Add Gitea and Mail modules with configuration and resources

- Created Gitea module with outputs, provider, and variables for deployment.
- Implemented Mail module including configuration for Dovecot and Postfix, along with necessary resources such as secrets, config maps, and deployments.
- Added Python script for bcrypt password hashing and integrated it into the Mail module.
- Defined persistent volumes and claims for Seafile module, along with Nginx configuration for serving content.
- Established necessary variables for all modules to ensure flexibility and configurability.
This commit is contained in:
2025-04-27 22:36:18 +02:00
parent 58fb1ea167
commit b7408fb4d8
25 changed files with 715 additions and 207 deletions
+43
View File
@@ -0,0 +1,43 @@
locals {
gitea_env_vars = {
APP_NAME = var.app_name
HTTP_PORT = "3000"
RUN_MODE = "prod"
LFS_START_SERVER = "true"
SSH_DOMAIN = var.fqdn
DISABLE_REGISTRATION = true
INSTALL_LOCK = "true"
DB_TYPE = "mysql"
DB_NAME = "gitea"
DB_HOST = module.gitea_database.host
SSH_LISTEN_PORT = 22
GITEA__mailer__ENABLED = true
GITEA__mailer__FROM = var.from_email
GITEA__mailer__SMTP_ADDR = var.relay_smtp_host
GITEA__mailer__SMTP_PORT = var.relay_smtp_port
GITEA__mailer__PROTOCOL = "smtps"
}
gitea_secrets = {
DB_USER = {
key = "username"
name = module.gitea_database.app_crendentials_name
}
DB_PASSWD = {
key = "password"
name = module.gitea_database.app_crendentials_name
}
GITEA__mailer__USER = {
key = "username"
name = kubernetes_secret.gitea_mail_credentials.metadata[0].name
}
GITEA__mailer__PASSWD = {
key = "password"
name = kubernetes_secret.gitea_mail_credentials.metadata[0].name
}
}
gitea_path = "${var.persistent_folder}/gitea"
gitea_db_path = "${var.database_folder}/mysql.gitea"
}
+263
View File
@@ -0,0 +1,263 @@
resource "kubernetes_namespace" "gitea" {
metadata {
annotations = {
name = "gitea"
}
labels = {
name = "gitea"
}
name = "gitea"
}
}
resource "kubernetes_secret" "gitea_mail_credentials" {
metadata {
name = "gitea-mail-credentials"
namespace = kubernetes_namespace.gitea.metadata[0].name
}
data = {
username = var.relay_smtp_username
password = var.relay_smtp_password
}
type = "Opaque"
}
module "gitea_database" {
source = "../k8s_mariadb"
namespace = kubernetes_namespace.gitea.metadata[0].name
app_name = "gitea"
app_password = var.db_password
root_password = var.db_root_password
retention_days = var.backup_retention_days
cron_schedule = var.backup_cron_schedule
database_folder = local.gitea_db_path
backup_folder = var.backup_folder
}
resource "kubernetes_service_account" "gitea_service_account" {
metadata {
name = "gitea-app-sa"
namespace = kubernetes_namespace.gitea.metadata[0].name
}
automount_service_account_token = false
}
resource "kubernetes_service" "gitea_http" {
metadata {
name = "http"
namespace = kubernetes_namespace.gitea.metadata[0].name
}
spec {
port {
port = 80
target_port = "http"
}
selector = {
app = "gitea"
}
cluster_ip = "None"
}
}
resource "kubernetes_ingress_v1" "gitea_ingress" {
metadata {
name = "gitea-ingress"
namespace = kubernetes_namespace.gitea.metadata[0].name
annotations = {
"kubernetes.io/ingress.class" = "public"
"cert-manager.io/cluster-issuer" = "letsencrypt-prod"
"nginx.ingress.kubernetes.io/ssl-redirect" = "true"
"nginx.ingress.kubernetes.io/proxy-body-size" = "8m"
"nginx.ingress.kubernetes.io/proxy-request-buffering" = "on"
"nginx.ingress.kubernetes.io/proxy-buffer-size" = "32k"
"nginx.ingress.kubernetes.io/proxy-buffers-number" = "16"
}
}
spec {
tls {
hosts = [var.fqdn]
secret_name = "gitea-tls"
}
rule {
host = var.fqdn
http {
path {
backend {
service {
name = "http"
port {
number = 80
}
}
}
}
}
}
}
}
resource "kubernetes_deployment" "gitea" {
depends_on = [module.gitea_database]
metadata {
name = "gitea-app"
namespace = kubernetes_namespace.gitea.metadata[0].name
}
spec {
selector {
match_labels = {
app = "gitea"
}
}
strategy {
type = "Recreate"
}
template {
metadata {
labels = {
app = "gitea"
}
}
spec {
service_account_name = kubernetes_service_account.gitea_service_account.metadata[0].name
container {
name = "gitea"
image = "gitea/gitea:${var.tag}"
image_pull_policy = "Always"
resources {
requests = {
memory = "100Mi"
}
