Add initial Vaultwarden support

Absorbed from the https://github.com/spantaleev/vaultwarden-docker-ansible-deploy
Ansible playbook.

The `vaultwarden_backup` role hasn't been migrated over yet.

docs/services/README.md

@@ -7,6 +7,7 @@
 | [PostgreSQL](https://www.postgresql.org) | A powerful, open source object-relational database system | [Link](postgres.md) |
 | [Radicale](https://miniflux.app/) | A Free and Open-Source CalDAV and CardDAV Server (solution for hosting contacts and calendars) | [Link](radicale.md) |
 | [Traefik](https://doc.traefik.io/traefik/) | A container-aware reverse-proxy server | [Link](traefik.md) |
+| [Vaultwarden](https://github.com/dani-garcia/vaultwarden) | A lightweight unofficial and compatible implementation of the [Bitwarden](https://bitwarden.com/) password manager | [Link](vaultwarden.md) |
 | [Uptime-kuma](https://uptime.kuma.pet/) | A fancy self-hosted monitoring tool | [Link](uptime-kuma.md) |
 
 

docs/services/postgres.md

@@ -47,7 +47,7 @@ Before doing the actual import, **you need to upload your Postgres dump file to
 
 ### Importing
 
-To import, run this command (make sure to replace `<server-path-to-postgres-dump.sql>` with a file path on your server):
+To import, run this command (make sure to replace `SERVER_PATH_TO_POSTGRES_DUMP_FILE` with a file path on your server):
 
 ```sh
 just run-tags import-postgres \

docs/services/vaultwarden.md

@@ -0,0 +1,84 @@
+# Vaultwarden
+
+[Vaultwarden](https://github.com/dani-garcia/vaultwarden) (unofficial [Bitwarden](https://bitwarden.com/) compatible server) is a password manager server that you can use with the official **Bitwarden** apps and browser addons.
+
+
+## Dependencies
+
+This service requires the following other services:
+
+- a [Postgres](postgres.md) database
+- a [Traefik](traefik.md) reverse-proxy server
+
+
+## Configuration
+
+To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
+
+```yaml
+########################################################################
+#                                                                      #
+# vaultwarden                                                          #
+#                                                                      #
+########################################################################
+
+vaultwarden_enabled: true
+
+vaultwarden_hostname: mash.example.com
+
+# For additional security, we recommend hosting Vaultwarden at a subpath.
+# See: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#hiding-under-a-subdir
+#
+# Choose your own custom path below.
+# When using a path prefix, Vaultwarden will be available at: https://VAULTWARDEN_DOMAIN/PATH_PREFIX
+# while the homepage (/) shows a 404 HTTP error.
+#
+# If you'd like to host at the root (without a path prefix), remove this configuration line.
+vaultwarden_path_prefix: /vaultwarden-secret-custom-prefix
+
+# Configure a strong admin secret here (generated with `pwgen -s 64 1`, etc).
+# You will need this for accessing the /admin section useful for creating your first user
+# and for doing various maintenance tasks.
+# In the future, you can also consider disabling the /admin section by removing this configuration line.
+vaultwarden_config_admin_token: ''
+
+# Require people to validate their email addresses. When enabled, SMTP settings (below) are required.
+vaultwarden_config_signups_verify: true
+
+# Example SMTP settings.
+# If you keep `vaultwarden_config_signups_verify` enabled, you will need to specify them.
+# There are more SMTP variables in `roles/custom/devture_vaultwarden/defaults/main.yml`, in case you need them.
+# If you decide you won't set up SMTP, consider removing all these configuration lines below
+# and removing `vaultwarden_config_signups_verify: true` above.
+vaultwarden_config_smtp_from: vaultwarden@DOMAIN
+vaultwarden_config_smtp_host: ''
+vaultwarden_config_smtp_port: 587
+vaultwarden_config_smtp_security: starttls
+vaultwarden_config_smtp_username: ''
+vaultwarden_config_smtp_password: ''
+
+########################################################################
+#                                                                      #
+# /vaultwarden                                                         #
+#                                                                      #
+########################################################################
+```
+
+In the example configuration above, we configure the service to be hosted at `https://mash.example.com/vaultwarden-secret-custom-prefix`.
+
+You can remove the `vaultwarden_path_prefix` variable definition, to make it default to `/`, so that the service is served at `https://mash.example.com/`.
+
+
+## Usage
+
+After installation, you should be able to access your new Vaultwarden instance at: `https://VAULTWARDEN_DOMAIN/PATH_PREFIX`, where:
