From: alex
Date: Sat, 11 Oct 2025 16:55:29 +0000 (+0200)
Subject: Add Vaultwarden
X-Git-Url: https://xn--ix-yja.es/gitweb/?a=commitdiff_plain;h=7dd4a64f2f7612efb581c881ca9d59fc8b949663;p=infrastructure.git
Add Vaultwarden
---
diff --git a/infrastructure/roles/vaultwarden/handlers/main.yaml b/infrastructure/roles/vaultwarden/handlers/main.yaml
new file mode 100644
index 0000000..00c03ee
--- /dev/null
+++ b/infrastructure/roles/vaultwarden/handlers/main.yaml
@@ -0,0 +1,4 @@
+- name: restart quadlet
+ ansible.builtin.systemd_service:
+ name: vaultwarden.service
+ state: restarted
diff --git a/infrastructure/roles/vaultwarden/tasks/main.yaml b/infrastructure/roles/vaultwarden/tasks/main.yaml
new file mode 100644
index 0000000..746696e
--- /dev/null
+++ b/infrastructure/roles/vaultwarden/tasks/main.yaml
@@ -0,0 +1,37 @@
+- name: create quadlet
+ ansible.builtin.copy:
+ dest: /etc/containers/systemd/vaultwarden.container
+ content: |
+ [Unit]
+ After=network-online.target
+
+ [Container]
+ AutoUpdate=registry
+ Image=ghcr.io/dani-garcia/vaultwarden:latest
+ Exec=/start.sh
+ EnvironmentFile=vaultwarden.environment
+ Volume=/var/lib/vaultwarden/:/data/
+ PublishPort=127.0.0.1:8080:80
+
+ [Install]
+ WantedBy=default.target
+ notify:
+ - systemd daemon reload
+ - restart quadlet
+- name: create environment
+ ansible.builtin.copy:
+ dest: /etc/containers/systemd/vaultwarden.environment
+ content: |
+ DOMAIN=https://{{ public_hostname }}/vaultwarden
+ notify:
+ - restart quadlet
+- name: create storage
+ ansible.builtin.file:
+ name: /var/lib/vaultwarden
+ state: directory
+- meta: flush_handlers
+- name: enable quadlet
+ ansible.builtin.systemd_service:
+ name: vaultwarden.service
+ enabled: true
+ state: started
diff --git a/infrastructure/roles/web/tasks/main.yaml b/infrastructure/roles/web/tasks/main.yaml
index 9ef0a15..51cef33 100644
--- a/infrastructure/roles/web/tasks/main.yaml
+++ b/infrastructure/roles/web/tasks/main.yaml
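Review bot: In roles/vaultwarden/tasks/main.yaml the quadlet combines `Image=ghcr.io/dani-garcia/vaultwarden:latest` with `AutoUpdate=registry`, so whatever is published under that mutable tag is pulled and run against the password vault without review (assuming the host's podman auto-update timer is enabled); pinning a release tag or digest, e.g. `Image=ghcr.io/dani-garcia/vaultwarden:<VERSION>` (placeholder), and bumping it in a commit keeps updates deliberate. The `create storage` task sets no owner or mode, so `/var/lib/vaultwarden` gets umask defaults; adding `mode: "0700"` keeps the database and key material away from other local accounts. The environment file sets only `DOMAIN`, which leaves Vaultwarden's open-registration default in place on a publicly proxied instance; consider `SIGNUPS_ALLOWED=false` once the intended accounts exist, and `mode: "0600"` on that file before any secret such as an admin token is added to it.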
@@ -16,6 +16,16 @@ cmd: a2enmod userdir creates: /etc/apache2/mods-enabled/userdir.load notify: restart web +- name: enable mod_proxy_http + ansible.builtin.command: + cmd: a2enmod proxy_http + creates: /etc/apache2/mods-enabled/proxy_http.load + notify: restart web +- name: enable mod_headers + ansible.builtin.command: + cmd: a2enmod headers + creates: /etc/apache2/mods-enabled/headers.load + notify: restart web - name: ssl site ansible.builtin.copy: dest: /etc/apache2/sites-enabled/ssl.conf @@ -27,5 +37,11 @@ ServerName {{ public_hostname_punycode }} SSLEngine on ServerAdmin {{ admin_email }} + + + ProxyPass http://127.0.0.1:8080/vaultwarden/ + ProxyPreserveHost On + RequestHeader set X-Real-IP %{REMOTE_ADDR}s + notify: restart web diff --git a/infrastructure/site.yaml b/infrastructure/site.yaml index acbdc7e..12e4b2d 100644 --- a/infrastructure/site.yaml +++ b/infrastructure/site.yaml @@ -7,3 +7,4 @@ - systemd - git - podman + - vaultwarden
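Review bot: The proxy block added to the ssl site in roles/web/tasks/main.yaml forwards everything under the Vaultwarden path, which includes its `/admin` page; that page stays inactive only while no `ADMIN_TOKEN` is set in vaultwarden.environment, so an explicit Apache restriction on the admin sub-path (for example `Require local` in a dedicated Location block) would make that independent of the container's configuration. `RequestHeader set` replaces any client-supplied `X-Real-IP`, which is the right choice for the backend's client-IP handling, and a short comment such as `# set (not add): discard client-supplied X-Real-IP` would keep it from being relaxed later. The enclosing VirtualHost and the Location tags are not visible in this view of the hunk (they appear to have been lost in rendering), so the matched path is inferred from the `ProxyPass` target.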