diff --git a/apps/kustomization.yaml b/apps/kustomization.yaml
index b1a9d68..3150772 100644
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@@ -14,4 +14,5 @@ resources:
 - technitium
 - thelounge
 - uptime-kuma
- - znc
\ No newline at end of file
+ - znc
+ - vaultwarden
\ No newline at end of file
diff --git a/apps/vaultwarden/configmap.yaml b/apps/vaultwarden/configmap.yaml
new file mode 100644
index 0000000..0b57fac
--- /dev/null
+++ b/apps/vaultwarden/configmap.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: vaultwarden-config
+data:
+ DOMAIN: "https://passwords.prettysunflower.moe"
+ SMTP_HOST: mail.prettysunflower.moe
+ SMTP_FROM: vaultwarden@prettysunflower.moe
+ SMTP_PORT: "587"
+ SMTP_SECURITY: starttls
+ SMTP_USERNAME: me@prettysunflower.moe
+ SIGNUPS_DOMAINS_WHITELIST: prettysunflower.moe
\ No newline at end of file
diff --git a/apps/vaultwarden/deployment.yaml b/apps/vaultwarden/deployment.yaml
new file mode 100644
index 0000000..723994e
--- /dev/null
+++ b/apps/vaultwarden/deployment.yaml
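Review bot: Registration is limited by `SIGNUPS_DOMAINS_WHITELIST`, but nothing in this ConfigMap requires the address to be confirmed, so a signup with any address in that domain is accepted without proof of mailbox ownership. Since SMTP is configured in the same file, add `SIGNUPS_VERIFY: "true"` so an account only becomes usable once the mailbox confirms it. The unquoted values are safe as written, but quoting them the way `DOMAIN` and `SMTP_PORT` already are, e.g. `SMTP_SECURITY: "starttls"`, keeps every entry an explicit string and survives reformatting tools.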
@@ -0,0 +1,58 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: vaultwarden
+ labels:
+ app.kubernetes.io/name: vaultwarden
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: vaultwarden
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: vaultwarden
+ spec:
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: location
+ operator: In
+ values:
+ - fsn
+ volumes:
+ - name: vaultwarden-data
+ persistentVolumeClaim:
+ claimName: vaultwarden-data-pvc
+ hostAliases:
+ - ip: "100.113.193.5"
+ hostnames:
+ - "mail.prettysunflower.moe"
+ containers:
+ - name: teable
+ image: vaultwarden/server:1.34.1
+ ports:
+ - containerPort: 80
+ name: http
+ envFrom:
+ - configMapRef:
+ name: vaultwarden-config
+ - secretRef:
+ name: vaultwarden-secrets
+ volumeMounts:
+ - name: vaultwarden-data
+ mountPath: "/data"
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
\ No newline at end of file
diff --git a/apps/vaultwarden/kustomization.yaml b/apps/vaultwarden/kustomization.yaml
new file mode 100644
index 0000000..8d4a522
--- /dev/null
+++ b/apps/vaultwarden/kustomization.yaml
@@ -0,0 +1,6 @@
+resources:
+ - configmap.yaml
+ - deployment.yaml
+ - pvc.yaml
+ - secrets.yaml
+ - services.yaml
\ No newline at end of file
diff --git a/apps/vaultwarden/pvc.yaml b/apps/vaultwarden/pvc.yaml
new file mode 100644
index 0000000..d70c3a9
--- /dev/null
+++ b/apps/vaultwarden/pvc.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: vaultwarden-data-pvc
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+ storageClassName: seaweedfs-storage
\ No newline at end of file
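Review bot: The container securityContext runs the process as uid 1000 with every capability dropped, yet the container exposes port 80, which is also the vaultwarden/server image's default listen port (ROCKET_PORT); an unprivileged process cannot bind a port below 1024 unless the node lowers net.ipv4.ip_unprivileged_port_start, so the pod will likely crash-loop at startup. Move the listener above 1024 and keep the port declaration in step, e.g. `ROCKET_PORT: "8080"` in the ConfigMap and `- containerPort: 8080` here; the Service targets the named port `http`, so it needs no change. `- name: teable` looks like a copy-paste leftover and should read `- name: vaultwarden`. With a single ReadWriteOnce PVC the default RollingUpdate strategy can leave the replacement pod stuck waiting for the volume the old pod still holds, so add `strategy: {type: Recreate}` under `spec`. No pod-level `fsGroup` is set, so confirm the seaweedfs volume is writable by uid/gid 1000 or writes to `/data` will fail.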
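Review bot: `- secrets.yaml` names a file this commit does not add — the Secret is committed as `secrets.sops.yaml` — so a plain `kustomize build` of this directory fails with a missing-resource error unless some decryption step writes `secrets.yaml` before the build, and no such step is visible in the diff. If the cluster's SOPS integration decrypts resources in place (Flux's kustomize-controller does), the entry should be `- secrets.sops.yaml`; otherwise add the generator or pre-build step that produces `secrets.yaml` and make sure that decrypted file stays out of version control.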
diff --git a/apps/vaultwarden/secrets.sops.yaml b/apps/vaultwarden/secrets.sops.yaml
new file mode 100644
index 0000000..32105ee
--- /dev/null
+++ b/apps/vaultwarden/secrets.sops.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: vaultwarden-secrets
+type: Opaque
+stringData:
+ SMTP_PASSWORD: ENC[AES256_GCM,data:ufFFpjspCNUdGT3sYNuuKQ==,iv:D3h1kX9ZQ9530gJ63L/YBD15NKu8j8OxhKcCzP61vnM=,tag:IxXauPdCxSqlYRtzFH0Hhw==,type:str]
+ DATABASE_URL: ENC[AES256_GCM,data:7+H4czU+m7HZhda+y7mj9ST6bayMgC+jcQmRgcLlmZFV+4Nnzypd2vefOrhLAiZV9wpOi1orKvUtcrl9gNsBjOXxgkVGSos6W+pKnckupikbknW+Ra99ij5VJw==,iv:f3zvmuf1Z6ysdmvC0kbstOnkvM9O/zYsrkv5pP026HA=,tag:286U6+3GZyfwZxK2L4wWSw==,type:str]
+sops:
+ age:
+ - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VFNZYnJzd2NQYXV1ckd2
+ d3lybWtYbUJIcWxnVlhLV09STTRtVDdhZVZVClZQOVZQZTJqQzJkb3R0clBxNG5q
+ elY2MFNpNGVLTVYyQkJENUJ5SmQ5TWsKLS0tIGFmWDRsUS9YZVgwaFBsN3RZcVlz
+ VFRQMEprYVA0ZEU1ZG5ienJ1dEt5S28KgCutiomxOnX/G58d4XOBOJxgr5W9NW0s
+ GogonWwuW7gCHvS0K2LQFYaQpZtM++9y+IjTFwUYv2fIxuKBkd5QVw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-06-23T15:29:56Z"
+ mac: ENC[AES256_GCM,data:fFr7jczPTJKtBui7cItBem3TEO2VAEGp6GfyvPeJ3/ZjxUJzxSjIUiTTAVWKYq4a4O69tCHijFfXMlAXSf4C/CgjfFpi0y459gn4Iz0GC8uD2YlJS5558tB8roc5QPF5NK6SN2AtIAOTe37ScbI//aKzM0LYTEb1Lke18yei4Fw=,iv:GzIaYOUgk684UX1lpIhP6iuoxVTenVWfhAbV4tcO8So=,tag:+mY461BhKOJUggExjK7AHA==,type:str]
+ encrypted_regex: ^(data|stringData)$
+ version: 3.10.2
diff --git a/apps/vaultwarden/services.yaml b/apps/vaultwarden/services.yaml
new file mode 100644
index 0000000..f6ab5f8
--- /dev/null
+++ b/apps/vaultwarden/services.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: vaultwarden
+spec:
+ type: ClusterIP
+ selector:
+ app.kubernetes.io/name: vaultwarden
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: http
\ No newline at end of file