{config, ...}: let
  serviceName = "vaultwarden";
  servicePort = config.m3ta.ports.get serviceName;
in {
  services.${serviceName} = {
    enable = true;
    dbBackend = "postgresql";
    config = {
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = servicePort;
    };
    environmentFile = config.age.secrets.vaultwarden-env.path;
  };

  # Traefik configuration
  services.traefik.dynamicConfigOptions.http = {
    services.${serviceName}.loadBalancer.servers = [
      {
        url = "http://localhost:${toString servicePort}/";
      }
    ];

    routers.${serviceName} = {
      rule = "Host(`pw.az-gruppe.com`)";
      tls = {
        certResolver = "ionos";
      };
      service = serviceName;
      entrypoints = "websecure";
    };
  };
}