added vaultwarden

2025-10-12 11:57:54 +02:00 · 2025-10-12 11:57:54 +02:00 · 4051494ea6
commit 4051494ea6
parent 3b4c5ed58e
4 changed files with 132 additions and 18 deletions
--- a/inventory/hosts.yml
+++ b/inventory/hosts.yml
@ -8,24 +8,6 @@ all:
      hosts:
        leh01:
          ansible_host: 192.168.100.30
-        git:
-          ansible_host: 192.168.180.20
-        dashboard:
-          ansible_host: 192.168.180.220
-        jellyfin:
-          ansible_host: 192.168.180.190
-        timescaledb:
-          ansible_host: 192.168.150.130
-        vectordb:
-          ansible_host: 192.168.150.131
-        photoprism:
-          ansible_host: 192.168.180.180
-        harvester:
-          ansible_host: 192.168.150.175
-        n8n:
-          ansible_host: 192.168.150.176
-        crawl4ai:
-          ansible_host: 192.168.150.177
        bankmanager:
          ansible_host: 192.168.110.20
        urbackup:
@ -34,3 +16,24 @@ all:
          ansible_host: 192.168.110.112
        llama01:
          ansible_host: 192.168.130.52
+        timescaledb:
+          ansible_host: 192.168.150.130
+        vectordb:
+          ansible_host: 192.168.150.131
+        harvester:
+          ansible_host: 192.168.150.175
+        n8n:
+          ansible_host: 192.168.150.176
+        crawl4ai:
+          ansible_host: 192.168.150.177
+        git:
+          ansible_host: 192.168.180.20        
+        photoprism:
+          ansible_host: 192.168.180.180
+        vaultwarden:
+          ansible_host: 192.168.180.181
+        jellyfin:
+          ansible_host: 192.168.180.190
+        dashboard:
+          ansible_host: 192.168.180.220
+        
--- a/playbooks/lehmann-vaultwarden.yml
+++ b/playbooks/lehmann-vaultwarden.yml
@ -0,0 +1,62 @@
+#
+# 
+# Automated installation for vaultwarden
+# 
+# Project: playbooks
+# Author: Tobias Lehmann <tobias.lehmann@captica.de>
+# License: MIT License (see LICENSE.md)
+# 
+# Copyright (c) captica GmbH est. 2021
+#
+- hosts: "leh01"
+  name: Create container
+  vars:
+    lxc_id: 143
+    lxc_name: vaultwardem
+    lxc_domain: leh01.local
+    lxc_template: "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst"
+    lxc_mac: CC:CC:CC:18:01:81
+    lxc_bridge: vmbr180
+    lxc_vlan: ""
+    lxc_disk: datapool:20
+    lxc_cpu: 4
+    lxc_memory: 8192
+    lxc_swap: 8192
+    lxc_ssh_pub_key: ~/.ssh/id_ed25519_ansible.pub
+  roles:
+    - lxc-container
+
+- hosts: "vaultwardem" 
+  vars:    
+    hostname: vaultwardem
+    tools_install_users:
+      - root     
+      - ansible
+    ssh_pubkeys_root:
+      - "../files/ssh/root.pub"
+    ssh_pubkeys_ansible:
+      - "../files/ssh/ansible.pub"
+  roles: 
+    - linux-base-install
+    - zsh
+    - vim    
+    - fzf    
+    - linux-docker
+
+- hosts: "vaultwardem"
+  tags: 
+    - vaultwardem
+    - install
+  vars:
+    service_name: vaultwardem
+    service_directory: /opt/vaultwardem
+    service_volume_dirs:
+      - appdata
+    service_user_name: vaultwardem
+    service_user_id: 1090
+    service_group_name: vaultwardem
+    service_group_id: 1090    
+    bankmanager_version: latest
+  tasks:
+    - name: "Install vaultwardem application"
+      include_tasks: setup-docker-application.yml
--- a/templates/vaultwarden/.env.j2
+++ b/templates/vaultwarden/.env.j2
@ -0,0 +1,4 @@
+ADMIN_TOKEN={{vaultwaden_admin_token}}
+SMTP_PASSWORD={{vaultwaden_smtp_password}}
+SSO_CLIENT_ID={{vaultwaden_client_id}}
+SSO_CLIENT_SECRET={{vaultwaden_client_secret}}
--- a/templates/vaultwarden/docker-compose.yml.j2
+++ b/templates/vaultwarden/docker-compose.yml.j2
@ -0,0 +1,45 @@
+services:
+  vaultwarden:
+    image: vaultwarden/server:latest
+    environment:
+      - TZ=Europe/Berlin
+      - DOMAIN=https://vault.lehmannhaus.de                     # z.B. https://vw.example.home oder http://localhost:8080
+      - ADMIN_TOKEN=${ADMIN_TOKEN}           # starkes Token für Admin-Panel
+      - SIGNUPS_ALLOWED=false                   # Family: Accounts nur via Einladung
+      - WEBSOCKET_ENABLED=true                 # auf true setzen, wenn du Port 3012 mappst
+      - LOG_FILE=/data/vaultwarden.log
+      - LOG_LEVEL=info
+
+      - SMTP_HOST=mail.gmx.net
+      - SMTP_FROM="Vaultwarden <info.lehmannhaus@gmx.de>"
+      - SMTP_PORT=587
+      - SMTP_SECURITY=starttls
+      - SMTP_TIMEOUT=15
+      - SMTP_USERNAME=info.lehmannhaus@gmx.de
+      - SMTP_PASSWORD=${SMTP_PASSWORD}
+
+      # ---- OIDC / SSO (Vaultwarden >= v1.34) ----
+      - SSO_ENABLED=true
+      - SSO_ONLY=false                          # true = nur SSO-Login erlauben
+      - SSO_AUTHORITY=https://cloud.lehmannhaus.de
+      - SSO_CLIENT_ID=${SSO_CLIENT_ID}
+      - SSO_CLIENT_SECRET=${SSO_CLIENT_SECRET}
+      - SSO_SCOPES=openid profile email         # Nextcloud: üblicherweise diese drei
+      - SSO_PKCE=true  
+
+    restart: always
+    ports:
+      - '8080:80'
+      - '3012:3012' 
+    volumes:
+      - {{ service_directory }}/data:/data
+    networks:      
+      - default
+
+networks:
+  default:
+    ipam:
+      driver: default
+      config:
+        - subnet: 172.9.0.0/16
+          gateway: 172.9.0.1