{ config, ... }:
{
  users.users.vaultwarden.extraGroups = [ config.users.groups.keys.name ];

  services.vaultwarden = {
    enable = true;
    environmentFile = "/run/secrets/services/vaultwarden/.env";
    config = {
      DOMAIN = "https://vault.lewd.wtf";
      SIGNUPS_ALLOWED = false;
      SIGNUPS_VERIFY = true;
      INVITATIONS_ALLOWED = false;
      WEBSOCKET_ENABLED = true;
      WEBSOCKET_PORT = 3012;
      ROCKET_PORT = 8222;
    };
  };

  services.nginx.clientMaxBodySize = "128M";

  services.nginx.virtualHosts."vault.lewd.wtf" = {
    enableACME = false;
    forceSSL = false;
    locations."/" = {
      proxyPass = "http://127.0.0.1:8222";
      proxyWebsockets = true; # needed if you need to use WebSocket
      extraConfig =
        "proxy_set_header        Host $host;" +
        "proxy_set_header        X-Real-IP $remote_addr;" +
        "proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;" +
        "proxy_set_header        X-Forwarded-Proto $scheme;"
        ;
    };
    locations."/notifications/hub/negotiate" = {
      proxyPass = "http://127.0.0.1:8222";
      proxyWebsockets = true; # needed if you need to use WebSocket
      extraConfig =
        "proxy_set_header        Host $host;" +
        "proxy_set_header        X-Real-IP $remote_addr;" +
        "proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;" +
        "proxy_set_header        X-Forwarded-Proto $scheme;"
        ;
    };
    locations."/notifications/hub" = {
      proxyPass = "http://127.0.0.1:3012";
      proxyWebsockets = true; # needed if you need to use WebSocket
      extraConfig =
        "proxy_set_header        Host $host;" +
        "proxy_set_header        X-Real-IP $remote_addr;" +
        "proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;" +
        "proxy_set_header        X-Forwarded-Proto $scheme;"
        ;
    };
  };
}