## Vaultwarden Configuration File ## Uncomment any of the following lines to change the defaults ## ## Be aware that most of these settings will be overridden if they were changed ## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json . ## Main data folder DATA_FOLDER=/srv/vaultwarden ## Database URL ## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3 # DATABASE_URL=data/db.sqlite3 ## When using MySQL, specify an appropriate connection URI. ## Details: https://docs.diesel.rs/diesel/mysql/struct.MysqlConnection.html # DATABASE_URL=mysql://user:password@host[:port]/database_name ## When using PostgreSQL, specify an appropriate connection URI (recommended) ## or keyword/value connection string. ## Details: ## - https://docs.diesel.rs/diesel/pg/struct.PgConnection.html ## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING # DATABASE_URL=postgresql://user:password@host[:port]/database_name #>GNUNUX DATABASE_URL=postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=%%tls_cert_directory/postgresql.crt&sslkey=%%tls_key_directory/postgresql.key&sslrootcert=%%tls_ca_directory/PostgreSQL.crt #GNUNUX IP_HEADER=X-Real-IP #GNUNUX INVITATION_ORG_NAME=%%vaultwarden_org_name #GNUNUX %set %%location = %%revprox_client_external_domainnames[0].revprox_client_location %if %%location.endswith('/') %set %%location = %%location[:-1] %end if DOMAIN=https://%%{revprox_client_external_domainnames[0]}%%location # # DUO_SKEY= # DUO_HOST= ## After that, you should be able to follow the rest of the guide linked above, ## ignoring the fields that ask for the values that you already configured beforehand. ## Authenticator Settings ## Disable authenticator time drifted codes to be valid. ## TOTP codes of the previous and next 30 seconds will be invalid ## ## According to the RFC6238 (https://tools.ietf.org/html/rfc6238), ## we allow by default the TOTP code which was valid one step back and one in the future. ## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes. ## You can disable this, so that only the current TOTP Code is allowed. ## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid. ## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid. # AUTHENTICATOR_DISABLE_TIME_DRIFT=false ## Rocket specific settings ## See https://rocket.rs/v0.4/guide/configuration/ for more details. # ROCKET_ADDRESS=0.0.0.0 # ROCKET_PORT=80 # Defaults to 80 in the Docker images, or 8000 otherwise. # ROCKET_WORKERS=10 # ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"} #>GNUNUX ROCKET_ADDRESS=0.0.0.0 ROCKET_PORT=443 ROCKET_TLS='{certs="/etc/pki/tls/certs/revprox.crt",key="/etc/pki/tls/private/revprox.key"}' #GNUNUX SMTP_HOST=%%smtp_relay_address SMTP_FROM=%%vaultwarden_admin_email SMTP_FROM_NAME=%%domain_name_eth0 SMTP_PORT=25 SMTP_SSL=true #SMTP_EXPLICIT_TLS=true SMTP_TIMEOUT=15 SMTP_USERNAME=%%smtp_relay_user@%%ip_eth0 SMTP_PASSWORD=%%smtp_relay_password #