bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 14 Actions Packages Projects Releases Wiki Activity

Update telephony-web image to v20260324d, resolve merge conflicts

Browse Source
This commit is contained in:
Andrew M. Stoltz
2026-03-24 15:55:52 -05:00
parent 42d2894ed1
commit f3fde15002
14 changed files with 3333 additions and 3420 deletions
Download Patch File Download Diff File Expand all files Collapse all files

518
apps/mail/mail.yaml
View File

@@ -1,259 +1,259 @@
# docker-mailserver - Postfix + Dovecot + rspamd
# ArgoCD managed - BlueJay Lab
# Credentials: 1Password → OnePasswordItem CRD → K8s Secret
---
apiVersion: v1
kind: Namespace
metadata:
name: mail
labels:
app.kubernetes.io/part-of: bluejay-infra
---
# 1Password → K8s Secret sync for mail credentials
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
name: mail-credentials
namespace: mail
spec:
itemPath: "vaults/IAmWorkin/items/Mail Postmaster"
---
# Mail data PVC
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mail-data
namespace: mail
spec:
accessModes: [ReadWriteOnce]
resources:
requests:
storage: 5Gi
---
# Mail state PVC
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mail-state
namespace: mail
spec:
accessModes: [ReadWriteOnce]
resources:
requests:
storage: 1Gi
---
# docker-mailserver Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: mailserver
namespace: mail
labels:
app: mailserver
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: mailserver
template:
metadata:
labels:
app: mailserver
spec:
hostname: mail
initContainers:
- name: inject-accounts
image: busybox:1.36
command:
- sh
- -c
- |
ADMIN_EMAIL=$(cat /credentials/Admin-Email)
ADMIN_HASH=$(cat /credentials/Admin-Hash)
NOREPLY_EMAIL=$(cat /credentials/Noreply-Email)
NOREPLY_HASH=$(cat /credentials/Noreply-Hash)
echo "${ADMIN_EMAIL}|${ADMIN_HASH}" > /accounts/postfix-accounts.cf
echo "${NOREPLY_EMAIL}|${NOREPLY_HASH}" >> /accounts/postfix-accounts.cf
volumeMounts:
- name: mail-credentials
mountPath: /credentials
readOnly: true
- name: mail-accounts-generated
mountPath: /accounts
containers:
- name: mailserver
image: docker.io/mailserver/docker-mailserver:latest
ports:
- containerPort: 25
name: smtp
- containerPort: 465
name: smtps
- containerPort: 587
name: submission
- containerPort: 143
name: imap
- containerPort: 993
name: imaps
env:
- name: ENABLE_SPAMASSASSIN
value: "1"
- name: ENABLE_CLAMAV
value: "0"
- name: ENABLE_RSPAMD
value: "1"
- name: TZ
value: America/Chicago
- name: POSTMASTER_ADDRESS
value: postmaster@iamwork.in
- name: OVERRIDE_HOSTNAME
value: mail.iamwork.in
- name: ENABLE_FAIL2BAN
value: "0"
- name: ENABLE_POSTGREY
value: "0"
- name: ONE_DIR
value: "1"
- name: PERMIT_DOCKER
value: network
- name: SSL_TYPE
value: manual
- name: SSL_CERT_PATH
value: /etc/ssl/mail/tls.crt
- name: SSL_KEY_PATH
value: /etc/ssl/mail/tls.key
- name: ACCOUNT_PROVISIONER
value: FILE
volumeMounts:
- name: mail-data
mountPath: /var/mail
- name: mail-state
mountPath: /var/mail-state
- name: mail-tls
mountPath: /etc/ssl/mail
readOnly: true
- name: mail-accounts-generated
mountPath: /tmp/docker-mailserver/postfix-accounts.cf
subPath: postfix-accounts.cf
readOnly: true
resources:
requests:
memory: 512Mi
cpu: 200m
limits:
memory: 2Gi
cpu: "1"
securityContext:
capabilities:
add:
- NET_ADMIN
- SYS_PTRACE
volumes:
- name: mail-data
persistentVolumeClaim:
claimName: mail-data
- name: mail-state
persistentVolumeClaim:
claimName: mail-state
- name: mail-tls
secret:
secretName: mail-tls
- name: mail-credentials
secret:
secretName: mail-credentials
- name: mail-accounts-generated
emptyDir: {}
---
# SMTP LoadBalancer Service (external)
apiVersion: v1
kind: Service
metadata:
name: mail-smtp
namespace: mail
annotations:
metallb.universe.tf/loadBalancerIPs: 10.0.56.202
spec:
type: LoadBalancer
selector:
app: mailserver
ports:
- port: 25
targetPort: 25
name: smtp
protocol: TCP
- port: 465
targetPort: 465
name: smtps
protocol: TCP
- port: 587
targetPort: 587
name: submission
protocol: TCP
---
# IMAP ClusterIP Service (internal)
apiVersion: v1
kind: Service
metadata:
name: mail-imap
namespace: mail
spec:
selector:
app: mailserver
ports:
- port: 143
targetPort: 143
name: imap
- port: 993
targetPort: 993
name: imaps
---
# TLS Certificate via cert-manager
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: mail-tls
namespace: mail
spec:
secretName: mail-tls
issuerRef:
name: step-ca-acme
kind: ClusterIssuer
dnsNames:
- mail.iamworkin.lan
---
# Traefik IngressRoute - Webmail placeholder
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: mail-webmail
namespace: mail
spec:
entryPoints:
- websecure
routes:
- match: Host(`mail.iamworkin.lan`)
kind: Rule
services:
- name: mail-imap
port: 993
tls:
secretName: mail-tls
---
# Public IngressRoute - Webmail (flowercore.io with Cloudflare origin cert)
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: mail-webmail-public
