ansible
/
xoxys.vaultwarden_docker
0
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: ansible:main
Branches Tags
ansible:main
ansible:docs
ansible:test-rocky8
...
pull from: ansible:docs
Branches Tags
ansible:main
ansible:docs
ansible:test-rocky8

No commits in common. "main" and "docs" have entirely different histories.
main ... docs

22 changed files with 646 additions and 1034 deletions
Show Stats Expand all files Collapse all files

159
.drone.jsonnet
View File

@ -1,159 +0,0 @@
local PipelineLinting = {
kind: 'pipeline',
name: 'linting',
platform: {
os: 'linux',
arch: 'amd64',
},
steps: [
{
name: 'ansible-later',
image: 'thegeeklab/ansible-later',
commands: [
'ansible-later',
],
},
{
name: 'python-format',
image: 'python:3.11',
environment: {
PY_COLORS: 1,
},
commands: [
'pip install -qq yapf',
'[ -z "$(find . -type f -name *.py)" ] || (yapf -rd ./)',
],
},
{
name: 'python-flake8',
image: 'python:3.11',
environment: {
PY_COLORS: 1,
},
commands: [
'pip install -qq flake8',
'flake8',
],
},
],
trigger: {
ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'],
},
};
local PipelineDeployment(scenario='centos7') = {
kind: 'pipeline',
name: 'testing-' + scenario,
platform: {
os: 'linux',
arch: 'amd64',
},
concurrency: {
limit: 1,
},
workspace: {
base: '/drone/src',
path: '${DRONE_REPO_NAME}',
},
steps: [
{
name: 'ansible-molecule',
image: 'thegeeklab/molecule:4',
environment: {
HCLOUD_TOKEN: { from_secret: 'hcloud_token' },
},
commands: [
'molecule test -s ' + scenario,
],
},
],
depends_on: [
'linting',
],
trigger: {
ref: ['refs/heads/main', 'refs/tags/**'],
},
};
local PipelineDocumentation = {
kind: 'pipeline',
name: 'documentation',
platform: {
os: 'linux',
arch: 'amd64',
},
steps: [
{
name: 'generate',
image: 'thegeeklab/ansible-doctor',
environment: {
ANSIBLE_DOCTOR_LOG_LEVEL: 'INFO',
ANSIBLE_DOCTOR_FORCE_OVERWRITE: true,
ANSIBLE_DOCTOR_EXCLUDE_FILES: 'molecule/',
ANSIBLE_DOCTOR_TEMPLATE: 'hugo-book',
ANSIBLE_DOCTOR_ROLE_NAME: '${DRONE_REPO_NAME#*.}',
ANSIBLE_DOCTOR_OUTPUT_DIR: '_docs/',
},
},
{
name: 'publish',
image: 'plugins/gh-pages',
settings: {
remote_url: 'https://gitea.rknet.org/ansible/${DRONE_REPO_NAME}',
netrc_machine: 'gitea.rknet.org',
username: { from_secret: 'gitea_username' },
password: { from_secret: 'gitea_token' },
pages_directory: '_docs/',
target_branch: 'docs',
},
when: {
ref: ['refs/heads/main'],
},
},
],
trigger: {
ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'],
},
depends_on: [
'testing-centos7',
],
};
local PipelineNotification = {
kind: 'pipeline',
name: 'notification',
platform: {
os: 'linux',
arch: 'amd64',
},
clone: {
disable: true,
},
steps: [
{
name: 'matrix',
image: 'thegeeklab/drone-matrix',
settings: {
homeserver: { from_secret: 'matrix_homeserver' },
roomid: { from_secret: 'matrix_roomid' },
template: 'Status: **{{ .Build.Status }}**<br/> Build: [{{ .Repo.Owner }}/{{ .Repo.Name }}]({{ .Build.Link }}){{ if .Build.Branch }} ({{ .Build.Branch }}){{ end }} by {{ .Commit.Author }}<br/> Message: {{ .Commit.Message.Title }}',
username: { from_secret: 'matrix_username' },
password: { from_secret: 'matrix_password' },
},
},
],
depends_on: [
'documentation',
],
trigger: {
status: ['success', 'failure'],
ref: ['refs/heads/main', 'refs/tags/**'],
},
};
[
PipelineLinting,
PipelineDeployment(scenario='centos7'),
PipelineDocumentation,
PipelineNotification,
]

