Blue Jay
ef442e29eb
Zabbix, IRC, Mail, Guacamole, Matrix, TeamSpeak, Intranet, PKI Web, FC Landing. All with cert-manager TLS, Traefik IngressRoutes, Longhorn PVCs.
204 lines
4.6 KiB
YAML
204 lines
4.6 KiB
YAML
# docker-mailserver - Postfix + Dovecot + rspamd
|
|
# ArgoCD managed - BlueJay Lab
|
|
---
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: mail
|
|
labels:
|
|
app.kubernetes.io/part-of: bluejay-infra
|
|
---
|
|
# Mail data PVC
|
|
apiVersion: v1
|
|
kind: PersistentVolumeClaim
|
|
metadata:
|
|
name: mail-data
|
|
namespace: mail
|
|
spec:
|
|
accessModes: [ReadWriteOnce]
|
|
resources:
|
|
requests:
|
|
storage: 5Gi
|
|
---
|
|
# Mail state PVC
|
|
apiVersion: v1
|
|
kind: PersistentVolumeClaim
|
|
metadata:
|
|
name: mail-state
|
|
namespace: mail
|
|
spec:
|
|
accessModes: [ReadWriteOnce]
|
|
resources:
|
|
requests:
|
|
storage: 1Gi
|
|
---
|
|
# docker-mailserver Deployment
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: mailserver
|
|
namespace: mail
|
|
labels:
|
|
app: mailserver
|
|
spec:
|
|
replicas: 1
|
|
strategy:
|
|
type: Recreate
|
|
selector:
|
|
matchLabels:
|
|
app: mailserver
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: mailserver
|
|
spec:
|
|
hostname: mail
|
|
containers:
|
|
- name: mailserver
|
|
image: docker.io/mailserver/docker-mailserver:latest
|
|
ports:
|
|
- containerPort: 25
|
|
name: smtp
|
|
- containerPort: 465
|
|
name: smtps
|
|
- containerPort: 587
|
|
name: submission
|
|
- containerPort: 143
|
|
name: imap
|
|
- containerPort: 993
|
|
name: imaps
|
|
env:
|
|
- name: ENABLE_SPAMASSASSIN
|
|
value: "1"
|
|
- name: ENABLE_CLAMAV
|
|
value: "0"
|
|
- name: ENABLE_RSPAMD
|
|
value: "1"
|
|
- name: TZ
|
|
value: America/Chicago
|
|
- name: POSTMASTER_ADDRESS
|
|
value: postmaster@iamwork.in
|
|
- name: OVERRIDE_HOSTNAME
|
|
value: mail.iamwork.in
|
|
- name: ENABLE_FAIL2BAN
|
|
value: "0"
|
|
- name: ENABLE_POSTGREY
|
|
value: "0"
|
|
- name: ONE_DIR
|
|
value: "1"
|
|
- name: PERMIT_DOCKER
|
|
value: network
|
|
- name: SSL_TYPE
|
|
value: manual
|
|
- name: SSL_CERT_PATH
|
|
value: /etc/ssl/mail/tls.crt
|
|
- name: SSL_KEY_PATH
|
|
value: /etc/ssl/mail/tls.key
|
|
volumeMounts:
|
|
- name: mail-data
|
|
mountPath: /var/mail
|
|
- name: mail-state
|
|
mountPath: /var/mail-state
|
|
- name: mail-tls
|
|
mountPath: /etc/ssl/mail
|
|
readOnly: true
|
|
resources:
|
|
requests:
|
|
memory: 512Mi
|
|
cpu: 200m
|
|
limits:
|
|
memory: 2Gi
|
|
cpu: "1"
|
|
securityContext:
|
|
capabilities:
|
|
add:
|
|
- NET_ADMIN
|
|
- SYS_PTRACE
|
|
volumes:
|
|
- name: mail-data
|
|
persistentVolumeClaim:
|
|
claimName: mail-data
|
|
- name: mail-state
|
|
persistentVolumeClaim:
|
|
claimName: mail-state
|
|
- name: mail-tls
|
|
secret:
|
|
secretName: mail-tls
|
|
---
|
|
# SMTP LoadBalancer Service (external)
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: mail-smtp
|
|
namespace: mail
|
|
annotations:
|
|
metallb.universe.tf/loadBalancerIPs: 10.0.56.202
|
|
spec:
|
|
type: LoadBalancer
|
|
selector:
|
|
app: mailserver
|
|
ports:
|
|
- port: 25
|
|
targetPort: 25
|
|
name: smtp
|
|
protocol: TCP
|
|
- port: 465
|
|
targetPort: 465
|
|
name: smtps
|
|
protocol: TCP
|
|
- port: 587
|
|
targetPort: 587
|
|
name: submission
|
|
protocol: TCP
|
|
---
|
|
# IMAP ClusterIP Service (internal)
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: mail-imap
|
|
namespace: mail
|
|
spec:
|
|
selector:
|
|
app: mailserver
|
|
ports:
|
|
- port: 143
|
|
targetPort: 143
|
|
name: imap
|
|
- port: 993
|
|
targetPort: 993
|
|
name: imaps
|
|
---
|
|
# TLS Certificate via cert-manager
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Certificate
|
|
metadata:
|
|
name: mail-tls
|
|
namespace: mail
|
|
spec:
|
|
secretName: mail-tls
|
|
issuerRef:
|
|
name: step-ca-acme
|
|
kind: ClusterIssuer
|
|
dnsNames:
|
|
- mail.iamworkin.lan
|
|
---
|
|
# Traefik IngressRoute - Webmail placeholder
|
|
# Snappymail will need a separate deployment; this routes to the
|
|
# mail server's HTTP port if available, or to a future webmail deployment
|
|
apiVersion: traefik.io/v1alpha1
|
|
kind: IngressRoute
|
|
metadata:
|
|
name: mail-webmail
|
|
namespace: mail
|
|
spec:
|
|
entryPoints:
|
|
- websecure
|
|
routes:
|
|
- match: Host(`mail.iamworkin.lan`)
|
|
kind: Rule
|
|
services:
|
|
- name: mail-imap
|
|
port: 993
|
|
tls:
|
|
secretName: mail-tls
|