From 7a97aa257bad9c1d37b3494d4afe44f6c2fbdf82 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Fri, 2 Jan 2026 01:12:35 -0300
Subject: [PATCH] services: scaffold postgres and vaultwarden manifests
---
 services/postgres/kustomization.yaml | 8 +++
 services/postgres/namespace.yaml | 5 ++
 services/postgres/service.yaml | 15 ++++++
 services/postgres/statefulset.yaml | 68 +++++++++++++++++++++++++
 services/vaultwarden/deployment.yaml | 43 ++++++++++++++++
 services/vaultwarden/ingress.yaml | 28 ++++++++++
 services/vaultwarden/kustomization.yaml | 10 ++++
 services/vaultwarden/namespace.yaml | 5 ++
 services/vaultwarden/pvc.yaml | 12 +++++
 services/vaultwarden/service.yaml | 15 ++++++
 10 files changed, 209 insertions(+)
 create mode 100644 services/postgres/kustomization.yaml
 create mode 100644 services/postgres/namespace.yaml
 create mode 100644 services/postgres/service.yaml
 create mode 100644 services/postgres/statefulset.yaml
 create mode 100644 services/vaultwarden/deployment.yaml
 create mode 100644 services/vaultwarden/ingress.yaml
 create mode 100644 services/vaultwarden/kustomization.yaml
 create mode 100644 services/vaultwarden/namespace.yaml
 create mode 100644 services/vaultwarden/pvc.yaml
 create mode 100644 services/vaultwarden/service.yaml
diff --git a/services/postgres/kustomization.yaml b/services/postgres/kustomization.yaml
new file mode 100644
index 0000000..1d7c8c0
--- /dev/null
+++ b/services/postgres/kustomization.yaml
@@ -0,0 +1,8 @@
+# services/postgres/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: postgres
+resources:
+ - namespace.yaml
+ - service.yaml
+ - statefulset.yaml
diff --git a/services/postgres/namespace.yaml b/services/postgres/namespace.yaml
new file mode 100644
index 0000000..c5503ce
--- /dev/null
+++ b/services/postgres/namespace.yaml
@@ -0,0 +1,5 @@
+# services/postgres/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: postgres
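Review bot: The statefulset this kustomization assembles reads POSTGRES_PASSWORD from a Secret named `postgres-auth` that is neither listed under `resources` nor produced by a `secretGenerator`, so a fresh `kubectl apply -k services/postgres` leaves the pod in CreateContainerConfigError until that Secret is created by hand, and nothing in the commit records where it comes from. The vaultwarden kustomization later in this patch has the same gap for `vaultwarden-db-url` and `vaultwarden-admin`. If the Secrets are deliberately kept out of git, state that in the file so the next reader does not go looking: `# Requires Secret postgres-auth (key POSTGRES_PASSWORD) in this namespace; it is created out of band and intentionally not tracked here.` — with the matching comment, naming its two Secrets, in services/vaultwarden/kustomization.yaml.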
diff --git a/services/postgres/service.yaml b/services/postgres/service.yaml
new file mode 100644
index 0000000..52c4656
--- /dev/null
+++ b/services/postgres/service.yaml
@@ -0,0 +1,15 @@
+# services/postgres/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: postgres-service
+ namespace: postgres
+spec:
+ clusterIP: None
+ ports:
+ - name: postgres
+ port: 5432
+ protocol: TCP
+ targetPort: 5432
+ selector:
+ app: postgres
diff --git a/services/postgres/statefulset.yaml b/services/postgres/statefulset.yaml
new file mode 100644
index 0000000..014567b
--- /dev/null
+++ b/services/postgres/statefulset.yaml
@@ -0,0 +1,68 @@
+# services/postgres/statefulset.yaml
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: postgres
+ namespace: postgres
+ labels:
+ app: postgres
+spec:
+ serviceName: postgres-service
+ replicas: 1
+ selector:
+ matchLabels:
+ app: postgres
+ persistentVolumeClaimRetentionPolicy:
+ whenDeleted: Retain
+ whenScaled: Retain
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: postgres
+ spec:
+ nodeSelector:
+ node-role.kubernetes.io/worker: "true"
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-role.kubernetes.io/worker
+ operator: In
+ values: ["true"]
+ - key: hardware
+ operator: In
+ values: ["rpi4", "rpi5"]
+ containers:
+ - name: postgres
+ image: postgres:15
+ ports:
+ - name: postgres
+ containerPort: 5432
+ protocol: TCP
+ env:
+ - name: PGDATA
+ value: /var/lib/postgresql/data/pgdata
+ - name: POSTGRES_USER
+ value: postgres
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgres-auth
+ key: POSTGRES_PASSWORD
+ - name: POSTGRES_DB
+ value: postgres
+ volumeMounts:
+ - name: postgres-data
+ mountPath: /var/lib/postgresql/data
+ volumeClaimTemplates:
+ - metadata:
+ name: postgres-data
+ spec:
+ accessModes: ["ReadWriteOnce"]
+ storageClassName: astreae
+ resources:
+ requests:
+ storage: 100Gi
diff --git a/services/vaultwarden/deployment.yaml b/services/vaultwarden/deployment.yaml
new file mode 100644
index 0000000..175cbca
--- /dev/null
+++ b/services/vaultwarden/deployment.yaml
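Review bot: The postgres pod template (from `spec:` under `template:` down to `volumeMounts:`) carries no pod or container securityContext and no resource requests or limits, so the container starts with the image's root default and no CPU/memory bound on what the affinity values suggest are Raspberry Pi nodes, and there is no readiness probe, so the headless service can hand out a backend that is still running initdb. The official image ships a `postgres` user (uid/gid 999 on the Debian-based tags — confirm for `postgres:15`), so a pod-level `runAsUser`/`fsGroup` of 999 with capabilities dropped on the container keeps the image working on the PVC while removing the root default; the sketch below adds that along with placeholder resource values and a `pg_isready` probe, which should be sized and tested against the astreae storage class. Separately, `image: postgres:15` floats on the major tag while the vaultwarden deployment in this same patch is pinned to `1.33.2`; pin to at least a minor tag for the same reason. The `nodeSelector` restates the first `matchExpressions` term and can be dropped without changing where the pod schedules.
```yaml
    spec:
      # … unchanged: nodeSelector, affinity …
      securityContext:
        runAsUser: 999      # postgres uid in the official Debian image — confirm for this tag
        runAsGroup: 999
        fsGroup: 999        # gives the PVC mount to the postgres group
      containers:
        - name: postgres
          image: postgres:15
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 250m       # placeholder — size for the target nodes
              memory: 512Mi   # placeholder
            limits:
              memory: 1Gi     # placeholder
          readinessProbe:
            exec:
              command: ["pg_isready", "-U", "postgres"]
            periodSeconds: 10
          # … unchanged: ports, env, volumeMounts …
```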
@@ -0,0 +1,43 @@
+# services/vaultwarden/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: vaultwarden
+ namespace: vaultwarden
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: vaultwarden
+ template:
+ metadata:
+ labels:
+ app: vaultwarden
+ spec:
+ containers:
+ - name: vaultwarden
+ image: vaultwarden/server:1.33.2
+ env:
+ - name: SIGNUPS_ALLOWED
+ value: "true"
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: vaultwarden-db-url
+ key: DATABASE_URL
+ - name: ADMIN_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: vaultwarden-admin
+ key: ADMIN_TOKEN
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ volumeMounts:
+ - name: vaultwarden-data
+ mountPath: /data
+ volumes:
+ - name: vaultwarden-data
+ persistentVolumeClaim:
+ claimName: vaultwarden-data
diff --git a/services/vaultwarden/ingress.yaml b/services/vaultwarden/ingress.yaml
new file mode 100644
index 0000000..2eaa991
--- /dev/null
+++ b/services/vaultwarden/ingress.yaml
@@ -0,0 +1,28 @@
+# services/vaultwarden/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: vaultwarden-ingress
+ namespace: vaultwarden
+ annotations:
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt-prod
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+ ingressClassName: traefik
+ rules:
+ - host: vault.bstein.dev
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: vaultwarden-service
+ port:
+ number: 80
+ tls:
+ - hosts:
+ - vault.bstein.dev
+ secretName: vaultwarden-tls
diff --git a/services/vaultwarden/kustomization.yaml b/services/vaultwarden/kustomization.yaml
new file mode 100644
index 0000000..f0d02fd
--- /dev/null
+++ b/services/vaultwarden/kustomization.yaml
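Review bot: `SIGNUPS_ALLOWED` is set to `value: "true"` while the ingress in this same patch publishes the instance at vault.bstein.dev with a public certificate, so anyone who reaches the host can register an account on the vault; set it to `value: "false"` once the first user exists, or restrict registration to your own mail domains with `SIGNUPS_DOMAINS_WHITELIST`. The Deployment keeps the default RollingUpdate strategy on a single replica backed by a ReadWriteOnce claim, so a rollout whose new pod lands on another node blocks on the volume attach; add `strategy:` / `  type: Recreate` under `spec`. No `DOMAIN` is set either, and Vaultwarden uses it to build the links it emits and as the origin for WebAuthn, so `- name: DOMAIN` / `value: "https://vault.bstein.dev"` should accompany the ingress host. The same missing securityContext and resources noted on the postgres statefulset apply to this container too.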
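Review bot: The ingress asks for a certificate for vault.bstein.dev twice: `traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt-prod` has Traefik run its own ACME flow for the router, while `cert-manager.io/cluster-issuer: letsencrypt-prod` with `secretName: vaultwarden-tls` has cert-manager issue a second one into a Secret. Which of the two Traefik serves then depends on its certificate store precedence rather than on anything in this file, and both clients draw on the same Let's Encrypt per-domain rate limit; keep one mechanism — if cert-manager is installed, drop the `certresolver` annotation, otherwise drop the cert-manager annotation and the `tls` block. The `/` prefix rule also publishes Vaultwarden's `/admin` panel, which is protected only by `ADMIN_TOKEN`; if the panel is not needed from the internet, a Traefik IP allow-list middleware on a separate `/admin` path keeps it reachable from trusted networks only.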
@@ -0,0 +1,10 @@
+# services/vaultwarden/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: vaultwarden
+resources:
+ - namespace.yaml
+ - pvc.yaml
+ - deployment.yaml
+ - service.yaml
+ - ingress.yaml
diff --git a/services/vaultwarden/namespace.yaml b/services/vaultwarden/namespace.yaml
new file mode 100644
index 0000000..2e97e87
--- /dev/null
+++ b/services/vaultwarden/namespace.yaml
@@ -0,0 +1,5 @@
+# services/vaultwarden/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: vaultwarden
diff --git a/services/vaultwarden/pvc.yaml b/services/vaultwarden/pvc.yaml
new file mode 100644
index 0000000..b4e0617
--- /dev/null
+++ b/services/vaultwarden/pvc.yaml
@@ -0,0 +1,12 @@
+# services/vaultwarden/pvc.yaml
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: vaultwarden-data
+ namespace: vaultwarden
+spec:
+ accessModes: ["ReadWriteOnce"]
+ storageClassName: astreae
+ resources:
+ requests:
+ storage: 100Gi
diff --git a/services/vaultwarden/service.yaml b/services/vaultwarden/service.yaml
new file mode 100644
index 0000000..7cc05a0
--- /dev/null
+++ b/services/vaultwarden/service.yaml
@@ -0,0 +1,15 @@
+# services/vaultwarden/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: vaultwarden-service
+ namespace: vaultwarden
+spec:
+ type: ClusterIP
+ selector:
+ app: vaultwarden
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: http