Update to 2021-05-14 17:00

4 years ago · 7cf143fbe7
parent bab729a956
commit 7cf143fbe7
21 changed files with 333 additions and 197 deletions
--- a/roles/vaultwarden/defaults/main.yml
+++ b/roles/vaultwarden/defaults/main.yml
@ -1,49 +1,49 @@
 ---

-bitwarden_version: 1.20.0
-bitwarden_archive_url: https://github.com/dani-garcia/bitwarden_rs/archive/{{ bitwarden_version }}.tar.gz
-bitwarden_archive_sha1: 39354ae4124a95a7fcb53e81d6234c5599f609fa
+vaultwarden_version: 1.21.0
+vaultwarden_archive_url: https://github.com/dani-garcia/vaultwarden/archive/{{ vaultwarden_version }}.tar.gz
+vaultwarden_archive_sha1: b3671dc641e05a903b3ab96299e07700eede5126

-bitwarden_web_version: 2.19.0
-bitwarden_web_archive_url: https://github.com/dani-garcia/bw_web_builds/releases/download/v{{ bitwarden_web_version }}/bw_web_v{{ bitwarden_web_version }}.tar.gz
-bitwarden_web_archive_sha1: dfb5acdad88bb6a915b7115739428278e7f3ea98
+vaultwarden_web_version: 2.20.1
+vaultwarden_web_archive_url: https://github.com/dani-garcia/bw_web_builds/releases/download/v{{ vaultwarden_web_version }}/bw_web_v{{ vaultwarden_web_version }}.tar.gz
+vaultwarden_web_archive_sha1: 1ebfd6a26c373b415b34ef6f921ec582f1c75bc9

-bitwarden_root_dir: /opt/bitwarden_rs
-bitwarden_user: bitwarden_rs
+vaultwarden_root_dir: /opt/vaultwarden
+vaultwarden_user: vaultwarden

 # Database : can be sqlite or mysql
-bitwarden_db_engine: sqlite
-bitwarden_db_server: "{{ mysql_server | default('localhost') }}"
-bitwarden_db_port: 3306
-bitwarden_db_name: bitwardenrs
-bitwarden_db_user: bitwardenrs
+vaultwarden_db_engine: sqlite
+vaultwarden_db_server: "{{ mysql_server | default('localhost') }}"
+vaultwarden_db_port: 3306
+vaultwarden_db_name: vaultwarden
+vaultwarden_db_user: vaultwarden
 # A random one will be created if not defined
 # bitwaren_db_pass: S3cr3t.

-# Port on which bitwarden will bind
-bitwarden_http_port: 8000
-bitwarden_ws_port: 8001
+# Port on which vaultwarden will bind
+vaultwarden_http_port: 8000
+vaultwarden_ws_port: 8001
 # List of IP addresses (can be CIDR notation) which will be able to
-# access bitwarden ports
-bitwarden_src_ip: []
-bitwarden_web_src_ip: []
+# access vaultwarden ports
+vaultwarden_src_ip: []
+vaultwarden_web_src_ip: []

-# Public URL on which bitwarden will be accessible
-bitwarden_public_url: http://{{ inventory_hostname }}:{{ bitwarden_http_port }}
+# Public URL on which vaultwarden will be accessible
+vaultwarden_public_url: http://{{ inventory_hostname }}:{{ vaultwarden_http_port }}

 # Should registration be enabled
-bitwarden_registration: False
+vaultwarden_registration: False
 # List of domain names for which registration will be accepted
-# Those domains will be accepted for registration even if bitwarden_registration is set to False
-bitwarden_domains_whitelist:
+# Those domains will be accepted for registration even if vaultwarden_registration is set to False
+vaultwarden_domains_whitelist:
  - "{{ ansible_domain }}"

 # Admin Token to access /admin. A random one is created if not defined
-# bitwarden_admin_token: S3cr3t.
+# vaultwarden_admin_token: S3cr3t.

 # Or you can just disable the admin token. But you have to protect /admin yourself (eg, on a reverse proxy)
-bitwarden_disable_admin_token: False
+vaultwarden_disable_admin_token: False

 # YubiKey settings
-# bitwarden_yubico_client_id: XXXX
-# bitwarden_yubico_secret_key: XXXX
+# vaultwarden_yubico_client_id: XXXX
+# vaultwarden_yubico_secret_key: XXXX
--- a/roles/vaultwarden/handlers/main.yml
+++ b/roles/vaultwarden/handlers/main.yml
@ -1,5 +1,5 @@
 ---

