Update to 2021-12-01 19:13

roles/vaultwarden/tasks/archive_post.yml

@@ -0,0 +1,12 @@
+---
+
+- name: Compress previous version
+  command: tar cJf {{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }}.txz ./
+  args:
+    warn: False
+    chdir: "{{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }}"
+  tags: vaultwarden
+
+- name: Remove archive dir
+  file: path={{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }} state=absent
+  tags: vaultwarden

roles/vaultwarden/tasks/archive_pre.yml

@@ -0,0 +1,38 @@
+---
+
+- name: Create archive dir
+  file: path={{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }} state=directory
+  tags: vaultwarden
+
+- name: Stop vaultwarden during upgrade
+  service: name=vaultwarden state=stopped
+  tags: vaultwarden
+
+- name: Archive current version
+  synchronize:
+    src: "{{ vaultwarden_root_dir }}/{{ item }}"
+    dest: "{{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }}/"
+    recursive: True
+    delete: True
+  delegate_to: "{{ inventory_hostname }}"
+  loop:
+    - bin
+    - data
+    - etc
+    - web-vault
+  tags: vaultwarden
+
+- name: Dump the database
+  mysql_db:
+    state: dump
+    name: "{{ vaultwarden_db_name }}"
+    target: "{{ vaultwarden_root_dir }}/archives/{{ vaultwarden_current_version }}+{{ vaultwarden_web_current_version }}/{{ vaultwarden_db_name }}.sql.xz"
+    login_host: "{{ vaultwarden_db_server }}"
+    login_user: "{{ vaultwarden_db_user }}"
+    login_password: "{{ vaultwarden_db_pass }}"
+    quick: True
+    single_transaction: True
+  environment:
+    XZ_OPT: -T0
+  when: vaultwarden_db_engine == 'mysql'
+  tags: vaultwarden

roles/vaultwarden/tasks/cleanup.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Remove temp files
+  file: path={{ item }} state=absent
+  loop:
+    - "{{ vaultwarden_root_dir }}/tmp/vaultwarden-{{ vaultwarden_version }}"
+    - "{{ vaultwarden_root_dir }}/tmp/vaultwarden-{{ vaultwarden_version }}.tar.gz"
+    - "{{ vaultwarden_root_dir }}/tmp/web-vault"
+    - "{{ vaultwarden_root_dir }}/tmp/bw_web_v{{ vaultwarden_web_version }}.tar.gz"
+  tags: vaultwarden

roles/vaultwarden/tasks/conf.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Deploy configuration
+  template: src=vaultwarden.conf.j2 dest={{ vaultwarden_root_dir }}/etc/vaultwarden.conf group={{ vaultwarden_user }} mode=640
+  notify: restart vaultwarden
+  tags: vaultwarden
+
+- name: Deploy nginx configuration
+  template: src=nginx.conf.j2 dest=/etc/nginx/ansible_conf.d/31-vaultwarden.conf
+  notify: reload nginx
+  tags: vaultwarden

roles/vaultwarden/tasks/directories.yml

@@ -0,0 +1,25 @@
+---
+
+- name: Create directories
+  file: path={{ vaultwarden_root_dir }}/{{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: /
+      mode: 755
+    - dir: etc
+      group: "{{ vaultwarden_user }}"
+      mode: 750
+    - dir: tmp
+      mode: 700
+    - dir: meta
+      mode: 700
+    - dir: archives
+      mode: 700
+    - dir: data
+      owner: "{{ vaultwarden_user }}"
+      group: "{{ vaultwarden_user }}"
+      mode: 700
+    - dir: web-vault
+    - dir: bin
+    - dir: backup
+      mode: 700
+  tags: vaultwarden

