diff --git a/nix/hosts/nixedo/default.nix b/nix/hosts/nixedo/default.nix
index 9c64fdf..68119ab 100644
--- a/nix/hosts/nixedo/default.nix
+++ b/nix/hosts/nixedo/default.nix
@@ -13,7 +13,7 @@
 paperless.enable = true;
 pihole.enable = true;
 tubearchivist-container.enable = true;
- # vaultwarden.enable = true;
+ vaultwarden.enable = true;
 };
 };
diff --git a/nix/modules/nixos/features/homelab/default.nix b/nix/modules/nixos/features/homelab/default.nix
index c62d843..7231aa8 100644
--- a/nix/modules/nixos/features/homelab/default.nix
+++ b/nix/modules/nixos/features/homelab/default.nix
@@ -9,5 +9,6 @@
 ./paperless.nix
 ./pi-hole.nix
 ./tubearchivist-container.nix
+ ./vaultwarden.nix
 ];
 }
diff --git a/nix/modules/nixos/features/homelab/vaultwarden.nix b/nix/modules/nixos/features/homelab/vaultwarden.nix
new file mode 100644
index 0000000..25767b6
--- /dev/null
+++ b/nix/modules/nixos/features/homelab/vaultwarden.nix
@@ -0,0 +1,31 @@
+{ config, lib, ... }:
+
+with lib;
+
+{
+ options.features.homelab.vaultwarden.enable = mkEnableOption "Enable vaultwarden";
+
+ config = mkIf config.features.homelab.vaultwarden.enable {
+ services = {
+ vaultwarden = {
+ enable = true;
+
+ config = {
+ DOMAIN = "https://vaultwarden.opdavies.uk";
+
+ # TODO: check registrations are disabled.
+ SIGNUPS_ALLOWED = false;
+
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8222;
+ };
+ };
+
+ caddy.virtualHosts."vaultwarden.opdavies.uk" = {
+ useACMEHost = "opdavies.uk";
+
+ extraConfig = "reverse_proxy localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+ };
+ };
+ };
+}
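Review bot: The `# TODO: check registrations are disabled.` above `SIGNUPS_ALLOWED = false;` in vaultwarden.nix is still open in the same commit that enables the service on nixedo and fronts it with the `vaultwarden.opdavies.uk` Caddy virtual host, so the check should be done and recorded before a password vault goes live. `SIGNUPS_ALLOWED = false` only closes self-registration; Vaultwarden's `INVITATIONS_ALLOWED` defaults to true, so an organisation owner or admin can still invite an address that then registers, and if that is not wanted the block also needs `INVITATIONS_ALLOWED = false;`. I would replace the TODO with a comment stating the verified behaviour, for example `# Self-registration is off; confirmed the create-account request is rejected.` If an admin token is added later, it should come from `services.vaultwarden.environmentFile` rather than `config`, because values placed in `config` end up in the world-readable Nix store.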