- name: restart bitwarden_rs
-  service: name=bitwarden_rs state=restarted
-  when: not bitwarden_started.changed
+- name: restart vaultwarden
+  service: name=vaultwarden state=restarted
+  when: not vaultwarden_started.changed
--- a/roles/vaultwarden/meta/main.yml
+++ b/roles/vaultwarden/meta/main.yml
@ -4,6 +4,6 @@ dependencies:
  - role: rust
  - role: nginx
  - role: repo_mariadb
-    when: bitwarden_db_engine == 'mysql'
+    when: vaultwarden_db_engine == 'mysql'
  - role: mysql_server
-    when: bitwarden_db_engine == 'mysql' and (bitwarden_db_server == 'localhost' or bitwarden_db_server == '127.0.0.1')
+    when: vaultwarden_db_engine == 'mysql' and (vaultwarden_db_server in ['localhost', '127.0.0.1'])
--- a/roles/vaultwarden/tasks/archive_post.yml
+++ b/roles/vaultwarden/tasks/archive_post.yml
@ -1,12 +1,12 @@
 ---

 - name: Compress previous version
-  command: tar cJf {{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}.txz ./
+  command: tar cJf {{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }}.txz ./
  args:
    warn: False
-    chdir: "{{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}"
-  tags: bitwarden
+    chdir: "{{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }}"
+  tags: vaultwarden

 - name: Remove archive dir
-  file: path={{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }} state=absent
-  tags: bitwarden
+  file: path={{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }} state=absent
+  tags: vaultwarden
--- a/roles/vaultwarden/tasks/archive_pre.yml
+++ b/roles/vaultwarden/tasks/archive_pre.yml
@ -1,38 +1,38 @@
 ---

 - name: Create archive dir
-  file: path={{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }} state=directory
-  tags: bitwarden
+  file: path={{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }} state=directory
+  tags: vaultwarden

- name: Stop bitwarden during upgrade
-  service: name=bitwarden_rs state=stopped
-  tags: bitwarden
+- name: Stop vaultwarden during upgrade
+  service: name=vaultwarden state=stopped
+  tags: vaultwarden

 - name: Archive current version
  synchronize:
-    src: "{{ bitwarden_root_dir }}/{{ item }}"
-    dest: "{{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}/"
+    src: "{{ vaultwarden_root_dir }}/{{ item }}"
+    dest: "{{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }}/"
    recursive: True
    delete: True
  delegate_to: "{{ inventory_hostname }}"
  loop:
-    - bitwarden_rs
+    - vaultwarden
    - data
    - etc
    - web-vault
-  tags: bitwarden
+  tags: vaultwarden

 - name: Dump the database
  mysql_db:
    state: dump
-    name: "{{ bitwarden_db_name }}"
-    target: "{{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}/{{ bitwarden_db_name }}.sql.xz"
-    login_host: "{{ bitwarden_db_server }}"
-    login_user: "{{ bitwarden_db_user }}"
-    login_password: "{{ bitwarden_db_pass }}"
+    name: "{{ vaultwarden_db_name }}"
+    target: "{{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }}/{{ vaultwarden_db_name }}.sql.xz"
+    login_host: "{{ vaultwarden_db_server }}"
+    login_user: "{{ vaultwarden_db_user }}"
+    login_password: "{{ vaultwarden_db_pass }}"
    quick: True
    single_transaction: True
  environment:
    XZ_OPT: -T0
-  when: bitwarden_db_engine == 'mysql'
-  tags: bitwarden
+  when: vaultwarden_db_engine == 'mysql'
+  tags: vaultwarden
--- a/roles/vaultwarden/tasks/cleanup.yml
+++ b/roles/vaultwarden/tasks/cleanup.yml
@ -3,8 +3,8 @@
 - name: Remove temp files
  file: path={{ item }} state=absent
  loop:
-    - "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}"
-    - "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}.tar.gz"
-    - "{{ bitwarden_root_dir }}/tmp/web-vault"
-    - "{{ bitwarden_root_dir }}/tmp/bw_web_v{{ bitwarden_web_version }}.tar.gz"
-  tags: bitwarden
+    - "{{ vaultwarden_root_dir }}/tmp/vaultwarden-{{ vaultwarden_version }}"
+    - "{{ vaultwarden_root_dir }}/tmp/vaultwarden-{{ vaultwarden_version }}.tar.gz"
+    - "{{ vaultwarden_root_dir }}/tmp/web-vault"
+    - "{{ vaultwarden_root_dir }}/tmp/bw_web_v{{ vaultwarden_web_version }}.tar.gz"
+  tags: vaultwarden
--- a/roles/vaultwarden/tasks/conf.yml
+++ b/roles/vaultwarden/tasks/conf.yml
@ -1,11 +1,11 @@
 ---

 - name: Deploy configuration
-  template: src=bitwarden_rs.conf.j2 dest={{ bitwarden_root_dir }}/etc/bitwarden_rs.conf group={{ bitwarden_user }} mode=640
-  notify: restart bitwarden_rs
-  tags: bitwarden
+  template: src=vaultwarden.conf.j2 dest={{ vaultwarden_root_dir }}/etc/vaultwarden.conf group={{ vaultwarden_user }} mode=640
+  notify: restart vaultwarden
+  tags: vaultwarden

