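# NixOS module: minimal Vaultwarden VM profile with CrowdSec ingesting the
# service's journal.
#
# Secrets are provided by agenix (`age.secrets.*`); everything is gated behind
# `services.vm_vaultwarden.enable`, so importing the module alone changes nothing.
{ lib, config, ... }:
let
  cfg = config.services.vm_vaultwarden;
in
{
  options.services.vm_vaultwarden = {
    # mkEnableOption prefixes "Whether to enable ", so its argument must be a
    # noun phrase. The previous text ("Enable minimal config") rendered as
    # "Whether to enable Enable minimal config.".
    enable = lib.mkEnableOption "the minimal Vaultwarden VM configuration";
  };

  config = lib.mkIf cfg.enable {
    age.secrets = {
      # CrowdSec LAPI credentials. Owned by the crowdsec user so the daemon can
      # read the decrypted file without root; default mode (owner-only) applies.
      vaultwarden-lapi-key = {
        file = ../../secrets/vaultwarden-lapi-key.age;
        owner = "crowdsec";
      };
      # Vaultwarden environment file. No owner is set, so the decrypted copy is
      # root-only and reaches the service via `environmentFile` below.
      # NOTE(review): presumably this is where DATABASE_URL for the postgresql
      # backend lives — confirm against the encrypted file.
      env-file = {
        file = ./secrets/env-file.age;
      };
    };

    services = {
      crowdsec = {
        # Community parsers/scenarios for Vaultwarden's log format.
        hub.collections = [ "Dominic-Wagner/vaultwarden" ];
        # `path` is already a string; no interpolation needed.
        settings.lapi.credentialsFile = config.age.secrets.vaultwarden-lapi-key.path;
        localConfig = {
          acquisitions = [
            {
              # Read only vaultwarden's unit from the journal; the syslog label
              # selects the matching parser chain from the collection above.
              source = "journalctl";
              journalctl_filter = [ "_SYSTEMD_UNIT=vaultwarden.service" ];
              labels = { type = "syslog"; };
            }
          ];
        };
      };

      vaultwarden = {
        enable = true;
        dbBackend = "postgresql";
        environmentFile = config.age.secrets.env-file.path;
        config = {
          # Plain HTTP on every interface. DOMAIN is https, so TLS is expected to
          # be terminated by a reverse proxy in front of this VM.
          ROCKET_ADDRESS = "0.0.0.0";
          ROCKET_PORT = "8000";
          DOMAIN = "https://vault.le43.eu";
          # Registration is closed; invite users via the admin interface instead.
          SIGNUPS_ALLOWED = false;
          # Vaultwarden — and therefore the CrowdSec scenarios fed from its
          # journal — take the client address from this header. The header is
          # only trustworthy when the request came through the proxy: a client
          # that reaches :8000 directly can set it freely, which would attribute
          # failed logins to arbitrary addresses and undermine IP-based
          # remediation. Keep direct access to :8000 limited to the proxy.
          IP_HEADER = "X-Forwarded-For";
        };
      };
    };

    # Opens :8000 to every source. If the proxy runs on another host, narrow this
    # to the proxy-facing interface (networking.firewall.interfaces.<name>.
    # allowedTCPPorts) or its address; if the proxy runs on this host, bind
    # ROCKET_ADDRESS to 127.0.0.1 and drop this rule entirely.
    networking.firewall.allowedTCPPorts = [ 8000 ];
  };
}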