Add mail
daurnimator committed Jun 5, 2020
1 parent 6217d67 commit 3c75064
Showing 12 changed files with 359 additions and 0 deletions.
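--- a/argocd/applications/mail.yaml
+++ b/argocd/applications/mail.yaml
@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+name: mail
+spec:
+project: default
+source:
+repoURL: [email protected]:hashbang/gitops.git
+path: mail/
+targetRevision: HEAD
+destination:
+server: https://kubernetes.default.svc
+namespace: mail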
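Review bot: `project: default` places this Application in Argo CD's built-in project, which, unless it has been restricted elsewhere in the repo, allows any source repository and any destination namespace. A dedicated AppProject limited to this repository and the `mail` namespace would confine what a change under `mail/` is able to deploy. `targetRevision: HEAD` also means that whatever lands on the default branch is what gets synced, so branch protection on the GitOps repo is the effective gate for this workload.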
1 change: 1 addition & 0 deletions argocd/kustomization.yaml
Expand Up @@ -18,6 +18,7 @@ resources:
- applications/external-dns.yaml
- applications/ingress-nginx.yaml
- applications/ircd.yaml
- applications/mail.yaml
- applications/monitoring.yaml
- applications/userdb-api.yaml
- applications/webirc.yaml
1 change: 1 addition & 0 deletions cert-manager-issuers/prod_issuer.yaml
Expand Up @@ -15,6 +15,7 @@ spec:
- selector:
dnsZones:
- "irc.hashbang.sh"
- "mail.hashbang.sh"
dns01:
route53:
region: us-west-2
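--- a/mail/README.md
+++ b/mail/README.md
@@ -0,0 +1,5 @@
+# Mail
+
+https://github.com/hashbang/docker-postfix
+
+Delivers mail to the shell servers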
133 changes: 133 additions & 0 deletions mail/aliases.enc.yaml
@@ -0,0 +1,133 @@
apiVersion: v1
kind: Secret
metadata:
name: mail-aliases
type: Opaque
stringData:
aliases: ENC[AES256_GCM,data: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,iv:YhRtkz4oL8wqN3W+CQyhwGwhNYKsmEQvga62wzc+gBI=,tag:9rkZ3caaI915ykCFchdxpA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
lastmodified: '2020-06-05T04:05:09Z'
mac: ENC[AES256_GCM,data:MV6KgQQfm039vRGE6eszA0PDmtkDe1Qv0zzjFd728iH/8xVpwsvn2s6TL3/N0huWMWFRbh6M9kU2xGA87vNOrqbUMuEIwi01Z2v5Cuu4EalBHafEaFE68UygFOB+VDO7WQiZmEkHLUY0za7LfinZ3QbPikX8GrXMjaHjDfYtqvo=,iv:6R9m5hVXFAtXokwJHnd9SbfNXc4eKdgohHWBlTdrLkI=,tag:eHUROJe44qeYuvPwdqI0NQ==,type:str]
pgp:
- created_at: '2020-05-27T02:00:39Z'
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA+pWRuJw67SWAQ/9GXIZFEp/v1IT68Ro9LOMEtxoi1rmzmJRYMca5Jgt7xf+
V0Hyfpo0fl3/xZaLwd0bIBaE0pjnsPCwzCd+IologGctDD5/PwOtdXm6WS1Lh6vH
tvVOAo63RnyGqlwO2cXkKIOCzIF7LKJi8TxE0M4cEK2RkcYz7ukfvzyrbm+jLAYo
3Ve2k9GL72VPLwo+o+WbrhGjqsf6Qy5D9OT45FPNXCC2EF6zDyRrJwYtRFU+lZcB
bBQc2aE90fVSxxMQ18VNW7VNFAOfMANPSOilrIfzoyZE8lxgAExgXRyrwRuVxKfL
UAws9jrXz72AYTkVoQ3tWJP3MgtnbdTS9A8kUJI0hIjnKTsUKwBZv3SJxvKBFV0y
4Qnz/cXw0qYp/6zBEaM0tOq04LqmU8fuPtPZg4V9TKVCoMaCQrvgLj5nWS6UiIhF
1LOQSxPEjBPApvht4bRexfOGIdMxJ7uqZTfBkpa1McoPQFvFLmY9TT9IHjqkhj2g
kLpDX/oKskHP9/4C4QJa93az983GITDER4AhMmMN6P21LTnlRpzxQ1wDryzF4HCW
1lixCt8KSM1qA2yAnrdzf0spmYl1Hh948AzDuMI6YoMJkDnyKsMH0vboOQnidTjK
WRMxUAoYhTKoJ3WXL1csakLFMMtbtIPWPWrH4lnbXA9WK2f50X5Ka7vkMkvdsrfS
XgFMqlMJ/AvlaQKJfqtca0xn47K9+8KMx9iroBpT4H8ejFA76JpTx9MQTgb+voUO
nQ0Y+2qr27/lyR2Esv7q+jkXkGhNlpL0o2nE2ZRpUJ9bV713KJCSSViBPe87Npc=
=ZQHM
-----END PGP MESSAGE-----
fp: 1FD6667A0808D4D48BDB8757A61B48D8288FCF8A
- created_at: '2020-05-27T02:00:39Z'
enc: |-
-----BEGIN PGP MESSAGE-----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=nu7e
-----END PGP MESSAGE-----
fp: 954A3772D62EF90E4B31FBC6C91A9911192C187A
- created_at: '2020-05-27T02:00:39Z'
enc: |
-----BEGIN PGP MESSAGE-----
hQEMA4SNlT+wHnqoAQf/fB2EW5yaGESpPSLUcOXdEfQON/wqfR3EZroX34xNz3+4
RLFOwo7PagIOMbugSfVbxt14RYbxWT9+43oGSgg1F4b5IuxIT1wUwLSrCnR/QE8z
VEZkf2/yuZ8k0+HB3wG7fgP10EYo236aoiaWC28kWivqO76W9+ZQCgVcL4Wj+XTe
ueIPDAyZrnXbd3GTAUl0/VBMoZKJMr8AIK/5ZCnwoILxGe6BQpX4qDxBFRg65Yf6
8nMoai6FxbGnuBdIL3fuQ1UAggYCou9iQZpp632f0yHZ+B4b1plEt/iVCgb8WH4v
paCGx836Um2uFXm0rCZB5whAasxNkY9Ik/nZxuPnodJeAVWjlcPPAY9cqo3fTnYK
tnSxZ970TwiNWCeocWL/VGNXAnaIkofldGMzFsIumLVuyhUe3NhfTRYbflDTxG2o
nLb/1mGv416ULuKEgX9j+fezJgOyMgOaeQfkS8dm0w==
=al2j
-----END PGP MESSAGE-----
fp: 8333F292B1BBD334A61E6F566785F7AF28DE7081
- created_at: '2020-05-27T02:00:39Z'
enc: |-
-----BEGIN PGP MESSAGE-----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=oGHl
-----END PGP MESSAGE-----
fp: 6B61ECD76088748C70590D55E90A401336C8AAA9
- created_at: '2020-05-27T02:00:39Z'
enc: |
-----BEGIN PGP MESSAGE-----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=
=SkM7
-----END PGP MESSAGE-----
fp: FC2255B7BBC7EABD4EFAFA1068907D8BCCD85A5A
- created_at: '2020-05-27T02:00:39Z'
enc: |
-----BEGIN PGP MESSAGE-----
hQIMA8KRInHl7Vz+AQ/+NzGqUvMLyF9GPB5zfJDLRcNe0DPdj3rEoszXcl0LBxBY
27wekbYkiF/pS8+EqIzgfaVRNAx5IOQvotSomATXgZ10FiLSYksmka1wI6xKUqRf
Gygnevg5MykUa03RhTVlEmKew4GdObN8bmMmGiqSYgnMeLCYlfuUnCixg/g5jmer
kZ+QWrvfoHnqiV5WI7cySXh3+Q8Ndyj3YjhIvw6H3Pc+RaCQ8WQ/H7AQjGpJPNrZ
iLriNeKlNNJYfPM7FZCi/PAhmmVS8m+AyFuHTe9rP8RMLCMCxqKzRZGteUi+XIjV
Z3gSsHXe5WWoyAgi0ox8B1bs6qP5jHZoN8/hrdtZqXBt90FTp5UyxM/cwd7oUYok
Y8Ep/innfyrxjxE/ND07v29LhFnFpZJMm0Orgze4gAiTy6S/Urnt6TW3OJvJPWjK
sjyaGECL3efgcGXeSfJxmsErtR2QtHB1oeIYlMetyGfS5Oego0Vo9KZ8uPu/TB5W
XqtbWJpxXpxrCj8kIDec1P3AhBYAohZfmPw10nqWOLcQwJEZWrj80Lr8HNH8AjBj
1dMGC0nPUlT4hsiXav3ZA4ecy8kY3B6VFcXufWm9MreOS+QFW+g4s3Gvr0aQEzbg
//Q7DKvfPmDtWQf62tqX6yYA2KS7GkX8jH7tHKUsPYSOIt7/7z0JXvRB1BU2uHDS
XgHL9LbfoxLCWIqyQsRpX3UVpMCg44RqIOmJDRwnV22g97YATblk8AwgqaIiJk9O
lJcRfr25f5Q9cXxU4LPbR6h7LRJsrNKquxtefdkz0SoRUQjE40xR00NJ7htQB5E=
=n94p
-----END PGP MESSAGE-----
fp: C92FE5A3FBD58DD3EC5AA26BB10116B8193F2DBD
encrypted_regex: ^(data|stringData)$
version: 3.5.0
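--- a/mail/certificate.yaml
+++ b/mail/certificate.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+namespace: mail
+name: mail.hashbang.sh
+spec:
+secretName: mail-certs
+dnsNames:
+- mail.hashbang.sh
+issuerRef:
+name: letsencrypt-prod
+kind: ClusterIssuer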
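--- a/mail/files/main.cf
+++ b/mail/files/main.cf
@@ -0,0 +1,49 @@
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file = /etc/postfix/certs/server.crt
+smtpd_tls_key_file = /etc/postfix/certs/server.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+# smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
+smtpd_tls_security_level = may
+smtpd_tls_auth_only = no
+smtpd_tls_loglevel = 1
+smtpd_tls_received_header = yes
+smtpd_tls_session_cache_timeout = 3600s
+smtp_tls_security_level = dane
+smtp_tls_note_starttls_offer = yes
+smtp_dns_support_level = dnssec
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+
+myhostname = mail.hashbang.sh
+relay_domains = hashbang.sh
+mydestination = mail.hashbang.sh, hashbang.sh, localhost.hashbang.sh, localhost
+mynetworks = 127.0.0.0/8 46.4.114.111
+relayhost =
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = $mydomain
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+
+virtual_alias_maps = pgsql:/etc/postfix/userdb-aliases.cf
+
+message_size_limit = 52428800
+
+compatibility_level = 2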
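Review bot: `smtpd_tls_cert_file` and `smtpd_tls_key_file` point at `/etc/postfix/certs/server.crt` and `server.key`, but the Deployment in mail/resources.yaml mounts the `mail-certs` Secret at `/etc/tls`, and a cert-manager Secret normally carries `tls.crt` and `tls.key`. Unless the image remaps these paths, postfix will not find the certificate, and with `smtpd_tls_security_level = may` that presumably degrades to plaintext SMTP rather than a hard failure. Suggested: `smtpd_tls_cert_file = /etc/tls/tls.crt` and `smtpd_tls_key_file = /etc/tls/tls.key`. `alias_maps = hash:/etc/aliases` has the same kind of mismatch with the `/etc/postfix/aliases` mount, and `smtpd_use_tls=yes` is redundant next to `smtpd_tls_security_level`.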
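--- a/mail/files/userdb-aliases.cf
+++ b/mail/files/userdb-aliases.cf
@@ -0,0 +1,4 @@
+domain = hashbang.sh
+hosts = postgresql://mail:userdb-mail-lookup@userdb-attempt-too-do-user-989073-0.db.ondigitalocean.com:25060/userdb?sslmode=require
+dbname = userdb
+query = select name || '@' || host from passwd where name = '%u'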
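Review bot: The `hosts` line embeds the database user and what looks like its password in the connection URI, and this file is shipped through the `mail-config` configMapGenerator in mail/kustomization.yaml, so the credential sits in clear text in Git and in a ConfigMap while the aliases added by this same commit are SOPS-encrypted. The lookup config should move into a SOPS-encrypted Secret mounted next to main.cf, and the password should be rotated because it is now in the repository history. `sslmode=require` encrypts the connection but does not verify the server certificate; `sslmode=verify-full` with the provider's CA certificate would also authenticate the database host.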
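--- a/mail/kustomization.yaml
+++ b/mail/kustomization.yaml
@@ -0,0 +1,22 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: mail
+resources:
+- namespace.yaml
+- resources.yaml
+- certificate.yaml
+configMapGenerator:
+- name: mail-config
+options:
+disableNameSuffixHash: true
+files:
+- files/main.cf
+- files/userdb-aliases.cf
+generators:
+- secret-generator.yaml
+images:
+- name: hashbang/postfix
+digest: sha256:1c9491593e383b95cde6c75a82abcfe2e12e4a26b1656abeaac0bf1f8209b9ee
+- name: alpine
+newTag: alpine:3.12.0
+digest: sha256:a15790640a6690aa1730c38cf0a440e2aa44aaca9b0e8931a9f2b0d7cc90fd65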
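Review bot: `newTag: alpine:3.12.0` repeats the image name inside the tag field; `newTag` takes the tag alone, so this should read `newTag: '3.12.0'`, quoted so it stays a string. Depending on the kustomize version, the digest either overrides the tag, which hides the mistake, or is combined with it, which would render an invalid image reference. Pinning both images by digest is the right call; the `hashbang/postfix` entry would benefit from a comment naming the tag or commit the digest was taken from, so that a later bump can be reviewed against something readable.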
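--- a/mail/namespace.yaml
+++ b/mail/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+name: mail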
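--- a/mail/resources.yaml
+++ b/mail/resources.yaml
@@ -0,0 +1,109 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: mail
+spec:
+selector:
+matchLabels:
+app: mail
+template:
+metadata:
+labels:
+app: mail
+spec:
+shareProcessNamespace: true
+containers:
+- name: postfix
+image: hashbang/postfix
+ports:
+- containerPort: 25
+name: smtp
+readinessProbe:
+tcpSocket:
+port: 25
+livenessProbe:
+tcpSocket:
+port: 25
+volumeMounts:
+- mountPath: /etc/postfix
+name: mail-config
+readOnly: true
+- mountPath: /etc/postfix/aliases
+name: mail-aliases
+subPath: aliases
+readOnly: true
+- mountPath: /etc/tls
+name: mail-certs
+readOnly: true
+- mountPath: /var/spool/postfix
+name: mail-spool
+- name: config-reloader
+# image includes busybox's inotifyd + pkill
+image: alpine
+command: ["/bin/sh"]
+args:
+- "-c"
+- |
+echo "Watching /etc/postfix";
+inotifyd - /etc/postfix/:wMymndox /etc/postfix/aliases:wMymndox /etc/postfix/tls/:wMymndox | while read -r notifies ; do
+echo "notify received: $notifies";
+echo "running newaliases";
+newaliases;
+echo "sending SIGHUP";
+pkill -HUP master;
+done
+echo "Exiting.";
+volumeMounts:
+- mountPath: /etc/postfix
+name: mail-config
+readOnly: true
+- mountPath: /etc/postfix/aliases
+name: mail-aliases
+subPath: aliases
+readOnly: true
+- mountPath: /etc/tls
+name: mail-certs
+readOnly: true
+volumes:
+- name: mail-config
+configMap:
+name: mail-config
+- name: mail-aliases
+secret:
+secretName: mail-aliases
+- name: mail-certs
+secret:
+secretName: mail-certs
+- name: mail-spool
+persistentVolumeClaim:
+claimName: mail-spool
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: mail
+labels:
+app: mail
+annotations:
+external-dns.alpha.kubernetes.io/hostname: "mail.hashbang.sh"
+spec:
+type: NodePort
+ports:
+- name: smtp
+port: 25
+targetPort: 25
+selector:
+app: mail
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+name: mail-spool
+labels:
+app: mail
+spec:
+accessModes:
+- ReadWriteOnce
+resources:
+requests:
+storage: 1Gi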
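Review bot: The `config-reloader` watch list names `/etc/postfix/tls/`, but `mail-certs` is mounted at `/etc/tls` in both containers, so a renewal by cert-manager would not trigger a reload and postfix could keep serving the old certificate; the watch should name the real mount, e.g. `inotifyd - /etc/postfix/:wMymndox /etc/tls/:wMymndox`. The `aliases` file is mounted with `subPath`, and Kubernetes does not refresh subPath mounts when the Secret changes, so that watch is unlikely to fire either. `newaliases` runs in the `alpine` container, which per its own comment provides only `inotifyd` and `pkill`, and `/etc/postfix` is mounted read-only there. Neither container sets a `securityContext` or resource limits, which matters more than usual with `shareProcessNamespace: true` and port 25 published through a NodePort Service.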
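--- a/mail/secret-generator.yaml
+++ b/mail/secret-generator.yaml
@@ -0,0 +1,6 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+name: mail-secrets
+files:
+- ./aliases.enc.yaml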
