diff --git a/cloudflare-kittywit.ch.tf b/cloudflare-kittywit.ch.tf
index 6bf31808..0722e0f1 100644
--- a/cloudflare-kittywit.ch.tf
+++ b/cloudflare-kittywit.ch.tf
@@ -75,7 +75,7 @@ resource "cloudflare_record" "terraform_managed_resource_95d39eb707041e694c6b7f0
 proxied = false
 ttl = 3600
 type = "CNAME"
- value = "daiyousei.kittywit.ch"
+ value = "yukari.gensokyo.zone"
 zone_id = "7e44e5503a0bba73d2025d0a9679205e"
 }
 
diff --git a/nixos/roles/matrix-server/nginx.nix b/nixos/roles/matrix-homeserver/nginx.nix
similarity index 100%
rename from nixos/roles/matrix-server/nginx.nix
rename to nixos/roles/matrix-homeserver/nginx.nix
diff --git a/nixos/roles/matrix-server/scalpel.nix b/nixos/roles/matrix-homeserver/scalpel.nix
similarity index 100%
rename from nixos/roles/matrix-server/scalpel.nix
rename to nixos/roles/matrix-homeserver/scalpel.nix
diff --git a/nixos/roles/matrix-server/secrets.nix b/nixos/roles/matrix-homeserver/secrets.nix
similarity index 100%
rename from nixos/roles/matrix-server/secrets.nix
rename to nixos/roles/matrix-homeserver/secrets.nix
diff --git a/nixos/roles/matrix-server/secrets.yaml b/nixos/roles/matrix-homeserver/secrets.yaml
similarity index 100%
rename from nixos/roles/matrix-server/secrets.yaml
rename to nixos/roles/matrix-homeserver/secrets.yaml
diff --git a/nixos/roles/matrix-server/synapse.nix b/nixos/roles/matrix-homeserver/synapse.nix
similarity index 100%
rename from nixos/roles/matrix-server/synapse.nix
rename to nixos/roles/matrix-homeserver/synapse.nix
diff --git a/nixos/roles/vaultwarden-server/nginx.nix b/nixos/roles/vaultwarden-server/nginx.nix
new file mode 100644
index 00000000..9f155a93
--- /dev/null
+++ b/nixos/roles/vaultwarden-server/nginx.nix
@@ -0,0 +1,18 @@
+_: {
+ services.nginx.virtualHosts."vault.kittywit.ch" = {
+ locations = {
+ "/" = {
+ proxyPass = "http://localhost:4000";
+ proxyWebsockets = true;
+ };
+ "/notifications/hub" = {
+ proxyPass = "http://localhost:3012";
+ proxyWebsockets = true;
+ };
+ "/notifications/hub/negotiate" = {
+ proxyPass = "http://localhost:4000";
+ proxyWebsockets = true;
+ };
+ };
+ };
+}
diff --git a/nixos/roles/vaultwarden-server/postgres.nix b/nixos/roles/vaultwarden-server/postgres.nix
new file mode 100644
index 00000000..083c102b
--- /dev/null
+++ b/nixos/roles/vaultwarden-server/postgres.nix
@@ -0,0 +1,11 @@
+_: {
+ services.postgresql = {
+ ensureDatabases = ["bitwarden_rs"];
+ ensureUsers = [
+ {
+ name = "bitwarden_rs";
+ ensurePermissions = {"DATABASE bitwarden_rs" = "ALL PRIVILEGES";};
+ }
+ ];
+ };
+}
diff --git a/nixos/roles/vaultwarden-server/scalpel.nix b/nixos/roles/vaultwarden-server/scalpel.nix
new file mode 100644
index 00000000..ffb7e848
--- /dev/null
+++ b/nixos/roles/vaultwarden-server/scalpel.nix
@@ -0,0 +1,20 @@
+_: {
+ secrets.files.vaultwarden-env = {
+ owner = "bitwarden_rs";
+ group = "bitwarden_rs";
+ };
+
+ services.vaultwarden = {
+ environmentFile = config.secrets.files.vaultwarden-env.path;
+ };
+
+ scalpel.trafos."environment_file" = {
+ source = "/etc/vaultwarden/environment_file_template";
+ matchers."VAULTWARDEN_ADMIN_TOKEN".secret = config.sops.secrets.vaultwarden_admin_token.path;
+ owner = "acme";
+ group = "acme";
+ mode = "0440";
+ };
+
+ services.vaultwarden.environmentFile = config.scalpel.trafos."environment_file".destination;
+}
diff --git a/nixos/roles/vaultwarden-server/secrets.yaml b/nixos/roles/vaultwarden-server/secrets.yaml
new file mode 100644
index 00000000..c938869e
--- /dev/null
+++ b/nixos/roles/vaultwarden-server/secrets.yaml
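Review bot: The `vault.kittywit.ch` virtual host carries no TLS settings — there is no `forceSSL`/`enableACME` (or `useACMEHost`) next to `locations`, so unless the shared `web-server` role sets them for every vhost, the password vault is reachable over plain HTTP while `services.vaultwarden.config.domain` in vaultwarden.nix advertises `https://vault.kittywit.ch`. Adding `forceSSL = true; enableACME = true;` on the vhost (or `useACMEHost = "kittywit.ch";` if a wildcard certificate is managed centrally) closes that gap. The three locations themselves look right: nginx longest-prefix matching routes `/notifications/hub/negotiate` to port 4000 and `/notifications/hub` to the websocket port 3012, each with `proxyWebsockets = true`.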
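Review bot: `ensureUsers` creates the role `bitwarden_rs` with no password, and vaultwarden.nix connects with `postgresql://bitwarden_rs@/bitwarden_rs`, so this role depends on unix-socket peer authentication matching the system user that vaultwarden.nix renames to `bitwarden_rs`; nothing in this file records that coupling. A comment above `ensureUsers` such as `# name must equal users.users.vaultwarden.name: the DSN has no password and relies on peer auth over the local socket` would prevent a later rename from silently breaking the service. On newer NixOS channels `ensurePermissions` has been replaced by `ensureDBOwnership = true`, so this may need adjusting when the channel moves — depends on the pinned nixpkgs.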
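Review bot: This module will not evaluate as written: it is declared as `_: {` yet reads `config.secrets.files.vaultwarden-env.path`, `config.sops.secrets.vaultwarden_admin_token.path` and `config.scalpel.trafos."environment_file".destination`, so `config` is an unbound identifier, and `services.vaultwarden.environmentFile` is defined twice with different values (the `secrets.files` path and the scalpel destination), which is a conflicting-definition error unless one side is `mkForce`d. The rendered environment file is also given `owner = "acme"; group = "acme"; mode = "0440";` while vaultwarden runs as `bitwarden_rs` (the user vaultwarden.nix sets up and the `secrets.files` block above already targets), so the service could not read its own `ADMIN_TOKEN` file even after the evaluation errors are fixed. Finally, `sops.secrets.vaultwarden_admin_token` is referenced but no declaration is added in this role (the matrix role ships a secrets.nix for that purpose); unless it is declared elsewhere, sops-nix needs `sops.secrets.vaultwarden_admin_token.sopsFile = ./secrets.yaml;` for the `.path` to exist. The sketch below keeps only the scalpel-rendered file as the environment source; if the project's `secrets.files` wiring is meant to be the consumer instead, drop the scalpel block rather than both.
```nix
{config, ...}: {
  # Declare the sops secret this role consumes (secrets.yaml in this directory);
  # remove if the secret is already declared by a shared secrets module.
  sops.secrets.vaultwarden_admin_token.sopsFile = ./secrets.yaml;

  scalpel.trafos."environment_file" = {
    # … unchanged: source, matchers, mode …
    # vaultwarden runs as bitwarden_rs (see vaultwarden.nix); acme must not own its secrets
    owner = "bitwarden_rs";
    group = "bitwarden_rs";
  };

  # Single definition: the rendered file is the only environment file.
  services.vaultwarden.environmentFile = config.scalpel.trafos."environment_file".destination;
}
```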
@@ -0,0 +1,42 @@
+vaultwarden_admin_token: ENC[AES256_GCM,data:aA1eO9z4XLpynGmpfdSiXtjft5Nmlu/VfZSA3J8wCbLaUau0P6qHQSAqNRTTJOUjqard7bMnjC5s3sEu9waLMQ==,iv:HWU/25zBd/v3tiySjSOsFUqCTrvtetrXIGyqqvqz+sk=,tag:TgPVkgXkzGTqO6r9H9Jixg==,type:str]
+sops:
+ shamir_threshold: 1
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyTkdCQ1ptaTY2cysvRlJk
+ Ylh1amlFZExzc0gxSFY1Zm5XUDRkUzl0bUNZClF1REJUbXUvQjhWa3FNanZJQXh2
+ SVlXdHRqUDdIdHZvMlNPaGxCdlJRZW8KLS0tIEJab3NZbDZqdlIwR3laeUx3N3cr
+ S0ZSYXhTNnMwRXVPa3RsS29PZEM4STgKkN4KuaiH5MnSKs2HsrZvdf6c8oYUZzDs
+ m6Cxcoasow0eY/3G65x5Rn5Klc0LXm6/kwJuHq4Og0njDBgzY0h53g==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-04-27T00:57:18Z"
+ mac: ENC[AES256_GCM,data:8QwxkjAuISrTs8Ls0fFtQ52AhzDRJIw130Dox2c5zrdqnr3rTjZDvz+zmOjFt+gg0iC6gDrvEkYh+4+9+g3o3D3A8wdQHCpi4ia7pSiZ4palxKwHkq8XY9sgDOamYb1534QlLZk5OmpxFPLATyNfDt1+UoM2++ATkZ3t1MjL1PM=,iv:9C59fPOga2/aih1Wty1HFdZJk5T3xyIWRVuogZ6k4dM=,tag:Eh7uYYty+mkC828aJKd9iA==,type:str]
+ pgp:
+ - created_at: "2023-04-27T00:55:52Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA82M54yws73UAQ//egTjrBCYrVLa0vQRoFDEcflSXNzAhOGHr7O2ZL3aDHLx
+ V5JNYr03u6VzpFADpram8Cdz1JrCDYicjly8MT37dNqbzddr/1eaezfbzD9itI+A
+ iNQNrIpQiqm7boznVnlw6xm1BCforU0ddyAKVbGNkDCE9XXUWwBggGRshTFSGBa0
+ wOM5haBrY7AXz1VvvhTTWh5qjEZQEwlqTvtxbpXty0P9L8jkntwE+Tgr+h7sqPXR
+ QwWgUypxbNrV+yso+rHxMof9ti1aD0m0TzpJrKVllQYdIppNCnWF6GPB640o5g4C
+ S2XgDDf64xS1j1KhezPrB1s1u6P2Cwodlf45Gaoq2Xb4KQ/n+dg23P8W6Y/baEkp
+ 5jvzvJ1SoANxvspkMCKbDcQoDT1MnvIX08yZQK5NUbwMtmwjgJh1XdRAuktCAWSV
+ Cxhv+hP2STVxtZqa6ekXze4Yuw0B2U3Vu2YLtgaTCMr3sq8Cvy3Mjz6lS3H6adob
+ x4Oq8ra56ZszAChoVpfKIyYjRaZxZjBi/XdiCugLmR3P2Em8KM7447N1p+RqP+Va
+ Vm3mHAfhdIemZlySJNvIQkbQQw119Lgqbr2WzrGaYts9TVHMhzgU1Ej7z9kP1IRa
+ mBetkO92zShSS2uEAd5g58P98SLFBncN6VVDc+nOQoUTfFWAeG0HV9EYya7oVNTS
+ XgHuSXOBoj2bNJlcw1QZw68CpYoBQgzJx7lXWGKAIY8r60xJcmeY9sj623rQAATS
+ s4tiQHXMAvRpdCogniKmdgs6Z4Br82sTQOuRw9CSBlHDHn/COsvlp/Xw1bmVsJ0=
+ =CFLr
+ -----END PGP MESSAGE-----
+ fp: CD8CE78CB0B3BDD4
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/nixos/roles/vaultwarden-server/vaultwarden.nix b/nixos/roles/vaultwarden-server/vaultwarden.nix
new file mode 100644
index 00000000..a7e544c3
--- /dev/null
+++ b/nixos/roles/vaultwarden-server/vaultwarden.nix
@@ -0,0 +1,32 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+with lib; {
+ secrets.variables = mapListToAttrs (field:
+ nameValuePair "vaultwarden-${field}" {
+ path = "secrets/vaultwarden";
+ inherit field;
+ }) ["password" "smtp"];
+
+ users.users.vaultwarden.name = "bitwarden_rs";
+ users.groups.vaultwarden.name = "bitwarden_rs";
+
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+ config = {
+ rocketPort = 4000;
+ websocketEnabled = true;
+ signupsAllowed = false;
+ domain = "https://vault.kittywit.ch";
+ databaseUrl = "postgresql://bitwarden_rs@/bitwarden_rs";
+ };
+ };
+
+ environment.etc."vaultwarden/environment_file_template".text = ''
+ ADMIN_TOKEN=!!VAULTWARDEN_ADMIN_TOKEN!!
+ '';
+}
diff --git a/systems/yukari.nix b/systems/yukari.nix
index 9d0fac44..e3d28f81 100644
--- a/systems/yukari.nix
+++ b/systems/yukari.nix
@@ -13,7 +13,8 @@ _: let
 server
 web-server
 postgres-server
- matrix-server
+ matrix-homeserver
+ vaultwarden-server
 ]);
 
 boot = {
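Review bot: `secrets.variables` declares `vaultwarden-password` and `vaultwarden-smtp` from `secrets/vaultwarden`, but nothing else in this role reads them and `pkgs` is taken as an argument without being used, so either these are dead declarations or the consumer is the project's `secrets` module and deserves a comment such as `# exported for the secrets module, which injects them into vaultwarden's environment`. `mapListToAttrs` is not a nixpkgs `lib` function; unless the project extends `lib`, `listToAttrs (map (field: nameValuePair "vaultwarden-${field}" { ... }) ["password" "smtp"])` is the portable spelling, and `inherit (lib) listToAttrs nameValuePair;` would replace the blanket `with lib;`. The `ADMIN_TOKEN=!!VAULTWARDEN_ADMIN_TOKEN!!` template puts the raw admin token into the rendered environment file; Vaultwarden releases from 1.28 onward also accept an argon2 PHC string for `ADMIN_TOKEN`, so storing the hash in secrets.yaml would keep a directly usable admin credential out of the file on disk — confirm against the pinned version before switching.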