# Vaultwarden (Bitwarden-compatible password vault) served through Caddy.
#
# Security-relevant shape of this module:
#   * Vaultwarden listens on loopback only; the Caddy virtual host is the only
#     network-facing entry point defined here.
#   * Open registration is switched off.
#   * The data and backup directories are created mode 0700, owned by the
#     vaultwarden user.
{ config, lib, pkgs, service_configs, ... }:
let
  # Public host name; used both for DOMAIN and for the Caddy virtual host so
  # the two cannot drift apart.
  vaultHost = "bitwarden.${service_configs.https.domain}";

  # Units that must wait for the storage below: the server itself and the
  # backup unit.
  units = [
    "vaultwarden"
    "backup-vaultwarden"
  ];

  # Directories holding vault data and its backups.
  # NOTE(review): service_configs.vaultwarden.path is not handed to
  # services.vaultwarden in this file; presumably it equals the data directory
  # the NixOS module already uses. Confirm, otherwise the mount dependency and
  # the 0700 rule below protect a directory the service does not write to.
  vaultDirs = [
    service_configs.vaultwarden.path
    config.services.vaultwarden.backupDir
  ];
in
{
  # Same order as before: mount dependencies first, then zpool dependencies.
  imports =
    map (unit: lib.serviceMountDeps unit vaultDirs) units
    ++ map (unit: lib.serviceDependZpool unit service_configs.zpool_ssds) units;

  services.vaultwarden = {
    enable = true;

    # NOTE(review): the backup sits on the same pool the services depend on,
    # so it does not cover loss of that pool. Confirm an off-pool copy exists.
    backupDir = "/${service_configs.zpool_ssds}/bak/vaultwarden";

    config = {
      # Refer to https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
      DOMAIN = "https://${vaultHost}";

      # No self-service account creation on this instance.
      SIGNUPS_ALLOWED = false;

      # Loopback only: clients reach the service through Caddy, never directly.
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = service_configs.ports.vaultwarden;

      # Applies to the Rocket web framework's logging; Vaultwarden's own log
      # level is a separate setting (LOG_LEVEL in the template above).
      ROCKET_LOG = "critical";
    };
  };

  # X-Real-IP is overwritten with the address of the peer connected to Caddy,
  # so a client-supplied value never reaches Vaultwarden, which by default
  # takes the client IP from this header.
  # NOTE(review): if another proxy or CDN sits in front of Caddy, {remote_host}
  # is that proxy's address rather than the end user's. Confirm.
  services.caddy.virtualHosts."${vaultHost}".extraConfig = ''
    encode zstd gzip
    reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT} {
        header_up X-Real-IP {remote_host}
    }
  '';

  # Create both directories owner-only (0700) for the vaultwarden user and
  # group; they hold the vault database and its backups.
  systemd.tmpfiles.rules = map (dir: "d ${dir} 0700 vaultwarden vaultwarden") vaultDirs;
}