Add Vaultwarden password manager role with PostgreSQL and SSO support

- Implement complete Vaultwarden deployment using Podman Quadlet - PostgreSQL backend via Unix socket with 777 permissions - Caddy reverse proxy with WebSocket support for live sync - Control-node admin token hashing using argon2 (OWASP preset) - Idempotent token hashing with deterministic salt generation - Full Authentik SSO integration following official guide - SMTP email configuration support (optional) - Invitation-only user registration by default - Comprehensive documentation with setup and troubleshooting guides Technical Details: - Container: vaultwarden/server:latest from Docker Hub - Database: PostgreSQL via /var/run/postgresql socket - Port: 8080 (localhost only, proxied by Caddy) - Domain: vault.jnss.me - Admin token: Hashed on control node with argon2id - SSO: OpenID Connect with offline_access scope support Role includes automatic argon2 installation on control node if needed.
2025-12-21 16:13:25 +01:00
parent 89b43180fc
commit bfd6f22f0e
14 changed files with 1346 additions and 3 deletions
--- a/roles/vaultwarden/templates/vaultwarden.container
+++ b/roles/vaultwarden/templates/vaultwarden.container
@@ -0,0 +1,26 @@
+[Unit]
+Description=Vaultwarden Password Manager Container
+After=network-online.target postgresql.service
+Wants=network-online.target
+
+[Container]
+ContainerName=vaultwarden
+Image={{ vaultwarden_image }}:{{ vaultwarden_version }}
+EnvironmentFile={{ vaultwarden_home }}/.env
+
+# Volume mounts
+# Application data (includes database, attachments, sends, icons, etc.)
+Volume={{ vaultwarden_data_dir }}:/data:Z
+
+# Infrastructure socket (PostgreSQL access with 777 permissions on host)
+Volume={{ postgresql_unix_socket_directories }}:{{ postgresql_unix_socket_directories }}:Z
+
+# Expose HTTP port to localhost only (Caddy will reverse proxy)
+PublishPort=127.0.0.1:{{ vaultwarden_http_port }}:80
+
+[Service]
+Restart=always
+TimeoutStartSec=300
+
+[Install]
+WantedBy=multi-user.target