vaultwarden: new role

2022-09-03 12:21:08 +02:00 · 2022-09-03 12:21:08 +02:00 · 14c055bff0
commit 14c055bff0
parent a08b2c047e
10 changed files with 304 additions and 102 deletions
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@ -161,4 +161,10 @@ slapd_root_hash: "{SSHA}OB75kTfH6JRyX0dA0fM8/8ldP89qyzb+"
 slapd_root_pass: "{{ vault_slapd_root_pass }}"
 slapd_san: ldap.binary.kitchen
 vaultwarden_domain: vault.binary-kitchen.de
 vaultwarden_dbname: vaultwarden
 vaultwarden_dbuser: vaultwarden
 vaultwarden_dbpass: "{{ vault_vaultwarden_dbpass }}"
 vaultwarden_token: "{{ vault_vaultwarden_token }}"
 workadventure_domain: wa.binary-kitchen.de
--- a/group_vars/all/vault.yml
+++ b/group_vars/all/vault.yml
@ -1,102 +1,110 @@
 $ANSIBLE_VAULT;1.1;AES256
-34313430623638333161613331623835666163626232326164366136373833633138373733333231
+39356339623163613730323336636362666334396239316561313565356362626630353633376265
-6563336334663666373235313064363364646361643033310a663033616232363434306230313765
+3839633232386162373936633161386265386563656464390a663136633330363039316232613833
-31386338646433393334663031623261353661333565663763363834313264363463383562633934
+65636634666266333537353638326561663063333038316563386565636239633737313037613566
-3663623932356635360a306231613431623763663130656634623365643730336564663862336536
+3835363937663238640a646334326131343632326136323266653061333162356338613638326264
-34663863313364613831656162663663646634636432656539643531326163653363376662393935
+63326362333065336665303362633362633236626362633333363765336633373738356462613937
-61343934313135623265646539616136306231633566616534383562393964663565323534386162
+30626163383432636162396366343738396633343635626664326235626137306462333866383333
-31646233313339383863313334353031386166653264353831383133633761306539636533656336
+61376532373165623837323061303433363936646638646132623236653065653136363231623838
-37643866646538316234633736613136356166613037383638303465663639633432326533653832
+31383766613032373636383163353764326633363964623661333638613736636337613465633231
-30313862646132393063393239656561646566336362643466386435613734623632613361323266
+30356339396537623361656362333230323131346264363835373439613862366138373266313735
-64316166313635306631396166303132626139386563613231646439356637393662623530353261
+63643237333438393763313863333738616233353962383063373938356434346263363031383536
-62326661663064393362653136346262313762376130623461313563613161623838356363306263
+62363938643431653039373338643434336566303434393530323335623763626331663463383033
-38376438333632623962646535313239343038383030383736313536303935346236326631616632
+66643436386432346332363735336336373436323966656662373066323334636165616231333463
-65376162613630343064356361336535623030316435333036363635623461626330663635653631
+31363538316333653233333133663138336130323363306263353031373765656635623564323830
-61313435373839366363613338666630366333383962393734333662646239663237386437373333
+31346430323163376432666364386533343532663131363233363634336165376662366465353833
-31373065336139643033643666653737306664626134643937343264646539616264393530343462
+66383835366337306131646637653032353837363937386230313730386631613838393632336365
-38366232393832666439383066383738643966363132663832396562646238306638343266353934
+66363133343430626561336664623665393366346331663139623938396365663338356539316234
-38396236373830303661336635646137306236386436343033383764666535323834313534346533
+33643838663664306230326163666637363236393965636431636562633938383363633730356332
-35333665303534383634303732346164616666643731313839353462343365356338386561613231
+33666330363363386633393736626636373765356364623937333063343039656635313536333431
-35333965353736386531356565376434393563653562373261633664623438346638613765303736
+65366263343632376330343662616538336361633233613965616239313631363233303732353931
-65336230636539613332616433326335326436333136636566383731306437663438306636363930
