variable "tls_secret_name" {} variable "tier" { type = string } variable "smtp_password" {} variable "mail_host" { type = string } variable "nfs_server" { type = string } resource "kubernetes_namespace" "vaultwarden" { metadata { name = "vaultwarden" labels = { "istio-injection" : "disabled" tier = var.tier } } } module "tls_secret" { source = "../../../../modules/kubernetes/setup_tls_secret" namespace = kubernetes_namespace.vaultwarden.metadata[0].name tls_secret_name = var.tls_secret_name } resource "kubernetes_persistent_volume_claim" "vaultwarden_data" { metadata { name = "vaultwarden-data-iscsi" namespace = kubernetes_namespace.vaultwarden.metadata[0].name } spec { access_modes = ["ReadWriteOnce"] storage_class_name = "iscsi-truenas" resources { requests = { storage = "1Gi" } } } } resource "kubernetes_deployment" "vaultwarden" { metadata { name = "vaultwarden" namespace = kubernetes_namespace.vaultwarden.metadata[0].name labels = { app = "vaultwarden" tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" } } spec { replicas = 1 strategy { type = "Recreate" } selector { match_labels = { app = "vaultwarden" } } template { metadata { annotations = { "diun.enable" = "true" "diun.include_tags" = "^\\d+(?:\\.\\d+)?(?:\\.\\d+)?$" } labels = { "app" = "vaultwarden" } } spec { container { image = "vaultwarden/server:1.35.4" name = "vaultwarden" resources { requests = { cpu = "10m" memory = "256Mi" } limits = { memory = "256Mi" } } env { name = "DOMAIN" value = "https://vaultwarden.viktorbarzin.me" } # env { # name = "ADMIN_TOKEN" # value = "" # } env { name = "SMTP_HOST" value = var.mail_host } env { name = "SMTP_FROM" value = "vaultwarden@viktorbarzin.me" } env { name = "SMTP_PORT" value = "587" } env { name = "SMTP_SECURITY" value = "starttls" } env { name = "SMTP_USERNAME" value = "vaultwarden@viktorbarzin.me" } env { name = "SMTP_PASSWORD" value = var.smtp_password } port { container_port = 80 } liveness_probe { http_get { path = "/alive" port = 80 } initial_delay_seconds = 15 period_seconds = 30 timeout_seconds = 5 failure_threshold = 5 } readiness_probe { http_get { path = "/alive" port = 80 } initial_delay_seconds = 5 period_seconds = 30 timeout_seconds = 5 failure_threshold = 3 } volume_mount { name = "data" mount_path = "/data" } } volume { name = "data" persistent_volume_claim { claim_name = kubernetes_persistent_volume_claim.vaultwarden_data.metadata[0].name } } dns_config { option { name = "ndots" value = "2" } } } } } } resource "kubernetes_service" "vaultwarden" { metadata { name = "vaultwarden" namespace = kubernetes_namespace.vaultwarden.metadata[0].name labels = { "app" = "vaultwarden" } } spec { selector = { app = "vaultwarden" } port { name = "http" port = "80" protocol = "TCP" } } } module "ingress" { source = "../../../../modules/kubernetes/ingress_factory" namespace = kubernetes_namespace.vaultwarden.metadata[0].name name = "vaultwarden" tls_secret_name = var.tls_secret_name rybbit_site_id = "b8fc85e18683" extra_annotations = { "gethomepage.dev/enabled" = "true" "gethomepage.dev/name" = "Vaultwarden" "gethomepage.dev/description" = "Password manager" "gethomepage.dev/icon" = "vaultwarden.png" "gethomepage.dev/group" = "Other" "gethomepage.dev/pod-selector" = "" } } # ----------------------------------------------------------------------------- # Backup — Daily SQLite + data files to NFS # ----------------------------------------------------------------------------- module "nfs_vaultwarden_backup" { source = "../../../../modules/kubernetes/nfs_volume" name = "vaultwarden-backup" namespace = kubernetes_namespace.vaultwarden.metadata[0].name nfs_server = var.nfs_server nfs_path = "/mnt/main/vaultwarden-backup" } resource "kubernetes_cron_job_v1" "vaultwarden-backup" { metadata { name = "vaultwarden-backup" namespace = kubernetes_namespace.vaultwarden.metadata[0].name } spec { concurrency_policy = "Replace" failed_jobs_history_limit = 5 schedule = "0 0 * * *" starting_deadline_seconds = 10 successful_jobs_history_limit = 10 job_template { metadata {} spec { backoff_limit = 3 ttl_seconds_after_finished = 10 template { metadata {} spec { affinity { pod_affinity { required_during_scheduling_ignored_during_execution { label_selector { match_labels = { app = "vaultwarden" } } topology_key = "kubernetes.io/hostname" } } } container { name = "vaultwarden-backup" image = "docker.io/library/alpine" command = ["/bin/sh", "-c", <<-EOT set -euxo pipefail apk add --no-cache sqlite now=$(date +"%Y_%m_%d_%H_%M") mkdir -p /backup/$now # Safe SQLite backup (handles WAL/locks) sqlite3 /data/db.sqlite3 ".backup /backup/$now/db.sqlite3" # Copy RSA keys, attachments, sends, config cp -a /data/rsa_key.pem /data/rsa_key.pub.pem /backup/$now/ 2>/dev/null || true cp -a /data/attachments /backup/$now/ 2>/dev/null || true cp -a /data/sends /backup/$now/ 2>/dev/null || true cp -a /data/config.json /backup/$now/ 2>/dev/null || true # Rotate — 30 day retention find /backup -maxdepth 1 -mindepth 1 -type d -mtime +30 -exec rm -rf {} + echo "Backup complete: $now" EOT ] volume_mount { name = "data" mount_path = "/data" read_only = true } volume_mount { name = "backup" mount_path = "/backup" } } volume { name = "data" persistent_volume_claim { claim_name = kubernetes_persistent_volume_claim.vaultwarden_data.metadata[0].name } } volume { name = "backup" persistent_volume_claim { claim_name = module.nfs_vaultwarden_backup.claim_name } } dns_config { option { name = "ndots" value = "2" } } } } } } } }