152
.drone.yml
View File

@ -1,152 +0,0 @@
---
kind: pipeline
name: linting
platform:
os: linux
arch: amd64
steps:
- name: ansible-later
image: thegeeklab/ansible-later
commands:
- ansible-later
- name: python-format
image: python:3.11
commands:
- pip install -qq yapf
- "[ -z \"$(find . -type f -name *.py)\" ] || (yapf -rd ./)"
environment:
PY_COLORS: 1
- name: python-flake8
image: python:3.11
commands:
- pip install -qq flake8
- flake8
environment:
PY_COLORS: 1
trigger:
ref:
- refs/heads/main
- refs/tags/**
- refs/pull/**
---
kind: pipeline
name: testing-centos7
platform:
os: linux
arch: amd64
concurrency:
limit: 1
workspace:
base: /drone/src
path: ${DRONE_REPO_NAME}
steps:
- name: ansible-molecule
image: thegeeklab/molecule:4
commands:
- molecule test -s centos7
environment:
HCLOUD_TOKEN:
from_secret: hcloud_token
trigger:
ref:
- refs/heads/main
- refs/tags/**
depends_on:
- linting
---
kind: pipeline
name: documentation
platform:
os: linux
arch: amd64
steps:
- name: generate
image: thegeeklab/ansible-doctor
environment:
ANSIBLE_DOCTOR_EXCLUDE_FILES: molecule/
ANSIBLE_DOCTOR_FORCE_OVERWRITE: true
ANSIBLE_DOCTOR_LOG_LEVEL: INFO
ANSIBLE_DOCTOR_OUTPUT_DIR: _docs/
ANSIBLE_DOCTOR_ROLE_NAME: ${DRONE_REPO_NAME#*.}
ANSIBLE_DOCTOR_TEMPLATE: hugo-book
- name: publish
image: plugins/gh-pages
settings:
netrc_machine: gitea.rknet.org
pages_directory: _docs/
password:
from_secret: gitea_token
remote_url: https://gitea.rknet.org/ansible/${DRONE_REPO_NAME}
target_branch: docs
username:
from_secret: gitea_username
when:
ref:
- refs/heads/main
trigger:
ref:
- refs/heads/main
- refs/tags/**
- refs/pull/**
depends_on:
- testing-centos7
---
kind: pipeline
name: notification
platform:
os: linux
arch: amd64
clone:
disable: true
steps:
- name: matrix
image: thegeeklab/drone-matrix
settings:
homeserver:
from_secret: matrix_homeserver
password:
from_secret: matrix_password
roomid:
from_secret: matrix_roomid
template: "Status: **{{ .Build.Status }}**<br/> Build: [{{ .Repo.Owner }}/{{ .Repo.Name }}]({{ .Build.Link }}){{ if .Build.Branch }} ({{ .Build.Branch }}){{ end }} by {{ .Commit.Author }}<br/> Message: {{ .Commit.Message.Title }}"
username:
from_secret: matrix_username
trigger:
ref:
- refs/heads/main
- refs/tags/**
status:
- success
- failure
depends_on:
- documentation
---
kind: signature
hmac: 31eb9a4c185a37b7847160b41128317fdc3b34a05c2c30acf2b54d50d35d40c6
...

13
.gitignore vendored
View File

@ -1,13 +0,0 @@
# ---> Ansible
*.retry
plugins
library
# ---> Python
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# ---> Docs
/_docs

19
.later.yml
View File

@ -1,19 +0,0 @@
---
ansible:
custom_modules:
- iptables_raw
- openssl_pkcs12
- proxmox_kvm
- ucr
- corenetworks_dns
- corenetworks_token
rules:
exclude_files:
- molecule/
- "LICENSE*"
- "**/*.md"
- "**/*.ini"
exclude_filter:
- LINT0009

21
LICENSE
View File

@ -1,21 +0,0 @@
MIT License
Copyright (c) 2022 Robert Kaussow <mail@thegeeklab.de>
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is furnished
to do so, subject to the following conditions:
The above copyright notice and this permission notice (including the next
paragraph) shall be included in all copies or substantial portions of the
Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

12
README.md
View File

@ -1,12 +0,0 @@
# xoxys.vaultwarden_docker
[![Build Status](https://img.shields.io/drone/build/ansible/xoxys.vaultwarden_docker?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.vaultwarden_docker)
[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
Role to setup a [Vaultwarden](https://github.com/dani-garcia/vaultwarden) password safe. Vaultwarden is a community Bitwarden API server implementation written in Rust.
You can find the full documentation at [https://galaxy.geekdocs.de](https://galaxy.geekdocs.de/roles/cloud/vaultwarden_docker/).
## License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

131
defaults/main.yml
View File

@ -1,131 +0,0 @@
---
vaultwarden_version: latest
vaultwarden_image: "thegeeklab/vaultwarden:{{ vaultwarden_version }}"
vaultwarden_base_url: "http://localhost/"
vaultwarden_service_directory: /var/lib/docker/services/vaultwarden
vaultwarden_container_name: vaultwarden
vaultwarden_restart_policy: always
vaultwarden_service_stopped: False
# @var vaultwarden_networks:example: >
# vaultwarden_networks:
# - name: default
# # optional network driver, defaults to 'bride'
# driver: host
# @end
vaultwarden_networks:
- name: default
vaultwarden_networks_applied:
- default
# @var vaultwarden_volumes:description: > Define required docker volumes.
# @end
# @var vaultwarden_volumes:example: >
# vaultwarden_volumes:
# # Instead of the name you could specify a path on the container host system,
# # but you also have to enable bind mount for this volume
# - name: data
# # target location inside the container
# dest: /var/www/app/data
# # enable bind mount, if false volume will be configured as named volume
# # keep in mind you MUST set bind in any case
# bind: True
# @end
vaultwarden_volumes:
- name: data
dest: /app/data
bind: False
# @var vaultwarden_websocket_enabled:description: >
# If you enable websockets you also have to expose port `3012`.
# @end
vaultwarden_websocket_enabled: False
# @var vaultwarden_exposed_ports:example: >
# vaultwarden_exposed_ports:
# - "127.0.0.1:8080:8080"
# - "127.0.0.1:3012:3012"
# @end
vaultwarden_exposed_ports:
- "127.0.0.1:8080:8080"
vaultwarden_extra_hosts: []
# @var vaultwarden_memory_limit: $ "_unset_"
# @var vaultwarden_memory_limit:example: $ "512m"
# @var vaultwarden_memory_reservation: $ "_unset_"
# @var vaultwarden_memory_reservation:example: $ "256m"
# @var vaultwarden_cpu_shares: $ "_unset_"
# @var vaultwarden_cpu_shares:example: $ "1024"
vaultwarden_cap_add: []
vaultwarden_cap_drop: []
vaultwarden_security_opt: []
# @var vaultwarden_pids_limit: $ "_unset_"
vaultwarden_healthcheck:
test: '["CMD", "/usr/local/bin/healthcheck"]'
interval: 10s
timeout: 3s
retries: 3
# @var vaultwarden_templates_folder: $ "_unset_"
vaultwarden_reload_templates: False
vaultwarden_ip_header: X-Forwarded-For
vaultwarden_icon_cache_ttl: 2592000
vaultwarden_icon_cache_negttl: "{{ vaultwarden_icon_cache_ttl }}"
vaultwarden_web_vault_enabled: True
vaultwarden_extended_logging: True
vaultwarden_log_level: Info
vaultwarden_disable_icon_download: False
vaultwarden_icon_download_timeout: 10
# @var vaultwarden_icon_blacklist_regexl: $ "_unset_"
vaultwarden_icon_blacklist_non_global_ips: True
vaultwarden_disable_2fa_remember: False
vaultwarden_signups_allowed: False
vaultwarden_signups_verify: False
vaultwarden_signups_verify_resend_time: 3600
vaultwarden_signups_verify_resend_limit: 6
# @var vaultwarden_signups_domains_whitelist: $ "_unset_"
vaultwarden_invitations_allowed: True
# @var vaultwarden_admin_token: $ "_unset_"
vaultwarden_password_iterations: 100000
vaultwarden_show_password_hint: True
vaultwarden_authenticator_disable_time_drift: False
vaultwarden_user_attachment_limit: 1024
vaultwarden_org_attachment_limit: 1024
# @var vaultwarden_smtp_host: $ "_unset_"
vaultwarden_smtp_from: "vaultwarden@localhost"
vaultwarden_smtp_from_name: "Vaultwarden"
vaultwarden_smtp_port: 465
vaultwarden_smtp_security: force_tls
# @var vaultwarden_smtp_username: $ "_unset_"
# @var vaultwarden_smtp_password: $ "_unset_"
vaultwarden_smtp_auth_mechanism: plain
vaultwarden_smtp_timeout: 15
# @var vaultwarden_db_server:description: >
# This ansible roles does only support postgresql as database"
# @end
vaultwarden_db_server: localhost
vaultwarden_db_port: 5432
vaultwarden_db_name: vaultwarden
vaultwarden_db_user: pgvaultwarden
vaultwarden_db_password: secure
vaultwarden_db_ssl_mode: disable
vaultwarden_db_ssl_rootcert: /etc/ssl/certs/ca-certificates.crt

