diff --git a/configuration.nix b/configuration.nix
index e1db06f..1afe5d0 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -7,7 +7,6 @@
 ./users.nix
 ./letsencrypt/acme.nix
 ./letsencrypt/resolve.nix
- ./passmgr/bitwarden.nix
 ./webserver/nginx.nix
 ./webserver/memcached.nix
 # ./resources/limits.nix
diff --git a/files.nix b/files.nix
index 4f3f0a8..4d06b3a 100644
--- a/files.nix
+++ b/files.nix
@@ -18,10 +18,7 @@ in
 domain = builtins.replaceStrings [ "\n" "\"" "\\" "%" ] [ "\\n" "\\\"" "\\\\" "%%" ] cfg.domain;
 in [
- (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "")
- (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "")
 "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
- (if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "")
 ];
 system.activationScripts = let
@@ -41,20 +38,5 @@ in
 chmod 0440 /var/lib/cloudflare/Credentials.ini
 chown nginx:acmereceivers /var/lib/cloudflare/Credentials.ini
 '';
- bitwardenCredentials =
- if cfg.bitwarden.enable then ''
- mkdir -p /var/lib/bitwarden
- token=$(cat /etc/selfprivacy/secrets.json | ${jq} -r '.bitwarden.adminToken')
- if [ "$token" == "null" ]; then
- # If it's null, delete the contents of the file
- > /var/lib/bitwarden/.env
- else
- echo "ADMIN_TOKEN=$token" > /var/lib/bitwarden/.env
- fi
- chmod 0640 /var/lib/bitwarden/.env
- chown vaultwarden:vaultwarden /var/lib/bitwarden/.env
- '' else ''
- rm -f /var/lib/bitwarden/.env
- '';
 };
 }
diff --git a/passmgr/bitwarden.nix b/passmgr/bitwarden.nix
deleted file mode 100644
index 532e170..0000000
--- a/passmgr/bitwarden.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ pkgs, lib, config, ... }:
-let
- cfg = config.selfprivacy;
-in
-{
- fileSystems = lib.mkIf cfg.useBinds {
- "/var/lib/bitwarden" = {
- device = "/volumes/${cfg.bitwarden.location}/bitwarden";
- options = [ "bind" ];
- };
- "/var/lib/bitwarden_rs" = {
- device = "/volumes/${cfg.bitwarden.location}/bitwarden_rs";
- options = [ "bind" ];
- };
- };
- services.vaultwarden = {
- enable = cfg.bitwarden.enable;
- dbBackend = "sqlite";
- backupDir = "/var/lib/bitwarden/backup";
- environmentFile = "/var/lib/bitwarden/.env";
- config = {
- domain = "https://password.${cfg.domain}/";
- signupsAllowed = true;
- rocketPort = 8222;
- };
- };
-}
diff --git a/sp-modules/bitwarden/cleanup-module.nix b/sp-modules/bitwarden/cleanup-module.nix
new file mode 100644
index 0000000..d66785f
--- /dev/null
+++ b/sp-modules/bitwarden/cleanup-module.nix
@@ -0,0 +1,17 @@
+{ config, lib, ... }:
+let
+ inherit (import ./common.nix config) bitwarden-env sp;
+in
+# FIXME do we really want to delete passwords on module deactivation!?
+{
+ config = lib.mkIf (!sp.modules.bitwarden.enable) {
+ system.activationScripts.bitwarden =
+ lib.trivial.warn
+ (
+ "bitwarden service is disabled, ${bitwarden-env} will be removed!"
+ )
+ ''
+ rm -f -v ${bitwarden-env}
+ '';
+ };
+}
diff --git a/sp-modules/bitwarden/common.nix b/sp-modules/bitwarden/common.nix
new file mode 100644
index 0000000..231bed3
--- /dev/null
+++ b/sp-modules/bitwarden/common.nix
@@ -0,0 +1,5 @@
+config:
+{
+ sp = config.selfprivacy;
+ bitwarden-env = "/var/lib/bitwarden/.env";
+}
diff --git a/sp-modules/bitwarden/config-paths-needed.json b/sp-modules/bitwarden/config-paths-needed.json
new file mode 100644
index 0000000..4f8b9e7
--- /dev/null
+++ b/sp-modules/bitwarden/config-paths-needed.json
@@ -0,0 +1,5 @@
+[
+ [ "selfprivacy", "domain" ],
+ [ "selfprivacy", "useBinds" ],
+ [ "selfprivacy", "modules", "bitwarden" ]
+]
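Review bot: The FIXME above the attribute set asks whether passwords are deleted on deactivation, but the activation script only runs `rm -f -v ${bitwarden-env}`, the file carrying `ADMIN_TOKEN`; the data directories referenced in module.nix (`/var/lib/bitwarden`, `/var/lib/bitwarden_rs`) are not touched, so the comment should describe what the script does, e.g. `# FIXME deactivation removes only the admin-token env file; vault data under /var/lib/bitwarden{,_rs} is kept`. The condition `!sp.modules.bitwarden.enable` is an evaluation error when `enable` is `null`, which the option's `nullOr bool` type in module.nix admits; `lib.mkIf (sp.modules.bitwarden.enable != true)` handles both `false` and `null`. `lib.trivial.warn` appears to fire at evaluation time rather than during activation, so the warning will be printed on every rebuild while the module is disabled, not only when the file is actually removed.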
diff --git a/sp-modules/bitwarden/flake.nix b/sp-modules/bitwarden/flake.nix
new file mode 100644
index 0000000..d01d6b9
--- /dev/null
+++ b/sp-modules/bitwarden/flake.nix
@@ -0,0 +1,10 @@
+{
+ description = "PoC SP module for Bitwarden password management solution";
+
+ outputs = { self }: {
+ nixosModules.default = _:
+ { imports = [ ./module.nix ./cleanup-module.nix ]; };
+ configPathsNeeded =
+ builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
+ };
+}
diff --git a/sp-modules/bitwarden/module.nix b/sp-modules/bitwarden/module.nix
new file mode 100644
index 0000000..ccf6b62
--- /dev/null
+++ b/sp-modules/bitwarden/module.nix
@@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+let
+ secrets-filepath = "/etc/selfprivacy/secrets.json";
+ inherit (import ./common.nix config) bitwarden-env sp;
+in
+{
+ options.selfprivacy.modules.bitwarden = {
+ enable = lib.mkOption {
+ default = false;
+ type = with lib.types; nullOr bool;
+ };
+ location = lib.mkOption {
+ default = "sda1";
+ type = with lib.types; nullOr str;
+ };
+ };
+
+ config = lib.mkIf config.selfprivacy.modules.bitwarden.enable {
+ fileSystems = lib.mkIf sp.useBinds {
+ "/var/lib/bitwarden" = {
+ device = "/volumes/${sp.modules.bitwarden.location}/bitwarden";
+ options = [ "bind" ];
+ };
+ "/var/lib/bitwarden_rs" = {
+ device = "/volumes/${sp.modules.bitwarden.location}/bitwarden_rs";
+ options = [ "bind" ];
+ };
+ };
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "sqlite";
+ backupDir = "/var/lib/bitwarden/backup";
+ environmentFile = "${bitwarden-env}";
+ config = {
+ domain = "https://password.${sp.domain}/";
+ signupsAllowed = true;
+ rocketPort = 8222;
+ };
+ };
+ systemd.services.bitwarden-secrets = {
+ before = [ "vaultwarden.service" ];
+ requiredBy = [ "vaultwarden.service" ];
+ serviceConfig.Type = "oneshot";
+ path = with pkgs; [ coreutils jq ];
+ script = ''
+ set -o nounset
+
+ token="$(jq -r '.bitwarden.adminToken' ${secrets-filepath})"
+ if [ "$token" == "null" ]; then
+ # If it's null, empty the contents of the file
+ bitwarden_env=""
+ else
+ bitwarden_env="ADMIN_TOKEN=$token"
+ fi
+ # TODO revise this permissions mode
+ install -m 0640 -o vaultwarden -g vaultwarden -DT \
+ <(printf "%s" "$bitwarden_env") ${bitwarden-env}
+ '';
+ };
+ systemd.tmpfiles.rules = [
+ "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -"
+ "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -"
+ "f ${bitwarden-env} 0640 vaultwarden vaultwarden - -"
+ ];
+ };
+}
diff --git a/userdata-variables.nix b/userdata-variables.nix
index 59f8d3c..d7df053 100644
--- a/userdata-variables.nix
+++ b/userdata-variables.nix
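Review bot: The `systemd.tmpfiles.rules` entries near the end of the hunk create `/var/lib/bitwarden` and `/var/lib/bitwarden/backup` with mode `0777`, so the backup directory and the directory holding the `ADMIN_TOKEN` env file are writable by every local account even though both are already owned by `vaultwarden`; `"d /var/lib/bitwarden 0750 vaultwarden vaultwarden -"` and `"d /var/lib/bitwarden/backup 0750 vaultwarden vaultwarden -"` would close that without affecting the service (the deleted files.nix carried the same modes, which the commit did not revisit). In `bitwarden-secrets` the script enables only `nounset`, so when `jq` fails — secrets file missing or unparsable — `token` is empty rather than `null`, the else branch installs `ADMIN_TOKEN=` with an empty value, and the oneshot still exits 0; `set -o errexit -o nounset -o pipefail` would make the unit, and through `requiredBy` vaultwarden itself, fail visibly instead. The `enable` option is typed `nullOr bool` but is passed straight to `lib.mkIf`, which rejects `null`; `lib.types.bool` matches the way it is consumed. `signupsAllowed = true` keeps registration open on `password.${sp.domain}`; if that is intended for this deployment model, a one-line comment saying so would keep the next reader from raising it again.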
@@ -18,10 +18,6 @@ jsonData: { lib, ... }:
 server = {
 provider = lib.attrsets.attrByPath [ "server" "provider" ] "HETZNER" jsonData;
 };
- bitwarden = {
- enable = lib.attrsets.attrByPath [ "bitwarden" "enable" ] false jsonData;
- location = lib.attrsets.attrByPath [ "bitwarden" "location" ] "sda1" jsonData;
- };
 gitea = {
 enable = lib.attrsets.attrByPath [ "gitea" "enable" ] false jsonData;
 location = lib.attrsets.attrByPath [ "gitea" "location" ] "sda1" jsonData;
diff --git a/variables-module.nix b/variables-module.nix
index fa3cd54..fc407ec 100644
--- a/variables-module.nix
+++ b/variables-module.nix
@@ -109,16 +109,6 @@ with lib;
 ##############
 # Services #
 ##############
- bitwarden = {
- enable = mkOption {
- default = false;
- type = types.nullOr types.bool;
- };
- location = mkOption {
- default = "sda1";
- type = types.nullOr types.str;
- };
- };
 email = {
 location = mkOption {
 default = "sda1";