diff --git a/hosts/common.nix b/hosts/common.nix index abe5fbe..4c1aae0 100644 --- a/hosts/common.nix +++ b/hosts/common.nix @@ -24,7 +24,6 @@ config.allowUnfree = true; overlays = [ inputs.agenix.overlays.default - (import ../overlays/default.nix) (final: prev: { unstable = import inputs.nixpkgs-unstable { config = { @@ -33,6 +32,7 @@ system = final.system; }; }) + (import ../overlays/default.nix) ]; }; diff --git a/overlays/default.nix b/overlays/default.nix index 4ab9663..bde0c04 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -31,6 +31,8 @@ lib.mapAttrs ( else # Namespaced package sets in regular attrsets. prev.${name} // value + else if name == "vaultwarden" then + final.callPackage value { rustPlatform = final.unstable.rustPlatform; } else final.callPackage value { } ) pkgs diff --git a/pkgs/vaultwarden/package.nix b/pkgs/vaultwarden/package.nix new file mode 100644 index 0000000..e273f57 --- /dev/null +++ b/pkgs/vaultwarden/package.nix 
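Review bot: The new `name == "vaultwarden"` branch in overlays/default.nix swaps in `final.unstable.rustPlatform` without saying why, so nothing records that the password server is now compiled with the toolchain from the nixpkgs-unstable input rather than the system's pinned nixpkgs. A comment above the branch would cover it, for example `# vaultwarden is pinned to a git commit and built with the unstable Rust toolchain (presumably it needs a newer rustc; confirm); remove once stable suffices`. The branch also hard-codes one package name into the generic mapper; a small name-to-arguments attrset consulted by the final `callPackage` would keep the mapper generic if a second package ever needs an override. The enclosing `lib.mapAttrs` expression starts and ends outside the hunk.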
@@ -0,0 +1,65 @@
+{
+ lib,
+ stdenv,
+ callPackage,
+ rustPlatform,
+ fetchFromGitHub,
+ nixosTests,
+ pkg-config,
+ openssl,
+ libiconv,
+ dbBackend ? "sqlite",
+ libmysqlclient,
+ libpq,
+}:
+
+let
+ webvault = callPackage ./webvault.nix { };
+in
+
+rustPlatform.buildRustPackage rec {
+ pname = "vaultwarden";
+ version = "git-" + builtins.substring 0 7 src.rev;
+
+ src = fetchFromGitHub {
+ owner = "dani-garcia";
+ repo = "vaultwarden";
+ rev = "a2ad1dc7c3d28834749d4b14206838d795236c27";
+ sha256 = "sha256-6Qmp/Uv8hdKuL9e3tPMKgNq1ZdvRQbzM65ifmS2Z3UY=";
+ };
+
+ cargoHash = "sha256-F7we9rurJ7srz54lsuSrdoIZpkGE+4ncW3+wjEwaD7M=";
+
+ # used for "Server Installed" version in admin panel
+ env.VW_VERSION = version;
+
+ nativeBuildInputs = [ pkg-config ];
+ buildInputs = [
+ openssl
+ ]
+ ++ lib.optionals stdenv.hostPlatform.isDarwin [
+ libiconv
+ ]
+ ++ lib.optional (dbBackend == "mysql") libmysqlclient
+ ++ lib.optional (dbBackend == "postgresql") libpq;
+
+ buildFeatures = dbBackend;
+
+ passthru = {
+ inherit webvault;
+ tests = nixosTests.vaultwarden;
+ updateScript = callPackage ./update.nix { };
+ };
+
+ meta = with lib; {
+ description = "Unofficial Bitwarden compatible server written in Rust";
+ homepage = "https://github.com/dani-garcia/vaultwarden";
+ changelog = "https://github.com/dani-garcia/vaultwarden/releases/tag/${version}";
+ license = licenses.agpl3Only;
+ maintainers = with maintainers; [
+ dotlambda
+ SuperSandro2000
+ ];
+ mainProgram = "vaultwarden";
+ };
+}
diff --git a/pkgs/vaultwarden/webvault.nix b/pkgs/vaultwarden/webvault.nix
new file mode 100644
index 0000000..6452688
--- /dev/null
+++ b/pkgs/vaultwarden/webvault.nix
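Review bot: In pkgs/vaultwarden/package.nix, `meta.changelog` interpolates `version`, which is now `git-` plus the first seven characters of `src.rev`, so the link points at a release tag that presumably does not exist upstream. Pointing it at the pinned commit keeps it resolvable: `changelog = "https://github.com/dani-garcia/vaultwarden/commit/${src.rev}";`. `passthru.updateScript` calls `./update.nix`, which none of the visible file sections add; if it is not already in the tree, evaluating that attribute will fail. Because the server is pinned to an untagged commit, a comment beside `rev` saying why that commit was chosen and when to return to a tagged release would help whoever tracks upstream security fixes.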
@@ -0,0 +1,83 @@
+{
+ lib,
+ buildNpmPackage,
+ fetchFromGitHub,
+ nixosTests,
+ python3,
+ vaultwarden,
+}:
+
+let
+ version = "2025.8.0";
+
+ bw_web_builds = fetchFromGitHub {
+ owner = "dani-garcia";
+ repo = "bw_web_builds";
+ rev = "v${version}";
+ hash = "sha256-93acGKO3Fq81M1wKPvIynvkTFXPQXypcMb+c4aEtxJc=";
+ };
+
+in
+buildNpmPackage rec {
+ pname = "vaultwarden-webvault";
+ inherit version;
+
+ src = fetchFromGitHub {
+ owner = "vaultwarden";
+ repo = "vw_web_builds";
+ rev = bw_web_builds.rev;
+ hash = "sha256-u51EP4I+bUcTeMqfzx1gbZMxpjalt3bpK3QGp5QEpYU=";
+ };
+
+ npmDepsHash = "sha256-wi7ZDgGKXrtueLob5OVNKCpnzC00UW9zo8KwuoyL1Bo=";
+
+ postPatch = ''
+ ln -s ${bw_web_builds}/{patches,resources} ..
+ '';
+
+ nativeBuildInputs = [
+ python3
+ ];
+
+ makeCacheWritable = true;
+
+ env = {
+ ELECTRON_SKIP_BINARY_DOWNLOAD = "1";
+ npm_config_build_from_source = "true";
+ };
+
+ npmRebuildFlags = [
+ # FIXME one of the esbuild versions fails to download @esbuild/linux-x64
+ "--ignore-scripts"
+ ];
+
+ npmBuildScript = "dist:oss:selfhost";
+
+ npmBuildFlags = [
+ "--workspace"
+ "apps/web"
+ ];
+
+ npmFlags = [ "--legacy-peer-deps" ];
+
+ installPhase = ''
+ runHook preInstall
+ mkdir -p $out/share/vaultwarden
+ mv apps/web/build $out/share/vaultwarden/vault
+ runHook postInstall
+ '';
+
+ passthru = {
+ inherit bw_web_builds;
+ tests = nixosTests.vaultwarden;
+ };
+
+ meta = with lib; {
+ description = "Integrates the web vault into vaultwarden";
+ homepage = "https://github.com/dani-garcia/bw_web_builds";
+ changelog = "https://github.com/dani-garcia/bw_web_builds/releases/tag/v${version}";
+ platforms = platforms.all;
+ license = licenses.gpl3Plus;
+ inherit (vaultwarden.meta) maintainers;
+ };
+}
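Review bot: In pkgs/vaultwarden/webvault.nix, `src.rev` is taken from `bw_web_builds.rev`, so a single `version` bump moves two fetches at once while the two `hash` values and `npmDepsHash` stay as they are until someone edits them. Fixed-output fetches are looked up by hash, so a stale hash can be satisfied from an existing store path and the old source reused without any error. A comment above `version` would make this explicit: `# bumping version changes the rev of both fetchFromGitHub calls; refresh both hashes and npmDepsHash together`. The FIXME on `--ignore-scripts` could also state what is skipped as a result, since it currently records only the download failure.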