.env.sample

@@ -8,3 +8,6 @@ PIHOLE_WEBPWD=
 STEP_CA_ROOT_PASSWORD=
 STEP_CA_INTERMEDIATE_PASSWORD=
 OPENVPN_USER=
+
+VAULTWARDEN_ADMIN_TOKEN=
+INFO_FROM_PASSWORD=

deploy-vaultwarden.yml

@@ -0,0 +1,4 @@
+- name: vaultwarden setup
+  hosts: vaultwarden
+  roles:
+    - vaultwarden

group_vars/vaultwarden.yml

@@ -0,0 +1,3 @@
+---
+vaultwarden_admin_token: "{{ lookup('env', 'VAULTWARDEN_ADMIN_TOKEN') }}"
+email_password: "{{ lookup('env', 'INFO_FROM_PASSWORD') }}"

inventory

@@ -34,6 +34,9 @@ johan ansible_user=root ansible_connection=ssh
 [pihole]
 johan  ansible_user=root ansible_connection=ssh
 
+[vaultwarden]
+johan  ansible_user=root ansible_connection=ssh
+
 [lldap]
 johan  ansible_user=root ansible_connection=ssh
 

roles/private/files/johan/http.vaultwarden.internal.simponic.xyz.conf

@@ -0,0 +1,13 @@
+server {
+  listen 80;
+  server_name vaultwarden.internal.simponic.xyz;
+
+  location /.well-known/acme-challenge {
+    root /var/www/letsencrypt;
+    try_files $uri $uri/ =404;
+  }
+
+  location / {
+    rewrite ^ https://vaultwarden.internal.simponic.xyz$request_uri? permanent;
+  }
+}

roles/private/files/johan/https.vaultwarden.internal.simponic.xyz.conf

@@ -0,0 +1,32 @@
+server {
+  listen 443 ssl;
+  server_name vaultwarden.internal.simponic.xyz;
+
+  ssl_certificate         /etc/letsencrypt/live/vaultwarden.internal.simponic.xyz/fullchain.pem;
+  ssl_certificate_key     /etc/letsencrypt/live/vaultwarden.internal.simponic.xyz/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/vaultwarden.internal.simponic.xyz/fullchain.pem;
+
+  ssl_session_cache shared:SSL:50m;
+  ssl_session_timeout 5m;
+  ssl_stapling on;
+  ssl_stapling_verify on;
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+  ssl_dhparam /etc/nginx/dhparams.pem;
+  ssl_prefer_server_ciphers on;
+
+  location / {
+    proxy_pass http://127.0.0.1:8652;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Host $server_name;
+    proxy_buffering off;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+  }
+}

roles/vaultwarden/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+- name: ensure vaultwarden docker/compose exist
+  file:
+    path: /etc/docker/compose/vaultwarden
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+
+- name: build vaultwarden docker-compose.yml.j2
+  template:
+    src: ../templates/docker-compose.yml.j2
+    dest: /etc/docker/compose/vaultwarden/docker-compose.yml
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
+- name: daemon-reload and enable vaultwarden
+  ansible.builtin.systemd_service:
+    state: restarted
+    enabled: true
+    name: docker-compose@vaultwarden

roles/vaultwarden/templates/docker-compose.yml.j2

@@ -0,0 +1,36 @@
+version: '3'
+
+services:
+  vaultwarden:
+    container_name: vaultwarden
+    image: vaultwarden/server:latest
+    restart: unless-stopped
+    volumes:
+      - ./data/:/data/
+    ports:
+      - 8652:80
+    environment:
+      - DOMAIN=https://vaultwarden.internal.simponic.xyz
+      - LOGIN_RATELIMIT_MAX_BURST=10
+      - LOGIN_RATELIMIT_SECONDS=60
+      - ADMIN_RATELIMIT_MAX_BURST=10
+      - ADMIN_RATELIMIT_SECONDS=60
+      - ADMIN_TOKEN={{ vaultwarden_admin_token }}
+      - SENDS_ALLOWED=true
+      - EMERGENCY_ACCESS_ALLOWED=true
+      - WEB_VAULT_ENABLED=true
+      
+      - SIGNUPS_ALLOWED=false
+      - SIGNUPS_VERIFY=true
+      - SIGNUPS_VERIFY_RESEND_TIME=3600
+      - SIGNUPS_VERIFY_RESEND_LIMIT=5
+      - SIGNUPS_DOMAINS_WHITELIST=simponic.xyz
+
+      - SMTP_HOST=mail.simponic.xyz
+      - SMTP_FROM=info@simponic.xyz
+      - SMTP_FROM_NAME=VaultWarden
+      - SMTP_SECURITY=starttls
+      - SMTP_PORT=587
+      - SMTP_USERNAME=info@simponic.xyz
+      - SMTP_PASSWORD={{ email_password }}
+      - SMTP_AUTH_MECHANISM="Plain"