init
commit
e237cbb91f
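--- /dev/null
+++ b/PATH_NOT_SHOWN_1
@@ -0,0 +1,11 @@
+# Ansible Deployment for bitwarden-rs
+
+## Variables
+
+```
+- bitwarden_version Docker image version to use
+- bitwarden_domain Fully qualified domain name, e.g. vault.example.tld
+- bitwarden_admin_token Token for admin panel
+- bitwarden_port_web UI port to run on localhost
+- bitwarden_port_ws Socket port to run on localhost
+```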
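--- /dev/null
+++ b/PATH_NOT_SHOWN_2
@@ -0,0 +1,12 @@
+galaxy_info:
+  author: thiuda
+  description: role to deploy bitwarden behind nginx reverse proxy
+  company: progressivwerk
+  license: MIT
+  min_ansible_version: 2.1
+  galaxy_tags: []
+  platforms:
+    - name: Debian
+      versions:
+        - 10
+dependencies: []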
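Review bot: `min_ansible_version: 2.1` is inconsistent with the task file in this commit, which uses the collection-style module name `ansible.builtin.assert`; FQCN module names need a far newer Ansible than 2.1, so the stated minimum should be raised to the release the role is actually tested on. As an unquoted float the value is also fragile under YAML 1.1 implicit typing (a future `2.10` would parse as `2.1`); write it as a quoted string once the real minimum is chosen, e.g. `min_ansible_version: "2.10"`. `dependencies: []` is declared even though the templates reference `compose_dir`, `ssl_dir`, `certs_dir`, `dns_resolvers`, the `get_tld` filter and a `Check and Reload nginx` handler, none of which this commit defines; if those come from another role, listing it here (or documenting the requirement in the README) would make the contract explicit.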
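--- /dev/null
+++ b/PATH_NOT_SHOWN_3
@@ -0,0 +1,43 @@
+---
+- name: Create directory if it does not exists
+  become: yes
+  file:
+    path: "{{ compose_dir }}/bitwarden"
+    state: directory
+    mode: 0755
+
+- name: Place docker-compose file
+  become: yes
+  template:
+    src: templates/docker-compose.yml.j2
+    dest: "{{ compose_dir }}/bitwarden/docker-compose.yml"
+    mode: 0700
+
+- name: Place bitwarden env file
+  become: yes
+  template:
+    src: templates/.env.j2
+    dest: "{{ compose_dir }}/bitwarden/.env"
+    mode: 0600
+
+- name: Update and start services
+  become: yes
+  docker_compose:
+    project_src: "{{ compose_dir }}/bitwarden"
+    pull: yes
+    state: present
+    remove_orphans: yes
+  register: output
+
+- name: Check all containers are running
+  ansible.builtin.assert:
+    that:
+      - "output.ansible_facts.bitwarden.bitwarden.state.running": true
+
+- name: Place reverse proxy conf
+  become: yes
+  template:
+    src: templates/reverse_proxy.conf.j2
+    dest: "/etc/nginx/conf.d/bitwarden.conf"
+    mode: 0600
+  notify: Check and Reload nginx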
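Review bot: The `that:` item in the `Check all containers are running` task is a one-key mapping (`"…state.running": true`) rather than a conditional expression, so the assert does not evaluate the container state the way the task name implies — `that` expects a list of Jinja conditions, so the item should be `- output.ansible_facts.bitwarden.bitwarden.state.running`. The `become: yes` values throughout and the unquoted `mode: 0755` / `0700` / `0600` are what yamllint (truthy) and ansible-lint (risky-octal) flag: use `become: true` and quote the modes, e.g. `mode: "0600"`, so the octal value survives a YAML 1.2 parser unchanged. `notify: Check and Reload nginx` refers to a handler this commit does not add; if it lives in another role, a short comment on the task or a meta dependency would tell the next reader where to find it.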
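--- /dev/null
+++ b/templates/.env.j2
@@ -0,0 +1,3 @@
+WEBSOCKET_ENABLED=true
+SIGNUPS_ALLOWED=false
+ADMIN_TOKEN={{ bitwarden_admin_token }}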
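--- /dev/null
+++ b/templates/docker-compose.yml.j2
@@ -0,0 +1,21 @@
+# {{ ansible_managed }}
+# commit: {{ lookup('pipe', 'git rev-parse --short HEAD') }}
+
+version: "3.4"
+
+services:
+  bitwarden:
+    image: bitwardenrs/server:{{ bitwarden_version }}-alpine
+    restart: unless-stopped
+    container_name: bitwarden
+    hostname: bitwarden
+    ports:
+      - 127.0.0.1:{{ bitwarden_port_web }}:80
+      - 127.0.0.1:{{ bitwarden_port_ws }}:3021
+    volumes:
+      - data:/data
+    env_file:
+      - ./.env
+
+volumes:
+  data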
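Review bot: The top-level `volumes:` block ends with the bare scalar `data` instead of the mapping key `data:`, so `volumes` renders as the string "data" and compose will reject the file (the service's `data:/data` mount then has no declared volume); unless the rendering dropped a trailing colon, it should read `volumes:` followed by `  data:`. The port mappings `127.0.0.1:{{ bitwarden_port_web }}:80` are unquoted; they happen to be safe because the rendered value contains no `: ` sequence, but quoting them (`- "127.0.0.1:{{ bitwarden_port_web }}:80"`) is the usual compose convention and also guards against an empty or odd expansion of the port variable. Binding both ports to 127.0.0.1 is the right choice given that nginx fronts the service.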
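--- /dev/null
+++ b/templates/reverse_proxy.conf.j2
@@ -0,0 +1,92 @@
+# {{ ansible_managed }}
+# commit: {{ lookup('pipe', 'git rev-parse --short HEAD') }}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    listen 3012 ssl http2;
+    listen [::]:3012 ssl http2;
+    server_name {{ bitwarden_domain }};
+
+    ##
+    # SSL Settings
+    ##
+    ssl_session_cache builtin:1000 shared:SSL:10m;
+    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+    ssl_prefer_server_ciphers on;
+    ssl_dhparam {{ ssl_dir }}/dhparams.pem;
+    ssl_ecdh_curve secp384r1;
+    ssl_certificate {{ certs_dir }}/{{ domain | get_tld }}/cert.pem;
+    ssl_certificate_key {{ certs_dir }}/{{ domain | get_tld }}/key.pem;
+    ssl_certificate {{ certs_dir }}/{{ domain | get_tld }}/cert.pem;
+    ssl_certificate_key {{ certs_dir }}/{{ domain | get_tld }}/key.pem;
+
+    ##
+    # OCSP Stapling
+    ##
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver {{ dns_resolvers }} valid=300s;
+    ssl_trusted_certificate {{ certs_dir }}/{{ domain | get_tld }}/cert.pem;
+
+    ##
+    # FloC
+    ##
+    add_header Permissions-Policy: interest-cohort=();
+
+    location / {
+        proxy_set_header Host $http_host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Ssl on;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        proxy_pass http://127.0.0.1:{{ bitwarden_port_web }};
+
+        client_max_body_size 128M;
+    }
+
+    location /notifications/hub {
+        proxy_pass http://127.0.0.1:{{ bitwarden_port_ws }};
+        proxy_http_version 1.1;
+        proxy_set_header Host $http_host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Ssl on;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+
+    location /notifications/hub/negotiate {
+        proxy_pass http://127.0.0.1:{{ bitwarden_port_web }};
+    }
+
+    error_page 404 /404.html;
+    location = /40x.html {
+    }
+
+    error_page 500 502 503 504 /50x.html;
+    location = /50x.html {
+    }
+}
+
+
+server {
+    if ($host = {{ bitwarden_domain }}) {
+        return 301 https://$host$request_uri;
+    }
+
+    listen 80;
+    listen [::]:80;
+    server_name {{ bitwarden_domain }};
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}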
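Review bot: The `location /notifications/hub` block sets the `Upgrade` header but never sets `Connection`, so nginx will not complete the WebSocket handshake toward port `{{ bitwarden_port_ws }}`; add `proxy_set_header Connection "upgrade";` next to the existing `proxy_set_header Upgrade $http_upgrade;`. `ssl_protocols TLSv1.2 TLSv1.1 TLSv1;` enables two deprecated protocol versions in front of a password vault; `ssl_protocols TLSv1.2 TLSv1.3;` is the defensible baseline. `add_header Permissions-Policy: interest-cohort=();` carries a stray colon, so nginx emits a header whose name is `Permissions-Policy:`; write `add_header Permissions-Policy "interest-cohort=()";`. Smaller points: the `ssl_certificate`/`ssl_certificate_key` pair is declared twice with identical paths, `ssl_trusted_certificate` for stapling points at the leaf `cert.pem` rather than a chain file, the certificate paths key off `domain` while the rest of the template uses `bitwarden_domain`, and `error_page 404 /404.html;` names a path that the `location = /40x.html` block does not serve.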