diff --git a/machines/lebesgue/config/configuration.nix b/machines/lebesgue/config/configuration.nix
index f973d1b..4b06b9b 100644
--- a/machines/lebesgue/config/configuration.nix
+++ b/machines/lebesgue/config/configuration.nix
@@ -4,15 +4,18 @@
 pkgs, ... }: {
- imports = [
- ./hardware-configuration.nix
- ];
-
 foehammer = { users.admin = { enable = true; hashedPasswordFile = config.sops.secrets.admin-password.path; };
+
+ services.vaultwarden = {
+ enable = true;
+ domain = "https://passwords.foehammer.me";
+ signups = false;
+ envPath = config.sops.secrets.vaultwarden-env.path;
+ };
 }; services.tailscale = {
diff --git a/machines/lebesgue/config/routing.nix b/machines/lebesgue/config/routing.nix
new file mode 100644
index 0000000..94e3281
--- /dev/null
+++ b/machines/lebesgue/config/routing.nix
@@ -0,0 +1,13 @@
+{config, ...}: {
+ foehammer.caddy.enable = true;
+
+ services.caddy = {
+ virtualHosts = {
+ "passwords.foehammer.me" = {
+ extraConfig = ''
+ reverse_proxy :${toString config.foehammer.services.vaultwarden.port}
+ '';
+ };
+ };
+ };
+}
diff --git a/machines/lebesgue/config/secrets.nix b/machines/lebesgue/config/secrets.nix
index d76be8b..3763276 100644
--- a/machines/lebesgue/config/secrets.nix
+++ b/machines/lebesgue/config/secrets.nix
@@ -5,6 +5,7 @@
 secrets = {
 admin-password.neededForUsers = true;
 tskey = {};
+ vaultwarden-env = {};
 };
 };
 }
diff --git a/machines/lebesgue/config/state.nix b/machines/lebesgue/config/state.nix
index 8ea2adf..a63744c 100644
--- a/machines/lebesgue/config/state.nix
+++ b/machines/lebesgue/config/state.nix
@@ -8,6 +8,7 @@
 "/var/log" "/var/lib/nixos" "/var/lib/docker"
+ "/var/lib/caddy/.local/share/caddy"
 ] ++ config.foehammer.backups.paths;
diff --git a/machines/lebesgue/flake.lock b/machines/lebesgue/flake.lock
index 210cf86..a27b76c 100644
--- a/machines/lebesgue/flake.lock
+++ b/machines/lebesgue/flake.lock
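Review bot: Nothing on this page imports the new routing.nix, and the `./hardware-configuration.nix` import dropped from this hunk is not re-added anywhere in the diff; unless the flake or a default.nix outside this page imports the whole config directory, the Caddy vhost silently never applies and the host loses its filesystem and boot definitions. If directory auto-import is the mechanism, a one-line comment next to `foehammer = {` would save the next reader the same check, e.g. `# sibling *.nix files (routing, secrets, state) are imported by the flake`. The enclosing attribute set continues past the end of the hunk.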
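Review bot: The vhost forwards to `:${port}` on the loopback side, but nothing on this page pins Vaultwarden's own listen address; if the wrapper module behind `foehammer.services.vaultwarden` does not set `ROCKET_ADDRESS` to `127.0.0.1` (and the firewall does not block the port), the service is reachable directly and Caddy's TLS front end is bypassed. Worth confirming in the wrapper and recording here with `# vaultwarden binds 127.0.0.1 only; Caddy is the sole TLS entry point`. Since the admin panel is served under `/admin` on this same vhost, consider restricting that path at the proxy to the Tailscale range that configuration.nix already enables, e.g. an `@admin path /admin*` matcher that answers `respond 403` for other sources.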
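Review bot: The newly persisted Caddy data directory holds the ACME account key and the private keys of the issued certificates, so it is both worth persisting (re-issuing on every boot would run into Let's Encrypt rate limits) and sensitive; a comment saying so helps the next reader, e.g. `# Caddy ACME account + TLS private keys (XDG data dir of the caddy user)`. Vaultwarden's own state directory is not listed explicitly here and presumably arrives through `config.foehammer.backups.paths`; the list this hunk extends starts and ends outside the hunk.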
@@ -7,7 +7,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-WEokvgGDzO4WVp5gHu9rZVPyNzMdLuX8dMV/Zhf9OwQ=", + "narHash": "sha256-o3CFNeEY0LvR1kOSCVC8nxPqL3TggTQ9PcWKdy+2l2A=", "path": "../../nixos", "type": "path" },
diff --git a/machines/lebesgue/secrets/main.yaml b/machines/lebesgue/secrets/main.yaml
index d124e34..3941403 100644
--- a/machines/lebesgue/secrets/main.yaml
+++ b/machines/lebesgue/secrets/main.yaml
@@ -1,5 +1,6 @@ admin-password: ENC[AES256_GCM,data:Uc5c1Z9yiU+zwXn5c8S7w3jpw3TNzvsznbNJ7Ay9SV+F8itPTjIwFzp+KHwZaWRFdv6joAwj5ZVgqmhghSG1JA56qJW4PVs+Mw==,iv:Aj+YoV9mDB+nIwiT80sd2EhMGerDq9HC+Hypq/5+6hc=,tag:616ws4u6hyuwEmwMPvUucA==,type:str] tskey: ENC[AES256_GCM,data:iJdTZHoakbQQ6e1qZDEyVnB3mtJdGKQd1gVV03VTUeiulqeeK20MDZvZ32XveNwJ32D//BKGV/gaOdYOEE4=,iv:1vdI8UMz0KwsyLJ3t5elIkXc/xHITmV5T4+IWdqYdyE=,tag:V+b6Z9+f5LqqAJP46kDEww==,type:str] +vaultwarden-env: ENC[AES256_GCM,data:A1iRHxFxgI5P8DtsXQa1KvEKKnF+qZY7LVuJba00CLj7kp7EdiWBV8cXyHs189ncJ/vG02QCkrv46BH2eBN6kq4eHhefAoklS8kT0v9/7w==,iv:JrWh/0/arWoXOFhtgC+s/eoRDV9tppGXblZR3YOrTZg=,tag:3+wVYTlOodSwkLzApAsLOg==,type:str] sops: kms: [] gcp_kms: []
@@ -15,8 +16,8 @@ sops: L2VhMXV4WityYUFDZytxVTJHOXZGVVkKgbKR56dsru6U7I4KpnxfxQsswFwJsTM7 8dzAaFl30mdRwFIH9kzdY3XxyYsJ0Yr0x3xwJ8mI4rjgpI8S9ihJFw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-03T20:29:36Z" - mac: ENC[AES256_GCM,data:mdK+B9R2THvjrKGlghcVVzCSSOnsJe9AqjMkj8H80l+Ij2SLPw/tS+/EgVwD6f87QGdV0o4U482CZc4GzbvrwdZgwYcjd2v2z7qUurDuga4SD/ex3czV43dmfzgePPnhVV60bVVfRebsuUdf48wwnZ8WA5aNtUxcFhoJ9zUaMjs=,iv:sMU3YgIVfynURvN6Jv8ixB7q4IuRYSGxvyRw4KhQwjg=,tag:4sRYLtAwkBBERdPS9qY/+w==,type:str] + lastmodified: "2025-02-03T23:49:44Z" + mac: ENC[AES256_GCM,data:gtH6PMQzxRGMpFI2hAka/MpXeLEivczq+L4Vruo1Vdain9f7iIdvATjomYO+NwkWUiDNWXqzU3VBb8NoyfqDeywtbu6GaUhmAUgVEFt0W2ceyqSF8qje+inI8rCjduodzIRG8XFgHoCvR8iQOtYWseyo6oOHFqBGiw1cBr/ciW8=,iv:9SeerJbjF3LTbjnAkvqqg4ceGJQCJScRBg1rG+xJ5dk=,tag:09H9oJU25ApddCgiMGIQFg==,type:str] pgp: - created_at: "2025-02-03T18:58:54Z" enc: |-
diff --git a/nixos/common/caddy.nix b/nixos/common/caddy.nix
index bbb0ccc..3d9332b 100644
--- a/nixos/common/caddy.nix
+++ b/nixos/common/caddy.nix
@@ -10,7 +10,7 @@ in {
 config = mkIf cfg.enable { services.caddy = { enable = true;
- email = "foehammer127+acme@gmail.com";
+ email = "foehammer127points+acme@gmail.com";
 }; networking.firewall.allowedTCPPorts = [80 443];
diff --git a/nixos/common/services/vaultwarden.nix b/nixos/common/services/vaultwarden.nix
index b945ce2..8463adf 100644
--- a/nixos/common/services/vaultwarden.nix
+++ b/nixos/common/services/vaultwarden.nix
@@ -25,7 +25,7 @@ in {
 }; envPath = mkOption {
- type = lib.types.port;
+ type = lib.types.path;
 }; domain = mkOption {
@@ -49,7 +49,7 @@ in {
 }; foehammer.backups.paths = [
- "/var/lib/bitwarden_rs"
+ "/var/lib/vaultwarden"
 ]; }; }
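Review bot: `envPath` has no `description`, and `lib.types.path` accepts both the runtime string a sops secret yields and a Nix path literal; a path literal, once interpolated into the service definition, would copy the environment file (which presumably carries `ADMIN_TOKEN` and similar) into the world-readable Nix store, so the option should say which form is meant: `description = "Runtime path to the Vaultwarden environment file (e.g. a sops secret path); never a path into the Nix store.";`. If the wrapper forwards this to the upstream module's `environmentFile`, an assertion that the value does not start with `/nix/store` would enforce the same rule. The option set this hunk touches starts and ends outside the hunk.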
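Review bot: `/var/lib/vaultwarden` holds, by default, the SQLite database, the attachments and the RSA key Vaultwarden uses to sign its JWTs, so the backup set is as sensitive as the env file; confirm the backup target is encrypted at rest and that the copy is consistent — if `foehammer.backups` is a plain file copy, a live SQLite file can be captured mid-write, so a pre-hook using `sqlite3 ... ".backup ..."` or Vaultwarden's own backup mechanism is safer. A short comment above the list naming what lives there would help, e.g. `# DB, attachments and JWT signing key — keep backups encrypted at rest`. The enclosing config block starts outside the hunk.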