diff --git a/nixos/flake.nix b/nixos/flake.nix index 5b74f25..f70f8b5 100644 --- a/nixos/flake.nix +++ b/nixos/flake.nix @@ -122,6 +122,14 @@ }; }; + vaultwarden = { + imports = [ ./machines/vaultwarden ]; + deployment = { + targetHost = "vaultwarden.lxd"; + tags = [ "system" ]; + }; + }; + # k3s = { # imports = [ ./machines/k3s ]; # deployment = { diff --git a/nixos/machines/nginx/default.nix b/nixos/machines/nginx/default.nix index cd5e836..02a9544 100644 --- a/nixos/machines/nginx/default.nix +++ b/nixos/machines/nginx/default.nix @@ -46,6 +46,7 @@ in { virtualHosts."s3.asraphiel.dev" = bigProxy "http://minio.lxd:9000/"; virtualHosts."shell.s3.asraphiel.dev" = proxy "http://minio.lxd:9001/"; virtualHosts."registry.asraphiel.dev" = proxy "http://registry.lxd:5000/"; + virtualHosts."vaultwarden.asraphiel.dev" = proxy "http://vaultwarden.lxd:8000/"; }; security.acme.email = "acme@voidcorp.nl"; security.acme.acceptTerms = true; diff --git a/nixos/machines/postgres/default.nix b/nixos/machines/postgres/default.nix index a6d2244..157ddb5 100644 --- a/nixos/machines/postgres/default.nix +++ b/nixos/machines/postgres/default.nix @@ -17,7 +17,7 @@ host all all 10.0.0.0/8 trust host all all fd42:8db7:2e6b:8e9b:216:3eff::/96 trust ''; - ensureDatabases = [ "gitea" "vault" ]; + ensureDatabases = [ "gitea" "vault" "vaultwarden" ]; ensureUsers = [ { name = "gitea"; @@ -28,6 +28,10 @@ name = "vault"; ensurePermissions = { "DATABASE \"vault\"" = "ALL PRIVILEGES"; }; } + { + name = "vaultwarden"; + ensurePermissions = { "DATABASE \"vaultwarden\"" = "ALL PRIVILEGES"; }; + } ]; enableTCPIP = true; diff --git a/nixos/machines/vaultwarden/default.nix b/nixos/machines/vaultwarden/default.nix new file mode 100644 index 0000000..fc2b3a0 --- /dev/null +++ b/nixos/machines/vaultwarden/default.nix 
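Review bot: The new `virtualHosts."vaultwarden.asraphiel.dev" = proxy "http://vaultwarden.lxd:8000/";` line in the nginx hunk forwards to a plain-HTTP Rocket listener through the `proxy` helper, whose definition is outside this hunk; Vaultwarden keys its login rate limiting on the client address it reads from `X-Real-IP` (its `IP_HEADER` default), so if `proxy` does not emit `proxy_set_header X-Real-IP $remote_addr;` every failed login will be attributed to the nginx host and per-client throttling is ineffective. Worth confirming the helper sets that header (and `Host`) before this goes live, since the other vhosts it serves are less sensitive to that than a password-vault login endpoint. If the helper already does so, a short comment on the new vhost line saying it is relied on here would save the next reader the lookup.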
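Review bot: The `vaultwarden` role added in the second postgres hunk (`@@ -28,6 +28,10 @@`) is created by `ensureUsers` without a password, and the `pg_hba` context lines visible in the first postgres hunk (`host all all 10.0.0.0/8 trust` and the `fd42:…/96 trust` entry) let any host on those networks connect as any role with no credential, so whatever `DATABASE_URL` Vaultwarden reads from its environment file is not what protects the user records and cipher data in the new `vaultwarden` database. That trust configuration pre-dates this commit, but this change is the first to put a password-manager backend behind it; consider an `hba` line for the `vaultwarden` role using `scram-sha-256` (or `md5`) placed ahead of the trust entries, or narrowing the trust entries to the hosts that actually need them. The same applies to the `ensureDatabases` line in the first postgres hunk.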
@@ -0,0 +1,26 @@
+{ config, pkgs, deployment, ... }: {
+ imports = [ ../../common ../../common/lxc.nix ];
+ networking.hostName = "vaultwarden";
+ system.stateVersion = "21.11";
+
+ networking.firewall.allowedTCPPorts = [ 8000 ];
+
+ deployment.keys."envFile" = {
+ user = "vaultwarden";
+ group = "vaultwarden";
+ destDir = "/var/lib/keys";
+ keyCommand = [ "vault" "kv" "get" "-field=env" "kv/vaultwarden" ];
+
+ };
+
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+ environmentFile = "/var/lib/keys/envFile";
+ config = {
+ domain = "https://vaultwarden.asraphiel.dev";
+ signupsDomainsWhitelist = "voidcorp.nl";
+ rocketPort = 8000;
+ };
+ };
+}
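Review bot: `signupsDomainsWhitelist = "voidcorp.nl";` only compares the domain part of the address the client submits; Vaultwarden does not verify that address unless `SIGNUPS_VERIFY` is enabled, and nothing in this file turns it on (`signupsVerify = true;`) or configures SMTP, so anyone who can reach the vhost can register with an unverified address at that domain and obtain an account on the instance. Separately, `networking.firewall.allowedTCPPorts = [ 8000 ];` opens the plaintext Rocket listener to every host that can reach `vaultwarden.lxd`, not just the nginx host that terminates TLS; `networking.firewall.interfaces.<IFACE>.allowedTCPPorts` or an `extraCommands` rule restricted to the proxy's address would narrow it (the interface name is not visible here). Finally, `destDir = "/var/lib/keys";` keeps the `envFile` secret on the container's persistent disk rather than the `/run/keys` tmpfs that the deployment tool (this looks like colmena's `deployment.keys`) uses by default — if that is deliberate, a one-line comment giving the reason belongs on the `destDir` line, and the stray blank line before the keys block's closing `};` can go.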