168 lines
5.0 KiB
YAML
168 lines
5.0 KiB
YAML
---
|
|
# tasks file for mail
|
|
- name: Create Mail namespace
|
|
k8s:
|
|
state: present
|
|
definition:
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: mail
|
|
|
|
- name: Request a certificate for mail
|
|
k8s:
|
|
state: present
|
|
definition:
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Certificate
|
|
metadata:
|
|
name: mail
|
|
namespace: mail
|
|
spec:
|
|
secretName: mail
|
|
privateKey:
|
|
algorithm: RSA
|
|
encoding: PKCS1
|
|
size: 2048
|
|
duration: 2160h # 90d
|
|
renewBefore: 360h # 15d
|
|
isCA: false
|
|
usages:
|
|
- server auth
|
|
- client auth
|
|
subject:
|
|
organizations:
|
|
- EOM
|
|
commonName: mail.eom.dev
|
|
dnsNames:
|
|
- mail.eom.dev
|
|
issuerRef:
|
|
name: ca-issuer
|
|
kind: ClusterIssuer
|
|
|
|
- name: Create a persistent volume claim for mail
|
|
k8s:
|
|
state: present
|
|
definition:
|
|
apiVersion: v1
|
|
kind: PersistentVolumeClaim
|
|
metadata:
|
|
name: mail
|
|
namespace: mail
|
|
spec:
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
resources:
|
|
requests:
|
|
storage: 128Gi
|
|
|
|
- name: Create a deployment
|
|
k8s:
|
|
definition:
|
|
apiVersion: v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: mail
|
|
namespace: mail
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: mail
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: mail
|
|
spec:
|
|
containers:
|
|
- name: mail
|
|
image: mailserver/docker-mailserver
|
|
volumeMounts:
|
|
- name: ssl
|
|
mountPath: /etc/letsencrypt
|
|
- name: mail
|
|
mountPath: /var/mail
|
|
ports:
|
|
- containerPort: 25
|
|
- containerPort: 465
|
|
- containerPort: 587
|
|
- containerPort: 993
|
|
env:
|
|
- name: OVERRIDE_HOSTNAME
|
|
value: "mail.eom.dev"
|
|
- name: POSTMASTER_ADDRESS
|
|
value: "eric@mail.eom.dev"
|
|
- name: ACCOUNT_PROVISIONER
|
|
value: "LDAP"
|
|
- name: LDAP_SERVER_HOST
|
|
value: "ldap://openldap.auth.svc.cluster.local/"
|
|
- name: LDAP_SEARCH_BASE
|
|
value: "dc=eom,dc=dev"
|
|
- name: LDAP_BIND_DN
|
|
value: "cn=readonly,dc=eom,dc=dev"
|
|
- name: LDAP_BIND_PW
|
|
value: "{{ ldap_readonly_password }}"
|
|
- name: LDAP_QUERY_FILTER_DOMAIN
|
|
value: "(|(mail=*@%s)(mailAlias=*@%s)(mailGroupMember=*@%s))"
|
|
- name: LDAP_QUERY_FILTER_USER
|
|
value: "(|(objectClass=inetOrgPerson))"
|
|
- name: LDAP_QUERY_FILTER_ALIAS
|
|
value: "(&(objectClass=inetOrgPerson)(mailAlias=%s))"
|
|
- name: LDAP_QUERY_FILTER_GROUP
|
|
value: "(&(objectClass=inetOrgPerson)(mailGroupMember=%s))"
|
|
- name: LDAP_QUERY_FILTER_SENDERS
|
|
value: "(&(objectClass=inetOrgPerson)(|(mail=%s)(mailAlias=%s)(mailGroupMember=%s)))"
|
|
- name: SPOOF_PROTECTION
|
|
value: "1"
|
|
- name: DOVECOT_AUTH_BIND
|
|
value: "yes"
|
|
- name: DOVECOT_DEFAULT_PASS_SCHEME
|
|
value: "MD5-CRYPT"
|
|
- name: DOVECOT_USER_FILTER
|
|
value: "(|(objectClass=inetOrgPerson))"
|
|
- name: DOVECOT_PASS_ATTRS
|
|
value: "=user=%{ldap:uid},=password=%{ldap:userPassword}"
|
|
- name: DOVECOT_USER_ATTRS
|
|
value: "=home=/var/mail/%{ldap:uid},=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=gid"
|
|
- name: ENABLE_SASLAUTHD
|
|
value: "1"
|
|
- name: SASLAUTHD_MECHANISMS
|
|
value: "ldap"
|
|
- name: SASLAUTHD_LDAP_FILTER
|
|
value: "(|(objectClass=inetOrgPerson))"
|
|
- name: SSL_TYPE
|
|
value: "manual"
|
|
- name: SSL_CERT_PATH
|
|
value: "/etc/letsencrypt/tls.crt"
|
|
- name: SSL_KEY_PATH
|
|
value: "/etc/letsencrypt/tls.key"
|
|
volumes:
|
|
- name: ssl
|
|
secret:
|
|
secretName: mail
|
|
- name: mail
|
|
persistentVolumeClaim:
|
|
claimName: mail
|
|
|
|
- name: Expose deployment as a service
|
|
k8s:
|
|
definition:
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: mail
|
|
namespace: mail
|
|
spec:
|
|
selector:
|
|
app: mail
|
|
ports:
|
|
- port: 25
|
|
name: smtp-a
|
|
- port: 465
|
|
name: smtp-b
|
|
- port: 587
|
|
name: smtps
|
|
- port: 993
|
|
name: imap
|
|
type: LoadBalancer
|