diff --git a/nixos/flake.nix b/nixos/flake.nix
index 3ead40c..efac27b 100644
--- a/nixos/flake.nix
+++ b/nixos/flake.nix
@@ -70,13 +70,21 @@
 };
 };
- k3s = {
- imports = [ ./machines/k3s ];
+ vault = {
+ imports = [ ./machines/vault ];
 deployment = {
- targetHost = "k3s.lxd";
- tags = [ "k3s" ];
+ targetHost = "vault.lxd";
+ tags = [ "website" "system" ];
 };
 };
+
+ # k3s = {
+ # imports = [ ./machines/k3s ];
+ # deployment = {
+ # targetHost = "k3s.lxd";
+ # tags = [ "k3s" ];
+ # };
+ # };
 };
 devShells.x86_64-linux.default = pkgs.mkShell {
diff --git a/nixos/machines/nginx/default.nix b/nixos/machines/nginx/default.nix
index 1910d7b..5ecce48 100644
--- a/nixos/machines/nginx/default.nix
+++ b/nixos/machines/nginx/default.nix
@@ -26,6 +26,15 @@
 proxyWebsockets = true;
 };
 };
+ virtualHosts."vault.asraphiel.dev" = {
+ forceSSL = true;
+ enableACME = true;
+ http2 = true;
+ locations."/" = {
+ proxyPass = "http://vault.lxd:8200/";
+ proxyWebsockets = true;
+ };
+ };
 };
 security.acme.email = "acme@voidcorp.nl";
 security.acme.acceptTerms = true;
diff --git a/nixos/machines/postgres/default.nix b/nixos/machines/postgres/default.nix
index 856b398..64b7618 100644
--- a/nixos/machines/postgres/default.nix
+++ b/nixos/machines/postgres/default.nix
@@ -17,12 +17,17 @@
 host all all 10.0.0.0/8 trust
 host all all fd42:14c:5baf:51ec:216:3eff:fe6e:32a7/96 trust
 '';
- ensureDatabases = [ "gitea" ];
+ ensureDatabases = [ "gitea" "vault" ];
 ensureUsers = [
 {
 name = "gitea";
 ensurePermissions = { "DATABASE \"gitea\"" = "ALL PRIVILEGES"; };
 }
+
+ {
+ name = "vault";
+ ensurePermissions = { "DATABASE \"vault\"" = "ALL PRIVILEGES"; };
+ }
 ];
 enableTCPIP = true;
diff --git a/nixos/machines/vault/default.nix b/nixos/machines/vault/default.nix
new file mode 100644
index 0000000..2b0ec1c
--- /dev/null
+++ b/nixos/machines/vault/default.nix
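Review bot: The commented-out `# k3s = { … };` block appended after the new `vault` entry in the flake.nix hunk is dead configuration; git history already preserves the old node, so those seven lines should be dropped rather than carried in the flake. The `tags` also move from `"k3s"` to `"website" "system"`, which presumably places the Vault host in the same deployment groups as the web hosts; if that is intended, a short comment such as `# tagged "system" so it is deployed with the base hosts` would make the grouping explicit. The enclosing attribute set begins and ends outside the hunk.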
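Review bot: In the nginx hunk the new `vault.asraphiel.dev` vhost proxies to `http://vault.lxd:8200/`, so TLS ends at nginx and every Vault token and secret crosses the nginx-to-vault hop in clear text; that is only acceptable if the LXD bridge is treated as isolated, and the line deserves a comment to that effect, e.g. `# plaintext upstream: relies on the LXD network being private`. The vhost also publishes Vault's UI and API to the internet with no nginx-level restriction; if only administrators use it, an nginx `allow`/`deny` list in the location's `extraConfig`, or a client-certificate requirement, would narrow the exposure without changing Vault itself. The surrounding `services.nginx` block starts outside the hunk.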
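Review bot: The new `vault` role in the postgres hunk is created under the existing `host all all 10.0.0.0/8 trust` and `fd42:…/96 trust` rules shown as context, so any host on those ranges can connect to the `vault` database as `vault` with no password and read, alter or wipe Vault's storage (the barrier contents are encrypted, but the store and HA lock rows can still be destroyed or tampered with). A dedicated rule placed before the trust lines, e.g. `host vault vault <vault-host-ip>/32 scram-sha-256`, would limit that role to the Vault machine and require the credential that the vault config's `connection_url` already carries. `ALL PRIVILEGES` on the database is appropriate for the storage backend, but note that it only creates an empty database; the tables Vault expects are not created by this change. The `authentication` string and `ensureUsers` list begin and end outside the hunk.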
@@ -0,0 +1,19 @@
+{ config, pkgs, ... }: {
+ imports = [ ../../common ../../common/lxc.nix ];
+ networking.hostName = "vault";
+ system.stateVersion = "21.11";
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [ 8200 ];
+ services.vault = {
+ enable = true;
+ address = "0.0.0.0:8200";
+ storageBackend = "postgresql";
+ storageConfig = ''
+ connection_url = "postgres://vault:x@postgres.lxd:5432/vault?sslmode=disable"
+ '';
+ extraConfig = ''
+ ui = true
+ disable_mlock = true
+ '';
+ };
+}
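Review bot: `storageConfig` embeds the database credential in a Nix string (`postgres://vault:x@…`, with `x` presumably a placeholder because the sibling pg_hba rules use `trust`), so it lands world-readable in `/nix/store` on every host that evaluates the flake, and `sslmode=disable` sends it and all storage traffic to `postgres.lxd` in clear text. Vault reads the URL from the `VAULT_PG_CONNECTION_URL` environment variable, and `services.vault.extraSettingsPaths` can reference a file kept outside the store, so the credential can be supplied from a non-store file and `sslmode=require` set once the postgres host offers TLS. `disable_mlock = true` lets the in-memory keyring be swapped to disk, and `address = "0.0.0.0:8200"` together with `allowedTCPPorts = [ 8200 ]` exposes the plaintext listener to every host on the LXD network rather than only the nginx proxy; both are defensible inside a container but deserve a comment such as `# mlock unavailable in unprivileged LXC; listener is plaintext and reachable from the whole LXD bridge`. Separately, Vault's postgresql backend does not create its `vault_kv_store` (and, for HA, `vault_ha_locks`) table itself, and the postgres change in this commit only creates an empty `vault` database, so the schema must be applied before the service's first start.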