---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: &app vaultwarden
  namespace: default
spec:
  interval: 30m
  chart:
    spec:
      chart: app-template
      version: 3.4.0
      sourceRef:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
  maxHistory: 2
  install:
    createNamespace: true
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  uninstall:
    keepHistory: false
  values:
    controllers:
      vaultwarden:
        annotations:
          reloader.stakater.com/auto: "true"
        initContainers:
          init-db:
            image:
              repository: ghcr.io/onedr0p/postgres-init
              tag: 16
            envFrom: &envFrom
              - secretRef:
                  name: vaultwarden-secret
        containers:
          app:
            image:
              repository: vaultwarden/server
              tag: 1.32.0@sha256:71668d20d4208d70919cf8cb3caf3071d41ed4b7d95afe71125ccad8408b040d
            env:
              DATA_FOLDER: data
              ICON_CACHE_FOLDER: data/icon_cache
              ATTACHMENTS_FOLDER: data/attachments
              DOMAIN: "https://vaultwarden.${SECRET_EXTERNAL_DOMAIN}"
              TZ: "${TIMEZONE}"
              SIGNUPS_ALLOWED: "false"
              WEBSOCKET_ENABLED: "true"
              WEBSOCKET_ADDRESS: 0.0.0.0
              WEBSOCKET_PORT: 3012
              SMTP_HOST: smtp-relay.default.svc.cluster.local.
              SMTP_FROM: vaultwarden@${SECRET_DOMAIN}
              SMTP_FROM_NAME: vaultwarden
              SMTP_PORT: 2525
              SMTP_SECURITY: "off"
            envFrom: *envFrom
            resources:
              requests:
                cpu: 100m
                memory: 100Mi
              limits:
                memory: 2Gi
    service:
      app:
        controller: *app
        ports:
          http:
            port: &port 80
    ingress:
      app:
        enabled: true
        className: nginx
        annotations:
          external-dns.alpha.kubernetes.io/enabled: "true"
          external-dns.alpha.kubernetes.io/target: services.${SECRET_DOMAIN}.
          hajimari.io/icon: mdi:lock
          gethomepage.dev/enabled: "true"
          gethomepage.dev/name: Vaultwarden
          gethomepage.dev/description: Open-source password manager compatible with Bitwarden clients.
          gethomepage.dev/group: Applications
          gethomepage.dev/icon: vaultwarden.png
          gethomepage.dev/pod-selector: >-
            app in (
              vaultwarden
            )
        hosts:
          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
            paths:
              - path: /
                service:
                  identifier: app
                  port: *port
        tls:
          - hosts:
              - *host
    persistence:
      config:
        enabled: true
        existingClaim: *app
        globalMounts:
          - path: /data