{ pkgs, ... }:
{
  services.vaultwarden = {
    enable = true;
    environmentFile = "/var/lib/secrets/vaultwarden.env";
    config = {
      WEBSOCKET_ENABLED = true;
      WEBSOCKET_ADDRESS = "127.0.0.1";
      WEBSOCKET_PORT = 3012;
      SMTP_HOST = "mail.katzen.cafe";
      SMTP_FROM = "noreply@katzen.cafe";
      SMTP_FROM_NAME = "Katzen.cafe Vaultwarden";
      SMTP_PORT = "465";
      SMTP_USERNAME = "noreply@katzen.cafe";
      SMTP_SECURITY = "force_tls";
      DOMAIN = "https://vw.katzen.cafe";
      SIGNUPS_ALLOWED = false;
      ROCKET_PORT = 8812;
    };
  };
  deployment.keys = {
    "vaultwarden.env" = {
      keyCommand = [ "pass" "vaultwarden/envfile" ];
      destDir = "/var/lib/secrets";
      user = "vaultwarden"; 
    };
  };
}