{config, ...}: let
  vaultEnvironment = "vaultwarden/environment";
in {
  services.vaultwarden = {
    enable = true;
    config = with config.constants; {
      DOMAIN = "https://vault.${domain}";
      # Specify service port
      ROCKET_ADDRESS = localhost;
      ROCKET_PORT = port.vault;
      # Disable signup
      SIGNUPS_ALLOWED = false;
      # SMTP config
      SMTP_FROM = "vaultwarden@${domain}";
      SMTP_FROM_NAME = "vaultwarden";
      SMTP_HOST = "mail.${domain}";
      SMTP_USERNAME = "vaultwarden@${domain}";
      SMTP_PORT = 587;
      SMTP_SECURITY = "starttls";
    };
    environmentFile = config.sops.secrets.${vaultEnvironment}.path;
  };
  sops.secrets.${vaultEnvironment} = {};
}