service/vault.md

@@ -47,39 +47,28 @@ Vaultwarden: https://github.com/dani-garcia/vaultwarden
 This service is installed using the upstream-provided container which runs under
 [Podman][].
 
-To set it up, deploy the `profile::podman` needs to be first deployed on a
-Debian machine. A directory needs to also be provisioned to hold Vaulwarden's
-persistent data, eg. `/srv/vaultwarden-data`.
+To set it up, deploy the `profile::vaultwarden` Puppet profile. This will:
 
-Then, run this command to instantiate a container with the desired
-configuration:
+- install Podman
+- deploy an unprivileged user/group pair
+- manage this user's home directory under `/srv/vault.torproject.org`
+- install systemd unit to instantiate and manage the container
+- install the container configuration in
+  `/srv/vault.torproject.org/container-env`
+- create a directory for the container's persistent storage in
+  `/srv/vault.torproject.org/data`
+- deploy a cron job to create a database backup
 
-    podman run -d --name vaultwarden \
-        --label io.containers.autoupdate=registry \
-        -e DOMAIN=https://vault.torproject.org \
-        -e SIGNUPS_ALLOWED=false \
-        -e ROCKET_PORT=8080 \
-        -v /srv/vaultwarden-data/:/data/:Z \
-        -p 8080:8080 \
-        quay.io/vaultwarden/server:latest
-
-It's possible the above command fails with a networking error. In this case,
-reboot the machine to allow the required modules to load.
-
-It's recommended to generate a systemd service to start the container at
-startup and for auto-upgrades to work:
-
-    podman generate systemd --new --name vaultwarden > /etc/systemd/system/container-vaultwarden.service
-    systemctl start container-vaultwarden
-
-The installation requirements are recorded in the GitLab ticket: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41541
+The installation requirements are recorded in the GitLab ticket:
+https://gitlab.torproject.org/tpo/tpa/team/-/issues/41541
 
 ## Upgrades
 
-When created as above, with label `io.containers.autoupdate=registry` and the
-`--new` switch on the `podman generate systemd` command, the container will be
+Because the cintainer is started with label `io.containers.autoupdate=registry`
+and the systemd unit is configured to create new containers on startup (`--new`
+switch on the `podman generate systemd` command) the container will be
 auto-upgraded daily from the upstream container registry via the
-`podman-auto-update` service/timer unit pair.
+`podman-auto-update` service/timer unit pair (enabled by default on bookworm).
 
 ## SLA
 
@@ -107,7 +96,7 @@ the standard web ports 80 and 443 and handle HTTPS termination.
 ## Storage
 
 All the Vaultwarden data, including SQlite3 database is stored below
-`/srv/vaultwarden-data`.
+`/srv/vault.torproject.org/data`.
 
 ## Interfaces