{
  container,
  lib,
  config,
  ...
}:
with lib;
let
  cfg = config.container.module.pass;
in
{
  options = {
    container.module.pass = {
      enable = mkEnableOption "Password manager";
      address = mkOption {
        default = "10.1.0.9";
        type = types.str;
      };
      port = mkOption {
        default = 8000;
        type = types.int;
      };
      domain = mkOption {
        default = "pass.${config.container.domain}";
        type = types.str;
      };
      storage = mkOption {
        default = "${config.container.storage}/pass";
        type = types.str;
      };
    };
  };

  config = mkIf cfg.enable {
    systemd.tmpfiles.rules = container.mkContainerDir cfg [ "data" ];

    containers.pass = container.mkContainer cfg {
      bindMounts = {
        "/var/lib/bitwarden_rs" = {
          hostPath = "${cfg.storage}/data";
          isReadOnly = false;
        };
      };

      config =
        { ... }:
        container.mkContainerConfig cfg {
          services.vaultwarden = {
            enable = true;
            dbBackend = "sqlite";
            environmentFile = "/var/lib/bitwarden_rs/Env";
            config = {
              # DATABASE_URL      = "postgresql://vaultwarden:vaultwarden@${container.config.postgres.address}:${toString container.config.postgres.port}/vaultwarden";
              DATA_FOLDER = "/var/lib/bitwarden_rs";
              DOMAIN = "http://${cfg.domain}";
              SIGNUPS_ALLOWED = false;
              WEB_VAULT_ENABLED = true;
              ROCKET_ADDRESS = cfg.address;
              ROCKET_PORT = cfg.port;
            };
          };
        };
    };
  };
}