diff --git a/modules/nixos/services/homeserver/kanidm.nix b/modules/nixos/services/homeserver/kanidm.nix
index 988186e..e475f6d 100644
--- a/modules/nixos/services/homeserver/kanidm.nix
+++ b/modules/nixos/services/homeserver/kanidm.nix
@@ -3,20 +3,17 @@
 { sops.secrets = { "acme/secrets.env" = {};
-
- "kanidm/oauth2/grafana" = {
- owner = "kanidm";
- group = "kanidm";
- };
- "kanidm/oauth2/jellyfin" = {
- owner = "kanidm";
- group = "kanidm";
- };
- "kanidm/oauth2/nextcloud" = {
- owner = "kanidm";
- group = "kanidm";
- };
- };
+ }
+ // lib.genAttrs [
+ "kanidm/oauth2/grafana"
+ "kanidm/oauth2/jellyfin"
+ "kanidm/oauth2/nextcloud"
+ "kanidm/oauth2/vaultwarden"
+ ]
+ (x: {
+ owner = "kanidm";
+ group = "kanidm";
+ });
 users.groups.tls-kanidm.members = [ "caddy" "kanidm" ];
@@ -75,17 +72,20 @@
 "grafana_users" "jellyfin_users" "nextcloud_users"
+ "vaultwarden_users"
 "grafana_admins" "jellyfin_admins" ]; };
- groups = {
- grafana_users = {};
- jellyfin_users = {};
- nextcloud_users = {};
-
+ groups = lib.genAttrs [
+ "grafana_users"
+ "jellyfin_users"
+ "nextcloud_users"
+ "vaultwarden_users"
+ ] (x: {})
+ // {
 grafana_admins.members = [ "grafana_users" ]; jellyfin_admins.members = [ "jellyfin_users" ]; };
@@ -122,6 +122,16 @@
 basicSecretFile = config.sops.secrets."kanidm/oauth2/nextcloud".path; scopeMaps.nextcloud_users = [ "openid" "profile" ]; };
+
+ vaultwarden = {
+ displayName = "Vaultwarden";
+ originUrl = "https://vaultwarden.taild5f7e6.ts.net/identity/connect/oidc-signin";
+ originLanding = "https://vaultwarden.taild5f7e6.ts.net";
+
+ preferShortUsername = true;
+ basicSecretFile = config.sops.secrets."kanidm/oauth2/vaultwarden".path;
+ scopeMaps.vaultwarden_users = [ "openid" "email" "profile" "offline_access" ];
+ };
 }; };
diff --git a/modules/nixos/services/homeserver/vaultwarden.nix b/modules/nixos/services/homeserver/vaultwarden.nix
index 40f4b54..e788729 100755
--- a/modules/nixos/services/homeserver/vaultwarden.nix
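Review bot: The lambda `(x: { owner = "kanidm"; group = "kanidm"; })` handed to lib.genAttrs never uses `x`; writing it `(_: { ... })` makes that explicit, and the same applies to `(x: {})` in the groups hunk of this file. The module's argument list sits above this hunk, so `lib` must already be bound there for `lib.genAttrs` to evaluate — the removed code did not need it, so that is worth confirming. None of the four `kanidm/oauth2/*` secrets declare `restartUnits`; if Kanidm's provisioning only reads `basicSecretFile` when the service starts, a rotated client secret would not reach Kanidm until the next restart, so `restartUnits = [ "kanidm.service" ];` in the shared body is presumably wanted.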
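Review bot: The new `vaultwarden` client leaves `allowInsecureClientDisablePkce` unset, so Kanidm will demand PKCE on the authorization-code exchange; the Vaultwarden side in vaultwarden.nix therefore has to perform PKCE (presumably via its `SSO_PKCE` setting) or logins fail at the token step, and a one-line comment above `originUrl` tying the two files together would make that dependency visible. `offline_access` in `scopeMaps.vaultwarden_users` hands every group member a refresh token, which is wider than the `openid profile` the sibling clients get; a comment such as `# offline_access: Vaultwarden keeps its session alive through IdP refresh tokens` would record that this is deliberate. The enclosing `oauth2` attribute set begins before this hunk.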
+++ b/modules/nixos/services/homeserver/vaultwarden.nix
@@ -1,7 +1,10 @@
 { config, ... }: {
- sops.secrets."vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
+ sops.secrets = {
+ "vaultwarden/secrets.env".restartUnits = [ "vaultwarden.service" ];
+ "kanidm/oauth2/vaultwarden".restartUnits = [ "vaultwarden.service" ];
+ };
 services.caddy.virtualHosts."vaultwarden.taild5f7e6.ts.net".extraConfig = assert config.services.caddy.enable;
@@ -23,6 +26,12 @@
 IP_HEADER = "X-Forwarded-For"; SIGNUPS_ALLOWED = false;
+ SSO_ENABLED = true;
+ SSO_ONLY = true;
+ SSO_CLIENT_ID = "vaultwarden";
+ SSO_AUTHORITY = "https://kanidm.wo2wz.fyi/oauth2/openid/vaultwarden";
+ SSO_SCOPES = "openid email profile offline_access";
+ SSO_CLIENT_CACHE_EXPIRATION = 600;
 TRASH_AUTO_DELETE_DAYS = 30; };
diff --git a/secrets/drone.yaml b/secrets/drone.yaml
index d8fc99f..7acd60e 100755
--- a/secrets/drone.yaml
+++ b/secrets/drone.yaml
@@ -13,6 +13,7 @@ kanidm:
 grafana: ENC[AES256_GCM,data:9aWa5SJ4UNWcQCCRT9rL6XnoUjlkXeifBYe3fL4xRbNC3bc5L6jNtJOF9v0ZZ874pTr/dnv5LzLz/ISLDQWfnw==,iv:+V+JjP2EA02cn7aFif262DjqoCXYRLqXv2jR0pc457c=,tag:CI9daTCxkeOueb3d//hx0A==,type:str]
 jellyfin: ENC[AES256_GCM,data:37edw83rscw19EiFOVUYoq33awKMWw+XXN6KKYYjEdKwtBx7I01RuOha3DkspFM7zJdmZf3E6IL1UT3N/sBB6w==,iv:T9N4h90799xOhFeNxqmKR0nDGn6BXuIGB4DiOIkt6vk=,tag:JZuu+uqRKAbQskKxzOPIEQ==,type:str]
 nextcloud: ENC[AES256_GCM,data:P7ha6OwX6A5PyNO4xy+UTfdQBeKbktJbK5Ggv/fLuW+SDrxTehuwM1F9A5el3j1Dsegk3VsrrTPBZTVU6i5qwA==,iv:YcvNvAZHjdBd9q5Uxdp+Phj5uQRqLoRi33rIzUcv7Ng=,tag:cXM58lfOpHbTbaJRNUm1Kw==,type:str]
+ vaultwarden: ENC[AES256_GCM,data:8k89RkSKDExFhFMcdWXG6+R/SJX70gPpbv8F5hlOga6BexaqNisdVdDhkejxpsFX9YdBEPFR9Kzm9/b7f0aQlw==,iv:vTlczksBkENWjxBgyNab5v//AWCgron5mjjuM/+CH/4=,tag:XwB8nSWeK4qyI6qYa+7iHA==,type:str]
 nextcloud:
 adminpass: ENC[AES256_GCM,data:eSQQkhcXB4s9pnJ1hToGgyEr+rGlMIKHLsU0EemMOng=,iv:USq1winT7GPGVKwDjfF+cFs/dj395zgXyTVQ/x1KNS0=,tag:Me6MKsZwUc4sjZIPfZmk+A==,type:str]
 restic:
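Review bot: `"kanidm/oauth2/vaultwarden".restartUnits = [ "vaultwarden.service" ];` restarts Vaultwarden whenever a secret that kanidm.nix declares with `owner = "kanidm"` changes, yet nothing visible in this file shows vaultwarden.service reading that path. If the client secret reaches Vaultwarden through `vaultwarden/secrets.env` instead, the second entry is presumably there to keep the two copies in step after a rotation; a comment stating that intent, such as `# same client secret as SSO_CLIENT_SECRET in secrets.env — restart so both sides agree`, would stop the next reader from deleting it as redundant. The attribute set this lives in continues past the hunk.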
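Review bot: `SSO_ONLY = true` removes the master-password login path, so every sign-in now depends on `kanidm.wo2wz.fyi` being reachable and on the client secret matching the Kanidm side — `SSO_CLIENT_SECRET` does not appear in the hunk, so it is presumably in `vaultwarden/secrets.env`, and a comment next to `SSO_ENABLED` naming where it lives would save a search. With `SIGNUPS_ALLOWED = false` kept, Vaultwarden presumably still requires an invitation before a user's first SSO login succeeds; confirm that against the SSO documentation, or state the intended onboarding flow in a comment so the combination is not read as a misconfiguration. `SSO_SCOPES` matches the `scopeMaps.vaultwarden_users` list in kanidm.nix, which is good, but the two must be kept in step by hand — worth a comment on either side. The enclosing `config` attribute set starts before this hunk.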
@@ -24,7 +25,7 @@ syncthing:
 cert.pem: ENC[AES256_GCM,data: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,iv:rUJIqoZa9pSMUxSqUmUKnlUahKLEW/vzzmNI4V0LniE=,tag:EKExs0ms3LbIh7FJA923aA==,type:str]
 key.pem: ENC[AES256_GCM,data:jhYr/fFLvWOGKb7poh3reEDs6WatAoVgYEWw7Y5jwI06eAUO7yQCPpJefKZ+/0VRi0noX71U9Ul/Nv7VNo5bnZ8Yf0fcVxw8FBo0tMXYwg5AMqnJOIr3B48UZUJ9JiWjKG53rE7iGSbnJ4rzvVxB1Opu/wcEDzY=,iv:90R7tjucK/ogTicwAYL5VZ7YF0gCU7KberPQNtAwkBU=,tag:ECCuskrOefltx11+lk2NBA==,type:str]
 vaultwarden:
- secrets.env: ENC[AES256_GCM,data:bvAAiZ/MTqwHzaNFw8C23R4w2wg7v01yL/Oz3PLty6VRCgivwvySVShV3ijde/zW/N4d6dYlG76sCemlWi/79/UcIV8sZivnLZ124oYh2iuBMNv9cLrwG/PiPYO74lyq+WcIhIimnur4f/o5PbqoanDfVTru50v5+3ovwuK1MsjOaLGU,iv:rrDfCcmzl3vpr6JVoNU5rlxYfCCZi3hUzEX5IlEoThU=,tag:dSEY6NOxRggyd28pbvV30w==,type:str]
+ secrets.env: ENC[AES256_GCM,data:t2eCgDCvN7kZQcSMb2LhJjnbX32YEHCn2fEQ8npW0HQAqnFoFZjik0UzjN/kCmILV7pFk1TKDaXctYbEsOyRZXPJaLDS5URYJQspPJlFEi1hsapWy49f8FG+rnjLCDHLKHt+UsIN4vfNbNZGVK4vpqHdx+1hVi4vWBQVVihMR+Ho9FVm9tTaP7B7Fm88ibGzc1ov9B/PUagEheVljy+9Y+8V3wFeiTzVotbhTJ7qr4Nj/80df2LTkMfzWSc5YVFom6crxihlSX7F779e4JgYGtjfp3O3xW/hQGJHHd98F1KbjT+q/eDO5A==,iv:iCMHcHwozcWzyb2ewgWwbEmF4qm5gAHA1NCcqI6pPYw=,tag:DPWsHovqpMzevMHv/msQLg==,type:str]
 sops:
 age:
 - recipient: age19ey5xs9gxy0738tcp2a66zcye2cxj6suhcwa6y39x3w0sdvyr5tsxp0rlj
@@ -36,7 +37,7 @@ sops:
 N0U5bkt4aXJOS3N0Z2N4YTg4TDVUVncKCQLUTMmdM/IPzV3NDRhPdta1tvXxy/6P
 RYbLzlUryw+tqfTp8nDrdxyOWScLNzPOswAq0Qf7VMcEQ5bJEkAOhQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-12-18T17:37:25Z"
- mac: ENC[AES256_GCM,data:WAbxmwCprdQOJSH1tXdPoTU8BxeesDRfCR5iY4t3LV5AbCDJBGETtBNIRN7/RcHjAZQri1AW/Z+esqAzbytp29To3vaGJX3LgHLM/1A+jpW10V2dUwlBrILNKivift2/wY4+oUMVqK5xY3rxtvvL2GO6gFq4B5Yu4NIhzgv2VgE=,iv:aoislG3JujD8clv1UIT92PZrxZgLcH5wQ77LvLnQgYA=,tag:0n5TpxlJpxwvkBRn5UrHdA==,type:str]
+ lastmodified: "2026-01-11T18:41:54Z"
+ mac: ENC[AES256_GCM,data:3PAGANiT332H89BQnKgES5eolecmdjfbYT14Tr+svutKBao3T+jmcbUotlAS00fzfjnqozEgdDNDeuCTK5UugZsdwJ5RH2QcpL4oV/jTPPoMVpvvKGL9X0z3PdryyloBcTNOYRMk8rEDs7bPCmEZzbshHIcx8PkIaP6BeT0TO/U=,iv:Vvy+gH/rqJA0e/R/WFP8UBfMZgDqqHm5z53gdv5G8r4=,tag:q0amJGRC1fbvqUDHTA2GeQ==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0