{ config, unstable, ... }:

{
  # Runtime environment for the service, decrypted by agenix at activation.
  # The file's contents are not visible here; NOTE(review): presumably it holds
  # the secrets that must not live in the Nix store (SMTP_USERNAME/SMTP_PASSWORD,
  # ADMIN_TOKEN, ...) — confirm. `owner` makes the decrypted file readable by
  # the vaultwarden service user only.
  age.secrets.vaultwarden_env = {
    file = ../secrets/vaultwarden_env.age;
    owner = "vaultwarden";
  };

  services.vaultwarden.enable = true;

  # Track the unstable channel's package rather than the host's stable one.
  services.vaultwarden.package = unstable.vaultwarden;

  # Secrets are injected through the environment file above, so this module
  # only carries non-secret settings.
  services.vaultwarden.environmentFile = config.age.secrets.vaultwarden_env.path;

  services.vaultwarden.config = {
    # Public origin of the instance; Vaultwarden uses it for e-mail links and
    # as the WebAuthn origin, so it must match what the reverse proxy serves.
    DOMAIN = "https://bitwarden.bertof.net";

    # Closes open registration on a publicly reachable instance.
    SIGNUPS_ALLOWED = false;

    # TLS is terminated by a reverse proxy (nginx or similar) in front of
    # Vaultwarden; the hardening guide advises against Rocket's built-in TLS:
    # https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#reverse-proxying
    # > you should avoid enabling HTTPS via vaultwarden's built-in Rocket TLS support,
    # > especially if your instance is publicly accessible.
    #
    # A matching NixOS nginx virtual host would look like:
    #
    #   services.nginx.virtualHosts."bitwarden.example.com" = {
    #     enableACME = true;
    #     forceSSL = true;
    #     locations."/" = {
    #       proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
    #     };
    #   };
    #
    # "::" binds every address (on most Linux hosts the v6 wildcard accepts
    # IPv4 too), so the plain-HTTP listener on ROCKET_PORT is reachable from
    # off-host unless the firewall blocks it, while the proxy example above
    # only needs loopback. NOTE(review): confirm port 8222 is not opened in the
    # firewall, or bind to "::1" / "127.0.0.1" if nginx runs on this host.
    ROCKET_ADDRESS = "::";
    ROCKET_PORT = 8222;

    # Keep Rocket's own request logging to the minimum.
    ROCKET_LOG = "critical";

    # Outbound mail goes through Gmail's submission port with STARTTLS, i.e.
    # an external relay with transport encryption. The SMTP credentials are
    # not set here; NOTE(review): they are expected in the environment file
    # above — confirm. Reference:
    # https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
    SMTP_HOST = "smtp.gmail.com";
    SMTP_PORT = 587;
    SMTP_SECURITY = "starttls";
    SMTP_FROM = "filippoberto95@gmail.com";
    SMTP_FROM_NAME = "Bitwarden server";
  };
}