vaultwarden role #27
|
@ -94,3 +94,4 @@ backup.yml
|
||||||
jenkins.yml
|
jenkins.yml
|
||||||
kvm.yml
|
kvm.yml
|
||||||
paperless.yml
|
paperless.yml
|
||||||
|
vaultwarden.yml
|
||||||
|
|
21
newrole.sh
21
newrole.sh
|
@ -12,3 +12,24 @@ touch roles/$1/tasks/$1.yml
|
||||||
echo "---" >> roles/$1/tasks/main.yml
|
echo "---" >> roles/$1/tasks/main.yml
|
||||||
echo " - import_tasks: $1.yml" >> roles/$1/tasks/main.yml
|
echo " - import_tasks: $1.yml" >> roles/$1/tasks/main.yml
|
||||||
echo " tags: $1" >> roles/$1/tasks/main.yml
|
echo " tags: $1" >> roles/$1/tasks/main.yml
|
||||||
|
|
||||||
|
|
||||||
|
echo "- import_playbook: $1.yml" >> private/site2.yml
|
||||||
|
|
||||||
|
echo "---" >> private/playbooks/$1.yml
|
||||||
|
echo "- hosts: $1" >> private/playbooks/$1.yml
|
||||||
|
echo " become: true" >> private/playbooks/$1.yml
|
||||||
|
echo " gather_facts: true" >> private/playbooks/$1.yml
|
||||||
|
echo " roles:" >> private/playbooks/$1.yml
|
||||||
|
echo " - $1" >> private/playbooks/$1.yml
|
||||||
|
|
||||||
|
ln -s private/playbooks/$1.yml .
|
||||||
|
echo "${1}.yml" >> .gitignore
|
||||||
|
|
||||||
|
(
|
||||||
|
cd private/
|
||||||
|
git st
|
||||||
|
git add private/site2.yml
|
||||||
|
git add private/playbooks/$1.yml
|
||||||
|
git commit -m "new role: $1"
|
||||||
|
)
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
vw_vaults:
|
||||||
|
- name: vault
|
||||||
|
shared: true
|
||||||
|
container_name: vaultwarden
|
|
@ -0,0 +1,23 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: reload nginx
|
||||||
|
service:
|
||||||
|
name: nginx
|
||||||
|
state: reloaded
|
||||||
|
|
||||||
|
- name: restart filebeat
|
||||||
|
service:
|
||||||
|
name: filebeat
|
||||||
|
state: restarted
|
||||||
|
|
||||||
|
- name: restart vaultwarden
|
||||||
|
docker_container:
|
||||||
|
name: vaultwarden
|
||||||
|
state: started
|
||||||
|
restart: true
|
||||||
|
|
||||||
|
- name: restart vaultwarden_ldap
|
||||||
|
docker_container:
|
||||||
|
name: vaultwarden_ldap
|
||||||
|
state: started
|
||||||
|
restart: true
|
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
dependencies:
|
||||||
|
- mariadb
|
|
@ -0,0 +1,3 @@
|
||||||
|
---
|
||||||
|
- import_tasks: vaultwarden.yml
|
||||||
|
tags: vaultwarden
|
|
@ -0,0 +1,93 @@
|
||||||
|
{% for item in vw_vaults -%}
|
||||||
|
upstream {{ item.container_name }}-default {
|
||||||
|
zone vaultwarden-default 64k;
|
||||||
|
server {{ bridgewithdns[item.container_name] }}:80;
|
||||||
|
keepalive 2;
|
||||||
|
}
|
||||||
|
upstream {{ item.container_name }}-ws {
|
||||||
|
zone vaultwarden-ws 64k;
|
||||||
|
server {{ bridgewithdns[item.container_name] }}:3012;
|
||||||
|
keepalive 2;
|
||||||
|
}
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
{% if inventory_hostname in wg_clients -%}
|
||||||
|
listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
|
server_name {{ vaultwarden_url }};
|
||||||
|
|
||||||
|
include listen-proxy-protocol.conf;
|
||||||
|
include /etc/nginx/authelia_internal.conf;
|
||||||
|
include /etc/nginx/sudo-known.conf;
|
||||||
|
|
||||||
|
|
||||||
|
# Specify SSL Config when needed
|
||||||
|
#ssl_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
|
||||||
|
#ssl_certificate_key /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/privkey.pem;
|
||||||
|
#ssl_trusted_certificate /path/to/certificate/letsencrypt/live/vaultwarden.example.tld/fullchain.pem;
|
||||||
|
|
||||||
|
client_max_body_size 128M;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header "Connection" "";
|
||||||
|
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
|
proxy_pass http://{{ item.container_name }}-default;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /notifications/hub/negotiate {
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header "Connection" "";
|
||||||
|
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
|
proxy_pass http://{{ item.container_name }}-default;
|
||||||
|
}
|
||||||
|
|
||||||
|
location /notifications/hub {
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "upgrade";
|
||||||
|
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header Forwarded $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
|
proxy_pass http://{{ item.container_name }}-ws;
|
||||||
|
}
|
||||||
|
|
||||||
|
# block to include authelia auth
|
||||||
|
location /admin {
|
||||||
|
include /etc/nginx/require_auth.conf;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header "Connection" "";
|
||||||
|
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
|
||||||
|
proxy_pass http://{{ item.container_name }}-default;
|
||||||
|
}
|
||||||
|
|
||||||
|
access_log /var/log/nginx/access_{{ vaultwarden_url }}.log main;
|
||||||
|
error_log /var/log/nginx/error_{{ vaultwarden_url }}.log warn;
|
||||||
|
|
||||||
|
ssl_session_timeout 5m;
|
||||||
|
ssl_certificate /usr/local/etc/certs/{{ domain }}/fullchain.pem;
|
||||||
|
ssl_certificate_key /usr/local/etc/certs/{{ domain }}/privkey.pem;
|
||||||
|
|
||||||
|
fastcgi_hide_header X-Powered-By;
|
||||||
|
}
|
||||||
|
{% endfor %}
|
|
@ -0,0 +1,11 @@
|
||||||
|
vaultwarden_url = "{{ vaultwarden_ldap_vaultwarden_url}}"
|
||||||
|
vaultwarden_admin_token = "{{ vw_admin_token }}"
|
||||||
|
ldap_host = "{{ openldap_url }}"
|
||||||
|
ldap_scheme = "ldaps"
|
||||||
|
ldap_ssl = true
|
||||||
|
ldap_bind_dn = "cn=readonly,{{ openldap_dc }}"
|
||||||
|
ldap_bind_password = "{{ openldap_readonly_pass }}"
|
||||||
|
ldap_search_base_dn = "{{ openldap_dc }}"
|
||||||
|
ldap_search_filter = "(&(|(objectclass=inetOrgPerson))(|(memberof=cn=vaultwarden,ou=groups,{{ openldap_dc }})))"
|
||||||
|
ldap_mail_field = "mail"
|
||||||
|
ldap_sync_interval_seconds = 60 {# 900 = 15 mins #}
|
Loading…
Reference in New Issue