{
  services.vaultwarden = {
    enable = true;
    environmentFile = "/nix/persist/service/vaultwarden/secret.env";
    config = {
      domain = "https://vault.514fpv.io:2096";
      signupsAllowed = false;
      rocketAddress = "127.0.0.1";
      rocketPort = 8222;
      rocketLog = "critical";
      databaseUrl = "postgresql:///vaultwarden";
    };
    dbBackend = "postgresql";
  };

  services.nginx.virtualHosts."vault.514fpv.io" = {
    useACMEHost = ".514fpv.io";
    addSSL = true;
    locations."/".proxyPass = "http://127.0.0.1:8222";
  };

  environment.persistence."/nix/persist/fhs".directories = [
    "/var/lib/bitwarden_rs"
  ];

  global.fs.zfs.mountpoints."/nix/persist/service/vaultwarden" = "service/vaultwarden";
}