Merge branch 'jesse-troy-add-bitwarden-service'

* jesse-troy-add-bitwarden-service:
  Enable Bitwarden for external access
  Tweaks for Bitwarden WebSockets
  Updated bitwarden and documentation
  fix trailing whitespace
  Adding bitwarden documentation
  Changes to vars, toml, task and playbook
This commit is contained in:
David Stephens 2019-04-14 17:06:00 +01:00
commit d57aa8ec58
7 changed files with 85 additions and 5 deletions

View file

@ -26,6 +26,7 @@ just a stock Ubuntu install, some clever Ansible config and a bunch of Docker co
### Docker Containers Used
* [Airsonic](https://airsonic.github.io/) - catalog and stream music
* [Bitwarden_rs](https://github.com/dani-garcia/bitwarden_rs) - Self-Hosting port of password manager
* [Cloudflare DDNS](https://hub.docker.com/r/joshuaavalon/cloudflare-ddns/) - automatically update Cloudflare with your dynamic IP address
* [CouchPotato](https://couchpota.to/) - for downloading and managing movies
* [Duplicati](https://www.duplicati.com/) - for backing up your stuff
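Review bot: the new Bitwarden_rs bullet's description does not match the register of the rest of the list; the other entries use a lower-case purpose phrase ("catalog and stream music", "for backing up your stuff"), so "Self-Hosting port of password manager" would read better as "self-hosted Rust port of the Bitwarden password manager server", which also names the upstream product the rest of the docs refer to.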

View file

@ -0,0 +1,18 @@
# Bitwarden(_rs) Password Management
Homepage: [https://github.com/dani-garcia/bitwarden_rs](https://github.com/dani-garcia/bitwarden_rs)
Bitwarden: [https://bitwarden.com/](https://bitwarden.com/)
This is a Bitwarden server API implementation written in Rust compatible with upstream Bitwarden clients*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
## Usage
Set `bitwarden_enabled: true` in your `group_vars/all.yml` file.
## Specific Configuration
Make sure you set your admin token! It is bitwarden_admin_token in `group_vars/all.yml` file. The string you put here will be the login to the admin section of your bitwarden installation (https://bitwarden.ansiblenasdomain.tld/admin). This token can be anything, but it's recommended to use a long, randomly generated string of characters, for example running: openssl rand -base64 48.
To create a user, you need to change a variable in ./tasks/bitwarden.yml. Set "SIGNUPS_ALLOWED" to "true", and reprovision the container. Once you have created your user, I would reccomend setting it to false and reprovisioning one more time.
There is currently an issue with websockets and this configuration; traefik does not work correctly when enabled. If this issue gets resolved, I will update the file. Until that time, please note that synchronizations between your vault and browser extensions will not be instant. You will need to force a sync or wait on the scheduled sync (approx. 1h).
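Review bot: the "Specific Configuration" section tells users to edit `./tasks/bitwarden.yml` to flip `SIGNUPS_ALLOWED`, which means modifying a tracked playbook file and carrying that local change across every update of the repo; exposing it as a variable in `group_vars/all.yml` (for example `bitwarden_signups_allowed: false`, read by the task) would keep the workflow consistent with `bitwarden_enabled` and `bitwarden_admin_token`. The admin token paragraph should also say explicitly that the value shipped in `group_vars/all.yml` is a placeholder that has to be replaced before the service is enabled, since the `/admin` page is reachable with nothing but that string. Minor: "reccomend" is a typo, and the asterisk after "clients*" has no matching footnote.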

View file

@ -5,6 +5,8 @@ By default, applications can be found on the ports listed below.
| Application | Port | Notes |
|-----------------|--------|-----------|
| Couchpotato | 5050 | |
| Bitwarden "hub" | 3012 | Web Not. |
| Bitwarden | 19080 | HTTP |
| Duplicati | 8200 | |
| Emby | 8096 | HTTP |
| Emby | 8920 | HTTPS |
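Review bot: "Web Not." in the Notes column is hard to decode; spell it out as "WebSocket notifications" (the `/notifications/hub` endpoint on 3012 that `tasks/bitwarden.yml` routes to) so the table matches the docs, which talk about websockets.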

View file

@ -61,6 +61,9 @@ timemachine_enabled: false
znc_enabled: false
thelounge_enabled: false
# Password Management
bitwarden_enabled: false
###
### General
###
@ -208,10 +211,9 @@ cloudflare_email: "{{ ansible_nas_email }}"
# Cloudflare 'Global API Key', can be found on the 'My Profile' page
cloudflare_api_key: abcdeabcdeabcdeabcde1234512345
######################################################################################
###### Advanced Settings ######
###### Ensure you know what you're doing before getting stuck in down here 8-) ######
######################################################################################
##################################################################
###### You shouldn't need to edit anything below this point ######
##################################################################
###
### General
@ -485,4 +487,15 @@ jackett_data_directory: "{{ docker_home }}/jackett"
###
### The Lounge
###
thelounge_data_directory: "{{ docker_home }}/thelounge"
thelounge_data_directory: "{{ docker_home }}/thelounge"
###
### Bitwarden
###
bitwarden_data_directory: "{{ docker_home }}/bitwarden"
bitwarden_available_externally: "false"
# Keep this token secret, this is password to access admin area of your server!
# This token can be anything, but it's recommended to use a long, randomly generated string of characters,
# for example running openssl rand -base64 48
bitwarden_admin_token: qwertyuiop1234567890poiuytrewq0987654321
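Review bot: `bitwarden_admin_token` ships with a fixed, repo-public default (`qwertyuiop1234567890poiuytrewq0987654321`), and nothing stops a user from setting `bitwarden_enabled: true` and `bitwarden_available_externally: "true"` without changing it, which would leave the `/admin` page protected by a value anyone can read in this repository. Safer options: leave the variable empty and have `tasks/bitwarden.yml` stop with an `assert` or `fail` task when it is unset or still equals the default, or use an obviously non-working placeholder such as `CHANGEME`. The comment above it could also mention that the token is passed into the container's environment, so it is readable by anyone who can run `docker inspect` on the host. Grammar: "this is password to access admin area" should read "this is the password for the admin area".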

View file

@ -142,3 +142,7 @@
- import_tasks: tasks/jackett.yml
when: (jackett_enabled | default(False))
tags: jackett
- import_tasks: tasks/bitwarden.yml
when: (bitwarden_enabled | default(False))
tags: bitwarden

41
tasks/bitwarden.yml Normal file
View file

@ -0,0 +1,41 @@
- name: Create Bitwarden Directories
file:
path: "{{ item }}"
state: directory
with_items:
- "{{ bitwarden_data_directory }}"
- name: Bitwarden Docker Container
docker_container:
name: bitwarden
image: mprasil/bitwarden:latest
pull: true
ports:
- "19080:80"
- "3012:3012"
volumes:
- "{{ bitwarden_data_directory }}:/data:rw"
env:
SIGNUPS_ALLOWED: "false"
ADMIN_TOKEN: "{{ bitwarden_admin_token }}"
LOG_FILE: "/data/bitwarden.log"
WEBSOCKET_ENABLED: "true"
labels:
traefik.backend: "bitwarden"
traefik.web.frontend.rule: "Host:bitwarden.{{ ansible_nas_domain }}"
traefik.enable: "{{ bitwarden_available_externally }}"
traefik.web.port: "80"
traefik.hub.frontend.rule: "Host:bitwarden.{{ ansible_nas_domain }};Path:/notifications/hub"
traefik.hub.port: "3012"
traefik.hub.protocol: "ws"
restart_policy: unless-stopped
#memory: 1g
- name: Bitwarden Backup Container
docker_container:
name: bitwarden-backup
image: bruceforce/bw_backup:latest
pull: true
restart_policy: unless-stopped
volumes_from: bitwarden
memory: 1g
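Review bot: `SIGNUPS_ALLOWED: "false"` is hardcoded in the `env` block while the docs tell users to edit this file to create their first account; read it from a variable (`SIGNUPS_ALLOWED: "{{ bitwarden_signups_allowed }}"`) so the toggle lives in `group_vars/all.yml` with the other settings. Smaller points: `image: mprasil/bitwarden:latest` together with `pull: true` means every provisioning run silently upgrades to whatever that tag currently points at, so pinning a release tag (and the same for `bruceforce/bw_backup:latest`) makes runs reproducible and reviewable; `memory: 1g` is commented out on the main container but set on the backup container, which looks inverted; the backup container only has `volumes_from: bitwarden` and no separate destination volume, so unless the image writes elsewhere by default its backups land inside the same `/data` directory as the live database, which defeats the purpose if that directory is lost; and the `traefik.hub.*` labels plus `WEBSOCKET_ENABLED: "true"` are kept even though the docs say the websocket path through traefik does not work, so either drop them or add a comment pointing at the known issue. Note also that `19080` and `3012` are published on the host regardless of `bitwarden_available_externally`, which only controls the `traefik.enable` label.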

View file

@ -180,6 +180,7 @@ onDemand = false # create certificate when container is created
# we request a certificate for everything, because why not.
sans = ["airsonic.{{ ansible_nas_domain }}",
"bitwarden.{{ ansible_nas_domain }}",
"couchpotato.{{ ansible_nas_domain }}",
"duplicati.{{ ansible_nas_domain }}",
"emby.{{ ansible_nas_domain }}",
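Review bot: adding the SAN unconditionally follows the "certificate for everything" comment above it, but it means every deployment's certificate now advertises a `bitwarden.` hostname (and publishes it to certificate transparency logs) even when `bitwarden_enabled` is false; acceptable if that is the repo's convention, just worth stating in the docs so users know the hostname is discoverable.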