feat(vaultwarden): add SMTP configuration options and enhance signup settings
- Introduced SMTP settings for Vaultwarden including host, port, security, and authentication details. - Added variables for signup verification, 2FA settings, password hints, and logging options. - Updated Vaultwarden deployment to utilize new SMTP configurations. - Enhanced Grafana module to support dynamic dashboard and datasource provisioning. - Added LLM proxy configuration for Open Web UI with necessary environment variables.
This commit is contained in:
@@ -1,6 +1,23 @@
|
||||
locals {
|
||||
app_folder = var.persistent_folder
|
||||
app_version = var.tag
|
||||
app_fqdn = var.fqdn
|
||||
db_path = var.db_folder != "" ? var.db_folder : local.app_folder
|
||||
app_folder = var.persistent_folder
|
||||
app_version = var.tag
|
||||
app_fqdn = var.fqdn
|
||||
db_path = var.db_folder != "" ? var.db_folder : local.app_folder
|
||||
signup = var.signup_enabled ? "true" : "false"
|
||||
signup_verify = var.signup_verify ? "true" : "false"
|
||||
disable_2fa_remember = var.disable_2fa_remember ? "true" : "false"
|
||||
show_password_hint = var.show_password_hint ? "true" : "false"
|
||||
password_hints_allowed = var.password_hints_allowed ? "true" : "false"
|
||||
disable_icon_download = var.disable_icon_download ? "true" : "false"
|
||||
icon_service = var.icon_service
|
||||
http_request_block_non_global_ips = var.http_request_block_non_global_ips ? "true" : "false"
|
||||
extended_logging = var.extended_logging ? "true" : "false"
|
||||
websocket_enabled = var.websocket_enabled ? "true" : "false"
|
||||
sends_allowed = var.sends_allowed ? "true" : "false"
|
||||
trash_auto_delete_days = var.trash_auto_delete_days
|
||||
events_days_retain = var.events_days_retain
|
||||
admin_session_lifetime = tostring(var.admin_session_lifetime)
|
||||
|
||||
# SMTP locals — only enable mail if host or from is configured
|
||||
smtp_enabled = var.smtp_host != "" || var.smtp_from != ""
|
||||
}
|
||||
|
||||
@@ -19,11 +19,38 @@ resource "kubernetes_config_map" "vaultwarden_config" {
|
||||
namespace = kubernetes_namespace.vaultwarden.metadata[0].name
|
||||
}
|
||||
|
||||
data = {
|
||||
DOMAIN = "https://${local.app_fqdn}/"
|
||||
SIGNUP = var.signup_enabled ? "true" : "false"
|
||||
DATABASE_URL = "file:///data/db.sqlite3"
|
||||
}
|
||||
data = merge({
|
||||
DOMAIN = "https://${local.app_fqdn}/"
|
||||
SIGNUPS_ALLOWED = local.signup
|
||||
SIGNUPS_VERIFY = local.signup_verify
|
||||
DATABASE_URL = "/data/db.sqlite3"
|
||||
ENABLE_WEBSOCKET = local.websocket_enabled
|
||||
DISABLE_2FA_REMEMBER = local.disable_2fa_remember
|
||||
SHOW_PASSWORD_HINT = local.show_password_hint
|
||||
PASSWORD_HINTS_ALLOWED = local.password_hints_allowed
|
||||
DISABLE_ICON_DOWNLOAD = local.disable_icon_download
|
||||
ICON_SERVICE = local.icon_service
|
||||
HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS = local.http_request_block_non_global_ips
|
||||
EXTENDED_LOGGING = local.extended_logging
|
||||
SENDS_ALLOWED = local.sends_allowed
|
||||
TRASH_AUTO_DELETE_DAYS = local.trash_auto_delete_days
|
||||
EVENTS_DAYS_RETAIN = local.events_days_retain
|
||||
ADMIN_SESSION_LIFETIME = local.admin_session_lifetime
|
||||
USE_SENDMAIL = "false"
|
||||
},
|
||||
local.smtp_enabled ? {
|
||||
SMTP_HOST = var.smtp_host
|
||||
SMTP_PORT = tostring(var.smtp_port)
|
||||
SMTP_SECURITY = var.smtp_security
|
||||
