Add mail

daurnimator · daurnimator · commit 3c750643aee8 · 2020-06-05T14:31:47.000+10:00
diff --git a/argocd/applications/mail.yaml b/argocd/applications/mail.yaml
@@ -0,0 +1,13 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mail
+spec:
+  project: default
+  source:
+    repoURL: git@github.com:hashbang/gitops.git
+    path: mail/
+    targetRevision: HEAD
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: mail
diff --git a/argocd/kustomization.yaml b/argocd/kustomization.yaml
@@ -18,6 +18,7 @@ resources:
   - applications/external-dns.yaml
   - applications/ingress-nginx.yaml
   - applications/ircd.yaml
+  - applications/mail.yaml
   - applications/monitoring.yaml
   - applications/userdb-api.yaml
   - applications/webirc.yaml
diff --git a/cert-manager-issuers/prod_issuer.yaml b/cert-manager-issuers/prod_issuer.yaml
@@ -15,6 +15,7 @@ spec:
     - selector:
         dnsZones:
           - "irc.hashbang.sh"
+          - "mail.hashbang.sh"
       dns01:
         route53:
           region: us-west-2
diff --git a/mail/README.md b/mail/README.md
@@ -0,0 +1,5 @@
+# Mail
+
+https://github.com/hashbang/docker-postfix
+
+Delivers mail to the shell servers
diff --git a/mail/aliases.enc.yaml b/mail/aliases.enc.yaml
@@ -0,0 +1,133 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: mail-aliases
+type: Opaque
+stringData:
+    aliases: ENC[AES256_GCM,data:zTwzx4D4eS7cq9bjCeca9IB7pwJuHGysnxgbgNhwHLJv0e4A7EnvlFP5f/zRG/HKNIay/m+ygxwaRg/PwMf1kn6mJpoXym/cqAv4ZJN6etZw/c/WOipCrm1mf9sZB0DLAB/PvvEEy09Q0RUxOIcPg/jxMnEAlbann0LLJcaXYxvAZYyNHjCDvqsxZ+NzZU7bnkMGII1Mv8tc6vLt605yQG5KEaOs5lbiU55XZOUyqTEzHpbyhM6hDSFC5Wz71FnwPQqLaaAGHyiCg77XWtJIzLvrEQofxZg8YsG8R1F6CXoNfQJ5Ka+rzL6YnLk39JAT6KpV8CQaGtVONthpapDEFz5eJi8qgUKFyoEIG/122Yb5RJkZCgoZiXPt2GkCgYSjq3UHfUIZoP/R1uiuOh0hUa0nIXKe3gb3hmzOo/fUjttgF0BIyA48CSAJeEYaoDBIvE5hK7FmfA8RJ6tWvtWYOINwYSGIxIme9TGPJ6Ym7cOp2c4Bu0i0HX4d5amJQ1uaDSQW1jbPo/4kr/x9pJaL9E+rJsDdktnuJIXII0vJqsmZVaAhEltZDUNY6KR51VZejh3hzd3k9MrBOqFOa/KBrOyKsXZCJkU8jnlBBF/g6UwAft5e3Dms5PpAIxm9p6LXXkBmUu8Zgzs=,iv:YhRtkz4oL8wqN3W+CQyhwGwhNYKsmEQvga62wzc+gBI=,tag:9rkZ3caaI915ykCFchdxpA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    lastmodified: '2020-06-05T04:05:09Z'
+    mac: ENC[AES256_GCM,data:MV6KgQQfm039vRGE6eszA0PDmtkDe1Qv0zzjFd728iH/8xVpwsvn2s6TL3/N0huWMWFRbh6M9kU2xGA87vNOrqbUMuEIwi01Z2v5Cuu4EalBHafEaFE68UygFOB+VDO7WQiZmEkHLUY0za7LfinZ3QbPikX8GrXMjaHjDfYtqvo=,iv:6R9m5hVXFAtXokwJHnd9SbfNXc4eKdgohHWBlTdrLkI=,tag:eHUROJe44qeYuvPwdqI0NQ==,type:str]
+    pgp:
+    -   created_at: '2020-05-27T02:00:39Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA+pWRuJw67SWAQ/9GXIZFEp/v1IT68Ro9LOMEtxoi1rmzmJRYMca5Jgt7xf+
+            V0Hyfpo0fl3/xZaLwd0bIBaE0pjnsPCwzCd+IologGctDD5/PwOtdXm6WS1Lh6vH
+            tvVOAo63RnyGqlwO2cXkKIOCzIF7LKJi8TxE0M4cEK2RkcYz7ukfvzyrbm+jLAYo
+            3Ve2k9GL72VPLwo+o+WbrhGjqsf6Qy5D9OT45FPNXCC2EF6zDyRrJwYtRFU+lZcB
+            bBQc2aE90fVSxxMQ18VNW7VNFAOfMANPSOilrIfzoyZE8lxgAExgXRyrwRuVxKfL
