From bab729a956740042839298d77d7400d55b1ac8f2 Mon Sep 17 00:00:00 2001 
From: Daniel Berteaud
Date: Fri, 14 May 2021 12:00:06 +0200
Subject: [PATCH] Update to 2021-05-14 12:00
---
 roles/vaultwarden/defaults/main.yml | 49 +++++++++
 roles/vaultwarden/handlers/main.yml | 5 +
 roles/vaultwarden/meta/main.yml | 9 ++
 roles/vaultwarden/tasks/archive_post.yml | 12 +++
 roles/vaultwarden/tasks/archive_pre.yml | 38 +++++++
 roles/vaultwarden/tasks/cleanup.yml | 10 ++
 roles/vaultwarden/tasks/conf.yml | 11 +++
 roles/vaultwarden/tasks/directories.yml | 24 +++++
 roles/vaultwarden/tasks/facts.yml | 67 +++++++++++++
 roles/vaultwarden/tasks/install.yml | 109 +++++++++++++++++++++
 roles/vaultwarden/tasks/iptables.yml | 9 ++
 roles/vaultwarden/tasks/main.yml | 15 +++
 roles/vaultwarden/tasks/service.yml | 6 ++
 roles/vaultwarden/tasks/user.yml | 5 +
 roles/vaultwarden/tasks/write_version.yml | 10 ++
 roles/vaultwarden/templates/bitwarden_rs.conf.j2 | 28 ++++++
 .../vaultwarden/templates/bitwarden_rs.service.j2 | 27 +++++
 roles/vaultwarden/templates/nginx.conf.j2 | 69 +++++++++++++
 roles/vaultwarden/templates/post-backup.sh.j2 | 4 +
 roles/vaultwarden/templates/pre-backup.sh.j2 | 17 ++++
 20 files changed, 524 insertions(+)
 create mode 100644 roles/vaultwarden/defaults/main.yml
 create mode 100644 roles/vaultwarden/handlers/main.yml
 create mode 100644 roles/vaultwarden/meta/main.yml
 create mode 100644 roles/vaultwarden/tasks/archive_post.yml
 create mode 100644 roles/vaultwarden/tasks/archive_pre.yml
 create mode 100644 roles/vaultwarden/tasks/cleanup.yml
 create mode 100644 roles/vaultwarden/tasks/conf.yml
 create mode 100644 roles/vaultwarden/tasks/directories.yml
 create mode 100644 roles/vaultwarden/tasks/facts.yml
 create mode 100644 roles/vaultwarden/tasks/install.yml
 create mode 100644 roles/vaultwarden/tasks/iptables.yml
 create mode 100644 roles/vaultwarden/tasks/main.yml
 create mode 100644 roles/vaultwarden/tasks/service.yml
 create mode 100644 roles/vaultwarden/tasks/user.yml
 create mode 100644 roles/vaultwarden/tasks/write_version.yml
 create mode 100644 roles/vaultwarden/templates/bitwarden_rs.conf.j2
 create mode 100644 roles/vaultwarden/templates/bitwarden_rs.service.j2
 create mode 100644 roles/vaultwarden/templates/nginx.conf.j2
 create mode 100644 roles/vaultwarden/templates/post-backup.sh.j2
 create mode 100644 roles/vaultwarden/templates/pre-backup.sh.j2
diff --git a/roles/vaultwarden/defaults/main.yml b/roles/vaultwarden/defaults/main.yml
new file mode 100644
index 0000000..63dcf4f
--- /dev/null
+++ b/roles/vaultwarden/defaults/main.yml
@@ -0,0 +1,49 @@
+---
+
+bitwarden_version: 1.20.0
+bitwarden_archive_url: https://github.com/dani-garcia/bitwarden_rs/archive/{{ bitwarden_version }}.tar.gz
+bitwarden_archive_sha1: 39354ae4124a95a7fcb53e81d6234c5599f609fa
+
+bitwarden_web_version: 2.19.0
+bitwarden_web_archive_url: https://github.com/dani-garcia/bw_web_builds/releases/download/v{{ bitwarden_web_version }}/bw_web_v{{ bitwarden_web_version }}.tar.gz
+bitwarden_web_archive_sha1: dfb5acdad88bb6a915b7115739428278e7f3ea98
+
+bitwarden_root_dir: /opt/bitwarden_rs
+bitwarden_user: bitwarden_rs
+
+# Database : can be sqlite or mysql
+bitwarden_db_engine: sqlite
+bitwarden_db_server: "{{ mysql_server | default('localhost') }}"
+bitwarden_db_port: 3306
+bitwarden_db_name: bitwardenrs
+bitwarden_db_user: bitwardenrs
+# A random one will be created if not defined
+# bitwaren_db_pass: S3cr3t.
+
+# Port on which bitwarden will bind
+bitwarden_http_port: 8000
+bitwarden_ws_port: 8001
+# List of IP addresses (can be CIDR notation) which will be able to
+# access bitwarden ports
+bitwarden_src_ip: []
+bitwarden_web_src_ip: []
+
+# Public URL on which bitwarden will be accessible
+bitwarden_public_url: http://{{ inventory_hostname }}:{{ bitwarden_http_port }}
+
+# Should registration be enabled
+bitwarden_registration: False
+# List of domain names for which registration will be accepted
+# Those domains will be accepted for registration even if bitwarden_registration is set to False
+bitwarden_domains_whitelist:
+ - "{{ ansible_domain }}"
+
+# Admin Token to access /admin. A random one is created if not defined
+# bitwarden_admin_token: S3cr3t.
+
+# Or you can just disable the admin token. But you have to protect /admin yourself (eg, on a reverse proxy)
+bitwarden_disable_admin_token: False
+
+# YubiKey settings
+# bitwarden_yubico_client_id: XXXX
+# bitwarden_yubico_secret_key: XXXX
diff --git a/roles/vaultwarden/handlers/main.yml b/roles/vaultwarden/handlers/main.yml
new file mode 100644
index 0000000..2794df6
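Review bot: The archive integrity pins (`bitwarden_archive_sha1`, `bitwarden_web_archive_sha1`) use SHA-1, and the server one covers GitHub's on-the-fly source tarball (`archive/{{ bitwarden_version }}.tar.gz`), which is not guaranteed to stay byte-identical when regenerated, so the check is both weak and brittle. Prefer a SHA-256 digest, which `get_url` accepts as `checksum: sha256:...`, and point at a published release asset or a tag checkout where one exists. `bitwarden_public_url` defaults to `http://`, while the role's own nginx template only listens on 443 and the value is written straight into `DOMAIN`; a comment that it must be set to the real https URL would prevent a silently broken deployment. Typo in the commented example: `# bitwaren_db_pass: S3cr3t.` should read `# bitwarden_db_pass: S3cr3t.`, otherwise users copying it set a variable the role never reads.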
--- /dev/null
+++ b/roles/vaultwarden/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+
+- name: restart bitwarden_rs
+ service: name=bitwarden_rs state=restarted
+ when: not bitwarden_started.changed
diff --git a/roles/vaultwarden/meta/main.yml b/roles/vaultwarden/meta/main.yml
new file mode 100644
index 0000000..7c96be6
--- /dev/null
+++ b/roles/vaultwarden/meta/main.yml
@@ -0,0 +1,9 @@
+---
+
+dependencies:
+ - role: rust
+ - role: nginx
+ - role: repo_mariadb
+ when: bitwarden_db_engine == 'mysql'
+ - role: mysql_server
+ when: bitwarden_db_engine == 'mysql' and (bitwarden_db_server == 'localhost' or bitwarden_db_server == '127.0.0.1')
diff --git a/roles/vaultwarden/tasks/archive_post.yml b/roles/vaultwarden/tasks/archive_post.yml
new file mode 100644
index 0000000..0ed100d
--- /dev/null
+++ b/roles/vaultwarden/tasks/archive_post.yml
@@ -0,0 +1,12 @@
+---
+
+- name: Compress previous version
+ command: tar cJf {{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}.txz ./
+ args:
+ warn: False
+ chdir: "{{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}"
+ tags: bitwarden
+
+- name: Remove archive dir
+ file: path={{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }} state=absent
+ tags: bitwarden
diff --git a/roles/vaultwarden/tasks/archive_pre.yml b/roles/vaultwarden/tasks/archive_pre.yml
new file mode 100644
index 0000000..c703fbe
--- /dev/null
+++ b/roles/vaultwarden/tasks/archive_pre.yml
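Review bot: The handler's `when: not bitwarden_started.changed` dereferences a fact that only exists once service.yml has registered it, so a notify fired by conf.yml or install.yml in a run that fails before service.yml makes the handler itself error on an undefined variable instead of restarting the service. Guard it: `when: not (bitwarden_started.changed | default(False))`. The key=value module syntax used here and throughout the role is the older form; native YAML arguments (`service: {name: bitwarden_rs, state: restarted}`) are what ansible-lint expects and avoid quoting surprises in templated values.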
@@ -0,0 +1,38 @@
+---
+
+- name: Create archive dir
+ file: path={{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }} state=directory
+ tags: bitwarden
+
+- name: Stop bitwarden during upgrade
+ service: name=bitwarden_rs state=stopped
+ tags: bitwarden
+
+- name: Archive current version
+ synchronize:
+ src: "{{ bitwarden_root_dir }}/{{ item }}"
+ dest: "{{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}/"
+ recursive: True
+ delete: True
+ delegate_to: "{{ inventory_hostname }}"
+ loop:
+ - bitwarden_rs
+ - data
+ - etc
+ - web-vault
+ tags: bitwarden
+
+- name: Dump the database
+ mysql_db:
+ state: dump
+ name: "{{ bitwarden_db_name }}"
+ target: "{{ bitwarden_root_dir }}/archives/{{ bitwarden_current_version }}+{{ bitwarden_web_current_version }}/{{ bitwarden_db_name }}.sql.xz"
+ login_host: "{{ bitwarden_db_server }}"
+ login_user: "{{ bitwarden_db_user }}"
+ login_password: "{{ bitwarden_db_pass }}"
+ quick: True
+ single_transaction: True
+ environment:
+ XZ_OPT: -T0
+ when: bitwarden_db_engine == 'mysql'
+ tags: bitwarden
diff --git a/roles/vaultwarden/tasks/cleanup.yml b/roles/vaultwarden/tasks/cleanup.yml
new file mode 100644
index 0000000..7832a7f
--- /dev/null
+++ b/roles/vaultwarden/tasks/cleanup.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Remove temp files
+ file: path={{ item }} state=absent
+ loop:
+ - "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}"
+ - "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}.tar.gz"
+ - "{{ bitwarden_root_dir }}/tmp/web-vault"
+ - "{{ bitwarden_root_dir }}/tmp/bw_web_v{{ bitwarden_web_version }}.tar.gz"
+ tags: bitwarden
diff --git a/roles/vaultwarden/tasks/conf.yml b/roles/vaultwarden/tasks/conf.yml
new file mode 100644
index 0000000..b927011
--- /dev/null
+++ b/roles/vaultwarden/tasks/conf.yml
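Review bot: `Stop bitwarden during upgrade` stops the service for the rest of the play, but nothing here restarts it on failure; the only path that starts it again is service.yml's `state=started`, which is never reached if the cargo build in install.yml fails, so a broken upgrade leaves the vault down until someone intervenes. Wrap the upgrade path in a `block`/`rescue` that re-starts the service, or move the stop to just before the binary copy so the window is as small as possible. The archive also copies `etc/` (admin token, DB password) and `data/` (RSA keys, sqlite DB) under `archives/`, whose only protection is the 0700 mode directories.yml gives the parent; a comment such as `# archives/ holds secrets (etc/, data/) - relies on the 0700 parent dir` would keep the later `tar cJf` in archive_post.yml from being relaxed without realising what is inside.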
@@ -0,0 +1,11 @@
+---
+
+- name: Deploy configuration
+ template: src=bitwarden_rs.conf.j2 dest={{ bitwarden_root_dir }}/etc/bitwarden_rs.conf group={{ bitwarden_user }} mode=640
+ notify: restart bitwarden_rs
+ tags: bitwarden
+
+- name: Deploy nginx configuration
+ template: src=nginx.conf.j2 dest=/etc/nginx/ansible_conf.d/31-bitwarden.conf
+ notify: reload nginx
+ tags: bitwarden
diff --git a/roles/vaultwarden/tasks/directories.yml b/roles/vaultwarden/tasks/directories.yml
new file mode 100644
index 0000000..e25f096
--- /dev/null
+++ b/roles/vaultwarden/tasks/directories.yml
@@ -0,0 +1,24 @@
+---
+
+- name: Create directories
+ file: path={{ bitwarden_root_dir }}/{{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+ loop:
+ - dir: /
+ mode: 755
+ - dir: etc
+ group: "{{ bitwarden_user }}"
+ mode: 750
+ - dir: tmp
+ mode: 700
+ - dir: meta
+ mode: 700
+ - dir: archives
+ mode: 700
+ - dir: data
+ owner: "{{ bitwarden_user }}"
+ group: "{{ bitwarden_user }}"
+ mode: 700
+ - dir: web-vault
+ - dir: backup
+ mode: 700
+ tags: bitwarden
diff --git a/roles/vaultwarden/tasks/facts.yml b/roles/vaultwarden/tasks/facts.yml
new file mode 100644
index 0000000..cbe95c5
--- /dev/null
+++ b/roles/vaultwarden/tasks/facts.yml
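Review bot: `bitwarden_rs.conf` carries the admin token, the database password and the Yubico secret in clear text, so the `group={{ bitwarden_user }} mode=640` on the first template task is the only thing keeping them from other local users, and the owner is left implicit (whoever Ansible runs as). Make it explicit with `owner=root` so a run under a non-root `become_user` cannot quietly produce a file the service account can write, and note it on the task: `# contains ADMIN_TOKEN and DB credentials - keep root:{{ bitwarden_user }} 0640`. The nginx template task sets no mode; harmless for a file without secrets, but an explicit `mode=0644` documents the intent.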
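Review bot: The `mode: 755` / `mode: 700` values in the loop are YAML integers; they only produce the intended octal modes because the `file:` line templates them into a `mode=...` key=value string, where Ansible reads a digit string as octal. If the task is ever converted to native YAML module arguments (the form ansible-lint pushes toward), `mode: 700` is passed as decimal 700 and every "private" directory ends up with an unintended mode. Quote them now (`mode: "0700"`, `mode: "0755"`) so the meaning survives that refactor. `web-vault` gets neither owner nor mode; a comment that it is intentionally root-owned and world-readable because nginx serves it straight from disk would help the next reader.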
@@ -0,0 +1,67 @@
+---
+
+- name: Set initial install modes
+ block:
+ - set_fact: bitwarden_install_mode='none'
+ - set_fact: bitwarden_current_version=''
+ - set_fact: bitwarden_web_install_mode='none'
+ - set_fact: bitwarden_web_current_version=''
+ tags: bitwarden
+
+- name: Check if server is installed
+ stat: path={{ bitwarden_root_dir }}/meta/ansible_version
+ register: bitwarden_version_file
+ tags: bitwarden
+
+- when: bitwarden_version_file.stat.exists
+ block:
+ - name: Check installed version
+ slurp: src={{ bitwarden_root_dir }}/meta/ansible_version
+ register: bitwarden_current_version
+ - set_fact: bitwarden_current_version={{ bitwarden_current_version.content | b64decode | trim }}
+ - set_fact: bitwarden_install_mode='upgrade'
+ when: bitwarden_current_version != bitwarden_version
+ tags: bitwarden
+
+- when: not bitwarden_version_file.stat.exists
+ block:
+ - set_fact: bitwarden_install_mode='install'
+ tags: bitwarden
+
+- name: Check if web vault is installed
+ stat: path={{ bitwarden_root_dir }}/meta/ansible_web_version
+ register: bitwarden_web_version_file
+ tags: bitwarden
+
+- when: bitwarden_web_version_file.stat.exists
+ block:
+ - name: Check installed version
+ slurp: src={{ bitwarden_root_dir }}/meta/ansible_web_version
+ register: bitwarden_web_current_version
+ - set_fact: bitwarden_web_current_version={{ bitwarden_web_current_version.content | b64decode | trim }}
+ - set_fact: bitwarden_web_install_mode='upgrade'
+ when: bitwarden_web_current_version != bitwarden_web_version
+ tags: bitwarden
+
+- when: not bitwarden_web_version_file.stat.exists
+ block:
+ - set_fact: bitwarden_web_install_mode='install'
+ tags: bitwarden
+
+- when: bitwarden_admin_token is not defined
+ name: Generate a random admin token
+ block:
+ - import_tasks: ../includes/get_rand_pass.yml
+ vars:
+ - pass_file: "{{ bitwarden_root_dir }}/meta/ansible_admin_token"
+ - set_fact: bitwarden_admin_token={{ rand_pass }}
+ tags: bitwarden
+
+- when: bitwarden_db_pass is not defined
+ tags: bitwarden
+ block:
+ - import_tasks: ../includes/get_rand_pass.yml
+ vars:
+ - pass_file: "{{ bitwarden_root_dir }}/meta/ansible_dbpass"
+ - set_fact: bitwarden_db_pass={{ rand_pass }}
+
diff --git a/roles/vaultwarden/tasks/install.yml b/roles/vaultwarden/tasks/install.yml
new file mode 100644
index 0000000..0ec0731
--- /dev/null
+++ b/roles/vaultwarden/tasks/install.yml
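Review bot: `register: bitwarden_current_version` on the slurp task and the `set_fact` right after it reuse one name for two different shapes (the module result dict, then the decoded string), which is easy to misread and fragile if a task is later inserted between them. Register into a distinct name, e.g. `register: bitwarden_version_slurp` and `set_fact: bitwarden_current_version={{ bitwarden_version_slurp.content | b64decode | trim }}`, and the same for the web-vault block. The `when: bitwarden_current_version != bitwarden_version` check is a plain string inequality, so any difference — including lowering `bitwarden_version` — is treated as an upgrade; a comment saying that is intended (the archive step covers both directions) would save a future reader the question. The DB-password block is not conditioned on `bitwarden_db_engine`, so a random `ansible_dbpass` is generated and stored under `meta/` even for sqlite installs; harmless, but worth either a `when` or a comment.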
@@ -0,0 +1,109 @@
+---
+
+- name: Install needed packages
+ yum:
+ name:
+ - openssl-devel
+ - gcc
+ - sqlite
+ tags: bitwarden
+
+- name: Check if MariaDB version is set
+ fail: msg="Need to define mysql_mariadb_version"
+ when:
+ - bitwarden_db_engine == 'mysql'
+ - mysql_mariadb_version is not defined or mysql_mariadb_version == 'default'
+ - ansible_os_family == 'RedHat'
+ - ansible_distribution_major_version is version('8','<')
+ tags: bitwarden
+
+- name: Install MariaDB devel package
+ yum:
+ name:
+ - mariadb-devel
+ when: bitwarden_db_engine == 'mysql'
+ tags: bitwarden
+
+ # With upstream MariaDB repo, /usr/lib64/libmariadb.so is in MariaDB-shared not in MariaDB-devel
+- name: Install MariaDB shared libs
+ yum:
+ name:
+ - MariaDB-shared
+ when:
+ - bitwarden_db_engine == 'mysql'
+ - mysql_mariadb_version is defined
+ - mysql_mariadb_version != 'default'
+ tags: bitwarden
+
+- when: bitwarden_install_mode != 'none'
+ tags: bitwarden
+ block:
+ - name: Download bitwarden
+ get_url:
+ url: "{{ bitwarden_archive_url }}"
+ dest: "{{ bitwarden_root_dir }}/tmp"
+ checksum: sha1:{{ bitwarden_archive_sha1 }}
+
+ - name: Extract bitwarden archive
+ unarchive:
+ src: "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}.tar.gz"
+ dest: "{{ bitwarden_root_dir }}/tmp"
+ remote_src: True
+
+ - name: Build bitwarden
+ command: bash -lc 'cargo build --features={{ (bitwarden_db_engine == "mysql") | ternary("mysql","sqlite") }} --release'
+ args:
+ chdir: "{{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}"
+
+ - name: Install binary
+ copy: src={{ bitwarden_root_dir }}/tmp/bitwarden_rs-{{ bitwarden_version }}/target/release/bitwarden_rs dest="{{ bitwarden_root_dir }}/" mode=755 remote_src=True
+ notify: restart bitwarden_rs
+
+- when: bitwarden_web_install_mode != 'none'
+ tags: bitwarden
+ block:
+ - name: Download bitwarden web vault
+ get_url:
+ url: "{{ bitwarden_web_archive_url }}"
+ dest: "{{ bitwarden_root_dir }}/tmp"
+ checksum: sha1:{{ bitwarden_web_archive_sha1 }}
+
+ - name: Extract the archive
+ unarchive:
+ src: "{{ bitwarden_root_dir }}/tmp/bw_web_v{{ bitwarden_web_version }}.tar.gz"
+ dest: "{{ bitwarden_root_dir }}/tmp"
+ remote_src: True
+
+ - name: Move files to their final location
+ synchronize:
+ src: "{{ bitwarden_root_dir }}/tmp/web-vault/"
+ dest: "{{ bitwarden_root_dir }}/web-vault/"
+ recursive: True
+ delete: True
+ delegate_to: "{{ inventory_hostname }}"
+
+- name: Install systemd unit
+ template: src=bitwarden_rs.service.j2 dest=/etc/systemd/system/bitwarden_rs.service
+ register: bitwarden_unit
+ tags: bitwarden
+
+- name: Reload systemd
+ systemd: daemon_reload=True
+ when: bitwarden_unit.changed
+ tags: bitwarden
+
+- name: Install pre/post backup hooks
+ template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/bitwarden_rs.sh mode=755
+ loop:
+ - pre
+ - post
+ tags: bitwarden
+
+- import_tasks: ../includes/webapps_create_mysql_db.yml
+ vars:
+ - db_name: "{{ bitwarden_db_name }}"
+ - db_user: "{{ bitwarden_db_user }}"
+ - db_server: "{{ bitwarden_db_server }}"
+ - db_pass: "{{ bitwarden_db_pass }}"
+ when: bitwarden_db_engine == 'mysql'
+ tags: bitwarden
diff --git a/roles/vaultwarden/tasks/iptables.yml b/roles/vaultwarden/tasks/iptables.yml
new file mode 100644
index 0000000..d320360
--- /dev/null
+++ b/roles/vaultwarden/tasks/iptables.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Handle bitwarden_rs ports in the firewall
+ iptables_raw:
+ name: bitwarden_rs
+ state: "{{ (bitwarden_src_ip | length > 0) | ternary('present','absent') }}"
+ rules: "-A INPUT -m state --state NEW -m multiport -p tcp --dports {{ bitwarden_http_port }},{{ bitwarden_ws_port }} -s {{ bitwarden_src_ip | join(',') }} -j ACCEPT"
+ when: iptables_manage | default(True)
+ tags: firewall,bitwarden
diff --git a/roles/vaultwarden/tasks/main.yml b/roles/vaultwarden/tasks/main.yml
new file mode 100644
index 0000000..ee1a661
--- /dev/null
+++ b/roles/vaultwarden/tasks/main.yml
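Review bot: `cargo build --release` runs without `--locked`, so if the tagged `Cargo.lock` is out of sync with `Cargo.toml` (or absent) cargo re-resolves and downloads fresh crate versions at deploy time, and the shipped binary is no longer what the pinned source tarball describes; make the build fail instead of drifting: `cargo build --locked --features=... --release`. The build and its crate downloads also run as root with a login shell (`bash -lc`), presumably because the rust role puts cargo on PATH that way — a comment saying so would help, and running it as a build user would be safer. The backup hooks are installed with `mode=755`, which makes `/etc/backup/pre.d/bitwarden_rs.sh` world-readable while the pre hook template embeds the MySQL password for remote servers; `mode=0700` is the right default for both hooks.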
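Review bot: The rule opens the raw Rocket HTTP and websocket ports to `bitwarden_src_ip`, which bypasses everything the role's nginx server block enforces — TLS, the `allow`/`deny` list, the security headers — and, because the backend is configured with `IP_HEADER=X-Forwarded-For`, lets a direct client present a forged source address toward rate limiting and the admin lockout. Since the nginx template proxies to `localhost`, the normal deployment should leave `bitwarden_src_ip` empty; a comment above the task such as `# Only needed when clients must bypass the local nginx; direct access trusts X-Forwarded-For` would stop someone opening it for convenience. Minor: `-m state --state NEW` is the legacy match, `-m conntrack --ctstate NEW` is the current equivalent.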
@@ -0,0 +1,15 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+ when: bitwarden_install_mode == 'upgrade' or bitwarden_web_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+- include: service.yml
+- include: write_version.yml
+- include: archive_post.yml
+ when: bitwarden_install_mode == 'upgrade' or bitwarden_web_install_mode == 'upgrade'
+- include: cleanup.yml
diff --git a/roles/vaultwarden/tasks/service.yml b/roles/vaultwarden/tasks/service.yml
new file mode 100644
index 0000000..3426883
--- /dev/null
+++ b/roles/vaultwarden/tasks/service.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Start and enable the service
+ service: name=bitwarden_rs state=started enabled=True
+ register: bitwarden_started
+ tags: bitwarden
diff --git a/roles/vaultwarden/tasks/user.yml b/roles/vaultwarden/tasks/user.yml
new file mode 100644
index 0000000..f7cb253
--- /dev/null
+++ b/roles/vaultwarden/tasks/user.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Create bitwarden_rs user
+ user: name={{ bitwarden_user }} home={{ bitwarden_root_dir }} system=True
+ tags: bitwarden
diff --git a/roles/vaultwarden/tasks/write_version.yml b/roles/vaultwarden/tasks/write_version.yml
new file mode 100644
index 0000000..5b47c7e
--- /dev/null
+++ b/roles/vaultwarden/tasks/write_version.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Write versions
+ copy: content={{ item.version }} dest={{ bitwarden_root_dir }}/meta/{{ item.file }}
+ loop:
+ - version: "{{ bitwarden_version }}"
+ file: ansible_version
+ - version: "{{ bitwarden_web_version }}"
+ file: ansible_web_version
+ tags: bitwarden
diff --git a/roles/vaultwarden/templates/bitwarden_rs.conf.j2 b/roles/vaultwarden/templates/bitwarden_rs.conf.j2
new file mode 100644
index 0000000..d162e77
--- /dev/null
+++ b/roles/vaultwarden/templates/bitwarden_rs.conf.j2
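Review bot: The bare `include:` keyword is the long-deprecated form (deprecated since Ansible 2.4 and removed in recent ansible-core, as far as I recall), and its tag/condition inheritance differs from the static form, which matters here because every included task relies on `tags: bitwarden` being honoured. Replace each line with `import_tasks:` (the `when:` on archive_pre/archive_post keeps working and is applied per imported task), e.g. `- import_tasks: user.yml`. A one-line header comment describing the ordering contract — user before directories, facts before the archive decision, write_version only after service — would make the sequence harder to break when someone reorders it.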
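Review bot: The service account is created with only `system=True`, so the `user` module's defaults apply: depending on the distribution's `useradd` configuration it gets an interactive login shell, and because directories.yml runs after this task the home directory `{{ bitwarden_root_dir }}` is created by `useradd -m`, typically 0700 and seeded from `/etc/skel`, before directories.yml resets it to 0755. Neither is wanted for a daemon whose root directory is meant to be root-owned; set `shell=/sbin/nologin create_home=False` on the task: `user: name={{ bitwarden_user }} home={{ bitwarden_root_dir }} shell=/sbin/nologin create_home=False system=True`. Worth a comment that the home path is only informational and that directories.yml owns the actual layout.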
@@ -0,0 +1,28 @@
+IP_HEADER=X-Forwarded-For
+SIGNUPS_VERIFY=true
+SIGNUPS_ALLOWED={{ bitwarden_registration | ternary('true','false') }}
+{% if bitwarden_domains_whitelist | length > 0 %}
+SIGNUPS_DOMAINS_WHITELIST={{ bitwarden_domains_whitelist | join(',') }}
+{% endif %}
+ADMIN_TOKEN={{ bitwarden_admin_token }}
+DISABLE_ADMIN_TOKEN={{ bitwarden_disable_admin_token | ternary('true','false') }}
+DOMAIN={{ bitwarden_public_url }}
+ROCKET_ENV=prod
+ROCKET_ADDRESS=0.0.0.0
+ROCKET_PORT={{ bitwarden_http_port }}
+WEBSOCKET_ENABLED=true
+WEBSOCKET_PORT={{ bitwarden_ws_port }}
+SMTP_HOST=localhost
+SMTP_PORT=25
+SMTP_SSL=false
+SMTP_FROM=bitwarden-rs-noreply@{{ ansible_domain }}
+{% if bitwarden_db_engine == 'mysql' %}
+DATABASE_URL=mysql://{{ bitwarden_db_user }}:{{ bitwarden_db_pass | urlencode | regex_replace('/','%2F') }}@{{ bitwarden_db_server }}:{{ bitwarden_db_port }}/{{ bitwarden_db_name }}
+ENABLE_DB_WAL=false
+{% else %}
+DATABASE_URL=data/db.sqlite3
+{% endif %}
+{% if bitwarden_yubico_client_id is defined and bitwarden_yubico_secret_key is defined %}
+YUBICO_CLIENT_ID={{ bitwarden_yubico_client_id }}
+YUBICO_SECRET_KEY={{ bitwarden_yubico_secret_key }}
+{% endif %}
diff --git a/roles/vaultwarden/templates/bitwarden_rs.service.j2 b/roles/vaultwarden/templates/bitwarden_rs.service.j2
new file mode 100644
index 0000000..0393c67
--- /dev/null
+++ b/roles/vaultwarden/templates/bitwarden_rs.service.j2
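Review bot: `ROCKET_ADDRESS=0.0.0.0` binds the plain-HTTP listener on every interface while the role's nginx template proxies to `localhost`, and no `WEBSOCKET_ADDRESS` is set (which, as far as I recall, also defaults to all interfaces); together with `IP_HEADER=X-Forwarded-For` this means anyone who can reach the ports directly can present a forged client IP to the rate limiter and the admin lockout. Bind to loopback unless the operator has deliberately opened the ports: `ROCKET_ADDRESS={{ (bitwarden_src_ip | length > 0) | ternary('0.0.0.0','127.0.0.1') }}`, with the same expression for `WEBSOCKET_ADDRESS`. `ADMIN_TOKEN` and the DB password are written in clear text, which is why conf.yml installs this file 0640; a `# secrets below - this file is deployed root:{{ bitwarden_user }} 0640` header would tell the next maintainer not to loosen it. `SMTP_SSL=false` to `localhost:25` is fine for a local relay; a comment that a remote `SMTP_HOST` needs SSL/STARTTLS enabled would prevent credentials and verification links crossing the LAN in the clear.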
@@ -0,0 +1,27 @@
+[Unit]
+Description=Bitwarden Server (Rust Edition)
+Documentation=https://github.com/dani-garcia/bitwarden_rs
+After=network.target
+{% if bitwarden_db_engine == 'mysql' and (bitwarden_db_server == 'localhost' or bitwarden_db_server == '127.0.0.1') %}
+After=mariadb.service
+Requires=mariadb.service
+{% endif %}
+
+[Service]
+User={{ bitwarden_user }}
+Group={{ bitwarden_user }}
+EnvironmentFile={{ bitwarden_root_dir }}/etc/bitwarden_rs.conf
+ExecStart={{ bitwarden_root_dir }}/bitwarden_rs
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
+WorkingDirectory={{ bitwarden_root_dir }}
+ReadWriteDirectories={{ bitwarden_root_dir }}/data
+ReadOnlyDirectories={{ bitwarden_root_dir }}/etc {{ bitwarden_root_dir }}/web-vault
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/vaultwarden/templates/nginx.conf.j2 b/roles/vaultwarden/templates/nginx.conf.j2
new file mode 100644
index 0000000..c6c2d56
--- /dev/null
+++ b/roles/vaultwarden/templates/nginx.conf.j2
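Review bot: The sandboxing omits `NoNewPrivileges=true`, the cheapest and most effective hardening line for a daemon that never needs to gain capabilities, and `ProtectSystem=full` could be `strict` since `ReadWriteDirectories` already names the only path the process writes. Suggested additions under `[Service]`: `NoNewPrivileges=true`, `ProtectSystem=strict`, `ProtectKernelTunables=true`. `ReadOnlyDirectories`/`ReadWriteDirectories` are the old spellings of `ReadOnlyPaths`/`ReadWritePaths` (still accepted as aliases) and `StartLimitInterval=0` under `[Service]` is likewise the legacy placement of what newer systemd wants as `StartLimitIntervalSec=` in `[Unit]`; both are fine if EL7-era systemd is the target, so a comment pinning the minimum supported systemd version would explain the choice.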
@@ -0,0 +1,69 @@
+server {
+ listen 443 ssl http2;
+ server_name {{ bitwarden_public_url | urlsplit('hostname') }};
+
+ include /etc/nginx/ansible_conf.d/acme.inc;
+
+{% if bitwarden_cert_path is defined and bitwarden_key_path is defined %}
+ ssl_certificate {{ bitwarden_cert_path }};
+ ssl_certificate_key {{ bitwarden_key_path }};
+{% elif bitwarden_letsencrypt_cert is defined and bitwarden_letsencrypt_cert == True %}
+ ssl_certificate /var/lib/dehydrated/certificates/certs/{{ bitwarden_public_url | urlsplit('hostname') }}/fullchain.pem;
+ ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ bitwarden_public_url | urlsplit('hostname') }}/privkey.pem;
+{% elif bitwarden_letsencrypt_cert is string %}
+ ssl_certificate /var/lib/dehydrated/certificates/certs/{{ bitwarden_letsencrypt_cert }}/fullchain.pem;
+ ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ bitwarden_letsencrypt_cert }}/privkey.pem;
+{% endif %}
+
+ root {{ bitwarden_root_dir }}/web-vault;
+
+ client_max_body_size 512M;
+
+ if ($request_method !~ ^(GET|POST|HEAD|PUT|DELETE)$ ) {
+ return 405;
+ }
+
+ location /notifications/hub {
+ proxy_pass http://localhost:{{ bitwarden_ws_port }};
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+ location /notifications/hub/negotiate {
+ proxy_pass http://localhost:{{ bitwarden_http_port }};
+ }
+
+ location @proxy {
+ proxy_pass http://localhost:{{ bitwarden_http_port }};
+ }
+
+ location / {
+ try_files $uri $uri/index.html @proxy;
+ }
+
+ add_header X-Frame-Options "DENY";
+ add_header X-Content-Type-Options "nosniff";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Strict-Transport-Security "$hsts_header";
+
+ # Send info about the original request to the backend
+ proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
+ proxy_set_header X-Real-IP "$remote_addr";
+ proxy_set_header X-Forwarded-Proto "$scheme";
+ proxy_set_header X-Forwarded-Host "$host";
+ proxy_set_header Host "$host";
+
+ # Set the timeout to read responses from the backend
+ proxy_read_timeout 60s;
+
+ # Enable Keep Alive to the backend
+ proxy_socket_keepalive on;
+
+ # Disable buffering large files
+ proxy_max_temp_file_size 5m;
+
+ allow 127.0.0.1;
+{% for ip in bitwarden_web_src_ip %}
+ allow {{ ip }};
+{% endfor %}
+ deny all;
+}
diff --git a/roles/vaultwarden/templates/post-backup.sh.j2 b/roles/vaultwarden/templates/post-backup.sh.j2
new file mode 100644
index 0000000..35286d4
--- /dev/null
+++ b/roles/vaultwarden/templates/post-backup.sh.j2
@@ -0,0 +1,4 @@
+#!/bin/bash -e
+
+rm -f {{ bitwarden_root_dir }}/backup/*
+umount /home/lbkp/bitwarden_rs
diff --git a/roles/vaultwarden/templates/pre-backup.sh.j2 b/roles/vaultwarden/templates/pre-backup.sh.j2
new file mode 100644
index 0000000..f145133
--- /dev/null
+++ b/roles/vaultwarden/templates/pre-backup.sh.j2
@@ -0,0 +1,17 @@
+#!/bin/bash -e
+
+mkdir -p /home/lbkp/bitwarden_rs/
+cp {{ bitwarden_root_dir }}/data/rsa* {{ bitwarden_root_dir }}/backup/
+{% if bitwarden_db_engine == 'mysql' %}
+/usr/bin/mysqldump \
+{% if bitwarden_db_server != 'localhost' and bitwarden_db_server != '127.0.0.1' %}
+ --user='{{ bitwarden_db_user }}' \
+ --password='{{ bitwarden_db_pass }}' \
+ --host='{{ bitwarden_db_server }}' \
+{% endif %}
+ --quick --single-transaction \
+ --add-drop-table {{ bitwarden_db_name }} | zstd -T0 -c > {{ bitwarden_root_dir }}/backup/{{ bitwarden_db_name }}.sql.zst
+{% else %}
+sqlite3 {{ bitwarden_root_dir }}/data/db.sqlite3 ".backup '{{ bitwarden_root_dir }}/backup/db.sqlite3'"
+{% endif %}
+mountpoint -q /home/lbkp/bitwarden_rs/ || mount -o bind,ro {{ bitwarden_root_dir }}/backup/ /home/lbkp/bitwarden_rs/
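Review bot: When neither `bitwarden_cert_path`/`bitwarden_key_path` nor `bitwarden_letsencrypt_cert` is defined — and defaults/main.yml defines none of them — the `{% if %}` chain emits a `listen 443 ssl` server with no `ssl_certificate` at all, so nginx rejects the configuration: the `reload nginx` handler fails and, after the next restart or reboot, nginx does not come up for any site on the host. Add an `{% else %}` branch pointing at the nginx role's default certificate, or an `assert` in conf.yml that one of the three variables is set, and document the three options in defaults. Secondary: `/admin` gets no restriction here even though defaults say the operator "has to protect /admin yourself" when the token is disabled; a commented-out `location /admin { allow 127.0.0.1; deny all; }` hint next to the other locations would make that easy. `X-Forwarded-For "$proxy_add_x_forwarded_for"` appends rather than replaces, so with another proxy in front the backend's `IP_HEADER` sees a list; fine, but worth stating in the comment above it.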
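Review bot: `umount /home/lbkp/bitwarden_rs` is unconditional, so if the pre hook aborted before reaching its `mount` (for example the mysqldump pipeline failed under `bash -e`) this hook exits non-zero on a mount that was never made, and the real error gets buried under a spurious one. Mirror the pre hook's guard and unmount before clearing the staging copies: `mountpoint -q /home/lbkp/bitwarden_rs && umount /home/lbkp/bitwarden_rs` followed by `rm -f {{ bitwarden_root_dir }}/backup/*`. A header comment stating what lives in `backup/` (RSA keys plus a database dump) would explain why the directory must be emptied after every run.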
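Review bot: `--password='{{ bitwarden_db_pass }}'` puts the database password on the `mysqldump` command line, where every local user can read it from `ps` or `/proc/*/cmdline` for the duration of the dump, and the rendered script is installed with `mode=755` by install.yml, so the secret is readable at rest as well. Pass the credentials via a root-only options file instead — replace the three option lines with `--defaults-extra-file={{ bitwarden_root_dir }}/etc/backup.my.cnf` and have conf.yml template that file 0600 with a `[client]` section — and install the hook 0700. The `#!/bin/bash -e` shebang does not cover the `mysqldump | zstd` pipeline: if mysqldump fails, `zstd` still exits 0 and the hook reports success with a truncated dump, so add `set -o pipefail` after the shebang. `cp data/rsa*` deliberately includes the server's RSA signing keys in the backup set; a comment saying so (and that the backup target must therefore be treated as secret) would help whoever restores it.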