646
index.md Normal file
View File

@ -0,0 +1,646 @@
---
title: vaultwarden_docker
type: docs
---
[![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.vaultwarden_docker) [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.vaultwarden_docker?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.vaultwarden_docker) [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://gitea.rknet.org/ansible/xoxys.vaultwarden_docker/src/branch/main/LICENSE)
Role to setup a [Vaultwarden](https://github.com/dani-garcia/vaultwarden) password safe. Vaultwarden is a community Bitwarden API server implementation written in Rust.
<!--more-->
- [Default Variables](#default-variables)
- [vaultwarden_admin_token](#vaultwarden_admin_token)
- [vaultwarden_authenticator_disable_time_drift](#vaultwarden_authenticator_disable_time_drift)
- [vaultwarden_base_url](#vaultwarden_base_url)
- [vaultwarden_cap_add](#vaultwarden_cap_add)
- [vaultwarden_cap_drop](#vaultwarden_cap_drop)
- [vaultwarden_container_name](#vaultwarden_container_name)
- [vaultwarden_cpu_shares](#vaultwarden_cpu_shares)
- [vaultwarden_db_name](#vaultwarden_db_name)
- [vaultwarden_db_password](#vaultwarden_db_password)
- [vaultwarden_db_port](#vaultwarden_db_port)
- [vaultwarden_db_server](#vaultwarden_db_server)
- [vaultwarden_db_ssl_mode](#vaultwarden_db_ssl_mode)
- [vaultwarden_db_ssl_rootcert](#vaultwarden_db_ssl_rootcert)
- [vaultwarden_db_user](#vaultwarden_db_user)
- [vaultwarden_disable_2fa_remember](#vaultwarden_disable_2fa_remember)
- [vaultwarden_disable_icon_download](#vaultwarden_disable_icon_download)
- [vaultwarden_exposed_ports](#vaultwarden_exposed_ports)
- [vaultwarden_extended_logging](#vaultwarden_extended_logging)
- [vaultwarden_extra_hosts](#vaultwarden_extra_hosts)
- [vaultwarden_healthcheck](#vaultwarden_healthcheck)
- [vaultwarden_icon_blacklist_non_global_ips](#vaultwarden_icon_blacklist_non_global_ips)
- [vaultwarden_icon_blacklist_regexl](#vaultwarden_icon_blacklist_regexl)
- [vaultwarden_icon_cache_negttl](#vaultwarden_icon_cache_negttl)
- [vaultwarden_icon_cache_ttl](#vaultwarden_icon_cache_ttl)
- [vaultwarden_icon_download_timeout](#vaultwarden_icon_download_timeout)
- [vaultwarden_image](#vaultwarden_image)
- [vaultwarden_invitations_allowed](#vaultwarden_invitations_allowed)
- [vaultwarden_ip_header](#vaultwarden_ip_header)
- [vaultwarden_log_level](#vaultwarden_log_level)
- [vaultwarden_memory_limit](#vaultwarden_memory_limit)
- [vaultwarden_memory_reservation](#vaultwarden_memory_reservation)
- [vaultwarden_networks](#vaultwarden_networks)
- [vaultwarden_networks_applied](#vaultwarden_networks_applied)
- [vaultwarden_org_attachment_limit](#vaultwarden_org_attachment_limit)
- [vaultwarden_password_iterations](#vaultwarden_password_iterations)
- [vaultwarden_pids_limit](#vaultwarden_pids_limit)
- [vaultwarden_reload_templates](#vaultwarden_reload_templates)
- [vaultwarden_restart_policy](#vaultwarden_restart_policy)
- [vaultwarden_security_opt](#vaultwarden_security_opt)
- [vaultwarden_service_directory](#vaultwarden_service_directory)
- [vaultwarden_service_stopped](#vaultwarden_service_stopped)
- [vaultwarden_show_password_hint](#vaultwarden_show_password_hint)
- [vaultwarden_signups_allowed](#vaultwarden_signups_allowed)
- [vaultwarden_signups_domains_whitelist](#vaultwarden_signups_domains_whitelist)
- [vaultwarden_signups_verify](#vaultwarden_signups_verify)
- [vaultwarden_signups_verify_resend_limit](#vaultwarden_signups_verify_resend_limit)
- [vaultwarden_signups_verify_resend_time](#vaultwarden_signups_verify_resend_time)
- [vaultwarden_smtp_auth_mechanism](#vaultwarden_smtp_auth_mechanism)
- [vaultwarden_smtp_from](#vaultwarden_smtp_from)
- [vaultwarden_smtp_from_name](#vaultwarden_smtp_from_name)
- [vaultwarden_smtp_host](#vaultwarden_smtp_host)
- [vaultwarden_smtp_password](#vaultwarden_smtp_password)
- [vaultwarden_smtp_port](#vaultwarden_smtp_port)
- [vaultwarden_smtp_security](#vaultwarden_smtp_security)
- [vaultwarden_smtp_timeout](#vaultwarden_smtp_timeout)
- [vaultwarden_smtp_username](#vaultwarden_smtp_username)
- [vaultwarden_templates_folder](#vaultwarden_templates_folder)
- [vaultwarden_user_attachment_limit](#vaultwarden_user_attachment_limit)
- [vaultwarden_version](#vaultwarden_version)
- [vaultwarden_volumes](#vaultwarden_volumes)
- [vaultwarden_web_vault_enabled](#vaultwarden_web_vault_enabled)
- [vaultwarden_websocket_enabled](#vaultwarden_websocket_enabled)
- [Dependencies](#dependencies)
---
## Default Variables
### vaultwarden_admin_token
#### Default value
```YAML
vaultwarden_admin_token: _unset_
```
### vaultwarden_authenticator_disable_time_drift
#### Default value
```YAML
vaultwarden_authenticator_disable_time_drift: false
```
### vaultwarden_base_url
#### Default value
```YAML
vaultwarden_base_url: http://localhost/
```
### vaultwarden_cap_add
#### Default value
```YAML
vaultwarden_cap_add: []
```
### vaultwarden_cap_drop
#### Default value
```YAML
vaultwarden_cap_drop: []
```
### vaultwarden_container_name
#### Default value
```YAML
vaultwarden_container_name: vaultwarden
```
### vaultwarden_cpu_shares
#### Default value
```YAML
vaultwarden_cpu_shares: _unset_
```
#### Example usage
```YAML
vaultwarden_cpu_shares: '1024'
```
### vaultwarden_db_name
#### Default value
```YAML
vaultwarden_db_name: vaultwarden
```
### vaultwarden_db_password
#### Default value
```YAML
vaultwarden_db_password: secure
```
### vaultwarden_db_port
#### Default value
```YAML
vaultwarden_db_port: 5432
```
### vaultwarden_db_server
This ansible roles does only support postgresql as database"
#### Default value
```YAML
vaultwarden_db_server: localhost
```
### vaultwarden_db_ssl_mode
#### Default value
```YAML
vaultwarden_db_ssl_mode: disable
```
### vaultwarden_db_ssl_rootcert
#### Default value
```YAML
vaultwarden_db_ssl_rootcert: /etc/ssl/certs/ca-certificates.crt
```
### vaultwarden_db_user
#### Default value
```YAML
