Update stalwart config

Put the admin secret to environment, and read it from the main config,
so there are no plain secrets in the repo anymore

installations/applications/helmfile.yaml

@@ -84,6 +84,7 @@ releases:
     namespace: applications
     inherit:
       - template: default-env-values
+      - template: default-env-secrets
       - template: ext-tcp-routes
   - name: shadowsocks-libev
     #- name: vaultwardentest

values/badhouseplants/secrets.stalwart.yaml

@@ -0,0 +1,24 @@
+env:
+  secrets:
+    data:
+      SW_ADMIN_SECRET: ENC[AES256_GCM,data:Cbeqg1J5J4oSmXhiWRX0jiEgflrI7MVRiLmFlM5dQAqAfO/IoruZsqfYtKZjxsPGhKA=,iv:+IKV2jW69cnZo1gCGWyf8hZDh2wvBAkcOJ1xEm6pBM4=,tag:So7bqtKscDOnKhCz+AOsCw==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXUHVRdFA0UTZCVitsYzFq
+        a2JhaUR2ODkydmN3ck1wc1h0UTRXMmI2eVUwCkd2bk9TWVFlUEdhcGk4RUFmVHZp
+        djJsOU1vanEySkpVMVN6SWF4OWd6MzQKLS0tIDJZcWxVeWJtOE1LNFZDZk5ZSEl5
+        eUhLTUwvUysyYnhSMzRhanMyT3BPam8KkK4cWHKEGGSnva0t6XjmVY9uoc8gHX+Y
+        CdixG+aPhhimSx64DsZiE01ZGnT7iL1OC/W3umGWZv3OO0IAEXo3NQ==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-09-13T03:42:42Z"
+  mac: ENC[AES256_GCM,data:R8Uq4puFFIG5/snx/pgFLbYX+uqFZoVQOyn3Iw1Vh7vRX1QkG0njFMp3sbHTMfXqvoRPuXNJNK88jA+e0P04BzfbKqj9O+biP+AksRsS+5uGIeNtZXWzFOwFl5+Fv/RLvPY08+stE09ChUVZzJSe+l2ed7OSs8FXtJrJAXrSSh8=,iv:elp8yKU2AUjIIa4b2sZm0VJbO+qg//+SjGMvm9dMNbc=,tag:k79lBuL4Pa6+P35kLeeoQA==,type:str]
+  pgp: []
+  unencrypted_suffix: _unencrypted
+  version: 3.9.0

values/badhouseplants/values.stalwart.yaml

@@ -21,7 +21,6 @@ workload:
       args:
         - -c
         - cp /app/config/config.toml /app/etc/config.toml
-         
   containers:
     stalwart:
       args:
@@ -38,15 +37,15 @@ workload:
             path: /app/logs
           etc:
             path: /app/etc
-
+      envFrom:
+        - secrets
 storage:
   data:
     enabled: true
-    storageClassName: default
+    storageClassName: ceph-filesystem
     size: 1Gi
     accessModes:
       - ReadWriteMany
-
 extraVolumes:
   certs:
     secret:
@@ -64,7 +63,6 @@ ingress:
       kubernetes.io/ingress.global-static-ip-name: ""
       kubernetes.io/tls-acme: "true"
       traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
-
 traefik:
   enabled: true
   tcpRoutes:
@@ -98,11 +96,6 @@ traefik:
       service: stalwart-pop3s
       entrypoint: pop3s
       port: 995
-
-storage:
-  data:
-    storageClassName: ceph-filesystem
-
 files:
   config:
     enabled: true
@@ -178,13 +171,9 @@ files:
           ansi = false
           enable = true
 
-          #[server.run-as]
-          #user = "stalwart-mail"
-          #group = "stalwart-mail"
-          
           [authentication.fallback-admin]
-          user = "admin"
+          user = "overlord"
-          secret = 'R@ndomToken$tring'
+          secret = "%{env:SW_ADMIN_SECRET}%"
 
           [tracer.console]
           type = "console"
@@ -195,3 +184,7 @@ files:
           [certificate."default"]
           cert = "%{file:/app/certs/tls.crt}%"
           private-key = "%{file:/app/certs/tls.key}%"
+env:
+  secrets:
+    enabled: true
+    sensitive: true