Fix mail (accounts), matrix (homeserver.yaml), irc (proper image+config)

2026-03-09 17:02:59 -05:00
parent ef442e29eb
commit 3c29b0abe5
3 changed files with 1179 additions and 741 deletions
--- a/apps/irc/irc.yaml
+++ b/apps/irc/irc.yaml
@@ -1,5 +1,4 @@
 # UnrealIRCd + Anope IRC Services
 # PLACEHOLDER - UnrealIRCd needs config files mounted before running
 # ArgoCD managed - BlueJay Lab
 ---
 apiVersion: v1
@@ -9,6 +8,364 @@ metadata:
  labels:
    app.kubernetes.io/part-of: bluejay-infra
 ---
 # TLS Certificate for IRC
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: irc-tls
  namespace: irc
 spec:
  secretName: irc-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - irc.iamworkin.lan
 ---
 # UnrealIRCd configuration
 apiVersion: v1
 kind: Secret
 metadata:
  name: unrealircd-config
  namespace: irc
 type: Opaque
 stringData:
  unrealircd.conf: |
    /* BlueJay Lab IRC - UnrealIRCd 6.x config */
    /* Managed by ArgoCD */
    include "modules.default.conf";
    include "help/help.conf";
    include "operclass.default.conf";
    include "snomasks.default.conf";
    me {
      name "irc.iamworkin.lan";
      info "BlueJay Lab IRC Server";
      sid 001;
    }
    admin {
      "BlueJay Lab IRC";
      "admin@iamwork.in";
    }
    class clients {
      pingfreq 90;
      maxclients 500;
      sendq 200k;
      recvq 8000;
    }
    class opers {
      pingfreq 90;
      maxclients 50;
      sendq 1M;
      recvq 8000;
    }
    class servers {
      pingfreq 60;
      connfreq 15;
      maxclients 10;
      sendq 20M;
    }
    allow {
      mask *;
      class clients;
      maxperip 5;
    }
    listen {
      ip *;
      port 6667;
    }
    listen {
      ip *;
      port 6697;
      options { tls; }
      tls-options {
        certificate "/etc/ssl/irc/tls.crt";
        key "/etc/ssl/irc/tls.key";
      }
    }
    listen {
      ip *;
      port 8067;
    }
    oper bluejay {
      mask *;
      password "BlueJay-IRC-Oper-2026";
      operclass netadmin-with-override;
      class opers;
    }
    drpass {
      restart "BlueJay-IRC-Oper-2026";
      die "BlueJay-IRC-Oper-2026";
    }
    link services.iamworkin.lan {
      incoming {
        mask *;
      }
      password "BlueJay-Services-Link-2026";
      class servers;
    }
    ulines {
      services.iamworkin.lan;
    }
    log {
      source {
        all;
        \!debug;
      }
      destination {
        channel "#ops";
      }
    }
    set {
      network-name "BlueJayIRC";
      default-server "irc.iamworkin.lan";
      services-server "services.iamworkin.lan";
      stats-server "stats.iamworkin.lan";
      help-channel "#general";
      cloak-keys {
        "bluejay-cloak-key-1-aHR0cHM6Ly9pcmM";
        "bluejay-cloak-key-2-aWFtd29ya2luLmxhbg";
        "bluejay-cloak-key-3-Ymx1ZWpheS1pcmM";
      }
      kline-address "admin@iamwork.in";
      maxchannelsperuser 25;
      anti-flood {
        everyone {
          connect-flood 3:60;
        }
      }
      options {
        hide-ulines;
        show-connect-info;
      }
      /* TLS config */
      tls {
        certificate "/etc/ssl/irc/tls.crt";
        key "/etc/ssl/irc/tls.key";
      }
    }
 ---
 # Anope configuration
 apiVersion: v1
 kind: Secret
 metadata:
  name: anope-config
  namespace: irc
 type: Opaque
 stringData:
  services.conf: |
    define {
      name = "services.host"
      value = "services.iamworkin.lan"
    }
    uplink {
      host = "unrealircd.irc.svc.cluster.local"
      port = 8067
      password = "BlueJay-Services-Link-2026"
    }
    serverinfo {
      name = "services.iamworkin.lan"
      description = "BlueJay IRC Services"
      pid = "/data/services.pid"
      motd = "/data/services.motd"
    }
    module {
      name = "unreal4"
    }
    networkinfo {
      networkname = "BlueJayIRC"
      nicklen = 31
      userlen = 10
      hostlen = 64
      chanlen = 32
      mail_from = "noreply@iamwork.in"
    }
    options {
      casemap = "ascii"
      seed = 42
      strictpasswords
    }
    module { name = "nickserv" }
    module { name = "chanserv" }
    module { name = "operserv" }
    module { name = "botserv" }
