diff --git a/hosts/liminal/configuration.nix b/hosts/liminal/configuration.nix
index 54c1cbf..5d82894 100644
--- a/hosts/liminal/configuration.nix
+++ b/hosts/liminal/configuration.nix
@@ -325,6 +325,8 @@
 awww.packages.${pkgs.stdenv.hostPlatform.system}.awww
 nix-index # for nix-locate
 sops
+ bitwarden-desktop
+ bitwarden-cli
 ];
 };
 systemd.user.services = {
diff --git a/hosts/ruil/configuration.nix b/hosts/ruil/configuration.nix
index 504a3c2..144f8f0 100644
--- a/hosts/ruil/configuration.nix
+++ b/hosts/ruil/configuration.nix
@@ -3,6 +3,7 @@
 {
 imports = [
 ./hardware-configuration.nix
+ ./modules/vaultwarden.nix
 (modulesPath + "/virtualisation/digital-ocean-config.nix")
 ];
diff --git a/hosts/ruil/modules/vaultwarden.nix b/hosts/ruil/modules/vaultwarden.nix
new file mode 100644
index 0000000..a0b67a8
--- /dev/null
+++ b/hosts/ruil/modules/vaultwarden.nix
@@ -0,0 +1,24 @@
+{ config, ... }:
+
+{
+ sops.secrets.vaultwarden-env = {
+ owner = "vaultwarden";
+ mode = "0400";
+ };
+
+ # Vaultwarden on warden.hunner.dev
+ services.vaultwarden = {
+ enable = true;
+ configureNginx = true;
+ domain = "warden.hunner.dev";
+ # SMTP and admin token are sourced from the sops-managed env file.
+ environmentFile = [ config.sops.secrets.vaultwarden-env.path ];
+ config = {
+ SIGNUPS_ALLOWED = true;
+ INVITATIONS_ALLOWED = true;
+ };
+ };
+
+ # ACME certificate for Cloudflare Full (strict) origin TLS.
+ services.nginx.virtualHosts."warden.hunner.dev".enableACME = true;
+}
diff --git a/hosts/ruil/secrets/config.yaml b/hosts/ruil/secrets/config.yaml
index 8dfc58e..7522db4 100644
--- a/hosts/ruil/secrets/config.yaml
+++ b/hosts/ruil/secrets/config.yaml
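Review bot: In hosts/ruil/modules/vaultwarden.nix, `SIGNUPS_ALLOWED = true;` leaves registration open to anyone who can reach warden.hunner.dev, which this module publishes through nginx with an ACME certificate; for a personal password vault, set `SIGNUPS_ALLOWED = false;` and keep `INVITATIONS_ALLOWED = true;` so new accounts come only from invitations (or limit sign-ups with `SIGNUPS_DOMAINS_WHITELIST`). The comment says the admin token comes from the env file, which presumably enables the /admin page on the same public virtual host; it is worth confirming that `ADMIN_TOKEN` is stored as an Argon2 PHC string rather than plaintext. Adding `restartUnits = [ "vaultwarden.service" ];` to `sops.secrets.vaultwarden-env` would make a rotated token or SMTP password take effect on the next deploy. No `backupDir` is set on `services.vaultwarden`, so this module defines no backup of the vault database.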
@@ -4,6 +4,7 @@ hashedPassword-root: ENC[AES256_GCM,data:E/T3LBreiSZaC/qZ2QNxz3prGHoj47zS3ILsa7l openclaw-env: ENC[AES256_GCM,data:pJq+HdqlNjx0qeVHhPcnZk9FNm7/eMWm8vZ3ROnQ00qR4lXo3f86wL3vH9UQjVtdKSGDQj171b88nCVWqLY/h9YP2ld/1AwI7K06bzCRTjAYXzcpCfLyDEc0x3olSNTwsyKN4avI1x+9xciE36b53VVFpLNhGsRz9pT+jWx1jeVIUNbh6OGu4CGA1I2L4TaAiGEfEh29mDrAzqPLzIkyaSvay3+fun4X0SbpbE0bLnd6NnVUjff0HCgiDDDckc/O33G/k6OcLaN04hDnnCVIfGxPkRQKB02QC33mb35T5N4T,iv:DNNbwHGfQjY9Uvw4QXUz6IqtNQWZKLDD0GtvnoowxB0=,tag:+cu3ZVjo2xUg/wyIlUvD0Q==,type:str] searx-env: ENC[AES256_GCM,data:dJ8JGxTWBdrli340Yjs5bA7X25NjExj5Mxp2T49jVEv/pafTtyMWf7Tvonzv+krCe1k/Zsh7KuWoJxXXOOGjRLPP1eQMMJunoL/P6JXruX+ZkBN5XbYB/UdWdkUrcvdDSyMcofZwgqYdDUy6J5ZlvcnmvuIM,iv:DuzG234PInaT/2CYQp9fzGh0EBYrxA7cto5uI4tGSkQ=,tag:1PNQKboKl6N7SULlUeAcgA==,type:str] searx-nginx-basic-auth: ENC[AES256_GCM,data:v22LhW/PksCnfheQ5dYF4n0pLNdGEe8q/bp0aoP/ZRcUFsSWZSdt6Wuj3BdpW7Hl/vJiWysxDX/0mi1GQ7flZz0+lmIWe29hSroJljAccMrafL6CY7r2awk+IC5Z2hNmbvLxbHzyN9U8mExazeNuWq0=,iv:OpSkH4C0eAF6CrRJRmQRtC9j+0WEKLM1a0rNeGtROaY=,tag:7nbFtk02bgB0glANehZXTw==,type:str] +vaultwarden-env: ENC[AES256_GCM,data:C1oXLf+XchounepkJdGskeh3mlIvZYNFOK8Ec7wkPUnysEBXpVjtdfvbWZLkIzlcIn9BxM7pQLGDpn+7vogZA47JA07TkIVef9xrYYytLDYkox6+G/Acd36tuMKrTRWNko/wWX/YQQdHTGLLlBvP56YMQOSQ6mq5w86VK7QDmPFZTeobt3n4neHDIRjxkEWqNQg5x8zVPYbRqeg6rN2ES/hnd9jTzetx2lYH1zU8IncIGnkzw5C/5L8TysmHygWE5cX2CsA+2slkQHMYdQ3cZNFswP793jiAQB2BWXKUE8jyRc7S5XeUzfhFsg6pFdo9m0Om1nF2Hku/sYKaml3U+Fcma5BctuMpaPMAWh20n4wGS9rcIaF3SxwhCTHmk/IFOX/s8eK4,iv:B4DpR2JZQTuDOfCCR9x4uPWH4HyfXVDVYEZ2JZCdDf0=,tag:jwovvzMPLInaQHCxV4fTGw==,type:str] sops: age: - recipient: age17sdp0gguexd88qel74fa4zeckxh93gqpkayz366fz6yvjauw7vcq7w6y45 
@@ -24,7 +25,7 @@ sops:
 VHorQzNrMFJLaFpSalZZdjNraXhlSVUKwWLesTzMxsEB45hWWzhZGWc1cDm/gmvF
 MAytSLiBcieAkRKZoklyk/llbnq7kycvpZCU/sQrjKqmoHkC+TF3BQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-02-24T07:16:51Z"
- mac: ENC[AES256_GCM,data:sOhZnDFUDSEgoAuj3JKntckpu/2wQ2GrNxU7As855i+zT8zkEJlatf5Lw4Mr5NnYQMu6Jtgq26+6ucY7VcMxlqEdm0+jWMSA9Q2iPFZspgvZHqfoqpKlAjqKP90IcPYuieZm53FQSBdTvD0TlCk5ZNG7DyErAdfPSjqozPPsuk4=,iv:QNXCvwcUvug+rfPJnVGnVs42/hBHOnaEd9FpwhJMJkU=,tag:h8v/W+gt9LFspAty/3zZrg==,type:str]
+ lastmodified: "2026-02-24T23:59:42Z"
+ mac: ENC[AES256_GCM,data:qnbTTnrl84U55wzKMrp7e/gvxrj5TZCH4LC7X+waPEVEpz7jsJ/10gezCU5H6v6lkXCrfJ9CZgupRrFMI+yrndLVtqXyrdUkMWeq6GehzKd9Li2VbnfVu1zfjF5gRX4xyOxjfa3NDvHhfWQOUrTlXQyd4YIJUs0Q4cLjpaT1DH0=,iv:7CGp7qqWNdRsnFfLyqstkxledpWH7b0PuPdVxvWxcQg=,tag:8t2iyWYshX0YMWtRtccclA==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0
diff --git a/justfile b/justfile
index 5be2711..f2605ea 100644
--- a/justfile
+++ b/justfile
@@ -24,6 +24,10 @@ deploy-ruil:
 deploy-liminal:
 just deploy-sudo liminal
+# Shortcut: deploy zima (local)
+deploy-zima:
+ just deploy-sudo zima
+
 # Update flake lock file
 update:
 nix flake update