+            UAws9jrXz72AYTkVoQ3tWJP3MgtnbdTS9A8kUJI0hIjnKTsUKwBZv3SJxvKBFV0y
+            4Qnz/cXw0qYp/6zBEaM0tOq04LqmU8fuPtPZg4V9TKVCoMaCQrvgLj5nWS6UiIhF
+            1LOQSxPEjBPApvht4bRexfOGIdMxJ7uqZTfBkpa1McoPQFvFLmY9TT9IHjqkhj2g
+            kLpDX/oKskHP9/4C4QJa93az983GITDER4AhMmMN6P21LTnlRpzxQ1wDryzF4HCW
+            1lixCt8KSM1qA2yAnrdzf0spmYl1Hh948AzDuMI6YoMJkDnyKsMH0vboOQnidTjK
+            WRMxUAoYhTKoJ3WXL1csakLFMMtbtIPWPWrH4lnbXA9WK2f50X5Ka7vkMkvdsrfS
+            XgFMqlMJ/AvlaQKJfqtca0xn47K9+8KMx9iroBpT4H8ejFA76JpTx9MQTgb+voUO
+            nQ0Y+2qr27/lyR2Esv7q+jkXkGhNlpL0o2nE2ZRpUJ9bV713KJCSSViBPe87Npc=
+            =ZQHM
+            -----END PGP MESSAGE-----
+        fp: 1FD6667A0808D4D48BDB8757A61B48D8288FCF8A
+    -   created_at: '2020-05-27T02:00:39Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA4FedWMNSzdLARAAoj7C/JHMHvgNkVqs+c0JrgbrIlue6GnmPrQIPeyZpqxw
+            Lu75lw/a/SyZhEoJpDfJIGpt8edBmVEb6qJiwdvwZPcIkak6yfj9tMqaIU6vpNqb
+            qgSzPQqsaojOpeH9A6RJARixdcXM3b4essnV4PXmMQ7IVZCmeOT22qQ+7Gk/oX2M
+            3eQ64x0mvSH1UNeo9BkzMD1vPEDa5pcUUBhzs8gT+IOpAq8EwKEAhna9JRnUDR9a
+            Ft4dyIREAO4evUtJ7ZtkZGEc2LpMkoK/lH9ljhUOjlAlSSC22Hpk5ol5Sg2pwCJJ
+            931K1Ueptb+Cuhi/1NPk2XZKkVkQP5+Xglg5vI8e5jarXb0t0kKs7tjOlFc+0iRx
+            ToaSdHwSuPnskbVIOKgyvRml0uHnPmPpa+8ND6TxgBBa+Mb8tQnFNnkRKFz/19Ak
+            j9UAsVdJw+zU0KTTx4SiDRH39ydv2oeFLD20Oh80fqXyPcHc6jHsPEukn3A012Lm
+            p3BWab4WTaDBNCioWGtXKRHED3ZTorvSg1arbwHp1P3z/+8G3mJI9q0CvheMeG4k
+            j71YGeokktz626PT7LWBfViK60ZadmnHg6Cf/I19pd+Ai3FdsRadxLz/5jBiV2VE
+            0j9WqtSXQSs7e9Xd85gEaEbLeKO1W7Ypa7Pmg86gJfaXHuWz4Cp3vDZdVhV161nS
+            4AHkgmb1HMc7vAHPR0V+knYM9eGTfOCT4J3hRnLgauIfcvnI4GTlGpZO9NKaU22k
+            ZO/Gj//eS0JbkffL2GGFu8tA/eCakyrgq+S1MJe3HwUHzRL9AEonlt0O4ofNwT7h
+            SM0A
+            =nu7e
+            -----END PGP MESSAGE-----
+        fp: 954A3772D62EF90E4B31FBC6C91A9911192C187A
+    -   created_at: '2020-05-27T02:00:39Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMA4SNlT+wHnqoAQf/fB2EW5yaGESpPSLUcOXdEfQON/wqfR3EZroX34xNz3+4
+            RLFOwo7PagIOMbugSfVbxt14RYbxWT9+43oGSgg1F4b5IuxIT1wUwLSrCnR/QE8z
+            VEZkf2/yuZ8k0+HB3wG7fgP10EYo236aoiaWC28kWivqO76W9+ZQCgVcL4Wj+XTe
+            ueIPDAyZrnXbd3GTAUl0/VBMoZKJMr8AIK/5ZCnwoILxGe6BQpX4qDxBFRg65Yf6
+            8nMoai6FxbGnuBdIL3fuQ1UAggYCou9iQZpp632f0yHZ+B4b1plEt/iVCgb8WH4v
+            paCGx836Um2uFXm0rCZB5whAasxNkY9Ik/nZxuPnodJeAVWjlcPPAY9cqo3fTnYK
+            tnSxZ970TwiNWCeocWL/VGNXAnaIkofldGMzFsIumLVuyhUe3NhfTRYbflDTxG2o
+            nLb/1mGv416ULuKEgX9j+fezJgOyMgOaeQfkS8dm0w==
+            =al2j
+            -----END PGP MESSAGE-----
+        fp: 8333F292B1BBD334A61E6F566785F7AF28DE7081
+    -   created_at: '2020-05-27T02:00:39Z'
+        enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA82rPM2mSf/aARAAon72nRRf9II/gY+zdEH4IyqIHOiCG4H8jLt2dm2CkfOV
