Merge pull request 'vaultwarden' (#1) from vaultwarden into main
Reviewed-on: #1
This commit is contained in:
commit
bc40fcae37
@ -8,3 +8,6 @@ PIHOLE_WEBPWD=
|
||||
STEP_CA_ROOT_PASSWORD=
|
||||
STEP_CA_INTERMEDIATE_PASSWORD=
|
||||
OPENVPN_USER=
|
||||
|
||||
VAULTWARDEN_ADMIN_TOKEN=
|
||||
INFO_FROM_PASSWORD=
|
4
deploy-vaultwarden.yml
Normal file
4
deploy-vaultwarden.yml
Normal file
@ -0,0 +1,4 @@
|
||||
- name: vaultwarden setup
|
||||
hosts: vaultwarden
|
||||
roles:
|
||||
- vaultwarden
|
3
group_vars/vaultwarden.yml
Normal file
3
group_vars/vaultwarden.yml
Normal file
@ -0,0 +1,3 @@
|
||||
---
|
||||
vaultwarden_admin_token: "{{ lookup('env', 'VAULTWARDEN_ADMIN_TOKEN') }}"
|
||||
email_password: "{{ lookup('env', 'INFO_FROM_PASSWORD') }}"
|
@ -34,6 +34,9 @@ johan ansible_user=root ansible_connection=ssh
|
||||
[pihole]
|
||||
johan ansible_user=root ansible_connection=ssh
|
||||
|
||||
[vaultwarden]
|
||||
johan ansible_user=root ansible_connection=ssh
|
||||
|
||||
[lldap]
|
||||
johan ansible_user=root ansible_connection=ssh
|
||||
|
||||
|
@ -0,0 +1,13 @@
|
||||
server {
|
||||
listen 80;
|
||||
server_name vaultwarden.internal.simponic.xyz;
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
root /var/www/letsencrypt;
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
location / {
|
||||
rewrite ^ https://vaultwarden.internal.simponic.xyz$request_uri? permanent;
|
||||
}
|
||||
}
|
@ -0,0 +1,32 @@
|
||||
server {
|
||||
listen 443 ssl;
|
||||
server_name vaultwarden.internal.simponic.xyz;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/vaultwarden.internal.simponic.xyz/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/vaultwarden.internal.simponic.xyz/privkey.pem;
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/vaultwarden.internal.simponic.xyz/fullchain.pem;
|
||||
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_timeout 5m;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
||||
|
||||
ssl_dhparam /etc/nginx/dhparams.pem;
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:8652;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $server_name;
|
||||
proxy_buffering off;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
||||
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
||||
}
|
||||
}
|
22
roles/vaultwarden/tasks/main.yml
Normal file
22
roles/vaultwarden/tasks/main.yml
Normal file
@ -0,0 +1,22 @@
|
||||
---
|
||||
- name: ensure vaultwarden docker/compose exist
|
||||
file:
|
||||
path: /etc/docker/compose/vaultwarden
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0700
|
||||
|
||||
- name: build vaultwarden docker-compose.yml.j2
|
||||
template:
|
||||
src: ../templates/docker-compose.yml.j2
|
||||
dest: /etc/docker/compose/vaultwarden/docker-compose.yml
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=rw,g=r,o=r
|
||||
|
||||
- name: daemon-reload and enable vaultwarden
|
||||
ansible.builtin.systemd_service:
|
||||
state: restarted
|
||||
enabled: true
|
||||
name: docker-compose@vaultwarden
|
36
roles/vaultwarden/templates/docker-compose.yml.j2
Normal file
36
roles/vaultwarden/templates/docker-compose.yml.j2
Normal file
@ -0,0 +1,36 @@
|
||||
version: '3'
|
||||
|
||||
services:
|
||||
vaultwarden:
|
||||
container_name: vaultwarden
|
||||
image: vaultwarden/server:latest
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- ./data/:/data/
|
||||
ports:
|
||||
- 8652:80
|
||||
environment:
|
||||
- DOMAIN=https://vaultwarden.internal.simponic.xyz
|
||||
- LOGIN_RATELIMIT_MAX_BURST=10
|
||||
- LOGIN_RATELIMIT_SECONDS=60
|
||||
- ADMIN_RATELIMIT_MAX_BURST=10
|
||||
- ADMIN_RATELIMIT_SECONDS=60
|
||||
- ADMIN_TOKEN={{ vaultwarden_admin_token }}
|
||||
- SENDS_ALLOWED=true
|
||||
- EMERGENCY_ACCESS_ALLOWED=true
|
||||
- WEB_VAULT_ENABLED=true
|
||||
|
||||
- SIGNUPS_ALLOWED=false
|
||||
- SIGNUPS_VERIFY=true
|
||||
- SIGNUPS_VERIFY_RESEND_TIME=3600
|
||||
- SIGNUPS_VERIFY_RESEND_LIMIT=5
|
||||
- SIGNUPS_DOMAINS_WHITELIST=simponic.xyz
|
||||
|
||||
- SMTP_HOST=mail.simponic.xyz
|
||||
- SMTP_FROM=info@simponic.xyz
|
||||
- SMTP_FROM_NAME=VaultWarden
|
||||
- SMTP_SECURITY=starttls
|
||||
- SMTP_PORT=587
|
||||
- SMTP_USERNAME=info@simponic.xyz
|
||||
- SMTP_PASSWORD={{ email_password }}
|
||||
- SMTP_AUTH_MECHANISM="Plain"
|
Loading…
Reference in New Issue
Block a user