+
+- `VAULTWARDEN_DOMAIN` matches your domain, as specified in `vaultwarden_hostname` in your `vars.yml` file
+- `PATH_PREFIX` matches your path prefix, as specified in `vaultwarden_path_prefix` in your `vars.yml` file
+
+To set up your first user account, you should use the `/admin` page, available at `https://VAULTWARDEN_DOMAIN/PATH_PREFIX/admin` and accessible with an admin token, as specified in `vaultwarden_config_admin_token` in your `vars.yml` file.
+
+If you hadn't enabled the `/admin` feature (by defining `vaultwarden_config_admin_token`), you would:
+
+- **either** need to do so and [re-run the playbook](../installing.md) (you can do it quickly with `just install-service vaultwarden`)
+- **or** to enable public registration (`vaultwarden_config_signups_enabled: true`) at least temporarily.

group_vars/mash_servers

@@ -18,6 +18,8 @@ devture_systemd_service_manager_services_list_auto: |
     +
     ([{'name': (radicale_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'radicale']}] if radicale_enabled else [])
     +
+    ([{'name': (vaultwarden_identifier + '.service'), 'priority': 1000, 'groups': ['mash', 'vaultwarden', 'vaultwarden-server']}])
+    +
     ([{'name': (uptime_kuma_identifier + '.service'), 'priority': 2000, 'groups': ['mash', 'uptime-kuma']}] if uptime_kuma_enabled else [])
   }}
 
@@ -58,6 +60,12 @@ devture_postgres_managed_databases_auto: |
       'username': miniflux_database_username,
       'password': miniflux_database_password,
     }] if miniflux_enabled else [])
+    +
+    ([{
+      'name': vaultwarden_database_name,
+      'username': vaultwarden_database_username,
+      'password': vaultwarden_database_password,
+    }] if vaultwarden_enabled else [])
   }}
 
 ########################################################################
@@ -261,6 +269,51 @@ radicale_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certReso
 
 
 
+########################################################################
+#                                                                      #
+# vaultwarden                                                          #
+#                                                                      #
+########################################################################
+
+vaultwarden_enable: false
+
+vaultwarden_identifier: mash-vaultwarden
+
+vaultwarden_uid: "{{ mash_playbook_uid }}"
+vaultwarden_gid: "{{ mash_playbook_gid }}"
+
+vaultwarden_base_path: "{{ mash_playbook_base_path }}/vaultwarden"
+
+vaultwarden_systemd_required_systemd_services_list: |
+  {{
+    (['docker.service'])
+    +
+    ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])
+  }}
+
+vaultwarden_container_additional_networks: |
+  {{
+    ([mash_playbook_reverse_proxyable_services_additional_network] if mash_playbook_reverse_proxyable_services_additional_network else [])
+    +
+    ([devture_postgres_container_network] if devture_postgres_enabled and vaultwarden_database_hostname == devture_postgres_identifier and vaultwarden_container_network != devture_postgres_container_network else [])
+  }}
+
+vaultwarden_container_labels_traefik_enabled: "{{ mash_playbook_traefik_labels_enabled }}"
+vaultwarden_container_labels_traefik_docker_network: "{{ mash_playbook_reverse_proxyable_services_additional_network }}"
+
+vaultwarden_database_hostname: "{{ devture_postgres_identifier if devture_postgres_enabled else '' }}"
+vaultwarden_database_port: "{{ '5432' if devture_postgres_enabled else '' }}"
+vaultwarden_database_username: "vaultwarden"
+vaultwarden_database_password: "{{ '%s' | format(mash_playbook_generic_secret_key) | password_hash('sha512', 'db.vaultwarden', rounds=655555) | to_uuid }}"
+
+########################################################################
+#                                                                      #
+# /vaultwarden                                                         #
+#                                                                      #
+########################################################################
+
+
+
 ########################################################################
 #                                                                      #
 # etke/uptime_kuma                                                     #

requirements.yml

@@ -41,3 +41,7 @@
 
 - src: git+https://gitlab.com/etke.cc/roles/uptime_kuma.git
   version: v1.20.2-1
+
+- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-vaultwarden.git
+  name: vaultwarden
+  version: v1.27.0-0

setup.yml

@@ -48,6 +48,8 @@
 
     - role: galaxy/radicale
 
+    - role: galaxy/vaultwarden
+
     - role: galaxy/uptime_kuma
 
     - when: devture_systemd_service_manager_enabled | bool