bitwarden_rs: Deploy Bitwarden_rs using Docker

The *bitwarden_rs* role sets up the Bitwarden_rs server using its official Docker container. It sets up Apache as a reverse proxy for TLS support.
2019-09-19 17:21:09 -05:00 · 2019-09-19 17:21:09 -05:00 · 14cb924ba7
parent 1f535e980f
commit 14cb924ba7
7 changed files with 88 additions and 0 deletions
--- a/bitwarden_rs.yml
+++ b/bitwarden_rs.yml
@ -0,0 +1,11 @@
 - hosts: bitwarden_rs
  vars_files:
  - vault/bitwarden
  roles:
  - bitwarden_rs
  tasks:
  - meta: flush_handlers
  - name: ensure apache is running
    service:
      name: httpd
      state: started
--- a/5
+++ b/5
@ -4,6 +4,8 @@ ansible_python_interpreter=/usr/bin/python3
 [aria2]
 file0.pyrocufflink.blue
 [bitwarden_rs]
 [burp-client]
 file0.pyrocufflink.blue
@ -28,6 +30,9 @@ pyrocufflink-dhcp
 [docker]
 [docker:children]
 bitwarden_rs
 [file-servers]
 file0.pyrocufflink.blue
--- a/roles/bitwarden_rs/meta/main.yml
+++ b/roles/bitwarden_rs/meta/main.yml
@ -0,0 +1,2 @@
 dependencies:
 - apache
--- a/roles/bitwarden_rs/tasks/main.yml
+++ b/roles/bitwarden_rs/tasks/main.yml
@ -0,0 +1,33 @@
 - name: ensure python docker client is installed
  package:
    name: python3-docker
    state: present
  tags:
  - install
 - name: ensure bitwarden_rs docker container is running
  docker_container:
    name: bitwarden
    image: mprasil/bitwarden:latest
    detach: yes
    volumes:
    - bw-data:/data
    published_ports:
    - 127.0.0.1:8080:80
    - 127.0.0.1:3012:3012
    env:
      ADMIN_TOKEN: '{{ bitwarden_admin_token|d(omit) }}'
      DOMAIN: '{{ bitwarden_domain|d(omit) }}'
      WEBSOCKET_ENABLED: 'true'
 - name: ensure apache is allowed to proxy
  seboolean:
    name: httpd_can_network_connect
    persistent: true
    state: true
 - name: ensure apache is configured to proxy for bitwarden
  template:
    src: bitwarden.httpd.conf.j2
    dest: /etc/httpd/conf.d/bitwarden.conf
  notify:
  - reload httpd
--- a/roles/bitwarden_rs/templates/bitwarden.httpd.conf.j2
+++ b/roles/bitwarden_rs/templates/bitwarden.httpd.conf.j2
@ -0,0 +1,27 @@
 RewriteEngine On
 RewriteCond %{HTTPS} !on
 RewriteRule /.* https://%{SERVER_NAME}$0
 <VirtualHost _default_:443>
 Include conf.d/ssl.include
 SSLCertificateFile {{ apache_ssl_certificate }}
 SSLCertificateKeyFile {{ apache_ssl_certificate_key }}
 SSLCertificateChainFile {{ apache_ssl_certificate }}
 {% if apache_ssl_ca_certificate is defined %}
 SSLCACertificateFile {{ apache_ssl_ca_certificate }}
 {% endif %}
 Header always set \
 	Strict-Transport-Security "max-age=63072000; includeSubDomains"
 RewriteEngine On
 RewriteCond %{HTTP:Upgrade} =websocket [NC]
 RewriteRule /notifications/hub(.*) ws://localhost:3012/$1 [QSA,P,L]
 ProxyPreserveHost On
 ProxyRequests Off
 ProxyPass / http://localhost:8080/
 ProxyPassReverse / http://localhost:8080/
 RequestHeader set X-Real-IP %{REMOTE_ADDR}s
 </VirtualHost>
--- a/roles/bitwarden_rs/vars/main.yml
+++ b/roles/bitwarden_rs/vars/main.yml
@ -0,0 +1 @@
 apache_default_ssl_vhost: false
--- a/vault/bitwarden
+++ b/vault/bitwarden
@ -0,0 +1,9 @@
 $ANSIBLE_VAULT;1.1;AES256
 35323663363530353631616663373633313837376630373633323063323337336536303231336663
 3664313638633833383565383062343735303963663934370a313036643465366631643938363635
 61623934383165303933346338333561373831646238623337316637373239336331363962616532
 3739633039643131640a663734393233623137656135396138343164643339623863306265613939
 34363836396535613566643537356365316239613431313365316637383262353466646366663836
 32303861623861616465343935663062616466393537376362616566393231646464663832333635
 65363239376161313663353039376633633132383266336366303032643633346364343132356239
 30373366383464643961