Move related settings together.

Merge Yubikey, Duo, Email 2FA sections into one.
Other minor fixes.

.env.template

@@ -27,9 +27,12 @@
 ## Templates data folder, by default uses embedded templates
 ## Check source code to see the format
 # TEMPLATES_FOLDER=data/templates
+## Automatically reload the templates for every request, slow, use only for development
+# RELOAD_TEMPLATES=false
 
-## Web vault folder
+## Web vault settings
 # WEB_VAULT_FOLDER=web-vault/
+# WEB_VAULT_ENABLED=tru
 
 #########################
 ### Database settings ###
@@ -94,6 +97,8 @@
 
 ## Enables push notifications (requires key and id from https://bitwarden.com/host)
 ## If you choose "European Union" Data Region, uncomment PUSH_RELAY_URI and PUSH_IDENTITY_URI then replace .com by .eu
+## Details about mobile client push notification:
+## - https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification
 # PUSH_ENABLED=false
 # PUSH_INSTALLATION_ID=CHANGEME
 # PUSH_INSTALLATION_KEY=CHANGEME
@@ -141,10 +146,6 @@
 ## Defaults to hourly (7 minutes after the hour). Set blank to disable this job.
 # EMERGENCY_REQUEST_TIMEOUT_SCHEDULE="0 7 * * * *"
 ##
-## Cron schedule of the job that cleans old events from the event table.
-## Defaults to daily. Set blank to disable this job. Also without EVENTS_DAYS_RETAIN set, this job will not start.
-# EVENT_CLEANUP_SCHEDULE="0 10 0 * * *"
-##
 ## Cron schedule of the job that cleans old auth requests from the auth request.
 ## Defaults to every minute. Set blank to disable this job.
 # AUTH_REQUEST_PURGE_SCHEDULE="30 * * * * *"
@@ -163,9 +164,6 @@
 ## For public server
 # DOMAIN=https://vw.domain.tld:8443
 
-## Enable web vault
-# WEB_VAULT_ENABLED=true
-
 ## Controls whether users are allowed to create Bitwarden Sends.
 ## This setting applies globally to all users.
 ## To control this on a per-org basis instead, use the "Disable Send" org policy.
@@ -233,6 +231,14 @@
 ## Disabled by default. Also check the EVENT_CLEANUP_SCHEDULE and EVENTS_DAYS_RETAIN settings.
 # ORG_EVENTS_ENABLED=false
 
+## Cron schedule of the job that cleans old events from the event table.
+## Defaults to daily. Set blank to disable this job. Also without EVENTS_DAYS_RETAIN set, this job will not start.
+# EVENT_CLEANUP_SCHEDULE="0 10 0 * * *"
+
+## Number of days to retain events stored in the database.
+## If unset (the default), events are kept indefinitely and the scheduled job is disabled!
+# EVENTS_DAYS_RETAIN=
+
 ## Controls which users can create new orgs.
 ## Blank or 'all' means all users can create orgs (this is the default):
 # ORG_CREATION_USERS=
@@ -270,21 +276,6 @@
 ## as this provides unauthenticated access to potentially sensitive data.
 # SHOW_PASSWORD_HINT=false
 
-## Token for the admin interface, preferably an Argon2 PCH string
-## Vaultwarden has a built-in generator by calling `vaultwarden hash`
-## For details see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
-## If not set, the admin panel is disabled
-## New Argon2 PHC string
-## Note that for some environments, like docker-compose you need to escape all the dollar signs `$` with an extra dollar sign like `$$`
-## Also, use single quotes (') instead of double quotes (") to enclose the string when needed
-# ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$MmeKRnGK5RW5mJS7h3TOL89GrpLPXJPAtTK8FTqj9HM$DqsstvoSAETl9YhnsXbf43WeaUwJC6JhViIvuPoig78'
-## Old plain text string (Will generate warnings in favor of Argon2)
-# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
-
-## Number of days to retain events stored in the database.
-## If unset (the default), events are kept indefinitely and the scheduled job is disabled!
-# EVENTS_DAYS_RETAIN=
-
 #########################
 ### Advanced settings ###
 #########################
@@ -334,23 +325,6 @@
 ## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
 # ICON_BLACKLIST_NON_GLOBAL_IPS=true
 
-## Disable 2FA remember
-## Enabling this would force the users to use a second factor to login every time.
-## Note that the checkbox would still be present, but ignored.
-# DISABLE_2FA_REMEMBER=false
-
-## Authenticator Settings
-## Disable authenticator time drifted codes to be valid.
-## TOTP codes of the previous and next 30 seconds will be invalid
-##
-## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
-## we allow by default the TOTP code which was valid one step back and one in the future.
-## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
-## You can disable this, so that only the current TOTP Code is allowed.
-## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
-## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
-# AUTHENTICATOR_DISABLE_TIME_DRIFT=false
-
 ## Client Settings
 ## Enable experimental feature flags for clients.
 ## This is a comma-separated list of flags, e.g. "flag1,flag2,flag3".
@@ -366,9 +340,6 @@
 ## If sending the email fails the login attempt will fail!!
 # REQUIRE_DEVICE_EMAIL=false
 
-## Automatically reload the templates for every request, slow, use only for development
-# RELOAD_TEMPLATES=false
-
 ## Enable extended logging, which shows timestamps and targets in the logs
 # EXTENDED_LOGGING=true
 
