diff --git a/.gitignore b/.gitignore index bbfde49..1db0010 100644 --- a/.gitignore +++ b/.gitignore @@ -94,3 +94,4 @@ backup.yml jenkins.yml kvm.yml paperless.yml +vaultwarden.yml diff --git a/newrole.sh b/newrole.sh index 171ad22..024c38a 100755 --- a/newrole.sh +++ b/newrole.sh @@ -9,6 +9,27 @@ mkdir roles/$1/defaults touch roles/$1/tasks/main.yml touch roles/$1/tasks/$1.yml -echo "---" >> roles/$1/tasks/main.yml -echo " - import_tasks: $1.yml" >> roles/$1/tasks/main.yml -echo " tags: $1" >> roles/$1/tasks/main.yml +echo "---" >> roles/$1/tasks/main.yml +echo " - import_tasks: $1.yml" >> roles/$1/tasks/main.yml +echo " tags: $1" >> roles/$1/tasks/main.yml + + +echo "- import_playbook: $1.yml" >> private/site2.yml + +echo "---" >> private/playbooks/$1.yml +echo "- hosts: $1" >> private/playbooks/$1.yml +echo " become: true" >> private/playbooks/$1.yml +echo " gather_facts: true" >> private/playbooks/$1.yml +echo " roles:" >> private/playbooks/$1.yml +echo " - $1" >> private/playbooks/$1.yml + +ln -s private/playbooks/$1.yml . +echo "${1}.yml" >> .gitignore + +( + cd private/ + git st + git add private/site2.yml + git add private/playbooks/$1.yml + git commit -m "new role: $1" +) diff --git a/roles/vaultwarden/defaults/main.yml b/roles/vaultwarden/defaults/main.yml new file mode 100644 index 0000000..9ab0a02 --- /dev/null +++ b/roles/vaultwarden/defaults/main.yml @@ -0,0 +1,6 @@ +--- + +vw_vaults: + - name: vault + shared: true + container_name: vaultwarden diff --git a/roles/vaultwarden/handlers/main.yml b/roles/vaultwarden/handlers/main.yml new file mode 100644 index 0000000..feb0f88 --- /dev/null +++ b/roles/vaultwarden/handlers/main.yml @@ -0,0 +1,23 @@ +--- + +- name: reload nginx + service: + name: nginx + state: reloaded + +- name: restart filebeat + service: + name: filebeat + state: restarted + +- name: restart vaultwarden + docker_container: + name: vaultwarden + state: started + restart: true + +- name: restart vaultwarden_ldap + docker_container: + name: vaultwarden_ldap + state: started + restart: true diff --git a/roles/vaultwarden/meta/main.yml b/roles/vaultwarden/meta/main.yml new file mode 100644 index 0000000..1a84be8 --- /dev/null +++ b/roles/vaultwarden/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: + - mariadb diff --git a/roles/vaultwarden/tasks/main.yml b/roles/vaultwarden/tasks/main.yml new file mode 100644 index 0000000..d4cbeb6 --- /dev/null +++ b/roles/vaultwarden/tasks/main.yml @@ -0,0 +1,3 @@ +--- + - import_tasks: vaultwarden.yml + tags: vaultwarden diff --git a/roles/vaultwarden/templates/01-vaultwarden.j2 b/roles/vaultwarden/templates/01-vaultwarden.j2 new file mode 100644 index 0000000..f0d2680 --- /dev/null +++ b/roles/vaultwarden/templates/01-vaultwarden.j2 @@ -0,0 +1,93 @@ +{% for item in vw_vaults -%} +upstream {{ item.container_name }}-default { + zone vaultwarden-default 64k; + server {{ bridgewithdns[item.container_name] }}:80; + keepalive 2; +} +upstream {{ item.container_name }}-ws { + zone vaultwarden-ws 64k; + server {{ bridgewithdns[item.container_name] }}:3012; + keepalive 2; +} +server { + listen 443 ssl http2; + {% if inventory_hostname in wg_clients -%} + listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2; + {% endif -%} + + server_name {{ vaultwarden_url }}; + + include listen-proxy-protocol.conf; + include /etc/nginx/authelia_internal.conf; + include /etc/nginx/sudo-known.conf; + + + # Specify SSL Config when needed + #ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem; + #ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem; + #ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem; + + client_max_body_size 128M; + + location / { + proxy_http_version 1.1; + proxy_set_header "Connection" ""; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_pass http://{{ item.container_name }}-default; + } + + location /notifications/hub/negotiate { + proxy_http_version 1.1; + proxy_set_header "Connection" ""; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_pass http://{{ item.container_name }}-default; + } + + location /notifications/hub { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Forwarded $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_pass http://{{ item.container_name }}-ws; + } + + # block to include authelia auth + location /admin { + include /etc/nginx/require_auth.conf; + proxy_http_version 1.1; + proxy_set_header "Connection" ""; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_pass http://{{ item.container_name }}-default; + } + + access_log /var/log/nginx/access_{{ vaultwarden_url }}.log main; + error_log /var/log/nginx/error_{{ vaultwarden_url }}.log warn; + + ssl_session_timeout 5m; + ssl_certificate /usr/local/etc/certs/{{ domain }}/fullchain.pem; + ssl_certificate_key /usr/local/etc/certs/{{ domain }}/privkey.pem; + + fastcgi_hide_header X-Powered-By; +} +{% endfor %} diff --git a/roles/vaultwarden/templates/ldap-config.toml.j2 b/roles/vaultwarden/templates/ldap-config.toml.j2 new file mode 100644 index 0000000..a09bb8d --- /dev/null +++ b/roles/vaultwarden/templates/ldap-config.toml.j2 @@ -0,0 +1,11 @@ +vaultwarden_url = "{{ vaultwarden_ldap_vaultwarden_url}}" +vaultwarden_admin_token = "{{ vw_admin_token }}" +ldap_host = "{{ openldap_url }}" +ldap_scheme = "ldaps" +ldap_ssl = true +ldap_bind_dn = "cn=readonly,{{ openldap_dc }}" +ldap_bind_password = "{{ openldap_readonly_pass }}" +ldap_search_base_dn = "{{ openldap_dc }}" +ldap_search_filter = "(&(|(objectclass=inetOrgPerson))(|(memberof=cn=vaultwarden,ou=groups,{{ openldap_dc }})))" +ldap_mail_field = "mail" +ldap_sync_interval_seconds = 60 {# 900 = 15 mins #}