Update to 2021-12-01 19:13

roles/vaultwarden/defaults/main.yml

@@ -0,0 +1,49 @@
+---
+
+vaultwarden_version: 1.23.0
+vaultwarden_archive_url: https://github.com/dani-garcia/vaultwarden/archive/{{ vaultwarden_version }}.tar.gz
+vaultwarden_archive_sha1: 76c83155bb4e7bf7b998dcd0853145ac96202dcd
+
+vaultwarden_web_version: 2.24.1
+vaultwarden_web_archive_url: https://github.com/dani-garcia/bw_web_builds/releases/download/v{{ vaultwarden_web_version }}/bw_web_v{{ vaultwarden_web_version }}.tar.gz
+vaultwarden_web_archive_sha1: 63efb8146ef6e5482cf711eb4abdc36432b15af5
+
+vaultwarden_root_dir: /opt/vaultwarden
+vaultwarden_user: vaultwarden
+
+# Database : can be sqlite or mysql
+vaultwarden_db_engine: sqlite
+vaultwarden_db_server: "{{ mysql_server | default('localhost') }}"
+vaultwarden_db_port: 3306
+vaultwarden_db_name: vaultwarden
+vaultwarden_db_user: vaultwarden
+# A random one will be created if not defined
+# bitwaren_db_pass: S3cr3t.
+
+# Port on which vaultwarden will bind
+vaultwarden_http_port: 8000
+vaultwarden_ws_port: 8001
+# List of IP addresses (can be CIDR notation) which will be able to
+# access vaultwarden ports
+vaultwarden_src_ip: []
+vaultwarden_web_src_ip: []
+
+# Public URL on which vaultwarden will be accessible
+vaultwarden_public_url: http://{{ inventory_hostname }}:{{ vaultwarden_http_port }}
+
+# Should registration be enabled
+vaultwarden_registration: False
+# List of domain names for which registration will be accepted
+# Those domains will be accepted for registration even if vaultwarden_registration is set to False
+vaultwarden_domains_whitelist:
+  - "{{ ansible_domain }}"
+
+# Admin Token to access /admin. A random one is created if not defined
+# vaultwarden_admin_token: S3cr3t.
+
+# Or you can just disable the admin token. But you have to protect /admin yourself (eg, on a reverse proxy)
+vaultwarden_disable_admin_token: False
+
+# YubiKey settings
+# vaultwarden_yubico_client_id: XXXX
+# vaultwarden_yubico_secret_key: XXXX

roles/vaultwarden/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+
+- name: restart vaultwarden
+  service: name=vaultwarden state=restarted
+  when: not vaultwarden_started.changed

roles/vaultwarden/meta/main.yml

@@ -0,0 +1,9 @@
+---
+
+dependencies:
+  - role: rust
+  - role: nginx
+  - role: repo_mariadb
+    when: vaultwarden_db_engine == 'mysql'
+  - role: mysql_server
+    when: vaultwarden_db_engine == 'mysql' and (vaultwarden_db_server in ['localhost', '127.0.0.1'])

roles/vaultwarden/tasks/archive_post.yml

@@ -0,0 +1,12 @@
+---
+
+- name: Compress previous version
+  command: tar cJf {{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }}.txz ./
+  args:
+    warn: False
+    chdir: "{{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }}"
+  tags: vaultwarden
+
+- name: Remove archive dir
+  file: path={{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }} state=absent
+  tags: vaultwarden

roles/vaultwarden/tasks/archive_pre.yml

@@ -0,0 +1,38 @@
+---
+
+- name: Create archive dir
+  file: path={{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }} state=directory
+  tags: vaultwarden
+
+- name: Stop vaultwarden during upgrade
+  service: name=vaultwarden state=stopped
+  tags: vaultwarden
+
+- name: Archive current version
+  synchronize:
+    src: "{{ vaultwarden_root_dir }}/{{ item }}"
+    dest: "{{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }}/"
+    recursive: True
+    delete: True
+  delegate_to: "{{ inventory_hostname }}"
+  loop:
+    - bin
+    - data
+    - etc
+    - web-vault
+  tags: vaultwarden
+
+- name: Dump the database
+  mysql_db:
+    state: dump
+    name: "{{ vaultwarden_db_name }}"
+    target: "{{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }}/{{ vaultwarden_db_name }}.sql.xz"
+    login_host: "{{ vaultwarden_db_server }}"
+    login_user: "{{ vaultwarden_db_user }}"
+    login_password: "{{ vaultwarden_db_pass }}"
+    quick: True
+    single_transaction: True
+  environment:
+    XZ_OPT: -T0
+  when: vaultwarden_db_engine == 'mysql'
+  tags: vaultwarden

