diff --git a/flake.nix b/flake.nix
index 1a256c9..841b923 100644
--- a/flake.nix
+++ b/flake.nix
@@ -15,7 +15,8 @@
 hostPkgs = import nixpkgs { system = "x86_64-linux"; };
 in {
 devShell."x86_64-linux" = with hostPkgs; mkShell {
- buildInputs = [ colmena ];
+ buildInputs = [ colmena vault ];
+ VAULT_ADDR = "https://hc-vault.katzen.cafe";
 };
 colmena = {
 meta = {
@@ -50,6 +51,7 @@
 ./modules/mumble.nix
 ./modules/modded-mc.nix
 #./modules/prosody.nix
+ ./modules/vault.nix
 ];
 system.stateVersion = "22.11";
diff --git a/modules/proxy.nix b/modules/proxy.nix
index 362b6a6..0866187 100644
--- a/modules/proxy.nix
+++ b/modules/proxy.nix
@@ -35,6 +35,10 @@
 group = "murmur";
 keyType = "rsa4096";
 };
+ "hc-vault.katzen.cafe" = {
+ group = "nginx";
+ keyType = "rsa4096";
+ };
 # "prosody.katzen.cafe" = {
 # group = "prosody";
 # keyType = "rsa4096";
@@ -110,6 +114,13 @@
 proxyPass = "http://127.0.0.2:8081";
 };
 };
+ "hc-vault.katzen.cafe" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8200";
+ };
+ };
 };
 };
 }
diff --git a/modules/vault.nix b/modules/vault.nix
new file mode 100644
index 0000000..0ffc409
--- /dev/null
+++ b/modules/vault.nix
@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+{
+ services.vault = {
+ enable = true;
+ package = pkgs.vault-bin;
+ storageBackend = "file";
+ extraConfig = ''
+ ui = true
+ '';
+ };
+}
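Review bot: The new `"hc-vault.katzen.cafe"` virtual host in the second modules/proxy.nix hunk publishes the whole Vault API and web UI to every client that can reach nginx, because `locations."/"` carries no source restriction. If only a few operators need access, an allow-list in that location would narrow the exposure, e.g. `extraConfig = "allow <ADMIN_CIDR>; deny all;";` (placeholder range). Since nginx connects from loopback, Vault will presumably log 127.0.0.1 as the client of every request unless forwarded headers are passed and trusted; on the Vault side that would mean `x_forwarded_for_authorized_addrs` in `services.vault.listenerExtraConfig`. Whether the proxy already sends `X-Forwarded-For` (for instance via `recommendedProxySettings`) cannot be seen here, as the enclosing `virtualHosts` set starts outside the hunk.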
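Review bot: modules/vault.nix depends on module defaults that are worth spelling out in comments, since they define the trust boundary of this secret store. No `address` or `tlsCertFile` is set, so the listener presumably stays on the module's loopback default without TLS, which matches the `proxyPass` target but also means every local process on a host that additionally imports mumble.nix and modded-mc.nix can reach the API in plaintext. `storageBackend = "file"` is a single-node store with no replication, and no seal stanza is configured. I would add `# file backend: single node, no HA; include the storage path in backups, manual unseal after every restart` above `storageBackend`, and `# listener left at module default (loopback, no TLS); nginx terminates TLS` above `extraConfig`.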