diff --git a/.ansible/ansible.cfg b/.ansible/ansible.cfg
index b177cda..50e48df 100644
--- a/.ansible/ansible.cfg
+++ b/.ansible/ansible.cfg
@@ -1,9 +1,4 @@
 [defaults]
-stdout_callback = debug
 host_key_checking = True
 retry_files_enabled = False
-
-# Fixes ansible variable precedence issue: Makes inventory group_vars override playbook group_vars
-# https://github.com/ansible/ansible/issues/18154
-precedence = all_plugins_play, all_inventory, all_plugins_inventory, groups_plugins_play, groups_inventory, groups_plugins_inventory
diff --git a/.ansible/inventory/development/group_vars/tools/config.yaml b/.ansible/inventory/development/group_vars/tools/config.yaml
index 2b49ee1..061d036 100644
--- a/.ansible/inventory/development/group_vars/tools/config.yaml
+++ b/.ansible/inventory/development/group_vars/tools/config.yaml
@@ -1,2 +1,3 @@
 signups_allowed: yes
 admin_token: admin
+host: bitwarden.dev.diesel.net
diff --git a/.ansible/inventory/development/group_vars/tools/proxy.yaml b/.ansible/inventory/development/group_vars/tools/proxy.yaml
deleted file mode 100644
index 179a79a..0000000
--- a/.ansible/inventory/development/group_vars/tools/proxy.yaml
+++ /dev/null
@@ -1 +0,0 @@
-proxy_domain: bitwarden.dev.diesel.net
diff --git a/.ansible/inventory/development/hosts b/.ansible/inventory/development/hosts
index 6e1b21a..3ffb164 100644
--- a/.ansible/inventory/development/hosts
+++ b/.ansible/inventory/development/hosts
@@ -1,8 +1,10 @@
 all:
 children:
+ tools:
 hosts:
 dev.diesel.net
+ vars:
 ansible_user: automation
 ansible_python_interpreter: /usr/bin/python3
diff --git a/.ansible/inventory/production/group_vars/tools/config.yaml b/.ansible/inventory/production/group_vars/tools/config.yaml
index 07d2858..44f1263 100644
--- a/.ansible/inventory/production/group_vars/tools/config.yaml
+++ b/.ansible/inventory/production/group_vars/tools/config.yaml
@@ -1,11 +1,3 @@
-signups_allowed: no
-admin_token: !vault |
- $ANSIBLE_VAULT;1.1;AES256
- 63353762613865376264346632316461666430653533353062363762393766383936303538663831
- 6535613862376263623966663039626631313931336331320a376464633533353262373739323330
- 62373336316365323964323665383137616132613364313239363736656236623630663061333838
- 3633383966323731330a306535626637363034366362323738336235623239373064386536636361
- 33613136346535323839396132636130373639613966346235396531636338646338316661343564
- 65386330303032623163306131616333623931633139363334376332383463646233396664613339
- 66623662643664366633396236313466663663353935353166383865356665393332653064643464
- 64313437303036626330
+signups_allowed: yes
+admin_token: "{{ lookup('env', 'ADMIN_TOKEN') }}"
+host: bitwarden.diesel.net
diff --git a/.ansible/inventory/production/group_vars/tools/proxy.yaml b/.ansible/inventory/production/group_vars/tools/proxy.yaml
deleted file mode 100644
index 3dec846..0000000
--- a/.ansible/inventory/production/group_vars/tools/proxy.yaml
+++ /dev/null
@@ -1 +0,0 @@
-proxy_domain: bitwarden.diesel.net
diff --git a/.ansible/inventory/production/hosts b/.ansible/inventory/production/hosts
index 3c92186..f64cfb8 100644
--- a/.ansible/inventory/production/hosts
+++ b/.ansible/inventory/production/hosts
@@ -1,8 +1,10 @@
 all:
 children:
+ tools:
 hosts:
 tools.diesel.net
+ vars:
 ansible_user: automation
 ansible_python_interpreter: /usr/bin/python3
diff --git a/.ansible/roles/requirements.yaml b/.ansible/roles/requirements.yaml
index 7985374..b0dee25 100644
--- a/.ansible/roles/requirements.yaml
+++ b/.ansible/roles/requirements.yaml
@@ -1,9 +1,9 @@
 - name: docker
 scm: git
 src: "git@github.com:Diesel-Net/ansible-role-docker.git"
- version: 1.3.0
+ version: 1.10.0
 - name: common
 scm: git
 src: "git@github.com:Diesel-Net/ansible-role-common.git"
- version: 1.1.0
+ version: 1.2.0
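Review bot: `signups_allowed: yes` replaces `signups_allowed: no` in the production inventory, so anyone who can reach bitwarden.diesel.net can now self-register an account on the vault server; if that is not intended it should stay `no` (admin-page invitations, or Vaultwarden's `SIGNUPS_DOMAINS_WHITELIST` if a mail domain is what you actually want to allow, cover the usual reasons for opening it). Separately, `lookup('env', 'ADMIN_TOKEN')` renders an empty string when the variable is absent — for example on the manual runs the README now describes, which never export it — and the deploy then proceeds with `ADMIN_TOKEN=` instead of failing; as far as I recall Vaultwarden treats an empty token as "admin page disabled", so the mistake is silent. I'd fail early in the playbook, e.g. `- assert: { that: admin_token | length > 0, fail_msg: "ADMIN_TOKEN must be set in the environment" }` before the template task, and mention the variable in the README's manual steps.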
diff --git a/.ansible/templates/docker-compose.yaml.j2 b/.ansible/templates/docker-compose.yaml.j2
index 10f099c..7290a70 100644
--- a/.ansible/templates/docker-compose.yaml.j2
+++ b/.ansible/templates/docker-compose.yaml.j2
@@ -5,40 +5,31 @@ services:
 main:
- image: vaultwarden/server:1.22.2
+ image: vaultwarden/server:1.23.1
 volumes:
- - /etc/localtime:/etc/localtime
- - {{ ssl_cert_dir }}/:/etc/ssl/certs/
- - {{ data_dir }}:/data/
+ - {{ localtime_file }}:/etc/localtime
+ - {{ ssl_cert_file }}:/etc/ssl/certs/ca-certificates.crt
+ - {{ data_dir }}:/data
 environment:
 - SIGNUPS_ALLOWED={{ signups_allowed | string | lower }}
 - ADMIN_TOKEN={{ admin_token }}
- - DOMAIN=https://{{ proxy_domain }}
+ - DOMAIN=https://{{ host }}
 deploy:
 labels:
 - traefik.enable=true
- - traefik.docker.network={{ docker_network }}
- - traefik.http.middlewares.redirect-https.redirectScheme.scheme=https
- - traefik.http.middlewares.redirect-https.redirectScheme.permanent=true
- - traefik.http.routers.bitwarden-ui-https.rule=Host(`{{ proxy_domain }}`)
- - traefik.http.routers.bitwarden-ui-https.entrypoints=websecure
- - traefik.http.routers.bitwarden-ui-https.tls=true
- - traefik.http.routers.bitwarden-ui-https.service=bitwarden-ui
- - traefik.http.routers.bitwarden-ui-http.rule=Host(`{{ proxy_domain }}`)
- - traefik.http.routers.bitwarden-ui-https.tls.certresolver=step-ca
- - traefik.http.routers.bitwarden-ui-http.entrypoints=web
- - traefik.http.routers.bitwarden-ui-http.middlewares=redirect-https
- - traefik.http.routers.bitwarden-ui-http.service=bitwarden-ui
+
+ # web interface
 - traefik.http.services.bitwarden-ui.loadbalancer.server.port=80
- - traefik.http.routers.bitwarden-websocket-https.rule=Host(`{{ proxy_domain }}`) && Path(`/notifications/hub`)
- - traefik.http.routers.bitwarden-websocket-https.entrypoints=websecure
- - traefik.http.routers.bitwarden-websocket-https.tls=true
- - traefik.http.routers.bitwarden-websocket-https.service=bitwarden-websocket
- - traefik.http.routers.bitwarden-websocket-http.rule=Host(`{{ proxy_domain }}`) && Path(`/notifications/hub`)
- - traefik.http.routers.bitwarden-websocket-http.entrypoints=web
- - traefik.http.routers.bitwarden-websocket-http.middlewares=redirect-https
- - traefik.http.routers.bitwarden-websocket-http.service=bitwarden-websocket
+ - traefik.http.routers.bitwarden-ui.rule=Host(`{{ host }}`)
+ - traefik.http.routers.bitwarden-ui.tls.certresolver=step-ca
+ - traefik.http.routers.bitwarden-ui.service=bitwarden-ui
+
+ # websocket notifications
 - traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012
+ - traefik.http.routers.bitwarden-websocket.rule=Host(`{{ host }}`) && Path(`/notifications/hub`)
+ - traefik.http.routers.bitwarden-websocket.tls.certresolver=step-ca
+ - traefik.http.routers.bitwarden-websocket.service=bitwarden-websocket
+
 networks:
 - {{ docker_network }}
diff --git a/.drone.yaml b/.drone.yaml
index 7944278..2909ae7 100644
--- a/.drone.yaml
+++ b/.drone.yaml
@@ -15,7 +15,7 @@ steps:
 settings:
 playbook: .ansible/deploy.yaml
 galaxy: .ansible/roles/requirements.yaml
- inventory: .ansible/inventory/development/hosts
+ inventory: .ansible/inventory/development
 private_key:
 from_secret: automation_id_rsa
 vault_password:
@@ -41,10 +41,12 @@ steps:
 image: plugins/ansible:3
 environment:
 ANSIBLE_CONFIG: .ansible/ansible.cfg
+ ADMIN_TOKEN:
+ from_secret: admin_token
 settings:
 playbook: .ansible/deploy.yaml
 galaxy: .ansible/roles/requirements.yaml
- inventory: .ansible/inventory/production/hosts
+ inventory: .ansible/inventory/production
 private_key:
 from_secret: automation_id_rsa
 vault_password:
diff --git a/.gitignore b/.gitignore
index 1a9d9cc..8fd013d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
-.ansible/roles/docker_deploy
+.ansible/roles/docker
+.ansible/roles/common
 .DS_Store
diff --git a/README.md b/README.md
index fb995c8..f3ceb63 100644
--- a/README.md
+++ b/README.md
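Review bot: The new `bitwarden-ui` and `bitwarden-websocket` routers no longer pin `entrypoints`, and the `redirect-https` middleware and the `*-http` routers that pushed port-80 traffic to HTTPS are removed, so whether plain-HTTP requests to the vault are redirected now depends entirely on Traefik's entrypoint configuration, which is not in this repo. If the `web` entrypoint has a global redirection this is fine; otherwise, because a router with a `tls` section (which `tls.certresolver` enables) only serves HTTPS, HTTP clients will get a 404 rather than a redirect. I'd at least add `- traefik.http.routers.bitwarden-ui.entrypoints=websecure` and `- traefik.http.routers.bitwarden-websocket.entrypoints=websecure` so these routers cannot be matched on any other entrypoint that is added later. Also worth confirming what `{{ ssl_cert_file }}` contains: mounting it over `/etc/ssl/certs/ca-certificates.crt` replaces the image's whole CA bundle with that single file, and if it holds only the internal step-ca root, outbound TLS from Vaultwarden (icon fetching, SMTP, push relay) to public hosts will fail verification.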
@@ -1,20 +1,28 @@
 [![Build Status](https://drone.kiwi-labs.net/api/badges/Diesel-Net/bitwarden/status.svg)](https://drone.kiwi-labs.net/Diesel-Net/bitwarden)
 # bitwarden
-Sets up [vaultwarden](https://github.com/dani-garcia/vaultwarden) (formerly called bitwarden_rs) on the internal network.
+Sets up bitwarden on Docker Swarm.
-# Notes
-- [traefik v2 labels](https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples#traefik-v1-labels-migrated-to-traefik-v2)
+:warning: this configuration uses the unofficial backend [vaultwarden](https://github.com/dani-garcia/vaultwarden), formerly known as `bitwarden_rs` :warning:
-## Requirements
-- Ansible 2.10+
-## Installing Dependencies
-```bash
-ansible-galaxy install -r .ansible/roles/requirements.yaml -p .ansible/roles --force
-```
+## Deployments
+This application is configured and deployed automatically using [Drone CI](https://github.com/harness/drone), however there might be situations where you would prefer to do this manually.
-## Deploy to Docker Swarm
+You will need to have the [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html#encrypting-content-with-ansible-vault) password file configured on your machine, if there are any vaulted secrets. Please read the relevant ansible documentation on [setting a default password source](https://docs.ansible.com/ansible/latest/user_guide/vault.html#setting-a-default-password-source). If you are trying to reuse this Ansible configuration for your own purposes, then you will need to encrypt all of _your own_ secrets using _your own_ Ansible Vault password and replace those variables in the [Ansible configuration](.ansible).
+
+### Requirements
+I recommend [installing Ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible) with `pip` (globally) versus other package managers like Apt or Brew. It makes upgrading and using third party modules much easier.
 ```bash
-ansible-playbook .ansible/deploy.yaml -i .ansible/inventory/development/hosts --vault-id ~/.tokens/master_id
+python3 -m pip install --user ansible
 ```
+
+### Steps
+1. Install roles (dependencies).
+ ```bash
+ ansible-galaxy install -r .ansible/roles/requirements.yaml -p .ansible/roles --force
+ ```
+2. Run playbook.
+ ```bash
+ ansible-playbook .ansible/deploy.yaml -i .ansible/inventory/development
+ ```