roles/vaultwarden/tasks/facts.yml

@@ -0,0 +1,74 @@
+---
+
+- name: Set initial install modes
+  block:
+    - set_fact: vaultwarden_install_mode='none'
+    - set_fact: vaultwarden_current_version=''
+    - set_fact: vaultwarden_web_install_mode='none'
+    - set_fact: vaultwarden_web_current_version=''
+  tags: vaultwarden
+
+- name: Check if we need to migrate from bitwarden_rs
+  block:
+    - stat: path=/etc/systemd/system/bitwarden_rs.service
+      register: vaultwarden_bitwarden_unit
+    - set_fact: vaultwarden_migrate_from_bitwarden={{ vaultwarden_bitwarden_unit.stat.exists }}
+  tags: vaultwarden
+
+- name: Check if server is installed
+  stat: path={{ vaultwarden_root_dir }}/meta/ansible_version
+  register: vaultwarden_version_file
+  tags: vaultwarden
+
+- when: vaultwarden_version_file.stat.exists
+  block:
+    - name: Check installed version
+      slurp: src={{ vaultwarden_root_dir }}/meta/ansible_version
+      register: vaultwarden_current_version
+    - set_fact: vaultwarden_current_version={{ vaultwarden_current_version.content | b64decode | trim }}
+    - set_fact: vaultwarden_install_mode='upgrade'
+      when: vaultwarden_current_version != vaultwarden_version
+  tags: vaultwarden
+
+- when: not vaultwarden_version_file.stat.exists
+  block:
+    - set_fact: vaultwarden_install_mode='install'
+  tags: vaultwarden
+
+- name: Check if web vault is installed
+  stat: path={{ vaultwarden_root_dir }}/meta/ansible_web_version
+  register: vaultwarden_web_version_file
+  tags: vaultwarden
+
+- when: vaultwarden_web_version_file.stat.exists
+  block:
+    - name: Check installed version
+      slurp: src={{ vaultwarden_root_dir }}/meta/ansible_web_version
+      register: vaultwarden_web_current_version
+    - set_fact: vaultwarden_web_current_version={{ vaultwarden_web_current_version.content | b64decode | trim }}
+    - set_fact: vaultwarden_web_install_mode='upgrade'
+      when: vaultwarden_web_current_version != vaultwarden_web_version
+  tags: vaultwarden
+
+- when: not vaultwarden_web_version_file.stat.exists
+  block:
+    - set_fact: vaultwarden_web_install_mode='install'
+  tags: vaultwarden
+
+- when: vaultwarden_admin_token is not defined
+  name: Generate a random admin token
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ vaultwarden_root_dir }}/meta/ansible_admin_token"
+    - set_fact: vaultwarden_admin_token={{ rand_pass }}
+  tags: vaultwarden
+
+- when: vaultwarden_db_pass is not defined
+  tags: vaultwarden
+  block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ vaultwarden_root_dir }}/meta/ansible_dbpass"
+    - set_fact: vaultwarden_db_pass={{ rand_pass }}
+

