-
Notifications
You must be signed in to change notification settings - Fork 1
/
main.yml
302 lines (248 loc) · 16.8 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
---
# Vaultwaden is a lightweight unofficial and compatible implementation of the Bitwarden password manager.
# Project source code URL: https://github.com/dani-garcia/vaultwarden
vaultwarden_enabled: true
vaultwarden_identifier: vaultwarden
vaultwarden_version: 1.32.7
# The fully-qualified name of your Vaultwarden server (e.g. `vaultwarden.example.com`)
vaultwarden_hostname: ''
# vaultwarden_path_prefix controls the URL prefix where Vaultwarden will be exposed to.
#
# By default (`/` prefix), it's accessible at `https://VAULTWARDEN_DOMAIN/`,
# but you can use another prefix for additional security.
# See: https://github.com/dani-garcia/vaultwarden/wiki/Hardening-Guide#hiding-under-a-subdir
#
# Example: '/my-secret-warden'
vaultwarden_path_prefix: '/'
vaultwarden_container_image: "{{ vaultwarden_container_registry_prefix }}dani-garcia/vaultwarden:{{ vaultwarden_container_image_tag }}"
vaultwarden_container_image_tag: "{{ vaultwarden_version }}-alpine"
vaultwarden_container_image_force_pull: "{{ vaultwarden_container_image.endswith(':latest') }}"
vaultwarden_container_registry_prefix: ghcr.io/
vaultwarden_container_hostname: "{{ vaultwarden_hostname }}"
vaultwarden_container_network: "{{ vaultwarden_identifier }}"
# A list of additional container networks that the container would be connected to.
# The playbook does not create these networks, so make sure they already exist.
#
# Use this to expose this container to another reverse proxy, which runs in a different container network,
# without exposing all other container services to that other reverse-proxy.
#
# For background, see: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1498
vaultwarden_container_additional_networks: "{{ vaultwarden_container_additional_networks_auto + vaultwarden_container_additional_networks_custom }}"
# vaultwarden_container_additional_networks_auto is reserved for usage by the playbook.
# Your custom networks should go into vaultwarden_container_additional_networks_custom.
vaultwarden_container_additional_networks_auto: []
vaultwarden_container_additional_networks_custom: []
vaultwarden_uid: ''
vaultwarden_gid: ''
vaultwarden_base_path: "/vaultwarden"
vaultwarden_data_dir_path: "{{ vaultwarden_base_path }}/data"
vaultwarden_cache_dir_path: "{{ vaultwarden_base_path }}/cache"
vaultwarden_ephemeral_dir_path: "{{ vaultwarden_base_path }}/ephemeral"
vaultwarden_systemd_required_systemd_services_list: "{{ vaultwarden_systemd_required_systemd_services_list_default + vaultwarden_systemd_required_systemd_services_list_auto + vaultwarden_systemd_required_systemd_services_list_custom }}"
vaultwarden_systemd_required_systemd_services_list_default: ['docker.service']
vaultwarden_systemd_required_systemd_services_list_auto: []
vaultwarden_systemd_required_systemd_services_list_custom: []
vaultwarden_systemd_wanted_systemd_services_list: "{{ vaultwarden_systemd_wanted_systemd_services_list_default + vaultwarden_systemd_wanted_systemd_services_list_auto + vaultwarden_systemd_wanted_systemd_services_list_custom }}"
vaultwarden_systemd_wanted_systemd_services_list_default: []
vaultwarden_systemd_wanted_systemd_services_list_auto: []
vaultwarden_systemd_wanted_systemd_services_list_custom: []
vaultwarden_database_type: postgres
vaultwarden_database_hostname: ''
vaultwarden_database_port: 5432
vaultwarden_database_name: vaultwarden
vaultwarden_database_username: ''
vaultwarden_database_password: ''
