diff --git a/constants.nix b/constants.nix
index 164ef1f..af7c34a 100644
--- a/constants.nix
+++ b/constants.nix
@@ -39,6 +39,10 @@ rec {
 fqdn = "rsshub." + domain;
 port = 1200;
 };
+ vaultwarden = {
+ fqdn = "pw.rx4.tail";
+ port = 8222;
+ };
 webdav = {
 fqdn = "dav.rx4.tail";
 port = 8080;
diff --git a/hosts/rx4/secrets/secrets.yaml b/hosts/rx4/secrets/secrets.yaml
index 2cfc73b..51b3768 100644
--- a/hosts/rx4/secrets/secrets.yaml
+++ b/hosts/rx4/secrets/secrets.yaml
@@ -16,6 +16,9 @@ forgejo-runner:
 webdav:
 user: ENC[AES256_GCM,data:vCLx,iv:Nra/FprNfd02HpvqOb5uYK+IGRFHhNwnFXWrX71c0C0=,tag:TjbKKOKBTq31o/5MxmqIsA==,type:str]
 pass: ENC[AES256_GCM,data:jfIoob6R6OhqKa2EujRzTQbvIlA=,iv:HvB088H2Z2uLCveT4YfNEdkK5VU0lBFD5FrZhx79fg0=,tag:1RnrfeUEURx0C575GTxi9A==,type:str]
+vaultwarden:
+ admin-token: ENC[AES256_GCM,data:HhD0xNZ/Ep7pCOX1j6p/M/ZZ3gs=,iv:7QT71KlYz+HQYBhiRavpiXS9sNS2PoJiM/WkxM3Hk/g=,tag:SYTRWpyA2+WMSMiRM8mvew==,type:str]
+ smtp-password: ENC[AES256_GCM,data:eQo7op5+74EID6689hL0/J1pq2s=,iv:JqrEqxabWGydRuJJ/27e1q+4YnQhTQ1bKRSsOvjQ+bE=,tag:weqnrhqK+LGEfAacBcuPUA==,type:str]
 sops:
 age:
 - recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
@@ -36,7 +39,7 @@ sops:
 NE5yK3ZaOG5PdXNSUnlIUmFSSmRFancKk57hCmo79HvI3hzzgQvgOK7oK5/dcQR8
 f3R4OGF5+212VXEHR/hAEbKzV7CY4y6HhFyrGZ9bUKm1RrxtnVqUyA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-02-14T18:41:58Z"
- mac: ENC[AES256_GCM,data:2e546c6VEf7vFGgSM344upn5C7YDGAwi8cLA/RV68ukJMKLvH1gdra4ii77uOaC1sCNan5mV0Kjs5ZVYj81O8PU3WJa9ra8TeAt8F690zTxNWSo1F/4sZxAk8d1WIBoNn4IPkYxi8Ry9+xqK13Q9PvplHc14VArMYC86wU+k5hc=,iv:T3td5G+pdfWzSLDuVkb75uWub6eBPxjqJgOrv3wvaiQ=,tag:vlQJVzFJEDncDzjA3JWM6Q==,type:str]
+ lastmodified: "2026-04-03T11:36:39Z"
+ mac: ENC[AES256_GCM,data:mIufcQyHd6sWnUCF/G8aRE10uwnntRXGz5R+fK6TbZSBJrRznTBaa4tVLtGo4wSghn4eBRfxecebuxSy0C2CQjBCkMbrjh4I2sYzAb5f8ghG4cQZgccuI7MCfQZ6JAEaa0BY7HJUZzlR9H+6iuDVuWwOO3OKzj0lWUlpDA6aC/M=,iv:qMSu9tYYkoirM2WHx7St/ztWSYxm8/gSosnCZYazNgU=,tag:NuUDG8fpAlBEbvKSq7/5bQ==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.11.0
+ version: 3.12.1
diff --git a/hosts/rx4/services/default.nix b/hosts/rx4/services/default.nix
index 356a390..94cc10c 100644
--- a/hosts/rx4/services/default.nix
+++ b/hosts/rx4/services/default.nix
@@ -19,9 +19,10 @@
 ./print-server.nix
 ./rss-bridge.nix
 ./rsshub-oci.nix
- # ./webdav.nix # FIXME
+ ./vaultwarden.nix
 # ./alditalk-extender.nix # FIXME
+ # ./webdav.nix # FIXME
 ];
 # bootstrap
diff --git a/hosts/rx4/services/vaultwarden.nix b/hosts/rx4/services/vaultwarden.nix
new file mode 100644
index 0000000..4675f1b
--- /dev/null
+++ b/hosts/rx4/services/vaultwarden.nix
@@ -0,0 +1,68 @@
+{
+ constants,
+ config,
+ lib,
+ ...
+}:
+
+let
+ inherit (constants) domain;
+ inherit (constants.services.vaultwarden) fqdn port;
+ inherit (lib) mkForce;
+in
+{
+ services.vaultwarden = {
+ enable = true;
+
+ dbBackend = "postgresql";
+ configurePostgres = true;
+
+ configureNginx = true;
+ domain = fqdn;
+
+ environmentFile = [ config.sops.templates."vaultwarden/env-file".path ];
+
+ config = {
+ SIGNUPS_ALLOWED = false;
+
+ SMTP_FROM = "vaultwarden@${domain}";
+ SMTP_FROM_NAME = "${domain} Vaultwarden server";
+ SMTP_HOST = "mail@${domain}";
+ SMTP_PORT = 587;
+ SMTP_SECURITY = "starttls";
+ SMTP_USERNAME = "vaultwarden@${domain}";
+
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = port;
+ ROCKET_LOG = "critical";
+ };
+ };
+
+ services.nginx.virtualHosts."${fqdn}".forceSSL = mkForce false; # let Tailnet handle SSL
+
+ sops =
+ let
+ owner = config.users.users.vaultwarden.name;
+ group = config.users.groups.vaultwarden.name;
+ mode = "0400";
+ in
+ {
+ secrets = {
+ "vaultwarden/admin-token" = {
+ inherit owner group mode;
+ };
+ "vaultwarden/smtp-password" = {
+ inherit owner group mode;
+ };
+ };
+ templates = {
+ "vaultwarden/env-file" = {
+ inherit owner group mode;
+ content = ''
+ ADMIN_TOKEN=${config.sops.placeholder."vaultwarden/admin-token"}
+ SMTP_PASSWORD=${config.sops.placeholder."vaultwarden/smtp-password"}
+ '';
+ };
+ };
+ };
+}
diff --git a/hosts/sid/secrets/secrets.yaml b/hosts/sid/secrets/secrets.yaml
index 9e4f07d..5df246e 100644
--- a/hosts/sid/secrets/secrets.yaml
+++ b/hosts/sid/secrets/secrets.yaml
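Review bot: `SMTP_HOST = "mail@${domain}";` is not a valid hostname — the `@` reads like a slip for a dot, so outbound mail (and with it the account this commit sets up as `vaultwarden@${domain}` on the sid mailserver) will fail to connect; it should name the mailserver host, presumably `SMTP_HOST = "mail.${domain}";` or whatever hostname sid presents. With `forceSSL = mkForce false` the nginx vhost for `pw.rx4.tail` answers plain HTTP, and Bitwarden clients and the web vault require a secure context, so confirm that TLS is really terminated in front of nginx on the tailnet and that port 80 on this host is reachable only from there, not from other interfaces. `ADMIN_TOKEN` is templated in as the raw secret; Vaultwarden also accepts an Argon2 PHC string (produced by `vaultwarden hash`) in that variable, which keeps the usable token out of the environment file and the process environment. The new file is complete within this hunk.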
@@ -29,6 +29,7 @@ netdata:
 mailserver:
 accounts:
 sid: ENC[AES256_GCM,data:xnU/+8BEewcZcbTWroIgCx5ceSFtDPe0Pq//qt3RWk81QWvbJxdukF4EyBSoQ7AqBhf4nDFZZxd4s8rZ,iv:OFhRxXHWOEC9mKGyK2ePfVGpBCDTfv0L+q3xzbXFefI=,tag:iO52YhFsSvb59RbcgXb+9w==,type:str]
+ vaultwarden: ENC[AES256_GCM,data:nSiiyurI0pNGlJiHpgu5jUQIq688IbPKlJCvx4jrFN9TwIY+kfVOaO4KWKkavBYfMZqMuEBr7EAdRULS,iv:OpgfXl1uYLgjOGDTkXFj/wPFUoE6uK89gtXLsB2x6gE=,tag:knJkNQnRCNcc/2nKBYdVCw==,type:str]
 radicale:
 sid: ENC[AES256_GCM,data:/OgIrXnGttIymGw98feiUjKPOIlrgRIC0TNCdBnuJOiA0RzbF0b9SMVzwEZiTEmS82g2lSvxQkE4kZjeOgOC0RLvCyZAmtWojq+g1pN0qhEkhwH0Qtu9wNnSYHuRqh2E5nWzHNGl/eF6zQ==,iv:5XtlyXjpB+XrVvJ7IoM7Gu63xA8vYrcJjUjLPmOMAIU=,tag:SAuYl/wzxnINyVWn9nI5yA==,type:str]
 sops:
@@ -51,7 +52,7 @@ sops:
 RzhnczA0S1pxcXZncGpWVHNYQW96L28K+ytH3PPyg4+wibpAQhp02RiSfZ83EDRB
 UJ8UV1d+51D0e2A1sI95r2AzDj4jfwUnI+LYDPC/qEpsu5LFLGVyeg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-02-01T22:55:09Z"
- mac: ENC[AES256_GCM,data:l+lTLQJ5FRAmvCNIDDFr4gpEvGw0csSKIeI8MnBfM5qsC+wg0d8JSAvBB1m+P/IKLeRoV4AdLuNaflisVoU+dVnk7yX7/lLKt5dfARoFX6zU+u4G4Q6jmpq80CegHFJNWMJE2NAMVrP6m465foWkXlhZIpyT0FBSwtaZkoc74Hg=,iv:H4sxdjPc1C3XxHkHPAooN2cRCHKd4CpzfoH7UM8t/q4=,tag:JHhdlg4g+8kIN0CngGaOaA==,type:str]
+ lastmodified: "2026-04-03T11:37:47Z"
+ mac: ENC[AES256_GCM,data:5f4/mIJzzvKhZjES4WA0Ds2g642FDS03oSmH4dUi0pnF01aQD75eZ0HI3vcdks6kY+b5xyH5BJ283cgrnIiG2oPjYsIt8ULFnXZql31QQJArirYC35qf5lIiN4gC0ObzC5nSTR4rzrqpWtmf2vrvxDXWftK+JdwPyPjk/4IAu50=,iv:tfHDum7KB+nYQnxfukm+w/BotWW+Itmn11yy6O4V6oE=,tag:0/sFkH9Z2ZP2wzVfJEYFqA==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.11.0
+ version: 3.12.1
diff --git a/hosts/sid/services/headscale.nix b/hosts/sid/services/headscale.nix
index c4673cb..8d9b55a 100644
--- a/hosts/sid/services/headscale.nix
+++ b/hosts/sid/services/headscale.nix
@@ -26,6 +26,7 @@
 100.64.0.6 netdata.sid.tail
 100.64.0.10 rx4.tail
 100.64.0.10 dav.rx4.tail
+ 100.64.0.10 pw.rx4.tail
 100.64.0.1 vde.tail
 fallthrough
 }
diff --git a/hosts/sid/services/mailserver.nix b/hosts/sid/services/mailserver.nix
index c6946d8..caa2b9f 100644
--- a/hosts/sid/services/mailserver.nix
+++ b/hosts/sid/services/mailserver.nix
@@ -10,6 +10,7 @@
 sid = {
 aliases = [ "postmaster" ];
 };
+ vaultwarden = { };
 };
 };
 }
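Review bot: The new `vaultwarden = { };` account carries no restrictions, yet the only consumer of this credential in the commit is Vaultwarden's `SMTP_USERNAME`/`SMTP_PASSWORD` for outbound mail from rx4. If this is simple-nixos-mailserver's `loginAccounts`, declaring it as `vaultwarden = { sendOnly = true; };` denies mailbox (IMAP) access for the account, so a leaked SMTP password from the rx4 environment file cannot be turned into read access to mail on sid. The enclosing attribute set starts outside the hunk, so how this account's password is wired from the `mailserver.accounts.vaultwarden` secret is not visible here.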