roles/vaultwarden/tasks/install.yml

@@ -0,0 +1,109 @@
+---
+
+- name: Install needed packages
+  yum:
+    name:
+      - openssl-devel
+      - gcc
+      - sqlite
+  tags: vaultwarden
+
+- name: Check if MariaDB version is set
+  fail: msg="Need to define mysql_mariadb_version"
+  when:
+    - vaultwarden_db_engine == 'mysql'
+    - mysql_mariadb_version is not defined or mysql_mariadb_version == 'default'
+    - ansible_os_family == 'RedHat'
+    - ansible_distribution_major_version is version('8','<')
+  tags: vaultwarden
+
+- name: Install MariaDB devel package
+  yum:
+    name:
+      - mariadb-devel
+  when: vaultwarden_db_engine == 'mysql'
+  tags: vaultwarden
+
+  # With upstream MariaDB repo, /usr/lib64/libmariadb.so is in MariaDB-shared not in MariaDB-devel
+- name: Install MariaDB shared libs
+  yum:
+    name:
+      - MariaDB-shared
+  when:
+    - vaultwarden_db_engine == 'mysql'
+    - mysql_mariadb_version is defined
+    - mysql_mariadb_version != 'default'
+  tags: vaultwarden
+
+- when: vaultwarden_install_mode != 'none'
+  tags: vaultwarden
+  block:
+    - name: Download vaultwarden
+      get_url:
+        url: "{{ vaultwarden_archive_url }}"
+        dest: "{{ vaultwarden_root_dir }}/tmp"
+        checksum: sha1:{{ vaultwarden_archive_sha1 }}
+
+    - name: Extract vaultwarden archive
+      unarchive:
+        src: "{{ vaultwarden_root_dir }}/tmp/vaultwarden-{{ vaultwarden_version }}.tar.gz"
+        dest: "{{ vaultwarden_root_dir }}/tmp"
+        remote_src: True
+  
+    - name: Build vaultwarden
+      command: bash -lc 'cargo build --features={{ (vaultwarden_db_engine == "mysql") | ternary("mysql","sqlite") }} --release'
+      args:
+        chdir: "{{ vaultwarden_root_dir }}/tmp/vaultwarden-{{ vaultwarden_version }}"
+
+    - name: Install binary
+      copy: src={{ vaultwarden_root_dir }}/tmp/vaultwarden-{{ vaultwarden_version }}/target/release/vaultwarden dest="{{ vaultwarden_root_dir }}/bin/" mode=755 remote_src=True
+      notify: restart vaultwarden
+
+- when: vaultwarden_web_install_mode != 'none'
+  tags: vaultwarden
+  block:
+    - name: Download vaultwarden web vault
+      get_url:
+       url: "{{ vaultwarden_web_archive_url }}"
+       dest: "{{ vaultwarden_root_dir }}/tmp"
+       checksum: sha1:{{ vaultwarden_web_archive_sha1 }}
+
+    - name: Extract the archive
+      unarchive:
+        src: "{{ vaultwarden_root_dir }}/tmp/bw_web_v{{ vaultwarden_web_version }}.tar.gz"
+        dest: "{{ vaultwarden_root_dir }}/tmp"
+        remote_src: True
+
+    - name: Move files to their final location
+      synchronize:
+        src: "{{ vaultwarden_root_dir }}/tmp/web-vault/"
+        dest: "{{ vaultwarden_root_dir }}/web-vault/"
+        recursive: True
+        delete: True
+      delegate_to: "{{ inventory_hostname }}"
+
+- name: Install systemd unit
+  template: src=vaultwarden.service.j2 dest=/etc/systemd/system/vaultwarden.service
+  register: vaultwarden_unit
+  tags: vaultwarden
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: vaultwarden_unit.changed
+  tags: vaultwarden
+
+- name: Install pre/post backup hooks
+  template: src={{ item }}-backup.sh.j2 dest=/etc/backup/{{ item }}.d/vaultwarden.sh mode=755
+  loop:
+    - pre
+    - post
+  tags: vaultwarden
+
+- import_tasks: ../includes/webapps_create_mysql_db.yml
+  vars:
+    - db_name: "{{ vaultwarden_db_name }}"
+    - db_user: "{{ vaultwarden_db_user }}"
+    - db_server: "{{ vaultwarden_db_server }}"
+    - db_pass: "{{ vaultwarden_db_pass }}"
+  when: vaultwarden_db_engine == 'mysql'
+  tags: vaultwarden

roles/vaultwarden/tasks/iptables.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Handle vaultwarden ports in the firewall
+  iptables_raw:
+    name: vaultwarden
+    state: "{{ (vaultwarden_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -m multiport -p tcp --dports {{ vaultwarden_http_port }},{{ vaultwarden_ws_port }} -s {{ vaultwarden_src_ip | join(',') }} -j ACCEPT"
+  tags: firewall,vaultwarden

roles/vaultwarden/tasks/main.yml

@@ -0,0 +1,18 @@
+---
+
+- include: user.yml
+- include: directories.yml
+- include: facts.yml
+- include: archive_pre.yml
+  when: vaultwarden_install_mode == 'upgrade' or vaultwarden_web_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: migrate_bitwarden_rs.yml
+  when: vaultwarden_migrate_from_bitwarden
+- include: iptables.yml
+  when: iptables_manage | default(True)
+- include: service.yml
+- include: write_version.yml
+- include: archive_post.yml
+  when: vaultwarden_install_mode == 'upgrade' or vaultwarden_web_install_mode == 'upgrade'
+- include: cleanup.yml

