diff --git a/hosts/physique/hyponix/services/fail2ban.nix b/hosts/physique/hyponix/services/fail2ban.nix
index edc9a34..a997185 100644
--- a/hosts/physique/hyponix/services/fail2ban.nix
+++ b/hosts/physique/hyponix/services/fail2ban.nix
@@ -2,6 +2,10 @@
 {
 services.fail2ban = {
 enable = true;
+
+ ignoreIP = [
+ "zamok.crans.org"
+ ];
 };
 
 services.openssh.settings.LogLevel = "VERBOSE";
diff --git a/modules/available/vaultwarden.nix b/modules/available/vaultwarden.nix
new file mode 100644
index 0000000..bdd8533
--- /dev/null
+++ b/modules/available/vaultwarden.nix
@@ -0,0 +1,34 @@
+{ config, ... }:
+let
+ domain = "pass.${config.networking.domain}";
+in
+{
+
+ age.secrets = {
+ vaultwarden_secret = {
+ file = ../../secrets/services/vaultwarden.age;
+ owner = "vaultwarden";
+ };
+ };
+
+
+ services.vaultwarden = {
+ enable = false; # TODO: enable
+ # TODO: move to pgsql
+ #dbBackend = "postgresql";
+ environmentFile = config.age.secrets.vaultwarden_secret.path;
+ config = {
+ DOMAIN = "https://${domain}";
+ SIGNUPS_ALLOWED = false;
+
+ ROCKET_ADDRESS = "::1";
+ ROCKET_PORT = 8222;
+ };
+ };
+
+ services.caddy.virtualHosts."${domain}" = {
+ extraConfig = ''
+ reverse_proxy localhost:${builtins.toString config.services.vaultwarden.config.ROCKET_PORT}
+ '';
+ };
+}
diff --git a/modules/common/monitoring.nix b/modules/common/monitoring.nix
index 90ea232..117328d 100644
--- a/modules/common/monitoring.nix
+++ b/modules/common/monitoring.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 {
 services.prometheus.exporters = {
 node = {
@@ -9,6 +9,19 @@
 "--collector.softirqs"
 "--collector.tcpstat"
 ];
+
+ openFirewall = true;
+ };
+
+ postgres = {
+ enable = config.services.postgresql.enable;
 };
 };
+
+
+ services.caddy.globalConfig = "
+ metrics {
+ per_host
+ }
+ ";
 }
diff --git a/tools/devshell.nix b/tools/devshell.nix
index 724c18e..3dd58fb 100644
--- a/tools/devshell.nix
+++ b/tools/devshell.nix
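Review bot: `ignoreIP` is given a DNS name here (`"zamok.crans.org"`), so the exemption from banning follows whatever that record resolves to on this host's resolver at the time fail2ban evaluates it, and a change of address or a wrong answer silently changes who may fail logins without limit. If the host's address is stable, list the address itself and keep the name as a comment, e.g. `# zamok.crans.org — <ADDRESS_PLACEHOLDER>`; otherwise add a comment stating why this host must never be banned so the entry is not widened later without anyone noticing. The enclosing attribute set of the file closes outside the hunk.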
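Review bot: The Caddy virtual host and the age secret are declared unconditionally while the service itself is `enable = false; # TODO: enable`, so as soon as this module is imported Caddy answers for the `pass.` host with a reverse_proxy to a backend that is not running, and agenix will presumably try to hand the decrypted file to a `vaultwarden` user that only exists once the service is enabled. Gate both on the service: `{ config, lib, ... }:`, `age.secrets = lib.mkIf config.services.vaultwarden.enable {` and `services.caddy.virtualHosts."${domain}" = lib.mkIf config.services.vaultwarden.enable {`. The proxy target `localhost` may also resolve to 127.0.0.1 first while `ROCKET_ADDRESS = "::1"` binds only IPv6; `reverse_proxy [::1]:${builtins.toString config.services.vaultwarden.config.ROCKET_PORT}` names the same address on both sides.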
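Review bot: `openFirewall = true` on the node exporter opens its listener on every interface, so the host's kernel, mount, network and process counters become readable by anyone who can reach the machine, not only the Prometheus scraper. Narrow it with the exporter's own filter, e.g. `firewallFilter = "-i <SCRAPE_IFACE> -p tcp -m tcp --dport ${toString config.services.prometheus.exporters.node.port}";` (the interface name is a placeholder), or bind `listenAddress` to the scraping network. The new `postgres` exporter is enabled with no connection settings; unless the default data source already matches a role its service user can authenticate as, it will fail to connect, so confirm the credentials (`runAsLocalSuperUser` or an explicit `dataSourceName`) before alerting on it. `services.caddy.globalConfig` is written as a plain `"…"` string; the `''…''` form used elsewhere in this commit (vaultwarden.nix) is the usual choice for multi-line Nix text and strips the common indentation.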
@@ -8,7 +8,7 @@ pkgs.mkShell { packages = with pkgs; [ nil nixpkgs-fmt - agenix.packages.${system}.default + agenix.packages.${stdenv.hostPlatform.system}.default ]; shellHook = ''