# Vaultwarden service module: serves the vault at "<subdomain>.<domain>"
# behind nginx over TLS, keeps its state and backups on persistent storage,
# snapshots the backup directory with restic, and sources secrets from sops.
{ povSelf, hostConfig, config, pkgs, lib, ... }:
let
  inherit (lib) types;

  # This module's own option values, looked up via the povSelf path.
  cfg = lib.getAttrFromPath povSelf config;

  # Runtime identity of the vaultwarden unit; every directory and secret the
  # service must read is owned by it.
  vwUser = config.systemd.services.vaultwarden.serviceConfig.User;
  vwGroup = config.systemd.services.vaultwarden.serviceConfig.Group;

  backupDir = config.services.vaultwarden.backupDir;

  # Public host name served by nginx and advertised to clients as DOMAIN.
  host = "${cfg.subdomain}.${cfg.domain}";

  # Impermanence entry for a directory private to the service user.
  ownedDir = directory: {
    inherit directory;
    mode = "0700";
    user = vwUser;
    group = vwGroup;
  };
in
{
  options = {
    enable = { type = types.bool; default = false; };
    domain = { type = types.str; default = "zaphyra.eu"; };
    subdomain = { type = types.str; default = "vault"; };
  };

  config = lib.mkIf cfg.enable {
    # Point the public name at this host's FQDN.
    dns.zones."${cfg.domain}".subdomains."${cfg.subdomain}".CNAME = [ "${config.networking.fqdn}." ];

    # Service state and the backup directory survive reboots on the
    # impermanent root, both mode 0700 owned by the service user.
    modules.filesystem.impermanence.system.dirs = map ownedDir [
      "/var/lib/vaultwarden"
      backupDir
    ];

    # Secrets have to be on disk before the service is started.
    systemd.services.vaultwarden.after = [ "sops-install-secrets.service" ];

    sops.secrets = {
      "resticPasswords/vaultwarden" = { };
      "environments/vaultwarden" = {
        owner = vwUser;
        group = vwGroup;
        restartUnits = [ "vaultwarden.service" ];
      };
    };

    # NOTE(review): tmpfiles creates the backup dir with mode 750 while the
    # impermanence entry above asks for 0700 — confirm which is intended.
    systemd.tmpfiles.settings.vaultwarden = {
      "${backupDir}".d = {
        user = vwUser;
        group = vwGroup;
        mode = "750";
        age = "-";
      };
    };

    # Restic snapshots the backup directory; the vaultwarden backup unit is
    # started first so the snapshot reflects a fresh backup.
    modules.services.resticBackup.paths.vaultwarden = {
      enable = true;
      passwordFile = config.sops.secrets."resticPasswords/vaultwarden".path;
      paths = [ backupDir ];
      runBeforeBackup = ''
        ${pkgs.systemd}/bin/systemctl start backup-vaultwarden.service
      '';
    };

    services.vaultwarden = {
      enable = true;
      dbBackend = "sqlite";
      backupDir = "/var/backups/vaultwarden";
      # sops-managed; presumably carries the SMTP password and push
      # credentials that are not set in `config` below — verify.
      environmentFile = config.sops.secrets."environments/vaultwarden".path;
      config = {
        DOMAIN = "https://${host}";
        # No self-service registration.
        SIGNUPS_ALLOWED = false;
        PUSH_ENABLED = true;
        SMTP_HOST = "morio.infra.zaphyra.eu";
        SMTP_FROM = "vaultwarden@zaphyra.eu";
        SMTP_USERNAME = "vaultwarden@zaphyra.eu";
        SMTP_PORT = 465;
        SMTP_SECURITY = "force_tls";
        # Loopback only: nginx below is the sole network-facing entry point.
        ROCKET_ADDRESS = "::1";
        ROCKET_PORT = 8582;
      };
    };

    services.nginx = {
      enable = true;
      virtualHosts."${host}" = {
        useACMEHost = "${config.networking.fqdn}";
        forceSSL = true;
        kTLS = true;
        locations."/" = {
          # Port is read back from the vaultwarden config so the two stay in sync.
          proxyPass = "http://[::1]:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
          proxyWebsockets = true;
        };
      };
    };
  };
}