roles/vaultwarden/tasks/cleanup.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Remove temp files
+  file: path={{ item }} state=absent
+  loop:
+    - "{{ vaultwarden_root_dir }}/tmp/vaultwarden-{{ vaultwarden_version }}"
+    - "{{ vaultwarden_root_dir }}/tmp/vaultwarden-{{ vaultwarden_version }}.tar.gz"
+    - "{{ vaultwarden_root_dir }}/tmp/web-vault"
+    - "{{ vaultwarden_root_dir }}/tmp/bw_web_v{{ vaultwarden_web_version }}.tar.gz"
+  tags: vaultwarden

roles/vaultwarden/tasks/conf.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Deploy configuration
+  template: src=vaultwarden.conf.j2 dest={{ vaultwarden_root_dir }}/etc/vaultwarden.conf group={{ vaultwarden_user }} mode=640
+  notify: restart vaultwarden
+  tags: vaultwarden
+
+- name: Deploy nginx configuration
+  template: src=nginx.conf.j2 dest=/etc/nginx/ansible_conf.d/31-vaultwarden.conf
+  notify: reload nginx
+  tags: vaultwarden

roles/vaultwarden/tasks/directories.yml

@@ -0,0 +1,25 @@
+---
+
+- name: Create directories
+  file: path={{ vaultwarden_root_dir }}/{{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: /
+      mode: 755
+    - dir: etc
+      group: "{{ vaultwarden_user }}"
+      mode: 750
+    - dir: tmp
+      mode: 700
+    - dir: meta
+      mode: 700
+    - dir: archives
+      mode: 700
+    - dir: data
+      owner: "{{ vaultwarden_user }}"
+      group: "{{ vaultwarden_user }}"
+      mode: 700
+    - dir: web-vault
+    - dir: bin
+    - dir: backup
+      mode: 700
+  tags: vaultwarden

roles/vaultwarden/tasks/facts.yml

@@ -0,0 +1,74 @@
+---
+
+- name: Set initial install modes
+  block:
+    - set_fact: vaultwarden_install_mode='none'
+    - set_fact: vaultwarden_current_version=''
+    - set_fact: vaultwarden_web_install_mode='none'
+    - set_fact: vaultwarden_web_current_version=''
+  tags: vaultwarden
+
+- name: Check if we need to migrate from bitwarden_rs
+  block:
+    - stat: path=/etc/systemd/system/bitwarden_rs.service
+      register: vaultwarden_bitwarden_unit
+    - set_fact: vaultwarden_migrate_from_bitwarden={{ vaultwarden_bitwarden_unit.stat.exists }}
+  tags: vaultwarden
+
+- name: Check if server is installed
+  stat: path={{ vaultwarden_root_dir }}/meta/ansible_version
+  register: vaultwarden_version_file
+  tags: vaultwarden
+
+- when: vaultwarden_version_file.stat.exists
+  block:
+    - name: Check installed version
+      slurp: src={{ vaultwarden_root_dir }}/meta/ansible_version
+      register: vaultwarden_current_version
+    - set_fact: vaultwarden_current_version={{ vaultwarden_current_version.content | b64decode | trim }}
+    - set_fact: vaultwarden_install_mode='upgrade'
+      when: vaultwarden_current_version != vaultwarden_version
+  tags: vaultwarden
+
+- when: not vaultwarden_version_file.stat.exists
+  block:
+    - set_fact: vaultwarden_install_mode='install'
+  tags: vaultwarden
+
+- name: Check if web vault is installed
+  stat: path={{ vaultwarden_root_dir }}/meta/ansible_web_version
+  register: vaultwarden_web_version_file
+  tags: vaultwarden
+
+- when: vaultwarden_web_version_file.stat.exists
+  block:
+    - name: Check installed version
+      slurp: src={{ vaultwarden_root_dir }}/meta/ansible_web_version
+      register: vaultwarden_web_current_version
+    - set_fact: vaultwarden_web_current_version={{ vaultwarden_web_current_version.content | b64decode | trim }}
+    - set_fact: vaultwarden_web_install_mode='upgrade'
+      when: vaultwarden_web_current_version != vaultwarden_web_version
+  tags: vaultwarden
+
+- when: not vaultwarden_web_version_file.stat.exists
+  block:
+    - set_fact: vaultwarden_web_install_mode='install'
+  tags: vaultwarden
+
+- when: vaultwarden_admin_token is not defined
+  name: Generate a random admin token
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ vaultwarden_root_dir }}/meta/ansible_admin_token"
+    - set_fact: vaultwarden_admin_token={{ rand_pass }}
+  tags: vaultwarden
+
+- when: vaultwarden_db_pass is not defined
+  tags: vaultwarden
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ vaultwarden_root_dir }}/meta/ansible_dbpass"
+    - set_fact: vaultwarden_db_pass={{ rand_pass }}
+