+30353561306630613763386432646264643438363561373934386631636333366362616465323661
-31376230353230613038636662623432646361383263663532396234656133333237333738666233
+32653231383533616661653663663465303063303036373938646361656434373735323334353339
-61613961343963393437393664393265306564373164316265363232303831663331393130356662
+34396132343335376366383537623334323134336362396333653133646164643961366465633134
-39313230616463636163386261353431356338353833393161313861643137646166363864313861
+62336438363634373037653230343931376633656236643735323035326533356630363863383232
-64306161653565396339656333346235346365373836373633376231333833313034353864656434
+65393763393164393031306434353066376432653830323766353832653864613438336264363936
-33623861326664356339336333663365663663353061323037346330653133396235363831623136
+66633666643130366633326666373531383561653936326335336464633935643935343836306361
-63343662356235633332373733626232353437373263343038663932636232363030336436616131
+63656332616536343961343733346462653032643037663566666536306238303837323133396136
-65376436663962363631386664353531303963313263633261633766326566383262643334646466
+62393561336535306462346636666638303033353131636366656163313730613663626638303063
-65363664306332656134633039643135323134616535613834313533626633353066343762646132
+64373565313537313365353133396464613630386634643664623664666638306662613962633734
-31353761373366313365373632366661646235333039656231323030366338326264333162646562
+64393734326233366266373437613364653862663831623366356563633235346165643062363137
-39343265376234363635306537636464323030316231306564316635656563303565336539326237
+39663034636436646662653438366363366433316333343563313330613930343636323037623937
-36393632386564343730616566373535616263383564343866353665373363363333343935346464
+37363637336663623432383330646235613764303561653135623535363135326563396435356636
-31646338353235356231353135663062323766663231383730396235373934303465346239303961
+61346130663666316464323332313766303965346139623338666265366438306463623633643832
-66646463663762633963336365356431323431383938373839346364303464633031633633663937
+61666466306535656339303264386438653439653737323462633435366564313461323165333233
-36646165633661633361313635393134646133363334373863663132376266336233336435356435
+32346135623362313563383865646436366563346139633632306566393235326163383539613837
-38303862613564363731313062316533633465353830316436326431656132353431373231646337
+62613138623532336436616435346634636139323164623331623635353136623637666436343539
-33343464353039623236643633636239343965643633343966326562343934313664633563613730
+37396663633431393061346535633164623439653766613438626661373232316331343562393430
-63313930643936393838636634613331633835656434646163386661663037376330646366656232
+32313036363338363362626261363931356234653031393162376161333564393437363230636334
-32623461633935353134343533626266653031666335336236343039363066396337633639363235
+35613835653963363466353265636238656565376633383062653564366439613866623661653434
-38626233383461356264616534656537633931663936383330386532363434383833613835613439
+61613566346436383932653734623266303135383131326637633039303864623362633561613366
-64306262626539623136376630646439353335623266306139306434663331346237306331666533
+34626437336364346663353562383566613966333931333332386666396234326436343461616334
-37363433343433363632336333633065313865626564633134616462393831626237333638333739
+32303863656563643732323961323965363234396136326339366330336232623733643362646430
-61623030386235666132666661623462323332393666623539636139326530623233396533373939
+62376430663136626632623962386437333337646330333533373130303766666262326232646231
-32396261306661663739333138353335663734316232303661353166376133653934306233343739
+63616466663063363561613764316233393834643761646639363635303662363465376161363461
-33353833323739343163396234633264373139346264653933633433393132363966636135393365
