Add the first iteration of bitwarden playbook

1 year ago · d2bbf7802a
3 changed files with 283 additions and 0 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,241 @@
+---
+- name: Create bitwarden users
+  ansible.builtin.user:
+    name: "{{ item.name }}"
+    home: "{{ item.home }}"
+    shell: "/bin/false"
+  loop: "{{ bitwarden }}"
+  tags:
+    - install
+
+- name: Get rustup installer
+  get_url:
+    url: https://sh.rustup.rs
+    dest: "{{ item.home}}/rustup.sh"
+    owner: "{{ item.name }}"
+    group: "{{ item.name }}"
+  loop: "{{ bitwarden }}"
+  tags:
+    - install
+    - upgrade
+
+- name: Install rust nightly
+  shell: "{{ item.home }}/rustup.sh --no-modify-path --default-toolchain nightly -y"
+  args:
+    executable: /bin/bash
+  register: _bitwardenrs_install_rust_nightly
+  changed_when: "'nightly installed' in _bitwardenrs_install_rust_nightly.stdout"
+  become: yes
+  become_user : "{{ item.name }}"
+  become_method: su
+  become_flags: '-s /bin/bash'
+  loop: "{{ bitwarden }}"
+  tags:
+    - install
+    - upgrade
+
+- name: Remove bitwarden
+  file:
+    path: "{{ item.home }}/bitwarden_rs"
+    state: absent
+  loop: "{{ bitwarden }}"
+  tags:
+    - upgrade
+
+- name: Remove web-vault
+  file:
+    path: "{{ item.home }}/web-vault"
+    state: absent
+  loop: "{{ bitwarden }}"
+  tags:
+    - upgrade
+
+- name: Remove patches
+  file:
+    path: "{{ item.home }}/bw_web_builds"
+    state: absent
+  loop: "{{ bitwarden }}"
+  tags:
+    - upgrade
+
+- name: Stop bitwarden
+  ansible.builtin.systemd:
+    state: stopped
+    name: "{{ item.name }}_bitwarden.service"
+  loop: "{{ bitwarden }}"
+  tags:
+    - upgrade
+
+- name: "Clone bitwarden_rs"
+  git:
+    repo: https://github.com/dani-garcia/bitwarden_rs.git
+    dest: "{{ item.home }}/bitwarden_rs"
+  become: yes
+  become_user : "{{ item.name }}"
+  become_method: su
+  become_flags: '-s /bin/bash'
+  loop: "{{ bitwarden }}"
+  tags:
+    - install
+    - upgrade
+
+- name: "Clone bitwarden patch"
+  git:
+    repo: https://github.com/dani-garcia/bw_web_builds.git
+    dest: "{{ item.home }}/bw_web_builds"
+  become: yes
+  become_user : "{{ item.name }}"
+  become_method: su
+  become_flags: '-s /bin/bash'
+  loop: "{{ bitwarden }}"
+  tags:
+    - install
+    - upgrade
+
+- name: "Get last patch"
+  shell: ls | sort --version-sort | tail -n 1 | sed "s/.patch//"
+  args:
+    chdir: "{{ item.home }}/bw_web_builds/patches"
+  register: webvault_version
+  loop: "{{ bitwarden }}"
+  tags:
+    - install
+    - upgrade
+
+- name: "Clone bitwarden web"
+  git:
+    repo: https://github.com/bitwarden/web.git
+    dest: "{{ item.home }}/web-vault"
+    version: "{{ webvault_version.stdout }}"
+  become: yes
+  become_user : "{{ item.name }}"
+  become_method: su
+  become_flags: '-s /bin/bash'
+  loop: "{{ bitwarden }}"
+  tags:
+    - install
+    - upgrade
+
+- name: Compile bitwarden_rs
+  shell: "{{ item.home }}/.cargo/bin/cargo build --release --features postgresql"
+  args:
+    chdir: "{{ item.home }}/bitwarden_rs"
+  become: yes
+  become_user : "{{ item.name }}"
+  become_method: su
+  become_flags: '-s /bin/bash'
+  loop: "{{ bitwarden }}"
+  tags:
+    - install
+    - upgrade
+
+- name: Patch web-vault
+  shell: "git apply {{ item.home }}/bw_web_builds/patches/{{ webvault_version.stdout }}.patch"
+  args:
+    chdir: "{{ item.home }}/web-vault"
+  become: yes
+  become_user : "{{ item.name }}"
+  become_method: su
+  become_flags: '-s /bin/bash'
+  loop: "{{ bitwarden }}"
