Refactor CI/CD setup: streamline Python package installations and add bcrypt hashing for email credentials

This commit is contained in:
2025-04-24 19:15:04 +02:00
parent 4b8ad821b4
commit 5253d4dd41
10 changed files with 69 additions and 17 deletions
+24 -8
View File
@@ -1,9 +1,10 @@
locals {
mail_path = "${local.persistent_folder}/mail"
mailboxes_path = "${local.mail_path}/mailboxes"
getmail_path = "${local.mail_path}/getmail"
postfix_path = "${local.mail_path}/postfix"
mail_backup_path = "${local.persistent_folder}/backup.mail"
mail_path = "${local.persistent_folder}/mail"
mailboxes_path = "${local.mail_path}/mailboxes"
getmail_path = "${local.mail_path}/getmail"
postfix_path = "${local.mail_path}/postfix"
mail_backup_path = "${local.persistent_folder}/backup.mail"
email_domain_name = "alexpires.me"
email_accounts = [
{
@@ -44,7 +45,8 @@ locals {
# Email configuration
SMTP_HOST = local.scaleway_smtp_host
SMTP_PORT = 465
MY_DESTINATION = "alexpires.me"
MY_PRIMARY_DOMAIN = local.email_domain_name
MY_DESTINATION = join(",", [for account in local.email_accounts : account.domain])
MY_NETWORKS = "127.0.0.0/8"
MAILNAME = "smtp.alexpires.me"
DOVECOT_AUTH_ADDRESS = "dovecot-auth.mail.svc.cluster.local"
@@ -54,6 +56,10 @@ locals {
LOG_TO_STDOUT = 1
}
password_hashes = {
for account in local.email_accounts : account.username => data.external.password_hasher[account.username].result.hex_encoded_bcrypt_hash
}
postfix_secrets = {
SMTP_USER = {
key = "username"
@@ -67,6 +73,16 @@ locals {
}
}
data "external" "password_hasher" {
for_each = { for account in local.email_accounts : account.username => account }
program = ["python3", "${path.module}/../../lib/bcrypt_hash.py"]
query = {
password = each.value.password
cost = "10"
}
}
resource "kubernetes_namespace" "mail" {
metadata {
annotations = {
@@ -85,7 +101,7 @@ resource "kubernetes_secret" "dovecot_users" {
namespace = kubernetes_namespace.mail.metadata[0].name
}
data = {
"users" = join("\n", [for account in local.email_accounts : "${account.username}:{plain}${account.password}:1000:1000::/var/mail/${account.username}::"])
"users" = join("\n", [for account in local.email_accounts : "${account.username}:{BLF-CRYPT.HEX}${local.password_hashes[account.username]}:1000:1000::/var/mail/${account.username}::"])
}
}
@@ -419,7 +435,7 @@ resource "kubernetes_deployment" "dovecot" {
ignore_changes = [spec[0].template[0].metadata[0].annotations]
replace_triggered_by = [
kubernetes_config_map.dovecot_config,
kubernetes_secret.dovecot_users,
# kubernetes_secret.dovecot_users,
kubernetes_config_map.dovecot_sieve,
]
}
+4 -4
View File
@@ -25,9 +25,10 @@ if [ -z "$DOVECOT_AUTH_PORT" ]; then
fi
postconf -e "myhostname=$MAILNAME"
postconf -e "mydomain=$MY_DESTINATION"
postconf -e "myorigin=$MY_DESTINATION"
postconf -e "smtpd_banner = \$myhostname ESMTP \$mail_name"
postconf -e "mydomain=$MY_PRIMARY_DOMAIN"
postconf -e "myorigin=$MY_PRIMARY_DOMAIN"
postconf -e "smtpd_banner=\$myhostname ESMTP \$mail_name"
postconf -e "mydestination=$MY_DESTINATION"
# Relay configuration
postconf -e "relayhost=[$SMTP_HOST]:$SMTP_PORT"
@@ -47,7 +48,6 @@ postconf -e "smtpd_recipient_restrictions=permit_sasl_authenticated, reject"
postconf -e "smtpd_relay_restrictions=permit_sasl_authenticated, reject_unauth_destination"
postconf -e "smtpd_sasl_authenticated_header=yes"
postconf -e "smtpd_tls_wrappermode=yes"
postconf -e "smtpd_sasl_local_domain=$MY_DESTINATION"
# TLS configuration
postconf -e "smtpd_tls_cert_file=/etc/letsencrypt/tls.crt"