Update to 2021-12-01 19:13

roles/unmaintained/bitwarden_rs/templates/bitwarden_rs.conf.j2

@@ -0,0 +1,28 @@
+IP_HEADER=X-Forwarded-For
+SIGNUPS_VERIFY=true
+SIGNUPS_ALLOWED={{ bitwarden_registration | ternary('true','false') }}
+{% if bitwarden_domains_whitelist | length > 0 %}
+SIGNUPS_DOMAINS_WHITELIST={{ bitwarden_domains_whitelist | join(',') }}
+{% endif %}
+ADMIN_TOKEN={{ bitwarden_admin_token }}
+DISABLE_ADMIN_TOKEN={{ bitwarden_disable_admin_token | ternary('true','false') }}
+DOMAIN={{ bitwarden_public_url }}
+ROCKET_ENV=prod
+ROCKET_ADDRESS=0.0.0.0
+ROCKET_PORT={{ bitwarden_http_port }}
+WEBSOCKET_ENABLED=true
+WEBSOCKET_PORT={{ bitwarden_ws_port }}
+SMTP_HOST=localhost
+SMTP_PORT=25
+SMTP_SSL=false
+SMTP_FROM=bitwarden-rs-noreply@{{ ansible_domain }}
+{% if bitwarden_db_engine == 'mysql' %}
+DATABASE_URL=mysql://{{ bitwarden_db_user }}:{{ bitwarden_db_pass | urlencode | regex_replace('/','%2F') }}@{{ bitwarden_db_server }}:{{ bitwarden_db_port }}/{{ bitwarden_db_name }}
+ENABLE_DB_WAL=false
+{% else %}
+DATABASE_URL=data/db.sqlite3
+{% endif %}
+{% if bitwarden_yubico_client_id is defined and bitwarden_yubico_secret_key is defined %}
+YUBICO_CLIENT_ID={{ bitwarden_yubico_client_id }}
+YUBICO_SECRET_KEY={{ bitwarden_yubico_secret_key }}
+{% endif %}

roles/unmaintained/bitwarden_rs/templates/bitwarden_rs.service.j2

@@ -0,0 +1,27 @@
+[Unit]
+Description=Bitwarden Server (Rust Edition)
+Documentation=https://github.com/dani-garcia/bitwarden_rs
+After=network.target
+{% if bitwarden_db_engine == 'mysql' and (bitwarden_db_server == 'localhost' or bitwarden_db_server == '127.0.0.1') %}
+After=mariadb.service
+Requires=mariadb.service
+{% endif %}
+
+[Service]
+User={{ bitwarden_user }}
+Group={{ bitwarden_user }}
+EnvironmentFile={{ bitwarden_root_dir }}/etc/bitwarden_rs.conf
+ExecStart={{ bitwarden_root_dir }}/bitwarden_rs
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
+WorkingDirectory={{ bitwarden_root_dir }}
+ReadWriteDirectories={{ bitwarden_root_dir }}/data
+ReadOnlyDirectories={{ bitwarden_root_dir }}/etc {{ bitwarden_root_dir }}/web-vault
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

roles/unmaintained/bitwarden_rs/templates/nginx.conf.j2

@@ -0,0 +1,69 @@
+server {
+  listen 443 ssl http2;
+  server_name {{ bitwarden_public_url | urlsplit('hostname') }};
+
+  include /etc/nginx/ansible_conf.d/acme.inc;
+
+{% if bitwarden_cert_path is defined and bitwarden_key_path is defined %}
+  ssl_certificate     {{ bitwarden_cert_path }};
+  ssl_certificate_key {{ bitwarden_key_path }};
+{% elif bitwarden_letsencrypt_cert is defined and bitwarden_letsencrypt_cert == True %}
+  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ bitwarden_public_url | urlsplit('hostname') }}/fullchain.pem;
+  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ bitwarden_public_url | urlsplit('hostname') }}/privkey.pem;
+{% elif bitwarden_letsencrypt_cert is string %}
+  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ bitwarden_letsencrypt_cert }}/fullchain.pem;
+  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ bitwarden_letsencrypt_cert }}/privkey.pem;
+{% endif %}
+
+  root {{ bitwarden_root_dir }}/web-vault;
+
+  client_max_body_size 512M;
+
+  if ($request_method !~ ^(GET|POST|HEAD|PUT|DELETE)$ ) {
+    return 405;
+  }
+
+  location /notifications/hub {
+    proxy_pass http://localhost:{{ bitwarden_ws_port }};
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+  }
+  location /notifications/hub/negotiate {
+    proxy_pass http://localhost:{{ bitwarden_http_port }};
+  }
+
+  location @proxy {
+    proxy_pass http://localhost:{{ bitwarden_http_port }};
+  }
+
+  location / {
+    try_files $uri $uri/index.html @proxy;
+  }
+
+  add_header X-Frame-Options "DENY";
+  add_header X-Content-Type-Options "nosniff";
+  add_header X-XSS-Protection "1; mode=block";
+  add_header Strict-Transport-Security "$hsts_header";
+
+  # Send info about the original request to the backend
+  proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
+  proxy_set_header X-Real-IP "$remote_addr";
+  proxy_set_header X-Forwarded-Proto "$scheme";
+  proxy_set_header X-Forwarded-Host "$host";
+  proxy_set_header Host "$host";
+
+  # Set the timeout to read responses from the backend
+  proxy_read_timeout 60s;
+
+  # Enable Keep Alive to the backend
+  proxy_socket_keepalive on;
+
+  # Disable buffering large files
+  proxy_max_temp_file_size 5m;
+
+  allow 127.0.0.1;
+{% for ip in bitwarden_web_src_ip %}
+  allow {{ ip }};
+{% endfor %}
+  deny all;
+}

roles/unmaintained/bitwarden_rs/templates/post-backup.sh.j2

@@ -0,0 +1,4 @@
+#!/bin/bash -e
+
+rm -f {{ bitwarden_root_dir }}/backup/*
+umount /home/lbkp/bitwarden_rs

roles/unmaintained/bitwarden_rs/templates/pre-backup.sh.j2

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -eo pipefail
+
+mkdir -p /home/lbkp/bitwarden_rs/
+cp {{ bitwarden_root_dir }}/data/rsa* {{ bitwarden_root_dir }}/backup/
+{% if bitwarden_db_engine == 'mysql' %}
+/usr/bin/mysqldump \
+{% if bitwarden_db_server != 'localhost' and bitwarden_db_server != '127.0.0.1' %}
+        --user={{ bitwarden_db_user }} \
+        --password={{ bitwarden_db_pass | quote }} \
+        --host={{ bitwarden_db_server }} \
+{% endif %}
+        --quick --single-transaction \
+        --add-drop-table {{ bitwarden_db_name }} | zstd -T0 -c > {{ bitwarden_root_dir }}/backup/{{ bitwarden_db_name }}.sql.zst
+{% else %}
+sqlite3 {{ bitwarden_root_dir }}/data/db.sqlite3 ".backup '{{ bitwarden_root_dir }}/backup/db.sqlite3'"
+{% endif %}
+mountpoint -q /home/lbkp/bitwarden_rs/ || mount -o bind,ro {{ bitwarden_root_dir }}/backup/ /home/lbkp/bitwarden_rs/