{
  config,
  lib,
  pkgs,
  ...
}:

{
  options = {
    server.misc.vaultwarden = {
      enable = lib.mkEnableOption "enable dawarich";
      port = lib.mkOption {
        default = 8000;
        description = "vaultwarden port";
      };
      public = lib.mkEnableOption "make vaultwarden public";
      subdomain = lib.mkOption {
        default = "vault";
        description = "vaultwarden subdomain";
      };
    };
  };
  config = {
    services = {
      vaultwarden = {
        enable = true;
        config = {
          DOMAIN = "https://${config.server.misc.vaultwarden.subdomain}.${config.networking.domain}";
          SIGNUPS_ALLOWED = false;
        };
      };
      nginx = {
        virtualHosts = {
          "${config.server.misc.vaultwarden.subdomain}.${config.networking.domain}" =
            if config.server.misc.vaultwarden.public then
              {
                enableACME = true;
                forceSSL = true;
                locations."/" = {
                  proxyPass = "http://127.0.0.1:${toString config.server.misc.vaultwarden.port}";
                };
              }
            else
              { };
        };
      };
    };
  };
}