# Label set shared by the ZoneMTA Deployment, its pod template, the Service
# selector and the ConfigMap. Everything but the component label is inherited
# from the module-wide local.common-labels.
locals {
  zonemta-labels = merge(
    local.common-labels,
    { "app.kubernetes.io/component" = "zonemta" },
  )
}

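# ZoneMTA Deployment. Rendered as a YAML heredoc so the label map can be
# spliced in with jsonencode() (a JSON flow mapping is valid YAML).
# Container port 5870 must match the feeder.toml "port" in the ConfigMap.
resource "kubectl_manifest" "zonemta_deploy" {
  yaml_body = <<-EOF
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: "${var.instance}-zonemta"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.zonemta-labels)}
    spec:
      replicas: 1
      selector:
        matchLabels: ${jsonencode(local.zonemta-labels)}
      template:
        metadata:
          labels: ${jsonencode(local.zonemta-labels)}
        spec:
          securityContext:
            # fsGroup lets uid 1000 read the group-owned TLS key mounted
            # below; feeder.toml notes that auth fails if the key is unreadable.
            fsGroup: 1000
            # Pod-wide seccomp default (Kubernetes 1.19+); nothing else in this
            # manifest sets a seccomp profile.
            seccompProfile:
              type: RuntimeDefault
          containers:
            # NOTE(review): the container is named "wildduck" although it runs
            # the zonemta image. Left unchanged because exec/log tooling may
            # reference the name; rename together with any such tooling.
            - name: wildduck
              securityContext:
                capabilities:
                  drop:
                    - ALL
                readOnlyRootFilesystem: true
                runAsNonRoot: true
                runAsUser: 1000
                # Dropping capabilities alone does not stop setuid/file-cap
                # binaries from regaining privilege; this closes that path.
                allowPrivilegeEscalation: false
              image: "${var.images.zonemta.registry}/${var.images.zonemta.repository}:${var.images.zonemta.tag}"
              imagePullPolicy: "${var.images.zonemta.pullPolicy}"
              ports:
                - name: smtp
                  containerPort: 5870
                  protocol: TCP
              # Both probes only check that the SMTP listener accepts a TCP
              # connection; they do not exercise the database connections.
              livenessProbe:
                tcpSocket:
                  port: smtp
                initialDelaySeconds: 20
                periodSeconds: 30
              readinessProbe:
                tcpSocket:
                  port: smtp
                initialDelaySeconds: 20
                periodSeconds: 30
              # No requests/limits are defined; set them per environment so a
              # runaway process cannot starve the node (values are deployment
              # specific and deliberately not guessed here).
              resources: {}
              volumeMounts:
                - name: tls
                  mountPath: "/var/opt/certs"
                  readOnly: true
                # Each TOML file is projected individually via subPath so the
                # rest of /app/config from the image stays visible.
                - name: config
                  mountPath: /app/config/dbs-production.toml
                  subPath: dbs-production.toml
                - name: config
                  mountPath: /app/config/pools.toml
                  subPath: pools.toml
                - name: config
                  mountPath: /app/config/plugins/wildduck.toml
                  subPath: wildduck.toml
                - name: config
                  mountPath: /app/config/plugins/loop-breaker.toml
                  subPath: loop-breaker.toml
                - name: config
                  mountPath: /app/config/interfaces/feeder.toml
                  subPath: feeder.toml
          volumes:
            # NOTE(review): this ConfigMap (kubernetes_config_map_v1.zonemta_config)
            # carries the MongoDB password and the DKIM/SRS/loop-breaker secrets
            # inside the rendered TOML, so anyone with ConfigMap read access in
            # the namespace can read them. The fix is to render that data into
            # a Secret and switch this volume to "secret:", which has to be done
            # together with that resource.
            - name: config
              configMap:
                name: "${var.instance}-zonemta"
            - name: tls
              secret:
                secretName: "${var.instance}-cert"
  EOF
}
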
# ZoneMTA configuration files, one ConfigMap key per TOML file. The heredoc is
# YAML whose values are "|-" block scalars, so the "#" lines inside it are TOML
# comments that end up in the stored data, not HCL comments.
#
# NOTE(review): the rendered TOML embeds local.mongo-password and the
# local.secrets.{zonemta,srs,dkim} values. A ConfigMap is not a secret store:
# ConfigMap read access in the namespace exposes all of them, and because the
# kubernetes_config_map_v1 data attribute is not marked sensitive they are also
# printed in plan output and stored in state. Moving this data into a Secret
# requires changing the Deployment's "config" volume at the same time.
resource "kubernetes_config_map_v1" "zonemta_config" {
  metadata {
    name      = "${var.instance}-zonemta"
    namespace = "${var.namespace}"
    labels    = local.zonemta-labels
  }

  # yamldecode() turns the heredoc into a map(string) for "data"; the "${}"
  # references are Terraform interpolations evaluated before decoding.
  # NOTE(review): dbs-production.toml sets sender="wildduck" while the mongo
  # connection string's database is ${var.component} — the TOML comment says
  # these should normally match; confirm var.component is "wildduck".
  # NOTE(review): loop-breaker uses algo="md5"; it is a loop-detection tag
  # rather than an integrity guarantee, but check whether the plugin accepts
  # a stronger digest before relying on it.
  data = yamldecode(<<-EOF
    feeder.toml: |-
      # Default SMTP interface for accepting mail for delivery
      [feeder]
      enabled=true
      # How many worker processes to spawn
      processes=1
      # Maximum allowed message size 30MB
      maxSize=31457280
      # Local IP and port to bind to
      host="0.0.0.0"
      port=5870
      # Set to true to require authentication
      # If authentication is enabled then you need to use a plugin with an authentication hook
      authentication=true
      # How many recipients to allow per message
      maxRecipients=1000
      # Set to true to enable STARTTLS. Do not forget to change default TLS keys
      starttls=true
      # set to true to start in TLS mode if using port 465
      # this probably does not work as TLS support with 465 in ZoneMTA is a bit buggy
      secure=false
      # define keys for STARTTLS/TLS. These paths are relative to CWD
      # NB! Keys must be accessible by process user or SMTP authentication will fail.
      key="/var/opt/certs/tls.key"
      cert="/var/opt/certs/tls.crt"
    dbs-production.toml: |-
      # Database configuration
      # this file is loaded when NODE_ENV=production
      # MongoDB connection string
      mongo="mongodb://${var.component}:${local.mongo-password}@${var.instance}-${var.component}-mongo-svc.${var.namespace}.svc:27017/${var.component}"
      # Redis connection string
      redis="redis://${var.instance}-${var.component}-redis.${var.namespace}.svc:6379/2"
      # Database name for ZoneMTA data in MongoDB. In most cases it should be the same as in the connection string
      sender="wildduck"
      # Database name for Wild Duck users
      # users="wildduck"
      # Database name for Wild Duck attachments
      # gridfs="wildduck"
    pools.toml: |-
      # List local IP addresses that can be used for outbound tcp connections
      # Server process must be able to locally bind to these addresses
      [[default]]
      address="0.0.0.0"
      name="${var.sub_domain}.${var.domain_name}"
      #
      #[[default]]
      #address="1.2.3.5"
      #name="ip-2.hostname"
    loop-breaker.toml: |-
      ["modules/zonemta-loop-breaker"]
      enabled="sender"
      secret="${local.secrets.zonemta}"
      algo="md5"
    wildduck.toml: |-
      ["modules/zonemta-wildduck"]
      enabled=["receiver", "sender"]
      # to which SMTP interfaces this plugin applies to. Use "*" for all interfaces
      interfaces=["feeder"]
      # optional hostname to be used in headers
      # defaults to os.hostname()
      hostname="${var.sub_domain}.${var.domain_name}"
      # How long to keep auth records in log
      authlogExpireDays=30
      # default smtp recipients for 24h (can be overriden per user)
      maxRecipients=2000
      disableUploads=false # if true then messages are not uploaded to Sent Mail folder
      uploadAll=false # if false then messages from Outlook are not uploaded to Sent Mail folder
      # SRS settings for forwarded emails
      # ---------------------------------
      ["modules/zonemta-wildduck".srs]
      # Handle rewriting of forwarded emails. If false then SRS is not used
      # Only affect messages that have interface set to "forwarder"
      enabled=true
      # SRS secret value. Must be the same as in the MX side
      secret="${local.secrets.srs}"
      # SRS domain, must resolve back to MX
      rewriteDomain="${var.domain_name}"
      # DKIM Settings
      # -------------
      ["modules/zonemta-wildduck".dkim]
      cipher="aes192"
      secret="${local.secrets.dkim}"
      useOpenSSL=true
      signTransportDomain=false
      hashAlgo="sha256"
  EOF
  )
}

# External entry point for the ZoneMTA feeder: a LoadBalancer Service that
# forwards submission port 587 to the Deployment's "smtp" container port.
# Built with yamlencode() from a plain HCL object instead of a heredoc, so the
# label maps are ordinary values rather than JSON spliced into YAML text.
resource "kubectl_manifest" "zonemta_service" {
  yaml_body = yamlencode({
    apiVersion = "v1"
    kind       = "Service"
    metadata = {
      name      = "${var.instance}-zonemta"
      namespace = "${var.namespace}"
      labels    = local.zonemta-labels
    }
    spec = {
      type = "LoadBalancer"
      ports = [
        {
          port       = 587
          targetPort = "smtp"
          protocol   = "TCP"
          name       = "smtp"
        },
      ]
      selector = local.zonemta-labels
    }
  })
}