Update stalwart config
Move the admin secret into an environment variable and read it from the main config, so there are no plaintext secrets in the repo anymore
parent
5a17d56044
commit
ce72702593
@ -84,6 +84,7 @@ releases:
|
|||||||
namespace: applications
|
namespace: applications
|
||||||
inherit:
|
inherit:
|
||||||
- template: default-env-values
|
- template: default-env-values
|
||||||
|
- template: default-env-secrets
|
||||||
- template: ext-tcp-routes
|
- template: ext-tcp-routes
|
||||||
- name: shadowsocks-libev
|
- name: shadowsocks-libev
|
||||||
#- name: vaultwardentest
|
#- name: vaultwardentest
|
||||||
|
24
values/badhouseplants/secrets.stalwart.yaml
Normal file
24
values/badhouseplants/secrets.stalwart.yaml
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
env:
|
||||||
|
secrets:
|
||||||
|
data:
|
||||||
|
SW_ADMIN_SECRET: ENC[AES256_GCM,data:Cbeqg1J5J4oSmXhiWRX0jiEgflrI7MVRiLmFlM5dQAqAfO/IoruZsqfYtKZjxsPGhKA=,iv:+IKV2jW69cnZo1gCGWyf8hZDh2wvBAkcOJ1xEm6pBM4=,tag:So7bqtKscDOnKhCz+AOsCw==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXUHVRdFA0UTZCVitsYzFq
|
||||||
|
a2JhaUR2ODkydmN3ck1wc1h0UTRXMmI2eVUwCkd2bk9TWVFlUEdhcGk4RUFmVHZp
|
||||||
|
djJsOU1vanEySkpVMVN6SWF4OWd6MzQKLS0tIDJZcWxVeWJtOE1LNFZDZk5ZSEl5
|
||||||
|
eUhLTUwvUysyYnhSMzRhanMyT3BPam8KkK4cWHKEGGSnva0t6XjmVY9uoc8gHX+Y
|
||||||
|
CdixG+aPhhimSx64DsZiE01ZGnT7iL1OC/W3umGWZv3OO0IAEXo3NQ==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-09-13T03:42:42Z"
|
||||||
|
mac: ENC[AES256_GCM,data:R8Uq4puFFIG5/snx/pgFLbYX+uqFZoVQOyn3Iw1Vh7vRX1QkG0njFMp3sbHTMfXqvoRPuXNJNK88jA+e0P04BzfbKqj9O+biP+AksRsS+5uGIeNtZXWzFOwFl5+Fv/RLvPY08+stE09ChUVZzJSe+l2ed7OSs8FXtJrJAXrSSh8=,iv:elp8yKU2AUjIIa4b2sZm0VJbO+qg//+SjGMvm9dMNbc=,tag:k79lBuL4Pa6+P35kLeeoQA==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.9.0
|
@ -21,7 +21,6 @@ workload:
|
|||||||
args:
|
args:
|
||||||
- -c
|
- -c
|
||||||
- cp /app/config/config.toml /app/etc/config.toml
|
- cp /app/config/config.toml /app/etc/config.toml
|
||||||
|
|
||||||
containers:
|
containers:
|
||||||
stalwart:
|
stalwart:
|
||||||
args:
|
args:
|
||||||
@ -38,15 +37,15 @@ workload:
|
|||||||
path: /app/logs
|
path: /app/logs
|
||||||
etc:
|
etc:
|
||||||
path: /app/etc
|
path: /app/etc
|
||||||
|
envFrom:
|
||||||
|
- secrets
|
||||||
storage:
|
storage:
|
||||||
data:
|
data:
|
||||||
enabled: true
|
enabled: true
|
||||||
storageClassName: default
|
storageClassName: ceph-filesystem
|
||||||
size: 1Gi
|
size: 1Gi
|
||||||
accessModes:
|
accessModes:
|
||||||
- ReadWriteMany
|
- ReadWriteMany
|
||||||
|
|
||||||
extraVolumes:
|
extraVolumes:
|
||||||
certs:
|
certs:
|
||||||
secret:
|
secret:
|
||||||
@ -64,7 +63,6 @@ ingress:
|
|||||||
kubernetes.io/ingress.global-static-ip-name: ""
|
kubernetes.io/ingress.global-static-ip-name: ""
|
||||||
kubernetes.io/tls-acme: "true"
|
kubernetes.io/tls-acme: "true"
|
||||||
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
|
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
|
||||||
|
|
||||||
traefik:
|
traefik:
|
||||||
enabled: true
|
enabled: true
|
||||||
tcpRoutes:
|
tcpRoutes:
|
||||||
@ -98,11 +96,6 @@ traefik:
|
|||||||
service: stalwart-pop3s
|
service: stalwart-pop3s
|
||||||
entrypoint: pop3s
|
entrypoint: pop3s
|
||||||
port: 995
|
port: 995
|
||||||
|
|
||||||
storage:
|
|
||||||
data:
|
|
||||||
storageClassName: ceph-filesystem
|
|
||||||
|
|
||||||
files:
|
files:
|
||||||
config:
|
config:
|
||||||
enabled: true
|
enabled: true
|
||||||
@ -115,38 +108,38 @@ files:
|
|||||||
[server.listener."smtp"]
|
[server.listener."smtp"]
|
||||||
bind = ["[::]:25"]
|
bind = ["[::]:25"]
|
||||||
protocol = "smtp"
|
protocol = "smtp"
|
||||||
|
|
||||||
[server.listener."submission"]
|
[server.listener."submission"]
|
||||||
bind = ["[::]:587"]
|
bind = ["[::]:587"]
|
||||||
protocol = "smtp"
|
protocol = "smtp"
|
||||||
|
|
||||||
[server.listener."submissions"]
|
[server.listener."submissions"]
|
||||||
bind = ["[::]:465"]
|
bind = ["[::]:465"]
|
||||||
protocol = "smtp"
|
protocol = "smtp"
|
||||||
tls.implicit = true
|
tls.implicit = true
|
||||||
|
|
||||||
[server.listener."imap"]
|
[server.listener."imap"]
|
||||||
bind = ["[::]:143"]
|
bind = ["[::]:143"]
|
||||||
protocol = "imap"
|
protocol = "imap"
|
||||||
|
|
||||||
[server.listener."imaptls"]
|
[server.listener."imaptls"]
|
||||||
bind = ["[::]:993"]
|
bind = ["[::]:993"]
|
||||||
protocol = "imap"
|
protocol = "imap"
|
||||||
tls.implicit = true
|
tls.implicit = true
|
||||||
|
|
||||||
[server.listener.pop3]
|
[server.listener.pop3]
|
||||||
bind = "[::]:110"
|
bind = "[::]:110"
|
||||||
protocol = "pop3"
|
protocol = "pop3"
|
||||||
|
|
||||||
[server.listener.pop3s]
|
[server.listener.pop3s]
|
||||||
bind = "[::]:995"
|
bind = "[::]:995"
|
||||||
protocol = "pop3"
|
protocol = "pop3"
|
||||||
tls.implicit = true
|
tls.implicit = true
|
||||||
|
|
||||||
[server.listener."sieve"]
|
[server.listener."sieve"]
|
||||||
bind = ["[::]:4190"]
|
bind = ["[::]:4190"]
|
||||||
protocol = "managesieve"
|
protocol = "managesieve"
|
||||||
|
|
||||||
[server.listener."https"]
|
[server.listener."https"]
|
||||||
protocol = "https"
|
protocol = "https"
|
||||||
bind = ["[::]:443"]
|
bind = ["[::]:443"]
|
||||||
@ -155,43 +148,43 @@ files:
|
|||||||
[server.listener."http"]
|
[server.listener."http"]
|
||||||
bind = "[::]:8080"
|
bind = "[::]:8080"
|
||||||
protocol = "http"
|
protocol = "http"
|
||||||
|
|
||||||
[storage]
|
[storage]
|
||||||
data = "rocksdb"
|
data = "rocksdb"
|
||||||
fts = "rocksdb"
|
fts = "rocksdb"
|
||||||
blob = "rocksdb"
|
blob = "rocksdb"
|
||||||
lookup = "rocksdb"
|
lookup = "rocksdb"
|
||||||
directory = "internal"
|
directory = "internal"
|
||||||
|
|
||||||
[store."rocksdb"]
|
[store."rocksdb"]
|
||||||
type = "rocksdb"
|
type = "rocksdb"
|
||||||
path = "/app/data"
|
path = "/app/data"
|
||||||
compression = "lz4"
|
compression = "lz4"
|
||||||
|
|
||||||
[directory."internal"]
|
[directory."internal"]
|
||||||
type = "internal"
|
type = "internal"
|
||||||
store = "rocksdb"
|
store = "rocksdb"
|
||||||
|
|
||||||
[tracer."stdout"]
|
[tracer."stdout"]
|
||||||
type = "stdout"
|
type = "stdout"
|
||||||
level = "info"
|
level = "info"
|
||||||
ansi = false
|
ansi = false
|
||||||
enable = true
|
enable = true
|
||||||
|
|
||||||
#[server.run-as]
|
|
||||||
#user = "stalwart-mail"
|
|
||||||
#group = "stalwart-mail"
|
|
||||||
|
|
||||||
[authentication.fallback-admin]
|
[authentication.fallback-admin]
|
||||||
user = "admin"
|
user = "overlord"
|
||||||
secret = 'R@ndomToken$tring'
|
secret = "%{env:SW_ADMIN_SECRET}%"
|
||||||
|
|
||||||
[tracer.console]
|
[tracer.console]
|
||||||
type = "console"
|
type = "console"
|
||||||
level = "info"
|
level = "info"
|
||||||
ansi = true
|
ansi = true
|
||||||
enable = true
|
enable = true
|
||||||
|
|
||||||
[certificate."default"]
|
[certificate."default"]
|
||||||
cert = "%{file:/app/certs/tls.crt}%"
|
cert = "%{file:/app/certs/tls.crt}%"
|
||||||
private-key = "%{file:/app/certs/tls.key}%"
|
private-key = "%{file:/app/certs/tls.key}%"
|
||||||
|
env:
|
||||||
|
secrets:
|
||||||
|
enabled: true
|
||||||
|
sensitive: true
|
||||||
|
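Review bot: The old fallback-admin secret stays readable in the repository history, and nothing on this page shows whether the encrypted `SW_ADMIN_SECRET` is a freshly generated value or the same string re-encrypted; the value referenced under `[authentication.fallback-admin]` should be a rotated one. Renaming the user from `admin` to `overlord` does not compensate for a reused secret. Stalwart, as far as I know, also accepts a hashed value in this field, so storing a hash in the SOPS file would keep the cleartext password out of the pod environment as well. I would add a comment above the secret line such as `# value comes from secrets.stalwart.yaml (SOPS/age); rotate it there, never inline`.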