parent
bab729a956
commit
7cf143fbe7
21 changed files with 333 additions and 197 deletions
@ -1,49 +1,49 @@ |
|||||||
--- |
--- |
||||||
|
|
||||||
bitwarden_version: 1.20.0 |
vaultwarden_version: 1.21.0 |
||||||
bitwarden_archive_url: https://github.com/dani-garcia/bitwarden_rs/archive/{{ bitwarden_version }}.tar.gz |
vaultwarden_archive_url: https://github.com/dani-garcia/vaultwarden/archive/{{ vaultwarden_version }}.tar.gz |
||||||
bitwarden_archive_sha1: 39354ae4124a95a7fcb53e81d6234c5599f609fa |
vaultwarden_archive_sha1: b3671dc641e05a903b3ab96299e07700eede5126 |
||||||
|
|
||||||
bitwarden_web_version: 2.19.0 |
vaultwarden_web_version: 2.20.1 |
||||||
bitwarden_web_archive_url: https://github.com/dani-garcia/bw_web_builds/releases/download/v{{ bitwarden_web_version }}/bw_web_v{{ bitwarden_web_version }}.tar.gz |
vaultwarden_web_archive_url: https://github.com/dani-garcia/bw_web_builds/releases/download/v{{ vaultwarden_web_version }}/bw_web_v{{ vaultwarden_web_version }}.tar.gz |
||||||
bitwarden_web_archive_sha1: dfb5acdad88bb6a915b7115739428278e7f3ea98 |
vaultwarden_web_archive_sha1: 1ebfd6a26c373b415b34ef6f921ec582f1c75bc9 |
||||||
|
|
||||||
bitwarden_root_dir: /opt/bitwarden_rs |
vaultwarden_root_dir: /opt/vaultwarden |
||||||
bitwarden_user: bitwarden_rs |
vaultwarden_user: vaultwarden |
||||||
|
|
||||||
# Database : can be sqlite or mysql |
# Database : can be sqlite or mysql |
||||||
bitwarden_db_engine: sqlite |
vaultwarden_db_engine: sqlite |
||||||
bitwarden_db_server: "{{ mysql_server | default('localhost') }}" |
vaultwarden_db_server: "{{ mysql_server | default('localhost') }}" |
||||||
bitwarden_db_port: 3306 |
vaultwarden_db_port: 3306 |
||||||
bitwarden_db_name: bitwardenrs |
vaultwarden_db_name: vaultwarden |
||||||
bitwarden_db_user: bitwardenrs |
vaultwarden_db_user: vaultwarden |
||||||
# A random one will be created if not defined |
# A random one will be created if not defined |
||||||
# bitwaren_db_pass: S3cr3t. |
# bitwaren_db_pass: S3cr3t. |
||||||
|
|
||||||
# Port on which bitwarden will bind |
# Port on which vaultwarden will bind |
||||||
bitwarden_http_port: 8000 |
vaultwarden_http_port: 8000 |
||||||
bitwarden_ws_port: 8001 |
vaultwarden_ws_port: 8001 |
||||||
# List of IP addresses (can be CIDR notation) which will be able to |
# List of IP addresses (can be CIDR notation) which will be able to |
||||||
# access bitwarden ports |
# access vaultwarden ports |
||||||
bitwarden_src_ip: [] |
vaultwarden_src_ip: [] |
||||||
bitwarden_web_src_ip: [] |
vaultwarden_web_src_ip: [] |
||||||
|
|
||||||
# Public URL on which bitwarden will be accessible |
# Public URL on which vaultwarden will be accessible |
||||||
bitwarden_public_url: http://{{ inventory_hostname }}:{{ bitwarden_http_port }} |
vaultwarden_public_url: http://{{ inventory_hostname }}:{{ vaultwarden_http_port }} |
||||||
|
|
||||||
# Should registration be enabled |
# Should registration be enabled |
||||||
bitwarden_registration: False |
vaultwarden_registration: False |
||||||
# List of domain names for which registration will be accepted |
# List of domain names for which registration will be accepted |
||||||
# Those domains will be accepted for registration even if bitwarden_registration is set to False |
# Those domains will be accepted for registration even if vaultwarden_registration is set to False |
||||||
bitwarden_domains_whitelist: |
vaultwarden_domains_whitelist: |
||||||
- "{{ ansible_domain }}" |
- "{{ ansible_domain }}" |
||||||
|
|
||||||
# Admin Token to access /admin. A random one is created if not defined |
# Admin Token to access /admin. A random one is created if not defined |
||||||
# bitwarden_admin_token: S3cr3t. |
# vaultwarden_admin_token: S3cr3t. |
||||||
|
|
||||||
# Or you can just disable the admin token. But you have to protect /admin yourself (eg, on a reverse proxy) |
# Or you can just disable the admin token. But you have to protect /admin yourself (eg, on a reverse proxy) |
||||||
bitwarden_disable_admin_token: False |
vaultwarden_disable_admin_token: False |
||||||
|
|
||||||
# YubiKey settings |
# YubiKey settings |
||||||
# bitwarden_yubico_client_id: XXXX |
# vaultwarden_yubico_client_id: XXXX |
||||||
# bitwarden_yubico_secret_key: XXXX |
# vaultwarden_yubico_secret_key: XXXX |
||||||
|
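Review bot: The commented password hint on the new side still reads `# bitwaren_db_pass: S3cr3t.`, keeping both the typo and the old prefix even though every other key in this file was renamed and the config template in this commit renders `{{ vaultwarden_db_pass }}`; it should read `# vaultwarden_db_pass: S3cr3t.`. As written, an operator who uncomments it defines a variable nothing reads, and per the comment above it the role would then silently fall back to a generated password rather than failing. The stale hint is present on the old side too, so it predates the rename, but the rename is the natural point to fix it.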
@ -1,5 +1,5 @@ |
|||||||
--- |
--- |
||||||
|
|
||||||
- name: restart bitwarden_rs |
- name: restart vaultwarden |
||||||
service: name=bitwarden_rs state=restarted |
service: name=vaultwarden state=restarted |
||||||
when: not bitwarden_started.changed |
when: not vaultwarden_started.changed |
||||||
|
@ -1,12 +1,12 @@ |
|||||||
--- |
--- |
||||||
|
|
||||||
- name: Compress previous version |
- name: Compress previous version |
||||||
command: tar cJf {{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}.txz ./ |
command: tar cJf {{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }}.txz ./ |
||||||
args: |
args: |
||||||
warn: False |
warn: False |
||||||
chdir: "{{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}" |
chdir: "{{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }}" |
||||||
tags: bitwarden |
tags: vaultwarden |
||||||
|
|
||||||
- name: Remove archive dir |
- name: Remove archive dir |
||||||
file: path={{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }} state=absent |
file: path={{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }} state=absent |
||||||
tags: bitwarden |
tags: vaultwarden |
||||||
|
@ -1,38 +1,38 @@ |
|||||||
--- |
--- |
||||||
|
|
||||||
- name: Create archive dir |
- name: Create archive dir |
||||||
file: path={{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }} state=directory |
file: path={{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }} state=directory |
||||||
tags: bitwarden |
tags: vaultwarden |
||||||
|
|
||||||
- name: Stop bitwarden during upgrade |
- name: Stop vaultwarden during upgrade |
||||||
service: name=bitwarden_rs state=stopped |
service: name=vaultwarden state=stopped |
||||||
tags: bitwarden |
tags: vaultwarden |
||||||
|
|
||||||
- name: Archive current version |
- name: Archive current version |
||||||
synchronize: |
synchronize: |
||||||
src: "{{ bitwarden_root_dir }}/{{ item }}" |
src: "{{ vaultwarden_root_dir }}/{{ item }}" |
||||||
dest: "{{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}/" |
dest: "{{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }}/" |
||||||
recursive: True |
recursive: True |
||||||
delete: True |
delete: True |
||||||
delegate_to: "{{ inventory_hostname }}" |
delegate_to: "{{ inventory_hostname }}" |
||||||
loop: |
loop: |
||||||
- bitwarden_rs |
- vaultwarden |
||||||
- data |
- data |
||||||
- etc |
- etc |
||||||
- web-vault |
- web-vault |
||||||
tags: bitwarden |
tags: vaultwarden |
||||||
|
|
||||||
- name: Dump the database |
- name: Dump the database |
||||||
mysql_db: |
mysql_db: |
||||||
state: dump |
state: dump |
||||||
name: "{{ bitwarden_db_name }}" |
name: "{{ vaultwarden_db_name }}" |
||||||
target: "{{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}/{{ bitwarden_db_name }}.sql.xz" |
target: "{{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }}/{{ vaultwarden_db_name }}.sql.xz" |
||||||
login_host: "{{ bitwarden_db_server }}" |
login_host: "{{ vaultwarden_db_server }}" |
||||||
login_user: "{{ bitwarden_db_user }}" |
login_user: "{{ vaultwarden_db_user }}" |
||||||
login_password: "{{ bitwarden_db_pass }}" |
login_password: "{{ vaultwarden_db_pass }}" |
||||||
quick: True |
quick: True |
||||||
single_transaction: True |
single_transaction: True |
||||||
environment: |
environment: |
||||||
XZ_OPT: -T0 |
XZ_OPT: -T0 |
||||||
when: bitwarden_db_engine == 'mysql' |
when: vaultwarden_db_engine == 'mysql' |
||||||
tags: bitwarden |
tags: vaultwarden |
||||||
|
@ -1,11 +1,11 @@ |
|||||||
--- |
--- |
||||||
|
|
||||||
- name: Deploy configuration |
- name: Deploy configuration |
||||||
template: src=bitwarden_rs.conf.j2 dest={{ bitwarden_root_dir }}/etc/bitwarden_rs.conf group={{ bitwarden_user }} mode=640 |
template: src=vaultwarden.conf.j2 dest={{ vaultwarden_root_dir }}/etc/vaultwarden.conf group={{ vaultwarden_user }} mode=640 |
||||||
notify: restart bitwarden_rs |
notify: restart vaultwarden |
||||||
tags: bitwarden |
tags: vaultwarden |
||||||
|
|
||||||
- name: Deploy nginx configuration |
- name: Deploy nginx configuration |
||||||
template: src=nginx.conf.j2 dest=/etc/nginx/ansible_conf.d/31-bitwarden.conf |
template: src=nginx.conf.j2 dest=/etc/nginx/ansible_conf.d/31-vaultwarden.conf |
||||||
notify: reload nginx |
notify: reload nginx |
||||||
tags: bitwarden |
tags: vaultwarden |
||||||
|
@ -1,9 +1,8 @@ |
|||||||
--- |
--- |
||||||
|
|
||||||
- name: Handle bitwarden_rs ports in the firewall |
- name: Handle vaultwarden ports in the firewall |
||||||
iptables_raw: |
iptables_raw: |
||||||
name: bitwarden_rs |
name: vaultwarden |
||||||
state: "{{ (bitwarden_src_ip | length > 0) | ternary('present','absent') }}" |
state: "{{ (vaultwarden_src_ip | length > 0) | ternary('present','absent') }}" |
||||||
rules: "-A INPUT -m state --state NEW -m multiport -p tcp --dports {{ bitwarden_http_port }},{{ bitwarden_ws_port }} -s {{ bitwarden_src_ip | join(',') }} -j ACCEPT" |
rules: "-A INPUT -m state --state NEW -m multiport -p tcp --dports {{ vaultwarden_http_port }},{{ vaultwarden_ws_port }} -s {{ vaultwarden_src_ip | join(',') }} -j ACCEPT" |
||||||
when: iptables_manage | default(True) |
tags: firewall,vaultwarden |
||||||
tags: firewall,bitwarden |
|
||||||
|
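Review bot: The `when: iptables_manage | default(True)` guard carried by the old side does not appear on the new side of this task, and the hunk header (`-1,9 +1,8`) shows the new side one line shorter, so the firewall rule now appears to be managed unconditionally; the migration tasks elsewhere in this commit still gate their own `iptables_raw` call on that same variable. If dropping the guard is not intended, restore `when: iptables_manage | default(True)` alongside `tags: firewall,vaultwarden`. This reading rests on the rendered old/new pairing, so it is worth confirming against the raw diff.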
@ -0,0 +1,73 @@ |
|||||||
|
--- |
||||||
|
|
||||||
|
- name: Set bitwarden facts |
||||||
|
block: |
||||||
|
- set_fact: bitwarden_root_dir={{ bitwarden_root_dir | default('/opt/bitwarden_rs') }} |
||||||
|
- set_fact: bitwarden_db_name={{ bitwarden_db_name | default('bitwardenrs') }} |
||||||
|
tags: vaultwarden |
||||||
|
|
||||||
|
- name: Check if SQLite DB exists |
||||||
|
stat: path={{ bitwarden_root_dir }}/data/db.sqlite3 |
||||||
|
register: vaultwarden_bitwarden_sqlite |
||||||
|
tags: vaultwarden |
||||||
|
|
||||||
|
- name: Stop the old service |
||||||
|
service: name=bitwarden_rs state=stopped |
||||||
|
tags: vaultwarden |
||||||
|
|
||||||
|
- name: Migrate data dir |
||||||
|
synchronize: |
||||||
|
src: "{{ bitwarden_root_dir }}/data/" |
||||||
|
dest: "{{ vaultwarden_root_dir }}/data/" |
||||||
|
compress: False |
||||||
|
recursive: True |
||||||
|
delegate_to: "{{ inventory_hostname }}" |
||||||
|
tags: vaultwarden |
||||||
|
|
||||||
|
- name: Fix permissions on vaultwarden data dir |
||||||
|
file: path={{ vaultwarden_root_dir }}/data/ recurse=True owner={{ vaultwarden_user }} group={{ vaultwarden_user }} |
||||||
|
tags: vaultwarden |
||||||
|
|
||||||
|
# We assume vaultwarden was configured the same way bitwarden was, same db engine, db server etc. |
||||||
|
# So here we just dump the database and inject the dump in the new DB |
||||||
|
- when: vaultwarden_db_engine == 'mysql' |
||||||
|
block: |
||||||
|
# Dump the database of Bitwarden_RS |
||||||
|
- mysql_db: |
||||||
|
state: dump |
||||||
|
name: "{{ bitwarden_db_name }}" |
||||||
|
target: "{{ vaultwarden_root_dir }}/tmp/bitwardenrs.sql.xz" |
||||||
|
login_host: "{{ vaultwarden_db_server }}" |
||||||
|
login_user: sqladmin |
||||||
|
login_password: "{{ mysql_admin_pass }}" |
||||||
|
quick: True |
||||||
|
single_transaction: True |
||||||
|
|
||||||
|
# Inject the dump in the new vaultwarden database |
||||||
|
- mysql_db: |
||||||
|
state: import |
||||||
|
name: "{{ vaultwarden_db_name }}" |
||||||
|
target: "{{ vaultwarden_root_dir }}/tmp/bitwardenrs.sql.xz" |
||||||
|
login_host: "{{ vaultwarden_db_server }}" |
||||||
|
login_user: sqladmin |
||||||
|
login_password: "{{ mysql_admin_pass }}" |
||||||
|
|
||||||
|
tags: vaultwarden |
||||||
|
|
||||||
|
- name: Cleanup files |
||||||
|
file: path={{ item }} state=absent |
||||||
|
loop: |
||||||
|
- /etc/systemd/system/bitwarden_rs.service |
||||||
|
- /etc/nginx/ansible_conf.d/31-bitwarden.conf |
||||||
|
- /etc/backup/pre.d/bitwarden_rs.sh |
||||||
|
- /etc/backup/post.d/bitwarden_rs.sh |
||||||
|
- "{{ vaultwarden_root_dir }}/tmp/bitwardenrs.sql.xz" |
||||||
|
notify: reload nginx |
||||||
|
tags: vaultwarden |
||||||
|
|
||||||
|
- name: Remove old iptables rules |
||||||
|
iptables_raw: |
||||||
|
name: bitwarden_rs |
||||||
|
state: absent |
||||||
|
when: iptables_manage | default(True) |
||||||
|
tags: vaultwarden |
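Review bot: The unencrypted dump of the old vault database written to `{{ vaultwarden_root_dir }}/tmp/bitwardenrs.sql.xz` is only removed by the separate `Cleanup files` task, so if the `state: import` step fails the host fails there and the dump stays on disk; moving that removal into an `always:` section of the `- when: vaultwarden_db_engine == 'mysql'` block (`- file: path={{ vaultwarden_root_dir }}/tmp/bitwardenrs.sql.xz state=absent`) makes the cleanup unconditional. The dump and import also hard-code `login_user: sqladmin` with `{{ mysql_admin_pass }}`, whereas the archive tasks in this commit authenticate as `{{ vaultwarden_db_user }}`; a short comment explaining why the admin account is needed here (presumably because the old and new databases are distinct) would help, or the role's own variables should be used. The `stat` result registered as `vaultwarden_bitwarden_sqlite` is not referenced anywhere in this hunk; if nothing outside it consumes it, drop the register, otherwise gate the data-dir migration on it.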
@ -1,6 +1,6 @@ |
|||||||
--- |
--- |
||||||
|
|
||||||
- name: Start and enable the service |
- name: Start and enable the service |
||||||
service: name=bitwarden_rs state=started enabled=True |
service: name=vaultwarden state=started enabled=True |
||||||
register: bitwarden_started |
register: vaultwarden_started |
||||||
tags: bitwarden |
tags: vaultwarden |
||||||
|
@ -1,5 +1,5 @@ |
|||||||
--- |
--- |
||||||
|
|
||||||
- name: Create bitwarden_rs user |
- name: Create vaultwarden user |
||||||
user: name={{ bitwarden_user }} home={{ bitwarden_root_dir }} system=True |
user: name={{ vaultwarden_user }} home={{ vaultwarden_root_dir }} system=True |
||||||
tags: bitwarden |
tags: vaultwarden |
||||||
|
@ -1,10 +1,10 @@ |
|||||||
--- |
--- |
||||||
|
|
||||||
- name: Write versions |
- name: Write versions |
||||||
copy: content={{ item.version }} dest={{ bitwarden_root_dir }}/meta/{{ item.file }} |
copy: content={{ item.version }} dest={{ vaultwarden_root_dir }}/meta/{{ item.file }} |
||||||
loop: |
loop: |
||||||
- version: "{{ bitwarden_version }}" |
- version: "{{ vaultwarden_version }}" |
||||||
file: ansible_version |
file: ansible_version |
||||||
- version: "{{ bitwarden_web_version }}" |
- version: "{{ vaultwarden_web_version }}" |
||||||
file: ansible_web_version |
file: ansible_web_version |
||||||
tags: bitwarden |
tags: vaultwarden |
||||||
|
@ -1,4 +1,3 @@ |
|||||||
#!/bin/bash -e |
#!/bin/bash -e |
||||||
|
|
||||||
rm -f {{ bitwarden_root_dir }}/backup/* |
rm -f {{ vaultwarden_root_dir }}/backup/* |
||||||
umount /home/lbkp/bitwarden_rs |
|
||||||
|
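Review bot: The `umount /home/lbkp/bitwarden_rs` line is gone from the new side with no replacement in this hunk, so if the matching `pre.d` script still creates that mount, every backup run would leave it mounted; the pre-backup script is not visible in this chunk, so confirm it no longer mounts anything. If that is the case, a one-line comment such as `# the pre-backup script no longer mounts anything, so there is nothing to unmount here` would record the intent for the next reader.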
@ -0,0 +1,28 @@ |
|||||||
|
IP_HEADER=X-Forwarded-For |
||||||
|
SIGNUPS_VERIFY=true |
||||||
|
SIGNUPS_ALLOWED={{ vaultwarden_registration | ternary('true','false') }} |
||||||
|
{% if vaultwarden_domains_whitelist | length > 0 %} |
||||||
|
SIGNUPS_DOMAINS_WHITELIST={{ vaultwarden_domains_whitelist | join(',') }} |
||||||
|
{% endif %} |
||||||
|
ADMIN_TOKEN={{ vaultwarden_admin_token }} |
||||||
|
DISABLE_ADMIN_TOKEN={{ vaultwarden_disable_admin_token | ternary('true','false') }} |
||||||
|
DOMAIN={{ vaultwarden_public_url }} |
||||||
|
ROCKET_ENV=prod |
||||||
|
ROCKET_ADDRESS=0.0.0.0 |
||||||
|
ROCKET_PORT={{ vaultwarden_http_port }} |
||||||
|
WEBSOCKET_ENABLED=true |
||||||
|
WEBSOCKET_PORT={{ vaultwarden_ws_port }} |
||||||
|
SMTP_HOST=localhost |
||||||
|
SMTP_PORT=25 |
||||||
|
SMTP_SSL=false |
||||||
|
SMTP_FROM=vaultwarden-rs-noreply@{{ ansible_domain }} |
||||||
|
{% if vaultwarden_db_engine == 'mysql' %} |
||||||
|
DATABASE_URL=mysql://{{ vaultwarden_db_user }}:{{ vaultwarden_db_pass | urlencode | regex_replace('/','%2F') }}@{{ vaultwarden_db_server }}:{{ vaultwarden_db_port }}/{{ vaultwarden_db_name }} |
||||||
|
ENABLE_DB_WAL=false |
||||||
|
{% else %} |
||||||
|
DATABASE_URL=data/db.sqlite3 |
||||||
|
{% endif %} |
||||||
|
{% if vaultwarden_yubico_client_id is defined and vaultwarden_yubico_secret_key is defined %} |
||||||
|
YUBICO_CLIENT_ID={{ vaultwarden_yubico_client_id }} |
||||||
|
YUBICO_SECRET_KEY={{ vaultwarden_yubico_secret_key }} |
||||||
|
{% endif %} |
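Review bot: `IP_HEADER=X-Forwarded-For` together with `ROCKET_ADDRESS=0.0.0.0` means vaultwarden trusts the forwarded header on every interface, so any client that can reach `{{ vaultwarden_http_port }}` directly rather than through nginx can present an arbitrary source address to whatever vaultwarden keys on client IP (login rate limiting, admin logging). The firewall task in this commit only adds an ACCEPT rule when `vaultwarden_src_ip` is non-empty, so the default exposure depends on the host's baseline policy; if nginx runs on the same host, `ROCKET_ADDRESS=127.0.0.1` (or a variable defaulting to it) removes the question, otherwise a comment above `IP_HEADER` stating that the port must only be reachable from the reverse proxy would document the assumption. `SMTP_FROM=vaultwarden-rs-noreply@{{ ansible_domain }}` also keeps the old `-rs` suffix, which looks like a leftover from the rename.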
@ -0,0 +1,27 @@ |
|||||||
|
[Unit] |
||||||
|
Description=Bitwarden Server (Rust Edition) |
||||||
|
Documentation=https://github.com/dani-garcia/vaultwarden_rs |
||||||
|
After=network.target |
||||||
|
{% if vaultwarden_db_engine == 'mysql' and (vaultwarden_db_server in ['localhost', '127.0.0.1']) %} |
||||||
|
After=mariadb.service |
||||||
|
Requires=mariadb.service |
||||||
|
{% endif %} |
||||||
|
|
||||||
|
[Service] |
||||||
|
User={{ vaultwarden_user }} |
||||||
|
Group={{ vaultwarden_user }} |
||||||
|
EnvironmentFile={{ vaultwarden_root_dir }}/etc/vaultwarden.conf |
||||||
|
ExecStart={{ vaultwarden_root_dir }}/bin/vaultwarden |
||||||
|
PrivateTmp=true |
||||||
|
PrivateDevices=true |
||||||
|
ProtectHome=true |
||||||
|
ProtectSystem=full |
||||||
|
WorkingDirectory={{ vaultwarden_root_dir }} |
||||||
|
ReadWriteDirectories={{ vaultwarden_root_dir }}/data |
||||||
|
ReadOnlyDirectories={{ vaultwarden_root_dir }}/etc {{ vaultwarden_root_dir }}/web-vault |
||||||
|
Restart=on-failure |
||||||
|
StartLimitInterval=0 |
||||||
|
RestartSec=30 |
||||||
|
|
||||||
|
[Install] |
||||||
|
WantedBy=multi-user.target |
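Review bot: `Documentation=https://github.com/dani-garcia/vaultwarden_rs` does not match the repository the defaults file in this commit downloads from (`https://github.com/dani-garcia/vaultwarden`), and `Description=Bitwarden Server (Rust Edition)` still carries the old name; suggest `Documentation=https://github.com/dani-garcia/vaultwarden` and `Description=Vaultwarden Server`. `ReadWriteDirectories=` and `ReadOnlyDirectories=` are the older spellings of `ReadWritePaths=` and `ReadOnlyPaths=`; current systemd still accepts them, but the new names are what the manual documents. Since the unit already opts into `PrivateTmp`, `PrivateDevices`, `ProtectHome` and `ProtectSystem=full`, adding `NoNewPrivileges=true` would be a cheap addition to the same sandbox.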