vaultwarden.domain |
The domain of the Vaultwarden installation |
"" |
vaultwarden.web.enabled |
Whether or not to enable the Vaultwarden Web UI - enabled by default |
true |
vaultwarden.web.folder |
A custom folder from which to load assets for the Web UI - defaults to 'web-vault/' |
"" |
vaultwarden.allowSends |
Controls whether users are allowed to create Bitwarden Sends. Applies globally to all users. |
true |
vaultwarden.allowEmergencyAccess |
Controls whether users can enable emergency access to their accounts. Applies globally to all users. |
true |
vaultwarden.allowEmailChange |
Controls whether users can change their email. Applies globally to all users. |
true |
vaultwarden.enableOrgEvents |
Controls whether event logging is enabled for organizations. Applies to organizations. |
false |
vaultwarden.retainEventsDays |
Number of days to retain events stored in the database. |
"" |
vaultwarden.ipHeader |
The Client IP Header, defaults to "X-Forwarded-For". |
X-Forwarded-For |
vaultwarden.disable2FARemember |
Disable 2FA remembrance. |
false |
vaultwarden.orgCreationUsers |
Controls which users can create new orgs. |
"" |
vaultwarden.enableOrgGroups |
Controls whether group support is enabled for organizations |
false |
vaultwarden.allowedIframeAncestors |
Allowed iframe ancestors (Know the risks!) |
"" |
vaultwarden.adminToken.value |
The value for the Vaultwarden admin token |
"" |
vaultwarden.adminToken.disable |
Disable token authentication for the admin panel |
false |
vaultwarden.adminToken.existingSecret.name |
The name of an existing Secret containing the admin token |
"" |
vaultwarden.adminToken.existingSecret.key |
The key name within the previously named existingSecret |
"" |
vaultwarden.data.rootPath |
The data folder is used for all files by default |
/data |
vaultwarden.data.paths.rsaKey |
The file path for the RSA key, 'data/rsa_key' by default |
"" |
vaultwarden.data.paths.iconCache |
The path for icon cache, 'data/icon_cache' by default |
"" |
vaultwarden.data.paths.attachments |
The mail attachments path, 'data/attachments' by default |
"" |
vaultwarden.data.paths.sends |
The mail sends path, 'data/sends' by default |
"" |
vaultwarden.data.paths.tmp |
The temporary data path, 'data/tmp' by default |
"" |
vaultwarden.data.pvc.size |
The size given to PVCs created from the above data |
5Gi |
vaultwarden.data.pvc.storageClass |
The storageClass given to PVCs created from the above data |
standard |
vaultwarden.data.pvc.reclaimPolicy |
The resourcePolicy given to PVCs created from the above data |
Retain |
vaultwarden.data.pvc.existingClaim |
Provide the name to an existing PVC |
"" |
vaultwarden.email.attemptsLimit |
Maximum attempts before an email token is reset requiring a new email |
3 |
vaultwarden.email.tokenExpirationTime |
Token expiration time |
600 |
vaultwarden.email.tokenSize |
Email token size |
6 |
vaultwarden.email.smtp.host |
Hostname of the Mail server |
"" |
vaultwarden.email.smtp.from |
The from-address for emails sent by Vaultwarden |
"" |
vaultwarden.email.smtp.fromName |
The from-name for emails sent by Vaultwarden |
Vaultwarden |
vaultwarden.email.smtp.security |
Either 'starttls', 'force_tls' or 'off' |
starttls |
vaultwarden.email.smtp.port |
SMTP port used |
587 |
vaultwarden.email.smtp.username |
SMTP user |
"" |
vaultwarden.email.smtp.password |
SMTP password |
"" |
vaultwarden.email.smtp.auth |
Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections. |
Plain |
vaultwarden.email.smtp.existingSecret.name |
The name of an existing BasicAuth secret |
"" |
vaultwarden.email.smtp.timeout |
General SMTP settings |
15 |
vaultwarden.email.smtp.sendmail.enabled |
Whether or not to use sendmail for sending emails |
false |
vaultwarden.email.smtp.sendmail.path |
The path to which sendmail binary to use. |
"" |
vaultwarden.email.smtp.heloName |
Server name sent during the SMTP HELO |
"" |
vaultwarden.email.smtp.embedImages |
