diff --git a/.env.sample b/.env.sample index 2fcb0ed..4c6f97e 100644 --- a/.env.sample +++ b/.env.sample @@ -8,3 +8,6 @@ PIHOLE_WEBPWD= STEP_CA_ROOT_PASSWORD= STEP_CA_INTERMEDIATE_PASSWORD= OPENVPN_USER= + +VAULTWARDEN_ADMIN_TOKEN= +INFO_FROM_PASSWORD= \ No newline at end of file diff --git a/deploy-vaultwarden.yml b/deploy-vaultwarden.yml new file mode 100644 index 0000000..08923d1 --- /dev/null +++ b/deploy-vaultwarden.yml @@ -0,0 +1,4 @@ +- name: vaultwarden setup + hosts: vaultwarden + roles: + - vaultwarden diff --git a/group_vars/vaultwarden.yml b/group_vars/vaultwarden.yml new file mode 100644 index 0000000..6ada896 --- /dev/null +++ b/group_vars/vaultwarden.yml @@ -0,0 +1,3 @@ +--- +vaultwarden_admin_token: "{{ lookup('env', 'VAULTWARDEN_ADMIN_TOKEN') }}" +email_password: "{{ lookup('env', 'INFO_FROM_PASSWORD') }}" diff --git a/inventory b/inventory index 17e7e07..fe8727c 100644 --- a/inventory +++ b/inventory @@ -34,6 +34,9 @@ johan ansible_user=root ansible_connection=ssh [pihole] johan ansible_user=root ansible_connection=ssh +[vaultwarden] +johan ansible_user=root ansible_connection=ssh + [lldap] johan ansible_user=root ansible_connection=ssh diff --git a/roles/private/files/johan/http.vaultwarden.internal.simponic.xyz.conf b/roles/private/files/johan/http.vaultwarden.internal.simponic.xyz.conf new file mode 100644 index 0000000..77f8790 --- /dev/null +++ b/roles/private/files/johan/http.vaultwarden.internal.simponic.xyz.conf @@ -0,0 +1,13 @@ +server { + listen 80; + server_name vaultwarden.internal.simponic.xyz; + + location /.well-known/acme-challenge { + root /var/www/letsencrypt; + try_files $uri $uri/ =404; + } + + location / { + rewrite ^ https://vaultwarden.internal.simponic.xyz$request_uri? permanent; + } +} diff --git a/roles/private/files/johan/https.vaultwarden.internal.simponic.xyz.conf b/roles/private/files/johan/https.vaultwarden.internal.simponic.xyz.conf new file mode 100644 index 0000000..4b7ba2c --- /dev/null +++ b/roles/private/files/johan/https.vaultwarden.internal.simponic.xyz.conf @@ -0,0 +1,32 @@ +server { + listen 443 ssl; + server_name vaultwarden.internal.simponic.xyz; + + ssl_certificate /etc/letsencrypt/live/vaultwarden.internal.simponic.xyz/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/vaultwarden.internal.simponic.xyz/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/vaultwarden.internal.simponic.xyz/fullchain.pem; + + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 5m; + ssl_stapling on; + ssl_stapling_verify on; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + + ssl_dhparam /etc/nginx/dhparams.pem; + ssl_prefer_server_ciphers on; + + location / { + proxy_pass http://127.0.0.1:8652; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $server_name; + proxy_buffering off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + } +} diff --git a/roles/vaultwarden/tasks/main.yml b/roles/vaultwarden/tasks/main.yml new file mode 100644 index 0000000..5c57bb5 --- /dev/null +++ b/roles/vaultwarden/tasks/main.yml @@ -0,0 +1,22 @@ +--- +- name: ensure vaultwarden docker/compose exist + file: + path: /etc/docker/compose/vaultwarden + state: directory + owner: root + group: root + mode: 0700 + +- name: build vaultwarden docker-compose.yml.j2 + template: + src: ../templates/docker-compose.yml.j2 + dest: /etc/docker/compose/vaultwarden/docker-compose.yml + owner: root + group: root + mode: u=rw,g=r,o=r + +- name: daemon-reload and enable vaultwarden + ansible.builtin.systemd_service: + state: restarted + enabled: true + name: docker-compose@vaultwarden diff --git a/roles/vaultwarden/templates/docker-compose.yml.j2 b/roles/vaultwarden/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..6224524 --- /dev/null +++ b/roles/vaultwarden/templates/docker-compose.yml.j2 @@ -0,0 +1,36 @@ +version: '3' + +services: + vaultwarden: + container_name: vaultwarden + image: vaultwarden/server:latest + restart: unless-stopped + volumes: + - ./data/:/data/ + ports: + - 8652:80 + environment: + - DOMAIN=https://vaultwarden.internal.simponic.xyz + - LOGIN_RATELIMIT_MAX_BURST=10 + - LOGIN_RATELIMIT_SECONDS=60 + - ADMIN_RATELIMIT_MAX_BURST=10 + - ADMIN_RATELIMIT_SECONDS=60 + - ADMIN_TOKEN={{ vaultwarden_admin_token }} + - SENDS_ALLOWED=true + - EMERGENCY_ACCESS_ALLOWED=true + - WEB_VAULT_ENABLED=true + + - SIGNUPS_ALLOWED=false + - SIGNUPS_VERIFY=true + - SIGNUPS_VERIFY_RESEND_TIME=3600 + - SIGNUPS_VERIFY_RESEND_LIMIT=5 + - SIGNUPS_DOMAINS_WHITELIST=simponic.xyz + + - SMTP_HOST=mail.simponic.xyz + - SMTP_FROM=info@simponic.xyz + - SMTP_FROM_NAME=VaultWarden + - SMTP_SECURITY=starttls + - SMTP_PORT=587 + - SMTP_USERNAME=info@simponic.xyz + - SMTP_PASSWORD={{ email_password }} + - SMTP_AUTH_MECHANISM="Plain" \ No newline at end of file