diff --git a/hosts/cave/fuckery.nix b/hosts/cave/fuckery.nix index 9edc316..f9729bf 100644 --- a/hosts/cave/fuckery.nix +++ b/hosts/cave/fuckery.nix @@ -23,8 +23,6 @@ # }; # }; - - # services.rustdesk-server = { # enable = true; # openFirewall = true; diff --git a/hosts/jo/configuration.nix b/hosts/jo/configuration.nix index f6ec362..4f9b142 100644 --- a/hosts/jo/configuration.nix +++ b/hosts/jo/configuration.nix @@ -64,14 +64,13 @@ in { "/crypto_keyfile.bin" = null; }; - services.logind.extraConfig = '' + services.logind.extraConfig = '' # don’t shutdown when power button is short-pressed HandleLidSwitch=ignore HandleLidSwitchExternalPower=ignore HandleLidSwitchDocked=ignore ''; - boot.loader.grub.enableCryptodisk = true; services.tailscale.enable = true; diff --git a/hosts/vulpecula-vps/nextcloud.nix b/hosts/vulpecula-vps/nextcloud.nix index a1e544c..c762b30 100644 --- a/hosts/vulpecula-vps/nextcloud.nix +++ b/hosts/vulpecula-vps/nextcloud.nix @@ -1,4 +1,8 @@ -{config, pkgs, ...}: { +{ + config, + pkgs, + ... +}: { services.nginx.virtualHosts."nextcloud.vulpecula.zone" = { addSSL = true; enableACME = true; @@ -14,4 +18,4 @@ config.dbtype = "sqlite"; https = true; }; -} \ No newline at end of file +} diff --git a/hosts/vulpecula-vps/vaultwarden.nix b/hosts/vulpecula-vps/vaultwarden.nix index 4bfe226..2b9fd42 100644 --- a/hosts/vulpecula-vps/vaultwarden.nix +++ b/hosts/vulpecula-vps/vaultwarden.nix 
@@ -1,10 +1,48 @@
-{inputs, ...}: {
+{inputs, config, ...}: {
 services.nginx.virtualHosts."vault.vulpecula.zone" = {
 addSSL = true;
 enableACME = true;
- # root = ;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+ };
 };
 services.vaultwarden.enable = true;
 services.bitwarden-directory-connector-cli.domain = "vault.vulpecula.zone";
+
+ services.vaultwarden.config = {
+ DOMAIN = "https://vault.vulpecula.zone";
+ SIGNUPS_ALLOWED = true;
+
+ # Vaultwarden currently recommends running behind a reverse proxy
+ # (nginx or similar) for TLS termination, see
+ # https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#reverse-proxying
+ # > you should avoid enabling HTTPS via vaultwarden's built-in Rocket TLS support,
+ # > especially if your instance is publicly accessible.
+ #
+ # A suitable NixOS nginx reverse proxy example config might be:
+ #
+ # services.nginx.virtualHosts."bitwarden.example.com" = {
+ # enableACME = true;
+ # forceSSL = true;
+ # locations."/" = {
+ # proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
+ # };
+ # };
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 62107;
+
+ ROCKET_LOG = "critical";
+
+ # This example assumes a mailserver running on localhost,
+ # thus without transport encryption.
+ # If you use an external mail server, follow:
+ # https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
+ # SMTP_HOST = "127.0.0.1";
+ # SMTP_PORT = 25;
+ # SMTP_SSL = false;
+
+ # SMTP_FROM = "admin@bitwarden.example.com";
+ # SMTP_FROM_NAME = "example.com Bitwarden server";
+ };
 }
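Review bot: The new `locations."/"` proxy sits under a virtual host that still has `addSSL = true;`, which as far as I know makes nginx answer on plain HTTP as well as HTTPS without redirecting, so vault logins could travel in cleartext; the example pasted into the comment uses `forceSSL = true;` and the real vhost should too. `SIGNUPS_ALLOWED = true;` on a host that appears to be publicly reachable lets anyone who finds the URL register an account; prefer `SIGNUPS_ALLOWED = false;` with invitations, or limit registration with `SIGNUPS_DOMAINS_WHITELIST`. The commented-out example block copied from the module documentation could be dropped, since the vhost above now does the same job and the duplicate invites drift between the two.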