{ config, ... }:
let
  cfg = config.services.vaultwarden.config;
in
{
  services.vaultwarden.enable = true;
  services.vaultwarden.backupDir = "/mnt/storage/vaultwarden";
  services.vaultwarden.config = {
    ROCKET_ADDRESS = "127.0.0.1";
    ROCKET_PORT = 8222;
  };
  services.vaultwarden.environmentFile =
    config.age.secrets."odin/services/vaultwarden".path;

  users.users.vaultwarden.extraGroups = [ "storage" ];
  systemd.tmpfiles.rules = [
    "d /mnt/storage/vaultwarden 0755 vaultwarden storage -"
  ];

  services.cloudflared.tunnels."71c89a7f-2467-444c-9fda-4864860dc8c4" = {
    credentialsFile =
      config.age.secrets."odin/services/cloudflared-tunnel".path;
    default = "http_status:404";
    ingress."vault.t5.st".service =
      "http://${cfg.ROCKET_ADDRESS}:${toString cfg.ROCKET_PORT}";
  };
}