diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix
index d8bfa09..ddfdfa0 100644
--- a/modules/services/vaultwarden.nix
+++ b/modules/services/vaultwarden.nix
@@ -7,6 +7,8 @@ let
   shblib = pkgs.callPackage ../../lib {};
 
   fqdn = "${cfg.subdomain}.${cfg.domain}";
+
+  dataFolder = "/var/lib/bitwarden_rs";
 in
 {
   options.shb.vaultwarden = {
@@ -94,6 +96,24 @@ in
       });
     };
 
+    mount = lib.mkOption {
+      type = contracts.mount;
+      description = ''
+        Mount configuration. This is an output option.
+
+        Use it to initialize a block implementing the "mount" contract.
+        For example, with a zfs dataset:
+
+        ```
+        shb.zfs.datasets."vaultwarden" = {
+          poolName = "root";
+        } // config.shb.vaultwarden.mount;
+        ```
+      '';
+      readOnly = true;
+      default = { path = dataFolder; };
+    };
+
     backupConfig = lib.mkOption {
       type = lib.types.nullOr lib.types.anything;
       description = "Backup configuration of Vaultwarden.";
@@ -113,7 +133,7 @@ in
       enable = true;
       dbBackend = "postgresql";
       config = {
-        DATA_FOLDER = "/var/lib/bitwarden_rs";
+        DATA_FOLDER = dataFolder;
         IP_HEADER = "X-Real-IP";
         SIGNUPS_ALLOWED = false;
         # Disabled because the /admin path is protected by SSO
@@ -135,13 +155,13 @@ in
         SMTP_PORT = cfg.smtp.port;
         SMTP_AUTH_MECHANISM = cfg.smtp.auth_mechanism;
       };
-      environmentFile = "/var/lib/bitwarden_rs/vaultwarden.env";
+      environmentFile = "${dataFolder}/vaultwarden.env";
     };
     # We create a blank environment file for the service to start. Then, ExecPreStart kicks in and
     # fills out the environment file for ExecStart to pick it up.
     systemd.tmpfiles.rules = [
-      "d /var/lib/bitwarden_rs 0750 vaultwarden vaultwarden"
-      "f /var/lib/bitwarden_rs/vaultwarden.env 0640 vaultwarden vaultwarden"
+      "d ${dataFolder} 0750 vaultwarden vaultwarden"
+      "f ${dataFolder}/vaultwarden.env 0640 vaultwarden vaultwarden"
     ];
     systemd.services.vaultwarden.preStart =
       shblib.replaceSecrets {
@@ -151,7 +171,7 @@ in
         } // lib.optionalAttrs (cfg.smtp != null) {
           SMTP_PASSWORD.source = cfg.smtp.passwordFile;
         };
-        resultPath = "/var/lib/bitwarden_rs/vaultwarden.env";
+        resultPath = "${dataFolder}/vaultwarden.env";
         generator = name: v: pkgs.writeText "template" (lib.generators.toINIWithGlobalSection {} { globalSection = v; });
       };
 
@@ -197,12 +217,16 @@ in
       members = [ "backup" ];
     };
 
-    shb.backup.instances.vaultwarden =
+    shb.backup.instances.vaultwarden = lib.mkIf (cfg.backupConfig != null) (
       cfg.backupConfig //
       {
         sourceDirectories = [
           config.services.vaultwarden.config.DATA_FOLDER
         ];
-      };
+      });
+
+    # TODO: make this work.
+    # It does not work because it leads to infinite recursion.
+    # ${cfg.mount}.path = dataFolder;
   };
 }