diff --git a/nix/docker/default.nix b/nix/docker/default.nix
index ae9b7a73e2..27f2bbbc4e 100644
--- a/nix/docker/default.nix
+++ b/nix/docker/default.nix
@@ -4,4 +4,5 @@ args: {
   heptapod = import ./heptapod args;
+  vault = import ./vault args;
 }
diff --git a/nix/docker/vault/default.nix b/nix/docker/vault/default.nix
new file mode 100644
index 0000000000..1ebc984523
--- /dev/null
+++ b/nix/docker/vault/default.nix
@@ -0,0 +1,58 @@
+# SPDX-FileCopyrightText: 2020 Luke Granger-Brown
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{ pkgs, depot, ... }:
+let
+  vault = pkgs.vault-bin;
+
+  imageName = "europe-docker.pkg.dev/lukegb-vault/lukegb-vault/vault";
+  imageVersion = vault.version;
+
+  plugins = [
+  ];
+
+  pluginDrv = pkgs.runCommand "vault-plugins" {
+    inherit plugins;
+  } ''
+    mkdir -p $out/libexec/vault
+
+    for plugin in $plugins; do
+      for f in $plugin/libexec/vault/*; do
+        # Must actually put the file into the directory.
+        cp $f $out/libexec/vault
+      done
+    done
+  '';
+
+  container = pkgs.dockerTools.buildImage rec {
+    name = imageName;
+    tag = imageVersion;
+
+    contents = pluginDrv;
+
+    # Using vault-bin because I want the vault UI.
+    config.Entrypoint = [ "${vault}/bin/vault" "server" "-config" "/etc/vault/config.hcl" ];
+    config.Env = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
+  } // {
+    plugins = pluginDrv;
+  };
+
+  uploadCmd = pkgs.writeShellApplication {
+    name = "upload-vault-container";
+
+    runtimeInputs = with pkgs; [ skopeo google-cloud-sdk ];
+
+    text = ''
+      echo
+      echo Uploading ${imageName}:${imageVersion}
+      skopeo copy docker-archive:${container} docker://${imageName}:${imageVersion}
+
+      echo
+      echo Switching Cloud Run over
+      gcloud --project lukegb-vault run deploy vault-server --region europe-west1 --image ${imageName}:${imageVersion} --concurrency default
+    '';
+  };
+in container // {
+  upload = uploadCmd;
+}
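Review bot: The upload script in `uploadCmd` pushes and deploys by the mutable tag `${imageName}:${imageVersion}`, and since the tag is just `vault.version`, rebuilding the image with a changed `plugins` list or base while Vault's version is unchanged overwrites the previously pushed tag, and `gcloud run deploy --image` then takes whatever the registry currently holds rather than the artifact this build produced. Pin the deploy to the content digest skopeo reports: `digestfile=$(mktemp)` before the copy, `skopeo copy --digestfile "$digestfile" docker-archive:${container} docker://${imageName}:${imageVersion}`, and `--image "${imageName}@$(cat "$digestfile")"` in the gcloud call. Separately, `config.Entrypoint` passes `-config /etc/vault/config.hcl` but `contents` only includes `pluginDrv`, so the config is not in the image and must be supplied at runtime; a comment such as `# /etc/vault/config.hcl is not baked in -- it must be mounted into the Cloud Run service.` next to the entrypoint would make that explicit. The image also sets no `config.User`, so Vault presumably runs as root inside the container; that may be acceptable on Cloud Run, but it is worth confirming and recording as a deliberate choice.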