Inital Commit

2025-10-26 21:11:06 +01:00
commit 3180255caa
89 changed files with 4156 additions and 0 deletions
--- a/root/etc/vaultwarden/vaultwarden.conf
+++ b/root/etc/vaultwarden/vaultwarden.conf
@@ -0,0 +1,416 @@
+#
+# Vaultwarden Configuration
+#
+
+# Option: [_duo_akey]
+# Notes:  DUO Application Key
+# Values: [ NONE | KEY ]  Default: ''
+#
+_DUO_AKEY=''
+
+# Option: [admin_ratelimit_max_burst]
+# Notes:  Allow a burst of requests of up to this size, while maintaining
+#         the average indicated by 'admin_ratelimit_seconds'
+# Values: [ NUMBER ]  Default: '3'
+#
+ADMIN_RATELIMIT_MAX_BURST='3'
+
+# Option: [admin_ratelimit_seconds]
+# Notes:  Number of seconds, on average, between admin requests from the
+#         same IP address before rate limiting kicks in.
+# Values: [ SECONDS ]  Default: '300'
+#
+ADMIN_RATELIMIT_SECONDS='300'
+
+# Option: [admin_token] 
+# Notes:  The plain text token or Argon2 PHC string used to authenticate
+#         in this very same page.
+#         
+# Values: [ NONE | TOKEN ]  Default: ''
+#
+ADMIN_TOKEN=''
+
+# Option: [attachments_folder]
+# Notes:  Attachments folder.
+# Values: [ FOLDER ]  Default: '/var/lib/vaultwarden/attachments'
+#
+ATTACHMENTS_FOLDER='/var/lib/vaultwarden/attachments'
+
+# Option: [data_folder]
+# Notes:  Main data folder.
+# Values: [ FOLDER ]  Default: '/var/lib/vaultwarden'
+#
+DATA_FOLDER='/var/lib/vaultwarden'
+
+# Option: [database_conn_init]
+# Notes:  SQL statements to run when creating a new database connection,
+#         mainly useful for connection-scoped pragmas.
+# Values: [ NONE | SQL ]  Default: ''
+#
+DATABASE_CONN_INIT=''
+
+# Option: [database_max_conns]
+# Notes:  Maximal number of connections at the same time.
+# Values: [ SECONDS ]  Default: '10'
+#
+DATABASE_MAX_CONNS='10'
+
+# Option: [database_timeout]
+# Notes:  Number of seconds to try connect to the database before give up.
+# Values: [ SECONDS ]  Default: '30'
+#
+DATABASE_TIMEOUT='30'
+
+# Option: [database_url]
+# Notes:  File or MySQL/PostgreSQL backend for database.
+# Values: [ FILE | SQLCON ]  Default: 'vaultwarden.sqlite'
+#
+DATABASE_URL='/var/lib/vaultwarden/server.sqlite'
+#DATABASE_URL='mysql://<MYSQL_USER>:<MYSQL_PASSWORD>@<MYSQL_HOST>/<MYSQL_DATABASE>'
+
+# Option: [db_connection_retries]
+# Notes:  Number of times to retry the database connection during startup,
+#         with 1 second between each retry, set to 0 to retry indefinitely.
+# Values: [ NUMBER ]  Default: '15'
+#
+DB_CONNECTION_RETRIES='15'
+
+# Option: [disable_admin_token]
+# Notes:  Disables the Admin Token for the admin page so you may use your
+#         own auth in-front.
+# Values: [ TRUE | FALSE ]  Default: 'false'
+#
+DISABLE_ADMIN_TOKEN='false'
+
+# Option: [domain_path]
+# Notes:  Domain URL Path - For Example in
+#           https://example.com:8443/path
+#         /path is the path.
+# Values: [ NONE | PATH ]  Default: ''
+#
+DOMAIN_PATH=''
+
+# Option: [emergency_notification_reminder_schedule]
+# Notes:  Cron schedule of the job that sends expiration reminders to
+#         emergency access grantors.
+# Values: [ NONE | CRON ]  Default: '0 3 * * * *'
+#
+EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE='0 3 * * * *'
+
+# Option: [emergency_request_timeout_schedule]
+# Notes:  Cron schedule of the job that grants emergency access
+#         requests that have met the required wait time.
