vaultwarden role #27
|
|
@ -94,3 +94,4 @@ backup.yml
|
|||
jenkins.yml
|
||||
kvm.yml
|
||||
paperless.yml
|
||||
vaultwarden.yml
|
||||
|
|
|
|||
27
newrole.sh
27
newrole.sh
|
|
@ -9,6 +9,27 @@ mkdir roles/$1/defaults
|
|||
touch roles/$1/tasks/main.yml
|
||||
touch roles/$1/tasks/$1.yml
|
||||
|
||||
echo "---" >> roles/$1/tasks/main.yml
|
||||
echo " - import_tasks: $1.yml" >> roles/$1/tasks/main.yml
|
||||
echo " tags: $1" >> roles/$1/tasks/main.yml
|
||||
echo "---" >> roles/$1/tasks/main.yml
|
||||
echo " - import_tasks: $1.yml" >> roles/$1/tasks/main.yml
|
||||
echo " tags: $1" >> roles/$1/tasks/main.yml
|
||||
|
||||
|
||||
echo "- import_playbook: $1.yml" >> private/site2.yml
|
||||
|
||||
echo "---" >> private/playbooks/$1.yml
|
||||
echo "- hosts: $1" >> private/playbooks/$1.yml
|
||||
echo " become: true" >> private/playbooks/$1.yml
|
||||
echo " gather_facts: true" >> private/playbooks/$1.yml
|
||||
echo " roles:" >> private/playbooks/$1.yml
|
||||
echo " - $1" >> private/playbooks/$1.yml
|
||||
|
||||
ln -s private/playbooks/$1.yml .
|
||||
echo "${1}.yml" >> .gitignore
|
||||
|
||||
(
|
||||
cd private/
|
||||
git st
|
||||
git add private/site2.yml
|
||||
git add private/playbooks/$1.yml
|
||||
git commit -m "new role: $1"
|
||||
)
|
||||
|
|
|
|||
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
|
||||
vw_vaults:
|
||||
- name: vault
|
||||
shared: true
|
||||
container_name: vaultwarden
|
||||
|
|
@ -0,0 +1,23 @@
|
|||
---
|
||||
|
||||
- name: reload nginx
|
||||
service:
|
||||
name: nginx
|
||||
state: reloaded
|
||||
|
||||
- name: restart filebeat
|
||||
service:
|
||||
name: filebeat
|
||||
state: restarted
|
||||
|
||||
- name: restart vaultwarden
|
||||
docker_container:
|
||||
name: vaultwarden
|
||||
state: started
|
||||
restart: true
|
||||
|
||||
- name: restart vaultwarden_ldap
|
||||
docker_container:
|
||||
name: vaultwarden_ldap
|
||||
state: started
|
||||
restart: true
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
|
||||
dependencies:
|
||||
- mariadb
|
||||
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
- import_tasks: vaultwarden.yml
|
||||
tags: vaultwarden
|
||||
|
|
@ -0,0 +1,93 @@
|
|||
{% for item in vw_vaults -%}
|
||||
upstream {{ item.container_name }}-default {
|
||||
zone vaultwarden-default 64k;
|
||||
server {{ bridgewithdns[item.container_name] }}:80;
|
||||
keepalive 2;
|
||||
}
|
||||
upstream {{ item.container_name }}-ws {
|
||||
zone vaultwarden-ws 64k;
|
||||
server {{ bridgewithdns[item.container_name] }}:3012;
|
||||
keepalive 2;
|
||||
}
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
{% if inventory_hostname in wg_clients -%}
|
||||
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
|
||||
{% endif -%}
|
||||
|
||||
server_name {{ vaultwarden_url }};
|
||||
|
||||
include listen-proxy-protocol.conf;
|
||||
include /etc/nginx/authelia_internal.conf;
|
||||
include /etc/nginx/sudo-known.conf;
|
||||
|
||||
|
||||
# Specify SSL Config when needed
|
||||
#ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
|
||||
#ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem;
|
||||
#ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
|
||||
|
||||
client_max_body_size 128M;
|
||||
|
||||
location / {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header "Connection" "";
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
proxy_pass http://{{ item.container_name }}-default;
|
||||
}
|
||||
|
||||
location /notifications/hub/negotiate {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header "Connection" "";
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
proxy_pass http://{{ item.container_name }}-default;
|
||||
}
|
||||
|
||||
location /notifications/hub {
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Forwarded $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
proxy_pass http://{{ item.container_name }}-ws;
|
||||
}
|
||||
|
||||
# block to include authelia auth
|
||||
location /admin {
|
||||
include /etc/nginx/require_auth.conf;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header "Connection" "";
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
proxy_pass http://{{ item.container_name }}-default;
|
||||
}
|
||||
|
||||
access_log /var/log/nginx/access_{{ vaultwarden_url }}.log main;
|
||||
error_log /var/log/nginx/error_{{ vaultwarden_url }}.log warn;
|
||||
|
||||
ssl_session_timeout 5m;
|
||||
ssl_certificate /usr/local/etc/certs/{{ domain }}/fullchain.pem;
|
||||
ssl_certificate_key /usr/local/etc/certs/{{ domain }}/privkey.pem;
|
||||
|
||||
fastcgi_hide_header X-Powered-By;
|
||||
}
|
||||
{% endfor %}
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
vaultwarden_url = "{{ vaultwarden_ldap_vaultwarden_url}}"
|
||||
vaultwarden_admin_token = "{{ vw_admin_token }}"
|
||||
ldap_host = "{{ openldap_url }}"
|
||||
ldap_scheme = "ldaps"
|
||||
ldap_ssl = true
|
||||
ldap_bind_dn = "cn=readonly,{{ openldap_dc }}"
|
||||
ldap_bind_password = "{{ openldap_readonly_pass }}"
|
||||
ldap_search_base_dn = "{{ openldap_dc }}"
|
||||
ldap_search_filter = "(&(|(objectclass=inetOrgPerson))(|(memberof=cn=vaultwarden,ou=groups,{{ openldap_dc }})))"
|
||||
ldap_mail_field = "mail"
|
||||
ldap_sync_interval_seconds = 60 {# 900 = 15 mins #}
|
||||
Loading…
Reference in New Issue