Refactor CI/CD setup: streamline Python package installations and add bcrypt hashing for email credentials
This commit is contained in:
@@ -1 +0,0 @@
|
||||
../../repository.vault
|
||||
@@ -1,9 +1,10 @@
|
||||
locals {
|
||||
mail_path = "${local.persistent_folder}/mail"
|
||||
mailboxes_path = "${local.mail_path}/mailboxes"
|
||||
getmail_path = "${local.mail_path}/getmail"
|
||||
postfix_path = "${local.mail_path}/postfix"
|
||||
mail_backup_path = "${local.persistent_folder}/backup.mail"
|
||||
mail_path = "${local.persistent_folder}/mail"
|
||||
mailboxes_path = "${local.mail_path}/mailboxes"
|
||||
getmail_path = "${local.mail_path}/getmail"
|
||||
postfix_path = "${local.mail_path}/postfix"
|
||||
mail_backup_path = "${local.persistent_folder}/backup.mail"
|
||||
email_domain_name = "alexpires.me"
|
||||
|
||||
email_accounts = [
|
||||
{
|
||||
@@ -44,7 +45,8 @@ locals {
|
||||
# Email configuration
|
||||
SMTP_HOST = local.scaleway_smtp_host
|
||||
SMTP_PORT = 465
|
||||
MY_DESTINATION = "alexpires.me"
|
||||
MY_PRIMARY_DOMAIN = local.email_domain_name
|
||||
MY_DESTINATION = join(",", [for account in local.email_accounts : account.domain])
|
||||
MY_NETWORKS = "127.0.0.0/8"
|
||||
MAILNAME = "smtp.alexpires.me"
|
||||
DOVECOT_AUTH_ADDRESS = "dovecot-auth.mail.svc.cluster.local"
|
||||
@@ -54,6 +56,10 @@ locals {
|
||||
LOG_TO_STDOUT = 1
|
||||
}
|
||||
|
||||
password_hashes = {
|
||||
for account in local.email_accounts : account.username => data.external.password_hasher[account.username].result.hex_encoded_bcrypt_hash
|
||||
}
|
||||
|
||||
postfix_secrets = {
|
||||
SMTP_USER = {
|
||||
key = "username"
|
||||
@@ -67,6 +73,16 @@ locals {
|
||||
}
|
||||
}
|
||||
|
||||
data "external" "password_hasher" {
|
||||
for_each = { for account in local.email_accounts : account.username => account }
|
||||
program = ["python3", "${path.module}/../../lib/bcrypt_hash.py"]
|
||||
|
||||
query = {
|
||||
password = each.value.password
|
||||
cost = "10"
|
||||
}
|
||||
}
|
||||
|
||||
resource "kubernetes_namespace" "mail" {
|
||||
metadata {
|
||||
annotations = {
|
||||
@@ -85,7 +101,7 @@ resource "kubernetes_secret" "dovecot_users" {
|
||||
namespace = kubernetes_namespace.mail.metadata[0].name
|
||||
}
|
||||
data = {
|
||||
"users" = join("\n", [for account in local.email_accounts : "${account.username}:{plain}${account.password}:1000:1000::/var/mail/${account.username}::"])
|
||||
"users" = join("\n", [for account in local.email_accounts : "${account.username}:{BLF-CRYPT.HEX}${local.password_hashes[account.username]}:1000:1000::/var/mail/${account.username}::"])
|
||||
}
|
||||
}
|
||||
|
||||
@@ -419,7 +435,7 @@ resource "kubernetes_deployment" "dovecot" {
|
||||
ignore_changes = [spec[0].template[0].metadata[0].annotations]
|
||||
replace_triggered_by = [
|
||||
kubernetes_config_map.dovecot_config,
|
||||
kubernetes_secret.dovecot_users,
|
||||
# kubernetes_secret.dovecot_users,
|
||||
kubernetes_config_map.dovecot_sieve,
|
||||
]
|
||||
}
|
||||
|
||||
@@ -25,9 +25,10 @@ if [ -z "$DOVECOT_AUTH_PORT" ]; then
|
||||
fi
|
||||
|
||||
postconf -e "myhostname=$MAILNAME"
|
||||
postconf -e "mydomain=$MY_DESTINATION"
|
||||
postconf -e "myorigin=$MY_DESTINATION"
|
||||
postconf -e "smtpd_banner = \$myhostname ESMTP \$mail_name"
|
||||
postconf -e "mydomain=$MY_PRIMARY_DOMAIN"
|
||||
postconf -e "myorigin=$MY_PRIMARY_DOMAIN"
|
||||
postconf -e "smtpd_banner=\$myhostname ESMTP \$mail_name"
|
||||
postconf -e "mydestination=$MY_DESTINATION"
|
||||
|
||||
# Relay configuration
|
||||
postconf -e "relayhost=[$SMTP_HOST]:$SMTP_PORT"
|
||||
@@ -47,7 +48,6 @@ postconf -e "smtpd_recipient_restrictions=permit_sasl_authenticated, reject"
|
||||
postconf -e "smtpd_relay_restrictions=permit_sasl_authenticated, reject_unauth_destination"
|
||||
postconf -e "smtpd_sasl_authenticated_header=yes"
|
||||
postconf -e "smtpd_tls_wrappermode=yes"
|
||||
postconf -e "smtpd_sasl_local_domain=$MY_DESTINATION"
|
||||
|
||||
# TLS configuration
|
||||
postconf -e "smtpd_tls_cert_file=/etc/letsencrypt/tls.crt"
|
||||
|
||||
Reference in New Issue
Block a user