feat(vaultwarden): add SMTP configuration options and enhance signup settings

- Introduced SMTP settings for Vaultwarden including host, port, security, and authentication details.
- Added variables for signup verification, 2FA settings, password hints, and logging options.
- Updated Vaultwarden deployment to utilize new SMTP configurations.
- Enhanced Grafana module to support dynamic dashboard and datasource provisioning.
- Added LLM proxy configuration for Open Web UI with necessary environment variables.
This commit is contained in:
2026-05-30 23:24:44 +02:00
parent 350650ecc2
commit ec740f458f
89 changed files with 3154 additions and 856 deletions
+21 -4
View File
@@ -1,6 +1,23 @@
locals {
app_folder = var.persistent_folder
app_version = var.tag
app_fqdn = var.fqdn
db_path = var.db_folder != "" ? var.db_folder : local.app_folder
app_folder = var.persistent_folder
app_version = var.tag
app_fqdn = var.fqdn
db_path = var.db_folder != "" ? var.db_folder : local.app_folder
signup = var.signup_enabled ? "true" : "false"
signup_verify = var.signup_verify ? "true" : "false"
disable_2fa_remember = var.disable_2fa_remember ? "true" : "false"
show_password_hint = var.show_password_hint ? "true" : "false"
password_hints_allowed = var.password_hints_allowed ? "true" : "false"
disable_icon_download = var.disable_icon_download ? "true" : "false"
icon_service = var.icon_service
http_request_block_non_global_ips = var.http_request_block_non_global_ips ? "true" : "false"
extended_logging = var.extended_logging ? "true" : "false"
websocket_enabled = var.websocket_enabled ? "true" : "false"
sends_allowed = var.sends_allowed ? "true" : "false"
trash_auto_delete_days = var.trash_auto_delete_days
events_days_retain = var.events_days_retain
admin_session_lifetime = tostring(var.admin_session_lifetime)
# SMTP locals — only enable mail if host or from is configured
smtp_enabled = var.smtp_host != "" || var.smtp_from != ""
}
+49 -10
View File
@@ -19,11 +19,38 @@ resource "kubernetes_config_map" "vaultwarden_config" {
namespace = kubernetes_namespace.vaultwarden.metadata[0].name
}
data = {
DOMAIN = "https://${local.app_fqdn}/"
SIGNUP = var.signup_enabled ? "true" : "false"
DATABASE_URL = "file:///data/db.sqlite3"
}
data = merge({
DOMAIN = "https://${local.app_fqdn}/"
SIGNUPS_ALLOWED = local.signup
SIGNUPS_VERIFY = local.signup_verify
DATABASE_URL = "/data/db.sqlite3"
ENABLE_WEBSOCKET = local.websocket_enabled
DISABLE_2FA_REMEMBER = local.disable_2fa_remember
SHOW_PASSWORD_HINT = local.show_password_hint
PASSWORD_HINTS_ALLOWED = local.password_hints_allowed
DISABLE_ICON_DOWNLOAD = local.disable_icon_download
ICON_SERVICE = local.icon_service
HTTP_REQUEST_BLOCK_NON_GLOBAL_IPS = local.http_request_block_non_global_ips
EXTENDED_LOGGING = local.extended_logging
SENDS_ALLOWED = local.sends_allowed
TRASH_AUTO_DELETE_DAYS = local.trash_auto_delete_days
EVENTS_DAYS_RETAIN = local.events_days_retain
ADMIN_SESSION_LIFETIME = local.admin_session_lifetime
USE_SENDMAIL = "false"
},
local.smtp_enabled ? {
SMTP_HOST = var.smtp_host
SMTP_PORT = tostring(var.smtp_port)
SMTP_SECURITY = var.smtp_security
SMTP_FROM = var.smtp_from
SMTP_FROM_NAME = var.smtp_from_name
SMTP_TIMEOUT = tostring(var.smtp_timeout)
SMTP_EMBED_IMAGES = var.smtp_embed_images ? "true" : "false"
SMTP_DEBUG = var.smtp_debug ? "true" : "false"
SMTP_ACCEPT_INVALID_CERTS = var.smtp_accept_invalid_certs ? "true" : "false"
SMTP_ACCEPT_INVALID_HOSTNAMES = var.smtp_accept_invalid_hostnames ? "true" : "false"
} : {}
)
}
resource "kubernetes_secret" "vaultwarden_secrets" {
@@ -32,9 +59,14 @@ resource "kubernetes_secret" "vaultwarden_secrets" {
namespace = kubernetes_namespace.vaultwarden.metadata[0].name
}
data = {
data = merge({
ADMIN_TOKEN = var.admin_token
}
},
local.smtp_enabled ? {
SMTP_USERNAME = var.smtp_username
SMTP_PASSWORD = var.smtp_password
} : {}
)
}
resource "kubernetes_deployment" "vaultwarden" {
@@ -62,7 +94,8 @@ resource "kubernetes_deployment" "vaultwarden" {
template {
metadata {
labels = {
app = "vaultwarden"
app = "vaultwarden"
config_checksum = md5(join("", values(kubernetes_config_map.vaultwarden_config.data)))
}
}
@@ -101,6 +134,11 @@ resource "kubernetes_deployment" "vaultwarden" {
}
}
env {