vaultwarden_db_user: pgvaultwarden
```
### vaultwarden_disable_2fa_remember
#### Default value
```YAML
vaultwarden_disable_2fa_remember: false
```
### vaultwarden_disable_icon_download
#### Default value
```YAML
vaultwarden_disable_icon_download: false
```
### vaultwarden_exposed_ports
#### Default value
```YAML
vaultwarden_exposed_ports:
- 127.0.0.1:8080:8080
```
#### Example usage
```YAML
vaultwarden_exposed_ports:
- "127.0.0.1:8080:8080"
- "127.0.0.1:3012:3012"
```
### vaultwarden_extended_logging
#### Default value
```YAML
vaultwarden_extended_logging: true
```
### vaultwarden_extra_hosts
#### Default value
```YAML
vaultwarden_extra_hosts: []
```
### vaultwarden_healthcheck
#### Default value
```YAML
vaultwarden_healthcheck:
test: '["CMD", "/usr/local/bin/healthcheck"]'
interval: 10s
timeout: 3s
retries: 3
```
### vaultwarden_icon_blacklist_non_global_ips
#### Default value
```YAML
vaultwarden_icon_blacklist_non_global_ips: true
```
### vaultwarden_icon_blacklist_regexl
#### Default value
```YAML
vaultwarden_icon_blacklist_regexl: _unset_
```
### vaultwarden_icon_cache_negttl
#### Default value
```YAML
vaultwarden_icon_cache_negttl: '{{ vaultwarden_icon_cache_ttl }}'
```
### vaultwarden_icon_cache_ttl
#### Default value
```YAML
vaultwarden_icon_cache_ttl: 2592000
```
### vaultwarden_icon_download_timeout
#### Default value
```YAML
vaultwarden_icon_download_timeout: 10
```
### vaultwarden_image
#### Default value
```YAML
vaultwarden_image: thegeeklab/vaultwarden:{{ vaultwarden_version }}
```
### vaultwarden_invitations_allowed
#### Default value
```YAML
vaultwarden_invitations_allowed: true
```
### vaultwarden_ip_header
#### Default value
```YAML
vaultwarden_ip_header: X-Forwarded-For
```
### vaultwarden_log_level
#### Default value
```YAML
vaultwarden_log_level: Info
```
### vaultwarden_memory_limit
#### Default value
```YAML
vaultwarden_memory_limit: _unset_
```
#### Example usage
```YAML
vaultwarden_memory_limit: 512m
```
### vaultwarden_memory_reservation
#### Default value
```YAML
vaultwarden_memory_reservation: _unset_
```
#### Example usage
```YAML
vaultwarden_memory_reservation: 256m
```
### vaultwarden_networks
#### Default value
```YAML
vaultwarden_networks:
- name: default
```
#### Example usage
```YAML
vaultwarden_networks:
- name: default
# optional network driver, defaults to 'bride'
driver: host
```
### vaultwarden_networks_applied
#### Default value
```YAML
vaultwarden_networks_applied:
- default
```
### vaultwarden_org_attachment_limit
#### Default value
```YAML
vaultwarden_org_attachment_limit: 1024
```
### vaultwarden_password_iterations
#### Default value
```YAML
vaultwarden_password_iterations: 100000
```
### vaultwarden_pids_limit
#### Default value
```YAML
vaultwarden_pids_limit: _unset_
```
### vaultwarden_reload_templates
#### Default value
```YAML
vaultwarden_reload_templates: false
```
### vaultwarden_restart_policy
#### Default value
```YAML
vaultwarden_restart_policy: always
```
### vaultwarden_security_opt
#### Default value
```YAML
vaultwarden_security_opt: []
```
### vaultwarden_service_directory
#### Default value
```YAML
vaultwarden_service_directory: /var/lib/docker/services/vaultwarden
```
### vaultwarden_service_stopped
#### Default value
```YAML
vaultwarden_service_stopped: false
```
### vaultwarden_show_password_hint
#### Default value
```YAML
vaultwarden_show_password_hint: true
```
### vaultwarden_signups_allowed
#### Default value
```YAML
vaultwarden_signups_allowed: false
```
### vaultwarden_signups_domains_whitelist
#### Default value
```YAML
vaultwarden_signups_domains_whitelist: _unset_
```
### vaultwarden_signups_verify
#### Default value
```YAML
vaultwarden_signups_verify: false
```
### vaultwarden_signups_verify_resend_limit
#### Default value
```YAML
vaultwarden_signups_verify_resend_limit: 6
```
### vaultwarden_signups_verify_resend_time
#### Default value
```YAML
vaultwarden_signups_verify_resend_time: 3600
```
### vaultwarden_smtp_auth_mechanism
#### Default value
```YAML
vaultwarden_smtp_auth_mechanism: plain
```
### vaultwarden_smtp_from
#### Default value
```YAML
vaultwarden_smtp_from: vaultwarden@localhost
```
### vaultwarden_smtp_from_name
#### Default value
```YAML
vaultwarden_smtp_from_name: Vaultwarden
```
### vaultwarden_smtp_host
#### Default value
```YAML
vaultwarden_smtp_host: _unset_
```
### vaultwarden_smtp_password
#### Default value
```YAML
vaultwarden_smtp_password: _unset_
```
### vaultwarden_smtp_port
#### Default value
```YAML
vaultwarden_smtp_port: 465
```
### vaultwarden_smtp_security
#### Default value
```YAML
vaultwarden_smtp_security: force_tls
```
### vaultwarden_smtp_timeout
#### Default value
```YAML
vaultwarden_smtp_timeout: 15
```
### vaultwarden_smtp_username
#### Default value
```YAML
vaultwarden_smtp_username: _unset_
```
### vaultwarden_templates_folder
#### Default value
```YAML
vaultwarden_templates_folder: _unset_
```
### vaultwarden_user_attachment_limit
#### Default value
```YAML
vaultwarden_user_attachment_limit: 1024
```
### vaultwarden_version
#### Default value
```YAML
vaultwarden_version: latest
```
### vaultwarden_volumes
> Define required docker volumes.
#### Default value
```YAML
vaultwarden_volumes:
- name: data
dest: /app/data
bind: false
```
#### Example usage
```YAML
vaultwarden_volumes:
# Instead of the name you could specify a path on the container host system,
# but you also have to enable bind mount for this volume
- name: data
# target location inside the container
dest: /var/www/app/data
# enable bind mount, if false volume will be configured as named volume
# keep in mind you MUST set bind in any case
bind: True
```
### vaultwarden_web_vault_enabled
#### Default value
```YAML
vaultwarden_web_vault_enabled: true
```
### vaultwarden_websocket_enabled
If you enable websockets you also have to expose port `3012`.
#### Default value
```YAML
vaultwarden_websocket_enabled: false
```
## Dependencies
None.

