From d4477c4beac72fe19680c802ba434685dbf6d48f Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Sun, 21 Mar 2021 18:47:20 +0000
Subject: [PATCH] Add bitwarden_rs
---
ansible/main.yml | 1 +
.../bitwarden_rs/files/docker-compose.yml | 47 +++++++++++++++++++
ansible/roles/bitwarden_rs/handlers/main.yml | 4 ++
ansible/roles/bitwarden_rs/tasks/main.yml | 17 +++++++
ansible/roles/bitwarden_rs/vars/main.yml | 8 ++++
5 files changed, 77 insertions(+)
create mode 100644 ansible/roles/bitwarden_rs/files/docker-compose.yml
create mode 100644 ansible/roles/bitwarden_rs/handlers/main.yml
create mode 100644 ansible/roles/bitwarden_rs/tasks/main.yml
create mode 100644 ansible/roles/bitwarden_rs/vars/main.yml
diff --git a/ansible/main.yml b/ansible/main.yml
index 9ca4949..44070c4 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -61,6 +61,7 @@ - yourls - pve_nebula_route - privatebin + - bitwarden_rs - hosts: ingress roles:
diff --git a/ansible/roles/bitwarden_rs/files/docker-compose.yml b/ansible/roles/bitwarden_rs/files/docker-compose.yml
new file mode 100644
index 0000000..42690da
--- /dev/null
+++ b/ansible/roles/bitwarden_rs/files/docker-compose.yml
@@ -0,0 +1,47 @@
+version: '3'
+
+services:
+ bitwarden:
+ image: bitwardenrs/server:1.19.0-alpine
+ restart: unless-stopped
+ user: "{{ docker_user.id }}:{{ docker_user.id }}"
+ volumes:
+ - "{{ app_data_dir }}/bitwarden_rs/:/data"
+ depends_on:
+ - db
+ labels:
+ - traefik.enable=true
+
+ - traefik.http.routers.bitwarden-ui.rule=Host(`bw.jakehoward.tech`)
+ - traefik.http.routers.bitwarden-ui.service=bitwarden-ui
+ - traefik.http.services.bitwarden-ui.loadbalancer.server.port=80
+ - traefik.http.routers.bitwarden-ui.tls.certresolver=le
+
+ - traefik.http.routers.bitwarden-websocket.rule=Host(`bw.jakehoward.tech`) && Path(`/notifications/hub`)
+ - traefik.http.routers.bitwarden-websocket.service=bitwarden-websocket
+ - traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012
+ - traefik.http.routers.bitwarden-websocket.tls.certresolver=le
+
+ - traefik.http.middlewares.bw-ratelimit.ratelimit.average=5
+ - traefik.http.middlewares.bw-ratelimit.ratelimit.burst=1000
+ - traefik.http.middlewares.bw-compress.compress=true
+
+ - traefik.http.routers.bitwarden-ui.middlewares=bw-ratelimit,bw-compress
+ - traefik.http.routers.bitwarden-websocket.middlewares=bw-ratelimit,bw-compress
+ environment:
+ - SIGNUPS_ALLOWED=false
+ - DOMAIN=https://bw.jakehoward.tech
+ - SHOW_PASSWORD_HINT=false
+ - DATABASE_URL=postgres://bitwarden:{{ bitwarden_database_password }}@db/bitwarden
+ - INVITATIONS_ALLOWED=false
+ - ROCKET_WORKERS=2
+ - WEBSOCKET_ENABLED=true
+
+ db:
+ image: postgres:12-alpine
+ restart: unless-stopped
+ volumes:
+ - /mnt/tank/dbs/postgres/bitwarden_rs/:/var/lib/postgresql/data
+ environment:
+ - POSTGRES_PASSWORD={{ bitwarden_database_password }}
+ - POSTGRES_USER=bitwarden
diff --git a/ansible/roles/bitwarden_rs/handlers/main.yml b/ansible/roles/bitwarden_rs/handlers/main.yml
new file mode 100644
index 0000000..f5c145d
--- /dev/null
+++ b/ansible/roles/bitwarden_rs/handlers/main.yml
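Review bot: In ansible/roles/bitwarden_rs/files/docker-compose.yml the vault password is spliced unescaped into `DATABASE_URL=postgres://bitwarden:{{ bitwarden_database_password }}@db/bitwarden`, so a password containing `@`, `:`, `/`, `#` or `%` changes how the URL parses, and a `$` is consumed by docker-compose variable interpolation on both that line and `POSTGRES_PASSWORD`. I would either percent-encode the URL copy with `{{ bitwarden_database_password | urlencode }}` (note that `urlencode` leaves `/` untouched), or add a comment above the `environment:` block such as `# bitwarden_database_password must be alphanumeric: it is embedded in a URL and in a compose file`. Separately, `bw-ratelimit` with `ratelimit.burst=1000` is attached to the whole `bitwarden-ui` router, so a single source can send a thousand requests before the average of 5 takes effect; if the limit is meant as a control on password guessing it probably needs a much smaller burst on a narrower router, which this hunk does not define.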
@@ -0,0 +1,4 @@
+- name: restart bitwarden_rs
+ shell:
+ chdir: /opt/bitwarden_rs
+ cmd: "{{ docker_update_command }}"
diff --git a/ansible/roles/bitwarden_rs/tasks/main.yml b/ansible/roles/bitwarden_rs/tasks/main.yml
new file mode 100644
index 0000000..231671d
--- /dev/null
+++ b/ansible/roles/bitwarden_rs/tasks/main.yml
@@ -0,0 +1,17 @@
+- name: Create install directory
+ file:
+ path: /opt/bitwarden_rs
+ state: directory
+ owner: "{{ docker_user.name }}"
+ mode: "{{ docker_compose_directory_mask }}"
+ become: true
+
+- name: Install compose file
+ template:
+ src: files/docker-compose.yml
+ dest: /opt/bitwarden_rs/docker-compose.yml
+ mode: "{{ docker_compose_file_mask }}"
+ owner: "{{ docker_user.name }}"
+ validate: docker-compose -f %s config
+ notify: restart bitwarden_rs
+ become: true
diff --git a/ansible/roles/bitwarden_rs/vars/main.yml b/ansible/roles/bitwarden_rs/vars/main.yml
new file mode 100644
index 0000000..ae83496
--- /dev/null
+++ b/ansible/roles/bitwarden_rs/vars/main.yml
@@ -0,0 +1,8 @@
+bitwarden_database_password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 37666163343038663763633038323938383665386463666239313431626334613432346462656366
+ 3937363766396236326333353332393564623736336535630a333930613864396536366330633438
+ 37376637646561636238646636356533343837376336636637646434383731316264353462383039
+ 3138666164623437360a306538323263313966633631653739313435646435363236303066663938
+ 34336366313439356434353333373963633666306463323662353033393832356462666163613161
+ 3031623933363563343163376564373066613634356237643663
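Review bot: The `Install compose file` task in ansible/roles/bitwarden_rs/tasks/main.yml renders the database password in cleartext into /opt/bitwarden_rs/docker-compose.yml, and nothing in the hunk keeps it out of Ansible output: a run with `--diff` prints the rendered template, secret included. Adding `no_log: true` to that task avoids this, at the cost of hiding validation errors. The file mode comes from `docker_compose_file_mask`, which is defined outside this patch, so it is worth confirming that it denies group and other read now that the file holds a secret; the task also sets `owner` without `group`. As a point of style, the source lives under `files/` but is consumed by `template:`, and `templates/docker-compose.yml` is the conventional location.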
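Review bot: The inline `!vault` value in ansible/roles/bitwarden_rs/vars/main.yml puts the ciphertext into repository history permanently, so the database password is only as well protected as the vault password; anyone holding a copy of the repository can test vault-password guesses offline. I would add a comment above the variable, for example `# Encrypted with ansible-vault; rotate this password if the vault password is ever disclosed`, and make sure the vault password is long and randomly generated. Role `vars/` also takes precedence over inventory variables, so a per-environment override in inventory would not take effect; `defaults/main.yml` is the usual place if that is wanted.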