diff --git a/nixos/modules/services/security/vaultwarden/default.nix b/nixos/modules/services/security/vaultwarden/default.nix
index b2920931f..443b8421b 100644
--- a/nixos/modules/services/security/vaultwarden/default.nix
+++ b/nixos/modules/services/security/vaultwarden/default.nix
@@ -23,7 +23,7 @@ let
       configEnv = lib.concatMapAttrs (name: value: lib.optionalAttrs (value != null) {
         ${nameToEnvVar name} = if lib.isBool value then lib.boolToString value else toString value;
       }) cfg.config;
-    in { DATA_FOLDER = "/var/lib/bitwarden_rs"; } // lib.optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") {
+    in { DATA_FOLDER = cfg.dataDir; } // lib.optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") {
       WEB_VAULT_FOLDER = "${cfg.webVaultPackage}/share/vaultwarden/vault";
     } // configEnv;

@@ -163,6 +163,16 @@ in {
       defaultText = lib.literalExpression "pkgs.vaultwarden.webvault";
       description = "Web vault package to use.";
     };
+
+    dataDir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/bitwarden_rs";
+      description = ''
+        The directury in which vaultwarden will keep its state. If left as the default value
+        this directory will automatically be created before the vaultwarden server starts, otherwise
+        the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions.
+      '';
+    };
   };

   config = lib.mkIf cfg.enable {
@@ -180,28 +190,32 @@ in {
     systemd.services.vaultwarden = {
       after = [ "network.target" ];
       path = with pkgs; [ openssl ];
-      serviceConfig = {
-        User = user;
-        Group = group;
-        EnvironmentFile = [ configFile ] ++ lib.optional (cfg.environmentFile != null) cfg.environmentFile;
-        ExecStart = "${vaultwarden}/bin/vaultwarden";
-        LimitNOFILE = "1048576";
-        PrivateTmp = "true";
-        PrivateDevices = "true";
-        ProtectHome = "true";
-        ProtectSystem = "strict";
-        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
-        StateDirectory = "bitwarden_rs";
-        StateDirectoryMode = "0700";
-        Restart = "always";
-      };
+      serviceConfig = lib.mkMerge [
+        (lib.mkIf (cfg.dataDir == "/var/lib/bitwarden_rs") {
+          StateDirectory = "bitwarden_rs";
+          StateDirectoryMode = "0700";
+        })
+        {
+          User = user;
+          Group = group;
+          EnvironmentFile = [ configFile ] ++ lib.optional (cfg.environmentFile != null) cfg.environmentFile;
+          ExecStart = "${vaultwarden}/bin/vaultwarden";
+          LimitNOFILE = "1048576";
+          PrivateTmp = "true";
+          PrivateDevices = "true";
+          ProtectHome = "true";
+          ProtectSystem = "strict";
+          AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+          Restart = "always";
+        }
+      ];
       wantedBy = [ "multi-user.target" ];
     };

     systemd.services.backup-vaultwarden = lib.mkIf (cfg.backupDir != null) {
       description = "Backup vaultwarden";
       environment = {
-        DATA_FOLDER = "/var/lib/bitwarden_rs";
+        DATA_FOLDER = cfg.dataDir;
         BACKUP_FOLDER = cfg.backupDir;
       };
       path = with pkgs; [ sqlite ];