diff --git a/bitwarden_rs.yml b/bitwarden_rs.yml
new file mode 100644
index 0000000..fd6a7aa
--- /dev/null
+++ b/bitwarden_rs.yml
@@ -0,0 +1,11 @@
+- hosts: bitwarden_rs
+ vars_files:
+ - vault/bitwarden
+ roles:
+ - bitwarden_rs
+ tasks:
+ - meta: flush_handlers
+ - name: ensure apache is running
+ service:
+ name: httpd
+ state: started
diff --git a/hosts b/hosts
index 638da41..9259d04 100644
--- a/hosts
+++ b/hosts
@@ -4,6 +4,8 @@ ansible_python_interpreter=/usr/bin/python3
 [aria2]
 file0.pyrocufflink.blue
+[bitwarden_rs]
+
 [burp-client]
 file0.pyrocufflink.blue
@@ -28,6 +30,9 @@ pyrocufflink-dhcp
 [docker]
+[docker:children]
+bitwarden_rs
+
 [file-servers]
 file0.pyrocufflink.blue
diff --git a/roles/bitwarden_rs/meta/main.yml b/roles/bitwarden_rs/meta/main.yml
new file mode 100644
index 0000000..9838d9f
--- /dev/null
+++ b/roles/bitwarden_rs/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- apache
diff --git a/roles/bitwarden_rs/tasks/main.yml b/roles/bitwarden_rs/tasks/main.yml
new file mode 100644
index 0000000..0ecda2a
--- /dev/null
+++ b/roles/bitwarden_rs/tasks/main.yml
@@ -0,0 +1,33 @@
+- name: ensure python docker client is installed
+ package:
+ name: python3-docker
+ state: present
+ tags:
+ - install
+
+- name: ensure bitwarden_rs docker container is running
+ docker_container:
+ name: bitwarden
+ image: mprasil/bitwarden:latest
+ detach: yes
+ volumes:
+ - bw-data:/data
+ published_ports:
+ - 127.0.0.1:8080:80
+ - 127.0.0.1:3012:3012
+ env:
+ ADMIN_TOKEN: '{{ bitwarden_admin_token|d(omit) }}'
+ DOMAIN: '{{ bitwarden_domain|d(omit) }}'
+ WEBSOCKET_ENABLED: 'true'
+
+- name: ensure apache is allowed to proxy
+ seboolean:
+ name: httpd_can_network_connect
+ persistent: true
+ state: true
+- name: ensure apache is configured to proxy for bitwarden
+ template:
+ src: bitwarden.httpd.conf.j2
+ dest: /etc/httpd/conf.d/bitwarden.conf
+ notify:
+ - reload httpd
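Review bot: The last task asserts only `state: started` for httpd; unless the `apache` role already enables the unit, the proxy will not come back after a reboot, so `enabled: true` next to `state: started` pins both. The `meta: flush_handlers` before it also means that, on a first run where nothing has started httpd yet, the `reload httpd` handler notified by the role's template task fires against a stopped service; whether that is an error depends on how the handler (not in this commit) is written, so it is worth a check. The file also has no `---` document start, and neither do the other YAML files in this commit.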
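Review bot: The new `[bitwarden_rs]` group is added empty, so `hosts: bitwarden_rs` in the playbook matches nothing and the `[docker:children]` entry in the second hunk adds no member until a host is listed. If a host is meant to join later, a one-line comment under the header such as `# hosts added when the bitwarden VM is provisioned` would keep the next reader from treating the empty group as a mistake.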
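Review bot: The `docker_container` task passes the vaulted admin token through `env:` but carries no `no_log: true`, so a verbose run or a failure of that task prints `ADMIN_TOKEN` in clear text in Ansible's output and in whatever captures it; add `no_log: true` to the task. The container also has no `restart_policy`, so it stays down after a host reboot or a crash unless something else starts it; `restart_policy: unless-stopped` is the usual choice. `image: mprasil/bitwarden:latest` is a floating tag, and `docker_container` does not re-pull an image that is already present unless `pull: true` is set, so which build is running depends on when the host last pulled; pin a version tag or digest and bump it deliberately. Minor: `detach: yes` should be `detach: true`, and a blank line is missing between the seboolean and template tasks.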
diff --git a/roles/bitwarden_rs/templates/bitwarden.httpd.conf.j2 b/roles/bitwarden_rs/templates/bitwarden.httpd.conf.j2
new file mode 100644
index 0000000..d19ff4d
--- /dev/null
+++ b/roles/bitwarden_rs/templates/bitwarden.httpd.conf.j2
@@ -0,0 +1,27 @@
+RewriteEngine On
+RewriteCond %{HTTPS} !on
+RewriteRule /.* https://%{SERVER_NAME}$0
+
+ Include conf.d/ssl.include
+
+SSLCertificateFile {{ apache_ssl_certificate }}
+SSLCertificateKeyFile {{ apache_ssl_certificate_key }}
+SSLCertificateChainFile {{ apache_ssl_certificate }}
+{% if apache_ssl_ca_certificate is defined %}
+SSLCACertificateFile {{ apache_ssl_ca_certificate }}
+{% endif %}
+
+Header always set \
+ Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+RewriteEngine On
+RewriteCond %{HTTP:Upgrade} =websocket [NC]
+RewriteRule /notifications/hub(.*) ws://localhost:3012/$1 [QSA,P,L]
+
+ProxyPreserveHost On
+ProxyRequests Off
+ProxyPass / http://localhost:8080/
+ProxyPassReverse / http://localhost:8080/
+RequestHeader set X-Real-IP %{REMOTE_ADDR}s
+
diff --git a/roles/bitwarden_rs/vars/main.yml b/roles/bitwarden_rs/vars/main.yml
new file mode 100644
index 0000000..419501e
--- /dev/null
+++ b/roles/bitwarden_rs/vars/main.yml
@@ -0,0 +1 @@
+apache_default_ssl_vhost: false
diff --git a/vault/bitwarden b/vault/bitwarden
new file mode 100644
index 0000000..d54f8ab
--- /dev/null
+++ b/vault/bitwarden
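Review bot: The websocket rule `RewriteRule /notifications/hub(.*) ws://localhost:3012/$1 [QSA,P,L]` is unanchored, so it also fires for any path that merely contains `/notifications/hub`, with `$1` capturing only the tail; anchoring it as `RewriteRule ^/notifications/hub(.*) ws://localhost:3012/$1 [QSA,P,L]` keeps the proxied path to the one intended. The HTTPS redirect `RewriteRule /.* https://%{SERVER_NAME}$0` carries no flags and so leans on mod_rewrite's implicit external redirect for an absolute URL on a different scheme (a temporary 302); `RewriteRule ^/.* https://%{SERVER_NAME}$0 [R=301,L]` states the intent and makes it permanent. `RewriteEngine On` appears twice in the same scope; the second is redundant. Since the task file sets `ADMIN_TOKEN`, which presumably enables the application's admin panel, it is worth deciding whether that path should be limited at the proxy (a `<Location>` block with a `Require ip` list) rather than being reachable from wherever `ProxyPass /` is. The template has no enclosing `<VirtualHost>`, so the scope these directives land in depends on `conf.d/ssl.include` and the apache role, neither of which is in this commit.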
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+35323663363530353631616663373633313837376630373633323063323337336536303231336663
+3664313638633833383565383062343735303963663934370a313036643465366631643938363635
+61623934383165303933346338333561373831646238623337316637373239336331363962616532
+3739633039643131640a663734393233623137656135396138343164643339623863306265613939
+34363836396535613566643537356365316239613431313365316637383262353466646366663836
+32303861623861616465343935663062616466393537376362616566393231646464663832333635
+65363239376161313663353039376633633132383266336366303032643633346364343132356239
+30373366383464643961