roles/vaultwarden/tasks/install.yml

@@ -0,0 +1,109 @@
+---
+
+- name: Install needed packages
+  yum:
+    name:
+      - openssl-devel
+      - gcc
+      - sqlite
+  tags: vaultwarden
+
+- name: Check if MariaDB version is set
+  fail: msg="Need to define mysql_mariadb_version"
+  when:
+    - vaultwarden_db_engine == 'mysql'
+    - mysql_mariadb_version is not defined or mysql_mariadb_version == 'default'
+    - ansible_os_family == 'RedHat'
+    - ansible_distribution_major_version is version('8','<')
+  tags: vaultwarden
+
+- name: Install MariaDB devel package
+  yum:
+    name:
+      - mariadb-devel
+  when: vaultwarden_db_engine == 'mysql'
+  tags: vaultwarden
+
+  # With upstream MariaDB repo, /usr/lib64/libmariadb.so is in MariaDB-shared not in MariaDB-devel
+- name: Install MariaDB shared libs
+  yum:
+    name:
+      - MariaDB-shared
+  when:
+    - vaultwarden_db_engine == 'mysql'
+    - mysql_mariadb_version is defined
+    - mysql_mariadb_version != 'default'
+  tags: vaultwarden
+
+- when: vaultwarden_install_mode != 'none'
+  tags: vaultwarden
+  block:
+    - name: Download vaultwarden
+      get_url:
+        url: "{{ vaultwarden_archive_url }}"
+        dest: "{{ vaultwarden_root_dir }}/tmp"
+        checksum: sha1:{{ vaultwarden_archive_sha1 }}
+
+    - name: Extract vaultwarden archive
+      unarchive:
+        src: "{{ vaultwarden_root_dir }}/tmp/vaultwarden-{{ vaultwarden_version }}.tar.gz"
+        dest: "{{ vaultwarden_root_dir }}/tmp"
+        remote_src: True
+  
+    - name: Build vaultwarden
+      command: bash -lc 'cargo build --features={{ (vaultwarden_db_engine == "mysql") | ternary("mysql","sqlite") }} --release'
+      args:
+        chdir: "{{ vaultwarden_root_dir }}/tmp/vaultwarden-{{ vaultwarden_version }}"
+
+    - name: Install binary
+      copy: src={{ vaultwarden_root_dir }}/tmp/vaultwarden-{{ vaultwarden_version }}/target/release/vaultwarden dest="{{ vaultwarden_root_dir }}/bin/" mode=755 remote_src=True
+      notify: restart vaultwarden
+
+- when: vaultwarden_web_install_mode != 'none'
+  tags: vaultwarden
+  block:
+    - name: Download vaultwarden web vault
+      get_url:
+       url: "{{ vaultwarden_web_archive_url }}"
+       dest: "{{ vaultwarden_root_dir }}/tmp"
+       checksum: sha1:{{ vaultwarden_web_archive_sha1 }}
+
+    - name: Extract the archive
+      unarchive:
+        src: "{{ vaultwarden_root_dir }}/tmp/bw_web_v{{ vaultwarden_web_version }}.tar.gz"
+        dest: "{{ vaultwarden_root_dir }}/tmp"
+        remote_src: True
+
+    - name: Move files to their final location
+      synchronize:
+        src: "{{ vaultwarden_root_dir }}/tmp/web-vault/"
+        dest: "{{ vaultwarden_root_dir }}/web-vault/"
+        recursive: True
+        delete: True
+      delegate_to: "{{ inventory_hostname }}"
+
+- name: Install systemd unit
+  template: src=vaultwarden.service.j2 dest=/etc/systemd/system/vaultwarden.service
+  register: vaultwarden_unit
+  tags: vaultwarden
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: vaultwarden_unit.changed
+  tags: vaultwarden
+
+- name: Install pre/post backup hooks
+  template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/vaultwarden.sh mode=755
+  loop:
+    - pre
+    - post
+  tags: vaultwarden
+
+- import_tasks: ../includes/webapps_create_mysql_db.yml
+  vars:
+    - db_name: "{{ vaultwarden_db_name }}"
+    - db_user: "{{ vaultwarden_db_user }}"
+    - db_server: "{{ vaultwarden_db_server }}"
+    - db_pass: "{{ vaultwarden_db_pass }}"
+  when: vaultwarden_db_engine == 'mysql'
+  tags: vaultwarden