SMTP_FROM = var.smtp_from
|
||||
SMTP_FROM_NAME = var.smtp_from_name
|
||||
SMTP_TIMEOUT = tostring(var.smtp_timeout)
|
||||
SMTP_EMBED_IMAGES = var.smtp_embed_images ? "true" : "false"
|
||||
SMTP_DEBUG = var.smtp_debug ? "true" : "false"
|
||||
SMTP_ACCEPT_INVALID_CERTS = var.smtp_accept_invalid_certs ? "true" : "false"
|
||||
SMTP_ACCEPT_INVALID_HOSTNAMES = var.smtp_accept_invalid_hostnames ? "true" : "false"
|
||||
} : {}
|
||||
)
|
||||
}
|
||||
|
||||
resource "kubernetes_secret" "vaultwarden_secrets" {
|
||||
@@ -32,9 +59,14 @@ resource "kubernetes_secret" "vaultwarden_secrets" {
|
||||
namespace = kubernetes_namespace.vaultwarden.metadata[0].name
|
||||
}
|
||||
|
||||
data = {
|
||||
data = merge({
|
||||
ADMIN_TOKEN = var.admin_token
|
||||
}
|
||||
},
|
||||
local.smtp_enabled ? {
|
||||
SMTP_USERNAME = var.smtp_username
|
||||
SMTP_PASSWORD = var.smtp_password
|
||||
} : {}
|
||||
)
|
||||
}
|
||||
|
||||
resource "kubernetes_deployment" "vaultwarden" {
|
||||
@@ -62,7 +94,8 @@ resource "kubernetes_deployment" "vaultwarden" {
|
||||
template {
|
||||
metadata {
|
||||
labels = {
|
||||
app = "vaultwarden"
|
||||
app = "vaultwarden"
|
||||
config_checksum = md5(join("", values(kubernetes_config_map.vaultwarden_config.data)))
|
||||
}
|
||||
}
|
||||
|
||||
@@ -101,6 +134,11 @@ resource "kubernetes_deployment" "vaultwarden" {
|
||||
}
|
||||
}
|
||||
|
||||
env {
|
||||
name = "ROCKET_PORT"
|
||||
value = "8080"
|
||||
}
|
||||
|
||||
security_context {
|
||||
allow_privilege_escalation = false
|
||||
privileged = false
|
||||
@@ -114,7 +152,7 @@ resource "kubernetes_deployment" "vaultwarden" {
|
||||
|
||||
port {
|
||||
name = "http"
|
||||
container_port = 80
|
||||
container_port = 8080
|
||||
protocol = "TCP"
|
||||
}
|
||||
|
||||
@@ -151,6 +189,7 @@ resource "kubernetes_deployment" "vaultwarden" {
|
||||
name = "vaultwarden-data"
|
||||
host_path {
|
||||
path = local.db_path
|
||||
type = "DirectoryOrCreate"
|
||||
}
|
||||
}
|
||||
|
||||
@@ -177,7 +216,7 @@ resource "kubernetes_service" "vaultwarden" {
|
||||
port {
|
||||
name = "http"
|
||||
port = 80
|
||||
target_port = 80
|
||||
target_port = 8080
|
||||
}
|
||||
|
||||
type = "ClusterIP"
|
||||
|
||||
@@ -32,6 +32,84 @@ variable "signup_enabled" {
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "signup_verify" {
|
||||
description = "Require email verification on signup (defense-in-depth)"
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "disable_2fa_remember" {
|
||||
description = "Force 2FA on every login, no 'remember this browser'"
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "show_password_hint" {
|
||||
description = "Show password hints on web login (no SMTP configured)"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "password_hints_allowed" {
|
||||
description = "Allow users to set password hints"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "disable_icon_download" {
|
||||
description = "Disable external icon downloads to prevent network leaks"
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "icon_service" {
|
||||
description = "Icon service to use (internal, bitwarden, duckduckgo, google)"
|
||||
type = string
|
||||
default = "internal"
|
||||
}
|
||||
|
||||
variable "http_request_block_non_global_ips" {
|
||||
description = "Block requests to private/reserved IP addresses"
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "extended_logging" {
