diff --git a/conf/vaultwarden.env b/conf/vaultwarden.env index 7a100a6..ae6cc99 100644 --- a/conf/vaultwarden.env +++ b/conf/vaultwarden.env @@ -1,8 +1,13 @@ -## vaultwarden Configuration File +## Vaultwarden Configuration File ## Uncomment any of the following lines to change the defaults ## ## Be aware that most of these settings will be overridden if they were changed ## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json . +## +## By default, vaultwarden expects for this file to be named ".env" and located +## in the current working directory. If this is not the case, the environment +## variable ENV_FILE can be set to the location of this file prior to starting +## vaultwarden. ## Main data folder DATA_FOLDER=__DATADIR__ @@ -24,6 +29,15 @@ DATA_FOLDER=__DATADIR__ ## Define the size of the connection pool used for connecting to the database. # DATABASE_MAX_CONNS=10 +## Database connection initialization +## Allows SQL statements to be run whenever a new database connection is created. +## This is mainly useful for connection-scoped pragmas. +## If empty, a database-specific default is used: +## - SQLite: "PRAGMA busy_timeout = 5000; PRAGMA synchronous = NORMAL;" +## - MySQL: "" +## - PostgreSQL: "" +# DATABASE_CONN_INIT="" + ## Individual folders, these override %DATA_FOLDER% # RSA_KEY_FILENAME=data/rsa_key # ICON_CACHE_FOLDER=data/icon_cache @@ -36,9 +50,9 @@ DATA_FOLDER=__DATADIR__ ## Automatically reload the templates for every request, slow, use only for development # RELOAD_TEMPLATES=false -## Client IP Header, used to identify the IP of the client, defaults to "X-Client-IP" +## Client IP Header, used to identify the IP of the client, defaults to "X-Real-IP" ## Set to the string "none" (without quotes), to disable any headers and just use the remote IP -# IP_HEADER=X-Client-IP +# IP_HEADER=X-Real-IP ## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever") # ICON_CACHE_TTL=2592000 @@ -56,6 +70,44 @@ WEBSOCKET_ENABLED=true WEBSOCKET_ADDRESS=127.0.0.1 WEBSOCKET_PORT=__WEBSOCKET_PORT__ +## Controls whether users are allowed to create Bitwarden Sends. +## This setting applies globally to all users. +## To control this on a per-org basis instead, use the "Disable Send" org policy. +# SENDS_ALLOWED=true + +## Controls whether users can enable emergency access to their accounts. +## This setting applies globally to all users. +# EMERGENCY_ACCESS_ALLOWED=true + +## Job scheduler settings +## +## Job schedules use a cron-like syntax (as parsed by https://crates.io/crates/cron), +## and are always in terms of UTC time (regardless of your local time zone settings). +## +## How often (in ms) the job scheduler thread checks for jobs that need running. +## Set to 0 to globally disable scheduled jobs. +# JOB_POLL_INTERVAL_MS=30000 +## +## Cron schedule of the job that checks for Sends past their deletion date. +## Defaults to hourly (5 minutes after the hour). Set blank to disable this job. +# SEND_PURGE_SCHEDULE="0 5 * * * *" +## +## Cron schedule of the job that checks for trashed items to delete permanently. +## Defaults to daily (5 minutes after midnight). Set blank to disable this job. +# TRASH_PURGE_SCHEDULE="0 5 0 * * *" +## +## Cron schedule of the job that checks for incomplete 2FA logins. +## Defaults to once every minute. Set blank to disable this job. +# INCOMPLETE_2FA_SCHEDULE="30 * * * * *" +## +## Cron schedule of the job that sends expiration reminders to emergency access grantors. +## Defaults to hourly (5 minutes after the hour). Set blank to disable this job. +# EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE="0 5 * * * *" +## +## Cron schedule of the job that grants emergency access requests that have met the required wait time. +## Defaults to hourly (5 minutes after the hour). Set blank to disable this job. +# EMERGENCY_REQUEST_TIMEOUT_SCHEDULE="0 5 * * * *" + ## Enable extended logging, which shows timestamps and targets in the logs # EXTENDED_LOGGING=true @@ -84,17 +136,39 @@ LOG_FILE=/var/log/__APP__/__APP__.log ## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB, ## this setting only prevents vaultwarden from automatically enabling it on start. ## Please read project wiki page about this setting first before changing the value as it can -## cause performance degradation or might render the service unable to start. +## cause performance degradation or might render the service unable to start. # ENABLE_DB_WAL=true ## Database connection retries ## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely # DB_CONNECTION_RETRIES=15 +## Icon service +## The predefined icon services are: internal, bitwarden, duckduckgo, google. +## To specify a custom icon service, set a URL template with exactly one instance of `{}`, +## which is replaced with the domain. For example: `https://icon.example.com/domain/{}`. +## +## `internal` refers to Vaultwarden's built-in icon fetching implementation. +## If an external service is set, an icon request to Vaultwarden will return an HTTP +## redirect to the corresponding icon at the external service. An external service may +## be useful if your Vaultwarden instance has no external network connectivity, or if +## you are concerned that someone may probe your instance to try to detect whether icons +## for certain sites have been cached. +# ICON_SERVICE=internal + +## Icon redirect code +## The HTTP status code to use for redirects to an external icon service. +## The supported codes are 301 (legacy permanent), 302 (legacy temporary), 307 (temporary), and 308 (permanent). +## Temporary redirects are useful while testing different icon services, but once a service +## has been decided on, consider using permanent redirects for cacheability. The legacy codes +## are currently better supported by the