author | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-04 01:23:43 -0500 |
---|---|---|
committer | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-04 01:52:13 -0500 |
commit | 0261e875679f1bf63c8d689da7fc7e014597885d (patch) | |
tree | 3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/vaultwarden/templates | |
initial commit
Diffstat (limited to 'roles/vaultwarden/templates')
-rw-r--r-- | roles/vaultwarden/templates/etc/sysconfig/vaultwarden.j2 | 48 | ||||
-rw-r--r-- | roles/vaultwarden/templates/etc/systemd/system/vaultwarden.service.j2 | 35 |
2 files changed, 83 insertions, 0 deletions
diff --git a/roles/vaultwarden/templates/etc/sysconfig/vaultwarden.j2 b/roles/vaultwarden/templates/etc/sysconfig/vaultwarden.j2
new file mode 100644
index 0000000..61d50e7
--- /dev/null
+++ b/roles/vaultwarden/templates/etc/sysconfig/vaultwarden.j2
@@ -0,0 +1,48 @@
+ROCKET_CLI_COLORS=false
+
+LOG_LEVEL=warn
+EXTENDED_LOGGING=true
+
+IP_HEADER=X-Forwarded-For
+
+DATABASE_URL=postgresql://{{ vaultwarden_user }}@{{ vaultwarden_db_host }}/{{ vaultwarden_db_name }}
+
+WEBSOCKET_ENABLED=true
+WEBSOCKET_ADDRESS=127.0.0.1
+WEBSOCKET_PORT={{ vaultwarden_websocket_port }}
+
+SIGNUPS_ALLOWED={{ 'false' if vaultwarden_signup_domain_whitelist else 'true' }}
+SIGNUPS_VERIFY={{ vaultwarden_verify_signups }}
+
+{% if vaultwarden_signup_domain_whitelist %}
+SIGNUPS_DOMAINS_WHITELIST={{ vaultwarden_signup_domain_whitelist | join(',') }}
+{% endif %}
+
+DISABLE_ADMIN_TOKEN=true
+
+INVITATIONS_ALLOWED={{ vaultwarden_invitations_allowed }}
+
+{% if vaultwarden_user_attachment_limit_kb %}
+USER_ATTACHMENT_LIMIT={{ vaultwarden_user_attachment_limit_kb }}
+{% endif %}
+
+DOMAIN={{ vaultwarden_url }}
+
+{% if vaultwarden_yubico_client_id is defined %}
+YUBICO_CLIENT_ID={{ vaultwarden_yubico_client_id }}
+YUBICO_SECRET_KEY={{ vaultwarden_yubico_secret_key }}
+{% endif %}
+
+ROCKET_ADDRESS=127.0.0.1
+ROCKET_PORT={{ vaultwarden_port }}
+
+SMTP_HOST=localhost
+SMTP_FROM={{ vaultwarden_smtp_from }}
+SMTP_FROM_NAME={{ vaultwarden_smtp_from_name }}
+SMTP_SECURITY=off
+SMTP_SSL=false
+SMTP_PORT=25
+
+{% if vaultwarden_haveibeenpwned_api_key is defined %}
+HIBP_API_KEY={{ vaultwarden_haveibeenpwned_api_key }}
+{% endif %}
diff --git a/roles/vaultwarden/templates/etc/systemd/system/vaultwarden.service.j2 b/roles/vaultwarden/templates/etc/systemd/system/vaultwarden.service.j2
new file mode 100644
index 0000000..883359b
--- /dev/null
+++ b/roles/vaultwarden/templates/etc/systemd/system/vaultwarden.service.j2
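Review bot: `DISABLE_ADMIN_TOKEN=true` in roles/vaultwarden/templates/etc/sysconfig/vaultwarden.j2 removes Vaultwarden's own authentication from the /admin page, so anyone who can reach that path through the front-end proxy can change server settings and manage users. The listener is bound to 127.0.0.1, so the guard has to live in the reverse-proxy configuration, which is outside this diff; I would record that dependency next to the setting, e.g. `# /admin is unauthenticated here; the reverse proxy must require auth for /admin`. If the proxy does not enforce that, drop this line and set `ADMIN_TOKEN` from a vaulted variable instead. Related, `SIGNUPS_ALLOWED` renders `true` whenever the domain whitelist is empty, so the role's default is open registration unless the defaults (not visible here) say otherwise.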
@@ -0,0 +1,35 @@
+[Unit]
+Description=Vaultwarden Server
+Documentation=https://github.com/dani-garcia/vaultwarden
+Wants=gssproxy.service
+After=network-online.target nss-user-lookup.target gssproxy.service
+
+[Service]
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+DevicePolicy=closed
+ProtectSystem=strict
+ProtectHome=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+ReadWritePaths={{ vaultwarden_data_dir }}
+
+User={{ vaultwarden_user }}
+Group={{ vaultwarden_user }}
+
+Environment=DATA_FOLDER={{ vaultwarden_data_dir }}
+Environment=WEB_VAULT_FOLDER={{ vaultwarden_web_dir }}
+Environment=GSS_USE_PROXY=yes
+EnvironmentFile=/etc/sysconfig/vaultwarden
+
+ExecStart={{ vaultwarden_source_dir }}/target/release/vaultwarden
+
+[Install]
+WantedBy=multi-user.target |
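Review bot: The [Service] sandbox restricts the filesystem, devices and namespaces but leaves the syscall surface and capability bounding set at their defaults. For a network-facing password store running as an unprivileged user I would add `SystemCallFilter=@system-service`, `SystemCallArchitectures=native` and an empty `CapabilityBoundingSet=` after `LockPersonality=yes`, assuming `vaultwarden_port` is unprivileged (its value is not shown here). Check the result with `systemd-analyze security vaultwarden.service` and a start-up test before rolling out. Separately, `After=network-online.target` only orders the unit; systemd's guidance is to pair it with `Wants=network-online.target`.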