+            q/kiZoL5KUL+L+bGbOOiqenBZI5w4U6Vva4ap8/UKbaLqK3yDVBd/WafJf58BUlq
+            u76cNhxn9rcTcHzJ22/bKEbGO0KbVdx7ibQ85OBvzF1cdrqr1cxr+nblff81gQ41
+            H6OvNUCneQYI4Bq9OYfOnesLC6cYunk+eFHiNGmcAbT7gpF+RD3DsyBLGPFCFm+a
+            CMOkCaXRNKrQdf7lCJi1jiuTOoJwER5CdYnEPNoojQCVGDqtKPHgggC81fc8rqme
+            Y09Zh9X6wWiJdbOVXZDCATzF5it+tqNz8ZSq9kNdpaOXXMOoYXBpP0Jamt4rMQbn
+            MqDsy4HEpL6u7D+IEe3+lArXLRAeJ6KhMnQM9MjWjQwZ2l6Gcy914j3y1ItGguBc
+            Ohd2y0PynT3F2jzxhQhlQ4D5wYQM31jpiE6x0acsTbDFYHAYn7dRprH9BYY3Dgh1
+            V9EQIYdWowl9pUBEQzsJ+dAOVjTtUv+O/UQJCuow0/66n44dZ4UEycU0+lLqrRiE
+            CLnxDMtXdimm5/SEOHHLjaR8q4rve9WfGujV1iQZPEuK73kVaa3TbsQtc19FwhGq
+            YxLJuRqyZ2eM82Fq92ibCjT6xpUSz3fFyZJSSI2nTIGtKLXOYoArSrOAOTzdun/S
+            4AHkwZABmgQMa+15cThhPISJ9+HuNuBK4OrhQvDgz+JihNuC4MHlhlKev/A2BFYi
+            YwFEvbPkyGNjZNCiV+tWGtf4KL4skSTg8eTgOFfu1Jr2Q3lYtRa/Zl/a4mFUGMTh
+            5G0A
+            =oGHl
+            -----END PGP MESSAGE-----
+        fp: 6B61ECD76088748C70590D55E90A401336C8AAA9
+    -   created_at: '2020-05-27T02:00:39Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA6dhVUuTLV7oAQ/6AoEKc0aiAC16FTJEQVpsi5Y6ffxey6zKRJeyx/6480DF
+            Bkg2tfoT8bEDTNYi6EqPPM4Vef3tgoR+3KMlML6Mt1y77N5Knni93RSaCyeSKaa6
+            1AZaLtLc6a6UF/qLJJ5ISniRdiSmJAQFttARu6h35IJrZlfNEi8rvnlP7AZObc2d
+            qjKcSqNI0S3jvHam61xys93mmvQbTpGP+PE++1qlt53231KH/RrgNhPMFQij6d52
+            Pfxicu9D+x7fcIkDVHIbh3ycQOTzKzi1zJQpzo0vIRK7zVMOGNBL4V3jlxN+JTFa
+            xDSTW+E46BnmG1kwVGsawkakDt4W1MOGzT3Nd1b4X6QuEEOvqVGAOaYoYatAk2D5
+            qy3ov3jq36z5Nc1+Zm6hMq+KnSSSOez5YDxx89b3eMuAb10Z1IcJ3Owr/zeXDdzJ
+            tX3gRWL/Mq9StJMhaXd1gH5Ba7ZH/P+USk68uny1erIUG3oFxa0quwW5VycYWDQf
+            aVJuhwX9XxPvAnUz/BGGt+r6rpFNPtmb0hDYk+TIYElXRHi9jQxYiOeBXhq87iBF
+            U1Jv/tsXZMKnAK0l/xZrwihAa3ZZ5jp0djZ5Btff/0afbz44vAjhmagWRaNNdHdr
+            elITYEoqnG/XIEtSXu3VBM9ArAU2h+H2IpslohkaDE7WqCsLvNtIRyiG5a6wJjvS
+            XgFCmA5J+bqcFs+EEncWcvRepym+pgVzp2z1e2ZPrSYXeJYw/L+KkSSCb+48F5eE
+            bJHG57xw6Krtfb1T6kFErfmiCDjgaJJ0mJUJozfFYsxL+/AlTjKf+oA+qkHh7qw=
+            =SkM7
+            -----END PGP MESSAGE-----
+        fp: FC2255B7BBC7EABD4EFAFA1068907D8BCCD85A5A
+    -   created_at: '2020-05-27T02:00:39Z'
+        enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA8KRInHl7Vz+AQ/+NzGqUvMLyF9GPB5zfJDLRcNe0DPdj3rEoszXcl0LBxBY
+            27wekbYkiF/pS8+EqIzgfaVRNAx5IOQvotSomATXgZ10FiLSYksmka1wI6xKUqRf
+            Gygnevg5MykUa03RhTVlEmKew4GdObN8bmMmGiqSYgnMeLCYlfuUnCixg/g5jmer
+            kZ+QWrvfoHnqiV5WI7cySXh3+Q8Ndyj3YjhIvw6H3Pc+RaCQ8WQ/H7AQjGpJPNrZ
+            iLriNeKlNNJYfPM7FZCi/PAhmmVS8m+AyFuHTe9rP8RMLCMCxqKzRZGteUi+XIjV
+            Z3gSsHXe5WWoyAgi0ox8B1bs6qP5jHZoN8/hrdtZqXBt90FTp5UyxM/cwd7oUYok
+            Y8Ep/innfyrxjxE/ND07v29LhFnFpZJMm0Orgze4gAiTy6S/Urnt6TW3OJvJPWjK
+            sjyaGECL3efgcGXeSfJxmsErtR2QtHB1oeIYlMetyGfS5Oego0Vo9KZ8uPu/TB5W
