diff --git a/hosts/build-coord/default.nix b/hosts/build-coord/default.nix
index 26c0cdb..28f906a 100644
--- a/hosts/build-coord/default.nix
+++ b/hosts/build-coord/default.nix
@@ -10,6 +10,13 @@ bagel.services = {
 hydra.enable = true;
 hydra.builders = map (i: "builder-${builtins.toString i}") [4 5 10];
+
+ # Arguably, the build-coordinator is the most sensitive piece of our own infrastructure.
+ # Henceforth, it can run as well another sensitive piece of the system: the Vault.
+ vault = {
+ enable = true;
+ domain = "vault.forkos.org";
+ };
 };
 bagel.monitoring.exporters.hydra.enable = true;
diff --git a/terraform/dnsimple.nix b/terraform/dnsimple.nix
index 56b2d09..ff59e5d 100644
--- a/terraform/dnsimple.nix
+++ b/terraform/dnsimple.nix
@@ -104,6 +104,7 @@ in
 (record "amqp" 300 "CNAME" "bagel-box.infra.p.forkos.org")
 (record "grafana" 300 "CNAME" "meta01.infra.p.forkos.org")
 (record "hydra" 300 "CNAME" "build-coord.wob01.infra.p.forkos.org")
+ (record "vault" 300 "CNAME" "build-coord.wob01.infra.p.forkos.org")
 (record "loki" 300 "CNAME" "meta01.infra.p.forkos.org")
 (record "mimir" 300 "CNAME" "meta01.infra.p.forkos.org")
 (record "pyroscope" 300 "CNAME" "meta01.infra.p.forkos.org")
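Review bot: The comment added above `vault = {` justifies placing Vault on the build coordinator because both are sensitive, but sharing a host means a compromise of the Hydra services here also lands on the machine that holds the secrets store. That merges two blast radii and goes against the single-tenancy recommendation in Vault's production hardening guidance. If the trade-off is accepted, the comment should say so and name what separates the two, for example `# Vault shares this host with Hydra by choice; isolation between them relies on <mechanism>, see <doc link>`. The `bagel.services.vault` module is not part of this diff, so its TLS, storage backend and listener binding cannot be checked from here and are worth confirming.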
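Review bot: The new `vault` record in terraform/dnsimple.nix publishes the Vault endpoint next to `hydra` with the same target, and nothing visible in this diff limits who can reach it. If Vault is meant for operators and machines only, a comment beside the record such as `# vault: reachable only via <VPN/allow-list>, enforced in <module>` would record that intent. The restriction itself has to live in the host firewall or reverse proxy, since a CNAME cannot express it. The record list continues outside the hunk.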