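# Vaultwarden (Bitwarden-compatible server): data on the SSD zpool, bound to
# loopback only, published through Caddy, with a fail2ban jail for repeated
# failed logins.
{ config, lib, pkgs, site_config, service_configs, ... }:
let
  vwCfg = service_configs.vaultwarden;
  fqdn = "bitwarden.${site_config.domain}";
in
{
  imports = [
    # Mount the service's dataset from the SSD pool and restrict the data
    # directory (database, attachments, RSA keys) to the service user only.
    (lib.serviceMountWithZpool "vaultwarden" service_configs.zpool_ssds [ vwCfg.path ])
    (lib.serviceFilePerms "vaultwarden" [ "Z ${vwCfg.path} 0700 vaultwarden vaultwarden" ])
    # fail2ban needs the <HOST> placeholder in failregex to know which address
    # to act on; a pattern without it cannot ban anything. Vaultwarden logs the
    # failure as "... Try again. IP: <addr>. Username: <user>.", so <HOST> sits
    # between "IP: " and the following dot.
    (lib.mkFail2banJail {
      name = "vaultwarden";
      failregex = ''^.*Username or password is incorrect\. Try again\. IP: <HOST>\..*$'';
    })
  ];

  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";
    configurePostgres = true;
    config = {
      # Refer to https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
      DOMAIN = "https://${fqdn}";
      # No open registration; accounts are created by invitation only.
      SIGNUPS_ALLOWED = false;
      # Loopback only: the service is reachable solely via the Caddy proxy below.
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = service_configs.ports.private.vaultwarden.port;
      # Quietens Rocket's own request logging. NOTE(review): the failed-login
      # line the jail matches is presumably emitted under vaultwarden's LOG_LEVEL
      # (left at its default here), not ROCKET_LOG - confirm before lowering it.
      ROCKET_LOG = "critical";
    };
  };

  services.caddy.virtualHosts.${fqdn}.extraConfig = ''
    encode zstd gzip
    reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT} {
      # Overwrites any client-supplied X-Real-IP with Caddy's direct peer, so
      # the address vaultwarden logs (and fail2ban bans) is the real client.
      header_up X-Real-IP {remote_host}
    }
  '';
}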