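# NixOS module for the Vaultwarden instance served at vault.zaphyra.eu.
#
# When enabled it wires up: a DNS CNAME for the host, a fixed uid/gid for
# the service user, sops-managed secrets (restic repository password, restic
# SSH key and the Vaultwarden environment file), persistence of the state and
# backup directories, a restic backup job that first runs Vaultwarden's own
# backup unit, the Vaultwarden service itself, and an nginx TLS reverse proxy
# in front of it.
{ config, lib, pkgs, ... }:
let
  # Public hostname of this site; also the key under zpha.websites.
  domain = "vault.zaphyra.eu";

  # Short-hands for values referenced several times below.
  vwCfg = config.services.vaultwarden;
  vwSvc = config.systemd.services.vaultwarden.serviceConfig;
  vwUser = vwSvc.User;
  vwGroup = vwSvc.Group;

  # Ownership triple shared by every directory this module creates.
  vwOwned = { user = vwUser; group = vwGroup; };

  # Mode for the state and backup directories. The same value is used for
  # the tmpfiles rule and the persist declaration so that the two mechanisms
  # do not disagree about the backup directory's permissions (the original
  # used 750 in tmpfiles and 0700 in persist; 0700 is the stricter of the two).
  privateDirMode = "0700";

  backupUnit = "backup-vaultwarden.service";
in
{
  options.zpha.websites.${domain}.enable =
    lib.mkEnableOption "the Vaultwarden instance at ${domain}";

  config = lib.mkIf config.zpha.websites.${domain}.enable {
    # vault.zaphyra.eu resolves to this machine's FQDN.
    dns.zones."zaphyra.eu".subdomains."vault".CNAME = [ "${config.networking.fqdn}." ];

    # Fixed ids so ownership survives reinstallation / persisted volumes.
    users = {
      users.vaultwarden.uid = 523;
      groups.vaultwarden.gid = 523;
    };

    sops.secrets = {
      "restic/vaultwarden/repositoryPassword" = { };
      "restic/vaultwarden/sshPrivateKey" = { };
      # The environment file is read by the service itself, so it is owned by
      # the service user and the service is restarted when it changes.
      "environments/vaultwarden" = {
        owner = vwUser;
        group = vwGroup;
        restartUnits = [ "vaultwarden.service" ];
      };
    };

    systemd = {
      # Secrets must be in place before Vaultwarden reads its environment file.
      services.vaultwarden.after = [ "sops-install-secrets.service" ];

      # Ensure the backup directory exists with the expected owner/mode;
      # age = "-" disables automatic cleanup of its contents.
      tmpfiles.settings.vaultwarden = {
        "${vwCfg.backupDir}".d = vwOwned // {
          mode = privateDirMode;
          age = "-";
        };
      };
    };

    common = {
      # Both the live state and the backups are kept across reboots.
      # NOTE(review): semantics of configure.persist are project-specific — confirm.
      configure.persist.system.dirs = [
        (vwOwned // { directory = "/var/lib/vaultwarden"; mode = privateDirMode; })
        (vwOwned // { directory = vwCfg.backupDir; mode = privateDirMode; })
      ];

      # Off-site restic backup of the backup directory only (not the live DB);
      # Vaultwarden's own backup unit is run to completion first so the
      # snapshot is consistent.
      services.resticBackup.vaultwarden = {
        enable = true;
        targets = [ "restic-target.fc9f.de" "isodon.fc9f.de" ];
        sshKeyFile = config.sops.secrets."restic/vaultwarden/sshPrivateKey".path;
        passwordFile = config.sops.secrets."restic/vaultwarden/repositoryPassword".path;
        paths = [ vwCfg.backupDir ];
        runBeforeBackup = ''
          ${lib.getExe' pkgs.systemd "systemctl"} start --wait ${backupUnit}
        '';
      };
    };

    services = {
      vaultwarden = {
        enable = true;
        inherit domain;
        dbBackend = "sqlite";
        backupDir = "/var/backups/vaultwarden";
        environmentFile = config.sops.secrets."environments/vaultwarden".path;
        config = {
          # Listen on loopback only; nginx below is the only public entry point.
          ROCKET_ADDRESS = "::1";
          ROCKET_PORT = 8582;
          DOMAIN = "https://${domain}";
          # Accounts are created out of band; public registration stays closed.
          SIGNUPS_ALLOWED = false;
          PUSH_ENABLED = true;
          SMTP_HOST = "morio.infra.zaphyra.eu";
          SMTP_FROM = "vaultwarden@zaphyra.eu";
          SMTP_USERNAME = "vaultwarden@zaphyra.eu";
          SMTP_PORT = 465;
          SMTP_SECURITY = "force_tls";
        };
      };

      # TLS terminating reverse proxy; websockets are needed for live sync.
      nginx.virtualHosts.${domain} = {
        useACMEHost = config.networking.fqdn;
        forceSSL = true;
        kTLS = true;
        locations."/" = {
          proxyPass = "http://[${vwCfg.config.ROCKET_ADDRESS}]:${toString vwCfg.config.ROCKET_PORT}/";
          proxyWebsockets = true;
        };
      };
    };
  };
}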