r/bitwarden_rs: Migrate to podman
Docker is effectively deprecated by Fedora/Red Hat. It is a pain in the ass to work with anyway. Podman integrates better with systemd, and is in general more aligned with how I prefer to deploy and manage applications. I am following the same pattern here that I have used for Home Assistant, ZWaveJS2MQTT, etc. The systemd service starts the container with `podman`, passing the necessary arguments for UID/GID mapping, etc. Note that, by default, Vaultwarden expects to be able to bind to port 80; since the container is unprivileged, we have to configure it (or rather, its embedded HTTP server [Rocket](https://rocket.rs)) to listen on a different port. We also configure it to listen only on the loopback, since it is being proxied by Apache to the outside network. To migrate the data from the Docker volume, we just have to copy the files and fix their ownership. The *bitwarden_rs* project was recently renamed to *Vaultwarden*, so I took this opportunity to update the name in most places within the *bitwarden_rs* role.
This commit is contained in:
25
roles/bitwarden_rs/templates/vaultwarden.service.j2
Normal file
25
roles/bitwarden_rs/templates/vaultwarden.service.j2
Normal file
@@ -0,0 +1,25 @@
|
||||
[Unit]
|
||||
Description=Vaultwarden API server
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
NotifyAccess=all
|
||||
ExecStart=/usr/bin/podman run \
|
||||
--pull never \
|
||||
--sdnotify=conmon --cgroups=no-conmon \
|
||||
--rm \
|
||||
--network=host \
|
||||
--name vaultwarden \
|
||||
-v /var/lib/vaultwarden/data:/data:Z \
|
||||
--env-file /etc/sysconfig/vaultwarden \
|
||||
--uidmap 0:{{ vaultwarden_user.uid }}:1 \
|
||||
--gidmap 0:{{ vaultwarden_user.group }}:1 \
|
||||
--uidmap 1:100000:65536 \
|
||||
--gidmap 1:100000:65536 \
|
||||
docker.io/vaultwarden/server:latest
|
||||
SuccessExitStatus=143
|
||||
ProtectSystem=full
|
||||
UMask=0077
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Reference in New Issue
Block a user