diff --git a/ansible/roles/podman/defaults/main.yml b/ansible/roles/podman/defaults/main.yml
index b7b8ef4..d0d20f4 100644
--- a/ansible/roles/podman/defaults/main.yml
+++ b/ansible/roles/podman/defaults/main.yml
@@ -1,5 +1,6 @@
 ---
 bookstack_path: "{{ podman_volumes }}/bookstack"
+bitwarden_path: "{{ podman_volumes }}/bitwarden"
 cam2ip_path: "{{ podman_volumes }}/cam2ip"
 cloud_path: "{{ podman_volumes }}/cloud"
 cloud_skudak_path: "{{ podman_volumes }}/skudakcloud"
@@ -25,6 +26,7 @@ drone_runner_capacity: "8"
 base_server_name: bdebyl.net
 assistant_server_name: assistant.bdebyl.net
 bookstack_server_name: wiki.skudakrennsport.com
+bitwarden_server_name: bitwarden.skudakrennsport.com
 ci_server_name: ci.bdebyl.net
 cloud_server_name: cloud.bdebyl.net
 cloud_skudak_server_name: cloud.skudakrennsport.com
diff --git a/ansible/roles/podman/tasks/containers/base/conf-nginx-http.yml b/ansible/roles/podman/tasks/containers/base/conf-nginx-http.yml
index 8ea51aa..0f2bb6b 100644
--- a/ansible/roles/podman/tasks/containers/base/conf-nginx-http.yml
+++ b/ansible/roles/podman/tasks/containers/base/conf-nginx-http.yml
@@ -64,6 +64,7 @@
 - "{{ base_server_name }}.conf"
 - "{{ assistant_server_name }}.conf"
 - "{{ bookstack_server_name }}.conf"
+ - "{{ bitwarden_server_name }}.conf"
 - "{{ ci_server_name }}.http.conf"
 - "{{ cloud_server_name }}.conf"
 - "{{ cloud_skudak_server_name }}.conf"
@@ -89,6 +90,7 @@
 - "{{ base_server_name }}.conf"
 - "{{ assistant_server_name }}.conf"
 - "{{ bookstack_server_name }}.conf"
+ - "{{ bitwarden_server_name }}.conf"
 - "{{ ci_server_name }}.http.conf"
 - "{{ cloud_server_name }}.conf"
 - "{{ cloud_skudak_server_name }}.conf"
diff --git a/ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml b/ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml
index acdc86c..3db0341 100644
--- a/ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml
+++ b/ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml
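Review bot: The per-site file list is now extended by hand in four places — both loops in this file, the two matching loops in conf-nginx-https.yml, and the certbot loop in ansible/roles/ssl/tasks/certbot.yml — so the new `"{{ bitwarden_server_name }}.conf"` entry has to land in every one of them or the site silently ends up without a vhost or a certificate. A single list of server names in defaults/main.yml (a constructed example: `site_server_names`) from which these loops derive the `.conf` / `.https.conf` file names would turn the next service into a one-line change and remove that drift risk. The enclosing tasks start outside the hunk, so the loop keys themselves are not visible here.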
@@ -37,6 +37,7 @@
 - "{{ base_server_name }}.https.conf"
 - "{{ assistant_server_name }}.https.conf"
 - "{{ bookstack_server_name }}.https.conf"
+ - "{{ bitwarden_server_name }}.https.conf"
 - "{{ ci_server_name }}.https.conf"
 - "{{ cloud_server_name }}.https.conf"
 - "{{ cloud_skudak_server_name }}.https.conf"
@@ -60,6 +61,7 @@
 - "{{ base_server_name }}.https.conf"
 - "{{ assistant_server_name }}.https.conf"
 - "{{ bookstack_server_name }}.https.conf"
+ - "{{ bitwarden_server_name }}.https.conf"
 - "{{ ci_server_name }}.https.conf"
 - "{{ cloud_server_name }}.https.conf"
 - "{{ cloud_skudak_server_name }}.https.conf"
diff --git a/ansible/roles/podman/tasks/containers/skudak/bitwarden.yml b/ansible/roles/podman/tasks/containers/skudak/bitwarden.yml
new file mode 100644
index 0000000..0239ff7
--- /dev/null
+++ b/ansible/roles/podman/tasks/containers/skudak/bitwarden.yml
@@ -0,0 +1,89 @@
+---
+- name: create required bitwarden volumes
+ become: true
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ podman_subuid.stdout }}"
+ group: "{{ podman_subuid.stdout }}"
+ mode: 0755
+ notify: restorecon podman
+ loop:
+ - "{{ bitwarden_path }}/mysql"
+ - "{{ bitwarden_path }}/bitwarden"
+
+- name: flush handlers
+ ansible.builtin.meta: flush_handlers
+
+- import_tasks: podman/podman-check.yml
+ vars:
+ container_name: bitwarden-db
+ container_image: "{{ db_image }}"
+
+- name: create bitwarden-db container
+ become: true
+ become_user: "{{ podman_user }}"
+ containers.podman.podman_container:
+ name: bitwarden-db
+ image: "{{ db_image }}"
+ restart_policy: on-failure:3
+ log_driver: journald
+ network:
+ - shared
+ env:
+ MARIADB_RANDOM_ROOT_PASSWORD: "true"
+ MARIADB_DATABASE: bitwarden_vault
+ MARIADB_PASSWORD: "{{ bitwarden_db_pass }}"
+ MARIADB_USER: bitwarden
+ volumes:
+ - "{{ bitwarden_path }}/mysql:/var/lib/mysql"
+
+- name: create systemd startup job for bitwarden-db
+ include_tasks: podman/systemd-generate.yml
+ vars:
+ container_name: bitwarden-db
+
+- import_tasks: podman/podman-check.yml
+ vars:
+ container_name: bitwarden
+ container_image: "{{ image }}"
+
+- name: create bitwarden container
+ become: true
+ become_user: "{{ podman_user }}"
+ containers.podman.podman_container:
+ name: bitwarden
+ image: "{{ image }}"
+ restart_policy: on-failure:3
+ log_driver: journald
+ network:
+ - shared
+ env:
+ BW_ENABLE_SSL: "false"
+ BW_ENABLE_SSL_CA: "false"
+ BW_PORT_HTTP: "8092"
+ BW_DOMAIN: "{{ bitwarden_server_name }}"
+ BW_DB_PROVIDER: mysql
+ BW_DB_SERVER: bitwarden-db
+ BW_DB_DATABASE: bitwarden_vault
+ BW_DB_USERNAME: bitwarden
+ BW_DB_PASSWORD: "{{ bitwarden_db_pass }}"
+ BW_INSTALLATION_ID: "{{ bitwarden_id }}"
+ BW_INSTALLATION_KEY: "{{ bitwarden_key }}"
+ globalSettings__mail__replyToEmail: "{{ skudaknoreply_mail_user }}"
+ globalSettings__mail__smtp__host: "{{ skudaknoreply_mail_host }}"
+ globalSettings__mail__smtp__port: 587
+ globalSettings__mail__smtp__ssl: "true"
+ globalSettings__mail__smtp__username: "{{ skudaknoreply_mail_user }}"
+ globalSettings__mail__smtp__password: "{{ skudaknoreply_mail_pass }}"
+ globalSettings__disableUserRegistration: "true"
+ adminSettings__admins: "{{ bitwarden_admins }}"
+ volumes:
+ - "{{ bitwarden_path }}/bitwarden:/etc/bitwarden"
+ ports:
+ - "8092:8092"
+
+- name: create systemd startup job for bitwarden
+ include_tasks: podman/systemd-generate.yml
+ vars:
+ container_name: bitwarden
diff --git a/ansible/roles/podman/tasks/containers/skudak/wiki.yml b/ansible/roles/podman/tasks/containers/skudak/wiki.yml
index af069c8..c7ef08d 100644
--- a/ansible/roles/podman/tasks/containers/skudak/wiki.yml
+++ b/ansible/roles/podman/tasks/containers/skudak/wiki.yml
@@ -75,12 +75,12 @@
 DB_DATABASE: "bookstack"
 DB_PASSWORD: "{{ bookstack_db_pass }}"
 MAIL_DRIVER: "smtp"
- MAIL_HOST: "{{ bookstack_mail_host }}"
+ MAIL_HOST: "{{ skudaknoreply_mail_host }}"
 MAIL_PORT: 465
 MAIL_ENCRYPTION: "ssl"
- MAIL_USERNAME: "{{ bookstack_mail_user }}"
- MAIL_PASSWORD: "{{ bookstack_mail_pass }}"
- MAIL_FROM: "{{ bookstack_mail_user }}"
+ MAIL_USERNAME: "{{ skudaknoreply_mail_user }}"
+ MAIL_PASSWORD: "{{ skudaknoreply_mail_pass }}"
+ MAIL_FROM: "{{ skudaknoreply_mail_user }}"
 MAIL_FROM_NAME: "Skudak Wiki"
 ports:
 - "6875:8080"
diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml
index 98098f6..d24bcf2 100644
--- a/ansible/roles/podman/tasks/main.yml
+++ b/ansible/roles/podman/tasks/main.yml
@@ -64,6 +64,12 @@
 image: docker.io/library/nextcloud:30.0-apache
 tags: skudak, skudak-cloud
 
+- import_tasks: containers/skudak/bitwarden.yml
+ vars:
+ db_image: docker.io/library/mariadb:10.6
+ image: docker.io/bitwarden/self-host:2025.1.3-beta
+ tags: skudak, bitwarden
+
 - import_tasks: containers/debyltech/fulfillr.yml
 vars:
 image: "{{ aws_ecr_endpoint }}/fulfillr:20241028.1847"
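Review bot: `ports: - "8092:8092"` on the bitwarden container publishes its plaintext HTTP port on every host interface, while the nginx upstream in the new bitwarden.skudakrennsport.com.https.conf.j2 only needs it on loopback; with `BW_ENABLE_SSL: "false"` that leaves the vault reachable over plain HTTP without the modsecurity, HSTS and TLS layer nginx adds in front of it (a host firewall may already close this, but nothing in the diff shows one). Binding the published port to loopback, `- "127.0.0.1:8092:8092"`, keeps the upstream working and removes the bypass. Two smaller points in the same hunk: `mode: 0755` in the volume task is an unquoted octal that YAML reads as the integer 493, and Ansible's documentation asks for file modes to be quoted, `mode: "0755"`, precisely because the bare form can misbehave inside `loop`; and `globalSettings__mail__smtp__port: 587` is the only unquoted number in an env map where every other numeric value is a string (`BW_PORT_HTTP: "8092"`), so `"587"` would keep the map uniform and avoid type conversion in the module.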
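Review bot: `image: docker.io/bitwarden/self-host:2025.1.3-beta` pins the credential store to a pre-release tag, whereas the neighbouring nextcloud import on the context lines uses a release tag; if the unified self-host image only publishes beta tags at this point that is expected, but it deserves a comment on the line so the next reader does not take it for an oversight, and otherwise a release tag or an image digest is the safer pin for a vault. `db_image: docker.io/library/mariadb:10.6` is a floating minor tag, so each run of this role can silently pull a new point release of the database; a patch tag or digest keeps the deployment reproducible. The podman-check.yml task that consumes these images is not visible here, so whether it already compares digests cannot be confirmed.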
diff --git a/ansible/roles/podman/templates/nginx/sites/bitwarden.skudakrennsport.com.conf.j2 b/ansible/roles/podman/templates/nginx/sites/bitwarden.skudakrennsport.com.conf.j2
new file mode 100644
index 0000000..3ee9972
--- /dev/null
+++ b/ansible/roles/podman/templates/nginx/sites/bitwarden.skudakrennsport.com.conf.j2
@@ -0,0 +1,16 @@
+server {
+ modsecurity on;
+ modsecurity_rules_file /etc/nginx/modsec_includes.conf;
+
+ listen 80;
+ server_name {{ bitwarden_server_name }};
+
+ location '/.well-known/acme-challenge' {
+ default_type "text/plain";
+ root /srv/http/letsencrypt;
+ }
+
+ location / {
+ return 302 https://$host$request_uri;
+ }
+}
\ No newline at end of file
diff --git a/ansible/roles/podman/templates/nginx/sites/bitwarden.skudakrennsport.com.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/bitwarden.skudakrennsport.com.https.conf.j2
new file mode 100644
index 0000000..75c39c7
--- /dev/null
+++ b/ansible/roles/podman/templates/nginx/sites/bitwarden.skudakrennsport.com.https.conf.j2
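Review bot: `return 302 https://$host$request_uri;` makes the HTTP-to-HTTPS hop a temporary redirect, so clients keep re-probing port 80 on every visit instead of caching the upgrade; `return 301 https://$host$request_uri;` matches the permanent intent that the HSTS header on the HTTPS side already expresses. Whether the sibling site templates use 301 or 302 is not visible in this diff, so consistency with them is worth a quick check. The file also ends without a trailing newline (`\ No newline at end of file`), which will make the next edit to the last line show the closing brace as changed too.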
@@ -0,0 +1,44 @@
+upstream bitwarden {
+ server 127.0.0.1:8092;
+}
+
+server {
+ modsecurity on;
+ modsecurity_rules_file /etc/nginx/modsec_includes.conf;
+
+ resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
+
+ listen 443 ssl http2;
+ server_name {{ bitwarden_server_name }};
+ client_max_body_size 500M;
+
+ ssl_certificate /etc/letsencrypt/live/{{ bitwarden_server_name }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ bitwarden_server_name }}/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ bitwarden_server_name }}/fullchain.pem;
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_session_timeout 1d;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ location / {
+ add_header Referrer-Policy "same-origin" always;
+ add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always;
+ add_header X-Content-Type-Options "nosniff" always;
+
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_buffering off;
+ proxy_http_version 1.1;
+ proxy_pass http://bitwarden;
+ }
+}
\ No newline at end of file
diff --git a/ansible/roles/ssl/tasks/certbot.yml b/ansible/roles/ssl/tasks/certbot.yml
index 4d44d2a..ba2486c 100644
--- a/ansible/roles/ssl/tasks/certbot.yml
+++ b/ansible/roles/ssl/tasks/certbot.yml
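Review bot: `proxy_set_header Upgrade $http_upgrade;` inside `location /` is not paired with a `Connection` header, and nginx replaces the client's `Connection` with `Connection: close` on the upstream request by default, so an `Upgrade` header on its own never completes a websocket handshake through this proxy. Bitwarden clients use a websocket for live sync notifications, so they would quietly fall back to polling or fail to receive pushes; the conventional fix is a `map` at http scope — this file already places the `upstream` block at that scope — plus one more `proxy_set_header`, shown below. A smaller point: the file ends without a trailing newline (`\ No newline at end of file`), so the next edit to the last line will show the closing brace as changed as well.
```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# … unchanged: upstream bitwarden, server block, ssl settings, add_header lines …
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
# … unchanged: remaining proxy_set_header lines, proxy_buffering, proxy_http_version, proxy_pass …
```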
@@ -10,6 +10,7 @@
 loop:
 - "{{ base_server_name }}"
 - "{{ bookstack_server_name }}"
+ - "{{ bitwarden_server_name }}"
 - "{{ ci_server_name }}"
 - "{{ cloud_server_name }}"
 - "{{ cloud_skudak_server_name }}"
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml
index 961f155..a3c4bae 100644
Binary files a/ansible/vars/vault.yml and b/ansible/vars/vault.yml differ