roles/vaultwarden/tasks/migrate_bitwarden_rs.yml

@@ -0,0 +1,73 @@
+---
+
+- name: Set bitwarden facts
+  block:
+    - set_fact: bitwarden_root_dir={{ bitwarden_root_dir | default('/opt/bitwarden_rs') }}
+    - set_fact: bitwarden_db_name={{ bitwarden_db_name | default('bitwardenrs') }}
+  tags: vaultwarden
+
+- name: Check if SQLite DB exists
+  stat: path={{ bitwarden_root_dir }}/data/db.sqlite3
+  register: vaultwarden_bitwarden_sqlite
+  tags: vaultwarden
+
+- name: Stop the old service
+  service: name=bitwarden_rs state=stopped
+  tags: vaultwarden
+
+- name: Migrate data dir
+  synchronize:
+    src: "{{ bitwarden_root_dir }}/data/"
+    dest: "{{ vaultwarden_root_dir }}/data/"
+    compress: False
+    recursive: True
+  delegate_to: "{{ inventory_hostname }}"
+  tags: vaultwarden
+
+- name: Fix permissions on vaultwarden data dir
+  file: path={{ vaultwarden_root_dir }}/data/ recurse=True owner={{ vaultwarden_user }} group={{ vaultwarden_user }}
+  tags: vaultwarden
+
+# We assume vaultwarden was configured the same way bitwarden was, same db engine, db server etc.
+# So here we just dump the database and inject the dump in the new DB
+- when: vaultwarden_db_engine == 'mysql'
+  block:
+    # Dump the database of Bitwarden_RS
+    - mysql_db:
+        state: dump
+        name: "{{ bitwarden_db_name }}"
+        target: "{{ vaultwarden_root_dir }}/tmp/bitwardenrs.sql.xz"
+        login_host: "{{ vaultwarden_db_server }}"
+        login_user: sqladmin
+        login_password: "{{ mysql_admin_pass }}"
+        quick: True
+        single_transaction: True
+
+    # Inject the dump in the new vaultwarden database
+    - mysql_db:
+        state: import
+        name: "{{ vaultwarden_db_name }}"
+        target: "{{ vaultwarden_root_dir }}/tmp/bitwardenrs.sql.xz"
+        login_host: "{{ vaultwarden_db_server }}"
+        login_user: sqladmin
+        login_password: "{{ mysql_admin_pass }}"
+
+  tags: vaultwarden
+
+- name: Cleanup files
+  file: path={{ item }} state=absent
+  loop:
+    - /etc/systemd/system/bitwarden_rs.service
+    - /etc/nginx/ansible_conf.d/31-bitwarden.conf
+    - /etc/backup/pre.d/bitwarden_rs.sh
+    - /etc/backup/post.d/bitwarden_rs.sh
+    - "{{ vaultwarden_root_dir }}/tmp/bitwardenrs.sql.xz"
+  notify: reload nginx
+  tags: vaultwarden
+
+- name: Remove old iptables rules
+  iptables_raw:
+    name: bitwarden_rs
+    state: absent
+  when: iptables_manage | default(True)
+  tags: vaultwarden

roles/vaultwarden/tasks/service.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Start and enable the service
+  service: name=vaultwarden state=started enabled=True
+  register: vaultwarden_started
+  tags: vaultwarden

roles/vaultwarden/tasks/user.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Create vaultwarden user
+  user: name={{ vaultwarden_user }} home={{ vaultwarden_root_dir }} system=True
+  tags: vaultwarden

roles/vaultwarden/tasks/write_version.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Write versions
+  copy: content={{ item.version }} dest={{ vaultwarden_root_dir }}/meta/{{ item.file }}
+  loop:
+    - version: "{{ vaultwarden_version }}"
+      file: ansible_version
+    - version: "{{ vaultwarden_web_version }}"
+      file: ansible_web_version
+  tags: vaultwarden