lots of stuff

2025-07-03 17:21:31 +02:00 · 2025-07-03 17:21:31 +02:00 · 3d3d65575b
commit 3d3d65575b
parent dac4a98f79
11 changed files with 296 additions and 17 deletions
--- a/ansible/example.inventory.ini
+++ b/ansible/example.inventory.ini
@ -1,5 +1,7 @@
 [vipy]
 your.vps.ip.here ansible_user=counterweight ansible_port=22 ansible_ssh_private_key_file=~/.ssh/your-key

+# Local connection to laptop: this assumes you're running ansible commands from your personal laptop
+# Make sure to adjust the username
 [lapy]
 localhost ansible_connection=local ansible_user=your laptop user
--- a/ansible/infra/02_firewall_and_fail2ban_playbook.yml
+++ b/ansible/infra/02_firewall_and_fail2ban_playbook.yml
--- a/ansible/infra/910_docker_playbook.yml
+++ b/ansible/infra/910_docker_playbook.yml
--- a/ansible/services/uptime_kuma/setup_backup_uptime_kuma_to_lapy.yml
+++ b/ansible/services/uptime_kuma/setup_backup_uptime_kuma_to_lapy.yml
--- a/ansible/services/uptime_kuma/uptime_kuma_vars.yml
+++ b/ansible/services/uptime_kuma/uptime_kuma_vars.yml
@ -15,6 +15,3 @@ remote_key_file: "{{ hostvars[remote_host]['ansible_ssh_private_key_file'] | def
 # Local backup
 local_backup_dir: "{{ lookup('env', 'HOME') }}/uptime-kuma-backups"
 backup_script_path: "{{ lookup('env', 'HOME') }}/.local/bin/uptime_kuma_backup.sh"
-
-# Encryption
-pgp_recipient: "your-gpg-id@example.com"  # Replace this with your actual GPG email or ID
--- a/ansible/services/vaultwarden/deploy_vaultwarden_playbook.yml
+++ b/ansible/services/vaultwarden/deploy_vaultwarden_playbook.yml
@ -0,0 +1,108 @@
+- name: Deploy Vaultwarden with Docker Compose and configure Caddy reverse proxy
+  hosts: vipy
+  become: yes
+  vars_files:
+    - ../../infra_vars.yml
+    - ./vaultwarden_vars.yml
+  vars:
+    vaultwarden_domain: "{{ vaultwarden_subdomain }}.{{ root_domain }}"
+
+  tasks:
+    - name: Create vaultwarden directory
+      file:
+        path: "{{ vaultwarden_dir }}"
+        state: directory
+        owner: "{{ ansible_user }}"
+        group: "{{ ansible_user }}"
+        mode: '0755'
+
+    - name: Create docker-compose.yml for vaultwarden
+      copy:
+        dest: "{{ vaultwarden_dir }}/docker-compose.yml"
+        content: |
+          version: "3"
+          services:
+            vaultwarden:
+              image: vaultwarden/server:latest
+              container_name: vaultwarden
+              restart: unless-stopped
+              ports:
+                - "{{ vaultwarden_port }}:80"
+              volumes:
+                - ./data:/data
+              environment:
+                WEBSOCKET_ENABLED: 'true'
+                DOMAIN: "https://{{ vaultwarden_domain }}"
+                SIGNUPS_ALLOWED: 'true'
+                LOG_FILE: /data/vaultwarden.log
+
+    - name: Deploy vaultwarden container with docker compose
+      command: docker compose up -d
+      args:
+        chdir: "{{ vaultwarden_dir }}"
+
+    - name: Create Fail2Ban filter for Vaultwarden
+      copy:
+        dest: /etc/fail2ban/filter.d/vaultwarden.local
+        owner: root
+        group: root
+        mode: '0644'
+        content: |
+          [INCLUDES]
+          before = common.conf
+
+          [Definition]
+          failregex = ^.*?Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
+          ignoreregex =
+
+    - name: Create Fail2Ban jail for Vaultwarden
+      copy:
+        dest: /etc/fail2ban/jail.d/vaultwarden.local
+        owner: root
+        group: root
+        mode: '0644'
+        content: |
+          [vaultwarden]
+          enabled = true
+          port = http,https
+          filter = vaultwarden
+          logpath = {{ vaultwarden_data_dir }}/vaultwarden.log
+          maxretry = 10
+          findtime = 10m
+          bantime = 1h
+
+    - name: Restart fail2ban to apply changes
+      systemd:
+        name: fail2ban
+        state: restarted
+
+    - name: Ensure Caddy sites-enabled directory exists
+      file:
+        path: "{{ caddy_sites_dir }}"
+        state: directory
+        owner: root
+        group: root
+        mode: '0755'
+
+    - name: Ensure Caddyfile includes import directive for sites-enabled
+      lineinfile:
+        path: /etc/caddy/Caddyfile
+        line: 'import sites-enabled/*'
+        insertafter: EOF
+        state: present
+        backup: yes
+
+    - name: Create Caddy reverse proxy configuration for vaultwarden
+      copy:
+        dest: "{{ caddy_sites_dir }}/vaultwarden.conf"
+        content: |
+          {{ vaultwarden_domain }} {
+              reverse_proxy localhost:{{ vaultwarden_port }}
+          }
+        owner: root
+        group: root
+        mode: '0644'
+
+    - name: Reload Caddy to apply new config
+      command: systemctl reload caddy
+
--- a/ansible/services/vaultwarden/setup_backup_vaultwarden_to_lapy.yml.yml
+++ b/ansible/services/vaultwarden/setup_backup_vaultwarden_to_lapy.yml.yml
@ -0,0 +1,63 @@
+- name: Configure local backup for Vaultwarden from remote
+  hosts: lapy
+  gather_facts: no
+  vars_files:
+    - ../../infra_vars.yml
+    - ./vaultwarden_vars.yml
+  vars:
+    remote_data_path: "{{ vaultwarden_data_dir }}"
+
+  tasks:
+    - name: Debug remote backup vars
+      debug:
+        msg:
+          - "remote_host={{ remote_host }}"
+          - "remote_user={{ remote_user }}"
+          - "remote_data_path='{{ remote_data_path }}'"
+          - "local_backup_dir={{ local_backup_dir }}"
+
+    - name: Ensure local backup directory exists
+      file:
+        path: "{{ local_backup_dir }}"
+        state: directory
+        mode: '0755'
+
+    - name: Ensure ~/.local/bin exists
+      file:
+        path: "{{ lookup('env', 'HOME') }}/.local/bin"
+        state: directory
+        mode: '0755'
+
+    - name: Create backup script
+      copy:
+        dest: "{{ backup_script_path }}"
+        mode: '0750'
+        content: |
+          #!/bin/bash
+          set -euo pipefail
+
+          TIMESTAMP=$(date +'%Y-%m-%d')
+          BACKUP_DIR="{{ local_backup_dir }}/$TIMESTAMP"
+          mkdir -p "$BACKUP_DIR"
+
+          {% if remote_key_file %}
+          SSH_CMD="ssh -i {{ remote_key_file }} -p {{ hostvars[remote_host]['ansible_port'] | default(22) }}"
+          {% else %}
+          SSH_CMD="ssh -p {{ hostvars[remote_host]['ansible_port'] | default(22) }}"
+          {% endif %}
+
+          rsync -az -e "$SSH_CMD" --delete {{ remote_user }}@{{ remote_host }}:{{ remote_data_path }}/ "$BACKUP_DIR/"
+
+          # Rotate old backups (keep 14 days)
+          find "{{ local_backup_dir }}" -maxdepth 1 -type d -name '20*' -mtime +13 -exec rm -rf {} \;
+
+    - name: Ensure cronjob for backup exists
+      cron:
+        name: "Vaultwarden backup"
+        user: "{{ lookup('env', 'USER') }}"
+        job: "{{ backup_script_path }}"
+        minute: 5
+        hour: "9,12,15,18"
+
+    - name: Run the backup script to make the first backup
+      command: "{{ backup_script_path }}"
--- a/ansible/services/vaultwarden/vaultwarden_vars.yml
+++ b/ansible/services/vaultwarden/vaultwarden_vars.yml
@ -0,0 +1,17 @@
+# General
+vaultwarden_dir: /opt/vaultwarden
+vaultwarden_data_dir: "{{ vaultwarden_dir }}/data"
+vaultwarden_port: 8222
+
+# Caddy
+caddy_sites_dir: /etc/caddy/sites-enabled
+vaultwarden_subdomain: vault
+
+# Remote access
+remote_host: "{{ groups['vipy'][0] }}"
+remote_user: "{{ hostvars[remote_host]['ansible_user'] }}"
+remote_key_file: "{{ hostvars[remote_host]['ansible_ssh_private_key_file'] | default('') }}"
+
+# Local backup
+local_backup_dir: "{{ lookup('env', 'HOME') }}/vaultwarden-backups"
+backup_script_path: "{{ lookup('env', 'HOME') }}/.local/bin/vaultwarden_backup.sh"