 - name: Deploy nginx configuration
-  template: src=nginx.conf.j2 dest=/etc/nginx/ansible_conf.d/31-bitwarden.conf
+  template: src=nginx.conf.j2 dest=/etc/nginx/ansible_conf.d/31-vaultwarden.conf
  notify: reload nginx
-  tags: bitwarden
+  tags: vaultwarden
--- a/roles/vaultwarden/tasks/directories.yml
+++ b/roles/vaultwarden/tasks/directories.yml
@ -1,12 +1,12 @@
 ---

 - name: Create directories
-  file: path={{ bitwarden_root_dir }}/{{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  file: path={{ vaultwarden_root_dir }}/{{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
  loop:
    - dir: /
      mode: 755
    - dir: etc
-      group: "{{ bitwarden_user }}"
+      group: "{{ vaultwarden_user }}"
      mode: 750
    - dir: tmp
      mode: 700
@ -15,10 +15,11 @@
    - dir: archives
      mode: 700
    - dir: data
-      owner: "{{ bitwarden_user }}"
-      group: "{{ bitwarden_user }}"
+      owner: "{{ vaultwarden_user }}"
+      group: "{{ vaultwarden_user }}"
      mode: 700
    - dir: web-vault
+    - dir: bin
    - dir: backup
      mode: 700
-  tags: bitwarden
+  tags: vaultwarden
--- a/roles/vaultwarden/tasks/facts.yml
+++ b/roles/vaultwarden/tasks/facts.yml
@ -2,66 +2,73 @@

 - name: Set initial install modes
  block:
-    - set_fact: bitwarden_install_mode='none'
-    - set_fact: bitwarden_current_version=''
-    - set_fact: bitwarden_web_install_mode='none'
-    - set_fact: bitwarden_web_current_version=''
-  tags: bitwarden
+    - set_fact: vaultwarden_install_mode='none'
+    - set_fact: vaultwarden_current_version=''
+    - set_fact: vaultwarden_web_install_mode='none'
+    - set_fact: vaultwarden_web_current_version=''
+  tags: vaultwarden
+
+- name: Check if we need to migrate from bitwarden_rs
+  block:
+    - stat: path=/etc/systemd/system/bitwarden_rs.service
+      register: vaultwarden_bitwarden_unit
+    - set_fact: vaultwarden_migrate_from_bitwarden={{ vaultwarden_bitwarden_unit.stat.exists }}
+  tags: vaultwarden

 - name: Check if server is installed
-  stat: path={{ bitwarden_root_dir }}/meta/ansible_version
-  register: bitwarden_version_file
-  tags: bitwarden
+  stat: path={{ vaultwarden_root_dir }}/meta/ansible_version
+  register: vaultwarden_version_file
+  tags: vaultwarden

- when: bitwarden_version_file.stat.exists
+- when: vaultwarden_version_file.stat.exists
  block:
    - name: Check installed version
-      slurp: src={{ bitwarden_root_dir }}/meta/ansible_version
-      register: bitwarden_current_version
-    - set_fact: bitwarden_current_version={{ bitwarden_current_version.content | b64decode | trim }}
-    - set_fact: bitwarden_install_mode='upgrade'
-      when: bitwarden_current_version != bitwarden_version
-  tags: bitwarden
+      slurp: src={{ vaultwarden_root_dir }}/meta/ansible_version
+      register: vaultwarden_current_version
+    - set_fact: vaultwarden_current_version={{ vaultwarden_current_version.content | b64decode | trim }}
+    - set_fact: vaultwarden_install_mode='upgrade'
+      when: vaultwarden_current_version != vaultwarden_version
+  tags: vaultwarden

- when: not bitwarden_version_file.stat.exists
+- when: not vaultwarden_version_file.stat.exists
  block:
-    - set_fact: bitwarden_install_mode='install'
-  tags: bitwarden
+    - set_fact: vaultwarden_install_mode='install'
+  tags: vaultwarden

 - name: Check if web vault is installed
-  stat: path={{ bitwarden_root_dir }}/meta/ansible_web_version
-  register: bitwarden_web_version_file
-  tags: bitwarden
+  stat: path={{ vaultwarden_root_dir }}/meta/ansible_web_version
+  register: vaultwarden_web_version_file
+  tags: vaultwarden

- when: bitwarden_web_version_file.stat.exists
+- when: vaultwarden_web_version_file.stat.exists
  block:
    - name: Check installed version
-      slurp: src={{ bitwarden_root_dir }}/meta/ansible_web_version
-      register: bitwarden_web_current_version
-    - set_fact: bitwarden_web_current_version={{ bitwarden_web_current_version.content | b64decode | trim }}
-    - set_fact: bitwarden_web_install_mode='upgrade'
-      when: bitwarden_web_current_version != bitwarden_web_version
-  tags: bitwarden
+      slurp: src={{ vaultwarden_root_dir }}/meta/ansible_web_version
+      register: vaultwarden_web_current_version
+    - set_fact: vaultwarden_web_current_version={{ vaultwarden_web_current_version.content | b64decode | trim }}
+    - set_fact: vaultwarden_web_install_mode='upgrade'
+      when: vaultwarden_web_current_version != vaultwarden_web_version
+  tags: vaultwarden