31
meta/main.yml
View File

@ -1,31 +0,0 @@
# Standards: 0.2
---
galaxy_info:
# @meta author:value: [Robert Kaussow](https://gitea.rknet.org/xoxys)
author: Robert Kaussow <mail@thegeeklab.de>
namespace: xoxys
role_name: vaultwarden_docker
# @meta description: >
# [![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.vaultwarden_docker)
# [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.vaultwarden_docker?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.vaultwarden_docker)
# [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://gitea.rknet.org/ansible/xoxys.vaultwarden_docker/src/branch/main/LICENSE)
#
# Role to setup a [Vaultwarden](https://github.com/dani-garcia/vaultwarden) password safe.
# Vaultwarden is a community Bitwarden API server implementation written in Rust.
# @end
description: Role to setup Vaultwarden passsword safe
license: MIT
min_ansible_version: 2.10
platforms:
- name: EL
versions:
- 7
galaxy_tags:
- security
- vault
- password
- save
dependencies: []
collections:
- xoxys.general
- community.general

40
molecule/centos7/converge.yml
View File

@ -1,40 +0,0 @@
---
- name: Converge (Stage 1)
hosts: all
vars:
dockerengine_packages_extra:
- epel-release
- python-pip
- python-virtualenv
roles:
- role: xoxys.docker_engine
- name: Converge (Stage 2)
hosts: all
environment:
PYTHONPATH: /opt/python2/ansible-deps/lib/python2.7/site-packages
vars:
postgres_repository_enabled: True
postgres_connection_addresses:
- "{{ ansible_docker0.ipv4.address }}"
postgres_users:
- name: "pgvaultwarden"
password: "secure"
priv: ALL
db: "vaultwarden"
postgres_dbs:
- name: "vaultwarden"
postgres_hba_entries_extra:
- contype: host
databases:
- all
users:
- all
address: "172.18.0.0/16"
auth_method: md5
vaultwarden_db_server: "{{ ansible_docker0.ipv4.address }}"
roles:
- role: xoxys.postgres
- role: xoxys.vaultwarden_docker

