327 lines
11 KiB
YAML
327 lines
11 KiB
YAML
# Default values for vaultwarden.
|
|
|
|
database:
|
|
# Database type, must be one of: 'sqlite', 'mysql' or 'postgresql'.
|
|
type: postgresql
|
|
# Enable DB Write-Ahead-Log for SQLite, disabled for other databases. https://github.com/dani-garcia/vaultwarden/wiki/Running-without-WAL-enabled
|
|
wal: true
|
|
## URL for external databases (mysql://user:pass@host:port/database-name or postgresql://user:pass@host:port/database-name).
|
|
url: "postgresql://vaultwarden:0UnBYmhT7LZ1GePohx13zRxIKM30TZA0m3GZTjgFh0dBiwENwOtZZqcPlyhMXIUD@home-postgres.db.svc.cluster.local:5432/vw"
|
|
## Use existing secret for database URL, key 'database-url'.
|
|
existingSecret: vw-home-vaultwarden
|
|
## Use a different key for the existing secret.
|
|
#existingSecretKey:
|
|
## Set the size of the database connection pool.
|
|
#maxConnections: 10
|
|
## Connection retries during startup, 0 for infinite. 1 second between retries.
|
|
#retries: 15
|
|
|
|
# Set vaultwarden application variables
|
|
vaultwarden:
|
|
## Set Bitwarden URL, mandatory for invitations over email. Recommended if using a reverse proxy / ingress. Format is https://name or http://name
|
|
#domain:
|
|
# Allow any user to sign-up: https://github.com/dani-garcia/vaultwarden/wiki/Disable-registration-of-new-users
|
|
allowSignups: true
|
|
## Whitelist domains allowed to sign-up. 'allowSignups' is ignored if set.
|
|
#signupDomains:
|
|
# - domain.tld
|
|
# Verify e-mail before login is enabled. SMTP must be enabled.
|
|
verifySignup: false
|
|
# When a user logs in an email is required to be sent. If sending the email fails the login attempt will fail. SMTP must be enabled.
|
|
requireEmail: false
|
|
## Maximum attempts before an email token is reset and a new email will need to be sent.
|
|
#emailAttempts: 3
|
|
## Email token validity in seconds.
|
|
#emailTokenExpiration: 600
|
|
# Allow invited users to sign-up even feature is disabled: https://github.com/dani-garcia/vaultwarden/wiki/Disable-invitations
|
|
allowInvitation: true
|
|
## Number of hours after which an organization invite token, emergency access invite token,
|
|
## email verification token and deletion request token will expire
|
|
#invitationExpiration: 120
|
|
## Allow users to set password hints. Applies to all users.
|
|
#passwordHintsAllowed: true
|
|
# Show password hints: https://github.com/dani-garcia/vaultwarden/wiki/Password-hint-display
|
|
showPasswordHint: false
|
|
## Default organization name in invitation e-mails that are not coming from a specific organization.
|
|
#defaultInviteName: ""
|
|
# Enable Web Vault (static content). https://github.com/dani-garcia/vaultwarden/wiki/Disabling-or-overriding-the-Vault-interface-hosting
|
|
enableWebVault: true
|
|
# Enable Bitwarden Sends globally
|
|
enableSends: true
|
|
# Restrict creation of orgs. Options are: 'all', 'none' or a comma-separated list of users.
|
|
orgCreationUsers: all
|
|
## Limit attachment disk usage per organization.
|
|
#attachmentLimitOrg:
|
|
## Limit attachment disk usage per user.
|
|
#attachmentLimitUser:
|
|
## Limit send disk usage per user.
|
|
#sendLimitUser:
|
|
## HaveIBeenPwned API Key. Can be purchased at https://haveibeenpwned.com/API/Key.
|
|
#hibpApiKey:
|
|
## Number of days to auto-delete trashed items. By default iteams are not auto-deleted.
|
|
#autoDeleteDays:
|
|
## Organization event logging
|
|
#orgEvents: false
|
|
## Organization event retation. Leave empty to not delete.
|
|
#orgEventsRetention: ""
|
|
## Allow users to change their email.
|
|
#emailChangeAllowed: true
|
|
## Map of custom environment variables. Use carefully.
|
|
#extraEnv:
|
|
# IP_HEADER: CF-Connecting-IP
|
|
# ALLOWED_IFRAME_ANCESTORS: myintranet.local
|
|
# COOL_VARIABLE:
|
|
# secretKeyRef:
|
|
# name: my-secret
|
|
# key: my-secret-key
|
|
# ANOTHER_VARIABLE:
|
|
# configMapKeyRef:
|
|
# name: my-config-map
|
|
# key: my-config-map-key
|
|
|
|
admin:
|
|
# Enable admin portal.
|
|
enabled: admin
|
|
# Disabling the admin token will make the admin portal accessible to anyone, use carefully: https://github.com/dani-garcia/vaultwarden/wiki/Disable-admin-token
|
|
disableAdminToken: false
|
|
## Token for admin login, will be generated if not defined. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page
|
|
#token:
|
|
## Use existing secret for the admin token. Key is 'admin-token'.
|
|
#existingSecret:
|
|
|
|
emergency:
|
|
# Allow any user to enable emergency access.
|
|
enabled: true
|
|
## Schedule to send expiration reminders to emergency access grantors. Cron schedule format.
|
|
#reminder: "0 3 * * * *"
|
|
## Schedule to grant emergency access requests that have met the required wait time. Cron schedule format.
|
|
#timeout: "0 3 * * * *"
|
|
|
|
# Enable SMTP. https://github.com/dani-garcia/vaultwarden/wiki/SMTP-configuration
|
|
smtp:
|
|
enabled: false
|
|
# SMTP hostname, required if SMTP is enabled.
|
|
host: ""
|
|
# SMTP sender e-mail address, required if SMTP is enabled.
|
|
from: ""
|
|
## SMTP sender name, defaults to 'Vaultwarden'.
|
|
#fromName: ""
|
|
# Enable secure SSL connection. Options are: "starttls", "force_tls" and "off"
|
|
# Users migrating from 1.24 or lower using ssl/explicitTLS settings:
|
|
# ssl = false -> "off"
|
|
# ssl = true and explicitTLS = false -> "starttls"
|
|
# ssl = true and explicitTLS = true -> "force_tls"
|
|
security: starttls
|
|
## SMTP port. Defaults depends on security: 465 for "force_tls", 587 for "starttls" and 25 for "off"
|
|
#port: 587
|
|
## SMTP Authentication Mechanisms. Comma-separated options: 'Plain', 'Login' and 'Xoauth2'. Defaults to 'Plain'.
|
|
#authMechanism: Plain
|
|
## Hostname to be sent for SMTP HELO. Defaults to pod name.
|
|
#heloName: ""
|
|
## SMTP timeout.
|
|
#timeout: 15
|
|
## Accept SSL session if certificate is valid but hostname doesn't match. DANGEROUS, vulnerable to men-in-the-middle attacks!
|
|
#invalidHostname: false
|
|
## Accept invalid certificates. DANGEROUS, vulnerable to men-in-the-middle attacks!
|
|
#invalidCertificate: false
|
|
## SMTP username.
|
|
#user: ""
|
|
## SMTP password. Required is user is specified, ignored if no user provided.
|
|
#password: ""
|
|
## Use existing secret for SMTP authentication. Keys are 'smtp-user' and 'smtp-password'.
|
|
#existingSecret:
|
|
## Embed images as email attachments
|
|
#embedImages: true
|
|
|
|
## Enable Yubico OPT authentication. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Yubikey-OTP-authentication
|
|
yubico:
|
|
enabled: false
|
|
## Yubico server. Defaults to YubiCloud.
|
|
#server:
|
|
## Yubico ID and Secret Key.
|
|
#clientId:
|
|
#secretKey:
|
|
## Use existing secret for Yubico. Keys are 'yubico-client-id' and 'yubico-secret-key'.
|
|
#existingSecret:
|
|
|
|
## Logging options. https://github.com/dani-garcia/vaultwarden/wiki/Logging
|
|
log:
|
|
# Log to file.
|
|
file: ""
|
|
# Log level. Options are "trace", "debug", "info", "warn", "error" or "off".
|
|
level: ""
|
|
## Log timestamp format. See https://docs.rs/chrono/0.4.15/chrono/format/strftime/index.html. Defaults to time in milliseconds.
|
|
#timeFormat: ""
|
|
|
|
icons:
|
|
## Icon download service. "internal" to fetch icons directly, otherwise options are: "bitwarden", "duckduckgo" or "google"
|
|
#service: internal
|
|
# Disables download of external icons on internal service. Setting to true will still serve icons from cache (/data/icon_cache). TTL will default to zero.
|
|
disableDownload: false
|
|
## Cache time-to-live for icons fetched. 0 means no purging.
|
|
#cache: 2592000
|
|
## Cache time-to-live for icons that were not available. 0 means no purging.
|
|
#cacheFailed: 259200
|
|
## HTTP code for redirect to external icon service
|
|
#redirectCode: 302
|
|
|
|
# Push notifications. https://github.com/dani-garcia/vaultwarden/wiki/Enabling-Mobile-Client-push-notification
|
|
push:
|
|
enabled: false
|
|
## Installation ID from Bitwarden.
|
|
#installationId:
|
|
## Installation Key from Bitwarden.
|
|
#installationKey:
|
|
## Relay URI
|
|
#relayUri:
|
|
## Identity URI
|
|
#identityUri:
|
|
## Use existing secret for Push notifications. Keys are 'push-id' and 'push-key'.
|
|
#existingSecret:
|
|
|
|
service:
|
|
type: ClusterIP
|
|
httpPort: 80
|
|
externalTrafficPolicy: Cluster
|
|
# loadBalancerIP:
|
|
nodePorts:
|
|
# Choose NodePorts manually
|
|
http: ""
|
|
|
|
# Kubernetes Ingress
|
|
ingress:
|
|
enabled: true
|
|
className: "nginx"
|
|
host: "warden.ervine.cloud"
|
|
annotations: {}
|
|
# kubernetes.io/ingress.class: nginx
|
|
# kubernetes.io/tls-acme: "true"
|
|
tls:
|
|
- secretName: warden-ervine-cloud-tls
|
|
hosts:
|
|
- warden.ervine.cloud
|
|
|
|
# Traefik IngressRoute CRD
|
|
ingressRoute:
|
|
enabled: false
|
|
# Starting on Traefik 2.10, the IngressRoute CRD moved to traefik.io namespace
|
|
newCRD: false
|
|
# Mandatory to enable IngressRoute
|
|
host: ""
|
|
entrypoints:
|
|
- websecure
|
|
## Enable Traefik middlewares
|
|
middlewares: {}
|
|
# - name: my_middleware
|
|
# namespace: default
|
|
tls: {}
|
|
#certResolver: letsencrypt
|
|
|
|
persistence:
|
|
enabled: true
|
|
size: 1Gi
|
|
accessMode: ReadWriteOnce
|
|
## Persistent Volume storage class
|
|
# storageClass: "-"
|
|
## Use existing Persistent Volume Claim
|
|
existingClaim: vw-home-vaultwarden
|
|
## Annotations to add to the Persistent Volume Claim
|
|
annotations: {}
|
|
|
|
# Use custom volume definition. Cannot be used with persistence.
|
|
customVolume: {}
|
|
#hostPath:
|
|
# path: "/examplefolder/vaultwarden"
|
|
|
|
# Additional volumes, to be used by sidecars
|
|
#additionalVolumes: []
|
|
|
|
image:
|
|
pullPolicy: IfNotPresent
|
|
repository: vaultwarden/server
|
|
tag: ""
|
|
|
|
imagePullSecrets: []
|
|
nameOverride: ""
|
|
fullnameOverride: ""
|
|
|
|
replicaCount: 1
|
|
|
|
serviceAccount:
|
|
# Specifies whether a service account should be created
|
|
create: false
|
|
# Annotations to add to the service account
|
|
annotations: {}
|
|
# The name of the service account to use.
|
|
# If not set and create is true, a name is generated using the fullname template
|
|
name: ""
|
|
|
|
podAnnotations: {}
|
|
podLabels: {}
|
|
|
|
# Annotations to add to the Deployment
|
|
deploymentAnnotations: {}
|
|
# Readiness and Liveness probes
|
|
probes: {}
|
|
#liveness:
|
|
#timeoutSeconds: 1
|
|
#periodSeconds: 10
|
|
#successThreshold: 1
|
|
#failureThreshold: 3
|
|
#readiness:
|
|
#timeoutSeconds: 1
|
|
#periodSeconds: 10
|
|
#successThreshold: 1
|
|
#failureThreshold: 3
|
|
|
|
# initContainers containers, add container spec (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container)
|
|
# No templating possible, values need to be hardcoded
|
|
initContainers: []
|
|
# - name: initcontainer
|
|
# image: initcontainer:1.2.3
|
|
# env:
|
|
# - name: INITCONTAINER_END
|
|
# value: "initcontainer"
|
|
# volumeMounts:
|
|
# - name: vaultwarden
|
|
# mountPath: /data
|
|
|
|
# Sidecar containers, add container spec (https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Container)
|
|
# No templating possible, values need to be hardcoded
|
|
sidecars: []
|
|
# - name: sidecar
|
|
# image: sidecarimage:1.2.3
|
|
# env:
|
|
# - name: SIDECAR_END
|
|
# value: "sidecar"
|
|
# volumeMounts:
|
|
# - name: vaultwarden
|
|
# mountPath: /data
|
|
|
|
podSecurityContext:
|
|
fsGroup: 65534
|
|
|
|
securityContext:
|
|
runAsUser: 65534
|
|
runAsGroup: 65534
|
|
|
|
strategy: {}
|
|
|
|
resources: {}
|
|
# We usually recommend not to specify default resources and to leave this as a conscious
|
|
# choice for the user. This also increases chances charts run on environments with little
|
|
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
# limits:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
# requests:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
|
|
nodeSelector: {}
|
|
|
|
tolerations: []
|
|
|
|
affinity: {}
|