namespace: mail
spec:
entryPoints:
- websecure
routes:
- match: Host(`webmail.flowercore.io`)
kind: Rule
services:
- name: mail-webmail
port: 8080
tls:
secretName: cf-origin-flowercore-io
# docker-mailserver - Postfix + Dovecot + rspamd
# ArgoCD managed - BlueJay Lab
# Credentials: 1Password → OnePasswordItem CRD → K8s Secret
---
apiVersion: v1
kind: Namespace
metadata:
name: mail
labels:
app.kubernetes.io/part-of: bluejay-infra
---
# 1Password → K8s Secret sync for mail credentials
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
name: mail-credentials
namespace: mail
spec:
itemPath: "vaults/IAmWorkin/items/Mail Postmaster"
---
# Mail data PVC
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mail-data
namespace: mail
spec:
accessModes: [ReadWriteOnce]
resources:
requests:
storage: 5Gi
---
# Mail state PVC
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mail-state
namespace: mail
spec:
accessModes: [ReadWriteOnce]
resources:
requests:
storage: 1Gi
---
# docker-mailserver Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: mailserver
namespace: mail
labels:
app: mailserver
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: mailserver
template:
metadata:
labels:
app: mailserver
spec:
hostname: mail
initContainers:
- name: inject-accounts
image: busybox:1.36
command:
- sh
- -c
- |
ADMIN_EMAIL=$(cat /credentials/Admin-Email)
ADMIN_HASH=$(cat /credentials/Admin-Hash)
NOREPLY_EMAIL=$(cat /credentials/Noreply-Email)
NOREPLY_HASH=$(cat /credentials/Noreply-Hash)
echo "${ADMIN_EMAIL}|${ADMIN_HASH}" > /accounts/postfix-accounts.cf
echo "${NOREPLY_EMAIL}|${NOREPLY_HASH}" >> /accounts/postfix-accounts.cf
volumeMounts:
- name: mail-credentials
mountPath: /credentials
readOnly: true
- name: mail-accounts-generated
mountPath: /accounts
containers:
- name: mailserver
image: docker.io/mailserver/docker-mailserver:latest
ports:
- containerPort: 25
name: smtp
- containerPort: 465
name: smtps
- containerPort: 587
name: submission
- containerPort: 143
name: imap
- containerPort: 993
name: imaps
env:
- name: ENABLE_SPAMASSASSIN
value: "1"
- name: ENABLE_CLAMAV
value: "0"
- name: ENABLE_RSPAMD
value: "1"
- name: TZ
value: America/Chicago
- name: POSTMASTER_ADDRESS
value: postmaster@iamwork.in
- name: OVERRIDE_HOSTNAME
value: mail.iamwork.in
- name: ENABLE_FAIL2BAN
value: "0"
- name: ENABLE_POSTGREY
value: "0"
- name: ONE_DIR
value: "1"
- name: PERMIT_DOCKER
value: network
- name: SSL_TYPE
value: manual
- name: SSL_CERT_PATH
value: /etc/ssl/mail/tls.crt
- name: SSL_KEY_PATH
value: /etc/ssl/mail/tls.key
- name: ACCOUNT_PROVISIONER
value: FILE
volumeMounts:
- name: mail-data
mountPath: /var/mail
- name: mail-state
mountPath: /var/mail-state
- name: mail-tls
mountPath: /etc/ssl/mail
readOnly: true
- name: mail-accounts-generated
mountPath: /tmp/docker-mailserver/postfix-accounts.cf
subPath: postfix-accounts.cf
readOnly: true
resources:
requests:
memory: 512Mi
cpu: 200m
limits:
memory: 2Gi
cpu: "1"
securityContext:
capabilities:
add:
- NET_ADMIN
- SYS_PTRACE
volumes:
- name: mail-data
persistentVolumeClaim:
claimName: mail-data
- name: mail-state
persistentVolumeClaim:
claimName: mail-state
- name: mail-tls
secret:
secretName: mail-tls
- name: mail-credentials
secret:
secretName: mail-credentials
- name: mail-accounts-generated
emptyDir: {}
---
# SMTP LoadBalancer Service (external)
apiVersion: v1
kind: Service
metadata:
name: mail-smtp
namespace: mail
annotations:
metallb.universe.tf/loadBalancerIPs: 10.0.56.202
spec:
type: LoadBalancer
selector:
app: mailserver
ports:
- port: 25
targetPort: 25
name: smtp
protocol: TCP
- port: 465
targetPort: 465
name: smtps
protocol: TCP
- port: 587
targetPort: 587
name: submission
protocol: TCP
---
# IMAP ClusterIP Service (internal)
apiVersion: v1
kind: Service
metadata:
name: mail-imap
namespace: mail
spec:
selector:
app: mailserver
ports:
- port: 143
targetPort: 143
name: imap
- port: 993
targetPort: 993
name: imaps
---
# TLS Certificate via cert-manager
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: mail-tls
namespace: mail
spec:
secretName: mail-tls
issuerRef:
name: step-ca-acme
kind: ClusterIssuer
dnsNames:
- mail.iamworkin.lan
---
# Traefik IngressRoute - Webmail placeholder
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: mail-webmail
namespace: mail
spec:
entryPoints:
- websecure
routes:
- match: Host(`mail.iamworkin.lan`)
kind: Rule
services:
- name: mail-imap
port: 993
tls:
secretName: mail-tls
---
# Public IngressRoute - Webmail (flowercore.io with Cloudflare origin cert)
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: mail-webmail-public
namespace: mail
spec:
entryPoints:
- websecure
routes:
- match: Host(`webmail.flowercore.io`)
kind: Rule
services:
- name: mail-webmail
port: 8080
tls:
secretName: cf-origin-flowercore-io