diff --git a/deployments/bitwarden/deployment.yaml b/deployments/bitwarden/deployment.yaml
new file mode 100644
index 0000000..3931fe2
--- /dev/null
+++ b/deployments/bitwarden/deployment.yaml
@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bitwarden
+  namespace: security
+  labels:
+    app: bitwarden
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: bitwarden
+  template:
+    metadata:
+      labels:
+        app: bitwarden
+    spec:
+      containers:
+        - name: bitwarden
+          image: bitwarden/server:1.30.1
+          ports:
+            - containerPort: 80
+          env:
+            - name: WEBSOCKET_ENABLED
+              value: "true"
+            - name: SIGNUPS_ALLOWED
+              value: "true"
+            - name: ADMIN_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: bitwarden-secret
+                  key: admin-token
+            - name: DB_CERT_FORMAT
+              value: "pem"
+            - name: SIGNUP_ORIGINS
+              value: "https://bitwarden.khalisio.com"
+          volumeMounts:
+            - name: bitwarden-data
+              mountPath: /data
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+            limits:
+              cpu: 500m
+              memory: 512Mi
+      volumes:
+        - name: bitwarden-data
+          persistentVolumeClaim:
+            claimName: bitwarden-data
diff --git a/deployments/bitwarden/ingress.yaml b/deployments/bitwarden/ingress.yaml
new file mode 100644
index 0000000..1976d66
--- /dev/null
+++ b/deployments/bitwarden/ingress.yaml
@@ -0,0 +1,21 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: bitwarden
+  namespace: security
+  annotations:
+    kubernetes.io/ingress.class: traefik
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`bitwarden.khalisio.com`)
+      kind: Rule
+      services:
+        - name: bitwarden
+          port: 80
+  tls:
+    secretName: bitwarden-tls
+    options:
+      name: default
+      kind: ClusterEntrypoint
diff --git a/deployments/bitwarden/pvc.yaml b/deployments/bitwarden/pvc.yaml
new file mode 100644
index 0000000..a95af8b
--- /dev/null
+++ b/deployments/bitwarden/pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: bitwarden-data
+  namespace: security
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 5Gi
diff --git a/deployments/bitwarden/service.yaml b/deployments/bitwarden/service.yaml
new file mode 100644
index 0000000..7e07252
--- /dev/null
+++ b/deployments/bitwarden/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: bitwarden
+  namespace: security
+  labels:
+    app: bitwarden
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 80
+      protocol: TCP
+  selector:
+    app: bitwarden