Update to 2021-12-01 19:13

roles/vaultwarden/templates/nginx.conf.j2

@@ -0,0 +1,69 @@
+server {
+  listen 443 ssl http2;
+  server_name {{ vaultwarden_public_url | urlsplit('hostname') }};
+
+  include /etc/nginx/ansible_conf.d/acme.inc;
+
+{% if vaultwarden_cert_path is defined and vaultwarden_key_path is defined %}
+  ssl_certificate     {{ vaultwarden_cert_path }};
+  ssl_certificate_key {{ vaultwarden_key_path }};
+{% elif vaultwarden_letsencrypt_cert is defined and vaultwarden_letsencrypt_cert == True %}
+  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ vaultwarden_public_url | urlsplit('hostname') }}/fullchain.pem;
+  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ vaultwarden_public_url | urlsplit('hostname') }}/privkey.pem;
+{% elif vaultwarden_letsencrypt_cert is string %}
+  ssl_certificate     /var/lib/dehydrated/certificates/certs/{{ vaultwarden_letsencrypt_cert }}/fullchain.pem;
+  ssl_certificate_key /var/lib/dehydrated/certificates/certs/{{ vaultwarden_letsencrypt_cert }}/privkey.pem;
+{% endif %}
+
+  root {{ vaultwarden_root_dir }}/web-vault;
+
+  client_max_body_size 512M;
+
+  if ($request_method !~ ^(GET|POST|HEAD|PUT|DELETE)$ ) {
+    return 405;
+  }
+
+  location /notifications/hub {
+    proxy_pass http://localhost:{{ vaultwarden_ws_port }};
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+  }
+  location /notifications/hub/negotiate {
+    proxy_pass http://localhost:{{ vaultwarden_http_port }};
+  }
+
+  location @proxy {
+    proxy_pass http://localhost:{{ vaultwarden_http_port }};
+  }
+
+  location / {
+    try_files $uri $uri/index.html @proxy;
+  }
+
+  add_header X-Frame-Options "DENY";
+  add_header X-Content-Type-Options "nosniff";
+  add_header X-XSS-Protection "1; mode=block";
+  add_header Strict-Transport-Security "$hsts_header";
+
+  # Send info about the original request to the backend
+  proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
+  proxy_set_header X-Real-IP "$remote_addr";
+  proxy_set_header X-Forwarded-Proto "$scheme";
+  proxy_set_header X-Forwarded-Host "$host";
+  proxy_set_header Host "$host";
+
+  # Set the timeout to read responses from the backend
+  proxy_read_timeout 60s;
+
+  # Enable Keep Alive to the backend
+  proxy_socket_keepalive on;
+
+  # Disable buffering large files
+  proxy_max_temp_file_size 5m;
+
+  allow 127.0.0.1;
+{% for ip in vaultwarden_web_src_ip %}
+  allow {{ ip }};
+{% endfor %}
+  deny all;
+}

roles/vaultwarden/templates/post-backup.sh.j2

@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -f {{ vaultwarden_root_dir }}/backup/*

roles/vaultwarden/templates/pre-backup.sh.j2

@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -eo pipefail
+
+mkdir -p /home/lbkp/vaultwarden/
+cp {{ vaultwarden_root_dir }}/data/rsa* {{ vaultwarden_root_dir }}/backup/
+{% if vaultwarden_db_engine == 'mysql' %}
+/usr/bin/mysqldump \
+{% if vaultwarden_db_server not in ['localhost', '127.0.0.1'] %}
+        --user={{ vaultwarden_db_user }} \
+        --password={{ vaultwarden_db_pass | quote }} \
+        --host={{ vaultwarden_db_server }} \
+{% endif %}
+        --quick --single-transaction \
+        --add-drop-table {{ vaultwarden_db_name }} | zstd -c > {{ vaultwarden_root_dir }}/backup/{{ vaultwarden_db_name }}.sql.zst
+{% else %}
+sqlite3 {{ vaultwarden_root_dir }}/data/db.sqlite3 ".backup '{{ vaultwarden_root_dir }}/backup/db.sqlite3'"
+{% endif %}

roles/vaultwarden/templates/vaultwarden.conf.j2

@@ -0,0 +1,28 @@
+IP_HEADER=X-Forwarded-For
+SIGNUPS_VERIFY=true
+SIGNUPS_ALLOWED={{ vaultwarden_registration | ternary('true','false') }}
+{% if vaultwarden_domains_whitelist | length > 0 %}
+SIGNUPS_DOMAINS_WHITELIST={{ vaultwarden_domains_whitelist | join(',') }}
+{% endif %}
+ADMIN_TOKEN={{ vaultwarden_admin_token }}
+DISABLE_ADMIN_TOKEN={{ vaultwarden_disable_admin_token | ternary('true','false') }}
+DOMAIN={{ vaultwarden_public_url }}
+ROCKET_ENV=prod
+ROCKET_ADDRESS=0.0.0.0
+ROCKET_PORT={{ vaultwarden_http_port }}
+WEBSOCKET_ENABLED=true
+WEBSOCKET_PORT={{ vaultwarden_ws_port }}
+SMTP_HOST=localhost
+SMTP_PORT=25
+SMTP_SSL=false
+SMTP_FROM=vaultwarden-noreply@{{ ansible_domain }}
+{% if vaultwarden_db_engine == 'mysql' %}
+DATABASE_URL=mysql://{{ vaultwarden_db_user }}:{{ vaultwarden_db_pass | urlencode | regex_replace('/','%2F') }}@{{ vaultwarden_db_server }}:{{ vaultwarden_db_port }}/{{ vaultwarden_db_name }}
+ENABLE_DB_WAL=false
+{% else %}
+DATABASE_URL=data/db.sqlite3
+{% endif %}
+{% if vaultwarden_yubico_client_id is defined and vaultwarden_yubico_secret_key is defined %}
+YUBICO_CLIENT_ID={{ vaultwarden_yubico_client_id }}
+YUBICO_SECRET_KEY={{ vaultwarden_yubico_secret_key }}
+{% endif %}

roles/vaultwarden/templates/vaultwarden.service.j2

@@ -0,0 +1,27 @@
+[Unit]
+Description=Bitwarden Server (Rust Edition)
+Documentation=https://github.com/dani-garcia/vaultwarden_rs
+After=network.target
+{% if vaultwarden_db_engine == 'mysql' and (vaultwarden_db_server in ['localhost', '127.0.0.1']) %}
+After=mariadb.service
+Requires=mariadb.service
+{% endif %}
+
+[Service]
+User={{ vaultwarden_user }}
+Group={{ vaultwarden_user }}
+EnvironmentFile={{ vaultwarden_root_dir }}/etc/vaultwarden.conf
+ExecStart={{ vaultwarden_root_dir }}/bin/vaultwarden
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=full
+WorkingDirectory={{ vaultwarden_root_dir }}
+ReadWriteDirectories={{ vaultwarden_root_dir }}/data
+ReadOnlyDirectories={{ vaultwarden_root_dir }}/etc {{ vaultwarden_root_dir }}/web-vault
+Restart=on-failure
+StartLimitInterval=0
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target