diff --git a/README.md b/README.md
index 5a9ba51..b64db0c 100644
--- a/README.md
+++ b/README.md
@@ -44,6 +44,7 @@ concise area of concern.
 - [`hedgedoc`](playbooks/hedgedoc.md)
 - [`gitea`](playbooks/gitea.md)
+- [`vaultwarden`](playbooks/vaultwarden.md)
 ## License
diff --git a/playbooks/vaultwarden.md b/playbooks/vaultwarden.md
new file mode 100644
index 0000000..ef91b4b
--- /dev/null
+++ b/playbooks/vaultwarden.md
@@ -0,0 +1,6 @@
+# `finallycoffee.services.vaultwarden` ansible playbook
+
+## Feature toggles
+
+- `vaultwarden_configure_lego_rfc2136` (default `false`)
+- `vaultwarden_configure_caddy_reverse_proxy` (default `false`)
diff --git a/playbooks/vaultwarden.yml b/playbooks/vaultwarden.yml
index 24ac3e5..62ccb25 100644
--- a/playbooks/vaultwarden.yml
+++ b/playbooks/vaultwarden.yml
@@ -1,6 +1,53 @@ --- +- import_playbook: finallycoffee.base.lego_certificate + when: vaultwarden_configure_lego_rfc2136 | default(false) + vars: + target_domains: "{{ vaultwarden_lego_cert_domains }}" + target_acme_zone: "{{ acme_domain }}" + target_acme_account_email: "{{ vaultwarden_lego_acme_account_email }}" + target_dns_server: "{{ dns_server }}" + target_dns_tsig_key: "{{ dns_tsig_keydata }}" + target_dns_additional_records: "{{ vaultwarden_dns_records }}" + target_hosts: >-2 + {{ vaultwarden_lego_hosts | default(vaultwarden_hosts | default('vaultwarden')) }} + target_become: >-2 + {{ vaultwarden_lego_become | default(vaultwarden_become | default(false)) }} + target_gather_facts: >-2 + {{ vaultwarden_lego_gather_facts | default(false) }} + tags: + - vaultwarden + - vaultwarden-lego + - name: Install and configure vaultwarden hosts: "{{ vaultwarden_hosts | default('vaultwarden') }}" - become: "{{ vaultwarden_become | default(true, false) }}" + become: "{{ vaultwarden_become | default(false) }}" + gather_facts: "{{ vaultwarden_gather_facts | default(false) }}" + pre_tasks: + - name: Ensure host directories are created + file: + path: "{{ item }}" + state: directory + mode: 0750 + loop: + - "{{ vaultwarden_base_dir }}" + - "{{ vaultwarden_config_dir }}" + when: vaultwarden_state == 'present' roles: - role: finallycoffee.services.vaultwarden + tags: + - vaultwarden + +- import_playbook: finallycoffee.base.caddy_reverse_proxy + when: vaultwarden_configure_caddy_reverse_proxy | default(false) + vars: + caddy_site_name: "{{ vaultwarden_domain }}" + caddy_reverse_proxy_backend_addr: "http://{{ vaultwarden_host_bind_ip }}" + target_hosts: >-2 + {{ vaultwarden_caddy_hosts | default(vaultwarden_hosts | default('vaultwarden')) }} + target_become: >-2 + {{ vaultwarden_caddy_become | default(vaultwarden_become | default(false)) }} + target_gather_facts: >-2 + {{ vaultwarden_caddy_gather_facts | default(false) }} + tags: + - vaultwarden + - vaultwarden-caddy
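Review bot: The new pre_task "Ensure host directories are created" guards on `when: vaultwarden_state == 'present'`, but unlike every other toggle in this hunk that variable gets no `| default(...)`, so a run that sets only `vaultwarden_hosts` fails with an undefined-variable error before the role starts unless the role's defaults happen to define it; `when: vaultwarden_state | default('present') == 'present'` keeps the play self-contained. On the same task, `mode: 0750` is an unquoted leading-zero octal, which YAML 1.1 parsers read as an integer; Ansible accepts the leading-zero form, but yamllint flags it and the portable spelling is `mode: "0750"`. The task also sets no `owner`/`group`, so the directories are created as the connecting user (root when `vaultwarden_become` is true) — if the role later runs the container as a dedicated user, it presumably fixes ownership itself; worth confirming, since a root-owned `vaultwarden_config_dir` with mode 0750 would be unreadable by that user.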