{...}: let
  host = "127.0.0.1";
  port = 8222;
in {
  services.vaultwarden = {
    enable = true;

    config = {
      DOMAIN = "https://bitwarden.spoodythe.one";
      SIGNUPS_ALLOWED = false;

      ROCKET_ADDRESS = host;
      ROCKET_PORT = port;
      ROCKET_LOG = "critical";

      SMTP_HOST = host;
      SMTP_PORT = 25;
      SMTP_SSL = false;

      SMTP_FROM = "admin@bitwarden.spoodythe.one";
      SMTP_FROM_NAME = "SpoodyThe.One Bitwarden Server";
    };
  };

  networking.firewall.allowedTCPPorts = [port];
  networking.firewall.allowedUDPPorts = [port];

  services.caddy = {
    enable = true;
    virtualHosts."bitwarden.spoodythe.one".extraConfig = ''
      reverse_proxy * ${host}:${toString port}
    '';
  };
}