+62653033383336393832306334353037613962356163353931356239633964623162613432313065
-36363530396166363630643764633436663037666631343535366132373334663938333930396133
+35373638326632346666386565353739346465366532626534633830653661306563663162393261
-36303864303961333664653635343935353266396231313964646262363038626561653466646438
+32663661393462343361313134643462313162656366386234303631633962616635316265363637
-62306434373136393738303835656130333936663430636139383137633536383131616533613634
+31313765626264633230373063313830306431343137616433316331353038303730333665366238
-62343464636332343031326365383964326666636466666636663236633935356635336435313437
+35623439326133643264363038386538613666626332323533393833613433373061303230366363
-33626137326238356537353762613164653731326563663239316537646338643131643564663632
+36383838366166383532666263656338353933313031373161656364616366666332643834616337
-33353536383265303030343735616530666236343064323337623232396130393366363161356636
+38626638393235343264336339396135643738636163383365386130613834613933313633303862
-61333862313432323139313963386538393365373335373139353533356537383739373539646134
+34306131646230373035303831333234626438346630633236373263303566616263333061303565
-37623936653933326633643961313530663533326532383133353238303336643432353833393338
+33303539643931643735303761383830633434643963653735623737396432313234643239356539
-31633065666336373236386537636536326236636639376465346136326535653764373131636135
+39343033383735393362323830373232343338643162653038643132396237303936383961333564
-61393932643639383234396163326633393733616563343637613661326432623461393934653965
+62646239393364346337353337386439353333373739336334333638383462356563636434386439
-32643162386238316261633733613366323834393365633430643964666262306339633766613533
+63373032393235383537343961343433633463363037656434303262653339396161376338306363
-65366264313431333132303063393564383062346365633133383463376631303933643065613137
+64333530383461396638336164353534316636316530653135323334343236633338333934343739
-61383231393339363465363064633862633135326536663163366234623764626439346461303164
+62663234356338373965396634326433346562303062313030623038336331363565346263366330
-32373738636533306362333138643832643862656239303464373434303537653336646430356633
+38313835363737323662656236313662616563393233646562643266633433653237656438633336
-36626436356231616166666163346539633738623734343031373735346165303664346137343132
+33616132353030613165376538363665386466366637653763356339366466616430613138653136
-31663230343934333138656333626339623133323630336266353831653135616363333432616361
+65323433656365643764303134353530393833353335316532623866643338383038663436306637
-33613236623538333663366136656563663331366237303763653238336139363163366635646532
+63633131313036323937643938313235626530653633626562653236643134353738343739653331
-37316430623433336436376462656331373336303831393333626166346135333737326435353834
+37386139663666383865373861346438633565343333623933666533353831616630393233393765
-37636162646438313162303462633830353239623565393331316662616535343138613437653665
+34633237393632663333633631353538643833303036346232303566326363376461306665353664
-31316563346234633031653131666531333266306139346566383263303835343532363633373665
+64646561666361373738313464663631333866376461653231303930393763353066353530343566
-30336462626434393063343234356633636433356164363163363564383263623364386435383239
+32663863613531396639353562353731386163316539386231316262646363643030616535616439
-33323738366534633730666436303433343731306662393863323633653263316138386365376666
+66613734313865313931396331636231363466353633653362616131643033616236623631653432
-35316365303361623030383836316436323663646464386231346432396563663133643834383636
+61343937633039376131313264643833343633666264653337663265656464363634316230633539
-61326534313237316130393538613834656231303732656163346237643535663239366536636633