120
molecule/centos7/create.yml
View File

@ -1,120 +0,0 @@
---
- name: Create
hosts: localhost
connection: local
gather_facts: false
no_log: "{{ molecule_no_log }}"
vars:
ssh_port: 22
ssh_user: root
ssh_path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/ssh_key"
tasks:
- name: Create SSH key
user:
name: "{{ lookup('env', 'USER') }}"
generate_ssh_key: true
ssh_key_file: "{{ ssh_path }}"
force: true
register: generated_ssh_key
- name: Register the SSH key name
set_fact:
ssh_key_name: "molecule-generated-{{ 12345 | random | to_uuid }}"
- name: Register SSH key for test instance(s)
hcloud_ssh_key:
name: "{{ ssh_key_name }}"
public_key: "{{ generated_ssh_key.ssh_public_key }}"
state: present
- name: Create molecule instance(s)
hcloud_server:
name: "{{ item.name }}"
server_type: "{{ item.server_type }}"
ssh_keys:
- "{{ ssh_key_name }}"
image: "{{ item.image }}"
location: "{{ item.location | default(omit) }}"
datacenter: "{{ item.datacenter | default(omit) }}"
user_data: "{{ item.user_data | default(omit) }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: present
register: server
loop: "{{ molecule_yml.platforms }}"
async: 7200
poll: 0
- name: Wait for instance(s) creation to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_jobs
until: hetzner_jobs.finished
retries: 300
loop: "{{ server.results }}"
- name: Create volume(s)
hcloud_volume:
name: "{{ item.name }}"
server: "{{ item.name }}"
location: "{{ item.location | default(omit) }}"
size: "{{ item.volume_size | default(10) }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: "present"
loop: "{{ molecule_yml.platforms }}"
when: item.volume | default(False) | bool
register: volumes
async: 7200
poll: 0
- name: Wait for volume(s) creation to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_volumes
until: hetzner_volumes.finished
retries: 300
when: volumes.changed
loop: "{{ volumes.results }}"
# Mandatory configuration for Molecule to function.
- name: Populate instance config dict
set_fact:
instance_conf_dict:
{
"instance": "{{ item.hcloud_server.name }}",
"ssh_key_name": "{{ ssh_key_name }}",
"address": "{{ item.hcloud_server.ipv4_address }}",
"user": "{{ ssh_user }}",
"port": "{{ ssh_port }}",
"identity_file": "{{ ssh_path }}",
"volume": "{{ item.item.item.volume | default(False) | bool }}",
}
loop: "{{ hetzner_jobs.results }}"
register: instance_config_dict
when: server.changed | bool
- name: Convert instance config dict to a list
set_fact:
instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}"
when: server.changed | bool
- name: Dump instance config
copy:
content: |
# Molecule managed
{{ instance_conf | to_nice_yaml(indent=2) }}
dest: "{{ molecule_instance_config }}"
when: server.changed | bool
- name: Wait for SSH
wait_for:
port: "{{ ssh_port }}"
host: "{{ item.address }}"
search_regex: SSH
delay: 10
loop: "{{ lookup('file', molecule_instance_config) | from_yaml }}"
- name: Wait for VM to settle down
pause:
seconds: 30

78
molecule/centos7/destroy.yml
View File

@ -1,78 +0,0 @@
---
- name: Destroy
hosts: localhost
connection: local
gather_facts: false
no_log: "{{ molecule_no_log }}"
tasks:
- name: Check existing instance config file
stat:
path: "{{ molecule_instance_config }}"
register: cfg
- name: Populate the instance config
set_fact:
instance_conf: "{{ (lookup('file', molecule_instance_config) | from_yaml) if cfg.stat.exists else [] }}"
- name: Destroy molecule instance(s)
hcloud_server:
name: "{{ item.instance }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: absent
register: server
loop: "{{ instance_conf }}"
async: 7200
poll: 0
- name: Wait for instance(s) deletion to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_jobs
until: hetzner_jobs.finished
retries: 300
loop: "{{ server.results }}"
- pause:
seconds: 5
- name: Destroy volume(s)
hcloud_volume:
name: "{{ item.instance }}"
server: "{{ item.instance }}"
api_token: "{{ lookup('env', 'HCLOUD_TOKEN') }}"
state: "absent"
register: volumes
loop: "{{ instance_conf }}"
when: item.volume | default(False) | bool
async: 7200
poll: 0
- name: Wait for volume(s) deletion to complete
async_status:
jid: "{{ item.ansible_job_id }}"
register: hetzner_volumes
until: hetzner_volumes.finished
retries: 300
when: volumes.changed
loop: "{{ volumes.results }}"
- name: Remove registered SSH key
hcloud_ssh_key:
name: "{{ instance_conf[0].ssh_key_name }}"
state: absent
when: (instance_conf | default([])) | length > 0
# Mandatory configuration for Molecule to function.
- name: Populate instance config
set_fact:
instance_conf: {}
- name: Dump instance config
copy:
content: |
# Molecule managed
{{ instance_conf | to_nice_yaml(indent=2) }}
dest: "{{ molecule_instance_config }}"
when: server.changed | bool

24
molecule/centos7/molecule.yml
View File

@ -1,24 +0,0 @@
---
dependency:
name: galaxy
options:
role-file: molecule/requirements.yml
requirements-file: molecule/requirements.yml
env:
ANSIBLE_GALAXY_DISPLAY_PROGRESS: "false"
driver:
name: delegated
platforms:
- name: centos7-vaultwarden
image: centos-7
server_type: cx11
lint: |
/usr/local/bin/flake8
provisioner:
name: ansible
env:
ANSIBLE_FILTER_PLUGINS: ${ANSIBLE_FILTER_PLUGINS:-./plugins/filter}
ANSIBLE_LIBRARY: ${ANSIBLE_LIBRARY:-./library}
log: False
verifier:
name: testinfra

