diff --git a/hosts/zora/default.nix b/hosts/zora/default.nix
index b7f4705..b1af5d7 100644
--- a/hosts/zora/default.nix
+++ b/hosts/zora/default.nix
@@ -16,6 +16,7 @@
 ../../modules/server
 ../../modules/server/link
 ../../modules/server/taf
+ ../../modules/server/giovanni
 
 # disko.nixosModules.disko
 agenix.nixosModules.default
diff --git a/hosts/zora/reverse-proxy.nix b/hosts/zora/reverse-proxy.nix
index 1ad4360..1fd925e 100644
--- a/hosts/zora/reverse-proxy.nix
+++ b/hosts/zora/reverse-proxy.nix
@@ -19,6 +19,12 @@
 proxyPass = "https://${config.services.kanidm.serverSettings.bindaddress}";
 };
 };
+ "vault.lyes.eu" = {
+ locations."/" = {
+ proxyPass = "http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+ proxyWebsockets = true;
+ };
+ };
 };
 };
 }
diff --git a/modules/server/giovanni/default.nix b/modules/server/giovanni/default.nix
new file mode 100644
index 0000000..2b6d646
--- /dev/null
+++ b/modules/server/giovanni/default.nix
@@ -0,0 +1,35 @@
+{ config, lib, ... }:
+
+{
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+
+ environmentFile = config.age.secrets.giovanni-env.path;
+ config = {
+ ROCKET_PORT = 44301;
+ SENDMAIL_COMMAND = "${config.security.wrapperDir}/sendmail";
+ };
+ };
+
+ systemd.services.vaultwarden = {
+ path = [ "/run/wrappers" ];
+ serviceConfig = {
+ NoNewPrivileges = lib.mkForce false;
+ PrivateUsers = lib.mkForce false;
+ SystemCallFilter = lib.mkForce [ "@system-service" ];
+ RestrictAddressFamilies = [
+ "AF_LOCAL"
+ "AF_NETLINK"
+ ];
+ ReadWritePaths = [ "/var/spool/mail/" ];
+ };
+ };
+
+ age.secrets = {
+ giovanni-env = {
+ file = ../../../secrets/zora/services/giovanni-env.age;
+ };
+ };
+}
+
diff --git a/secrets.nix b/secrets.nix
index c0b2da1..0cb5945 100644
--- a/secrets.nix
+++ b/secrets.nix
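Review bot: The new `"vault.lyes.eu"` vhost defines only `locations."/"`; no `forceSSL`/`enableACME` (or equivalent) appears in this hunk, and the kanidm vhost above it is cut off, so I cannot tell whether TLS is applied by something outside the hunk. The upstream is reached over plain `http://localhost`, and Vaultwarden's web vault only works from a secure context, so the proxy has to terminate TLS for this name; if nothing above adds it, `forceSSL = true; enableACME = true;` belong next to `locations`. Vaultwarden also takes the client address from the `X-Real-IP` header by default (`IP_HEADER`) for its login rate limiting and admin-panel logs, so confirm `services.nginx.recommendedProxySettings` (or explicit `proxy_set_header` lines) is in effect for this host, otherwise every login attempt is attributed to the proxy. The `virtualHosts` attrset these lines belong to starts outside the hunk.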
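Review bot: The three `lib.mkForce` lines in `serviceConfig` switch off `NoNewPrivileges` and `PrivateUsers` and replace the upstream syscall filter with a bare `@system-service`, which undoes part of the sandbox the NixOS vaultwarden module applies, and nothing in the hunk records why; from `path = [ "/run/wrappers" ]`, `SENDMAIL_COMMAND` and `ReadWritePaths = [ "/var/spool/mail/" ]` I infer it is so the service can exec the setuid sendmail wrapper, which `NoNewPrivileges=true` would block. A comment above the overrides should state that, e.g. `# Hardening relaxed only so vaultwarden can exec the setuid /run/wrappers/bin/sendmail used by SENDMAIL_COMMAND; a compromised process can now gain privileges through any setuid binary`, and if a local MTA also listens on loopback, pointing `SMTP_HOST` at it instead would let the upstream hardening stay in force. Separately, `config` sets neither `DOMAIN` nor `SIGNUPS_ALLOWED`, and the environment file is opaque here; unless it defines them, the instance served at vault.lyes.eu runs with Vaultwarden's defaults, which as far as I recall leave registration open, so I would add `DOMAIN = "https://vault.lyes.eu"; SIGNUPS_ALLOWED = false;` to `config` where they are visible in the module. `ROCKET_ADDRESS` is likewise absent from `config` (a definition of this option replaces the module's default attrset rather than merging with it, if I read the option correctly), so the listen address for port 44301 rests on Vaultwarden's built-in default; pinning `ROCKET_ADDRESS = "127.0.0.1";` removes the doubt and matches the loopback `proxyPass` in reverse-proxy.nix.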
@@ -13,4 +13,5 @@ in
 "secrets/zora/services/kanidm-admin-password.age".publicKeys = all;
 "secrets/zora/services/kanidm-idm-admin-password.age".publicKeys = all;
 "secrets/zora/services/taf-token.age".publicKeys = all;
+ "secrets/zora/services/giovanni-env.age".publicKeys = all;
 }
diff --git a/secrets/zora/services/giovanni-env.age b/secrets/zora/services/giovanni-env.age
new file mode 100644
index 0000000..efb6b6d
Binary files /dev/null and b/secrets/zora/services/giovanni-env.age differ
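Review bot: The new `giovanni-env.age` entry follows the existing lines in encrypting to `all`, so every key in that list can decrypt the Vaultwarden environment file that the module's `environmentFile` points at, and such files typically hold the database URL, SMTP credentials and admin token. `all` is bound in the `let` above the hunk and is not visible here; if it contains more than zora's host key (and an operator key), consider a host-scoped recipient list for this file, e.g. `"secrets/zora/services/giovanni-env.age".publicKeys = [ zora ];` using whatever name the `let` gives that key. This departs from the repo-wide pattern on the lines above, so it is a deliberate choice rather than a defect in this line alone.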