Wire IRC, mail, teamspeak to 1Password secrets

- IRC: OnePasswordItem CRD, ConfigMap templates with inject-credentials initContainers - Mail: OnePasswordItem CRD, inject-accounts initContainer builds postfix-accounts.cf - TeamSpeak: OnePasswordItem CRD, TS3SERVER_SERVERADMIN_PASSWORD from secret - Zero hardcoded passwords remain in these manifests
2026-03-09 20:55:45 -05:00
parent 3199c509c0
commit 2be7bf1279
3 changed files with 232 additions and 142 deletions
--- a/apps/mail/mail.yaml
+++ b/apps/mail/mail.yaml
@@ -1,5 +1,6 @@
 # docker-mailserver - Postfix + Dovecot + rspamd
 # ArgoCD managed - BlueJay Lab
+# Credentials: 1Password → OnePasswordItem CRD → K8s Secret
 ---
 apiVersion: v1
 kind: Namespace
@@ -8,17 +9,14 @@ metadata:
  labels:
    app.kubernetes.io/part-of: bluejay-infra
 ---
-# Mail accounts Secret (postfix-accounts.cf format: user@domain|{SHA512-CRYPT}hash)
-apiVersion: v1
-kind: Secret
+# 1Password → K8s Secret sync for mail credentials
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
 metadata:
-  name: mail-accounts
+  name: mail-credentials
  namespace: mail
-type: Opaque
-stringData:
-  postfix-accounts.cf: |
-    admin@iamwork.in|{SHA512-CRYPT}$6$1355214084ba403a$LPA.qkZLpv9RqMu8OenCrgYgyHbMwMIAYOuLrbNX/eeiaOj.8rtj9IlMeLDxSc6FdWK9N/PcNmBzV5fJL7IRn/
-    noreply@iamwork.in|{SHA512-CRYPT}$6$1355214084ba403a$LPA.qkZLpv9RqMu8OenCrgYgyHbMwMIAYOuLrbNX/eeiaOj.8rtj9IlMeLDxSc6FdWK9N/PcNmBzV5fJL7IRn/
+spec:
+  itemPath: "vaults/IAmWorkin/items/Mail Postmaster"
 ---
 # Mail data PVC
 apiVersion: v1
@@ -65,6 +63,25 @@ spec:
        app: mailserver
    spec:
      hostname: mail
+      initContainers:
+        - name: inject-accounts
+          image: busybox:1.36
+          command:
+            - sh
+            - -c
+            - |
+              ADMIN_EMAIL=$(cat /credentials/Admin-Email)
+              ADMIN_HASH=$(cat /credentials/Admin-Hash)
+              NOREPLY_EMAIL=$(cat /credentials/Noreply-Email)
+              NOREPLY_HASH=$(cat /credentials/Noreply-Hash)
+              echo "${ADMIN_EMAIL}|${ADMIN_HASH}" > /accounts/postfix-accounts.cf
+              echo "${NOREPLY_EMAIL}|${NOREPLY_HASH}" >> /accounts/postfix-accounts.cf
+          volumeMounts:
+            - name: mail-credentials
+              mountPath: /credentials
+              readOnly: true
+            - name: mail-accounts-generated
+              mountPath: /accounts
      containers:
        - name: mailserver
          image: docker.io/mailserver/docker-mailserver:latest
@@ -116,7 +133,7 @@ spec:
            - name: mail-tls
              mountPath: /etc/ssl/mail
              readOnly: true
-            - name: mail-accounts
+            - name: mail-accounts-generated
              mountPath: /tmp/docker-mailserver/postfix-accounts.cf
              subPath: postfix-accounts.cf
              readOnly: true
@@ -142,9 +159,11 @@ spec:
        - name: mail-tls
          secret:
            secretName: mail-tls
-        - name: mail-accounts
+        - name: mail-credentials
          secret:
-            secretName: mail-accounts
+            secretName: mail-credentials
+        - name: mail-accounts-generated
+          emptyDir: {}
 ---
 # SMTP LoadBalancer Service (external)
 apiVersion: v1