fix(vaultwarden): handle reverse proxy

Signed-off-by: Matej Focko <me@mfocko.xyz>

roles/vaultwarden/defaults/main.yml

@@ -0,0 +1,10 @@
+---
+# Defines whether Vaultwarden is deployed behind a reverse proxy
+# if so, installs the nginx config file
+vaultwarden_reverse_proxy: true
+
+# Subdomain to be used for the reverse proxy configuration
+vaultwarden_subdomain: vault
+
+# HTTP port that's both exposed by container and used by the reverse proxy
+vaultwarden_http_port: 8888

roles/vaultwarden/tasks/main.yml

@@ -19,6 +19,16 @@
     owner: root
     group: root
 
+- name: Install the reverse proxy config
+  ansible.builtin.template:
+    src: templates/nginx.conf
+    dest: "/etc/nginx/conf.d/vaultwarden.conf"
+    mode: 0644
+    owner: root
+    group: root
+  when: vaultwarden_reverse_proxy
+  notify: Restart nginx
+
 - name: Enable the Vaultwarden quadlet
   ansible.builtin.systemd_service:
     daemon_reload: true

roles/vaultwarden/templates/nginx.conf

@@ -0,0 +1,77 @@
+# {{ ansible_managed }}
+
+# The `upstream` directives ensure that you have a http/1.1 connection
+# This enables the keepalive option and better performance
+#
+# Define the server IP and ports here.
+upstream vaultwarden-default {
+  zone vaultwarden-default 64k;
+  server 127.0.0.1:{{ vaultwarden_http_port }};
+  keepalive 2;
+}
+
+# Needed to support websocket connections
+# See: https://nginx.org/en/docs/http/websocket.html
+# Instead of "close" as stated in the above link we send an empty value.
+# Else all keepalive connections will not work.
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      "";
+}
+
+# Redirect HTTP to HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ vaultwarden_subdomain }}.{{ host_fqdn }};
+
+    if ($host = {{ vaultwarden_subdomain }}.{{ host_fqdn }}) {
+        return 301 https://$host$request_uri;
+    }
+    return 404;
+}
+
+server {
+    # For older versions of nginx appened http2 to the listen line after ssl and remove `http2 on`
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    server_name {{ vaultwarden_subdomain }}.{{ host_fqdn }};
+
+    include ssl.conf;
+
+    client_max_body_size 525M;
+
+    location / {
+      proxy_http_version 1.1;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection $connection_upgrade;
+
+      proxy_set_header Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+
+      proxy_pass http://vaultwarden-default;
+    }
+
+    # Optionally add extra authentication besides the ADMIN_TOKEN
+    # Remove the comments below `#` and create the htpasswd_file to have it active
+    #
+    #location /admin {
+    #  # See: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
+    #  auth_basic "Private";
+    #  auth_basic_user_file /path/to/htpasswd_file;
+    #
+    #  proxy_http_version 1.1;
+    #  proxy_set_header Upgrade $http_upgrade;
+    #  proxy_set_header Connection $connection_upgrade;
+    #
+    #  proxy_set_header Host $host;
+    #  proxy_set_header X-Real-IP $remote_addr;
+    #  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    #  proxy_set_header X-Forwarded-Proto $scheme;
+    #
+    #  proxy_pass http://vaultwarden-default;
+    #}
+}

roles/vaultwarden/templates/vaultwarden.container

@@ -10,7 +10,7 @@ Image=ghcr.io/dani-garcia/vaultwarden:latest
 EnvironmentFile=/etc/vaultwarden.ini
 
 Network=vaultwarden.network
-PublishPort=8888:80
+PublishPort={{ vaultwarden_http_port }}:80
 PublishPort=3012:3012
 
 Volume=vaultwarden-data:/data