+38336361633666333665303034343034663137326535663466666434353438343262316139616233
-36306137616664623735613966343264653932363035373336636465323163393539363064386562
+36623735633838383230336332643565323935633766393963323330393866396138623933396138
-31626138316163393466323333613530376265386136376330636364363166323061383034623336
+33323465616563616566366230303933653763333336376364303039613662346238663265643663
-38643166363864383264373665323238326232376633653565356536376466303834313733613531
+37613632633663356630386336646562333735643935663439383837313766303235363832343135
-65333734353036303935333533306334306231373731353463346461353930316562316439356562
+64666263616534346232356564333964383833346231313062306135663032363262616466663532
-38336435366335333230323766626134376131323435323735653736336662313962393766383435
+63366438323361636561623031313431363831653132376631396536366130633031323939326635
-39323734643037643066363338373332653830393337306633336131663131616164336536393837
+34653435303735623866393035333838616563383732333362623239306434356163383637316166
-35383366316130343162663231343763373331613261393566366133346564636334643464373535
+31653332336439363230616137643230336137326237313938633266373435323038333061663731
-37633536323531613831656662323263316630623061383930363637346438623735383430366538
+37373736373164303030303139326139613162616236643433613037393061613233663938393039
-39303961326461323661346630313636643531303265393461373036306435353863643036623665
+30663737333632346132373766333133323763343761616331646133303539343562633038343739
-66333965303032653537613232633162303138343632396134336130333430636666376430323466
+35633534383261363562626432353739353936356234373234376334353633623636383237373862
-61323535313463653866666265313765623831376633666534623033643063386231623238656439
+33663732356166366463366134346661656632306432346166363138313865373166653864386565
-63323166373764306162613233323466366363666535643339646361306638343762393834343131
+65613462663431636164613765313636343234376164353034323233393435353430663534316438
-31393437373733343138306563363032353831616334383631656266346131303161633265343461
+39626339386231393135366263653337363165663137353861653662616430316638323832313432
-62343234383936303664643234323665343635626435613766343737396564656137393061666165
+33343265353361383833386434393366626665636533323366346563356231333137343538393636
-66313531666562303030323764356632626233333432343461393362303563643661336335366339
+38353362393537363862346364363533316662376233326265663533376634373534656136653939
-62346366643835303563646161366434386532363265313531303634336136653062613464376138
+35313837663031396637366334393432376235376137346631373163393838663464363461313135
-66336333623565623263363561303537303337623137656430353830353937323265313837333237
+34323261336139346439383437396165663162353038343639336535656264366531663063643166
-62343132326665326130376566626661366534353335366532623539303536323762646462306261
+34363566613934373832643438366333393330313562313936623231623637396630316166643138
-63383133633462376162316338663765393933663536663239636439643733376434333030616131
+62313666623536353866313233393561326261316438353133636164303764366435366236613836
-63326332336563326232346430643534336133376334646635653862333133306135666132353839
+35653565323433333134623637666464353034643563323131613230623534623765323661383231
-37336136346464363365633262623630343463343035666161626665663030346533303266313837
+31323366363363333965663263643436646437353930346536356136646635346133666265623836
-32323566393630626566393334353832383235626161343532323930656430343739663432333866
+66303366633731386233333164653437373235356663353035303137336630316632623231316336
-62663136333637663563366536303437363964666638326134373766313837383431663733383630
+30656338656539386535303964373330386137343233363538313961656336353736383936346436
-63336432656239393465353666383131326536643531663337396234396663373432303163653331
