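# Vaultwarden deployment for the vaultwarden-system namespace:
# Namespace, Deployment, Service, Ingress and PersistentVolumeClaim.
# All secrets (admin token, SMTP, OIDC client) are read from Secrets,
# never written inline here.
---
apiVersion: v1
kind: Namespace
metadata:
  name: vaultwarden-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/instance: vaultwarden
    app.kubernetes.io/name: vaultwarden
  name: vaultwarden
  namespace: vaultwarden-system
spec:
  # Single replica with Recreate: the data volume below is ReadWriteOnce,
  # so two pods must never hold it at the same time.
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: vaultwarden
      app.kubernetes.io/name: vaultwarden
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: vaultwarden
        app.kubernetes.io/name: vaultwarden
    spec:
      # Nothing in this pod talks to the Kubernetes API, so do not mount a
      # service-account token into the container.
      automountServiceAccountToken: false
      containers:
        - name: vaultwarden
          image: vaultwarden/server:1.35.2
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
              value: Europe/Budapest
            - name: DOMAIN
              value: https://vaultwarden.dooplex.hu
            # Registration is closed; accounts are created by invitation
            # or via SSO (see SSO_SIGNUPS_MATCH_EMAIL below).
            - name: SIGNUPS_ALLOWED
              value: "false"
            - name: INVITATIONS_ALLOWED
              value: "true"
            # ADMIN_TOKEN unlocks /admin. Vaultwarden also accepts an
            # argon2 PHC hash here, so the Secret can hold a hash instead
            # of the raw token — consider that before relying on this value.
            - name: ADMIN_TOKEN
              valueFrom:
                secretKeyRef:
                  name: vaultwarden-admin
                  key: admin-token
            - name: WEBSOCKET_ENABLED
              value: "true"
            - name: SMTP_HOST
              valueFrom:
                secretKeyRef:
                  name: smtp-credentials
                  key: host
            - name: SMTP_PORT
              valueFrom:
                secretKeyRef:
                  name: smtp-credentials
                  key: port
            - name: SMTP_SECURITY
              value: starttls
            - name: SMTP_USERNAME
              valueFrom:
                secretKeyRef:
                  name: smtp-credentials
                  key: username
            - name: SMTP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: smtp-credentials
                  key: password
            - name: SMTP_FROM
              valueFrom:
                secretKeyRef:
                  name: smtp-credentials
                  key: from-address
            - name: SMTP_FROM_NAME
              value: Vaultwarden
            # OIDC login against the Authentik provider below.
            - name: SSO_ENABLED
              value: "true"
            - name: SSO_AUTHORITY
              value: "https://authentik.dooplex.hu/application/o/vaultwarden/"
            - name: SSO_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: vaultwarden-oauth
                  key: client-id
            - name: SSO_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: vaultwarden-oauth
                  key: client-secret
            - name: SSO_SCOPES
              value: "openid email profile offline_access"
            # Kept false so an IdP that does not assert a verified email is
            # not trusted for account matching — TODO confirm against the
            # Authentik provider's claims.
            - name: SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION
              value: "false"
            - name: SSO_CLIENT_CACHE_EXPIRATION
              value: "0"
            - name: SSO_ONLY
              value: "false"  # Set to true to disable email+password login
            - name: SSO_SIGNUPS_MATCH_EMAIL
              value: "true"
          ports:
            - containerPort: 80
              name: http
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /alive
              port: http
            initialDelaySeconds: 30
            periodSeconds: 30
            timeoutSeconds: 10
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /alive
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          resources:
            limits:
              cpu: 500m
              memory: 512Mi
            requests:
              cpu: 50m
              memory: 128Mi
          # Minimal hardening that does not depend on the image's user:
          # no setuid/caps gain and the runtime's default seccomp profile.
          # A capability drop would have to keep NET_BIND_SERVICE, because
          # the container binds port 80 above — verify before adding one.
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: data
              mountPath: /data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: vaultwarden-data
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/instance: vaultwarden
    app.kubernetes.io/name: vaultwarden
  name: vaultwarden
  namespace: vaultwarden-system
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
  selector:
    app.kubernetes.io/instance: vaultwarden
    app.kubernetes.io/name: vaultwarden
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    external-dns.alpha.kubernetes.io/hostname: vaultwarden.dooplex.hu,vaultwarden.home
    nginx.ingress.kubernetes.io/proxy-body-size: 100m
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Source-address gate: private ranges or a HU GeoIP2 lookup, else 403.
    # - The snippet is only honoured when the controller has
    #   allow-snippet-annotations enabled, and $geoip2_country_code only
    #   resolves when its GeoIP2 database (use-geoip2) is configured;
    #   otherwise every non-private client is refused.
    # - The check trusts $remote_addr, so it is only meaningful if the
    #   controller sees the real client address rather than an upstream
    #   load balancer's — confirm how client IPs reach nginx-internal.
    # - Only 10/8 and 192.168/16 are allow-listed; 172.16/12 and IPv6
    #   sources fall through to the GeoIP2 check.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      set $geo_allowed 0;
      if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
      if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
      if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
      if ($geo_allowed = 0) { return 403 "Access restricted to Hungary"; }
  labels:
    app.kubernetes.io/instance: vaultwarden
    app.kubernetes.io/name: vaultwarden
  name: vaultwarden
  namespace: vaultwarden-system
spec:
  ingressClassName: nginx-internal
  rules:
    - host: vaultwarden.dooplex.hu
      http:
        paths:
          - backend:
              service:
                name: vaultwarden
                port:
                  number: 80
            path: /
            pathType: Prefix
    - host: vaultwarden.home
      http:
        paths:
          - backend:
              service:
                name: vaultwarden
                port:
                  number: 80
            path: /
            pathType: Prefix
  # Only the public host has a certificate; vaultwarden.home is served
  # without a tls entry, so with ssl-redirect it most likely lands on the
  # controller's default certificate — confirm that is intended.
  tls:
    - hosts:
        - vaultwarden.dooplex.hu
      secretName: vaultwarden-tls
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  labels:
    app.kubernetes.io/instance: vaultwarden
    app.kubernetes.io/name: vaultwarden
  name: vaultwarden-data
  namespace: vaultwarden-system
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: longhorn
---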