you can put on the same machine (raspi):
- pihole
- vaultwarden
- certbot (letsencrypt)
- lighttpd
Pihole and vaultwarden use HTTP socks, so no encryption
That's why you install the SSL certificate through letsencrypt and setup the reverse proxy from lighttpd to accept only HTTPS connections and reverse them locally to pihole and vaultwarden.
To backup vaultwarden just crontab copying the /data folder to somewhere useful, like Github or Gdrive