diff --git a/hosts/franz/arion/passwords/arion-compose.nix b/hosts/franz/arion/passwords/arion-compose.nix
new file mode 100644
index 0000000..2d6515e
--- /dev/null
+++ b/hosts/franz/arion/passwords/arion-compose.nix
@@ -0,0 +1,32 @@
+{pkgs, ...}: {
+ project.name = "passwords";
+
+ networks.dmz = {
+ name = "dmz";
+ external = true;
+ };
+
+ services = {
+ vaultwarden.service = {
+ image = "vaultwarden/server:latest";
+ container_name = "vaultwarden";
+ labels = {
+ "traefik.enable" = "true";
+ "traefik.http.routers.vaultwarden.entrypoints" = "websecure";
+ "traefik.http.routers.vaultwarden.rule" = "Host(`vaultwarden.ghoscht.com`)";
+ "traefik.http.routers.vaultwarden.tls" = "true";
+ "traefik.http.routers.vaultwarden.tls.certresolver" = "letsencrypt";
+ };
+ volumes = [
+ "/home/ghoscht/.docker/infrastructure/vaultwarden_data/:/data"
+ ];
+ environment = {
+ DOMAIN = "http://vaultwarden.ghoscht.com";
+ };
+ restart = "always";
+ networks = [
+ "dmz"
+ ];
+ };
+ };
+}
diff --git a/hosts/franz/arion/passwords/arion-pkgs.nix b/hosts/franz/arion/passwords/arion-pkgs.nix
new file mode 100644
index 0000000..69aad13
--- /dev/null
+++ b/hosts/franz/arion/passwords/arion-pkgs.nix
@@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import {
+ # We specify the architecture explicitly. Use a Linux remote builder when
+ # calling arion from other platforms.
+ system = "x86_64-linux";
+}
diff --git a/hosts/franz/arion/passwords/default.nix b/hosts/franz/arion/passwords/default.nix
new file mode 100644
index 0000000..c1922c9
--- /dev/null
+++ b/hosts/franz/arion/passwords/default.nix
@@ -0,0 +1,8 @@
+{config, ...}: let
+in {
+ virtualisation.arion = {
+ projects.password.settings = {
+ imports = [./arion-compose.nix];
+ };
+ };
+}
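Review bot: In arion-compose.nix, `DOMAIN = "http://vaultwarden.ghoscht.com";` uses the http scheme although the Traefik labels in the same service put the router on the `websecure` entrypoint with TLS. Vaultwarden derives its links and WebAuthn origin from DOMAIN, so this should read `DOMAIN = "https://vaultwarden.ghoscht.com";`. Separately, `image = "vaultwarden/server:latest"` means any pull can silently change the code that holds the vault; pinning a release tag or digest (placeholder: `vaultwarden/server:<VERSION>`) keeps upgrades deliberate and reviewable. The environment block also leaves registration at Vaultwarden's default of open signups; if this host is reachable from outside, consider adding `SIGNUPS_ALLOWED = "false";` once the intended accounts exist.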
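Review bot: In default.nix the project key `projects.password` does not match `project.name = "passwords"` set in arion-compose.nix. Using the same spelling in both places would avoid confusion when locating the generated unit or compose project. The `let` followed directly by `in` binds nothing and `config` is never used, so the header could be reduced to `{...}: {`.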