diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9e187a5..98f0fa7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@
   - `shb.authelia.oidcClients.id` -> `shb.authelia.oidcClients.client_id`
   - `shb.authelia.oidcClients.description` -> `shb.authelia.oidcClients.client_name`
   - `shb.authelia.oidcClients.secret` -> `shb.authelia.oidcClients.client_secret`
+- Vaultwarden data folder changed to `/var/lib/vaultwarden`.
 
 ## User Facing Backwards Compatible Changes
 
diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix
index 3117148..391f36b 100644
--- a/modules/services/vaultwarden.nix
+++ b/modules/services/vaultwarden.nix
@@ -8,7 +8,7 @@ let
 
   fqdn = "${cfg.subdomain}.${cfg.domain}";
 
-  dataFolder = "/var/lib/bitwarden_rs";
+  dataFolder = "/var/lib/vaultwarden";
 in
 {
   options.shb.vaultwarden = {
@@ -152,7 +152,6 @@ in
       enable = true;
       dbBackend = "postgresql";
       config = {
-        DATA_FOLDER = dataFolder;
         IP_HEADER = "X-Real-IP";
         SIGNUPS_ALLOWED = false;
         # Disabled because the /admin path is protected by SSO
@@ -182,6 +181,8 @@ in
       "d ${dataFolder} 0750 vaultwarden vaultwarden"
       "f ${dataFolder}/vaultwarden.env 0640 vaultwarden vaultwarden"
     ];
+    # Needed to be able to write template config.
+    systemd.services.vaultwarden.serviceConfig.ProtectHome = lib.mkForce false;
     systemd.services.vaultwarden.preStart =
       shblib.replaceSecrets {
         userConfig = {
diff --git a/test/services/vaultwarden.nix b/test/services/vaultwarden.nix
index 9398b07..1ad4d17 100644
--- a/test/services/vaultwarden.nix
+++ b/test/services/vaultwarden.nix
@@ -31,7 +31,7 @@ let
             {"email": "me@example.com"}
         """))
         print(response)
-        if 'Kdf' not in response:
+        if 'kdf' not in response:
             raise Exception("Unrecognized response: {}".format(response))
 
     with subtest("get token"):
@@ -45,7 +45,7 @@ let
           &password=mypassword
         """))
         print(response)
-        if response["Message"] != "Username or password is incorrect. Try again":
+        if response["message"] != "Username or password is incorrect. Try again":
             raise Exception("Unrecognized response: {}".format(response))
     '';
   };