diff --git a/flake.lock b/flake.lock
index 98abf61..b3dffba 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1143,11 +1143,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1755887038,
- "narHash": "sha256-HoEMwFfR3rwNxwJjFCbj3rfW8k6EabHuMJAZOwsT95c=",
+ "lastModified": 1756051653,
+ "narHash": "sha256-JJkQliqI7zn+esLnKQP82eQEuolNz8IELm/BYGPTvEw=",
 "ref": "refs/heads/master",
- "rev": "9e47b557087ebde3a30c9f97189d110c29d144fd",
- "revCount": 40,
+ "rev": "01cf200f61946ac9f259f9163933ea1749cb3531",
+ "revCount": 41,
 "type": "git",
 "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
 },
diff --git a/hosts/vps1/default.nix b/hosts/vps1/default.nix
index d695270..d2627dd 100644
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@@ -12,6 +12,7 @@
 ./matrix.nix
 ./nginx.nix
 ./photoprism.nix
+ ./vaultwarden.nix
 ../server.nix
 ];
diff --git a/hosts/vps1/vaultwarden.nix b/hosts/vps1/vaultwarden.nix
new file mode 100644
index 0000000..61d5129
--- /dev/null
+++ b/hosts/vps1/vaultwarden.nix
@@ -0,0 +1,73 @@
+{
+ inputs,
+ config,
+ lib,
+ ...
+}:
+let
+ inherit (lib)
+ mkForce
+ ;
+ baseDomain = "vimium.com";
+ domain = "vaultwarden.${baseDomain}";
+in
+{
+ age.secrets."files/services/vaultwarden/envfile" = {
+ file = "${inputs.secrets}/files/services/vaultwarden/envfile.age";
+ };
+
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "sqlite";
+ backupDir = "/var/cache/vaultwarden-backup";
+ config = {
+ dataFolder = mkForce "/var/lib/vaultwarden";
+ useSysLog = true;
+ webVaultEnabled = true;
+
+ rocketPort = 8222;
+
+ signupsAllowed = false;
+ passwordIterations = 1000000;
+ invitationsAllowed = true;
+ invitationOrgName = "Vaultwarden";
+ domain = "https://${domain}";
+ };
+ environmentFile = config.age.secrets."files/services/vaultwarden/envfile".path;
+ };
+
+ services.nginx.virtualHosts = {
+ "${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+
+ systemd.services.backup-vaultwarden.environment.DATA_FOLDER = mkForce "/var/lib/vaultwarden";
+ systemd.services.vaultwarden.serviceConfig = {
+ StateDirectory = mkForce "vaultwarden";
+ RestartSec = "60";
+ };
+
+ environment.persistence."/persist".directories = [
+ {
+ directory = "/var/lib/vaultwarden";
+ user = "vaultwarden";
+ group = "vaultwarden";
+ mode = "0700";
+ }
+ ];
+
+ environment.persistence."/state".directories = [
+ {
+ directory = config.services.vaultwarden.backupDir;
+ user = "vaultwarden";
+ group = "vaultwarden";
+ mode = "0700";
+ }
+ ];
+}
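Review bot: The `services.vaultwarden.config` block sets `rocketPort = 8222` but no `rocketAddress`, so the listen address falls back to the binary's default (or to whatever the age-encrypted envfile sets, which is not visible here); in recent Vaultwarden releases that default is not loopback, which would leave the plaintext HTTP backend reachable on every interface the host's firewall does not block, rather than only from the nginx TLS terminator on the same machine. The `proxyPass` target is already pinned to `127.0.0.1`, so the bind should match it: add `rocketAddress = "127.0.0.1";` next to `rocketPort`. If the envfile already carries `ROCKET_ADDRESS`, a one-line comment on the `environmentFile` assignment naming the settings it supplies would save the next reader from decrypting the secret to find out.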