From 7cf143fbe735b1ad97534c1927fc5801180fb5d3 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Fri, 14 May 2021 17:00:07 +0200
Subject: [PATCH] Update to 2021-05-14 17:00
---
roles/vaultwarden/defaults/main.yml | 56 +++++++-------
roles/vaultwarden/handlers/main.yml | 6 +-
roles/vaultwarden/meta/main.yml | 4 +-
roles/vaultwarden/tasks/archive_post.yml | 10 +--
roles/vaultwarden/tasks/archive_pre.yml | 32 ++++----
roles/vaultwarden/tasks/cleanup.yml | 10 +--
roles/vaultwarden/tasks/conf.yml | 10 +--
roles/vaultwarden/tasks/directories.yml | 11 +--
roles/vaultwarden/tasks/facts.yml | 85 +++++++++++----------
roles/vaultwarden/tasks/install.yml | 88 +++++++++++-----------
roles/vaultwarden/tasks/iptables.yml | 11 ++-
roles/vaultwarden/tasks/main.yml | 7 +-
roles/vaultwarden/tasks/migrate_bitwarden_rs.yml | 73 ++++++++++++++++++
roles/vaultwarden/tasks/service.yml | 6 +-
roles/vaultwarden/tasks/user.yml | 6 +-
roles/vaultwarden/tasks/write_version.yml | 8 +-
roles/vaultwarden/templates/nginx.conf.j2 | 30 ++++----
roles/vaultwarden/templates/post-backup.sh.j2 | 3 +-
roles/vaultwarden/templates/pre-backup.sh.j2 | 19 +++--
roles/vaultwarden/templates/vaultwarden.conf.j2 | 28 +++++++
roles/vaultwarden/templates/vaultwarden.service.j2 | 27 +++++++
21 files changed, 333 insertions(+), 197 deletions(-)
create mode 100644 roles/vaultwarden/tasks/migrate_bitwarden_rs.yml
create mode 100644 roles/vaultwarden/templates/vaultwarden.conf.j2
create mode 100644 roles/vaultwarden/templates/vaultwarden.service.j2
diff --git a/roles/vaultwarden/defaults/main.yml b/roles/vaultwarden/defaults/main.yml
index 63dcf4f..f420853 100644
--- a/roles/vaultwarden/defaults/main.yml
+++ b/roles/vaultwarden/defaults/main.yml
@@ -1,49 +1,49 @@ --- -bitwarden_version: 1.20.0 -bitwarden_archive_url: https://github.com/dani-garcia/bitwarden_rs/archive/{{ bitwarden_version }}.tar.gz -bitwarden_archive_sha1: 39354ae4124a95a7fcb53e81d6234c5599f609fa +vaultwarden_version: 1.21.0 +vaultwarden_archive_url: https://github.com/dani-garcia/vaultwarden/archive/{{ vaultwarden_version }}.tar.gz +vaultwarden_archive_sha1: b3671dc641e05a903b3ab96299e07700eede5126 -bitwarden_web_version: 2.19.0 -bitwarden_web_archive_url: https://github.com/dani-garcia/bw_web_builds/releases/download/v{{ bitwarden_web_version }}/bw_web_v{{ bitwarden_web_version }}.tar.gz -bitwarden_web_archive_sha1: dfb5acdad88bb6a915b7115739428278e7f3ea98 +vaultwarden_web_version: 2.20.1 +vaultwarden_web_archive_url: https://github.com/dani-garcia/bw_web_builds/releases/download/v{{ vaultwarden_web_version }}/bw_web_v{{ vaultwarden_web_version }}.tar.gz +vaultwarden_web_archive_sha1: 1ebfd6a26c373b415b34ef6f921ec582f1c75bc9 -bitwarden_root_dir: /opt/bitwarden_rs -bitwarden_user: bitwarden_rs +vaultwarden_root_dir: /opt/vaultwarden +vaultwarden_user: vaultwarden # Database : can be sqlite or mysql -bitwarden_db_engine: sqlite -bitwarden_db_server: "{{ mysql_server | default('localhost') }}" -bitwarden_db_port: 3306 -bitwarden_db_name: bitwardenrs -bitwarden_db_user: bitwardenrs +vaultwarden_db_engine: sqlite +vaultwarden_db_server: "{{ mysql_server | default('localhost') }}" +vaultwarden_db_port: 3306 +vaultwarden_db_name: vaultwarden +vaultwarden_db_user: vaultwarden # A random one will be created if not defined # bitwaren_db_pass: S3cr3t. 
-# Port on which bitwarden will bind -bitwarden_http_port: 8000 -bitwarden_ws_port: 8001 +# Port on which vaultwarden will bind +vaultwarden_http_port: 8000 +vaultwarden_ws_port: 8001 # List of IP addresses (can be CIDR notation) which will be able to -# access bitwarden ports -bitwarden_src_ip: [] -bitwarden_web_src_ip: [] +# access vaultwarden ports +vaultwarden_src_ip: [] +vaultwarden_web_src_ip: [] -# Public URL on which bitwarden will be accessible -bitwarden_public_url: http://{{ inventory_hostname }}:{{ bitwarden_http_port }} +# Public URL on which vaultwarden will be accessible +vaultwarden_public_url: http://{{ inventory_hostname }}:{{ vaultwarden_http_port }} # Should registration be enabled -bitwarden_registration: False +vaultwarden_registration: False # List of domain names for which registration will be accepted -# Those domains will be accepted for registration even if bitwarden_registration is set to False -bitwarden_domains_whitelist: +# Those domains will be accepted for registration even if vaultwarden_registration is set to False +vaultwarden_domains_whitelist: - "{{ ansible_domain }}" # Admin Token to access /admin. A random one is created if not defined -# bitwarden_admin_token: S3cr3t. +# vaultwarden_admin_token: S3cr3t. # Or you can just disable the admin token. But you have to protect /admin yourself (eg, on a reverse proxy) -bitwarden_disable_admin_token: False +vaultwarden_disable_admin_token: False # YubiKey settings -# bitwarden_yubico_client_id: XXXX -# bitwarden_yubico_secret_key: XXXX +# vaultwarden_yubico_client_id: XXXX +# vaultwarden_yubico_secret_key: XXXX diff --git a/roles/vaultwarden/handlers/main.yml b/roles/vaultwarden/handlers/main.yml index 2794df6..4456dad 100644 --- a/roles/vaultwarden/handlers/main.yml +++ b/roles/vaultwarden/handlers/main.yml 
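Review bot: The commented-out example for the database password at the end of the first stanza still reads `# bitwaren_db_pass: S3cr3t.` — misspelled and with the old prefix — while every other variable in this hunk is renamed and facts.yml consults `vaultwarden_db_pass`; it should become `# vaultwarden_db_pass: S3cr3t.`. A reader copying the example as written would define a variable nothing reads and silently get a randomly generated password instead. The same stanza keeps the archive digests as SHA-1 (`vaultwarden_archive_sha1`, `vaultwarden_web_archive_sha1`, consumed by the `checksum: sha1:` lines in install.yml); since get_url also accepts `sha256:` checksums, moving the digest and the variable name to SHA-256 is a cheap improvement the next version bump could carry, as the values have to be recomputed then anyway.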
@@ -1,5 +1,5 @@ --- -- name: restart bitwarden_rs - service: name=bitwarden_rs state=restarted - when: not bitwarden_started.changed +- name: restart vaultwarden + service: name=vaultwarden state=restarted + when: not vaultwarden_started.changed diff --git a/roles/vaultwarden/meta/main.yml b/roles/vaultwarden/meta/main.yml index 7c96be6..5fbca29 100644 --- a/roles/vaultwarden/meta/main.yml +++ b/roles/vaultwarden/meta/main.yml @@ -4,6 +4,6 @@ dependencies: - role: rust - role: nginx - role: repo_mariadb - when: bitwarden_db_engine == 'mysql' + when: vaultwarden_db_engine == 'mysql' - role: mysql_server - when: bitwarden_db_engine == 'mysql' and (bitwarden_db_server == 'localhost' or bitwarden_db_server == '127.0.0.1') + when: vaultwarden_db_engine == 'mysql' and (vaultwarden_db_server in ['localhost', '127.0.0.1']) diff --git a/roles/vaultwarden/tasks/archive_post.yml b/roles/vaultwarden/tasks/archive_post.yml index 0ed100d..aa370ed 100644 --- a/roles/vaultwarden/tasks/archive_post.yml +++ b/roles/vaultwarden/tasks/archive_post.yml @@ -1,12 +1,12 @@ --- - name: Compress previous version - command: tar cJf {{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}.txz ./ + command: tar cJf {{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }}.txz ./ args: warn: False - chdir: "{{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}" - tags: bitwarden + chdir: "{{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }}" + tags: vaultwarden - name: Remove archive dir - file: path={{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }} state=absent - tags: bitwarden + file: path={{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }} state=absent + tags: vaultwarden 
diff --git a/roles/vaultwarden/tasks/archive_pre.yml b/roles/vaultwarden/tasks/archive_pre.yml index c703fbe..52d3081 100644 --- a/roles/vaultwarden/tasks/archive_pre.yml +++ b/roles/vaultwarden/tasks/archive_pre.yml 
@@ -1,38 +1,38 @@ --- - name: Create archive dir - file: path={{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }} state=directory - tags: bitwarden + file: path={{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }} state=directory + tags: vaultwarden -- name: Stop bitwarden during upgrade - service: name=bitwarden_rs state=stopped - tags: bitwarden +- name: Stop vaultwarden during upgrade + service: name=vaultwarden state=stopped + tags: vaultwarden - name: Archive current version synchronize: - src: "{{ bitwarden_root_dir }}/{{ item }}" - dest: "{{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}/" + src: "{{ vaultwarden_root_dir }}/{{ item }}" + dest: "{{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }}/" recursive: True delete: True delegate_to: "{{ inventory_hostname }}" loop: - - bitwarden_rs + - vaultwarden - data - etc - web-vault - tags: bitwarden + tags: vaultwarden - name: Dump the database mysql_db: state: dump - name: "{{ bitwarden_db_name }}" - target: "{{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}/{{ bitwarden_db_name }}.sql.xz" - login_host: "{{ bitwarden_db_server }}" - login_user: "{{ bitwarden_db_user }}" - login_password: "{{ bitwarden_db_pass }}" + name: "{{ vaultwarden_db_name }}" + target: "{{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }}/{{ vaultwarden_db_name }}.sql.xz" + login_host: "{{ vaultwarden_db_server }}" + login_user: "{{ vaultwarden_db_user }}" + login_password: "{{ vaultwarden_db_pass }}" quick: True single_transaction: True environment: XZ_OPT: -T0 - when: bitwarden_db_engine == 'mysql' - tags: bitwarden + when: vaultwarden_db_engine == 'mysql' + tags: vaultwarden 
diff --git a/roles/vaultwarden/tasks/cleanup.yml b/roles/vaultwarden/tasks/cleanup.yml index 7832a7f..a9df0b5 100644 --- a/roles/vaultwarden/tasks/cleanup.yml +++ b/roles/vaultwarden/tasks/cleanup.yml @@ -3,8 +3,8 @@ - name: Remove temp files file: path={{ item }} state=absent loop: - - "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}" - - "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}.tar.gz" - - "{{ bitwarden_root_dir }}/tmp/web-vault" - - "{{ bitwarden_root_dir }}/tmp/bw_web_v{{ bitwarden_web_version }}.tar.gz" - tags: bitwarden + - "{{ vaultwarden_root_dir }}/tmp/vaultwarden-{{ vaultwarden_version }}" + - "{{ vaultwarden_root_dir }}/tmp/vaultwarden-{{ vaultwarden_version }}.tar.gz" + - "{{ vaultwarden_root_dir }}/tmp/web-vault" + - "{{ vaultwarden_root_dir }}/tmp/bw_web_v{{ vaultwarden_web_version }}.tar.gz" + tags: vaultwarden diff --git a/roles/vaultwarden/tasks/conf.yml b/roles/vaultwarden/tasks/conf.yml index b927011..5987c2a 100644 --- a/roles/vaultwarden/tasks/conf.yml +++ b/roles/vaultwarden/tasks/conf.yml @@ -1,11 +1,11 @@ --- - name: Deploy configuration - template: src=bitwarden_rs.conf.j2 dest={{ bitwarden_root_dir }}/etc/bitwarden_rs.conf group={{ bitwarden_user }} mode=640 - notify: restart bitwarden_rs - tags: bitwarden + template: src=vaultwarden.conf.j2 dest={{ vaultwarden_root_dir }}/etc/vaultwarden.conf group={{ vaultwarden_user }} mode=640 + notify: restart vaultwarden + tags: vaultwarden - name: Deploy nginx configuration - template: src=nginx.conf.j2 dest=/etc/nginx/ansible_conf.d/31-bitwarden.conf + template: src=nginx.conf.j2 dest=/etc/nginx/ansible_conf.d/31-vaultwarden.conf notify: reload nginx - tags: bitwarden + tags: vaultwarden diff --git a/roles/vaultwarden/tasks/directories.yml b/roles/vaultwarden/tasks/directories.yml index e25f096..f7f69db 100644 --- a/roles/vaultwarden/tasks/directories.yml +++ b/roles/vaultwarden/tasks/directories.yml 
@@ -1,12 +1,12 @@ --- - name: Create directories - file: path={{ bitwarden_root_dir }}/{{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }} + file: path={{ vaultwarden_root_dir }}/{{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }} loop: - dir: / mode: 755 - dir: etc - group: "{{ bitwarden_user }}" + group: "{{ vaultwarden_user }}" mode: 750 - dir: tmp mode: 700 @@ -15,10 +15,11 @@ - dir: archives mode: 700 - dir: data - owner: "{{ bitwarden_user }}" - group: "{{ bitwarden_user }}" + owner: "{{ vaultwarden_user }}" + group: "{{ vaultwarden_user }}" mode: 700 - dir: web-vault + - dir: bin - dir: backup mode: 700 - tags: bitwarden + tags: vaultwarden diff --git a/roles/vaultwarden/tasks/facts.yml b/roles/vaultwarden/tasks/facts.yml index cbe95c5..ff2273f 100644 --- a/roles/vaultwarden/tasks/facts.yml +++ b/roles/vaultwarden/tasks/facts.yml 
@@ -2,66 +2,73 @@ - name: Set initial install modes block: - - set_fact: bitwarden_install_mode='none' - - set_fact: bitwarden_current_version='' - - set_fact: bitwarden_web_install_mode='none' - - set_fact: bitwarden_web_current_version='' - tags: bitwarden + - set_fact: vaultwarden_install_mode='none' + - set_fact: vaultwarden_current_version='' + - set_fact: vaultwarden_web_install_mode='none' + - set_fact: vaultwarden_web_current_version='' + tags: vaultwarden + +- name: Check if we need to migrate from bitwarden_rs + block: + - stat: path=/etc/systemd/system/bitwarden_rs.service + register: vaultwarden_bitwarden_unit + - set_fact: vaultwarden_migrate_from_bitwarden={{ vaultwarden_bitwarden_unit.stat.exists }} + tags: vaultwarden - name: Check if server is installed - stat: path={{ bitwarden_root_dir }}/meta/ansible_version - register: bitwarden_version_file - tags: bitwarden + stat: path={{ vaultwarden_root_dir }}/meta/ansible_version + register: vaultwarden_version_file + tags: vaultwarden -- when: bitwarden_version_file.stat.exists +- when: vaultwarden_version_file.stat.exists block: - name: Check installed version - slurp: src={{ bitwarden_root_dir }}/meta/ansible_version - register: bitwarden_current_version - - set_fact: bitwarden_current_version={{ bitwarden_current_version.content | b64decode | trim }} - - set_fact: bitwarden_install_mode='upgrade' - when: bitwarden_current_version != bitwarden_version - tags: bitwarden + slurp: src={{ vaultwarden_root_dir }}/meta/ansible_version + register: vaultwarden_current_version + - set_fact: vaultwarden_current_version={{ vaultwarden_current_version.content | b64decode | trim }} + - set_fact: vaultwarden_install_mode='upgrade' + when: vaultwarden_current_version != vaultwarden_version + tags: vaultwarden -- when: not bitwarden_version_file.stat.exists +- when: not vaultwarden_version_file.stat.exists block: - - set_fact: bitwarden_install_mode='install' - tags: bitwarden + - set_fact: 
vaultwarden_install_mode='install' + tags: vaultwarden - name: Check if web vault is installed - stat: path={{ bitwarden_root_dir }}/meta/ansible_web_version - register: bitwarden_web_version_file - tags: bitwarden + stat: path={{ vaultwarden_root_dir }}/meta/ansible_web_version + register: vaultwarden_web_version_file + tags: vaultwarden -- when: bitwarden_web_version_file.stat.exists +- when: vaultwarden_web_version_file.stat.exists block: - name: Check installed version - slurp: src={{ bitwarden_root_dir }}/meta/ansible_web_version - register: bitwarden_web_current_version - - set_fact: bitwarden_web_current_version={{ bitwarden_web_current_version.content | b64decode | trim }} - - set_fact: bitwarden_web_install_mode='upgrade' - when: bitwarden_web_current_version != bitwarden_web_version - tags: bitwarden + slurp: src={{ vaultwarden_root_dir }}/meta/ansible_web_version + register: vaultwarden_web_current_version + - set_fact: vaultwarden_web_current_version={{ vaultwarden_web_current_version.content | b64decode | trim }} + - set_fact: vaultwarden_web_install_mode='upgrade' + when: vaultwarden_web_current_version != vaultwarden_web_version + tags: vaultwarden -- when: not bitwarden_web_version_file.stat.exists +- when: not vaultwarden_web_version_file.stat.exists block: - - set_fact: bitwarden_web_install_mode='install' - tags: bitwarden + - set_fact: vaultwarden_web_install_mode='install' + tags: vaultwarden -- when: bitwarden_admin_token is not defined +- when: vaultwarden_admin_token is not defined name: Generate a random admin token block: - import_tasks: ../includes/get_rand_pass.yml vars: - - pass_file: "{{ bitwarden_root_dir }}/meta/ansible_admin_token" - - set_fact: bitwarden_admin_token={{ rand_pass }} - tags: bitwarden + - pass_file: "{{ vaultwarden_root_dir }}/meta/ansible_admin_token" + - set_fact: vaultwarden_admin_token={{ rand_pass }} + tags: vaultwarden -- when: bitwarden_db_pass is not defined - tags: bitwarden +- when: vaultwarden_db_pass is 
not defined + tags: vaultwarden block: - import_tasks: ../includes/get_rand_pass.yml vars: - - pass_file: "{{ bitwarden_root_dir }}/meta/ansible_dbpass" - - set_fact: bitwarden_db_pass={{ rand_pass }} + - pass_file: "{{ vaultwarden_root_dir }}/meta/ansible_dbpass" + - set_fact: vaultwarden_db_pass={{ rand_pass }} diff --git a/roles/vaultwarden/tasks/install.yml b/roles/vaultwarden/tasks/install.yml index 0ec0731..768bd7f 100644 --- a/roles/vaultwarden/tasks/install.yml +++ b/roles/vaultwarden/tasks/install.yml @@ -6,23 +6,23 @@ - openssl-devel - gcc - sqlite - tags: bitwarden + tags: vaultwarden - name: Check if MariaDB version is set fail: msg="Need to define mysql_mariadb_version" when: - - bitwarden_db_engine == 'mysql' + - vaultwarden_db_engine == 'mysql' - mysql_mariadb_version is not defined or mysql_mariadb_version == 'default' - ansible_os_family == 'RedHat' - ansible_distribution_major_version is version('8','<') - tags: bitwarden + tags: vaultwarden - name: Install MariaDB devel package yum: name: - mariadb-devel - when: bitwarden_db_engine == 'mysql' - tags: bitwarden + when: vaultwarden_db_engine == 'mysql' + tags: vaultwarden # With upstream MariaDB repo, /usr/lib64/libmariadb.so is in MariaDB-shared not in MariaDB-devel - name: Install MariaDB shared libs 
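Review bot: The new migration flag is set with the inline form `set_fact: vaultwarden_migrate_from_bitwarden={{ vaultwarden_bitwarden_unit.stat.exists }}`, which renders the boolean to text and relies on set_fact's string-to-boolean coercion before main.yml uses it in a bare `when:`. Writing it in block form with an explicit filter, `vaultwarden_migrate_from_bitwarden: "{{ vaultwarden_bitwarden_unit.stat.exists | bool }}"`, makes the intended type visible to the next reader. The check also fires solely on the presence of `/etc/systemd/system/bitwarden_rs.service`, a file that migrate_bitwarden_rs.yml only removes in its final cleanup task, so an interrupted migration is retried on the next play; that looks intended but deserves a comment such as `# The old unit is removed at the very end of the migration, so an interrupted migration is re-run`.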
@@ -30,80 +30,80 @@ name: - MariaDB-shared when: - - bitwarden_db_engine == 'mysql' + - vaultwarden_db_engine == 'mysql' - mysql_mariadb_version is defined - mysql_mariadb_version != 'default' - tags: bitwarden + tags: vaultwarden -- when: bitwarden_install_mode != 'none' - tags: bitwarden +- when: vaultwarden_install_mode != 'none' + tags: vaultwarden block: - - name: Download bitwarden + - name: Download vaultwarden get_url: - url: "{{ bitwarden_archive_url }}" - dest: "{{ bitwarden_root_dir }}/tmp" - checksum: sha1:{{ bitwarden_archive_sha1 }} + url: "{{ vaultwarden_archive_url }}" + dest: "{{ vaultwarden_root_dir }}/tmp" + checksum: sha1:{{ vaultwarden_archive_sha1 }} - - name: Extract bitwarden archive + - name: Extract vaultwarden archive unarchive: - src: "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}.tar.gz" - dest: "{{ bitwarden_root_dir }}/tmp" + src: "{{ vaultwarden_root_dir }}/tmp/vaultwarden-{{ vaultwarden_version }}.tar.gz" + dest: "{{ vaultwarden_root_dir }}/tmp" remote_src: True - - name: Build bitwarden - command: bash -lc 'cargo build --features={{ (bitwarden_db_engine == "mysql") | ternary("mysql","sqlite") }} --release' + - name: Build vaultwarden + command: bash -lc 'cargo build --features={{ (vaultwarden_db_engine == "mysql") | ternary("mysql","sqlite") }} --release' args: - chdir: "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}" + chdir: "{{ vaultwarden_root_dir }}/tmp/vaultwarden-{{ vaultwarden_version }}" - name: Install binary - copy: src={{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}/target/release/bitwarden_rs dest="{{ bitwarden_root_dir }}/" mode=755 remote_src=True - notify: restart bitwarden_rs + copy: src={{ vaultwarden_root_dir }}/tmp/vaultwarden-{{ vaultwarden_version }}/target/release/vaultwarden dest="{{ vaultwarden_root_dir }}/bin/" mode=755 remote_src=True + notify: restart vaultwarden -- when: bitwarden_web_install_mode != 'none' - tags: bitwarden +- when: 
vaultwarden_web_install_mode != 'none' + tags: vaultwarden block: - - name: Download bitwarden web vault + - name: Download vaultwarden web vault get_url: - url: "{{ bitwarden_web_archive_url }}" - dest: "{{ bitwarden_root_dir }}/tmp" - checksum: sha1:{{ bitwarden_web_archive_sha1 }} + url: "{{ vaultwarden_web_archive_url }}" + dest: "{{ vaultwarden_root_dir }}/tmp" + checksum: sha1:{{ vaultwarden_web_archive_sha1 }} - name: Extract the archive unarchive: - src: "{{ bitwarden_root_dir }}/tmp/bw_web_v{{ bitwarden_web_version }}.tar.gz" - dest: "{{ bitwarden_root_dir }}/tmp" + src: "{{ vaultwarden_root_dir }}/tmp/bw_web_v{{ vaultwarden_web_version }}.tar.gz" + dest: "{{ vaultwarden_root_dir }}/tmp" remote_src: True - name: Move files to their final location synchronize: - src: "{{ bitwarden_root_dir }}/tmp/web-vault/" - dest: "{{ bitwarden_root_dir }}/web-vault/" + src: "{{ vaultwarden_root_dir }}/tmp/web-vault/" + dest: "{{ vaultwarden_root_dir }}/web-vault/" recursive: True delete: True delegate_to: "{{ inventory_hostname }}" - name: Install systemd unit - template: src=bitwarden_rs.service.j2 dest=/etc/systemd/system/bitwarden_rs.service - register: bitwarden_unit - tags: bitwarden + template: src=vaultwarden.service.j2 dest=/etc/systemd/system/vaultwarden.service + register: vaultwarden_unit + tags: vaultwarden - name: Reload systemd systemd: daemon_reload=True - when: bitwarden_unit.changed - tags: bitwarden + when: vaultwarden_unit.changed + tags: vaultwarden - name: Install pre/post backup hooks - template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/bitwarden_rs.sh mode=755 + template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/vaultwarden.sh mode=755 loop: - pre - post - tags: bitwarden + tags: vaultwarden - import_tasks: ../includes/webapps_create_mysql_db.yml vars: - - db_name: "{{ bitwarden_db_name }}" - - db_user: "{{ bitwarden_db_user }}" - - db_server: "{{ bitwarden_db_server }}" - - db_pass: "{{ bitwarden_db_pass }}" - 
when: bitwarden_db_engine == 'mysql' - tags: bitwarden + - db_name: "{{ vaultwarden_db_name }}" + - db_user: "{{ vaultwarden_db_user }}" + - db_server: "{{ vaultwarden_db_server }}" + - db_pass: "{{ vaultwarden_db_pass }}" + when: vaultwarden_db_engine == 'mysql' + tags: vaultwarden diff --git a/roles/vaultwarden/tasks/iptables.yml b/roles/vaultwarden/tasks/iptables.yml index d320360..a1c43ec 100644 --- a/roles/vaultwarden/tasks/iptables.yml +++ b/roles/vaultwarden/tasks/iptables.yml @@ -1,9 +1,8 @@ --- -- name: Handle bitwarden_rs ports in the firewall +- name: Handle vaultwarden ports in the firewall iptables_raw: - name: bitwarden_rs - state: "{{ (bitwarden_src_ip | length > 0) | ternary('present','absent') }}" - rules: "-A INPUT -m state --state NEW -m multiport -p tcp --dports {{ bitwarden_http_port }},{{ bitwarden_ws_port }} -s {{ bitwarden_src_ip | join(',') }} -j ACCEPT" - when: iptables_manage | default(True) - tags: firewall,bitwarden + name: vaultwarden + state: "{{ (vaultwarden_src_ip | length > 0) | ternary('present','absent') }}" + rules: "-A INPUT -m state --state NEW -m multiport -p tcp --dports {{ vaultwarden_http_port }},{{ vaultwarden_ws_port }} -s {{ vaultwarden_src_ip | join(',') }} -j ACCEPT" + tags: firewall,vaultwarden diff --git a/roles/vaultwarden/tasks/main.yml b/roles/vaultwarden/tasks/main.yml index ee1a661..549fbda 100644 --- a/roles/vaultwarden/tasks/main.yml +++ b/roles/vaultwarden/tasks/main.yml 
@@ -4,12 +4,15 @@ - include: directories.yml - include: facts.yml - include: archive_pre.yml - when: bitwarden_install_mode == 'upgrade' or bitwarden_web_install_mode == 'upgrade' + when: vaultwarden_install_mode == 'upgrade' or vaultwarden_web_install_mode == 'upgrade' - include: install.yml - include: conf.yml +- include: migrate_bitwarden_rs.yml + when: vaultwarden_migrate_from_bitwarden - include: iptables.yml + when: iptables_manage | default(True) - include: service.yml - include: write_version.yml - include: archive_post.yml - when: bitwarden_install_mode == 'upgrade' or bitwarden_web_install_mode == 'upgrade' + when: vaultwarden_install_mode == 'upgrade' or vaultwarden_web_install_mode == 'upgrade' - include: cleanup.yml diff --git a/roles/vaultwarden/tasks/migrate_bitwarden_rs.yml b/roles/vaultwarden/tasks/migrate_bitwarden_rs.yml new file mode 100644 index 0000000..e1b3e60 --- /dev/null +++ b/roles/vaultwarden/tasks/migrate_bitwarden_rs.yml 
@@ -0,0 +1,73 @@ +--- + +- name: Set bitwarden facts + block: + - set_fact: bitwarden_root_dir={{ bitwarden_root_dir | default('/opt/bitwarden_rs') }} + - set_fact: bitwarden_db_name={{ bitwarden_db_name | default('bitwardenrs') }} + tags: vaultwarden + +- name: Check if SQLite DB exists + stat: path={{ bitwarden_root_dir }}/data/db.sqlite3 + register: vaultwarden_bitwarden_sqlite + tags: vaultwarden + +- name: Stop the old service + service: name=bitwarden_rs state=stopped + tags: vaultwarden + +- name: Migrate data dir + synchronize: + src: "{{ bitwarden_root_dir }}/data/" + dest: "{{ vaultwarden_root_dir }}/data/" + compress: False + recursive: True + delegate_to: "{{ inventory_hostname }}" + tags: vaultwarden + +- name: Fix permissions on vaultwarden data dir + file: path={{ vaultwarden_root_dir }}/data/ recurse=True owner={{ vaultwarden_user }} group={{ vaultwarden_user }} + tags: vaultwarden + +# We assume vaultwarden was configured the same way bitwarden was, same db engine, db server etc. 
+# So here we just dump the database and inject the dump in the new DB +- when: vaultwarden_db_engine == 'mysql' + block: + # Dump the database of Bitwarden_RS + - mysql_db: + state: dump + name: "{{ bitwarden_db_name }}" + target: "{{ vaultwarden_root_dir }}/tmp/bitwardenrs.sql.xz" + login_host: "{{ vaultwarden_db_server }}" + login_user: sqladmin + login_password: "{{ mysql_admin_pass }}" + quick: True + single_transaction: True + + # Inject the dump in the new vaultwarden database + - mysql_db: + state: import + name: "{{ vaultwarden_db_name }}" + target: "{{ vaultwarden_root_dir }}/tmp/bitwardenrs.sql.xz" + login_host: "{{ vaultwarden_db_server }}" + login_user: sqladmin + login_password: "{{ mysql_admin_pass }}" + + tags: vaultwarden + +- name: Cleanup files + file: path={{ item }} state=absent + loop: + - /etc/systemd/system/bitwarden_rs.service + - /etc/nginx/ansible_conf.d/31-bitwarden.conf + - /etc/backup/pre.d/bitwarden_rs.sh + - /etc/backup/post.d/bitwarden_rs.sh + - "{{ vaultwarden_root_dir }}/tmp/bitwardenrs.sql.xz" + notify: reload nginx + tags: vaultwarden + +- name: Remove old iptables rules + iptables_raw: + name: bitwarden_rs + state: absent + when: iptables_manage | default(True) + tags: vaultwarden diff --git a/roles/vaultwarden/tasks/service.yml b/roles/vaultwarden/tasks/service.yml index 3426883..2c59e8b 100644 --- a/roles/vaultwarden/tasks/service.yml +++ b/roles/vaultwarden/tasks/service.yml @@ -1,6 +1,6 @@ --- - name: Start and enable the service - service: name=bitwarden_rs state=started enabled=True - register: bitwarden_started - tags: bitwarden + service: name=vaultwarden state=started enabled=True + register: vaultwarden_started + tags: vaultwarden diff --git a/roles/vaultwarden/tasks/user.yml b/roles/vaultwarden/tasks/user.yml index f7cb253..9eddf75 100644 --- a/roles/vaultwarden/tasks/user.yml +++ b/roles/vaultwarden/tasks/user.yml 
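Review bot: `vaultwarden_bitwarden_sqlite` is registered by the "Check if SQLite DB exists" stat task but never read anywhere in this file, so either the task is dead code or the SQLite branch it was meant to gate is missing; as written the data-dir sync copies `db.sqlite3` unconditionally. The MySQL branch dumps the old database with the hard-coded `sqladmin` account and `mysql_admin_pass` (presumably the admin credentials of the mysql_server role — confirm), and a failure between the dump and the final "Cleanup files" task leaves a complete copy of the old database (user password hashes and vault data) in `{{ vaultwarden_root_dir }}/tmp/`; that directory is mode 700 per directories.yml, which limits exposure to root, but wrapping the dump/import in a `block` with an `always` section that removes the dump would make the cleanup unconditional. The old `{{ bitwarden_root_dir }}` tree, including `data/rsa*` keys and the SQLite file, is also left in place with its previous ownership after the migration; if that is intentional as a rollback copy, a comment such as `# Old bitwarden_rs tree is kept as a rollback copy; remove it manually once the migration is verified` would stop the next maintainer from treating it as an oversight.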
@@ -1,5 +1,5 @@ --- -- name: Create bitwarden_rs user - user: name={{ bitwarden_user }} home={{ bitwarden_root_dir }} system=True - tags: bitwarden +- name: Create vaultwarden user + user: name={{ vaultwarden_user }} home={{ vaultwarden_root_dir }} system=True + tags: vaultwarden diff --git a/roles/vaultwarden/tasks/write_version.yml b/roles/vaultwarden/tasks/write_version.yml index 5b47c7e..f61ddac 100644 --- a/roles/vaultwarden/tasks/write_version.yml +++ b/roles/vaultwarden/tasks/write_version.yml @@ -1,10 +1,10 @@ --- - name: Write versions - copy: content={{ item.version }} dest={{ bitwarden_root_dir }}/meta/{{ item.file }} + copy: content={{ item.version }} dest={{ vaultwarden_root_dir }}/meta/{{ item.file }} loop: - - version: "{{ bitwarden_version }}" + - version: "{{ vaultwarden_version }}" file: ansible_version - - version: "{{ bitwarden_web_version }}" + - version: "{{ vaultwarden_web_version }}" file: ansible_web_version - tags: bitwarden + tags: vaultwarden diff --git a/roles/vaultwarden/templates/nginx.conf.j2 b/roles/vaultwarden/templates/nginx.conf.j2 index c6c2d56..248a2ad 100644 --- a/roles/vaultwarden/templates/nginx.conf.j2 +++ b/roles/vaultwarden/templates/nginx.conf.j2 
@@ -1,21 +1,21 @@ server { listen 443 ssl http2; - server_name {{ bitwarden_public_url | urlsplit('hostname') }}; + server_name {{ vaultwarden_public_url | urlsplit('hostname') }}; include /etc/nginx/ansible_conf.d/acme.inc; -{% if bitwarden_cert_path is defined and bitwarden_key_path is defined %} - ssl_certificate {{ bitwarden_cert_path }}; - ssl_certificate_key {{ bitwarden_key_path }}; -{% elif bitwarden_letsencrypt_cert is defined and bitwarden_letsencrypt_cert == True %} - ssl_certificate /var/lib/dehydrated/certificates/certs/{{ bitwarden_public_url | urlsplit('hostname') }}/fullchain.pem; - ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ bitwarden_public_url | urlsplit('hostname') }}/privkey.pem; -{% elif bitwarden_letsencrypt_cert is string %} - ssl_certificate /var/lib/dehydrated/certificates/certs/{{ bitwarden_letsencrypt_cert }}/fullchain.pem; - ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ bitwarden_letsencrypt_cert }}/privkey.pem; +{% if vaultwarden_cert_path is defined and vaultwarden_key_path is defined %} + ssl_certificate {{ vaultwarden_cert_path }}; + ssl_certificate_key {{ vaultwarden_key_path }}; +{% elif vaultwarden_letsencrypt_cert is defined and vaultwarden_letsencrypt_cert == True %} + ssl_certificate /var/lib/dehydrated/certificates/certs/{{ vaultwarden_public_url | urlsplit('hostname') }}/fullchain.pem; + ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ vaultwarden_public_url | urlsplit('hostname') }}/privkey.pem; +{% elif vaultwarden_letsencrypt_cert is string %} + ssl_certificate /var/lib/dehydrated/certificates/certs/{{ vaultwarden_letsencrypt_cert }}/fullchain.pem; + ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ vaultwarden_letsencrypt_cert }}/privkey.pem; {% endif %} - root {{ bitwarden_root_dir }}/web-vault; + root {{ vaultwarden_root_dir }}/web-vault; client_max_body_size 512M; 
@@ -24,16 +24,16 @@ server { } location /notifications/hub { - proxy_pass http://localhost:{{ bitwarden_ws_port }}; + proxy_pass http://localhost:{{ vaultwarden_ws_port }}; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } location /notifications/hub/negotiate { - proxy_pass http://localhost:{{ bitwarden_http_port }}; + proxy_pass http://localhost:{{ vaultwarden_http_port }}; } location @proxy { - proxy_pass http://localhost:{{ bitwarden_http_port }}; + proxy_pass http://localhost:{{ vaultwarden_http_port }}; } location / { @@ -62,7 +62,7 @@ server { proxy_max_temp_file_size 5m; allow 127.0.0.1; -{% for ip in bitwarden_web_src_ip %} +{% for ip in vaultwarden_web_src_ip %} allow {{ ip }}; {% endfor %} deny all; diff --git a/roles/vaultwarden/templates/post-backup.sh.j2 b/roles/vaultwarden/templates/post-backup.sh.j2 index 35286d4..04a218d 100644 --- a/roles/vaultwarden/templates/post-backup.sh.j2 +++ b/roles/vaultwarden/templates/post-backup.sh.j2 @@ -1,4 +1,3 @@ #!/bin/bash -e -rm -f {{ bitwarden_root_dir }}/backup/* -umount /home/lbkp/bitwarden_rs +rm -f {{ vaultwarden_root_dir }}/backup/* diff --git a/roles/vaultwarden/templates/pre-backup.sh.j2 b/roles/vaultwarden/templates/pre-backup.sh.j2 index f145133..3dddb2d 100644 --- a/roles/vaultwarden/templates/pre-backup.sh.j2 +++ b/roles/vaultwarden/templates/pre-backup.sh.j2 
@@ -1,17 +1,16 @@ #!/bin/bash -e -mkdir -p /home/lbkp/bitwarden_rs/ -cp {{ bitwarden_root_dir }}/data/rsa* {{ bitwarden_root_dir }}/backup/ -{% if bitwarden_db_engine == 'mysql' %} +mkdir -p /home/lbkp/vaultwarden/ +cp {{ vaultwarden_root_dir }}/data/rsa* {{ vaultwarden_root_dir }}/backup/ +{% if vaultwarden_db_engine == 'mysql' %} /usr/bin/mysqldump \ -{% if bitwarden_db_server != 'localhost' and bitwarden_db_server != '127.0.0.1' %} - --user='{{ bitwarden_db_user }}' \ - --password='{{ bitwarden_db_pass }}' \ - --host='{{ bitwarden_db_server }}' \ +{% if vaultwarden_db_server != 'localhost' and vaultwarden_db_server != '127.0.0.1' %} + --user='{{ vaultwarden_db_user }}' \ + --password='{{ vaultwarden_db_pass }}' \ + --host='{{ vaultwarden_db_server }}' \ {% endif %} --quick --single-transaction \ - --add-drop-table {{ bitwarden_db_name }} | zstd -T0 -c > {{ bitwarden_root_dir }}/backup/{{ bitwarden_db_name }}.sql.zst + --add-drop-table {{ vaultwarden_db_name }} | zstd -c > {{ vaultwarden_root_dir }}/backup/{{ vaultwarden_db_name }}.sql.zst {% else %} -sqlite3 {{ bitwarden_root_dir }}/data/db.sqlite3 ".backup '{{ bitwarden_root_dir }}/backup/db.sqlite3'" +sqlite3 {{ vaultwarden_root_dir }}/data/db.sqlite3 ".backup '{{ vaultwarden_root_dir }}/backup/db.sqlite3'" {% endif %} -mountpoint -q /home/lbkp/bitwarden_rs/ || mount -o bind,ro {{ bitwarden_root_dir }}/backup/ /home/lbkp/bitwarden_rs/ diff --git a/roles/vaultwarden/templates/vaultwarden.conf.j2 b/roles/vaultwarden/templates/vaultwarden.conf.j2 new file mode 100644 index 0000000..adc2375 --- /dev/null +++ b/roles/vaultwarden/templates/vaultwarden.conf.j2 
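Review bot: The script still runs `mkdir -p /home/lbkp/vaultwarden/`, but the bind mount that used to populate that directory (`mountpoint -q … || mount -o bind,ro …`) is removed in this hunk and the post-backup hunk drops the matching `umount`; unless the backup tooling now reads `{{ vaultwarden_root_dir }}/backup/` directly (not visible in this diff), the backup job will find an empty directory. Either the `mkdir` line should go together with the mount, or a comment should state where the backup directory is picked up from. The new mysqldump invocation also still passes `--password='{{ vaultwarden_db_pass }}'` on the command line, where it is visible in the process list to every local user for the duration of the dump; a mode-600 option file passed via `--defaults-extra-file`, or `MYSQL_PWD` exported for that one command, keeps it out of `ps`. Dropping `-T0` from the zstd call also makes compression single-threaded, which may be intended but is worth a word in the commit.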
@@ -0,0 +1,28 @@
+IP_HEADER=X-Forwarded-For
+SIGNUPS_VERIFY=true
+SIGNUPS_ALLOWED={{ vaultwarden_registration | ternary('true','false') }}
+{% if vaultwarden_domains_whitelist | length > 0 %}
+SIGNUPS_DOMAINS_WHITELIST={{ vaultwarden_domains_whitelist | join(',') }}
+{% endif %}
+ADMIN_TOKEN={{ vaultwarden_admin_token }}
+DISABLE_ADMIN_TOKEN={{ vaultwarden_disable_admin_token | ternary('true','false') }}
+DOMAIN={{ vaultwarden_public_url }}
+ROCKET_ENV=prod
+ROCKET_ADDRESS=0.0.0.0
+ROCKET_PORT={{ vaultwarden_http_port }}
+WEBSOCKET_ENABLED=true
+WEBSOCKET_PORT={{ vaultwarden_ws_port }}
+SMTP_HOST=localhost
+SMTP_PORT=25
+SMTP_SSL=false
+SMTP_FROM=vaultwarden-rs-noreply@{{ ansible_domain }}
+{% if vaultwarden_db_engine == 'mysql' %}
+DATABASE_URL=mysql://{{ vaultwarden_db_user }}:{{ vaultwarden_db_pass | urlencode | regex_replace('/','%2F') }}@{{ vaultwarden_db_server }}:{{ vaultwarden_db_port }}/{{ vaultwarden_db_name }}
+ENABLE_DB_WAL=false
+{% else %}
+DATABASE_URL=data/db.sqlite3
+{% endif %}
+{% if vaultwarden_yubico_client_id is defined and vaultwarden_yubico_secret_key is defined %}
+YUBICO_CLIENT_ID={{ vaultwarden_yubico_client_id }}
+YUBICO_SECRET_KEY={{ vaultwarden_yubico_secret_key }}
+{% endif %}
diff --git a/roles/vaultwarden/templates/vaultwarden.service.j2 b/roles/vaultwarden/templates/vaultwarden.service.j2
new file mode 100644
index 0000000..e17e50c
--- /dev/null
+++ b/roles/vaultwarden/templates/vaultwarden.service.j2
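Review bot: `ROCKET_ADDRESS=0.0.0.0` combined with `IP_HEADER=X-Forwarded-For` means any client that can reach port `{{ vaultwarden_http_port }}` directly — every address in `vaultwarden_src_ip`, or anyone when that list is empty and the iptables rule is therefore absent — can supply its own `X-Forwarded-For` value and vaultwarden will take it as the client address, which as far as I know is what its login rate limiting and admin-page lockout key on, while the nginx template in this commit only ever proxies from localhost. A narrower default would bind loopback unless direct access is actually configured, e.g. `ROCKET_ADDRESS={{ (vaultwarden_src_ip | length > 0) | ternary('0.0.0.0', '127.0.0.1') }}`. `SMTP_FROM=vaultwarden-rs-noreply@…` also keeps a leftover `-rs` suffix; `vaultwarden-noreply` would match the rest of the rename.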
@@ -0,0 +1,27 @@
+[Unit]
+Description=Bitwarden Server (Rust Edition)
+Documentation=https://github.com/dani-garcia/vaultwarden_rs
+After=network.target
+{% if vaultwarden_db_engine == 'mysql' and (vaultwarden_db_server in ['localhost', '127.0.0.1']) %}
+After=mariadb.service
+Requires=mariadb.service
+{% endif %}
+
+[Service]
+User={{ vaultwarden_user }}
+Group={{ vaultwarden_user }}
+EnvironmentFile={{ vaultwarden_root_dir }}/etc/vaultwarden.conf
+ExecStart={{ vaultwarden_root_dir }}/bin/vaultwarden
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
+WorkingDirectory={{ vaultwarden_root_dir }}
+ReadWriteDirectories={{ vaultwarden_root_dir }}/data
+ReadOnlyDirectories={{ vaultwarden_root_dir }}/etc {{ vaultwarden_root_dir }}/web-vault
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target
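Review bot: `Documentation=https://github.com/dani-garcia/vaultwarden_rs` names a repository that does not match the one the role downloads from (`dani-garcia/vaultwarden` in defaults/main.yml), and `Description=Bitwarden Server (Rust Edition)` is the pre-rename wording; `Documentation=https://github.com/dani-garcia/vaultwarden` and `Description=Vaultwarden server` would line up with the rest of the commit. `ReadWriteDirectories=` and `ReadOnlyDirectories=` are the deprecated spellings of `ReadWritePaths=`/`ReadOnlyPaths=`, and `StartLimitInterval=` under `[Service]` is likewise a legacy alias that current systemd expects as `StartLimitIntervalSec=` under `[Unit]`. Since the unit already declares its writable path explicitly, `ProtectSystem=strict` plus `NoNewPrivileges=true` would be a small further hardening step, provided nothing in the service needs to write outside `{{ vaultwarden_root_dir }}/data`; the environment file carrying `ADMIN_TOKEN` and the database password is the most sensitive input here, and conf.yml's `group={{ vaultwarden_user }} mode=640` already keeps it to root and the service group.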