feat(vaultwarden): add ansible role

2024-10-17 20:44:51 +02:00
9 changed files with 28 additions and 66 deletions
--- a/README.md
+++ b/README.md
@ -1,4 +1,4 @@
-# `finallycoffee.services` ansible collection
+# `finallycoffee.service` ansible collection
 ## Overview
@ -26,9 +26,6 @@ concise area of concern.
 - [`openproject`](roles/openproject/README.md): Deploys an [openproject.org](https://www.openproject.org)
  installation using the upstream provided docker-compose setup.
 - [`vaultwarden`](roles/vaultwarden/README.md): Deploy [vaultwarden](https://github.com/dani-garcia/vaultwarden/),
  an open-source implementation of the Bitwarden Server (formerly Bitwarden\_RS).
 - [`vouch_proxy`](roles/vouch_proxy/README.md): Deploys [vouch-proxy](https://github.com/vouch/vouch-proxy),
  an authorization proxy for arbitrary webapps working with `nginx`s' `auth_request` module.
--- a/galaxy.yml
+++ b/galaxy.yml
@ -1,6 +1,6 @@
 namespace: finallycoffee
 name: services
-version: 0.1.6
+version: 0.1.5
 readme: README.md
 authors:
 - transcaffeine <transcaffeine@finally.coffee>
@ -18,5 +18,4 @@ tags:
  - gitea
  - hedgedoc
  - jellyfin
  - vaultwarden
  - docker
--- a/playbooks/vaultwarden.yml
+++ b/playbooks/vaultwarden.yml
@ -1,6 +0,0 @@
 ---
 - name: Install and configure vaultwarden
  hosts: "{{ vaultwarden_hosts | default('vaultwarden') }}"
  become: "{{ vaultwarden_become | default(true, false) }}"
  roles:
    - role: finallycoffee.services.vaultwarden
--- a/roles/hedgedoc/tasks/check.yml
+++ b/roles/hedgedoc/tasks/check.yml
@ -15,7 +15,7 @@
  when: hedgedoc_deployment_method not in hedgedoc_deployment_methods
 - name: Ensure required variables are given
-  ansible.builtin.fail:
+  ansible.builtin.file:
    msg: "Required variable '{{ item }}' is undefined!"
  loop: "{{ hedgedoc_required_arguments }}"
  when: >-2
--- a/roles/vaultwarden/README.md
+++ b/roles/vaultwarden/README.md
@ -1,12 +1,5 @@
 # `finallycoffee.services.vaultwarden` ansible role
 Vaultwarden is an unofficial (not associated with Bitwarden) bitwarden API compatible
 server backend, formally called `bitwarden_rs`, written in rust.
 This ansible role can deploy and configure `vaultwarden`, and supports removing
 itself using `vaultwarden_state: absent` (Warning: It does not ask for confirmation,
 and will remove all user data when instructed to remove it).
 ## Configuration
 To use this role, the following variables need to be populated:
@ -14,14 +7,9 @@ To use this role, the following variables need to be populated:
 - `vaultwarden_config_domain` - always. Changing this will lead to two-factor not working for two-factor methods registered in the past.
 - `vaultwarden_config_admin_token` - if `vaultwarden_config_disable_admin_token` is `false`.
 Setting other configuration values for vaultwarden can be done using role-provided flattened keys in the
 `vaultwarden_config_*` namespace (see [`defaults/main/config.yml`](defaults/main/config.yml) for available variables),
 or by setting the configuration directly in the same structure as the `config.json` would be in `vaultwarden_config`.
 ### Email
-Configure mailing by first enabling SMTP using `vaultwarden_config_enable_smtp: true`,
+Configure mailing by first enabling SMTP using `vaultwarden_config_enable_smtp: true`, then configure your email server like this:
 then configure your email server like this:
 ```yaml
 vaultwarden_config:
  smtp_host: "mail.example.com"
@ -36,8 +24,7 @@ vaultwarden_config:
 ### 2FA via email
-To enable email-based two-factor-authentication, set `vaultwarden_config_enable_email_2fa: true`
+To enable email-based two-factor-authentication, set `vaultwarden_config_enable_email_2fa: true` and optionally set the following configuration:
 and optionally set the following configuration:
 ```yaml
 vaultwarden_config:
  email_token_size: 8
@ -45,10 +32,3 @@ vaultwarden_config:
  email_attempts_limit: 3
 ```
 ### Feature flags
 To enable more authentication methods, toggles are provided in
 [`vaultwarden_config_enable_*`](defaults/main/config.yml#L18).
 It is genereally recommended to simply keep unused methods off.
 Per default, 'Sends' are allowed.
