diff --git a/hosts/koi/containers/vaultwarden.nix b/hosts/koi/containers/vaultwarden.nix
index fee8428..e593b3e 100644
--- a/hosts/koi/containers/vaultwarden.nix
+++ b/hosts/koi/containers/vaultwarden.nix
@@ -1,46 +1,42 @@
-{ abs, pkgs, lib, config, ... }@inputs:
+{ abs, pkgs, config, ... }@inputs:
 
 let
-  containers = import (abs "lib/containers.nix") inputs;
   secrets = import (abs "lib/secrets.nix");
 
-  env = secrets.mount config "vaultwarden-env";
+  UID = 1109;
 in {
   imports = [
-    (secrets.declare [ "vaultwarden-env" ])
-    (containers.mkNixosContainer {
-      name = "vault";
-      ip = ".0.7";
-      private = true;
+    (secrets.declare [{
+      name = "vaultwarden-env";
+      owner = "vaultwarden";
+    }])
+  ];
 
-      config = { ... }: {
-        services.vaultwarden = {
-          enable = true;
-          config = {
-            SIGNUPS_ALLOWED = false;
-            DOMAIN = "https://bw.tei.su";
-            WEBSOCKET_ENABLED = true;
-            ROCKET_ADDRESS = "0.0.0.0";
-            ROCKET_PORT = 80;
-            DATA_FOLDER = "/mnt/vault/data";
-          };
-          environmentFile = env.path;
-        };
+  virtualisation.oci-containers.containers.vaultwarden = {
+    image = "vaultwarden/server:1.32.0";
+    volumes = [
+      "/srv/vaultwarden:/data"
+    ];
+    environment = {
+      SIGNUPS_ALLOWED = "false";
+      DOMAIN = "https://bw.tei.su";
+      WEBSOCKET_ENABLED = "true";
+      ROCKET_ADDRESS = "0.0.0.0";
+      ROCKET_PORT = "80";
+    };
+    environmentFiles = [
+      (secrets.file config "vaultwarden-env")
+    ];
+    user = builtins.toString UID;
+  };
 
-        systemd.services.vaultwarden.serviceConfig = {
-          ReadWritePaths = [ "/mnt/vault" ];
-        };
+  users.users.vaultwarden = {
+    isNormalUser = true;
+    uid = UID;
+  };
 
-        networking.firewall.allowedTCPPorts = [ 80 ];
-      };
-
-      mounts = {
-        "/mnt/vault" = {
-          hostPath = "/mnt/puffer/vaultwarden-vault";
-          isReadOnly = false;
-        };
-      } // (env.mounts);
-    })
+  systemd.tmpfiles.rules = [
+    "d /srv/vaultwarden 0700 ${builtins.toString UID} ${builtins.toString UID} -"
   ];
 
   services.nginx.virtualHosts."bw.tei.su" = {
@@ -48,7 +44,7 @@ in {
     useACMEHost = "tei.su";
 
     locations."/" = {
-      proxyPass = "http://vault.containers$request_uri";
+      proxyPass = "http://vaultwarden.docker$request_uri";
       proxyWebsockets = true;
     };
   };