{config, ...}: let
  vaultPort = 8222;
in {
  age.secrets = {
    "vaultwarden.env".file = ../secrets/vaultwarden.env;
    "hidden_service/vaultwarden".file = ../secrets/hidden_service/vaultwarden;
  };

  services.vaultwarden = {
    enable = true;
    config = {
      DOMAIN = "https://vault.distrust.network";
      ROCKET_PORT = vaultPort;
    };
    environmentFile = config.age.secrets."vaultwarden.env".path;
  };

  distrust.services."vaultwarden" = {
    url = "https://vault.distrust.network";
    onion = {
      url = "http://gfoqwlo4nmhcywzzyhfanhkf7hz64lkjayngfyrpbd7ohaucu3q4znqd.onion";
      secretKey = config.age.secrets."hidden_service/vaultwarden".path;
    };
    virtualHostConfig = ''
      reverse_proxy localhost:${toString vaultPort}
    '';
  };
}