Update stalwart config
Put the admin secret into the environment and read it from the main config, so there are no plaintext secrets in the repo anymore
parent
5a17d56044
commit
ce72702593
@ -84,6 +84,7 @@ releases:
|
||||
namespace: applications
|
||||
inherit:
|
||||
- template: default-env-values
|
||||
- template: default-env-secrets
|
||||
- template: ext-tcp-routes
|
||||
- name: shadowsocks-libev
|
||||
#- name: vaultwardentest
|
||||
|
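--- a/values/badhouseplants/secrets.stalwart.yaml
+++ b/values/badhouseplants/secrets.stalwart.yaml
@@ -0,0 +1,24 @@
+env:
+secrets:
+data:
+SW_ADMIN_SECRET: ENC[AES256_GCM,data:Cbeqg1J5J4oSmXhiWRX0jiEgflrI7MVRiLmFlM5dQAqAfO/IoruZsqfYtKZjxsPGhKA=,iv:+IKV2jW69cnZo1gCGWyf8hZDh2wvBAkcOJ1xEm6pBM4=,tag:So7bqtKscDOnKhCz+AOsCw==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXUHVRdFA0UTZCVitsYzFq
+a2JhaUR2ODkydmN3ck1wc1h0UTRXMmI2eVUwCkd2bk9TWVFlUEdhcGk4RUFmVHZp
+djJsOU1vanEySkpVMVN6SWF4OWd6MzQKLS0tIDJZcWxVeWJtOE1LNFZDZk5ZSEl5
+eUhLTUwvUysyYnhSMzRhanMyT3BPam8KkK4cWHKEGGSnva0t6XjmVY9uoc8gHX+Y
+CdixG+aPhhimSx64DsZiE01ZGnT7iL1OC/W3umGWZv3OO0IAEXo3NQ==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-09-13T03:42:42Z"
+mac: ENC[AES256_GCM,data:R8Uq4puFFIG5/snx/pgFLbYX+uqFZoVQOyn3Iw1Vh7vRX1QkG0njFMp3sbHTMfXqvoRPuXNJNK88jA+e0P04BzfbKqj9O+biP+AksRsS+5uGIeNtZXWzFOwFl5+Fv/RLvPY08+stE09ChUVZzJSe+l2ed7OSs8FXtJrJAXrSSh8=,iv:elp8yKU2AUjIIa4b2sZm0VJbO+qg//+SjGMvm9dMNbc=,tag:k79lBuL4Pa6+P35kLeeoQA==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.9.0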
@ -21,7 +21,6 @@ workload:
|
||||
args:
|
||||
- -c
|
||||
- cp /app/config/config.toml /app/etc/config.toml
|
||||
|
||||
containers:
|
||||
stalwart:
|
||||
args:
|
||||
@ -38,15 +37,15 @@ workload:
|
||||
path: /app/logs
|
||||
etc:
|
||||
path: /app/etc
|
||||
|
||||
envFrom:
|
||||
- secrets
|
||||
storage:
|
||||
data:
|
||||
enabled: true
|
||||
storageClassName: default
|
||||
storageClassName: ceph-filesystem
|
||||
size: 1Gi
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
|
||||
extraVolumes:
|
||||
certs:
|
||||
secret:
|
||||
@ -64,7 +63,6 @@ ingress:
|
||||
kubernetes.io/ingress.global-static-ip-name: ""
|
||||
kubernetes.io/tls-acme: "true"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
|
||||
|
||||
traefik:
|
||||
enabled: true
|
||||
tcpRoutes:
|
||||
@ -98,11 +96,6 @@ traefik:
|
||||
service: stalwart-pop3s
|
||||
entrypoint: pop3s
|
||||
port: 995
|
||||
|
||||
storage:
|
||||
data:
|
||||
storageClassName: ceph-filesystem
|
||||
|
||||
files:
|
||||
config:
|
||||
enabled: true
|
||||
@ -115,38 +108,38 @@ files:
|
||||
[server.listener."smtp"]
|
||||
bind = ["[::]:25"]
|
||||
protocol = "smtp"
|
||||
|
||||
|
||||
[server.listener."submission"]
|
||||
bind = ["[::]:587"]
|
||||
protocol = "smtp"
|
||||
|
||||
|
||||
[server.listener."submissions"]
|
||||
bind = ["[::]:465"]
|
||||
protocol = "smtp"
|
||||
tls.implicit = true
|
||||
|
||||
|
||||
[server.listener."imap"]
|
||||
bind = ["[::]:143"]
|
||||
protocol = "imap"
|
||||
|
||||
|
||||
[server.listener."imaptls"]
|
||||
bind = ["[::]:993"]
|
||||
protocol = "imap"
|
||||
tls.implicit = true
|
||||
|
||||
|
||||
[server.listener.pop3]
|
||||
bind = "[::]:110"
|
||||
protocol = "pop3"
|
||||
|
||||
|
||||
[server.listener.pop3s]
|
||||
bind = "[::]:995"
|
||||
protocol = "pop3"
|
||||
tls.implicit = true
|
||||
|
||||
|
||||
[server.listener."sieve"]
|
||||
bind = ["[::]:4190"]
|
||||
protocol = "managesieve"
|
||||
|
||||
|
||||
[server.listener."https"]
|
||||
protocol = "https"
|
||||
bind = ["[::]:443"]
|
||||
@ -155,43 +148,43 @@ files:
|
||||
[server.listener."http"]
|
||||
bind = "[::]:8080"
|
||||
protocol = "http"
|
||||
|
||||
|
||||
[storage]
|
||||
data = "rocksdb"
|
||||
fts = "rocksdb"
|
||||
blob = "rocksdb"
|
||||
lookup = "rocksdb"
|
||||
directory = "internal"
|
||||
|
||||
|
||||
[store."rocksdb"]
|
||||
type = "rocksdb"
|
||||
path = "/app/data"
|
||||
compression = "lz4"
|
||||
|
||||
|
||||
[directory."internal"]
|
||||
type = "internal"
|
||||
store = "rocksdb"
|
||||
|
||||
|
||||
[tracer."stdout"]
|
||||
type = "stdout"
|
||||
level = "info"
|
||||
ansi = false
|
||||
enable = true
|
||||
|
||||
#[server.run-as]
|
||||
#user = "stalwart-mail"
|
||||
#group = "stalwart-mail"
|
||||
|
||||
|
||||
[authentication.fallback-admin]
|
||||
user = "admin"
|
||||
secret = 'R@ndomToken$tring'
|
||||
|
||||
user = "overlord"
|
||||
secret = "%{env:SW_ADMIN_SECRET}%"
|
||||
|
||||
[tracer.console]
|
||||
type = "console"
|
||||
level = "info"
|
||||
ansi = true
|
||||
enable = true
|
||||
|
||||
|
||||
[certificate."default"]
|
||||
cert = "%{file:/app/certs/tls.crt}%"
|
||||
private-key = "%{file:/app/certs/tls.key}%"
|
||||
env:
|
||||
secrets:
|
||||
enabled: true
|
||||
sensitive: true
|
||||
|
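Review bot: The literal `secret = 'R@ndomToken$tring'` under `[authentication.fallback-admin]` stays readable in the repository history, so the move to `secret = "%{env:SW_ADMIN_SECRET}%"` only ends the exposure if the value encrypted in secrets.stalwart.yaml is a freshly generated one; the diff cannot confirm that because the value is SOPS-encrypted. The page does not mark which lines of this hunk are removed and which are added, so this reading is inferred from the commit description. I would record the dependency next to the key with a comment such as `# SW_ADMIN_SECRET is injected via envFrom: secrets (SOPS-encrypted values file); rotate it there, never inline`. If the deployed Stalwart version accepts a hashed value for this key, storing the hash instead of the plaintext would also keep the password itself out of the pod environment; that is worth checking against its documentation.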