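---
# tasks file for mail
#
# Creates the `mail` namespace, a cert-manager Certificate, a PVC, a
# docker-mailserver Deployment and the LoadBalancer Service in front of it.
# The only secret handled here is `ldap_readonly_password`; it is expected
# to come from an Ansible vault rather than plain group_vars.

- name: Create Mail namespace
  k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Namespace
      metadata:
        name: mail

- name: Request a certificate for mail
  k8s:
    state: present
    definition:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: mail
        namespace: mail
      spec:
        # cert-manager writes tls.crt / tls.key into this Secret; the
        # Deployment below mounts it at /etc/letsencrypt.
        secretName: mail
        privateKey:
          algorithm: RSA
          encoding: PKCS1
          size: 2048
        duration: 2160h  # 90d
        renewBefore: 360h  # 15d
        isCA: false
        usages:
          - server auth
          - client auth
        subject:
          organizations:
            - EOM
        commonName: mail.eom.dev
        dnsNames:
          - mail.eom.dev
        issuerRef:
          name: ca-issuer
          kind: ClusterIssuer

- name: Create a persistent volume claim for mail
  k8s:
    state: present
    definition:
      apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: mail
        namespace: mail
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 128Gi

- name: Create a deployment
  # The rendered definition embeds the LDAP bind password; no_log keeps it
  # out of task output and callback logs (failures show less detail).
  no_log: true
  k8s:
    state: present
    definition:
      apiVersion: apps/v1  # Deployment is served from apps/v1, not core v1
      kind: Deployment
      metadata:
        name: mail
        namespace: mail
      spec:
        replicas: 1
        # Single replica on a ReadWriteOnce claim: Recreate stops a rolling
        # update from trying to attach the same volume to a second pod.
        strategy:
          type: Recreate
        selector:
          matchLabels:
            app: mail
        template:
          metadata:
            labels:
              app: mail
          spec:
            containers:
              - name: mail
                # Untagged image resolves to :latest; pin a tag or digest so
                # upgrades are deliberate and rollbacks reproducible.
                image: mailserver/docker-mailserver
                volumeMounts:
                  - name: ssl
                    mountPath: /etc/letsencrypt
                  - name: mail
                    mountPath: /var/mail
                ports:
                  - containerPort: 25
                  - containerPort: 465
                  - containerPort: 587
                  - containerPort: 993
                env:
                  - name: OVERRIDE_HOSTNAME
                    value: "mail.eom.dev"
                  - name: POSTMASTER_ADDRESS
                    value: "eric@mail.eom.dev"
                  - name: ACCOUNT_PROVISIONER
                    value: "LDAP"
                  # Plain ldap:// inside the cluster: the bind credentials
                  # cross the pod network unencrypted unless the directory
                  # side enforces TLS. Consider ldaps:// or STARTTLS.
                  - name: LDAP_SERVER_HOST
                    value: "ldap://openldap.auth.svc.cluster.local/"
                  - name: LDAP_SEARCH_BASE
                    value: "dc=eom,dc=dev"
                  - name: LDAP_BIND_DN
                    value: "cn=readonly,dc=eom,dc=dev"
                  # Stored in clear in the Deployment spec, readable by
                  # anyone who can get deployments in this namespace. A
                  # Secret plus valueFrom.secretKeyRef would be tighter.
                  - name: LDAP_BIND_PW
                    value: "{{ ldap_readonly_password }}"
                  - name: LDAP_QUERY_FILTER_DOMAIN
                    value: "(|(mail=*@%s)(mailAlias=*@%s)(mailGroupMember=*@%s))"
                  - name: LDAP_QUERY_FILTER_USER
                    value: "(|(objectClass=inetOrgPerson))"
                  - name: LDAP_QUERY_FILTER_ALIAS
                    value: "(&(objectClass=inetOrgPerson)(mailAlias=%s))"
                  - name: LDAP_QUERY_FILTER_GROUP
                    value: "(&(objectClass=inetOrgPerson)(mailGroupMember=%s))"
                  - name: LDAP_QUERY_FILTER_SENDERS
                    value: "(&(objectClass=inetOrgPerson)(|(mail=%s)(mailAlias=%s)(mailGroupMember=%s)))"
                  - name: SPOOF_PROTECTION
                    value: "1"
                  - name: DOVECOT_AUTH_BIND
                    value: "yes"  # quoted on purpose: must reach the container as a string
                  # MD5-CRYPT is a weak fallback hash scheme; review whether
                  # the hashes stored in the directory allow a stronger one.
                  - name: DOVECOT_DEFAULT_PASS_SCHEME
                    value: "MD5-CRYPT"
                  - name: DOVECOT_USER_FILTER
                    value: "(|(objectClass=inetOrgPerson))"
                  - name: DOVECOT_PASS_ATTRS
                    value: "=user=%{ldap:uid},=password=%{ldap:userPassword}"
                  - name: DOVECOT_USER_ATTRS
                    value: "=home=/var/mail/%{ldap:uid},=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=gid"
                  - name: ENABLE_SASLAUTHD
                    value: "1"
                  - name: SASLAUTHD_MECHANISMS
                    value: "ldap"
                  - name: SASLAUTHD_LDAP_FILTER
                    value: "(|(objectClass=inetOrgPerson))"
                  # Certificate comes from the cert-manager Secret mounted
                  # below, not from the image's built-in ACME client.
                  - name: SSL_TYPE
                    value: "manual"
                  - name: SSL_CERT_PATH
                    value: "/etc/letsencrypt/tls.crt"
                  - name: SSL_KEY_PATH
                    value: "/etc/letsencrypt/tls.key"
            volumes:
              - name: ssl
                secret:
                  secretName: mail
              - name: mail
                persistentVolumeClaim:
                  claimName: mail

- name: Expose deployment as a service
  k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Service
      metadata:
        name: mail
        namespace: mail
      spec:
        selector:
          app: mail
        # Port names follow the protocol each port actually serves
        # (465 is implicit-TLS SMTPS, 587 is STARTTLS submission).
        ports:
          - port: 25
            name: smtp
          - port: 465
            name: smtps
          - port: 587
            name: submission
          - port: 993
            name: imaps
        type: LoadBalancer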