Vaultwarden admin token not working

I can access the service fine with vault.example.com but the admin token doesn’t work.

The vaultwarden config looks something like this:

  {
    ...
  }:
  {
    config = let
      subdomainName = "vault";
    in {
      sops.secrets."vaultwarden/env".sopsFile = ../../../secrets/other/. + "/${config.hostname}.yaml";
  
      modules.server.domain.subs = [subdomainName];
  
      services.vaultwarden = {
        enable = true;
        environmentFile = config.sops.secrets."vaultwarden/env".path;
  
        config = {
          DOMAIN = "https://${subdomainName}.${config.modules.server.domain.main}";
          SIGNUPS_ALLOWED = false;
  
          ROCKET_ADDRESS = "127.0.0.1";
          ROCKET_PORT = 8222;
          ROCKET_LOG = "critical";
        };
      };
  
      services.nginx.virtualHosts.${"${subdomainName}.${config.modules.server.domain.main}"} = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
        };
      };
    };
  }

The sops file looks something like this:

vaultwarden:
  env: ADMIN_TOKEN='argonBlahblahblah'

Looking up the env files with:

systemctl cat vaultwarden

Gives me the files:

/run/secrets/vaultwarden/env something like this:

ADMIN_TOKEN='argonBlahblahblah'

/nix/store/nypfnz8kbwm1afwrqjf3n0p2f77jxsxz-vaultwarden.env something like this:

DATA_FOLDER=/var/lib/vaultwarden
DOMAIN=https://vault.example.com
ROCKET_ADDRESS=127.0.0.1
ROCKET_LOG=critical
ROCKET_PORT=8222
SIGNUPS_ALLOWED=false
WEB_VAULT_FOLDER=/nix/store/kl9mz9a9fsq53f1zs5icgwdgh5d2ic37-vaultwarden-webvault-2025.7.0.0/share/vaultwarden/vault

The token was hashed with:

echo -n "MySecretPassword" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4

And when logging into the admin panel, the token MySecretPassword was used. The actual token was generated with:

openssl rand -base64 60

Journalctl only has the failed login attempts, nothing else.

A test token “SomethingShort” did work but this did not:

generating the password with this:

PASSWORD=$(openssl rand -base64 48)
echo $PASSWORD > ~/vaultwarden-admin-password.txt
echo -n "$PASSWORD" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4

Then copying the argon hash into the sops file.

And copying vaultwarden-admin-password.txt with

wl-copy < filename

Didn’t work!!! WHY

Changed it to write both of them to files so I could triple check that they are correct.

#!/bin/bash
PASSWORD=$(openssl rand -base64 48)
echo -n "'" > ~/admin-token.txt
echo -n "$PASSWORD" >> ~/admin-token.txt
echo "'" >> ~/admin-token.txt
echo -n "'" > ~/argon2-hash.txt
HASH=$(echo -n "$PASSWORD" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4)
echo -n "$HASH" >> ~/argon2-hash.txt
echo "'" >> ~/argon2-hash.txt

Still it doesn’t work

I rechecked the logs with journalctl and found this

Dec 28 00:25:03 hostname vaultwarden[1832]: [INFO] Using saved config from /var/lib/vaultwarden/config.json for configuration.
Dec 28 00:25:03 hostname vaultwarden[1832]: [WARNING] The following environment variables are being overridden by the config.json file.
Dec 28 00:25:03 hostname vaultwarden[1832]: [WARNING] Please use the admin panel to make changes to them:
Dec 28 00:25:03 hostname vaultwarden[1832]: [WARNING] DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN

Quick rm fixed the issue, why was there an empty config overwriting my config? I did not make that file.
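
An added example, not part of the original post and not Vaultwarden's own code: a small Python check for the situation the journal lines above describe, where a saved config.json takes precedence over values from the environment files. The function names and the sample config.json content are constructed for illustration, and the code assumes config.json stores each setting under the lowercase form of its environment variable name.

```python
import json
import re

MARKER = "being overridden by the config.json file"
NAME_LIST = re.compile(r"\[WARNING\] ([A-Z0-9_]+(?:, ?[A-Z0-9_]+)*)\s*$")

def env_keys(text):
    """Variable names assigned in an EnvironmentFile-style text."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            keys.add(line.split("=", 1)[0].strip())
    return keys

def shadowed_by_saved_config(env_texts, config_json_text):
    """Environment variables that a saved config.json also sets, so the file wins."""
    # Assumption: config.json keys are the lowercase form of the variable names.
    saved = {k.upper() for k in json.loads(config_json_text)}
    from_env = set().union(*(env_keys(t) for t in env_texts))
    return sorted(from_env & saved)

def overrides_from_journal(log_text):
    """Names listed after the 'overridden by the config.json' warning."""
    names, armed = [], False
    for line in log_text.splitlines():
        if MARKER in line:
            armed = True  # the name list follows within the next warning lines
            continue
        match = NAME_LIST.search(line) if armed else None
        if match:
            names += [n.strip() for n in match.group(1).split(",")]
            armed = False
    return names

# Constructed sample inputs, modelled on the files and log lines in the post.
SECRET_ENV = "ADMIN_TOKEN='argonBlahblahblah'\n"
STORE_ENV = "DOMAIN=https://vault.example.com\nROCKET_PORT=8222\nSIGNUPS_ALLOWED=false\n"
SAVED_CONFIG = '{"domain": "http://localhost", "signups_allowed": true, "admin_token": "old"}'
JOURNAL = """\
... vaultwarden[1832]: [WARNING] The following environment variables are being overridden by the config.json file.
... vaultwarden[1832]: [WARNING] Please use the admin panel to make changes to them:
... vaultwarden[1832]: [WARNING] DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN
"""

if __name__ == "__main__":
    print("shadowed:", shadowed_by_saved_config([SECRET_ENV, STORE_ENV], SAVED_CONFIG))
    print("journal :", overrides_from_journal(JOURNAL))
```

On a real host the inputs would be the contents of the two environment files shown by systemctl cat vaultwarden, /var/lib/vaultwarden/config.json, and the unit's journal output.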