vaultwarden/variables.yml


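---
# NOTE(review): this copy of the file had lost its indentation. The nesting
# below is reconstructed from the template references in the file itself
# (.vaultwarden.server.version, .vaultwarden.server.public_url); verify the
# placement of rand_secrets, wait_for, traefik, admin and volumes against the
# repository before use.

# Name of this instance (job and service name)
instance: vaultwarden

vaultwarden:

  # Server settings
  server:
    # Version to deploy
    version: 1.30.5
    # Docker image to use. The tag is derived from the version above.
    # NOTE(review): this is a tag reference, not a digest; pin by digest if
    # the deployed image must not change underneath a fixed version.
    image: vaultwarden/server:[[ .vaultwarden.server.version ]]-alpine
    # Number of instances to run
    count: 1
    # List of features to enable when building image
    # (not used for now)
    features:
      - postgresql

    # List of vault policies to attach to the task
    vault:
      policies:
        - '[[ .instance ]][[ .consul.suffix ]]'
      # A list of random secrets to generate if not present in vault kv store
      rand_secrets:
        fields:
          - admin_token

    # Postgres settings
    postgres:
      pooler:
        mode: session

    # Resources allocation
    resources:
      cpu: 300
      memory: 128

    # Consul settings
    consul:
      connect:
        # Services reached through the mesh, each bound to a local port
        upstreams:
          - destination_name: '[[ .mail.smtp_service_name ]]'
            local_bind_port: 25
          - destination_name: postgres[[ .consul.suffix ]]
            local_bind_port: 5432

    wait_for:
      - service: master.postgres[[ .consul.suffix ]]

    # Environment variables to set in the container
    env:
      ORG_EVENTS_ENABLED: 'true'
      EVENTS_DAYS_RETAIN: 720
      # Require e-mail verification before a new account can log in.
      # NOTE(review): SIGNUPS_ALLOWED is not set in this file, and Vaultwarden
      # allows open registration by default; confirm that is intended for a
      # publicly reachable instance (or that it is set elsewhere).
      SIGNUPS_VERIFY: 'true'
      # localhost:25 matches the local bind port of the SMTP Connect upstream
      # declared above, which is presumably why SMTP-level TLS is turned off.
      SMTP_HOST: localhost
      SMTP_PORT: 25
      SMTP_FROM: vaultwarden-no-reply@[[ .consul.domain ]]
      # Quoted on purpose: a bare off is a boolean under YAML 1.1 loaders and
      # could be rendered as "false", which is not a valid SMTP_SECURITY value.
      SMTP_SECURITY: 'off'
      TRASH_AUTO_DELETE_DAYS: 7
      INCOMPLETE_2FA_TIME_LIMIT: 5
      USER_ATTACHMENT_LIMIT: 204800

    # Public URL of the service
    public_url: https://vaultwarden.example.org/

    # Traefik settings
    traefik:
      # Router priority (the admin router below uses a higher value, 200)
      priority: 100
      # Content-Security-Policy directives
      # NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src remove
      # most of the protection CSP gives against injected scripts. For a
      # password manager front end, check whether the web vault still needs
      # them and tighten the directive if it does not.
      csp:
        default-src: "'self'"
        img-src: "'self' data: https://www.gravatar.com"
        script-src: "'self' 'unsafe-inline' 'unsafe-eval'"
        style-src: "'self' 'unsafe-inline'"
        font-src: "'self' data:"
        connect-src: "'self' https://api.pwnedpasswords.com https://api.2fa.directory"

    # Settings for the /admin interface
    # Note that this interface is disabled unless ADMIN_TOKEN env var is set
    # NOTE(review): admin_token is listed in rand_secrets above, so the token
    # is presumably always present and /admin is served under the public URL;
    # consider limiting who can reach this router (for example with a Traefik
    # middleware).
    admin:
      public_url: '[[ .vaultwarden.server.public_url ]]/admin'
      # If enabled, we can set specific Traefik middlewares
      traefik:
        strip_prefix: false
        router: admin
        priority: 200

    # Volumes for data persistence
    volumes:
      data:
        type: csi
        source: vaultwarden-data
        access_mode: multi-node-multi-writer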