{inputs, config, ...}: {
  services.nginx.virtualHosts."vault.vulpecula.zone" = {
    addSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
    };
  };

  services.vaultwarden.enable = true;
  services.bitwarden-directory-connector-cli.domain = "vault.vulpecula.zone";

  services.vaultwarden.config = {
    DOMAIN = "https://vault.vulpecula.zone";
    SIGNUPS_ALLOWED = true;

    # Vaultwarden currently recommends running behind a reverse proxy
    # (nginx or similar) for TLS termination, see
    # https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#reverse-proxying
    # > you should avoid enabling HTTPS via vaultwarden's built-in Rocket TLS support,
    # > especially if your instance is publicly accessible.
    #
    # A suitable NixOS nginx reverse proxy example config might be:
    #
    #     services.nginx.virtualHosts."bitwarden.example.com" = {
    #       enableACME = true;
    #       forceSSL = true;
    #       locations."/" = {
    #         proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
    #       };
    #     };
    ROCKET_ADDRESS = "127.0.0.1";
    ROCKET_PORT = 62107;

    ROCKET_LOG = "critical";

    # This example assumes a mailserver running on localhost,
    # thus without transport encryption.
    # If you use an external mail server, follow:
    #   https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
    # SMTP_HOST = "127.0.0.1";
    # SMTP_PORT = 25;
    # SMTP_SSL = false;

    # SMTP_FROM = "admin@bitwarden.example.com";
    # SMTP_FROM_NAME = "example.com Bitwarden server";
  };
}