Merge pull request #11 from Diesel-Net/development

Promotion
Diesel-Net · Jan 2, 2022 · ba8f2ab · ba8f2ab
2 parents 9000d37 + 2a1005f
commit ba8f2ab
Show file tree

Hide file tree

Showing 12 changed files with 51 additions and 59 deletions.
diff --git a/.ansible/ansible.cfg b/.ansible/ansible.cfg
@@ -1,9 +1,4 @@
 [defaults]
 
-stdout_callback = debug
 host_key_checking = True
 retry_files_enabled = False
-
-# Fixes ansible variable precedence issue: Makes inventory group_vars override playbook group_vars
-# https://github.com/ansible/ansible/issues/18154
-precedence = all_plugins_play, all_inventory, all_plugins_inventory, groups_plugins_play, groups_inventory, groups_plugins_inventory
diff --git a/.ansible/inventory/development/group_vars/tools/config.yaml b/.ansible/inventory/development/group_vars/tools/config.yaml
@@ -1,2 +1,3 @@
 signups_allowed: yes
 admin_token: admin
+host: bitwarden.dev.diesel.net
diff --git a/.ansible/inventory/development/group_vars/tools/proxy.yaml b/.ansible/inventory/development/group_vars/tools/proxy.yaml
diff --git a/.ansible/inventory/development/hosts b/.ansible/inventory/development/hosts
@@ -1,8 +1,10 @@
 all:
   children:
+
     tools:
       hosts:
         dev.diesel.net
+
   vars:
     ansible_user: automation
     ansible_python_interpreter: /usr/bin/python3
diff --git a/.ansible/inventory/production/group_vars/tools/config.yaml b/.ansible/inventory/production/group_vars/tools/config.yaml
@@ -1,11 +1,3 @@
-signups_allowed: no
-admin_token: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  63353762613865376264346632316461666430653533353062363762393766383936303538663831
-  6535613862376263623966663039626631313931336331320a376464633533353262373739323330
-  62373336316365323964323665383137616132613364313239363736656236623630663061333838
-  3633383966323731330a306535626637363034366362323738336235623239373064386536636361
-  33613136346535323839396132636130373639613966346235396531636338646338316661343564
-  65386330303032623163306131616333623931633139363334376332383463646233396664613339
-  66623662643664366633396236313466663663353935353166383865356665393332653064643464
-  64313437303036626330
+signups_allowed: yes
+admin_token: "{{ lookup('env', 'ADMIN_TOKEN') }}"
+host: bitwarden.diesel.net
diff --git a/.ansible/inventory/production/group_vars/tools/proxy.yaml b/.ansible/inventory/production/group_vars/tools/proxy.yaml
diff --git a/.ansible/inventory/production/hosts b/.ansible/inventory/production/hosts
@@ -1,8 +1,10 @@
 all:
   children:
+
     tools:
       hosts:
         tools.diesel.net
+
   vars:
     ansible_user: automation
     ansible_python_interpreter: /usr/bin/python3
diff --git a/.ansible/roles/requirements.yaml b/.ansible/roles/requirements.yaml
@@ -1,9 +1,9 @@
 - name: docker
   scm: git
   src: "[email protected]:Diesel-Net/ansible-role-docker.git"
-  version: 1.3.0
+  version: 1.10.0
 
 - name: common
   scm: git
   src: "[email protected]:Diesel-Net/ansible-role-common.git"
-  version: 1.1.0
+  version: 1.2.0
diff --git a/.ansible/templates/docker-compose.yaml.j2 b/.ansible/templates/docker-compose.yaml.j2
@@ -5,40 +5,31 @@ services:
 
