diff --git a/.gitignore b/.gitignore
index 06aebda..8522af6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 .env
+vaultwarden/.vaultwarden-data/
 crafty/docker/
 todo
 certs/
diff --git a/ddns/compose.yaml b/ddns/compose.yaml
index ff5144c..0d19d9a 100644
--- a/ddns/compose.yaml
+++ b/ddns/compose.yaml
@@ -38,4 +38,13 @@ services:
       - SUBDOMAIN=cloud
       - PROXIED=false
     restart: always
+  ddns-vaultwarden:
+    image: oznu/cloudflare-ddns:latest
+    container_name: ddns-vaultwarden
+    environment:
+      - API_KEY=${API_KEY}
+      - ZONE=${DOMAIN}
+      - SUBDOMAIN=vault
+      - PROXIED=false
+    restart: always
 
diff --git a/vaultwarden/compose.yaml b/vaultwarden/compose.yaml
new file mode 100644
index 0000000..c3842b5
--- /dev/null
+++ b/vaultwarden/compose.yaml
@@ -0,0 +1,30 @@
+---
+
+services:
+  vaultwarden:
+    container_name: vaultwarden
+    image: vaultwarden/server:latest
+    restart: always
+    volumes:
+      - .vaultwarden-data:/data
+    environment:
+      - ADMIN_TOKEN=${ADMIN_TOKEN}
+      - WEBSOCKET_ENABLED=true
+    networks:
+      - frontend
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.vaultwarden.tls=true
+      - traefik.http.services.vaultwarden.loadbalancer.server.port=80
+      - traefik.http.routers.vaultwarden.rule=Host(`vault.${DOMAIN}`)
+      - traefik.http.routers.vaultwarden.entrypoints=websecure
+      - traefik.http.routers.vaultwarden.tls=true
+      - traefik.http.routers.vaultwarden.tls.certresolver=cloudflare
+
+volumes:
+  .vaultwarden-data:
+    driver: local
+
+networks:
+  frontend:
+    external: true