Inital Commit
All checks were successful
Vaultwarden / Vaultwarden [arm64] (push) Successful in 59s
Vaultwarden / Vaultwarden [amd64] (push) Successful in 51s

Cantibra
2025-10-26 21:11:06 +01:00
commit 3180255caa
89 changed files with 4156 additions and 0 deletions


@@ -0,0 +1,83 @@
#!/bin/sh
### BEGIN INIT INFO
# Provides: vaultwarden
# Required-Start: $local_fs $network $remote_fs
# Required-Stop: $local_fs $network $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Vaultwarden Server
# Description: Alternative implementation of the Bitwarden server API
# written in Rust and compatible with upstream Bitwarden
# clients.
### END INIT INFO
NAME='vaultwarden'
DESC='Vaultwarden Server'
USER='vaultwarden'
GROUP='vaultwarden'
PIDFOLDER="/run/vaultwarden"
PIDFILE="${PIDFOLDER}/vaultwarden.pid"
DAEMON='/usr/sbin/vaultwarden'
DAEMON_CONFIG='/etc/vaultwarden/vaultwarden.conf'
set -e
[ -f "${DAEMON_CONFIG}" ]
. "${DAEMON_CONFIG}"
. '/lib/lsb/init-functions'
[ -x "${DAEMON}" ]
case "${1}" in
start)
/usr/bin/install --directory --group="${GROUP}" ---mode='0755' --owner="${USER}" "${PIDFOLDER}"
log_daemon_msg "Starting ${DESC}" "${NAME}"
if /usr/sbin/start-stop-daemon --quiet \
--start \
--oknodo \
--make-pidfile \
--pidfile "${PIDFILE}" \
--user "${USER}" \
--group "${GROUP}" \
--exec "${DAEMON}"; then
log_end_msg 0
else
log_end_msg 1
/usr/bin/test -f "${PIDFILE}" && \
/usr/bin/rm --force "${PIDFILE}"
fi
;;
stop)
log_daemon_msg "Stopping ${DESC}" "${NAME}"
if /usr/sbin/start-stop-daemon --quiet \
--stop \
--oknodo \
--retry 30 \
--remove-pidfile \
--pidfile "${PIDFILE}" \
--user "${USER}" \
--group "${GROUP}" \
--exec "${DAEMON}"; then
/usr/bin/test -f "${PIDFILE}" && \
/usr/bin/rm --force "${PIDFILE}"
log_end_msg 0
else
log_end_msg 1
fi
;;
restart)
"${0}" stop
"${0}" start
;;
status)
status_of_proc -p "${PIDFILE}" "${DAEMON}" "${NAME}" && \
exit 0 || \
exit "${?}"
;;
*)
echo "Usage: /etc/init.d/${NAME} {start|stop|restart|status}" >&2
exit 1
;;
esac
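Review bot: In the `start)` branch, `--user "${USER}"` is only a process-matching criterion for start-stop-daemon and does not change the uid of the launched program, so vaultwarden would run with the uid of whoever runs the init script (normally root) and only the group switched by `--group`. Adding `--chuid "${USER}:${GROUP}"` drops privileges before exec. `--background` is probably needed as well, since `--make-pidfile` is used and nothing in this hunk shows the binary forking on its own. Separately, `---mode='0755'` on the `install` line has three dashes, which `install` rejects as an unknown option, and under `set -e` that aborts `start` before the daemon is launched; it should read `--mode='0755'`. The sourced config assigns its variables without `export`, so unless the daemon reads that file by other means (not visible here) it will not see them; wrapping the `.` line in `set -a` / `set +a` would export them.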


@@ -0,0 +1,71 @@
/var/log/vaultwarden/*.log {
# Truncate the original log file in place after creating a copy,
# instead of moving the old log file and optionally creating a
# new one. It can be used when some program cannot be told to
# close its logfile and thus might continue writing (appending)
# to the previous log file forever. Note that there is a very
# small time slice between copying the file and truncating it, so
# some logging data might be lost. When this option is used, the
# create option will have no effect, as the old log file stays in
# place.
copytruncate
# Log files are rotated every day.
daily
# Archive old versions of log files adding a daily extension like
# YYYYMMDD instead of simply adding a number. The extension may
# be configured using the dateformat option.
dateext
# Specify the extension for dateext using the notation similar to
# strftime(3) function. Only %Y %m %d and %s specifiers are allowed.
# The default value is -%Y%m%d. Note that also the character
# separating log name from the extension is part of the dateformat
# string. The system clock must be set past Sep 9th 2001 for %s to
# work correctly. Note that the datestamps generated by this format
# must be lexically sortable (i.e., first the year, then the month
# then the day. e.g., 2001/12/01 is ok, but 01/12/2001 is not, since
# 01/11/2002 would sort lower while it is later). This is because when
# using the rotate option, logrotate sorts all rotated filenames to
# find out which logfiles are older and should be removed.
dateformat .%Y-%m-%d
# Use yesterday's instead of today's date to create the dateext
# extension, so that the rotated log file has a date in its name that
# is the same as the timestamps within it.
dateyesterday
# Postpone compression of the previous log file to the next rotation
# cycle. This only has effect when used in combination with compress.
# It can be used when some program cannot be told to close its logfile
# and thus might continue writing to the previous log file for some time.
delaycompress
# Do not copy the original log file and leave it in place.
nocopy
# New log files are not created.
nocreate
# Don't mail old log files to any address.
nomail
# Do not use shred when deleting old log files.
noshred
# Do not rotate the log if it is empty.
notifempty
# Logs are moved into directory for rotation. The directory must be on the
# same physical device as the log file being rotated, and is assumed to be
# relative to the directory holding the log file unless an absolute path
# name is specified. When this option is used all old versions of the log
# end up in directory.
olddir /var/logrotate/vaultwarden
# Log files are rotated count times before being removed or mailed to the
# address specified in a mail directive. If count is 0, old versions are
# removed rather than rotated.
rotate 7
}
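Review bot: This stanza has no `su` directive, so logrotate works as root inside `/var/log/vaultwarden` and `/var/logrotate/vaultwarden`. If those directories are owned or writable by the service account (their ownership is not visible here), a compromised service could influence files that root copies and truncates. `su vaultwarden vaultwarden` inside the block would confine rotation to that account. `delaycompress` is also inert because `compress` is never set, as its own comment notes; either add `compress` or drop the line. Consider `missingok` so a fresh install with no log yet does not make the daily run report an error.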

Binary file not shown.



@@ -0,0 +1,416 @@
#
# Vaultwarden Configuration
#
# Option: [_duo_akey]
# Notes: DUO Application Key
# Values: [ NONE | KEY ] Default: ''
#
_DUO_AKEY=''
# Option: [admin_ratelimit_max_burst]
# Notes: Allow a burst of requests of up to this size, while maintaining
# the average indicated by 'admin_ratelimit_seconds'
# Values: [ NUMBER ] Default: '3'
#
ADMIN_RATELIMIT_MAX_BURST='3'
# Option: [admin_ratelimit_seconds]
# Notes: Number of seconds, on average, between admin requests from the
# same IP address before rate limiting kicks in.
# Values: [ SECONDS ] Default: '300'
#
ADMIN_RATELIMIT_SECONDS='300'
# Option: [admin_token]
# Notes: The plain text token or Argon2 PHC string used to authenticate
# in this very same page.
#
# Values: [ NONE | TOKEN ] Default: ''
#
ADMIN_TOKEN=''
# Option: [attachments_folder]
# Notes: Attachments folder.
# Values: [ FOLDER ] Default: '/var/lib/vaultwarden/attachments'
#
ATTACHMENTS_FOLDER='/var/lib/vaultwarden/attachments'
# Option: [data_folder]
# Notes: Main data folder.
# Values: [ FOLDER ] Default: '/var/lib/vaultwarden'
#
DATA_FOLDER='/var/lib/vaultwarden'
# Option: [database_conn_init]
# Notes: SQL statements to run when creating a new database connection,
# mainly useful for connection-scoped pragmas.
# Values: [ NONE | SQL ] Default: ''
#
DATABASE_CONN_INIT=''
# Option: [database_max_conns]
# Notes: Maximal number of connections at the same time.
# Values: [ SECONDS ] Default: '10'
#
DATABASE_MAX_CONNS='10'
# Option: [database_timeout]
# Notes: Number of seconds to try connect to the database before give up.
# Values: [ SECONDS ] Default: '30'
#
DATABASE_TIMEOUT='30'
# Option: [database_url]
# Notes: File or MySQL/PostgreSQL backend for database.
# Values: [ FILE | SQLCON ] Default: 'vaultwarden.sqlite'
#
DATABASE_URL='/var/lib/vaultwarden/server.sqlite'
#DATABASE_URL='mysql://<MYSQL_USER>:<MYSQL_PASSWORD>@<MYSQL_HOST>/<MYSQL_DATABASE>'
# Option: [db_connection_retries]
# Notes: Number of times to retry the database connection during startup,
# with 1 second between each retry, set to 0 to retry indefinitely.
# Values: [ NUMBER ] Default: '15'
#
DB_CONNECTION_RETRIES='15'
# Option: [disable_admin_token]
# Notes: Disables the Admin Token for the admin page so you may use your
# own auth in-front.
# Values: [ TRUE | FALSE ] Default: 'false'
#
DISABLE_ADMIN_TOKEN='false'
# Option: [domain_path]
# Notes: Domain URL Path - For Example in
# https://example.com:8443/path
# /path is the path.
# Values: [ NONE | PATH ] Default: ''
#
DOMAIN_PATH=''
# Option: [emergency_notification_reminder_schedule]
# Notes: Cron schedule of the job that sends expiration reminders to
# emergency access grantors.
# Values: [ NONE | CRON ] Default: '0 3 * * * *'
#
EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE='0 3 * * * *'
# Option: [emergency_request_timeout_schedule]
# Notes: Cron schedule of the job that grants emergency access
# requests that have met the required wait time.
# Values: [ NONE | CRON ] Default: '0 7 * * * *'
#
EMERGENCY_REQUEST_TIMEOUT_SCHEDULE='0 7 * * * *'
# Option: [enable_db_wal]
# Notes: Set SQLite to operate in WAL mode.
# Values: [ TRUE | FALSE ] Default: 'true'
#
ENABLE_DB_WAL='true'
# Option: [event_cleanup_schedule]
# Notes: Cron schedule of the job that cleans old events from the
# event table.
# Values: [ NONE | CRON ] Default: '0 10 0 * * *'
#
EVENT_CLEANUP_SCHEDULE='0 10 0 * * *'
# Option: [events_days_retain]
# Notes: Number of days to retain events stored in the database.
# Values: [ NONE | DAYS ] Default: ''
#
EVENTS_DAYS_RETAIN=''
# Option: [experimental_client_feature_flags]
# Notes: Enable experimental feature flags for clients.
# This is a comma-separated list of flags, e.g. "flag1,flag2,flag3".
# The following flags are available:
# - inline-menu-positioning-improvements Enable the use of inline menu password generator
# and identity suggestions in the browser extension.
# - inline-menu-totp Enable the inline menu TOTP codes in the browser
# extension.
# - ssh-agent Enable SSH agent support on Desktop.
# - ssh-key-vault-item Enable the creation and use of SSH key vault
# items.
# - export-attachments Enable support for exporting attachments.
# - anon-addy-self-host-alias Enable configuring self-hosted Anon Addy alias
# generator.
# - simple-login-self-host-alias Enable configuring self-hosted Simple Login alias
# generator.
# - mutual-tls Enable the use of mutual TLS on Android.
# Values: [ FLAGS ] Default: 'fido2-vault-credentials'
#
EXPERIMENTAL_CLIENT_FEATURE_FLAGS='fido2-vault-credentials'
# Option: [extended_logging]
# Notes: State of extended logging.
# Values: [ TRUE | FALSE ] Default: 'false'
#
EXTENDED_LOGGING='false'
# Option: [icon_cache_folder]
# Notes: Icon Cache folder.
# Values: [ FOLDER ] Default: '/var/lib/vaultwarden/icon_cache'
#
ICON_CACHE_FOLDER='/var/cache/vaultwarden'
# Option: [icon_service]
# Notes: The predefined icon services are:
# internal | bitwarden | duckduckgo | google
# To specify a custom icon service, set a URL template with
# exactly one instance of '{}', which is replaced with the domain.
# For example: 'https://icon.example.com/domain/{}'
# 'internal' refers to Vaultwarden's built-in icon fetching
# implementation. If an external service is set, an icon request
# to Vaultwarden will return an HTTP redirect to the corresponding
# icon at the external service.
# Values: [ INTERNAL | BITWARDEN | DUCKDUCKGO | GOOGLE | IP/FQDN ] Default: 'internal'
#
ICON_SERVICE='internal'
# Option: [incomplete_2fa_schedule]
# Notes: Cron schedule of the job that checks for incomplete 2FA logins.
# Values: [ NONE | CRON ] Default: '30 * * * * *'
#
INCOMPLETE_2FA_SCHEDULE='30 * * * * *'
# Option: [invitation_expiration_hours]
# Notes: The number of hours after which an organization invite token,
# emergency access invite token, email verification token and
# deletion request token will expire (must be at least 1)
# Values: [ HOURS ] Default: '3'
#
INVITATION_EXPIRATION_HOURS='3'
# Option: [job_poll_interval_ms]
# Notes: How often the job scheduler thread checks for jobs to run.
# Values: [ 0 | MILLISECONDS ] Default: '30000'
#
JOB_POLL_INTERVAL_MS='30000'
# Option: [log_file]
# Notes: Looging output to file.
# Values: [ FILE ] Default: 'vaultwarden.log'
#
LOG_FILE='/var/log/vaultwarden/vaultwarden.log'
# Option: loglevel
# Notes: Set the log level output.
# ERROR
# WARN
# INFO
# DEBUG
# TRACE
# Values: [ LEVEL ] Default: 'info'
#
LOG_LEVEL='info'
# Option: [login_ratelimit_max_burst]
# Notes: Allow a burst of requests of up to this size, while maintaining
# the average indicated by 'login_ratelimit_seconds'.
# Values: [ NUMBER ] Default: '10'
#
LOGIN_RATELIMIT_MAX_BURST='10'
# Option: [login_ratelimit_seconds]
# Notes: Number of seconds, on average, between login and 2FA requests
# from the same IP address before rate limiting kicks in.
# Values: [ SECONDS ] Default: '60'
#
LOGIN_RATELIMIT_SECONDS='60'
# Option: [org_events_enabled]
# Notes: Set state of event logging for organizations.
# Values: [ TRUE | FALSE ] Default: 'false'
#
ORG_EVENTS_ENABLED='true'
# Option: [org_groups_enabled]
# Notes: Set state of groups support for organizations.
# Values: [ TRUE | FALSE ] Default: 'false'
#
ORG_GROUPS_ENABLED='true'
# Option: [push_enabled]
# Notes: State of push notifications.
# Values: [ TRUE | FALSE ] Default: 'false'
#
PUSH_ENABLED='false'
# Option: [push_installation_id]
# Notes: Installation ID
# See: https://bitwarden.com/host
# Values: [ NONE | ID ] Default: ''
#
PUSH_INSTALLATION_ID=''
# Option: [push_installation_key]
# Notes: Installation Key
# See: https://bitwarden.com/host
# Values: [ NONE | KEY ] Default: ''
#
PUSH_INSTALLATION_KEY=''
# Option: [push_relay_uri]
# Notes: Addres for push notifications relay server.
# Values: [ NONE | IP/FQDN ] Default: 'https://api.bitwarden.eu'
#
PUSH_RELAY_URI='https://api.bitwarden.eu'
# Option: [push_identity_uri]
# Notes: Addres for push notifications identity server.
# Values: [ NONE | IP/FQDN ] Default: 'https://identity.bitwarden.eu'
#
PUSH_IDENTITY_URI='https://identity.bitwarden.eu'
# Option: [rsa_key_filename]
# Notes: Name of RSA keyfile.
# Values: [ FILE ] Default: 'rsa_key'
#
RSA_KEY_FILENAME='/var/lib/vaultwarden/vaultwarden'
# Option: [send_purge_schedule]
# Notes: Cron schedule of the job that checks for Sends past their
# deletion date.
# Values: [ NONE | CRON ] Default: '0 5 * * * *'
#
SEND_PURGE_SCHEDULE='0 5 * * * *'
# Option: [sends_folder]
# Notes: Sends folder.
# Values: [ FOLDER ] Default: '/var/lib/vaultwarden/sends'
#
SENDS_FOLDER='/var/lib/vaultwarden/sends'
# Option: [smtp_debug]
# Notes: State of detailed SMTP messages. This could contain sensitive
# information like passwords and usernames!
# Values: [ TRUE | FALSE ] Default: 'false'
#
SMTP_DEBUG='false'
# Option: [sso_enabled]
# Notes: Controls whether users can login using an OpenID Connect
# identity provider.
# Values: [ TRUE | FALSE ] Default: 'false'
#
SSO_ENABLED='false'
# Option: [sso_only]
# Notes: Prevent users from logging in directly without going through
# SSO.
# Values: [ TRUE | FALSE ] Default: 'false'
#
SSO_ONLY='false'
# Option: [sso_signups_match_email]
# Notes: On SSO Signup if a user with a matching email already exists
# make the association.
# Values: [ TRUE | FALSE ] Default: 'true'
#
SSO_SIGNUPS_MATCH_EMAIL='true'
# Option: [sso_authority]
# Notes: Base URL of the OIDC server.
# Values: [ NONE | IP/FQDN ] Default: ''
#
SSO_AUTHORITY=''
# Option: [sso_scopes]
# Notes: Authorization request scopes.
# Values: [ SCOPES ] Default: 'email profile'
#
SSO_SCOPES='email profile'
# Option: [sso_authorize_extra_params]
# Notes: Authorization request scopes.
# Values: [ PARAMETER ] Default: 'access_type=offline&prompt=consent'
#
SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"
# Option: [sso_pkce]
# Notes: Activate PKCE for the Auth Code flow.
# Values: [ TRUE | FALSE ] Default: 'true'
#
SSO_PKCE='true'
# Option: [sso_audience_trusted]
# Notes: Regex for additional trusted Id token audience.
# Values: [ REGEX ] Default: '^$'
#
SSO_AUDIENCE_TRUSTED='^$'
# Option: [sso_client_id]
# Notes: SSO Client ID
# Values: [ NONE | ID ] Default: ''
#
SSO_CLIENT_ID=''
# Option: [sso_client_secret]
# Notes: SSO Client Key.
# Values: [ NONE | KEY ] Default: ''
#
SSO_CLIENT_SECRET=''
# Option: [sso_master_password_policy]
# Notes: Optional Master password policy.
# Values: [ POLICY ] Default: '{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
#
SSO_MASTER_PASSWORD_POLICY='{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
# Option: [sso_auth_only_not_session]
# Notes: Use sso only for authentication not the session lifecycle.
# Values: [ TRUE | FALSE ] Default: 'false'
#
SSO_AUTH_ONLY_NOT_SESSION='false'
# Option: [sso_client_cache_expiration]
# Notes: Client cache for discovery endpoint.
# Values: [ SECONDS ] Default: '0'
#
SSO_CLIENT_CACHE_EXPIRATION='0'
# Option: [sso_debug_tokens]
# Notes: Log all the tokens, LOG_LEVEL=debug is required.
# Values: [ TRUE | FALSE ] Default: 'false'
#
SSO_DEBUG_TOKENS='false'
# Option: [templates_folder]
# Notes: Templates folder.
# Values: [ FOLDER ] Default: '/usr/lib/vaultwarden/templates'
#
TEMPLATES_FOLDER='/usr/lib/vaultwarden/templates'
# Option: [tmp_folder]
# Notes: Temporary folder used for storing temporary file uploads.
# Values: [ FOLDER ] Default: '/var/lib/vaultwarden/tmp'
#
TMP_FOLDER='/tmp'
# Option: [trash_purge_schedule]
# Notes: Cron schedule of the job that checks for trashed items to delete
# permanently.
# Values: [ NONE | CRON ] Default: '0 5 0 * * *'
#
TRASH_PURGE_SCHEDULE='0 5 0 * * *'
# Option: [use_syslog]
# Notes: State of logging output to syslog.
# Values: [ TRUE | FALSE ] Default: 'false'
#
USE_SYSLOG='false'
# Option: [web_vault_enabled]
# Notes: State of Web Vault.
# Values: [ TRUE | FALSE ] Default: 'true'
#
WEB_VAULT_ENABLED='true'
# Option: [web_vault_folder]
# Notes: Web Vault folder.
# Values: [ FOLDER ] Default: '/usr/lib/vaultwarden/web-vault'
#
WEB_VAULT_FOLDER='/usr/lib/vaultwarden/web-vault'
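Review bot: `TMP_FOLDER='/tmp'` overrides the default documented directly above it (`/var/lib/vaultwarden/tmp`) and places temporary file uploads in the shared, world-writable `/tmp`. Keeping `TMP_FOLDER='/var/lib/vaultwarden/tmp'` leaves them in a directory only the service account can read. The file is also where `ADMIN_TOKEN`, `SSO_CLIENT_SECRET`, `PUSH_INSTALLATION_KEY` and `_DUO_AKEY` get filled in, so the packaging should install it readable only by root and the service group (for example mode 0640); the install step is not part of this section. On documentation, the Notes for `sso_authorize_extra_params` repeat `Authorization request scopes.` from `sso_scopes`, `database_max_conns` gives its value type as `SECONDS` where `NUMBER` is meant, and the shipped `ORG_EVENTS_ENABLED='true'` and `ORG_GROUPS_ENABLED='true'` differ from the `Default: 'false'` stated in their comments.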