name = "ROCKET_PORT"
value = "8080"
}
security_context {
allow_privilege_escalation = false
privileged = false
@@ -114,7 +152,7 @@ resource "kubernetes_deployment" "vaultwarden" {
port {
name = "http"
container_port = 80
container_port = 8080
protocol = "TCP"
}
@@ -151,6 +189,7 @@ resource "kubernetes_deployment" "vaultwarden" {
name = "vaultwarden-data"
host_path {
path = local.db_path
type = "DirectoryOrCreate"
}
}
@@ -177,7 +216,7 @@ resource "kubernetes_service" "vaultwarden" {
port {
name = "http"
port = 80
target_port = 80
target_port = 8080
}
type = "ClusterIP"
@@ -32,6 +32,84 @@ variable "signup_enabled" {
default = false
}
variable "signup_verify" {
description = "Require email verification on signup (defense-in-depth)"
type = bool
default = true
}
variable "disable_2fa_remember" {
description = "Force 2FA on every login, no 'remember this browser'"
type = bool
default = true
}
variable "show_password_hint" {
description = "Show password hints on web login (no SMTP configured)"
type = bool
default = false
}
variable "password_hints_allowed" {
description = "Allow users to set password hints"
type = bool
default = false
}
variable "disable_icon_download" {
description = "Disable external icon downloads to prevent network leaks"
type = bool
default = true
}
variable "icon_service" {
description = "Icon service to use (internal, bitwarden, duckduckgo, google)"
type = string
default = "internal"
}
variable "http_request_block_non_global_ips" {
description = "Block requests to private/reserved IP addresses"
type = bool
default = true
}
variable "extended_logging" {
description = "Enable extended logging with timestamps for audit"
type = bool
default = true
}
variable "websocket_enabled" {
description = "Enable WebSocket notifications for real-time sync"
type = bool
default = true
}
variable "sends_allowed" {
description = "Allow users to create Bitwarden Sends"
type = bool
default = true
}
variable "trash_auto_delete_days" {
description = "Days before auto-deleting trashed items (empty = never)"
type = string
default = "30"
}
variable "events_days_retain" {
description = "Days to retain event logs (empty = indefinitely)"
type = string
default = "90"
}
variable "admin_session_lifetime" {
description = "Admin session lifetime in minutes"
type = number
default = 20
}
variable "admin_token" {
description = "Admin token for VaultWarden"
type = string
@@ -43,3 +121,90 @@ variable "db_folder" {
type = string
default = ""
}
# --- SMTP / Email settings ---
variable "smtp_host" {
description = "SMTP host for sending emails"
type = string
default = ""
}
variable "smtp_port" {
description = "SMTP port (default: 587 for starttls, 465 for force_tls, 25 for off)"
type = number
default = 587
}
variable "smtp_security" {
description = "SMTP security mode: starttls, force_tls, or off"
type = string
default = "starttls"
}
variable "smtp_from" {
description = "Email address to send from"
type = string
default = ""
}
variable "smtp_from_name" {
description = "Sender name for outgoing emails"
type = string
default = "Vaultwarden"
}
variable "smtp_username" {
description = "SMTP username for authentication"
type = string
default = ""
}
variable "smtp_password" {
description = "SMTP password for authentication"
type = string
sensitive = true
default = ""
}
variable "smtp_timeout" {
description = "SMTP connection timeout in seconds"
type = number
default = 15
}
variable "smtp_auth_mechanism" {
description = "SMTP authentication mechanisms (e.g., Plain, Login, Xoauth2, comma-separated)"
type = string
default = ""
}
variable "smtp_helo_name" {
description = "Server name sent during SMTP HELO"
type = string
default = ""
}
variable "smtp_embed_images" {
description = "Embed images as email attachments"
type = bool
default = true
}
variable "smtp_debug" {
description = "Enable detailed SMTP debug output (warning: may contain sensitive data)"
type = bool
default = false
}
variable "smtp_accept_invalid_certs" {
description = "Accept invalid SMTP server certificates (dangerous, not recommended)"
type = bool
default = false
}
variable "smtp_accept_invalid_hostnames" {
description = "Accept invalid SMTP server hostnames (dangerous, not recommended)"
type = bool
default = false
}