+  tags:
+    - install
+    - upgrade
+
+- name: Build web-vault 
+  shell: "npm run sub:init"
+  args:
+    chdir: "{{ item.home }}/web-vault"
+  become: yes
+  become_user : "{{ item.name }}"
+  become_method: su
+  become_flags: '-s /bin/bash'
+  loop: "{{ bitwarden }}"
+  tags:
+    - install
+    - upgrade
+
+- name: Build web-vault 
+  shell: "npm install"
+  args:
+    chdir: "{{ item.home }}/web-vault"
+  become: yes
+  become_user : "{{ item.name }}"
+  become_method: su
+  become_flags: '-s /bin/bash'
+  loop: "{{ bitwarden }}"
+  tags:
+    - install
+    - upgrade
+
+- name: Build web-vault 
+  shell: "npm run dist"
+  args:
+    chdir: "{{ item.home }}/web-vault"
+  become: yes
+  become_user : "{{ item.name }}"
+  become_method: su
+  become_flags: '-s /bin/bash'
+  loop: "{{ bitwarden }}"
+  tags:
+    - install
+    - upgrade
+
+- name: Copy web-vault
+  shell: "cp -a {{ item.home }}/web-vault/build/ {{ item.home }}/bitwarden_rs/target/release/web-vault/"
+  become: yes
+  become_user : "{{ item.name }}"
+  become_method: su
+  become_method: su
+  become_flags: '-s /bin/bash'
+  loop: "{{ bitwarden }}"
+  tags:
+    - install
+    - upgrade
+
+- name: Install bitwarden
+  shell: "rsync -a --info=progress2 {{ item.home }}/bitwarden_rs/target/release/ {{ item.app_folder }}"
+  become: yes
+  become_user : "{{ item.name }}"
+  become_method: su
+  become_flags: '-s /bin/bash'
+  loop: "{{ bitwarden }}"
+  tags:
+    - install
+    - upgrade
+
+- name: Add service
+  ansible.builtin.template:
+    src: bitwarden.service.j2
+    dest: "/etc/{{ item.name }}_bitwarden.service"
+    owner: root
+    group: root
+    mode: '0644'
+  loop: "{{ bitwarden }}"
+  tags:
+    - install
+
+- name: Reload systemd
+  ansible.builtin.systemd:
+    daemon_reload: yes
+    name: "{{ item.name }}_bitwarden.service"
+  loop: "{{ bitwarden }}"
+  tags:
+    - install
+
+- name: Enable bitwarden
+  ansible.builtin.systemd:
+    enabled: yes
+    name: "{{ item.name }}_bitwarden.service"
+  loop: "{{ bitwarden }}"
+  tags:
+    - install
+
+- name: Restarted bitwarden
+  ansible.builtin.systemd:
+    state: started
+    name: "{{ item.name }}_bitwarden.service"
+  loop: "{{ bitwarden }}"
+  tags:
+    - upgrade
+
--- a/templates/bitwarden.service.j2
+++ b/templates/bitwarden.service.j2
@ -0,0 +1,27 @@
+[Unit]
+Description=Bitwarden Server (Rust Edition)
+Documentation=https://github.com/dani-garcia/bitwarden_rs
+After=network.target
+
+[Service]
+# The user/group bitwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
+User={{ item.name }}
+Group={{ item.name }}
+# The location of the .env file for configuration
+EnvironmentFile=/etc/{{ item.name }}_bitwarden_rs.env
+# The location of the compiled binary
+ExecStart={{ item.app_folder }}/bitwarden_rs
+# Set reasonable connection and process limits
+LimitNOFILE=1048576
+LimitNPROC=64
+# Isolate bitwarden_rs from the rest of the system
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=strict
+# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
+WorkingDirectory={{ item.app_folder }}
+ReadWriteDirectories={{ item.app_folder }}
+
+[Install]
+WantedBy=multi-user.target
--- a/templates/env.j2
+++ b/templates/env.j2
@ -0,0 +1,15 @@
+# DATABASE_URL=data/db.sqlite3
+DATABASE_URL=
+SIGNUPS_ALLOWED=false
+WEBSOCKET_ENABLED=true
+ADMIN_TOKEN=
+ROCKET_ADDRESS=0.0.0.0
+WEBSOCKET_ADDRESS=0.0.0.0
+SMTP_HOST=
+SMTP_FROM=
+SMTP_PORT=
+SMTP_SSL=true
+SMTP_USERNAME=
+SMTP_PASSWORD=
+DISABLE_2FA_REMEMBER=true
+SIGNUPS_VERIFY=true