Initial commit

wildduck/.gitignore

@@ -0,0 +1,2 @@
+redis.yml
+secret.yml

wildduck/README.md

@@ -0,0 +1,17 @@
+To deploy replace the API secret in configmaps/webmail.yml and:
+
+```
+kubectl -n wildduck apply --recursive -f namespace.yml -f webmail.yml -f redis.yml
+kubectl -n wildduck rollout restart deployment/webmail
+```
+
+To generate secrets:
+
+```
+ kubectl create secret generic -n wildduck wildduck \
+    --from-literal=WILDDUCK_API_TOKEN=$(cat /dev/urandom | base64 | head -c 30)
+ REDIS_PASSWORD=$(cat /dev/urandom | base64 | head -c 30)
+ kubectl create secret generic -n wildduck redis-secrets \
+    --from-literal=REDIS_PASSWORD=$REDIS_PASSWORD \
+    --from-literal=REDIS_URL="redis://:$REDIS_PASSWORD@redis:6379/5"
+```

wildduck/application.yml

@@ -0,0 +1,127 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: webmail-config
+  namespace: wildduck
+data:
+  www.toml: |-
+    name="Wild Duck Mail"
+    title="wildduck-www"
+    [service]
+    domain="k-space.ee"
+    identities=1
+    allowIdentityEdit=false
+    allowJoin=false
+    domains=[]
+    [service.sso.http]
+    enabled = true
+    header = "Remote-User"
+    logoutRedirect = "https://auth.k-space.ee/logout"
+    [u2f]
+    enabled=false
+    [log]
+    level="info"
+    [setup.imap]
+    hostname="mail.k-space.ee"
+    secure=true
+    port=993
+    [setup.pop3]
+    hostname="mail.k-space.ee"
+    secure=true
+    port=995
+    [setup.smtp]
+    hostname="mail.k-space.ee"
+    secure=true
+    port=465
+    [api]
+    url="https://mail.k-space.ee"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: webmail
+  namespace: wildduck
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: webmail
+  template:
+    metadata:
+      labels:
+        app: webmail
+    spec:
+      containers:
+        - name: webmail
+          image: harbor.k-space.ee/k-space/wildduck-webmail:latest
+          command:
+            - node
+            - server.js
+            - --config=/etc/wildduck/www.toml
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 65534
+          volumeMounts:
+            - name: webmail-config
+              mountPath: /etc/wildduck
+              readOnly: true
+          env:
+            - name: APPCONF_api_accessToken
+              valueFrom:
+                secretKeyRef:
+                  name: wildduck
+                  key: WILDDUCK_API_TOKEN
+            - name: APPCONF_dbs_redis
+              valueFrom:
+                secretKeyRef:
+                  name: redis-secrets
+                  key: REDIS_URL
+      volumes:
+        - name: webmail-config
+          projected:
+            sources:
+              - configMap:
+                  name: webmail-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: webmail
+  namespace: wildduck
+spec:
+  selector:
+    app: webmail
+  ports:
+  - protocol: TCP
+    port: 80
+    targetPort: 5000
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: webmail
+  namespace: wildduck
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    cert-manager.io/cluster-issuer: default
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+spec:
+  rules:
+  - host: webmail.k-space.ee
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: webmail
+            port:
+              number: 80
+  tls:
+  - hosts:
+    - webmail.k-space.ee
+    secretName: webmail-tls