Ajoute le rôle vaultwarden

group_vars/all/vars.yml

@@ -10,3 +10,6 @@ zds_antispam_dir: /opt/zds-antispam
 logdir: /var/log/zds
 appuser: zds
 latex_template_version: c285c1c1a60807b732472b036ecb204ac2cb48f3
+pass_manager_user: vaultwarden
+pass_manager_dir: /opt/vaultwarden
+pass_manager_port: 8081

group_vars/production/vars.yml

@@ -10,3 +10,7 @@ certificate:
 munin_certificate:
   cert: /etc/letsencrypt/live/munin.zestedesavoir.com/fullchain.pem
   key: /etc/letsencrypt/live/munin.zestedesavoir.com/privkey.pem
+pass_manager_host: "vault-ro.{{ http_host }}"
+pass_manager_certificate:
+  cert: "/etc/letsencrypt/live/{{ pass_manager_host }}/fullchain.pem"
+  key: "/etc/letsencrypt/live/{{ pass_manager_host }}/privkey.pem"

playbook.yml

@@ -22,3 +22,6 @@
       when: env == "beta"
     - role: munin
       tags: bootstrap
+    # - role: vaultwarden  # not used in practice
+      # tags: bootstrap
+      # when: (env == "prod") or (env == "vagrant")

roles/vaultwarden/tasks/main.yml

@@ -0,0 +1,37 @@
+---
+- name: should have a user named {{ pass_manager_user }}
+  ansible.builtin.user:
+    name: "{{ pass_manager_user }}"
+    shell: /bin/false
+    home: "{{ pass_manager_dir }}"
+    comment: Vaultwarden
+
+- name: create the needed directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ pass_manager_user }}"
+    group: "{{ pass_manager_user }}"
+    mode: "0750"
+  with_items:
+    - "{{ pass_manager_dir }}"
+    - "{{ pass_manager_dir }}/data"
+
+- name: create environment file
+  ansible.builtin.template:
+    src: templates/vaultwarden.env.j2
+    dest: "{{ pass_manager_dir }}/vaultwarden.env"
+    mode: "0640"
+
+- name: create service file
+  ansible.builtin.template:
+    src: templates/vaultwarden.service.j2
+    dest: /etc/systemd/system/vaultwarden.service
+    mode: u=rw,g=r,o=r
+
+- name: start service
+  ansible.builtin.systemd:
+    state: started
+    name: vaultwarden.service
+    enabled: true
+    daemon_reload: true