+            XqtbWJpxXpxrCj8kIDec1P3AhBYAohZfmPw10nqWOLcQwJEZWrj80Lr8HNH8AjBj
+            1dMGC0nPUlT4hsiXav3ZA4ecy8kY3B6VFcXufWm9MreOS+QFW+g4s3Gvr0aQEzbg
+            //Q7DKvfPmDtWQf62tqX6yYA2KS7GkX8jH7tHKUsPYSOIt7/7z0JXvRB1BU2uHDS
+            XgHL9LbfoxLCWIqyQsRpX3UVpMCg44RqIOmJDRwnV22g97YATblk8AwgqaIiJk9O
+            lJcRfr25f5Q9cXxU4LPbR6h7LRJsrNKquxtefdkz0SoRUQjE40xR00NJ7htQB5E=
+            =n94p
+            -----END PGP MESSAGE-----
+        fp: C92FE5A3FBD58DD3EC5AA26BB10116B8193F2DBD
+    encrypted_regex: ^(data|stringData)$
+    version: 3.5.0
diff --git a/mail/certificate.yaml b/mail/certificate.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  namespace: mail
+  name: mail.hashbang.sh
+spec:
+  secretName: mail-certs
+  dnsNames:
+  - mail.hashbang.sh
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
diff --git a/mail/files/main.cf b/mail/files/main.cf
@@ -0,0 +1,49 @@
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file = /etc/postfix/certs/server.crt
+smtpd_tls_key_file = /etc/postfix/certs/server.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+# smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
+smtpd_tls_security_level = may
+smtpd_tls_auth_only = no
+smtpd_tls_loglevel = 1
+smtpd_tls_received_header = yes
+smtpd_tls_session_cache_timeout = 3600s
+smtp_tls_security_level = dane
+smtp_tls_note_starttls_offer = yes
+smtp_dns_support_level = dnssec
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+
+myhostname = mail.hashbang.sh
+relay_domains = hashbang.sh
+mydestination = mail.hashbang.sh, hashbang.sh, localhost.hashbang.sh, localhost
+mynetworks = 127.0.0.0/8 46.4.114.111
+relayhost =
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = $mydomain
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+
+virtual_alias_maps = pgsql:/etc/postfix/userdb-aliases.cf
+
+message_size_limit = 52428800
+
+compatibility_level = 2
diff --git a/mail/files/userdb-aliases.cf b/mail/files/userdb-aliases.cf
@@ -0,0 +1,4 @@
+domain = hashbang.sh
+hosts = postgresql://mail:userdb-mail-lookup@userdb-attempt-too-do-user-989073-0.db.ondigitalocean.com:25060/userdb?sslmode=require
+dbname = userdb
+query = select name || '@' || host from passwd where name = '%u'
diff --git a/mail/kustomization.yaml b/mail/kustomization.yaml
@@ -0,0 +1,22 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: mail
+resources:
+- namespace.yaml
+- resources.yaml
+- certificate.yaml
+configMapGenerator:
+- name: mail-config
+  options:
+    disableNameSuffixHash: true
+  files:
+  - files/main.cf
+  - files/userdb-aliases.cf
+generators:
+- secret-generator.yaml
+images:
+- name: hashbang/postfix
+  digest: sha256:1c9491593e383b95cde6c75a82abcfe2e12e4a26b1656abeaac0bf1f8209b9ee
+- name: alpine
+  newTag: alpine:3.12.0
+  digest: sha256:a15790640a6690aa1730c38cf0a440e2aa44aaca9b0e8931a9f2b0d7cc90fd65
diff --git a/mail/namespace.yaml b/mail/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mail
