bitwarden deployment

services/bitwarden/files/docker-compose.yaml

@@ -0,0 +1,46 @@
+version: "2.1"
+
+services:
+  traefik:
+    image: traefik:1.7
+    restart: always
+    ports:
+      - 80:80
+      - 443:443
+    networks:
+      - web
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ${INSTALL_DIR}/traefik.toml:/traefik.toml
+      - ${INSTALL_DIR}/acme.json:/acme.json
+    container_name: traefik
+
+  bitwarden:
+    image: mprasil/bitwarden:latest
+    restart: always
+    expose:
+      - "80"
+      - "3012"
+    networks:
+      - web
+    volumes:
+      - ${BITWARDEN_DATA_DIR}/:/data/
+    environment:
+      SIGNUPS_ALLOWED: "false"
+      SERVER_ADMIN_EMAIL: "${BITWARDEN_ADMIN_EMAIL}"
+    labels:
+      - "traefik.frontend.rule=Host:${HOST}"
+      - "traefik.docker.network=web"
+      - "traefik.port=80"
+      - "traefik.enable=true"
+      - "traefik.web.frontend.rule=Host:${HOST}"
+      - "traefik.web.port=80"
+      - "traefik.hub.frontend.rule=Path:/notifications/hub"
+      - "traefik.hub.port=3012"
+      - "traefik.negotiate.frontend.rule=Path:/notifications/hub/negotiate"
+      - "traefik.negotiate.port=80"
+    container_name: bitwarden
+
+networks:
+  web:
+    name: web

services/bitwarden/files/traefik.toml

@@ -0,0 +1,28 @@
+debug = true
+
+logLevel = "INFO"
+defaultEntryPoints = ["https","http"]
+
+[entryPoints]
+  [entryPoints.http]
+  address = ":80"
+    [entryPoints.http.redirect]
+    entryPoint = "https"
+  [entryPoints.https]
+  address = ":443"
+  [entryPoints.https.tls]
+
+[retry]
+
+[docker]
+endpoint = "unix:///var/run/docker.sock"
+watch = true
+exposedByDefault = false
+
+[acme]
+email = "julian.toelle97@gmail.com"
+storage = "acme.json"
+entryPoint = "https"
+onHostRule = true
+  [acme.httpChallenge]
+  entryPoint = "http"

services/bitwarden/main.tf

@@ -0,0 +1,134 @@
+##########
+## NODE ##
+##########
+module "node" {
+  source = "../../modules/docker_node"
+
+  name = "${var.name}"
+
+  ssh_key_id = "${var.ssh_key_id}"
+}
+
+############
+## VOLUME ##
+############
+
+resource "hcloud_volume" "data" {
+  name     = "${var.volume_name}"
+  size     = "${var.volume_size}"
+  location = "${var.location}"
+
+  format = "ext4"
+}
+
+resource hcloud_volume_attachment "data" {
+  volume_id = "${hcloud_volume.data.id}"
+  server_id = "${module.node.id}"
+
+  automount = true
+}
+
+resource null_resource "start-stop-bitwarden" {
+  # This resource is responsible for starting and stopping Bitwarden before
+  # changing volume assignments. This should avoid data corruption.
+  depends_on = ["hcloud_volume_attachment.data", "null_resource.install-bitwarden"]
+
+  triggers = {
+    id = "${hcloud_volume_attachment.data.id}"
+  }
+
+  connection = {
+    host        = "${module.node.ip}"
+    private_key = "${file("keys/id_terraform")}"
+  }
+
+  provisioner remote-exec {
+    # Stop bitwarden container before unmounting data volume
+    when = "destroy"
+
+    inline = [
+      "echo Stopping Bitwarden",
+      "docker stop bitwarden",
+    ]
+  }
+
+  provisioner remote-exec {
+    # Start bitwarden after mounting new volume
+    inline = [
+      "echo Starting Bitwarden",
+      "cd ${local.install_dir}",
+      "docker-compose up -d",
+    ]
+  }
+}
+
+################
+## IP ADDRESS ##
+################
+
+module floating_ip {
+  source = "../../modules/floating_ip"
+
+  location  = "${var.location}"
+  host      = "${var.host}"
+  server_id = "${module.node.id}"
+  server_ip = "${module.node.ip}"
+}
+
+#################
+## APPLICATION ##
+#################
+
+data "template_file" "compose" {
+  template = "${file("services/bitwarden/files/docker-compose.yaml")}"
+
+  vars = {
+    INSTALL_DIR           = "${local.install_dir}"
+    BITWARDEN_DATA_DIR    = "${local.bitwarden_data_dir}"
+    BITWARDEN_ADMIN_EMAIL = "${var.bitwarden_admin_email}"
+    HOST                  = "${var.host}"
+  }
+}
+
+resource "null_resource" "install-bitwarden" {
+  depends_on = ["module.node", "hcloud_volume_attachment.data"]
+
+  triggers {
+    node_id   = "${module.node.id}"
+    volume_id = "${hcloud_volume.data.id}"
+
+    docker_compose = "${sha1(data.template_file.compose.rendered)}"
+    traefik_config = "${sha1(file("services/bitwarden/files/traefik.toml"))}"
+  }
+
+  connection = {
+    host        = "${module.node.ip}"
+    private_key = "${file("keys/id_terraform")}"
+  }
+
+  provisioner remote-exec {
+    inline = [
+      "mkdir -p ${local.install_dir}",
+      "touch ${local.install_dir}/acme.json",
+      "chmod 600 ${local.install_dir}/acme.json",
+    ]
+  }
+
+  provisioner file {
+    content     = "${data.template_file.compose.rendered}"
+    destination = "${local.install_dir}/docker-compose.yaml"
+  }
+
+  provisioner file {
+    source      = "services/bitwarden/files/traefik.toml"
+    destination = "${local.install_dir}/traefik.toml"
+  }
+
+  provisioner remote-exec {
+    inline = [
+      "cd ${local.install_dir}",
+      "docker-compose pull",
+      "docker-compose up -d",
+    ]
+  }
+}

services/bitwarden/output.tf

@@ -0,0 +1,3 @@
+output ip {
+  value = "${module.floating_ip.ip}"
+}

services/bitwarden/vars.tf

@@ -0,0 +1,39 @@
+variable location {
+  type    = "string"
+  default = "nbg1"
+}
+
+variable ssh_key_id {
+  type = "string"
+}
+
+variable volume_size {
+  type    = "string"
+  default = 10
+}
+
+variable name {
+  type    = "string"
+  default = "bitwarden"
+}
+
+variable volume_name {
+  type    = "string"
+  default = "bitwarden-data"
+}
+
+variable host {
+  type    = "string"
+  default = "bitwarden.apricote.de"
+}
+
+variable bitwarden_admin_email {
+  type = "string"
+}
+
+locals = {
+  volume_path = "/mnt/${var.volume_name}"
+
+  install_dir        = "/opt/${var.name}"
+  bitwarden_data_dir = "${local.volume_path}"
+}