+65656538333861326337626637376638303237656134303533656462336233663036323435373261
-33626237386237626433653637313835376632613131663235353037336231613134633065323035
+31363936336161306563333536343138356635626339306361653336303339613732336130343362
-31366531343131303937663561336262623062313961366233633430323639383332656236363535
+65383538663563366565613335363564313763626639376138323138633630343135633464623865
-35353639633366366439666532326539666230323338643931383264306436386634316331393133
+34363831343762626536303331613939323938366534646662343965366130666139373939356664
-33393963303734303037353139356436313036343766646131333735356266333434333039363339
+30643038363666356636633165666434333335336665363465363363663039626636363162363361
-62396231303137303236626439633331306663313630653437363733656130653863646537316536
+61366239663333306138393762616330643433666331623465386536613531396162336261313936
-39346233633436323565363466653862333630633030666136613237333663643339306334613532
+33613966616533373538316563313431383265663266653466303534626463383663316662616139
-63343565393632353138616637356339623639373135636334333130323032346536626465323430
+30386261356439396339353130396166623065623663373933353663653335366662663739393465
-63383363313338636466316464303039633236343038613734633632633234313837656436663137
+64643333396564373966666137646531373533353835396433623263373334396234336537353764
-62643130383463333137363537646233613366653664613137623130333330636362
+30663132393432646533626163373133326638363963663737333063363635383065323264623439
 65383134343765383662373661383838313134346331373965306266323763373133663338386436
 36343634623936373332323032613566643635623236646562383962313363656331303637666637
 30633763616234616166656334613738613231386530633665643235303733623364383865636462
 66366533613361663535656632393665323264353165653732656430623031333332356365323733
 36386166303039343065363533393739636266663739383664316437356239646437373562643130
 64663365363064616166393832366134616462353963356437633432633138613766653764326135
 30373930313062653034616635656434653364336336346437393836333865303130616332623961
 3833
--- a/roles/vaultwarden/handlers/main.yml
+++ b/roles/vaultwarden/handlers/main.yml
@ -0,0 +1,13 @@
 ---
 - name: Reload systemd
  systemd: daemon_reload=yes
 - name: Restart vaultwarden
  service: name=vaultwarden state=restarted
 - name: Restart nginx
  service: name=nginx state=restarted
 - name: Run acertmgr
  command: /usr/bin/acertmgr
--- a/roles/vaultwarden/meta/main.yml
+++ b/roles/vaultwarden/meta/main.yml
@ -0,0 +1,5 @@
 ---
 dependencies:
 - { role: acertmgr }
 - { role: nginx, nginx_ssl: True }
--- a/roles/vaultwarden/tasks/main.yml
+++ b/roles/vaultwarden/tasks/main.yml
@ -0,0 +1,51 @@
 ---
 - name: Install packages
  apt:
    name:
    - docker-compose
 - name: Create vaultwarden group
  group: name=vaultwarden
 - name: Create vaultwarden user
  user:
    name: vaultwarden
    home: /opt/vaultwarden
    shell: /bin/bash
    group: vaultwarden
    groups: docker
 - name: Configure vaultwarden container
  template: src=docker-compose.yml.j2 dest=/opt/vaultwarden/docker-compose.yml
  notify: Restart vaultwarden
 - name: Ensure certificates are available
  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ vaultwarden_domain }}.key -out /etc/nginx/ssl/{{ vaultwarden_domain }}.crt -days 730 -subj "/CN={{ vaultwarden_domain }}" creates=/etc/nginx/ssl/{{ vaultwarden_domain }}.crt
  notify: Restart nginx
 - name: Configure certificate manager for vaultwarden
  template: src=certs.j2 dest=/etc/acertmgr/{{ vaultwarden_domain }}.conf
  notify: Run acertmgr
 - name: Configure vhost
  template: src=vhost.j2 dest=/etc/nginx/sites-available/vaultwarden
  notify: Restart nginx
 - name: Enable vhost
  file: src=/etc/nginx/sites-available/vaultwarden dest=/etc/nginx/sites-enabled/vaultwarden state=link
  notify: Restart nginx
