Move related settings together.

Merge Yubikey, Duo, Email 2FA sections into one. Other minor fixes.
2 years ago · 41baf47d50
1 changed files with 69 additions and 77 deletions
--- a/.env.template
+++ b/.env.template
@ -27,9 +27,12 @@
 ## Templates data folder, by default uses embedded templates
 ## Check source code to see the format
 # TEMPLATES_FOLDER=data/templates
 ## Automatically reload the templates for every request, slow, use only for development
 # RELOAD_TEMPLATES=false
-## Web vault folder
+## Web vault settings
 # WEB_VAULT_FOLDER=web-vault/
 # WEB_VAULT_ENABLED=tru
 #########################
 ### Database settings ###
@ -94,6 +97,8 @@
 ## Enables push notifications (requires key and id from https://bitwarden.com/host)
 ## If you choose "European Union" Data Region, uncomment PUSH_RELAY_URI and PUSH_IDENTITY_URI then replace .com by .eu
 ## Details about mobile client push notification:
 ## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification
 # PUSH_ENABLED=false
 # PUSH_INSTALLATION_ID=CHANGEME
 # PUSH_INSTALLATION_KEY=CHANGEME
@ -141,10 +146,6 @@
 ## Defaults to hourly (7 minutes after the hour). Set blank to disable this job.
 # EMERGENCY_REQUEST_TIMEOUT_SCHEDULE="0 7 * * * *"
 ##
 ## Cron schedule of the job that cleans old events from the event table.
 ## Defaults to daily. Set blank to disable this job. Also without EVENTS_DAYS_RETAIN set, this job will not start.
 # EVENT_CLEANUP_SCHEDULE="0 10 0 * * *"
 ##
 ## Cron schedule of the job that cleans old auth requests from the auth request.
 ## Defaults to every minute. Set blank to disable this job.
 # AUTH_REQUEST_PURGE_SCHEDULE="30 * * * * *"
@ -163,9 +164,6 @@
 ## For public server
 # DOMAIN=https://vw.domain.tld:8443
 ## Enable web vault
 # WEB_VAULT_ENABLED=true
 ## Controls whether users are allowed to create Bitwarden Sends.
 ## This setting applies globally to all users.
 ## To control this on a per-org basis instead, use the "Disable Send" org policy.
@ -233,6 +231,14 @@
 ## Disabled by default. Also check the EVENT_CLEANUP_SCHEDULE and EVENTS_DAYS_RETAIN settings.
 # ORG_EVENTS_ENABLED=false
 ## Cron schedule of the job that cleans old events from the event table.
 ## Defaults to daily. Set blank to disable this job. Also without EVENTS_DAYS_RETAIN set, this job will not start.
 # EVENT_CLEANUP_SCHEDULE="0 10 0 * * *"
 ## Number of days to retain events stored in the database.
 ## If unset (the default), events are kept indefinitely and the scheduled job is disabled!
 # EVENTS_DAYS_RETAIN=
 ## Controls which users can create new orgs.
 ## Blank or 'all' means all users can create orgs (this is the default):
 # ORG_CREATION_USERS=
@ -270,21 +276,6 @@
 ## as this provides unauthenticated access to potentially sensitive data.
 # SHOW_PASSWORD_HINT=false
 ## Token for the admin interface, preferably an Argon2 PCH string
 ## Vaultwarden has a built-in generator by calling `vaultwarden hash`
 ## For details see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
 ## If not set, the admin panel is disabled
 ## New Argon2 PHC string
 ## Note that for some environments, like docker-compose you need to escape all the dollar signs `$` with an extra dollar sign like `$$`
 ## Also, use single quotes (') instead of double quotes (") to enclose the string when needed
 # ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$MmeKRnGK5RW5mJS7h3TOL89GrpLPXJPAtTK8FTqj9HM$DqsstvoSAETl9YhnsXbf43WeaUwJC6JhViIvuPoig78'
 ## Old plain text string (Will generate warnings in favor of Argon2)
 # ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
 ## Number of days to retain events stored in the database.
 ## If unset (the default), events are kept indefinitely and the scheduled job is disabled!
 # EVENTS_DAYS_RETAIN=
 #########################
 ### Advanced settings ###
 #########################
@ -328,29 +319,12 @@
 ## Any domains or IPs that match this regex won't be fetched by the icon service.
 ## Useful to hide other servers in the local network. Check the WIKI for more details
 ## NOTE: Always enclose this regex withing single quotes!
-# ICON_BLACKLIST_REGEX='^(191\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'
+# ICON_BLACKLIST_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'
