{
  lib,
  config,
  pkgs,
  ...
}:
let
  cfg = config.my.services.vaultwarden;
  user = config.users.users.vaultwarden.name;
  group = config.users.groups.vaultwarden.name;
in
{

  options.my.services.vaultwarden = {
    enable = lib.mkEnableOption "Enable Vaultwarden module";

    proxy = {
      enable = lib.mkEnableOption "Set the proxy entry for this service";

      domain = lib.mkOption {
        default = "example.com";
        type = lib.types.str;
        description = ''
          The domain where Caddy is reachable
        '';
      };

      host = lib.mkOption {
        default = "localhost";
        type = lib.types.str;
        description = ''
          host name where the service is running
        '';
      };

    };
  };

  config = lib.mkMerge [
    (lib.mkIf cfg.enable {

      age.secrets.vaultwarden-admin-pwd.file = ../../secrets/vaultwarden-admin-pwd.age;

      services.vaultwarden = {
        enable = true;
        dbBackend = "postgresql";
        environmentFile = config.age.secrets.vaultwarden-admin-pwd.path;
        config = {
          DOMAIN = "https://vault.${cfg.proxy.domain}";
          SENDS_ALLOWED = true;
          SIGNUPS_ALLOWED = false;
          WEBSOCKET_ENABLED = true;
          ROCKET_ADDRESS = "0.0.0.0";
          ROCKET_PORT = 8222;
        };
      };

    })

    (lib.mkIf cfg.proxy.enable {
      services.caddy = with cfg.proxy; {
        virtualHosts."vault.${domain}".extraConfig = ''
          reverse_proxy http://${host}:80
          import cloudflare
        '';
      };
    })
  ];
}