Vaultwarden: Difference between revisions
No edit summary |
backup folder in the /var/lib/vaultwarden directory would reference itself and is therefore not allowed |
||
| (One intermediate revision by one other user not shown) | |||
| Line 5: | Line 5: | ||
services.vaultwarden = { | services.vaultwarden = { | ||
enable = true; | enable = true; | ||
backupDir = "/var/ | backupDir = "/var/local/vaultwarden/backup"; | ||
# in order to avoid having ADMIN_TOKEN in the nix store it can be also set with the help of an environment file | # in order to avoid having ADMIN_TOKEN in the nix store it can be also set with the help of an environment file | ||
# be aware that this file must be created by hand (or via secrets management like sops) | # be aware that this file must be created by hand (or via secrets management like sops) | ||
| Line 56: | Line 56: | ||
[[Category:Server]] | [[Category:Server]] | ||
[[Category:Security]] | [[Category:Security]] | ||
[[Category:Rust]] | |||
Latest revision as of 13:28, 22 October 2025
Vaultwarden is an alternative server implementation of the Bitwarden Client API, written in Rust and compatible with official Bitwarden clients, allowing you to self-host your own password manager backend.
Example Configuration
services.vaultwarden = {
enable = true;
backupDir = "/var/local/vaultwarden/backup";
# in order to avoid having ADMIN_TOKEN in the nix store it can be also set with the help of an environment file
# be aware that this file must be created by hand (or via secrets management like sops)
environmentFile = "/var/lib/vaultwarden/vaultwarden.env"
config = {
# Refer to https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
DOMAIN = "https://bitwarden.example.com";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
ROCKET_LOG = "critical";
# This example assumes a mailserver running on localhost,
# thus without transport encryption.
# If you use an external mail server, follow:
# https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
SMTP_HOST = "127.0.0.1";
SMTP_PORT = 25;
SMTP_SSL = false;
SMTP_FROM = "admin@bitwarden.example.com";
SMTP_FROM_NAME = "example.com Bitwarden server";
};
};
Reverse Proxy Setup (recommended)
Caddy
services.caddy.virtualHosts."bitwarden.example.com".extraConfig = ''
encode zstd gzip
reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT} {
header_up X-Real-IP {remote_host}
}
'';
Nginx
services.nginx.virtualHosts."bitwarden.example.com" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
};
};
'';