added vaultwarden

2025-10-12 11:57:54 +02:00 · 2025-10-12 11:57:54 +02:00 · 4051494ea6
commit 4051494ea6
parent 3b4c5ed58e
4 changed files with 132 additions and 18 deletions
--- a/inventory/hosts.yml
+++ b/inventory/hosts.yml
@ -8,24 +8,6 @@ all:
      hosts:
        leh01:
          ansible_host: 192.168.100.30
        git:
          ansible_host: 192.168.180.20
        dashboard:
          ansible_host: 192.168.180.220
        jellyfin:
          ansible_host: 192.168.180.190
        timescaledb:
          ansible_host: 192.168.150.130
        vectordb:
          ansible_host: 192.168.150.131
        photoprism:
          ansible_host: 192.168.180.180
        harvester:
          ansible_host: 192.168.150.175
        n8n:
          ansible_host: 192.168.150.176
        crawl4ai:
          ansible_host: 192.168.150.177
        bankmanager:
          ansible_host: 192.168.110.20
        urbackup:
@ -34,3 +16,24 @@ all:
          ansible_host: 192.168.110.112
        llama01:
          ansible_host: 192.168.130.52
        timescaledb:
          ansible_host: 192.168.150.130
        vectordb:
          ansible_host: 192.168.150.131
        harvester:
          ansible_host: 192.168.150.175
        n8n:
          ansible_host: 192.168.150.176
        crawl4ai:
          ansible_host: 192.168.150.177
        git:
          ansible_host: 192.168.180.20        
        photoprism:
          ansible_host: 192.168.180.180
        vaultwarden:
          ansible_host: 192.168.180.181
        jellyfin:
          ansible_host: 192.168.180.190
        dashboard:
          ansible_host: 192.168.180.220
--- a/playbooks/lehmann-vaultwarden.yml
+++ b/playbooks/lehmann-vaultwarden.yml
@ -0,0 +1,62 @@
 #
 # 
 # Automated installation for vaultwarden
 # 
 # Project: playbooks
 # Author: Tobias Lehmann <tobias.lehmann@captica.de>
 # License: MIT License (see LICENSE.md)
 # 
 # Copyright (c) captica GmbH est. 2021
 #
 - hosts: "leh01"
  name: Create container
  vars:
    lxc_id: 143
    lxc_name: vaultwardem
    lxc_domain: leh01.local
    lxc_template: "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst"
    lxc_mac: CC:CC:CC:18:01:81
    lxc_bridge: vmbr180
    lxc_vlan: ""
    lxc_disk: datapool:20
    lxc_cpu: 4
    lxc_memory: 8192
    lxc_swap: 8192
    lxc_ssh_pub_key: ~/.ssh/id_ed25519_ansible.pub
  roles:
    - lxc-container
 - hosts: "vaultwardem" 
  vars:    
    hostname: vaultwardem
    tools_install_users:
      - root     
      - ansible
    ssh_pubkeys_root:
      - "../files/ssh/root.pub"
    ssh_pubkeys_ansible:
      - "../files/ssh/ansible.pub"
  roles: 
    - linux-base-install
    - zsh
    - vim    
    - fzf    
    - linux-docker
 - hosts: "vaultwardem"
  tags: 
    - vaultwardem
    - install
  vars:
    service_name: vaultwardem
    service_directory: /opt/vaultwardem
    service_volume_dirs:
      - appdata
    service_user_name: vaultwardem
    service_user_id: 1090
    service_group_name: vaultwardem
    service_group_id: 1090    
    bankmanager_version: latest
  tasks:
    - name: "Install vaultwardem application"
      include_tasks: setup-docker-application.yml
--- a/templates/vaultwarden/.env.j2
+++ b/templates/vaultwarden/.env.j2
@ -0,0 +1,4 @@
 ADMIN_TOKEN={{vaultwaden_admin_token}}
 SMTP_PASSWORD={{vaultwaden_smtp_password}}
 SSO_CLIENT_ID={{vaultwaden_client_id}}
 SSO_CLIENT_SECRET={{vaultwaden_client_secret}}
--- a/templates/vaultwarden/docker-compose.yml.j2
+++ b/templates/vaultwarden/docker-compose.yml.j2
@ -0,0 +1,45 @@
 services:
  vaultwarden:
    image: vaultwarden/server:latest
    environment:
      - TZ=Europe/Berlin
      - DOMAIN=https://vault.lehmannhaus.de                     # z.B. https://vw.example.home oder http://localhost:8080
      - ADMIN_TOKEN=${ADMIN_TOKEN}           # starkes Token für Admin-Panel
      - SIGNUPS_ALLOWED=false                   # Family: Accounts nur via Einladung
      - WEBSOCKET_ENABLED=true                 # auf true setzen, wenn du Port 3012 mappst
      - LOG_FILE=/data/vaultwarden.log
      - LOG_LEVEL=info
      - SMTP_HOST=mail.gmx.net
      - SMTP_FROM="Vaultwarden <info.lehmannhaus@gmx.de>"
      - SMTP_PORT=587
      - SMTP_SECURITY=starttls
      - SMTP_TIMEOUT=15
      - SMTP_USERNAME=info.lehmannhaus@gmx.de
      - SMTP_PASSWORD=${SMTP_PASSWORD}
      # ---- OIDC / SSO (Vaultwarden >= v1.34) ----
      - SSO_ENABLED=true
      - SSO_ONLY=false                          # true = nur SSO-Login erlauben
      - SSO_AUTHORITY=https://cloud.lehmannhaus.de
      - SSO_CLIENT_ID=${SSO_CLIENT_ID}
      - SSO_CLIENT_SECRET=${SSO_CLIENT_SECRET}
      - SSO_SCOPES=openid profile email         # Nextcloud: üblicherweise diese drei
      - SSO_PKCE=true  
    restart: always
    ports:
      - '8080:80'
      - '3012:3012' 
    volumes:
      - {{ service_directory }}/data:/data
    networks:      
      - default
 networks:
  default:
    ipam:
      driver: default
      config:
        - subnet: 172.9.0.0/16
          gateway: 172.9.0.1