diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix
index 38a2192..93ce630 100644
--- a/modules/services/vaultwarden.nix
+++ b/modules/services/vaultwarden.nix
@@ -1,34 +1,70 @@ -{ config, ... }: { - services.vaultwarden = { - enable = true; - dbBackend = "sqlite"; - config = { - SIGNUPS_ALLOWED = false; - ENABLE_WEBSOCKET = true; - SENDS_ALLOWED = true; - INVITATIONS_ENABLED = true; - EMERGENCY_ACCESS_ALLOWED = true; - EMAIL_ACCESS_ALLOWED = true; - DOMAIN = "https://passwords.liv.town"; - ROCKET_ADDRESS = "0.0.0.0"; - ROCKET_PORT = 8003; + config, + host, + pkgs, + username, + ... +}: +let + baseRepo = "ssh://liv@dandelion:9123/spinners/rootvol/backups/${host}"; +in +{ + services = { + vaultwarden = { + enable = true; + dbBackend = "sqlite"; + config = { + SIGNUPS_ALLOWED = false; + ENABLE_WEBSOCKET = true; + SENDS_ALLOWED = true; + INVITATIONS_ENABLED = true; + EMERGENCY_ACCESS_ALLOWED = true; + EMAIL_ACCESS_ALLOWED = true; + DOMAIN = "https://passwords.liv.town"; + ROCKET_ADDRESS = "0.0.0.0"; + ROCKET_PORT = 8003; + }; }; - }; - services.nginx = { - enable = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - virtualHosts = { - "passwords.liv.town" = { - forceSSL = true; - sslCertificate = "/var/lib/acme/liv.town/cert.pem"; - sslCertificateKey = "/var/lib/acme/liv.town/key.pem"; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}/"; - proxyWebsockets = true; + nginx = { + enable = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + virtualHosts = { + "passwords.liv.town" = { + forceSSL = true; + sslCertificate = "/var/lib/acme/liv.town/cert.pem"; + sslCertificateKey = "/var/lib/acme/liv.town/key.pem"; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}/"; + proxyWebsockets = true; + }; }; }; }; + borgbackup.jobs."violet-vaultwarden" = { + paths = [ "/var/lib/bitwarden_rs" ]; + repo = "${baseRepo}/var-vaultwarden"; + encryption.mode = "none"; + compression = "auto,zstd"; + startAt = "daily"; + preHook = '' + systemctl stop vaultwarden + ''; + postHook = '' 
+ systemctl start vaultwarden + if [ $exitStatus -eq 2 ]; then + ${pkgs.ntfy-sh}/bin/ntfy send https://notify.liv.town/${host} "borgbackup: ${host} backup (vaultwarden) failed with errors" + else + ${pkgs.ntfy-sh}/bin/ntfy send https://notify.liv.town/${host} "borgbackup: ${host} backup (vaultwarden) completed succesfully with exit status $exitStatus" + fi + ''; + user = "root"; + extraCreateArgs = [ + "--stats" + ]; + environment = { + BORG_RSH = "ssh -p 9123 -i /home/${username}/.ssh/id_ed25519"; + }; + }; }; }
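Review bot: `encryption.mode = "none";` in the new borgbackup job sends the whole Vaultwarden data directory (`/var/lib/bitwarden_rs`) to the remote repository without repository-side encryption, so anyone who can read the `backups/${host}` tree on the backup host can read the sqlite database and whatever else the directory holds; vault items are client-encrypted, but the surrounding data (user records, attachments, any server key material — verify what the directory actually contains) is not. Consider `encryption.mode = "repokey-blake2";` together with `encryption.passCommand` reading a root-only secret file, so a compromise of the backup target does not expose the service data. The job also runs as root with `BORG_RSH` pointing at `/home/${username}/.ssh/id_ed25519`, the interactive user's key; a dedicated key, restricted on the backup host to `borg serve --restrict-to-repository ...`, would bound what this job can reach if the key is misused. Minor: the success message reads `succesfully`.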