 - name: Systemd unit for vaultwarden
  template: src=vaultwarden.service.j2 dest=/etc/systemd/system/vaultwarden.service
  notify:
  - Reload systemd
  - Restart vaultwarden
 - name: Start the vaultwarden service
  service: name=vaultwarden state=started enabled=yes
 - name: Enable monitoring
  include_role: name=icinga-monitor tasks_from=http
  vars:
    vhost: "{{ vaultwarden_domain }}"
--- a/roles/vaultwarden/templates/certs.j2
+++ b/roles/vaultwarden/templates/certs.j2
@ -0,0 +1,15 @@
 ---
 {{ vaultwarden_domain }}:
 - path: /etc/nginx/ssl/{{ vaultwarden_domain }}.key
  user: root
  group: root
  perm: '400'
  format: key
  action: '/usr/sbin/service nginx restart'
 - path: /etc/nginx/ssl/{{ vaultwarden_domain }}.crt
  user: root
  group: root
  perm: '400'
  format: crt,ca
  action: '/usr/sbin/service nginx restart'
--- a/roles/vaultwarden/templates/docker-compose.yml.j2
+++ b/roles/vaultwarden/templates/docker-compose.yml.j2
@ -0,0 +1,34 @@
 version: "3"
 services:
  database:
    image: postgres:13.4-alpine
    environment:
      - POSTGRES_USER={{ vaultwarden_dbuser }}
      - POSTGRES_PASSWORD={{ vaultwarden_dbpass }}
      - POSTGRES_DB={{ vaultwarden_dbname }}
    volumes:
      - ./database:/var/lib/postgresql/data
    restart: unless-stopped
  app:
    image: vaultwarden/server:latest
    environment:
     - DATABASE_URL=postgres://{{ vaultwarden_dbuser }}:{{ vaultwarden_dbpass }}@database/{{ vaultwarden_dbname }}
     - SIGNUPS_VERIFY=true
     - SIGNUPS_DOMAINS_WHITELIST=binary-kitchen.de
     - ADMIN_TOKEN={{ vaultwarden_token }}
     - ORG_ATTACHMENT_LIMIT=1024
     - USER_ATTACHMENT_LIMIT=1024
     - DOMAIN=http://{{ vaultwarden_domain }}
     - ROCKET_PORT=4000
     - SMTP_HOST=mail.binary-kitchen.de
     - SMTP_FROM=vaultwarden@binary-kitchen.de
     - SMTP_FROM_NAME=Vaultwarden
     - SMTP_PORT=25
     - HELO_NAME={{ ansible_fqdn }}
    volumes:
     - ./data:/data
    ports:
      - "127.0.0.1:4000:4000"
    restart: unless-stopped
    depends_on:
      - database
--- a/roles/vaultwarden/templates/vaultwarden.service.j2
+++ b/roles/vaultwarden/templates/vaultwarden.service.j2
@ -0,0 +1,28 @@
 [Unit]
 Description=vaultwarden service using docker compose
 Requires=docker.service
 After=docker.service
 Before=nginx.service
 [Service]
 Type=simple
 User=vaultwarden
 Group=vaultwarden
 Restart=always
 TimeoutStartSec=1200
 WorkingDirectory=/opt/vaultwarden
 # Make sure no old containers are running
 ExecStartPre=/usr/bin/docker-compose down -v
 # Compose up
 ExecStart=/usr/bin/docker-compose up
 # Compose down, remove containers and volumes
 ExecStop=/usr/bin/docker-compose down -v
 [Install]
 WantedBy=multi-user.target
--- a/roles/vaultwarden/templates/vhost.j2
+++ b/roles/vaultwarden/templates/vhost.j2
@ -0,0 +1,41 @@
 map $http_upgrade $connection_upgrade {
 	default	upgrade;
 	''	close;
 }
 server {
 	listen 80;
 	listen [::]:80;
 	server_name {{ vaultwarden_domain }};
 	location /.well-known/acme-challenge {
 		default_type "text/plain";
 		alias /var/www/acme-challenge;
 	}
 	location / {
 		return 301 https://{{ vaultwarden_domain }}$request_uri;
 	}
 }
 server {
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2;
 	server_name {{ vaultwarden_domain }};
 	ssl_certificate_key /etc/nginx/ssl/{{ vaultwarden_domain }}.key;
 	ssl_certificate /etc/nginx/ssl/{{ vaultwarden_domain }}.crt;
 	# set max upload size
 	client_max_body_size 8M;
 	location / {
 		proxy_pass http://localhost:4000;
 		proxy_set_header Host $host;
 		proxy_set_header X-Real-IP $remote_addr;
 		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 		proxy_set_header X-Forwarded-Proto $scheme;
 	}
 }
--- a/site.yml
+++ b/site.yml
@ -90,10 +90,11 @@
  roles:
  - nextcloud
- name: Setup hedgedoc server
+- name: Setup web server (dockerized)
  hosts: fluorine.binary-kitchen.net
  roles:
  - hedgedoc
  - vaultwarden
 - name: Setup authoritative dns server
  hosts: neon.binary-kitchen.net