- when: not bitwarden_web_version_file.stat.exists
+- when: not vaultwarden_web_version_file.stat.exists
  block:
-    - set_fact: bitwarden_web_install_mode='install'
-  tags: bitwarden
+    - set_fact: vaultwarden_web_install_mode='install'
+  tags: vaultwarden

- when: bitwarden_admin_token is not defined
+- when: vaultwarden_admin_token is not defined
  name: Generate a random admin token
  block:
    - import_tasks: ../includes/get_rand_pass.yml
      vars:
-        - pass_file: "{{ bitwarden_root_dir }}/meta/ansible_admin_token"
-    - set_fact: bitwarden_admin_token={{ rand_pass }}
-  tags: bitwarden
+        - pass_file: "{{ vaultwarden_root_dir }}/meta/ansible_admin_token"
+    - set_fact: vaultwarden_admin_token={{ rand_pass }}
+  tags: vaultwarden

- when: bitwarden_db_pass is not defined
-  tags: bitwarden
+- when: vaultwarden_db_pass is not defined
+  tags: vaultwarden
  block:
    - import_tasks: ../includes/get_rand_pass.yml
      vars:
-        - pass_file: "{{ bitwarden_root_dir }}/meta/ansible_dbpass"
-    - set_fact: bitwarden_db_pass={{ rand_pass }}
+        - pass_file: "{{ vaultwarden_root_dir }}/meta/ansible_dbpass"
+    - set_fact: vaultwarden_db_pass={{ rand_pass }}

--- a/roles/vaultwarden/tasks/install.yml
+++ b/roles/vaultwarden/tasks/install.yml
@ -6,23 +6,23 @@
      - openssl-devel
      - gcc
      - sqlite
-  tags: bitwarden
+  tags: vaultwarden

 - name: Check if MariaDB version is set
  fail: msg="Need to define mysql_mariadb_version"
  when:
-    - bitwarden_db_engine == 'mysql'
+    - vaultwarden_db_engine == 'mysql'
    - mysql_mariadb_version is not defined or mysql_mariadb_version == 'default'
    - ansible_os_family == 'RedHat'
    - ansible_distribution_major_version is version('8','<')
-  tags: bitwarden
+  tags: vaultwarden

 - name: Install MariaDB devel package
  yum:
    name:
      - mariadb-devel
-  when: bitwarden_db_engine == 'mysql'
-  tags: bitwarden
+  when: vaultwarden_db_engine == 'mysql'
+  tags: vaultwarden

  # With upstream MariaDB repo, /usr/lib64/libmariadb.so is in MariaDB-shared not in MariaDB-devel
 - name: Install MariaDB shared libs
@ -30,80 +30,80 @@
    name:
      - MariaDB-shared
  when:
-    - bitwarden_db_engine == 'mysql'
+    - vaultwarden_db_engine == 'mysql'
    - mysql_mariadb_version is defined
    - mysql_mariadb_version != 'default'
-  tags: bitwarden
+  tags: vaultwarden

- when: bitwarden_install_mode != 'none'
-  tags: bitwarden
+- when: vaultwarden_install_mode != 'none'
+  tags: vaultwarden
  block:
-    - name: Download bitwarden
+    - name: Download vaultwarden
      get_url:
-        url: "{{ bitwarden_archive_url }}"
-        dest: "{{ bitwarden_root_dir }}/tmp"
-        checksum: sha1:{{ bitwarden_archive_sha1 }}
+        url: "{{ vaultwarden_archive_url }}"
+        dest: "{{ vaultwarden_root_dir }}/tmp"
+        checksum: sha1:{{ vaultwarden_archive_sha1 }}

-    - name: Extract bitwarden archive
+    - name: Extract vaultwarden archive
      unarchive:
-        src: "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}.tar.gz"
-        dest: "{{ bitwarden_root_dir }}/tmp"
+        src: "{{ vaultwarden_root_dir }}/tmp/vaultwarden-{{ vaultwarden_version }}.tar.gz"
+        dest: "{{ vaultwarden_root_dir }}/tmp"
        remote_src: True
  
-    - name: Build bitwarden
-      command: bash -lc 'cargo build --features={{ (bitwarden_db_engine == "mysql") | ternary("mysql","sqlite") }} --release'
+    - name: Build vaultwarden
+      command: bash -lc 'cargo build --features={{ (vaultwarden_db_engine == "mysql") | ternary("mysql","sqlite") }} --release'
      args:
-        chdir: "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}"
+        chdir: "{{ vaultwarden_root_dir }}/tmp/vaultwarden-{{ vaultwarden_version }}"

