{
  config,
  pkgs,
  lib,
  ...
}:
{

  healthchecks.http.vaultwarden = {
    url = config.services.vaultwarden.config.domain;
    expectedContent = "Vaultwarden Web";
  };

  services.vaultwarden = {
    enable = true;
    # backupDir =
    config = {
      domain = "https://bitwarden.ingolf-wagner.de";
      signupsAllowed = false;
      rocketPort = 8222;
      rocketLog = "critical";
    };
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {

      "bitwarden.ingolf-wagner.de" = {
        forceSSL = true;
        enableACME = true;
        locations."/" = {
          extraConfig = ''
            client_max_body_size 500M;
          '';
          proxyPass = "http://localhost:${toString config.services.vaultwarden.config.rocketPort}";
        };
      };
    };
  };

}