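---
# Redis instance claimed for the webmail.
# NOTE(review): no namespace is set here; presumably applied with
# `-n wildduck` like the rest of the file. Confirm and set it explicitly.
apiVersion: codemowers.cloud/v1beta1
kind: RedisClaim
metadata:
  name: webmail
spec:
  class: ephemeral
  capacity: 100Mi
---
# OIDC gateway client: restricts access to the listed groups and maps the
# authenticated user into the Remote-Username header consumed by the webmail.
# NOTE(review): no namespace is set. The Ingress below references
# `wildduck-webmail@kubernetescrd`, so the generated middleware is presumably
# expected in the wildduck namespace. Confirm.
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWMiddlewareClient
metadata:
  name: webmail
spec:
  displayName: Wildduck Webmail
  uri: 'https://webmail.k-space.ee'
  allowedGroups:
    - k-space:floor
    - k-space:friends
  headerMapping:
    user: Remote-Username
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: webmail-config
  namespace: wildduck
data:
  # [service.sso.http] makes the webmail accept the Remote-Username request
  # header as the signed-in identity. That is only sound while every network
  # path to the pod passes through the OIDC gateway middleware and the gateway
  # overwrites any client-supplied copy of the header.
  # NOTE(review): confirm the gateway strips an inbound Remote-Username.
  # NOTE(review): [api] url is plain HTTP inside the cluster; presumably the
  # access token from APPCONF_api_accessToken travels over it. Confirm that
  # wildduck-api is itself covered by a NetworkPolicy.
  www.toml: |-
    [service]
    identities=1
    allowIdentityEdit=false
    allowJoin=false
    domains=["k-space.ee"]
    allowSendFromOtherDomains=false

    [service.sso.http]
    enabled = true
    header = "Remote-Username"
    logoutRedirect = "https://auth2.k-space.ee/"

    [u2f]
    enabled=false

    [log]
    level="info"

    [setup.imap]
    hostname="mail.k-space.ee"
    secure=true
    port=993

    [setup.pop3]
    hostname="mail.k-space.ee"
    secure=true
    port=995

    [setup.smtp]
    hostname="mail.k-space.ee"
    secure=true
    port=465

    [api]
    url="http://wildduck-api:8080"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webmail
  namespace: wildduck
spec:
  revisionHistoryLimit: 0
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: webmail
  template:
    metadata:
      labels:
        app.kubernetes.io/name: webmail
    spec:
      containers:
        - name: webmail
          # `:latest` is a mutable tag: each pod start pulls whatever the
          # registry serves at that moment, so the two replicas can run
          # different code and an upstream push reaches production unreviewed.
          # Pin to a release tag plus digest, e.g.
          # nodemailer/wildduck-webmail:<VERSION>@sha256:<DIGEST> (placeholder).
          image: nodemailer/wildduck-webmail:latest
          command:
            - node
            - server.js
            - --config=/etc/wildduck/www.toml
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 65534
            # Added: the process already runs as an unprivileged UID on a
            # read-only root filesystem; also block setuid-style escalation
            # and drop all capabilities.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: webmail-config
              mountPath: /etc/wildduck
              readOnly: true
          env:
            # Credentials come from Secrets rather than the ConfigMap.
            - name: APPCONF_api_accessToken
              valueFrom:
                secretKeyRef:
                  name: wildduck
                  key: WILDDUCK_API_TOKEN
            # NOTE(review): this Secret name does not obviously correspond to
            # the RedisClaim `webmail` declared in this file. Confirm which
            # claim produces it.
            - name: APPCONF_dbs_redis
              valueFrom:
                secretKeyRef:
                  name: redis-wildduck-owner-secrets
                  key: REDIS_MASTER_1_URI
      volumes:
        - name: webmail-config
          projected:
            sources:
              - configMap:
                  name: webmail-config
---
apiVersion: v1
kind: Service
metadata:
  name: webmail
  namespace: wildduck
spec:
  selector:
    app.kubernetes.io/name: webmail
  ports:
    - protocol: TCP
      port: 80
      targetPort: 3000
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webmail
  namespace: wildduck
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    # The OIDC gateway middleware is listed first, so authentication is
    # applied before the redirect. Any other route to the webmail Service that
    # omits it would leave the Remote-Username header client-controlled.
    traefik.ingress.kubernetes.io/router.middlewares: wildduck-webmail@kubernetescrd,wildduck-webmail-redirect@kubernetescrd
    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:
  rules:
    - host: webmail.k-space.ee
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: webmail
                port:
                  number: 80
  tls:
    - hosts:
        - "*.k-space.ee"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: webmail-redirect
  # Set explicitly: the Ingress refers to this object as
  # `wildduck-webmail-redirect@kubernetescrd`, i.e. namespace wildduck.
  namespace: wildduck
spec:
  redirectRegex:
    # Dots escaped so the pattern matches only the literal hostname.
    regex: '^https://webmail\.k-space\.ee/$'
    replacement: https://webmail.k-space.ee/webmail/
    permanent: false
---
# Only Traefik pods in the traefik namespace may reach the webmail on port
# 3000. This is what keeps other workloads from connecting to the pod directly
# and supplying their own Remote-Username header.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: webmail
  # Set explicitly: a NetworkPolicy selects pods only in its own namespace, so
  # created anywhere else it would silently protect nothing.
  namespace: wildduck
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: webmail
  policyTypes:
    - Ingress
  ingress:
    - ports:
        - port: 3000
      from:
        # namespaceSelector and podSelector in one entry are ANDed together.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik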