{ config, ... }:
let domain = "vault.leaf.ninja";
in {
  services.vaultwarden = {
    enable = true;
    config = {
      domain = "https://${domain}";
      signupsAllowed = false;
      rocketAddress = "0.0.0.0";
      rocketPort = 8222;
      smtpHost = "smtp.migadu.com";
      smtpFrom = "vaultwarden@leaf.ninja";
      smtpPort = 587;
      smtpSecurity = "starttls";
      smtpUsername = "vaultwarden@leaf.ninja";
    };
    environmentFile = config.age.secrets.vaultwarden-env.path;
  };

  services.caddy.virtualHosts.${domain}.extraConfig = ''
    reverse_proxy localhost:8222
  '';

  age.secrets.vaultwarden-env.file = ./secrets/vaultwarden-env.age;
}