{ config, lib, ... }:

let
  cfg = config.control.vaultwarden;
in
{
  config = lib.mkIf cfg.enable {
    services.vaultwarden = {
      enable = true;
      config = {
        DOMAIN = cfg.domain;
        ROCKET_ADDRESS = "0.0.0.0";
        ROCKET_PORT = cfg.port;
        SIGNUPS_ALLOWED = false;
      };
    };

    networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ];
  };
}