From 266601d6f5bad47cf04d6da557934c05c8bec76d Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Wed, 16 Aug 2023 22:03:22 +0100
Subject: [PATCH] Vaguely harden vaultwarden config
---
 ansible/roles/vaultwarden/files/docker-compose.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/ansible/roles/vaultwarden/files/docker-compose.yml b/ansible/roles/vaultwarden/files/docker-compose.yml
index 10dacc3..6007347 100644
--- a/ansible/roles/vaultwarden/files/docker-compose.yml
+++ b/ansible/roles/vaultwarden/files/docker-compose.yml
@@ -17,7 +17,7 @@ services:
 - traefik.http.services.vaultwarden.loadbalancer.server.port=80
 - traefik.http.middlewares.vaultwarden-ratelimit.ratelimit.average=5
- - traefik.http.middlewares.vaultwarden-ratelimit.ratelimit.burst=1000
+ - traefik.http.middlewares.vaultwarden-ratelimit.ratelimit.burst=200
 - traefik.http.routers.vaultwarden.middlewares=vaultwarden-ratelimit
 environment:
@@ -26,7 +26,9 @@ services:
 - SHOW_PASSWORD_HINT=false
 - DATABASE_URL=postgres://vaultwarden:{{ vaultwarden_database_password }}@db/vaultwarden
 - INVITATIONS_ALLOWED=false
- - ROCKET_WORKERS={{ ansible_processor_nproc // 2 }}
+ - ROCKET_WORKERS=2
+ - EMERGENCY_ACCESS_ALLOWED=false
+ - AUTHENTICATOR_DISABLE_TIME_DRIFT=true
 networks:
 - default
 - traefik
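Review bot: The `burst=200` label on `vaultwarden-ratelimit` still leaves this middleware a coarse flood guard rather than a brute-force control: with `average=5`, one source can send 200 requests back-to-back before throttling starts, and the middleware is attached to the whole `vaultwarden` router, so login and asset requests share a bucket. No `sourcecriterion` label is visible, so the bucket is presumably keyed on the connection's remote address; if Traefik ever sits behind another proxy, all clients collapse into one bucket and `traefik.http.middlewares.vaultwarden-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=<n>` would be needed. I would add a comment above the label, e.g. `# flood guard only; login attempts are limited by Vaultwarden's LOGIN_RATELIMIT_* settings`, and confirm those settings are not loosened elsewhere. The labels list starts above the hunk, so other rate-limit labels may exist that are not visible here.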
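Review bot: `AUTHENTICATOR_DISABLE_TIME_DRIFT=true` makes TOTP validation accept only the current time step, so any clock skew on the Docker host turns into failed second-factor logins. The role should guarantee time synchronisation on the host, and the line deserves a comment such as `# only the current TOTP step is accepted; host clock must be NTP-synced`. `ROCKET_WORKERS=2` replaces the CPU-derived value with no stated reason; a short comment (`# fixed worker count to bound resource use`, if that is the intent) would keep it from being reverted later. The environment list starts above the hunk, so settings such as the admin token or signup policy cannot be checked from here.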