Add infra setup: Terraform for DO droplet + Cloudflare DNS, Ansible roles for Gitea, Vaultwarden, and Gitea runner

2026-03-31 06:08:21 -05:00
parent bde3ad64fd
commit fe3c7646d6
33 changed files with 6435 additions and 0 deletions
--- a/infra/ansible/roles/vaultwarden/defaults/main.yml
+++ b/infra/ansible/roles/vaultwarden/defaults/main.yml
@@ -0,0 +1,18 @@
+---
+vaultwarden_domain: "vault.example.com"
+vaultwarden_port: 8080
+vaultwarden_data_dir: /var/lib/vaultwarden
+
+# Set to your postgres connection string or leave as default for SQLite
+vaultwarden_database_url: ""  # e.g. postgresql://user:pass@host/vaultwarden
+
+# Restrict signups after first admin account is created
+vaultwarden_signups_allowed: "true"
+
+# Admin token — set this to a strong random string
+# Generate with: openssl rand -base64 48
+vaultwarden_admin_token: ""
+
+# Cloudflare Origin Certificate
+cf_origin_cert: ""
+cf_origin_key: ""
--- a/infra/ansible/roles/vaultwarden/handlers/main.yml
+++ b/infra/ansible/roles/vaultwarden/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: Restart vaultwarden
+  community.docker.docker_compose_v2:
+    project_src: "{{ vaultwarden_data_dir }}"
+    state: present
+    recreate: always
+
+- name: Reload nginx
+  systemd:
+    name: nginx
+    state: reloaded
--- a/infra/ansible/roles/vaultwarden/tasks/main.yml
+++ b/infra/ansible/roles/vaultwarden/tasks/main.yml
@@ -0,0 +1,76 @@
+---
+- name: Install dependencies
+  apt:
+    name: [docker.io, docker-compose-v2]
+    state: present
+    update_cache: true
+
+- name: Enable and start Docker
+  systemd:
+    name: docker
+    enabled: true
+    state: started
+
+- name: Create vaultwarden data directory
+  file:
+    path: "{{ vaultwarden_data_dir }}"
+    state: directory
+    owner: root
+    group: root
+    mode: "0700"
+
+- name: Deploy docker-compose file
+  template:
+    src: docker-compose.yml.j2
+    dest: "{{ vaultwarden_data_dir }}/docker-compose.yml"
+    mode: "0600"
+  notify: Restart vaultwarden
+
+- name: Start vaultwarden
+  community.docker.docker_compose_v2:
+    project_src: "{{ vaultwarden_data_dir }}"
+    state: present
+
+# ─── Cloudflare Origin Certificate ───────────────────────────────────────────
+
+- name: Create SSL directory
+  file:
+    path: /etc/nginx/ssl
+    state: directory
+    owner: root
+    group: root
+    mode: "0700"
+
+- name: Install Cloudflare origin certificate
+  copy:
+    content: "{{ cf_origin_cert }}"
+    dest: /etc/nginx/ssl/cf-origin.pem
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Reload nginx
+
+- name: Install Cloudflare origin key
+  copy:
+    content: "{{ cf_origin_key }}"
+    dest: /etc/nginx/ssl/cf-origin.key
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Reload nginx
+
+# ─── nginx ────────────────────────────────────────────────────────────────────
+
+- name: Deploy nginx config
+  template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/sites-available/vaultwarden
+    mode: "0644"
+  notify: Reload nginx
+
+- name: Enable nginx site
+  file:
+    src: /etc/nginx/sites-available/vaultwarden
+    dest: /etc/nginx/sites-enabled/vaultwarden
+    state: link
+  notify: Reload nginx
--- a/infra/ansible/roles/vaultwarden/templates/docker-compose.yml.j2
+++ b/infra/ansible/roles/vaultwarden/templates/docker-compose.yml.j2
@@ -0,0 +1,16 @@
+services:
+  vaultwarden:
+    image: vaultwarden/server:latest
+    container_name: vaultwarden
+    restart: unless-stopped
+    volumes:
+      - {{ vaultwarden_data_dir }}/data:/data
+    environment:
+      DOMAIN: "https://{{ vaultwarden_domain }}"
+      SIGNUPS_ALLOWED: "{{ vaultwarden_signups_allowed }}"
+      ADMIN_TOKEN: "{{ vaultwarden_admin_token }}"
+{% if vaultwarden_database_url %}
+      DATABASE_URL: "{{ vaultwarden_database_url }}"
+{% endif %}
+    ports:
+      - "127.0.0.1:{{ vaultwarden_port }}:80"
--- a/infra/ansible/roles/vaultwarden/templates/nginx.conf.j2
+++ b/infra/ansible/roles/vaultwarden/templates/nginx.conf.j2
@@ -0,0 +1,27 @@
+server {
+    listen 80;
+    server_name {{ vaultwarden_domain }};
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name {{ vaultwarden_domain }};
+
+    ssl_certificate     /etc/nginx/ssl/cf-origin.pem;
+    ssl_certificate_key /etc/nginx/ssl/cf-origin.key;
+
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+
+    # Required for Bitwarden web vault
+    client_max_body_size 525m;
+
+    location / {
+        proxy_pass         http://127.0.0.1:{{ vaultwarden_port }};
+        proxy_set_header   Host              $host;
+        proxy_set_header   X-Real-IP         $remote_addr;
+        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+    }
+}