# Use this to set the sslmode parameter of the SSL connection
# By default, we expect a local container (without SSL), so attempting SSL connections is not necessary.
# It's even potentially buggy too.
# See: https://github.com/dani-garcia/vaultwarden/issues/2386
vaultwarden_database_sslmode: disable
# vaultwarden_config_database_url controls the DATABASE_URL environment variable.
# See https://github.com/dani-garcia/vaultwarden/wiki/Using-the-PostgreSQL-Backend
# and the other database-related Wiki articles
vaultwarden_config_database_url: |-
{{
('postgresql://' + vaultwarden_database_username + ':' + vaultwarden_database_password + '@' + vaultwarden_database_hostname + ':' + vaultwarden_database_port | string + '/' + vaultwarden_database_name + '?sslmode=' + vaultwarden_database_sslmode)
if vaultwarden_database_type == 'postgres'
else ''
}}
# vaultwarden_config_domain controls the DOMAIN environment variable,
# which tells Vaultwarden its full URL (e.g. `https://vaultwarden.DOMAIN/prefix`)
vaultwarden_config_domain: "https://{{ vaultwarden_hostname }}{{ vaultwarden_path_prefix }}"
# vaultwarden_config_signups_enabled controls the SIGNUPS_ALLOWED environment variable.
# See: https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users
# Related to: vaultwarden_config_signups_domains_whitelist
# Related to: vaultwarden_config_invitations_allowed
vaultwarden_config_signups_enabled: false
# vaultwarden_config_signups_verify controls the SIGNUPS_VERIFY environment variable.
# See: https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users#restricting-registrations-to-certain-email-domains
vaultwarden_config_signups_verify: false
# vaultwarden_config_invitations_allowed controls the INVITATIONS_ALLOWED environment variable,
# which controls if owners and Organization admins can invite people (even when signups are enabled).
# See: https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations
# Related to: vaultwarden_config_signups_enabled
vaultwarden_config_invitations_allowed: true
# vaultwarden_config_signups_enabled controls the SIGNUPS_DOMAINS_WHITELIST environment variable.
# See: https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users#restricting-registrations-to-certain-email-domains
# Note: this is meant to be a list of domain strings (e.g. `['example.com', 'another.com']`, not a comma-separated string like shown in the upstream docs.
vaultwarden_config_signups_domains_whitelist: []
# vaultwarden_config_show_password_hint controls the SHOW_PASSWORD_HINT environment variable,
# which can allow showing password hints directly in the user interface.
# See: https://github.com/dani-garcia/vaultwarden/wiki/Password-hint-display
vaultwarden_config_show_password_hint: false
# vaultwarden_config_require_device_email controls the REQUIRE_DEVICE_EMAIL environment variable,
# which controls whether to require new device emails.
# When a user logs in an email is required to be sent. If sending the email fails the login attempt will fail!
vaultwarden_config_require_device_email: false
# vaultwarden_config_admin_token controls the ADMIN_TOKEN environment variable,
# which (if set) exposes an /admin page, where people possesing this token can perform administrative actions.
# See: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page
vaultwarden_config_admin_token: ''
# vaultwarden_config_rocket_port controls the ROCKET_PORT environment variable,
# which controls Vaultwarden's HTTP port in the container
vaultwarden_config_rocket_port: 8080
# vaultwarden_config_rocket_limits controls the ROCKET_LIMITS environment variable,
# which controls the maximum size of uploaded files.
# See: vaultwarden_max_json_mb
# See: https://github.com/dani-garcia/vaultwarden/wiki/Changing-the-API-request-size-limit
vaultwarden_config_rocket_limits: "{json={{ vaultwarden_max_json_mb | int * 1024 * 1024 }}}"
# vaultwarden_config_smtp_from controls the SMTP_FROM environment variable.
# See: https://github.com/dani-garcia/vaultwarden/wiki/SMTP-Configuration
vaultwarden_config_smtp_from: "noreply@{{ vaultwarden_hostname }}"