--- a/roles/vaultwarden/defaults/main/config.yml
+++ b/roles/vaultwarden/defaults/main/config.yml
@ -7,13 +7,24 @@ vaultwarden_config_invitations_allowed: false
 vaultwarden_config_invitation_org_name: ~
 vaultwarden_config_signups_allowed: false
 vaultwarden_config_signups_verify: true
-vaultwarden_config_signups_verify_resend_time: 3600
+vaultwarden_config_signups_verify_resend_time: >-2
-vaultwarden_config_signups_verify_resend_limit: 5
+  {{ vaultwarden_config_signups_verify_resend_time_seconds }}
 vaultwarden_config_signups_verify_resend_time_seconds: 3600
 vaultwarden_config_signups_verify_resend_limit: >-2
  {{ vaultwarden_config_signups_verify_resend_limit_count }}
 vaultwarden_config_signups_verify_resend_limit_count: 5
 # Entry preview icons
 vaultwarden_config_disable_icon_download: true
-vaultwarden_config_icon_cache_ttl: 604800 # 7 days
+vaultwarden_config_icon_cache_ttl: >-2
-vaultwarden_config_icon_cache_negttl: 259200 # 3 days
+  {{ vaultwarden_config_icon_cache_ttl_seconds }}
-vaultwarden_config_icon_download_timeout: 30 # seconds
+vaultwarden_config_icon_cache_ttl_seconds: "{{ (60 * 60 * 24 * 7) | int }}"
 vaultwarden_config_icon_cache_negttl: >-2
  {{ vaultwarden_config_icon_cache_negttl_seconds }}
 vaultwarden_config_icon_cache_negttl_seconds: >-2
  {{ (60 * 60 * 24 * 3) | int }}
 vaultwarden_config_icon_download_timeout: >-2
  {{ vaultwarden_config_icon_download_timeout_seconds }}
 vaultwarden_config_icon_download_timeout_seconds: 30
 vaultwarden_config_icon_blacklist_non_global_ips: true
 # Features
 vaultwarden_config_sends_allowed: true
@ -28,10 +39,6 @@ vaultwarden_config_disable_2fa_remember: false
 vaultwarden_config_disable_admin_token: true
 vaultwarden_config_require_device_email: false
 vaultwarden_config_authenticator_disable_time_drift: true
 # Other
 vaultwarden_config_log_timestamp_format: "%Y-%m-%d %H:%M:%S.%3f"
 vaultwarden_config_ip_header: "X-Real-IP"
 vaultwarden_config_reload_templates: false
 vaultwarden_base_config:
  domain: "{{ vaultwarden_config_domain }}"
@ -53,9 +60,6 @@ vaultwarden_base_config:
  disable_admin_token: "{{ vaultwarden_config_disable_admin_token }}"
  require_device_email: "{{ vaultwarden_config_require_device_email }}"
  authenticator_disable_time_drift: "{{ vaultwarden_config_authenticator_disable_time_drift }}"
  ip_header: "{{ vaultwarden_config_ip_header }}"
  log_timestamp_format: "{{ vaultwarden_config_log_timestamp_format }}"
  reload_templates: "{{ vaultwarden_config_reload_templates }}"
  sends_allowed: "{{ vaultwarden_config_sends_allowed }}"
  _enable_yubico: "{{ vaultwarden_config_enable_yubico }}"
  _enable_duo: "{{ vaultwarden_config_enable_duo }}"
--- a/roles/vaultwarden/defaults/main/container.yml
+++ b/roles/vaultwarden/defaults/main/container.yml
@ -18,14 +18,14 @@ vaultwarden_container_image: >-2
    + (vaultwarden_container_image_tag | default(
        vaultwarden_version + (
          ((vaultwarden_container_image_flavour is string)
-            and (vaultwarden_container_image_flavour | length > 0))
+            and (hedgedoc_container_image_flavour | length > 0))
          | ternary(
-            '-' + vaultwarden_container_image_flavour | default('', true),
+            '-' + hedgedoc_container_image_flavour | default('', true),
            ''
          )
        ),
        true
-    ))
+    )
  }}
 vaultwarden_container_name: vaultwarden
--- a/roles/vaultwarden/meta/main.yml
+++ b/roles/vaultwarden/meta/main.yml
@ -1,12 +0,0 @@
 ---
 allow_duplicates: true
 dependencies: []
 galaxy_info:
  role_name: vaultwarden
  description: >-2
    Deploy vaultwarden, a bitwarden-compatible server backend
  galaxy_tags:
    - vaultwarden
    - bitwarden
    - passwordstore
    - docker
--- a/roles/vaultwarden/tasks/main.yml
+++ b/roles/vaultwarden/tasks/main.yml
@ -26,7 +26,7 @@
 - name: Ensure required variables are given
  ansible.builtin.fail:
    msg: "Required variable '{{ var.name }}' is undefined!"
-  loop: "{{ vaultwarden_conditionally_required_variables }}"
+  loop: "{{ vaultwarden_optionally_required_variables }}"
  loop_control:
    loop_var: var
    label: "{{ var.name }}"
@ -47,18 +47,18 @@
        (vaultwarden_user_groups | default([], true) | length > 0),
        true,
      ) }}
-  register: vaultwarden_user_info
+  register: ansible_user_info
 - name: Ensure base paths are {{ vaultwarden_state }}
  ansible.builtin.file:
    path: "{{ mount.path }}"
-    state: "{{ (vaultwarden_state == 'present') | ternary('directory', 'absent') }}"
+    state: "{{ (vaultwarden_state == 'present' | ternary('directory', 'absent') }}"
    owner: "{{ mount.owner | default(vaultwarden_run_user_id) }}"
    group: "{{ mount.group | default(vaultwarden_run_group_id) }}"
    mode: "{{ mount.mode | default('0755', true) }}"
  loop:
    - path: "{{ vaultwarden_config_directory }}"
-    - path: "{{ vaultwarden_data_directory }}"
+    - path: "{[ vaultwarden_data_directory }}"
  loop_control:
    loop_var: mount
    label: "{{ mount.path }}"