    - name: Install binary
-      copy: src={{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}/target/release/bitwarden_rs dest="{{ bitwarden_root_dir }}/" mode=755 remote_src=True
-      notify: restart bitwarden_rs
+      copy: src={{ vaultwarden_root_dir }}/tmp/vaultwarden-{{ vaultwarden_version }}/target/release/vaultwarden dest="{{ vaultwarden_root_dir }}/bin/" mode=755 remote_src=True
+      notify: restart vaultwarden

- when: bitwarden_web_install_mode != 'none'
-  tags: bitwarden
+- when: vaultwarden_web_install_mode != 'none'
+  tags: vaultwarden
  block:
-    - name: Download bitwarden web vault
+    - name: Download vaultwarden web vault
      get_url:
-       url: "{{ bitwarden_web_archive_url }}"
-       dest: "{{ bitwarden_root_dir }}/tmp"
-       checksum: sha1:{{ bitwarden_web_archive_sha1 }}
+       url: "{{ vaultwarden_web_archive_url }}"
+       dest: "{{ vaultwarden_root_dir }}/tmp"
+       checksum: sha1:{{ vaultwarden_web_archive_sha1 }}

    - name: Extract the archive
      unarchive:
-        src: "{{ bitwarden_root_dir }}/tmp/bw_web_v{{ bitwarden_web_version }}.tar.gz"
-        dest: "{{ bitwarden_root_dir }}/tmp"
+        src: "{{ vaultwarden_root_dir }}/tmp/bw_web_v{{ vaultwarden_web_version }}.tar.gz"
+        dest: "{{ vaultwarden_root_dir }}/tmp"
        remote_src: True

    - name: Move files to their final location
      synchronize:
-        src: "{{ bitwarden_root_dir }}/tmp/web-vault/"
-        dest: "{{ bitwarden_root_dir }}/web-vault/"
+        src: "{{ vaultwarden_root_dir }}/tmp/web-vault/"
+        dest: "{{ vaultwarden_root_dir }}/web-vault/"
        recursive: True
        delete: True
      delegate_to: "{{ inventory_hostname }}"

 - name: Install systemd unit
-  template: src=bitwarden_rs.service.j2 dest=/etc/systemd/system/bitwarden_rs.service
-  register: bitwarden_unit
-  tags: bitwarden
+  template: src=vaultwarden.service.j2 dest=/etc/systemd/system/vaultwarden.service
+  register: vaultwarden_unit
+  tags: vaultwarden

 - name: Reload systemd
  systemd: daemon_reload=True
-  when: bitwarden_unit.changed
-  tags: bitwarden
+  when: vaultwarden_unit.changed
+  tags: vaultwarden

 - name: Install pre/post backup hooks
-  template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/bitwarden_rs.sh mode=755
+  template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/vaultwarden.sh mode=755
  loop:
    - pre
    - post
-  tags: bitwarden
+  tags: vaultwarden

 - import_tasks: ../includes/webapps_create_mysql_db.yml
  vars:
-    - db_name: "{{ bitwarden_db_name }}"
-    - db_user: "{{ bitwarden_db_user }}"
-    - db_server: "{{ bitwarden_db_server }}"
-    - db_pass: "{{ bitwarden_db_pass }}"
-  when: bitwarden_db_engine == 'mysql'
-  tags: bitwarden
+    - db_name: "{{ vaultwarden_db_name }}"
+    - db_user: "{{ vaultwarden_db_user }}"
+    - db_server: "{{ vaultwarden_db_server }}"
+    - db_pass: "{{ vaultwarden_db_pass }}"
+  when: vaultwarden_db_engine == 'mysql'
+  tags: vaultwarden
--- a/roles/vaultwarden/tasks/iptables.yml
+++ b/roles/vaultwarden/tasks/iptables.yml
@ -1,9 +1,8 @@
 ---

