add vaultwarden config

This commit is contained in:
Elizabeth Hunt 2024-01-15 16:04:36 -07:00
parent a1ff343f7d
commit e068478865
Signed by: simponic
GPG Key ID: 52B3774857EB24B1
8 changed files with 115 additions and 0 deletions

View File

@ -8,3 +8,6 @@ PIHOLE_WEBPWD=
STEP_CA_ROOT_PASSWORD=
STEP_CA_INTERMEDIATE_PASSWORD=
OPENVPN_USER=
VAULTWARDEN_ADMIN_TOKEN=
INFO_FROM_PASSWORD=

4
deploy-vaultwarden.yml Normal file
View File

@ -0,0 +1,4 @@
- name: vaultwarden setup
hosts: vaultwarden
roles:
- vaultwarden

View File

@ -0,0 +1,2 @@
---
vaultwarden_admin_token: "{{ lookup('env', 'VAULTWARDEN_ADMIN_TOKEN') }}"

View File

@ -34,6 +34,9 @@ johan ansible_user=root ansible_connection=ssh
[pihole]
johan ansible_user=root ansible_connection=ssh
[vaultwarden]
johan ansible_user=root ansible_connection=ssh
[lldap]
johan ansible_user=root ansible_connection=ssh

View File

@ -0,0 +1,13 @@
server {
listen 80;
server_name vaultwarden.internal.simponic.xyz;
location /.well-known/acme-challenge {
root /var/www/letsencrypt;
try_files $uri $uri/ =404;
}
location / {
rewrite ^ https://vaultwarden.internal.simponic.xyz$request_uri? permanent;
}
}

View File

@ -0,0 +1,32 @@
server {
listen 443 ssl;
server_name vaultwarden.internal.simponic.xyz;
ssl_certificate /etc/letsencrypt/live/vaultwarden.internal.simponic.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/vaultwarden.internal.simponic.xyz/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/vaultwarden.internal.simponic.xyz/fullchain.pem;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://127.0.0.1:8652;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $server_name;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
}
}

View File

@ -0,0 +1,22 @@
---
- name: ensure vaultwarden docker/compose exist
file:
path: /etc/docker/compose/vaultwarden
state: directory
owner: root
group: root
mode: 0700
- name: build vaultwarden docker-compose.yml.j2
template:
src: ../templates/docker-compose.yml.j2
dest: /etc/docker/compose/vaultwarden/docker-compose.yml
owner: root
group: root
mode: u=rw,g=r,o=r
- name: daemon-reload and enable vaultwarden
ansible.builtin.systemd_service:
state: restarted
enabled: true
name: docker-compose@vaultwarden

View File

@ -0,0 +1,36 @@
version: '3'
services:
vaultwarden:
container_name: vaultwarden
image: vaultwarden/server:latest
restart: unless-stopped
volumes:
- ./data/:/data/
ports:
- 8652:80
environment:
- DOMAIN=https://vaultwarden.internal.simponic.xyz
- LOGIN_RATELIMIT_MAX_BURST=10
- LOGIN_RATELIMIT_SECONDS=60
- ADMIN_RATELIMIT_MAX_BURST=10
- ADMIN_RATELIMIT_SECONDS=60
- ADMIN_TOKEN={{ vaultwarden_admin_token }}
- SENDS_ALLOWED=true
- EMERGENCY_ACCESS_ALLOWED=true
- WEB_VAULT_ENABLED=true
- SIGNUPS_ALLOWED=false
- SIGNUPS_VERIFY=true
- SIGNUPS_VERIFY_RESEND_TIME=3600
- SIGNUPS_VERIFY_RESEND_LIMIT=5
- SIGNUPS_DOMAINS_WHITELIST=simponic.xyz
- SMTP_HOST=mail.simponic.xyz
- SMTP_FROM=info@simponic.xyz
- SMTP_FROM_NAME=VaultWarden
- SMTP_SECURITY=starttls
- SMTP_PORT=587
- SMTP_USERNAME=info@simponic.xyz
- SMTP_PASSWORD={{ email_password }}
- SMTP_AUTH_MECHANISM="Plain"