Merge pull request #69 from carverauto/updates/ory_api

✨ adding mailserver stuff
carverauto · Nov 28, 2024 · 59153f2 · 59153f2
2 parents ba5c708 + 83c5726
commit 59153f2
Show file tree

Hide file tree

Showing 7 changed files with 153 additions and 0 deletions.
diff --git a/k8s/calico/04-route-adv.yaml b/k8s/calico/04-route-adv.yaml
@@ -8,4 +8,5 @@ spec:
   serviceClusterIPs:
     - cidr: 10.43.0.0/16
   serviceLoadBalancerIPs:
+    - cidr: "10.43.0.0/16"
     - cidr: "2001:470:c0b5:5::/64"
diff --git a/k8s/mailserver/base/deployment.yaml b/k8s/mailserver/base/deployment.yaml
@@ -0,0 +1,49 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: mailserver
+  namespace: default
+spec:
+  serviceName: mailserver
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mailserver
+  template:
+    metadata:
+      labels:
+        app: mailserver
+    spec:
+      containers:
+        - name: mailserver
+          image: ghcr.io/docker-mailserver/docker-mailserver:latest
+          ports:
+            - containerPort: 25   # SMTP
+              name: smtp
+            - containerPort: 465  # SMTPS
+              name: smtps
+            - containerPort: 587  # Submission
+              name: submission
+            - containerPort: 993  # IMAPS
+              name: imaps
+          volumeMounts:
+            - name: maildata
+              mountPath: /var/mail
+            - name: config
+              mountPath: /tmp/docker-mailserver
+            - name: certs
+              mountPath: /etc/letsencrypt/live/mail.tunnel.threadr.ai
+              readOnly: true
+          envFrom:
+            - configMapRef:
+                name: mailserver-config
+      volumes:
+        - name: config
+          emptyDir: {}
+        - name: maildata
+          persistentVolumeClaim:
+            claimName: maildata
+        - name: certs
+          secret:
+            secretName: mail-tls-secret
+---
diff --git a/k8s/mailserver/base/kustomization.yaml b/k8s/mailserver/base/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - mailserver-configmap.yaml
+  - storage.yaml
+  - tls.yaml
+  - deployment.yaml
+  - service.yaml
diff --git a/k8s/mailserver/base/mailserver-configmap.yaml b/k8s/mailserver/base/mailserver-configmap.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mailserver-config
+  namespace: default
+data:
+  .env: |
+    # General
+    OVERRIDE_HOSTNAME=mail.tunnel.threadr.ai
+    [email protected]
+    POSTSCREEN_ACTION=enforce
+    ONE_DIR=1
+    ENABLE_CLAMAV=0
+    ENABLE_SPAMASSASSIN=1
+    SPAMASSASSIN_SPAM_TO_INBOX=1
+    ENABLE_FAIL2BAN=1
+    SSL_TYPE=manual
+    
+    # IPv6 settings
+    NETWORK_INTERFACE=eth0
+    PERMIT_DOCKER=connected-networks
+    POSTFIX_INET_PROTOCOLS=all
+    
+    # Debug
+    LOG_LEVEL=debug
diff --git a/k8s/mailserver/base/service.yaml b/k8s/mailserver/base/service.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mailserver
+  namespace: default
+  annotations:
+    metallb.universe.tf/address-pool: k3s-pool
+    metallb.universe.tf/allow-shared-ip: "true"
+    external-dns.alpha.kubernetes.io/hostname: "mail.tunnel.threadr.ai"
+    # Add MX record
+    external-dns.alpha.kubernetes.io/mx-preference: "10"
+    external-dns.alpha.kubernetes.io/mx-record: "mail.tunnel.threadr.ai"
+    # Add TXT records for SPF and DMARC
+    external-dns.alpha.kubernetes.io/txt-owner-id: "mail-tunnel-threadr"
+    external-dns.alpha.kubernetes.io/txt-records: |
+      heritage=external-dns,txt-record="v=spf1 mx a -all"
+      heritage=external-dns,name=_dmarc,txt-record="v=DMARC1; p=reject; rua=mailto:[email protected]"
+spec:
+  type: LoadBalancer
+  ipFamilyPolicy: PreferDualStack
+  ipFamilies:
+    - IPv6
+    - IPv4
+  ports:
+    - port: 25
+      name: smtp
+      targetPort: smtp
+    - port: 465
+      name: smtps
+      targetPort: smtps
+    - port: 587
+      name: submission
+      targetPort: submission
+    - port: 993
+      name: imaps
+      targetPort: imaps
+  selector:
+    app: mailserver
diff --git a/k8s/mailserver/base/storage.yaml b/k8s/mailserver/base/storage.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: maildata
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: local-path
diff --git a/k8s/mailserver/base/tls.yaml b/k8s/mailserver/base/tls.yaml
@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mail-cert
+  namespace: default
+spec:
+  secretName: mail-tls-secret
+  duration: 2160h # 90 days
+  renewBefore: 360h # 15 days
+  issuerRef:
+    name: threadr-issuer
+    kind: ClusterIssuer
+  commonName: mail.tunnel.threadr.ai
+  dnsNames:
+    - mail.tunnel.threadr.ai
+  usages:
+    - digital signature
+    - key encipherment
+    - server auth
+    - client auth