roles/vaultwarden/tasks/iptables.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Handle vaultwarden ports in the firewall
+  iptables_raw:
+    name: vaultwarden
+    state: "{{ (vaultwarden_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -m multiport -p tcp --dports {{ vaultwarden_http_port }},{{ vaultwarden_ws_port }} -s {{ vaultwarden_src_ip | join(',') }} -j ACCEPT"
+  tags: firewall,vaultwarden

roles/vaultwarden/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+  when: vaultwarden_install_mode == 'upgrade' or vaultwarden_web_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: migrate_bitwarden_rs.yml
+  when: vaultwarden_migrate_from_bitwarden
+- include: iptables.yml
+  when: iptables_manage | default(True)
+- include: service.yml
+- include: write_version.yml
+- include: archive_post.yml
+  when: vaultwarden_install_mode == 'upgrade' or vaultwarden_web_install_mode == 'upgrade'
+- include: cleanup.yml

roles/vaultwarden/tasks/migrate_bitwarden_rs.yml

@@ -0,0 +1,73 @@
+---
+
+- name: Set bitwarden facts
+  block:
+    - set_fact: bitwarden_root_dir={{ bitwarden_root_dir | default('/opt/bitwarden_rs') }}
+    - set_fact: bitwarden_db_name={{ bitwarden_db_name | default('bitwardenrs') }}
+  tags: vaultwarden
+
+- name: Check if SQLite DB exists
+  stat: path={{ bitwarden_root_dir }}/data/db.sqlite3
+  register: vaultwarden_bitwarden_sqlite
+  tags: vaultwarden
+
+- name: Stop the old service
+  service: name=bitwarden_rs state=stopped
+  tags: vaultwarden
+
+- name: Migrate data dir
+  synchronize:
+    src: "{{ bitwarden_root_dir }}/data/"
+    dest: "{{ vaultwarden_root_dir }}/data/"
+    compress: False
+    recursive: True
+  delegate_to: "{{ inventory_hostname }}"
+  tags: vaultwarden
+
+- name: Fix permissions on vaultwarden data dir
+  file: path={{ vaultwarden_root_dir }}/data/ recurse=True owner={{ vaultwarden_user }} group={{ vaultwarden_user }}
+  tags: vaultwarden
+
+# We assume vaultwarden was configured the same way bitwarden was, same db engine, db server etc.
+# So here we just dump the database and inject the dump in the new DB
+- when: vaultwarden_db_engine == 'mysql'
+  block:
+    # Dump the database of Bitwarden_RS
+    - mysql_db:
+        state: dump
+        name: "{{ bitwarden_db_name }}"
+        target: "{{ vaultwarden_root_dir }}/tmp/bitwardenrs.sql.xz"
+        login_host: "{{ vaultwarden_db_server }}"
+        login_user: sqladmin
+        login_password: "{{ mysql_admin_pass }}"
+        quick: True
+        single_transaction: True
+
+    # Inject the dump in the new vaultwarden database
+    - mysql_db:
+        state: import
+        name: "{{ vaultwarden_db_name }}"
+        target: "{{ vaultwarden_root_dir }}/tmp/bitwardenrs.sql.xz"
+        login_host: "{{ vaultwarden_db_server }}"
+        login_user: sqladmin
+        login_password: "{{ mysql_admin_pass }}"
+
+  tags: vaultwarden
+
+- name: Cleanup files
+  file: path={{ item }} state=absent
+  loop:
+    - /etc/systemd/system/bitwarden_rs.service
+    - /etc/nginx/ansible_conf.d/31-bitwarden.conf
+    - /etc/backup/pre.d/bitwarden_rs.sh
+    - /etc/backup/post.d/bitwarden_rs.sh
+    - "{{ vaultwarden_root_dir }}/tmp/bitwardenrs.sql.xz"
+  notify: reload nginx
+  tags: vaultwarden
+
+- name: Remove old iptables rules
+  iptables_raw:
+    name: bitwarden_rs
+    state: absent
+  when: iptables_manage | default(True)
+  tags: vaultwarden

