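---
# Vaultwarden namespace
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: vaultwarden-namespace
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: Namespace
      metadata:
        name: vaultwarden
---
# Vaultwarden ConfigMap
# Non-secret settings only. Everything under `manifest` is stored in the
# Crossplane Object and in the ConfigMap, so it is readable by anyone who can
# read either resource (and by anyone with access to this file).
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: vaultwarden-config
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: vaultwarden-config
        namespace: vaultwarden
      data:
        DOMAIN: "https://vault.nge6.com"
        WEBSOCKET_ENABLED: "true"
        ROCKET_PORT: "8080"
        ROCKET_WORKERS: "10"
        # Security settings
        # Open sign-up is off; invited addresses can still register.
        INVITATIONS_ALLOWED: "true"
        SIGNUPS_ALLOWED: "false"
        SHOW_PASSWORD_HINT: "false"
        # Email configuration (disabled)
        # Admin settings
        # ADMIN_TOKEN is deliberately NOT set here. It used to be a literal
        # placeholder string in this ConfigMap, i.e. a publicly known admin
        # credential. The Deployment below reads it from a Secret instead.
        # Treat the old literal as compromised and never reuse it.
        # Database (using SQLite for simplicity)
        DATABASE_URL: "/data/db.sqlite3"
        # File attachments
        ATTACHMENTS_FOLDER: "/data/attachments"
        # Icons
        ICON_CACHE_FOLDER: "/data/icon_cache"
---
# Vaultwarden PVC for data persistence
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: vaultwarden-data-pvc
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: vaultwarden-data
        namespace: vaultwarden
      spec:
        accessModes:
          - ReadWriteOnce
        storageClassName: civo-volume
        resources:
          requests:
            storage: 10Gi
---
# Vaultwarden Deployment
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: vaultwarden-deployment
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: vaultwarden
        namespace: vaultwarden
        labels:
          app: vaultwarden
      spec:
        replicas: 1
        # Single replica on a ReadWriteOnce volume with a SQLite file: the
        # default RollingUpdate starts the new pod before the old one stops,
        # which either leaves two instances on one database file or a pod
        # stuck waiting for the volume. Recreate stops the old pod first.
        strategy:
          type: Recreate
        selector:
          matchLabels:
            app: vaultwarden
        template:
          metadata:
            labels:
              app: vaultwarden
          spec:
            containers:
              - name: vaultwarden
                # Pinned by tag only; a tag can be re-pointed upstream.
                # Pinning by digest as well makes the deployed image
                # reproducible.
                image: vaultwarden/server:1.30.5
                ports:
                  - containerPort: 8080
                    name: http
                  - containerPort: 3012
                    name: websocket
                envFrom:
                  - configMapRef:
                      name: vaultwarden-config
                env:
                  # Admin token comes from a Secret, never from the ConfigMap.
                  # `vaultwarden-admin` is a name chosen in this manifest; the
                  # Secret is not defined in this file and must be created out
                  # of band (secret manager / sealed secret), preferably
                  # holding an Argon2 PHC hash rather than the plain token.
                  # optional: true -> if the Secret is absent the variable is
                  # unset and Vaultwarden keeps the admin page disabled,
                  # instead of the pod failing to start.
                  - name: ADMIN_TOKEN
                    valueFrom:
                      secretKeyRef:
                        name: vaultwarden-admin
                        key: ADMIN_TOKEN
                        optional: true
                # The process has no need to gain privileges after start.
                securityContext:
                  allowPrivilegeEscalation: false
                resources:
                  limits:
                    cpu: 500m
                    memory: 1Gi
                  requests:
                    cpu: 100m
                    memory: 256Mi
                volumeMounts:
                  - name: data
                    mountPath: /data
                readinessProbe:
                  httpGet:
                    path: /alive
                    port: 8080
                  initialDelaySeconds: 5
                  periodSeconds: 10
                livenessProbe:
                  httpGet:
                    path: /alive
                    port: 8080
                  initialDelaySeconds: 30
                  periodSeconds: 30
            volumes:
              - name: data
                persistentVolumeClaim:
                  claimName: vaultwarden-data
---
# Vaultwarden Service
# ClusterIP only: reachable inside the cluster, not exposed directly.
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: vaultwarden-service
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: Service
      metadata:
        name: vaultwarden-http
        namespace: vaultwarden
        labels:
          app: vaultwarden
      spec:
        selector:
          app: vaultwarden
        ports:
          - name: http
            port: 8080
            targetPort: 8080
          - name: websocket
            port: 3012
            targetPort: 3012
        type: ClusterIP
---
# SSL Certificate for Vaultwarden
# Issued into the `emissary` namespace, where the Host below reads it.
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: vaultwarden-certificate
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: vaultwarden-tls
        namespace: emissary
      spec:
        secretName: vaultwarden-tls
        issuerRef:
          name: letsencrypt-dns
          kind: ClusterIssuer
        dnsNames:
          - vault.nge6.com
---
# Ambassador Host for Vaultwarden
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: vaultwarden-host
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: getambassador.io/v3alpha1
      kind: Host
      metadata:
        name: vaultwarden-host
        namespace: emissary
      spec:
        hostname: vault.nge6.com
        tlsSecret:
          name: vaultwarden-tls
---
# Ambassador Mapping for Vaultwarden
# Requests for the hostname go to the Pomerium proxy, not to the
# vaultwarden-http Service. The Pomerium route and policy that forward to
# Vaultwarden are not in this file.
# NOTE(review): confirm that policy restricts who can reach /admin.
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: vaultwarden-mapping
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: getambassador.io/v3alpha1
      kind: Mapping
      metadata:
        name: vaultwarden-mapping
        namespace: emissary
      spec:
        hostname: vault.nge6.com
        prefix: /
        service: https://pomerium-proxy.pomerium:443
        timeout_ms: 30000
        connect_timeout_ms: 10000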