diff --git a/hosts/nixedo/services/vaultwarden.nix b/hosts/nixedo/services/vaultwarden.nix index 1928cdc4..b3f697a3 100644 --- a/hosts/nixedo/services/vaultwarden.nix +++ b/hosts/nixedo/services/vaultwarden.nix @@ -1,7 +1,7 @@ { config, + inputs, lib, - options, ... }: @@ -20,26 +20,6 @@ in default = "${service}.${homelab.domain}"; type = types.str; }; - - homepage.name = mkOption { - default = "Vaultwarden"; - type = types.str; - }; - - homepage.description = mkOption { - default = "Unofficial Bitwarden compatible server written in Rust"; - type = types.str; - }; - - homepage.icon = mkOption { - default = "bitwarden"; - type = types.str; - }; - - homepage.category = mkOption { - default = "Services"; - type = types.str; - }; }; config = mkIf cfg.enable { @@ -47,6 +27,8 @@ in ${service} = { enable = true; + environmentFile = config.age.secrets.vaultwarden-env.path; + config = { DOMAIN = "https://${cfg.url}"; ROCKET_ADDRESS = "127.0.0.1"; @@ -55,11 +37,17 @@ in }; }; - cloudflared.tunnels.${homelab.cloudflared.tunnelId}.ingress = { - "${cfg.url}" = "http://${config.services.${service}.config.ROCKET_ADDRESS}:${ - toString config.services.${service}.config.ROCKET_PORT - }"; + nginx.virtualHosts.${cfg.url} = { + forceSSL = true; + useACMEHost = homelab.domain; + + locations."/" = { + proxyPass = "http://localhost:${toString config.services.${service}.config.ROCKET_PORT}"; + recommendedProxySettings = true; + }; }; }; + + age.secrets.vaultwarden-env.file = "${inputs.self}/secrets/vaultwarden-env.age"; }; } diff --git a/secrets.nix b/secrets.nix index 780791b8..23e41540 100644 --- a/secrets.nix +++ b/secrets.nix @@ -35,4 +35,6 @@ in hosts.t480 ] ++ [ users.opdavies ]; + + "secrets/vaultwarden-env.age".publicKeys = [ hosts.nixedo ] ++ [ users.opdavies ]; } diff --git a/secrets/vaultwarden-env.age b/secrets/vaultwarden-env.age new file mode 100644 index 00000000..369a978c --- /dev/null +++ b/secrets/vaultwarden-env.age 
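Review bot: The added `environmentFile = config.age.secrets.vaultwarden-env.path;` line in the `${service}` block has no comment saying what the encrypted file is expected to hold or why those settings are kept out of `config`. I would add above it `# Secret settings come from the agenix-decrypted env file so they are not written to the world-readable Nix store; non-secret settings stay in config below.` Which variables the file defines is not visible in this diff, so the comment should list them by name (never by value) once confirmed. The enclosing attribute set continues past the end of this hunk.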
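Review bot: In the new `nginx.virtualHosts.${cfg.url}` block, `proxyPass` hard-codes `localhost` while Vaultwarden is bound to `ROCKET_ADDRESS = "127.0.0.1"`, so nginx may also try `::1` and log refused upstream connections. Reuse the configured address as the removed cloudflared ingress did: `proxyPass = "http://${config.services.${service}.config.ROCKET_ADDRESS}:${toString config.services.${service}.config.ROCKET_PORT}";`. The location also does not set `proxyWebsockets = true;`, which Vaultwarden's live-sync notifications probably need. Because nginx now terminates TLS for the service, it is worth confirming whether the env file enables the `/admin` panel and, if it does, restricting that path in the vhost. The enclosing `config = mkIf cfg.enable` block starts outside this hunk.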
@@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-ed25519 IsVD3g MXyxq6twZvHuGa34cyTGrKJ/2PlQVHwdRvtS/biAAwc +ds/yAQTJmZ+XUwWWKE6Zpjocp+wOlTUo8ZJEchnyeyA +-> ssh-rsa +vTWQw +wr4+JL6SYefXpOjRpWVNeCtwW43P5t1ICTIc2ZeANZoUKZQ+gjJqOnaTIf6O/NCf +7hLAqGiuqBEiGbo+4VxACVs9y4vwB2JQxklmlGfWxmTN8YFLmg9OBwwb5sPPlpWY +bC2x1+V2KO0h8z0vrkFjRJcq0a+N6L8G5iM2+KPSia2yFELCTcl6DUTRY3EufsKH +c7X7KZhyslFjLV9CHOgaHjtrMNxyHnYkxT0cwezRsTb7UFScuU33ox84yZwn5Ebg +r4Ll9v9M2jw43PI+L6o703yCRNHV+7O2ms6Q4eyZ+LcK0GhBfVGgNlPeRjLCXUcL +kbKziay/D9k5l9EaLB1vNOyouNLaJVxjDiBo7DUT9O5/1Lo+RiWDMyzaXP3094CR +/XEjCn+DuWurf0QiZuhtD9zjXrp9pqqa63A6R3oVHTa/EoD6gf+M4aT+RL0P0Sfv +d2VGSOaUn3H/tInd4psLQRbRr+fiajOgleqo+XhYJd69P5onkBKYfloOOGMtumn2 +quLohQrkmwiNfPYn6WAdzehhgqqLp49nmIaBmBxs2mJ1e78zHPM+Qea3E1dv1eo0 +p4n8niu7rhz+OXWTGz7/QKIw/Fd7cvjTjReu7Zynyb2L32BcxP3xxZuSd+C1a4YH +JSWEtnOP3dmP483jQI8zh2RWoTZ2ViQ282jG/1whMB8 +--- ZKapT60ToUfDvnxOo1NnGawLAthNptfdDbRt3TgdZDw +װ6eƔuAE)a[་J0[&1%ΐ-v03Sdج^e f]n gK/xgc!j?+~b^'@Xc \ No newline at end of file