+# Values: [ NONE | CRON ]  Default: '0 7 * * * *'
+#
+EMERGENCY_REQUEST_TIMEOUT_SCHEDULE='0 7 * * * *'
+
+# Option: [enable_db_wal]
+# Notes:  Set SQLite to operate in WAL mode.
+# Values: [ TRUE | FALSE ]  Default: 'true'
+#
+ENABLE_DB_WAL='true'
+
+# Option: [event_cleanup_schedule]
+# Notes:  Cron schedule of the job that cleans old events from the
+#         event table.
+# Values: [ NONE | CRON ]  Default: '0 10 0 * * *'
+#
+EVENT_CLEANUP_SCHEDULE='0 10 0 * * *'
+
+# Option: [events_days_retain]
+# Notes:  Number of days to retain events stored in the database.
+# Values: [ NONE | DAYS ]  Default: ''
+#
+EVENTS_DAYS_RETAIN=''
+
+# Option: [experimental_client_feature_flags]
+# Notes: Enable experimental feature flags for clients.
+# This is a comma-separated list of flags, e.g. "flag1,flag2,flag3".
+# The following flags are available:
+#  - inline-menu-positioning-improvements   Enable the use of inline menu password generator
+#                                           and identity suggestions in the browser extension.
+#  - inline-menu-totp                       Enable the inline menu TOTP codes in the browser
+#                                           extension.
+#  - ssh-agent                              Enable SSH agent support on Desktop.
+#  - ssh-key-vault-item                     Enable the creation and use of SSH key vault
+#                                           items.
+#  - export-attachments                     Enable support for exporting attachments.
+#  - anon-addy-self-host-alias              Enable configuring self-hosted Anon Addy alias
+#                                           generator.
+#  - simple-login-self-host-alias           Enable configuring self-hosted Simple Login alias
+#                                           generator.
+#  - mutual-tls                             Enable the use of mutual TLS on Android.
+# Values: [ FLAGS ]  Default: 'fido2-vault-credentials'
+#
+EXPERIMENTAL_CLIENT_FEATURE_FLAGS='fido2-vault-credentials'
+
+# Option: [extended_logging]
+# Notes:  State of extended logging.
+# Values: [ TRUE | FALSE ]  Default: 'false'
+#
+EXTENDED_LOGGING='false'
+
+# Option: [icon_cache_folder]
+# Notes:  Icon Cache folder.
+# Values: [ FOLDER ]  Default: '/var/lib/vaultwarden/icon_cache'
+#
+ICON_CACHE_FOLDER='/var/cache/vaultwarden'
+
+# Option: [icon_service]
+# Notes:  The predefined icon services are:
+#           internal | bitwarden | duckduckgo | google
+#         To specify a custom icon service, set a URL template with
+#         exactly one instance of '{}', which is replaced with the domain.
+#           For example: 'https://icon.example.com/domain/{}'
+#         'internal' refers to Vaultwarden's built-in icon fetching
+#         implementation. If an external service is set, an icon request
+#         to Vaultwarden will return an HTTP redirect to the corresponding
+#         icon at the external service.
+# Values: [ INTERNAL | BITWARDEN | DUCKDUCKGO | GOOGLE | IP/FQDN ]  Default: 'internal'
+#
+ICON_SERVICE='internal'
+
+# Option: [incomplete_2fa_schedule]
+# Notes:  Cron schedule of the job that checks for incomplete 2FA logins.
+# Values: [ NONE | CRON ]  Default: '30 * * * * *'
+#
+INCOMPLETE_2FA_SCHEDULE='30 * * * * *'
+
+# Option: [invitation_expiration_hours]
+# Notes:  The number of hours after which an organization invite token,
+#         emergency access invite token, email verification token and
+#         deletion request token will expire (must be at least 1)
+# Values: [ HOURS ]  Default: '3'
+#
+INVITATION_EXPIRATION_HOURS='3'
+
+# Option: [job_poll_interval_ms]
+# Notes:  How often the job scheduler thread checks for jobs to run.
+# Values: [ 0 | MILLISECONDS ]  Default: '30000'
+#
+JOB_POLL_INTERVAL_MS='30000'
+
+# Option: [log_file]
+# Notes:  Looging output to file.
