Add Vaultwarden password manager role with PostgreSQL and SSO support

- Implement complete Vaultwarden deployment using Podman Quadlet - PostgreSQL backend via Unix socket with 777 permissions - Caddy reverse proxy with WebSocket support for live sync - Control-node admin token hashing using argon2 (OWASP preset) - Idempotent token hashing with deterministic salt generation - Full Authentik SSO integration following official guide - SMTP email configuration support (optional) - Invitation-only user registration by default - Comprehensive documentation with setup and troubleshooting guides Technical Details: - Container: vaultwarden/server:latest from Docker Hub - Database: PostgreSQL via /var/run/postgresql socket - Port: 8080 (localhost only, proxied by Caddy) - Domain: vault.jnss.me - Admin token: Hashed on control node with argon2id - SSO: OpenID Connect with offline_access scope support Role includes automatic argon2 installation on control node if needed.
2025-12-21 16:13:25 +01:00
parent 89b43180fc
commit bfd6f22f0e
14 changed files with 1346 additions and 3 deletions
--- a/roles/vaultwarden/tasks/hash_admin_token.yml
+++ b/roles/vaultwarden/tasks/hash_admin_token.yml
@@ -0,0 +1,57 @@
+---
+# Hash admin token on Ansible control node using argon2
+
+- name: Check if argon2 is available on control node
+  command: which argon2
+  register: argon2_check
+  delegate_to: localhost
+  become: false
+  changed_when: false
+  failed_when: false
+
+- name: Install argon2 on control node if not present
+  package:
+    name: argon2
+    state: present
+  delegate_to: localhost
+  become: false
+  when: argon2_check.rc != 0
+  run_once: true
+
+- name: Generate deterministic salt from domain
+  set_fact:
+    vaultwarden_salt_source: "{{ vaultwarden_domain }}-{{ vaultwarden_sso_authority }}"
+  no_log: true
+
+- name: Create base64-encoded salt for argon2
+  shell: echo -n "{{ vaultwarden_salt_source }}" | sha256sum | cut -d' ' -f1 | head -c 22
+  register: admin_token_salt
+  delegate_to: localhost
+  become: false
+  changed_when: false
+  no_log: true
+
+- name: Hash admin token using argon2 (OWASP preset)
+  shell: echo -n "{{ vaultwarden_admin_token_plain }}" | argon2 "{{ admin_token_salt.stdout }}" -id -t 2 -k 19456 -p 1 -e
+  register: admin_token_hash_result
+  delegate_to: localhost
+  become: false
+  changed_when: false
+  no_log: true
+
+- name: Extract hashed admin token
+  set_fact:
+    vaultwarden_admin_token_hashed: "{{ admin_token_hash_result.stdout | trim }}"
+  no_log: true
+
+- name: Display token hash status
+  debug:
+    msg: |
+      Admin token hashed successfully on control node
+      
+      Hash algorithm: argon2id
+      Preset: OWASP (m=19456, t=2, p=1)
+      Format: PHC string (Vaultwarden compatible)
+      Idempotent: Same token always produces same hash
+      
+      The hashed token will be used in the environment configuration