wildduck: Clean up configs

wildduck/.gitignore

@@ -1 +1,2 @@
+dhparams.pem
 secret.yml

wildduck/README.md

@@ -22,3 +22,10 @@ The mail stack consists of several moving parts:
 Outside Kubernetes there is NAT rule on the Mikrotik router
 which rewrites source IP of any TCP port 25 headed traffic to
 originate from the IP address of the mail exchange.
+
+TODO: Figure out how to automate DH parameters generation:
+
+```
+openssl dhparam -out dhparams.pem 2048
+kubectl create secret generic -n wildduck dhparams --from-file=dhparams.pem
+```

wildduck/haraka.yaml

@@ -11,7 +11,9 @@ data:
     spf
     clamd
     rspamd
+    dkim_verify
     wildduck
+    tls
   rspamd.ini: |-
     host = rspamd
     port = 11333
@@ -53,7 +55,7 @@ data:
       "redis": process.env.REDIS_URI,
       "mongo": {
         "url": process.env.MONGO_URI,
-        "sender": "application"
+        "sender": "zone-mta",
       },
       "sender": {
         "enabled": true,
@@ -62,7 +64,7 @@ data:
         "collection": "zone-queue"
       },
       "srs": {
-        "secret": "foobar"
+        "secret": process.env.SRS_SECRET
       },
       "attachments": {
         "type": "gridstore",
@@ -135,6 +137,11 @@ spec:
             - mountPath: /cert
               name: cert
           env:
+            - name: SRS_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: srs
+                  key: secret
             - name: REDIS_URI
               valueFrom:
                 secretKeyRef:
@@ -152,6 +159,8 @@ spec:
         - name: wildduck-haraka-config
           projected:
             sources:
+              - secret:
+                  name: dhparams
               - configMap:
                   name: haraka
         - name: var-lib-haraka

wildduck/loadbalancer.yaml

@@ -13,9 +13,6 @@ spec:
   selector:
     app.kubernetes.io/name: wildduck
   ports:
-  - port: 8080
-    name: wildduck-api
-    targetPort: wildduck-api
   - port: 993
     name: wildduck-mda
     targetPort: wildduck-mda
@@ -25,4 +22,3 @@ spec:
   - port: 25
     name: haraka-mta
     targetPort: haraka-mta
-

wildduck/srs.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+  name: srs
+spec:
+  size: 32
+  mapping:
+    - key: secret
+      value: "%(plaintext)s"

wildduck/wildduck-operator.yaml

@@ -24,7 +24,7 @@ spec:
             - name: ALLOWED_GROUPS
               value: k-space:friends,k-space:floor
             - name: WILDDUCK_API_URL
-              value: http://mail2.k-space.ee:8080
+              value: http://wildduck-api:8080
             - name: WILDDUCK_API_TOKEN
               valueFrom:
                 secretKeyRef:

wildduck/wildduck.yaml

@@ -55,6 +55,14 @@ spec:
               cpu: 10m
               memory: 100Mi
           env:
+            - name: APPCONF_emailDomain
+              value: k-space.ee
+            - name: APPCONF_log_level
+              value: info
+            - name: APPCONF_maxForwards
+              value: "2000"
+            - name: APPCONF_hostname
+              value: mail.k-space.ee
             - name: APPCONF_tls_key
               value: /cert/tls.key
             - name: APPCONF_tls_cert

wildduck/wildflock.yaml

@@ -105,7 +105,7 @@ spec:
             - name: NODE_ENV
               value: prod
             - name: WILDDUCK_URL
-              value: https://mail.k-space.ee
+              value: http://wildduck-api:8080
             - name: WILDDUCK_TOKEN
               valueFrom:
                 secretKeyRef:

wildduck/zonemta.yaml

@@ -16,9 +16,7 @@ data:
     hostname="mail.k-space.ee"
     authlogExpireDays=30
     [wildduck.srs]
-    enabled=false
+    enabled=true
-    # SRS secret value. Must be the same as in the MX side
-    secret="................................"
     rewriteDomain="k-space.ee"
   zonemta.toml: |-
     [log]
@@ -57,7 +55,7 @@ spec:
     spec:
       containers:
         - name: zonemta
-          image: docker.io/codemowers/wildduck-zonemta-outbound:latest@sha256:a35453409c29882bacb4a758909a38ed62daa875ad72cf706996bb144703ef49
+          image: docker.io/codemowers/wildduck-zonemta-outbound:latest@sha256:0878c803164e636820398f11a3811f3d92b7771c6202cfe229f97449d0009119
           imagePullPolicy: IfNotPresent
           command:
             - /sbin/tini
@@ -83,6 +81,11 @@ spec:
               cpu: 10m
               memory: 500Mi
           env:
+            - name: APPCONF_plugins_wildduck_srs_secret
+              valueFrom:
+                secretKeyRef:
+                  name: srs
+                  key: secret
             - name: APPCONF_dbs_sender
               value: zone-mta
             - name: APPCONF_dbs_mongo