image:
  repository: docker.io/vaultwarden/server
  tag: 1.35.3
  pullPolicy: IfNotPresent

replicaCount: 1

service:
  type: ClusterIP
  port: 8080

ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
  hosts:
    - host: vaultwarden.immich-ad.ovh
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: vaultwarden-tls
      hosts:
        - vaultwarden.immich-ad.ovh

# Persist vaultwarden data (attachments, icon cache, etc.)
persistence:
  enabled: true
  existingClaim: pvc-vaultwarden-data

vaultwarden:
  # REQUIRED for secure cookies, web vault, etc.
  domain: "vaultwarden.immich-ad.ovh"
  signupAllowed: false
  adminToken: "x4FBfkK4f1wDCuXWQdX9"

# Database config
database:
  name: vaultwarden
  user: vaultwarden

# Bitnami PostgreSQL subchart values
postgresql:
  enabled: true
  image:
    registry: docker.io
    repository: bitnami/postgresql
    tag: latest

  auth:
    username: vaultwarden
    database: vaultwarden

    # Upgrade-safe: point to an existing secret you create once
    existingSecret: vaultwarden-postgresql-auth
    secretKeys:
      adminPasswordKey: postgres-password
      userPasswordKey: password

  primary:
    persistence:
      enabled: true
      existingClaim: pvc-vaultwarden-data  # bind to precreated PVC if you want