personal_infra/ansible/services/vaultwarden/deploy_vaultwarden_playbook.yml

- name: Deploy Vaultwarden with Docker Compose and configure Caddy reverse proxy
  hosts: vipy
  become: yes
  vars_files:
    - ../../infra_vars.yml
    - ./vaultwarden_vars.yml
  vars:
    vaultwarden_domain: "{{ vaultwarden_subdomain }}.{{ root_domain }}"

  tasks:
    - name: Create vaultwarden directory
      file:
        path: "{{ vaultwarden_dir }}"
        state: directory
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: '0755'

    - name: Create docker-compose.yml for vaultwarden
      copy:
        dest: "{{ vaultwarden_dir }}/docker-compose.yml"
        content: |
          version: "3"
          services:
            vaultwarden:
              image: vaultwarden/server:latest
              container_name: vaultwarden
              restart: unless-stopped
              ports:
                - "{{ vaultwarden_port }}:80"
              volumes:
                - ./data:/data
              environment:
                WEBSOCKET_ENABLED: 'true'
                DOMAIN: "https://{{ vaultwarden_domain }}"
                SIGNUPS_ALLOWED: 'true'
                LOG_FILE: /data/vaultwarden.log

    - name: Deploy vaultwarden container with docker compose
      command: docker compose up -d
      args:
        chdir: "{{ vaultwarden_dir }}"

    - name: Create Fail2Ban filter for Vaultwarden
      copy:
        dest: /etc/fail2ban/filter.d/vaultwarden.local
        owner: root
        group: root
        mode: '0644'
        content: |
          [INCLUDES]
          before = common.conf

          [Definition]
          failregex = ^.*?Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
          ignoreregex =

    - name: Create Fail2Ban jail for Vaultwarden
      copy:
        dest: /etc/fail2ban/jail.d/vaultwarden.local
        owner: root
        group: root
        mode: '0644'
        content: |
          [vaultwarden]
          enabled = true
          port = http,https
          filter = vaultwarden
          logpath = {{ vaultwarden_data_dir }}/vaultwarden.log
          maxretry = 10
          findtime = 10m
          bantime = 1h

    - name: Restart fail2ban to apply changes
      systemd:
        name: fail2ban
        state: restarted

    - name: Ensure Caddy sites-enabled directory exists
      file:
        path: "{{ caddy_sites_dir }}"
        state: directory
        owner: root
        group: root
        mode: '0755'

    - name: Ensure Caddyfile includes import directive for sites-enabled
      lineinfile:
        path: /etc/caddy/Caddyfile
        line: 'import sites-enabled/*'
        insertafter: EOF
        state: present
        backup: yes

    - name: Create Caddy reverse proxy configuration for vaultwarden
      copy:
        dest: "{{ caddy_sites_dir }}/vaultwarden.conf"
        content: |
          {{ vaultwarden_domain }} {
              reverse_proxy localhost:{{ vaultwarden_port }}
          }
        owner: root
        group: root
        mode: '0644'

    - name: Reload Caddy to apply new config
      command: systemctl reload caddy
lots of stuff 2025-07-03 17:21:31 +02:00			`- name: Deploy Vaultwarden with Docker Compose and configure Caddy reverse proxy`
			`hosts: vipy`
			`become: yes`
			`vars_files:`
			`- ../../infra_vars.yml`
			`- ./vaultwarden_vars.yml`
			`vars:`
			`vaultwarden_domain: "{{ vaultwarden_subdomain }}.{{ root_domain }}"`

			`tasks:`
			`- name: Create vaultwarden directory`
			`file:`
			`path: "{{ vaultwarden_dir }}"`
			`state: directory`
			`owner: "{{ ansible_user }}"`
			`group: "{{ ansible_user }}"`
			`mode: '0755'`

			`- name: Create docker-compose.yml for vaultwarden`
			`copy:`
			`dest: "{{ vaultwarden_dir }}/docker-compose.yml"`
			`content: \|`
			`version: "3"`
			`services:`
			`vaultwarden:`
			`image: vaultwarden/server:latest`
			`container_name: vaultwarden`
			`restart: unless-stopped`
			`ports:`
			`- "{{ vaultwarden_port }}:80"`
			`volumes:`
			`- ./data:/data`
			`environment:`
			`WEBSOCKET_ENABLED: 'true'`
			`DOMAIN: "https://{{ vaultwarden_domain }}"`
			`SIGNUPS_ALLOWED: 'true'`
			`LOG_FILE: /data/vaultwarden.log`

			`- name: Deploy vaultwarden container with docker compose`
			`command: docker compose up -d`
			`args:`
			`chdir: "{{ vaultwarden_dir }}"`

			`- name: Create Fail2Ban filter for Vaultwarden`
			`copy:`
			`dest: /etc/fail2ban/filter.d/vaultwarden.local`
			`owner: root`
			`group: root`
			`mode: '0644'`
			`content: \|`
			`[INCLUDES]`
			`before = common.conf`

			`[Definition]`
			`failregex = ^.?Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.$`
			`ignoreregex =`

			`- name: Create Fail2Ban jail for Vaultwarden`
			`copy:`
			`dest: /etc/fail2ban/jail.d/vaultwarden.local`
			`owner: root`
			`group: root`
			`mode: '0644'`
			`content: \|`
			`[vaultwarden]`
			`enabled = true`
			`port = http,https`
			`filter = vaultwarden`
			`logpath = {{ vaultwarden_data_dir }}/vaultwarden.log`
			`maxretry = 10`
			`findtime = 10m`
			`bantime = 1h`

			`- name: Restart fail2ban to apply changes`
			`systemd:`
			`name: fail2ban`
			`state: restarted`

			`- name: Ensure Caddy sites-enabled directory exists`
			`file:`
			`path: "{{ caddy_sites_dir }}"`
			`state: directory`
			`owner: root`
			`group: root`
			`mode: '0755'`

			`- name: Ensure Caddyfile includes import directive for sites-enabled`
			`lineinfile:`
			`path: /etc/caddy/Caddyfile`
			`line: 'import sites-enabled/*'`
			`insertafter: EOF`
			`state: present`
			`backup: yes`

			`- name: Create Caddy reverse proxy configuration for vaultwarden`
			`copy:`
			`dest: "{{ caddy_sites_dir }}/vaultwarden.conf"`
			`content: \|`
			`{{ vaultwarden_domain }} {`
			`reverse_proxy localhost:{{ vaultwarden_port }}`
			`}`
			`owner: root`
			`group: root`
			`mode: '0644'`

			`- name: Reload Caddy to apply new config`
			`command: systemctl reload caddy`