diff --git a/bootstrap/helmrepositories/helmrepository-vaultwarden.yaml b/bootstrap/helmrepositories/helmrepository-vaultwarden.yaml
new file mode 100644
index 0000000..069131e
--- /dev/null
+++ b/bootstrap/helmrepositories/helmrepository-vaultwarden.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: vaultwarden
+ namespace: flux-system
+spec:
+ interval: 15m
+ url: https://guerzon.github.io/vaultwarden
diff --git a/bootstrap/kustomizations/kustomization-vaultwarden.yaml b/bootstrap/kustomizations/kustomization-vaultwarden.yaml
new file mode 100644
index 0000000..4ba9461
--- /dev/null
+++ b/bootstrap/kustomizations/kustomization-vaultwarden.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: vaultwarden
+ namespace: flux-system
+spec:
+ interval: 15m
+ path: ./vaultwarden
+ prune: true # remove any elements later removed from the above path
+ timeout: 2m # if not set, this defaults to interval duration, which is 1h
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ healthChecks:
+ - apiVersion: helm.toolkit.fluxcd.io/v2beta2
+ kind: HelmRelease
+ name: vaultwarden
+ namespace: vaultwarden
diff --git a/bootstrap/namespaces/namespace-vaultwarden.yaml b/bootstrap/namespaces/namespace-vaultwarden.yaml
new file mode 100644
index 0000000..6fc17a5
--- /dev/null
+++ b/bootstrap/namespaces/namespace-vaultwarden.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: vaultwarden
diff --git a/mytls.crt b/mytls.crt
index 2549427..8ccdfcb 100644
--- a/mytls.crt
+++ b/mytls.crt
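Review bot: The `url` in helmrepository-vaultwarden.yaml is a third-party chart index, and the HelmRelease added in this commit tracks it with `version: 0.30.x`, so any new 0.30 patch release published there is rolled into the password manager's namespace on the next reconcile without anyone reviewing it. Pinning an exact chart version in the HelmRelease (`version: "<exact chart version>"`) and bumping it through a reviewed commit keeps upgrades of this workload deliberate.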
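Review bot: In kustomization-vaultwarden.yaml the `timeout: 2m` is shorter than the `timeout: 5m` set on the HelmRelease this Kustomization health-checks, so an install that takes longer than two minutes would mark the Kustomization failed while Helm is still working. The inline comment is also stale, because the interval on this object is `15m`, not 1h. Something like `timeout: 6m # must exceed the HelmRelease timeout (5m); defaults to the interval (15m) if unset` fixes both.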
@@ -1,31 +1,28 @@
 -----BEGIN CERTIFICATE-----
-MIIFQTCCAymgAwIBAgIUY5XY25fJB0VKy2xLS4rPEHshR+gwDQYJKoZIhvcNAQEL
-BQAwMDEWMBQGA1UEAwwNc2VhbGVkLXNlY3JldDEWMBQGA1UECgwNc2VhbGVkLXNl
-Y3JldDAeFw0yMzExMjAyMTI2MDhaFw0yNDExMTkyMTI2MDhaMDAxFjAUBgNVBAMM
-DXNlYWxlZC1zZWNyZXQxFjAUBgNVBAoMDXNlYWxlZC1zZWNyZXQwggIiMA0GCSqG
-SIb3DQEBAQUAA4ICDwAwggIKAoICAQDfs0B+gK6MDpnyJONb1n1AyaZiobGW29bo
-+uowrDg7fJhol+PG+iexpTdYKUFrAVvs8V3Q3kdqp/w/W+R4GP1MZibfQ7BgaPDt
-i7fCSIO7jXhqdxkOqvYFXfPHVwx+D5jRuIimtQKZMu/yfk2r2tWxG+L+36QXoqGt
-3z9+vIX9bwndG+LXSnT3vppD6stDEepiV3E4D+RKPCSKAp8njxYqO3/X7iKFmR4l
-8TqPv4n+pkGR5pIQU0KqRdMaTkwjUtN0H1vJtDeXbjBbeC74ct+Dt9+GKjUDVzZS
-S8pYgPS25YMJkui9gWje3eh+uTH610Kn06r2rGkun0F1Tdho2mwVnY3xdsieyUZP
-t6yNNGg5h2Grrw+pt6Izc3i7kxJE0rQo1BZ4srbjt2XX/ME4M8Nj66xH+jadfFzM
-/1Xp1w+040wHte+GOAHRgfyN6yLUx1QZ1PcLZpZ6vuDzeMgd9I1A+p+nvG0l5xI/
-fR6Rx9UPh9Ev+cwGA2IXhuEPZoB4UUzVDtUlkmMREMKmkMa2UK+15QSjT7nRu4kc
-wCluziMI6E98sbMucot7KxAnm1RJzZTzitCJnAgcfxVh3C593YsVsVdm1VxKTwZU
-9Sl0C8XG1ZKXtez/LmWvV9v6iJ7GasdtqCZHaFfOlA7gGjmz/0h6S8XlAc+2+Bq8
-mkXtVLJDrQIDAQABo1MwUTAdBgNVHQ4EFgQUIk8j8LewHuCOxnCClxvd9yn9wqQw
-HwYDVR0jBBgwFoAUIk8j8LewHuCOxnCClxvd9yn9wqQwDwYDVR0TAQH/BAUwAwEB
-/zANBgkqhkiG9w0BAQsFAAOCAgEAk0wgNe071fLXV2J0OCXASttxq1XlB/RvlhJz
-76PWChacLHmK3KcCjmXs6A6dwnCeEvade21HQV/mi/r7Y1PK9jyguysRChMaSTCx
-XY7ZSY/vqVhGWbH5svDuKf8S+eLqTFOiMI/2nbvNwNW3/cgT8Tw+aHFTZ8S6tZCB
-4TswlV7/4C9O87sYKksuaBfy3b9lSincfrTf1GDwMuAChwm8HfqNSh1TC+WNg+uC
-D4sbvMuydRqUNLvfAqH8JYrOyg7aXoEPqVI3vq6VQam5PM1YofFNZVlXj47yEUyx
-lSIgxxAHWGv9CVBayjdHsXcWM4+S1ELv82WcW47lylzo4iLeJJewCMqWY+X57Jvn
-IKPn0Hf4farU0ZwH4544Q7Un/0w1e+Q/s/qLTdqUr0rYh0CDieCaKvfFsmdsvyaC
-0vs7Qqh1xXh7RunFgrvIMxRHbYrQauV08fJYjIbewtYq+b+ONIX4gOLhcV+ATEmG
-kYzGwJ1MD1i/tEJgL638vt10h+SP9hUuYRPSQrwTCIzNYUiBAHKaob/1tFIW35w0
-rtN/JKCwvaN0VPr/OLJCDOCtKccZs5nnNAiSti9LV6mqh/cCPhfYMsbZhilY1AJC
-JuDDtNIRgeitD6Zgo+eKjqjUWzxTx1jcMZILw36tJhKjQjm5s1XDjHH+1bKAC2eq
-VLC/zWk=
+MIIEzDCCArSgAwIBAgIQLlDPRQv6L9tMQoBb+BVv0zANBgkqhkiG9w0BAQsFADAA
+MB4XDTI0MTExODExMzIxOFoXDTM0MTExNjExMzIxOFowADCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAOzsY3VngR61osK/s1bu/O5CUTRfPVw1G4ckcIzm
+nFNTl6DWQ9bfBqaSn+qhwLIG3j4AIkJfr5nEl8XcQ8OLFdfrqfMf/Xh+gL/WJRLM
+97jAVplNEgESCg95T8Nfdyyc3l/tKn66DZlG7QG7slq0NJ5xD71b5UDhaReMjkTk
++cu+ii0UaF0XzsvGU546pwtRb67LUe2HzUAWTcXEDdeTjJFqRLB/Q12zIxHejHU6
+ZCzh46qVRa1VnKr2og1u85+L+NStDeSBkqHk7dzrHULP97+Lqd5k2v4iDUt3SCVb
+Jf8uI2YTNuRkcFCqDSUhlobToq7Vs4gTeRG3xkrXVjIip0p9gypLHxsPyYcDkdp5
+HJF5pkQY+iHji6ah1OZIcQgUzsYYlpVh3RmzlIpH+ZTE0GL6t1zEnRCmV3FX8CYA
+w1Oce3ppqaZstzWZVneLhTm/3C+tc+1ttr/WjLiLdcFD+hO1wxTYXuc2Gi92TK5H
+th5WuBTqDE4HxFzzKDYWz5BXBs1nfnBHN3ytzgwvEyYECMED3Ng1SDvs9Am3VgZL
+xLaWgcmy0ngDlDQrHuavOYrCyZjfVSQw/oO0okOPf+ThS6sQdWUag3dQv8Ts1tqs
+RpiWi8zkfx8aytVnApRHgvgu7/ADyFe3cjJLDHy28ZnHJrB5ryge4HW3dc6Xavok
+NtSPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIAATAPBgNVHRMBAf8EBTADAQH/MB0G
+A1UdDgQWBBTau1lw2zmui8sn8hi7fJrO44EDKTANBgkqhkiG9w0BAQsFAAOCAgEA
+Z+JQecM6Mv5ZdOmqOzdd+iIVzW6iidVrxurXkU6XZYKND3FeMJbQYbwK55x5rMeg
+HlVa/6qoFal5H3lzXdtwbZaidMIVyyq1TbtntO2j4u7P9dRKmfA0Nu/i8RUMXtAP
+Sc62dF5ixd9mZUNEgnU+TtATPNWSGG+B/t5bl1lCA/jjbZRdALN2Bj1VTE7Zi0yc
+H6HSJnFFQ22fX6JhHy7u6Z4nIq/TIbEvCD4OtXGPt2jcGNhf4vBhtbMVJuK+bN3W
+lNODSY0z/LW/C/J8BYMHTpkJIi5OhGdhKeuzhtns80r8mO43KNVzs88DzKvtWa6a
+B+Gnu4SSevODFG/XSOYaHtXxfPaHKUF0uxomNKbW0uzCdPQQZUmrRACTD487G3Cm
+WXIpCU6uQ3rreqKfbbVTmeZCXlqWaF7wrrbX05rp4WwGjLWLMcGLSrddGOHUBEyM
+heDR24FR3atlsFXs+eUDy6g4qriINzTu3i0TUfYvpz3VYdrVXpvoYNuF4G+4pI5u
+hMsoQZ4B5cNFNm9ly6qYHmFuidalapniYOlAC6qDEUdY+JhsNG4ppqQLns5lCa4y
+LDY9OvrpqXwpO1Vq++5nRSbsxl0YGySOAYEZCeAIywV9PBwIzAuIKcipg8jHHz9l
+Z/mw/plHgkLR6RPtWkBFsDAQU0teWxwLJCAtNjFcmPU=
 -----END CERTIFICATE-----
diff --git a/vaultwarden/admincreds_secret.yaml b/vaultwarden/admincreds_secret.yaml
new file mode 100644
index 0000000..6a01a76
--- /dev/null
+++ b/vaultwarden/admincreds_secret.yaml
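Review bot: Nothing in this change records why `mytls.crt` is replaced or which controller key the new certificate belongs to. Decoding the two certificates, the old one (subject sealed-secret) was valid until 2024-11-19 and the new one runs from 2024-11-18 for ten years with an empty subject, which looks like a sealed-secrets key renewal; if so, the two SealedSecrets added in this commit only decrypt when they were sealed against exactly this certificate. It is worth confirming the file matches the output of `kubeseal --fetch-cert` from the cluster and stating the rotation in the commit message. Secrets sealed with the previous certificate stay readable only while the controller still holds the old private key.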
@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: admincreds_secret
+ namespace: vaultwarden
+spec:
+ encryptedData:
+ ADMIN_TOKEN: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: admincreds_secret
+ namespace: vaultwarden
diff --git a/vaultwarden/dns-endpoint.yaml b/vaultwarden/dns-endpoint.yaml
new file mode 100644
index 0000000..5afcc96
--- /dev/null
+++ b/vaultwarden/dns-endpoint.yaml
@@ -0,0 +1,15 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+ name: vaultwarden.michaelthomson.dev
+ namespace: vaultwarden
+spec:
+ endpoints:
+ - dnsName: vaultwarden.michaelthomson.dev
+ recordTTL: 180
+ recordType: CNAME
+ targets:
+ - michaelthomson.ddns.net
+ providerSpecific:
+ - name: external-dns.alpha.kubernetes.io/cloudflare-proxied
+ value: "true"
diff --git a/vaultwarden/helmrelease-woodpecker.yaml b/vaultwarden/helmrelease-woodpecker.yaml
new file mode 100644
index 0000000..227518b
--- /dev/null
+++ b/vaultwarden/helmrelease-woodpecker.yaml
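Review bot: `name: admincreds_secret` in vaultwarden/admincreds_secret.yaml is not a valid Kubernetes object name, because names must be lowercase RFC 1123 subdomains and those exclude `_`; the API server will reject the SealedSecret, and the Secret named in its template could not be created either. The same applies to `smtpcreds_secret` in vaultwarden/smtpcreds_secret.yaml and to the two `existingSecret` references in the HelmRelease. Use `name: admincreds-secret` and `name: smtpcreds-secret` in all of these places. Both secrets then have to be re-sealed under the new names, since with the default strict scope the ciphertext is bound to the Secret's name and namespace and will not decrypt after a rename.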
@@ -0,0 +1,47 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: vaultwarden
+ namespace: vaultwarden
+spec:
+ chart:
+ spec:
+ chart: vaultwarden
+ version: 0.30.x
+ sourceRef:
+ kind: HelmRepository
+ name: vaultwarden
+ namespace: flux-system
+ interval: 15m
+ timeout: 5m
+ releaseName: vaultwarden
+ values:
+ domain: "https://vaultwarden.michaelthomson.dev"
+ signupsAllowed: false
+ signupsVerify: "true"
+ requireDeviceEmail: "true"
+ adminToken:
+ existingSecret: "admincreds_secret"
+ existingSecretKey: "ADMIN_TOKEN"
+ timeZone: "America/Toronto"
+ smtp:
+ existingSecret: "smtpcreds_secret"
+ host: "mail.michaelthomson.dev"
+ security: "starttls"
+ port: 465
+ from: "vaultwarden@michaelthomson.dev"
+ fromName: "Vaultwarden"
+ username:
+ existingSecretKey: "SMTP_USERNAME"
+ password:
+ existingSecretKey: "SMTP_PASSWORD"
+ ingress:
+ enabled: true
+ class: "traefik"
+ additionalAnnotations:
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ labels: {}
+ tls: true
+ hostname: "vaultwarden.michaelthomson.dev"
+ tlsSecret: "letsencrypt-wildcard-cert-michaelthomson.dev"
diff --git a/vaultwarden/smtpcreds_secret.yaml b/vaultwarden/smtpcreds_secret.yaml
new file mode 100644
index 0000000..a2aceaf
--- /dev/null
+++ b/vaultwarden/smtpcreds_secret.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: smtpcreds_secret
+ namespace: vaultwarden
+spec:
+ encryptedData:
+ SMTP_PASSWORD: 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
+ SMTP_USERNAME: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: smtpcreds_secret
+ namespace: vaultwarden
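Review bot: In the `smtp` values of the HelmRelease, `security: "starttls"` is paired with `port: 465`, which is conventionally the implicit-TLS port; Vaultwarden treats the two as different modes, so against a typical mail server the connection would fail and the verification mail that `signupsVerify` depends on would not be sent. Use either `security: "force_tls"` with 465 or `port: 587` with starttls, depending on what mail.michaelthomson.dev actually offers. Separately, setting `adminToken` enables the /admin page on a hostname published through the ingress, so it is worth confirming that the sealed ADMIN_TOKEN is an Argon2 PHC hash rather than a plain string (the value is not visible here). The file name `helmrelease-woodpecker.yaml` also looks like a copy-paste leftover and would read better as `helmrelease-vaultwarden.yaml`.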