service/vault: update docs now that service unit is managed (authored by Jérôme Charaoui)
...@@ -47,39 +47,28 @@ Vaultwarden: https://github.com/dani-garcia/vaultwarden ...@@ -47,39 +47,28 @@ Vaultwarden: https://github.com/dani-garcia/vaultwarden
This service is installed using the upstream-provided container which runs under This service is installed using the upstream-provided container which runs under
[Podman][]. [Podman][].
To set it up, deploy the `profile::podman` needs to be first deployed on a To set it up, deploy the `profile::vaultwarden` Puppet profile. This will:
Debian machine. A directory needs to also be provisioned to hold Vaulwarden's
persistent data, eg. `/srv/vaultwarden-data`.
Then, run this command to instantiate a container with the desired - install Podman
configuration: - deploy an unprivileged user/group pair
- manage this user's home directory under `/srv/vault.torproject.org`
- install systemd unit to instantiate and manage the container
- install the container configuration in
`/srv/vault.torproject.org/container-env`
- create a directory for the container's persistent storage in
`/srv/vault.torproject.org/data`
- deploy a cron job to create a database backup
podman run -d --name vaultwarden \ The installation requirements are recorded in the GitLab ticket:
--label io.containers.autoupdate=registry \ https://gitlab.torproject.org/tpo/tpa/team/-/issues/41541
-e DOMAIN=https://vault.torproject.org \
-e SIGNUPS_ALLOWED=false \
-e ROCKET_PORT=8080 \
-v /srv/vaultwarden-data/:/data/:Z \
-p 8080:8080 \
quay.io/vaultwarden/server:latest
It's possible the above command fails with a networking error. In this case,
reboot the machine to allow the required modules to load.
It's recommended to generate a systemd service to start the container at
startup and for auto-upgrades to work:
podman generate systemd --new --name vaultwarden > /etc/systemd/system/container-vaultwarden.service
systemctl start container-vaultwarden
The installation requirements are recorded in the GitLab ticket: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41541
## Upgrades ## Upgrades
When created as above, with label `io.containers.autoupdate=registry` and the Because the cintainer is started with label `io.containers.autoupdate=registry`
`--new` switch on the `podman generate systemd` command, the container will be and the systemd unit is configured to create new containers on startup (`--new`
switch on the `podman generate systemd` command) the container will be
auto-upgraded daily from the upstream container registry via the auto-upgraded daily from the upstream container registry via the
`podman-auto-update` service/timer unit pair. `podman-auto-update` service/timer unit pair (enabled by default on bookworm).
## SLA ## SLA
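Review bot: the new Upgrades paragraph in this hunk has a typo, `cintainer` for `container` ("Because the cintainer is started with label ..."). Separately, the settings that the removed `podman run` example made explicit (`DOMAIN=https://vault.torproject.org`, `SIGNUPS_ALLOWED=false`, `ROCKET_PORT=8080`) are now only implied by the bullet about `/srv/vault.torproject.org/container-env`; consider listing which settings that file carries, so a reader can confirm that self-registration stays disabled after the move to the Puppet-managed unit rather than having to inspect the file on the host.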
...@@ -107,7 +96,7 @@ the standard web ports 80 and 443 and handle HTTPS termination. ...@@ -107,7 +96,7 @@ the standard web ports 80 and 443 and handle HTTPS termination.
## Storage ## Storage
All the Vaultwarden data, including SQlite3 database is stored below All the Vaultwarden data, including SQlite3 database is stored below
`/srv/vaultwarden-data`. `/srv/vault.torproject.org/data`.
## Interfaces ## Interfaces
... ...
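Review bot: `SQlite3` should be `SQLite3`, and the sentence reads better as "All the Vaultwarden data, including the SQLite3 database, is stored below ...". Since the first hunk adds a cron job that creates a database backup, this Storage section should also state where that backup is written (inside or outside `/srv/vault.torproject.org/data`); as written, the backup location is undocumented.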