vaultwarden #1
@ -8,3 +8,6 @@ PIHOLE_WEBPWD=
|
|||||||
STEP_CA_ROOT_PASSWORD=
|
STEP_CA_ROOT_PASSWORD=
|
||||||
STEP_CA_INTERMEDIATE_PASSWORD=
|
STEP_CA_INTERMEDIATE_PASSWORD=
|
||||||
OPENVPN_USER=
|
OPENVPN_USER=
|
||||||
|
|
||||||
|
VAULTWARDEN_ADMIN_TOKEN=
|
||||||
|
INFO_FROM_PASSWORD=
|
4
deploy-vaultwarden.yml
Normal file
4
deploy-vaultwarden.yml
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
- name: vaultwarden setup
|
||||||
|
hosts: vaultwarden
|
||||||
|
roles:
|
||||||
|
- vaultwarden
|
2
group_vars/vaultwarden.yml
Normal file
2
group_vars/vaultwarden.yml
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
---
|
||||||
|
vaultwarden_admin_token: "{{ lookup('env', 'VAULTWARDEN_ADMIN_TOKEN') }}"
|
@ -34,6 +34,9 @@ johan ansible_user=root ansible_connection=ssh
|
|||||||
[pihole]
|
[pihole]
|
||||||
johan ansible_user=root ansible_connection=ssh
|
johan ansible_user=root ansible_connection=ssh
|
||||||
|
|
||||||
|
[vaultwarden]
|
||||||
|
johan ansible_user=root ansible_connection=ssh
|
||||||
|
|
||||||
[lldap]
|
[lldap]
|
||||||
johan ansible_user=root ansible_connection=ssh
|
johan ansible_user=root ansible_connection=ssh
|
||||||
|
|
||||||
|
@ -0,0 +1,13 @@
|
|||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name vaultwarden.internal.simponic.xyz;
|
||||||
|
|
||||||
|
location /.well-known/acme-challenge {
|
||||||
|
root /var/www/letsencrypt;
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
rewrite ^ https://vaultwarden.internal.simponic.xyz$request_uri? permanent;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,32 @@
|
|||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
server_name vaultwarden.internal.simponic.xyz;
|
||||||
|
|
||||||
|
ssl_certificate /etc/letsencrypt/live/vaultwarden.internal.simponic.xyz/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/vaultwarden.internal.simponic.xyz/privkey.pem;
|
||||||
|
ssl_trusted_certificate /etc/letsencrypt/live/vaultwarden.internal.simponic.xyz/fullchain.pem;
|
||||||
|
|
||||||
|
ssl_session_cache shared:SSL:50m;
|
||||||
|
ssl_session_timeout 5m;
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
|
||||||
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||||
|
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
||||||
|
|
||||||
|
ssl_dhparam /etc/nginx/dhparams.pem;
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://127.0.0.1:8652;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "upgrade";
|
||||||
|
proxy_set_header Host $server_name;
|
||||||
|
proxy_buffering off;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
||||||
|
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
|
||||||
|
}
|
||||||
|
}
|
22
roles/vaultwarden/tasks/main.yml
Normal file
22
roles/vaultwarden/tasks/main.yml
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
---
|
||||||
|
- name: ensure vaultwarden docker/compose exist
|
||||||
|
file:
|
||||||
|
path: /etc/docker/compose/vaultwarden
|
||||||
|
state: directory
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0700
|
||||||
|
|
||||||
|
- name: build vaultwarden docker-compose.yml.j2
|
||||||
|
template:
|
||||||
|
src: ../templates/docker-compose.yml.j2
|
||||||
|
dest: /etc/docker/compose/vaultwarden/docker-compose.yml
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: u=rw,g=r,o=r
|
||||||
|
|
||||||
|
- name: daemon-reload and enable vaultwarden
|
||||||
|
ansible.builtin.systemd_service:
|
||||||
|
state: restarted
|
||||||
|
enabled: true
|
||||||
|
name: docker-compose@vaultwarden
|
36
roles/vaultwarden/templates/docker-compose.yml.j2
Normal file
36
roles/vaultwarden/templates/docker-compose.yml.j2
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
version: '3'
|
||||||
|
|
||||||
|
services:
|
||||||
|
vaultwarden:
|
||||||
|
container_name: vaultwarden
|
||||||
|
image: vaultwarden/server:latest
|
||||||
|
restart: unless-stopped
|
||||||
|
volumes:
|
||||||
|
- ./data/:/data/
|
||||||
|
ports:
|
||||||
|
- 8652:80
|
||||||
|
environment:
|
||||||
|
- DOMAIN=https://vaultwarden.internal.simponic.xyz
|
||||||
|
- LOGIN_RATELIMIT_MAX_BURST=10
|
||||||
|
- LOGIN_RATELIMIT_SECONDS=60
|
||||||
|
- ADMIN_RATELIMIT_MAX_BURST=10
|
||||||
|
- ADMIN_RATELIMIT_SECONDS=60
|
||||||
|
- ADMIN_TOKEN={{ vaultwarden_admin_token }}
|
||||||
|
- SENDS_ALLOWED=true
|
||||||
|
- EMERGENCY_ACCESS_ALLOWED=true
|
||||||
|
- WEB_VAULT_ENABLED=true
|
||||||
|
|
||||||
|
- SIGNUPS_ALLOWED=false
|
||||||
|
- SIGNUPS_VERIFY=true
|
||||||
|
- SIGNUPS_VERIFY_RESEND_TIME=3600
|
||||||
|
- SIGNUPS_VERIFY_RESEND_LIMIT=5
|
||||||
|
- SIGNUPS_DOMAINS_WHITELIST=simponic.xyz
|
||||||
|
|
||||||
|
- SMTP_HOST=mail.simponic.xyz
|
||||||
|
- SMTP_FROM=info@simponic.xyz
|
||||||
|
- SMTP_FROM_NAME=VaultWarden
|
||||||
|
- SMTP_SECURITY=starttls
|
||||||
|
- SMTP_PORT=587
|
||||||
|
- SMTP_USERNAME=info@simponic.xyz
|
||||||
|
- SMTP_PASSWORD={{ email_password }}
|
||||||
|
- SMTP_AUTH_MECHANISM="Plain"
|
Loading…
Reference in New Issue
Block a user