diff --git a/proxmox/services/vaultwarden.yml b/proxmox/services/vaultwarden.yml
new file mode 100644
index 0000000..4d27825
--- /dev/null
+++ b/proxmox/services/vaultwarden.yml
@@ -0,0 +1,41 @@
+version: '3.8'
+
+# Deploy with:
+#   docker stack deploy -c vaultwarden.yml vaultwarden
+#
+# Runs on: pve-tools
+# Self-hosted Bitwarden-compatible password manager.
+# Uses default SQLite backend; data persisted in a named volume.
+# Web vault exposed on port 8222.
+
+services:
+  vaultwarden:
+    image: vaultwarden/server:latest
+    environment:
+      SIGNUPS_ALLOWED: "false"
+      INVITATIONS_ALLOWED: "true"
+      SHOW_PASSWORD_HINT: "false"
+      ROCKET_PORT: 8222
+    ports:
+      - "8222:8222"
+    volumes:
+      - vaultwarden_data:/data
+    networks:
+      - overlay-net
+    deploy:
+      replicas: 1
+      placement:
+        constraints:
+          - node.hostname == pve-tools
+      restart_policy:
+        condition: on-failure
+        delay: 5s
+        max_attempts: 3
+
+volumes:
+  vaultwarden_data:
+
+networks:
+  overlay-net:
+    external: true
+    name: ${OVERLAY_NETWORK:-homelab-net}