diff --git a/secrets.nix b/secrets.nix
index ed83bce..8889720 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -57,6 +57,7 @@ in {
 "secrets/redis-lapi-key.age".publicKeys = [tbarnouin redis];
 "services/vaultwarden/secrets/env-file.age".publicKeys = [tbarnouin vaultwarden];
+ "secrets/vaultwarden-api-key.age".publicKeys = [tbarnouin vaultwarden];
 "services/qbittorrent-vpn/secrets/docker-gluetun-env.age".publicKeys = [tbarnouin qbittorrent-vpn];
 "services/qbittorrent-vpn/secrets/docker-qbittorrent-env.age".publicKeys = [tbarnouin qbittorrent-vpn];
diff --git a/services/nginx/default.nix b/services/nginx/default.nix
index b18158d..0b76e87 100644
--- a/services/nginx/default.nix
+++ b/services/nginx/default.nix
@@ -192,7 +192,7 @@ in {
 forceSSL = true;
 enableACME = true;
 locations."/" = {
- proxyPass = "http://192.168.1.125:8888";
+ proxyPass = "http://192.168.1.22:8000";
 recommendedProxySettings = true;
 };
 };
diff --git a/services/vaultwarden/default.nix b/services/vaultwarden/default.nix
index bf11dc1..1704e65 100644
--- a/services/vaultwarden/default.nix
+++ b/services/vaultwarden/default.nix
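Review bot: The added entry names `secrets/vaultwarden-api-key.age`, but the services/vaultwarden/default.nix hunk in this same commit reads `../../secrets/vaultwarden-lapi-key.age` (secret `vaultwarden-lapi-key`), and the neighbouring `secrets/redis-lapi-key.age` entry follows the `*-lapi-key.age` convention; the two names must agree, otherwise agenix has no recipient rule for the file the module actually references. Presumably the intended line is `"secrets/vaultwarden-lapi-key.age".publicKeys = [tbarnouin vaultwarden];`. The `in {` attribute set enclosing this hunk starts and ends outside it.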
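Review bot: The new upstream `http://192.168.1.22:8000` is a bare literal that now has to agree with `ROCKET_PORT = "8000"` set in services/vaultwarden/default.nix by the same commit, and nothing records which host it is; a comment would make the coupling visible, e.g. `# vaultwarden host; port must match ROCKET_PORT in services/vaultwarden/default.nix`. The hop from nginx to the backend remains plain HTTP across the LAN, which this change does not alter, so the TLS termination only protects the client-facing side. The enclosing virtualHost block starts outside the hunk.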
@@ -9,20 +9,46 @@ in {
 enable = lib.mkEnableOption "Enable minimal config";
 };
 config = lib.mkIf cfg.enable {
- age.secrets.env-file = {
- file = ./secrets/env-file.age;
+ age.secrets = {
+ vaultwarden-lapi-key = {
+ file = ../../secrets/vaultwarden-lapi-key.age;
+ owner = "crowdsec";
+ };
+ env-file = {
+ file = ./secrets/env-file.age;
+ };
 };
 services = {
+ crowdsec = {
+ hub.collections = [
+ "Dominic-Wagner/vaultwarden"
+ ];
+ settings.lapi.credentialsFile = "${config.age.secrets.vaultwarden-lapi-key.path}";
+ localConfig = {
+ acquisitions = [
+ {
+ source = "journalctl";
+ journalctl_filter = ["_SYSTEMD_UNIT=vaultwarden.service"];
+ labels = {
+ type = "syslog";
+ };
+ }
+ ];
+ };
+ };
 vaultwarden = {
 enable = true;
 dbBackend = "postgresql";
 environmentFile = config.age.secrets.env-file.path;
 config = {
+ ROCKET_ADDRESS = "0.0.0.0";
+ ROCKET_PORT = "8000";
 DOMAIN = "https://vault.le43.eu";
 SIGNUPS_ALLOWED = false;
 IP_HEADER = "X-Forwarded-For";
 };
 };
 };
+ networking.firewall.allowedTCPPorts = [8000];
 };
 }
diff --git a/services/vaultwarden/secrets/env-file.age b/services/vaultwarden/secrets/env-file.age
index e6ca032..5d80d5d 100644
--- a/services/vaultwarden/secrets/env-file.age
+++ b/services/vaultwarden/secrets/env-file.age
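Review bot: `ROCKET_ADDRESS = "0.0.0.0"` together with `networking.firewall.allowedTCPPorts = [8000]` exposes the Rocket listener to every host that can reach this machine rather than only the nginx proxy, and because `IP_HEADER = "X-Forwarded-For"` is kept, a client that reaches port 8000 directly chooses the address vaultwarden records for it — which is also the address the new crowdsec acquisition and its LAPI decisions key on. Limit the opening to the proxy, for instance with `networking.firewall.interfaces.<iface>.allowedTCPPorts` on the LAN interface or an `networking.firewall.extraCommands` rule restricted to the nginx host's source address, or bind Rocket to that interface's address instead of 0.0.0.0. As a point of style, the interpolation in `settings.lapi.credentialsFile = "${config.age.secrets.vaultwarden-lapi-key.path}";` is redundant; `environmentFile` a few lines below uses the bare path, so `settings.lapi.credentialsFile = config.age.secrets.vaultwarden-lapi-key.path;` matches the file's existing form.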
@@ -1 +1,13 @@
-DATABASE_URL=postgresql://vaultwarden:Vaultwarden43Zer!@192.168.1.13/vaultwarden
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9Xa1ZYdyBhb2hF
+emtvdEdTWUI2UVRJeVBmejN0YWliR1lEbmoyeVpIOFVZdHFOVFdvCmtXOXE2WVZs
+TFkvUnhCZGY0UG14VE42SGxQQVpLQk9OblFtbWRQWWJuMzQKLT4gc3NoLWVkMjU1
+MTkgeDBDOU93IFFsWmxnNXZzR0xUanpxTXRyeE9BWWpPcFlYYytpaUduK2lXYXQ4
+LzJSbTAKTHdLMGpsQ0t2eDhYSy9CaTlVWWo0SDB0SFE0dytLckZyYklxVlI4WE0w
+SQotPiBxLWdyZWFzZSBxKS8wRyBJCmZ4dnRmYzVPZ3c1TDNKdHptcTkzVEExZWw3
+dlF0MzJrS2pNeHRsUVRWakxhS3pVaDg2RSs5eFcwYWhlVmFsUkYKQm5ZeURKMXR6
+eEwzSGVmb1NwKzBDTEVZbk9oWHJuT0piQQotLS0gdWZ0dThlU2tMa3ZlTWJFaTdD
+bWc2cGlZVEJzV3h6ZWJBenVyVUdlRlNJOAqu2t8gss9xXx4P+8PIPJLzqLiU26Cc
+4MxIYDk6g7KQOGbchP4tvwpZPGD2Aafaa+lI12xw2wLB3/y0FAxmi0mX3c3u6RZL
+sFzBKE6Yr2CernqyEeTt/tD4h3xQ4dSbW+zNvajIQHHg4GFckbEdaDCk4A==
+-----END AGE ENCRYPTED FILE-----
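Review bot: The removed line shows that the previous revision of this file was committed in the clear — a PostgreSQL connection string carrying the vaultwarden database password for the host at 192.168.1.13 — and encrypting the file now does not undo that exposure, because the plaintext stays in the repository history. That password should be rotated on the PostgreSQL server and the new value re-encrypted into this file, and the old revision purged from history if the repository is shared or published. The new content is age armour and cannot be reviewed beyond that.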