    module { name = "hostserv" }
    module { name = "memoserv" }
    module { name = "global" }
    module { name = "db_flatfile" }
    module { name = "enc_sha256" }
    module { name = "ns_access" }
    module { name = "ns_ajoin" }
    module { name = "ns_cert" }
    module { name = "ns_drop" }
    module { name = "ns_group" }
    module { name = "ns_identify" }
    module { name = "ns_info" }
    module { name = "ns_list" }
    module { name = "ns_logout" }
    module { name = "ns_recover" }
    module { name = "ns_register" }
    module { name = "ns_set" }
    module { name = "ns_suspend" }
    module { name = "ns_update" }
    module { name = "cs_access" }
    module { name = "cs_akick" }
    module { name = "cs_ban" }
    module { name = "cs_clone" }
    module { name = "cs_drop" }
    module { name = "cs_enforce" }
    module { name = "cs_entrymsg" }
    module { name = "cs_flags" }
    module { name = "cs_info" }
    module { name = "cs_invite" }
    module { name = "cs_kick" }
    module { name = "cs_list" }
    module { name = "cs_log" }
    module { name = "cs_mode" }
    module { name = "cs_register" }
    module { name = "cs_seen" }
    module { name = "cs_set" }
    module { name = "cs_suspend" }
    module { name = "cs_topic" }
    module { name = "cs_unban" }
    module { name = "os_akill" }
    module { name = "os_chankill" }
    module { name = "os_defcon" }
    module { name = "os_forbid" }
    module { name = "os_ignore" }
    module { name = "os_info" }
    module { name = "os_jupe" }
    module { name = "os_kick" }
    module { name = "os_kill" }
    module { name = "os_list" }
    module { name = "os_login" }
    module { name = "os_logsearch" }
    module { name = "os_mode" }
    module { name = "os_modinfo" }
    module { name = "os_module" }
    module { name = "os_noop" }
    module { name = "os_oper" }
    module { name = "os_reload" }
    module { name = "os_session" }
    module { name = "os_set" }
    module { name = "os_shutdown" }
    module { name = "os_stats" }
    module { name = "os_svsnick" }
    module { name = "os_sxline" }
    module { name = "os_update" }
    module { name = "bs_assign" }
    module { name = "bs_badwords" }
    module { name = "bs_bot" }
    module { name = "bs_info" }
    module { name = "bs_kick" }
    module { name = "bs_set" }
    module { name = "hs_del" }
    module { name = "hs_group" }
    module { name = "hs_list" }
    module { name = "hs_off" }
    module { name = "hs_on" }
    module { name = "hs_request" }
    module { name = "hs_set" }
    module { name = "ms_cancel" }
    module { name = "ms_check" }
    module { name = "ms_del" }
    module { name = "ms_ignore" }
    module { name = "ms_info" }
    module { name = "ms_list" }
    module { name = "ms_read" }
    module { name = "ms_rsend" }
    module { name = "ms_send" }
    module { name = "ms_set" }
    module { name = "gl_global" }
    module { name = "m_dns" }
    module { name = "m_helpchan" }
    module { name = "m_httpd" }
    module { name = "m_ldap" }
    module { name = "m_xmlrpc" }
    module { name = "m_proxyscan" }
    nickserv {
      nick = "NickServ"
      defaults = "kill_quick ns_secure ns_private hide_email"
      registration = "none"
      expire = 90d
    }
    chanserv {
      nick = "ChanServ"
      defaults = "keeptopic peace cs_secure"
      expire = 14d
    }
    operserv {
      nick = "OperServ"
    }
    botserv {
      nick = "BotServ"
      defaults = "dontkickops fantasy greet"
    }
    hostserv {
      nick = "HostServ"
    }
    memoserv {
      nick = "MemoServ"
      maxmemos = 20
    }
    global {
      nick = "Global"
    }
    service {
      nick = "bluejay"
    }
    oper {
      name = "bluejay"
      type = "Services Root"
    }
    db_flatfile {
      database = "/data/anope.db"
      fork = yes
    }
    log {
      target = "/data/services.log"
      admin = "*"
      override = "chanserv/* nickserv/* operserv/*"
      commands = "chanserv/* nickserv/* operserv/*"
      servers = "*"
      channels = "*"
      users = "connect disconnect"
    }
 ---
 # UnrealIRCd PVC
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -34,9 +391,6 @@ spec:
      storage: 1Gi
 ---
 # UnrealIRCd Deployment
 # NOTE: This is a placeholder. UnrealIRCd requires configuration files
 # (unrealircd.conf, TLS certs, etc.) to be present in /data before starting.
 # Mount config via ConfigMap/Secret or init container before enabling.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -56,7 +410,7 @@ spec:
    spec:
      containers:
        - name: unrealircd
-          image: ghcr.io/unrealircd/unrealircd:latest
+          image: ircd/unrealircd:latest
          ports:
            - containerPort: 6667
              name: irc-plain
@@ -65,8 +419,14 @@ spec:
            - containerPort: 8067
              name: services-link
          volumeMounts:
            - name: unrealircd-config
              mountPath: /ircd/unrealircd.conf
              subPath: unrealircd.conf
            - name: unrealircd-data
              mountPath: /data
            - name: irc-tls
              mountPath: /etc/ssl/irc
              readOnly: true
          resources:
            requests:
              memory: 64Mi
@@ -75,13 +435,17 @@ spec:
              memory: 256Mi
              cpu: 250m
      volumes:
        - name: unrealircd-config
          secret:
            secretName: unrealircd-config
        - name: unrealircd-data
          persistentVolumeClaim:
            claimName: unrealircd-data
        - name: irc-tls
          secret:
            secretName: irc-tls
 ---
 # Anope IRC Services Deployment
 # NOTE: Placeholder. Anope requires services.conf with link block
 # matching UnrealIRCd's link configuration.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -103,6 +467,9 @@ spec:
        - name: anope
          image: anope/anope:latest
          volumeMounts:
            - name: anope-config
              mountPath: /data/conf/services.conf
              subPath: services.conf
            - name: anope-data
              mountPath: /data
          resources:
@@ -113,11 +480,14 @@ spec:
              memory: 128Mi
              cpu: 100m
      volumes:
        - name: anope-config
          secret:
            secretName: anope-config
        - name: anope-data
          persistentVolumeClaim:
            claimName: anope-data
 ---
-# UnrealIRCd Service (ClusterIP for internal + Traefik TCP routing)
+# UnrealIRCd Service
 apiVersion: v1
 kind: Service
 metadata:
@@ -174,7 +544,7 @@ metadata:
  namespace: irc
 spec:
  entryPoints:
-    - ircs
+    - irctls
  routes:
    - match: HostSNI(`*`)
      services:
--- a/apps/mail/mail.yaml
+++ b/apps/mail/mail.yaml
@@ -8,6 +8,18 @@ metadata:
  labels:
    app.kubernetes.io/part-of: bluejay-infra
 ---
 # Mail accounts Secret (postfix-accounts.cf format: user@domain|{SHA512-CRYPT}hash)
 apiVersion: v1
 kind: Secret
 metadata:
  name: mail-accounts
  namespace: mail
 type: Opaque
 stringData:
  postfix-accounts.cf: |
    admin@iamwork.in|{SHA512-CRYPT}$6$1355214084ba403a$LPA.qkZLpv9RqMu8OenCrgYgyHbMwMIAYOuLrbNX/eeiaOj.8rtj9IlMeLDxSc6FdWK9N/PcNmBzV5fJL7IRn/
    noreply@iamwork.in|{SHA512-CRYPT}$6$1355214084ba403a$LPA.qkZLpv9RqMu8OenCrgYgyHbMwMIAYOuLrbNX/eeiaOj.8rtj9IlMeLDxSc6FdWK9N/PcNmBzV5fJL7IRn/
 ---
 # Mail data PVC
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -94,6 +106,8 @@ spec:
              value: /etc/ssl/mail/tls.crt
            - name: SSL_KEY_PATH
              value: /etc/ssl/mail/tls.key
            - name: ACCOUNT_PROVISIONER
              value: FILE
          volumeMounts:
            - name: mail-data
              mountPath: /var/mail
@@ -102,6 +116,10 @@ spec:
            - name: mail-tls
              mountPath: /etc/ssl/mail
              readOnly: true
            - name: mail-accounts
              mountPath: /tmp/docker-mailserver/postfix-accounts.cf
              subPath: postfix-accounts.cf
              readOnly: true
          resources:
            requests:
              memory: 512Mi
@@ -124,6 +142,9 @@ spec:
        - name: mail-tls
          secret:
            secretName: mail-tls
        - name: mail-accounts
          secret:
            secretName: mail-accounts
 ---
 # SMTP LoadBalancer Service (external)
 apiVersion: v1
@@ -183,8 +204,6 @@ spec:
    - mail.iamworkin.lan
 ---
 # Traefik IngressRoute - Webmail placeholder
 # Snappymail will need a separate deployment; this routes to the
 # mail server's HTTP port if available, or to a future webmail deployment
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
--- a/apps/matrix/matrix.yaml
+++ b/apps/matrix/matrix.yaml
@@ -21,6 +21,64 @@ stringData:
  POSTGRES_DB: synapse
  POSTGRES_INITDB_ARGS: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C"
 ---
 # Synapse homeserver.yaml ConfigMap
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: synapse-config
  namespace: matrix
 data:
  homeserver.yaml: |
    server_name: "iamworkin.lan"
    pid_file: /data/homeserver.pid
    public_baseurl: "https://matrix.iamworkin.lan/"
    listeners:
      - port: 8008
        tls: false
        type: http
        x_forwarded: true
        bind_addresses: ["0.0.0.0"]
        resources:
          - names: [client, federation]
            compress: false
    database:
      name: psycopg2
      args:
        user: synapse
        password: BlueJay-Matrix-DB-2026
        database: synapse
        host: matrix-postgres
        port: 5432
        cp_min: 5
        cp_max: 10
    log_config: "/data/log.config"
    media_store_path: /data/media_store
    registration_shared_secret: "a208f2e4b260f6b7d6ff4566df49c56c8b73fa20b911ce4e617b791ee7868adc"
    report_stats: false
    macaroon_secret_key: "9964f398e8b48a91469ad419d293c06db4562f49df8cc6e129fb3a801fd9052d"
    form_secret: "7b0a9dbaf9ee94450e0b3271c408dfc4d313a55843ce4eec2ac1bb0315ffeb76"
    signing_key_path: "/data/signing.key"
    trusted_key_servers:
      - server_name: "matrix.org"
    enable_registration: false
    suppress_key_server_warning: true
  log.config: |
    version: 1
    formatters:
      precise:
        format: "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s"
    handlers:
      console:
        class: logging.StreamHandler
        formatter: precise
    loggers:
      synapse.storage.SQL:
        level: WARNING
    root:
      level: WARNING
      handlers: [console]
    disable_existing_loggers: false
 ---
 # PostgreSQL 16 StatefulSet
 apiVersion: apps/v1
 kind: StatefulSet
@@ -62,18 +120,12 @@ spec:
              cpu: 500m
          livenessProbe:
            exec:
-              command:
+              command: ["pg_isready", "-U", "synapse"]
                - pg_isready
                - -U
                - synapse
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            exec:
-              command:
+              command: ["pg_isready", "-U", "synapse"]
                - pg_isready
                - -U
                - synapse
            initialDelaySeconds: 5
            periodSeconds: 5
  volumeClaimTemplates:
@@ -111,7 +163,7 @@ spec:
    requests:
      storage: 2Gi
 ---
-# Synapse Homeserver Deployment
+# Synapse init job: generate signing key if missing
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -131,6 +183,20 @@ spec:
      labels:
        app: synapse
    spec:
      initContainers:
        - name: generate-signing-key
          image: matrixdotorg/synapse:latest
          command: ["sh", "-c"]
          args:
            - |
              if [ \! -f /data/signing.key ]; then
                python -m synapse.app.homeserver --generate-keys --config-path /config/homeserver.yaml
              fi
          volumeMounts:
            - name: synapse-data
              mountPath: /data
            - name: synapse-config
              mountPath: /config
      containers:
        - name: synapse
          image: matrixdotorg/synapse:latest
@@ -138,36 +204,15 @@ spec:
            - containerPort: 8008
              name: http
          env:
            - name: SYNAPSE_SERVER_NAME
              value: iamworkin.lan
            - name: SYNAPSE_REPORT_STATS
              value: "no"
            - name: SYNAPSE_CONFIG_DIR
-              value: /data
+              value: /config
-            - name: SYNAPSE_DATA_DIR
+            - name: SYNAPSE_CONFIG_PATH
-              value: /data
+              value: /config/homeserver.yaml
            - name: POSTGRES_HOST
              value: matrix-postgres
            - name: POSTGRES_PORT
              value: "5432"
            - name: POSTGRES_DB
              valueFrom:
                secretKeyRef:
                  name: matrix-db-secret
                  key: POSTGRES_DB
            - name: POSTGRES_USER
              valueFrom:
                secretKeyRef:
                  name: matrix-db-secret
                  key: POSTGRES_USER
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: matrix-db-secret
                  key: POSTGRES_PASSWORD
          volumeMounts:
            - name: synapse-data
              mountPath: /data
            - name: synapse-config
              mountPath: /config
          resources:
            requests:
              memory: 512Mi
@@ -191,6 +236,9 @@ spec:
        - name: synapse-data
          persistentVolumeClaim:
            claimName: synapse-data
        - name: synapse-config
          configMap:
            name: synapse-config
 ---
 apiVersion: v1
 kind: Service
@@ -243,6 +291,7 @@ spec:
      labels:
        app: element-web
    spec:
      enableServiceLinks: false
      containers:
        - name: element-web
          image: vectorim/element-web:latest