# vaultwarden_config_smtp_host controls the SMTP_HOST environment variable.
# See: https://github.com/dani-garcia/vaultwarden/wiki/SMTP-Configuration
vaultwarden_config_smtp_host: ''
# vaultwarden_config_smtp_port controls the SMTP_PORT environment variable.
# See: https://github.com/dani-garcia/vaultwarden/wiki/SMTP-Configuration
# See: vaultwarden_config_smtp_security
vaultwarden_config_smtp_port: 587
# vaultwarden_config_smtp_security controls the SMTP_SECURITY environment variable.
# Valid values: starttls, force_tls, off
# See: https://github.com/dani-garcia/vaultwarden/wiki/SMTP-Configuration
vaultwarden_config_smtp_security: starttls
# vaultwarden_config_smtp_username controls the SMTP_USERNAME environment variable.
# See: https://github.com/dani-garcia/vaultwarden/wiki/SMTP-Configuration
vaultwarden_config_smtp_username: ''
# vaultwarden_config_smtp_password controls the SMTP_PASSWORD environment variable.
# See: https://github.com/dani-garcia/vaultwarden/wiki/SMTP-Configuration
vaultwarden_config_smtp_password: ''
# vaultwarden_config_smtp_auth_mechanism controls the SMTP_AUTH_MECHANISM environment variable.
# Valid values: Plain, Login, Xoauth2. Multiple may be provided when comma-separated
# See: https://github.com/dani-garcia/vaultwarden/wiki/SMTP-Configuration
vaultwarden_config_smtp_auth_mechanism: Login
# vaultwarden_config_icon_cache_folder controls the ICON_CACHE_FOLDER environment variable.
vaultwarden_config_icon_cache_folder: /cache/icon_cache
# vaultwarden_config_sends_folder controls the SENDS_FOLDER environment variable.
vaultwarden_config_sends_folder: /ephemeral/sends
# vaultwarden_config_tmp_folder controls the TMP_FOLDER environment variable.
vaultwarden_config_tmp_folder: /ephemeral/tmp
# vaultwarden_config_log_level controls the LOG_LEVEL environment variable.
# Valid values: trace, debug, info, warn, error, off
vaultwarden_config_log_level: info
# vaultwarden_config_extended_logging controls the EXTENDED_LOGGING environment variable,
# which (when enabled) shows timestamps and targets in the logs
vaultwarden_config_extended_logging: false
# vaultwarden_config_experimental_client_feature_flags controls the EXPERIMENTAL_CLIENT_FEATURE_FLAGS environment variable,
# which enable experimental feature flags for clients.
# This is a comma-separated list of flags, e.g. "flag1,flag2,flag3".
vaultwarden_config_experimental_client_feature_flags: ''
# NOTE:
# Additional environment variables for configuration can be discovered from https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
# and configured using vaultwarden_container_additional_environment_variables
# vaultwarden_max_json_mb the maximum size of uploaded JSON payloads.
# This ultimately influences the json setting of vaultwarden_config_rocket_limits.
# See: https://github.com/dani-garcia/vaultwarden/wiki/Changing-the-API-request-size-limit
vaultwarden_max_json_mb: 10
# Specifies the value of the `X-XSS-Protection` header
# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
#
# Learn more about it is here:
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
# - https://portswigger.net/web-security/cross-site-scripting/reflected
vaultwarden_http_header_xss_protection: "1; mode=block"
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
vaultwarden_http_header_frame_options: SAMEORIGIN
# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
vaultwarden_http_header_content_type_options: nosniff
# Specifies the value of the `Content-Security-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
vaultwarden_http_header_content_security_policy: frame-ancestors 'self'
# Specifies the value of the `Permission-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
vaultwarden_http_header_content_permission_policy: "{{ 'interest-cohort=()' if vaultwarden_floc_optout_enabled else '' }}"
# Specifies the value of the `Strict-Transport-Security` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
vaultwarden_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if vaultwarden_hsts_preload_enabled else '' }}"
# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
#
# Learn more about what it is here:
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
# - https://amifloced.org/
#
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
# See: `vaultwarden_content_permission_policy`
vaultwarden_floc_optout_enabled: true
# Controls if HSTS preloading is enabled
#
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
# indicates a willingness to be "preloaded" into browsers:
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
# For more information visit:
# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# - https://hstspreload.org/#opt-in
