Add initial Vaultwarden support
Absorbed from the https://github.com/spantaleev/vaultwarden-docker-ansible-deploy Ansible playbook. The `vaultwarden_backup` role hasn't been migrated over yet.
This commit is contained in:
parent
a6cbd9836e
commit
6908865900
6 changed files with 145 additions and 1 deletions
|
@ -7,6 +7,7 @@
|
|||
| [PostgreSQL](https://www.postgresql.org) | A powerful, open source object-relational database system | [Link](postgres.md) |
|
||||
| [Radicale](https://miniflux.app/) | A Free and Open-Source CalDAV and CardDAV Server (solution for hosting contacts and calendars) | [Link](radicale.md) |
|
||||
| [Traefik](https://doc.traefik.io/traefik/) | A container-aware reverse-proxy server | [Link](traefik.md) |
|
||||
| [Vaultwarden](https://github.com/dani-garcia/vaultwarden) | A lightweight unofficial and compatible implementation of the [Bitwarden](https://bitwarden.com/) password manager | [Link](vaultwarden.md) |
|
||||
| [Uptime-kuma](https://uptime.kuma.pet/) | A fancy self-hosted monitoring tool | [Link](uptime-kuma.md) |
|
||||
|
||||
|
||||
|
|
|
@ -47,7 +47,7 @@ Before doing the actual import, **you need to upload your Postgres dump file to
|
|||
|
||||
### Importing
|
||||
|
||||
To import, run this command (make sure to replace `<server-path-to-postgres-dump.sql>` with a file path on your server):
|
||||
To import, run this command (make sure to replace `SERVER_PATH_TO_POSTGRES_DUMP_FILE` with a file path on your server):
|
||||
|
||||
```sh
|
||||
just run-tags import-postgres \
|
||||
|
|
84
docs/services/vaultwarden.md
Normal file
84
docs/services/vaultwarden.md
Normal file
|
@ -0,0 +1,84 @@
|
|||
# Vaultwarden
|
||||
|
||||
[Vaultwarden](https://github.com/dani-garcia/vaultwarden) (unofficial [Bitwarden](https://bitwarden.com/) compatible server) is a password manager server that you can use with the official **Bitwarden** apps and browser addons.
|
||||
|
||||
|
||||
## Dependencies
|
||||
|
||||
This service requires the following other services:
|
||||
|
||||
- a [Postgres](postgres.md) database
|
||||
- a [Traefik](traefik.md) reverse-proxy server
|
||||
|
||||
|
||||
## Configuration
|
||||
|
||||
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
|
||||
|
||||
```yaml
|
||||
########################################################################
|
||||
# #
|
||||
# vaultwarden #
|
||||
# #
|
||||
########################################################################
|
||||
|
||||
vaultwarden_enabled: true
|
||||
|
||||
vaultwarden_hostname: mash.example.com
|
||||
|
||||
# For additional security, we recommend hosting Vaultwarden at a subpath.
|
||||
# See: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#hiding-under-a-subdir
|
||||
#
|
||||
# Choose your own custom path below.
|
||||
# When using a path prefix, Vaultwarden will be available at: https://VAULTWARDEN_DOMAIN/PATH_PREFIX
|
||||
# while the homepage (/) shows a 404 HTTP error.
|
||||
#
|
||||
# If you'd like to host at the root (without a path prefix), remove this configuration line.
|
||||
vaultwarden_path_prefix: /vaultwarden-secret-custom-prefix
|
||||
|
||||
# Configure a strong admin secret here (generated with `pwgen -s 64 1`, etc).
|
||||
# You will need this for accessing the /admin section useful for creating your first user
|
||||
# and for doing various maintenance tasks.
|
||||
# In the future, you can also consider disabling the /admin section by removing this configuration line.
|
||||
vaultwarden_config_admin_token: ''
|
||||
|
||||
# Require people to validate their email addresses. When enabled, SMTP settings (below) are required.
|
||||
vaultwarden_config_signups_verify: true
|
||||
|
||||
# Example SMTP settings.
|
||||
# If you keep `vaultwarden_config_signups_verify` enabled, you will need to specify them.
|
||||
# There are more SMTP variables in `roles/custom/devture_vaultwarden/defaults/main.yml`, in case you need them.
|
||||
# If you decide you won't set up SMTP, consider removing all these configuration lines below
|
||||
# and removing `vaultwarden_config_signups_verify: true` above.
|
||||
vaultwarden_config_smtp_from: vaultwarden@DOMAIN
|
||||
vaultwarden_config_smtp_host: ''
|
||||
vaultwarden_config_smtp_port: 587
|
||||
vaultwarden_config_smtp_security: starttls
|
||||
vaultwarden_config_smtp_username: ''
|
||||
vaultwarden_config_smtp_password: ''
|
||||
|
||||
########################################################################
|
||||
# #
|
||||
# /vaultwarden #
|
||||
# #
|
||||
########################################################################
|
||||
```
|
||||
|
||||
In the example configuration above, we configure the service to be hosted at `https://mash.example.com/vaultwarden-secret-custom-prefix`.
