{pkgs, ...}: {
  project.name = "passwords";

  networks.dmz = {
    name = "dmz";
    external = true;
  };

  services = {
    vaultwarden.service = {
      image = "vaultwarden/server:1.32.0";
      container_name = "vaultwarden";
      labels = {
        "traefik.enable" = "true";
        "traefik.docker.network" = "dmz";

        "traefik.http.services.vaultwarden.loadbalancer.server.port" = "80";
        "traefik.http.routers.vaultwarden.service" = "vaultwarden";
        "traefik.http.routers.vaultwarden.entrypoints" = "websecure";
        "traefik.http.routers.vaultwarden.rule" = "Host(`vault.ghoscht.com`)";
        "traefik.http.routers.vaultwarden.tls" = "true";
        "traefik.http.routers.vaultwarden.tls.certresolver" = "letsencrypt";

        "traefik.http.services.vaultwarden-external.loadbalancer.server.port" = "80";
        "traefik.http.routers.vaultwarden-external.service" = "vaultwarden-external";
        "traefik.http.routers.vaultwarden-external.rule" = "Host(`vault.ghoscht.com`)";
        "traefik.http.routers.vaultwarden-external.entrypoints" = "websecure-external";
        "traefik.http.routers.vaultwarden-external.tls" = "true";
        "traefik.http.routers.vaultwarden-external.tls.certresolver" = "letsencrypt";

        "diun.enable" = "true";
        "diun.watch_repo" = "true";
        "diun.sort_tags" = "semver";
        "diun.include_tags" = "^\\d+\\.\\d+\\.\\d+$$";
        "diun.exclude_tags" = "\\b\\d{4,}\\b";
      };
      volumes = [
        "/storage/dataset/docker/passwords/vaultwarden_data/:/data"
      ];
      environment = {
        DOMAIN = "http://vaultwarden.ghoscht.com";
      };
      restart = "always";
      networks = [
        "dmz"
      ];
    };
  };
}