Set up Bitwarden behind Traefik

dev/host_vars/moxie.yml

@@ -1,9 +1,22 @@
+# base
+allow_reboot: false
+manage_network: false
+
 # docker
 docker_user: vagrant
 
+# traefik
+traefik_version: latest
+traefik_dashboard: true
+traefik_domain: traefik.vm.krislamo.org
+traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin
+#traefik_acme_email: realemail@example.com # Let's Encrypt settings
+#traefik_production: true
+
 # bitwarden
 # Get Installation ID & Key at https://bitwarden.com/host/
-bitwarden_domain: vault.test.krislamo.org
+bitwarden_domain: vault.vm.krislamo.org
 bitwarden_dbpass: password
 bitwarden_install_id: 4ea840a3-532e-4cb6-a472-abd900728b23
 bitwarden_install_key: 1yB3Z2gRI0KnnH90C6p
+#bitwarden_prod: true

dev/moxie.yml

@@ -4,5 +4,7 @@
   vars_files:
     - host_vars/moxie.yml
   roles:
+    - base
     - docker
+    - traefik
     - bitwarden

roles/bitwarden/defaults/main.yml

@@ -0,0 +1,4 @@
+bitwarden_name: bitwarden
+bitwarden_root: "/opt/{{ bitwarden_name }}"
+bitwarden_standalone: false
+bitwarden_production: false

roles/bitwarden/handlers/main.yml

@@ -0,0 +1,7 @@
+- name: Rebuild Bitwarden
+  shell: "{{ bitwarden_root }}/bitwarden.sh rebuild"
+  listen: rebuild_bitwarden
+
+- name: Start Bitwarden
+  shell: "{{ bitwarden_root }}/bitwarden.sh start"
+  listen: start_bitwarden

roles/bitwarden/tasks/main.yml

@@ -5,27 +5,72 @@
 
 - name: Create Bitwarden directory
   file:
-    path: "/home/{{ docker_user }}/bitwarden/"
+    path: "{{ bitwarden_root }}"
     state: directory
-    owner: "{{ docker_user }}"
-    group: "{{ docker_user }}"
 
 - name: Download Bitwarden script
   get_url:
     url: "https://raw.githubusercontent.com/\
           bitwarden/server/master/scripts/bitwarden.sh"
-    dest: "/home/{{ docker_user }}/bitwarden/"
-    owner: "{{ docker_user }}"
-    group: "{{ docker_user }}"
+    dest: "{{ bitwarden_root }}"
     mode: u+x
 
 - name: Install Bitwarden script wrapper
   template:
     src: bw_wrapper.j2
-    dest: "/home/{{ docker_user }}/bitwarden/bw_wrapper"
-    owner: "{{ docker_user }}"
-    group: "{{ docker_user }}"
+    dest: "{{ bitwarden_root }}/bw_wrapper"
     mode: u+x
 
-- name: Run Bitwarden script
-  shell: /home/{{ docker_user }}/bitwarden/bw_wrapper
+- name: Run Bitwarden installation script
+  shell: "{{ bitwarden_root }}/bw_wrapper"
+  args:
+    creates: "{{ bitwarden_root }}/bwdata/config.yml"
+  notify: start_bitwarden
+
+- name: Install docker-compose override
+  template:
+    src: compose.override.yml.j2
+    dest: "{{ bitwarden_root }}/bwdata/docker/docker-compose.override.yml"
+  notify:
+    - rebuild_bitwarden
+    - start_bitwarden
+
+- name: Disable bitwarden-nginx HTTP on 80
+  replace:
+    path: "{{ bitwarden_root }}/bwdata/config.yml"
+    regexp: "^http_port: 80$"
+    replace: "http_port: 8080"
+  when: not bitwarden_standalone
+  notify:
+    - rebuild_bitwarden
+    - start_bitwarden
+
+- name: Disable bitwarden-nginx HTTPS on 443
+  replace:
+    path: "{{ bitwarden_root }}/bwdata/config.yml"
+    regexp: "^https_port: 443$"
+    replace: "https_port: 8443"
+  when: not bitwarden_standalone
+  notify:
+    - rebuild_bitwarden
+    - start_bitwarden
+
+- name: Disable Bitwarden managed Lets Encrypt
+  replace:
+    path: "{{ bitwarden_root }}/bwdata/config.yml"
+    regexp: "^ssl_managed_lets_encrypt: true$"
+    replace: "ssl_managed_lets_encrypt: false"
+  when: not bitwarden_standalone or not bitwarden_production
+  notify:
+    - rebuild_bitwarden
+    - start_bitwarden
+
+- name: Disable Bitwarden managed SSL
+  replace:
+    path: "{{ bitwarden_root }}/bwdata/config.yml"
+    regexp: "^ssl: true$"
+    replace: "ssl: false"
+  when: not bitwarden_standalone
+  notify:
+    - rebuild_bitwarden
+    - start_bitwarden

roles/bitwarden/templates/bw_wrapper.j2

@@ -2,13 +2,17 @@
 
 set timeout -1
 
-spawn /home/{{ docker_user }}/bitwarden/bitwarden.sh install
+spawn {{ bitwarden_root }}/bitwarden.sh install
 
 expect "Enter the domain name for your Bitwarden instance (ex. bitwarden.example.com):"
 send "{{ bitwarden_domain }}\r"
 
 expect "Do you want to use Let's Encrypt to generate a free SSL certificate? (y/n):"
+{% if bitwarden_standalone and bitwarden_production %}
+send "y\r"
+{% else %}
 send "n\r"
+{% endif %}
 
 expect "Enter your installation id (get at https://bitwarden.com/host):"
 send "{{ bitwarden_install_id }}\r"
@@ -20,11 +24,11 @@ expect "Do you have a SSL certificate to use? (y/n):"
 send "n\r"
 
 expect "Do you want to generate a self-signed SSL certificate? (y/n):"
+{% if bitwarden_standalone and not bitwarden_production %}
 send "y\r"
+{% else %}
+send "n\r"
+{% endif %}
 
 expect "Next steps, run:\r\n`./bitwarden.sh start`"
 expect eof
-
-spawn /home/{{ docker_user }}/bitwarden/bitwarden.sh start
-expect "Bitwarden is up and running!"
-expect eof

roles/bitwarden/templates/compose.override.yml.j2

@@ -0,0 +1,16 @@
+services:
+  nginx:
+    networks:
+      - traefik
+    labels:
+      traefik.http.routers.bitwarden.rule: "Host(`{{ bitwarden_domain }}`)"
+      traefik.http.routers.bitwarden.entrypoints: websecure
+      traefik.http.routers.bitwarden.tls.certresolver: letsencrypt
+      traefik.http.routers.bitwarden.middlewares: "securehttps@file"
+      traefik.http.services.bitwarden.loadbalancer.server.port: 8080
+      traefik.docker.network: traefik
+      traefik.enable: "true"
+
+networks:
+  traefik:
+    external: true

update-hosts.sh

@@ -9,6 +9,7 @@ HOST[3]="jenkins.${DOMAIN}"
 HOST[4]="prom.${DOMAIN}"
 HOST[5]="grafana.${DOMAIN}"
 HOST[6]="nginx.${DOMAIN}"
+HOST[7]="vault.${DOMAIN}"
 
 # Get Vagrantbox guest IP
 VAGRANT_OUTPUT=$(vagrant ssh -c "hostname -I | cut -d' ' -f2" 2>/dev/null)