jenstimmerman.vaultwarden

Vaultwarden

This role was previously called `dmaes.bitwardenrs` and `dmaes.vaultwarden`

The Bitwarden_RS project has been renamed to Vaultwarden, and this role has changed along with it (see #12 for details). To enforce this change, we replaced all instances of bitwardenrs with vaultwarden (including variables in the Ansible code, directories, users, systemd services, etc.).

When switching over, please:

Stop the old bitwarden_rs service.
Create a backup of both files and the database.
Update your Ansible code to use the new role.
Either keep the vaultwarden_directory pointing to the old directory or move the files to the new default directory (/opt/vaultwarden). Also, check vaultwarden_datadir if you're using a custom directory.
The new vaultwarden user should have the same permissions on the database as the previous bitwardenrs user.
- For Postgres:
  - su - postgres
  - psql
  - postgres-# GRANT bitwardenrs TO vaultwarden;
Run Ansible, which will create everything under the new name (user and service, but not the directory).
Remove the old user and service (and possibly the data directory).

This role builds, installs, and configures Vaultwarden (without Docker).

Note: Only tested on Rocky Linux 9.

Requirements

Requirements for the unarchive module.
Requirements for the package module.
wget or curl.
jinja version 2.11 or higher.
Systemd (optional).

Minimum 1 GB of RAM is needed (2 GB recommended), as the Rust compiler will compile Bitwarden on your host, which uses a lot of RAM. Insufficient RAM may result in errors like: Memory cgroup out of memory: Killed process 709453 (rustc) total-vm:2668356kB, anon-rss:955680kB, file-rss:0kB, shmem-rss:0kB, UID:996 pgtables:4516kB oom_score_adj:0

Role Variables

Variable	Description	Default Value
`vaultwarden_directory`	Installation directory for Vaultwarden	`/opt/vaultwarden`
`vaultwarden_version`	Version to install	`latest`
`vaultwarden_webvault`	Install the patched web vault	`true`
`vaultwarden_webvault_version`	Version of the web vault to install (ignored if vaultwarden version is set to latest)	`2022.12.0`
`vaultwarden_build_backend`	Database type to compile for	specific to vaultwarden_version()*
`vaultwarden_force_recompile`	Force recompilation of binary (e.g., if you changed backends)	`false`
`vaultwarden_config`	Environment variables for the Vaultwarden `.env` file	`{ DOMAIN: "https://{{ ansible_fqdn }}/" }`
`vaultwarden_datadir`	Vaultwarden data directory (only creates, not configures)	`{{ vaultwarden_directory }}/data`
`vaultwarden_encryption_key`	RSA key for encryption (content only, not the file)	`""`
`vaultwarden_force_encryption_key`	Force change of encryption key if it exists (DANGEROUS!)	`false`
`vaultwarden_systemd`	Manage systemd service	`{{ ansible_service_mgr == 'systemd' }}`
`vaultwarden_required_service`	Wait for another service before starting vaultwarden	`undefined`
`vaultwarden_proc_limit`	Set LimitNPROC for the systemd service file	`128`
()Starting with `vaultwarden_version: 1.17.0`: defaults to `sqlite,mysql,postgresql`; before that, it defaulted to `sqlite`.*

Example Playbook

- hosts: servers
  vars:
    vaultwarden_configure: yes
    vaultwarden_port: "443"
    vaultwarden_build_backend: "sqlite,postgresql"
    vaultwarden_required_service: "postgresql.service"  # Wait for this service if postgresql has slow starts
    admin_token: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      ...
    vaultwarden_config:
      DOMAIN: "https://example.com/"
      DOMAIN_PATH: "/vaultwarden"  # results in a domain of https://example.com/vaultwarden/, needs to start with a '/'
      ADMIN_TOKEN: "{{ admin_token }}"
      DATABASE_URL: "postgresql:///vaultwarden?host=/run/postgresql/"
      SIGNUPS_ALLOWED: 'false'
      SIGNUPS_VERIFY: 'true'
      SIGNUPS_DOMAINS_WHITELIST: 'example.com'
      INVITATIONS_ALLOWED: 'true'
      SMTP_HOST: 'mail.example.com'
      SMTP_FROM: '[email protected]'
      SMTP_FROM_NAME: 'vaultwarden'
      ROCKET_ADDRESS: '0.0.0.0'
  roles:
    - jenstimmerman.vaultwarden