+# Values: [ FILE ]  Default: 'vaultwarden.log'
+#
+LOG_FILE='/var/log/vaultwarden/vaultwarden.log'
+
+# Option: loglevel
+# Notes:  Set the log level output.
+#         ERROR
+#         WARN
+#         INFO
+#         DEBUG
+#         TRACE
+# Values: [ LEVEL ]  Default: 'info'
+#
+LOG_LEVEL='info'
+
+# Option: [login_ratelimit_max_burst]
+# Notes:  Allow a burst of requests of up to this size, while maintaining
+#         the average indicated by 'login_ratelimit_seconds'.
+# Values: [ NUMBER ]  Default: '10'
+#
+LOGIN_RATELIMIT_MAX_BURST='10'
+
+# Option: [login_ratelimit_seconds]
+# Notes:  Number of seconds, on average, between login and 2FA requests
+#         from the same IP address before rate limiting kicks in.
+# Values: [ SECONDS ]  Default: '60'
+#
+LOGIN_RATELIMIT_SECONDS='60'
+
+# Option: [org_events_enabled]
+# Notes:  Set state of event logging for organizations.
+# Values: [ TRUE | FALSE ]  Default: 'false'
+#
+ORG_EVENTS_ENABLED='true'
+
+# Option: [org_groups_enabled]
+# Notes:  Set state of groups support for organizations.
+# Values: [ TRUE | FALSE ]  Default: 'false'
+#
+ORG_GROUPS_ENABLED='true'
+
+# Option: [push_enabled]
+# Notes:  State of push notifications.
+# Values: [ TRUE | FALSE ]  Default: 'false'
+#
+PUSH_ENABLED='false'
+
+# Option: [push_installation_id]
+# Notes:  Installation ID
+#           See: https://bitwarden.com/host
+# Values: [ NONE | ID ]  Default: ''
+#
+PUSH_INSTALLATION_ID=''
+
+# Option: [push_installation_key]
+# Notes:  Installation Key
+#           See: https://bitwarden.com/host
+# Values: [ NONE | KEY ]  Default: ''
+#
+PUSH_INSTALLATION_KEY=''
+
+# Option: [push_relay_uri]
+# Notes:  Addres for push notifications relay server.
+# Values: [ NONE | IP/FQDN ]  Default: 'https://api.bitwarden.eu'
+#
+PUSH_RELAY_URI='https://api.bitwarden.eu'
+
+# Option: [push_identity_uri]
+# Notes:  Addres for push notifications identity server.
+# Values: [ NONE | IP/FQDN ]  Default: 'https://identity.bitwarden.eu'
+#
+PUSH_IDENTITY_URI='https://identity.bitwarden.eu'
+
+# Option: [rsa_key_filename]
+# Notes:  Name of RSA keyfile.
+# Values: [ FILE ]  Default: 'rsa_key'
+#
+RSA_KEY_FILENAME='/var/lib/vaultwarden/vaultwarden'
+
+# Option: [send_purge_schedule]
+# Notes:  Cron schedule of the job that checks for Sends past their
+#         deletion date.
+# Values: [ NONE | CRON ]  Default: '0 5 * * * *'
+#
+SEND_PURGE_SCHEDULE='0 5 * * * *'
+
+# Option: [sends_folder]
+# Notes:  Sends folder.
+# Values: [ FOLDER ]  Default: '/var/lib/vaultwarden/sends'
+#
+SENDS_FOLDER='/var/lib/vaultwarden/sends'
+
+# Option: [smtp_debug]
+# Notes:  State of detailed SMTP messages. This could contain sensitive
+#         information like passwords and usernames!
+# Values: [ TRUE | FALSE ]  Default: 'false'
+#
+SMTP_DEBUG='false'
+
+# Option: [sso_enabled]
+# Notes:  Controls whether users can login using an OpenID Connect
+#         identity provider.
+# Values: [ TRUE | FALSE ]  Default: 'false'
+#
+SSO_ENABLED='false'
+
+# Option: [sso_only]
+# Notes:  Prevent users from logging in directly without going through
+#         SSO.
