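# NixOS module: Vaultwarden on PostgreSQL, fronted by an Anubis instance.
#
# Ports and the external URL come from the flake's shared service data
# (`self.lib.data.services.vaultwarden`). Secret material is supplied through
# agenix files and never through `services.vaultwarden.config`, whose values
# are rendered into the unit's environment and therefore end up in the
# world-readable Nix store.
{
  config,
  self,
  self',
  ...
}:
let
  d = self.lib.data.services.vaultwarden;

  # Ownership shared by every agenix secret the service reads, so that only
  # the vaultwarden user/group can open the decrypted files.
  vaultwardenSecret = {
    owner = "vaultwarden";
    group = "vaultwarden";
  };
in
{
  services.vaultwarden = {
    enable = true;
    dbBackend = "postgresql";

    config = {
      # --- Web server ---
      domain = "https://${d.extUrl}";
      # NOTE(review): this listens on every IPv4 interface, while Anubis
      # (below) reaches the service via localhost. Unless a firewall closes
      # d.port, clients can talk to Vaultwarden directly and skip both Anubis
      # and whatever terminates TLS. If nothing off-host needs this port,
      # prefer "127.0.0.1" -- confirm against the reverse-proxy layout first.
      rocketAddress = "0.0.0.0";
      rocketCliColors = false;
      rocketPort = d.port;
      reloadTemplates = false;
      logTimestampFormat = "%Y-%m-%d %H:%M:%S.%3f";

      # --- Rate limiting ---
      # Login and admin-page attempts are throttled separately; the admin
      # values are the stricter pair.
      loginRatelimitSeconds = 60;
      loginRatelimitMaxBurst = 10;
      adminRatelimitSeconds = 120;
      adminRatelimitMaxBurst = 2;
      adminSessionLifetime = 10;

      # --- Logging ---
      useSyslog = true;
      extendedLogging = true;

      # --- Features ---
      sendsAllowed = true;
      emailChangeAllowed = true;
      emergencyAccessAllowed = true;

      # --- Invitations ---
      invitationsAllowed = true;
      invitationOrgName = "dishNet Vault";
      invitationExpirationHours = 168;

      # --- Database ---
      # No credentials in the URL: the password is read from the pgpass file
      # referenced by PGPASSFILE further down.
      databaseUrl = "postgresql://localhost:5432/vaultwarden";

      # --- Signups ---
      # NOTE(review): as far as I know, a non-empty domain whitelist lets
      # addresses in that domain register even though signupsAllowed is
      # false. signupsVerify then makes e-mail verification the only gate, so
      # treat every pyrox.dev mailbox as able to create an account -- confirm
      # this is intended.
      signupsAllowed = false;
      signupsVerify = true;
      signupsDomainWhitelist = "pyrox.dev";

      # --- Passwords ---
      # 1,000,000 hash iterations by default.
      passwordIterations = 1000000;
      passwordHintsAllowed = true;
      # Changed from true. Hints are mailed to the account address while SMTP
      # is configured (as it is below), so this flag only matters when mail
      # is unavailable, in which case `true` would return the hint to any
      # unauthenticated caller who supplies the e-mail address. Keep it off
      # so a mail misconfiguration fails closed.
      showPasswordHint = false;

      # --- Mail ---
      # The SMTP password is not set here; presumably it arrives through
      # environmentFile -- verify against the contents of vaultwarden-vars.
      smtpFrom = "vault@pyrox.dev";
      smtpFromName = "dishNet Vault ";
      smtpUsername = "vault@pyrox.dev";
      smtpSecurity = "force_tls";
      smtpPort = 465;
      smtpHost = "mail.pyrox.dev";
      smtpAuthMechanism = "Login";
      smtpTimeout = 20;
      smtpEmbedImages = true;
      useSendmail = false;

      # --- Authentication ---
      incomplete2faTimeLimit = 5;

      # Email 2FA
      emailExpirationTime = 180;
      emailTokenSize = 7;
      requireDeviceEmail = true;

      # --- Misc ---
      trashAutoDeleteDays = 14;
    };

    # Decrypted at activation by agenix; carries the settings that must stay
    # out of the Nix store.
    environmentFile = config.age.secrets.vaultwarden-vars.path;
  };

  # The PostgreSQL client library reads the database password from this file.
  systemd.services.vaultwarden.environment.PGPASSFILE = config.age.secrets.vaultwarden-pgpass.path;

  age.secrets.vaultwarden-vars = vaultwardenSecret // {
    file = ./secrets/vaultwarden-vars.age;
  };
  age.secrets.vaultwarden-pgpass = vaultwardenSecret // {
    file = ./secrets/vaultwarden-pgpass.age;
  };

  # Anubis sits in front of Vaultwarden: it listens on d.anubis (all
  # interfaces, since BIND has no host part) and forwards requests that pass
  # the policy file to the service on localhost.
  services.anubis.instances.vaultwarden = {
    settings = {
      BIND = ":${toString d.anubis}";
      POLICY_FNAME = "${self'.packages.anubis-files}/policies/vaultwarden.yaml";
      TARGET = "http://localhost:${toString d.port}";
    };
  };
}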