@@ -388,12 +359,31 @@
 ## Valid values are "trace", "debug", "info", "warn", "error" and "off"
 ## Setting it to "trace" or "debug" would also show logs for mounted
 ## routes and static file, websocket and alive requests
-# LOG_LEVEL=Info
+# LOG_LEVEL=info
+
+## Token for the admin interface, preferably an Argon2 PCH string
+## Vaultwarden has a built-in generator by calling `vaultwarden hash`
+## For details see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
+## If not set, the admin panel is disabled
+## New Argon2 PHC string
+## Note that for some environments, like docker-compose you need to escape all the dollar signs `$` with an extra dollar sign like `$$`
+## Also, use single quotes (') instead of double quotes (") to enclose the string when needed
+# ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$MmeKRnGK5RW5mJS7h3TOL89GrpLPXJPAtTK8FTqj9HM$DqsstvoSAETl9YhnsXbf43WeaUwJC6JhViIvuPoig78'
+## Old plain text string (Will generate warnings in favor of Argon2)
+# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
 
 ## Enable this to bypass the admin panel security. This option is only
 ## meant to be used with the use of a separate auth layer in front
 # DISABLE_ADMIN_TOKEN=false
 
+## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in.
+# ADMIN_RATELIMIT_SECONDS=300
+## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`.
+# ADMIN_RATELIMIT_MAX_BURST=3
+
+## Set the lifetime of admin sessions to this value (in minutes).
+# ADMIN_SESSION_LIFETIME=20
+
 ## Allowed iframe ancestors (Know the risks!)
 ## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
 ## Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
@@ -407,14 +397,6 @@
 ## Note that this applies to both the login and the 2FA, so it's recommended to allow a burst size of at least 2.
 # LOGIN_RATELIMIT_MAX_BURST=10
 
-## Number of seconds, on average, between admin login requests from the same IP address before rate limiting kicks in.
-# ADMIN_RATELIMIT_SECONDS=300
-## Allow a burst of requests of up to this size, while maintaining the average indicated by `ADMIN_RATELIMIT_SECONDS`.
-# ADMIN_RATELIMIT_MAX_BURST=3
-
-## Set the lifetime of admin sessions to this value (in minutes).
-# ADMIN_SESSION_LIFETIME=20
-
 ## BETA FEATURE: Groups
 ## Controls whether group support is enabled for organizations
 ## This setting applies to organizations.
@@ -423,7 +405,7 @@
 # ORG_GROUPS_ENABLED=false
 
 ########################
-### Yubikey settings ###
+### MFA/2FA settings ###
 ########################
 
 ## Yubico (Yubikey) Settings
@@ -434,10 +416,6 @@
 # YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA
 # YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
 
-####################
-### Duo settings ###
-####################
-
 ## Duo Settings
 ## You need to configure all options to enable global Duo support, otherwise users would need to configure it themselves
 ## Create an account and protect an application as mentioned in this link (only the first step, not the rest):
@@ -449,6 +427,37 @@
 ## After that, you should be able to follow the rest of the guide linked above,
 ## ignoring the fields that ask for the values that you already configured beforehand.
 
+## Email 2FA settings
+## Email token size
+## Number of digits in an email 2FA token (min: 6, max: 255).
+## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting!
+# EMAIL_TOKEN_SIZE=6
+##
+## Token expiration time
+## Maximum time in seconds a token is valid. The time the user has to open email client and copy token.
+# EMAIL_EXPIRATION_TIME=600
+##
+## Maximum attempts before an email token is reset and a new email will need to be sent.
+# EMAIL_ATTEMPTS_LIMIT=3
+
+## Other MFA/2FA settings
+## Disable 2FA remember
+## Enabling this would force the users to use a second factor to login every time.
+## Note that the checkbox would still be present, but ignored.
+# DISABLE_2FA_REMEMBER=false
+##
+## Authenticator Settings
+## Disable authenticator time drifted codes to be valid.
+## TOTP codes of the previous and next 30 seconds will be invalid
+##
+## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
+## we allow by default the TOTP code which was valid one step back and one in the future.
+## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
+## You can disable this, so that only the current TOTP Code is allowed.
+## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
+## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
+# AUTHENTICATOR_DISABLE_TIME_DRIFT=false
+
 ###########################
 ### SMTP Email settings ###
 ###########################
@@ -499,32 +508,15 @@
 ## Only use this as a last resort if you are not able to use a valid certificate.
 # SMTP_ACCEPT_INVALID_HOSTNAMES=false
 
-##########################
-### Email 2FA settings ###
-##########################
-
-## Email token size
-## Number of digits in an email 2FA token (min: 6, max: 255).
-## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting!
-# EMAIL_TOKEN_SIZE=6
-
-## Token expiration time
-## Maximum time in seconds a token is valid. The time the user has to open email client and copy token.
-# EMAIL_EXPIRATION_TIME=600
-
-## Maximum attempts before an email token is reset and a new email will need to be sent.
-# EMAIL_ATTEMPTS_LIMIT=3
-
 ##########################
 ### Rocket settings ###
 ##########################
 
 ## Rocket specific settings
-## See https://rocket.rs/v0.4/guide/configuration/ for more details.
+## See https://rocket.rs/v0.5/guide/configuration/ for more details.
 # ROCKET_ADDRESS=0.0.0.0
 # ROCKET_PORT=80  # Defaults to 80 in the Docker images, or 8000 otherwise.
-# ROCKET_WORKERS=10
 # ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
 
 
-# vim: syntax=ini
+# vim: syntax=ini