Fix mail (accounts), matrix (homeserver.yaml), irc (proper image+config)

2026-03-09 17:02:59 -05:00
parent ef442e29eb
commit 3c29b0abe5
3 changed files with 1179 additions and 741 deletions
--- a/apps/mail/mail.yaml
+++ b/apps/mail/mail.yaml
@@ -1,203 +1,222 @@
-# docker-mailserver - Postfix + Dovecot + rspamd
-# ArgoCD managed - BlueJay Lab
---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: mail
-  labels:
-    app.kubernetes.io/part-of: bluejay-infra
---
-# Mail data PVC
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: mail-data
-  namespace: mail
-spec:
-  accessModes: [ReadWriteOnce]
-  resources:
-    requests:
-      storage: 5Gi
---
-# Mail state PVC
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: mail-state
-  namespace: mail
-spec:
-  accessModes: [ReadWriteOnce]
-  resources:
-    requests:
-      storage: 1Gi
---
-# docker-mailserver Deployment
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: mailserver
-  namespace: mail
-  labels:
-    app: mailserver
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: mailserver
-  template:
-    metadata:
-      labels:
-        app: mailserver
-    spec:
-      hostname: mail
-      containers:
-        - name: mailserver
-          image: docker.io/mailserver/docker-mailserver:latest
-          ports:
-            - containerPort: 25
-              name: smtp
-            - containerPort: 465
-              name: smtps
-            - containerPort: 587
-              name: submission
-            - containerPort: 143
-              name: imap
-            - containerPort: 993
-              name: imaps
-          env:
-            - name: ENABLE_SPAMASSASSIN
-              value: "1"
-            - name: ENABLE_CLAMAV
-              value: "0"
-            - name: ENABLE_RSPAMD
-              value: "1"
-            - name: TZ
-              value: America/Chicago
-            - name: POSTMASTER_ADDRESS
-              value: postmaster@iamwork.in
-            - name: OVERRIDE_HOSTNAME
-              value: mail.iamwork.in
-            - name: ENABLE_FAIL2BAN
-              value: "0"
-            - name: ENABLE_POSTGREY
-              value: "0"
-            - name: ONE_DIR
-              value: "1"
-            - name: PERMIT_DOCKER
-              value: network
-            - name: SSL_TYPE
-              value: manual
-            - name: SSL_CERT_PATH
-              value: /etc/ssl/mail/tls.crt
-            - name: SSL_KEY_PATH
-              value: /etc/ssl/mail/tls.key
-          volumeMounts:
-            - name: mail-data
-              mountPath: /var/mail
-            - name: mail-state
-              mountPath: /var/mail-state
-            - name: mail-tls
-              mountPath: /etc/ssl/mail
-              readOnly: true
-          resources:
-            requests:
-              memory: 512Mi
-              cpu: 200m
-            limits:
-              memory: 2Gi
-              cpu: "1"
-          securityContext:
-            capabilities:
-              add:
-                - NET_ADMIN
-                - SYS_PTRACE
-      volumes:
-        - name: mail-data
-          persistentVolumeClaim:
-            claimName: mail-data
-        - name: mail-state
-          persistentVolumeClaim:
-            claimName: mail-state
-        - name: mail-tls
-          secret:
-            secretName: mail-tls
---
-# SMTP LoadBalancer Service (external)
-apiVersion: v1
-kind: Service
-metadata:
-  name: mail-smtp
-  namespace: mail
-  annotations:
-    metallb.universe.tf/loadBalancerIPs: 10.0.56.202
-spec:
-  type: LoadBalancer
-  selector:
-    app: mailserver
-  ports:
-    - port: 25
-      targetPort: 25
-      name: smtp
-      protocol: TCP
-    - port: 465
-      targetPort: 465
-      name: smtps
-      protocol: TCP
-    - port: 587
-      targetPort: 587
-      name: submission
-      protocol: TCP
---
-# IMAP ClusterIP Service (internal)
-apiVersion: v1
-kind: Service
-metadata:
-  name: mail-imap
-  namespace: mail
-spec:
-  selector:
-    app: mailserver
-  ports:
-    - port: 143
-      targetPort: 143
-      name: imap
-    - port: 993
-      targetPort: 993
-      name: imaps
---
-# TLS Certificate via cert-manager
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: mail-tls
-  namespace: mail
-spec:
-  secretName: mail-tls
-  issuerRef:
-    name: step-ca-acme
-    kind: ClusterIssuer
-  dnsNames:
-    - mail.iamworkin.lan
---
-# Traefik IngressRoute - Webmail placeholder
-# Snappymail will need a separate deployment; this routes to the
-# mail server's HTTP port if available, or to a future webmail deployment
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: mail-webmail
-  namespace: mail
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`mail.iamworkin.lan`)
-      kind: Rule
-      services:
-        - name: mail-imap
-          port: 993
-  tls:
-    secretName: mail-tls
+# docker-mailserver - Postfix + Dovecot + rspamd
+# ArgoCD managed - BlueJay Lab
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mail
+  labels:
+    app.kubernetes.io/part-of: bluejay-infra