roles/vaultwarden/tasks/service.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Start and enable the service
+  service: name=vaultwarden state=started enabled=True
+  register: vaultwarden_started
+  tags: vaultwarden

roles/vaultwarden/tasks/user.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Create vaultwarden user
+  user: name={{ vaultwarden_user }} home={{ vaultwarden_root_dir }} system=True
+  tags: vaultwarden

roles/vaultwarden/tasks/write_version.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Write versions
+  copy: content={{ item.version }} dest={{ vaultwarden_root_dir }}/meta/{{ item.file }}
+  loop:
+    - version: "{{ vaultwarden_version }}"
+      file: ansible_version
+    - version: "{{ vaultwarden_web_version }}"
+      file: ansible_web_version
+  tags: vaultwarden

roles/vaultwarden/templates/nginx.conf.j2

@@ -0,0 +1,69 @@
+server {
+  listen 443 ssl http2;
+  server_name {{ vaultwarden_public_url | urlsplit('hostname') }};
+
+  include /etc/nginx/ansible_conf.d/acme.inc;
+
+{% if vaultwarden_cert_path is defined and vaultwarden_key_path is defined %}
+  ssl_certificate     {{ vaultwarden_cert_path }};
+  ssl_certificate_key {{ vaultwarden_key_path }};
+{% elif vaultwarden_letsencrypt_cert is defined and vaultwarden_letsencrypt_cert == True %}
+  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ vaultwarden_public_url | urlsplit('hostname') }}/fullchain.pem;
+  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ vaultwarden_public_url | urlsplit('hostname') }}/privkey.pem;
+{% elif vaultwarden_letsencrypt_cert is string %}
+  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ vaultwarden_letsencrypt_cert }}/fullchain.pem;
+  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ vaultwarden_letsencrypt_cert }}/privkey.pem;
+{% endif %}
+
+  root {{ vaultwarden_root_dir }}/web-vault;
+
+  client_max_body_size 512M;
+
+  if ($request_method !~ ^(GET|POST|HEAD|PUT|DELETE)$ ) {
+    return 405;
+  }
+
+  location /notifications/hub {
+    proxy_pass http://localhost:{{ vaultwarden_ws_port }};
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+  }
+  location /notifications/hub/negotiate {
+    proxy_pass http://localhost:{{ vaultwarden_http_port }};
+  }
+
+  location @proxy {
+    proxy_pass http://localhost:{{ vaultwarden_http_port }};
+  }
+
+  location / {
+    try_files $uri $uri/index.html @proxy;
+  }
+
+  add_header X-Frame-Options "DENY";
+  add_header X-Content-Type-Options "nosniff";
+  add_header X-XSS-Protection "1; mode=block";
+  add_header Strict-Transport-Security "$hsts_header";
+
+  # Send info about the original request to the backend
+  proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
+  proxy_set_header X-Real-IP "$remote_addr";
+  proxy_set_header X-Forwarded-Proto "$scheme";
+  proxy_set_header X-Forwarded-Host "$host";
+  proxy_set_header Host "$host";
+
+  # Set the timeout to read responses from the backend
+  proxy_read_timeout 60s;
+
+  # Enable Keep Alive to the backend
+  proxy_socket_keepalive on;
+
+  # Disable buffering large files
+  proxy_max_temp_file_size 5m;
+
+  allow 127.0.0.1;
+{% for ip in vaultwarden_web_src_ip %}
+  allow {{ ip }};
+{% endfor %}
+  deny all;
+}

