init
commit
e237cbb91f
|
@ -0,0 +1,11 @@
|
|||
# Ansible Deployment for bitwarden-rs
|
||||
|
||||
## Variables
|
||||
|
||||
```
|
||||
- bitwarden_version Docker image version to use
|
||||
- bitwarden_domain Fully qualified domain name, e.g. vault.example.tld
|
||||
- bitwarden_admin_token Token for admin panel
|
||||
- bitwarden_port_web UI port to run on localhost
|
||||
- bitwarden_port_ws Socket port to run on localhost
|
||||
```
|
|
@ -0,0 +1,12 @@
|
|||
galaxy_info:
|
||||
author: thiuda
|
||||
description: role to deploy bitwarden behind nginx reverse proxy
|
||||
company: progressivwerk
|
||||
license: MIT
|
||||
min_ansible_version: 2.1
|
||||
galaxy_tags: []
|
||||
platforms:
|
||||
- name: Debian
|
||||
versions:
|
||||
- 10
|
||||
dependencies: []
|
|
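Review bot: `min_ansible_version: 2.1` is inconsistent with the tasks file, which uses the FQCN `ansible.builtin.assert` and the `docker_compose` module; FQCNs and the collection split arrived in Ansible 2.10, and `docker_compose` lives in `community.docker` from then on, so the role cannot run on 2.1. Raise the floor to the version actually tested, e.g. `min_ansible_version: "2.10"` (quoted so it is read as a string, not a float), and list the needed collection under a `collections:` key so `ansible-galaxy` can resolve it. The Debian entry under `platforms` gives version `10`; Galaxy's Debian platform versions are commonly the codenames (`buster`), so check that the value is one Galaxy accepts.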
@ -0,0 +1,43 @@
|
|||
---
|
||||
- name: Create directory if it does not exists
|
||||
become: yes
|
||||
file:
|
||||
path: "{{ compose_dir }}/bitwarden"
|
||||
state: directory
|
||||
mode: 0755
|
||||
|
||||
- name: Place docker-compose file
|
||||
become: yes
|
||||
template:
|
||||
src: templates/docker-compose.yml.j2
|
||||
dest: "{{ compose_dir }}/bitwarden/docker-compose.yml"
|
||||
mode: 0700
|
||||
|
||||
- name: Place bitwarden env file
|
||||
become: yes
|
||||
template:
|
||||
src: templates/.env.j2
|
||||
dest: "{{ compose_dir }}/bitwarden/.env"
|
||||
mode: 0600
|
||||
|
||||
- name: Update and start services
|
||||
become: yes
|
||||
docker_compose:
|
||||
project_src: "{{ compose_dir }}/bitwarden"
|
||||
pull: yes
|
||||
state: present
|
||||
remove_orphans: yes
|
||||
register: output
|
||||
|
||||
- name: Check all containers are running
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- "output.ansible_facts.bitwarden.bitwarden.state.running": true
|
||||
|
||||
- name: Place reverse proxy conf
|
||||
become: yes
|
||||
template:
|
||||
src: templates/reverse_proxy.conf.j2
|
||||
dest: "/etc/nginx/conf.d/bitwarden.conf"
|
||||
mode: 0600
|
||||
notify: Check and Reload nginx
|
|
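Review bot: The single item under `that:` is written as a YAML mapping (`- "output...running": true`) rather than the string expression `assert` evaluates, so the task errors on its input instead of checking the container; it should read `- output.ansible_facts.bitwarden.bitwarden.state.running`, and the path should be confirmed against the installed `docker_compose` module, which may report the container state under `services` rather than `ansible_facts`. The file modes `0755`, `0700` and `0600` are unquoted octal literals that YAML 1.1 parsers hand to Ansible as decimal integers (`0755` becomes 493), which Ansible warns about and may apply incorrectly; write them as strings, `mode: "0755"`. `become: yes`, `pull: yes` and `remove_orphans: yes` should be `true` so the values survive YAML 1.2 parsers. Because the rendered `.env` carries the admin token, the task that places it deserves `no_log: true` so a `--diff` or verbose run does not print the secret.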
@ -0,0 +1,3 @@
|
|||
WEBSOCKET_ENABLED=true
|
||||
SIGNUPS_ALLOWED=false
|
||||
ADMIN_TOKEN={{ bitwarden_admin_token }}
|
|
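Review bot: `ADMIN_TOKEN={{ bitwarden_admin_token }}` renders the admin-panel secret into a plaintext file on the host and, through `env_file`, into the container environment, where anyone with access to the Docker socket can read it via `docker inspect`; the variable should be supplied from Ansible Vault or another secret store rather than a plain vars file, and the README's entry for `bitwarden_admin_token` should say that it is sensitive. The file is placed root-owned with mode `0600`, which is the right protection for the on-disk copy. bitwarden_rs also documents a `DOMAIN` setting for generating absolute URLs; if the deployment relies on features that need it, consider adding `DOMAIN=https://{{ bitwarden_domain }}` here, since the value is already known to the role.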
@ -0,0 +1,21 @@
|
|||
# {{ ansible_managed }}
|
||||
# commit: {{ lookup('pipe', 'git rev-parse --short HEAD') }}
|
||||
|
||||
version: "3.4"
|
||||
|
||||
services:
|
||||
bitwarden:
|
||||
image: bitwardenrs/server:{{ bitwarden_version }}-alpine
|
||||
restart: unless-stopped
|
||||
container_name: bitwarden
|
||||
hostname: bitwarden
|
||||
ports:
|
||||
- 127.0.0.1:{{ bitwarden_port_web }}:80
|
||||
- 127.0.0.1:{{ bitwarden_port_ws }}:3021
|
||||
volumes:
|
||||
- data:/data
|
||||
env_file:
|
||||
- ./.env
|
||||
|
||||
volumes:
|
||||
data
|
|
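Review bot: The trailing `volumes:` section declares `data` as a bare scalar instead of a mapping key, so `volumes` parses as the string `data` and Compose rejects the file, leaving the service's `data:/data` mount with no named volume to bind to; it should be `data: {}`. The websocket mapping `127.0.0.1:{{ bitwarden_port_ws }}:3021` looks transposed: bitwarden_rs's default `WEBSOCKET_PORT` is 3012 (the same number the nginx template listens on), so the container side should be `3012` unless `WEBSOCKET_PORT` is set elsewhere. Both port mappings should be quoted, `- "127.0.0.1:{{ bitwarden_port_web }}:80"`, as Compose recommends, so YAML cannot retype them if the host part is ever dropped. The image is selected by mutable tag only and re-pulled on every run (`pull: yes` in the tasks), so the deployment is not reproducible; allowing `bitwarden_version` to carry a digest, or documenting the drift, would help. `bitwardenrs/server` is the pre-rename image name of what is now vaultwarden; if that repository no longer receives updates, the role is pinned to a stale image line.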
@ -0,0 +1,92 @@
|
|||
# {{ ansible_managed }}
|
||||
# commit: {{ lookup('pipe', 'git rev-parse --short HEAD') }}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
listen 3012 ssl http2;
|
||||
listen [::]:3012 ssl http2;
|
||||
server_name {{ bitwarden_domain }};
|
||||
|
||||
##
|
||||
# SSL Settings
|
||||
##
|
||||
ssl_session_cache builtin:1000 shared:SSL:10m;
|
||||
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
|
||||
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_dhparam {{ ssl_dir }}/dhparams.pem;
|
||||
ssl_ecdh_curve secp384r1;
|
||||
ssl_certificate {{ certs_dir }}/{{ domain | get_tld }}/cert.pem;
|
||||
ssl_certificate_key {{ certs_dir }}/{{ domain | get_tld }}/key.pem;
|
||||
ssl_certificate {{ certs_dir }}/{{ domain | get_tld }}/cert.pem;
|
||||
ssl_certificate_key {{ certs_dir }}/{{ domain | get_tld }}/key.pem;
|
||||
|
||||
##
|
||||
# OCSP Stapling
|
||||
##
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
resolver {{ dns_resolvers }} valid=300s;
|
||||
ssl_trusted_certificate {{ certs_dir }}/{{ domain | get_tld }}/cert.pem;
|
||||
|
||||
##
|
||||
# FloC
|
||||
##
|
||||
add_header Permissions-Policy: interest-cohort=();
|
||||
|
||||
location / {
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
proxy_pass http://127.0.0.1:{{ bitwarden_port_web }};
|
||||
|
||||
client_max_body_size 128M;
|
||||
}
|
||||
|
||||
location /notifications/hub {
|
||||
proxy_pass http://127.0.0.1:{{ bitwarden_port_ws }};
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
}
|
||||
|
||||
location /notifications/hub/negotiate {
|
||||
proxy_pass http://127.0.0.1:{{ bitwarden_port_web }};
|
||||
}
|
||||
|
||||
error_page 404 /404.html;
|
||||
location = /40x.html {
|
||||
}
|
||||
|
||||
error_page 500 502 503 504 /50x.html;
|
||||
location = /50x.html {
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
server {
|
||||
if ($host = {{ bitwarden_domain }}) {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name {{ bitwarden_domain }};
|
||||
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
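Review bot: `ssl_protocols TLSv1.2 TLSv1.1 TLSv1;` enables the deprecated TLS 1.0 and 1.1 on a password vault; it should be `ssl_protocols TLSv1.2 TLSv1.3;` (drop `TLSv1.3` if the target's nginx/OpenSSL predate it), and the same block should also send `add_header Strict-Transport-Security "max-age=63072000" always;`. `add_header Permissions-Policy: interest-cohort=();` puts the colon inside the header name, so nginx emits `Permissions-Policy:: interest-cohort=()`; the directive takes name and value separately, `add_header Permissions-Policy "interest-cohort=()" always;`. The `/notifications/hub` location forwards `Upgrade` but never sets `Connection`, so the WebSocket handshake is not passed through; add `proxy_set_header Connection "upgrade";` next to `proxy_http_version 1.1;`. The `ssl_certificate`/`ssl_certificate_key` pair is declared twice verbatim, and the certificate paths use `{{ domain | get_tld }}` while the rest of the role uses `bitwarden_domain`, with `domain`, `get_tld`, `ssl_dir`, `certs_dir` and `dns_resolvers` all absent from the README's variable list — confirm they come from a shared role or filter plugin, and document them. The extra `listen 3012 ssl http2;` pair exposes the same vhost on a second public port although the websocket hub is already served under 443, so it can most likely be removed.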