From d59ac2a933e6b98fce196766b4aeab23104cb240 Mon Sep 17 00:00:00 2001
From: Davide Piu <davide@davidepiu.xyz>
Date: Thu, 19 Feb 2026 22:58:29 +0000
Subject: [PATCH] sec: disable Vaultwarden open signups, add admin token

- signupsAllowed: false - prevents public registration
- invitationsAllowed: false - prevents invitation abuse
- adminToken from Secret for /admin panel access
---
 clusters/lab/apps/vaultwarden.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/clusters/lab/apps/vaultwarden.yaml b/clusters/lab/apps/vaultwarden.yaml
index 95ef3b7..3a185f6 100644
--- a/clusters/lab/apps/vaultwarden.yaml
+++ b/clusters/lab/apps/vaultwarden.yaml
@@ -30,8 +30,15 @@ spec:
         kind: HelmRepository
         name: vaultwarden
       interval: 1h
+  valuesFrom:
+  - kind: Secret
+    name: vaultwarden-admin
+    valuesKey: ADMIN_TOKEN
+    targetPath: adminToken.value
   values:
     domain: "https://vault.davidepiu.xyz"
+    signupsAllowed: false
+    invitationsAllowed: false
     ingress:
       enabled: true
       class: traefik