diff --git a/hosts/sobotka/server.nix b/hosts/sobotka/server.nix index 6d6d621c..7813f575 100644 --- a/hosts/sobotka/server.nix +++ b/hosts/sobotka/server.nix @@ -12,6 +12,10 @@ }; vaultwarden = { enable = true; + cloudflared = { + tunnelId = "c3f541cb-b97e-4766-ae16-a8d863a3eec8"; + credentialsFile = config.age.secrets.vaultwardenCloudflared.path; + }; }; }; } diff --git a/modules/server/vaultwarden/default.nix b/modules/server/vaultwarden/default.nix index c2e63ee5..4e93b374 100644 --- a/modules/server/vaultwarden/default.nix +++ b/modules/server/vaultwarden/default.nix @@ -11,7 +11,23 @@ cfg = config.server.vaultwarden; in { options = { - server.vaultwarden.enable = mkEnableOption "Enables vaultwarden"; + server.vaultwarden = { + enable = mkEnableOption "Enables vaultwarden"; + cloudflared = { + credentialsFile = lib.mkOption { + type = lib.types.str; + example = lib.literalExpression '' + pkgs.writeText "cloudflare-credentials.json" ''' + {"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"} + ''' + ''; + tunnelId = lib.mkOption { + type = lib.types.str; + example = "00000000-0000-0000-0000-000000000000"; + }; + }; + }; + }; }; config = mkIf cfg.enable { 
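Review bot: The path passed on the `credentialsFile = config.age.secrets.vaultwardenCloudflared.path;` line is only useful if the cloudflared service user can read it, and the `age.secrets.vaultwardenCloudflared` declaration that sets owner and mode is not part of this diff. agenix secrets default to root-owned mode 0400 while the NixOS cloudflared service runs as its own user by default, so unless that declaration sets the owner the tunnel will fail at startup with a permission error; worth confirming with `age.secrets.vaultwardenCloudflared.owner = config.services.cloudflared.user;` wherever the secret is declared. The tunnel ID itself is not sensitive (it is also carried inside the credentials JSON), so keeping it in plain text here is fine.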
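Review bot: As the hunk reads, `tunnelId = lib.mkOption {` is nested inside the `credentialsFile = lib.mkOption {` attrset rather than being its sibling, because only four `};` follow it before the context line that closes `options`; a `};` is missing after the `'';` line, and without it `server.vaultwarden.cloudflared.tunnelId` is never declared and the assignment in hosts/sobotka/server.nix would be rejected (assuming nothing was lost when the diff was collapsed). The example JSON also has a `.` where a `,` belongs: `{"AccountTag":"secret","TunnelSecret":"secret","TunnelID":"secret"}`. Showing `pkgs.writeText` as the example is risky for a file that holds the TunnelSecret, since anything written that way lands world-readable in /nix/store; the example should point at an out-of-store path such as `"/run/agenix/vaultwardenCloudflared"` and both options should carry a `description`, e.g. `description = "Path to the cloudflared tunnel credentials JSON; contains the TunnelSecret, so it must not be a Nix store path.";` for `credentialsFile`.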
@@ -39,24 +55,36 @@ in { }; }; - services.vaultwarden = { - enable = true; - environmentFile = config.age.secrets.vaultwarden-env.path; + services = { + vaultwarden = { + enable = true; + environmentFile = config.age.secrets.vaultwarden-env.path; - backupDir = "/var/backup/vaultwarden"; + backupDir = "/var/backup/vaultwarden"; - config = { - DOMAIN = "https://vault.${domain}"; - SIGNUPS_ALLOWED = false; - ROCKET_ADDRESS = "127.0.0.1"; - ROCKET_PORT = 8222; - IP_HEADER = "CF-Connecting-IP"; + config = { + DOMAIN = "https://vault.${domain}"; + SIGNUPS_ALLOWED = false; + ROCKET_ADDRESS = "127.0.0.1"; + ROCKET_PORT = 8222; + IP_HEADER = "CF-Connecting-IP"; - logLevel = "warn"; - extendedLogging = true; - useSyslog = true; - invitationsAllowed = false; - showPasswordHint = false; + logLevel = "warn"; + extendedLogging = true; + useSyslog = true; + invitationsAllowed = false; + showPasswordHint = false; + }; + }; + cloudflared = { + enable = true; + tunnels.${cfg.cloudflared.tunnelId} = { + credentialsFile = cfg.cloudflared.credentialsFile; + default = "http_status:404"; + ingress."${cfg.url}".service = "http://${vcfg.ROCKET_ADDRESS}:${ + toString vcfg.ROCKET_PORT + }"; + }; }; }; }; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 76f66cd4..11e6d0f3 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -13,4 +13,5 @@ in { "cloudflare-env.age".publicKeys = [cnst kima usobotka rsobotka]; "vaultwarden-env.age".publicKeys = [cnst kima usobotka rsobotka]; "cloudflareFirewallApiKey.age".publicKeys = [cnst kima usobotka rsobotka]; + "vaultwardenCloudflared.age".publicKeys = [cnst kima usobotka rsobotka]; } diff --git a/secrets/vaultwardenCloudflared.age b/secrets/vaultwardenCloudflared.age new file mode 100644 index 00000000..522eb51e Binary files /dev/null and b/secrets/vaultwardenCloudflared.age differ
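Review bot: `ingress."${cfg.url}"` reads `server.vaultwarden.url`, but the options this commit declares are only `enable` and `cloudflared.*`, so unless `url` is declared by another module this evaluates to an undefined-attribute error; `vcfg` is likewise not visible here and is presumably bound in the `let` block above the first hunk. Because the ingress hostname and `DOMAIN = "https://vault.${domain}";` must agree, consider deriving both from one value, e.g. `ingress."vault.${domain}".service = ...` or declaring `server.vaultwarden.url` with `default = "vault.${domain}";`. Trusting `IP_HEADER = "CF-Connecting-IP"` is sound only while Vaultwarden stays bound to `127.0.0.1` and is reached solely through the tunnel, as it is here; a comment such as `# CF-Connecting-IP is trustworthy only because the service is loopback-only and fronted by the cloudflared tunnel` would stop a later change to `ROCKET_ADDRESS` from silently making the logged client IP spoofable.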