Add the first iteration of bitwarden playbook

This commit is contained in:
Dryusdan 2021-02-08 15:52:53 +01:00
parent b470a85d28
commit d2bbf7802a
3 changed files with 283 additions and 0 deletions

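--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,241 @@
+---
+- name: Create bitwarden users
+ansible.builtin.user:
+name: "{{ item.name }}"
+home: "{{ item.home }}"
+shell: "/bin/false"
+loop: "{{ bitwarden }}"
+tags:
+- install
+- name: Get rustup installer
+get_url:
+url: https://sh.rustup.rs
+dest: "{{ item.home}}/rustup.sh"
+owner: "{{ item.name }}"
+group: "{{ item.name }}"
+loop: "{{ bitwarden }}"
+tags:
+- install
+- upgrade
+- name: Install rust nightly
+shell: "{{ item.home }}/rustup.sh --no-modify-path --default-toolchain nightly -y"
+args:
+executable: /bin/bash
+register: _bitwardenrs_install_rust_nightly
+changed_when: "'nightly installed' in _bitwardenrs_install_rust_nightly.stdout"
+become: yes
+become_user : "{{ item.name }}"
+become_method: su
+become_flags: '-s /bin/bash'
+loop: "{{ bitwarden }}"
+tags:
+- install
+- upgrade
+- name: Remove bitwarden
+file:
+path: "{{ item.home }}/bitwarden_rs"
+state: absent
+loop: "{{ bitwarden }}"
+tags:
+- upgrade
+- name: Remove web-vault
+file:
+path: "{{ item.home }}/web-vault"
+state: absent
+loop: "{{ bitwarden }}"
+tags:
+- upgrade
+- name: Remove patches
+file:
+path: "{{ item.home }}/bw_web_builds"
+state: absent
+loop: "{{ bitwarden }}"
+tags:
+- upgrade
+- name: Stop bitwarden
+ansible.builtin.systemd:
+state: stopped
+name: "{{ item.name }}_bitwarden.service"
+loop: "{{ bitwarden }}"
+tags:
+- upgrade
+- name: "Clone bitwarden_rs"
+git:
+repo: https://github.com/dani-garcia/bitwarden_rs.git
+dest: "{{ item.home }}/bitwarden_rs"
+become: yes
+become_user : "{{ item.name }}"
+become_method: su
+become_flags: '-s /bin/bash'
+loop: "{{ bitwarden }}"
+tags:
+- install
+- upgrade
+- name: "Clone bitwarden patch"
+git:
+repo: https://github.com/dani-garcia/bw_web_builds.git
+dest: "{{ item.home }}/bw_web_builds"
+become: yes
+become_user : "{{ item.name }}"
+become_method: su
+become_flags: '-s /bin/bash'
+loop: "{{ bitwarden }}"
+tags:
+- install
+- upgrade
+- name: "Get last patch"
+shell: ls | sort --version-sort | tail -n 1 | sed "s/.patch//"
+args:
+chdir: "{{ item.home }}/bw_web_builds/patches"
+register: webvault_version
+loop: "{{ bitwarden }}"
+tags:
+- install
+- upgrade
+- name: "Clone bitwarden web"
+git:
+repo: https://github.com/bitwarden/web.git
+dest: "{{ item.home }}/web-vault"
+version: "{{ webvault_version.stdout }}"
+become: yes
+become_user : "{{ item.name }}"
+become_method: su
+become_flags: '-s /bin/bash'
+loop: "{{ bitwarden }}"
+tags:
+- install
+- upgrade
+- name: Compile bitwarden_rs
+shell: "{{ item.home }}/.cargo/bin/cargo build --release --features postgresql"
+args:
+chdir: "{{ item.home }}/bitwarden_rs"
+become: yes
+become_user : "{{ item.name }}"
+become_method: su
+become_flags: '-s /bin/bash'
+loop: "{{ bitwarden }}"
+tags:
+- install
+- upgrade
+- name: Patch web-vault
+shell: "git apply {{ item.home }}/bw_web_builds/patches/{{ webvault_version.stdout }}.patch"
+args:
+chdir: "{{ item.home }}/web-vault"
+become: yes
+become_user : "{{ item.name }}"
+become_method: su
+become_flags: '-s /bin/bash'
+loop: "{{ bitwarden }}"
+tags:
+- install
+- upgrade
+- name: Build web-vault
+shell: "npm run sub:init"
+args:
+chdir: "{{ item.home }}/web-vault"
+become: yes
+become_user : "{{ item.name }}"
+become_method: su
+become_flags: '-s /bin/bash'
+loop: "{{ bitwarden }}"
+tags:
+- install
+- upgrade
+- name: Build web-vault
+shell: "npm install"
+args:
+chdir: "{{ item.home }}/web-vault"
+become: yes
+become_user : "{{ item.name }}"
+become_method: su
+become_flags: '-s /bin/bash'
+loop: "{{ bitwarden }}"
+tags:
+- install
+- upgrade
+- name: Build web-vault
+shell: "npm run dist"
+args:
+chdir: "{{ item.home }}/web-vault"
+become: yes
+become_user : "{{ item.name }}"
+become_method: su
+become_flags: '-s /bin/bash'
+loop: "{{ bitwarden }}"
+tags:
+- install
+- upgrade
+- name: Copy web-vault
+shell: "cp -a {{ item.home }}/web-vault/build/ {{ item.home }}/bitwarden_rs/target/release/web-vault/"
+become: yes
+become_user : "{{ item.name }}"
+become_method: su
+become_method: su
+become_flags: '-s /bin/bash'
+loop: "{{ bitwarden }}"
+tags:
+- install
+- upgrade
+- name: Install bitwarden
+shell: "rsync -a --info=progress2 {{ item.home }}/bitwarden_rs/target/release/ {{ item.app_folder }}"
+become: yes
+become_user : "{{ item.name }}"
+become_method: su
+become_flags: '-s /bin/bash'
+loop: "{{ bitwarden }}"
+tags:
+- install
+- upgrade
+- name: Add service
+ansible.builtin.template:
+src: bitwarden.service.j2
+dest: "/etc/{{ item.name }}_bitwarden.service"
+owner: root
+group: root
+mode: '0644'
+loop: "{{ bitwarden }}"
+tags:
+- install
+- name: Reload systemd
+ansible.builtin.systemd:
+daemon_reload: yes
+name: "{{ item.name }}_bitwarden.service"
+loop: "{{ bitwarden }}"
+tags:
+- install
+- name: Enable bitwarden
+ansible.builtin.systemd:
+enabled: yes
+name: "{{ item.name }}_bitwarden.service"
+loop: "{{ bitwarden }}"
+tags:
+- install
+- name: Restarted bitwarden
+ansible.builtin.systemd:
+state: started
+name: "{{ item.name }}_bitwarden.service"
+loop: "{{ bitwarden }}"
+tags:
+- upgrade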
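Review bot: `register: webvault_version` on the "Get last patch" task runs under `loop`, so the registered variable carries a `results` list and `webvault_version.stdout`, read by "Clone bitwarden web" and "Patch web-vault", is undefined at runtime; either compute the version once per user outside the loop or index `webvault_version.results` by the current item. "Add service" writes the unit to `/etc/{{ item.name }}_bitwarden.service`, a path systemd does not search, so the daemon_reload/enable/start tasks that follow cannot resolve the unit; `dest: "/etc/systemd/system/{{ item.name }}_bitwarden.service"`. "Copy web-vault" repeats `become_method: su` as a duplicate key (most parsers silently keep the last one), and `become_user :` carries a stray space before the colon throughout, which yamllint will flag. From a supply-chain view, the `get_url` of sh.rustup.rs has no `checksum:` and the bitwarden_rs and bw_web_builds `git` clones have no `version:`, so each run builds whatever HEAD happens to be and the deployed binary cannot be traced to an audited revision; pin `version:` to a release tag and give the installer a `checksum:`. Three consecutive tasks are all named "Build web-vault", which makes play output and failure reports ambiguous; naming them after the command (`npm run sub:init`, `npm install`, `npm run dist`) costs nothing.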


@ -0,0 +1,27 @@
[Unit]
Description=Bitwarden Server (Rust Edition)
Documentation=https://github.com/dani-garcia/bitwarden_rs
After=network.target
[Service]
# The user/group bitwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
User={{ item.name }}
Group={{ item.name }}
# The location of the .env file for configuration
EnvironmentFile=/etc/{{ item.name }}_bitwarden_rs.env
# The location of the compiled binary
ExecStart={{ item.app_folder }}/bitwarden_rs
# Set reasonable connection and process limits
LimitNOFILE=1048576
LimitNPROC=64
# Isolate bitwarden_rs from the rest of the system
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
WorkingDirectory={{ item.app_folder }}
ReadWriteDirectories={{ item.app_folder }}
[Install]
WantedBy=multi-user.target
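Review bot: `EnvironmentFile=/etc/{{ item.name }}_bitwarden_rs.env` points at a file that no task in this commit creates, although `templates/env.j2` is added alongside; since that file will carry ADMIN_TOKEN and SMTP_PASSWORD, it should be deployed by a template task with `owner: root`, `group: root` and `mode: '0600'` rather than left for manual creation. `ReadWriteDirectories=` is the deprecated spelling of the same directive; `ReadWritePaths={{ item.app_folder }}` is the current name and reads consistently with `ProtectSystem=strict` above it. Given the isolation directives already present, `NoNewPrivileges=true` is a cheap addition, though I cannot confirm from this commit that the binary needs nothing it would block. The comment above `ReadWriteDirectories` says this directory holds user and password data, so the playbook's `rsync -a` into `{{ item.app_folder }}` on upgrade is also worth a note here about not clobbering the data subtree.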

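--- a/templates/env.j2
+++ b/templates/env.j2
@@ -0,0 +1,15 @@
+# DATABASE_URL=data/db.sqlite3
+DATABASE_URL=
+SIGNUPS_ALLOWED=false
+WEBSOCKET_ENABLED=true
+ADMIN_TOKEN=
+ROCKET_ADDRESS=0.0.0.0
+WEBSOCKET_ADDRESS=0.0.0.0
+SMTP_HOST=
+SMTP_FROM=
+SMTP_PORT=
+SMTP_SSL=true
+SMTP_USERNAME=
+SMTP_PASSWORD=
+DISABLE_2FA_REMEMBER=true
+SIGNUPS_VERIFY=true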
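Review bot: `ADMIN_TOKEN=` and `SMTP_PASSWORD=` are empty literals and the template contains no Jinja expressions at all, so every host would receive identical empty values with no way to inject a per-deployment secret from a vaulted variable; render them as `ADMIN_TOKEN={{ ADMIN_TOKEN_VAR }}` (placeholder name — pick the role's variable) so the secret never has to be edited into the deployed file by hand. `DATABASE_URL=` is likewise empty next to a binary built with `--features postgresql`, so the connection string, which itself embeds credentials, needs to come from a variable too. `ROCKET_ADDRESS=0.0.0.0` and `WEBSOCKET_ADDRESS=0.0.0.0` bind every interface; if the service sits behind a reverse proxy (not visible from this commit), `127.0.0.1` limits exposure. A leading comment stating that this file holds secrets and must be installed with mode 0600 would help the next maintainer.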