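# Vaultwarden (password vault) deployment: a single-replica StatefulSet with a
# Litestream init container (restore) and sidecar (replicate) for the SQLite
# database, a Service, a Prometheus ServiceMonitor, and an nginx Ingress.
#
# NOTE(review): only the Ingress sets `namespace: default`; the other objects
# take the namespace of the apply context. Applying anywhere other than
# `default` leaves the Ingress unable to find its backend Service. Set the
# namespace on every object or on none.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: vaultwarden
spec:
  selector:
    matchLabels:
      app: vaultwarden
  serviceName: vaultwarden
  # SQLite is single-writer, so this must stay at one replica.
  replicas: 1
  template:
    metadata:
      labels:
        app: vaultwarden
    spec:
      # Nothing in this pod is configured to call the Kubernetes API
      # (Litestream gets its S3 credentials from a Secret via envFrom), so no
      # service-account token is mounted next to the vault data.
      automountServiceAccountToken: false
      volumes:
        - name: litestream
          configMap:
            name: vaultwarden-litestream
        # NOTE(review): config.json comes from a ConfigMap. If it holds secret
        # settings (for example an admin token or SMTP credentials), move it
        # to a Secret. Confirm against the ConfigMap contents.
        - name: config
          configMap:
            name: vaultwarden
      initContainers:
        # Restores the database from the replica before the server starts.
        # Per its flags, it is skipped when the database already exists or
        # when no replica exists.
        - name: init-litestream
          image: litestream/litestream:0.3.11
          args: ['restore', '-if-db-not-exists', '-if-replica-exists', '-v', '/data/db.sqlite3']
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: data
              mountPath: /data
            - name: litestream
              mountPath: /etc/litestream.yml
              subPath: vaultwarden.yml
          envFrom:
            - secretRef:
                name: vaultwarden-litestream-s3
      containers:
        - name: vaultwarden
          # NOTE(review): `testing` is a mutable tag and imagePullPolicy is
          # Always, so every pod restart can run a different, unreviewed
          # build of the password vault. Pin to a release tag or an image
          # digest, e.g. docker.io/vaultwarden/server@sha256:<DIGEST>
          # (placeholder).
          image: docker.io/vaultwarden/server:testing
          imagePullPolicy: Always
          # NOTE(review): no runAsNonRoot or capability drop is set here.
          # The server binds port 80 and the volume is NFS-backed, so test
          # any further tightening before enabling it.
          securityContext:
            allowPrivilegeEscalation: false
          resources:
            limits:
              memory: "128Mi"
              cpu: "500m"
            requests:
              memory: "64Mi"
              cpu: "100m"
          ports:
            - containerPort: 80
              name: web
          volumeMounts:
            - name: data
              mountPath: /data
            - name: config
              mountPath: /data/config.json
              subPath: vaultwarden.json
        # Sidecar that continuously replicates the database; the metrics port
        # is scraped by the ServiceMonitor below.
        - name: litestream
          image: litestream/litestream:0.3.11
          args: ['replicate']
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: data
              mountPath: /data
            - name: litestream
              mountPath: /etc/litestream.yml
              subPath: vaultwarden.yml
          envFrom:
            - secretRef:
                name: vaultwarden-litestream-s3
          ports:
            - name: metrics
              containerPort: 9090
          resources:
            limits:
              memory: "128Mi"
              cpu: "300m"
            requests:
              memory: "64Mi"
              cpu: "100m"
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        storageClassName: nfs-client
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
  name: vaultwarden
  labels:
    app: vaultwarden
spec:
  selector:
    app: vaultwarden
  ports:
    - port: 80
      targetPort: 80
      name: web
    # Cluster-internal only: the Ingress below routes to port 80, not 9090.
    - port: 9090
      targetPort: 9090
      name: metrics
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: vaultwarden
spec:
  selector:
    matchLabels:
      app: vaultwarden
  endpoints:
    - port: metrics
      interval: 30s
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: vaultwarden
  annotations:
    cert-manager.io/issuer: "le-issuer"
    # NOTE(review): more_set_headers sets *response* headers, so this echoes
    # the client-supplied X-Forwarded-For value back to the client and does
    # not change what the backend receives. If the goal is for the server to
    # see the real client IP, that belongs in the controller's
    # forwarded-header settings. configuration-snippet also lets anyone who
    # can edit this Ingress inject raw nginx config, and recent ingress-nginx
    # releases disable snippet annotations by default. Remove this once the
    # intent is confirmed.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Forwarded-For $http_x_forwarded_for";
  namespace: default
spec:
  tls:
    - hosts:
        - pw.gmem.ca
      secretName: gmem-ca-wildcard
  rules:
    - host: pw.gmem.ca
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: vaultwarden
                port:
                  number: 80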