- Implement complete Vaultwarden deployment using Podman Quadlet - PostgreSQL backend via Unix socket with 777 permissions - Caddy reverse proxy with WebSocket support for live sync - Control-node admin token hashing using argon2 (OWASP preset) - Idempotent token hashing with deterministic salt generation - Full Authentik SSO integration following official guide - SMTP email configuration support (optional) - Invitation-only user registration by default - Comprehensive documentation with setup and troubleshooting guides Technical Details: - Container: vaultwarden/server:latest from Docker Hub - Database: PostgreSQL via /var/run/postgresql socket - Port: 8080 (localhost only, proxied by Caddy) - Domain: vault.jnss.me - Admin token: Hashed on control node with argon2id - SSO: OpenID Connect with offline_access scope support Role includes automatic argon2 installation on control node if needed.
# Vaultwarden Environment Configuration
|
|
# Generated by Ansible - DO NOT EDIT MANUALLY
|
|
|
|
# =================================================================
|
|
# Database Configuration (PostgreSQL via Unix Socket)
|
|
# =================================================================
|
|
DATABASE_URL=postgresql://{{ vaultwarden_db_user }}:{{ vaultwarden_db_password }}@/{{ vaultwarden_db_name }}?host={{ postgresql_unix_socket_directories }}
|
|
|
|
# =================================================================
|
|
# Domain Configuration
|
|
# =================================================================
|
|
DOMAIN=https://{{ vaultwarden_domain }}
|
|
|
|
# =================================================================
|
|
# Admin Configuration
|
|
# =================================================================
|
|
ADMIN_TOKEN={{ vaultwarden_admin_token_hashed }}
|
|
|
|
# =================================================================
|
|
# Registration and Invitation Controls
|
|
# =================================================================
|
|
SIGNUPS_ALLOWED={{ vaultwarden_signups_allowed | lower }}
|
|
INVITATIONS_ALLOWED={{ vaultwarden_invitations_allowed | lower }}
|
|
SHOW_PASSWORD_HINT={{ vaultwarden_show_password_hint | lower }}
|
|
|
|
# =================================================================
|
|
# WebSocket Configuration (for live sync)
|
|
# =================================================================
|
|
WEBSOCKET_ENABLED={{ vaultwarden_websocket_enabled | lower }}
|
|
|
|
# =================================================================
|
|
# SMTP Configuration (Optional)
|
|
# =================================================================
|
|
{% if vaultwarden_smtp_enabled %}
|
|
SMTP_HOST={{ vaultwarden_smtp_host }}
|
|
SMTP_PORT={{ vaultwarden_smtp_port }}
|
|
SMTP_FROM={{ vaultwarden_smtp_from }}
|
|
SMTP_SECURITY={{ vaultwarden_smtp_security }}
|
|
{% if vaultwarden_smtp_username %}
|
|
SMTP_USERNAME={{ vaultwarden_smtp_username }}
|
|
SMTP_PASSWORD={{ vaultwarden_smtp_password }}
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
# =================================================================
|
|
# SSO Configuration (Optional - Authentik Integration)
|
|
# =================================================================
|
|
{% if vaultwarden_sso_enabled %}
|
|
SSO_ENABLED=true
|
|
SSO_ONLY={{ vaultwarden_sso_only | lower }}
|
|
SSO_CLIENT_ID={{ vaultwarden_sso_client_id }}
|
|
SSO_CLIENT_SECRET={{ vaultwarden_sso_client_secret }}
|
|
SSO_AUTHORITY={{ vaultwarden_sso_authority }}
|
|
SSO_SCOPES="{{ vaultwarden_sso_scopes }}"
|
|
SSO_SIGNUPS_MATCH_EMAIL={{ vaultwarden_sso_signups_match_email | lower }}
|
|
SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION={{ vaultwarden_sso_allow_unknown_email_verification | lower }}
|
|
SSO_CLIENT_CACHE_EXPIRATION={{ vaultwarden_sso_client_cache_expiration }}
|
|
{% if vaultwarden_sso_signups_domains_whitelist %}
|
|
SSO_SIGNUPS_DOMAINS_WHITELIST={{ vaultwarden_sso_signups_domains_whitelist }}
|
|
{% endif %}
|
|
{% endif %}
|
|
|
|
# =================================================================
|
|
# Security and Performance
|
|
# =================================================================
|
|
# Disable user registration via email (use admin panel or invitations)
|
|
SIGNUPS_VERIFY=false
|
|
|
|
# Log level (trace, debug, info, warn, error, off)
|
|
LOG_LEVEL=info
|
|
|
|
# Rocket configuration
|
|
ROCKET_WORKERS=10
|
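Review bot: `DATABASE_URL` on the line `DATABASE_URL=postgresql://{{ vaultwarden_db_user }}:{{ vaultwarden_db_password }}@/...` interpolates the password raw, so any `@`, `/`, `:`, `#` or `%` in it corrupts the URL; render it as `{{ vaultwarden_db_password | urlencode }}` (and the user the same way). Since this file carries the DB password, `ADMIN_TOKEN`, `SMTP_PASSWORD` and `SSO_CLIENT_SECRET` in clear, the task that templates it should set a restrictive mode (e.g. `0600`) and the container service user as owner — that lives outside this section, so confirm it there. The `$` characters in the argon2 `ADMIN_TOKEN` hash and the literal quotes around `SSO_SCOPES` are handled differently by different env-file loaders (some expand `$`, some strip or keep the quotes); verify the values the container actually sees rather than assuming pass-through. The comment above `SIGNUPS_VERIFY=false` misstates the setting: it governs whether new accounts must verify their email, not whether registration is possible — suggest `# Do not require email verification for new accounts (registration itself is gated by SIGNUPS_ALLOWED / INVITATIONS_ALLOWED)`.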