- name: Handle bitwarden_rs ports in the firewall
+- name: Handle vaultwarden ports in the firewall
  iptables_raw:
-    name: bitwarden_rs
-    state: "{{ (bitwarden_src_ip | length > 0) | ternary('present','absent') }}"
-    rules: "-A INPUT -m state --state NEW -m multiport -p tcp --dports {{ bitwarden_http_port }},{{ bitwarden_ws_port }} -s {{ bitwarden_src_ip | join(',') }} -j ACCEPT"
-  when: iptables_manage | default(True)
-  tags: firewall,bitwarden
+    name: vaultwarden
+    state: "{{ (vaultwarden_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -m multiport -p tcp --dports {{ vaultwarden_http_port }},{{ vaultwarden_ws_port }} -s {{ vaultwarden_src_ip | join(',') }} -j ACCEPT"
+  tags: firewall,vaultwarden
--- a/roles/vaultwarden/tasks/main.yml
+++ b/roles/vaultwarden/tasks/main.yml
@ -4,12 +4,15 @@
 - include: directories.yml
 - include: facts.yml
 - include: archive_pre.yml
-  when: bitwarden_install_mode == 'upgrade' or bitwarden_web_install_mode == 'upgrade'
+  when: vaultwarden_install_mode == 'upgrade' or vaultwarden_web_install_mode == 'upgrade'
 - include: install.yml
 - include: conf.yml
+- include: migrate_bitwarden_rs.yml
+  when: vaultwarden_migrate_from_bitwarden
 - include: iptables.yml
+  when: iptables_manage | default(True)
 - include: service.yml
 - include: write_version.yml
 - include: archive_post.yml
-  when: bitwarden_install_mode == 'upgrade' or bitwarden_web_install_mode == 'upgrade'
+  when: vaultwarden_install_mode == 'upgrade' or vaultwarden_web_install_mode == 'upgrade'
 - include: cleanup.yml
--- a/roles/vaultwarden/tasks/migrate_bitwarden_rs.yml
+++ b/roles/vaultwarden/tasks/migrate_bitwarden_rs.yml
@ -0,0 +1,73 @@
+---
+
+- name: Set bitwarden facts
+  block:
+    - set_fact: bitwarden_root_dir={{ bitwarden_root_dir | default('/opt/bitwarden_rs') }}
+    - set_fact: bitwarden_db_name={{ bitwarden_db_name | default('bitwardenrs') }}
+  tags: vaultwarden
+
+- name: Check if SQLite DB exists
+  stat: path={{ bitwarden_root_dir }}/data/db.sqlite3
+  register: vaultwarden_bitwarden_sqlite
+  tags: vaultwarden
+
+- name: Stop the old service
+  service: name=bitwarden_rs state=stopped
+  tags: vaultwarden
+
+- name: Migrate data dir
+  synchronize:
+    src: "{{ bitwarden_root_dir }}/data/"
+    dest: "{{ vaultwarden_root_dir }}/data/"
+    compress: False
+    recursive: True
+  delegate_to: "{{ inventory_hostname }}"
+  tags: vaultwarden
+
+- name: Fix permissions on vaultwarden data dir
+  file: path={{ vaultwarden_root_dir }}/data/ recurse=True owner={{ vaultwarden_user }} group={{ vaultwarden_user }}
+  tags: vaultwarden
+
+# We assume vaultwarden was configured the same way bitwarden was, same db engine, db server etc.
+# So here we just dump the database and inject the dump in the new DB
+- when: vaultwarden_db_engine == 'mysql'
+  block:
+    # Dump the database of Bitwarden_RS
+    - mysql_db:
+        state: dump
+        name: "{{ bitwarden_db_name }}"
+        target: "{{ vaultwarden_root_dir }}/tmp/bitwardenrs.sql.xz"
+        login_host: "{{ vaultwarden_db_server }}"
+        login_user: sqladmin
+        login_password: "{{ mysql_admin_pass }}"
+        quick: True
+        single_transaction: True
+
+    # Inject the dump in the new vaultwarden database
+    - mysql_db:
+        state: import
+        name: "{{ vaultwarden_db_name }}"
+        target: "{{ vaultwarden_root_dir }}/tmp/bitwardenrs.sql.xz"
+        login_host: "{{ vaultwarden_db_server }}"
+        login_user: sqladmin
+        login_password: "{{ mysql_admin_pass }}"
+
+  tags: vaultwarden
+
+- name: Cleanup files
+  file: path={{ item }} state=absent
+  loop:
+    - /etc/systemd/system/bitwarden_rs.service
+    - /etc/nginx/ansible_conf.d/31-bitwarden.conf
+    - /etc/backup/pre.d/bitwarden_rs.sh
+    - /etc/backup/post.d/bitwarden_rs.sh
+    - "{{ vaultwarden_root_dir }}/tmp/bitwardenrs.sql.xz"
+  notify: reload nginx
+  tags: vaultwarden
+
+- name: Remove old iptables rules
+  iptables_raw:
+    name: bitwarden_rs
+    state: absent
+  when: iptables_manage | default(True)
+  tags: vaultwarden
--- a/roles/vaultwarden/tasks/service.yml
+++ b/roles/vaultwarden/tasks/service.yml
@ -1,6 +1,6 @@
 ---

 - name: Start and enable the service
-  service: name=bitwarden_rs state=started enabled=True
-  register: bitwarden_started
-  tags: bitwarden
+  service: name=vaultwarden state=started enabled=True
+  register: vaultwarden_started
+  tags: vaultwarden
--- a/roles/vaultwarden/tasks/user.yml
+++ b/roles/vaultwarden/tasks/user.yml
@ -1,5 +1,5 @@
 ---

