{ config, pkgs, lib, ... }:

let
  # Everything vaultwarden owns lives under one tree so the secret env
  # file and the SQLite data can be backed up as a single unit.
  stateDir = "/private/vaultwarden";
  dataDir = "${stateDir}/data";
in
{
  services.vaultwarden = {
    enable = true;
    dbBackend = "sqlite";
    # Secrets (tokens, SMTP credentials, ...) are read from this file at
    # start-up rather than being written into the Nix store.
    environmentFile = "${stateDir}/vaultwarden.env";

    config = {
      DATA_FOLDER = dataDir;
      DOMAIN = "https://vault.ocbwoy3.dev";

      # Public URL exposed to clients; must match the externally reachable origin.
      # Push relay endpoints for the EU Bitwarden region.
      PUSH_RELAY_URI = "https://api.bitwarden.eu";
      PUSH_IDENTITY_URI = "https://identity.bitwarden.eu";

      # Listener settings. Both listeners bind on every interface; with the
      # firewall ports below left closed, only local processes (e.g. the
      # cloudflared tunnel) can reach them. NOTE(review): if cloudflared
      # runs on this host, binding to 127.0.0.1 would be a tighter
      # default — confirm where the tunnel terminates before changing it.
      ROCKET_ADDRESS = "0.0.0.0";
      ROCKET_PORT = 8222;
      # NOTE(review): recent vaultwarden releases serve websockets on
      # ROCKET_PORT and may ignore the separate WEBSOCKET_* settings —
      # verify against the packaged version.
      WEBSOCKET_ENABLED = true;
      WEBSOCKET_ADDRESS = "0.0.0.0";
      WEBSOCKET_PORT = 3012;

      # No self-service account creation; users are provisioned by the admin.
      SIGNUPS_ALLOWED = false;
    };
  };

  # The unit's sandbox must be granted write access to the custom state
  # tree, otherwise DATA_FOLDER is unwritable at runtime.
  systemd.services.vaultwarden.serviceConfig.ReadWritePaths = [ stateDir ];

  # Create the state tree with service ownership and no world/group access
  # before the unit starts.
  systemd.tmpfiles.rules = [
    "d ${stateDir} 0750 vaultwarden vaultwarden -"
    "d ${dataDir} 0750 vaultwarden vaultwarden -"
  ];

  # Exposure is via cloudflared, so the ports are intentionally NOT opened
  # in the host firewall. Uncomment only if direct LAN access is wanted.
  # networking.firewall.allowedTCPPorts = [
  #   8222
  #   3012
  # ];
}