Add Vaultwarden
authoralex <alex@pdp7.net>
Sat, 11 Oct 2025 16:55:29 +0000 (18:55 +0200)
committeralex <alex@pdp7.net>
Sat, 11 Oct 2025 16:55:29 +0000 (18:55 +0200)
infrastructure/roles/vaultwarden/handlers/main.yaml [new file with mode: 0644]
infrastructure/roles/vaultwarden/tasks/main.yaml [new file with mode: 0644]
infrastructure/roles/web/tasks/main.yaml
infrastructure/site.yaml

diff --git a/infrastructure/roles/vaultwarden/handlers/main.yaml b/infrastructure/roles/vaultwarden/handlers/main.yaml
new file mode 100644 (file)
index 0000000..00c03ee
--- /dev/null
@@ -0,0 +1,4 @@
+- name: restart quadlet
+  ansible.builtin.systemd_service:
+    name: vaultwarden.service
+    state: restarted
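Review bot: The handler name `restart quadlet` is generic, and Ansible resolves handler names across the whole play, so a second role that ships its own quadlet and reuses the name would collide with this one. Naming it after the unit, `- name: restart vaultwarden`, avoids that; the `notify:` entries in `roles/vaultwarden/tasks/main.yaml` would need the same change. The `systemd daemon reload` handler that those tasks also notify is not defined in this file, so it presumably comes from the `systemd` role listed earlier in `site.yaml`; a short comment saying so would make the dependency explicit.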
diff --git a/infrastructure/roles/vaultwarden/tasks/main.yaml b/infrastructure/roles/vaultwarden/tasks/main.yaml
new file mode 100644 (file)
index 0000000..746696e
--- /dev/null
@@ -0,0 +1,37 @@
+- name: create quadlet
+  ansible.builtin.copy:
+    dest: /etc/containers/systemd/vaultwarden.container
+    content: |
+      [Unit]
+      After=network-online.target
+
+      [Container]
+      AutoUpdate=registry
+      Image=ghcr.io/dani-garcia/vaultwarden:latest
+      Exec=/start.sh
+      EnvironmentFile=vaultwarden.environment
+      Volume=/var/lib/vaultwarden/:/data/
+      PublishPort=127.0.0.1:8080:80
+
+      [Install]
+      WantedBy=default.target
+  notify:
+    - systemd daemon reload
+    - restart quadlet
+- name: create environment
+  ansible.builtin.copy:
+    dest: /etc/containers/systemd/vaultwarden.environment
+    content: |
+      DOMAIN=https://{{ public_hostname }}/vaultwarden
+  notify:
+    - restart quadlet
+- name: create storage
+  ansible.builtin.file:
+    name: /var/lib/vaultwarden
+    state: directory
+- meta: flush_handlers
+- name: enable quadlet
+  ansible.builtin.systemd_service:
+    name: vaultwarden.service
+    enabled: true
+    state: started
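Review bot: The quadlet combines `Image=ghcr.io/dani-garcia/vaultwarden:latest` with `AutoUpdate=registry`, so whatever is published under that mutable tag replaces the password manager whenever podman auto-update runs, without review. Pinning a release tag, e.g. `Image=ghcr.io/dani-garcia/vaultwarden:<pinned-version>`, and bumping it in this repository keeps upgrades deliberate and auditable. Separately, neither `create storage` nor `create environment` sets ownership or permissions, so both take whatever the remote umask yields. The directory is mounted as the container's `/data`, and the environment file is where secrets such as an admin token would later go. I would add `mode: "0700"` to `create storage` and `mode: "0600"` to `create environment`, with explicit `owner: root` and `group: root`, assuming the container keeps running as root as configured here.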
index 9ef0a151da1e577f40bbab40f7db7b950ec4fb94..51cef33ffa7e4e19f80a74c2e8bc893ab7bd05d7 100644 (file)
     cmd: a2enmod userdir
     creates: /etc/apache2/mods-enabled/userdir.load
   notify: restart web
+- name: enable mod_proxy_http
+  ansible.builtin.command:
+    cmd: a2enmod proxy_http
+    creates: /etc/apache2/mods-enabled/proxy_http.load
+  notify: restart web
+- name: enable mod_headers
+  ansible.builtin.command:
+    cmd: a2enmod headers
+    creates: /etc/apache2/mods-enabled/headers.load
+  notify: restart web
 - name: ssl site
   ansible.builtin.copy:
     dest: /etc/apache2/sites-enabled/ssl.conf
         ServerName {{ public_hostname_punycode }}
         SSLEngine on
         ServerAdmin {{ admin_email }}
+
+        <Location /vaultwarden/>
+          ProxyPass http://127.0.0.1:8080/vaultwarden/
+          ProxyPreserveHost On
+          RequestHeader set X-Real-IP %{REMOTE_ADDR}s
+        </Location>
       </VirtualHost>
   notify: restart web
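Review bot: The new `<Location /vaultwarden/>` block puts the instance on the public TLS vhost, but the environment file written by the vaultwarden role in this commit contains only `DOMAIN=...`, so registration and the other access settings stay at Vaultwarden's defaults. As far as I know, the default lets anyone who can reach the URL create an account. If that is not intended, add `SIGNUPS_ALLOWED=false` to `vaultwarden.environment` once the expected accounts exist. `RequestHeader set` overwrites any client-supplied `X-Real-IP`, which deserves a one-line comment such as `# set (not add): discard client-supplied X-Real-IP` so it is not later relaxed. The enclosing `<VirtualHost>` and its `content:` block start outside this hunk, so access controls defined there are not visible here.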
index acbdc7e7462d8486350fdf1dd71276f2a2428ec1..12e4b2d2286e31f4f3f99faa16a4fdeeb0a8b3b9 100644 (file)
@@ -7,3 +7,4 @@
     - systemd
     - git
     - podman
+    - vaultwarden