From 4051494ea687f7be60ab33d781fccfe2dd233ec9 Mon Sep 17 00:00:00 2001
From: Tobias Lehmann
Date: Sun, 12 Oct 2025 11:57:54 +0200
Subject: [PATCH] added vaultwarden

---
 inventory/hosts.yml | 39 +++++++------
 playbooks/lehmann-vaultwarden.yml | 62 +++++++++++++++++++++
 templates/vaultwarden/.env.j2 | 4 ++
 templates/vaultwarden/docker-compose.yml.j2 | 45 +++++++++++++++
 4 files changed, 132 insertions(+), 18 deletions(-)
 create mode 100644 playbooks/lehmann-vaultwarden.yml
 create mode 100644 templates/vaultwarden/.env.j2
 create mode 100644 templates/vaultwarden/docker-compose.yml.j2

diff --git a/inventory/hosts.yml b/inventory/hosts.yml
index 6e93548..b9e9956 100644
--- a/inventory/hosts.yml
+++ b/inventory/hosts.yml
@@ -8,24 +8,6 @@ all:
 hosts:
 leh01:
 ansible_host: 192.168.100.30
- git:
- ansible_host: 192.168.180.20
- dashboard:
- ansible_host: 192.168.180.220
- jellyfin:
- ansible_host: 192.168.180.190
- timescaledb:
- ansible_host: 192.168.150.130
- vectordb:
- ansible_host: 192.168.150.131
- photoprism:
- ansible_host: 192.168.180.180
- harvester:
- ansible_host: 192.168.150.175
- n8n:
- ansible_host: 192.168.150.176
- crawl4ai:
- ansible_host: 192.168.150.177
 bankmanager:
 ansible_host: 192.168.110.20
 urbackup:
@@ -34,3 +16,24 @@ all:
 ansible_host: 192.168.110.112
 llama01:
 ansible_host: 192.168.130.52
+ timescaledb:
+ ansible_host: 192.168.150.130
+ vectordb:
+ ansible_host: 192.168.150.131
+ harvester:
+ ansible_host: 192.168.150.175
+ n8n:
+ ansible_host: 192.168.150.176
+ crawl4ai:
+ ansible_host: 192.168.150.177
+ git:
+ ansible_host: 192.168.180.20
+ photoprism:
+ ansible_host: 192.168.180.180
+ vaultwarden:
+ ansible_host: 192.168.180.181
+ jellyfin:
+ ansible_host: 192.168.180.190
+ dashboard:
+ ansible_host: 192.168.180.220
+
diff --git a/playbooks/lehmann-vaultwarden.yml b/playbooks/lehmann-vaultwarden.yml
new file mode 100644
index 0000000..aae9b63
--- /dev/null
+++ b/playbooks/lehmann-vaultwarden.yml
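Review bot: The address `192.168.180.181` added for the new `vaultwarden` entry is hard-coded, while the container this commit creates is only given a MAC (`lxc_mac: CC:CC:CC:18:01:81` in the playbook) and no static address in the visible vars, so the inventory presumably depends on a DHCP reservation on vmbr180 that is not expressed anywhere in the repo. A short comment next to the entry, `# DHCP reservation for CC:CC:CC:18:01:81 (see playbooks/lehmann-vaultwarden.yml)`, would make that coupling visible to whoever next renumbers the network. The hunk also ends with an empty added line at end of file, which yamllint's `empty-lines`/`new-line-at-end-of-file` rules flag; drop the trailing `+` line.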
@@ -0,0 +1,62 @@
+#
+#
+# Automated installation for vaultwarden
+#
+# Project: playbooks
+# Author: Tobias Lehmann
+# License: MIT License (see LICENSE.md)
+#
+# Copyright (c) captica GmbH est. 2021
+#
+- hosts: "leh01"
+ name: Create container
+ vars:
+ lxc_id: 143
+ lxc_name: vaultwardem
+ lxc_domain: leh01.local
+ lxc_template: "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst"
+ lxc_mac: CC:CC:CC:18:01:81
+ lxc_bridge: vmbr180
+ lxc_vlan: ""
+ lxc_disk: datapool:20
+ lxc_cpu: 4
+ lxc_memory: 8192
+ lxc_swap: 8192
+ lxc_ssh_pub_key: ~/.ssh/id_ed25519_ansible.pub
+ roles:
+ - lxc-container
+
+- hosts: "vaultwardem"
+ vars:
+ hostname: vaultwardem
+ tools_install_users:
+ - root
+ - ansible
+ ssh_pubkeys_root:
+ - "../files/ssh/root.pub"
+ ssh_pubkeys_ansible:
+ - "../files/ssh/ansible.pub"
+ roles:
+ - linux-base-install
+ - zsh
+ - vim
+ - fzf
+ - linux-docker
+
+- hosts: "vaultwardem"
+ tags:
+ - vaultwardem
+ - install
+ vars:
+ service_name: vaultwardem
+ service_directory: /opt/vaultwardem
+ service_volume_dirs:
+ - appdata
+ service_user_name: vaultwardem
+ service_user_id: 1090
+ service_group_name: vaultwardem
+ service_group_id: 1090
+ bankmanager_version: latest
+ tasks:
+ - name: "Install vaultwardem application"
+ include_tasks: setup-docker-application.yml
\ No newline at end of file
diff --git a/templates/vaultwarden/.env.j2 b/templates/vaultwarden/.env.j2
new file mode 100644
index 0000000..61bab6a
--- /dev/null
+++ b/templates/vaultwarden/.env.j2
@@ -0,0 +1,4 @@
+ADMIN_TOKEN={{vaultwaden_admin_token}}
+SMTP_PASSWORD={{vaultwaden_smtp_password}}
+SSO_CLIENT_ID={{vaultwaden_client_id}}
+SSO_CLIENT_SECRET={{vaultwaden_client_secret}}
\ No newline at end of file
diff --git a/templates/vaultwarden/docker-compose.yml.j2 b/templates/vaultwarden/docker-compose.yml.j2
new file mode 100644
index 0000000..bba8515
--- /dev/null
+++ b/templates/vaultwarden/docker-compose.yml.j2
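Review bot: The second and third plays target `hosts: "vaultwardem"`, but the inventory entry this same commit adds is spelled `vaultwarden` (192.168.180.181), so Ansible will warn that the pattern matched no hosts and silently skip both the base install and the application deploy. The misspelling is carried into `lxc_name`, `hostname`, `service_name`, `service_directory: /opt/vaultwardem` and the user/group names, while the templates live under `templates/vaultwarden/`; if setup-docker-application.yml (not in this diff) resolves templates by `service_name`, it will not find them either. Rename consistently, e.g. `- hosts: "vaultwarden"`, `lxc_name: vaultwarden`, `service_name: vaultwarden`. `bankmanager_version: latest` looks like a leftover from the bankmanager playbook and is referenced by nothing visible here; drop it. Note also that docker-compose.yml.j2 mounts `{{ service_directory }}/data`, whereas `service_volume_dirs` only pre-creates `appdata`, so `/opt/.../data` will presumably be created by Docker as root rather than owned by uid 1090 — align one with the other.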
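Review bot: The variables `vaultwaden_admin_token`, `vaultwaden_smtp_password`, `vaultwaden_client_id` and `vaultwaden_client_secret` use yet another spelling (`vaultwaden`) and are defined nowhere in this commit; the template task will fail with an undefined-variable error unless they exist under exactly that name in group_vars/host_vars, and since they are the admin token, mail password and OIDC client secret they must be stored there as Ansible Vault-encrypted values, never in plaintext. The values are also written unquoted: recent Compose applies `${...}` interpolation to unquoted `.env` values, so an argon2 PHC-format `ADMIN_TOKEN` (which contains `$`) would be mangled — single-quote them, e.g. `ADMIN_TOKEN='{{ vaultwaden_admin_token }}'`. Whatever task renders this file should install it with `mode: "0600"` and the service user as owner; setup-docker-application.yml is not in the diff, so I cannot confirm that it does. The file additionally lacks a trailing newline.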
@@ -0,0 +1,45 @@
+services:
+ vaultwarden:
+ image: vaultwarden/server:latest
+ environment:
+ - TZ=Europe/Berlin
+ - DOMAIN=https://vault.lehmannhaus.de # z.B. https://vw.example.home oder http://localhost:8080
+ - ADMIN_TOKEN=${ADMIN_TOKEN} # starkes Token für Admin-Panel
+ - SIGNUPS_ALLOWED=false # Family: Accounts nur via Einladung
+ - WEBSOCKET_ENABLED=true # auf true setzen, wenn du Port 3012 mappst
+ - LOG_FILE=/data/vaultwarden.log
+ - LOG_LEVEL=info
+
+ - SMTP_HOST=mail.gmx.net
+ - SMTP_FROM="Vaultwarden "
+ - SMTP_PORT=587
+ - SMTP_SECURITY=starttls
+ - SMTP_TIMEOUT=15
+ - SMTP_USERNAME=info.lehmannhaus@gmx.de
+ - SMTP_PASSWORD=${SMTP_PASSWORD}
+
+ # ---- OIDC / SSO (Vaultwarden >= v1.34) ----
+ - SSO_ENABLED=true
+ - SSO_ONLY=false # true = nur SSO-Login erlauben
+ - SSO_AUTHORITY=https://cloud.lehmannhaus.de
+ - SSO_CLIENT_ID=${SSO_CLIENT_ID}
+ - SSO_CLIENT_SECRET=${SSO_CLIENT_SECRET}
+ - SSO_SCOPES=openid profile email # Nextcloud: üblicherweise diese drei
+ - SSO_PKCE=true
+
+ restart: always
+ ports:
+ - '8080:80'
+ - '3012:3012'
+ volumes:
+ - {{ service_directory }}/data:/data
+ networks:
+ - default
+
+networks:
+ default:
+ ipam:
+ driver: default
+ config:
+ - subnet: 172.9.0.0/16
+ gateway: 172.9.0.1
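Review bot: `image: vaultwarden/server:latest` is unpinned, which for a password manager is both a supply-chain and a stability risk — the SSO block below depends on the ≥1.34 behaviour the comment mentions, and a floating tag can silently change what `restart: always` brings up after every pull; pin a release tag or `@sha256:` digest and bump it deliberately. `ports: - '8080:80'` publishes Vaultwarden's plaintext HTTP listener on every interface of the host, while `DOMAIN=https://vault.lehmannhaus.de` implies a TLS-terminating reverse proxy in front of it; bind it to the proxy only, e.g. `- '127.0.0.1:8080:80'`, or drop `ports` and attach the proxy to this network. `WEBSOCKET_ENABLED=true` and the separate `'3012:3012'` mapping are, as far as I recall, obsolete since Vaultwarden 1.31 (websocket notifications are served on the main port) — verify against the pinned release and remove both if so. The container also runs as root by default even though the playbook creates uid/gid 1090 for this service; consider `user: "1090:1090"` with `/data` owned accordingly (the listener port must then move above 1024 per the upstream non-root notes).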