diff --git a/hosts/deertopia/configuration.nix b/hosts/deertopia/configuration.nix
index a65204f..13103ef 100644
--- a/hosts/deertopia/configuration.nix
+++ b/hosts/deertopia/configuration.nix
@@ -66,6 +66,7 @@
 # umurmur.enable = true;
 murmur.enable = true;
 anki-sync-server.enable = true;
+ vaultwarden.enable = true;
 servarr = {
 enable = true;
 prowlarr.enable = true;
diff --git a/modules/nixos/deertopia/vaultwarden.nix b/modules/nixos/deertopia/vaultwarden.nix
new file mode 100644
index 0000000..5f7d134
--- /dev/null
+++ b/modules/nixos/deertopia/vaultwarden.nix
@@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.sydnix.deertopia.vaultwarden;
+in {
+ options.sydnix.deertopia.vaultwarden = {
+ enable = lib.mkEnableOption "Vaultwarden";
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.vaultwarden = {
+ enable = true;
+ config = {
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8222;
+ DOMAIN = "https://vault.deertopia.net";
+ };
+ };
+
+ sydnix.impermanence.directories = [
+ "/var/backup/vaultwarden"
+ ];
+
+ services.nginx.upstreams.vaultwarden.servers =
+ let port = toString config.services.vaultwarden.config.ROCKET_PORT;
+ in {
+ "127.0.0.1:${port}" = { };
+ };
+
+ sydnix.deertopia.nginx.vhosts."vault".vhost = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/".proxyPass = "http://vaultwarden";
+ "= /notifications/anonymous-hub" = {
+ proxyPass = "http://vaultwarden";
+ proxyWebsockets = true;
+ };
+ "= /notifications/hub" = {
+ proxyPass = "http://vaultwarden";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+}
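Review bot: The `services.vaultwarden.config` set in the new module leaves registration at Vaultwarden's default, which allows open signups, while the `vault` vhost publishes the instance over ACME-backed HTTPS; unless an environment file outside this diff overrides it, anyone who reaches the domain can create an account. I would add `SIGNUPS_ALLOWED = false;` next to `DOMAIN` and onboard users by invitation. Separately, `/var/backup/vaultwarden` is added to `sydnix.impermanence.directories`, but `services.vaultwarden.backupDir` is not set anywhere in the hunk, so nothing visible here writes to that path; `backupDir = "/var/backup/vaultwarden";` would make the persisted directory meaningful. The service's own state directory is not in the persisted list either, so it is worth confirming that another module keeps it across reboots, otherwise the vault database would not survive one.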