{
  lib,
  config,
  pkgs,
  ...
}:
let
  cfg = config.my.services.vaultwarden;
  rocketPort = 8222;
in
{

  options.my.services.vaultwarden = {
    enable = lib.mkEnableOption "Enable Vaultwarden module";

    proxy = {
      enable = lib.mkEnableOption "Set the proxy entry for this service";

      domain = lib.mkOption {
        default = "example.com";
        type = lib.types.str;
        description = ''
          The domain where Caddy is reachable
        '';
      };

      host = lib.mkOption {
        default = "localhost";
        type = lib.types.str;
        description = ''
          host name where the service is running
        '';
      };

    };
  };

  config = lib.mkMerge [
    (lib.mkIf cfg.enable {

      age.secrets.vaultwarden-admin-pwd.file = ../../secrets/vaultwarden-admin-pwd.age;

      my.services.postgresql = {
        enable = true;
        ensures = [
          {
            username = "vaultwarden";
            database = "vaultwarden";
          }
        ];
      };

      services.vaultwarden = {
        enable = true;
        dbBackend = "postgresql";
        environmentFile = config.age.secrets.vaultwarden-admin-pwd.path;
        config = {
          DOMAIN = "https://vault.${cfg.proxy.domain}";
          SENDS_ALLOWED = true;
          SIGNUPS_ALLOWED = false;
          WEBSOCKET_ENABLED = true;
          ROCKET_ADDRESS = "0.0.0.0";
          ROCKET_PORT = rocketPort;
          DATABASE_URL = "postgresql:///vaultwarden?host=/run/postgresql";
          SMTP_HOST = "smtp.eu.mailgun.org";
          SMTP_FROM = "vault@pazpi.top";
          SMTP_SECURITY = "starttls";
          SMTP_USERNAME = "vault@pazpi.top";
        };
      };

      networking.firewall.allowedTCPPorts = [ rocketPort ];

    })

    (lib.mkIf cfg.proxy.enable {
      services.caddy = with cfg.proxy; {
        virtualHosts."vault.${domain}".extraConfig = ''
          reverse_proxy http://${host}:${toString rocketPort}
          import cloudflare
        '';
      };
    })
  ];
}