diff --git a/hosts/physique/hyponix/services/fail2ban.nix b/hosts/physique/hyponix/services/fail2ban.nix
index edc9a34..a997185 100644
--- a/hosts/physique/hyponix/services/fail2ban.nix
+++ b/hosts/physique/hyponix/services/fail2ban.nix
@@ -2,6 +2,10 @@ {
   services.fail2ban = {
     enable = true;
+
+    ignoreIP = [
+      "zamok.crans.org"
+    ];
   };
 
   services.openssh.settings.LogLevel = "VERBOSE";
diff --git a/modules/available/vaultwarden.nix b/modules/available/vaultwarden.nix
new file mode 100644
index 0000000..bdd8533
--- /dev/null
+++ b/modules/available/vaultwarden.nix
@@ -0,0 +1,34 @@
+{ config, ... }:
+let
+  domain = "pass.${config.networking.domain}";
+in
+{
+
+  age.secrets = {
+    vaultwarden_secret = {
+      file = ../../secrets/services/vaultwarden.age;
+      owner = "vaultwarden";
+    };
+  };
+
+
+  services.vaultwarden = {
+    enable = false; # TODO: enable
+    # TODO: move to pgsql
+    #dbBackend = "postgresql";
+    environmentFile = config.age.secrets.vaultwarden_secret.path;
+    config = {
+      DOMAIN = "https://${domain}";
+      SIGNUPS_ALLOWED = false;
+
+      ROCKET_ADDRESS = "::1";
+      ROCKET_PORT = 8222;
+    };
+  };
+
+  services.caddy.virtualHosts."${domain}" = {
+    extraConfig = ''
+      reverse_proxy localhost:${builtins.toString config.services.vaultwarden.config.ROCKET_PORT}
+    '';
+  };
+}
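Review bot: `ignoreIP = [ "zamok.crans.org" ]` keys the ban exemption on a DNS name rather than on an address, so it only holds if the name resolves when the jail is loaded, and it extends to whatever addresses that name resolves to at that moment, including any later change made by whoever controls the zone. fail2ban does accept hostnames in ignoreip, but a failed lookup silently leaves the host bannable and a name cannot express a CIDR range. Pinning the literal address(es) and keeping the name as a comment is more predictable, e.g. `ignoreIP = [ "<ZAMOK_IPV4>" "<ZAMOK_IPV6>" ]; # zamok.crans.org`. The `services.fail2ban` attrset is complete within the hunk; the enclosing module body starts outside it.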
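Review bot: The backend is bound to `ROCKET_ADDRESS = "::1"` while Caddy is told `reverse_proxy localhost:…`; whether that reaches the IPv6 loopback depends on how `localhost` resolves on the host, so the proxy target should name the bind address explicitly: `reverse_proxy [::1]:${builtins.toString config.services.vaultwarden.config.ROCKET_PORT}`. The Caddy virtual host is also declared unconditionally while `services.vaultwarden.enable = false`, so `pass.<domain>` is published (and a certificate requested for it) with nothing listening behind it; wrapping it in `lib.mkIf config.services.vaultwarden.enable { … }` (adding `lib` to the module arguments) keeps the two in step. Likewise `age.secrets.vaultwarden_secret.owner = "vaultwarden"` presumably names a user that only exists once the service is enabled, so installing the secret may fail at activation until then; gating that attribute the same way avoids it.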