From 2f8ea80af31ae914d7a73113208b2e42ed69d35e Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Tue, 21 Feb 2023 21:56:16 -0500
Subject: vaultwarden: add docs
---
roles/vaultwarden/README.md | 64 ++++++++++++++++++++++
roles/vaultwarden/defaults/main.yml | 1 -
.../templates/etc/sysconfig/vaultwarden.j2 | 2 +-
roles/vaultwarden/vars/main.yml | 3 -
4 files changed, 65 insertions(+), 5 deletions(-)
create mode 100644 roles/vaultwarden/README.md
(limited to 'roles/vaultwarden')
diff --git a/roles/vaultwarden/README.md b/roles/vaultwarden/README.md
new file mode 100644
index 0000000..6c2ff83
--- /dev/null
+++ b/roles/vaultwarden/README.md
@@ -0,0 +1,64 @@
+Vaultwarden
+===========
+
+Description
+-----------
+
+The `vaultwarden` role installs [Vaultwarden](https://github.com/dani-garcia/vaultwarden),
+an unofficial Bitwarden-compatible server written in Rust.
+
+This role configures the Rust application only; it does not set up a reverse
+proxy.
+
+Variables
+---------
+
+This role **accepts** the following variables:
+
+Variable | Default | Description
+---------------------------------------|----------------------------------------|------------
+`vaultwarden_version` | see [defaults](defaults/vars.yml) | Git version of Vaultwarden to install
+`vaultwarden_web_version` | see [defaults](defaults/vars.yml) | Git version of web vault to install
+`vaultwarden_port` | 8008 | Local listening port
+`vaultwarden_websocket_port` | 8009 | Local websocket port
+`vaultwarden_server_name` | `{{ ansible_fqdn }}` | Canonical HTTP hostname
+`vaultwarden_user` | `s-vaultwarden` | FreeIPA user (will be created)
+`vaultwarden_db_name` | `vaultwarden` | PostgreSQL database (will be created)
+`vaultwarden_db_host` | `{{ postgresql_host }}` | PostgreSQL host
+`vaultwarden_verify_signups` | yes | Confirm email address of new users
+`vaultwarden_signup_domain_whitelist` | `['{{ email_domain }}']` | Allowed email domains (empty list to allow all)
+`vaultwarden_invitations_allowed` | no | Allow admins to invite users
+`vaultwarden_user_attachment_limit_kb` | 1048576 | Per-user attachment size limit (KB)
+`vaultwarden_admin_group` | `role-bitwarden-admin` | FreeIPA group for Vaultwarden administrators (will be created)
+`vaultwarden_smtp_host` | `{{ mail_host }}` | SMTP host
+`vaultwarden_smtp_from` | `bitwarden-noreply@{{ email_domain }}` | Email `From:` address
+`vaultwarden_smtp_from_name` | `Bitwarden` | Email `From:` name
+
+This role **exports** the following variables:
+
+Variable | Description
+----------------------------|------------
+`vaultwarden_apache_config` | Apache config block for reverse proxy
+
+Usage
+-----
+
+Example playbook:
+
+````yaml
+- name: configure vaultwarden
+ hosts: vaultwarden_servers
+ roles:
+ - role: vaultwarden
+ vars:
+ vaultwarden_db_host: postgres.ipa.example.com
+ vaultwarden_verify_signups: yes
+ vaultwarden_signup_domain_whitelist: []
+ vaultwarden_admin_group: vaultwarden-admins
+
+ - role: apache
+ vars:
+ apache_default_vhost: yes
+ apache_canonical_hostname: '{{ vaultwarden_server_name }}'
+ apache_config: '{{ vaultwarden_apache_config }}'
+````
diff --git a/roles/vaultwarden/defaults/main.yml b/roles/vaultwarden/defaults/main.yml
index 8652adc..3dd0435 100644
--- a/roles/vaultwarden/defaults/main.yml
+++ b/roles/vaultwarden/defaults/main.yml
@@ -5,7 +5,6 @@ vaultwarden_port: 8008
 vaultwarden_websocket_port: 8009
 vaultwarden_server_name: '{{ ansible_fqdn }}'
-vaultwarden_url: https://{{ vaultwarden_server_name }}
 vaultwarden_user: s-vaultwarden
 vaultwarden_db_name: vaultwarden
diff --git a/roles/vaultwarden/templates/etc/sysconfig/vaultwarden.j2 b/roles/vaultwarden/templates/etc/sysconfig/vaultwarden.j2
index 61d50e7..f275000 100644
--- a/roles/vaultwarden/templates/etc/sysconfig/vaultwarden.j2
+++ b/roles/vaultwarden/templates/etc/sysconfig/vaultwarden.j2
@@ -26,7 +26,7 @@ INVITATIONS_ALLOWED={{ vaultwarden_invitations_allowed }}
 USER_ATTACHMENT_LIMIT={{ vaultwarden_user_attachment_limit_kb }}
 {% endif %}
-DOMAIN={{ vaultwarden_url }}
+DOMAIN=https://{{ vaultwarden_server_name }}
 {% if vaultwarden_yubico_client_id is defined %}
 YUBICO_CLIENT_ID={{ vaultwarden_yubico_client_id }}
diff --git a/roles/vaultwarden/vars/main.yml b/roles/vaultwarden/vars/main.yml
index 5c232ad..3d55e20 100644
--- a/roles/vaultwarden/vars/main.yml
+++ b/roles/vaultwarden/vars/main.yml
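Review bot: The new `DOMAIN=https://{{ vaultwarden_server_name }}` line derives Vaultwarden's public URL from `vaultwarden_server_name`, whose default is `{{ ansible_fqdn }}`, and nothing in the role checks that this is the hostname the reverse proxy actually serves over TLS; the README added in this commit states the role does not set up that proxy. Vaultwarden uses DOMAIN as its public origin (emailed links, WebAuthn), so a mismatch with the proxy's canonical name surfaces as broken links and failed logins at runtime rather than at deploy time. Suggest a comment above the line, `# Public https origin; must match the reverse proxy's canonical hostname (email links, WebAuthn origin)`, and a sentence in the README's `vaultwarden_server_name` row saying it must be the externally visible name. Dropping `vaultwarden_url` (defaults/main.yml hunk in this commit) also removes the only way to put a non-default port or path prefix into DOMAIN; if that is intentional, the commit message should say so.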
@@ -19,9 +19,6 @@ vaultwarden_web_dir: '{{ vaultwarden_home }}/web-vault'
 vaultwarden_data_dir: /var/lib/vaultwarden
 vaultwarden_keytab: /var/lib/gssproxy/clients/{{ vaultwarden_user }}.keytab
-vaultwarden_admin_hbac_hostgroup: bitwarden_servers
-vaultwarden_admin_hbac_service: bitwarden-admin
-
 vaultwarden_apache_config: |
 {{ apache_proxy_config }}
-- cgit