Add mail

argocd/applications/mail.yaml

@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mail
+spec:
+  project: default
+  source:
+    repoURL: [email protected]:hashbang/gitops.git
+    path: mail/
+    targetRevision: HEAD
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: mail

argocd/kustomization.yaml

@@ -18,6 +18,7 @@ resources:
   - applications/external-dns.yaml
   - applications/ingress-nginx.yaml
   - applications/ircd.yaml
+  - applications/mail.yaml
   - applications/monitoring.yaml
   - applications/userdb-api.yaml
   - applications/webirc.yaml

cert-manager-issuers/prod_issuer.yaml

@@ -15,6 +15,7 @@ spec:
     - selector:
         dnsZones:
           - "irc.hashbang.sh"
+          - "mail.hashbang.sh"
       dns01:
         route53:
           region: us-west-2

mail/README.md

@@ -0,0 +1,5 @@
+# Mail
+
+https://github.com/hashbang/docker-postfix
+
+Delivers mail to the shell servers

mail/certificate.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  namespace: mail
+  name: mail.hashbang.sh
+spec:
+  secretName: mail-certs
+  dnsNames:
+  - mail.hashbang.sh
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer

mail/files/main.cf

@@ -0,0 +1,52 @@
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file = /etc/postfix/certs/tls.crt
+smtpd_tls_key_file = /etc/postfix/certs/tls.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+# smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
+smtpd_tls_security_level = may
+smtpd_tls_auth_only = no
+smtpd_tls_loglevel = 1
+smtpd_tls_received_header = yes
+smtpd_tls_session_cache_timeout = 3600s
+smtp_tls_security_level = dane
+smtp_tls_note_starttls_offer = yes
+smtp_dns_support_level = dnssec
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+
+myhostname = mail.hashbang.sh
+relay_domains = hashbang.sh
+mydestination = mail.hashbang.sh, hashbang.sh, localhost.hashbang.sh, localhost
+mynetworks = 127.0.0.0/8 46.4.114.111
+relayhost =
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = $mydomain
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+
+virtual_alias_maps = pgsql:/etc/postfix/userdb-aliases.cf
+
+message_size_limit = 52428800
+
+compatibility_level = 2
+
+# Support PROXY from load balancer
+postscreen_upstream_proxy_protocol = haproxy

mail/files/master.cf

@@ -0,0 +1,125 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (no)    (never) (100)
+# ==========================================================================
+smtp      inet  n       -       y       -       1       postscreen
+smtpd     pass  -       -       y       -       -       smtpd
+#dnsblog   unix  -       -       y       -       0       dnsblog
+#tlsproxy  unix  -       -       y       -       0       tlsproxy
+#submission inet n       -       y       -       -       smtpd
+#  -o syslog_name=postfix/submission
+#  -o smtpd_tls_security_level=encrypt
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_tls_auth_only=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#smtps     inet  n       -       y       -       -       smtpd
+#  -o syslog_name=postfix/smtps
+#  -o smtpd_tls_wrappermode=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#628       inet  n       -       y       -       -       qmqpd
+pickup    unix  n       -       y       60      1       pickup
+cleanup   unix  n       -       y       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+#qmgr     unix  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       y       1000?   1       tlsmgr
+rewrite   unix  -       -       y       -       -       trivial-rewrite
+bounce    unix  -       -       y       -       0       bounce
+defer     unix  -       -       y       -       0       bounce
+trace     unix  -       -       y       -       0       bounce
+verify    unix  -       -       y       -       1       verify
+flush     unix  n       -       y       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       y       -       -       smtp
+relay     unix  -       -       y       -       -       smtp
+        -o syslog_name=postfix/$service_name
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       y       -       -       showq
+error     unix  -       -       y       -       -       error
+retry     unix  -       -       y       -       -       error
+discard   unix  -       -       y       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       y       -       -       lmtp
+anvil     unix  -       -       y       -       1       anvil
+scache    unix  -       -       y       -       1       scache
+postlog   unix-dgram n  -       n       -       1       postlogd
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop  unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus     unix  -       n       n       -       -       pipe
+#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp      unix  -       n       n       -       -       pipe
+  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail    unix  -       n       n       -       -       pipe
+  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp     unix  -       n       n       -       -       pipe
+  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix	-	n	n	-	2	pipe
+  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman   unix  -       n       n       -       -       pipe
+  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+  ${nexthop} ${user}