Embed images as email attachments |
false |
vaultwarden.email.smtp.acceptInvalidHostnames |
Accept Invalid Hostnames |
false |
vaultwarden.email.smtp.acceptInvalidCertificates |
Accept Invalid Certificates |
false |
vaultwarden.email.smtp.requireDeviceEmail |
Require new device emails. |
false |
vaultwarden.email.smtp.debug |
Enable debug mode |
false |
vaultwarden.email.twoFactor.enforceInviteVerification |
Setup email 2FA regardless of any organization policy |
false |
vaultwarden.email.twoFactor.autoFallback |
Automatically setup email 2FA as fallback provider when needed |
false |
vaultwarden.websocket.enabled |
Whether to enable Websocket push notifications |
true |
vaultwarden.database.type |
Choose the database type. Can be 'sqlite' or (external) 'mysql'/'postgresql' |
"sqlite" |
vaultwarden.database.user |
Provide the username to the (external) Vaultwarden database - ignored if the database type is 'sqlite' |
"" |
vaultwarden.database.password |
Provide the password to the (external) Vaultwarden database - ignored if the database type is 'sqlite' |
"" |
vaultwarden.database.host |
Provide the host to the (external) Vaultwarden database - ignored if the database type is 'sqlite' |
"" |
vaultwarden.database.port |
Provide the port to the (external) Vaultwarden database - ignored if the database type is 'sqlite' |
"" |
vaultwarden.database.name |
Provide the name to the (external) Vaultwarden database - ignored if the database type is 'sqlite' |
"" |
vaultwarden.database.uri |
Manually provide the entire URI to the (external) Vaultwarden database - ignored if the database type is 'sqlite' |
"" |
vaultwarden.database.existingSecret.name |
The name of an existing secret |
"" |
vaultwarden.database.existingSecret.key |
The key within the existing secret |
"" |
vaultwarden.database.enableWAL |
Enable write-ahead logging |
false |
vaultwarden.database.maxConnections |
Maximum database connections |
10 |
vaultwarden.database.timeout |
Database timeout |
30 |
vaultwarden.database.connectionRetries |
Database connection retries |
15 |
vaultwarden.limits.logins.ratelimitSeconds |
Number of seconds between login requests |
60 |
vaultwarden.limits.logins.ratelimitMaxBurst |
Allow bursts of requests up to this amount |
10 |
vaultwarden.limits.logins.adminRatelimitSeconds |
Number of seconds between admin login requests |
300 |
vaultwarden.limits.logins.adminRatelimitMaxBurst |
Allow bursts of admin requests up to this amount |
300 |
vaultwarden.limits.logins.adminSessionLifetime |
The lifetime of an admin session |
20 |
vaultwarden.limits.attachments.orgLimit |
Per-organization attachment storage limit (KB) |
"" |
vaultwarden.limits.attachments.userLimit |
Per-user attachment storage limit (KB) |
"" |
vaultwarden.limits.send.userLimit |
Per-user send storage limit (KB) |
"" |
vaultwarden.passwords.iterations |
Number of password hash iterations |
350000 |
vaultwarden.passwords.hintsAllowed |
Allow sending of password hints |
false |
vaultwarden.passwords.showHint |
Show hints directly on login page - disabled by default |
false |
vaultwarden.signup.allowed |
Whether or not new users can register |
true |
vaultwarden.signup.verify |
Whether email verification is need to sign up |
true |
vaultwarden.signup.verifyResendTime |
How many seconds to wait to resend a verification email |
3600 |
vaultwarden.signup.verifyResendLimit |
How many verificatione mails will be sent in total |
6 |
vaultwarden.signup.domainWhitelist |
A comma-separated list of domains which can always register |
"" |
vaultwarden.auth.authenticatorDisableTimeDrift |
Allow 2FA time drift |
false |
vaultwarden.auth.incomplete2FATimeLimit |
Minutes to wait before a 2FA login is considere incomplete |
3 |
vaultwarden.auth.yubikey.enable |
Whether to enable authentication via YubiKeys |
false |
vaultwarden.auth.yubikey.clientId |
Yubikey client ID |
"" |
vaultwarden.auth.yubikey.clientSecret |
Yubikey client Secret |
