# # Vaultwarden Configuration # # Option: [_duo_akey] # Notes: DUO Application Key # Values: [ NONE | KEY ] Default: '' # _DUO_AKEY='' # Option: [admin_ratelimit_max_burst] # Notes: Allow a burst of requests of up to this size, while maintaining # the average indicated by 'admin_ratelimit_seconds' # Values: [ NUMBER ] Default: '3' # ADMIN_RATELIMIT_MAX_BURST='3' # Option: [admin_ratelimit_seconds] # Notes: Number of seconds, on average, between admin requests from the # same IP address before rate limiting kicks in. # Values: [ SECONDS ] Default: '300' # ADMIN_RATELIMIT_SECONDS='300' # Option: [admin_token] # Notes: The plain text token or Argon2 PHC string used to authenticate # in this very same page. # # Values: [ NONE | TOKEN ] Default: '' # ADMIN_TOKEN='' # Option: [attachments_folder] # Notes: Attachments folder. # Values: [ FOLDER ] Default: '/var/lib/vaultwarden/attachments' # ATTACHMENTS_FOLDER='/var/lib/vaultwarden/attachments' # Option: [data_folder] # Notes: Main data folder. # Values: [ FOLDER ] Default: '/var/lib/vaultwarden' # DATA_FOLDER='/var/lib/vaultwarden' # Option: [database_conn_init] # Notes: SQL statements to run when creating a new database connection, # mainly useful for connection-scoped pragmas. # Values: [ NONE | SQL ] Default: '' # DATABASE_CONN_INIT='' # Option: [database_max_conns] # Notes: Maximal number of connections at the same time. # Values: [ SECONDS ] Default: '10' # DATABASE_MAX_CONNS='10' # Option: [database_timeout] # Notes: Number of seconds to try connect to the database before give up. # Values: [ SECONDS ] Default: '30' # DATABASE_TIMEOUT='30' # Option: [database_url] # Notes: File or MySQL/PostgreSQL backend for database. # Values: [ FILE | SQLCON ] Default: 'vaultwarden.sqlite' # DATABASE_URL='/var/lib/vaultwarden/server.sqlite' #DATABASE_URL='mysql://:@/' # Option: [db_connection_retries] # Notes: Number of times to retry the database connection during startup, # with 1 second between each retry, set to 0 to retry indefinitely. # Values: [ NUMBER ] Default: '15' # DB_CONNECTION_RETRIES='15' # Option: [disable_admin_token] # Notes: Disables the Admin Token for the admin page so you may use your # own auth in-front. # Values: [ TRUE | FALSE ] Default: 'false' # DISABLE_ADMIN_TOKEN='false' # Option: [domain_path] # Notes: Domain URL Path - For Example in # https://example.com:8443/path # /path is the path. # Values: [ NONE | PATH ] Default: '' # DOMAIN_PATH='' # Option: [emergency_notification_reminder_schedule] # Notes: Cron schedule of the job that sends expiration reminders to # emergency access grantors. # Values: [ NONE | CRON ] Default: '0 3 * * * *' # EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE='0 3 * * * *' # Option: [emergency_request_timeout_schedule] # Notes: Cron schedule of the job that grants emergency access # requests that have met the required wait time. # Values: [ NONE | CRON ] Default: '0 7 * * * *' # EMERGENCY_REQUEST_TIMEOUT_SCHEDULE='0 7 * * * *' # Option: [enable_db_wal] # Notes: Set SQLite to operate in WAL mode. # Values: [ TRUE | FALSE ] Default: 'true' # ENABLE_DB_WAL='true' # Option: [event_cleanup_schedule] # Notes: Cron schedule of the job that cleans old events from the # event table. # Values: [ NONE | CRON ] Default: '0 10 0 * * *' # EVENT_CLEANUP_SCHEDULE='0 10 0 * * *' # Option: [events_days_retain] # Notes: Number of days to retain events stored in the database. # Values: [ NONE | DAYS ] Default: '' # EVENTS_DAYS_RETAIN='' # Option: [experimental_client_feature_flags] # Notes: Enable experimental feature flags for clients. # This is a comma-separated list of flags, e.g. "flag1,flag2,flag3". # The following flags are available: # - inline-menu-positioning-improvements Enable the use of inline menu password generator # and identity suggestions in the browser extension. # - inline-menu-totp Enable the inline menu TOTP codes in the browser # extension. # - ssh-agent Enable SSH agent support on Desktop. # - ssh-key-vault-item Enable the creation and