---
# Haraka (inbound MTA) configuration for the wildduck stack. Every key
# below becomes a file in the config directory the Deployment projects
# into the container (/etc/haraka and /etc/haraka/config). The `*.ini`
# and `*.js` values are consumed verbatim by Haraka plugins, so their
# block-scalar bodies must not be reformatted or commented inside.
apiVersion: v1
kind: ConfigMap
metadata:
  name: haraka
data:
  loglevel: info
  # ConfigMap data values must be strings; quoting keeps the number a string.
  plugin_timeout: "180"
  # The Deployment backs /var/lib/haraka with an emptyDir, so anything
  # queued here does not survive pod deletion or rescheduling.
  queue_dir: /var/lib/haraka/queue
  # Hostname Haraka announces for itself.
  me: |-
    mail.k-space.ee
  # Plugin list, one per line, in load order.
  plugins: |-
    spf
    clamd
    rspamd
    dkim_verify
    wildduck
    tls
  # rspamd plugin: [reject] spam = false together with [soft_reject]
  # enabled = true means spam is deferred (temporary failure) rather than
  # rejected outright; results are exposed via the X-Rspamd-* headers.
  # [check] also scans authenticated sessions and private-IP senders.
  rspamd.ini: |-
    host = rspamd
    port = 11333
    add_headers = always
    timeout = 30
    [dkim]
    enabled = true
    [header]
    bar = X-Rspamd-Bar
    report = X-Rspamd-Report
    score = X-Rspamd-Score
    spam = X-Rspamd-Spam
    [check]
    authenticated = true
    private_ip = true
    [reject]
    spam = false
    [soft_reject]
    enabled = true
    [rmilter_headers]
    enabled = true
    [spambar]
    positive = +
    negative = -
    neutral = /
  # clamd plugin: reject on a detected virus, but let mail through when
  # the scan itself fails (error=false) — availability over fail-closed.
  clamd.ini: |-
    clamd_socket = clamav:3310
    [reject]
    virus=true
    error=false
  # Listener matches the Deployment's containerPort (2525).
  smtp.ini: |-
    listen=0.0.0.0:2525
    nodes=1
  # key/cert come from the wildduck-tls secret mounted at /cert;
  # dhparams.pem comes from the dhparams secret projected alongside this
  # ConfigMap into the config directory.
  tls.ini: |-
    key=/cert/tls.key
    cert=/cert/tls.crt
    dhparam=dhparams.pem
  # wildduck plugin config (JavaScript module, not JSON). Credentials are
  # never inlined: REDIS_URI, MONGO_URI and SRS_SECRET are injected from
  # Secrets by the Deployment's env section.
  wildduck.js: |-
    module.exports = {
      "redis": process.env.REDIS_URI,
      "mongo": {
        "url": process.env.MONGO_URI,
        "sender": "wildduck",
      },
      "sender": {
        "enabled": true,
        "zone": "default",
        "gfs": "mail",
        "collection": "zone-queue"
      },
      "srs": {
        "secret": process.env.SRS_SECRET
      },
      "attachments": {
        "type": "gridstore",
        "bucket": "attachments",
        "decodeBase64": true
      },
      "log": {
        "authlogExpireDays": 30
      },
      "limits": {
        "windowSize": 3600,
        "rcptIp": 100,
        "rcptWindowSize": 60,
        "rcpt": 60
      },
      "gelf": {
        "enabled": false
      },
      "rspamd": {
        "forwardSkip": 10,
        "blacklist": [
          "DMARC_POLICY_REJECT"
        ],
        "softlist": [
          "RBL_ZONE"
        ],
        "responses": {
          "DMARC_POLICY_REJECT": "Unauthenticated email from {host} is not accepted due to domain's DMARC policy",
          "RBL_ZONE": "[{host}] was found from Zone RBL"
        }
      }
    }
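---
# Inbound MTA pods. Two replicas, forced into different zones and each
# co-located with a wildduck pod (see affinity). Container hardening
# follows the "restricted" Pod Security Standard: non-root, read-only
# root filesystem, no privilege escalation, no capabilities, default
# seccomp profile, and no service-account token.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: haraka
spec:
  strategy:
    # Recreate stops both replicas before starting the new ones, so a
    # rollout briefly accepts no mail. Sending MTAs retry on connection
    # failure, so this is presumably acceptable — confirm.
    type: Recreate
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: wildduck
      app.kubernetes.io/component: haraka
  template:
    metadata:
      labels:
        app.kubernetes.io/name: wildduck
        app.kubernetes.io/component: haraka
    spec:
      # Nothing in this pod spec uses the Kubernetes API (no
      # serviceAccountName, no API-client env); do not mount a token.
      automountServiceAccountToken: false
      affinity:
        # Hard requirement: replicas land in distinct zones, so the
        # cluster needs at least `replicas` zones with eligible nodes.
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app.kubernetes.io/name
                    operator: In
                    values:
                      - wildduck
                  - key: app.kubernetes.io/component
                    operator: In
                    values:
                      - haraka
              topologyKey: topology.kubernetes.io/zone
        # Hard requirement: each replica runs on a node that already
        # hosts a wildduck pod; if none is schedulable, haraka stays Pending.
        podAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app.kubernetes.io/name
                    operator: In
                    values:
                      - wildduck
                  - key: app.kubernetes.io/component
                    operator: In
                    values:
                      - wildduck
              topologyKey: kubernetes.io/hostname
      containers:
        - name: haraka
          # Pinned by digest; the `latest` tag is informational only and
          # cannot change what is pulled.
          image: mirror.gcr.io/codemowers/wildduck-haraka-inbound:latest@sha256:5b9ec221d9686604a8f247e894727dfaa3413ac75d31428773441d31bb4feaa6
          imagePullPolicy: IfNotPresent
          ports:
            # Matches listen=0.0.0.0:2525 in the haraka ConfigMap's smtp.ini.
            - containerPort: 2525
              name: haraka-mta
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 65534
            # 2525 is an unprivileged port and the process already runs
            # as 65534, so no capability or setuid path is needed.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # The same projected volume (ConfigMap + dhparams secret) is
            # mounted at both the Haraka root and its config/ subdirectory;
            # presumably Haraka resolves some files relative to each — confirm.
            - name: wildduck-haraka-config
              mountPath: /etc/haraka
              readOnly: true
            - name: wildduck-haraka-config
              mountPath: /etc/haraka/config
              readOnly: true
            # Writable scratch for queue_dir (/var/lib/haraka/queue).
            - name: var-lib-haraka
              mountPath: /var/lib/haraka
            # TLS key/cert referenced by tls.ini; never writable.
            - name: cert
              mountPath: /cert
              readOnly: true
          env:
            # Credentials are read from Secrets, not embedded in config.
            - name: SRS_SECRET
              valueFrom:
                secretKeyRef:
                  name: srs
                  key: secret
            - name: REDIS_URI
              valueFrom:
                secretKeyRef:
                  name: session-storage
                  key: REDIS_WILDDUCK_URI
            - name: MONGO_URI
              valueFrom:
                secretKeyRef:
                  name: wildduck-mongodb
                  key: MONGO_URI
      volumes:
        - name: cert
          secret:
            secretName: wildduck-tls
        - name: wildduck-haraka-config
          projected:
            sources:
              - secret:
                  name: dhparams
              - configMap:
                  name: haraka
        # emptyDir: the Haraka queue is lost whenever the pod is deleted
        # or rescheduled. Mail already accepted with 250 but not yet
        # delivered is dropped in that case — TODO confirm this is
        # acceptable, or move the queue to persistent storage.
        - name: var-lib-haraka
          emptyDir:
            sizeLimit: 500Mi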