Merge branch 'jesse-troy-add-bitwarden-service'

* jesse-troy-add-bitwarden-service:
  Enable Bitwarden for external access
  Tweaks for Bitwarden WebSockets
  Updated bitwarden and documentation
  fix trailing whitespace
  Adding bitwarden documentation
  Changes to vars, toml, task and playbook

README.md

@@ -26,6 +26,7 @@ just a stock Ubuntu install, some clever Ansible config and a bunch of Docker co
 ### Docker Containers Used
 
 * [Airsonic](https://airsonic.github.io/) - catalog and stream music
+* [Bitwarden_rs](https://github.com/dani-garcia/bitwarden_rs) - Self-Hosting port of password manager
 * [Cloudflare DDNS](https://hub.docker.com/r/joshuaavalon/cloudflare-ddns/) - automatically update Cloudflare with your dynamic IP address
 * [CouchPotato](https://couchpota.to/) - for downloading and managing movies
 * [Duplicati](https://www.duplicati.com/) - for backing up your stuff

docs/applications/bitwarden.md

@@ -0,0 +1,18 @@
+# Bitwarden(_rs) Password Management
+
+Homepage: [https://github.com/dani-garcia/bitwarden_rs](https://github.com/dani-garcia/bitwarden_rs)
+Bitwarden: [https://bitwarden.com/](https://bitwarden.com/)
+
+This is a Bitwarden server API implementation written in Rust compatible with upstream Bitwarden clients*, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
+
+## Usage
+
+Set `bitwarden_enabled: true` in your `group_vars/all.yml` file.
+
+## Specific Configuration
+
+Make sure you set your admin token! It is bitwarden_admin_token in `group_vars/all.yml` file. The string you put here will be the login to the admin section of your bitwarden installation (https://bitwarden.ansiblenasdomain.tld/admin). This token can be anything, but it's recommended to use a long, randomly generated string of characters, for example running: openssl rand -base64 48.
+
+To create a user, you need to change a variable in ./tasks/bitwarden.yml. Set "SIGNUPS_ALLOWED" to "true", and reprovision the container. Once you have created your user, I would reccomend setting it to false and reprovisioning one more time.
+
+There is currently an issue with websockets and this configuration; traefik does not work correctly when enabled. If this issue gets resolved, I will update the file. Until that time, please note that synchronizations between your vault and browser extensions will not be instant. You will need to force a sync or wait on the scheduled sync (approx. 1h).

docs/configuration/application_ports.md

@@ -5,6 +5,8 @@ By default, applications can be found on the ports listed below.
 | Application     | Port   | Notes     |
 |-----------------|--------|-----------|
 | Couchpotato     | 5050   |           |
+| Bitwarden "hub" | 3012   | Web Not.  |
+| Bitwarden       | 19080  | HTTP      |
 | Duplicati       | 8200   |           |
 | Emby            | 8096   | HTTP      |
 | Emby            | 8920   | HTTPS     |

group_vars/all.yml.dist

@@ -61,6 +61,9 @@ timemachine_enabled: false
 znc_enabled: false
 thelounge_enabled: false
 
+# Password Management
+bitwarden_enabled: false
+
 ###
 ### General
 ###
@@ -208,10 +211,9 @@ cloudflare_email: "{{ ansible_nas_email }}"
 # Cloudflare 'Global API Key', can be found on the 'My Profile' page
 cloudflare_api_key: abcdeabcdeabcdeabcde1234512345
 
-######################################################################################
-###### Advanced Settings                                                        ######
-###### Ensure you know what you're doing before getting stuck in down here 8-)  ######
-######################################################################################
+##################################################################
+###### You shouldn't need to edit anything below this point ######
+##################################################################
 
 ###
 ### General
@@ -486,3 +488,14 @@ jackett_data_directory: "{{ docker_home }}/jackett"
 ### The Lounge
 ###
 thelounge_data_directory: "{{ docker_home }}/thelounge"
+
+###
+### Bitwarden
+###
+bitwarden_data_directory: "{{ docker_home }}/bitwarden"
+bitwarden_available_externally: "false"
+
+# Keep this token secret, this is password to access admin area of your server!
+# This token can be anything, but it's recommended to use a long, randomly generated string of characters,
+# for example running openssl rand -base64 48
+bitwarden_admin_token: qwertyuiop1234567890poiuytrewq0987654321

nas.yml

@@ -142,3 +142,7 @@
   - import_tasks: tasks/jackett.yml
     when: (jackett_enabled | default(False))
     tags: jackett
+
+  - import_tasks: tasks/bitwarden.yml
+    when: (bitwarden_enabled | default(False))
+    tags: bitwarden

tasks/bitwarden.yml

@@ -0,0 +1,41 @@
+- name: Create Bitwarden Directories
+  file:
+    path: "{{ item }}"
+    state: directory
+  with_items:
+    - "{{ bitwarden_data_directory }}"
+
+- name: Bitwarden Docker Container
+  docker_container:
+    name: bitwarden
+    image: mprasil/bitwarden:latest
+    pull: true
+    ports:
+      - "19080:80"
+      - "3012:3012"
+    volumes:
+      - "{{ bitwarden_data_directory }}:/data:rw"
+    env:
+      SIGNUPS_ALLOWED: "false"
+      ADMIN_TOKEN: "{{ bitwarden_admin_token }}"
+      LOG_FILE: "/data/bitwarden.log"
+      WEBSOCKET_ENABLED: "true"
+    labels:
+      traefik.backend: "bitwarden"
+      traefik.web.frontend.rule: "Host:bitwarden.{{ ansible_nas_domain }}"
+      traefik.enable: "{{ bitwarden_available_externally }}"
+      traefik.web.port: "80"
+      traefik.hub.frontend.rule: "Host:bitwarden.{{ ansible_nas_domain }};Path:/notifications/hub"
+      traefik.hub.port: "3012"
+      traefik.hub.protocol: "ws"
+    restart_policy: unless-stopped
+    #memory: 1g
+
+- name: Bitwarden Backup Container
+  docker_container:
+    name: bitwarden-backup
+    image: bruceforce/bw_backup:latest
+    pull: true
+    restart_policy: unless-stopped
+    volumes_from: bitwarden
+    memory: 1g

templates/traefik/traefik.toml

@@ -180,6 +180,7 @@ onDemand = false # create certificate when container is created
 
   # we request a certificate for everything, because why not.
   sans = ["airsonic.{{ ansible_nas_domain }}",
+          "bitwarden.{{ ansible_nas_domain }}",
           "couchpotato.{{ ansible_nas_domain }}",
           "duplicati.{{ ansible_nas_domain }}",
           "emby.{{ ansible_nas_domain }}",