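---
# =================================================================
# Vaultwarden Password Manager Role - Default Variables
# =================================================================
# Self-contained Vaultwarden deployment with Podman and PostgreSQL
#
# Values below are role defaults (lowest precedence). Anything that is
# environment-specific (domain, mail sender, secrets) is expected to be
# overridden from inventory / group_vars; secrets are pulled from
# `vault_*` variables and should never be written here as literals.

# =================================================================
# Service Configuration
# =================================================================

# Service user and directories
vaultwarden_user: vaultwarden
vaultwarden_group: vaultwarden
vaultwarden_home: /opt/vaultwarden
vaultwarden_data_dir: "{{ vaultwarden_home }}/data"

# Container configuration
# NOTE: SSO feature is only available in "testing" tag (as of Dec 2025)
# Using "latest" (stable) means SSO will not appear even if configured
# SSO settings below are configured and ready for when feature reaches stable
# Keep the tag quoted: a numeric-looking tag such as 1.30 would otherwise be
# parsed as a float.
vaultwarden_version: "latest"
vaultwarden_image: "vaultwarden/server"

# Service management
vaultwarden_service_enabled: true
vaultwarden_service_state: "started"

# =================================================================
# Database Configuration (Self-managed)
# =================================================================

vaultwarden_db_name: "vaultwarden"
vaultwarden_db_user: "vaultwarden"
# No default() on purpose: a missing vault variable fails the play instead of
# silently configuring an empty database password.
vaultwarden_db_password: "{{ vault_vaultwarden_db_password }}"

# =================================================================
# Network Configuration
# =================================================================

# Environment-specific; override in inventory rather than editing this file.
vaultwarden_domain: "vault.jnss.me"
vaultwarden_http_port: 8080

# =================================================================
# Vaultwarden Core Configuration
# =================================================================

# Admin panel access token (plain text, will be hashed during deployment)
# Sourced from vault only; never place the literal token in this file.
vaultwarden_admin_token_plain: "{{ vault_vaultwarden_admin_token }}"

# Registration and invitation controls
vaultwarden_signups_allowed: false  # Disable open registration
vaultwarden_invitations_allowed: true  # Allow existing users to invite
vaultwarden_show_password_hint: false  # Don't show password hints

# WebSocket support for live sync
vaultwarden_websocket_enabled: true

# =================================================================
# Email Configuration (Optional)
# =================================================================

vaultwarden_smtp_enabled: true
vaultwarden_smtp_host: "smtp.titan.email"
vaultwarden_smtp_port: 587
# Sender/login are environment-specific; override in inventory.
vaultwarden_smtp_from: "hello@jnss.me"
vaultwarden_smtp_username: "hello@jnss.me"
# NOTE(review): default('') means an undefined vault_smtp_password yields an
# empty SMTP password while SMTP is enabled above, so a missing secret shows
# up as a mail-delivery failure at runtime rather than a failed play.
vaultwarden_smtp_password: "{{ vault_smtp_password | default('') }}"
vaultwarden_smtp_security: "starttls"  # Options: starttls, force_tls, off

# =================================================================
# SSO Configuration (Optional - Authentik Integration)
# =================================================================

vaultwarden_sso_enabled: false

# SSO Provider Configuration (Authentik)
# Both default to "" so the role renders with SSO disabled even when the vault
# entries do not exist yet; set the vault variables before enabling SSO.
vaultwarden_sso_client_id: "{{ vault_vaultwarden_sso_client_id | default('') }}"
vaultwarden_sso_client_secret: "{{ vault_vaultwarden_sso_client_secret | default('') }}"
# Authority must include full path with application slug
# Requires authentik_domain to be defined wherever this variable is rendered
# (presumably provided by the authentik role - confirm against that role).
vaultwarden_sso_authority: "https://{{ authentik_domain }}/application/o/vaultwarden/"
vaultwarden_sso_scopes: "openid email profile offline_access"

# Additional SSO settings (per Authentik integration guide)
vaultwarden_sso_only: false  # Set to true to disable email+password login and require SSO
# Match first SSO login to existing account by email.
# NOTE(review): this links an existing account to whichever IdP identity
# presents the same email claim, so it relies on the IdP verifying email
# addresses; keep allow_unknown_email_verification false alongside it.
vaultwarden_sso_signups_match_email: true
vaultwarden_sso_allow_unknown_email_verification: false
# 0 presumably disables caching of the provider's client metadata - confirm
# against the Vaultwarden SSO documentation for the deployed version.
vaultwarden_sso_client_cache_expiration: 0

# Domain whitelist for SSO signups (comma-separated domains, empty = all)
vaultwarden_sso_signups_domains_whitelist: ""

# =================================================================
# Caddy Integration
# =================================================================

# Caddy configuration (assumes caddy role provides these variables)
# Kept here only as fallbacks so the role renders standalone; the caddy role's
# values take precedence when it is applied.
caddy_sites_enabled_dir: "/etc/caddy/sites-enabled"
caddy_log_dir: "/var/log/caddy"
caddy_user: "caddy"

# =================================================================
# Infrastructure Dependencies (Read-only)
# =================================================================

# PostgreSQL socket configuration (managed by postgresql role)
# Fallback values; do not override here - adjust the postgresql role instead.
postgresql_unix_socket_directories: "/var/run/postgresql"
postgresql_client_group: "postgres-clients"
postgresql_port: 5432
postgresql_unix_socket_enabled: true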