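{ inputs, config, lib, ... }:
let
  inherit (lib) mkDefault mkForce;

  baseDomain = "vimium.com";
  domain = "vaultwarden.${baseDomain}";

  # The data directory is referenced by the service config, the backup unit,
  # StateDirectory and the persistence entry below. Define it once so the
  # four cannot drift apart.
  dataDir = "/var/lib/vaultwarden";

  # agenix secret providing the service's environment file. Its contents are
  # not visible here; whatever it holds is kept out of the Nix store.
  envSecret = "files/services/vaultwarden/envfile";

  # Persistence entry for a directory owned by the service user and readable
  # by nobody else.
  privateDir = directory: {
    inherit directory;
    user = "vaultwarden";
    group = "vaultwarden";
    mode = "0700";
  };

  cfg = config.services.vaultwarden;
in
{
  age.secrets.${envSecret}.file = "${inputs.secrets}/${envSecret}.age";

  services.vaultwarden = {
    enable = true;
    dbBackend = "sqlite";
    backupDir = "/var/cache/vaultwarden-backup";

    # Keys are camelCase here; the NixOS module hands them to Vaultwarden as
    # the corresponding SCREAMING_SNAKE_CASE environment variables.
    config = {
      dataFolder = mkForce dataDir;
      useSysLog = true;
      webVaultEnabled = true;

      # nginx below proxies to 127.0.0.1 only, so bind the Rocket listener to
      # loopback as well; left unset it may listen on every interface and
      # expose the plain-HTTP backend next to the TLS front end. mkDefault
      # lets an explicit definition elsewhere win.
      rocketAddress = mkDefault "127.0.0.1";
      rocketPort = 8222;

      # Closed registration: accounts are created only through invitations.
      signupsAllowed = false;
      invitationsAllowed = true;
      invitationOrgName = "Vaultwarden";

      # Server-side hashing iterations applied to new accounts' master-password
      # hashes; deliberately set high.
      passwordIterations = 1000000;

      # Public URL the service advertises to clients; must match the vhost.
      domain = "https://${domain}";
    };

    environmentFile = config.age.secrets.${envSecret}.path;
  };

  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      # Port is taken from the service config so the two cannot disagree.
      proxyPass = "http://127.0.0.1:${toString cfg.config.rocketPort}";
      proxyWebsockets = true;
    };
  };

  # The backup unit's DATA_FOLDER is presumably set by the module itself
  # (hence mkForce); point it at the same directory the service writes to.
  systemd.services.backup-vaultwarden.environment.DATA_FOLDER = mkForce dataDir;

  systemd.services.vaultwarden.serviceConfig = {
    # StateDirectory is relative to /var/lib, so this resolves to dataDir.
    StateDirectory = mkForce (baseNameOf dataDir);
    RestartSec = "60";
  };

  # Survive reboots on an impermanent root: vault data on /persist, the
  # sqlite backups on /state.
  environment.persistence = {
    "/persist".directories = [ (privateDir dataDir) ];
    "/state".directories = [ (privateDir cfg.backupDir) ];
  };
}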