Compare commits
4 Commits
fadea9d84f
...
0.1.6
| Author | SHA1 | Date | |
|---|---|---|---|
98c60a73c6
|
|||
|
5ac019bace
|
|||
|
43fd798712
|
|||
|
88dc6377ce
|
@ -1,4 +1,4 @@
|
||||
# `finallycoffee.service` ansible collection
|
||||
# `finallycoffee.services` ansible collection
|
||||
|
||||
## Overview
|
||||
|
||||
@ -26,6 +26,9 @@ concise area of concern.
|
||||
- [`openproject`](roles/openproject/README.md): Deploys an [openproject.org](https://www.openproject.org)
|
||||
installation using the upstream provided docker-compose setup.
|
||||
|
||||
- [`vaultwarden`](roles/vaultwarden/README.md): Deploy [vaultwarden](https://github.com/dani-garcia/vaultwarden/),
|
||||
an open-source implementation of the Bitwarden Server (formerly Bitwarden\_RS).
|
||||
|
||||
- [`vouch_proxy`](roles/vouch_proxy/README.md): Deploys [vouch-proxy](https://github.com/vouch/vouch-proxy),
|
||||
an authorization proxy for arbitrary webapps working with `nginx`s' `auth_request` module.
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
namespace: finallycoffee
|
||||
name: services
|
||||
version: 0.1.5
|
||||
version: 0.1.6
|
||||
readme: README.md
|
||||
authors:
|
||||
- transcaffeine <transcaffeine@finally.coffee>
|
||||
@ -18,4 +18,5 @@ tags:
|
||||
- gitea
|
||||
- hedgedoc
|
||||
- jellyfin
|
||||
- vaultwarden
|
||||
- docker
|
||||
|
||||
6
playbooks/vaultwarden.yml
Normal file
6
playbooks/vaultwarden.yml
Normal file
@ -0,0 +1,6 @@
|
||||
---
|
||||
- name: Install and configure vaultwarden
|
||||
hosts: "{{ vaultwarden_hosts | default('vaultwarden') }}"
|
||||
become: "{{ vaultwarden_become | default(true, false) }}"
|
||||
roles:
|
||||
- role: finallycoffee.services.vaultwarden
|
||||
@ -15,7 +15,7 @@
|
||||
when: hedgedoc_deployment_method not in hedgedoc_deployment_methods
|
||||
|
||||
- name: Ensure required variables are given
|
||||
ansible.builtin.file:
|
||||
ansible.builtin.fail:
|
||||
msg: "Required variable '{{ item }}' is undefined!"
|
||||
loop: "{{ hedgedoc_required_arguments }}"
|
||||
when: >-2
|
||||
|
||||
@ -1,5 +1,12 @@
|
||||
# `finallycoffee.services.vaultwarden` ansible role
|
||||
|
||||
Vaultwarden is an unofficial (not associated with Bitwarden) bitwarden API compatible
|
||||
server backend, formally called `bitwarden_rs`, written in rust.
|
||||
|
||||
This ansible role can deploy and configure `vaultwarden`, and supports removing
|
||||
itself using `vaultwarden_state: absent` (Warning: It does not ask for confirmation,
|
||||
and will remove all user data when instructed to remove it).
|
||||
|
||||
## Configuration
|
||||
|
||||
To use this role, the following variables need to be populated:
|
||||
@ -7,9 +14,14 @@ To use this role, the following variables need to be populated:
|
||||
- `vaultwarden_config_domain` - always. Changing this will lead to two-factor not working for two-factor methods registered in the past.
|
||||
- `vaultwarden_config_admin_token` - if `vaultwarden_config_disable_admin_token` is `false`.
|
||||
|
||||
Setting other configuration values for vaultwarden can be done using role-provided flattened keys in the
|
||||
`vaultwarden_config_*` namespace (see [`defaults/main/config.yml`](defaults/main/config.yml) for available variables),
|
||||
or by setting the configuration directly in the same structure as the `config.json` would be in `vaultwarden_config`.