"" |
vaultwarden.auth.yubikey.server |
Yubikey server |
"" |
vaultwarden.auth.duo.enable |
Whether to enable authentication via Duo |
false |
vaultwarden.auth.duo.integrationKey |
Duo integration key |
"" |
vaultwarden.auth.duo.secretKey |
Duo secret key |
"" |
vaultwarden.auth.duo.host |
Duo host |
"" |
vaultwarden.invitations.allowed |
Invitations org admins to invite users, even when signups are disabled |
true |
vaultwarden.invitations.orgName |
Generic organization name for Emails |
Vaultwarden |
vaultwarden.invitations.expirationHours |
Number of hours which an email invitation lasts |
120 |
vaultwarden.pushNotifications.enabled |
Whether to enable push notifications |
false |
vaultwarden.pushNotifications.installationId |
Installation ID from 'https://bitwarden.com/host' |
"" |
vaultwarden.pushNotifications.installationKey |
Installation Key from 'https://bitwarden.com/host' |
"" |
vaultwarden.pushNotifications.relayUri |
Set a custom relay URI for push notifications |
"" |
vaultwarden.pushNotifications.identityUri |
Set a custom identity URI for push notifications |
"" |
vaultwarden.hibpApiKey.value |
The HIBP API key-value |
"" |
vaultwarden.hibpApiKey.existingSecret.name |
The name of an existing Secret containing the HIBP API key |
"" |
vaultwarden.hibpApiKey.existingSecret.key |
The key within an existing Secret which contains the key |
"" |
vaultwarden.jobScheduler.pollIntervalMS |
The poll interval for the job schedular in milliseconds |
30000 |
vaultwarden.jobScheduler.sendPurgeSchedule |
Cron schedule to purge outdated Bitwarden Sends |
'0 5 * * * *' |
vaultwarden.jobScheduler.trashPurgeSchedule |
Cron schedule to purge trashed items |
'0 5 0 * * *' |
vaultwarden.jobScheduler.incomplete2FASchedule |
Cron schedule to check for incomplete 2FA logins |
'0 5 0 * * *' |
vaultwarden.jobScheduler.emergencyNotificationReminder |
Cron schedule for expiration reminders |
'0 3 * * * *' |
vaultwarden.jobScheduler.emergencyRequestTimeout |
Cron schedule for emergency access requests |
'0 7 * * * *' |
vaultwarden.jobScheduler.eventCleanup |
Cron schedule for event cleanups |
'0 10 0 * * *' |
vaultwarden.jobScheduler.trashAutoDeleteDays |
Number of days to wait before auto-deleting a trashed item. |
"" |
vaultwarden.logs.level |
The configured logging level |
info |
vaultwarden.logs.extended |
Configure extended logging |
true |
vaultwarden.logs.timestampFormat |
Timestamp format used in extended logging. |
"%Y-%m-%d %H:%M:%S.%3f" |
vaultwarden.logs.file |
Logging to a file |
/var/log/vaultwarden.log |
vaultwarden.logs.useSyslog |
Logging to Syslog |
false |
vaultwarden.templates.folder |
Templates data folder, by default embedded templates are used |
"" |
vaultwarden.templates.reload |
Automatically reload the templates for every request |
false |
vaultwarden.icons.service |
Which service to use for fetching icons |
internal |
vaultwarden.icons.redirectCode |
The HTTP code to use for redirects to external services |
302 |
vaultwarden.icons.disableDownloading |
Disable icon downloading |
false |
vaultwarden.icons.downloadTimeout |
Icon download timeout |
10 |
vaultwarden.icons.blacklistRegex |
Icon blacklist regular expression |
"" |
vaultwarden.icons.blacklistNonGlobalIPs |
Any IP which is not defined as a global IP will be blacklisted. |
true |
vaultwarden.icons.cache.ttl |
Cache time-to-live for successfully obtained icons, in seconds |
259200 |
vaultwarden.icons.cache.negttl |
Cache time-to-live for icons which weren't available, in seconds |
259200 |
vaultwarden.rocket.address |
The address Rocket should bind to |
"0.0.0.0" |
vaultwarden.rocket.port |
The port rocket should bind to |
80 |
vaultwarden.rocket.workers |
The amount of rocket workers to create |
10 |
vaultwarden.rocket.tls |
Rocket TLS configuration e.g.: "{certs="/path/to/certs.pem",key="/path/to/key.pem"}" |
"" |
vaultwarden.experimental.featureFlags |
A list of feature flags to enable |
[] |
