginx` is a project-local option set.
  # NOTE(review): presumably it wraps services.nginx.virtualHosts and wires
  # up TLS with the ACME certificate requested below; confirm in its module.
  kyouma.nginx.virtualHosts.${domain} = {
    locations."/" = {
      proxyPass = backend;
      proxyWebsockets = true;
    };

    # HTTP basic auth in front of the Vaultwarden admin panel. nginx matches
    # this as a prefix, so /admin and everything beneath it is covered; all
    # other paths rely on Vaultwarden's own authentication.
    locations."/admin" = {
      proxyPass = backend;
      basicAuthFile = config.sops.secrets.${adminAuthSecret}.path;
    };
  };

  security.acme.certs.${domain} = { };
}