|
||||
|
||||
### Email
|
||||
|
||||
Configure mailing by first enabling SMTP using `vaultwarden_config_enable_smtp: true`, then configure your email server like this:
|
||||
Configure mailing by first enabling SMTP using `vaultwarden_config_enable_smtp: true`,
|
||||
then configure your email server like this:
|
||||
```yaml
|
||||
vaultwarden_config:
|
||||
smtp_host: "mail.example.com"
|
||||
@ -24,7 +36,8 @@ vaultwarden_config:
|
||||
|
||||
### 2FA via email
|
||||
|
||||
To enable email-based two-factor-authentication, set `vaultwarden_config_enable_email_2fa: true` and optionally set the following configuration:
|
||||
To enable email-based two-factor-authentication, set `vaultwarden_config_enable_email_2fa: true`
|
||||
and optionally set the following configuration:
|
||||
```yaml
|
||||
vaultwarden_config:
|
||||
email_token_size: 8
|
||||
@ -32,3 +45,10 @@ vaultwarden_config:
|
||||
email_attempts_limit: 3
|
||||
```
|
||||
|
||||
### Feature flags
|
||||
|
||||
To enable more authentication methods, toggles are provided in
|
||||
[`vaultwarden_config_enable_*`](defaults/main/config.yml#L18).
|
||||
It is genereally recommended to simply keep unused methods off.
|
||||
|
||||
Per default, 'Sends' are allowed.
|
||||
|
||||
@ -7,24 +7,13 @@ vaultwarden_config_invitations_allowed: false
|
||||
vaultwarden_config_invitation_org_name: ~
|
||||
vaultwarden_config_signups_allowed: false
|
||||
vaultwarden_config_signups_verify: true
|
||||
vaultwarden_config_signups_verify_resend_time: >-2
|
||||
{{ vaultwarden_config_signups_verify_resend_time_seconds }}
|
||||
vaultwarden_config_signups_verify_resend_time_seconds: 3600
|
||||
vaultwarden_config_signups_verify_resend_limit: >-2
|
||||
{{ vaultwarden_config_signups_verify_resend_limit_count }}
|
||||
vaultwarden_config_signups_verify_resend_limit_count: 5
|
||||
vaultwarden_config_signups_verify_resend_time: 3600
|
||||
vaultwarden_config_signups_verify_resend_limit: 5
|
||||
# Entry preview icons
|
||||
vaultwarden_config_disable_icon_download: true
|
||||
vaultwarden_config_icon_cache_ttl: >-2
|
||||
{{ vaultwarden_config_icon_cache_ttl_seconds }}
|
||||
vaultwarden_config_icon_cache_ttl_seconds: "{{ (60 * 60 * 24 * 7) | int }}"
|
||||
vaultwarden_config_icon_cache_negttl: >-2
|
||||
{{ vaultwarden_config_icon_cache_negttl_seconds }}
|
||||
vaultwarden_config_icon_cache_negttl_seconds: >-2
|
||||
{{ (60 * 60 * 24 * 3) | int }}
|
||||
vaultwarden_config_icon_download_timeout: >-2
|
||||
{{ vaultwarden_config_icon_download_timeout_seconds }}
|
||||
vaultwarden_config_icon_download_timeout_seconds: 30
|
||||
vaultwarden_config_icon_cache_ttl: 604800 # 7 days
|
||||
vaultwarden_config_icon_cache_negttl: 259200 # 3 days
|
||||
vaultwarden_config_icon_download_timeout: 30 # seconds
|
||||
vaultwarden_config_icon_blacklist_non_global_ips: true
|
||||
# Features
|
||||
vaultwarden_config_sends_allowed: true
|
||||
@ -39,6 +28,10 @@ vaultwarden_config_disable_2fa_remember: false
|
||||
vaultwarden_config_disable_admin_token: true
|
||||
vaultwarden_config_require_device_email: false
|
||||
vaultwarden_config_authenticator_disable_time_drift: true
|
||||
# Other
|
||||
vaultwarden_config_log_timestamp_format: "%Y-%m-%d %H:%M:%S.%3f"
|
||||
