diff --git a/modules/services/server/vaultwarden.nix b/modules/services/server/vaultwarden.nix
new file mode 100644
index 0000000..cb9a7b7
--- /dev/null
+++ b/modules/services/server/vaultwarden.nix
@@ -0,0 +1,41 @@
+#
+# System notifications
+#
+
+{ config, lib, pkgs, ... }:
+
+{
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+ backupDir = "/var/backup/vaultwarden";
+ environmentFile = config.age.secrets."services/vaultwarden/environment".path;
+ config = {
+ DOMAIN = "https://vault.kabtop.de";
+ SIGNUPS_ALLOWED = false;
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8222;
+
+ ROCKET_LOG = "critical";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "${config.services.vaultwarden.config.DOMAIN}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+ };
+ };
+ };
+ age.secrets."services/vaultwarden/environment" = {
+ file = ../../../secrets/services/vaultwarden/environment.age;
+ owner = "vaultwarden";
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 195a6c4..db82666 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -81,6 +81,7 @@ in
 "services/gitea/mailerPassword.age".publicKeys = servers ++ users;
 "services/gitea/homerunner-token.age".publicKeys = homerunners ++ users;
 "services/gitea/serverrunner-token.age".publicKeys = serverrunners ++ users;
+ "services/vaultwarden/environment.age".publicKeys = servers ++ users;
 "services/acme/opel-online.age".publicKeys = buildServer ++ users;
 "keys/nixremote.age".publicKeys = buildClients ++ users;
 "keys/nixservepriv.age".publicKeys = buildServer ++ users;
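Review bot: The nginx virtual host is keyed on `config.services.vaultwarden.config.DOMAIN`, which is the full URL `https://vault.kabtop.de`, so the attribute name that NixOS uses by default as the `server_name` and as the ACME certificate name carries the `https://` scheme and is not a valid hostname. Key the vhost on the bare hostname instead, e.g. `virtualHosts."vault.kabtop.de" = {`, and keep `DOMAIN` as the URL. Separately, `backupDir` is set together with `dbBackend = "postgresql"`; as far as I recall the nixpkgs module's backup job only covers the SQLite database (and may assert against this combination), so the vault data held in PostgreSQL would need its own backup. The header comment `# System notifications` looks copied from another module and should name Vaultwarden.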
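Review bot: The new `services/vaultwarden/environment.age` entry is encrypted to every key in `servers`, so if that list holds more than the one host running Vaultwarden, each of those hosts can decrypt an environment file that for Vaultwarden commonly carries the admin token and database credentials. `servers` is defined outside this hunk, so its membership should be confirmed; neighbouring entries already use narrower recipient lists such as `homerunners` and `buildServer`. Consider a recipient list that contains only the Vaultwarden host's key, combined with `users` as the other entries do.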
diff --git a/secrets/services/vaultwarden/environment.age b/secrets/services/vaultwarden/environment.age
new file mode 100644
index 0000000..f4cf795
Binary files /dev/null and b/secrets/services/vaultwarden/environment.age differ