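# NixOS module: runs Vaultwarden on a local port, backs its state directory up
# daily with Borg to a remote SSH repository, and registers the service under
# the project's `distrust.services` option with a clearnet URL, an onion URL
# and a reverse-proxy snippet pointing at the local port.
{config, ...}:
let
  # Single source of truth for the port: used both for Vaultwarden's
  # ROCKET_PORT and for the reverse_proxy target below.
  vaultPort = 8222;
in
{
  # Secrets decrypted by agenix; only their runtime paths are referenced here.
  # NOTE(review): "borg_ed25519" and "borg_pass" are used below but not declared
  # in this file - presumably declared in another module; confirm.
  age.secrets = {
    "vaultwarden.env".file = ../secrets/vaultwarden.env;
    "hidden_service/vaultwarden".file = ../secrets/hidden_service/vaultwarden;
  };

  services = {
    vaultwarden = {
      enable = true;
      # Only non-secret settings belong in `config`; anything sensitive
      # (e.g. an admin token) should stay in the environment file below.
      # NOTE(review): no listen address is set here, so whether the port is
      # reachable without going through the proxy depends on the module default
      # and the firewall - confirm it binds to loopback only.
      config = {
        DOMAIN = "https://vault.distrust.network";
        ROCKET_PORT = vaultPort;
      };
      environmentFile = config.age.secrets."vaultwarden.env".path;
    };

    borgbackup.jobs."vaultwarden" = {
      repo = "ssh://u506783@u506783.your-storagebox.de:23/./vaultwarden";
      environment = {
        # Host-key checking was previously disabled ("no"), which lets anyone
        # on the network path impersonate the backup server. "accept-new"
        # still connects to a host with no recorded key but refuses a host
        # whose recorded key has changed.
        # NOTE(review): this only pins the key if ssh can persist or already
        # finds a known_hosts entry for the host; the stronger fix is to pin
        # the provider-published key declaratively via
        # `programs.ssh.knownHosts` and switch this to "yes".
        BORG_RSH = "ssh -i ${config.age.secrets."borg_ed25519".path} -o 'StrictHostKeyChecking=accept-new'";
      };
      # NOTE(review): this copies the live state directory. If Vaultwarden
      # uses its SQLite backend, a file-level copy taken while the service is
      # running may be inconsistent; consider backing up a database dump
      # (e.g. the directory written by `services.vaultwarden.backupDir`).
      paths = [ "/var/lib/vaultwarden" ];
      encryption = {
        # "keyfile" keeps the Borg key on this host rather than in the
        # repository: the passphrase alone cannot restore a backup, so the key
        # must be exported and stored off-host for disaster recovery.
        mode = "keyfile";
        passCommand = "cat ${config.age.secrets."borg_pass".path}";
      };
      compression = "auto,lzma";
      startAt = "daily";
      # Retention: 7 daily, 4 weekly, and every monthly archive (-1 = no limit).
      prune.keep = {
        daily = 7;
        weekly = 4;
        monthly = -1;
      };
    };
  };

  # Project-local option (defined outside this file); the fields below are
  # passed through as given.
  distrust.services."vaultwarden" = {
    url = "https://vault.distrust.network";
    onion = {
      url = "http://gfoqwlo4nmhcywzzyhfanhkf7hz64lkjayngfyrpbd7ohaucu3q4znqd.onion";
      # Path to the hidden-service private key, decrypted by agenix.
      secretKey = config.age.secrets."hidden_service/vaultwarden".path;
    };
    # Forwards requests for this virtual host to the local Vaultwarden port.
    virtualHostConfig = '' reverse_proxy localhost:${toString vaultPort} '';
  };
}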