diff --git a/modules/nixos/services/traefik/default.nix b/modules/nixos/services/traefik/default.nix
new file mode 100644
index 0000000..9b1b254
--- /dev/null
+++ b/modules/nixos/services/traefik/default.nix
@@ -0,0 +1,101 @@
+{
+ namespace,
+ hostname,
+ config,
+ ...
+}: with lib; with lib.${namespace};
+let
+ cfg = config.${namespace}.services.traefik;
+in {
+ options.${namespace}.services.traefik = { enable = mkEnableOption "Enable the Traefik service."; };
+
+ config = mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [80 443];
+
+ systemd.services.traefik = {
+ environment = {
+ CF_API_EMAIL = "johannesreckers2006@gmail.com";
+ };
+ };
+
+ services.traefik = {
+ enable = true;
+
+ staticConfigOptions = {
+ log = {
+ level = "INFO";
+ filePath = "/var/log/traefik.log";
+ noColor = false;
+ maxSize = 100;
+ compress = true;
+ };
+
+ api = {
+ dashboard = true;
+ insecure = true;
+ };
+
+ providers = {
+ docker = {
+ exposedByDefault = false;
+ network = "proxy";
+ };
+ };
+
+ certificatesResolvers = {
+ letsencrypt = {
+ acme = {
+ email = "johannesreckers2006@gmail.com";
+ storage = "/var/lib/traefik/acme.json";
+ dnsChallenge = {
+ provider = "cloudflare";
+ resolvers = ["1.1.1.1:53" "8.8.8.8:53"];
+ };
+ };
+ };
+ };
+
+ entryPoints.web = {
+ address = ":80";
+ http.redirections.entryPoint = {
+ to = "websecure";
+ scheme = "https";
+ permanent = true;
+ };
+ };
+
+ entryPoints.websecure = {
+ address = ":443";
+ http.tls = {
+ certResolver = "letsencrypt";
+ domains = [
+ {
+ main = "voidtales.dev";
+ sans = ["*.voidtales.dev"];
+ }
+ {
+ main = "voxtek.enterprises";
+ sans = ["*.voxtek.enterprises"];
+ }
+ {
+ main = "thevoid.cafe";
+ sans = ["*.thevoid.cafe"];
+ }
+ {
+ main = "reckers.dev";
+ sans = ["*.reckers.dev"];
+ }
+ {
+ main = "rhysbot.co.uk";
+ sans = ["*.rhysbot.co.uk"];
+ }
+ ];
+ };
+ };
+ };
+ };
+
+ # Todo: continue with "traefik" configuration and test it on a running system
+ # Todo: setup sops-nix for secret management
+ };
+}
\ No newline at end of file
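Review bot: `insecure = true;` in the `api` block serves the Traefik dashboard and API with no authentication on Traefik's default `traefik` entrypoint (port 8080); the firewall line above only governs 80/443, so every container on the `proxy` network and any local process can reach it, and the fix is `insecure = false;` with the dashboard exposed through a router behind an auth middleware. The `letsencrypt` resolver's Cloudflare `dnsChallenge` has only `CF_API_EMAIL` in `systemd.services.traefik.environment`, so no API credential is configured and the challenge cannot succeed; when the sops-nix Todo is done, the token should go through `services.traefik.environmentFiles` (or a unit `EnvironmentFile`) rather than `environment`, which lands in the world-readable unit file in the Nix store. `filePath = "/var/log/traefik.log"` presumably runs under the dynamic user the NixOS module uses for Traefik — if that path is not writable by it the service will fail at startup, so `/var/lib/traefik` (the module's state directory, already used for `acme.json`) or the journal is the safer target; confirm against the module.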
diff --git a/modules/home/services/vaultwarden/default.nix b/modules/nixos/services/vaultwarden/default.nix
similarity index 77%
rename from modules/home/services/vaultwarden/default.nix
rename to modules/nixos/services/vaultwarden/default.nix
index 15cca8a..a573f66 100644
--- a/modules/home/services/vaultwarden/default.nix
+++ b/modules/nixos/services/vaultwarden/default.nix
@@ -16,8 +16,5 @@ in {
 hostname = hostname;
 # Todo: continue writing vaultwarden config
 };
-
- # Todo: figure out "traefik" as a service and how to configure it per-service
- # Todo: setup age-nix or sops-nix for secret management
 };
 }
\ No newline at end of file