From 69088659000e2b7c822d3f6bb05bb9949cf51064 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 16 Mar 2023 12:05:21 +0200 Subject: [PATCH] Add initial Vaultwarden support Absorbed from the https://github.com/spantaleev/vaultwarden-docker-ansible-deploy Ansible playbook. The `vaultwarden_backup` role hasn't been migrated over yet. --- docs/services/README.md | 1 + docs/services/postgres.md | 2 +- docs/services/vaultwarden.md | 84 ++++++++++++++++++++++++++++++++++++ group_vars/mash_servers | 53 +++++++++++++++++++++++ requirements.yml | 4 ++ setup.yml | 2 + 6 files changed, 145 insertions(+), 1 deletion(-) create mode 100644 docs/services/vaultwarden.md diff --git a/docs/services/README.md b/docs/services/README.md index b136061..d82a223 100644 --- a/docs/services/README.md +++ b/docs/services/README.md @@ -7,6 +7,7 @@ | [PostgreSQL](https://www.postgresql.org) | A powerful, open source object-relational database system | [Link](postgres.md) | | [Radicale](https://miniflux.app/) | A Free and Open-Source CalDAV and CardDAV Server (solution for hosting contacts and calendars) | [Link](radicale.md) | | [Traefik](https://doc.traefik.io/traefik/) | A container-aware reverse-proxy server | [Link](traefik.md) | +| [Vaultwarden](https://github.com/dani-garcia/vaultwarden) | A lightweight unofficial and compatible implementation of the [Bitwarden](https://bitwarden.com/) password manager | [Link](vaultwarden.md) | | [Uptime-kuma](https://uptime.kuma.pet/) | A fancy self-hosted monitoring tool | [Link](uptime-kuma.md) | diff --git a/docs/services/postgres.md b/docs/services/postgres.md index bc1d541..e11932e 100644 --- a/docs/services/postgres.md +++ b/docs/services/postgres.md 
@@ -47,7 +47,7 @@ Before doing the actual import, **you need to upload your Postgres dump file to ### Importing -To import, run this command (make sure to replace `` with a file path on your server): +To import, run this command (make sure to replace `SERVER_PATH_TO_POSTGRES_DUMP_FILE` with a file path on your server): ```sh just run-tags import-postgres \ diff --git a/docs/services/vaultwarden.md b/docs/services/vaultwarden.md new file mode 100644 index 0000000..14867a6 --- /dev/null +++ b/docs/services/vaultwarden.md 
@@ -0,0 +1,84 @@ +# Vaultwarden + +[Vaultwarden](https://github.com/dani-garcia/vaultwarden) (unofficial [Bitwarden](https://bitwarden.com/) compatible server) is a password manager server that you can use with the official **Bitwarden** apps and browser addons. + + +## Dependencies + +This service requires the following other services: + +- a [Postgres](postgres.md) database +- a [Traefik](traefik.md) reverse-proxy server + + +## Configuration + +To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process: + +```yaml +######################################################################## +# # +# vaultwarden # +# # +######################################################################## + +vaultwarden_enabled: true + +vaultwarden_hostname: mash.example.com + +# For additional security, we recommend hosting Vaultwarden at a subpath. +# See: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#hiding-under-a-subdir +# +# Choose your own custom path below. +# When using a path prefix, Vaultwarden will be available at: https://VAULTWARDEN_DOMAIN/PATH_PREFIX +# while the homepage (/) shows a 404 HTTP error. +# +# If you'd like to host at the root (without a path prefix), remove this configuration line. +vaultwarden_path_prefix: /vaultwarden-secret-custom-prefix + +# Configure a strong admin secret here (generated with `pwgen -s 64 1`, etc). +# You will need this for accessing the /admin section useful for creating your first user +# and for doing various maintenance tasks. +# In the future, you can also consider disabling the /admin section by removing this configuration line. +vaultwarden_config_admin_token: '' + +# Require people to validate their email addresses. When enabled, SMTP settings (below) are required. +vaultwarden_config_signups_verify: true + +# Example SMTP settings. +# If you keep `vaultwarden_config_signups_verify` enabled, you will need to specify them. 
+# There are more SMTP variables in `roles/custom/devture_vaultwarden/defaults/main.yml`, in case you need them. +# If you decide you won't set up SMTP, consider removing all these configuration lines below +# and removing `vaultwarden_config_signups_verify: true` above. +vaultwarden_config_smtp_from: vaultwarden@DOMAIN +vaultwarden_config_smtp_host: '' +vaultwarden_config_smtp_port: 587 +vaultwarden_config_smtp_security: starttls +vaultwarden_config_smtp_username: '' +vaultwarden_config_smtp_password: '' + +######################################################################## +# # +# /vaultwarden # +# # +######################################################################## +``` + +In the example configuration above, we configure the service to be hosted at `https://mash.example.com/vaultwarden-secret-custom-prefix`. + +You can remove the `vaultwarden_path_prefix` variable definition, to make it default to `/`, so that the service is served at `https://mash.example.com/`. + + +## Usage + +After installation, you should be able to access your new Vaultwarden instance at: `https://VAULTWARDEN_DOMAIN/PATH_PREFIX`, where: + +- `VAULTWARDEN_DOMAIN` matches your domain, as specified in `vaultwarden_hostname` in your `vars.yml` file +- `PATH_PREFIX` matches your path prefix, as specified in `vaultwarden_path_prefix` in your `vars.yml` file + +To set up your first user account, you should use the `/admin` page, available at `https://VAULTWARDEN_DOMAIN/PATH_PREFIX/admin` and accessible with an admin token, as specified in `vaultwarden_config_admin_token` in your `vars.yml` file. + +If you hadn't enabled the `/admin` feature (by defining `vaultwarden_config_admin_token`), you would: + +- **either** need to do so and [re-run the playbook](../installing.md) (you can do it quickly with `just install-service vaultwarden`) +- **or** to enable public registration (`vaultwarden_config_signups_enabled: true`) at least temporarily. 
diff --git a/group_vars/mash_servers b/group_vars/mash_servers index c645697..bce03aa 100644 --- a/group_vars/mash_servers +++ b/group_vars/mash_servers @@ -18,6 +18,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': (radicale_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'radicale']}] if radicale_enabled else []) + + ([{'name': (vaultwarden_identifier + '.service'), 'priority': 1000, 'groups': ['mash', 'vaultwarden', 'vaultwarden-server']}]) + + ([{'name': (uptime_kuma_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'uptime-kuma']}] if uptime_kuma_enabled else []) }} @@ -58,6 +60,12 @@ devture_postgres_managed_databases_auto: | 'username': miniflux_database_username, 'password': miniflux_database_password, }] if miniflux_enabled else []) + + + ([{ + 'name': vaultwarden_database_name, + 'username': vaultwarden_database_username, + 'password': vaultwarden_database_password, + }] if vaultwarden_enabled else []) }} ######################################################################## 
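Review bot: The new `devture_systemd_service_manager_services_list_auto` entry for Vaultwarden is unconditional, unlike the neighbouring radicale and uptime_kuma entries, so the systemd service manager will be handed a `mash-vaultwarden.service` even on hosts where the service is disabled. The list element should carry the same guard as its siblings: `([{'name': (vaultwarden_identifier + '.service'), 'priority': 1000, 'groups': ['mash', 'vaultwarden', 'vaultwarden-server']}] if vaultwarden_enabled else [])`. The priority is also 1000 where the surrounding application services use 2000; if that is deliberate (starting Vaultwarden ahead of the others) a short comment saying so would help, otherwise align it. The enclosing YAML block starts before the hunk.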
@@ -261,6 +269,51 @@ radicale_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certReso +######################################################################## +# # +# vaultwarden # +# # +######################################################################## + +vaultwarden_enable: false + +vaultwarden_identifier: mash-vaultwarden + +vaultwarden_uid: "{{ mash_playbook_uid }}" +vaultwarden_gid: "{{ mash_playbook_gid }}" + +vaultwarden_base_path: "{{ mash_playbook_base_path }}/vaultwarden" + +vaultwarden_systemd_required_systemd_services_list: | + {{ + (['docker.service']) + + + ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else []) + }} + +vaultwarden_container_additional_networks: | + {{ + ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else []) + + + ([devture_postgres_container_network] if devture_postgres_enabled and vaultwarden_database_hostname == devture_postgres_identifier and vaultwarden_container_network != devture_postgres_container_network else []) + }} + +vaultwarden_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}" +vaultwarden_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}" + +vaultwarden_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}" +vaultwarden_database_port: "{{ '5432' if devture_postgres_enabled else '' }}" +vaultwarden_database_username: "vaultwarden" +vaultwarden_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'db.vaultwarden', rounds=655555) | to_uuid }}" + +######################################################################## +# # +# /vaultwarden # +# # +######################################################################## + + + ######################################################################## # # # etke/uptime_kuma # 
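Review bot: The default flag is spelled `vaultwarden_enable: false`, but every other reference in this commit uses `vaultwarden_enabled` (the `if vaultwarden_enabled else []` guard in the managed-databases hunk, and `vaultwarden_enabled: true` in docs/services/vaultwarden.md), so this line defines an unused variable and leaves `vaultwarden_enabled` without a default in group_vars; change it to `vaultwarden_enabled: false`. If the role's own defaults happen to define `vaultwarden_enabled`, the playbook still works, but the group_vars default would silently do nothing. `vaultwarden_database_name` is consumed by the managed-databases hunk but not set here; presumably it comes from the role defaults, which is worth confirming.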
diff --git a/requirements.yml b/requirements.yml index 8e992ad..91db2e1 100644 --- a/requirements.yml +++ b/requirements.yml @@ -41,3 +41,7 @@ - src: git+https://gitlab.com/etke.cc/roles/uptime_kuma.git version: v1.20.2-1 + +- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git + name: vaultwarden + version: v1.27.0-0 diff --git a/setup.yml b/setup.yml index 78ea5d3..15bfd29 100644 --- a/setup.yml +++ b/setup.yml @@ -48,6 +48,8 @@ - role: galaxy/radicale + - role: galaxy/vaultwarden + - role: galaxy/uptime_kuma - when: devture_systemd_service_manager_enabled | bool