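# Vaultwarden (Bitwarden-compatible server) behind an externally managed reverse
# proxy, with PostgreSQL storage. The two secrets it needs (admin token, SMTP
# password) come from sops-nix and are handed to the service through an
# environment file, so they never land in the world-readable Nix store.
{ constants, config, ... }:
let
  inherit (constants) domain;
  inherit (constants.services.vaultwarden) fqdn port;
in
{
  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
    configurePostgres = true;
    # No nginx vhost is generated here: TLS termination for `fqdn` and the
    # forwarding to ROCKET_ADDRESS:ROCKET_PORT must be provided elsewhere.
    # That proxy must serve HTTPS, since `domain` is the URL Vaultwarden
    # advertises to clients.
    configureNginx = false;
    domain = fqdn;
    # NOTE(review): in the nixpkgs module versions I know of,
    # `services.vaultwarden.environmentFile` is declared as a single
    # `nullOr path`; if evaluation rejects the list form, pass the template
    # path directly instead of wrapping it in a list.
    environmentFile = [ config.sops.templates."vaultwarden/env-file".path ];
    config = {
      # Closed registration: no self-service sign-ups on a public instance.
      SIGNUPS_ALLOWED = false;
      SMTP_FROM = "vaultwarden@${domain}";
      SMTP_FROM_NAME = "${domain} Vaultwarden server";
      # SMTP_HOST is the mail server's DNS name. The previous value was
      # "mail@${domain}", and '@' is not a valid hostname character, so it
      # could never resolve; `mail.${domain}` is the evident intent.
      # TODO confirm against the actual mail server's hostname.
      SMTP_HOST = "mail.${domain}";
      # Submission port with STARTTLS, so the credentials below are only sent
      # after the connection has been upgraded to TLS.
      SMTP_PORT = 587;
      SMTP_SECURITY = "starttls";
      SMTP_USERNAME = "vaultwarden@${domain}";
      # Bind to loopback only; the service is reachable solely via the proxy.
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = port;
      # NOTE(review): as far as I know ROCKET_LOG governs only Rocket's request
      # logging and is separate from Vaultwarden's own LOG_LEVEL (where the
      # failed-login warnings used for fail2ban-style detection originate).
      # LOG_LEVEL is left at its default here — confirm that is intentional if
      # those logs are relied on.
      ROCKET_LOG = "critical";
    };
  };

  sops =
    let
      # Every secret and the rendered env file are readable only by the
      # vaultwarden service user (0400, no group/world access).
      owner = config.users.users.vaultwarden.name;
      group = config.users.groups.vaultwarden.name;
      mode = "0400";
    in
    {
      secrets = {
        "vaultwarden/admin-token" = { inherit owner group mode; };
        "vaultwarden/smtp-password" = { inherit owner group mode; };
      };
      templates = {
        # Rendered at activation with the decrypted secrets substituted for the
        # placeholders, then consumed as a systemd EnvironmentFile.
        # Setting ADMIN_TOKEN enables the /admin panel; Vaultwarden accepts an
        # argon2 PHC string for it (see `vaultwarden hash`), which is preferable
        # to keeping the plaintext token even under sops.
        "vaultwarden/env-file" = {
          inherit owner group mode;
          content = ''
            ADMIN_TOKEN=${config.sops.placeholder."vaultwarden/admin-token"}
            SMTP_PASSWORD=${config.sops.placeholder."vaultwarden/smtp-password"}
          '';
        };
      };
    };
}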