15
molecule/centos7/prepare.yml
View File

@ -1,15 +0,0 @@
---
- name: Prepare
hosts: all
gather_facts: false
tasks:
- name: Bootstrap python for Ansible
raw: |
command -v python3 python || (
(test -e /usr/bin/dnf && sudo dnf install -y python3) ||
(test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
(test -e /usr/bin/yum && sudo yum -y -qq install python3) ||
echo "Warning: Python not boostrapped due to unknown platform."
)
become: true
changed_when: false

28
molecule/centos7/tests/test_default.py
View File

@ -1,28 +0,0 @@
import os
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
os.environ["MOLECULE_INVENTORY_FILE"]
).get_hosts("all")
def test_vaultwarden_running(host):
vaultwarden = host.docker("vaultwarden")
assert vaultwarden.is_running
def test_vaultwarden_socket(host):
# Verify the socket is listening for HTTP traffic
assert host.socket("tcp://127.0.0.1:8080").is_listening
def test_vaultwarden_conn_error(host):
code = int(
host.run("curl -s -w '%{http_code}' http://127.0.0.1:8080/alive -o /dev/null").stdout
)
body = host.run("curl -sX GET http://127.0.0.1:8080/").stdout
assert code == 200
assert "Bitwarden Web Vault" in body

1
molecule/default
View File

@ -1 +0,0 @@
centos7

3
molecule/pytest.ini
View File

@ -1,3 +0,0 @@
[pytest]
filterwarnings =
ignore::DeprecationWarning

15
molecule/requirements.yml
View File

@ -1,15 +0,0 @@
---
collections:
- name: https://gitea.rknet.org/ansible/xoxys.general/releases/download/v2.1.1/xoxys-general-2.1.1.tar.gz
- name: community.general
roles:
- src: https://gitea.rknet.org/ansible/xoxys.docker_engine.git
name: xoxys.docker_engine
scm: git
version: main
- src: https://gitea.rknet.org/ansible/xoxys.postgres.git
name: xoxys.postgres
scm: git
version: main

12
setup.cfg
View File

@ -1,12 +0,0 @@
[flake8]
ignore = D100, D101, D102, D103, D105, D107, E402, W503
max-line-length = 99
inline-quotes = double
exclude = .git,.tox,__pycache__,build,dist,tests,*.pyc,*.egg-info,.cache,.eggs,env*
[yapf]
based_on_style = google
column_limit = 99
dedent_closing_brackets = true
coalesce_brackets = true
split_before_logical_operator = true

2
tasks/main.yml
View File

@ -1,2 +0,0 @@
---
- include_tasks: setup.yml

26
tasks/setup.yml
View File

@ -1,26 +0,0 @@
---
- block:
- name: Ensure service directory exists
file:
path: "{{ vaultwarden_service_directory }}"
state: directory
mode: 0755
- name: Deploy compose file to '{{ vaultwarden_service_directory }}'
template:
src: "services/vaultwarden_compose.yml.j2"
dest: "{{ vaultwarden_service_directory }}/docker-compose.yml"
owner: root
group: root
mode: 0640
validate: "docker-compose -f %s config -q"
- name: Ensure service is up and running
docker_compose:
project_src: "{{ vaultwarden_service_directory }}"
pull: yes
remove_orphans: yes
stopped: "{{ vaultwarden_service_stopped }}"
state: present
become: True
become_user: root

