Refining vaultwarden

immich-argocd-apps/Chart.yaml

@@ -2,4 +2,5 @@ apiVersion: v2
 name: immich-argocd-apps
 description: A Helm chart for deploying Immich as an ArgoCD app
 type: application
-version: 0.1.0
+version: 0.1.4
+appVersion: v1.120.2

immich-argocd-apps/templates/immich-main-chart.yaml

@@ -17,6 +17,8 @@ spec:
     helm:
       releaseName: immich
       valuesObject:
+        image:
+          tag: {{ .Chart.AppVersion }}
         immich:
           persistence:
             library:

vaultwarden-argocd-apps/templates/vaultwarden-chart.yaml

@@ -15,12 +15,22 @@ spec:
     helm:
       releaseName: vaultwarden
       valuesObject:
+        domain: {{ .Values.vaultwarden.fqdn }}
+        timeZone: {{ .Values.vaultwarden.timeZone }}
         database:
           type: postgresql
           existingSecret: {{ .Values.vaultwarden.dbCluster.secretName }}
           existingSecretKey: uri
+        data:
+          name: {{ .Values.vaultwarden.dataPvc.name }}
+          size: {{ .Values.vaultwarden.dataPvc.size }}
+          class: {{ .Values.vaultwarden.dataPvc.storageClassName }}
+        attachments:
+          name: {{ .Values.vaultwarden.attachmentPvc.name }}
+          size: {{ .Values.vaultwarden.attachmentPvc.size }}
+          class: {{ .Values.vaultwarden.attachmentPvc.storageClassName }}
         ingress:
-          enabled: true
+          enabled: false
   destination:
     server: {{ .Values.mainDestination }}
     namespace: {{ .Values.mainNamespace }}

vaultwarden-argocd-apps/templates/vaultwarden-postinstall.yaml

@@ -0,0 +1,30 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vaultwarden-postinstall
+  namespace: {{ .Values.argocd.namespace }}
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+    notifications.argoproj.io/subscribe.on-sync-succeeded.telegram: "-1002270587578"
+spec:
+  project: {{ .Values.argocd.project }}
+  source:
+    repoURL: {{ .Values.argocd.postinstall.repoURL }}
+    targetRevision: {{ .Values.argocd.postinstall.targetRevision }}
+    path: {{ .Values.argocd.postinstall.path }}
+    helm:
+      releaseName: vaultwarden-postinstall
+      valuesObject:
+        tailscaleIngresses:
+          vaultwardenHostname: {{ .Values.tailscaleIngresses.vaultwardenHostname }}
+  destination:
+    server: {{ .Values.destination.server }} 
+    namespace: {{ .Values.destination.namespace }}
+  syncPolicy:
+    automated:
+      prune: true           # Automatically remove resources no longer in the repo
+      selfHeal: true        # Automatically self-heal when drift is detected
+    syncOptions:
+      - ApplyOutOfSyncOnly=true
+      - ServerSideApply=true
+      - CreateNamespace=true

vaultwarden-argocd-apps/templates/vaultwarden-requirements-app.yaml

@@ -23,6 +23,7 @@ spec:
             name: {{ .Values.vaultwarden.dataPvc.name }}
             storageClassName: {{ .Values.vaultwarden.dataPvc.storageClassName }}
             size: {{ .Values.vaultwarden.dataPvc.size }}
+        mainNamespace: {{ .Values.destnation.namespace }}
   destination:
     server: {{ .Values.destination.server }} 
     namespace: {{ .Values.destination.namespace }}

vaultwarden-argocd-apps/values.yaml

@@ -23,8 +23,12 @@ vaultwarden:
     name: vaultwarden-data
     storageClassName: ''
     size: 10Gi
-  FQDN: vaultwarden.domain.net
+  attachmentPvc:
-  replicaCount: 1
+    name: vaultwarden-attachments
+    storageClassName: 'linode-block-storage-retain-luks-vw'
+    size: 10Gi
+  fqdn: vaultwarden.domain.net
+  timeZone: "Europe/Lisbon"
 
 tailscaleIngresses:
-  odooHostname: odoo
+  vaultwardenHostname: vaultwarden

vaultwarden-postinstall/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
 name: vaultwarden-postinstall
-description: A Helm chart for Kubernetes
+description: A Helm chart for deploynig vaultwarden's ingress
 type: application
 version: 0.1.0

vaultwarden-postinstall/templates/vaultwarden-ingress.yaml

@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ts-vaultwarden
+  annotations:
+    tailscale.com/funnel: "true"
+spec:
+  defaultBackend:
+    service:
+      name: vaultwarden
+      port:
+        name: http
+  ingressClassName: tailscale
+  tls:
+    - hosts:
+        - {{ .Values.tailscaleIngresses.vaultwardenHostname }}

vaultwarden-postinstall/values.yaml

@@ -0,0 +1,2 @@
+tailscaleIngresses:
+  vaultwardenHostname: vaultwarden

vaultwarden-requirements/templates/encrypted-storage-class.yaml

@@ -0,0 +1,14 @@
+allowVolumeExpansion: true
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: linode-block-storage-retain-luks-vw
+  namespace: kube-system
+provisioner: linodebs.csi.linode.com
+reclaimPolicy: Retain
+parameters:
+  linodebs.csi.linode.com/luks-encrypted: "true"
+  linodebs.csi.linode.com/luks-cipher: "aes-xts-plain64"
+  linodebs.csi.linode.com/luks-key-size: "512"
+  csi.storage.k8s.io/node-stage-secret-namespace: {{ .Values.mainNamespace }}
+  csi.storage.k8s.io/node-stage-secret-name: vw-data-luks-key

vaultwarden-requirements/templates/vaultwarden-data.yaml

@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: {{ .Values.vaultwarden.dataPvc.name }}
-spec:
-  storageClassName: {{ .Values.vaultwarden.dataPvc.storageClassName }}
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: {{ .Values.vaultwarden.dataPvc.size }}

vaultwarden-requirements/values.yaml

@@ -6,3 +6,4 @@ vaultwarden:
     name: vaultwarden-data
     storageClassName: ''
     size: 10Gi
+mainNamespace: vaultwarden