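# Default values for Bitwarden (Vaultwarden) on TrueCharts.
#
# Review notes:
#   - securityContext.allowPrivilegeEscalation was true; the pod runs as
#     non-root UID 568 and needs no setuid/capabilities, so it is now false.
#   - the init container waited on the wrong database user ("authelia",
#     copy-pasted from another chart); it now matches postgresql.postgresqlUsername.
#   - log.level defaulted to "trace"; production default is now "info".
#   - showPasswordHint is now off by default (see the comment at the key).

image:
  repository: ghcr.io/truecharts/vaultwarden
  pullPolicy: IfNotPresent
  # Pinned by digest as well as tag so the deployed image cannot be silently
  # replaced by a re-pushed tag. Keep the digest when bumping the version.
  tag: v1.22.2@sha256:8693c057298731f507128a395395172d60093be9b299f6bf9e5c35512a74d457

# Container-level security context.
securityContext:
  privileged: false
  # Vaultwarden writes to /data (see persistence below) and, presumably, to
  # temp dirs; a read-only root fs has not been validated for this image,
  # so it stays false. TODO(review): confirm and flip to true if it works.
  readOnlyRootFilesystem: false
  # Nothing in this chart needs setuid binaries or capability gain, and the
  # pod already runs as non-root; allowing escalation only widens the blast
  # radius of a compromised process.
  allowPrivilegeEscalation: false
  runAsNonRoot: true

# Pod-level security context (UID/GID 568 is the TrueCharts "apps" account).
podSecurityContext:
  runAsUser: 568
  runAsGroup: 568
  fsGroup: 568
  supplementalGroups: []
  fsGroupChangePolicy: "OnRootMismatch"

# Image used by the init container that waits for PostgreSQL.
postgresqlImage:
  repository: bitnami/postgresql
  pullPolicy: IfNotPresent
  tag: 13.4.0@sha256:abfb7efd31afc36a8b16aa077bb9dd165c4f635412affef37c7859605fda762c

service:
  main:
    ports:
      main:
        port: 8080
  # WebSocket notifications (see vaultwarden.enableWebsockets below).
  ws:
    ports:
      ws:
        enabled: true
        port: 3012

# Plain environment variables. Do not put secrets here; use envFrom /
# envValueFrom so they come from a Secret instead of the values file.
env: {}

# -- Configure the ingresses for the chart here.
# Additional ingresses can be added by adding a dictionary key similar to the 'main' ingress.
# @default -- See below
ingress:
  main:
    # -- Enables or disables the ingress.
    # NOTE(review): the ingress is on by default, which makes the
    # vaultwarden.allowSignups / showPasswordHint defaults below reachable by
    # anyone who can reach the ingress. Review those together with this flag.
    enabled: true
    # -- Make this the primary ingress (used in probes, notes, etc...).
    # If there is more than 1 ingress, make sure that only 1 ingress is marked as primary.
    primary: true
    # -- Override the name suffix that is used for this ingress.
    nameOverride:
    # -- List of middlewares in the traefikmiddlewares k8s namespace to add automatically.
    # Creates an annotation with the middlewares and appends k8s and traefik namespaces to the middleware names.
    # Primarily used for TrueNAS SCALE to add additional (separate) middlewares without exposing them to the end-user.
    fixedMiddlewares:
      - chain-basic
    # -- Additional list of middlewares in the traefikmiddlewares k8s namespace to add automatically.
    # Creates an annotation with the middlewares and appends k8s and traefik namespaces to the middleware names.
    middlewares: []
    annotationsList: []
    # - name: somename
    #   value: somevalue
    # -- Provide additional annotations which may be required.
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    labelsList: []
    # - name: somename
    #   value: somevalue
    # -- Provide additional labels which may be required.
    labels: {}
    # -- Set the ingressClass that is used for this ingress.
    # Requires Kubernetes >=1.19
    ingressClassName: # "nginx"
    ## Configure the hosts for the ingress
    hosts:
      - # -- Host address. Helm template can be passed.
        host: chart-example.local
        ## Configure the paths for the host
        paths:
          - # -- Path. Helm template can be passed.
            path: /
            # -- Ignored if not kubeVersion >= 1.14-0
            pathType: Prefix
            service:
              # -- Overrides the service name reference for this path
              name:
              # -- Overrides the service port reference for this path
              port:
    # -- Configure TLS for the ingress. Both secretName and hosts can process a Helm template.
    # NOTE(review): this is empty by default while envTpl.DOMAIN below is
    # built as an https:// URL. Terminate TLS here (or in front of the
    # ingress) before exposing the vault; the web vault is not meant to be
    # served over plain HTTP.
    tls: []
    # - secretName: chart-example-tls
    #   # -- Create a secret from a GUI selected TrueNAS SCALE certificate
    #   scaleCert: true
    #   hosts:
    #     - chart-example.local

initContainers:
  # Block startup until PostgreSQL answers; the DB host comes from the
  # `dbcreds` Secret, never from the values file.
  init-postgresdb:
    image: "{{ .Values.postgresqlImage.repository }}:{{ .Values.postgresqlImage.tag }}"
    command:
      - "sh"
      - "-c"
      # pg_isready does not authenticate, so the user is informational, but it
      # must still name this chart's DB user (postgresql.postgresqlUsername),
      # not one copied from a different chart.
      - "until pg_isready -U vaultwarden -h ${pghost} ; do sleep 2 ; done"
    imagePullPolicy: IfNotPresent
    env:
      - name: pghost
        valueFrom:
          secretKeyRef:
            name: dbcreds
            key: plainhost

# Templated env vars. DOMAIN must be the public URL users reach the vault
# on; it is derived from the first ingress host when the ingress is enabled.
envTpl:
  DOMAIN: "https://{{ if .Values.ingress }}{{ if .Values.ingress.main.enabled }}{{ ( index .Values.ingress.main.hosts 0 ).host }}{{ else }}placeholder.com{{ end }}{{ else }}placeholder.com{{ end }}"

# Non-secret settings come from the ConfigMap, secrets (e.g. admin token,
# SMTP password) from the Secret; both are rendered by the chart templates.
envFrom:
  - configMapRef:
      name: vaultwardenconfig
  - secretRef:
      name: vaultwardensecret

# The full connection URL (including the DB password) is read from the
# `dbcreds` Secret rather than from database.url below.
envValueFrom:
  DATABASE_URL:
    secretKeyRef:
      name: dbcreds
      key: url

database:
  # Database type, must be one of: 'sqlite', 'mysql' or 'postgresql'.
  type: postgresql
  # Enable DB Write-Ahead-Log for SQLite, disabled for other databases.
  # https://github.com/dani-garcia/bitwarden_rs/wiki/Running-without-WAL-enabled
  wal: true
  ## URL for external databases (mysql://user:pass@host:port or postgresql://user:pass@host:port).
  ## Prefer envValueFrom.DATABASE_URL above: a URL set here embeds the DB
  ## password in the values file.
  # url: ""
  ## Set the size of the database connection pool.
  # maxConnections: 10
  ## Connection retries during startup, 0 for infinite. 1 second between retries.
  # retries: 15

# Set Bitwarden_rs application variables
vaultwarden:
  # Allow any user to sign-up: https://github.com/dani-garcia/bitwarden_rs/wiki/Disable-registration-of-new-users
  # NOTE(review): with the ingress enabled by default and no signupDomains,
  # anyone who can reach the ingress can register an account. For anything
  # internet-facing set this to false and invite users, or set signupDomains.
  allowSignups: true
  ## Whitelist domains allowed to sign-up. 'allowSignups' is ignored if set.
  # signupDomains:
  #   - domain.tld
  # Verify e-mail before login is enabled. SMTP must be enabled.
  verifySignup: false
  # When a user logs in an email is required to be sent. If sending the email fails the login attempt will fail. SMTP must be enabled.
  requireEmail: false
  ## Maximum attempts before an email token is reset and a new email will need to be sent.
  # emailAttempts: 3
  ## Email token validity in seconds.
  # emailTokenExpiration: 600
  # Allow invited users to sign-up even if registration is disabled: https://github.com/dani-garcia/bitwarden_rs/wiki/Disable-invitations
  allowInvitation: true
  ## Default organization name in invitation e-mails that are not coming from a specific organization.
  # defaultInviteName: ""
  # Show password hints: https://github.com/dani-garcia/bitwarden_rs/wiki/Password-hint-display
  # Off by default: when SMTP is not configured (the default below) an
  # enabled hint is displayed directly in the web page to anyone who submits
  # the account's e-mail address. Only enable this with SMTP delivery set up.
  showPasswordHint: false
  # Enable Websockets for notification. https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-WebSocket-notifications
  # Redirect HTTP path "/notifications/hub" to port 3012. Ingress/IngressRoute controllers are automatically configured.
  enableWebsockets: true
  # Enable Web Vault (static content). https://github.com/dani-garcia/bitwarden_rs/wiki/Disabling-or-overriding-the-Vault-interface-hosting
  enableWebVault: true
  # Restrict creation of orgs. Options are: 'all', 'none' or a comma-separated list of users.
  orgCreationUsers: all
  ## Limit attachment disk usage per organization.
  # attachmentLimitOrg:
  ## Limit attachment disk usage per user.
  # attachmentLimitUser:
  ## HaveIBeenPwned API Key. Can be purchased at https://haveibeenpwned.com/API/Key.
  ## This is a secret; supply it via the chart's Secret rather than a committed values file.
  # hibpApiKey:
  admin:
    # Enable admin portal.
    enabled: false
    # Disabling the admin token will make the admin portal accessible to anyone, use carefully: https://github.com/dani-garcia/bitwarden_rs/wiki/Disable-admin-token
    disableAdminToken: false
    ## Token for admin login, will be generated if not defined. https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-admin-page
    ## Leave unset so it is generated, or set it through a Secret; do not commit a fixed token here.
    # token:
  # Enable SMTP. https://github.com/dani-garcia/bitwarden_rs/wiki/SMTP-configuration
  smtp:
    enabled: false
    # SMTP hostname, required if SMTP is enabled.
    host: ""
    # SMTP sender e-mail address, required if SMTP is enabled.
    from: ""
    ## SMTP sender name, defaults to 'Bitwarden_RS'.
    # fromName: ""
    ## Enable SSL connection.
    # ssl: true
    ## SMTP port. Defaults to 25 without SSL, 587 with SSL.
    # port: 587
    ## SMTP Authentication Mechanisms. Comma-separated options: 'Plain', 'Login' and 'Xoauth2'. Defaults to 'Plain'.
    # authMechanism: Plain
    ## Hostname to be sent for SMTP HELO. Defaults to pod name.
    # heloName: ""
    ## SMTP timeout.
    # timeout: 15
    ## Accept SSL session if certificate is valid but hostname doesn't match. DANGEROUS, vulnerable to man-in-the-middle attacks!
    # invalidHostname: false
    ## Accept invalid certificates. DANGEROUS, vulnerable to man-in-the-middle attacks!
    # invalidCertificate: false
    ## SMTP username.
    # user: ""
    ## SMTP password. Required if user is specified, ignored if no user provided.
    ## This is a secret; supply it via the chart's Secret rather than a committed values file.
    # password: ""
  ## Enable Yubico OTP authentication. https://github.com/dani-garcia/bitwarden_rs/wiki/Enabling-Yubikey-OTP-authentication
  yubico:
    enabled: false
    ## Yubico server. Defaults to YubiCloud.
    # server:
    ## Yubico ID and Secret Key (the secret key should come from a Secret, not this file).
    # clientId:
    # secretKey:
  ## Logging options. https://github.com/dani-garcia/bitwarden_rs/wiki/Logging
  log:
    # Log to file.
    file: ""
    # Log level. Options are "trace", "debug", "info", "warn", "error" or "off".
    # "trace" is a debugging level that records every request in detail;
    # "info" is the sensible production default. Raise it only while
    # troubleshooting and lower it again afterwards.
    level: "info"
    ## Log timestamp format. See https://docs.rs/chrono/0.4.15/chrono/format/strftime/index.html. Defaults to time in milliseconds.
    # timeFormat: ""
  icons:
    # Disables download of external icons. Setting to true will still serve icons from cache (/data/icon_cache). TTL will default to zero.
    # Icon download makes the server fetch arbitrary third-party sites named by
    # vault entries; set to true if outbound egress from the pod is undesirable.
    disableDownload: false
    ## Cache time-to-live for icons fetched. 0 means no purging.
    # cache: 2592000
    ## Cache time-to-live for icons that were not available. 0 means no purging.
    # cacheFailed: 259200

persistence:
  data:
    enabled: true
    mountPath: "/data"
    type: pvc
    accessMode: ReadWriteOnce
    size: "100Gi"

# Enabled postgres
postgresql:
  enabled: true
  # Must match the user the init container above waits on.
  postgresqlUsername: vaultwarden
  postgresqlDatabase: vaultwarden
  # DB credentials live in this Secret (also read by envValueFrom.DATABASE_URL
  # and the init container).
  existingSecret: dbcreds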