commit e237cbb91f667a832bd8cfecfbba5ec3cbd0c7cf
Author: thiuda
Date: Fri Sep 17 20:01:30 2021 +0200
init
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..f6922d0
--- /dev/null
+++ b/README.md
@@ -0,0 +1,11 @@
+# Ansible Deployment for bitwarden-rs
+
+## Variables
+
+```
+- bitwarden_version Docker image version to use
+- bitwarden_domain Fully qualified domain name, e.g. vault.example.tld
+- bitwarden_admin_token Token for admin panel
+- bitwarden_port_web UI port to run on localhost
+- bitwarden_port_ws Socket port to run on localhost
+```
\ No newline at end of file
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..c97c962
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,12 @@
+galaxy_info:
+  author: thiuda
+  description: role to deploy bitwarden behind nginx reverse proxy
+  company: progressivwerk
+  license: MIT
+  min_ansible_version: 2.1
+  galaxy_tags: []
+  platforms:
+    - name: Debian
+      versions:
+        - 10
+dependencies: []
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..844c36c
--- /dev/null
+++ b/tasks/main.yml
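Review bot: In meta/main.yml, `min_ansible_version: 2.1` and the platform version `- 10` are parsed as a float and an integer rather than strings, so a value such as `2.10` would silently become `2.1` and any tool comparing version strings receives a number instead; quote both, `min_ansible_version: "2.1"` and `- "10"`. As I recall, ansible-lint's meta schema also expects `min_ansible_version` to be a string, so this will show up as a finding as soon as the role is linted.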
@@ -0,0 +1,43 @@
+---
+- name: Create directory if it does not exists
+  become: yes
+  file:
+    path: "{{ compose_dir }}/bitwarden"
+    state: directory
+    mode: 0755
+
+- name: Place docker-compose file
+  become: yes
+  template:
+    src: templates/docker-compose.yml.j2
+    dest: "{{ compose_dir }}/bitwarden/docker-compose.yml"
+    mode: 0700
+
+- name: Place bitwarden env file
+  become: yes
+  template:
+    src: templates/.env.j2
+    dest: "{{ compose_dir }}/bitwarden/.env"
+    mode: 0600
+
+- name: Update and start services
+  become: yes
+  docker_compose:
+    project_src: "{{ compose_dir }}/bitwarden"
+    pull: yes
+    state: present
+    remove_orphans: yes
+  register: output
+
+- name: Check all containers are running
+  ansible.builtin.assert:
+    that:
+      - "output.ansible_facts.bitwarden.bitwarden.state.running": true
+
+- name: Place reverse proxy conf
+  become: yes
+  template:
+    src: templates/reverse_proxy.conf.j2
+    dest: "/etc/nginx/conf.d/bitwarden.conf"
+    mode: 0600
+  notify: Check and Reload nginx
diff --git a/templates/.env.j2 b/templates/.env.j2
new file mode 100644
index 0000000..9d791fe
--- /dev/null
+++ b/templates/.env.j2
@@ -0,0 +1,3 @@
+WEBSOCKET_ENABLED=true
+SIGNUPS_ALLOWED=false
+ADMIN_TOKEN={{ bitwarden_admin_token }}
\ No newline at end of file
diff --git a/templates/docker-compose.yml.j2 b/templates/docker-compose.yml.j2
new file mode 100644
index 0000000..930b786
--- /dev/null
+++ b/templates/docker-compose.yml.j2
@@ -0,0 +1,21 @@
+# {{ ansible_managed }}
+# commit: {{ lookup('pipe', 'git rev-parse --short HEAD') }}
+
+version: "3.4"
+
+services:
+  bitwarden:
+    image: bitwardenrs/server:{{ bitwarden_version }}-alpine
+    restart: unless-stopped
+    container_name: bitwarden
+    hostname: bitwarden
+    ports:
+      - 127.0.0.1:{{ bitwarden_port_web }}:80
+      - 127.0.0.1:{{ bitwarden_port_ws }}:3021
+    volumes:
+      - data:/data
+    env_file:
+      - ./.env
+
+volumes:
+  data
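Review bot: The assert in `Check all containers are running` passes a one-key mapping instead of a string conditional — `- "output.ansible_facts.bitwarden.bitwarden.state.running": true` is a dict item, so `that` no longer carries the expression to be evaluated; write it as `- output.ansible_facts.bitwarden.bitwarden.state.running` and consider a `fail_msg`. The `Place bitwarden env file` task renders the admin token into a file without `no_log`, so a run with `--diff` prints the rendered `.env`, token included; add `no_log: true` to that task. Style: the file mixes `ansible.builtin.assert` with bare `file`/`template`/`docker_compose`, and uses `become: yes` where `true` is the canonical boolean — pick FQCN and `true` throughout.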
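Review bot: The env file sets `WEBSOCKET_ENABLED`, `SIGNUPS_ALLOWED` and `ADMIN_TOKEN` but not `DOMAIN`, although the role already knows the public URL as `bitwarden_domain`; if I recall correctly bitwarden_rs uses `DOMAIN` to build links and for the WebAuthn/U2F origin, so behind a TLS-terminating proxy it should be set, e.g. `DOMAIN=https://{{ bitwarden_domain }}` — confirm against the image's documentation for the pinned version. The token line is a raw substitution, so if `bitwarden_admin_token` resolves to an empty string the file silently gets `ADMIN_TOKEN=`; an `assert` on its length in tasks/main.yml before the template task would catch that before the container starts.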
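Review bot: The websocket mapping `- 127.0.0.1:{{ bitwarden_port_ws }}:3021` targets container port 3021, while bitwarden_rs's websocket server defaults to 3012 (the nginx template in this commit also listens on 3012), so `3021` looks like a transposed digit — confirm and change it to `:3012`. The image is pulled by mutable tag (`bitwardenrs/server:{{ bitwarden_version }}-alpine` together with `pull: yes` in tasks/main.yml), so every run can silently pick up a rebuilt image; consider pinning by digest, e.g. `image: bitwardenrs/server:{{ bitwarden_version }}-alpine@sha256:<DIGEST>` with the digest kept as a role variable. The `# commit:` header runs `git rev-parse` on the controller through the `pipe` lookup, which makes the template fail whenever the role is installed outside a git checkout (a Galaxy install, a tarball); guard it or drop it. The port mappings are unquoted; quoting them (`- "127.0.0.1:{{ bitwarden_port_web }}:80"`) is the usual defensive style for compose files.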
diff --git a/templates/reverse_proxy.conf.j2 b/templates/reverse_proxy.conf.j2
new file mode 100644
index 0000000..8e96339
--- /dev/null
+++ b/templates/reverse_proxy.conf.j2
@@ -0,0 +1,92 @@
+# {{ ansible_managed }}
+# commit: {{ lookup('pipe', 'git rev-parse --short HEAD') }}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    listen 3012 ssl http2;
+    listen [::]:3012 ssl http2;
+    server_name {{ bitwarden_domain }};
+
+    ##
+    # SSL Settings
+    ##
+    ssl_session_cache builtin:1000 shared:SSL:10m;
+    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+    ssl_prefer_server_ciphers on;
+    ssl_dhparam {{ ssl_dir }}/dhparams.pem;
+    ssl_ecdh_curve secp384r1;
+    ssl_certificate {{ certs_dir }}/{{ domain | get_tld }}/cert.pem;
+    ssl_certificate_key {{ certs_dir }}/{{ domain | get_tld }}/key.pem;
+    ssl_certificate {{ certs_dir }}/{{ domain | get_tld }}/cert.pem;
+    ssl_certificate_key {{ certs_dir }}/{{ domain | get_tld }}/key.pem;
+
+    ##
+    # OCSP Stapling
+    ##
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver {{ dns_resolvers }} valid=300s;
+    ssl_trusted_certificate {{ certs_dir }}/{{ domain | get_tld }}/cert.pem;
+
+    ##
+    # FloC
+    ##
+    add_header Permissions-Policy: interest-cohort=();
+
+    location / {
+        proxy_set_header Host $http_host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Ssl on;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        proxy_pass http://127.0.0.1:{{ bitwarden_port_web }};
+
+        client_max_body_size 128M;
+    }
+
+    location /notifications/hub {
+        proxy_pass http://127.0.0.1:{{ bitwarden_port_ws }};
+        proxy_http_version 1.1;
+        proxy_set_header Host $http_host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Ssl on;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+
+    location /notifications/hub/negotiate {
+        proxy_pass http://127.0.0.1:{{ bitwarden_port_web }};
+    }
+
+    error_page 404 /404.html;
+    location = /40x.html {
+    }
+
+    error_page 500 502 503 504 /50x.html;
+    location = /50x.html {
+    }
+}
+
+
+server {
+    if ($host = {{ bitwarden_domain }}) {
+        return 301 https://$host$request_uri;
+    }
+
+    listen 80;
+    listen [::]:80;
+    server_name {{ bitwarden_domain }};
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
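Review bot: `ssl_protocols TLSv1.2 TLSv1.1 TLSv1;` keeps TLS 1.0 and 1.1 enabled on a password-vault endpoint; both are deprecated (RFC 8996) and Debian 10's nginx/OpenSSL support 1.3, so this should read `ssl_protocols TLSv1.2 TLSv1.3;`. `add_header Permissions-Policy: interest-cohort=();` has the colon inside the header name, so nginx emits `Permissions-Policy:: interest-cohort=()` — the directive takes name and value as separate arguments. The `/notifications/hub` location sets `Upgrade` and HTTP/1.1 but never `proxy_set_header Connection "upgrade";`, without which the WebSocket handshake is not forwarded; `location /` sets `Upgrade` too but without `proxy_http_version 1.1`, which is harmless but misleading. Also the `ssl_certificate`/`ssl_certificate_key` pair is duplicated verbatim, `ssl_trusted_certificate` points at `cert.pem` although OCSP-stapling verification needs the issuer chain (if that file is the leaf only, I would expect nginx to log a warning and skip stapling), and the template depends on `ssl_dir`, `certs_dir`, `dns_resolvers`, `domain` and a custom `get_tld` filter that neither the role nor its README defines — the README lists only the `bitwarden_*` variables. For a vault served only over TLS an HSTS header is also missing; the rewritten lines below add it next to the FloC header.
```nginx
server {
    # … unchanged: listen / server_name …
    ssl_protocols TLSv1.2 TLSv1.3;
    # … unchanged: ciphers, dhparam, curve, one ssl_certificate/ssl_certificate_key pair, OCSP stapling …
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header Permissions-Policy "interest-cohort=()";
    # … unchanged: location / …
    location /notifications/hub {
        proxy_pass http://127.0.0.1:{{ bitwarden_port_ws }};
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # … unchanged: remaining proxy_set_header lines …
    }
    # … unchanged: negotiate location, error pages …
}
```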