diff --git a/hosts/sid/services/nginx.nix b/hosts/sid/services/nginx.nix
index afbc5e0..57166b0 100644
--- a/hosts/sid/services/nginx.nix
+++ b/hosts/sid/services/nginx.nix
@@ -55,10 +55,12 @@ in
       address = constants.hosts.rx4.ip;
       port = constants.services.rsshub-oci.port;
     };
-    virtualHosts."${constants.services.vaultwarden.fqdn}" = mkVirtualHost {
-      inherit ssl;
-      address = constants.hosts.rx4.ip;
-      port = constants.services.vaultwarden.port;
+    virtualHosts."${constants.services.vaultwarden.fqdn}" = {
+      useACMEHost = "sid-internal";
+      forceSSL = ssl;
+      locations."/" = {
+        proxyPass = "http://${constants.hosts.rx4.ip}:${toString constants.services.vaultwarden.port}";
+      };
     };
     virtualHosts."${constants.services.webdav.fqdn}" = mkVirtualHost {
       inherit ssl;
diff --git a/hosts/sid/services/step-ca.nix b/hosts/sid/services/step-ca.nix
index 20fcae3..8ce01bd 100644
--- a/hosts/sid/services/step-ca.nix
+++ b/hosts/sid/services/step-ca.nix
@@ -75,6 +75,7 @@ in
     certs."sid-internal" = {
       domain = "*.${constants.intranet}";
       server = "https://${constants.ca-fqdn}:${toString cfg.port}/acme/acme/directory";
+      group = "nginx";
     };
   };