Vaultwarden: Difference between revisions
Vaultwarden – A self-hosted Bitwarden-compatible password manager server written in Rust, available as a NixOS module. |
|||
(3 intermediate revisions by 3 users not shown) | |||
Line 2: | Line 2: | ||
== Example Configuration == | == Example Configuration == | ||
< | <syntaxhighlight lang="nix"> | ||
services.vaultwarden = { | services.vaultwarden = { | ||
enable = true; | enable = true; | ||
backupDir = "/var/lib/vaultwarden/backup"; | backupDir = "/var/lib/vaultwarden/backup"; | ||
# in order to avoid having ADMIN_TOKEN in the nix store it can be also set with the help of an environment file | |||
# be aware that this file must be created by hand (or via secrets management like sops) | |||
environmentFile = "/var/lib/vaultwarden/vaultwarden.env" | |||
config = { | config = { | ||
# Refer to https://github.com/dani-garcia/vaultwarden/blob/main/.env.template | # Refer to https://github.com/dani-garcia/vaultwarden/blob/main/.env.template | ||
DOMAIN = "https://bitwarden.example.com"; | DOMAIN = "https://bitwarden.example.com"; | ||
SIGNUPS_ALLOWED = false; | SIGNUPS_ALLOWED = false; | ||
ROCKET_ADDRESS = "127.0.0.1"; | ROCKET_ADDRESS = "127.0.0.1"; | ||
ROCKET_PORT = 8222; | ROCKET_PORT = 8222; | ||
Line 27: | Line 30: | ||
}; | }; | ||
}; | }; | ||
</ | </syntaxhighlight> | ||
== Reverse Proxy Setup (recommended) == | == Reverse Proxy Setup (recommended) == | ||
=== Caddy === | === Caddy === | ||
< | <syntaxhighlight lang="nix">services.caddy.virtualHosts."bitwarden.example.com".extraConfig = '' | ||
services.caddy.virtualHosts."bitwarden.example.com".extraConfig = '' | |||
encode zstd gzip | encode zstd gzip | ||
reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT} | reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT} { | ||
header_up X-Real-IP {remote_host} | |||
} | |||
''; | '';</syntaxhighlight> | ||
</ | |||
=== Nginx === | === Nginx === | ||
<syntaxHighlight lang=nix> | <syntaxHighlight lang=nix> | ||
Line 55: | Line 56: | ||
[[Category:Server]] | [[Category:Server]] | ||
[[Category:Security]] | [[Category:Security]] | ||
[[Category:Rust]] |
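Review bot: The added `environmentFile = "/var/lib/vaultwarden/vaultwarden.env"` line in the first hunk (Line 2) has no terminating semicolon, so the example stops evaluating when copied; it should read `environmentFile = "/var/lib/vaultwarden/vaultwarden.env";`. The two comment lines above it say the file must be created by hand but not how it should be protected, which defeats the purpose of keeping ADMIN_TOKEN out of the Nix store if the file is left world-readable. I would extend them with `# keep this file outside the Nix store and readable only by root (e.g. mode 0600)`.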
Latest revision as of 13:37, 17 August 2025
Vaultwarden is an alternative server implementation of the Bitwarden Client API, written in Rust and compatible with official Bitwarden clients, allowing you to self-host your own password manager backend.
Example Configuration
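services.vaultwarden = {
  enable = true;
  # Backups contain a copy of the vault data; restrict access to this
  # directory the same way as the live state directory.
  backupDir = "/var/lib/vaultwarden/backup";
  # Secrets such as ADMIN_TOKEN belong in an environment file instead of
  # `config`, because the Nix store is world-readable.
  # This file is not created by the module: write it by hand or deploy it with
  # a secrets manager such as sops. Keep it outside the Nix store and readable
  # only by root (e.g. mode 0600). Vaultwarden also accepts an Argon2 hash of
  # the admin token (see `vaultwarden hash`) in place of the plain value.
  environmentFile = "/var/lib/vaultwarden/vaultwarden.env";
  config = {
    # Refer to https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
    DOMAIN = "https://bitwarden.example.com";
    # Disable open self-registration.
    SIGNUPS_ALLOWED = false;
    # Listen on loopback only, so the service is reachable solely through the
    # reverse proxy configured below (which terminates TLS).
    ROCKET_ADDRESS = "127.0.0.1";
    ROCKET_PORT = 8222;
    ROCKET_LOG = "critical";
    # This example assumes a mail server running on localhost, so SMTP is used
    # without transport encryption. Do not reuse these settings for a remote
    # mail server; for an external server follow:
    # https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
    SMTP_HOST = "127.0.0.1";
    SMTP_PORT = 25;
    SMTP_SSL = false;
    SMTP_FROM = "admin@bitwarden.example.com";
    SMTP_FROM_NAME = "example.com Bitwarden server";
  };
};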
Reverse Proxy Setup (recommended)
Caddy
services.caddy.virtualHosts."bitwarden.example.com" = {
  # Caddy terminates TLS for the public hostname and forwards requests to the
  # port Vaultwarden listens on.
  # X-Real-IP is the header Vaultwarden reads the client address from by
  # default (IP_HEADER). {remote_host} is the address of the peer connecting
  # to Caddy, so if Caddy itself sits behind another proxy or CDN this will be
  # that hop's address rather than the end user's.
  extraConfig = ''
    encode zstd gzip
    reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT} {
      header_up X-Real-IP {remote_host}
    }
  '';
};
Nginx
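services.nginx.virtualHosts."bitwarden.example.com" = {
  # Obtain a certificate via ACME and redirect plain HTTP to HTTPS, so vault
  # traffic is never served unencrypted.
  enableACME = true;
  forceSSL = true;
  locations."/" = {
    proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
    # Pass Host, X-Real-IP and X-Forwarded-* to the backend. Without them
    # Vaultwarden logs every request as coming from 127.0.0.1, which makes
    # failed-login logs useless for detection or rate limiting.
    recommendedProxySettings = true;
    # Allow the WebSocket upgrade used for live sync notifications.
    proxyWebsockets = true;
  };
};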