diff --git a/apps/vaultwarden/deployment.yaml b/apps/vaultwarden/deployment.yaml
index eb37bad..f391d5c 100644
--- a/apps/vaultwarden/deployment.yaml
+++ b/apps/vaultwarden/deployment.yaml
@@ -31,6 +31,22 @@ spec:
 - name: DATA_FOLDER
 value: /data
+ - name: SMTP_HOST
+ value: "smtp.gmail.com"
+ - name: SMTP_PORT
+ value: "587"
+ - name: SMTP_SECURITY
+ value: "starttls"
+ - name: SMTP_USERNAME
+ value: "sebastiansrasppi@gmail.com"
+ - name: SMTP_FROM
+ value: "sebastiansrasppi@gmail.com"
+ - name: SMTP_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: vaultwarden-smtp-secret
+ key: SMTP_PASSWORD
+
 # Optional but recommended
 - name: WEBSOCKET_ENABLED
 value: "true"
diff --git a/apps/vaultwarden/secret.yaml b/apps/vaultwarden/secret.yaml
index d3dd21c..3c41ad9 100644
--- a/apps/vaultwarden/secret.yaml
+++ b/apps/vaultwarden/secret.yaml
@@ -6,3 +6,11 @@ metadata:
 type: Opaque
 stringData:
 ADMIN_TOKEN: "LDJMnr80lwRBDIbKBPiz1O7vTRkmupCAcMvAr+bR+L3E1Cz2UmrPgJAHWesi3i1M"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: vaultwarden-smtp-secret
+type: Opaque
+stringData:
+ SMTP_PASSWORD: "oobylstuekxjdixd"
diff --git a/apps/vaultwarden/service.yaml b/apps/vaultwarden/service.yaml
index 57826d8..21cc939 100644
--- a/apps/vaultwarden/service.yaml
+++ b/apps/vaultwarden/service.yaml
@@ -1,13 +1,14 @@
-
 apiVersion: v1
 kind: Service
 metadata:
 name: vaultwarden
+ namespace: default
 spec:
- type: NodePort
+ type: ClusterIP
 selector:
 app: vaultwarden
 ports:
- - port: 80
+ - name: http
+ port: 80
 targetPort: 80
- nodePort: 30084
+ protocol: TCP
diff --git a/apps/vaultwarden/vaultwarden-ingress.yaml b/apps/vaultwarden/vaultwarden-ingress.yaml
new file mode 100644
index 0000000..823230c
--- /dev/null
+++ b/apps/vaultwarden/vaultwarden-ingress.yaml
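Review bot: In apps/vaultwarden/secret.yaml the new `vaultwarden-smtp-secret` document commits the SMTP password as a literal under `stringData`, so anyone who can read the repository or its history holds the credential for the mailbox named in `SMTP_USERNAME` in deployment.yaml; the `ADMIN_TOKEN` on the context line above it is stored the same way. The value should be treated as disclosed and rotated, and the repository should carry only an encrypted form (for example a SealedSecret or a SOPS-encrypted file) or no Secret at all, with a comment such as `# vaultwarden-smtp-secret is created outside git; never commit its value`. The new Secret also sets no `metadata.namespace` while the Service and Ingress in this commit pin `namespace: default`; `secretKeyRef` resolves only in the pod's own namespace, so adding `namespace: default` here would keep the objects consistent, assuming that is where the Deployment runs.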
@@ -0,0 +1,38 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: vaultwarden
+ namespace: default
+ annotations:
+ # 1. Enable cert-manager to automatically get a TLS certificate
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
+
+ # 2. NGINX annotations crucial for Vaultwarden/Bitwarden:
+ # WebSockets (ws://) and WebSocket Secure (wss://) support.
+ nginx.ingress.kubernetes.io/websocket-services: "vaultwarden"
+
+ # 3. Increase timeouts for long-lived WebSocket connections (optional, but recommended)
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+spec:
+ # Ensure this matches the ingress class name of your running NGINX controller
+ ingressClassName: nginx
+
+ # TLS configuration: Instruct NGINX to use the secret created by cert-manager
+ tls:
+ - hosts:
+ - vaultwarden.sebastians-co.de
+ secretName: vaultwarden-tls # cert-manager will create this secret
+
+ # Routing rules
+ rules:
+ - host: vaultwarden.sebastians-co.de
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: vaultwarden # Name of the Service above
+ port:
+ number: 80 # The port the Service exposes (targetPort 80 to the pod)
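Review bot: The single `path: /` Prefix rule in apps/vaultwarden/vaultwarden-ingress.yaml publishes every Vaultwarden route on the public host, including the `/admin` panel, whose only protection is the `ADMIN_TOKEN` kept in secret.yaml. A second Ingress for `/admin` with a source-range restriction would keep the panel off the open internet; a sketch follows, with the CIDR as a placeholder and assuming the controller is ingress-nginx. Separately, `nginx.ingress.kubernetes.io/websocket-services` does not appear to be an annotation that ingress-nginx reads (it proxies WebSockets without one, and `nginx.org/websocket-services` belongs to the NGINX Inc. controller), so step 2 is probably a no-op that should be removed or corrected. The trailing comment `# Name of the Service above` is also stale, since the Service is defined in service.yaml.

```yaml
# … unchanged: the vaultwarden Ingress serving path / …
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: vaultwarden-admin
  namespace: default
  annotations:
    # Placeholder: replace with the network(s) allowed to reach /admin.
    # Only effective if the controller sees the real client IP.
    nginx.ingress.kubernetes.io/whitelist-source-range: "<TRUSTED_CIDR>"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - vaultwarden.sebastians-co.de
      secretName: vaultwarden-tls
  rules:
    - host: vaultwarden.sebastians-co.de
      http:
        paths:
          - path: /admin
            pathType: Prefix
            backend:
              service:
                name: vaultwarden
                port:
                  number: 80
```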