Fix mail (accounts), matrix (homeserver.yaml), irc (proper image+config)

This commit is contained in:
root
2026-03-09 17:02:59 -05:00
parent ef442e29eb
commit 3c29b0abe5
3 changed files with 1179 additions and 741 deletions


@@ -1,5 +1,4 @@
# UnrealIRCd + Anope IRC Services
# PLACEHOLDER - UnrealIRCd needs config files mounted before running
# ArgoCD managed - BlueJay Lab
---
apiVersion: v1
@@ -9,6 +8,364 @@ metadata:
labels:
app.kubernetes.io/part-of: bluejay-infra
---
# TLS Certificate for IRC
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: irc-tls
namespace: irc
spec:
secretName: irc-tls
issuerRef:
name: step-ca-acme
kind: ClusterIssuer
dnsNames:
- irc.iamworkin.lan
---
# UnrealIRCd configuration
apiVersion: v1
kind: Secret
metadata:
name: unrealircd-config
namespace: irc
type: Opaque
stringData:
unrealircd.conf: |
/* BlueJay Lab IRC - UnrealIRCd 6.x config */
/* Managed by ArgoCD */
include "modules.default.conf";
include "help/help.conf";
include "operclass.default.conf";
include "snomasks.default.conf";
me {
name "irc.iamworkin.lan";
info "BlueJay Lab IRC Server";
sid 001;
}
admin {
"BlueJay Lab IRC";
"admin@iamwork.in";
}
class clients {
pingfreq 90;
maxclients 500;
sendq 200k;
recvq 8000;
}
class opers {
pingfreq 90;
maxclients 50;
sendq 1M;
recvq 8000;
}
class servers {
pingfreq 60;
connfreq 15;
maxclients 10;
sendq 20M;
}
allow {
mask *;
class clients;
maxperip 5;
}
listen {
ip *;
port 6667;
}
listen {
ip *;
port 6697;
options { tls; }
tls-options {
certificate "/etc/ssl/irc/tls.crt";
key "/etc/ssl/irc/tls.key";
}
}
listen {
ip *;
port 8067;
}
oper bluejay {
mask *;
password "BlueJay-IRC-Oper-2026";
operclass netadmin-with-override;
class opers;
}
drpass {
restart "BlueJay-IRC-Oper-2026";
die "BlueJay-IRC-Oper-2026";
}
link services.iamworkin.lan {
incoming {
mask *;
}
password "BlueJay-Services-Link-2026";
class servers;
}
ulines {
services.iamworkin.lan;
}
log {
source {
all;
\!debug;
}
destination {
channel "#ops";
}
}
set {
network-name "BlueJayIRC";
default-server "irc.iamworkin.lan";
services-server "services.iamworkin.lan";
stats-server "stats.iamworkin.lan";
help-channel "#general";
cloak-keys {
"bluejay-cloak-key-1-aHR0cHM6Ly9pcmM";
"bluejay-cloak-key-2-aWFtd29ya2luLmxhbg";
"bluejay-cloak-key-3-Ymx1ZWpheS1pcmM";
}
kline-address "admin@iamwork.in";
maxchannelsperuser 25;
anti-flood {
everyone {
connect-flood 3:60;
}
}
options {
hide-ulines;
show-connect-info;
}
/* TLS config */
tls {
certificate "/etc/ssl/irc/tls.crt";
key "/etc/ssl/irc/tls.key";
}
}
---
# Anope configuration
apiVersion: v1
kind: Secret
metadata:
name: anope-config
namespace: irc
type: Opaque
stringData:
services.conf: |
define {
name = "services.host"
value = "services.iamworkin.lan"
}
uplink {
host = "unrealircd.irc.svc.cluster.local"
port = 8067
password = "BlueJay-Services-Link-2026"
}
serverinfo {
name = "services.iamworkin.lan"
description = "BlueJay IRC Services"
pid = "/data/services.pid"
motd = "/data/services.motd"
}
module {
name = "unreal4"
}
networkinfo {
networkname = "BlueJayIRC"
nicklen = 31
userlen = 10
hostlen = 64
chanlen = 32
mail_from = "noreply@iamwork.in"
}
options {
casemap = "ascii"
seed = 42
strictpasswords
}
module { name = "nickserv" }
module { name = "chanserv" }
module { name = "operserv" }
module { name = "botserv" }
module { name = "hostserv" }
module { name = "memoserv" }
module { name = "global" }
module { name = "db_flatfile" }
module { name = "enc_sha256" }
module { name = "ns_access" }
module { name = "ns_ajoin" }
module { name = "ns_cert" }
module { name = "ns_drop" }
module { name = "ns_group" }
module { name = "ns_identify" }
module { name = "ns_info" }
module { name = "ns_list" }
module { name = "ns_logout" }
module { name = "ns_recover" }
module { name = "ns_register" }
module { name = "ns_set" }
module { name = "ns_suspend" }
module { name = "ns_update" }
module { name = "cs_access" }
module { name = "cs_akick" }
module { name = "cs_ban" }
module { name = "cs_clone" }
module { name = "cs_drop" }
module { name = "cs_enforce" }
module { name = "cs_entrymsg" }
module { name = "cs_flags" }
module { name = "cs_info" }
module { name = "cs_invite" }
module { name = "cs_kick" }
module { name = "cs_list" }
module { name = "cs_log" }
module { name = "cs_mode" }
module { name = "cs_register" }
module { name = "cs_seen" }
module { name = "cs_set" }
module { name = "cs_suspend" }
module { name = "cs_topic" }
module { name = "cs_unban" }
module { name = "os_akill" }
module { name = "os_chankill" }
module { name = "os_defcon" }
module { name = "os_forbid" }
module { name = "os_ignore" }
module { name = "os_info" }
module { name = "os_jupe" }
module { name = "os_kick" }
module { name = "os_kill" }
module { name = "os_list" }
module { name = "os_login" }
module { name = "os_logsearch" }
module { name = "os_mode" }
module { name = "os_modinfo" }
module { name = "os_module" }
module { name = "os_noop" }
module { name = "os_oper" }
module { name = "os_reload" }
module { name = "os_session" }
module { name = "os_set" }
module { name = "os_shutdown" }
module { name = "os_stats" }
module { name = "os_svsnick" }
module { name = "os_sxline" }
module { name = "os_update" }
module { name = "bs_assign" }
module { name = "bs_badwords" }
module { name = "bs_bot" }
module { name = "bs_info" }
module { name = "bs_kick" }
module { name = "bs_set" }
module { name = "hs_del" }
module { name = "hs_group" }
module { name = "hs_list" }
module { name = "hs_off" }
module { name = "hs_on" }
module { name = "hs_request" }
module { name = "hs_set" }
module { name = "ms_cancel" }
module { name = "ms_check" }
module { name = "ms_del" }
module { name = "ms_ignore" }
module { name = "ms_info" }
module { name = "ms_list" }
module { name = "ms_read" }
module { name = "ms_rsend" }
module { name = "ms_send" }
module { name = "ms_set" }
module { name = "gl_global" }
module { name = "m_dns" }
module { name = "m_helpchan" }
module { name = "m_httpd" }
module { name = "m_ldap" }
module { name = "m_xmlrpc" }
module { name = "m_proxyscan" }
nickserv {
nick = "NickServ"
defaults = "kill_quick ns_secure ns_private hide_email"
registration = "none"
expire = 90d
}
chanserv {
nick = "ChanServ"
defaults = "keeptopic peace cs_secure"
expire = 14d
}
operserv {
nick = "OperServ"
}
botserv {
nick = "BotServ"
defaults = "dontkickops fantasy greet"
}
hostserv {
nick = "HostServ"
}
memoserv {
nick = "MemoServ"
maxmemos = 20
}
global {
nick = "Global"
}
service {
nick = "bluejay"
}
oper {
name = "bluejay"
type = "Services Root"
}
db_flatfile {
database = "/data/anope.db"
fork = yes
}
log {
target = "/data/services.log"
admin = "*"
override = "chanserv/* nickserv/* operserv/*"
commands = "chanserv/* nickserv/* operserv/*"
servers = "*"
channels = "*"
users = "connect disconnect"
}
---
# UnrealIRCd PVC
apiVersion: v1
kind: PersistentVolumeClaim
@@ -34,9 +391,6 @@ spec:
storage: 1Gi
---
# UnrealIRCd Deployment
# NOTE: This is a placeholder. UnrealIRCd requires configuration files
# (unrealircd.conf, TLS certs, etc.) to be present in /data before starting.
# Mount config via ConfigMap/Secret or init container before enabling.
apiVersion: apps/v1
kind: Deployment
metadata:
@@ -56,7 +410,7 @@ spec:
spec:
containers:
- name: unrealircd
image: ghcr.io/unrealircd/unrealircd:latest
image: ircd/unrealircd:latest
ports:
- containerPort: 6667
name: irc-plain
@@ -65,8 +419,14 @@ spec:
- containerPort: 8067
name: services-link
volumeMounts:
- name: unrealircd-config
mountPath: /ircd/unrealircd.conf
subPath: unrealircd.conf
- name: unrealircd-data
mountPath: /data
- name: irc-tls
mountPath: /etc/ssl/irc
readOnly: true
resources:
requests:
memory: 64Mi
@@ -75,13 +435,17 @@ spec:
memory: 256Mi
cpu: 250m
volumes:
- name: unrealircd-config
secret:
secretName: unrealircd-config
- name: unrealircd-data
persistentVolumeClaim:
claimName: unrealircd-data
- name: irc-tls
secret:
secretName: irc-tls
---
# Anope IRC Services Deployment
# NOTE: Placeholder. Anope requires services.conf with link block
# matching UnrealIRCd's link configuration.
apiVersion: apps/v1
kind: Deployment
metadata:
@@ -103,6 +467,9 @@ spec:
- name: anope
image: anope/anope:latest
volumeMounts:
- name: anope-config
mountPath: /data/conf/services.conf
subPath: services.conf
- name: anope-data
mountPath: /data
resources:
@@ -113,11 +480,14 @@ spec:
memory: 128Mi
cpu: 100m
volumes:
- name: anope-config
secret:
secretName: anope-config
- name: anope-data
persistentVolumeClaim:
claimName: anope-data
---
# UnrealIRCd Service (ClusterIP for internal + Traefik TCP routing)
# UnrealIRCd Service
apiVersion: v1
kind: Service
metadata:
@@ -174,7 +544,7 @@ metadata:
namespace: irc
spec:
entryPoints:
- ircs
- irctls
routes:
- match: HostSNI(`*`)
services:
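Review bot: The UnrealIRCd oper block commits a plaintext password with an unrestricted mask (`oper bluejay { mask *; password "BlueJay-IRC-Oper-2026"; ... }`, the same string reused for `drpass` restart/die), and the services `link` block likewise pairs `incoming { mask *; }` with a plaintext link password on port 8067, which is listened on `ip *;` without TLS. UnrealIRCd accepts hashed oper passwords, so replace the literal with the output of `/mkpasswd argon2`, narrow the link block's incoming mask to the Anope pod's source address or the cluster pod CIDR (the exact range is not visible here), and confirm the Service does not expose 8067 outside the cluster. Both passwords and the three `cloak-keys` live in a git-committed Secret manifest under ArgoCD, so they are readable by anyone with repo access and should be rotated and sourced from a sealed/external secret rather than the repo. Separately, `\!debug;` in the `log { source { ... } }` block looks like a shell-escape artifact — UnrealIRCd's exclusion syntax is `!debug;` — and the YAML literal block will carry the backslash through verbatim, so verify the config actually parses at startup.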


@@ -8,6 +8,18 @@ metadata:
labels:
app.kubernetes.io/part-of: bluejay-infra
---
# Mail accounts Secret (postfix-accounts.cf format: user@domain|{SHA512-CRYPT}hash)
apiVersion: v1
kind: Secret
metadata:
name: mail-accounts
namespace: mail
type: Opaque
stringData:
postfix-accounts.cf: |
admin@iamwork.in|{SHA512-CRYPT}$6$1355214084ba403a$LPA.qkZLpv9RqMu8OenCrgYgyHbMwMIAYOuLrbNX/eeiaOj.8rtj9IlMeLDxSc6FdWK9N/PcNmBzV5fJL7IRn/
noreply@iamwork.in|{SHA512-CRYPT}$6$1355214084ba403a$LPA.qkZLpv9RqMu8OenCrgYgyHbMwMIAYOuLrbNX/eeiaOj.8rtj9IlMeLDxSc6FdWK9N/PcNmBzV5fJL7IRn/
---
# Mail data PVC
apiVersion: v1
kind: PersistentVolumeClaim
@@ -94,6 +106,8 @@ spec:
value: /etc/ssl/mail/tls.crt
- name: SSL_KEY_PATH
value: /etc/ssl/mail/tls.key
- name: ACCOUNT_PROVISIONER
value: FILE
volumeMounts:
- name: mail-data
mountPath: /var/mail
@@ -102,6 +116,10 @@ spec:
- name: mail-tls
mountPath: /etc/ssl/mail
readOnly: true
- name: mail-accounts
mountPath: /tmp/docker-mailserver/postfix-accounts.cf
subPath: postfix-accounts.cf
readOnly: true
resources:
requests:
memory: 512Mi
@@ -124,6 +142,9 @@ spec:
- name: mail-tls
secret:
secretName: mail-tls
- name: mail-accounts
secret:
secretName: mail-accounts
---
# SMTP LoadBalancer Service (external)
apiVersion: v1
@@ -183,8 +204,6 @@ spec:
- mail.iamworkin.lan
---
# Traefik IngressRoute - Webmail placeholder
# Snappymail will need a separate deployment; this routes to the
# mail server's HTTP port if available, or to a future webmail deployment
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
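Review bot: Both entries in `postfix-accounts.cf` carry the identical `{SHA512-CRYPT}$6$1355214084ba403a$LPA.qkZ...` string — same salt and same digest — so `admin@iamwork.in` and `noreply@iamwork.in` share one password, and that hash is now committed to git where it can be cracked offline at default SHA512-CRYPT cost. Give each account a distinct random password (a `noreply` sender usually should not be able to authenticate at all), and generate the accounts file out-of-band or from a sealed/external secret rather than checking it into the ArgoCD repo. Note also that the file is mounted with `subPath`, so later changes to the `mail-accounts` Secret will not be propagated into the running container until the pod is restarted; add a comment such as `# subPath mount: Secret updates require a pod restart` next to the volumeMount so operators are not surprised.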


@@ -21,6 +21,64 @@ stringData:
POSTGRES_DB: synapse
POSTGRES_INITDB_ARGS: "--encoding=UTF-8 --lc-collate=C --lc-ctype=C"
---
# Synapse homeserver.yaml ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
name: synapse-config
namespace: matrix
data:
homeserver.yaml: |
server_name: "iamworkin.lan"
pid_file: /data/homeserver.pid
public_baseurl: "https://matrix.iamworkin.lan/"
listeners:
- port: 8008
tls: false
type: http
x_forwarded: true
bind_addresses: ["0.0.0.0"]
resources:
- names: [client, federation]
compress: false
database:
name: psycopg2
args:
user: synapse
password: BlueJay-Matrix-DB-2026
database: synapse
host: matrix-postgres
port: 5432
cp_min: 5
cp_max: 10
log_config: "/data/log.config"
media_store_path: /data/media_store
registration_shared_secret: "a208f2e4b260f6b7d6ff4566df49c56c8b73fa20b911ce4e617b791ee7868adc"
report_stats: false
macaroon_secret_key: "9964f398e8b48a91469ad419d293c06db4562f49df8cc6e129fb3a801fd9052d"
form_secret: "7b0a9dbaf9ee94450e0b3271c408dfc4d313a55843ce4eec2ac1bb0315ffeb76"
signing_key_path: "/data/signing.key"
trusted_key_servers:
- server_name: "matrix.org"
enable_registration: false
suppress_key_server_warning: true
log.config: |
version: 1
formatters:
precise:
format: "%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s"
handlers:
console:
class: logging.StreamHandler
formatter: precise
loggers:
synapse.storage.SQL:
level: WARNING
root:
level: WARNING
handlers: [console]
disable_existing_loggers: false
---
# PostgreSQL 16 StatefulSet
apiVersion: apps/v1
kind: StatefulSet
@@ -62,18 +120,12 @@ spec:
cpu: 500m
livenessProbe:
exec:
command:
- pg_isready
- -U
- synapse
command: ["pg_isready", "-U", "synapse"]
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
exec:
command:
- pg_isready
- -U
- synapse
command: ["pg_isready", "-U", "synapse"]
initialDelaySeconds: 5
periodSeconds: 5
volumeClaimTemplates:
@@ -111,7 +163,7 @@ spec:
requests:
storage: 2Gi
---
# Synapse Homeserver Deployment
# Synapse init job: generate signing key if missing
apiVersion: apps/v1
kind: Deployment
metadata:
@@ -131,6 +183,20 @@ spec:
labels:
app: synapse
spec:
initContainers:
- name: generate-signing-key
image: matrixdotorg/synapse:latest
command: ["sh", "-c"]
args:
- |
if [ \! -f /data/signing.key ]; then
python -m synapse.app.homeserver --generate-keys --config-path /config/homeserver.yaml
fi
volumeMounts:
- name: synapse-data
mountPath: /data
- name: synapse-config
mountPath: /config
containers:
- name: synapse
image: matrixdotorg/synapse:latest
@@ -138,36 +204,15 @@ spec:
- containerPort: 8008
name: http
env:
- name: SYNAPSE_SERVER_NAME
value: iamworkin.lan
- name: SYNAPSE_REPORT_STATS
value: "no"
- name: SYNAPSE_CONFIG_DIR
value: /data
- name: SYNAPSE_DATA_DIR
value: /data
- name: POSTGRES_HOST
value: matrix-postgres
- name: POSTGRES_PORT
value: "5432"
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: matrix-db-secret
key: POSTGRES_DB
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: matrix-db-secret
key: POSTGRES_USER
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: matrix-db-secret
key: POSTGRES_PASSWORD
value: /config
- name: SYNAPSE_CONFIG_PATH
value: /config/homeserver.yaml
volumeMounts:
- name: synapse-data
mountPath: /data
- name: synapse-config
mountPath: /config
resources:
requests:
memory: 512Mi
@@ -191,6 +236,9 @@ spec:
- name: synapse-data
persistentVolumeClaim:
claimName: synapse-data
- name: synapse-config
configMap:
name: synapse-config
---
apiVersion: v1
kind: Service
@@ -243,6 +291,7 @@ spec:
labels:
app: element-web
spec:
enableServiceLinks: false
containers:
- name: element-web
image: vectorim/element-web:latest
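Review bot: `homeserver.yaml` carries the database password, `registration_shared_secret`, `macaroon_secret_key` and `form_secret`, but it is delivered as a `ConfigMap`, which Kubernetes RBAC and most audit tooling treat as non-sensitive — anyone with `get configmaps` in the `matrix` namespace can read them, and `registration_shared_secret` alone is sufficient to create accounts through the admin register endpoint even with `enable_registration: false`. Change the object to `kind: Secret` with `stringData:` and switch the Deployment volume from `configMap: {name: synapse-config}` to `secret: {secretName: synapse-config}` (the init container mounts the same volume, so both pick it up), or split the secret keys into a second file and load it alongside via Synapse's multiple `--config-path` support. The DB password now also exists in two places — the `matrix-db-secret` values at the top of this file and this inline `password:` — while the former `POSTGRES_PASSWORD` env reference was dropped, so document which one is authoritative (e.g. `# must match matrix-db-secret/POSTGRES_PASSWORD`) to avoid silent drift on rotation. Since all of these values are committed to the ArgoCD repo in clear text, they should be treated as exposed and regenerated once moved to a Secret.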