Vaultwarden
Vaultwarden is a lightweight, self-hosted Bitwarden-compatible password manager. It runs in a NixOS container with private networking and user namespace isolation.
Source: server/containers/vaultwarden.nix
Network
| Property | Value |
|---|---|
| Private network | Yes |
| Host address | 10.10.10.2 |
| Container address | 10.10.10.3 |
| Port | 8000 |
| Subdomain | vault.nemnix.site |
| Authelia middleware | No |
| User namespace | privateUsers = "pick" |
Why No Authelia?
Vaultwarden has its own authentication system and needs to be accessible by Bitwarden client apps that cannot handle forward-auth. The Traefik router has an empty middlewares list:
```nix
routers.vaultwarden = {
  rule = "Host(`vault.nemnix.site`)";
  service = "vaultwarden";
  entrypoints = [ "websecure" ];
  middlewares = [ ]; # No Authelia
};
```

Configuration
```nix
services.vaultwarden = {
  enable = true;
  config = {
    DOMAIN = "https://vault.nemnix.site";
    USE_SYSLOG = true;
    ROCKET_LOG = "critical";
    ROCKET_PORT = 8000;
    ROCKET_ADDRESS = config.containers.vaultwarden.localAddress;
  };
};
```

| Setting | Value | Purpose |
|---|---|---|
| DOMAIN | https://vault.nemnix.site | Public URL for email links and WebSocket |
| USE_SYSLOG | true | Log to syslog instead of stdout |
| ROCKET_LOG | "critical" | Minimal Rocket framework logging |
| ROCKET_PORT | 8000 | Listening port |
| ROCKET_ADDRESS | 10.10.10.3 | Bind to container IP only |
Disabled Features
The admin panel and public signups are disabled (commented out):
```nix
# ADMIN_TOKEN = "admin";
# SIGNUPS_ALLOWED = true;
```

New accounts must be created by temporarily enabling signups or using the admin panel.
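A lint over the documented settings, as an added example rather than code from the repository: it checks the Vaultwarden config above and the Traefik router from Why No Authelia? against the exposure rules those sections describe (the `authelia` middleware name and the input dicts are assumptions constructed to mirror the page). One caveat it encodes: upstream Vaultwarden defaults SIGNUPS_ALLOWED to true, so leaving that line commented out is reported as a finding.

```python
# Added check (not part of the repository): lint a rendered Vaultwarden config
# and Traefik router set against the exposure rules documented on this page.
# Both input dicts below are constructed here to mirror the page's values.

VAULTWARDEN_CONFIG = {
    "DOMAIN": "https://vault.nemnix.site",
    "USE_SYSLOG": True,
    "ROCKET_LOG": "critical",
    "ROCKET_PORT": 8000,
    "ROCKET_ADDRESS": "10.10.10.3",
}

TRAEFIK_ROUTERS = {
    "vaultwarden": {
        "rule": "Host(`vault.nemnix.site`)",
        "service": "vaultwarden",
        "entrypoints": ["websecure"],
        "middlewares": [],
    },
}

AUTH_MIDDLEWARE = "authelia"             # assumed name of the forward-auth middleware
NO_AUTHELIA_ALLOWLIST = {"vaultwarden"}  # routers documented as bypassing it


def lint_vaultwarden(cfg: dict) -> list[str]:
    """Return findings for settings that widen exposure beyond what is documented."""
    findings = []
    if not str(cfg.get("DOMAIN", "")).startswith("https://"):
        findings.append("DOMAIN does not use https")
    if cfg.get("ROCKET_ADDRESS") in (None, "0.0.0.0", "::"):
        findings.append("ROCKET_ADDRESS binds all interfaces; pin it to the container address")
    # Upstream Vaultwarden defaults SIGNUPS_ALLOWED to true, so only an explicit false counts.
    if cfg.get("SIGNUPS_ALLOWED", True):
        findings.append("SIGNUPS_ALLOWED is not explicitly false; registration is open")
    token = cfg.get("ADMIN_TOKEN")
    if token is not None and not str(token).startswith("$argon2") and len(str(token)) < 32:
        findings.append("ADMIN_TOKEN is a short plaintext value; use a long random token or an argon2 hash")
    return findings


def lint_routers(routers: dict, allowlist: set) -> list[str]:
    """Flag routers that skip the auth middleware without being allowlisted."""
    findings = []
    for name, router in routers.items():
        if AUTH_MIDDLEWARE not in router.get("middlewares", []) and name not in allowlist:
            findings.append(f"router {name} has no {AUTH_MIDDLEWARE} middleware and is not allowlisted")
    return findings
```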
Data Persistence
Vaultwarden stores its SQLite database and attachments under /var/lib/vaultwarden. This path persists through host reboots via impermanence (container data lives under /var/lib/nixos-containers/vaultwarden/).
Backups
Vaultwarden data is included in the Restic backup set:
```nix
paths = [
  "/persist/var/lib/nixos-containers/vaultwarden/var/lib/vaultwarden"
];
```

See Backups & Recovery.