still drinking yolo vaultwarden

2025-07-12 18:53:13 +10:00 · 2025-07-12 18:53:13 +10:00 · 8b0f9f17f2
commit 8b0f9f17f2
parent b325f73d63
1 changed files with 36 additions and 56 deletions
--- a/deployments/home-server/vaultwarden.yaml
+++ b/deployments/home-server/vaultwarden.yaml
@ -2,7 +2,7 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: vaultwarden-pv
+  name: vaultwarden-pgdata-pv
 spec:
  capacity:
    storage: 5Gi
@ -11,12 +11,12 @@ spec:
  persistentVolumeReclaimPolicy: Retain
  storageClassName: local-path
  hostPath:
-    path: /dpool/services/vaultwarden/data
+    path: /dpool/services/vaultwarden-pgdata
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: vaultwarden-pvc
+  name: vaultwarden-pgdata-pvc
  namespace: home-server
 spec:
  accessModes:
@ -25,83 +25,63 @@ spec:
  resources:
    requests:
      storage: 5Gi
-  volumeName: vaultwarden-pv
+  volumeName: vaultwarden-pgdata-pv
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: vaultwarden
+  name: vaultwarden-postgres
  namespace: home-server
 spec:
-  selector:
-    app: vaultwarden
  ports:
-    - port: 80
-      targetPort: 80
-      protocol: TCP
+    - port: 5432
+  selector:
+    app: vaultwarden-postgres
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vaultwarden-postgres-secret
+  namespace: home-server
+type: Opaque
+stringData:
+  postgres-password: "super-strong-password"
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: vaultwarden
+  name: vaultwarden-postgres
  namespace: home-server
 spec:
  replicas: 1
  selector:
    matchLabels:
-      app: vaultwarden
+      app: vaultwarden-postgres
  template:
    metadata:
      labels:
-        app: vaultwarden
+        app: vaultwarden-postgres
    spec:
      containers:
-        - name: vaultwarden
-          image: vaultwarden/server:latest
-          imagePullPolicy: Always
+        - name: postgres
+          image: postgres:15
          env:
-            - name: TZ
-              value: "Australia/Brisbane"
-            - name: WEBSOCKET_ENABLED
-              value: "true"
-            - name: SIGNUPS_ALLOWED
-              value: "false" # Set to "true" if you want open registration
-            - name: ADMIN_TOKEN
-              value: 0h12893hj0129j30129j3
+            - name: POSTGRES_DB
+              value: vaultwarden
+            - name: POSTGRES_USER
+              value: vaultuser
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: vaultwarden-postgres-secret
+                  key: postgres-password
          ports:
-            - containerPort: 80
+            - containerPort: 5432
          volumeMounts:
-            - name: vaultwarden-data
-              mountPath: /data
+            - name: pgdata
+              mountPath: /var/lib/postgresql/data
      volumes:
-        - name: vaultwarden-data
+        - name: pgdata
          persistentVolumeClaim:
-            claimName: vaultwarden-pvc
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: vaultwarden
-  namespace: home-server
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: vault.hxme.net
-    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
-    nginx.ingress.kubernetes.io/server-snippet: |
-      add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
-spec:
-  tls:
-    - hosts:
-        - vault.hxme.net
-      secretName: wildcard-hxme-net
-  rules:
-    - host: vault.hxme.net
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: vaultwarden
-                port:
-                  number: 80
+            claimName: vaultwarden-pgdata-pvc