+# Values: [ TRUE | FALSE ]  Default: 'false'
+#
+SSO_ONLY='false'
+
+# Option: [sso_signups_match_email]
+# Notes:  On SSO Signup if a user with a matching email already exists
+#         make the association.
+# Values: [ TRUE | FALSE ]  Default: 'true'
+#
+SSO_SIGNUPS_MATCH_EMAIL='true'
+
+# Option: [sso_authority]
+# Notes:  Base URL of the OIDC server.
+# Values: [ NONE | IP/FQDN ]  Default: ''
+#
+SSO_AUTHORITY=''
+
+# Option: [sso_scopes]
+# Notes:  Authorization request scopes.
+# Values: [ SCOPES ]  Default: 'email profile'
+#
+SSO_SCOPES='email profile'
+
+# Option: [sso_authorize_extra_params]
+# Notes:  Authorization request scopes.
+# Values: [ PARAMETER ]  Default: 'access_type=offline&prompt=consent'
+#
+SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent"
+
+# Option: [sso_pkce]
+# Notes:  Activate PKCE for the Auth Code flow.
+# Values: [ TRUE | FALSE ]  Default: 'true'
+#
+SSO_PKCE='true'
+
+# Option: [sso_audience_trusted]
+# Notes:  Regex for additional trusted Id token audience.
+# Values: [ REGEX ]  Default: '^$'
+#
+SSO_AUDIENCE_TRUSTED='^$'
+
+# Option: [sso_client_id]
+# Notes:  SSO Client ID
+# Values: [ NONE | ID ]  Default: ''
+#
+SSO_CLIENT_ID=''
+ 
+# Option: [sso_client_secret]
+# Notes:  SSO Client Key.
+# Values: [ NONE | KEY ]  Default: ''
+#
+SSO_CLIENT_SECRET=''
+
+# Option: [sso_master_password_policy]
+# Notes:  Optional Master password policy.
+# Values: [ POLICY ]  Default: '{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
+#
+SSO_MASTER_PASSWORD_POLICY='{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}'
+
+# Option: [sso_auth_only_not_session]
+# Notes:  Use sso only for authentication not the session lifecycle.
+# Values: [ TRUE | FALSE ]  Default: 'false'
+#
+SSO_AUTH_ONLY_NOT_SESSION='false'
+
+# Option: [sso_client_cache_expiration]
+# Notes:  Client cache for discovery endpoint.
+# Values: [ SECONDS ]  Default: '0'
+#
+SSO_CLIENT_CACHE_EXPIRATION='0'
+
+# Option: [sso_debug_tokens]
+# Notes:  Log all the tokens, LOG_LEVEL=debug is required.
+# Values: [ TRUE | FALSE ]  Default: 'false'
+#
+SSO_DEBUG_TOKENS='false'
+
+# Option: [templates_folder]
+# Notes:  Templates folder.
+# Values: [ FOLDER ]  Default: '/usr/lib/vaultwarden/templates'
+#
+TEMPLATES_FOLDER='/usr/lib/vaultwarden/templates'
+
+# Option: [tmp_folder]
+# Notes:  Temporary folder used for storing temporary file uploads.
+# Values: [ FOLDER ]  Default: '/var/lib/vaultwarden/tmp'
+#
+TMP_FOLDER='/tmp'
+
+# Option: [trash_purge_schedule]
+# Notes:  Cron schedule of the job that checks for trashed items to delete
+#         permanently.
+# Values: [ NONE | CRON ]  Default: '0 5 0 * * *'
+#
+TRASH_PURGE_SCHEDULE='0 5 0 * * *'
+
+# Option: [use_syslog]
+# Notes:  State of logging output to syslog.
+# Values: [ TRUE | FALSE ]  Default: 'false'
+#
+USE_SYSLOG='false'
+
+# Option: [web_vault_enabled]
+# Notes:  State of Web Vault.
+# Values: [ TRUE | FALSE ]  Default: 'true'
+#
+WEB_VAULT_ENABLED='true'
+
+# Option: [web_vault_folder]
+# Notes:  Web Vault folder.
+# Values: [ FOLDER ]  Default: '/usr/lib/vaultwarden/web-vault'
+#
+WEB_VAULT_FOLDER='/usr/lib/vaultwarden/web-vault'