From ce7270259356dab8dd6fd2de3b8e6c9113ce24f1 Mon Sep 17 00:00:00 2001
From: Nikolai Rodionov
Date: Fri, 13 Sep 2024 06:42:35 +0200
Subject: [PATCH] Update stalwart config

Put the admin secret to environment, and read it from the main config, so there are no plain secrets in the repo anymore
---
 installations/applications/helmfile.yaml | 1 +
 values/badhouseplants/secrets.stalwart.yaml | 24 +++++++++
 values/badhouseplants/values.stalwart.yaml | 55 +++++++++------------
 3 files changed, 49 insertions(+), 31 deletions(-)
 create mode 100644 values/badhouseplants/secrets.stalwart.yaml

diff --git a/installations/applications/helmfile.yaml b/installations/applications/helmfile.yaml
index 373333e..c8a97aa 100644
--- a/installations/applications/helmfile.yaml
+++ b/installations/applications/helmfile.yaml
@@ -84,6 +84,7 @@ releases:
 namespace: applications
 inherit:
 - template: default-env-values
+ - template: default-env-secrets
 - template: ext-tcp-routes
 - name: shadowsocks-libev
 #- name: vaultwardentest
diff --git a/values/badhouseplants/secrets.stalwart.yaml b/values/badhouseplants/secrets.stalwart.yaml
new file mode 100644
index 0000000..21a5046
--- /dev/null
+++ b/values/badhouseplants/secrets.stalwart.yaml
@@ -0,0 +1,24 @@ +env: + secrets: + data: + SW_ADMIN_SECRET: ENC[AES256_GCM,data:Cbeqg1J5J4oSmXhiWRX0jiEgflrI7MVRiLmFlM5dQAqAfO/IoruZsqfYtKZjxsPGhKA=,iv:+IKV2jW69cnZo1gCGWyf8hZDh2wvBAkcOJ1xEm6pBM4=,tag:So7bqtKscDOnKhCz+AOsCw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXUHVRdFA0UTZCVitsYzFq + a2JhaUR2ODkydmN3ck1wc1h0UTRXMmI2eVUwCkd2bk9TWVFlUEdhcGk4RUFmVHZp + djJsOU1vanEySkpVMVN6SWF4OWd6MzQKLS0tIDJZcWxVeWJtOE1LNFZDZk5ZSEl5 + eUhLTUwvUysyYnhSMzRhanMyT3BPam8KkK4cWHKEGGSnva0t6XjmVY9uoc8gHX+Y + CdixG+aPhhimSx64DsZiE01ZGnT7iL1OC/W3umGWZv3OO0IAEXo3NQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-13T03:42:42Z" + mac: ENC[AES256_GCM,data:R8Uq4puFFIG5/snx/pgFLbYX+uqFZoVQOyn3Iw1Vh7vRX1QkG0njFMp3sbHTMfXqvoRPuXNJNK88jA+e0P04BzfbKqj9O+biP+AksRsS+5uGIeNtZXWzFOwFl5+Fv/RLvPY08+stE09ChUVZzJSe+l2ed7OSs8FXtJrJAXrSSh8=,iv:elp8yKU2AUjIIa4b2sZm0VJbO+qg//+SjGMvm9dMNbc=,tag:k79lBuL4Pa6+P35kLeeoQA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/values/badhouseplants/values.stalwart.yaml b/values/badhouseplants/values.stalwart.yaml index a831d2e..46234f7 100644 --- a/values/badhouseplants/values.stalwart.yaml +++ b/values/badhouseplants/values.stalwart.yaml @@ -21,7 +21,6 @@ workload: args: - -c - cp /app/config/config.toml /app/etc/config.toml - containers: stalwart: args: @@ -38,15 +37,15 @@ workload: path: /app/logs etc: path: /app/etc - + envFrom: + - secrets storage: data: enabled: true - storageClassName: default + storageClassName: ceph-filesystem size: 1Gi accessModes: - ReadWriteMany - extraVolumes: certs: secret: @@ -64,7 +63,6 @@ ingress: kubernetes.io/ingress.global-static-ip-name: "" kubernetes.io/tls-acme: "true" traefik.ingress.kubernetes.io/router.entrypoints: web,websecure - traefik: enabled: true tcpRoutes: 
@@ -98,11 +96,6 @@ traefik: service: stalwart-pop3s entrypoint: pop3s port: 995 - -storage: - data: - storageClassName: ceph-filesystem - files: config: enabled: true @@ -115,38 +108,38 @@ files: [server.listener."smtp"] bind = ["[::]:25"] protocol = "smtp" - + [server.listener."submission"] bind = ["[::]:587"] protocol = "smtp" - + [server.listener."submissions"] bind = ["[::]:465"] protocol = "smtp" tls.implicit = true - + [server.listener."imap"] bind = ["[::]:143"] protocol = "imap" - + [server.listener."imaptls"] bind = ["[::]:993"] protocol = "imap" tls.implicit = true - + [server.listener.pop3] bind = "[::]:110" protocol = "pop3" - + [server.listener.pop3s] bind = "[::]:995" protocol = "pop3" tls.implicit = true - + [server.listener."sieve"] bind = ["[::]:4190"] protocol = "managesieve" - + [server.listener."https"] protocol = "https" bind = ["[::]:443"] @@ -155,43 +148,43 @@ files: [server.listener."http"] bind = "[::]:8080" protocol = "http" - + [storage] data = "rocksdb" fts = "rocksdb" blob = "rocksdb" lookup = "rocksdb" directory = "internal" - + [store."rocksdb"] type = "rocksdb" path = "/app/data" compression = "lz4" - + [directory."internal"] type = "internal" store = "rocksdb" - + [tracer."stdout"] type = "stdout" level = "info" ansi = false enable = true - - #[server.run-as] - #user = "stalwart-mail" - #group = "stalwart-mail" - + [authentication.fallback-admin] - user = "admin" - secret = 'R@ndomToken$tring' - + user = "overlord" + secret = "%{env:SW_ADMIN_SECRET}%" + [tracer.console] type = "console" level = "info" ansi = true enable = true - + [certificate."default"] cert = "%{file:/app/certs/tls.crt}%" private-key = "%{file:/app/certs/tls.key}%" +env: + secrets: + enabled: true + sensitive: true
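Review bot: The plaintext `secret = 'R@ndomToken$tring'` removed from the `[authentication.fallback-admin]` stanza remains recoverable from git history, so moving the value into the sops-encrypted file only closes the exposure if the new `SW_ADMIN_SECRET` is a different credential; the encrypted value cannot be compared from this diff, so confirm it was rotated rather than re-encrypted as-is. The `env: secrets: enabled: true sensitive: true` block appended after the `[certificate."default"]` stanza is a new top-level key; if values.stalwart.yaml already defines `env:` somewhere outside this hunk, most YAML parsers silently keep the last occurrence, which is worth a check given the duplicate top-level `storage:` key this same commit had to remove. A short comment above the new block, e.g. `# env.secrets.data (SW_ADMIN_SECRET) is supplied by secrets.stalwart.yaml via sops and read by %{env:SW_ADMIN_SECRET}% in config.toml above`, would tie the two files together for the next reader.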