|
||||
|
||||
You can remove the `vaultwarden_path_prefix` variable definition, to make it default to `/`, so that the service is served at `https://mash.example.com/`.
|
||||
|
||||
|
||||
## Usage
|
||||
|
||||
After installation, you should be able to access your new Vaultwarden instance at: `https://VAULTWARDEN_DOMAIN/PATH_PREFIX`, where:
|
||||
|
||||
- `VAULTWARDEN_DOMAIN` matches your domain, as specified in `vaultwarden_hostname` in your `vars.yml` file
|
||||
- `PATH_PREFIX` matches your path prefix, as specified in `vaultwarden_path_prefix` in your `vars.yml` file
|
||||
|
||||
To set up your first user account, you should use the `/admin` page, available at `https://VAULTWARDEN_DOMAIN/PATH_PREFIX/admin` and accessible with an admin token, as specified in `vaultwarden_config_admin_token` in your `vars.yml` file.
|
||||
|
||||
If you hadn't enabled the `/admin` feature (by defining `vaultwarden_config_admin_token`), you would:
|
||||
|
||||
- **either** need to do so and [re-run the playbook](../installing.md) (you can do it quickly with `just install-service vaultwarden`)
|
||||
- **or** to enable public registration (`vaultwarden_config_signups_enabled: true`) at least temporarily.
|
|
@ -18,6 +18,8 @@ devture_systemd_service_manager_services_list_auto: |
|
|||
+
|
||||
([{'name': (radicale_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'radicale']}] if radicale_enabled else [])
|
||||
+
|
||||
([{'name': (vaultwarden_identifier + '.service'), 'priority': 1000, 'groups': ['mash', 'vaultwarden', 'vaultwarden-server']}])
|
||||
+
|
||||
([{'name': (uptime_kuma_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'uptime-kuma']}] if uptime_kuma_enabled else [])
|
||||
}}
|
||||
|
||||
|
@ -58,6 +60,12 @@ devture_postgres_managed_databases_auto: |
|
|||
'username': miniflux_database_username,
|
||||
'password': miniflux_database_password,
|
||||
}] if miniflux_enabled else [])
|
||||
+
|
||||
([{
|
||||
'name': vaultwarden_database_name,
|
||||
'username': vaultwarden_database_username,
|
||||
'password': vaultwarden_database_password,
|
||||
}] if vaultwarden_enabled else [])
|
||||
}}
|
||||
|
||||
########################################################################
|
||||
|
@ -261,6 +269,51 @@ radicale_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certReso
|
|||
|
||||
|
||||
|
||||
########################################################################
|
||||
# #
|
||||
# vaultwarden #
|
||||
# #
|
||||
########################################################################
|
||||
|
||||
vaultwarden_enable: false
|
||||
|
||||
vaultwarden_identifier: mash-vaultwarden
|
||||
|
||||
vaultwarden_uid: "{{ mash_playbook_uid }}"
|
||||
vaultwarden_gid: "{{ mash_playbook_gid }}"
|
||||
|
||||
vaultwarden_base_path: "{{ mash_playbook_base_path }}/vaultwarden"
|
||||
|
||||
vaultwarden_systemd_required_systemd_services_list: |
|
||||
{{
|
||||
(['docker.service'])
|
||||
+
|
||||
([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])
|
||||
}}
|
||||
|
||||
vaultwarden_container_additional_networks: |
|
||||
{{
|
||||
([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
|
||||
+
|
||||
([devture_postgres_container_network] if devture_postgres_enabled and vaultwarden_database_hostname == devture_postgres_identifier and vaultwarden_container_network != devture_postgres_container_network else [])
|
||||
}}
|
||||
|
||||
vaultwarden_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
|
||||
vaultwarden_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
|
||||
|
||||
vaultwarden_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}"
|
||||
vaultwarden_database_port: "{{ '5432' if devture_postgres_enabled else '' }}"
|
||||
vaultwarden_database_username: "vaultwarden"
|
||||
vaultwarden_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'db.vaultwarden', rounds=655555) | to_uuid }}"
|
||||
|
||||
########################################################################
|
||||
# #
|
||||
# /vaultwarden #
|
||||
# #
|
||||
########################################################################
|
||||
|
||||
|
||||
|
||||
########################################################################
|
||||
# #
|
||||
# etke/uptime_kuma #
|
||||
|
|
|
@ -41,3 +41,7 @@
|
|||
|
||||
- src: git+https://gitlab.com/etke.cc/roles/uptime_kuma.git
|
||||
version: v1.20.2-1
|
||||
|
||||
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git
|
||||
name: vaultwarden
|
||||
version: v1.27.0-0
|
||||
|
|
|
@ -48,6 +48,8 @@
|
|||
|
||||
- role: galaxy/radicale
|
||||
|
||||
- role: galaxy/vaultwarden
|
||||
|
||||
- role: galaxy/uptime_kuma
|
||||
|
||||
- when: devture_systemd_service_manager_enabled | bool
|
||||
|
|
Loading…
Reference in a new issue