diff --git a/options/custom/containers/vaultwarden.nix b/options/custom/containers/vaultwarden.nix
new file mode 100644
index 0000000..c972508
--- /dev/null
+++ b/options/custom/containers/vaultwarden.nix
@@ -0,0 +1,40 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.custom.containers.vaultwarden;
+in {
+  options.custom.containers.vaultwarden = {
+    enable = mkOption {default = false;};
+    menu = mkOption {default = true;};
+  };
+
+  config = mkIf cfg.enable {
+    age.secrets = let
+      secret = filename: {
+        file = "${inputs.self}/secrets/${filename}";
+      };
+    in {
+      "${config.custom.profile}/vaultwarden/.env" = secret "${config.custom.profile}/vaultwarden/.env";
+    };
+
+    #?? arion-vaultwarden pull
+    environment.shellAliases.arion-vaultwarden = "sudo arion --prebuilt-file ${config.virtualisation.arion.projects.vaultwarden.settings.out.dockerComposeYaml}";
+
+    virtualisation.arion.projects.vaultwarden.settings.services = {
+      # https://github.com/dani-garcia/vaultwarden
+      # https://github.com/dani-garcia/vaultwarden/wiki
+      vaultwarden.service = {
+        container_name = "vaultwarden";
+        env_file = [config.age.secrets."${config.custom.profile}/vaultwarden/.env".path];
+        image = "vaultwarden/server:1.33.1";
+        ports = ["8008:80"];
+        restart = "unless-stopped";
+        volumes = ["${config.custom.containers.directory}/vaultwarden/data:/data"];
+      };
+    };
+  };
+}
diff --git a/profiles/server/default.nix b/profiles/server/default.nix
index b172170..9d485bf 100644
--- a/profiles/server/default.nix
+++ b/profiles/server/default.nix
@@ -24,6 +24,7 @@
       #// owncast.enable = true;
       #// redlib.enable = true;
       #// searxng.enable = true;
+      vaultwarden.enable = true;
     };
 
     services = {
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 9d64ac3..4d384a3 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -87,4 +87,5 @@ in {
   "server/searxng/.env".publicKeys = server;
   "server/users/myned.pass".publicKeys = server;
   "server/users/root.pass".publicKeys = server;
+  "server/vaultwarden/.env".publicKeys = server;
 }
diff --git a/secrets/server/vaultwarden/.env b/secrets/server/vaultwarden/.env
new file mode 100644
index 0000000..9747da2
Binary files /dev/null and b/secrets/server/vaultwarden/.env differ