Initial commit after Claude implementation

roles/vaultwarden/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+vaultwarden_data_dir: "{{ sovereign_base_dir }}/vaultwarden"

roles/vaultwarden/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart vaultwarden
+  community.docker.docker_compose_v2:
+    project_src: "{{ vaultwarden_data_dir }}"
+    state: present
+    recreate: always

roles/vaultwarden/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+- name: Create Vaultwarden directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - "{{ vaultwarden_data_dir }}"
+    - "{{ vaultwarden_data_dir }}/data"
+
+- name: Deploy Vaultwarden docker-compose
+  ansible.builtin.template:
+    src: docker-compose.yml.j2
+    dest: "{{ vaultwarden_data_dir }}/docker-compose.yml"
+    mode: '0644'
+  notify: restart vaultwarden
+
+- name: Start Vaultwarden
+  community.docker.docker_compose_v2:
+    project_src: "{{ vaultwarden_data_dir }}"
+    state: present

roles/vaultwarden/templates/docker-compose.yml.j2

@@ -0,0 +1,63 @@
+services:
+  vaultwarden-db:
+    image: postgres:16-alpine
+    container_name: vaultwarden-db
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: vaultwarden
+      POSTGRES_USER: vaultwarden
+      POSTGRES_PASSWORD: "{{ vaultwarden_db_password }}"
+    volumes:
+      - {{ vaultwarden_data_dir }}/db:/var/lib/postgresql/data
+    networks:
+      - internal
+    logging:
+      driver: gelf
+      options:
+        gelf-address: "udp://{{ graylog_host }}:{{ graylog_gelf_port }}"
+        tag: "vaultwarden-db"
+
+  vaultwarden:
+    image: vaultwarden/server:{{ vaultwarden_version }}
+    container_name: vaultwarden
+    restart: unless-stopped
+    depends_on:
+      - vaultwarden-db
+    environment:
+      DATABASE_URL: "postgresql://vaultwarden:{{ vaultwarden_db_password }}@vaultwarden-db/vaultwarden"
+      ADMIN_TOKEN: "{{ vaultwarden_admin_token }}"
+      DOMAIN: "https://{{ vaultwarden_domain }}"
+      SMTP_HOST: "{{ smtp_host }}"
+      SMTP_FROM: "{{ smtp_from }}"
+      SMTP_PORT: "{{ smtp_port }}"
+      SMTP_SECURITY: "{{ smtp_tls }}"
+      SMTP_USERNAME: "{{ smtp_user }}"
+      SMTP_PASSWORD: "{{ smtp_password }}"
+      SIGNUPS_ALLOWED: "false"
+      SSO_ENABLED: "true"
+      SSO_ONLY: "false"
+      SSO_AUTHORITY: "https://{{ authentik_domain }}/application/o/vaultwarden/"
+      SSO_CLIENT_ID: "vaultwarden"
+      SSO_CLIENT_SECRET: "changeme_vaultwarden_oidc_secret"
+      LOG_LEVEL: warn
+    volumes:
+      - {{ vaultwarden_data_dir }}/data:/data
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.vaultwarden.rule=Host(`{{ vaultwarden_domain }}`)"
+      - "traefik.http.routers.vaultwarden.tls=true"
+      - "traefik.http.routers.vaultwarden.tls.certresolver=letsencrypt"
+      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"
+    networks:
+      - internal
+      - {{ sovereign_network_name }}
+    logging:
+      driver: gelf
+      options:
+        gelf-address: "udp://{{ graylog_host }}:{{ graylog_gelf_port }}"
+        tag: "vaultwarden"
+
+networks:
+  internal:
+  {{ sovereign_network_name }}:
+    external: true