+---
+# Mail accounts Secret (postfix-accounts.cf format: user@domain|{SHA512-CRYPT}hash)
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mail-accounts
+  namespace: mail
+type: Opaque
+stringData:
+  postfix-accounts.cf: |
+    admin@iamwork.in|{SHA512-CRYPT}$6$1355214084ba403a$LPA.qkZLpv9RqMu8OenCrgYgyHbMwMIAYOuLrbNX/eeiaOj.8rtj9IlMeLDxSc6FdWK9N/PcNmBzV5fJL7IRn/
+    noreply@iamwork.in|{SHA512-CRYPT}$6$1355214084ba403a$LPA.qkZLpv9RqMu8OenCrgYgyHbMwMIAYOuLrbNX/eeiaOj.8rtj9IlMeLDxSc6FdWK9N/PcNmBzV5fJL7IRn/
+---
+# Mail data PVC
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mail-data
+  namespace: mail
+spec:
+  accessModes: [ReadWriteOnce]
+  resources:
+    requests:
+      storage: 5Gi
+---
+# Mail state PVC
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mail-state
+  namespace: mail
+spec:
+  accessModes: [ReadWriteOnce]
+  resources:
+    requests:
+      storage: 1Gi
+---
+# docker-mailserver Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mailserver
+  namespace: mail
+  labels:
+    app: mailserver
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: mailserver
+  template:
+    metadata:
+      labels:
+        app: mailserver
+    spec:
+      hostname: mail
+      containers:
+        - name: mailserver
+          image: docker.io/mailserver/docker-mailserver:latest
+          ports:
+            - containerPort: 25
+              name: smtp
+            - containerPort: 465
+              name: smtps
+            - containerPort: 587
+              name: submission
+            - containerPort: 143
+              name: imap
+            - containerPort: 993
+              name: imaps
+          env:
+            - name: ENABLE_SPAMASSASSIN
+              value: "1"
+            - name: ENABLE_CLAMAV
+              value: "0"
+            - name: ENABLE_RSPAMD
+              value: "1"
+            - name: TZ
+              value: America/Chicago
+            - name: POSTMASTER_ADDRESS
+              value: postmaster@iamwork.in
+            - name: OVERRIDE_HOSTNAME
+              value: mail.iamwork.in
+            - name: ENABLE_FAIL2BAN
+              value: "0"
+            - name: ENABLE_POSTGREY
+              value: "0"
+            - name: ONE_DIR
+              value: "1"
+            - name: PERMIT_DOCKER
+              value: network
+            - name: SSL_TYPE
+              value: manual
+            - name: SSL_CERT_PATH
+              value: /etc/ssl/mail/tls.crt
+            - name: SSL_KEY_PATH
+              value: /etc/ssl/mail/tls.key
+            - name: ACCOUNT_PROVISIONER
+              value: FILE
+          volumeMounts:
+            - name: mail-data
+              mountPath: /var/mail
+            - name: mail-state
+              mountPath: /var/mail-state
+            - name: mail-tls
+              mountPath: /etc/ssl/mail
+              readOnly: true
+            - name: mail-accounts
+              mountPath: /tmp/docker-mailserver/postfix-accounts.cf
+              subPath: postfix-accounts.cf
+              readOnly: true
+          resources:
+            requests:
+              memory: 512Mi
+              cpu: 200m
+            limits:
+              memory: 2Gi
+              cpu: "1"
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+                - SYS_PTRACE
+      volumes:
+        - name: mail-data
+          persistentVolumeClaim:
+            claimName: mail-data
+        - name: mail-state
+          persistentVolumeClaim:
+            claimName: mail-state
+        - name: mail-tls
+          secret:
+            secretName: mail-tls
+        - name: mail-accounts
+          secret:
+            secretName: mail-accounts
+---
+# SMTP LoadBalancer Service (external)
+apiVersion: v1
+kind: Service
+metadata:
+  name: mail-smtp
+  namespace: mail
+  annotations:
+    metallb.universe.tf/loadBalancerIPs: 10.0.56.202
+spec:
+  type: LoadBalancer
+  selector:
+    app: mailserver
+  ports:
+    - port: 25
+      targetPort: 25
+      name: smtp
+      protocol: TCP
+    - port: 465
+      targetPort: 465
+      name: smtps
+      protocol: TCP
+    - port: 587
+      targetPort: 587
+      name: submission
+      protocol: TCP
+---
+# IMAP ClusterIP Service (internal)
+apiVersion: v1
+kind: Service
+metadata:
+  name: mail-imap
+  namespace: mail
+spec:
+  selector:
+    app: mailserver
+  ports:
+    - port: 143
+      targetPort: 143
+      name: imap
+    - port: 993
+      targetPort: 993
+      name: imaps
+---
+# TLS Certificate via cert-manager
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mail-tls
+  namespace: mail
+spec:
+  secretName: mail-tls
+  issuerRef:
+    name: step-ca-acme
+    kind: ClusterIssuer
+  dnsNames:
+    - mail.iamworkin.lan
+---
+# Traefik IngressRoute - Webmail placeholder
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: mail-webmail
+  namespace: mail
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`mail.iamworkin.lan`)
+      kind: Rule
+      services:
+        - name: mail-imap
+          port: 993
+  tls:
+    secretName: mail-tls