- name: Create bitwarden_rs user
-  user: name={{ bitwarden_user }} home={{ bitwarden_root_dir }} system=True
-  tags: bitwarden
+- name: Create vaultwarden user
+  user: name={{ vaultwarden_user }} home={{ vaultwarden_root_dir }} system=True
+  tags: vaultwarden
--- a/roles/vaultwarden/tasks/write_version.yml
+++ b/roles/vaultwarden/tasks/write_version.yml
@ -1,10 +1,10 @@
 ---

 - name: Write versions
-  copy: content={{ item.version }} dest={{ bitwarden_root_dir }}/meta/{{ item.file }}
+  copy: content={{ item.version }} dest={{ vaultwarden_root_dir }}/meta/{{ item.file }}
  loop:
-    - version: "{{ bitwarden_version }}"
+    - version: "{{ vaultwarden_version }}"
      file: ansible_version
-    - version: "{{ bitwarden_web_version }}"
+    - version: "{{ vaultwarden_web_version }}"
      file: ansible_web_version
-  tags: bitwarden
+  tags: vaultwarden
--- a/roles/vaultwarden/templates/nginx.conf.j2
+++ b/roles/vaultwarden/templates/nginx.conf.j2
@ -1,21 +1,21 @@
 server {
  listen 443 ssl http2;
-  server_name {{ bitwarden_public_url | urlsplit('hostname') }};
+  server_name {{ vaultwarden_public_url | urlsplit('hostname') }};

  include /etc/nginx/ansible_conf.d/acme.inc;

-{% if bitwarden_cert_path is defined and bitwarden_key_path is defined %}
-  ssl_certificate     {{ bitwarden_cert_path }};
-  ssl_certificate_key {{ bitwarden_key_path }};
-{% elif bitwarden_letsencrypt_cert is defined and bitwarden_letsencrypt_cert == True %}
-  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ bitwarden_public_url | urlsplit('hostname') }}/fullchain.pem;
-  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ bitwarden_public_url | urlsplit('hostname') }}/privkey.pem;
-{% elif bitwarden_letsencrypt_cert is string %}
-  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ bitwarden_letsencrypt_cert }}/fullchain.pem;
-  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ bitwarden_letsencrypt_cert }}/privkey.pem;
+{% if vaultwarden_cert_path is defined and vaultwarden_key_path is defined %}
+  ssl_certificate     {{ vaultwarden_cert_path }};
+  ssl_certificate_key {{ vaultwarden_key_path }};
+{% elif vaultwarden_letsencrypt_cert is defined and vaultwarden_letsencrypt_cert == True %}
+  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ vaultwarden_public_url | urlsplit('hostname') }}/fullchain.pem;
+  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ vaultwarden_public_url | urlsplit('hostname') }}/privkey.pem;
+{% elif vaultwarden_letsencrypt_cert is string %}
+  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ vaultwarden_letsencrypt_cert }}/fullchain.pem;
+  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ vaultwarden_letsencrypt_cert }}/privkey.pem;
 {% endif %}

-  root {{ bitwarden_root_dir }}/web-vault;
+  root {{ vaultwarden_root_dir }}/web-vault;

  client_max_body_size 512M;

@ -24,16 +24,16 @@ server {
  }

  location /notifications/hub {
-    proxy_pass http://localhost:{{ bitwarden_ws_port }};
+    proxy_pass http://localhost:{{ vaultwarden_ws_port }};
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
  location /notifications/hub/negotiate {
-    proxy_pass http://localhost:{{ bitwarden_http_port }};
+    proxy_pass http://localhost:{{ vaultwarden_http_port }};
  }

  location @proxy {
-    proxy_pass http://localhost:{{ bitwarden_http_port }};
+    proxy_pass http://localhost:{{ vaultwarden_http_port }};
  }

  location / {
@ -62,7 +62,7 @@ server {
  proxy_max_temp_file_size 5m;

  allow 127.0.0.1;
-{% for ip in bitwarden_web_src_ip %}
+{% for ip in vaultwarden_web_src_ip %}
  allow {{ ip }};
 {% endfor %}
  deny all;
--- a/roles/vaultwarden/templates/post-backup.sh.j2
+++ b/roles/vaultwarden/templates/post-backup.sh.j2
@ -1,4 +1,3 @@
 #!/bin/bash -e

-rm -f {{ bitwarden_root_dir }}/backup/*
-umount /home/lbkp/bitwarden_rs
+rm -f {{ vaultwarden_root_dir }}/backup/*
--- a/roles/vaultwarden/templates/pre-backup.sh.j2
+++ b/roles/vaultwarden/templates/pre-backup.sh.j2
@ -1,17 +1,16 @@
 #!/bin/bash -e