limits = {
memory = "300Mi"
}
}
liveness_probe {
http_get {
path = "/api/healthz"
port = "http"
}
initial_delay_seconds = 200
period_seconds = 300
success_threshold = 1
failure_threshold = 5
}
readiness_probe {
tcp_socket {
port = "http"
}
initial_delay_seconds = 5
period_seconds = 10
success_threshold = 1
failure_threshold = 3
}
dynamic "env" {
for_each = local.gitea_env_vars
content {
name = env.key
value = env.value
}
}
security_context {
allow_privilege_escalation = false
}
dynamic "env" {
for_each = local.gitea_secrets
content {
name = env.key
value_from {
secret_key_ref {
key = env.value.key
name = env.value.name
}
}
}
}
port {
container_port = 3000
name = "http"
}
port {
container_port = 22
name = "ssh"
}
volume_mount {
mount_path = "/data"
name = "persistent-storage"
}
}
volume {
name = "persistent-storage"
host_path {
path = local.gitea_path
}
}
}
}
}
}
resource "kubernetes_role" "gitea_ssh_access" {
metadata {
name = "gitea-ssh-access"
namespace = kubernetes_namespace.gitea.metadata[0].name
}
rule {
api_groups = [""]
resources = ["pods", "pods/log"]
verbs = ["get", "list"]
}
rule {
api_groups = [""]
resources = ["pods/exec"]
verbs = ["create"]
}
}
resource "kubernetes_role_binding" "gitea_ssh_access" {
metadata {
name = "gitea-ssh-access"
namespace = kubernetes_namespace.gitea.metadata[0].name
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "Role"
name = kubernetes_role.gitea_ssh_access.metadata[0].name
}
subject {
kind = "ServiceAccount"
name = kubernetes_service_account.gitea_service_account.metadata[0].name
namespace = kubernetes_namespace.gitea.metadata[0].name
}
}
resource "kubernetes_secret" "gitea_access_token" {
metadata {
annotations = {
"kubernetes.io/service-account.name" = kubernetes_service_account.gitea_service_account.metadata[0].name
}
name = "git-token"
namespace = kubernetes_namespace.gitea.metadata[0].name
}
type = "kubernetes.io/service-account-token"
wait_for_service_account_token = true
}
+15
View File
@@ -0,0 +1,15 @@
output "path" {
value = local.gitea_path
}
output "db_path" {
value = local.gitea_db_path
}
output "namespace" {
value = kubernetes_namespace.gitea.metadata[0].name
}
output "app_name" {
value = "gitea"
}
+13
View File
@@ -0,0 +1,13 @@
terraform {
required_version = "~>1.8"
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~>2.18"
}
scaleway = {
source = "scaleway/scaleway"
version = "~>2.13"
}
}
}
+79
View File
@@ -0,0 +1,79 @@
variable "persistent_folder" {
description = "The path to the persistent folder"
type = string
}
variable "database_folder" {
description = "The path to the database folder"
type = string
}
variable "backup_folder" {
description = "The path to the backup folder"
type = string
}
variable "backup_retention_days" {
description = "The number of days to retain backups"
type = number
}
variable "backup_cron_schedule" {
description = "The cron schedule for backups"
type = string
}
variable "db_password" {
description = "The password for the Gitea MySQL database"
type = string
sensitive = true
}
variable "db_root_password" {
description = "The root password for the MySQL database"
type = string
sensitive = true
}
variable "tag" {
description = "The version of the websites to install"
type = string
default = "1.23.4"
}
variable "fqdn" {
description = "The fully qualified domain name for the Rustdesk server"
type = string
}
variable "app_name" {
description = "The name of the application"
type = string
}
variable "relay_smtp_host" {
description = "The SMTP relay host"
type = string
}
variable "relay_smtp_port" {
description = "The SMTP relay port"
type = number
}
variable "relay_smtp_username" {
description = "The SMTP relay username"
type = string
sensitive = true
}
variable "relay_smtp_password" {
description = "The SMTP relay password"
type = string
sensitive = true
}
variable "from_email" {
description = "The email address to use as the sender"
type = string
}
+56
View File
@@ -0,0 +1,56 @@
locals {
persistent_folder = var.persistent_folder
mail_path = "${local.persistent_folder}/mail"
mailboxes_path = "${local.mail_path}/mailboxes"
getmail_path = "${local.mail_path}/getmail"
postfix_path = "${local.mail_path}/postfix"
