From 0701f7159962f9bec900cfcc2d1ed3310ee3e7d4 Mon Sep 17 00:00:00 2001
From: Jesse Beard
Date: Wed, 10 Apr 2019 08:46:47 -0400
Subject: [PATCH 1/6] Changes to vars, toml, task and playbook
---
 group_vars/all.yml.dist | 15 +++++++++++++
 nas.yml | 4 ++++
 tasks/bitwarden.yml | 41 ++++++++++++++++++++++++++++++++++
 templates/traefik/traefik.toml | 1 +
 tests/test.yml | 16 +++++++++++++
 5 files changed, 77 insertions(+)
 create mode 100644 tasks/bitwarden.yml
diff --git a/group_vars/all.yml.dist b/group_vars/all.yml.dist
index e15dfa71..6efc958b 100644
--- a/group_vars/all.yml.dist
+++ b/group_vars/all.yml.dist
@@ -59,6 +59,8 @@ timemachine_enabled: false
 # IRC bouncer
 znc_enabled: false
+# Password Management
+bitwarden_enabled: false
 ###
 ### General
@@ -207,6 +209,14 @@ cloudflare_email: dave@awesomedomain.com
 # Cloudflare 'Global API Key', can be found on the 'My Profile' page
 cloudflare_api_key: abcdeabcdeabcdeabcde1234512345
+###
+### Bitwarden
+###
+# Keep this token secret, this is password to access admin area of your server!
+# This token can be anything, but it's recommended to use a long, randomly generated string of characters,
+# for example running openssl rand -base64 48
+bitwarden_admin_token: qwertyuiop1234567890poiuytrewq0987654321
+
 ##################################################################
 ###### You shouldn't need to edit anything below this point ######
 ##################################################################
@@ -449,3 +459,8 @@ mymediaforalexa_data_directory: "{{ docker_home }}/mymediaforalexa"
 ### jackett
 ###
 jackett_data_directory: "{{ docker_home }}/jackett"
+
+###
+### bitwarden
+###
+bitwarden_data_directory: "{{ docker_home }}/bitwarden"
\ No newline at end of file
diff --git a/nas.yml b/nas.yml
index ccb85447..6f1514a7 100644
--- a/nas.yml
+++ b/nas.yml
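Review bot: `bitwarden_admin_token` ships with a working default (`qwertyuiop1234567890poiuytrewq0987654321`) in the `.dist` template, so any install where the operator skips this section comes up with a publicly known credential for the `/admin` area. The comment above it says to keep the token secret, but a comment is not a check; I'd leave the value empty here (`bitwarden_admin_token: ""`) and have `tasks/bitwarden.yml` fail early with an `assert` that the variable is non-empty when `bitwarden_enabled` is true. The copy added to `tests/test.yml` later in this patch is a fixture and can keep a dummy value. Pointing users at `ansible-vault` for the real `group_vars/all.yml` would suit the `cloudflare_api_key` entry just above as well, since both are long-lived secrets in a file that is meant to be committed.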
@@ -138,3 +138,7 @@
 - import_tasks: tasks/jackett.yml
 when: (jackett_enabled | default(False))
 tags: jackett
+
+ - import_tasks: tasks/bitwarden.yml
+ when: (bitwarden_enabled | default(False))
+ tags: bitwarden
\ No newline at end of file
diff --git a/tasks/bitwarden.yml b/tasks/bitwarden.yml
new file mode 100644
index 00000000..e6217aec
--- /dev/null
+++ b/tasks/bitwarden.yml
@@ -0,0 +1,41 @@
+- name: Create Bitwarden Directories
+ file:
+ path: "{{ item }}"
+ state: directory
+ with_items:
+ - "{{ bitwarden_data_directory }}"
+
+- name: Bitwarden Docker Container
+ docker_container:
+ name: bitwarden
+ image: mprasil/bitwarden:latest
+ pull: true
+ ports:
+ #- "19080:80"
+ - "3012:3012"
+ volumes:
+ - "{{ bitwarden_data_directory }}:/data:rw"
+ env:
+ SIGNUPS_ALLOWED: "false"
+ ADMIN_TOKEN: "{{ bitwarden_admin_token }}"
+ LOG_FILE: "/data/bitwarden.log"
+ labels:
+ traefik.backend: "bitwarden"
+ traefik.web.frontend.rule: "Host:bitwarden.{{ ansible_nas_domain }}"
+ traefik.enable: "true"
+ traefik.web.port: "80"
+ #traefik.web.frontend.headers.customFrameOptionsValue: "ALLOW-FROM http://{{ ansible_nas_domain }}"
+ #traefik.web.frontend.headers.customFrameOptionsValue: "ALLOW-FROM https://{{ ansible_nas_domain }}"
+ #traefik.web.frontend.headers.SSLRedirect: "true"
+ traefik.hub.frontend.rule: "Host:bitwarden.{{ ansible_nas_domain }};Path:/notifications/hub"
+ traefik.hub.port: "3012"
+ restart_policy: unless-stopped
+ #memory: 1g
+
+- name: Bitwarden Backup Container
+ docker_container:
+ name: bitwarden-backup
+ image: bruceforce/bw_backup:latest
+ pull: true
+ restart_policy: unless-stopped
+ volumes_from: bitwarden
\ No newline at end of file
diff --git a/templates/traefik/traefik.toml b/templates/traefik/traefik.toml
index 69eba793..49f510ce 100644
--- a/templates/traefik/traefik.toml
+++ b/templates/traefik/traefik.toml
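Review bot: `ADMIN_TOKEN` is passed as a container environment variable and the `Bitwarden Docker Container` task has no `no_log: true`, so the admin secret shows up in verbose Ansible output (the `docker_container` module returns the inspected container, environment included) and in `docker inspect bitwarden` for anyone in the docker group; `no_log: true` on that task is the cheap part of the fix. The backup sidecar `bruceforce/bw_backup:latest` is given read/write access to the whole vault through `volumes_from: bitwarden` and is re-pulled on every run (`pull: true`), so I'd pin it to a specific tag or digest rather than tracking `latest`. `SIGNUPS_ALLOWED: "false"` is hard-coded in the task, which forces users to edit this file to register their first account and then edit it back; a variable with a safe default, e.g. `SIGNUPS_ALLOWED: "{{ bitwarden_signups_allowed | default('false') }}"`, keeps the task file untouched. The `file` task sets no `mode` on `bitwarden_data_directory`, which will hold the vault database and `/data/bitwarden.log`; even if the other task files don't set one, an explicit restrictive mode is worth it for this directory.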
@@ -180,6 +180,7 @@ onDemand = false # create certificate when container is created
 # we request a certificate for everything, because why not.
 sans = ["airsonic.{{ ansible_nas_domain }}",
+ "bitwarden.{{ ansible_nas_domain }}",
 "couchpotato.{{ ansible_nas_domain }}",
 "duplicati.{{ ansible_nas_domain }}",
 "emby.{{ ansible_nas_domain }}",
diff --git a/tests/test.yml b/tests/test.yml
index a9a8f3f2..f787a308 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -59,6 +59,9 @@ timemachine_enabled: false
 # IRC bouncer
 znc_enabled: false
+# Password Management
+bitwarden_enabled: false
+
 ###
 ### General
 ###
@@ -207,6 +210,14 @@ cloudflare_email: dave@awesomedomain.com
 # Cloudflare 'Global API Key', can be found on the 'My Profile' page
 cloudflare_api_key: abcdeabcdeabcdeabcde1234512345
+###
+### Bitwarden
+###
+# Keep this token secret, this is password to access admin area of your server!
+# This token can be anything, but it's recommended to use a long, randomly generated string of characters,
+# for example running openssl rand -base64 48
+bitwarden_admin_token: qwertyuiop1234567890poiuytrewq0987654321
+
 ##################################################################
 ###### You shouldn't need to edit anything below this point ######
 ##################################################################
@@ -449,3 +460,8 @@ mymediaforalexa_data_directory: "{{ docker_home }}/mymediaforalexa"
 ### jackett
 ###
 jackett_data_directory: "{{ docker_home }}/jackett"
+
+###
+### bitwarden
+###
+bitwarden_data_directory: "{{ docker_home }}/bitwarden"
\ No newline at end of file
From d547ce6b0fab7bde8bdc9cdbbbc2c21f0395e2da Mon Sep 17 00:00:00 2001
From: Jesse Beard
Date: Wed, 10 Apr 2019 09:08:06 -0400
Subject: [PATCH 2/6] Adding bitwarden documentation
---
 README.md | 1 +
 docs/applications/bitwarden.md | 15 +++++++++++++++
 docs/configuration/application_ports.md | 2 ++
 tasks/bitwarden.yml | 2 +-
 4 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 docs/applications/bitwarden.md
diff --git a/README.md b/README.md
index e24c5f44..c81d6f3b 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,7 @@ just a stock Ubuntu install, some clever Ansible config and a bunch of Docker co
 ### Docker Containers Used
 * [Airsonic](https://airsonic.github.io/) - catalog and stream music
+* [Bitwarden_rs](https://github.com/dani-garcia/bitwarden_rs) - Self-Hosting port of password manager
 * [Cloudflare DDNS](https://hub.docker.com/r/joshuaavalon/cloudflare-ddns/) - automatically update Cloudflare with your dynamic IP address
 * [CouchPotato](https://couchpota.to/) - for downloading and managing movies
 * [Duplicati](https://www.duplicati.com/) - for backing up your stuff
diff --git a/docs/applications/bitwarden.md b/docs/applications/bitwarden.md
new file mode 100644
index 00000000..b66f4b58
--- /dev/null
+++ b/docs/applications/bitwarden.md
@@ -0,0 +1,15 @@
+# Bitwarden(_rs) Password Management
+
+Homepage: [https://github.com/dani-garcia/bitwarden_rs](https://github.com/dani-garcia/bitwarden_rs)
+Bitwarden: [https://bitwarden.com/](https://bitwarden.com/)
+
+This is a Bitwarden server API implementation written in Rust compatible with upstream Bitwarden clients*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
+
+## Usage
+
+Set `bitwarden_enabled: true` in your `group_vars/all.yml` file.
+
+## Specific Configuration
+
+Make sure you set your admin token! It is bitwarden_admin_token in `group_vars/all.yml` file. The string you put here will be the login to the admin section
+of your bitwarden installation (https://bitwarden.ansiblenasdomain.tld/admin). This token can be anything, but it's recommended to use a long, randomly generated string of characters, for example running: openssl rand -base64 48.
diff --git a/docs/configuration/application_ports.md b/docs/configuration/application_ports.md
index 0917bb30..6e642fdc 100644
--- a/docs/configuration/application_ports.md
+++ b/docs/configuration/application_ports.md
@@ -5,6 +5,8 @@ By default, applications can be found on the ports listed below.
 | Application | Port | Notes |
 |-----------------|--------|-----------|
 | Couchpotato | 5050 | |
+| Bitwarden "hub" | 3012 | Web Not. |
+| Bitwarden | 19080 | HTTP |
 | Duplicati | 8200 | |
 | Emby | 8096 | HTTP |
 | Emby | 8920 | HTTPS |
diff --git a/tasks/bitwarden.yml b/tasks/bitwarden.yml
index e6217aec..1e7b1c5c 100644
--- a/tasks/bitwarden.yml
+++ b/tasks/bitwarden.yml
@@ -11,7 +11,7 @@
 image: mprasil/bitwarden:latest
 pull: true
 ports:
- #- "19080:80"
+ - "19080:80"
 - "3012:3012"
 volumes:
 - "{{ bitwarden_data_directory }}:/data:rw"
From ca47b2c2fac473505208cc8c0c92f8848bb76b4a Mon Sep 17 00:00:00 2001
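Review bot: Uncommenting `- "19080:80"` publishes the vault's plain-HTTP port on every host interface, and nothing in the series gates it: Traefik already reaches the container on port 80 over the docker network via `traefik.web.port: "80"`, so the host mapping only serves direct LAN clients, and for those the vault traffic (and the admin token sent to `/admin`) now travels unencrypted. The ports table added to `docs/configuration/application_ports.md` in this same commit labels it just `HTTP`, which does not tell a user that. If direct access is intended, I'd say so in `docs/applications/bitwarden.md` and point people at the Traefik hostname instead; if it is only for debugging, drop the mapping or bind it to a specific address (`- "127.0.0.1:19080:80"`). The enclosing `docker_container` task starts and ends outside this hunk.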
From: Jesse Beard
Date: Wed, 10 Apr 2019 10:28:35 -0400
Subject: [PATCH 3/6] fix trailing whitespace
---
 tasks/bitwarden.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/bitwarden.yml b/tasks/bitwarden.yml
index 1e7b1c5c..2c996eb0 100644
--- a/tasks/bitwarden.yml
+++ b/tasks/bitwarden.yml
@@ -17,7 +17,7 @@
 - "{{ bitwarden_data_directory }}:/data:rw"
 env:
 SIGNUPS_ALLOWED: "false"
- ADMIN_TOKEN: "{{ bitwarden_admin_token }}"
+ ADMIN_TOKEN: "{{ bitwarden_admin_token }}"
 LOG_FILE: "/data/bitwarden.log"
 labels:
 traefik.backend: "bitwarden"
From 5a63ca02d720ca9df491d02290d3d266ea1935fc Mon Sep 17 00:00:00 2001
From: Jesse Beard
Date: Wed, 10 Apr 2019 16:55:14 -0400
Subject: [PATCH 4/6] Updated bitwarden and documentation
---
 docs/applications/bitwarden.md | 7 +++++--
 tasks/bitwarden.yml | 8 ++++----
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/docs/applications/bitwarden.md b/docs/applications/bitwarden.md
index b66f4b58..f806bebf 100644
--- a/docs/applications/bitwarden.md
+++ b/docs/applications/bitwarden.md
@@ -11,5 +11,8 @@ Set `bitwarden_enabled: true` in your `group_vars/all.yml` file.
 ## Specific Configuration
-Make sure you set your admin token! It is bitwarden_admin_token in `group_vars/all.yml` file. The string you put here will be the login to the admin section
-of your bitwarden installation (https://bitwarden.ansiblenasdomain.tld/admin). This token can be anything, but it's recommended to use a long, randomly generated string of characters, for example running: openssl rand -base64 48.
+Make sure you set your admin token! It is bitwarden_admin_token in `group_vars/all.yml` file. The string you put here will be the login to the admin section of your bitwarden installation (https://bitwarden.ansiblenasdomain.tld/admin). This token can be anything, but it's recommended to use a long, randomly generated string of characters, for example running: openssl rand -base64 48.
+
+To create a user, you need to change a variable in ./tasks/bitwarden.yml. Set "SIGNUPS_ALLOWED" to "true", and reprovision the container. Once you have created your user, I would reccomend setting it to false and reprovisioning one more time.
+
+There is currently an issue with websockets and this configuration; traefik does not work correctly when enabled. If this issue gets resolved, I will update the file. Until that time, please note that synchronizations between your vault and browser extensions will not be instant. You will need to force a sync or wait on the scheduled sync (approx. 1h).
\ No newline at end of file
diff --git a/tasks/bitwarden.yml b/tasks/bitwarden.yml
index 2c996eb0..c36a3b97 100644
--- a/tasks/bitwarden.yml
+++ b/tasks/bitwarden.yml
@@ -26,9 +26,8 @@
 traefik.web.port: "80"
 #traefik.web.frontend.headers.customFrameOptionsValue: "ALLOW-FROM http://{{ ansible_nas_domain }}"
 #traefik.web.frontend.headers.customFrameOptionsValue: "ALLOW-FROM https://{{ ansible_nas_domain }}"
- #traefik.web.frontend.headers.SSLRedirect: "true"
- traefik.hub.frontend.rule: "Host:bitwarden.{{ ansible_nas_domain }};Path:/notifications/hub"
- traefik.hub.port: "3012"
+ #traefik.hub.frontend.rule: "Host:bitwarden.{{ ansible_nas_domain }};Path:/notifications/hub"
+ #traefik.hub.port: "3012"
 restart_policy: unless-stopped
 #memory: 1g
@@ -38,4 +37,5 @@
 image: bruceforce/bw_backup:latest
 pull: true
 restart_policy: unless-stopped
- volumes_from: bitwarden
\ No newline at end of file
+ volumes_from: bitwarden
+ memory: 1g
\ No newline at end of file
From f2e71ca17caed35ed78acdc6bf4fc8d69d7dd2e1 Mon Sep 17 00:00:00 2001
From: David Stephens
Date: Sun, 14 Apr 2019 16:45:48 +0100
Subject: [PATCH 5/6] Tweaks for Bitwarden WebSockets
---
 tasks/bitwarden.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tasks/bitwarden.yml b/tasks/bitwarden.yml
index c36a3b97..4335880d 100644
--- a/tasks/bitwarden.yml
+++ b/tasks/bitwarden.yml
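Review bot: `memory: 1g` lands on the `bitwarden-backup` sidecar while the vault container a few lines up still carries `#memory: 1g` commented out, which reads as if the limit was attached to the wrong task; if the intent really was to cap the backup job, a one-line comment saying so would stop the next reader from "fixing" it, otherwise move the line under the `bitwarden` container's `restart_policy`. The same hunk keeps `volumes_from: bitwarden` without a mode suffix, so the backup image has write access to the live vault database; Docker accepts `volumes_from: "bitwarden:ro"` if the backup tool writes its output somewhere other than `/data`, which I cannot confirm from this series. Both `docker_container` tasks start outside the hunks shown.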
@@ -19,15 +19,15 @@
 SIGNUPS_ALLOWED: "false"
 ADMIN_TOKEN: "{{ bitwarden_admin_token }}"
 LOG_FILE: "/data/bitwarden.log"
+ WEBSOCKET_ENABLED: "true"
 labels:
 traefik.backend: "bitwarden"
 traefik.web.frontend.rule: "Host:bitwarden.{{ ansible_nas_domain }}"
 traefik.enable: "true"
 traefik.web.port: "80"
- #traefik.web.frontend.headers.customFrameOptionsValue: "ALLOW-FROM http://{{ ansible_nas_domain }}"
- #traefik.web.frontend.headers.customFrameOptionsValue: "ALLOW-FROM https://{{ ansible_nas_domain }}"
- #traefik.hub.frontend.rule: "Host:bitwarden.{{ ansible_nas_domain }};Path:/notifications/hub"
- #traefik.hub.port: "3012"
+ traefik.hub.frontend.rule: "Host:bitwarden.{{ ansible_nas_domain }};Path:/notifications/hub"
+ traefik.hub.port: "3012"
+ traefik.hub.protocol: "ws"
 restart_policy: unless-stopped
 #memory: 1g
From da29d3c903b75b02d8eed0f6b92d5a0b7ba8aa4d Mon Sep 17 00:00:00 2001
From: David Stephens
Date: Sun, 14 Apr 2019 17:05:21 +0100
Subject: [PATCH 6/6] Enable Bitwarden for external access
---
 group_vars/all.yml.dist | 1 +
 tasks/bitwarden.yml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/group_vars/all.yml.dist b/group_vars/all.yml.dist
index d7c0cbf6..41eeaa56 100644
--- a/group_vars/all.yml.dist
+++ b/group_vars/all.yml.dist
@@ -493,6 +493,7 @@ thelounge_data_directory: "{{ docker_home }}/thelounge"
 ### Bitwarden
 ###
 bitwarden_data_directory: "{{ docker_home }}/bitwarden"
+bitwarden_available_externally: "false"
 # Keep this token secret, this is password to access admin area of your server!
 # This token can be anything, but it's recommended to use a long, randomly generated string of characters,
diff --git a/tasks/bitwarden.yml b/tasks/bitwarden.yml
index 4335880d..a362f005 100644
--- a/tasks/bitwarden.yml
+++ b/tasks/bitwarden.yml
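Review bot: `bitwarden_available_externally` is added without any comment and as a quoted string (`"false"`) where the neighbouring `*_enabled` flags in this file are booleans, so a user who writes `false` unquoted gets the Jinja rendering `False` in the Traefik label; Go's boolean parser should still accept that, but the line deserves a comment saying why it is a string, e.g. `# Set to "true" to publish Bitwarden through Traefik; keep it quoted, it is rendered into a Docker label`. It also sits between `bitwarden_data_directory` and the admin-token comment, which from the first patch in this series is the "You shouldn't need to edit anything below this point" section, whereas this is exactly the kind of toggle users must edit; placing it next to `bitwarden_enabled` would match how the other services are laid out. The admin-token block following it appears to have moved here too since patch 1, so the section boundaries may have shifted in commits not in this series.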
@@ -23,7 +23,7 @@
 labels:
 traefik.backend: "bitwarden"
 traefik.web.frontend.rule: "Host:bitwarden.{{ ansible_nas_domain }}"
- traefik.enable: "true"
+ traefik.enable: "{{ bitwarden_available_externally }}"
 traefik.web.port: "80"
 traefik.hub.frontend.rule: "Host:bitwarden.{{ ansible_nas_domain }};Path:/notifications/hub"
 traefik.hub.port: "3012"
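Review bot: With the default `bitwarden_available_externally: "false"` from the previous hunk, `traefik.enable` is off and the TLS hostname is never published, yet the host port mappings `19080:80` and `3012:3012` set earlier in this task stay up, so a fresh install that follows `docs/applications/bitwarden.md` (which only mentions `bitwarden_enabled: true`) ends up with a vault reachable solely over cleartext HTTP. The doc page created in this series should get a line for the new variable, e.g. "Set `bitwarden_available_externally: "true"` to expose Bitwarden through Traefik with TLS; without it the service is only reachable on the unencrypted port 19080." The `docker_container` task this label belongs to starts outside the hunk.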