-mkdir -p /home/lbkp/bitwarden_rs/
-cp {{ bitwarden_root_dir }}/data/rsa* {{ bitwarden_root_dir }}/backup/
-{% if bitwarden_db_engine == 'mysql' %}
+mkdir -p /home/lbkp/vaultwarden/
+cp {{ vaultwarden_root_dir }}/data/rsa* {{ vaultwarden_root_dir }}/backup/
+{% if vaultwarden_db_engine == 'mysql' %}
 /usr/bin/mysqldump \
-{% if bitwarden_db_server != 'localhost' and bitwarden_db_server != '127.0.0.1' %}
-	--user='{{ bitwarden_db_user }}' \
-        --password='{{ bitwarden_db_pass }}' \
-        --host='{{ bitwarden_db_server }}' \
+{% if vaultwarden_db_server != 'localhost' and vaultwarden_db_server != '127.0.0.1' %}
+	--user='{{ vaultwarden_db_user }}' \
+        --password='{{ vaultwarden_db_pass }}' \
+        --host='{{ vaultwarden_db_server }}' \
 {% endif %}
        --quick --single-transaction \
-        --add-drop-table {{ bitwarden_db_name }} | zstd -T0 -c > {{ bitwarden_root_dir }}/backup/{{ bitwarden_db_name }}.sql.zst
+        --add-drop-table {{ vaultwarden_db_name }} | zstd -c > {{ vaultwarden_root_dir }}/backup/{{ vaultwarden_db_name }}.sql.zst
 {% else %}
-sqlite3 {{ bitwarden_root_dir }}/data/db.sqlite3 ".backup '{{ bitwarden_root_dir }}/backup/db.sqlite3'"
+sqlite3 {{ vaultwarden_root_dir }}/data/db.sqlite3 ".backup '{{ vaultwarden_root_dir }}/backup/db.sqlite3'"
 {% endif %}
-mountpoint -q /home/lbkp/bitwarden_rs/ || mount -o bind,ro {{ bitwarden_root_dir }}/backup/ /home/lbkp/bitwarden_rs/
--- a/roles/vaultwarden/templates/vaultwarden.conf.j2
+++ b/roles/vaultwarden/templates/vaultwarden.conf.j2
@ -0,0 +1,28 @@
+IP_HEADER=X-Forwarded-For
+SIGNUPS_VERIFY=true
+SIGNUPS_ALLOWED={{ vaultwarden_registration | ternary('true','false') }}
+{% if vaultwarden_domains_whitelist | length > 0 %}
+SIGNUPS_DOMAINS_WHITELIST={{ vaultwarden_domains_whitelist | join(',') }}
+{% endif %}
+ADMIN_TOKEN={{ vaultwarden_admin_token }}
+DISABLE_ADMIN_TOKEN={{ vaultwarden_disable_admin_token | ternary('true','false') }}
+DOMAIN={{ vaultwarden_public_url }}
+ROCKET_ENV=prod
+ROCKET_ADDRESS=0.0.0.0
+ROCKET_PORT={{ vaultwarden_http_port }}
+WEBSOCKET_ENABLED=true
+WEBSOCKET_PORT={{ vaultwarden_ws_port }}
+SMTP_HOST=localhost
+SMTP_PORT=25
+SMTP_SSL=false
+SMTP_FROM=vaultwarden-rs-noreply@{{ ansible_domain }}
+{% if vaultwarden_db_engine == 'mysql' %}
+DATABASE_URL=mysql://{{ vaultwarden_db_user }}:{{ vaultwarden_db_pass | urlencode | regex_replace('/','%2F') }}@{{ vaultwarden_db_server }}:{{ vaultwarden_db_port }}/{{ vaultwarden_db_name }}
+ENABLE_DB_WAL=false
+{% else %}
+DATABASE_URL=data/db.sqlite3
+{% endif %}
+{% if vaultwarden_yubico_client_id is defined and vaultwarden_yubico_secret_key is defined %}
+YUBICO_CLIENT_ID={{ vaultwarden_yubico_client_id }}
+YUBICO_SECRET_KEY={{ vaultwarden_yubico_secret_key }}
+{% endif %}
--- a/roles/vaultwarden/templates/vaultwarden.service.j2
+++ b/roles/vaultwarden/templates/vaultwarden.service.j2
@ -0,0 +1,27 @@
+[Unit]
+Description=Bitwarden Server (Rust Edition)
+Documentation=https://github.com/dani-garcia/vaultwarden_rs
+After=network.target
+{% if vaultwarden_db_engine == 'mysql' and (vaultwarden_db_server in ['localhost', '127.0.0.1']) %}
+After=mariadb.service
+Requires=mariadb.service
+{% endif %}
+
+[Service]
+User={{ vaultwarden_user }}
+Group={{ vaultwarden_user }}
+EnvironmentFile={{ vaultwarden_root_dir }}/etc/vaultwarden.conf
+ExecStart={{ vaultwarden_root_dir }}/bin/vaultwarden
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
+WorkingDirectory={{ vaultwarden_root_dir }}
+ReadWriteDirectories={{ vaultwarden_root_dir }}/data
+ReadOnlyDirectories={{ vaultwarden_root_dir }}/etc {{ vaultwarden_root_dir }}/web-vault
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target