vaultwarden_config_ip_header: "X-Real-IP"
|
||||
vaultwarden_config_reload_templates: false
|
||||
|
||||
vaultwarden_base_config:
|
||||
domain: "{{ vaultwarden_config_domain }}"
|
||||
@ -60,6 +53,9 @@ vaultwarden_base_config:
|
||||
disable_admin_token: "{{ vaultwarden_config_disable_admin_token }}"
|
||||
require_device_email: "{{ vaultwarden_config_require_device_email }}"
|
||||
authenticator_disable_time_drift: "{{ vaultwarden_config_authenticator_disable_time_drift }}"
|
||||
ip_header: "{{ vaultwarden_config_ip_header }}"
|
||||
log_timestamp_format: "{{ vaultwarden_config_log_timestamp_format }}"
|
||||
reload_templates: "{{ vaultwarden_config_reload_templates }}"
|
||||
sends_allowed: "{{ vaultwarden_config_sends_allowed }}"
|
||||
_enable_yubico: "{{ vaultwarden_config_enable_yubico }}"
|
||||
_enable_duo: "{{ vaultwarden_config_enable_duo }}"
|
||||
|
||||
@ -18,14 +18,14 @@ vaultwarden_container_image: >-2
|
||||
+ (vaultwarden_container_image_tag | default(
|
||||
vaultwarden_version + (
|
||||
((vaultwarden_container_image_flavour is string)
|
||||
and (hedgedoc_container_image_flavour | length > 0))
|
||||
and (vaultwarden_container_image_flavour | length > 0))
|
||||
| ternary(
|
||||
'-' + hedgedoc_container_image_flavour | default('', true),
|
||||
'-' + vaultwarden_container_image_flavour | default('', true),
|
||||
''
|
||||
)
|
||||
),
|
||||
true
|
||||
)
|
||||
))
|
||||
}}
|
||||
|
||||
vaultwarden_container_name: vaultwarden
|
||||
|
||||
12
roles/vaultwarden/meta/main.yml
Normal file
12
roles/vaultwarden/meta/main.yml
Normal file
@ -0,0 +1,12 @@
|
||||
---
|
||||
allow_duplicates: true
|
||||
dependencies: []
|
||||
galaxy_info:
|
||||
role_name: vaultwarden
|
||||
description: >-2
|
||||
Deploy vaultwarden, a bitwarden-compatible server backend
|
||||
galaxy_tags:
|
||||
- vaultwarden
|
||||
- bitwarden
|
||||
- passwordstore
|
||||
- docker
|
||||
@ -26,7 +26,7 @@
|
||||
- name: Ensure required variables are given
|
||||
ansible.builtin.fail:
|
||||
msg: "Required variable '{{ var.name }}' is undefined!"
|
||||
loop: "{{ vaultwarden_optionally_required_variables }}"
|
||||
loop: "{{ vaultwarden_conditionally_required_variables }}"
|
||||
loop_control:
|
||||
loop_var: var
|
||||
label: "{{ var.name }}"
|
||||
@ -47,18 +47,18 @@
|
||||
(vaultwarden_user_groups | default([], true) | length > 0),
|
||||
true,
|
||||
) }}
|
||||
register: ansible_user_info
|
||||
register: vaultwarden_user_info
|
||||
|
||||
- name: Ensure base paths are {{ vaultwarden_state }}
|
||||
ansible.builtin.file:
|
||||
path: "{{ mount.path }}"
|
||||
state: "{{ (vaultwarden_state == 'present' | ternary('directory', 'absent') }}"
|
||||
state: "{{ (vaultwarden_state == 'present') | ternary('directory', 'absent') }}"
|
||||
owner: "{{ mount.owner | default(vaultwarden_run_user_id) }}"
|
||||
group: "{{ mount.group | default(vaultwarden_run_group_id) }}"
|
||||
mode: "{{ mount.mode | default('0755', true) }}"
|
||||
loop:
|
||||
- path: "{{ vaultwarden_config_directory }}"
|
||||
- path: "{[ vaultwarden_data_directory }}"
|
||||
- path: "{{ vaultwarden_data_directory }}"
|
||||
loop_control:
|
||||
loop_var: mount
|
||||
label: "{{ mount.path }}"
|
||||
|
||||
Reference in New Issue
Block a user