diff --git a/modules/homelab/services/vaultwarden/default.nix b/modules/homelab/services/vaultwarden/default.nix
new file mode 100644
index 0000000..7db8419
--- /dev/null
+++ b/modules/homelab/services/vaultwarden/default.nix
@@ -0,0 +1,77 @@
+{ pkgs, config, lib, ... }:
+
+let
+ cfg = config.modules.services.vaultwarden;
+ ids = 2771;
+ default_port = 7701;
+ data_dir = "/var/lib/vaultwarden";
+in
+{
+ options.modules.services.vaultwarden = {
+ enable = lib.mkEnableOption "enables vaultwarden";
+
+ # set port options
+ port = lib.mkOption {
+ type = lib.types.int;
+ default = cfg.default_port;
+ description = "set port for vaultwarden (default: ${toString default_port}";
+ };
+
+ backup = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "enable backups for vaultwarden";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+
+ # declare vaultwarden group
+ users.groups.vaultwarden = { gid = ids; };
+
+ # declare vaultwarden user
+ users.users.vaultwarden = {
+ description = "vaultwarden server user";
+ uid = ids;
+ isSystemUser = true;
+ home = "/var/lib/vaultwarden";
+ createHome = true;
+ group = "vaultwarden";
+ extraGroups = [ "media" ];
+ };
+
+ # enable the vaultwarden service
+ services.vaultwarden = {
+ enable = true;
+ };
+
+ # override umask to make permissions work out
+ systemd.services.vaultwarden.serviceConfig = { UMask = lib.mkForce "0007"; };
+
+# # open firewall
+# networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+ # internal reverse proxy entry
+ services.nginx.virtualHosts."pass.snowbelle.lan" = {
+ enableACME = false;
+ forceSSL = true;
+ sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+ sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.port}";
+ };
+ # external reverse proxy entry
+ services.nginx.virtualHosts."pass.blakedheld.xyz" = {
+ enableACME = false;
+ forceSSL = true;
+ sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+ sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.port}";
+ };
+ };
+
+ # add to backups
+ modules.system.backups.paths = 
lib.mkIf cfg.backup [ data_dir ];
+ };
+}
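Review bot: The internal vhost `services.nginx.virtualHosts."pass.snowbelle.lan"` is never closed — after its `locations."/" = { … };` the hunk goes straight to `# external reverse proxy entry`, so the external vhost is declared inside the internal one and the braces no longer balance (the trailing `};` and `}` end up closing the vhost and `config` instead of the top-level set); a `};` is needed before the external entry. In the same file `default = cfg.default_port;` will also fail to evaluate, because `cfg` is the option set and `default_port` is the let binding — it should read `default = default_port;`, and that option's description string is missing its closing parenthesis. Functionally the chosen port is never handed to the daemon: `services.vaultwarden = { enable = true; }` sets no listen address or port, so `proxyPass` to `127.0.0.1:${cfg.port}` only works if vaultwarden's own defaults happen to match, and as far as I recall those defaults bind all interfaces with signups open, which matters once `pass.blakedheld.xyz` is Internet-facing — I would set `ROCKET_ADDRESS`, `ROCKET_PORT`, `SIGNUPS_ALLOWED = false` and `DOMAIN` through `services.vaultwarden.config` as below (confirm the option names against your nixpkgs revision). Separately, `extraGroups = [ "media" ]` grants the password-manager user access nothing in this module needs and should be dropped unless something depends on it, and both `locations."/"` blocks lack `proxyWebsockets = true;` so the `/notifications/hub` WebSocket upgrade would not be forwarded.
```nix
  port = lib.mkOption {
    type = lib.types.int;
    default = default_port;
    description = "set port for vaultwarden (default: ${toString default_port})";
  };
  # … unchanged: backup option, user and group declarations …
  services.vaultwarden = {
    enable = true;
    config = {
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = cfg.port;
      SIGNUPS_ALLOWED = false;
      DOMAIN = "https://pass.blakedheld.xyz";
    };
  };
  # … unchanged: umask override, commented-out firewall rule …
  services.nginx.virtualHosts."pass.snowbelle.lan" = {
    # … unchanged: enableACME, forceSSL, certificate paths …
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString cfg.port}";
      proxyWebsockets = true;
    };
  };  # closes the internal vhost before the external entry begins
  # … unchanged: external vhost (add proxyWebsockets there too), backups …
```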