bitwarden_rs: Deploy Bitwarden_rs using Docker

The *bitwarden_rs* role sets up the Bitwarden_rs server using its official Docker container. It sets up Apache as a reverse proxy for TLS support.
2019-09-19 17:21:09 -05:00
parent 1f535e980f
commit 14cb924ba7
7 changed files with 88 additions and 0 deletions
--- a/roles/bitwarden_rs/meta/main.yml
+++ b/roles/bitwarden_rs/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- apache
--- a/roles/bitwarden_rs/tasks/main.yml
+++ b/roles/bitwarden_rs/tasks/main.yml
@@ -0,0 +1,33 @@
+- name: ensure python docker client is installed
+  package:
+    name: python3-docker
+    state: present
+  tags:
+  - install
+
+- name: ensure bitwarden_rs docker container is running
+  docker_container:
+    name: bitwarden
+    image: mprasil/bitwarden:latest
+    detach: yes
+    volumes:
+    - bw-data:/data
+    published_ports:
+    - 127.0.0.1:8080:80
+    - 127.0.0.1:3012:3012
+    env:
+      ADMIN_TOKEN: '{{ bitwarden_admin_token|d(omit) }}'
+      DOMAIN: '{{ bitwarden_domain|d(omit) }}'
+      WEBSOCKET_ENABLED: 'true'
+
+- name: ensure apache is allowed to proxy
+  seboolean:
+    name: httpd_can_network_connect
+    persistent: true
+    state: true
+- name: ensure apache is configured to proxy for bitwarden
+  template:
+    src: bitwarden.httpd.conf.j2
+    dest: /etc/httpd/conf.d/bitwarden.conf
+  notify:
+  - reload httpd
--- a/roles/bitwarden_rs/templates/bitwarden.httpd.conf.j2
+++ b/roles/bitwarden_rs/templates/bitwarden.httpd.conf.j2
@@ -0,0 +1,27 @@
+RewriteEngine On
+RewriteCond %{HTTPS} !on
+RewriteRule /.* https://%{SERVER_NAME}$0
+
+<VirtualHost _default_:443>
+Include conf.d/ssl.include
+
+SSLCertificateFile {{ apache_ssl_certificate }}
+SSLCertificateKeyFile {{ apache_ssl_certificate_key }}
+SSLCertificateChainFile {{ apache_ssl_certificate }}
+{% if apache_ssl_ca_certificate is defined %}
+SSLCACertificateFile {{ apache_ssl_ca_certificate }}
+{% endif %}
+
+Header always set \
+	Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+RewriteEngine On
+RewriteCond %{HTTP:Upgrade} =websocket [NC]
+RewriteRule /notifications/hub(.*) ws://localhost:3012/$1 [QSA,P,L]
+
+ProxyPreserveHost On
+ProxyRequests Off
+ProxyPass / http://localhost:8080/
+ProxyPassReverse / http://localhost:8080/
+RequestHeader set X-Real-IP %{REMOTE_ADDR}s
+</VirtualHost>
--- a/roles/bitwarden_rs/vars/main.yml
+++ b/roles/bitwarden_rs/vars/main.yml
@@ -0,0 +1 @@
+apache_default_ssl_vhost: false