mail_backup_path = "${local.persistent_folder}/backup.mail"
getmail_jobs = flatten([
for account in var.email_accounts : [
for mailbox in account.mailboxes : {
name = "${account.recipient}-${mailbox}"
recipient = "${account.recipient}+${mailbox}"
domain = account.domain
server = account.receive.server
port = account.receive.port
username = account.username
password = account.password
mailbox = mailbox
delete_after = coalesce(account.delete_after, 30)
}
]
])
postfix_env_vars = {
# Email configuration
SMTP_HOST = var.relay_smtp_host
SMTP_PORT = var.relay_smtp_port
MY_PRIMARY_DOMAIN = var.primary_domain
MY_DESTINATION = join(",", [for account in var.email_accounts : account.domain])
MY_NETWORKS = "127.0.0.0/8"
MAILNAME = "smtp.${var.primary_domain}"
DOVECOT_AUTH_ADDRESS = "dovecot-auth.mail.svc.cluster.local"
DOVECOT_AUTH_PORT = 31000
DOVECOT_LMTP_ADDRESS = "dovecot-lmtp.mail.svc.cluster.local"
DOVECOT_LMTP_PORT = 31024
LOG_TO_STDOUT = 0
}
password_hashes = {
for account in var.email_accounts : account.username => data.external.password_hasher[account.username].result.hex_encoded_bcrypt_hash
}
postfix_secrets = {
SMTP_USER = {
key = "username"
name = kubernetes_secret.relay_mail_credentials.metadata[0].name
}
SMTP_PASSWORD = {
key = "password"
name = kubernetes_secret.relay_mail_credentials.metadata[0].name
}
}
}
+27
View File
@@ -0,0 +1,27 @@
import sys
import json
import bcrypt
import binascii
# Read input JSON from stdin
input_data = json.load(sys.stdin)
password = input_data.get("password")
cost = int(input_data.get("cost", "10")) # Default cost 10
if not password:
print(json.dumps({"error": "Password is required"}), file=sys.stderr)
sys.exit(1)
# Generate bcrypt hash
hashed_bytes = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt(rounds=cost))
hashed_string = hashed_bytes.decode('utf-8')
# Hex encode for Glauth
hex_encoded_hash = binascii.hexlify(hashed_string.encode('utf-8')).decode('utf-8')
# Output JSON to stdout
output_data = {
"bcrypt_hash": hashed_string,
"hex_encoded_bcrypt_hash": hex_encoded_hash
}
print(json.dumps(output_data))
+559
View File
@@ -0,0 +1,559 @@
data "external" "password_hasher" {
for_each = { for account in var.email_accounts : account.username => account }
program = ["python3", "${path.module}//lib/bcrypt_hash.py"]
query = {
password = each.value.password
cost = "10"
}
}
resource "kubernetes_namespace" "mail" {
metadata {
annotations = {
name = "mail"
}
labels = {
name = "mail"
}
name = "mail"
}
}
resource "kubernetes_secret" "dovecot_users" {
metadata {
name = "dovecot-users"
namespace = kubernetes_namespace.mail.metadata[0].name
}
data = {
"users" = join("\n", [for account in var.email_accounts : "${account.username}:{BLF-CRYPT.HEX}${local.password_hashes[account.username]}:1000:1000::/var/mail/${account.username}::"])
}
}
resource "kubernetes_secret" "relay_mail_credentials" {
metadata {
name = "relay-mail-credentials"
namespace = kubernetes_namespace.mail.metadata[0].name
}
data = {
username = var.relay_smtp_username
password = var.relay_smtp_password
}
type = "Opaque"
}
resource "kubernetes_secret" "mail_crypt_certs" {
metadata {
name = "mail-crypt-certs"
namespace = kubernetes_namespace.mail.metadata[0].name
}
data = {
"ecprivkey.pem" = var.mail_crypt_private_key
"ecpubkey.pem" = var.mail_crypt_public_key
}
type = "Opaque"
}
resource "kubernetes_service_account" "mail_app" {
metadata {
name = "mail-app-sa"
namespace = kubernetes_namespace.mail.metadata[0].name
}
automount_service_account_token = false
}
resource "kubernetes_config_map" "postfix_config" {
metadata {
name = "postfix-config"
namespace = kubernetes_namespace.mail.metadata[0].name
}
data = {
"run.config" = file("${path.module}/resources/mail/run.config")
}
}
resource "kubernetes_secret" "bcc_map" {
metadata {
name = "bcc-map"
namespace = kubernetes_namespace.mail.metadata[0].name
}
data = {
"bcc_map" = join("\n", [for account in var.email_accounts : "/([^@]+)@${replace(account.domain, ".", "\\.")}/ $${1}+Sent@${account.domain}"])
}
}
resource "kubernetes_config_map" "getmail_config" {
metadata {
name = "getmail-config"
namespace = kubernetes_namespace.mail.metadata[0].name
}
data = { for job in local.getmail_jobs : "getmailrc_${job.name}" =>
