# Vaultwarden — self-hosted Bitwarden-compatible password manager
# SQLite backend — data persisted in local-path PVC
# Unpinned — scheduler places freely
# NodePort 32377
# Signups disabled — use admin panel to invite users
#
# Deploy:
#   kubectl create secret generic vaultwarden-secret \
#     --namespace <ns> \
#     --from-literal=admin-token='<token>'
#   kubectl apply -f vaultwarden.yaml -n <ns>
#
# Generate admin token with: openssl rand -base64 48
# Admin panel: http://<any-node-mesh-ip>:32377/admin

---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: vaultwarden-pvc
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: local-path
  resources:
    requests:
      storage: 5Gi

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vaultwarden
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vaultwarden
  template:
    metadata:
      labels:
        app: vaultwarden
    spec:
      containers:
        - name: vaultwarden
          image: vaultwarden/server:latest
          env:
            - name: SIGNUPS_ALLOWED
              value: "false"
            - name: INVITATIONS_ALLOWED
              value: "true"
            - name: SHOW_PASSWORD_HINT
              value: "false"
            - name: ROCKET_PORT
              value: "8222"
            - name: ADMIN_TOKEN
              valueFrom:
                secretKeyRef:
                  name: vaultwarden-secret
                  key: admin-token
          ports:
            - containerPort: 8222
          volumeMounts:
            - name: vaultwarden-data
              mountPath: /data
      volumes:
        - name: vaultwarden-data
          persistentVolumeClaim:
            claimName: vaultwarden-pvc

---
apiVersion: v1
kind: Service
metadata:
  name: vaultwarden
spec:
  selector:
    app: vaultwarden
  ports:
    - port: 8222
      targetPort: 8222
      nodePort: 32377
  type: NodePort