|
||||
description = "Enable extended logging with timestamps for audit"
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "websocket_enabled" {
|
||||
description = "Enable WebSocket notifications for real-time sync"
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "sends_allowed" {
|
||||
description = "Allow users to create Bitwarden Sends"
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "trash_auto_delete_days" {
|
||||
description = "Days before auto-deleting trashed items (empty = never)"
|
||||
type = string
|
||||
default = "30"
|
||||
}
|
||||
|
||||
variable "events_days_retain" {
|
||||
description = "Days to retain event logs (empty = indefinitely)"
|
||||
type = string
|
||||
default = "90"
|
||||
}
|
||||
|
||||
variable "admin_session_lifetime" {
|
||||
description = "Admin session lifetime in minutes"
|
||||
type = number
|
||||
default = 20
|
||||
}
|
||||
|
||||
variable "admin_token" {
|
||||
description = "Admin token for VaultWarden"
|
||||
type = string
|
||||
@@ -43,3 +121,90 @@ variable "db_folder" {
|
||||
type = string
|
||||
default = ""
|
||||
}
|
||||
|
||||
# --- SMTP / Email settings ---
|
||||
|
||||
variable "smtp_host" {
|
||||
description = "SMTP host for sending emails"
|
||||
type = string
|
||||
default = ""
|
||||
}
|
||||
|
||||
variable "smtp_port" {
|
||||
description = "SMTP port (default: 587 for starttls, 465 for force_tls, 25 for off)"
|
||||
type = number
|
||||
default = 587
|
||||
}
|
||||
|
||||
variable "smtp_security" {
|
||||
description = "SMTP security mode: starttls, force_tls, or off"
|
||||
type = string
|
||||
default = "starttls"
|
||||
}
|
||||
|
||||
variable "smtp_from" {
|
||||
description = "Email address to send from"
|
||||
type = string
|
||||
default = ""
|
||||
}
|
||||
|
||||
variable "smtp_from_name" {
|
||||
description = "Sender name for outgoing emails"
|
||||
type = string
|
||||
default = "Vaultwarden"
|
||||
}
|
||||
|
||||
variable "smtp_username" {
|
||||
description = "SMTP username for authentication"
|
||||
type = string
|
||||
default = ""
|
||||
}
|
||||
|
||||
variable "smtp_password" {
|
||||
description = "SMTP password for authentication"
|
||||
type = string
|
||||
sensitive = true
|
||||
default = ""
|
||||
}
|
||||
|
||||
variable "smtp_timeout" {
|
||||
description = "SMTP connection timeout in seconds"
|
||||
type = number
|
||||
default = 15
|
||||
}
|
||||
|
||||
variable "smtp_auth_mechanism" {
|
||||
description = "SMTP authentication mechanisms (e.g., Plain, Login, Xoauth2, comma-separated)"
|
||||
type = string
|
||||
default = ""
|
||||
}
|
||||
|
||||
variable "smtp_helo_name" {
|
||||
description = "Server name sent during SMTP HELO"
|
||||
type = string
|
||||
default = ""
|
||||
}
|
||||
|
||||
variable "smtp_embed_images" {
|
||||
description = "Embed images as email attachments"
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "smtp_debug" {
|
||||
description = "Enable detailed SMTP debug output (warning: may contain sensitive data)"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "smtp_accept_invalid_certs" {
|
||||
description = "Accept invalid SMTP server certificates (dangerous, not recommended)"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "smtp_accept_invalid_hostnames" {
|
||||
description = "Accept invalid SMTP server hostnames (dangerous, not recommended)"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user