templatefile("${path.module}/resources/mail/getmailrc.tpl", {
recipient = job.recipient
domain = job.domain
server = job.server
port = job.port
username = job.username
password = job.password
mailbox = job.mailbox
delete_after = job.delete_after
dovecot_lmtp_address = "dovecot-lmtp.mail.svc.cluster.local"
dovecot_lmtp_port = 31024
})
}
}
resource "kubernetes_config_map" "dovecot_config" {
metadata {
name = "dovecot-config"
namespace = kubernetes_namespace.mail.metadata[0].name
}
data = {
"dovecot.conf" = file("${path.module}/resources/mail/dovecot.conf")
}
}
resource "kubernetes_config_map" "dovecot_sieve" {
metadata {
name = "dovecot-sieve"
namespace = kubernetes_namespace.mail.metadata[0].name
}
data = {
"sieve" = file("${path.module}/resources/mail/sieve")
}
}
resource "kubernetes_manifest" "mail_certificate" {
manifest = {
apiVersion = "cert-manager.io/v1"
kind = "Certificate"
metadata = {
name = "mail-cert"
namespace = kubernetes_namespace.mail.metadata[0].name
}
spec = {
secretName = "mail-tls"
issuerRef = {
name = "letsencrypt-prod"
kind = "ClusterIssuer"
}
commonName = "imap.${var.primary_domain}"
dnsNames = flatten([for account in var.email_accounts : ["imap.${account.domain}", "smtp.${account.domain}"]])
}
}
}
resource "kubernetes_cron_job_v1" "fetch_emails" {
metadata {
namespace = kubernetes_namespace.mail.metadata[0].name
name = "fetch-emails"
}
spec {
schedule = var.fetch_emails_schedule
job_template {
metadata {
name = "fetch-emails"
}
spec {
backoff_limit = 1
parallelism = 1
completions = 1
active_deadline_seconds = 300
template {
metadata {
labels = {
app = "fetch-emails"
}
}
spec {
container {
name = "getmail"
image = "a13labs/getmail6:${var.getmail_tag}"
args = concat(["--getmaildir", "/var/getmail"], flatten([for job in local.getmail_jobs : ["-r", "/getmail/getmailrc_${job.name}"]]))
volume_mount {
name = "getmail-config"
mount_path = "/getmail"
read_only = true
}
security_context {
run_as_user = 1000
run_as_group = 1000
}
volume_mount {
name = "getmail-cache"
mount_path = "/var/getmail"
}
}
restart_policy = "Never"
volume {
name = "getmail-config"
config_map {
name = "getmail-config"
}
}
volume {
name = "getmail-cache"
host_path {
path = local.getmail_path
}
}
}
}
}
}
}
}
resource "kubernetes_deployment" "dovecot" {
metadata {
namespace = kubernetes_namespace.mail.metadata[0].name
name = "dovecot"
labels = {
app = "dovecot"
}
}
spec {
replicas = 1
selector {
match_labels = {
app = "dovecot"
}
}
strategy {
type = "Recreate"
}
template {
metadata {
labels = {
app = "dovecot"
}
}
spec {
service_account_name = kubernetes_service_account.mail_app.metadata[0].name
container {
name = "dovecot"
image = "dovecot/dovecot:${var.dovecot_tag}"
port {
container_port = 31993
host_port = 993
}
port {
container_port = 31024
}
port {
container_port = 31000
}
volume_mount {
name = "email-storage"
mount_path = "/var/mail"
}
volume_mount {
name = "users"
mount_path = "/etc/dovecot/users"
sub_path = "users"
read_only = true
}
volume_mount {
name = "dovecot-config"
mount_path = "/etc/dovecot/dovecot.conf"
sub_path = "dovecot.conf"
read_only = true
}
volume_mount {
name = "dovecot-sieve"
mount_path = "/etc/dovecot/sieve/default.sieve"
sub_path = "sieve"
read_only = true
}
volume_mount {
name = "certs"
mount_path = "/etc/letsencrypt"
read_only = true
}
volume_mount {
name = "mail-crypt-certs"
mount_path = "/etc/mail-crypt"
read_only = true
}
}
volume {
name = "email-storage"
host_path {
path = local.mailboxes_path
}
}
volume {
name = "users"
secret {
secret_name = kubernetes_secret.dovecot_users.metadata[0].name
}
}
volume {
name = "dovecot-config"
config_map {
name = kubernetes_config_map.dovecot_config.metadata[0].name
}
}
volume {
name = "certs"
secret {
secret_name = "mail-tls"
}
}
volume {
name = "dovecot-sieve"
config_map {
name = kubernetes_config_map.dovecot_sieve.metadata[0].name
}
}
volume {
name = "mail-crypt-certs"
secret {
secret_name = kubernetes_secret.mail_crypt_certs.metadata[0].name
}
}
}
}
}
depends_on = [kubernetes_manifest.mail_certificate, kubernetes_service_account.mail_app]
lifecycle {
ignore_changes = [spec[0].template[0].metadata[0].annotations]
replace_triggered_by = [