diff --git a/mail/resources.yaml b/mail/resources.yaml
@@ -0,0 +1,109 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mail
+spec:
+  selector:
+    matchLabels:
+      app: mail
+  template:
+    metadata:
+      labels:
+        app: mail
+    spec:
+      shareProcessNamespace: true
+      containers:
+      - name: postfix
+        image: hashbang/postfix
+        ports:
+        - containerPort: 25
+          name: smtp
+        readinessProbe:
+          tcpSocket:
+            port: 25
+        livenessProbe:
+          tcpSocket:
+            port: 25
+        volumeMounts:
+        - mountPath: /etc/postfix
+          name: mail-config
+          readOnly: true
+        - mountPath: /etc/postfix/aliases
+          name: mail-aliases
+          subPath: aliases
+          readOnly: true
+        - mountPath: /etc/tls
+          name: mail-certs
+          readOnly: true
+        - mountPath: /var/spool/postfix
+          name: mail-spool
+      - name: config-reloader
+        # image includes busybox's inotifyd + pkill
+        image: alpine
+        command: ["/bin/sh"]
+        args:
+          - "-c"
+          - |
+            echo "Watching /etc/postfix";
+            inotifyd - /etc/postfix/:wMymndox /etc/postfix/aliases:wMymndox /etc/postfix/tls/:wMymndox | while read -r notifies ; do
+              echo "notify received: $notifies";
+              echo "running newaliases";
+              newaliases;
+              echo "sending SIGHUP";
+              pkill -HUP master;
+            done
+            echo "Exiting.";
+        volumeMounts:
+        - mountPath: /etc/postfix
+          name: mail-config
+          readOnly: true
+        - mountPath: /etc/postfix/aliases
+          name: mail-aliases
+          subPath: aliases
+          readOnly: true
+        - mountPath: /etc/tls
+          name: mail-certs
+          readOnly: true
+      volumes:
+      - name: mail-config
+        configMap:
+          name: mail-config
+      - name: mail-aliases
+        secret:
+          secretName: mail-aliases
+      - name: mail-certs
+        secret:
+          secretName: mail-certs
+      - name: mail-spool
+        persistentVolumeClaim:
+          claimName: mail-spool
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mail
+  labels:
+    app: mail
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: "mail.hashbang.sh"
+spec:
+  type: NodePort
+  ports:
+  - name: smtp
+    port: 25
+    targetPort: 25
+  selector:
+    app: mail
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mail-spool
+  labels:
+    app: mail
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
diff --git a/mail/secret-generator.yaml b/mail/secret-generator.yaml
@@ -0,0 +1,6 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: mail-secrets
+files:
+  - ./aliases.enc.yaml

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +# Mail
++
 +https://github.com/hashbang/docker-postfix
++
 +Delivers mail to the shell servers