Dustin C. Hatch
e3b5b4d5ff
Docker is effectively deprecated by Fedora/Red Hat. It is a pain in the ass to work with anyway. Podman integrates better with systemd, and is in general more aligned with how I prefer to deploy and manage applications. I am following the same pattern here that I have used for Home Assistant, ZWaveJS2MQTT, etc. The systemd service starts the container with `podman`, passing the necessary arguments for UID/GID mapping, etc. Note that, by default, Vaultwarden expects to be able to bind to port 80; since the container is unprivileged, we have to configure it (or rather, its embedded HTTP server [Rocket](https://rocket.rs)) to listen on a different port. We also configure it to listen only on the loopback, since it is being proxied by Apache to the outside network. To migrate the data from the Docker volume, we just have to copy the files and fix their ownership. The *bitwarden_rs* project was recently renamed to *Vaultwarden*, so I took this opportunity to update the name in most places within the *bitwarden_rs* role.
104 lines
2.1 KiB
YAML
104 lines
2.1 KiB
YAML
- name: ensure sqlite command is installed
|
|
package:
|
|
name: sqlite
|
|
state: present
|
|
tags:
|
|
- install
|
|
|
|
- name: ensure podman is installed
|
|
package:
|
|
name: podman
|
|
state: present
|
|
tags:
|
|
- install
|
|
|
|
- name: ensure vaultwarden user exists
|
|
user:
|
|
name: vaultwarden
|
|
system: true
|
|
home: /var/lib/vaultwarden
|
|
createhome: false
|
|
register: vaultwarden_user
|
|
tags:
|
|
- user
|
|
- name: cache vaultwarden user fact
|
|
set_fact:
|
|
vaultwarden_user: '{{ vaultwarden_user }}'
|
|
cacheable: true
|
|
|
|
- name: ensure vaultwarden_rs home directory exists
|
|
file:
|
|
path: '{{ vaultwarden_user.home }}'
|
|
owner: '{{ vaultwarden_user.name }}'
|
|
group: '{{ vaultwarden_user.group }}'
|
|
mode: u=rwx,go=
|
|
state: directory
|
|
tags:
|
|
- datadir
|
|
|
|
- name: ensure vaultwarden container image is available
|
|
podman_image:
|
|
name: docker.io/vaultwarden/server
|
|
tag: latest
|
|
state: present
|
|
force: '{{ vaultwarden_update|d|bool }}'
|
|
notify:
|
|
- restart vaultwarden
|
|
tags:
|
|
- container-image
|
|
- container
|
|
|
|
- name: ensure vaultwarden environment is configured
|
|
template:
|
|
src: vaultwarden.sysconfig.j2
|
|
dest: /etc/sysconfig/vaultwarden
|
|
mode: u=rw,go=
|
|
notify:
|
|
- restart vaultwarden
|
|
tags:
|
|
- config
|
|
|
|
- name: ensure vaultwarden systemd unit is installed
|
|
template:
|
|
src: vaultwarden.service.j2
|
|
dest: /etc/systemd/system/vaultwarden.service
|
|
mode: u=rw,go=r
|
|
notify:
|
|
- reload systemd
|
|
- restart vaultwarden
|
|
tags:
|
|
- service
|
|
- systemd
|
|
- name: ensure vaultwarden starts at boot
|
|
service:
|
|
name: vaultwarden
|
|
enabled: true
|
|
tags:
|
|
- service
|
|
|
|
- import_tasks: migration.yml # noqa: unnamed-task
|
|
tags:
|
|
- migration
|
|
|
|
- meta: flush_handlers # noqa: unnamed-task
|
|
|
|
- name: ensure vaultwarden is running
|
|
service:
|
|
name: vaultwarden
|
|
state: started
|
|
tags:
|
|
- service
|
|
|
|
- name: ensure apache is allowed to proxy
|
|
seboolean:
|
|
name: httpd_can_network_connect
|
|
persistent: true
|
|
state: true
|
|
- name: ensure apache is configured to proxy for bitwarden
|
|
template:
|
|
src: bitwarden.httpd.conf.j2
|
|
dest: /etc/httpd/conf.d/bitwarden.conf
|
|
mode: u=rw,go=r
|
|
notify:
|
|
- reload httpd
|