kubernetes_config_map.dovecot_config,
kubernetes_config_map.dovecot_sieve,
]
}
}
resource "kubernetes_deployment" "postfix" {
metadata {
namespace = kubernetes_namespace.mail.metadata[0].name
name = "postfix"
labels = {
app = "postfix"
}
}
spec {
replicas = 1
selector {
match_labels = {
app = "postfix"
}
}
strategy {
type = "Recreate"
}
template {
metadata {
labels = {
app = "postfix"
}
}
spec {
service_account_name = kubernetes_service_account.mail_app.metadata[0].name
container {
name = "postfix"
image = "tozd/postfix:${var.postfix_tag}"
port {
container_port = 465
host_port = 465
}
dynamic "env" {
for_each = local.postfix_env_vars
content {
name = env.key
value = env.value
}
}
dynamic "env" {
for_each = local.postfix_secrets
content {
name = env.key
value_from {
secret_key_ref {
key = env.value.key
name = env.value.name
}
}
}
}
volume_mount {
name = "email-storage"
mount_path = "/var/spool/postfix"
}
volume_mount {
name = "postfix-run-config"
mount_path = "/etc/service/postfix/run.config"
sub_path = "run.config"
read_only = true
}
volume_mount {
name = "bcc-map"
mount_path = "/etc/postfix/bcc_map"
sub_path = "bcc_map"
read_only = true
}
volume_mount {
name = "certs"
mount_path = "/etc/letsencrypt"
read_only = true
}
volume_mount {
name = "postfix-logs"
mount_path = "/var/log/postfix"
read_only = false
}
}
volume {
name = "email-storage"
host_path {
path = local.postfix_path
}
}
volume {
name = "postfix-run-config"
config_map {
name = kubernetes_config_map.postfix_config.metadata[0].name
}
}
volume {
name = "bcc-map"
secret {
secret_name = kubernetes_secret.bcc_map.metadata[0].name
}
}
volume {
name = "certs"
secret {
secret_name = "mail-tls"
}
}
volume {
name = "postfix-logs"
host_path {
path = "/var/log/postfix"
}
}
}
}
}
depends_on = [kubernetes_manifest.mail_certificate, kubernetes_service_account.mail_app]
lifecycle {
ignore_changes = [spec[0].template[0].metadata[0].annotations]
replace_triggered_by = [
kubernetes_config_map.postfix_config,
kubernetes_secret.relay_mail_credentials,
kubernetes_secret.bcc_map,
]
}
}
resource "kubernetes_service" "dovecot" {
metadata {
namespace = kubernetes_namespace.mail.metadata[0].name
name = "dovecot"
}
spec {
selector = {
app = "dovecot"
}
port {
name = "imap"
port = 993
target_port = 31993
}
type = "LoadBalancer"
}
lifecycle {
ignore_changes = [
metadata[0].annotations
]
}
}
resource "kubernetes_service" "dovecot_lmtp" {
metadata {
name = "dovecot-lmtp"
namespace = kubernetes_namespace.mail.metadata[0].name
}
spec {
selector = {
app = "dovecot"
}
port {
port = 31024
}
cluster_ip = "None"
}
}
resource "kubernetes_service" "dovecot_auth" {
metadata {
name = "dovecot-auth"
namespace = kubernetes_namespace.mail.metadata[0].name
}
spec {
selector = {
app = "dovecot"
}
port {
port = 31000
}
cluster_ip = "None"
}
}
resource "kubernetes_service" "postfix" {
metadata {
namespace = kubernetes_namespace.mail.metadata[0].name
name = "postfix"
}
spec {
selector = {
app = "postfix"
}
port {
name = "smtp"
port = 465
target_port = 465
}
type = "LoadBalancer"
}
lifecycle {
ignore_changes = [
metadata[0].annotations
]
}
}
+11
View File
@@ -0,0 +1,11 @@
output "path" {
value = local.mail_path
}
output "namespace" {
value = kubernetes_namespace.mail.metadata[0].name
}
output "app_name" {
value = "mail"
}
+13
View File
@@ -0,0 +1,13 @@
terraform {
required_version = "~>1.8"
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~>2.18"
}
scaleway = {
source = "scaleway/scaleway"
version = "~>2.13"
}
}
}
@@ -0,0 +1,253 @@
dovecot_config_version = "2.4.0"
dovecot_storage_version = "2.4.0"
base_dir = /run/dovecot
state_dir = /run/dovecot
protocols = imap lmtp
listen = *
mail_driver=maildir
mailbox_list_layout=index
mailbox_list_utf8=yes
mail_path=~/mail
mail_home=/var/mail/%{user|lower}
mail_utf8_extensions = yes
default_internal_user = vmail
default_login_user = vmail
default_internal_group = vmail
mail_uid = vmail
mail_gid = vmail
namespace inbox {
inbox = yes
mailbox Drafts {
special_use = \Drafts
auto = create
auto = subscribe
}
mailbox Junk {
special_use = \Junk
auto = create
auto = subscribe
}
mailbox Trash {
special_use = \Trash
auto = create
auto = subscribe
}
mailbox Sent {
