diff --git a/nix/homes/x86_64-linux/sab@nz/default.nix b/nix/homes/x86_64-linux/sab@nz/default.nix
index 7eb8e1d..1a6514b 100644
--- a/nix/homes/x86_64-linux/sab@nz/default.nix
+++ b/nix/homes/x86_64-linux/sab@nz/default.nix
@@ -39,6 +39,9 @@ with lib.custom; {
       git = enabled;
       direnv = disabled;
     };
-    security.rbw.enable = true;
+    security = {
+      rbw = enabled;
+      vault = enabled;
+    };
   };
 }
diff --git a/nix/modules/home/security/vault/default.nix b/nix/modules/home/security/vault/default.nix
new file mode 100644
index 0000000..7fe5932
--- /dev/null
+++ b/nix/modules/home/security/vault/default.nix
@@ -0,0 +1,22 @@
+{
+  options,
+  config,
+  pkgs,
+  lib,
+  inputs,
+  ...
+}:
+with lib;
+with lib.custom; let
+  cfg = config.custom.security.vault;
+in {
+  options.custom.security.vault = with types; {
+    enable = mkBoolOpt false "Whether or not to enable Hashicort Vault.";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      vault
+    ];
+  };
+}
diff --git a/nix/systems/x86_64-linux/nz/hardware-configuration.nix b/nix/systems/x86_64-linux/nz/hardware-configuration.nix
index dc20ebd..74ea871 100644
--- a/nix/systems/x86_64-linux/nz/hardware-configuration.nix
+++ b/nix/systems/x86_64-linux/nz/hardware-configuration.nix
@@ -44,6 +44,7 @@
   networking.useDHCP = lib.mkDefault true;
   networking.hosts = {
     "192.168.89.200" = ["truenas.sbulav.ru"];
+    "100.92.128.100" = ["vault-c12.pyn.ru"];
   };
   # networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
   # networking.interfaces.enp5s0.useDHCP = lib.mkDefault true;