diff --git a/hosts/astral/default.nix b/hosts/astral/default.nix
index 421f5e0..4e019e7 100644
--- a/hosts/astral/default.nix
+++ b/hosts/astral/default.nix
@@ -1,9 +1,10 @@
-{ nixosModules, modulesPath, lib, pkgs, ... }: {
+{ modulesPath, nixosModules, agenix, lib, pkgs, config, ... }: {
   imports = [
     "${modulesPath}/virtualisation/amazon-image.nix"
     nixosModules.nano
     nixosModules.nettika
     nixosModules.promptmoji
+    agenix.nixosModules.default
   ];
 
   boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
@@ -14,7 +15,10 @@
       dates = "weekly";
       options = "--delete-older-than 30d";
     };
-    settings.trusted-users = [ "@wheel" ];
+    settings = {
+      trusted-users = [ "@wheel" ];
+      experimental-features = [ "nix-command" "flakes" ];
+    };
   };
 
   networking = {
@@ -22,6 +26,8 @@
     firewall.allowedTCPPorts = [ 80 443 ];
   };
 
+  age.secrets.vaultwarden-env.file = ./secrets/vaultwarden-env.age;
+
   users.defaultUserShell = pkgs.fish;
   security.sudo.wheelNeedsPassword = false;
 
@@ -33,9 +39,28 @@
         respond "astral is online"
         header Strict-Transport-Security: "max-age=63072000; includeSubDomains"
       '';
+      "vault.leaf.ninja".extraConfig = ''
+        reverse_proxy localhost:8222
+      '';
     };
   };
 
+  services.vaultwarden = {
+    enable = true;
+    config = {
+      domain = "https://vault.leaf.ninja";
+      signupsAllowed = false;
+      rocketAddress = "0.0.0.0";
+      rocketPort = 8222;
+      smtpHost = "smtp.migadu.com";
+      smtpFrom = "vaultwarden@leaf.ninja";
+      smtpPort = 587;
+      smtpSecurity = "starttls";
+      smtpUsername = "vaultwarden@leaf.ninja";
+    };
+    environmentFile = config.age.secrets.vaultwarden-env.path;
+  };
+
   programs.fish.enable = true;
   documentation.man.generateCaches = false;
 
diff --git a/hosts/astral/secrets/vaultwarden-env.age b/hosts/astral/secrets/vaultwarden-env.age
new file mode 100644
index 0000000..83accd1
Binary files /dev/null and b/hosts/astral/secrets/vaultwarden-env.age differ
diff --git a/hosts/default.nix b/hosts/default.nix
index 23f9596..2c19793 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
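Review bot: `rocketAddress = "0.0.0.0"` in the new services.vaultwarden block binds the Rocket listener on every interface, although its only consumer is the Caddy vhost added in the same hunk, which proxies to `localhost:8222`; `rocketAddress = "127.0.0.1";` keeps the plain-HTTP backend off the network instead of relying on the firewall allow-list (80/443 in the earlier hunk) as the sole barrier. The new `"vault.leaf.ninja"` vhost also omits the `header Strict-Transport-Security` line the root vhost sets, so unless Vaultwarden emits that header itself the vault origin is not HSTS-covered; I'd copy that line into its extraConfig. A one-line comment on `environmentFile`, e.g. `# agenix-managed env file; presumably carries the SMTP password, since smtpUsername is set here without one`, would tell a reader what the secret is expected to hold.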
@@ -1,25 +1,24 @@ { self, nixpkgs, phps, agenix, ... }: -let inherit (nixpkgs.lib) nixosSystem; +let + baseSpecialArgs = { + inherit (self) nixosModules; + inherit agenix; + }; + nixosSystem = args: + nixpkgs.lib.nixosSystem + (nixpkgs.lib.recursiveUpdate args { specialArgs = baseSpecialArgs; }); in { marauder = nixosSystem { system = "x86_64-linux"; modules = [ ./marauder ]; - specialArgs = { - inherit (self) nixosModules; - inherit phps agenix; - }; + specialArgs = { inherit phps; }; }; astral = nixosSystem { system = "x86_64-linux"; modules = [ ./astral ]; - specialArgs = { inherit (self) nixosModules; }; }; quasar = nixosSystem { system = "x86_64-linux"; modules = [ ./quasar ]; - specialArgs = { - inherit (self) nixosModules; - inherit agenix; - }; }; } diff --git a/hosts/marauder/secrets/restic-env.age b/hosts/marauder/secrets/restic-env.age index 1d93a5d..55e4f77 100644 --- a/hosts/marauder/secrets/restic-env.age +++ b/hosts/marauder/secrets/restic-env.age @@ -1,5 +1,6 @@ age-encryption.org/v1 --> ssh-ed25519 f+PJrQ qccE2xAzfBZ3DCRQtQDgwS1UzjlZx44oUrYjcDfMfDk -I2l6xRJsdQLYB2cMo0Kfi6mVyhZsuSPFG574P8pl12Y ---- WoBlo7fqYRkiBYPoLpa3wHB8ZPCVy32a4aL5UswCHJc -LΚ[N<#] B}f%PxKۨkI ssh-ed25519 f+PJrQ VJshLBSbF93anR9fOJ3Kwhxh1AOdvsS0hoJ86Bw9oBQ +It8hELrRN+EYt9nv75lVHha+ZDUhCDNQVczDZVlDCBs +--- xzJ/50+WOA+IWRXiAvBbJLUlsgsSztQrzbimng2QdlU +Ϭjҍ8K7$wbԲǰ~]NB]QM+cw +Jo͔Sؚ!NDuOnZnNѵV:kc)|JopSHfu19 \ No newline at end of file diff --git a/hosts/marauder/secrets/restic-password.age b/hosts/marauder/secrets/restic-password.age index 58bbd5c..6722ce5 100644 Binary files a/hosts/marauder/secrets/restic-password.age and b/hosts/marauder/secrets/restic-password.age differ diff --git a/hosts/quasar/default.nix b/hosts/quasar/default.nix index 289cf4b..c4d5809 100644 --- a/hosts/quasar/default.nix +++ b/hosts/quasar/default.nix 
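Review bot: The `nixosSystem` wrapper passes `args` first and `{ specialArgs = baseSpecialArgs; }` second to `recursiveUpdate`, so the shared `nixosModules`/`agenix` values silently win over any same-named attribute a host puts in its own `specialArgs`; marauder's `{ inherit phps; }` merges correctly today, but a future per-host override of either name would be dropped without any error. If host-level precedence is the intent, swap the operands: `(nixpkgs.lib.recursiveUpdate { specialArgs = baseSpecialArgs; } args)`. Either way a short comment above the binding, e.g. `# shared specialArgs take precedence over per-host ones`, would make the merge order explicit.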
@@ -28,7 +28,7 @@
     matrix-synapse-secrets.file = ./secrets/matrix-synapse-secrets.age;
   };
 
-  services.postgresql = { enable = true; };
+  services.postgresql.enable = true;
 
   services.caddy = {
     enable = true;
diff --git a/hosts/quasar/secrets/matrix-synapse-secrets.age b/hosts/quasar/secrets/matrix-synapse-secrets.age
index f8716bd..5fba682 100644
Binary files a/hosts/quasar/secrets/matrix-synapse-secrets.age and b/hosts/quasar/secrets/matrix-synapse-secrets.age differ
diff --git a/secrets.nix b/secrets.nix
index 1e8ad6a..48f0c4b 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -1,10 +1,14 @@
 let
-  marauder.nettika =
+  marauder =
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHopty1QG8P+OfGxQ9CV0BI1IRB/q6yITzMZaZ6Zspid";
+  astral =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILRJf6qsNoITXPBdiFsmZuLR0dyP/D6WYNP/RQynl3kf";
+  quasar =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOoVsKoMEiA2G0WIC/6gFsNE09yhumWf4xnDuoRcD2Px";
 in {
-  "hosts/marauder/secrets/restic-env.age".publicKeys = [ marauder.nettika ];
-  "hosts/marauder/secrets/restic-password.age".publicKeys =
-    [ marauder.nettika ];
+  "hosts/marauder/secrets/restic-env.age".publicKeys = [ marauder ];
+  "hosts/marauder/secrets/restic-password.age".publicKeys = [ marauder ];
   "hosts/quasar/secrets/matrix-synapse-secrets.age".publicKeys =
-    [ marauder.nettika ];
+    [ marauder quasar ];
+  "hosts/astral/secrets/vaultwarden-env.age".publicKeys = [ marauder astral ];
 }
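Review bot: Every rule in the new secrets.nix, including the quasar and astral entries, lists `marauder` as a recipient, so that one key (presumably marauder's SSH host key) can decrypt all three hosts' secrets and a compromise of marauder exposes the vaultwarden and matrix-synapse credentials as well as its own restic ones. If `marauder` is there only so the files can be edited from that machine, a dedicated admin key kept off the servers would give the same convenience while confining each host key to its own secrets. The rename from `marauder.nettika` to `marauder` also drops the hint of what the key is; a `# <host> ssh host key` comment above each `ssh-ed25519` literal would keep the recipient list auditable.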