{ config, ... }:
{
  age.secrets.environments-vaultwarden = {
    file = ../../../secrets/environments/vaultwarden.age;
  };

  users.users.vaultwarden = {
    description = "Vaultwarden Service";
    home = "/var/lib/bitwarden_rs";
    useDefaultShell = true;
    isSystemUser = true;
  };

  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
    environmentFile = config.age.secrets.environments-vaultwarden.path;
    config = {
      DOMAIN = "https://vaultwarden.dryb.org";
      SIGNUPS_ALLOWED = false;
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = 8005;
      DATABASE_URL = "postgresql:///vaultwarden";
      WEB_VAULT_ENABLED = true;
    };
  };
}