Vaultwarden

2024-02-20 23:47:48 +01:00
parent 1e9276aebf
commit 33e1e1adf0
5 changed files with 149 additions and 55 deletions
--- a/ansible/plays/infra.yaml
+++ b/ansible/plays/infra.yaml
@ -11,5 +11,6 @@
    # - {role: compose_project, service: monitoring-stack} # mimir, loki, grafana
    - {role: compose_project, service: pantalaimon}
    - {role: compose_project, service: watchtower}
+    - {role: compose_project, service: vaultwarden}

 # vim: ft=yaml.ansible
--- a/ansible/plays/services/vaultwarden/.env
+++ b/ansible/plays/services/vaultwarden/.env
@ -0,0 +1 @@
+COMPOSE_PROJECT_NAME=vaultwarden
--- a/ansible/plays/services/vaultwarden/docker-compose.yaml
+++ b/ansible/plays/services/vaultwarden/docker-compose.yaml
@ -0,0 +1,60 @@
+{% import 'macro/postgres.j2' as pg with context %}
+---
+version: '3'
+services:
+  vault:
+    # Make sure to use the latest release from https://hedgedoc.org/latest-release
+    image: vaultwarden/server:latest
+    user: 65100:65100
+    environment:
+      DATABASE_URL: "postgresql://{{ vault.db.user }}:{{ vault.db.password }}@db/{{ vault.db.name }}"
+      WEBSOCKET_ENABLED: "false"
+      DOMAIN: "https://vault.unruhig.eu"
+      SENDS_ALLOWED: "true"
+      PUSH_ENABLED: "true"
+      SIGNUPS_ALLOWED: "false"
+      ORG_EVENTS_ENABLED: "true"
+      ORG_CREATION_USERS: "{{ vault.admin.mail }}"
+      ADMIN_TOKEN: "{{ vault.admin.token }}"
+      PUSH_INSTALLATION_ID: "{{ vault.push.id }}"
+      PUSH_INSTALLATION_KEY: "{{ vault.push.key }}"
+      PUSH_RELAY_URI: https://push.bitwarden.eu
+      PUSH_IDENTITY_URI: https://identity.bitwarden.eu
+      SMTP_HOST: "{{ vault.smtp.host }}"
+      SMTP_FROM: "{{ vault.smtp.from }}"
+      SMTP_PORT: "{{ vault.smtp.port }}"
+      SMTP_SECURITY: "force_tls"
+      SMTP_USERNAME: "{{ vault.smtp.username }}"
+      SMTP_PASSWORD: "{{ vault.smtp.password }}"
+      ROCKET_PORT: "8080"
+    restart: always
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=${COMPOSE_PROJECT_NAME}_default"
+      - "traefik.http.routers.vault.rule=Host(`vault.unruhig.eu`)"
+      # - "traefik.http.routers.vault.middlewares=deny-metrics@file"
+      - "traefik.http.routers.vault.entryPoints=websecure"
+      - "traefik.http.services.vault.loadbalancer.server.port=8080"
+      # - "prometheus-scrape.enabled=true"
+      # - "prometheus-scrape.port=3000"
+    depends_on:
+      db:
+        condition: service_healthy
+    volumes:
+      - vault_data:/data
+    networks:
+      - backend
+      - default # traefik
+
+{{ pg.postgres("db", vault.db.user, vault.db.password, vault.db.name, ["backend"]) }}
+
+volumes:
+  db_data:
+  vault_data:
+
+networks:
+  backend:
+    internal: true
+  postgres:
+    internal: true
+...