Jump to content

Vaultwarden: Difference between revisions

From NixOS Wiki
← Older edit
VisualWikitext
m fixed caddy syntax
backup folder in the /var/lib/vaultwarden directory would reference itself and is therefore not allowed
 
(3 intermediate revisions by 3 users not shown)
Line 2: Line 2:


== Example Configuration ==
== Example Configuration ==
<syntaxHighlight lang=nix>
<syntaxhighlight lang="nix">
services.vaultwarden = {
services.vaultwarden = {
     enable = true;
     enable = true;
     backupDir = "/var/lib/vaultwarden/backup";
     backupDir = "/var/local/vaultwarden/backup";
    # in order to avoid having  ADMIN_TOKEN in the nix store it can be also set with the help of an environment file
    # be aware that this file must be created by hand (or via secrets management like sops)
    environmentFile = "/var/lib/vaultwarden/vaultwarden.env"
     config = {
     config = {
         # Refer to https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
         # Refer to https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
         DOMAIN = "https://bitwarden.example.com";
         DOMAIN = "https://bitwarden.example.com";
         SIGNUPS_ALLOWED = false;
         SIGNUPS_ALLOWED = false;
       
 
         ROCKET_ADDRESS = "127.0.0.1";
         ROCKET_ADDRESS = "127.0.0.1";
         ROCKET_PORT = 8222;
         ROCKET_PORT = 8222;
Line 27: Line 30:
     };
     };
};
};
</syntaxHighlight>
</syntaxhighlight>


== Reverse Proxy Setup (recommended) ==
== Reverse Proxy Setup (recommended) ==
Line 53: Line 56:
[[Category:Server]]
[[Category:Server]]
[[Category:Security]]
[[Category:Security]]
[[Category:Rust]]

Latest revision as of 13:28, 22 October 2025

Vaultwarden is an alternative server implementation of the Bitwarden Client API, written in Rust and compatible with official Bitwarden clients, allowing you to self-host your own password manager backend.

Example Configuration

services.vaultwarden = {
    enable = true;
    backupDir = "/var/local/vaultwarden/backup";
    # in order to avoid having  ADMIN_TOKEN in the nix store it can be also set with the help of an environment file
    # be aware that this file must be created by hand (or via secrets management like sops)
    environmentFile = "/var/lib/vaultwarden/vaultwarden.env"
    config = {
        # Refer to https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
        DOMAIN = "https://bitwarden.example.com";
        SIGNUPS_ALLOWED = false;

        ROCKET_ADDRESS = "127.0.0.1";
        ROCKET_PORT = 8222;
        ROCKET_LOG = "critical";

        # This example assumes a mailserver running on localhost,
        # thus without transport encryption.
        # If you use an external mail server, follow:
        #   https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
        SMTP_HOST = "127.0.0.1";
        SMTP_PORT = 25;
        SMTP_SSL = false;

        SMTP_FROM = "admin@bitwarden.example.com";
        SMTP_FROM_NAME = "example.com Bitwarden server";
    };
};

Reverse Proxy Setup (recommended)

Caddy

services.caddy.virtualHosts."bitwarden.example.com".extraConfig = ''
    encode zstd gzip

    reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT} {
        header_up X-Real-IP {remote_host}
    }
'';

Nginx

services.nginx.virtualHosts."bitwarden.example.com" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
        proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
    };
};
'';
Retrieved from "https://wiki.nixos.org/w/index.php?title=Vaultwarden&oldid=27883"