132
templates/services/vaultwarden_compose.yml.j2
View File

@ -1,132 +0,0 @@
#jinja2:lstrip_blocks: True
{{ ansible_managed | comment }}
version: "2.4"
services:
vaultwarden:
container_name: {{ vaultwarden_container_name }}
image: {{ vaultwarden_image }}
restart: {{ vaultwarden_restart_policy }}
{% if vaultwarden_exposed_ports | default([]) %}
ports:
{% for port in vaultwarden_exposed_ports %}
- {{ port | quote }}
{% endfor %}
{% endif %}
{% if vaultwarden_volumes | default([]) %}
volumes:
{% for volume in vaultwarden_volumes %}
- "{{ volume.name }}:{{ volume.dest }}"
{% endfor %}
{% endif %}
{% if vaultwarden_networks_applied | default([]) %}
networks:
{% for network in vaultwarden_networks_applied %}
- {{ network }}
{% endfor %}
{% endif %}
{% if vaultwarden_extra_hosts | default([]) %}
extra_hosts:
{% for host in vaultwarden_extra_hosts %}
- {{ host | quote }}
{% endfor %}
{% endif %}
environment:
- VAULTWARDEN_DOMAIN={{ vaultwarden_base_url }}
- VAULTWARDEN_DATABASE_URL=postgresql://{{ vaultwarden_db_user }}:{{ vaultwarden_db_password | urlencode }}@{{ vaultwarden_db_server }}:{{ vaultwarden_db_port }}/{{ vaultwarden_db_name }}?sslmode={{ vaultwarden_db_ssl_mode }}&sslrootcert={{ vaultwarden_db_ssl_rootcert }}
- VAULTWARDEN_USER_ATTACHMENT_LIMIT={{ vaultwarden_user_attachment_limit }}
- VAULTWARDEN_ORG_ATTACHMENT_LIMIT={{ vaultwarden_org_attachment_limit }}
- VAULTWARDEN_WEBSOCKET_ENABLED={{ vaultwarden_websocket_enabled }}
{% if vaultwarden_templates_folder is defined and vaultwarden_templates_folder %}
- VAULTWARDEN_TEMPLATES_FOLDER={{ vaultwarden_templates_folder }}
{% endif %}
- VAULTWARDEN_RELOAD_TEMPLATES={{ vaultwarden_reload_templates }}
- VAULTWARDEN_IP_HEADER={{ vaultwarden_ip_header }}
- VAULTWARDEN_ICON_CACHE_TTL={{ vaultwarden_icon_cache_ttl }}
- VAULTWARDEN_ICON_CACHE_NEGTTL="{{ vaultwarden_icon_cache_negttl }}"
- VAULTWARDEN_WEB_VAULT_ENABLED={{ vaultwarden_web_vault_enabled }}
- VAULTWARDEN_EXTENDED_LOGGING={{ vaultwarden_extended_logging }}
- VAULTWARDEN_LOG_LEVEL={{ vaultwarden_log_level }}
- VAULTWARDEN_DISABLE_ICON_DOWNLOAD={{ vaultwarden_disable_icon_download }}
- VAULTWARDEN_ICON_DOWNLOAD_TIMEOUT={{ vaultwarden_icon_download_timeout }}
{% if vaultwarden_icon_blacklist_regexl is defined and vaultwarden_icon_blacklist_regexl %}
- VAULTWARDEN_ICON_BLACKLIST_REGEXL={{ vaultwarden_icon_blacklist_regexl }}
{% endif %}
- VAULTWARDEN_ICON_BLACKLIST_NON_GLOBAL_IPS={{ vaultwarden_icon_blacklist_non_global_ips }}
- VAULTWARDEN_DISABLE_2FA_REMEMBER={{ vaultwarden_disable_2fa_remember }}
- VAULTWARDEN_SIGNUPS_ALLOWED={{ vaultwarden_signups_allowed }}
- VAULTWARDEN_SIGNUPS_VERIFY={{ vaultwarden_signups_verify }}
- VAULTWARDEN_SIGNUPS_VERIFY_RESEND_TIME={{ vaultwarden_signups_verify_resend_time }}
- VAULTWARDEN_SIGNUPS_VERIFY_RESEND_LIMIT={{ vaultwarden_signups_verify_resend_limit }}
{% if vaultwarden_signups_domains_whitelist is defined and vaultwarden_signups_domains_whitelist %}
- VAULTWARDEN_SIGNUPS_DOMAINS_WHITELIST={{ vaultwarden_signups_domains_whitelist }}
{% endif %}
- VAULTWARDEN_INVITATIONS_ALLOWED={{ vaultwarden_invitations_allowed }}
{% if vaultwarden_admin_token is defined and vaultwarden_admin_token %}
- VAULTWARDEN_ADMIN_TOKEN={{ vaultwarden_admin_token }}
{% endif %}
- VAULTWARDEN_PASSWORD_ITERATIONS={{ vaultwarden_password_iterations }}
- VAULTWARDEN_SHOW_PASSWORD_HINT={{ vaultwarden_show_password_hint }}
- VAULTWARDEN_AUTHENTICATOR_DISABLE_TIME_DRIFT={{ vaultwarden_authenticator_disable_time_drift }}
{% if vaultwarden_smtp_host is defined and vaultwarden_smtp_host %}
- VAULTWARDEN_SMTP_HOST={{ vaultwarden_smtp_host }}
- VAULTWARDEN_SMTP_FROM={{ vaultwarden_smtp_from }}
- VAULTWARDEN_SMTP_FROM_NAME="{{ vaultwarden_smtp_from_name }}"
- VAULTWARDEN_SMTP_PORT={{ vaultwarden_smtp_port }}
- VAULTWARDEN_SMTP_SECURITY={{ vaultwarden_smtp_security }}
{% if vaultwarden_smtp_username is defined and vaultwarden_smtp_username %}
- VAULTWARDEN_SMTP_USERNAME={{ vaultwarden_smtp_username }}
- VAULTWARDEN_SMTP_PASSWORD={{ vaultwarden_smtp_password }}
{% endif %}
- VAULTWARDEN_SMTP_AUTH_MECHANISM={{ vaultwarden_smtp_auth_mechanism }}
- VAULTWARDEN_SMTP_TIMEOUT={{ vaultwarden_smtp_timeout }}
{% endif %}
{% if vaultwarden_memory_limit is defined %}
mem_limit: {{ vaultwarden_memory_limit }}
{% endif %}
{% if vaultwarden_memory_reservation is defined %}
mem_reservation: {{ vaultwarden_memory_reservation }}
{% endif %}
{% if vaultwarden_cpu_shares is defined %}
cpu_shares: {{ vaultwarden_cpu_shares }}
{% endif %}
{% if not vaultwarden_cap_add | length == 0 %}
cap_add:
{% for item in vaultwarden_cap_add %}
- {{ item }}
{% endfor %}
{% endif %}
{% if not vaultwarden_cap_drop | length == 0 %}
cap_drop:
{% for item in vaultwarden_cap_drop %}
- {{ item }}
{% endfor %}
{% endif %}
{% if not vaultwarden_security_opt | length == 0 %}
security_opt:
{% for item in vaultwarden_security_opt %}
- {{ item }}
{% endfor %}
{% endif %}
healthcheck:
{% for key, value in vaultwarden_healthcheck.items() %}
{{ key }}: {{ value }}
{% endfor %}
{% if vaultwarden_pids_limit is defined %}
pids_limit: {{ vaultwarden_pids_limit }}
{% endif %}
{% if vaultwarden_volumes | default([]) | rejectattr("bind") | list | length > 0 %}
volumes:
{% for volume in vaultwarden_volumes | rejectattr("bind") %}
{{ volume.name }}:
{% endfor %}
{% endif %}
{% if vaultwarden_networks | default([]) | length > 0 %}
networks:
{% for network in vaultwarden_networks %}
{{ network.name }}:
driver: {{ network.backend | default("bridge") }}
{% endfor %}
{% endif %}