diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample
index 19eea40..bbf6792 100644
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -12,3 +12,6 @@ acme:
 # Other
 protonmail:
 initialized: false
+
+vaultwarden:
+ admin_token: token
\ No newline at end of file
diff --git a/playbook.yml b/playbook.yml
index f03adad..5e2ff9b 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -9,6 +9,7 @@
 - { role: whoami, tags: ["whoami"] }
 - { role: protonmail, tags: ["protonmail"] }
 - { role: cloud, tags: ["cloud"] }
+ - { role: vaultwarden, tags: ["vaultwarden"] }
 - { role: home_assistant, tags: ["home_assistant"] }
 - { role: n8n, tags: ["n8n"] }
 - { role: matrix, tags: ["matrix"] }
diff --git a/roles/vaultwarden/tasks/base.yml b/roles/vaultwarden/tasks/base.yml
new file mode 100644
index 0000000..14b099e
--- /dev/null
+++ b/roles/vaultwarden/tasks/base.yml
@@ -0,0 +1,46 @@
+---
+
+- name: Check vaultwarden directory exist
+ ansible.builtin.file:
+ path: vaultwarden
+ state: directory
+
+- name: Copy template conf
+ ansible.builtin.template:
+ backup: true
+ src: "{{ item.src }}"
+ dest: "vaultwarden/{{ item.dest }}"
+ loop:
+ - { src: 'docker-compose.yml.j2', dest: 'docker-compose.yml' }
+ register: vaultwarden_copy_templates_results
+
+- name: Copy dotenv as root
+ ansible.builtin.template:
+ backup: true
+ owner: root
+ group: root
+ src: ".env.j2"
+ dest: "vaultwarden/.env"
+ mode: 0600
+ become: true
+
+- name: Prepare volume folder
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+ loop:
+ - "{{ server.work_dir }}/vaultwarden"
+ - "{{ server.work_dir }}/vaultwarden/base"
+ - "{{ server.work_dir }}/vaultwarden/db"
+ become: true
+
+- name: Update and restart container
+ community.docker.docker_compose:
+ project_src: vaultwarden
+ state: present
+ pull: true
+ restarted: "{{ vaultwarden_copy_templates_results.changed }}"
+ become: true
\ No newline at end of file
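Review bot: `admin_token: token` in the sample is rendered verbatim into `ADMIN_TOKEN` by roles/vaultwarden/templates/.env.j2, so anyone who copies all.yml.sample to all.yml without editing it deploys the Vaultwarden admin panel behind the literal password `token`. I would annotate the key in the sample, e.g. `admin_token: token  # REQUIRED: replace with a long random secret (Vaultwarden also accepts an argon2 PHC hash, see its ADMIN_TOKEN docs) and keep the real value in ansible-vault`, and guard the role with an assert such as `- ansible.builtin.assert: { that: vaultwarden.admin_token != 'token' }` before anything is templated. The real value will otherwise sit in plaintext in group_vars/all.yml in the repository unless it is vaulted.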
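Review bot: `restarted: "{{ vaultwarden_copy_templates_results.changed }}"` in the last task of base.yml only reacts to the docker-compose.yml template; the "Copy dotenv as root" task is not registered, so a rotated `vaultwarden.admin_token` (or any other env change) is written to disk but the containers keep running with the old values until something else restarts them. Register the dotenv task too (`register: vaultwarden_copy_dotenv_result`) and use `restarted: "{{ vaultwarden_copy_templates_results.changed or vaultwarden_copy_dotenv_result.changed }}"`. The dotenv task should also carry `no_log: true`, because a run with `--diff` (or a task failure) prints the rendered file, including the admin token and the database password, into the job output. Minor: the first two tasks run without `become` and use the relative path `vaultwarden`, so the compose directory lands in the connecting user's home while the `.env` inside it is root-owned 0600; that works but deserves a comment, and the octal modes are safer quoted (`mode: "0600"`, `mode: "0700"`).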
diff --git a/roles/vaultwarden/tasks/main.yml b/roles/vaultwarden/tasks/main.yml
new file mode 100644
index 0000000..c4e7ea2
--- /dev/null
+++ b/roles/vaultwarden/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+
+- ansible.builtin.import_tasks: base.yml
+ name: base
diff --git a/roles/vaultwarden/templates/.env.j2 b/roles/vaultwarden/templates/.env.j2
new file mode 100644
index 0000000..316db5a
--- /dev/null
+++ b/roles/vaultwarden/templates/.env.j2
@@ -0,0 +1,7 @@
+WEBSOCKET_ENABLED=true
+SIGNUPS_ALLOWED=false
+ADMIN_TOKEN={{ vaultwarden.admin_token }}
+POSTGRES_PASSWORD=vaultwarden
+POSTGRES_DB=vaultwarden
+POSTGRES_USER=vaultwarden
+DATABASE_URL=postgresql://vaultwarden:vaultwarden@db/vaultwarden
\ No newline at end of file
diff --git a/roles/vaultwarden/templates/docker-compose.yml.j2 b/roles/vaultwarden/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..563d7de
--- /dev/null
+++ b/roles/vaultwarden/templates/docker-compose.yml.j2
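Review bot: `POSTGRES_PASSWORD=vaultwarden` and the same credential embedded in `DATABASE_URL` are a fixed database password committed to the repository; the template already takes `vaultwarden.admin_token` from group_vars, so the password should come from a variable the same way, e.g. `POSTGRES_PASSWORD={{ vaultwarden.db_password }}` and `DATABASE_URL=postgresql://vaultwarden:{{ vaultwarden.db_password }}@db/vaultwarden` (the db only sits on the `internal` network, which limits but does not remove the exposure). Because docker-compose.yml.j2 hands this one file to both services via `env_file`, the Postgres container also receives `ADMIN_TOKEN`, `SIGNUPS_ALLOWED` and `DATABASE_URL`; a separate db-only env file would keep the admin secret out of that container. If the admin token is ever supplied as an argon2 PHC string, its `$` characters may be subject to Compose variable interpolation depending on how the value is read — worth a comment on the ADMIN_TOKEN line pointing at the escaping/quoting Vaultwarden's documentation recommends.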
@@ -0,0 +1,53 @@
+version: '3'
+
+services:
+ db:
+ image: postgres:latest
+ restart: always
+ container_name: db
+ networks:
+ - internal
+ env_file:
+ - .env
+ volumes:
+ - {{ server.work_dir }}/vaultwarden/db:/var/lib/postgresql/data
+
+ vaultwarden:
+ image: vaultwarden/server:latest
+ restart: always
+ container_name: vaultwarden
+ networks:
+ - proxy
+ - internal
+ env_file:
+ - .env
+ volumes:
+ - {{ server.work_dir }}/vaultwarden/base:/data
+ labels:
+ - traefik.enable=true
+ - traefik.docker.network=proxy
+ - traefik.http.middlewares.redirect-https.redirectScheme.scheme=https
+ - traefik.http.middlewares.redirect-https.redirectScheme.permanent=true
+ - traefik.http.routers.bitwarden-ui-https.rule=Host(`pwds.{{ server.domain }}`)
+ - traefik.http.routers.bitwarden-ui-https.entrypoints=https
+ - traefik.http.routers.bitwarden-ui-https.tls=true
+ - traefik.http.routers.bitwarden-ui-https.service=bitwarden-ui
+ - traefik.http.routers.bitwarden-ui-http.rule=Host(`pwds.{{ server.domain }}`)
+ - traefik.http.routers.bitwarden-ui-http.entrypoints=http
+ - traefik.http.routers.bitwarden-ui-http.middlewares=redirect-https
+ - traefik.http.routers.bitwarden-ui-http.service=bitwarden-ui
+ - traefik.http.services.bitwarden-ui.loadbalancer.server.port=80
+ - traefik.http.routers.bitwarden-websocket-https.rule=Host(`pwds.{{ server.domain }}`) && Path(`/notifications/hub`)
+ - traefik.http.routers.bitwarden-websocket-https.entrypoints=https
+ - traefik.http.routers.bitwarden-websocket-https.tls=true
+ - traefik.http.routers.bitwarden-websocket-https.service=bitwarden-websocket
+ - traefik.http.routers.bitwarden-websocket-http.rule=Host(`pwds.{{ server.domain }}`) && Path(`/notifications/hub`)
+ - traefik.http.routers.bitwarden-websocket-http.entrypoints=http
+ - traefik.http.routers.bitwarden-websocket-http.middlewares=redirect-https
+ - traefik.http.routers.bitwarden-websocket-http.service=bitwarden-websocket
+ - 
traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012
+
+networks:
+ internal:
+ proxy:
+ external: true
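Review bot: `image: postgres:latest` combined with `pull: true` and `restart: always` from base.yml means an unattended playbook run can pull a new Postgres major, and a data directory initialised by an older major will then refuse to start, taking the password vault offline; pin at least the major (`image: postgres:16`) and pin `vaultwarden/server` to a version tag so upgrades happen deliberately. `container_name: db` is global to the Docker daemon, so it will collide with any other compose project on this host that also calls its database `db`; `container_name: vaultwarden-db` avoids that. Both services get `env_file: - .env`, so the Postgres container also receives the Vaultwarden admin token although it only needs the `POSTGRES_*` keys. The `bitwarden-ui-https` router forwards every path on `pwds.<domain>`, including `/admin`; if the admin panel is not meant to be reachable from everywhere, add a dedicated router for the `/admin` path prefix with a Traefik IP allow-list middleware in front of it.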