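# NixOS module: Vaultwarden behind a Caddy reverse proxy, published on the
# clearnet domain and as a Tor onion service.
{config, ...}: let
  # Backend listener is loopback-only, so the only intended path to
  # Vaultwarden is through the Caddy virtual host below.
  vaultAddress = "127.0.0.1";
  vaultPort = 8222;

  # Onion address advertised to clients. It has to match the address derived
  # from the onion service's key; if that key is ever regenerated, this value
  # goes stale and must be updated by hand.
  onionUrl = "http://gfoqwlo4nmhcywzzyhfanhkf7hz64lkjayngfyrpbd7ohaucu3q4znqd.onion";
in {
  # agenix-encrypted environment file; the secret settings it carries are not
  # written into this module.
  age.secrets."vaultwarden.env".file = ../secrets/vaultwarden.env;

  services = {
    vaultwarden = {
      enable = true;
      config = {
        # NOTE(review): DOMAIN is the clearnet origin only. Features that are
        # tied to DOMAIN may behave differently when the vault is reached via
        # the onion address; verify before relying on them over Tor.
        DOMAIN = "https://vault.distrust.network";
        # Set explicitly instead of relying on a default: defining `config`
        # here may replace the NixOS module's own default listener settings
        # (confirm against the module in use). A non-loopback bind would let
        # clients reach the vault without going through Caddy's TLS.
        ROCKET_ADDRESS = vaultAddress;
        ROCKET_PORT = vaultPort;
      };
      # Path of the decrypted secret, as provided by agenix.
      environmentFile = config.age.secrets."vaultwarden.env".path;
    };

    # One site block answers for both the HTTPS domain and the plain-HTTP
    # onion host. The onion side carries no TLS; it relies on Tor's own
    # onion-service transport encryption. Onion-Location tells Tor Browser
    # users that an onion mirror exists.
    # NOTE(review): the onion host is served by Caddy's regular HTTP listener,
    # which presumably is not restricted to loopback; confirm whether port 80
    # on the public interface should answer for it.
    caddy.virtualHosts."https://vault.distrust.network ${onionUrl}".extraConfig = ''
      reverse_proxy ${vaultAddress}:${toString vaultPort}
      header Onion-Location ${onionUrl}
    '';

    # Expose onion port 80, forwarded to local port 80 (Caddy's HTTP
    # listener). Presumably Tor itself is enabled elsewhere; confirm.
    tor.relay.onionServices."vaultwarden".map = [ 80 ];
  };
}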