diff --git a/roles/vaultwarden/defaults/main.yml b/roles/vaultwarden/defaults/main.yml
new file mode 100644
index 0000000..cffa0f2
--- /dev/null
+++ b/roles/vaultwarden/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+# Defines whether Vaultwarden is deployed behind a reverse proxy
+# if so, installs the nginx config file
+vaultwarden_reverse_proxy: true
+
+# Subdomain to be used for the reverse proxy configuration
+vaultwarden_subdomain: vault
+
+# HTTP port that's both exposed by container and used by the reverse proxy
+vaultwarden_http_port: 8888
diff --git a/roles/vaultwarden/tasks/main.yml b/roles/vaultwarden/tasks/main.yml
index 6b0d112..2be7bb0 100644
--- a/roles/vaultwarden/tasks/main.yml
+++ b/roles/vaultwarden/tasks/main.yml
@@ -19,6 +19,16 @@
     owner: root
     group: root
 
+- name: Install the reverse proxy config
+  ansible.builtin.template:
+    src: templates/nginx.conf
+    dest: "/etc/nginx/conf.d/vaultwarden.conf"
+    mode: 0644
+    owner: root
+    group: root
+  when: vaultwarden_reverse_proxy
+  notify: Restart nginx
+
 - name: Enable the Vaultwarden quadlet
   ansible.builtin.systemd_service:
     daemon_reload: true
diff --git a/roles/vaultwarden/templates/nginx.conf b/roles/vaultwarden/templates/nginx.conf
new file mode 100644
index 0000000..4aa52af
--- /dev/null
+++ b/roles/vaultwarden/templates/nginx.conf
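Review bot: `host_fqdn` is read by templates/nginx.conf in this same commit (`server_name {{ vaultwarden_subdomain }}.{{ host_fqdn }}`) but is not declared in these defaults, so the role fails at template time unless the caller defines it. Document that dependency next to `vaultwarden_subdomain`, e.g. `# Requires host_fqdn (domain the subdomain is joined to) to be set by the inventory or playbook`, or give it a default here. The comment on `vaultwarden_http_port` says the port is "exposed by container"; since the nginx upstream addresses it on 127.0.0.1, it is worth stating that this port is intended to be reached only by nginx on the loopback interface.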
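Review bot: `mode: 0644` in the new template task is an unquoted octal literal; YAML parses it as the integer 420, which Ansible accepts, but ansible-lint's risky-octal rule flags it and a later edit dropping the leading zero would silently set the wrong mode, so write `mode: "0644"`. Separately, when `vaultwarden_reverse_proxy` is later set to false nothing removes /etc/nginx/conf.d/vaultwarden.conf, so a previously installed vhost keeps proxying; a matching removal task keeps the flag honest. The `Restart nginx` handler is not visible in this diff, so I could not confirm it exists.
```yaml
- name: Remove the reverse proxy config
  ansible.builtin.file:
    path: /etc/nginx/conf.d/vaultwarden.conf
    state: absent
  when: not vaultwarden_reverse_proxy
  notify: Restart nginx
```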
@@ -0,0 +1,77 @@
+# {{ ansible_managed }}
+
+# The `upstream` directives ensure that you have a http/1.1 connection
+# This enables the keepalive option and better performance
+#
+# Define the server IP and ports here.
+upstream vaultwarden-default {
+    zone vaultwarden-default 64k;
+    server 127.0.0.1:{{ vaultwarden_http_port }};
+    keepalive 2;
+}
+
+# Needed to support websocket connections
+# See: https://nginx.org/en/docs/http/websocket.html
+# Instead of "close" as stated in the above link we send an empty value.
+# Else all keepalive connections will not work.
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' "";
+}
+
+# Redirect HTTP to HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ vaultwarden_subdomain }}.{{ host_fqdn }};
+
+    if ($host = {{ vaultwarden_subdomain }}.{{ host_fqdn }}) {
+        return 301 https://$host$request_uri;
+    }
+    return 404;
+}
+
+server {
+    # For older versions of nginx appened http2 to the listen line after ssl and remove `http2 on`
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    server_name {{ vaultwarden_subdomain }}.{{ host_fqdn }};
+
+    include ssl.conf;
+
+    client_max_body_size 525M;
+
+    location / {
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        proxy_pass http://vaultwarden-default;
+    }
+
+    # Optionally add extra authentication besides the ADMIN_TOKEN
+    # Remove the comments below `#` and create the htpasswd_file to have it active
+    #
+    #location /admin {
+    #    # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
+    #    auth_basic "Private";
+    #    auth_basic_user_file /path/to/htpasswd_file;
+    #
+    #    proxy_http_version 1.1;
+    #    proxy_set_header Upgrade $http_upgrade;
+    #    proxy_set_header Connection $connection_upgrade;
+    #
+    #    proxy_set_header Host $host;
+    #    proxy_set_header X-Real-IP $remote_addr;
+    #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    #    proxy_set_header X-Forwarded-Proto $scheme;
+    #
+    #    proxy_pass http://vaultwarden-default;
+    #}
+}
diff --git a/roles/vaultwarden/templates/vaultwarden.container b/roles/vaultwarden/templates/vaultwarden.container
index 8b720d4..2ee5fb5 100644
--- a/roles/vaultwarden/templates/vaultwarden.container
+++ b/roles/vaultwarden/templates/vaultwarden.container
@@ -10,7 +10,7 @@ Image=ghcr.io/dani-garcia/vaultwarden:latest EnvironmentFile=/etc/vaultwarden.ini Network=vaultwarden.network -PublishPort=8888:80 +PublishPort={{ vaultwarden_http_port }}:80 PublishPort=3012:3012 Volume=vaultwarden-data:/data
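Review bot: The upstream reaches the container on `127.0.0.1:{{ vaultwarden_http_port }}`, but the container template in this same commit publishes that port as `PublishPort={{ vaultwarden_http_port }}:80` with no host address, so the plain-HTTP backend is reachable on every interface and bypasses both the TLS termination and the optional `/admin` basic auth this file sets up. Binding the publish to loopback, `PublishPort=127.0.0.1:{{ vaultwarden_http_port }}:80`, makes the reverse proxy the only entry point (a host firewall may already cover this, but the diff does not show one). `http2 on;` as a standalone directive needs nginx 1.25.1 or later, as the comment above it hints; naming the minimum version in that comment would save a confusing config-test failure on older hosts. The 3012 port the container also publishes is not proxied by this file; if the image in use serves websockets on the main port, as recent releases appear to, a comment noting that the separate port is unused by this config would help the next reader.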