diff --git a/machines/nixos/storage01/_configuration.nix b/machines/nixos/storage01/_configuration.nix
index 4c480bc..7e2260d 100644
--- a/machines/nixos/storage01/_configuration.nix
+++ b/machines/nixos/storage01/_configuration.nix
@@ -23,6 +23,7 @@ lib.extra.mkConfig {
 "peertube"
 "prometheus"
 "redirections"
+ "vault"
 "victorialogs"
 "victoriametrics"
 ];
diff --git a/machines/nixos/storage01/vault.nix b/machines/nixos/storage01/vault.nix
new file mode 100644
index 0000000..19d5462
--- /dev/null
+++ b/machines/nixos/storage01/vault.nix
@@ -0,0 +1,37 @@
+# SPDX-FileCopyrightText: 2025 Elias Coppens
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+let
+ host = "vault.dgnum.eu";
+ port = 3100;
+ clusterPort = 3101;
+in
+{
+ config = {
+ services.openbao = {
+ enable = true;
+ address = "127.0.0.1:${toString port}";
+ storageBackend = "raft";
+
+ listenerExtraConfig = {
+ cluster_address = "0.0.0.0:${toString clusterPort}";
+ };
+
+ storageConfig = {
+ path = "/var/lib/raft";
+ node_id = "raft_storage01";
+ };
+
+ extraConfig = {
+ cluster_addr = "http://${host}:${toString clusterPort}";
+ api_addr = "https://${host}";
+ };
+ };
+
+ dgn-web.simpleProxies.openbao = {
+ inherit host port;
+ };
+
+ };
+}
diff --git a/meta/dns.nix b/meta/dns.nix
index f30f942..40f3de6 100644
--- a/meta/dns.nix
+++ b/meta/dns.nix
@@ -110,6 +110,7 @@ let "victoria-metrics" # Victoria Metrics "videos" # Peertube "pub" + "vault" # OpenBAO # Garage S3 "*.cdn"
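Review bot: In the new `machines/nixos/storage01/vault.nix`, `listenerExtraConfig` binds the cluster listener to `0.0.0.0`, so port 3101 is offered on every interface of storage01 while the API listener is deliberately kept on `127.0.0.1` behind the proxy. Only one raft node (`raft_storage01`) is declared and nothing in this commit opens or restricts that port, so consider `cluster_address = "127.0.0.1:${toString clusterPort}";` until a peer actually joins, or bind to the internal address and limit the port to the peers in the firewall. The `http://` scheme in `cluster_addr` also deserves a comment or a change to `https://`: as far as I know the scheme is ignored there and cluster traffic is always TLS, so the value reads as less protected than it is. No TLS certificate is configured for the API listener in this file, which presumably relies on `dgn-web.simpleProxies` terminating TLS in front of loopback; a short comment such as `# TLS is terminated by the reverse proxy; the listener must stay on loopback` would record that assumption.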