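# NixOS module: vaultwarden running in an ephemeral NixOS container, fronted by
# the host's nginx with ACME-issued TLS. All persistent state lives on the host
# under /var/lib/vaultwarden and is bind-mounted into the container.
{ ... }:
let
  name = "vaultwarden";
  user = name;
  # Fixed uid/gid, declared identically on the host and inside the container so
  # that files on the bind mounts are owned by the same numeric id on both sides.
  uid = 114;
  hostDataDir = "/var/lib/${name}";
  # Port vaultwarden (Rocket) listens on; only reachable via loopback.
  v_port = 8222;
in
{
  users = {
    users.${user} = {
      isSystemUser = true;
      group = user;
      inherit uid;
    };
    groups.${user}.gid = uid;
  };

  # Create and lock down the host-side directories before the container starts.
  # (Script name kept as-is in case another module lists it in `deps`.)
  system.activationScripts.createMediaServerDirs = ''
    mkdir -p ${hostDataDir}/data
    mkdir -p ${hostDataDir}/backups
    chown -R ${toString uid}:${toString uid} ${hostDataDir}
    # 750: owner rwx, group rx, nothing for others. The sqlite database,
    # attachments and RSA keys must not be world-readable.
    chmod -R 750 ${hostDataDir}
  '';

  containers.${name} = {
    # Container rootfs is discarded on every restart; only the bind mounts persist.
    ephemeral = true;
    autoStart = true;
    # Shares the host network namespace: the container's 127.0.0.1 *is* the
    # host's loopback, which is what lets the nginx vhost below reach
    # ROCKET_ADDRESS. It also means any local process on the host can talk to
    # vaultwarden on that port directly, bypassing nginx.
    privateNetwork = false;
    bindMounts = {
      # DATA_FOLDER of the NixOS vaultwarden module (db.sqlite3, attachments, keys).
      "/var/lib/vaultwarden" = {
        hostPath = "${hostDataDir}/data";
        isReadOnly = false;
      };
      # Target of services.vaultwarden.backupDir (periodic sqlite backups).
      "/var/lib/backups/vaultwarden" = {
        hostPath = "${hostDataDir}/backups";
        isReadOnly = false;
      };
    };

    config = { ... }: {
      system.stateVersion = "24.11";
      # Same uid/gid as on the host (see `uid` above) so bind-mounted files match.
      users = {
        users.${user} = {
          isSystemUser = true;
          group = user;
          inherit uid;
        };
        groups.${user}.gid = uid;
      };
      services.vaultwarden = {
        enable = true;
        dbBackend = "sqlite";
        backupDir = "/var/lib/backups/vaultwarden";
        config = {
          DOMAIN = "https://vault.joshuabell.xyz";
          # No open registration; accounts are created by invitation only.
          SIGNUPS_ALLOWED = false;
          ROCKET_PORT = builtins.toString v_port;
          # Loopback only; TLS is terminated by nginx on the host.
          ROCKET_ADDRESS = "127.0.0.1";
          # Do NOT put ADMIN_TOKEN here: everything in `config` is rendered into a
          # world-readable file in the Nix store. Generate the hash with
          # `vaultwarden hash` and supply it via services.vaultwarden.environmentFile
          # (a root-only file bind-mounted into the container), e.g.
          #   ADMIN_TOKEN='$argon2id$...'
          # While it is unset the /admin page stays disabled.
        };
      };
    };
  };

  services.nginx.virtualHosts."vault.joshuabell.xyz" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      # Needed for the /notifications/hub websocket served on the same port.
      proxyWebsockets = true;
      proxyPass = "http://127.0.0.1:${builtins.toString v_port}";
      # Forward X-Real-IP / X-Forwarded-For etc. Vaultwarden keys its login and
      # admin rate limiting on the client IP it reads from IP_HEADER (default
      # X-Real-IP); without these headers every client is seen as 127.0.0.1 and
      # the per-client limits collapse into a single bucket. Harmless if
      # services.nginx.recommendedProxySettings is already enabled globally.
      recommendedProxySettings = true;
    };
  };
}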