
infrastructure manifests and setup notes

apps: vaultwarden: guess i'll just do it myself
Anirudh Oppiliappan x@icyphox.sh
Fri, 26 Jul 2024 12:03:29 +0300
commit

3b44bec47bda26a24c36599f52f8637ca1c06414

parent

fb0a59c0bf6578a054cfc9dcb120e29e7a2d2ad8

4 files changed, 182 insertions(+), 34 deletions(-)

A apps/vaultwarden/config.yaml

@@ -0,0 +1,49 @@

+apiVersion: v1
+data:
+ DISABLE_ADMIN_TOKEN: "true"
+ ADMIN_RATELIMIT_MAX_BURST: "3"
+ ADMIN_RATELIMIT_SECONDS: "300"
+ DATA_FOLDER: /data
+ DATABASE_MAX_CONNS: "10"
+ DB_CONNECTION_RETRIES: "15"
+ DOMAIN: http://pass.koti.lan
+ EMAIL_CHANGE_ALLOWED: "true"
+ EMERGENCY_ACCESS_ALLOWED: "true"
+ EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE: 0 3 * * * *
+ EMERGENCY_REQUEST_TIMEOUT_SCHEDULE: 0 7 * * * *
+ EXTENDED_LOGGING: "true"
+ ICON_BLACKLIST_NON_GLOBAL_IPS: "true"
+ ICON_REDIRECT_CODE: "302"
+ ICON_SERVICE: internal
+ INVITATION_EXPIRATION_HOURS: "120"
+ INVITATION_ORG_NAME: Vaultwarden
+ INVITATIONS_ALLOWED: "true"
+ IP_HEADER: X-Real-IP
+ LOG_TIMESTAMP_FORMAT: "%Y-%m-%d %H:%M:%S.%3f"
+ ORG_EVENTS_ENABLED: "false"
+ ORG_GROUPS_ENABLED: "false"
+ PUSH_ENABLED: "true"
+ PUSH_IDENTITY_URI: https://identity.bitwarden.eu
+ PUSH_INSTALLATION_ID: 9f08a610-b413-4e6b-b07c-b1b9008435dc
+ PUSH_INSTALLATION_KEY: HY8uowMTFT9GgbcSfPMF
+ PUSH_RELAY_URI: https://api.bitwarden.eu
+ REQUIRE_DEVICE_EMAIL: "false"
+ ROCKET_ADDRESS: 0.0.0.0
+ ROCKET_PORT: "8080"
+ ROCKET_WORKERS: "10"
+ SENDS_ALLOWED: "false"
+ SHOW_PASSWORD_HINT: "false"
+ SIGNUPS_ALLOWED: "true"
+ SIGNUPS_VERIFY: "true"
+ TRASH_AUTO_DELETE_DAYS: ""
+ TZ: Europe/Helsinki
+ WEB_VAULT_ENABLED: "true"
+ WEBSOCKET_ENABLED: "false"
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/component: vaultwarden
+ app.kubernetes.io/instance: vaultwarden
+ app.kubernetes.io/name: vaultwarden
+ name: vaultwarden
+ namespace: default
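Review bot: `PUSH_INSTALLATION_KEY: HY8uowMTFT9GgbcSfPMF` is a credential for the Bitwarden push relay and is committed in plaintext inside a ConfigMap; the removed chart values carried a different installation key the same way, so both values should be treated as exposed and rotated, and the live one moved into a Secret that the Deployment picks up through a `secretRef` entry under its `envFrom:` (or an `env` item with `secretKeyRef`). `DISABLE_ADMIN_TOKEN: "true"` removes authentication from the `/admin` page, and the Ingress in this commit routes `/` with `pathType: Prefix` and no auth annotation, so the admin panel is open to anyone who can reach the host; either provide an `ADMIN_TOKEN` from a Secret or front `/admin` with an authenticating proxy, otherwise the `ADMIN_RATELIMIT_*` settings above it protect nothing. `DOMAIN: http://pass.koti.lan` disagrees with the Ingress, which forces an SSL redirect and terminates TLS for the same host, so links and origins Vaultwarden derives from it will carry the wrong scheme; it should read `DOMAIN: https://pass.koti.lan`. `SIGNUPS_VERIFY: "true"` presumably needs an SMTP configuration that this ConfigMap does not contain, which is worth a comment or a follow-up.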
A apps/vaultwarden/ingress.yaml

@@ -0,0 +1,43 @@

+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ ingress.kubernetes.io/rewrite-target: /
+ ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ more_set_headers "Request-Id: $req_id";
+ nginx.ingress.kubernetes.io/connection-proxy-header: keep-alive
+ nginx.ingress.kubernetes.io/enable-cors: "true"
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/limit-connections: "25"
+ nginx.ingress.kubernetes.io/limit-rps: "15"
+ nginx.ingress.kubernetes.io/proxy-body-size: 1024m
+ nginx.ingress.kubernetes.io/proxy-connect-timeout: "10"
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ labels:
+ app.kubernetes.io/component: vaultwarden
+ app.kubernetes.io/instance: vaultwarden
+ app.kubernetes.io/name: vaultwarden
+ name: pass.koti.lan
+ namespace: default
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: pass.koti.lan
+ http:
+ paths:
+ - backend:
+ service:
+ name: vaultwarden
+ port:
+ name: http
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - pass.koti.lan
+ secretName: pass-koti-lan
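Review bot: `nginx.ingress.kubernetes.io/enable-cors: "true"` is set without a `cors-allow-origin`, which makes ingress-nginx answer cross-origin requests to the vault API with a wildcard origin; nothing in this setup needs the API reachable from other origins, so drop the annotation or scope it, e.g. `nginx.ingress.kubernetes.io/cors-allow-origin: "https://pass.koti.lan"`. The `ingress.kubernetes.io/rewrite-target` and `ingress.kubernetes.io/ssl-redirect` lines use the old annotation prefix that, as far as I can tell, current ingress-nginx releases ignore, and the `nginx.ingress.kubernetes.io/ssl-redirect` plus `force-ssl-redirect` pair already covers the redirect, so the two legacy lines are dead weight. The `configuration-snippet` annotation only takes effect when the controller runs with snippet annotations allowed (disabled by default in recent ingress-nginx versions), and the Upgrade/Connection headers it injects serve websocket traffic while the ConfigMap in this same commit sets `WEBSOCKET_ENABLED: "false"`; a comment stating which of the two is intended would keep the files from disagreeing. `proxy-body-size: 1024m` is generous for a vault; if large attachments are not expected, a smaller limit reduces what an unauthenticated client can push at the service.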
A apps/vaultwarden/vaultwarden.yaml

@@ -0,0 +1,90 @@

+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ generation: 1
+ labels:
+ app.kubernetes.io/component: vaultwarden
+ app.kubernetes.io/instance: vaultwarden
+ name: vaultwarden
+ namespace: default
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: vaultwarden
+ app.kubernetes.io/instance: vaultwarden
+ app.kubernetes.io/name: vaultwarden
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/component: vaultwarden
+ app.kubernetes.io/instance: vaultwarden
+ app.kubernetes.io/name: vaultwarden
+ spec:
+ containers:
+ - env:
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgres
+ key: postgres-password
+ - name: DATABASE_URL
+ value: "postgres://postgres:$(POSTGRES_PASSWORD)@postgres.default:5432/vaultwarden?sslmode=disable"
+ envFrom:
+ - configMapRef:
+ name: vaultwarden
+ image: docker.io/vaultwarden/server:testing-alpine
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 10
+ httpGet:
+ path: /alive
+ port: http
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: vaultwarden
+ ports:
+ - containerPort: 8080
+ name: http
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /alive
+ port: http
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ volumeMounts:
+ - mountPath: /data
+ name: vaultwarden-data
+ volumes:
+ - name: vaultwarden-data
+ persistentVolumeClaim:
+ claimName: vaultwarden-data-vaultwarden-0
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/component: vaultwarden
+ app.kubernetes.io/instance: vaultwarden
+ app.kubernetes.io/name: vaultwarden
+ name: vaultwarden
+ namespace: default
+spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app.kubernetes.io/component: vaultwarden
+ app.kubernetes.io/instance: vaultwarden
+ app.kubernetes.io/name: vaultwarden
+ type: ClusterIP
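Review bot: The Deployment keeps the default rolling-update strategy while mounting a single PersistentVolumeClaim (`vaultwarden-data-vaultwarden-0`, a name inherited from the chart's StatefulSet), so a rollout starts the new pod before the old one releases `/data`; if the claim is ReadWriteOnce the new pod can sit in ContainerCreating when scheduled to another node, and in any case two instances briefly share the data directory, so `strategy: type: Recreate` under `spec:` is the safer choice here. The container also has no `securityContext` and no `resources`, and the image is pulled by the mutable `testing-alpine` tag with `imagePullPolicy: IfNotPresent`, meaning whatever each node has cached is what runs; for a service holding a password vault, pin a release tag or `@sha256:` digest and drop all capabilities as a first step, with `runAsNonRoot`/`readOnlyRootFilesystem` to follow once the uid the image expects is confirmed. `generation: 1` under `metadata` is a server-managed field and should not be in the manifest. `sslmode=disable` in `DATABASE_URL` sends the postgres password in the clear to `postgres.default:5432`, which is acceptable only while that traffic stays inside a trusted cluster network, and deserves a comment saying so.
```yaml
spec:
  replicas: 1
  strategy:
    type: Recreate  # single data volume: stop the old pod before the new one mounts /data
  # … unchanged: selector, template metadata …
      containers:
        - # … unchanged: env, envFrom …
          image: docker.io/vaultwarden/server:testing-alpine  # TODO(review): pin a release tag or @sha256 digest
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # … unchanged: probes, ports, volumeMounts …
```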
D charts/vaultwarden.yaml

@@ -1,34 +0,0 @@

-apiVersion: helm.cattle.io/v1
-kind: HelmChart
-metadata:
- name: vaultwarden
- namespace: default
-spec:
- repo: https://guerzon.github.io/vaultwarden
- chart: vaultwarden
- targetNamespace: default
- valuesContent: |-
- image:
- tag: testing-alpine
- domain: "http://pass.koti.lan"
- ingress:
- enabled: true
- hostname: pass.koti.lan
- class: nginx
- tls: true
- tlsSecret: pass-koti-lan
- database:
- type: postgresql
- existingSecret: vaultwarden-uri
- existingSecretKey: uri
- adminToken: {}
- data:
- name: vaultwarden-data
- size: 2Gi
- class: longhorn
- keepPvc: true
- pushNotifications:
- installationId: b029be00-7ea1-40bd-9ade-b1b800d91667
- installationKey: ok1vzce9HEb1tH4Wk4Em
- relayUri: "https://api.bitwarden.eu"
- identityUri: "https://identity.bitwarden.eu"