diff --git a/hosts/oracle/default.nix b/hosts/oracle/default.nix
index 382e7cc..8f48abf 100644
--- a/hosts/oracle/default.nix
+++ b/hosts/oracle/default.nix
@@ -22,6 +22,7 @@ nixpkgs.lib.nixosSystem {
 nextcloudServer = "cloud.masu.rs";
 transmissionServer = "download.masu.rs";
 metricsServer = "metrics.masu.rs";
+ vaultwardenServer = "vault.masu.rs";
 
 # Disable passwords, only use SSH key
 passwordHash = null;
@@ -80,6 +81,7 @@ nixpkgs.lib.nixosSystem {
 ../../modules/services/cloudflare.nix
 ../../modules/services/transmission.nix
 ../../modules/services/prometheus.nix
+ ../../modules/services/vaultwarden.nix
 ../../modules/gaming/minecraft-server.nix
 ];
 }
diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix
index e452281..8acb438 100644
--- a/modules/services/vaultwarden.nix
+++ b/modules/services/vaultwarden.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }: {
+{ config, lib, ... }: {
 
 options = {
 
@@ -13,12 +13,40 @@
 services.vaultwarden = {
 enable = true;
 config = {
- DOMAIN = config.vaultwardenServer;
+ DOMAIN = "https://${config.vaultwardenServer}";
 SIGNUPS_ALLOWED = false;
+ SIGNUPS_VERIFY = true;
+ INVITATIONS_ALLOWED = true;
+ WEB_VAULT_ENABLED = true;
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8222;
+ WEBSOCKET_ENABLED = true;
+ WEBSOCKET_ADDRESS = "0.0.0.0";
+ WEBSOCKET_PORT = 3012;
+ LOGIN_RATELIMIT_SECONDS = 60;
+ LOGIN_RATELIMIT_MAX_BURST = 10;
+ ADMIN_RATELIMIT_SECONDS = 300;
+ ADMIN_RATELIMIT_MAX_BURST = 3;
 };
- environmentFile = null;
+ environmentFile = config.secrets.vaultwarden.dest;
 dbBackend = "sqlite";
 };
- };
+
+ secrets.vaultwarden = {
+ source = ../../private/vaultwarden.age;
+ dest = "${config.secretsDirectory}/vaultwarden";
+ owner = "vaultwarden";
+ group = "vaultwarden";
+ };
+
+ networking.firewall.allowedTCPPorts = [ 3012 ];
+
+ caddyRoutes = [{
+ match = [{ host = [ config.vaultwardenServer ]; }];
+ handle = [{
+ handler = "reverse_proxy";
+ upstreams = [{ dial = "localhost:8222"; }];
+ }];
+ }];
 }
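Review bot: `WEBSOCKET_ADDRESS = "0.0.0.0"` combined with `networking.firewall.allowedTCPPorts = [ 3012 ];` publishes the notifications websocket on every interface without TLS, while the HTTP side is deliberately kept on `127.0.0.1` behind Caddy; the Caddy route in the same hunk also forwards everything, including `/notifications/hub`, to `localhost:8222` rather than 3012, so the open port is not what clients reach through the configured `DOMAIN` anyway. Binding the websocket to loopback, dropping the firewall rule and adding a path-matched route in front of `localhost:3012` keeps a single TLS entry point (on vaultwarden releases that serve websockets on the main Rocket port the extra route and the `WEBSOCKET_*` keys can be dropped instead — check the packaged version). `SIGNUPS_VERIFY = true` and `INVITATIONS_ALLOWED = true` only work when SMTP is configured, which is not visible here; if the `SMTP_*` keys are not in the age-encrypted environment file, invitations will be accepted but no mail sent, and the same file is presumably where `ADMIN_TOKEN` lives, so it should hold the hashed form rather than the plaintext token. The enclosing attribute set opens before this hunk and the removed `};` has no replacement closer after `caddyRoutes`, so confirm the braces still balance in the new file.
```nix
        WEBSOCKET_ADDRESS = "127.0.0.1";
        # … unchanged: remaining config keys …

    # … unchanged: secrets.vaultwarden …  (firewall rule for 3012 removed)

    caddyRoutes = [
      {
        match = [{ host = [ config.vaultwardenServer ]; path = [ "/notifications/hub" ]; }];
        handle = [{
          handler = "reverse_proxy";
          upstreams = [{ dial = "localhost:3012"; }];
        }];
      }
      {
        match = [{ host = [ config.vaultwardenServer ]; }];
        handle = [{
          handler = "reverse_proxy";
          upstreams = [{ dial = "localhost:8222"; }];
        }];
      }
    ];
```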
diff --git a/private/vaultwarden.age b/private/vaultwarden.age
new file mode 100644
index 0000000..523b1bd
--- /dev/null
+++ b/private/vaultwarden.age
@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBqNm0x
+YVc0bXp6eldNdkp1QWk2cEI0WFBhVVd3cHhDODNwMS9UUTBPN25JCmxXZnRIcFZr
+SFJrQnI3R1BTUk1BcVl3RjlUaXMzSXpqaGdTMi9reno1eHcKLT4gc3NoLWVkMjU1
+MTkgWXlTVU1RIFlKWCtsWGtWdTI4L0ZFTVRHNFN5by9vTE95MXFoMVZGYlYrM1I2
+alREaE0Kd251SGRDdE96VmZqblhEWXFkZDhvRUZsZ1pnZ3NqdEdJSlBvaXhoOHVB
+WQotLS0gaGJNRm14SkdXcTFmYlJUell1WUZUeEllT3ZwMkNaejF3eWJ5U1ZSdno1
+MAqQIT8vvUro+C+avm6lCPfrX9yigKzx/gtKfMB//1Ie7BUo1+o5iYoA+R0luMU8
+/zVX1yGAzDPqas/HfYclIPg3bdjm2dnpz0ltOrOvjA4x3nEzzrmS96zo3Fy1d8oX
+oAMw2l/p2QDHI60cyhvC
+-----END AGE ENCRYPTED FILE-----