Add initial Vaultwarden support

Absorbed from the https://github.com/spantaleev/vaultwarden-docker-ansible-deploy
Ansible playbook.

The `vaultwarden_backup` role hasn't been migrated over yet.
Slavi Pantaleev 2023-03-16 12:05:21 +02:00
parent a6cbd9836e
commit 6908865900
6 changed files with 145 additions and 1 deletions

View file

@ -7,6 +7,7 @@
| [PostgreSQL](https://www.postgresql.org) | A powerful, open source object-relational database system | [Link](postgres.md) | | [PostgreSQL](https://www.postgresql.org) | A powerful, open source object-relational database system | [Link](postgres.md) |
| [Radicale](https://miniflux.app/) | A Free and Open-Source CalDAV and CardDAV Server (solution for hosting contacts and calendars) | [Link](radicale.md) | | [Radicale](https://miniflux.app/) | A Free and Open-Source CalDAV and CardDAV Server (solution for hosting contacts and calendars) | [Link](radicale.md) |
| [Traefik](https://doc.traefik.io/traefik/) | A container-aware reverse-proxy server | [Link](traefik.md) | | [Traefik](https://doc.traefik.io/traefik/) | A container-aware reverse-proxy server | [Link](traefik.md) |
| [Vaultwarden](https://github.com/dani-garcia/vaultwarden) | A lightweight unofficial and compatible implementation of the [Bitwarden](https://bitwarden.com/) password manager | [Link](vaultwarden.md) |
| [Uptime-kuma](https://uptime.kuma.pet/) | A fancy self-hosted monitoring tool | [Link](uptime-kuma.md) | | [Uptime-kuma](https://uptime.kuma.pet/) | A fancy self-hosted monitoring tool | [Link](uptime-kuma.md) |
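Review bot: the new Vaultwarden row is inserted between Traefik and Uptime-kuma, which breaks the alphabetical order the rest of the table follows (PostgreSQL, Radicale, Traefik, Uptime-kuma); move it after the Uptime-kuma row. While here, the unchanged Radicale row still links to https://miniflux.app/, which looks like a copy-paste leftover and could be corrected in the same pass.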

View file

@ -47,7 +47,7 @@ Before doing the actual import, **you need to upload your Postgres dump file to
### Importing ### Importing
To import, run this command (make sure to replace `<server-path-to-postgres-dump.sql>` with a file path on your server): To import, run this command (make sure to replace `SERVER_PATH_TO_POSTGRES_DUMP_FILE` with a file path on your server):
```sh ```sh
just run-tags import-postgres \ just run-tags import-postgres \
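Review bot: the prose placeholder changes from `<server-path-to-postgres-dump.sql>` to `SERVER_PATH_TO_POSTGRES_DUMP_FILE`, but only the first line of the `just run-tags import-postgres` command is visible in this hunk; confirm the placeholder inside the command's remaining lines is renamed identically, otherwise the text tells readers to replace a name that no longer appears in the command.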

View file

@ -0,0 +1,84 @@
# Vaultwarden
[Vaultwarden](https://github.com/dani-garcia/vaultwarden) (unofficial [Bitwarden](https://bitwarden.com/) compatible server) is a password manager server that you can use with the official **Bitwarden** apps and browser addons.
## Dependencies
This service requires the following other services:
- a [Postgres](postgres.md) database
- a [Traefik](traefik.md) reverse-proxy server
## Configuration
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# vaultwarden #
# #
########################################################################
vaultwarden_enabled: true
vaultwarden_hostname: mash.example.com
# For additional security, we recommend hosting Vaultwarden at a subpath.
# See: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#hiding-under-a-subdir
#
# Choose your own custom path below.
# When using a path prefix, Vaultwarden will be available at: https://VAULTWARDEN_DOMAIN/PATH_PREFIX
# while the homepage (/) shows a 404 HTTP error.
#
# If you'd like to host at the root (without a path prefix), remove this configuration line.
vaultwarden_path_prefix: /vaultwarden-secret-custom-prefix
# Configure a strong admin secret here (generated with `pwgen -s 64 1`, etc).
# You will need this for accessing the /admin section useful for creating your first user
# and for doing various maintenance tasks.
# In the future, you can also consider disabling the /admin section by removing this configuration line.
vaultwarden_config_admin_token: ''
# Require people to validate their email addresses. When enabled, SMTP settings (below) are required.
vaultwarden_config_signups_verify: true
# Example SMTP settings.
# If you keep `vaultwarden_config_signups_verify` enabled, you will need to specify them.
# There are more SMTP variables in `roles/custom/devture_vaultwarden/defaults/main.yml`, in case you need them.
# If you decide you won't set up SMTP, consider removing all these configuration lines below
# and removing `vaultwarden_config_signups_verify: true` above.
vaultwarden_config_smtp_from: vaultwarden@DOMAIN
vaultwarden_config_smtp_host: ''
vaultwarden_config_smtp_port: 587
vaultwarden_config_smtp_security: starttls
vaultwarden_config_smtp_username: ''
vaultwarden_config_smtp_password: ''
########################################################################
# #
# /vaultwarden #
# #
########################################################################
```
In the example configuration above, we configure the service to be hosted at `https://mash.example.com/vaultwarden-secret-custom-prefix`.
You can remove the `vaultwarden_path_prefix` variable definition, to make it default to `/`, so that the service is served at `https://mash.example.com/`.
## Usage
After installation, you should be able to access your new Vaultwarden instance at: `https://VAULTWARDEN_DOMAIN/PATH_PREFIX`, where:
- `VAULTWARDEN_DOMAIN` matches your domain, as specified in `vaultwarden_hostname` in your `vars.yml` file
- `PATH_PREFIX` matches your path prefix, as specified in `vaultwarden_path_prefix` in your `vars.yml` file
To set up your first user account, you should use the `/admin` page, available at `https://VAULTWARDEN_DOMAIN/PATH_PREFIX/admin` and accessible with an admin token, as specified in `vaultwarden_config_admin_token` in your `vars.yml` file.
If you hadn't enabled the `/admin` feature (by defining `vaultwarden_config_admin_token`), you would:
- **either** need to do so and [re-run the playbook](../installing.md) (you can do it quickly with `just install-service vaultwarden`)
- **or** to enable public registration (`vaultwarden_config_signups_enabled: true`) at least temporarily.
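Review bot: the sample config ships `vaultwarden_config_admin_token: ''`, yet the Usage section says `/admin` is enabled "by defining `vaultwarden_config_admin_token`"; a reader who copies the block unchanged will get no `/admin` page and no hint why. Use an obvious placeholder (for example `vaultwarden_config_admin_token: CHANGE_ME_TO_A_STRONG_SECRET`) and state in the comment that an empty value leaves `/admin` disabled. Two smaller points: the "If you hadn't enabled ... you would: either need to do so ... or to enable" sentence is hard to parse and would read better as "If you haven't enabled the `/admin` feature ... you need to either ... or ..."; and since the alternative is `vaultwarden_config_signups_enabled: true` on an internet-facing instance, the text should say explicitly to set it back to `false` and re-run the playbook once the first account exists, rather than only "at least temporarily".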

View file

@ -18,6 +18,8 @@ devture_systemd_service_manager_services_list_auto: |
+ +
([{'name': (radicale_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'radicale']}] if radicale_enabled else []) ([{'name': (radicale_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'radicale']}] if radicale_enabled else [])
+ +
([{'name': (vaultwarden_identifier + '.service'), 'priority': 1000, 'groups': ['mash', 'vaultwarden', 'vaultwarden-server']}])
+
([{'name': (uptime_kuma_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'uptime-kuma']}] if uptime_kuma_enabled else []) ([{'name': (uptime_kuma_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'uptime-kuma']}] if uptime_kuma_enabled else [])
}} }}
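Review bot: the new `vaultwarden_identifier` entry has no `if vaultwarden_enabled else []` guard, unlike the neighbouring radicale and uptime_kuma entries, so `mash-vaultwarden.service` is added to `devture_systemd_service_manager_services_list_auto` even when Vaultwarden is disabled and the service manager will try to handle a unit that was never installed. Change the line to `([{'name': (vaultwarden_identifier + '.service'), 'priority': 1000, 'groups': ['mash', 'vaultwarden', 'vaultwarden-server']}] if vaultwarden_enabled else [])`. The priority of 1000 also differs from the 2000 used by the surrounding services; if that is deliberate, a short comment would save the next reader a question.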
@ -58,6 +60,12 @@ devture_postgres_managed_databases_auto: |
'username': miniflux_database_username, 'username': miniflux_database_username,
'password': miniflux_database_password, 'password': miniflux_database_password,
}] if miniflux_enabled else []) }] if miniflux_enabled else [])
+
([{
'name': vaultwarden_database_name,
'username': vaultwarden_database_username,
'password': vaultwarden_database_password,
}] if vaultwarden_enabled else [])
}} }}
######################################################################## ########################################################################
@ -261,6 +269,51 @@ radicale_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certReso
########################################################################
# #
# vaultwarden #
# #
########################################################################
vaultwarden_enable: false
vaultwarden_identifier: mash-vaultwarden
vaultwarden_uid: "{{ mash_playbook_uid }}"
vaultwarden_gid: "{{ mash_playbook_gid }}"
vaultwarden_base_path: "{{ mash_playbook_base_path }}/vaultwarden"
vaultwarden_systemd_required_systemd_services_list: |
{{
(['docker.service'])
+
([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])
}}
vaultwarden_container_additional_networks: |
{{
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
+
([devture_postgres_container_network] if devture_postgres_enabled and vaultwarden_database_hostname == devture_postgres_identifier and vaultwarden_container_network != devture_postgres_container_network else [])
}}
vaultwarden_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
vaultwarden_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
vaultwarden_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}"
vaultwarden_database_port: "{{ '5432' if devture_postgres_enabled else '' }}"
vaultwarden_database_username: "vaultwarden"
vaultwarden_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'db.vaultwarden', rounds=655555) | to_uuid }}"
########################################################################
# #
# /vaultwarden #
# #
########################################################################
######################################################################## ########################################################################
# # # #
# etke/uptime_kuma # # etke/uptime_kuma #
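Review bot: the first line of the new block defines `vaultwarden_enable: false`, but the variable every other place in this commit reads is `vaultwarden_enabled` (the `vaultwarden_enabled: true` in the new docs page and the `if vaultwarden_enabled else []` guard in `devture_postgres_managed_databases_auto` above); rename it to `vaultwarden_enabled: false` so the documented variable has a default in this file and the role is not enabled or disabled by whatever default the galaxy role happens to ship. Separately, `vaultwarden_container_additional_networks` references `vaultwarden_container_network`, which is not defined in this block; confirm the role provides that default, otherwise the expression fails at render time when Postgres is enabled.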

View file

@ -41,3 +41,7 @@
- src: git+https://gitlab.com/etke.cc/roles/uptime_kuma.git - src: git+https://gitlab.com/etke.cc/roles/uptime_kuma.git
version: v1.20.2-1 version: v1.20.2-1
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git
name: vaultwarden
version: v1.27.0-0

View file

@ -48,6 +48,8 @@
- role: galaxy/radicale - role: galaxy/radicale
- role: galaxy/vaultwarden
- role: galaxy/uptime_kuma - role: galaxy/uptime_kuma
- when: devture_systemd_service_manager_enabled | bool - when: devture_systemd_service_manager_enabled | bool