special_use = \Sent
auto = create
auto = subscribe
}
mailbox Archive {
special_use = \Archive
auto = create
auto = subscribe
}
}
passdb passwd-file {
driver = passwd-file
passwd_file_path = /etc/dovecot/users
}
ssl_server {
cert_file = /etc/letsencrypt/tls.crt
key_file = /etc/letsencrypt/tls.key
}
mail_attribute {
dict file {
path = %{home}/dovecot-attributes
}
}
log_path = /dev/stdout
imap_hibernate_timeout = 5s
mail_plugins {
fts = yes
fts_flatcurve = yes
mail_log = yes
notify = yes
}
mail_log_events = delete undelete expunge save copy mailbox_create mailbox_delete mailbox_rename flag_change
fts_autoindex = yes
fts_autoindex_max_recent_msgs = 999
fts_search_add_missing = yes
language_filters = normalizer-icu snowball stopwords
language_tokenizers = generic email-address
language_tokenizer_generic_algorithm = simple
language en {
default = yes
filters = lowercase snowball english-possessive stopwords
}
fts flatcurve {
substring_search = yes
}
protocol imap {
mail_plugins {
imap_sieve = yes
imap_filter_sieve = yes
}
}
lmtp_save_to_detail_mailbox = yes
recipient_delimiter = +
protocol lmtp {
mail_plugins {
sieve = yes
}
}
service imap-login {
process_min_avail = 1
client_limit = 100
inet_listener imap {
port = 31143
}
inet_listener imaps {
port = 31993
ssl = yes
}
}
service stats {
process_min_avail = 1
inet_listener http {
port = 9090
}
}
auth_mechanisms = plain login
service auth {
inet_listener auth {
port = 31000
}
}
# LMTP service to store sent emails
service lmtp {
inet_listener auth {
port = 31024
}
mail_plugins {
sieve = yes
}
}
event_exporter log {
format = json
time_format = rfc3339
}
metric auth_success {
filter = (event=auth_request_finished AND success=yes)
}
metric auth_failure {
filter = (event=auth_request_finished AND NOT success=yes)
exporter = log
}
metric imap_command {
filter = event=imap_command_finished
group_by cmd_name {
method discrete {
}
}
group_by tagged_reply_state {
method discrete {
}
}
}
metric smtp_command {
filter = event=smtp_server_command_finished and protocol=submission
group_by cmd_name {
method discrete {
}
}
group_by status_code {
method discrete {
}
}
group_by duration {
method exponential {
base = 10
min_magnitude = 1
max_magnitude = 5
}
}
}
metric lmtp_command {
filter = event=smtp_server_command_finished and protocol=lmtp
group_by cmd_name {
method discrete {
}
}
group_by status_code {
method discrete {
}
}
group_by duration {
method exponential {
base = 10
min_magnitude = 1
max_magnitude = 5
}
}
}
metric mail_delivery {
filter = event=mail_delivery_finished
group_by duration {
method exponential {
base = 10
min_magnitude = 1
max_magnitude = 5
}
}
}
sieve_script default {
path = /etc/dovecot/sieve/default.sieve
}
mail_plugins {
mail_crypt = yes
}
crypt_global_private_key main {
crypt_private_key_file = /etc/mail-crypt/ecprivkey.pem
}
crypt_global_public_key_file = /etc/mail-crypt/ecpubkey.pem
log_path = /dev/stdout
info_log_path = /dev/stdout
debug_log_path = /dev/stdout
# Enable verbose logging
# auth_verbose = yes
# auth_debug = yes
# auth_debug_passwords = yes
# mail_debug = yes
@@ -0,0 +1,20 @@
[retriever]
type = SimpleIMAPSSLRetriever
server = ${server}
port = ${port}
username = ${username}
password = ${password}
mailboxes = ('${mailbox}',)
[destination]
type = MDA_lmtp
host = ${dovecot_lmtp_address}
port = ${dovecot_lmtp_port}
override = ${recipient}@${domain}
[options]
read_all = false
delete_after = ${delete_after}
verbose = 1
mark_read = true
@@ -0,0 +1,81 @@
#!/bin/bash
if [ -z "$SMTP_HOST" ]; then
echo "SMTP_HOST is required"
exit 1
fi
if [ -z "$SMTP_PORT" ]; then
echo "SMTP_PORT is required"
exit 1
fi
if [ -z "$SMTP_USER" ]; then
echo "SMTP_USER is required"
exit 1
fi
if [ -z "$SMTP_PASSWORD" ]; then
echo "SMTP_PASSWORD is required"
exit 1
fi
if [ -z "$DOVECOT_AUTH_ADDRESS" ]; then
echo "DOVECOT_AUTH_ADDRESS is required"
exit 1
fi
if [ -z "$DOVECOT_AUTH_PORT" ]; then
echo "DOVECOT_AUTH_PORT is required"
exit 1
fi
postconf -e "myhostname=$MAILNAME"
postconf -e "mydomain=$MY_PRIMARY_DOMAIN"
postconf -e "myorigin=$MY_PRIMARY_DOMAIN"
postconf -e "smtpd_banner=\$myhostname ESMTP \$mail_name"
postconf -e "mydestination=$MY_DESTINATION"
