From bad83858fdf537ab349154b8ef52bccfba2aef5a Mon Sep 17 00:00:00 2001
From: j
Date: Sat, 12 Jul 2025 13:09:53 +1000
Subject: [PATCH] vault warden
---
deployments/home-server/vaultwarden.yaml | 105 +++++++++++++++++++++++
1 file changed, 105 insertions(+)
create mode 100644 deployments/home-server/vaultwarden.yaml
diff --git a/deployments/home-server/vaultwarden.yaml b/deployments/home-server/vaultwarden.yaml
new file mode 100644
index 0000000..62a2d0c
--- /dev/null
+++ b/deployments/home-server/vaultwarden.yaml
@@ -0,0 +1,105 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: vaultwarden-pv
+spec:
+ capacity:
+ storage: 5Gi
+ accessModes:
+ - ReadWriteOnce
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: local-path
+ hostPath:
+ path: /dpool/services/vaultwarden
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: vaultwarden-pvc
+ namespace: home-server
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: local-path
+ resources:
+ requests:
+ storage: 5Gi
+ volumeName: vaultwarden-pv
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: vaultwarden
+ namespace: home-server
+spec:
+ selector:
+ app: vaultwarden
+ ports:
+ - port: 80
+ targetPort: 80
+ protocol: TCP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: vaultwarden
+ namespace: home-server
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: vaultwarden
+ template:
+ metadata:
+ labels:
+ app: vaultwarden
+ spec:
+ containers:
+ - name: vaultwarden
+ image: vaultwarden/server:latest
+ imagePullPolicy: Always
+ env:
+ - name: TZ
+ value: "Australia/Sydney"
+ - name: WEBSOCKET_ENABLED
+ value: "true"
+ - name: SIGNUPS_ALLOWED
+ value: "false" # Set to "true" if you want open registration
+ ports:
+ - containerPort: 80
+ volumeMounts:
+ - name: vaultwarden-data
+ mountPath: /data
+ volumes:
+ - name: vaultwarden-data
+ persistentVolumeClaim:
+ claimName: vaultwarden-pvc
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: vaultwarden
+ namespace: home-server
+ annotations:
+ external-dns.alpha.kubernetes.io/hostname: vault.hxme.net
+ nginx.ingress.kubernetes.io/proxy-body-size: "100m"
+ nginx.ingress.kubernetes.io/server-snippet: |
+ add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+spec:
+ tls:
+ - hosts:
+ - vault.hxme.net
+ secretName: wildcard-hxme-net
+ rules:
+ - host: vault.hxme.net
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: vaultwarden
+ port:
+ number: 80
+
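Review bot: The Deployment runs `vaultwarden/server:latest` with `imagePullPolicy: Always`, so any pod restart can pull whatever was last pushed to that tag into the container that holds the password vault; pin a reviewed release instead, e.g. `image: vaultwarden/server:<PINNED_TAG>@sha256:<DIGEST>` (placeholders), and bump it deliberately. The container also has no `securityContext` and listens on port 80, so it presumably runs with the image's default user and capabilities; consider `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and dropped capabilities, which would likely mean moving the listener to an unprivileged port via `ROCKET_PORT` and making the hostPath directory writable by that UID. The `server-snippet` annotation only takes effect when snippet annotations are enabled on the ingress-nginx controller, which recent releases disable by default because snippets let an Ingress author inject arbitrary nginx configuration; the controller's own HSTS settings can usually supply this header without it. With a `ReadWriteOnce` hostPath volume and the default rolling update, the old and new pod can briefly share `/data` (presumably SQLite, since no `DATABASE_URL` is set), so `strategy: {type: Recreate}` is worth adding to the Deployment spec.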