{ config, ... }:
let 
  vaultPort = 8222;
  onionUrl = "http://gfoqwlo4nmhcywzzyhfanhkf7hz64lkjayngfyrpbd7ohaucu3q4znqd.onion";
in
{
  age.secrets."vaultwarden.env".file = ../secrets/vaultwarden.env;
 
  services.vaultwarden = {
    enable = true;
    config = {
      DOMAIN = "https://vault.distrust.network";
      ROCKET_PORT = vaultPort;
    };
    environmentFile = config.age.secrets."vaultwarden.env".path;
  };

  services.caddy.virtualHosts."https://vault.distrust.network ${onionUrl}".extraConfig = ''
    reverse_proxy localhost:${toString vaultPort}
  '';

  services.tor.relay.onionServices."vaultwarden".map = [
    80
  ];
}