 ## Any IP which is not defined as a global IP will be blacklisted.
 ## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
 # ICON_BLACKLIST_NON_GLOBAL_IPS=true
 ## Disable 2FA remember
 ## Enabling this would force the users to use a second factor to login every time.
 ## Note that the checkbox would still be present, but ignored.
 # DISABLE_2FA_REMEMBER=false
 ## Authenticator Settings
 ## Disable authenticator time drifted codes to be valid.
 ## TOTP codes of the previous and next 30 seconds will be invalid
 ##
 ## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
 ## we allow by default the TOTP code which was valid one step back and one in the future.
 ## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
 ## You can disable this, so that only the current TOTP Code is allowed.
 ## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
 ## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
 # AUTHENTICATOR_DISABLE_TIME_DRIFT=false
 ## Client Settings
 ## Enable experimental feature flags for clients.
 ## This is a comma-separated list of flags, e.g. "flag1,flag2,flag3".
@ -366,9 +340,6 @@
 ## If sending the email fails the login attempt will fail!!
 # REQUIRE_DEVICE_EMAIL=false
 ## Automatically reload the templates for every request, slow, use only for development
 # RELOAD_TEMPLATES=false
 ## Enable extended logging, which shows timestamps and targets in the logs
 # EXTENDED_LOGGING=true
@ -388,12 +359,31 @@
 ## Valid values are "trace", "debug", "info", "warn", "error" and "off"
 ## Setting it to "trace" or "debug" would also show logs for mounted
 ## routes and static file, websocket and alive requests
-# LOG_LEVEL=Info
+# LOG_LEVEL=info
 ## Token for the admin interface, preferably an Argon2 PCH string
 ## Vaultwarden has a built-in generator by calling `vaultwarden hash`
 ## For details see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
 ## If not set, the admin panel is disabled
 ## New Argon2 PHC string
 ## Note that for some environments, like docker-compose you need to escape all the dollar signs `$` with an extra dollar sign like `$$`
 ## Also, use single quotes (') instead of double quotes (") to enclose the string when needed
 # ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$MmeKRnGK5RW5mJS7h3TOL89GrpLPXJPAtTK8FTqj9HM$DqsstvoSAETl9YhnsXbf43WeaUwJC6JhViIvuPoig78'
 ## Old plain text string (Will generate warnings in favor of Argon2)
 # ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
 ## Enable this to bypass the admin panel security. This option is only
 ## meant to be used with the use of a separate auth layer in front
 # DISABLE_ADMIN_TOKEN=false
 ## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in.
 # ADMIN_RATELIMIT_SECONDS=300
 ## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`.
 # ADMIN_RATELIMIT_MAX_BURST=3
 ## Set the lifetime of admin sessions to this value (in minutes).
 # ADMIN_SESSION_LIFETIME=20
 ## Allowed iframe ancestors (Know the risks!)
 ## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
 ## Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
@ -407,14 +397,6 @@
 ## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2.
 # LOGIN_RATELIMIT_MAX_BURST=10
 ## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in.
 # ADMIN_RATELIMIT_SECONDS=300
 ## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`.
 # ADMIN_RATELIMIT_MAX_BURST=3
 ## Set the lifetime of admin sessions to this value (in minutes).
 # ADMIN_SESSION_LIFETIME=20
 ## BETA FEATURE: Groups
 ## Controls whether group support is enabled for organizations
 ## This setting applies to organizations.
@ -423,7 +405,7 @@
 # ORG_GROUPS_ENABLED=false
 ########################
-### Yubikey settings ###
+### MFA/2FA settings ###
 ########################
 ## Yubico (Yubikey) Settings
@ -434,10 +416,6 @@
 # YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA
 # YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
 ####################
 ### Duo settings ###
 ####################
 ## Duo Settings
 ## You need to configure all options to enable global Duo support, otherwise users would need to configure it themselves
 ## Create an account and protect an application as mentioned in this link (only the first step, not the rest):
@ -449,6 +427,37 @@
 ## After that, you should be able to follow the rest of the guide linked above,
 ## ignoring the fields that ask for the values that you already configured beforehand.
 ## Email 2FA settings
 ## Email token size
 ## Number of digits in an email 2FA token (min: 6, max: 255).
 ## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting!
 # EMAIL_TOKEN_SIZE=6
 ##
 ## Token expiration time
 ## Maximum time in seconds a token is valid. The time the user has to open email client and copy token.
 # EMAIL_EXPIRATION_TIME=600
 ##
 ## Maximum attempts before an email token is reset and a new email will need to be sent.
 # EMAIL_ATTEMPTS_LIMIT=3
 ## Other MFA/2FA settings
 ## Disable 2FA remember
 ## Enabling this would force the users to use a second factor to login every time.
 ## Note that the checkbox would still be present, but ignored.
 # DISABLE_2FA_REMEMBER=false
 ##
 ## Authenticator Settings
 ## Disable authenticator time drifted codes to be valid.
 ## TOTP codes of the previous and next 30 seconds will be invalid
 ##
 ## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
 ## we allow by default the TOTP code which was valid one step back and one in the future.
 ## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
 ## You can disable this, so that only the current TOTP Code is allowed.
 ## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
 ## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
 # AUTHENTICATOR_DISABLE_TIME_DRIFT=false
 ###########################
 ### SMTP Email settings ###
 ###########################
@ -499,32 +508,15 @@
 ## Only use this as a last resort if you are not able to use a valid certificate.
 # SMTP_ACCEPT_INVALID_HOSTNAMES=false
 ##########################
 ### Email 2FA settings ###
 ##########################
 ## Email token size
 ## Number of digits in an email 2FA token (min: 6, max: 255).
 ## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting!
 # EMAIL_TOKEN_SIZE=6
 ## Token expiration time
 ## Maximum time in seconds a token is valid. The time the user has to open email client and copy token.
 # EMAIL_EXPIRATION_TIME=600
 ## Maximum attempts before an email token is reset and a new email will need to be sent.
 # EMAIL_ATTEMPTS_LIMIT=3
 ##########################
 ### Rocket settings ###
 ##########################
 ## Rocket specific settings
-## See https://rocket.rs/v0.4/guide/configuration/ for more details.
+## See https://rocket.rs/v0.5/guide/configuration/ for more details.
 # ROCKET_ADDRESS=0.0.0.0
 # ROCKET_PORT=80  # Defaults to 80 in the Docker images, or 8000 otherwise.
 # ROCKET_WORKERS=10
 # ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
-# vim: syntax=ini
+# vim: syntax=ini