bitwarden_rs: Deploy Bitwarden_rs using Docker

The *bitwarden_rs* role sets up the Bitwarden_rs server using its official Docker container. It sets up Apache as a reverse proxy for TLS support.
2019-09-19 17:21:09 -05:00 · 2019-09-19 17:21:09 -05:00 · 14cb924ba7
parent 1f535e980f
commit 14cb924ba7
7 changed files with 88 additions and 0 deletions
--- a/bitwarden_rs.yml
+++ b/bitwarden_rs.yml
@ -0,0 +1,11 @@
+- hosts: bitwarden_rs
+  vars_files:
+  - vault/bitwarden
+  roles:
+  - bitwarden_rs
+  tasks:
+  - meta: flush_handlers
+  - name: ensure apache is running
+    service:
+      name: httpd
+      state: started
--- a/5
+++ b/5
@ -4,6 +4,8 @@ ansible_python_interpreter=/usr/bin/python3
 [aria2]
 file0.pyrocufflink.blue

+[bitwarden_rs]
+
 [burp-client]
 file0.pyrocufflink.blue

@ -28,6 +30,9 @@ pyrocufflink-dhcp

 [docker]

+[docker:children]
+bitwarden_rs
+
 [file-servers]
 file0.pyrocufflink.blue

--- a/roles/bitwarden_rs/meta/main.yml
+++ b/roles/bitwarden_rs/meta/main.yml
@ -0,0 +1,2 @@
+dependencies:
+- apache
--- a/roles/bitwarden_rs/tasks/main.yml
+++ b/roles/bitwarden_rs/tasks/main.yml
@ -0,0 +1,33 @@
+- name: ensure python docker client is installed
+  package:
+    name: python3-docker
+    state: present
+  tags:
+  - install
+
+- name: ensure bitwarden_rs docker container is running
+  docker_container:
+    name: bitwarden
+    image: mprasil/bitwarden:latest
+    detach: yes
+    volumes:
+    - bw-data:/data
+    published_ports:
+    - 127.0.0.1:8080:80
+    - 127.0.0.1:3012:3012
+    env:
+      ADMIN_TOKEN: '{{ bitwarden_admin_token|d(omit) }}'
+      DOMAIN: '{{ bitwarden_domain|d(omit) }}'
+      WEBSOCKET_ENABLED: 'true'
+
+- name: ensure apache is allowed to proxy
+  seboolean:
+    name: httpd_can_network_connect
+    persistent: true
+    state: true
+- name: ensure apache is configured to proxy for bitwarden
+  template:
+    src: bitwarden.httpd.conf.j2
+    dest: /etc/httpd/conf.d/bitwarden.conf
+  notify:
+  - reload httpd
--- a/roles/bitwarden_rs/templates/bitwarden.httpd.conf.j2
+++ b/roles/bitwarden_rs/templates/bitwarden.httpd.conf.j2
@ -0,0 +1,27 @@
+RewriteEngine On
+RewriteCond %{HTTPS} !on
+RewriteRule /.* https://%{SERVER_NAME}$0
+
+<VirtualHost _default_:443>
+Include conf.d/ssl.include
+
+SSLCertificateFile {{ apache_ssl_certificate }}
+SSLCertificateKeyFile {{ apache_ssl_certificate_key }}
+SSLCertificateChainFile {{ apache_ssl_certificate }}
+{% if apache_ssl_ca_certificate is defined %}
+SSLCACertificateFile {{ apache_ssl_ca_certificate }}
+{% endif %}
+
+Header always set \
+	Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+RewriteEngine On
+RewriteCond %{HTTP:Upgrade} =websocket [NC]
+RewriteRule /notifications/hub(.*) ws://localhost:3012/$1 [QSA,P,L]
+
+ProxyPreserveHost On
+ProxyRequests Off
+ProxyPass / http://localhost:8080/
+ProxyPassReverse / http://localhost:8080/
+RequestHeader set X-Real-IP %{REMOTE_ADDR}s
+</VirtualHost>
--- a/roles/bitwarden_rs/vars/main.yml
+++ b/roles/bitwarden_rs/vars/main.yml
@ -0,0 +1 @@
+apache_default_ssl_vhost: false
--- a/vault/bitwarden
+++ b/vault/bitwarden
@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+35323663363530353631616663373633313837376630373633323063323337336536303231336663
+3664313638633833383565383062343735303963663934370a313036643465366631643938363635
+61623934383165303933346338333561373831646238623337316637373239336331363962616532
+3739633039643131640a663734393233623137656135396138343164643339623863306265613939
+34363836396535613566643537356365316239613431313365316637383262353466646366663836
+32303861623861616465343935663062616466393537376362616566393231646464663832333635
+65363239376161313663353039376633633132383266336366303032643633346364343132356239
+30373366383464643961