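# NixOS module: Vaultwarden behind nginx, plus the mic92 vaultwarden_ldap
# directory-sync daemon from NUR. All secrets come from sops-nix files;
# nothing secret is written into the Nix store.
{ pkgs, config, ... }:
let
  # Template for vaultwarden_ldap's config.toml. The two @…@ placeholders
  # are filled in at service start (see systemd.services.vaultwarden_ldap
  # .preStart), so the file rendered below carries no secrets.
  ldapConfig = {
    vaultwarden_url = "https://bitwarden.cloonar.com";
    vaultwarden_admin_token = "@ADMIN_TOKEN@";
    ldap_host = "localhost";
    ldap_bind_dn = "cn=vmail,dc=cloonar,dc=com";
    ldap_bind_password = "@LDAP_PASSWORD@";
    ldap_search_base_dn = "dc=cloonar,dc=com";
    ldap_search_filter = "(&(objectClass=inetOrgPerson))";
    ldap_sync_interval_seconds = 3600;
  };

  # JSON -> TOML at build time. The output lands in the world-readable Nix
  # store, which is acceptable only because it contains placeholders.
  ldapConfigFile = pkgs.runCommand "config.toml" {
    buildInputs = [ pkgs.remarshal ];
    preferLocalBuild = true;
  } ''
    remarshal -if json -of toml \
      < ${pkgs.writeText "config.json" (builtins.toJSON ldapConfig)} \
      > $out
  '';
in
{
  # NOTE(review): NUR is fetched from the moving `master` branch with no
  # sha256, so the vaultwarden_ldap binary that is handed the admin token
  # is whatever that archive contains at evaluation time (unpinned,
  # unverified supply chain). Pin to a commit and add `sha256 = …;`.
  # NOTE(review): `packageOverrides` is normally declared under
  # `nixpkgs.config`; confirm this top-level attribute is evaluated.
  packageOverrides = pkgs: {
    nur = import (builtins.fetchTarball "https://github.com/nix-community/NUR/archive/master.tar.gz") {
      inherit pkgs;
    };
  };

  environment.systemPackages = with pkgs; [ nur.repos.mic92.vaultwarden_ldap ];

  services.vaultwarden = {
    enable = true;
    dbBackend = "mysql";
    config = {
      domain = "https://bitwarden.cloonar.com";
      # Accounts are expected to arrive via the LDAP sync only.
      signupsAllowed = false;
      rocketPort = 3011;
      # NOTE(review): the `<…path…` here is part of a plain string, not a
      # shell read. Unless the module passes this value through a shell,
      # DATABASE_URL will contain the secret's *path* instead of the
      # password. Injecting DATABASE_URL through the module's
      # environmentFile option is the usual way to do this — confirm
      # against the module before relying on it.
      databaseUrl = "mysql://bitwarden:<${config.sops.secrets.bitwarden-db-password.path}@localhost/bitwarden";
      enableDbWal = "false";
      websocketEnabled = true;
      smtpHost = "smtp.cloonar.com";
      smtpFrom = "bitwarden@cloonar.com";
      smtpUsername = "bitwarden@cloonar.com";
    };
  };

  # The SMTP password reaches vaultwarden as an environment variable read
  # from the sops-managed file (owned by the vaultwarden user below).
  systemd.services.vaultwarden.serviceConfig = {
    EnvironmentFile = [ config.sops.secrets.bitwarden-smtp-password.path ];
  };

  systemd.services.vaultwarden_ldap = {
    wantedBy = [ "multi-user.target" ];
    # Render the secret-bearing config into the service's private runtime
    # directory. Bash pattern substitution replaces the previous sed call so
    # that (a) neither secret ever appears on a command line where it could
    # be read from /proc/*/cmdline, and (b) characters that are special to
    # sed's s-command (`=` delimiter, `&`, `\`) in an admin token or LDAP
    # password no longer corrupt the substitution.
    preStart = ''
      umask 077
      ldap_password=$(<${config.sops.secrets.bitwarden-ldap-password.path})
      admin_token=$(<${config.sops.secrets.bitwarden-admin-token.path})
      template=$(<${ldapConfigFile})
      template=''${template//@LDAP_PASSWORD@/$ldap_password}
      template=''${template//@ADMIN_TOKEN@/$admin_token}
      printf '%s\n' "$template" > /run/vaultwarden_ldap/config.toml
    '';
    serviceConfig = {
      Restart = "on-failure";
      RestartSec = "2s";
      # NOTE(review): systemPackages refers to this package as `pkgs.nur…`;
      # confirm that `config.nur` resolves to the same thing in this module.
      ExecStart = "${config.nur.repos.mic92.vaultwarden_ldap}/bin/vaultwarden_ldap";
      Environment = "CONFIG_PATH=/run/vaultwarden_ldap/config.toml";
      RuntimeDirectory = [ "vaultwarden_ldap" ];
      # The rendered config.toml holds the vaultwarden admin token and the
      # LDAP bind password. systemd's defaults (0755 directory, 0022 umask
      # -> 0644 file) would leave both readable by every local user.
      RuntimeDirectoryMode = "0700";
      UMask = "0077";
      User = "vaultwarden_ldap";
    };
  };

  services.nginx = {
    virtualHosts."bitwarden.cloonar.com" = {
      forceSSL = true;
      enableACME = true;
      # NOTE(review): acmeRoot = null implies a non-HTTP challenge (e.g.
      # DNS-01) configured elsewhere; not visible from this file.
      acmeRoot = null;
      extraConfig = ''
        client_max_body_size 128M;
      '';
      # Web vault / API on the rocket port; the websocket notification hub
      # listens separately on 3012, with its negotiate endpoint served by
      # the main process.
      locations."/" = {
        proxyPass = "http://localhost:3011";
        proxyWebsockets = true;
      };
      locations."/notifications/hub" = {
        proxyPass = "http://localhost:3012";
        proxyWebsockets = true;
      };
      locations."/notifications/hub/negotiate" = {
        proxyPass = "http://localhost:3011";
        proxyWebsockets = true;
      };
    };
  };

  # Each secret is owned by exactly the service user that needs it, so the
  # LDAP sync cannot read the DB/SMTP passwords and vice versa.
  sops.secrets = {
    bitwarden-admin-token.owner = "vaultwarden_ldap";
    bitwarden-ldap-password.owner = "vaultwarden_ldap";
    bitwarden-db-password.owner = "vaultwarden";
    bitwarden-smtp-password.owner = "vaultwarden";
  };

  # Dedicated unprivileged identity for the sync daemon.
  users.users.vaultwarden_ldap = {
    isSystemUser = true;
    group = "vaultwarden_ldap";
  };
  users.groups.vaultwarden_ldap = { };
}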