diff --git a/security/vaultwarden/docker-compose.yml b/security/vaultwarden/docker-compose.yml
new file mode 100644
index 0000000..6e56cc1
--- /dev/null
+++ b/security/vaultwarden/docker-compose.yml
@@ -0,0 +1,42 @@
+services:
+ vaultwarden:
+ image: vaultwarden/server:latest
+ container_name: vaultwarden
+ restart: unless-stopped
+
+ environment:
+ TZ: Europe/Berlin
+ DOMAIN: https://vault.kaleschke.info
+ WEBSOCKET_ENABLED: "true"
+ SIGNUPS_ALLOWED: "false"
+ INVITATIONS_ALLOWED: "false"
+ ADMIN_TOKEN_FILE: /run/secrets/admin_token
+
+ volumes:
+ - /mnt/user/appdata/vaultwarden:/data
+
+ secrets:
+ - admin_token
+
+ networks:
+ - frontend_net
+
+ security_opt:
+ - no-new-privileges:true
+
+ labels:
+ - traefik.enable=true
+ - traefik.docker.network=frontend_net
+ - traefik.http.routers.vaultwarden.rule=Host(`vault.kaleschke.info`)
+ - traefik.http.routers.vaultwarden.entrypoints=websecure
+ - traefik.http.routers.vaultwarden.tls=true
+ - traefik.http.routers.vaultwarden.tls.certresolver=le
+ - traefik.http.services.vaultwarden.loadbalancer.server.port=80
+
+secrets:
+ admin_token:
+ file: /mnt/user/appdata/secrets/vaultwarden_admin_token.txt
+
+networks:
+ frontend_net:
+ external: true
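Review bot: `image: vaultwarden/server:latest` leaves a password vault on a mutable tag, so any pull or recreate can silently change the code that handles every stored credential; pin it to a release and digest, e.g. `image: vaultwarden/server:<release-tag>@sha256:<digest>` (placeholders, to be filled with the version you have verified). Setting `ADMIN_TOKEN_FILE` also turns on the `/admin` panel, and the single `Host(...)` router publishes it on `websecure` together with the vault, so the token is its only protection. Consider a separate router for the `/admin` path prefix with an IP allow-list middleware, and confirm that the secret file holds an Argon2 PHC string rather than a plaintext token, since the diff does not show its contents. The service also keeps the image's default user and capabilities; a `cap_drop: [ALL]` entry, adding back only what binding port 80 requires, would complement the existing `no-new-privileges:true`.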