diff --git a/azure-inv/group_vars/vaultwarden/all.yaml b/azure-inv/group_vars/vaultwarden/all.yaml
new file mode 100644
index 0000000..fb7fd08
--- /dev/null
+++ b/azure-inv/group_vars/vaultwarden/all.yaml
@@ -0,0 +1,11 @@
+---
+nomad_job_vaultwarden:
+ affinity_attrib: "${meta.admin}"
+ affinity_value: "1"
+ affinity_operator: "!="
+ volumes:
+ - dir: /data/vaultwarden
+ container_dir: "/data"
+ service_ports:
+ - 8088
+
diff --git a/azure-inv/hosts b/azure-inv/hosts
index 5171d8c..c9b2c7b 100644
--- a/azure-inv/hosts
+++ b/azure-inv/hosts
@@ -60,3 +60,6 @@ cl2.example.net
 
 [postgresql]
 cl0.example.net
+
+[vaultwarden]
+cl0.example.net
diff --git a/playbooks/sub_plays/vaultwarden.yml b/playbooks/sub_plays/vaultwarden.yml
new file mode 100644
index 0000000..81f1d1b
--- /dev/null
+++ b/playbooks/sub_plays/vaultwarden.yml
@@ -0,0 +1,6 @@
+- hosts: vaultwarden
+ roles:
+ - role: vaultwarden
+ vars:
+ job_name: vaultwarden
+ - role: vaultwarden_client
diff --git a/playbooks/templates/vaultwarden.hcl.j2 b/playbooks/templates/vaultwarden.hcl.j2
new file mode 100644
index 0000000..3f805a0
--- /dev/null
+++ b/playbooks/templates/vaultwarden.hcl.j2
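Review bot: `affinity_attrib: "${meta.admin}"` is never read by the template this commit adds (playbooks/templates/vaultwarden.hcl.j2), which hard-codes `attribute = "${node.unique.name}"` in its constraint block, so with `affinity_operator: "!="` and `affinity_value: "1"` the rendered constraint is `node.unique.name != "1"`, which every node satisfies and which does not keep the job off admin-tagged nodes as the variable names suggest. Either render the attribute from the fact in the template, `attribute = "{{ job_fact['affinity_attrib'] if 'affinity_attrib' in job_fact else '${node.unique.name}' }}"`, or drop the key here so the vacuous constraint is not mistaken for a placement rule. The same drift exists for `service_ports: - 8088`, which the template ignores in favour of a literal `static = 8088` and `ROCKET_PORT=8088`; keeping one source of truth for the port avoids the values diverging later. The mapping of `nomad_job_vaultwarden` onto the template's `job_fact` is not visible in this diff, so this assumes the vaultwarden role performs it. The trailing empty added line at the end of the file would also be flagged by yamllint.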
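Review bot: `job_name: vaultwarden` is attached to the `vaultwarden` role entry only, so the `vaultwarden_client` role in the same play does not receive it; if the client role also keys anything on the job name (its tasks are not visible here), move the variable to play-level `vars:` so both roles see one value. The play also lacks the `---` document start that the project's group_vars file in this same commit uses and that Ansible files conventionally carry.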
@@ -0,0 +1,69 @@
+job "vaultwarden" {
+ datacenters = ["{{ nomad_datacenter }}"]
+ type = "service"
+
+ group "{{ job_name }}" {
+ count = 1
+ network {
+ mode = "bridge"
+ port "vaultwarden" {
+ static = 8088
+ host_network = "public"
+ }
+ }
+ task "{{job_name}}" {
+ {% if job_fact.affinity_value is defined %}
+ constraint {
+ attribute = "${node.unique.name}"
+ operator = "{{ job_fact['affinity_operator'] if 'affinity_operator' in job_fact else '=' }}"
+ value = "{{ job_fact['affinity_value'] }}"
+ }
+ {% endif %}
+ driver = "docker"
+ config {
+ image = "vaultwarden/server:1.26.0"
+ ports = ["vaultwarden"]
+ volumes = [
+ {% for dirs in job_fact.volumes %}
+ "{{ dirs.dir }}:{{ dirs.container_dir }}",
+ {% endfor %}
+ ]
+ {% if 'aarch64' != ansible_architecture %}
+ logging {
+ type = "loki"
+ }
+ {% endif %}
+ }
+ env {
+ ROCKET_PORT=8088
+ SIGNUPS_ALLOWED=false
+ SIGNUPS_DOMAINS_WHITELIST="{{ zone }}"
+ SIGNUPS_VERIFY=true
+ }
+ }
+ service {
+ name = "vaultwarden"
+ port = "vaultwarden"
+ tags = [
+ "vaultwarden", "client",
+ "traefik.enable=true",
+ "traefik.http.routers.{{ job_name}}.entryPoints=http,https",
+ "traefik.http.routers.{{ job_name }}.rule=Host(`vaultwarden.{{ zone }}`)",
+ "traefik.http.routers.{{ job_name }}.tls=true"
+ ]
+ check {
+ type = "http"
+ path = "/alive"
+ port = "vaultwarden"
+ interval = "10s"
+ timeout = "2s"
+ }
+ }
+ restart {
+ attempts = 10
+ interval = "5m"
+ delay = "30s"
+ mode = "delay"
+ }
+ }
+}
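Review bot: `port "vaultwarden" { static = 8088 host_network = "public" }` together with `ROCKET_PORT=8088` publishes Vaultwarden's plain-HTTP listener on the host network named "public" (presumably an Internet-facing interface, given the name), so the TLS termination the Traefik router enforces with `tls=true` is not the only path to the vault and credentials can reach it unencrypted. Unless Traefik genuinely needs a fixed public port, bind the port to a non-public host network or drop `static`/`host_network` and let Traefik reach the task through the registered service; if a static public port is unavoidable, the host firewall should limit it to the proxy. The `env` block also uses bare HCL values (`ROCKET_PORT=8088`, `SIGNUPS_ALLOWED=false`, `SIGNUPS_VERIFY=true`) where Nomad documents env as a map of strings and the conventional form is `ROCKET_PORT = "8088"`; whether the unquoted number/bool is coerced depends on the parser version, so quoting removes the ambiguity. `SIGNUPS_VERIFY=true` only has an effect once SMTP is configured and no mail variables are set here, so confirm that they come from elsewhere or the domain-restricted signups will not actually be verifiable. `{{ job_name}}` in the entryPoints tag and `{{job_name}}` in the task name are inconsistent with the `{{ job_name }}` spacing used on the other lines.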