diff --git a/badhouseplants/helmfile.yaml b/badhouseplants/helmfile.yaml index 0d2b132..7d85357 100644 --- a/badhouseplants/helmfile.yaml +++ b/badhouseplants/helmfile.yaml @@ -43,7 +43,7 @@ releases: createNamespace: false - <<: *mailu - installed: true + installed: false namespace: mailu-application createNamespace: true diff --git a/badhouseplants/values/secrets.mailu.yaml b/badhouseplants/values/secrets.mailu.yaml index bd27314..5e20299 100644 --- a/badhouseplants/values/secrets.mailu.yaml +++ b/badhouseplants/values/secrets.mailu.yaml @@ -1,8 +1,9 @@ -secretKey: ENC[AES256_GCM,data:AY41e2XkC0e32L/9MWxK4YkbeGj/piZpgIGjU7Bd,iv:3DRmPKD3YHgqizBq2EAy/BC0qc0mSmpLLMCxRXdakRc=,tag:HgnEjhISDMqUkoObbpf3NA==,type:str] +secretKey: ENC[AES256_GCM,data:yL0+ORBJ4ZWHrmoNvVowEA==,iv:XJuY89wtdz8b+9SnTMro33Ka/pBOymyhN3MLJOyujAA=,tag:hSXjKC6+6NLgCoiHlbqtxQ==,type:str] initialAccount: + enabled: ENC[AES256_GCM,data:MvyEVw==,iv:ICIPR4oJW6pCRUks7Rk70NqdxVTXYqmM2qjQetppmEY=,tag:1FOK5MyPSTaiDayAAaPPuQ==,type:bool] username: ENC[AES256_GCM,data:qSsqS5iQAyNzAQ+ZOLSWsie3k04b7qPUpcfU,iv:sXe2sjo4XesoEmjI9tY8gYd2psUlZCltBtLlIyE+v8w=,tag:uZeXnjU+7aLHI87qW+tiGw==,type:str] domain: ENC[AES256_GCM,data:T5w/nPrq36iwZQdYHMQkisY1,iv:7EskbKJfRXMhkKZBgHy6nP8r1epcf7bNi8gAp4qY5TI=,tag:nZ+0BhvIy9Ap88SHaKhSvw==,type:str] - password: ENC[AES256_GCM,data:HR5qr3fZIOs7ye4DkwtacY2BcQbxu+27Yw==,iv:pq+0zNOhxAAWGsy579HQCrymcq0dfbOph1xyzkgPdcA=,tag:dSR8CW94YNaRujBK/Ysmtw==,type:str] + password: ENC[AES256_GCM,data:dki7Cw2n5FxYsINS+aap4u8hkQBl4RUVW2KxSXrQ,iv:XxUHdy5xAWoH00yxItL9P5YuCJtCG4pfRUhZdOr0EWw=,tag:Lo7ahX7CAXS31lFDKEYRww==,type:str] postgresql: auth: password: ENC[AES256_GCM,data:o2KghCpri6cUbGeh3LIjUO6TXBz4nrZSaU8tW7PD,iv:KNp+FM1DqC2h1/F2cudAQfQZA6UAD833SQbEQ/oKkTM=,tag:oHZzKLzZ+IIJDrjFDX/3cA==,type:str] 
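Review bot: `initialAccount.enabled` is added to the SOPS-encrypted file, so the switch that decides whether a bootstrap account is created cannot be read in review; only the ciphertext and `type:bool` are visible. A non-secret flag like this reads better as a plain `enabled:` under `initialAccount:` in `values.mailu.yaml`, leaving only `username`, `domain` and `password` encrypted. If the account is enabled, a comment should also say whether the chart re-applies this password on every sync, because that decides whether a password changed in the UI survives the next deploy; the hunk does not show which mode is in use.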
@@ -30,8 +31,8 @@ sops: RjVVYmRKcERYZVhMT0ViZzR5cm8rMTgKizZBRrU/WauUmFYm9fnouiegNkYZkudp QpOha6CggN8rItelbnWMHlzGZBzM+77mFocuGmvNuTY/YGSkXfLjLA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-04-22T17:13:44Z" - mac: ENC[AES256_GCM,data:GMqaB9uNNkO2oLFncxOIql2vQyLneopSCIZ75sbEQJpbEtc+UltcQ46EaK8MeII3vEuxa5EvEZQbaz04+zfi33lDyYIv/0IsIyKkZg1WtC+6pEzoXUCSAfSLFaPPSsvaycerU+S9rUl4hXPJJmyg/tdm75HWg9KrA0LSnlO2PSI=,iv:XbFgdnsDa8kbX2EwEmyTDiktq3VWm3QBbfpTCB8LCWo=,tag:kLLsjih/YJkQa9K07791oQ==,type:str] + lastmodified: "2023-04-28T08:37:51Z" + mac: ENC[AES256_GCM,data:NtXsrrs9yWlVO6oBQuJKHKPlmFMkqmu5BqOrYjdj9R7KdYycIWRDlNojieP9lghjSllgjkR3N4DpST9n6r6GHOkrpCl0eX12AsY0GUhSwaJzMgvX34Kzo+BjtISvODy0UzEVb9qKzbFuO9R4FMqyxBjTJirJVFT1EIB7Hxbb5Zc=,iv:OFKLvj96oRasDg5sYbJNS5KvZnxOXhh36Nwjl2gA1v0=,tag:aWsKrlbubuh+xTnyxvWeRg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/badhouseplants/values/values.istio-ingressgateway.yaml b/badhouseplants/values/values.istio-ingressgateway.yaml index 5b29616..b20aa3d 100644 --- a/badhouseplants/values/values.istio-ingressgateway.yaml +++ b/badhouseplants/values/values.istio-ingressgateway.yaml @@ -53,6 +53,8 @@ service: port: 995 protocol: TCP targetPort: 995 +podAnnotations: + proxy.istio.io/config: '{"gatewayTopology" : { "numTrustedProxies": 0, "forwardClientCertDetails": SANITIZE } }' resources: requests: cpu: 100m diff --git a/badhouseplants/values/values.mailu.yaml b/badhouseplants/values/values.mailu.yaml index 0b38aa0..c2188b2 100644 --- a/badhouseplants/values/values.mailu.yaml +++ b/badhouseplants/values/values.mailu.yaml @@ -9,7 +9,7 @@ certificate: name: badhouseplants-issuer dnsNames: - badhouseplants.net - - "*.badhouseplants.net" + - "email.badhouseplants.net" # ------------------------------------------ # -- Istio extenstion. Just because I'm # -- not using ingress nginx 
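Review bot: The `proxy.istio.io/config` annotation value is written as JSON but leaves `SANITIZE` unquoted, so the string is not valid JSON and only works if the consumer parses the annotation as YAML. Quoting it removes that dependency: `proxy.istio.io/config: '{"gatewayTopology": {"numTrustedProxies": 0, "forwardClientCertDetails": "SANITIZE"}}'`. A one-line comment above `podAnnotations:` stating that no upstream proxy is trusted for `X-Forwarded-For` and that client-supplied `X-Forwarded-Client-Cert` is dropped would make the intent clear, especially since the same commit adds PROXY-protocol filters under `manifests/debug/`.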
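Review bot: The certificate `dnsNames` now list only `badhouseplants.net` and `email.badhouseplants.net`, while the next hunk in this file (`@@ -23,62 +23,67 @@`) changes `hostnames` to `post.badhouseplants.net`, which neither entry covers now that the wildcard is gone. If this certificate is the one the mail front end presents (not visible from the hunk), clients connecting to `post.badhouseplants.net` will see a name mismatch. Either add `- "post.badhouseplants.net"` to `dnsNames` or keep `hostnames` on `email.badhouseplants.net`. The `certificate:` block starts above the hunk.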
@@ -23,62 +23,67 @@ istio: hostname: email.badhouseplants.net service: mailu-front port: 80 - - name: mailu-smpt - kind: tcp - gateway: badhouseplants-mail - service: mailu-front - hostname: "*" - port_match: 25 - port: 25 - - name: mailu-smpts - kind: tcp - gateway: badhouseplants-mail - port_match: 465 - hostname: "*" - service: mailu-front - port: 465 - - name: mailu-smpt-startls - kind: tcp - gateway: badhouseplants-mail - hostname: "*" - port_match: 587 - service: mailu-front - port: 587 - - name: mailu-imap - kind: tcp - hostname: "*" - gateway: badhouseplants-mail - port_match: 143 - service: mailu-front - port: 143 - - name: mailu-imaps - kind: tcp - gateway: badhouseplants-mail - hostname: "*" - port_match: 993 - service: mailu-front - port: 993 - - name: mailu-pop3 - kind: tcp - gateway: badhouseplants-mail - port_match: 110 - hostname: "*" - service: mailu-front - port: 110 - - name: mailu-pop3s - kind: tcp - gateway: badhouseplants-mail - port_match: 993 - hostname: "*" - service: mailu-front - port: 993 + # - name: mailu-smpt + # kind: tcp + # gateway: badhouseplants-mail + # service: mailu-front + # hostname: email.badhousplants.net + # port_match: 25 + # port: 25 + # - name: mailu-smpts + # kind: tcp + # gateway: badhouseplants-mail + # port_match: 465 + # hostname: email.badhousplants.net + # service: mailu-front + # port: 465 + # - name: mailu-smpt-startls + # kind: tcp + # gateway: badhouseplants-mail + # hostname: email.badhousplants.net + # port_match: 587 + # service: mailu-front + # port: 587 + # - name: mailu-imap + # kind: tcp + # hostname: email.badhousplants.net + # gateway: badhouseplants-mail + # port_match: 143 + # service: mailu-front + # port: 143 + # - name: mailu-imaps + # kind: tcp + # gateway: badhouseplants-mail + # hostname: email.badhousplants.net + # port_match: 993 + # service: mailu-front + # port: 993 + # - name: mailu-pop3 + # kind: tcp + # gateway: badhouseplants-mail + # port_match: 110 + # hostname: 
email.badhousplants.net + # service: mailu-front + # port: 110 + # - name: mailu-pop3s + # kind: tcp + # gateway: badhouseplants-mail + # port_match: 993 + # hostname: email.badhousplants.net + # service: mailu-front + # port: 993 subnet: 10.1.0.0/16 -sessionCookieSecure: false +sessionCookieSecure: true hostnames: - - email.badhouseplants.net + - post.badhouseplants.net domain: badhouseplants.net persistence: single_pvc: false +limits: + messageRatelimit: + value: "10/day" +tls: + outboundLevel: secure ingress: enabled: false tls: false @@ -108,10 +113,10 @@ redis: postfix: resources: requests: - memory: 100Mi - cpu: 70m + memory: 1024Mi + cpu: 200m limits: - memory: 200Mi + memory: 1024Mi cpu: 200m persistence: size: 1Gi @@ -148,11 +153,11 @@ postgresql: enabled: false storageClass: "" accessMode: ReadWriteOnce - size: 1Gi + size: 2Gi front: logLevel: DEBUG hostPort: - enabled: false + enabled: true rspamd: resources: requests: @@ -173,4 +178,4 @@ webmail: storageClass: "" accessModes: [ReadWriteOnce] claimNameOverride: "" - annotations: {} \ No newline at end of file + annotations: {} diff --git a/helmfile.yaml b/helmfile.yaml index 7de8c56..1bbc24e 100644 --- a/helmfile.yaml +++ b/helmfile.yaml @@ -40,6 +40,11 @@ releases: installed: true namespace: openvpn-service createNamespace: false + + - <<: *metallb + installed: true + namespace: metallb-system + createNamespace: true helmfiles: - path: {{.Environment.Name }}/helmfile.yaml diff --git a/manifests/badhouseplants-ip.yaml b/manifests/badhouseplants-ip.yaml new file mode 100644 index 0000000..b98f76f --- /dev/null +++ b/manifests/badhouseplants-ip.yaml @@ -0,0 +1,10 @@ +# addresspool.yaml +--- +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: custom-addresspool + namespace: metallb-system +spec: + addresses: + - 195.201.250.50-195.201.250.50 diff --git a/manifests/debug/istio-stuff.yaml b/manifests/debug/istio-stuff.yaml new file mode 100644 index 0000000..70c689e --- /dev/null 
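Review bot: The commented-out TCP routes carry two mistakes that would come back silently if the block is ever re-enabled. Every `hostname` reads `email.badhousplants.net` (the `e` in `houseplants` is missing), and `mailu-pop3s` still uses `port_match: 993` and `port: 993`, the same as `mailu-imaps`, although the gateway service in this commit exposes 995. Deleting the block is cleaner than commenting it out, since git history keeps it. If it stays, fix the hostname, use `port_match: 995` with `port: 995` for `mailu-pop3s`, and add a comment saying why the routes are disabled.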
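Review bot: `front.hostPort.enabled: true` binds the front end's ports on the node itself, so that traffic no longer passes through the Istio gateway whose TCP routes are commented out earlier in this file. Inbound filtering for those ports then rests on the host firewall alone, and `logLevel: DEBUG` on the line above stays active on what is now a directly reachable listener. I would add a comment such as `# hostPort binds the mail ports on the node; inbound filtering must happen at the host firewall` and lower `logLevel` to `INFO` once debugging is finished.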
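Review bot: `metadata.name: custom-addresspool` in `metallb-system` is the same name used by `manifests/etersoft-ip.yaml` later in this commit, so applying both files to one cluster would make the second replace the first pool's address. Naming each pool after its site, e.g. `name: badhouseplants-pool`, avoids that, and the leading `# addresspool.yaml` comment should match the real file name. No `L2Advertisement` or `BGPAdvertisement` appears in the commit; unless one exists elsewhere, MetalLB will assign the address but not announce it.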
+++ b/manifests/debug/istio-stuff.yaml @@ -0,0 +1,17 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: proxy-protocol + namespace: istio-system +spec: + workloadSelector: + labels: + istio: ingressgateway + configPatches: + - applyTo: LISTENER + patch: + operation: MERGE + value: + listener_filters: + - name: envoy.listener.proxy_protocol + diff --git a/manifests/debug/proxy-prot.yaml b/manifests/debug/proxy-prot.yaml new file mode 100644 index 0000000..94e9946 --- /dev/null +++ b/manifests/debug/proxy-prot.yaml @@ -0,0 +1,17 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: proxy-protocol + namespace: istio-system +spec: + configPatches: + - applyTo: LISTENER + patch: + operation: MERGE + value: + listener_filters: + - name: envoy.listener.proxy_protocol + - name: envoy.listener.tls_inspector + workloadSelector: + labels: + istio: ingressgateway diff --git a/manifests/debug/test.yaml b/manifests/debug/test.yaml new file mode 100644 index 0000000..25636a6 --- /dev/null +++ b/manifests/debug/test.yaml 
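Review bot: The `LISTENER` patch has no `match`, so the PROXY-protocol listener filter is merged into every listener of the pods labelled `istio: ingressgateway`; `manifests/debug/proxy-prot.yaml` does the same. With the filter active the gateway takes the client address from the PROXY header and rejects connections that lack one, so this is only sound when the load balancer in front is the sole path to these ports. Scoping the patch with `match:` / `context: GATEWAY` and a `listener.portNumber`, and naming in a comment which upstream sends the header, would limit the effect. The filter name `envoy.listener.proxy_protocol` is the legacy form; newer Envoy builds expect `envoy.filters.listener.proxy_protocol`, so check it against the Istio version in use.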
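Review bot: This EnvoyFilter has the same `metadata.name: proxy-protocol` and namespace `istio-system` as the one in `manifests/debug/istio-stuff.yaml`, so whichever file is applied last replaces the other. The two differ only in the extra `envoy.listener.tls_inspector` entry, so keep one file or rename this one, e.g. `name: proxy-protocol-tls-inspector`. If these debug manifests are applied by hand rather than through helmfile, a header comment saying so would help.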
@@ -0,0 +1,83 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: httpbin-gateway +spec: + selector: + istio: ingressgateway + servers: + - port: + number: 80 + name: http + protocol: HTTP2 + hosts: + - "test.badhouseplants.net" + - hosts: + - "test.badhouseplants.net" + port: + name: https + number: 443 + protocol: HTTPS + tls: + credentialName: badhouseplants-wildcard-tls + mode: SIMPLE +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: httpbin +spec: + hosts: + - "test.badhouseplants.net" + gateways: + - httpbin-gateway + http: + - route: + - destination: + host: httpbin + port: + number: 8000 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: httpbin +--- +apiVersion: v1 +kind: Service +metadata: + name: httpbin + labels: + app: httpbin + service: httpbin +spec: + ports: + - name: http + port: 8000 + targetPort: 80 + selector: + app: httpbin +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: httpbin +spec: + replicas: 1 + selector: + matchLabels: + app: httpbin + version: v1 + template: + metadata: + labels: + app: httpbin + version: v1 + spec: + serviceAccountName: httpbin + containers: + - image: docker.io/kong/httpbin + imagePullPolicy: IfNotPresent + name: httpbin + ports: + - containerPort: 80 diff --git a/manifests/etersoft-ip.yaml b/manifests/etersoft-ip.yaml new file mode 100644 index 0000000..7e8a401 --- /dev/null +++ b/manifests/etersoft-ip.yaml @@ -0,0 +1,10 @@ +# addresspool.yaml +--- +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: custom-addresspool + namespace: metallb-system +spec: + addresses: + - 91.232.225.63-91.232.225.63 diff --git a/releases.yaml b/releases.yaml index cd70427..d77cf32 100644 --- a/releases.yaml +++ b/releases.yaml 
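Review bot: The Deployment pulls `docker.io/kong/httpbin` with no tag or digest, so with `imagePullPolicy: IfNotPresent` each node keeps whatever `latest` pointed to when it first pulled. Pin it, e.g. `image: docker.io/kong/httpbin:<TAG>@sha256:<DIGEST>` (placeholders), and give the container a `securityContext` and `resources`, since the Gateway above publishes it on `test.badhouseplants.net` on ports 80 and 443. None of the objects set `metadata.namespace`, so they land in whatever namespace the caller's context selects. As a debug workload that echoes request data, it should be removed or detached from the Gateway once the test is over.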
@@ -79,6 +79,11 @@ templates: values: - common/values.{{ .Release.Name }}.yaml + metallb: &metallb + name: metallb + chart: metallb/metallb + version: 0.13.9 + cert-manager: &cert-manager name: cert-manager chart: jetstack/cert-manager diff --git a/repositories.yaml b/repositories.yaml index 42797a0..b71fcdf 100644 --- a/repositories.yaml +++ b/repositories.yaml @@ -28,3 +28,5 @@ repositories: url: https://bedag.github.io/helm-charts/ - name: mailu url: https://mailu.github.io/helm-charts/ + - name: metallb + url: https://metallb.github.io/metallb