diff --git a/nixos/modules/services/security/vaultwarden/default.nix b/nixos/modules/services/security/vaultwarden/default.nix
index 8277f493639..756e0ee93b2 100644
--- a/nixos/modules/services/security/vaultwarden/default.nix
+++ b/nixos/modules/services/security/vaultwarden/default.nix
@@ -62,20 +62,52 @@ in {
default = {};
example = literalExpression ''
{
- domain = "https://bw.domain.tld:8443";
- signupsAllowed = true;
- rocketPort = 8222;
- rocketLog = "critical";
+ DOMAIN = "https://bitwarden.example.com";
+ SIGNUPS_ALLOWED = false;
+
+ # Vaultwarden currently recommends running behind a reverse proxy
+ # (nginx or similar) for TLS termination, see
+ # https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#reverse-proxying
+ # > you should avoid enabling HTTPS via vaultwarden's built-in Rocket TLS support,
+ # > especially if your instance is publicly accessible.
+ #
+ # A suitable NixOS nginx reverse proxy example config might be:
+ #
+ # services.nginx.virtualHosts."bitwarden.example.com" = {
+ # enableACME = true;
+ # forceSSL = true;
+ # locations."/" = {
+ # proxyPass = "http://127.0.0.1:''${toString config.services.vaultwarden.config.ROCKET_PORT}";
+ # };
+ # };
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8222;
+
+ ROCKET_LOG = "critical";
+
+ # This example assumes a mailserver running on localhost,
+ # thus without transport encryption.
+ # If you use an external mail server, follow:
+ # https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
+ SMTP_HOST = "127.0.0.1";
+ SMTP_PORT = 25;
+ SMTP_SSL = false;
+
+ SMTP_FROM = "admin@bitwarden.example.com";
+ SMTP_FROM_NAME = "example.com Bitwarden server";
}
'';
description = ''
The configuration of vaultwarden is done through environment variables,
- therefore the names are converted from camel case (e.g. disable2FARemember)
- to upper case snake case (e.g. DISABLE_2FA_REMEMBER).
+ therefore it is recommended to use upper snake case (e.g. DISABLE_2FA_REMEMBER).
+
+ However, camel case (e.g. disable2FARemember) is also supported:
+ The NixOS module will convert it automatically to
+ upper case snake case (e.g. DISABLE_2FA_REMEMBER).
In this conversion digits (0-9) are handled just like upper case characters,
- so foo2 would be converted to FOO_2.
- Names already in this format remain unchanged, so FOO2 remains FOO2 if passed as such,
- even though foo2 would have been converted to FOO_2.
+ so foo2 would be converted to FOO_2.
+ Names already in this format remain unchanged, so FOO2 remains FOO2 if passed as such,
+ even though foo2 would have been converted to FOO_2.
This allows working around any potential future conflicting naming conventions.
Based on the attributes passed to this config option an environment file will be generated
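Review bot: The new example never says that values placed in `config` are not a safe place for secrets, even though the commit's environmentFile text later steers ADMIN_TOKEN elsewhere; the description at the end of this hunk only states that an environment file is generated from these attributes. Files generated by a NixOS module normally land in the world-readable Nix store, so an SMTP password or ADMIN_TOKEN set in this attribute set would be exposed to every local account. I would add, next to the SMTP_* lines of the example, `# Secrets (ADMIN_TOKEN, SMTP credentials, ...) do not belong in this set, which ends` `# up in the world-readable Nix store; put them in services.vaultwarden.environmentFile.` and a matching sentence in the description. The description string continues past the end of the hunk.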
@@ -83,13 +115,16 @@ in {
The available configuration options can be found in
the environment template file.
+
+ See for how
+ to set up access to the Admin UI to invite initial users.
'';
};
environmentFile = mkOption {
type = with types; nullOr path;
default = null;
- example = "/root/vaultwarden.env";
+ example = "/var/lib/vaultwarden.env";
description = ''
Additional environment file as defined in systemd.exec5
@@ -100,6 +135,23 @@ in {
Note that this file needs to be available on the host on which
vaultwarden is running.
+
+ As a concrete example, to make the Admin UI available
+ (from which new users can be invited initially),
+ the secret ADMIN_TOKEN needs to be defined as described
+ here.
+ Setting environmentFile to /var/lib/vaultwarden.env
+ and ensuring permissions with e.g.
+ chown vaultwarden:vaultwarden /var/lib/vaultwarden.env
+ (the vaultwarden user will only exist after activating with
+ enable = true; before this), we can set the contents of the file to have
+ contents such as:
+
+
+# Admin secret token, see
+# https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page
+ADMIN_TOKEN=...copy-paste a unique generated secret token here...
+
'';
};
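Review bot: The permissions step at `chown vaultwarden:vaultwarden /var/lib/vaultwarden.env` changes ownership only; a file created with a typical umask is still mode 0644, leaving ADMIN_TOKEN readable by every local account. The text should pair it with `chmod 600 /var/lib/vaultwarden.env` (or state that the file must not be group- or world-readable) before the token is written. The parenthetical "the vaultwarden user will only exist after activating with enable = true; before this" also reads as unfinished; something like `(the vaultwarden user only exists once the service has been activated with enable = true)` would be clearer. The enclosing description string starts before this hunk.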