roles/vaultwarden/templates/post-backup.sh.j2

@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -f {{ vaultwarden_root_dir }}/backup/*

roles/vaultwarden/templates/pre-backup.sh.j2

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -eo pipefail
+
+mkdir -p /home/lbkp/vaultwarden/
+cp {{ vaultwarden_root_dir }}/data/rsa* {{ vaultwarden_root_dir }}/backup/
+{% if vaultwarden_db_engine == 'mysql' %}
+/usr/bin/mysqldump \
+{% if vaultwarden_db_server not in ['localhost', '127.0.0.1'] %}
+        --user={{ vaultwarden_db_user }} \
+        --password={{ vaultwarden_db_pass | quote }} \
+        --host={{ vaultwarden_db_server }} \
+{% endif %}
+        --quick --single-transaction \
+        --add-drop-table {{ vaultwarden_db_name }} | zstd -c > {{ vaultwarden_root_dir }}/backup/{{ vaultwarden_db_name }}.sql.zst
+{% else %}
+sqlite3 {{ vaultwarden_root_dir }}/data/db.sqlite3 ".backup '{{ vaultwarden_root_dir }}/backup/db.sqlite3'"
+{% endif %}

roles/vaultwarden/templates/vaultwarden.conf.j2

@@ -0,0 +1,28 @@
+IP_HEADER=X-Forwarded-For
+SIGNUPS_VERIFY=true
+SIGNUPS_ALLOWED={{ vaultwarden_registration | ternary('true','false') }}
+{% if vaultwarden_domains_whitelist | length > 0 %}
+SIGNUPS_DOMAINS_WHITELIST={{ vaultwarden_domains_whitelist | join(',') }}
+{% endif %}
+ADMIN_TOKEN={{ vaultwarden_admin_token }}
+DISABLE_ADMIN_TOKEN={{ vaultwarden_disable_admin_token | ternary('true','false') }}
+DOMAIN={{ vaultwarden_public_url }}
+ROCKET_ENV=prod
+ROCKET_ADDRESS=0.0.0.0
+ROCKET_PORT={{ vaultwarden_http_port }}
+WEBSOCKET_ENABLED=true
+WEBSOCKET_PORT={{ vaultwarden_ws_port }}
+SMTP_HOST=localhost
+SMTP_PORT=25
+SMTP_SSL=false
+SMTP_FROM=vaultwarden-noreply@{{ ansible_domain }}
+{% if vaultwarden_db_engine == 'mysql' %}
+DATABASE_URL=mysql://{{ vaultwarden_db_user }}:{{ vaultwarden_db_pass | urlencode | regex_replace('/','%2F') }}@{{ vaultwarden_db_server }}:{{ vaultwarden_db_port }}/{{ vaultwarden_db_name }}
+ENABLE_DB_WAL=false
+{% else %}
+DATABASE_URL=data/db.sqlite3
+{% endif %}
+{% if vaultwarden_yubico_client_id is defined and vaultwarden_yubico_secret_key is defined %}
+YUBICO_CLIENT_ID={{ vaultwarden_yubico_client_id }}
+YUBICO_SECRET_KEY={{ vaultwarden_yubico_secret_key }}
+{% endif %}

roles/vaultwarden/templates/vaultwarden.service.j2

@@ -0,0 +1,27 @@
+[Unit]
+Description=Bitwarden Server (Rust Edition)
+Documentation=https://github.com/dani-garcia/vaultwarden_rs
+After=network.target
+{% if vaultwarden_db_engine == 'mysql' and (vaultwarden_db_server in ['localhost', '127.0.0.1']) %}
+After=mariadb.service
+Requires=mariadb.service
+{% endif %}
+
+[Service]
+User={{ vaultwarden_user }}
+Group={{ vaultwarden_user }}
+EnvironmentFile={{ vaultwarden_root_dir }}/etc/vaultwarden.conf
+ExecStart={{ vaultwarden_root_dir }}/bin/vaultwarden
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
+WorkingDirectory={{ vaultwarden_root_dir }}
+ReadWriteDirectories={{ vaultwarden_root_dir }}/data
+ReadOnlyDirectories={{ vaultwarden_root_dir }}/etc {{ vaultwarden_root_dir }}/web-vault
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target