{ config, ... }:
let
  cfg = config.services.vaultwarden.config;
in
{
  services.vaultwarden.enable = true;
  services.vaultwarden.backupDir = "/mnt/storage/vaultwarden";
  services.vaultwarden.config = {
    ROCKET_ADDRESS = "127.0.0.1";
    ROCKET_PORT = 8222;
  };
  services.vaultwarden.environmentFile =
    config.age.secrets."odin/services/vaultwarden".path;

  users.users.vaultwarden.extraGroups = [ "storage" ];
  systemd.tmpfiles.rules = [
    "d /mnt/storage/vaultwarden 0755 vaultwarden storage -"
  ];

  services.caddy.virtualHosts.vaultwarden = {
    hostName = "vault.{$DOMAIN}";
    extraConfig = ''
      encode gzip zstd
      reverse_proxy ${cfg.ROCKET_ADDRESS}:${toString cfg.ROCKET_PORT}
    '';
  };
}