add app vaultwarden

kubernetes/apps/kustomization.yaml

@@ -15,4 +15,5 @@ resources:
   - ./snippet-box/snippet-box.yaml
   - ./sonarqube/sonarqube.yaml
   - ./uptime-kuma/uptime-kuma.yaml
+  - ./vaultwarden/vaultwarden.yaml
   - ./weave-gitops/weave-gitops.yaml

kubernetes/apps/vaultwarden/app/deployment.yaml

@@ -0,0 +1,49 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vaultwarden
+  namespace: vaultwarden
+  labels:
+    app.kubernetes.io/name: vaultwarden
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: vaultwarden
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: vaultwarden
+        rpi5.cluster.policy/egress-world: "true"
+        rpi5.cluster.policy/ingress-world: "true"
+    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+      containers:
+        - securityContext:
+            runAsUser: 1000
+            runAsNonRoot: true
+            runAsGroup: 1000
+          restartPolicy: Always
+          name: vaultwarden
+          image: vaultwarden/server:1.31.0
+          env:
+            - name: DOMAIN
+              value: vaultwarden.cluster.edward.sydney
+            - name: SIGNUPS_ALLOWED
+              value: "true"
+            - name: DATABASE_URL
+              value: postgresql://${db_username}:${db_password}@${db_host}:5432/${db_name}
+          ports:
+            - protocol: TCP
+              containerPort: 80
+              name: http
+          volumeMounts:
+            - name: vaultwarden-data
+              mountPath: /data
+      volumes:
+        - name: vaultwarden-data
+          hostPath:
+            path: /mnt/nfs/AppData/vaultwarden/data
+            type: Directory
+

kubernetes/apps/vaultwarden/app/ingress.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: vaultwarden-ingress
+  namespace: vaultwarden
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: vaultwarden
+  rules:
+    - host: "vaultwarden.cluster.edward.sydney"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: vaultwarden
+                port:
+                  number: 11080

kubernetes/apps/vaultwarden/app/service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: vaultwarden
+  namespace: vaultwarden
+  labels:
+    app.kubernetes.io/name: vaultwarden
+spec:
+  selector:
+    app.kubernetes.io/name: vaultwarden
+  type: ClusterIP
+  internalTrafficPolicy: Cluster
+  ports:
+    - protocol: TCP
+      port: 11080
+      targetPort: 80
+      name: http

kubernetes/apps/vaultwarden/vaultwarden.yaml

@@ -0,0 +1,46 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: vaultwarden-secrets
+  namespace: flux-system
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  targetNamespace: vaultwarden
+  path: ./vaultwarden
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: home-cluster-ops-secrets
+  dependsOn:
+    - name: repositories
+      namespace: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: vaultwarden
+  namespace: vaultwarden
+spec:
+  interval: 10m
+  timeout: 1m30s
+  retryInterval: 30s
+  path: ./kubernetes/apps/vaultwarden/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system
+  dependsOn:
+    - name: vaultwarden-secrets
+      namespace: flux-system
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: vaultwarden-secrets

kubernetes/infrastructure/namespaces/namespaces/vaultwarden.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vaultwarden