Jump to content

Vaultwarden

From NixOS Wiki
Revision as of 07:00, 8 August 2025 by Death916 (talk | contribs) (added environmentfile variable as its needed for admin page and account setup.)

Vaultwarden is an alternative server implementation of the Bitwarden Client API, written in Rust and compatible with official Bitwarden clients, allowing you to self-host your own password manager backend.

Example Configuration

services.vaultwarden = {
    enable = true;
    backupDir = "/var/lib/vaultwarden/backup";
    config = {
        # Refer to https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
        DOMAIN = "https://bitwarden.example.com";
        SIGNUPS_ALLOWED = false;
        # Needed to enable admin page and signups set ADMIN_TOKEN
        environmentFile = "/var/lib/vaultwarden/vaultwarden.env"
        
        ROCKET_ADDRESS = "127.0.0.1";
        ROCKET_PORT = 8222;
        ROCKET_LOG = "critical";

        # This example assumes a mailserver running on localhost,
        # thus without transport encryption.
        # If you use an external mail server, follow:
        #   https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
        SMTP_HOST = "127.0.0.1";
        SMTP_PORT = 25;
        SMTP_SSL = false;

        SMTP_FROM = "admin@bitwarden.example.com";
        SMTP_FROM_NAME = "example.com Bitwarden server";
    };
};

Reverse Proxy Setup (recommended)

Caddy

services.caddy.virtualHosts."bitwarden.example.com".extraConfig = ''
    encode zstd gzip

    reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT} {
        header_up X-Real-IP {remote_host}
    }
'';

Nginx

services.nginx.virtualHosts."bitwarden.example.com" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
        proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
    };
};
'';
Retrieved from "https://wiki.nixos.org/w/index.php?title=Vaultwarden&oldid=23942"