# Relay configuration
postconf -e "relayhost=[$SMTP_HOST]:$SMTP_PORT"
postconf -e "smtp_sasl_auth_enable=yes"
postconf -e "smtp_sasl_password_maps=static:$SMTP_USER:$SMTP_PASSWORD"
postconf -e "smtp_sasl_security_options=noanonymous"
postconf -e "smtp_tls_security_level=encrypt"
postconf -e "smtp_use_tls=yes"
postconf -e "smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt"
# SASL configuration
postconf -e "smtpd_sasl_type=dovecot"
postconf -e "smtpd_sasl_path=inet:$DOVECOT_AUTH_ADDRESS:$DOVECOT_AUTH_PORT"
postconf -e "smtpd_sasl_auth_enable=yes"
postconf -e "smtpd_sasl_security_options=noanonymous"
postconf -e "smtpd_recipient_restrictions=permit_sasl_authenticated, reject"
postconf -e "smtpd_relay_restrictions=permit_sasl_authenticated, reject_unauth_destination"
postconf -e "smtpd_sasl_authenticated_header=yes"
postconf -e "smtpd_tls_wrappermode=yes"
# TLS configuration
postconf -e "smtpd_tls_cert_file=/etc/letsencrypt/tls.crt"
postconf -e "smtpd_tls_key_file=/etc/letsencrypt/tls.key"
postconf -e "smtpd_tls_security_level=encrypt"
postconf -e "smtp_tls_wrappermode=yes"
# BCC configuration
postconf -e "virtual_transport=lmtp:[$DOVECOT_LMTP_ADDRESS]:$DOVECOT_LMTP_PORT"
# Other configuration
postconf -e "inet_interfaces=all"
postconf -e "inet_protocols=ipv4"
postconf -e "queue_directory=/var/spool/postfix"
postconf -e "compatibility_level=2"
# Debugging
# postconf -e "debug_peer_list=127.0.0.1"
# postconf -e "debug_peer_level=3"
echo "
smtps inet n - n - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
" | sudo tee -a /etc/postfix/master.cf
/usr/sbin/postfix -c /etc/postfix start
/usr/sbin/postfix -c /etc/postfix abort
exec "$POSTFIX_PATH" -c /etc/postfix -s
@@ -0,0 +1,5 @@
require ["fileinto", "envelope"];
if envelope :is "from" "${user}" {
fileinto "Sent";
}
+82
View File
@@ -0,0 +1,82 @@
variable "persistent_folder" {
description = "The path to the persistent folder"
type = string
}
variable "primary_domain" {
description = "The primary domain for the websites"
type = string
}
variable "email_accounts" {
description = "List of email accounts to be created"
type = list(object({
recipient = string
domain = string
username = string
password = string
delete_after = optional(number)
mailboxes = list(string)
receive = object({
server = string
port = number
})
}))
}
variable "relay_smtp_host" {
description = "The SMTP relay host"
type = string
}
variable "relay_smtp_port" {
description = "The SMTP relay port"
type = number
}
variable "relay_smtp_username" {
description = "The SMTP relay username"
type = string
sensitive = true
}
variable "relay_smtp_password" {
description = "The SMTP relay password"
type = string
sensitive = true
}
variable "fetch_emails_schedule" {
description = "The cron schedule for fetching emails"
type = string
}
variable "getmail_tag" {
description = "The version of getmail to install"
type = string
default = "v0.0.1-6.19.07"
}
variable "postfix_tag" {
description = "The version of postfix to install"
type = string
default = "alpine-316"
}
variable "dovecot_tag" {
description = "The version of dovecot to install"
type = string
default = "latest"
}
variable "mail_crypt_private_key" {
description = "The private key for mail encryption"
type = string
sensitive = true
}
variable "mail_crypt_public_key" {
description = "The public key for mail encryption"
type = string
sensitive = true
}
+7
View File
@@ -0,0 +1,7 @@
locals {
persistent_folder = var.persistent_folder
websites_path = "${local.persistent_folder}/web"
primary_domain = var.primary_domain
websites = var.websites
}
+128
View File
@@ -0,0 +1,128 @@
#
# Namespace for Seafile
#
resource "kubernetes_namespace" "seafile" {
metadata {
annotations = {
name = "seafile"
}
labels = {
name = "seafile"
}
name = "seafile"
}
}
#
# Persistent Volume for Seafile data
#
resource "kubernetes_persistent_volume" "seafile_data" {
metadata {
name = "seafile-data"
labels = {
type = "local" # Example label, adjust as needed
}
}
spec {
capacity = {
storage = "10Gi"
}
access_modes = ["ReadWriteOnce"]
persistent_volume_source {
host_path {
path = "/opt/seafile-data" # Consider making this configurable via variables
}
}
persistent_volume_reclaim_policy = "Retain" # Or Delete, depending on desired behavior