use of SSH key vault # items. # - export-attachments Enable support for exporting attachments. # - anon-addy-self-host-alias Enable configuring self-hosted Anon Addy alias # generator. # - simple-login-self-host-alias Enable configuring self-hosted Simple Login alias # generator. # - mutual-tls Enable the use of mutual TLS on Android. # Values: [ FLAGS ] Default: 'fido2-vault-credentials' # EXPERIMENTAL_CLIENT_FEATURE_FLAGS='fido2-vault-credentials' # Option: [extended_logging] # Notes: State of extended logging. # Values: [ TRUE | FALSE ] Default: 'false' # EXTENDED_LOGGING='false' # Option: [icon_cache_folder] # Notes: Icon Cache folder. # Values: [ FOLDER ] Default: '/var/lib/vaultwarden/icon_cache' # ICON_CACHE_FOLDER='/var/cache/vaultwarden' # Option: [icon_service] # Notes: The predefined icon services are: # internal | bitwarden | duckduckgo | google # To specify a custom icon service, set a URL template with # exactly one instance of '{}', which is replaced with the domain. # For example: 'https://icon.example.com/domain/{}' # 'internal' refers to Vaultwarden's built-in icon fetching # implementation. If an external service is set, an icon request # to Vaultwarden will return an HTTP redirect to the corresponding # icon at the external service. # Values: [ INTERNAL | BITWARDEN | DUCKDUCKGO | GOOGLE | IP/FQDN ] Default: 'internal' # ICON_SERVICE='internal' # Option: [incomplete_2fa_schedule] # Notes: Cron schedule of the job that checks for incomplete 2FA logins. # Values: [ NONE | CRON ] Default: '30 * * * * *' # INCOMPLETE_2FA_SCHEDULE='30 * * * * *' # Option: [invitation_expiration_hours] # Notes: The number of hours after which an organization invite token, # emergency access invite token, email verification token and # deletion request token will expire (must be at least 1) # Values: [ HOURS ] Default: '3' # INVITATION_EXPIRATION_HOURS='3' # Option: [job_poll_interval_ms] # Notes: How often the job scheduler thread checks for jobs to run. # Values: [ 0 | MILLISECONDS ] Default: '30000' # JOB_POLL_INTERVAL_MS='30000' # Option: [log_file] # Notes: Looging output to file. # Values: [ FILE ] Default: 'vaultwarden.log' # LOG_FILE='/var/log/vaultwarden/vaultwarden.log' # Option: loglevel # Notes: Set the log level output. # ERROR # WARN # INFO # DEBUG # TRACE # Values: [ LEVEL ] Default: 'info' # LOG_LEVEL='info' # Option: [login_ratelimit_max_burst] # Notes: Allow a burst of requests of up to this size, while maintaining # the average indicated by 'login_ratelimit_seconds'. # Values: [ NUMBER ] Default: '10' # LOGIN_RATELIMIT_MAX_BURST='10' # Option: [login_ratelimit_seconds] # Notes: Number of seconds, on average, between login and 2FA requests # from the same IP address before rate limiting kicks in. # Values: [ SECONDS ] Default: '60' # LOGIN_RATELIMIT_SECONDS='60' # Option: [org_events_enabled] # Notes: Set state of event logging for organizations. # Values: [ TRUE | FALSE ] Default: 'false' # ORG_EVENTS_ENABLED='true' # Option: [org_groups_enabled] # Notes: Set state of groups support for organizations. # Values: [ TRUE | FALSE ] Default: 'false' # ORG_GROUPS_ENABLED='true' # Option: [push_enabled] # Notes: State of push notifications. # Values: [ TRUE | FALSE ] Default: 'false' # PUSH_ENABLED='false' # Option: [push_installation_id] # Notes: Installation ID # See: https://bitwarden.com/host # Values: [ NONE | ID ] Default: '' # PUSH_INSTALLATION_ID='' # Option: [push_installation_key] # Notes: Installation Key # See: https://bitwarden.com/host # Values: [ NONE | KEY ] Default: '' # PUSH_INSTALLATION_KEY='' # Option: [push_relay_uri] # Notes: Addres for push notifications relay server. # Values: [ NONE | IP/FQDN ] Default: 'https://api.bitwarden.eu' # PUSH_RELAY_URI='https://api.bitwarden.eu' # Option: [push_identity_uri] # Notes: Addres for push notifications identity server. # Values: [ NONE | IP/FQDN ] Default: 'https://identity.bitwarden.eu' # PUSH_IDENTITY_URI='https://identity.bitwarden.eu' # Option: [rsa_key_filename] # Notes: