Add Vaultwarden password manager role with PostgreSQL and SSO support

- Implement complete Vaultwarden deployment using Podman Quadlet - PostgreSQL backend via Unix socket with 777 permissions - Caddy reverse proxy with WebSocket support for live sync - Control-node admin token hashing using argon2 (OWASP preset) - Idempotent token hashing with deterministic salt generation - Full Authentik SSO integration following official guide - SMTP email configuration support (optional) - Invitation-only user registration by default - Comprehensive documentation with setup and troubleshooting guides Technical Details: - Container: vaultwarden/server:latest from Docker Hub - Database: PostgreSQL via /var/run/postgresql socket - Port: 8080 (localhost only, proxied by Caddy) - Domain: vault.jnss.me - Admin token: Hashed on control node with argon2id - SSO: OpenID Connect with offline_access scope support Role includes automatic argon2 installation on control node if needed.
2025-12-21 16:13:25 +01:00
parent 89b43180fc
commit bfd6f22f0e
14 changed files with 1346 additions and 3 deletions
--- a/roles/vaultwarden/tasks/database.yml
+++ b/roles/vaultwarden/tasks/database.yml
@@ -0,0 +1,51 @@
+---
+# Database setup for Vaultwarden - PostgreSQL via Unix Socket
+
+- name: Test PostgreSQL socket connectivity
+  postgresql_ping:
+    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
+    login_user: "{{ vaultwarden_user }}"
+  become: true
+  become_user: "{{ vaultwarden_user }}"
+
+- name: Create Vaultwarden database user via socket
+  postgresql_user:
+    name: "{{ vaultwarden_db_user }}"
+    password: "{{ vaultwarden_db_password }}"
+    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
+    login_user: postgres
+  become: true
+  become_user: postgres
+
+- name: Create Vaultwarden database via socket
+  postgresql_db:
+    name: "{{ vaultwarden_db_name }}"
+    owner: "{{ vaultwarden_db_user }}"
+    encoding: UTF8
+    template: template0
+    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
+    login_user: postgres
+  become: true
+  become_user: postgres
+
+- name: Grant Vaultwarden database privileges
+  postgresql_privs:
+    db: "{{ vaultwarden_db_name }}"
+    privs: ALL
+    type: database
+    role: "{{ vaultwarden_db_user }}"
+    login_unix_socket: "{{ postgresql_unix_socket_directories }}"
+    login_user: postgres
+  become: true
+  become_user: postgres
+
+- name: Display database setup status
+  debug:
+    msg: |
+      Vaultwarden database setup complete!
+      
+      Database: {{ vaultwarden_db_name }}
+      User: {{ vaultwarden_db_user }}
+      Connection: Unix socket ({{ postgresql_unix_socket_directories }})
+      
+      Ready for Vaultwarden container deployment