diff --git a/ansible.cfg b/ansible.cfg
index fc4ad9d..60ebecc 100755
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,3 +1,5 @@
 [defaults]
 inventory = hosts.yml
 roles_path = ./roles
+vault_password_file = ~/.homelab-ansible-vault-pass
+vars_files="group_vars/secrets.yml"
diff --git a/group_vars/vms.yml b/group_vars/vms.yml
new file mode 100644
index 0000000..1af6190
--- /dev/null
+++ b/group_vars/vms.yml
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+66666232393236366535336639396266366131643930323662376334333138363266633431656263
+6266363861373237346231343334623565386138393737390a623932363063306437383466303564
+35616132383361353036663839643763363762623534653732323864636462346635363366623533
+6536376161333663300a643939303465326133366463383234356535626465623162303836373664
+65373562363134653633363335326536353062373734373066393862363139376435303833393836
+3664646663646534323938393762373535666332386164353631
diff --git a/playbooks/apps/kan.yml b/playbooks/apps/kan.yml
deleted file mode 100644
index 70db0c5..0000000
--- a/playbooks/apps/kan.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-- name: Deploy Kan.bn app
- hosts: apps
- become: true
- roles:
- - role: app/database
- vars:
- app_name: kan
- tasks:
- - name: Create kan-web container with correct ports
- community.docker.docker_container:
- name: kan-web
- image: ghcr.io/kanbn/kan:latest
- pull: true
- state: started
- restart_policy: unless-stopped
- ports:
- - "7070:3000"
- env:
- NEXT_PUBLIC_BASE_URL: "https://tasks.thegrind.dev"
- BETTER_AUTH_SECRET: "your_auth_secret"
- POSTGRES_URL: "postgresql://kan:password@10.89.0.102:5432/kan"
- NEXT_PUBLIC_ALLOW_CREDENTIALS: "true"
\ No newline at end of file
diff --git a/playbooks/nodes/apps.yml b/playbooks/nodes/apps.yml
new file mode 100644
index 0000000..c1af816
--- /dev/null
+++ b/playbooks/nodes/apps.yml
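Review bot: `vars_files="group_vars/secrets.yml"` in ansible.cfg looks like a mistake, because `vars_files` is a play keyword rather than a `[defaults]` setting, so the line is most likely ignored; the file it names is also not part of this commit (the vaulted file added is group_vars/vms.yml). Drop the line and rely on group_vars auto-loading, or put `vars_files:` on the play; either way confirm that the `apps` hosts targeted by playbooks/nodes/apps.yml belong to the `vms` group, otherwise `vaultwarden_admin_token` may be undefined at run time. For `vault_password_file`, a comment such as `# must be mode 0600 and not executable; Ansible runs an executable password file as a script` would record what is expected of `~/.homelab-ansible-vault-pass`.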
@@ -0,0 +1,14 @@
+---
+- name: Deploy apps to apps-1 node
+ hosts: apps
+ become: true
+ roles:
+ - role: apps/kan
+ vars:
+ port: 7070
+ - role: apps/memos
+ vars:
+ port: 7071
+ - role: apps/vaultwarden
+ vars:
+ port: 7072
diff --git a/roles/apps/kan/defaults/main.yml b/roles/apps/kan/defaults/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/apps/kan/tasks/main.yml b/roles/apps/kan/tasks/main.yml
new file mode 100644
index 0000000..5b7ef5c
--- /dev/null
+++ b/roles/apps/kan/tasks/main.yml
@@ -0,0 +1,20 @@
+- name: Create app DB
+ ansible.builtin.include_role:
+ name: app/database
+ vars:
+ app_name: kan
+
+- name: Create kan-web container
+ community.docker.docker_container:
+ name: kan-web
+ image: ghcr.io/kanbn/kan:latest
+ pull: true
+ state: started
+ restart_policy: unless-stopped
+ ports:
+ - "{{ port }}:3000"
+ env:
+ NEXT_PUBLIC_BASE_URL: "https://tasks.thegrind.dev"
+ BETTER_AUTH_SECRET: "your_auth_secret"
+ POSTGRES_URL: "postgresql://kan:password@10.89.0.102:5432/kan"
+ NEXT_PUBLIC_ALLOW_CREDENTIALS: "true"
\ No newline at end of file
diff --git a/roles/apps/memos/defaults/main.yml b/roles/apps/memos/defaults/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/apps/memos/tasks/main.yml b/roles/apps/memos/tasks/main.yml
new file mode 100644
index 0000000..08819ee
--- /dev/null
+++ b/roles/apps/memos/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: Create app DB
+ ansible.builtin.include_role:
+ name: app/database
+ vars:
+ app_name: memos
+
+- name: Deploy memos container
+ community.docker.docker_container:
+ name: memos
+ image: neosmemo/memos:stable
+ pull: true
+ state: started
+ restart_policy: unless-stopped
+ ports:
+ - "{{ port }}:5230"
+ env:
+ MEMOS_DRIVER: "postgres"
+ MEMOS_DSN: "user=memos password=password dbname=memos host=10.89.0.102 sslmode=disable"
\ No newline at end of file
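Review bot: The role variable `port` in playbooks/nodes/apps.yml is generic enough to collide with any other variable of that name, and the three roles' defaults/main.yml files are added empty, so each role fails on an undefined variable when included without this play. Prefixing per role, e.g. `kan_port: 7070`, and giving each role a default in its defaults/main.yml would make the roles self-contained. The prefixed names are suggestions, not variables that exist in the repository.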
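Review bot: roles/apps/kan/tasks/main.yml still hard-codes `BETTER_AUTH_SECRET: "your_auth_secret"` (a placeholder value) and the database password `password` inside `POSTGRES_URL`, even though this commit sets up Ansible Vault; the same applies to `password=password` in `MEMOS_DSN` in roles/apps/memos/tasks/main.yml. Move these to vaulted variables, e.g. `BETTER_AUTH_SECRET: "{{ kan_auth_secret }}"` and `POSTGRES_URL: "postgresql://kan:{{ kan_db_password }}@10.89.0.102:5432/kan"` (variable names are suggestions), and consider `no_log: true` on the container tasks so the env values are not echoed in task output. The password that the `app/database` role sets is not visible in this diff and would have to change with it.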
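Review bot: `sslmode=disable` in `MEMOS_DSN` (roles/apps/memos/tasks/main.yml) sends the database credentials and memo contents to 10.89.0.102 without TLS. If the PostgreSQL server has TLS enabled, use `sslmode=require` or stricter; if the link is deliberately left unencrypted on a trusted segment, a comment above `env:` saying so would record the decision. Whether the server offers TLS is not visible in this diff.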
diff --git a/roles/apps/vaultwarden/defaults/main.yml b/roles/apps/vaultwarden/defaults/main.yml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/apps/vaultwarden/tasks/main.yml b/roles/apps/vaultwarden/tasks/main.yml
new file mode 100644
index 0000000..c0226f8
--- /dev/null
+++ b/roles/apps/vaultwarden/tasks/main.yml
@@ -0,0 +1,35 @@
+- name: Create the data directory
+ ansible.builtin.file:
+ path: "/home/docker/container-data"
+ state: directory
+ mode: '0777'
+ become: true
+
+- name: Mount the data share to the VM
+ ansible.builtin.include_tasks:
+ file: ../tasks/mount_nfs.yml
+ vars:
+ mount_path: "/home/docker/container-data"
+ mount_source: "10.89.0.15:/mnt/main/container-data"
+
+- name: Create the data directory
+ ansible.builtin.file:
+ path: "/home/docker/container-data/vaultwarden-data"
+ state: directory
+ mode: '0777'
+ become: true
+
+- name: Create vaultwarden container
+ community.docker.docker_container:
+ name: vaultwarden
+ image: vaultwarden/server:latest
+ pull: true
+ state: started
+ restart_policy: always
+ ports:
+ - "{{ port }}:80"
+ env:
+ DOMAIN: "https://vaultwarden.blinker.club"
+ ADMIN_TOKEN: "{{ vaultwarden_admin_token }}"
+ volumes:
+ - /home/docker/container-data/vaultwarden-data/:/data/
\ No newline at end of file
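Review bot: Both `ansible.builtin.file` tasks in roles/apps/vaultwarden/tasks/main.yml create their directories with `mode: '0777'`, which leaves the directory mounted as Vaultwarden's `/data` volume writable and listable by every local user on the VM, and by anything else that mounts the same NFS export. Restrict it, e.g. `mode: '0700'` with `owner:`/`group:` set to the UID/GID the container runs as (not visible here, so confirm before changing). The mapping `"{{ port }}:80"` publishes plain HTTP on all host interfaces; if a reverse proxy terminates TLS for `https://vaultwarden.blinker.club`, binding the port to the proxy-facing address only would keep the unencrypted listener off other networks. `ADMIN_TOKEN` is rightly taken from a vaulted variable; storing an Argon2 PHC hash in it rather than the plaintext token would keep the plaintext out of the container environment.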