diff --git a/apps/hydra/vaultwarden/deployment.yaml b/apps/hydra/vaultwarden/deployment.yaml
new file mode 100644
index 0000000..ba92f4e
--- /dev/null
+++ b/apps/hydra/vaultwarden/deployment.yaml
@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: vaultwarden
+  name: vaultwarden
+  namespace: vaultwarden
+spec:
+  selector:
+    matchLabels:
+      app: vaultwarden
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: vaultwarden
+    spec:
+      containers:
+      - env:
+        - name: SIGNUPS_ALLOWED
+          value: "true"
+        image: quay.io/vaultwarden/server:1.36.0
+        name: vaultwarden
+        ports:
+        - containerPort: 80
+        resources: {}
+        volumeMounts:
+        - mountPath: /data
+          name: data
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: vaultwarden-pvc
+status: {}
diff --git a/apps/hydra/vaultwarden/kustomization.yaml b/apps/hydra/vaultwarden/kustomization.yaml
index 0b73340..ad1b1e4 100644
--- a/apps/hydra/vaultwarden/kustomization.yaml
+++ b/apps/hydra/vaultwarden/kustomization.yaml
@@ -4,6 +4,7 @@ metadata:
   name: vaultwarden
   namespace: vaultwarden
 resources:
+- deployment.yaml
 - namespace.yaml
 - pvc.yaml
 - service.yaml
diff --git a/pkg/vaultwarden/vaultwarden.go b/pkg/vaultwarden/vaultwarden.go
index c650078..8339c05 100644
--- a/pkg/vaultwarden/vaultwarden.go
+++ b/pkg/vaultwarden/vaultwarden.go
@@ -4,6 +4,7 @@ import (
 	"danicos.dev/daniel/go-kube/pkg/kube"
 	"danicos.dev/daniel/go-kube/pkg/stack"
 	"danicos.dev/daniel/homelab/pkg/root"
+	apps "k8s.io/api/apps/v1"
 	core "k8s.io/api/core/v1"
 )
 
@@ -25,27 +26,35 @@ func Stack() stack.Stack {
 	kz := kube.NewKuztomizedStack(
 		meta,
 		map[string]any{
-			"namespace": Namespace,
-			"service":   srv,
-			"pvc":       pvc,
-			// "deployment":       Deployment(),
+			"namespace":  Namespace,
+			"service":    srv,
+			"pvc":        pvc,
+			"deployment": Deployment(),
 		},
 	)
 	return kz.Stack("vaultwarden")
 }
 
-/*
-services:
-  vaultwarden:
-    image: vaultwarden/server:latest
-    container_name: vaultwarden
-    restart: always
-    environment:
-      # DOMAIN: "https://vaultwarden.example.com"  # required when using a reverse proxy; your domain; vaultwarden needs to know it's https to work properly with attachments
-      SIGNUPS_ALLOWED: "true" # Deactivate this with "false" after you have created your account so that no strangers can register
-    volumes:
-      - ./vw-data:/data # the path before the : can be changed
-    ports:
-      - 11001:80 # you can replace the 11001 with your preferred port
-
-*/
+func Deployment() apps.Deployment {
+	envMap := map[string]string{
+		// "DOMAIN": root.Vaultwarden.Public.URL,
+		"SIGNUPS_ALLOWED": "true",
+	}
+	dataVol := kube.NewVolumeFrom(kube.VolumeSourcePVC, "data", pvc.Name)
+	podSpec := core.PodSpec{
+		Containers: []core.Container{{
+			Name:  root.Vaultwarden.Name,
+			Image: root.Vaultwarden.Image,
+			Ports: []core.ContainerPort{{ContainerPort: root.Vaultwarden.Port}},
+			Env:   kube.NewEnvVar(envMap),
+			VolumeMounts: []core.VolumeMount{{
+				Name:      dataVol.Name,
+				MountPath: "/data",
+			}},
+		}},
+		Volumes: []core.Volume{
+			dataVol,
+		},
+	}
+	return kube.NewDeployment(meta, podSpec)
+}