{ ... }:
{
  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
    environmentFile = "/var/secrets/vaultwarden.env";
    config = {
      DOMAIN = "https://pw.freun.dev";
      DATABASE_URL = "postgres://%2Fvar%2Frun%2Fpostgresql/vaultwarden";
      WEBSOCKET_ENABLED = true;
      WEBSOCKET_ADDRESS = "127.0.0.1";
      WEBSOCKET_PORT = 3012;
      SIGNUPS_VERIFY = true;
      PASSWORD_ITERATIONS = 600000;
      YUBICO_CLIENT_ID = 86799;
      SMTP_HOST = "horologium.uberspace.de";
      SMTP_FROM = "noreply@freun.dev";
      SMTP_FROM_NAME = "Vaultwarden";
      SMTP_USERNAME = "noreply@freun.dev";
      SMTP_PORT = 587;
      HELO_NAME = "freun.dev";
      ROCKET_LIMITS = "{json=10485760}";
    };
  };

  services.caddy.virtualHosts = {
    "pw.freun.dev".extraConfig = ''
      reverse_proxy /notifications/hub localhost:3012
      reverse_proxy localhost:8000 {
        header_up X-Real-IP {remote_host}
      }
    '';
  };

  services.postgresql = {
    ensureDatabases = [ "vaultwarden" ];
    ensureUsers = [{
      name = "vaultwarden";
      ensureDBOwnership = true;
    }];
  };
}