diff --git a/secrets.nix b/secrets.nix
index 73b43a0..74913d4 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -11,8 +11,19 @@ let
 jellyfin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBiJb+U6LQ3KglTJqdUzwCVkKWqYoBuJXZ8BXXgCMqN5 root@jellyfin";
 qbittorrent-vpn = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILliMLQejGa5BK/pjRAjzD03i3Rc3izdXFlH/gwReLMh root@qbittorrent-vpn";
 nixarr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICbGn92P4OxaGWiQDrAbE8NhFp8UCtkfSzX2fkEv+ckk root@arr-box";
+ vaultwarden = "";
 
- systems = [grafana onlyoffice postgresql forgejo nginx jellyfin];
+ systems = [
+ grafana
+ onlyoffice
+ postgresql
+ forgejo
+ nginx
+ jellyfin
+ qbittorrent-vpn
+ nixarr
+ vaultwarden
+ ];
 in {
 "secrets/initialPassword.age".publicKeys = users ++ systems;
 
@@ -33,6 +44,7 @@ in {
 "services/postgresql/secrets/grafanaDBPass.age".publicKeys = [tbarnouin postgresql];
 "services/postgresql/secrets/netboxDBPass.age".publicKeys = [tbarnouin postgresql];
 "services/postgresql/secrets/onlyofficeDBPass.age".publicKeys = [tbarnouin postgresql];
+ "services/postgresql/secrets/vaultwardenDBPass.age".publicKeys = [tbarnouin postgresql];
 "secrets/postgresql-lapi-key.age".publicKeys = [tbarnouin postgresql];
 
 "services/nginx/secrets/cs-lapi-key.age".publicKeys = [tbarnouin nginx];
@@ -43,7 +55,9 @@ in {
 "secrets/jellyfin-lapi-key.age".publicKeys = [tbarnouin jellyfin];
 "secrets/redis-lapi-key.age".publicKeys = [tbarnouin redis];
 
-
+
+ "services/vaultwarden/secrets/env-file.age".publicKeys = [tbarnouin vaultwarden];
+
 "services/qbittorrent-vpn/secrets/docker-gluetun-env.age".publicKeys = [tbarnouin qbittorrent-vpn];
 "services/qbittorrent-vpn/secrets/docker-qbittorrent-env.age".publicKeys = [tbarnouin qbittorrent-vpn];
 "secrets/docker-lapi-key.age".publicKeys = [tbarnouin qbittorrent-vpn];
diff --git a/services/authentik/default.nix b/services/authentik/default.nix
deleted file mode 100644
index 5e92ecd..0000000
--- a/services/authentik/default.nix
+++ /dev/null
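Review bot: `vaultwarden = "";` puts an empty string into `systems`, so `secrets/initialPassword.age` and, in the later hunk of this file, `services/vaultwarden/secrets/env-file.age` now list an empty public key as a recipient; as far as I know agenix hands every entry to age as a recipient, so an empty one makes the next rekey or edit fail, and if a tool ever skipped it silently the vaultwarden host would be unable to decrypt its own secrets. Fill in the host key before rekeying, e.g. `vaultwarden = "ssh-ed25519 AAAA... root@vaultwarden";`, or leave the name out of `systems` and the env-file recipient list until the key exists. The `env-file.age` ciphertext itself is not part of this diff, so I cannot confirm which recipients it was actually encrypted to.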
@@ -1,18 +0,0 @@
-{
- inputs,
- config,
- lib,
- authentik-nix,
- ...
-}: let
- cfg = config.services.vm_authentik;
-in {
- options.services.vm_authentik = {
- enable = lib.mkEnableOption "Enable minimal config";
- };
- config = lib.mkIf cfg.enable {
- networking = {
- firewall.allowedTCPPorts = [9000 9300 9443];
- };
- };
-}
diff --git a/services/onlyoffice/default.nix b/services/onlyoffice/default.nix
index 9a0a2ac..72716f4 100644
--- a/services/onlyoffice/default.nix
+++ b/services/onlyoffice/default.nix
@@ -30,7 +30,6 @@ in {
 port = 8000;
 postgresName = "onlyoffice";
 postgresHost = "${cfg.pgsql_ip}";
- postgresUser = "onlyoffice";
 postgresPasswordFile = config.age.secrets.office-dbpass.path;
 jwtSecretFile = config.age.secrets.office-jwtpass.path;
 };
diff --git a/services/postgresql/default.nix b/services/postgresql/default.nix
index c97a620..471ebe4 100644
--- a/services/postgresql/default.nix
+++ b/services/postgresql/default.nix
@@ -39,6 +39,10 @@ in {
 file = ./secrets/onlyofficeDBPass.age;
 owner = "postgres";
 };
+ vaultwardenDBPass = {
+ file = ./secrets/vaultwardenDBPass.age;
+ owner = "postgres";
+ };
 };
 services = {
 crowdsec = {
@@ -64,12 +68,13 @@ in {
 enableTCPIP = true;
 settings.port = 5432;
 authentication = "
- host nextcloud nextcloud 192.168.1.45/32 md5
- host gitea gitea 192.168.1.14/32 md5
- host authentik authentik 192.168.1.125/32 md5
- host grafana grafana 192.168.1.27/32 md5
- host netbox netbox 192.168.1.90/32 md5
- host onlyoffice onlyoffice 192.168.1.20/32 md5
+ host nextcloud nextcloud 192.168.1.45/32 md5
+ host gitea gitea 192.168.1.14/32 md5
+ host authentik authentik 192.168.1.125/32 md5
+ host grafana grafana 192.168.1.27/32 md5
+ host netbox netbox 192.168.1.90/32 md5
+ host onlyoffice onlyoffice 192.168.1.20/32 md5
+ host vaultwarden vaultwarden 192.168.1.22/32 md5
 ";
 initialScript = pkgs.writeText "init-sql-script" ''
 CREATE ROLE nextcloud WITH LOGIN CREATEDB;
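Review bot: The new pg_hba entry `host vaultwarden vaultwarden 192.168.1.22/32 md5` selects the legacy `md5` method even though the role passwords are set by `ALTER ROLE ... WITH PASSWORD` and are therefore stored using the cluster's `password_encryption`, which defaults to `scram-sha-256` on PostgreSQL 14 and later; a `scram-sha-256` entry would be the like-for-like modern choice and still works against an existing SCRAM verifier. Since this hunk already rewrites the other six host lines for indentation, it is a cheap moment to switch them all, starting with `host vaultwarden vaultwarden 192.168.1.22/32 scram-sha-256`. If the cluster has TLS enabled (not visible here), `hostssl` instead of `host` would additionally refuse cleartext connections from the application VMs.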
@@ -95,6 +100,10 @@ in {
 CREATE ROLE onlyoffice WITH LOGIN CREATEDB;
 CREATE DATABASE onlyoffice;
 GRANT ALL PRIVILEGES ON DATABASE onlyoffice TO onlyoffice;
+
+ CREATE ROLE vaultwarden WITH LOGIN CREATEDB;
+ CREATE DATABASE vaultwarden;
+ GRANT ALL PRIVILEGES ON DATABASE vaultwarden TO vaultwarden;
 '';
 };
 };
@@ -106,7 +115,7 @@ in {
 authentikDBPass = config.age.secrets.authentikDBPass.path;
 grafanaDBPass = config.age.secrets.grafanaDBPass.path;
 netboxDBPass = config.age.secrets.netboxDBPass.path;
- onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path;
+ vaultwardenDBPass = config.age.secrets.vaultwardenDBPass.path;
 in ''
 $PSQL -tA <<'EOF'
 DO $$
@@ -127,8 +136,8 @@ in {
 password := trim(both from replace(pg_read_file('${netboxDBPass}'), E'\n', '''));
 EXECUTE format('ALTER ROLE netbox WITH PASSWORD '''%s''';', password);
 
- password := trim(both from replace(pg_read_file('${onlyofficeDBPass}'), E'\n', '''));
- EXECUTE format('ALTER ROLE onlyoffice WITH PASSWORD '''%s''';', password);
+ password := trim(both from replace(pg_read_file('${vaultwardenDBPass}'), E'\n', '''));
+ EXECUTE format('ALTER ROLE vaultwarden WITH PASSWORD '''%s''';', password);
 END $$;
 EOF
 '';
diff --git a/services/postgresql/secrets/vaultwardenDBPass.age b/services/postgresql/secrets/vaultwardenDBPass.age
new file mode 100644
index 0000000..cbe46eb
--- /dev/null
+++ b/services/postgresql/secrets/vaultwardenDBPass.age
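Review bot: `CREATE ROLE vaultwarden WITH LOGIN CREATEDB;` grants CREATEDB, which the service does not need once its database exists — it runs migrations inside its own database — so `CREATE ROLE vaultwarden WITH LOGIN;` is the least-privilege form. Separately, the database is created by the superuser running `initialScript`, so it is owned by `postgres`; on PostgreSQL 15 or newer the `public` schema no longer grants CREATE to every role, and `GRANT ALL PRIVILEGES ON DATABASE` does not cover schema objects, so the first migration would fail with a permission error. `CREATE DATABASE vaultwarden OWNER vaultwarden;` addresses both points; the cluster version is not visible in this diff, so confirm it before relying on the PG15 remark.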
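Review bot: Swapping `onlyofficeDBPass` for `vaultwardenDBPass` in this `let`, together with the matching replacement of the `ALTER ROLE onlyoffice` statement later in the same script, means the onlyoffice role's password is no longer set from `./secrets/onlyofficeDBPass.age` at all, even though the secret is still declared in `age.secrets` earlier in this diff and `secrets.nix` still distributes it. On an existing cluster the old password persists in the catalog, so nothing breaks until the secret is rotated or the cluster is rebuilt, at which point onlyoffice's password login fails. Unless the binding is re-added in a part of the file not shown, the vaultwarden line should be added next to the onlyoffice one rather than replacing it: keep `onlyofficeDBPass = config.age.secrets.onlyofficeDBPass.path;` and add `vaultwardenDBPass = config.age.secrets.vaultwardenDBPass.path;`. The enclosing postStart script begins before this hunk.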
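Review bot: `EXECUTE format('ALTER ROLE vaultwarden WITH PASSWORD '''%s''';', password);` splices the secret into the statement with `%s` inside hand-written quotes, so a password containing a single quote produces a syntax error (or, in the worst case, extra SQL), and because the whole `DO $$` block is one transaction, that failure leaves every role's password unset, not just vaultwarden's. Using the literal specifier lets PostgreSQL do the quoting: `EXECUTE format('ALTER ROLE vaultwarden WITH PASSWORD %L;', password);` (the `'''` escapes are no longer needed since `%L` adds its own quotes). The existing lines for the other roles share this pattern and would benefit from the same change; the `DO` block starts before this hunk.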
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyA4L3gy
+RnJDQ2VOQitLNVd2d0haN2RveUE5OWJOcnUxakdyOGNBVWhMYUdnCjZGTDJuRjda
+L1ZuZmNxVEVLaElQQXlWWjR4NmgrekpnSzNKWi9xdGNVb2cKLT4gc3NoLWVkMjU1
+MTkgc2luZ3ZRIC9Pcy95WTM1Tm1oOUIxVlJUT3RHZ3lOZjdBN2dhUm14blRMSzNI
+SS9ORlUKQUZiMGF5eWNWUVNCL0h5OU5UQ0d6bytxTkxPdTVyRVF0c0FwZkRiUGJD
+TQotPiBFV09dKy1ncmVhc2Ugby4sbiBmJnJZZkYgaCQsZ3RhCkpOakF5akVSTEpE
+b2w4Q1pSN1ZxY3ltOTV3eGhNank3eHVWazlVT3h2WWNXUUhaUHl5aHhFdTNqQUJn
+SFRSSVUKUlpaeDRaUEF2VVdSNUY1L3Z3UQotLS0ganBmdU4yVmNNMUh2NFlZN09t
+WE5LRmlYU0RxL25JZXJXaFdzeTVBbmtMRQqkmAEDkEwwBnIxkBH6I6qzzwg5fPy/
+IL6FzdjsGrBYOrfP1IVfFF/iz5Phd8fsSkusyg==
+-----END AGE ENCRYPTED FILE-----
diff --git a/services/vaultwarden/default.nix b/services/vaultwarden/default.nix
new file mode 100644
index 0000000..bf11dc1
--- /dev/null
+++ b/services/vaultwarden/default.nix
@@ -0,0 +1,28 @@
+{
+ lib,
+ config,
+ ...
+}: let
+ cfg = config.services.vm_vaultwarden;
+in {
+ options.services.vm_vaultwarden = {
+ enable = lib.mkEnableOption "Enable minimal config";
+ };
+ config = lib.mkIf cfg.enable {
+ age.secrets.env-file = {
+ file = ./secrets/env-file.age;
+ };
+ services = {
+ vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+ environmentFile = config.age.secrets.env-file.path;
+ config = {
+ DOMAIN = "https://vault.le43.eu";
+ SIGNUPS_ALLOWED = false;
+ IP_HEADER = "X-Forwarded-For";
+ };
+ };
+ };
+ };
+}
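Review bot: `IP_HEADER = "X-Forwarded-For"` tells Vaultwarden to take the client address from a request header, which it uses for login rate limiting and admin-panel lockout, so it is only safe when the Rocket listener is reachable exclusively from the reverse proxy; this module pins neither `ROCKET_ADDRESS`/`ROCKET_PORT` nor any firewall rule, and since nginx appears to be a separate host (it has its own key in `secrets.nix` and vaultwarden sits at 192.168.1.22 in pg_hba), the listener must be on a LAN-facing address. Anyone else on that network who can reach the port directly can set `X-Forwarded-For` to an arbitrary value and sidestep the per-IP throttling. I would set `ROCKET_ADDRESS` and `ROCKET_PORT` explicitly in `config`, allow that port only from the proxy (with the nftables firewall, e.g. `networking.firewall.extraInputRules = "ip saddr <nginx-ip> tcp dport <port> accept";`), and add `# IP_HEADER is trusted: this port must only be reachable through the nginx proxy` above the setting. Whether the firewall is already restricted for this VM elsewhere in the repo is not visible here.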