mail/files/userdb-aliases.cf

@@ -0,0 +1,4 @@
+domain = hashbang.sh
+hosts = postgresql://mail:[email protected]:25060/userdb?sslmode=require
+dbname = userdb
+query = select name || '@' || host from passwd where name = '%u'

mail/kustomization.yaml

@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: mail
+resources:
+- namespace.yaml
+- resources.yaml
+- certificate.yaml
+configMapGenerator:
+- name: mail-config
+  files:
+  - files/main.cf
+  - files/master.cf
+  - files/userdb-aliases.cf
+generators:
+- secret-generator.yaml
+images:
+- name: hashbang/postfix
+  digest: sha256:1c9491593e383b95cde6c75a82abcfe2e12e4a26b1656abeaac0bf1f8209b9ee
+- name: alpine
+  newTag: alpine:3.12.0
+  digest: sha256:a15790640a6690aa1730c38cf0a440e2aa44aaca9b0e8931a9f2b0d7cc90fd65

mail/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mail

mail/resources.yaml

@@ -0,0 +1,118 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mail
+spec:
+  selector:
+    matchLabels:
+      app: mail
+  replicas: 1
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: mail
+    spec:
+      shareProcessNamespace: true
+      containers:
+      - name: postfix
+        image: hashbang/postfix
+        command: ["/bin/sh"]
+        args:
+          - "-c"
+          - |
+            ln -sf /etc/postfix/secrets/aliases /etc/aliases
+            exec bash ./run.sh
+        ports:
+        - containerPort: 25
+          name: smtp
+        readinessProbe:
+          tcpSocket:
+            port: 25
+        livenessProbe:
+          tcpSocket:
+            port: 25
+        volumeMounts:
+        - mountPath: /etc/postfix/main.cf
+          name: mail-config
+          subPath: main.cf
+          readOnly: true
+        - mountPath: /etc/postfix/master.cf
+          name: mail-config
+          subPath: master.cf
+          readOnly: true
+        - mountPath: /etc/postfix/userdb-aliases.cf
+          name: mail-config
+          subPath: userdb-aliases.cf
+          readOnly: true
+        - mountPath: /etc/postfix/secrets
+          name: mail-secrets
+          readOnly: true
+        - mountPath: /etc/postfix/certs
+          name: mail-certs
+          readOnly: true
+        - mountPath: /var/spool/postfix
+          name: mail-spool
+      - name: config-reloader
+        # image includes busybox's inotifyd + pkill
+        image: alpine
+        command: ["/bin/sh"]
+        args:
+          - "-c"
+          - |
+            echo "Watching /etc/postfix/certs";
+            inotifyd - /etc/postfix/certs:wMymndox | while read -r notifies ; do
+              echo "notify received: $notifies";
+              echo "sending SIGHUP";
+              pkill -HUP tlsmgr;
+            done
+            echo "Exiting.";
+        volumeMounts:
+        - mountPath: /etc/postfix/certs
+          name: mail-certs
+          readOnly: true
+      volumes:
+      - name: mail-config
+        configMap:
+          name: mail-config
+      - name: mail-secrets
+        secret:
+          secretName: mail-secrets
+      - name: mail-certs
+        secret:
+          secretName: mail-certs
+      - name: mail-spool
+        persistentVolumeClaim:
+          claimName: mail-spool
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mail
+  labels:
+    app: mail
+  annotations:
+    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
+    external-dns.alpha.kubernetes.io/hostname: "mail.hashbang.sh"
+spec:
+  type: LoadBalancer
+  ports:
+  - name: smtp
+    port: 25
+    targetPort: 25
+  selector:
+    app: mail
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mail-spool
+  labels:
+    app: mail
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

mail/secret-generator.yaml

@@ -0,0 +1,6 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: mail-secrets
+files:
+  - ./secrets.enc.yaml