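locals {
  # Labels shared by every ZoneMTA object, so the Deployment selector,
  # the pod template and the Service selector all agree.
  zonemta-labels = merge(local.common_labels, { "app.kubernetes.io/component" = "zonemta" })
}

# ZoneMTA submission/outbound MTA for this WildDuck instance.
# Exposes SMTP submission on container port 5870; the Service below maps it to 587.
# Config files are projected from the ConfigMap with subPath so each file lands in
# the path ZoneMTA expects; the TLS key/cert come from the instance certificate Secret.
resource "kubectl_manifest" "zonemta_deploy" {
  yaml_body = <<-EOF
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: "${var.instance}-zonemta"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.zonemta-labels)}
    spec:
      replicas: 1
      selector:
        matchLabels: ${jsonencode(local.zonemta-labels)}
      template:
        metadata:
          labels: ${jsonencode(local.zonemta-labels)}
        spec:
          # ZoneMTA never calls the Kubernetes API; do not project a SA token into the pod.
          automountServiceAccountToken: false
          securityContext:
            # fsGroup matches runAsUser so the mounted key/cert are readable by the process
            # (feeder.toml notes that SMTP auth fails when the keys are unreadable).
            fsGroup: 1000
            seccompProfile:
              type: RuntimeDefault
          containers:
            # NOTE(review): the container runs ZoneMTA, not WildDuck; the name is kept as-is
            # because kubectl/log tooling may already reference it.
            - name: wildduck
              securityContext:
                capabilities:
                  drop:
                    - ALL
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                runAsNonRoot: true
                runAsUser: 1000
              image: "${var.images.zonemta.registry}/${var.images.zonemta.repository}:${var.images.zonemta.tag}"
              imagePullPolicy: "${var.images.zonemta.pull_policy}"
              ports:
                - name: smtp
                  containerPort: 5870
                  protocol: TCP
              livenessProbe:
                tcpSocket:
                  port: smtp
                initialDelaySeconds: 20
                periodSeconds: 30
              readinessProbe:
                tcpSocket:
                  port: smtp
                initialDelaySeconds: 20
                periodSeconds: 30
              # No requests/limits are set; without them the pod is BestEffort and is the
              # first to be evicted under node pressure. Size per environment.
              resources: {}
              volumeMounts:
                - name: tls
                  mountPath: "/var/opt/certs"
                  readOnly: true
                - name: config
                  mountPath: /app/config/dbs-production.toml
                  subPath: dbs-production.toml
                - name: config
                  mountPath: /app/config/pools.toml
                  subPath: pools.toml
                - name: config
                  mountPath: /app/config/plugins/wildduck.toml
                  subPath: wildduck.toml
                - name: config
                  mountPath: /app/config/plugins/loop-breaker.toml
                  subPath: loop-breaker.toml
                - name: config
                  mountPath: /app/config/interfaces/feeder.toml
                  subPath: feeder.toml
          volumes:
            - name: config
              configMap:
                name: "${var.instance}-zonemta"
            - name: tls
              secret:
                secretName: "${var.instance}-cert"
  EOF
}

# ZoneMTA configuration files (TOML), one ConfigMap key per file.
#
# NOTE(review): dbs-production.toml (MongoDB password), loop-breaker.toml and
# wildduck.toml (loop-breaker, SRS and DKIM secrets) embed credentials, but a
# ConfigMap is not treated as sensitive by RBAC defaults or etcd encryption.
# Moving those three files to a kubernetes_secret_v1 (mounted as a second volume)
# would limit who can read them; kept as a ConfigMap here to preserve the
# resource address other modules may reference.
#
# NOTE(review): local.mongo-password is interpolated raw into the connection
# string; if it can contain URL-reserved characters (e.g. '@', ':', '/') it
# needs urlencode() — confirm how that local is produced before changing it.
resource "kubernetes_config_map_v1" "zonemta_config" {
  metadata {
    name      = "${var.instance}-zonemta"
    namespace = "${var.namespace}"
    labels    = local.zonemta-labels
  }

  data = yamldecode(<<-EOF
    feeder.toml: |-
      # Default SMTP interface for accepting mail for delivery
      [feeder]
      enabled=true

      # How many worker processes to spawn
      processes=1

      # Maximum allowed message size 30MB
      maxSize=31457280

      # Local IP and port to bind to
      host="0.0.0.0"
      port=5870

      # Set to true to require authentication
      # If authentication is enabled then you need to use a plugin with an authentication hook
      authentication=true

      # How many recipients to allow per message
      maxRecipients=1000

      # Set to true to enable STARTTLS. Do not forget to change default TLS keys
      starttls=true

      # set to true to start in TLS mode if using port 465
      # this probably does not work as TLS support with 465 in ZoneMTA is a bit buggy
      secure=false

      # define keys for STARTTLS/TLS. These paths are relative to CWD
      # NB! Keys must be accessible by process user or SMTP authentication will fail.
      key="/var/opt/certs/tls.key"
      cert="/var/opt/certs/tls.crt"

    dbs-production.toml: |-
      # Database configuration
      # this file is loaded when NODE_ENV=production

      # MongoDB connection string
      mongo="mongodb://${var.component}:${local.mongo-password}@${var.instance}-${var.component}-mongo-svc.${var.namespace}.svc:27017/${var.component}"

      # Redis connection string
      redis="redis://${var.instance}-${var.component}-redis.${var.namespace}.svc:6379/2"

      # Database name for ZoneMTA data in MongoDB. In most cases it should be the same as in the connection string
      sender="wildduck"

      # Database name for Wild Duck users
      # users="wildduck"

      # Database name for Wild Duck attachments
      # gridfs="wildduck"

    pools.toml: |-
      # List local IP addresses that can be used for outbound tcp connections
      # Server process must be able to locally bind to these addresses
      [[default]]
      address="0.0.0.0"
      name="${var.sub_domain}.${var.domain_name}"

      #
      #[[default]]
      #address="1.2.3.5"
      #name="ip-2.hostname"

    loop-breaker.toml: |-
      ["modules/zonemta-loop-breaker"]
      enabled="sender"
      secret="${local.secrets.zonemta}"
      algo="md5"

    wildduck.toml: |-
      ["modules/zonemta-wildduck"]
      enabled=["receiver", "sender"]

      # to which SMTP interfaces this plugin applies to. Use "*" for all interfaces
      interfaces=["feeder"]

      # optional hostname to be used in headers
      # defaults to os.hostname()
      hostname="${var.sub_domain}.${var.domain_name}"

      # How long to keep auth records in log
      authlogExpireDays=30

      # default smtp recipients for 24h (can be overriden per user)
      maxRecipients=2000

      disableUploads=false # if true then messages are not uploaded to Sent Mail folder
      uploadAll=false # if false then messages from Outlook are not uploaded to Sent Mail folder

      # SRS settings for forwarded emails
      # ---------------------------------

      ["modules/zonemta-wildduck".srs]
      # Handle rewriting of forwarded emails. If false then SRS is not used
      # Only affect messages that have interface set to "forwarder"
      enabled=true

      # SRS secret value. Must be the same as in the MX side
      secret="${local.secrets.srs}"

      # SRS domain, must resolve back to MX
      rewriteDomain="${var.domain_name}"

      # DKIM Settings
      # -------------

      ["modules/zonemta-wildduck".dkim]
      cipher="aes192"
      secret="${local.secrets.dkim}"
      useOpenSSL=true
      signTransportDomain=true
      hashAlgo="sha256"
  EOF
  )
}

# Public submission endpoint: 587 on the load balancer -> container port "smtp" (5870).
# The interface behind it requires authentication and offers STARTTLS (see feeder.toml).
resource "kubectl_manifest" "zonemta_service" {
  yaml_body = <<-EOF
    apiVersion: v1
    kind: Service
    metadata:
      name: "${var.instance}-zonemta"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.zonemta-labels)}
    spec:
      type: LoadBalancer
      ports:
        - port: 587
          targetPort: smtp
          protocol: TCP
          name: smtp
      selector: ${jsonencode(local.zonemta-labels)}
  EOF
}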