From 43d79e7710225a51dabdf9f4858400125aa7e308 Mon Sep 17 00:00:00 2001 From: Kris Lamoureux Date: Sat, 27 Feb 2021 00:00:52 -0500 Subject: [PATCH] Set up Bitwarden behind Traefik --- dev/host_vars/moxie.yml | 15 ++++- dev/moxie.yml | 2 + roles/bitwarden/defaults/main.yml | 4 ++ roles/bitwarden/handlers/main.yml | 7 ++ roles/bitwarden/tasks/main.yml | 67 ++++++++++++++++--- roles/bitwarden/templates/bw_wrapper.j2 | 14 ++-- .../templates/compose.override.yml.j2 | 16 +++++ update-hosts.sh | 1 + 8 files changed, 109 insertions(+), 17 deletions(-) create mode 100644 roles/bitwarden/defaults/main.yml create mode 100644 roles/bitwarden/handlers/main.yml create mode 100644 roles/bitwarden/templates/compose.override.yml.j2 diff --git a/dev/host_vars/moxie.yml b/dev/host_vars/moxie.yml index 08c5d71..7dc7a2b 100644 --- a/dev/host_vars/moxie.yml +++ b/dev/host_vars/moxie.yml @@ -1,9 +1,22 @@ +# base +allow_reboot: false +manage_network: false + # docker docker_user: vagrant +# traefik +traefik_version: latest +traefik_dashboard: true +traefik_domain: traefik.vm.krislamo.org +traefik_auth: admin:$apr1$T1l.BCFz$Jyg8msXYEAUi3LLH39I9d1 # admin:admin +#traefik_acme_email: realemail@example.com # Let's Encrypt settings +#traefik_production: true + # bitwarden # Get Installation ID & Key at https://bitwarden.com/host/ -bitwarden_domain: vault.test.krislamo.org +bitwarden_domain: vault.vm.krislamo.org bitwarden_dbpass: password bitwarden_install_id: 4ea840a3-532e-4cb6-a472-abd900728b23 bitwarden_install_key: 1yB3Z2gRI0KnnH90C6p +#bitwarden_prod: true diff --git a/dev/moxie.yml b/dev/moxie.yml index fd68ea2..ebc6cd0 100644 --- a/dev/moxie.yml +++ b/dev/moxie.yml @@ -4,5 +4,7 @@ vars_files: - host_vars/moxie.yml roles: + - base - docker + - traefik - bitwarden diff --git a/roles/bitwarden/defaults/main.yml b/roles/bitwarden/defaults/main.yml new file mode 100644 index 0000000..80d6cc5 --- /dev/null +++ b/roles/bitwarden/defaults/main.yml 
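Review bot: The commented-out `#bitwarden_prod: true` at the end of the bitwarden section does not name the variable the role actually reads — the new defaults file defines `bitwarden_production` — so uncommenting it as written would silently leave the role in non-production mode; it should read `#bitwarden_production: true`. Separately, this file commits a database password, a Bitwarden installation ID/key and an apr1 (MD5) htpasswd hash for admin:admin in plain text; even on a Vagrant dev box the installation key is a real credential issued to whoever requested it at bitwarden.com/host, so it belongs in an ansible-vault encrypted file or a `lookup('env', ...)`, and the htpasswd entry is better regenerated with bcrypt (`htpasswd -nB`). `traefik_version: latest` also leaves the proxy in front of the vault unpinned; pin a release so upgrades are deliberate.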
@@ -0,0 +1,4 @@ +bitwarden_name: bitwarden +bitwarden_root: "/opt/{{ bitwarden_name }}" +bitwarden_standalone: false +bitwarden_production: false diff --git a/roles/bitwarden/handlers/main.yml b/roles/bitwarden/handlers/main.yml new file mode 100644 index 0000000..8fd980b --- /dev/null +++ b/roles/bitwarden/handlers/main.yml @@ -0,0 +1,7 @@ +- name: Rebuild Bitwarden + shell: "{{ bitwarden_root }}/bitwarden.sh rebuild" + listen: rebuild_bitwarden + +- name: Start Bitwarden + shell: "{{ bitwarden_root }}/bitwarden.sh start" + listen: start_bitwarden diff --git a/roles/bitwarden/tasks/main.yml b/roles/bitwarden/tasks/main.yml index 3f9d839..2b66848 100644 --- a/roles/bitwarden/tasks/main.yml +++ b/roles/bitwarden/tasks/main.yml 
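Review bot: Both handlers use `shell:` for a fixed argv with no shell features, so `command:` is the safer module — it avoids passing whatever `bitwarden_root` expands to through /bin/sh word splitting; e.g. `command: "{{ bitwarden_root }}/bitwarden.sh rebuild"`. ansible-lint will likely also flag the missing `changed_when`; `bitwarden.sh start` is effectively idempotent, so `changed_when: false` on the start handler keeps runs from always reporting a change. If `bitwarden.sh` resolves `bwdata` relative to the working directory rather than its own location (not visible here), the handlers additionally need `args: chdir: "{{ bitwarden_root }}"`.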
@@ -5,27 +5,72 @@ - name: Create Bitwarden directory file: - path: "/home/{{ docker_user }}/bitwarden/" + path: "{{ bitwarden_root }}" state: directory - owner: "{{ docker_user }}" - group: "{{ docker_user }}" - name: Download Bitwarden script get_url: url: "https://raw.githubusercontent.com/\ bitwarden/server/master/scripts/bitwarden.sh" - dest: "/home/{{ docker_user }}/bitwarden/" - owner: "{{ docker_user }}" - group: "{{ docker_user }}" + dest: "{{ bitwarden_root }}" mode: u+x - name: Install Bitwarden script wrapper template: src: bw_wrapper.j2 - dest: "/home/{{ docker_user }}/bitwarden/bw_wrapper" - owner: "{{ docker_user }}" - group: "{{ docker_user }}" + dest: "{{ bitwarden_root }}/bw_wrapper" mode: u+x -- name: Run Bitwarden script - shell: /home/{{ docker_user }}/bitwarden/bw_wrapper +- name: Run Bitwarden installation script + shell: "{{ bitwarden_root }}/bw_wrapper" + args: + creates: "{{ bitwarden_root }}/bwdata/config.yml" + notify: start_bitwarden + +- name: Install docker-compose override + template: + src: compose.override.yml.j2 + dest: "{{ bitwarden_root }}/bwdata/docker/docker-compose.override.yml" + notify: + - rebuild_bitwarden + - start_bitwarden + +- name: Disable bitwarden-nginx HTTP on 80 + replace: + path: "{{ bitwarden_root }}/bwdata/config.yml" + regexp: "^http_port: 80$" + replace: "http_port: 8080" + when: not bitwarden_standalone + notify: + - rebuild_bitwarden + - start_bitwarden + +- name: Disable bitwarden-nginx HTTPS on 443 + replace: + path: "{{ bitwarden_root }}/bwdata/config.yml" + regexp: "^https_port: 443$" + replace: "https_port: 8443" + when: not bitwarden_standalone + notify: + - rebuild_bitwarden + - start_bitwarden + +- name: Disable Bitwarden managed Lets Encrypt + replace: + path: "{{ bitwarden_root }}/bwdata/config.yml" + regexp: "^ssl_managed_lets_encrypt: true$" + replace: "ssl_managed_lets_encrypt: false" + when: not bitwarden_standalone or not bitwarden_production + notify: + - rebuild_bitwarden + - 
start_bitwarden + +- name: Disable Bitwarden managed SSL + replace: + path: "{{ bitwarden_root }}/bwdata/config.yml" + regexp: "^ssl: true$" + replace: "ssl: false" + when: not bitwarden_standalone + notify: + - rebuild_bitwarden + - start_bitwarden diff --git a/roles/bitwarden/templates/bw_wrapper.j2 b/roles/bitwarden/templates/bw_wrapper.j2 index 0ce23f2..126b14c 100644 --- a/roles/bitwarden/templates/bw_wrapper.j2 +++ b/roles/bitwarden/templates/bw_wrapper.j2 @@ -2,13 +2,17 @@ set timeout -1 -spawn /home/{{ docker_user }}/bitwarden/bitwarden.sh install +spawn {{ bitwarden_root }}/bitwarden.sh install expect "Enter the domain name for your Bitwarden instance (ex. bitwarden.example.com):" send "{{ bitwarden_domain }}\r" expect "Do you want to use Let's Encrypt to generate a free SSL certificate? (y/n):" +{% if bitwarden_standalone and bitwarden_production %} +send "y\r" +{% else %} send "n\r" +{% endif %} expect "Enter your installation id (get at https://bitwarden.com/host):" send "{{ bitwarden_install_id }}\r" @@ -20,11 +24,11 @@ expect "Do you have a SSL certificate to use? (y/n):" send "n\r" expect "Do you want to generate a self-signed SSL certificate? (y/n):" +{% if bitwarden_standalone and not bitwarden_production %} send "y\r" +{% else %} +send "n\r" +{% endif %} expect "Next steps, run:\r\n`./bitwarden.sh start`" expect eof - -spawn /home/{{ docker_user }}/bitwarden/bitwarden.sh start -expect "Bitwarden is up and running!" -expect eof diff --git a/roles/bitwarden/templates/compose.override.yml.j2 b/roles/bitwarden/templates/compose.override.yml.j2 new file mode 100644 index 0000000..aef4263 --- /dev/null +++ b/roles/bitwarden/templates/compose.override.yml.j2 
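Review bot: The `Download Bitwarden script` task fetches `bitwarden.sh` from the unpinned `master` branch with no `checksum:`, and the following tasks execute it as the installer that in turn fetches further scripts and container images, so the whole deployment is only as trustworthy as whatever GitHub serves at that moment; pin the ref to a release and verify it, e.g. `url: "https://raw.githubusercontent.com/bitwarden/server/{{ bitwarden_script_ref }}/scripts/bitwarden.sh"` with `checksum: "sha256:{{ bitwarden_script_sha256 }}"`. The `bw_wrapper` template embeds the installation ID/key and is written under /opt with only `mode: u+x`, which on a freshly created file leaves it world-readable; use `mode: "0700"` (and the same for `bitwarden.sh` for consistency). The `replace` tasks move `http_port`/`https_port` to 8080/8443 rather than stopping Bitwarden's own nginx from being published at all; if the generated compose file still maps those ports on every interface (I cannot see it here), the vault stays reachable over plain HTTP around Traefik's TLS and `securehttps` middleware, so check `ss -ltnp` after a rebuild and bind or firewall them to loopback if so. Note also that `replace` with anchored patterns such as `^ssl: true$` is a one-way edit — flipping `bitwarden_standalone` back later will not restore the managed SSL settings, which is worth a comment on the task.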
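Review bot: With `set timeout -1` in the context line above this hunk every `expect` waits forever, so if the unpinned upstream script changes any prompt wording the Ansible run hangs indefinitely instead of failing; give it a finite timeout and fail loudly, e.g. `set timeout 300` plus `expect_after timeout { puts "unexpected prompt"; exit 1 }`. The `send "{{ bitwarden_domain }}\r"` line (and the install ID/key sends below) substitute variables straight into Tcl source, so a value containing `$`, `[` or `"` would be interpreted rather than typed; these are operator-controlled vars, so this is a hardening point rather than a live bug, but a short comment stating that assumption would help the next maintainer.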
@@ -0,0 +1,16 @@ +services: + nginx: + networks: + - traefik + labels: + traefik.http.routers.bitwarden.rule: "Host(`{{ bitwarden_domain }}`)" + traefik.http.routers.bitwarden.entrypoints: websecure + traefik.http.routers.bitwarden.tls.certresolver: letsencrypt + traefik.http.routers.bitwarden.middlewares: "securehttps@file" + traefik.http.services.bitwarden.loadbalancer.server.port: 8080 + traefik.docker.network: traefik + traefik.enable: "true" + +networks: + traefik: + external: true diff --git a/update-hosts.sh b/update-hosts.sh index f62f080..9be49ff 100755 --- a/update-hosts.sh +++ b/update-hosts.sh @@ -9,6 +9,7 @@ HOST[3]="jenkins.${DOMAIN}" HOST[4]="prom.${DOMAIN}" HOST[5]="grafana.${DOMAIN}" HOST[6]="nginx.${DOMAIN}" +HOST[7]="vault.${DOMAIN}" # Get Vagrantbox guest IP VAGRANT_OUTPUT=$(vagrant ssh -c "hostname -I | cut -d' ' -f2" 2>/dev/null)
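Review bot: The router sets `tls.certresolver: letsencrypt` while the example host_vars leave `traefik_acme_email` commented out, so in the dev setup Traefik presumably has no resolver of that name and will serve its default certificate for the vault hostname; fine for a lab, but worth a comment in the template (`# certresolver must exist in the traefik role; without it Traefik falls back to its default cert`) so nobody assumes the vault is getting a valid certificate. The override joins the nginx service to the `traefik` network but leaves whatever `ports:` the generated compose file declares in place — compose concatenates `ports` across override files rather than replacing them — so if Bitwarden's nginx is still published on 8080/8443 it remains reachable around Traefik's TLS and `securehttps@file` middleware; check `docker ps` after the rebuild. For consistency with `traefik.enable: "true"`, quote the port label as `"8080"` so label values render as strings regardless of YAML typing.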