# See: `vaultwarden_http_header_strict_transport_security`
vaultwarden_hsts_preload_enabled: false
# vaultwarden_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `vaultwarden_container_labels_additional_labels`.
vaultwarden_container_labels_traefik_enabled: true
vaultwarden_container_labels_traefik_docker_network: "{{ vaultwarden_container_network }}"
vaultwarden_container_labels_traefik_hostname: "{{ vaultwarden_hostname }}"
# The path prefix must either be `/` or not end with a slash (e.g. `/vaultwarden`).
vaultwarden_container_labels_traefik_path_prefix: "{{ vaultwarden_path_prefix }}"
vaultwarden_container_labels_traefik_rule_ui: "Host(`{{ vaultwarden_container_labels_traefik_hostname }}`){% if vaultwarden_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ vaultwarden_container_labels_traefik_path_prefix | quote }}`){% endif %}"
vaultwarden_container_labels_traefik_priority: 0
vaultwarden_container_labels_traefik_entrypoints: web-secure
vaultwarden_container_labels_traefik_tls_certResolver: default # noqa var-naming
# Controls whether a compression middleware will be injected into the middlewares list.
# This compression middleware is supposed to be defined elsewhere (using labels or a File provider, etc.) and is merely referenced by this router.
vaultwarden_container_labels_traefik_compression_middleware_enabled: false
vaultwarden_container_labels_traefik_compression_middleware_name: ""
# Controls which additional headers to attach to all HTTP responses.
# To add your own headers, use `vaultwarden_container_labels_traefik_additional_response_headers_custom`
vaultwarden_container_labels_traefik_additional_response_headers: "{{ vaultwarden_container_labels_traefik_additional_response_headers_auto | combine(vaultwarden_container_labels_traefik_additional_response_headers_custom) }}"
vaultwarden_container_labels_traefik_additional_response_headers_auto: |
{{
{}
| combine ({'X-XSS-Protection': vaultwarden_http_header_xss_protection} if vaultwarden_http_header_xss_protection else {})
| combine ({'X-Frame-Options': vaultwarden_http_header_frame_options} if vaultwarden_http_header_frame_options else {})
| combine ({'X-Content-Type-Options': vaultwarden_http_header_content_type_options} if vaultwarden_http_header_content_type_options else {})
| combine ({'Content-Security-Policy': vaultwarden_http_header_content_security_policy} if vaultwarden_http_header_content_security_policy else {})
| combine ({'Permission-Policy': vaultwarden_http_header_content_permission_policy} if vaultwarden_http_header_content_permission_policy else {})
| combine ({'Strict-Transport-Security': vaultwarden_http_header_strict_transport_security} if vaultwarden_http_header_strict_transport_security and vaultwarden_container_labels_traefik_tls else {})
}}
vaultwarden_container_labels_traefik_additional_response_headers_custom: {}
# vaultwarden_container_http_bind_port controls whether (and how) the container exposes its HTTP port (`vaultwarden_config_rocket_port`).
# Leave empty to not expose it.
# Example values: `127.0.0.1:8080`, `0.0.0.0:8080`, `8080`.
vaultwarden_container_http_bind_port: ''
# vaultwarden_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# vaultwarden_container_labels_additional_labels: |
# my.label=1
# another.label="here"
vaultwarden_container_labels_additional_labels: ''
# vaultwarden_container_additional_environment_variables contains a multiline string with additional environment variables to pass to the container.
#
# Example:
# vaultwarden_container_additional_environment_variables: |
# VAR=1
# ANOTHER=value
vaultwarden_container_additional_environment_variables: ''