storage_class_name = "manual" # Or your specific storage class
volume_mode = "Filesystem"
}
}
#
# Persistent Volume Claim for Seafile data
#
resource "kubernetes_persistent_volume_claim" "seafile_data" {
metadata {
name = "seafile-data"
namespace = kubernetes_namespace.seafile.metadata[0].name
}
spec {
access_modes = ["ReadWriteOnce"]
resources {
requests = {
storage = "10Gi"
}
}
storage_class_name = "manual" # Must match the PV's storage class
volume_name = kubernetes_persistent_volume.seafile_data.metadata[0].name
}
wait_until_bound = false # Set to true if you need to ensure binding before proceeding
}
#
# ConfigMap for Seafile environment variables
#
resource "kubernetes_config_map" "seafile_env" {
metadata {
name = "seafile-env"
namespace = kubernetes_namespace.seafile.metadata[0].name
}
data = {
# for Seafile server
TIME_ZONE = "UTC" # Consider making this configurable
SEAFILE_LOG_TO_STDOUT = "false"
SITE_ROOT = "/"
ENABLE_SEADOC = "false"
SEADOC_SERVER_URL = "https://seafile.example.com/sdoc-server" # Replace with actual URL or variable
SEAFILE_SERVER_HOSTNAME = "seafile.example.com" # Replace with actual hostname or variable
SEAFILE_SERVER_PROTOCOL = "http" # Replace with actual protocol or variable
# for database - Consider using secrets for credentials
SEAFILE_MYSQL_DB_HOST = "<your MySQL host>" # Replace with actual host or variable/secret
SEAFILE_MYSQL_DB_PORT = "3306"
SEAFILE_MYSQL_DB_USER = "seafile" # Replace with actual user or variable/secret
SEAFILE_MYSQL_DB_CCNET_DB_NAME = "ccnet_db"
SEAFILE_MYSQL_DB_SEAFILE_DB_NAME = "seafile_db"
SEAFILE_MYSQL_DB_SEAHUB_DB_NAME = "seahub_db"
# Init
## for Seafile admin - Consider using secrets
INIT_SEAFILE_ADMIN_EMAIL = "<Seafile admin's email>" # Replace with actual email or variable/secret
## For S3 storage backend (only valid in INIT_S3_STORAGE_BACKEND_CONFIG = true) - Consider using secrets
INIT_S3_STORAGE_BACKEND_CONFIG = "false"
INIT_S3_COMMIT_BUCKET = ""
INIT_S3_FS_BUCKET = ""
INIT_S3_BLOCK_BUCKET = ""
INIT_S3_KEY_ID = ""
INIT_S3_USE_V4_SIGNATURE = "true"
INIT_S3_AWS_REGION = "us-east-1"
INIT_S3_HOST = "s3.us-east-1.amazonaws.com"
INIT_S3_USE_HTTPS = "true"
}
}
#
# Service for Seafile
#
resource "kubernetes_service" "seafile" {
metadata {
name = "seafile"
namespace = kubernetes_namespace.seafile.metadata[0].name
}
spec {
selector = {
app = "seafile" # Ensure your Seafile deployment/pod has this label
}
port {
protocol = "TCP"
port = 80
target_port = 80
node_port = 30000 # NodePort might not be ideal for production, consider Ingress or LoadBalancer service type without explicit nodePort
}
type = "LoadBalancer" # Or ClusterIP/NodePort depending on your needs
}
}
+13
View File
@@ -0,0 +1,13 @@
terraform {
required_version = "~>1.8"
required_providers {
kubernetes = {
source = "hashicorp/kubernetes"
version = "~>2.18"
}
scaleway = {
source = "scaleway/scaleway"
version = "~>2.13"
}
}
}
@@ -0,0 +1,35 @@
server {
listen 8080;
server_name localhost;
gzip on;
gzip_comp_level 9;
gzip_types
text/html
text/plain
text/css
text/js
text/xml
text/javascript
application/javascript
application/json
application/xml
application/rss+xml
image/svg+xml;
root /tmp/site;
location / {
index index.html index.htm;
}
location ~* ^/([^/]+) {
index index.html index.htm;
error_page 404 = @error;
}
error_page 404 /404.html;
location @error {
try_files /$1/404.html /404.html =404;
}
}
@@ -0,0 +1,34 @@
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /tmp/nginx.pid;
events {
worker_connections 1024;
}
http {
proxy_temp_path /tmp/proxy_temp;
client_body_temp_path /tmp/client_temp;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
keepalive_timeout 65;
include /etc/nginx/conf.d/*.conf;
}
+23
View File
@@ -0,0 +1,23 @@
variable "persistent_folder" {
description = "The path to the persistent folder"
type = string
}
variable "primary_domain" {
description = "The primary domain for the websites"
type = string
}
variable "tag" {
description = "The version of the websites to install"
type = string
default = "stable-alpine"
}
variable "websites" {
description = "A list of websites to be deployed"
type = map(object({
domain_name = string
fqdn = list(string)
}))
}