Name of RSA keyfile. # Values: [ FILE ] Default: 'rsa_key' # RSA_KEY_FILENAME='/var/lib/vaultwarden/vaultwarden' # Option: [send_purge_schedule] # Notes: Cron schedule of the job that checks for Sends past their # deletion date. # Values: [ NONE | CRON ] Default: '0 5 * * * *' # SEND_PURGE_SCHEDULE='0 5 * * * *' # Option: [sends_folder] # Notes: Sends folder. # Values: [ FOLDER ] Default: '/var/lib/vaultwarden/sends' # SENDS_FOLDER='/var/lib/vaultwarden/sends' # Option: [smtp_debug] # Notes: State of detailed SMTP messages. This could contain sensitive # information like passwords and usernames! # Values: [ TRUE | FALSE ] Default: 'false' # SMTP_DEBUG='false' # Option: [sso_enabled] # Notes: Controls whether users can login using an OpenID Connect # identity provider. # Values: [ TRUE | FALSE ] Default: 'false' # SSO_ENABLED='false' # Option: [sso_only] # Notes: Prevent users from logging in directly without going through # SSO. # Values: [ TRUE | FALSE ] Default: 'false' # SSO_ONLY='false' # Option: [sso_signups_match_email] # Notes: On SSO Signup if a user with a matching email already exists # make the association. # Values: [ TRUE | FALSE ] Default: 'true' # SSO_SIGNUPS_MATCH_EMAIL='true' # Option: [sso_authority] # Notes: Base URL of the OIDC server. # Values: [ NONE | IP/FQDN ] Default: '' # SSO_AUTHORITY='' # Option: [sso_scopes] # Notes: Authorization request scopes. # Values: [ SCOPES ] Default: 'email profile' # SSO_SCOPES='email profile' # Option: [sso_authorize_extra_params] # Notes: Authorization request scopes. # Values: [ PARAMETER ] Default: 'access_type=offline&prompt=consent' # SSO_AUTHORIZE_EXTRA_PARAMS="access_type=offline&prompt=consent" # Option: [sso_pkce] # Notes: Activate PKCE for the Auth Code flow. # Values: [ TRUE | FALSE ] Default: 'true' # SSO_PKCE='true' # Option: [sso_audience_trusted] # Notes: Regex for additional trusted Id token audience. # Values: [ REGEX ] Default: '^$' # SSO_AUDIENCE_TRUSTED='^$' # Option: [sso_client_id] # Notes: SSO Client ID # Values: [ NONE | ID ] Default: '' # SSO_CLIENT_ID='' # Option: [sso_client_secret] # Notes: SSO Client Key. # Values: [ NONE | KEY ] Default: '' # SSO_CLIENT_SECRET='' # Option: [sso_master_password_policy] # Notes: Optional Master password policy. # Values: [ POLICY ] Default: '{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}' # SSO_MASTER_PASSWORD_POLICY='{"enforceOnLogin":false,"minComplexity":3,"minLength":12,"requireLower":false,"requireNumbers":false,"requireSpecial":false,"requireUpper":false}' # Option: [sso_auth_only_not_session] # Notes: Use sso only for authentication not the session lifecycle. # Values: [ TRUE | FALSE ] Default: 'false' # SSO_AUTH_ONLY_NOT_SESSION='false' # Option: [sso_client_cache_expiration] # Notes: Client cache for discovery endpoint. # Values: [ SECONDS ] Default: '0' # SSO_CLIENT_CACHE_EXPIRATION='0' # Option: [sso_debug_tokens] # Notes: Log all the tokens, LOG_LEVEL=debug is required. # Values: [ TRUE | FALSE ] Default: 'false' # SSO_DEBUG_TOKENS='false' # Option: [templates_folder] # Notes: Templates folder. # Values: [ FOLDER ] Default: '/usr/lib/vaultwarden/templates' # TEMPLATES_FOLDER='/usr/lib/vaultwarden/templates' # Option: [tmp_folder] # Notes: Temporary folder used for storing temporary file uploads. # Values: [ FOLDER ] Default: '/var/lib/vaultwarden/tmp' # TMP_FOLDER='/tmp' # Option: [trash_purge_schedule] # Notes: Cron schedule of the job that checks for trashed items to delete # permanently. # Values: [ NONE | CRON ] Default: '0 5 0 * * *' # TRASH_PURGE_SCHEDULE='0 5 0 * * *' # Option: [use_syslog] # Notes: State of logging output to syslog. # Values: [ TRUE | FALSE ] Default: 'false' # USE_SYSLOG='false' # Option: [web_vault_enabled] # Notes: State of Web Vault. # Values: [ TRUE | FALSE ] Default: 'true' # WEB_VAULT_ENABLED='true' # Option: [web_vault_folder] # Notes: Web Vault folder. # Values: [ FOLDER ] Default: '/usr/lib/vaultwarden/web-vault' # WEB_VAULT_FOLDER='/usr/lib/vaultwarden/web-vault'