diff --git a/data.nix b/data.nix index f7839f0..a68c345 100644 --- a/data.nix +++ b/data.nix @@ -24,9 +24,6 @@ rec { grafana = 3000; gitea = 3001; - # not necessary from vaultwarden 1.29.0 - vaultwarden_ws = 3012; - soju = 6697; soju-ws = 6698; matrix-synapse = 8008; diff --git a/flake.nix b/flake.nix index e66cefc..8194f9a 100644 --- a/flake.nix +++ b/flake.nix @@ -210,6 +210,7 @@ headscale-client-oidc.file = ./secrets/headscale/oidc_client_secret2.age; borgbackup-password.file = ./secrets/fwminex/borgbackup-password.age; grafana-oidc.file = ./secrets/grafana.jakstys.lt/oidc.age; + vaultwarden-secrets-env.file = ./secrets/vaultwarden/secrets.env.age; photoprism-admin-passwd.file = ./secrets/photoprism/admin_password.age; syncthing-key.file = ./secrets/fwminex/syncthing/key.pem.age; syncthing-cert.file = ./secrets/fwminex/syncthing/cert.pem.age; diff --git a/hosts/fwminex/configuration.nix b/hosts/fwminex/configuration.nix index af5acbc..7e4e06d 100644 --- a/hosts/fwminex/configuration.nix +++ b/hosts/fwminex/configuration.nix @@ -178,9 +178,14 @@ in }; services = { - sshguard.enable = false; + sshguard.enable = true; gitea.enable = true; hass.enable = true; + vaultwarden = { + enable = true; + port = myData.ports.vaultwarden; + secretsEnvFile = config.age.secrets.vaultwarden-secrets-env.path; + }; grafana = { enable = true; @@ -229,6 +234,7 @@ in "gitea" "grafana" "headscale" + "bitwarden_rs" "private/photoprism" ]; patterns = [ "- gitea/data/repo-archive/" ]; diff --git a/hosts/vno1-oh2/configuration.nix b/hosts/vno1-oh2/configuration.nix index 0ec5e4d..451dd41 100644 --- a/hosts/vno1-oh2/configuration.nix +++ b/hosts/vno1-oh2/configuration.nix @@ -61,7 +61,6 @@ mountpoint = "/var/lib"; repo = "zh2769@zh2769.rsync.net:${config.networking.hostName}.${config.networking.domain}-var_lib"; paths = [ - "bitwarden_rs" "caddy" "nsd-acme" "tailscale" 
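Review bot: `sshguard.enable = false` flipping to `true` is unrelated to moving vaultwarden and is the one line in this hunk that changes fwminex's behaviour on its own, so it should either be a separate commit or carry a comment such as `sshguard.enable = true; # re-enabled; unrelated to the vaultwarden move`. The new `vaultwarden` block passes `config.age.secrets.vaultwarden-secrets-env.path`, which only exists because of the flake.nix hunk above; since the module declares `secretsEnvFile` with no default, evaluation fails loudly if that secret is ever dropped, which is the right failure mode. The enclosing `services = { … }` set continues outside the hunk.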
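Review bot: Nothing in this commit moves the existing vault state from vno1-oh2 to fwminex, even though `"bitwarden_rs"` enters the fwminex borg paths here and leaves the vno1-oh2 paths in the `@@ -61` and `@@ -81` hunks of hosts/vno1-oh2/configuration.nix, so between the two hosts there is a window in which the live database is backed up from neither. Presumably the state directory under `/var/lib` (the vno1-oh2 backup mountpoint) is copied by hand before the switch; recording that step, and that the last vno1-oh2 borg archive is the fallback, in the commit message or a comment next to this entry would make the cut-over reproducible. The enclosing `paths = [ … ]` list starts outside the hunk.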
@@ -81,7 +80,6 @@ myData.hosts."vno3-rp3b.servers.jakst".jakstIP }:${config.networking.hostName}.${config.networking.domain}-var_lib"; paths = [ - "bitwarden_rs" "caddy" "nsd-acme" "tailscale" @@ -255,7 +253,7 @@ X-Frame-Options "SAMEORIGIN" } - reverse_proxy 127.0.0.1:${toString myData.ports.vaultwarden} { + reverse_proxy ${fwminex-jakst}:${toString myData.ports.vaultwarden} { header_up X-Real-IP {remote_host} } ''; @@ -381,40 +379,10 @@ ''; }; - vaultwarden = { - enable = true; - - config = { - ROCKET_ADDRESS = "127.0.0.1"; - ROCKET_PORT = myData.ports.vaultwarden; - LOG_LEVEL = "warn"; - DOMAIN = "https://bitwarden.jakstys.lt"; - SIGNUPS_ALLOWED = false; - INVITATION_ORG_NAME = "jakstys"; - PUSH_ENABLED = true; - - SMTP_HOST = "localhost"; - SMTP_PORT = 25; - SMTP_SECURITY = "off"; - SMTP_FROM = "admin@jakstys.lt"; - SMTP_FROM_NAME = "Bitwarden at jakstys.lt"; - }; - }; - - minidlna = { - enable = true; - openFirewall = true; - settings = { - media_dir = [ "/home/motiejus/video" ]; - friendly_name = "vno1-oh2"; - inotify = "yes"; - }; - }; - - syncthing.relay = { - enable = true; - providedBy = "11sync.net"; - }; + #syncthing.relay = { + # enable = true; + # providedBy = "11sync.net"; + #}; }; systemd.services = { @@ -460,15 +428,6 @@ requires = [ "nsd-acme-irc.jakstys.lt.service" ]; }; - vaultwarden = { - preStart = "ln -sf $CREDENTIALS_DIRECTORY/secrets.env /run/vaultwarden/secrets.env"; - serviceConfig = { - EnvironmentFile = [ "-/run/vaultwarden/secrets.env" ]; - RuntimeDirectory = "vaultwarden"; - LoadCredential = [ "secrets.env:${config.age.secrets.vaultwarden-secrets-env.path}" ]; - }; - }; - cert-watcher = { description = "Restart caddy when tls keys/certs change"; wantedBy = [ "multi-user.target" ]; diff --git a/modules/services/default.nix b/modules/services/default.nix index ec3d45a..c70a885 100644 --- a/modules/services/default.nix +++ b/modules/services/default.nix 
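Review bot: The proxied vault traffic now leaves vno1-oh2 as plain HTTP to `${fwminex-jakst}` (the new module sets `ROCKET_ADDRESS = "0.0.0.0"` and terminates no TLS), so sessions and tokens are only protected in transit if `fwminex-jakst` resolves to the tailscale address; the friendlyport rule in the new module restricting the port to `myData.subnets.tailscale.cidr` suggests it does, but nothing on this line says so. A comment pins the assumption: `# plain HTTP: fwminex-jakst must be the tailscale address (see mj.services.vaultwarden)`. Keeping `header_up X-Real-IP {remote_host}` is correct, since the client address vaultwarden logs and rate-limits on now comes from this header rather than the socket. The enclosing Caddy virtual-host block starts outside the hunk.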
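Review bot: The `syncthing.relay` block is kept as commented-out code rather than deleted, and the `minidlna` service is removed outright in the same hunk although neither relates to moving vaultwarden. Delete the commented block (git history keeps it) and, if dropping minidlna and the relay is intentional, state it in the commit message so a reader of a vaultwarden change is not left to infer it. The enclosing `services = { … }` set starts outside the hunk.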
@@ -20,6 +20,7 @@ ./sshguard ./syncthing ./tailscale + ./vaultwarden ./wifibackup ./zfsunlock ]; diff --git a/modules/services/vaultwarden/default.nix b/modules/services/vaultwarden/default.nix new file mode 100644 index 0000000..ffd7fa6 --- /dev/null +++ b/modules/services/vaultwarden/default.nix @@ -0,0 +1,57 @@ +{ + config, + lib, + myData, + ... +}: +let + cfg = config.mj.services.vaultwarden; +in +{ + options.mj.services.vaultwarden = with lib.types; { + enable = lib.mkEnableOption "Enable vautwarden"; + port = lib.mkOption { type = port; }; + secretsEnvFile = lib.mkOption { type = path; }; + }; + + config = lib.mkIf cfg.enable { + services.vaultwarden = { + enable = true; + + config = { + # TODO http migration + ROCKET_ADDRESS = "0.0.0.0"; + ROCKET_PORT = cfg.port; + LOG_LEVEL = "warn"; + DOMAIN = "https://bitwarden.jakstys.lt"; + SIGNUPS_ALLOWED = false; + INVITATION_ORG_NAME = "jakstys"; + PUSH_ENABLED = true; + + SMTP_HOST = "localhost"; + SMTP_PORT = 25; + SMTP_SECURITY = "off"; + SMTP_FROM = "admin@jakstys.lt"; + SMTP_FROM_NAME = "Bitwarden at jakstys.lt"; + }; + }; + + systemd.services.vaultwarden = { + preStart = "ln -sf $CREDENTIALS_DIRECTORY/secrets.env /run/vaultwarden/secrets.env"; + serviceConfig = { + EnvironmentFile = [ "-/run/vaultwarden/secrets.env" ]; + RuntimeDirectory = "vaultwarden"; + LoadCredential = [ "secrets.env:${cfg.secretsEnvFile}" ]; + }; + }; + + mj.services.friendlyport.ports = [ + { + subnets = [ myData.subnets.tailscale.cidr ]; + tcp = [ cfg.port ]; + } + ]; + + }; + +} diff --git a/secrets.nix b/secrets.nix index 713a735..d88a960 100644 --- a/secrets.nix +++ b/secrets.nix @@ -33,7 +33,6 @@ in // mk ([ vno1-oh2 ] ++ motiejus) [ "secrets/vno1-oh2/borgbackup/password.age" "secrets/letsencrypt/account.key.age" - "secrets/vaultwarden/secrets.env.age" "secrets/synapse/jakstys_lt_signing_key.age" "secrets/synapse/registration_shared_secret.age" 
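Review bot: `ROCKET_ADDRESS = "0.0.0.0"` makes the plaintext HTTP listener reachable on every interface of the host, so the `mj.services.friendlyport` rule at the bottom of the module is the only thing keeping it off non-tailscale networks; if `myData` exposes this host's tailscale address (the `jakstIP` attribute used in the vno1-oh2 hunk) binding to that instead would give defence in depth, and either way the `# TODO http migration` comment should state the plan, e.g. `# Plain HTTP, tailscale-only: fronted by Caddy on vno1-oh2; TODO terminate TLS here or bind to the tailscale address.` `lib.mkEnableOption "Enable vautwarden"` both misspells the service and double-prefixes the generated description ("Whether to enable Enable vautwarden"), so it should read `lib.mkEnableOption "vaultwarden"`. `DOMAIN = "https://bitwarden.jakstys.lt"` and the `SMTP_FROM*` values are host-specific literals baked into a reusable module and would sit better as options with these values as defaults. The `LoadCredential` plus `preStart` symlink pattern is carried over unchanged and is the safer way to hand the env file to the service, so no change is needed there.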
@@ -50,13 +49,19 @@ in "secrets/mtworx/syncthing/key.pem.age" "secrets/mtworx/syncthing/cert.pem.age" ] -// mk ( - [ - fwminex - vno1-oh2 - ] - ++ motiejus -) [ "secrets/grafana.jakstys.lt/oidc.age" ] +// + mk + ( + [ + fwminex + vno1-oh2 + ] + ++ motiejus + ) + [ + "secrets/grafana.jakstys.lt/oidc.age" + "secrets/vaultwarden/secrets.env.age" + ] // mk ([ fwminex ] ++ motiejus) [ "secrets/motiejus_server_passwd_hash.age" "secrets/root_server_passwd_hash.age" diff --git a/secrets/vaultwarden/secrets.env.age b/secrets/vaultwarden/secrets.env.age index ad3e994..21e6d91 100644 Binary files a/secrets/vaultwarden/secrets.env.age and b/secrets/vaultwarden/secrets.env.age differ
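Review bot: `secrets/vaultwarden/secrets.env.age` is now decryptable by both `fwminex` and `vno1-oh2`, but after this commit only fwminex runs vaultwarden (vno1-oh2 keeps just the Caddy reverse proxy, which never reads the env file), so least privilege would place it in the `mk ([ fwminex ] ++ motiejus)` group below rather than alongside the grafana secret. If vno1-oh2 is kept as a recipient on purpose for a rollback window, a one-line comment saying so would stop the next reader from tightening it blindly. The rekeyed binary `.age` file in the last hunk is consistent with fwminex being added as a recipient.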