{config, ...}: let
  vaultEnvironment = "vaultwarden/environment";
  vaultwardenAddr = "vaultwarden@${config.constants.domain}";
in {
  services.vaultwarden = {
    enable = true;
    config = with config.constants; {
      DOMAIN = "https://vault.${domain}";
      # Specify service port
      ROCKET_ADDRESS = localhost;
      ROCKET_PORT = port.vault;
      # Disable signup
      SIGNUPS_ALLOWED = false;
      # SMTP config
      SMTP_FROM = vaultwardenAddr;
      SMTP_FROM_NAME = "vaultwarden";
      SMTP_HOST = config.mailserver.fqdn;
      SMTP_USERNAME = vaultwardenAddr;
      SMTP_PORT = 587;
      SMTP_SECURITY = "starttls";
    };
    environmentFile = config.sops.secrets.${vaultEnvironment}.path;
  };
  sops.secrets.${vaultEnvironment} = {};
}