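# NixOS module: Vaultwarden bound to loopback, published through an nginx
# TLS virtual host, with its secret environment supplied from an
# age-encrypted file (age.secrets).
{ config, inputs, lib, ... }:
with lib;
let
  service = "vaultwarden";
  homelab = config.homelab;
  cfg = homelab.services.${service};
  # Effective Vaultwarden settings; read back so the proxy target always
  # matches the address and port the service actually binds to.
  vw = config.services.${service}.config;
in
{
  options.homelab.services.${service} = {
    # mkEnableOption already prefixes "Whether to enable", so pass the bare
    # name (the original "Enable ${service}" rendered as "... enable Enable ...").
    enable = mkEnableOption service;

    url = mkOption {
      type = types.str;
      default = "${service}.${homelab.domain}";
      description = "Host name under which ${service} is served; also used to build DOMAIN.";
    };
  };

  config = mkIf cfg.enable {
    services = {
      ${service} = {
        enable = true;

        # Secrets are passed as a path to the decrypted age secret rather
        # than as values in `config`, which would be written to the
        # world-readable Nix store.
        # NOTE(review): if this file sets ADMIN_TOKEN, /admin becomes
        # reachable through the vhost below. Confirm that is intended,
        # store the token as an Argon2 hash rather than plaintext, and
        # consider restricting /admin at the proxy.
        environmentFile = config.age.secrets.vaultwarden-env.path;

        config = {
          # Must be the externally visible HTTPS origin.
          DOMAIN = "https://${cfg.url}";
          # Loopback only: nginx is the sole network entry point.
          ROCKET_ADDRESS = "127.0.0.1";
          ROCKET_PORT = homelab.ports.${service};
          # Open self-registration is off.
          # NOTE(review): invitations are a separate Vaultwarden setting
          # (INVITATIONS_ALLOWED); verify its value matches the intended
          # enrolment policy.
          SIGNUPS_ALLOWED = false;
        };
      };

      nginx.virtualHosts.${cfg.url} = {
        # Redirect plain HTTP to HTTPS; certificate comes from the ACME
        # host configured for homelab.domain (presumably a wildcard or SAN
        # certificate covering cfg.url; confirm).
        forceSSL = true;
        useACMEHost = homelab.domain;

        locations."/" = {
          # Target the exact bind address instead of "localhost": nginx may
          # resolve "localhost" to ::1 as well, where Vaultwarden is not
          # listening, producing refused upstream connections.
          proxyPass = "http://${vw.ROCKET_ADDRESS}:${toString vw.ROCKET_PORT}";
          # Forwards Host / X-Forwarded-* so the backend sees the real
          # client address and scheme.
          recommendedProxySettings = true;
        };
      };
    };

    # Encrypted secret shipped with the flake; decrypted on the host at
    # activation time.
    age.secrets.vaultwarden-env.file = "${inputs.self}/secrets/vaultwarden-env.age";
  };
}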