Bitwarden clients. +# ICON_REDIRECT_CODE=302 + ## Disable icon downloading -## Set to true to disable icon downloading, this would still serve icons from $ICON_CACHE_FOLDER, -## but it won't produce any external network request. Needs to set $ICON_CACHE_TTL to 0, -## otherwise it will delete them and they won't be downloaded again. +## Set to true to disable icon downloading in the internal icon service. +## This still serves existing icons from $ICON_CACHE_FOLDER, without generating any external +## network requests. $ICON_CACHE_TTL must also be set to 0; otherwise, the existing icons +## will be deleted eventually, but won't be downloaded again. # DISABLE_ICON_DOWNLOAD=false ## Icon download timeout @@ -125,8 +199,8 @@ LOG_FILE=/var/log/__APP__/__APP__.log # EMAIL_EXPIRATION_TIME=600 ## Email token size -## Number of digits in an email token (min: 6, max: 19). -## Note that the vaultwarden clients are hardcoded to mention 6 digit codes regardless of this setting! +## Number of digits in an email 2FA token (min: 6, max: 255). +## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting! # EMAIL_TOKEN_SIZE=6 ## Controls if new users can register @@ -170,22 +244,37 @@ ADMIN_TOKEN=__ADMIN_TOKEN__ ## Invitations org admins to invite users, even when signups are disabled # INVITATIONS_ALLOWED=true ## Name shown in the invitation emails that don't come from a specific organization -# INVITATION_ORG_NAME=vaultwarden +# INVITATION_ORG_NAME=Vaultwarden -## Per-organization attachment limit (KB) -## Limit in kilobytes for an organization attachments, once the limit is exceeded it won't be possible to upload more +## Per-organization attachment storage limit (KB) +## Max kilobytes of attachment storage allowed per organization. +## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization. # ORG_ATTACHMENT_LIMIT= -## Per-user attachment limit (KB). -## Limit in kilobytes for a users attachments, once the limit is exceeded it won't be possible to upload more +## Per-user attachment storage limit (KB) +## Max kilobytes of attachment storage allowed per user. +## When this limit is reached, the user will not be allowed to upload further attachments. # USER_ATTACHMENT_LIMIT= +## Number of days to wait before auto-deleting a trashed item. +## If unset (the default), trashed items are not auto-deleted. +## This setting applies globally, so make sure to inform all users of any changes to this setting. +# TRASH_AUTO_DELETE_DAYS= + +## Number of minutes to wait before a 2FA-enabled login is considered incomplete, +## resulting in an email notification. An incomplete 2FA login is one where the correct +## master password was provided but the required 2FA step was not completed, which +## potentially indicates a master password compromise. Set to 0 to disable this check. +## This setting applies globally to all users. +# INCOMPLETE_2FA_TIME_LIMIT=3 ## Controls the PBBKDF password iterations to apply on the server ## The change only applies when the password is changed # PASSWORD_ITERATIONS=100000 -## Whether password hint should be sent into the error response when the client request it -# SHOW_PASSWORD_HINT=true +## Controls whether a password hint should be shown directly in the web page if +## SMTP service is not configured. Not recommended for publicly-accessible instances +## as this provides unauthenticated access to potentially sensitive data. +# SHOW_PASSWORD_HINT=false ## Domain settings ## The domain must match the address from where you access the server @@ -201,6 +290,17 @@ DOMAIN=https://__DOMAIN____PATH_URL__ ## Multiple values must be separated with a whitespace. # ALLOWED_IFRAME_ANCESTORS= +## Number of seconds, on average, between login requests from the same IP address before rate limiting kicks in. +# LOGIN_RATELIMIT_SECONDS=60 +## Allow a burst of requests of up to this size, while maintaining the average indicated by `LOGIN_RATELIMIT_SECONDS`. +## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2. +# LOGIN_RATELIMIT_MAX_BURST=10 + +## Number of seconds, on average, between admin requests from the same IP address before rate limiting kicks in. +# ADMIN_RATELIMIT_SECONDS=300 +## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`. +# ADMIN_RATELIMIT_MAX_BURST=3 + ## Yubico (Yubikey) Settings ## Set your Client ID and Secret Key for Yubikey OTP ## You can generate it here: https://upgrade.yubico.com/getapikey/ @@ -230,28 +330,25 @@ DOMAIN=https://__DOMAIN____PATH_URL__ ## You can disable this, so that only the current TOTP Code is allowed. ## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid. ## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid. -# AUTHENTICATOR_DISABLE_TIME_DRIFT = false +# AUTHENTICATOR_DISABLE_TIME_DRIFT=false -## Rocket specific settings, check Rocket documentation to learn more -# ROCKET_ENV=staging +## Rocket specific settings +## See https://rocket.rs/v0.4/guide/configuration/ for more details. ROCKET_ADDRESS=127.0.0.1 ROCKET_PORT=__ROCKET_PORT__ -# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"} -# Workaround for YunoHost CI ROCKET_WORKERS=1 +# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"} ## Mail specific settings, set SMTP_HOST and SMTP_FROM to enable the mail service. ## To make sure the email links are pointing to the correct host, set the DOMAIN variable. ## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory SMTP_HOST=127.0.0.1 SMTP_FROM=vaultwarden-rs@__DOMAIN__ -SMTP_FROM_NAME=vaultwarden +SMTP_FROM_NAME=Vaultwarden +SMTP_SECURITY=off SMTP_PORT=25 -SMTP_SSL=false -# SMTP_EXPLICIT_TLS=true # N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) # SMTP_USERNAME=username # SMTP_PASSWORD=password -# SMTP_AUTH_MECHANISM="Plain" # SMTP_TIMEOUT=15 ## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections.