From 92cc3f01c11b914cf09a0ffcd006e16e95d6aae0 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 14 Mar 2026 22:45:56 +0000
Subject: [PATCH] migrate vaultwarden storage from NFS to iSCSI

SQLite on NFS causes DB corruption due to unreliable POSIX fcntl locking. iSCSI provides a block device with a local filesystem where locking works correctly. Same approach used for Redis, MySQL, PostgreSQL, etc.
---
 stacks/platform/main.tf | 1 -
 stacks/platform/modules/vaultwarden/main.tf | 23 ++++++++++++++-------
 2 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/stacks/platform/main.tf b/stacks/platform/main.tf
index 4b792389..ea80f4c9 100644
--- a/stacks/platform/main.tf
+++ b/stacks/platform/main.tf
@@ -225,7 +225,6 @@ module "monitoring" {
 module "vaultwarden" {
 source = "./modules/vaultwarden"
 tls_secret_name = var.tls_secret_name
- nfs_server = var.nfs_server
 mail_host = var.mail_host
 smtp_password = data.vault_kv_secret_v2.secrets.data["vaultwarden_smtp_password"]
 tier = local.tiers.edge
diff --git a/stacks/platform/modules/vaultwarden/main.tf b/stacks/platform/modules/vaultwarden/main.tf
index ba1b850d..12573647 100644
--- a/stacks/platform/modules/vaultwarden/main.tf
+++ b/stacks/platform/modules/vaultwarden/main.tf
@@ -1,7 +1,6 @@
 variable "tls_secret_name" {}
 variable "tier" { type = string }
 variable "smtp_password" {}
-variable "nfs_server" { type = string }
 variable "mail_host" { type = string }

 resource "kubernetes_namespace" "vaultwarden" {
@@ -20,12 +19,20 @@ module "tls_secret" {
 tls_secret_name = var.tls_secret_name
 }

-module "nfs_data" {
- source = "../../../../modules/kubernetes/nfs_volume"
- name = "vaultwarden-data"
- namespace = kubernetes_namespace.vaultwarden.metadata[0].name
- nfs_server = var.nfs_server
- nfs_path = "/mnt/main/vaultwarden"
+resource "kubernetes_persistent_volume_claim" "vaultwarden_data" {
+ metadata {
+ name = "vaultwarden-data-iscsi"
+ namespace = kubernetes_namespace.vaultwarden.metadata[0].name
+ }
+ spec {
+ access_modes = ["ReadWriteOnce"]
+ storage_class_name = "iscsi-truenas"
+ resources {
+ requests = {
+ storage = "1Gi"
+ }
+ }
+ }
 }

 resource "kubernetes_deployment" "vaultwarden" {
@@ -136,7 +143,7 @@ resource "kubernetes_deployment" "vaultwarden" {
 volume {
 name = "data"
 persistent_volume_claim {
- claim_name = module.nfs_data.claim_name
+ claim_name = kubernetes_persistent_volume_claim.vaultwarden_data.metadata[0].name
 }
 }
 dns_config {
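Review bot: The new `kubernetes_persistent_volume_claim.vaultwarden_data` in the `@@ -20,12 +19,20 @@` hunk has no deletion guard, although it now holds the password vault's SQLite database on a dynamically provisioned volume. The removed NFS module pointed at a fixed export path (`/mnt/main/vaultwarden`) that presumably outlived the claim. Whether the iSCSI volume survives a deleted or renamed claim depends on the reclaim policy of the `iscsi-truenas` class, which is not visible here. I would add `lifecycle { prevent_destroy = true }` to the resource and confirm that the class uses `Retain` or that the backing volume is snapshotted and backed up off-cluster. The claim is also created empty under a new name, so the copy of the existing data from NFS has to happen outside this change; a comment above the resource saying so would help the next reader.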
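Review bot: The `claim_name` change in the `@@ -136,7 +143,7 @@` hunk makes the Deployment mount a `ReadWriteOnce` block volume, so its rollout strategy and replica count now matter; both are outside this hunk. `ReadWriteOnce` limits the volume to one node, not one pod. Under the default `RollingUpdate` strategy the replacement pod either stalls on attach when scheduled to another node, or runs alongside the old pod against the same database on the same node. If the spec does not already have them, set `replicas = 1` and `strategy { type = "Recreate" }`. Using `ReadWriteOncePod` on the claim would enforce single-pod access, provided the CSI driver behind `iscsi-truenas` supports it.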