 
   main:
-    image: vaultwarden/server:1.22.2
+    image: vaultwarden/server:1.23.1
     volumes:
-      - /etc/localtime:/etc/localtime
-      - {{ ssl_cert_dir }}/:/etc/ssl/certs/
-      - {{ data_dir }}:/data/
+      - {{ localtime_file }}:/etc/localtime
+      - {{ ssl_cert_file }}:/etc/ssl/certs/ca-certificates.crt
+      - {{ data_dir }}:/data
     environment:
       - SIGNUPS_ALLOWED={{ signups_allowed | string | lower }}
       - ADMIN_TOKEN={{ admin_token }}
-      - DOMAIN=https://{{ proxy_domain }}
+      - DOMAIN=https://{{ host }}
     deploy:
       labels:
         - traefik.enable=true
-        - traefik.docker.network={{ docker_network }}
-        - traefik.http.middlewares.redirect-https.redirectScheme.scheme=https
-        - traefik.http.middlewares.redirect-https.redirectScheme.permanent=true
-        - traefik.http.routers.bitwarden-ui-https.rule=Host(`{{ proxy_domain }}`)
-        - traefik.http.routers.bitwarden-ui-https.entrypoints=websecure
-        - traefik.http.routers.bitwarden-ui-https.tls=true
-        - traefik.http.routers.bitwarden-ui-https.service=bitwarden-ui
-        - traefik.http.routers.bitwarden-ui-http.rule=Host(`{{ proxy_domain }}`)
-        - traefik.http.routers.bitwarden-ui-https.tls.certresolver=step-ca
-        - traefik.http.routers.bitwarden-ui-http.entrypoints=web
-        - traefik.http.routers.bitwarden-ui-http.middlewares=redirect-https
-        - traefik.http.routers.bitwarden-ui-http.service=bitwarden-ui
+
+        # web interface
         - traefik.http.services.bitwarden-ui.loadbalancer.server.port=80
-        - traefik.http.routers.bitwarden-websocket-https.rule=Host(`{{ proxy_domain }}`) && Path(`/notifications/hub`)
-        - traefik.http.routers.bitwarden-websocket-https.entrypoints=websecure
-        - traefik.http.routers.bitwarden-websocket-https.tls=true
-        - traefik.http.routers.bitwarden-websocket-https.service=bitwarden-websocket
-        - traefik.http.routers.bitwarden-websocket-http.rule=Host(`{{ proxy_domain }}`) && Path(`/notifications/hub`)
-        - traefik.http.routers.bitwarden-websocket-http.entrypoints=web
-        - traefik.http.routers.bitwarden-websocket-http.middlewares=redirect-https
-        - traefik.http.routers.bitwarden-websocket-http.service=bitwarden-websocket
+        - traefik.http.routers.bitwarden-ui.rule=Host(`{{ host }}`)
+        - traefik.http.routers.bitwarden-ui.tls.certresolver=step-ca
+        - traefik.http.routers.bitwarden-ui.service=bitwarden-ui
+
+        # websocket notifications
         - traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012
+        - traefik.http.routers.bitwarden-websocket.rule=Host(`{{ host }}`) && Path(`/notifications/hub`)
+        - traefik.http.routers.bitwarden-websocket.tls.certresolver=step-ca
+        - traefik.http.routers.bitwarden-websocket.service=bitwarden-websocket
+
     networks:
       - {{ docker_network }}
 

diff --git a/.drone.yaml b/.drone.yaml
@@ -15,7 +15,7 @@ steps:
     settings:
       playbook: .ansible/deploy.yaml
       galaxy: .ansible/roles/requirements.yaml
-      inventory: .ansible/inventory/development/hosts
+      inventory: .ansible/inventory/development
       private_key:
         from_secret: automation_id_rsa
       vault_password:
@@ -41,10 +41,12 @@ steps:
     image: plugins/ansible:3
     environment:
       ANSIBLE_CONFIG: .ansible/ansible.cfg
+      ADMIN_TOKEN:
+        from_secret: admin_token
     settings:
       playbook: .ansible/deploy.yaml
       galaxy: .ansible/roles/requirements.yaml
-      inventory: .ansible/inventory/production/hosts
+      inventory: .ansible/inventory/production
       private_key:
         from_secret: automation_id_rsa
       vault_password:

diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
-.ansible/roles/docker_deploy
+.ansible/roles/docker
+.ansible/roles/common
 .DS_Store
diff --git a/README.md b/README.md
@@ -1,20 +1,28 @@
 [![Build Status](https://drone.kiwi-labs.net/api/badges/Diesel-Net/bitwarden/status.svg)](https://drone.kiwi-labs.net/Diesel-Net/bitwarden)
 
 # bitwarden
-Sets up [vaultwarden](https://github.com/dani-garcia/vaultwarden) (formerly called bitwarden_rs) on the internal network.
+Sets up bitwarden on Docker Swarm. 
 
-# Notes
-- [traefik v2 labels](https://github.com/dani-garcia/bitwarden_rs/wiki/Proxy-examples#traefik-v1-labels-migrated-to-traefik-v2)
+:warning: this configuration uses the unofficial backend [vaultwarden](https://github.com/dani-garcia/vaultwarden), formerly known as `bitwarden_rs` :warning:
 
-## Requirements
-- Ansible 2.10+
 
-## Installing Dependencies
-```bash
-ansible-galaxy install -r .ansible/roles/requirements.yaml -p .ansible/roles --force
-```
+## Deployments
+This application is configured and deployed automatically using [Drone CI](https://github.com/harness/drone), however there might be situations where you would prefer to do this manually. 
 
-## Deploy to Docker Swarm
+You will need to have the [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html#encrypting-content-with-ansible-vault) password file configured on your machine, if there are any vaulted secrets. Please read the relevant ansible documentation on [setting a default password source](https://docs.ansible.com/ansible/latest/user_guide/vault.html#setting-a-default-password-source). If you are trying to reuse this Ansible configuration for your own purposes, then you will need to encrypt all of _your own_ secrets using _your own_ Ansible Vault password and replace those variables in the [Ansible configuration](.ansible).
+
+### Requirements
+I recommend [installing Ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html#installing-ansible) with `pip` (globally) versus other package managers like Apt or Brew. It makes upgrading and using third party modules much easier.
 ```bash
-ansible-playbook .ansible/deploy.yaml -i .ansible/inventory/development/hosts --vault-id ~/.tokens/master_id
+python3 -m pip install --user ansible
 ```
+
+### Steps
+1. Install roles (dependencies).
+   ```bash
+   ansible-galaxy install -r .ansible/roles/requirements.yaml -p .ansible/roles --force
+   ```
+2. Run playbook.
+   ```bash
+   ansible-playbook .ansible/deploy.yaml -i .ansible/inventory/development
+   ```