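# NixOS module: Vaultwarden with a PostgreSQL backend, listening on loopback
# only, with its secrets supplied at runtime from a sops-nix environment file.
#
# Arguments:
#   config  - the evaluated NixOS configuration (used for the sops secret path)
#   pkgs    - nixpkgs package set
#   secrets - project-specific attribute set; only the mail address is read here
#   domain  - base domain; the instance is published as pw2.<domain>
{ config, pkgs, secrets, domain, ... }:
{
  sops.secrets = {
    # Decrypted at activation time and owned by the service user.
    # This file must define DATABASE_URL, SMTP_PASSWORD and ADMIN_TOKEN
    # (KEY=value lines). The database URL has the form
    #   postgresql://USER:PASSWORD@HOST:PORT/DBNAME
    # Keep real or sample credentials out of this module, even in comments.
    "nx2site/vaultwarden.env" = {
      owner = "vaultwarden";
    };
  };

  services.vaultwarden = {
    enable = true;
    package = pkgs.vaultwarden;
    webVaultPackage = pkgs.vaultwarden.webvault;
    dbBackend = "postgresql";

    # backupDir is left unset: the module's built-in backup targets the sqlite
    # backend, so PostgreSQL dumps have to be scheduled separately.
    # backupDir = "/var/backup/vaultwarden";

    # Runtime secrets. The NixOS module hands this file to systemd in addition
    # to the environment file generated from `config` below.
    environmentFile = config.sops.secrets."nx2site/vaultwarden.env".path;

    # Everything in `config` is rendered into the Nix store, which is
    # world-readable, so only non-secret settings belong here.
    #
    # DATABASE_URL, SMTP_PASSWORD and ADMIN_TOKEN are intentionally NOT set
    # here. Literal "@NAME@" placeholders are not substituted by anything in
    # this module; if the secret file ever lacked a key, the placeholder text
    # itself would become the effective value, and for ADMIN_TOKEN that is a
    # guessable admin credential. With the keys absent, a missing secret
    # leaves the variable unset instead (Vaultwarden disables the admin page
    # when ADMIN_TOKEN is unset).
    config = {
      # Loopback only: TLS termination and public exposure are expected to be
      # done by a reverse proxy in front of this port.
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = 8222;

      # Outbound mail (password comes from the environment file).
      SMTP_HOST = "smtp.gmail.com";
      SMTP_FROM = secrets.email.gmail-online.mail;
      SMTP_PORT = 587;
      SMTP_SECURITY = "starttls";
      SMTP_USERNAME = secrets.email.gmail-online.mail;

      # Login throttling: burst of 10, then one attempt per 60 seconds.
      LOGIN_RATELIMIT_MAX_BURST = 10;
      LOGIN_RATELIMIT_SECONDS = 60;

      DOMAIN = "https://pw2.${domain}";

      # Closed instance: no self-registration, accounts are created through
      # invitations only.
      INVITATION_ORG_NAME = "NxPW";
      INVITATIONS_ALLOWED = true;
      SIGNUPS_ALLOWED = false;
      SIGNUPS_VERIFY = true;
      SIGNUPS_VERIFY_RESEND_TIME = 3600;
      SIGNUPS_VERIFY_RESEND_LIMIT = 6;

      # NOTE(review): when setting ADMIN_TOKEN in the secret file, prefer an
      # Argon2 PHC hash over a plain-text token, and consider leaving it unset
      # when the admin page is not in use.

      EMERGENCY_ACCESS_ALLOWED = true;
      SENDS_ALLOWED = true;
      WEB_VAULT_ENABLED = true;
    };
  };
}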