update
diff --git a/charts/maddy/.helmignore b/charts/maddy/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/maddy/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/maddy/Chart.yaml b/charts/maddy/Chart.yaml
new file mode 100644
index 0000000..8476282
--- /dev/null
+++ b/charts/maddy/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: maddy
+description: A Helm chart for Maddy email server running on PCloud
+type: application
+version: 0.0.1
+appVersion: "0.0.1"
diff --git a/charts/maddy/templates/config.yaml b/charts/maddy/templates/config.yaml
new file mode 100644
index 0000000..166adc3
--- /dev/null
+++ b/charts/maddy/templates/config.yaml
@@ -0,0 +1,122 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: config
+ namespace: {{ .Release.Namespace }}
+data:
+ maddy.conf: |
+ $(hostname) = mail.{{ .Values.ingress.public.domain }}
+ $(primary_domain) = {{ .Values.ingress.public.domain }}
+ $(local_domains) = $(primary_domain)
+
+ auth.pass_table local_authdb {
+ table sql_table {
+ driver sqlite3
+ dsn credentials.db
+ table_name passwords
+ }
+ }
+
+ storage.imapsql local_mailboxes {
+ driver sqlite3
+ dsn imapsql.db
+ }
+
+ hostname $(hostname)
+
+ msgpipeline local_routing {
+ destination postmaster $(local_domains) {
+ modify {
+ replace_rcpt regexp "(.+)\+(.+)@(.+)" "$1@$3"
+ replace_rcpt file /etc/maddy/aliases
+ }
+
+ deliver_to &local_mailboxes
+ }
+
+ default_destination {
+ reject 550 5.1.1 "User doesn't exist"
+ }
+ }
+
+ smtp tcp://0.0.0.0:25 {
+ tls off
+
+ limits {
+ # Up to 20 msgs/sec across max. 10 SMTP connections.
+ all rate 20 1s
+ all concurrency 10
+ }
+
+ dmarc yes
+ check {
+ require_mx_record
+ dkim
+ spf
+ }
+
+ source $(local_domains) {
+ reject 501 5.1.8 "Use Submission for outgoing SMTP"
+ }
+ default_source {
+ destination postmaster $(local_domains) {
+ deliver_to &local_routing
+ }
+ default_destination {
+ reject 550 5.1.1 "User doesn't exist"
+ }
+ }
+ }
+
+ submission tls://0.0.0.0:465 tcp://0.0.0.0:587 {
+ tls file /etc/maddy/certs-private/tls.crt /etc/maddy/certs-private/tls.key
+
+ limits {
+ # Up to 50 msgs/sec across any amount of SMTP connections.
+ all rate 50 1s
+ }
+
+ auth &local_authdb
+
+ source $(local_domains) {
+ destination postmaster $(local_domains) {
+ deliver_to &local_routing
+ }
+ default_destination {
+ # modify {
+ # dkim $(primary_domain) $(local_domains) default
+ # }
+ deliver_to &remote_queue
+ }
+ }
+ default_source {
+ reject 501 5.1.8 "Non-local sender domain"
+ }
+ }
+
+ target.smtp outbound_gateway {
+ hostname {{ .Values.mailGateway.mxHostname }}
+ attempt_starttls false
+ require_tls no
+ auth forward
+ targets {{ .Values.mailGateway.address}}
+ }
+
+ target.queue remote_queue {
+ target &outbound_gateway
+ autogenerated_msg_domain $(primary_domain)
+ bounce {
+ destination postmaster $(local_domains) {
+ deliver_to &local_routing
+ }
+ default_destination {
+ reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
+ }
+ }
+ }
+
+ imap tls://0.0.0.0:993 tcp://0.0.0.0:143 {
+ tls file /etc/maddy/certs-private/tls.crt /etc/maddy/certs-private/tls.key
+ auth &local_authdb
+ storage &local_mailboxes
+ }
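Review bot: `auth forward` in `outbound_gateway` re-sends the credentials a user presented on the submission endpoint to the gateway, but `attempt_starttls false` and `require_tls no` combined with the default `tcp://` target mean those credentials and every outbound message cross the cluster network in cleartext. Unless that link is protected by a mesh or NetworkPolicy this chart does not show, set `attempt_starttls yes` and `require_tls yes` (or point `targets` at a `tls://` endpoint). The inbound listener `smtp tcp://0.0.0.0:25` with `tls off` has the same property if it is what the gateway delivers into, and it also refuses STARTTLS to any sender that reaches it directly. Separately, `submission` and `imap` are given the private wildcard certificate from `/etc/maddy/certs-private` while `hostname` is `mail.<public domain>`, so a client connecting by the public name would see a name mismatch — presumably clients are expected to use the private domain, which deserves a comment next to `tls file`. `replace_rcpt file /etc/maddy/aliases` names a file that no volume in this chart mounts; confirm how maddy behaves when it is absent.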
diff --git a/charts/maddy/templates/install.yaml b/charts/maddy/templates/install.yaml
new file mode 100644
index 0000000..ccc423a
--- /dev/null
+++ b/charts/maddy/templates/install.yaml
@@ -0,0 +1,176 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: maddy
+ namespace: {{ .Release.Namespace }}
+spec:
+ type: ClusterIP
+ selector:
+ app: maddy
+ ports:
+ - name: imap
+ port: 143
+ protocol: TCP
+ - name: imaps
+ port: 993
+ protocol: TCP
+ - name: smtp
+ port: 25
+ protocol: TCP
+ - name: smtps
+ port: 465
+ protocol: TCP
+ - name: submission
+ port: 587
+ protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: manage
+ namespace: {{ .Release.Namespace }}
+spec:
+ type: ClusterIP
+ selector:
+ app: maddy
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: manage
+ namespace: {{ .Release.Namespace }}
+spec:
+ ingressClassName: {{ .Values.ingress.private.className }}
+ tls:
+ - hosts:
+ - mail.{{ .Values.ingress.private.domain }}
+ secretName: cert-wildcard.{{ .Values.ingress.private.domain }}
+ rules:
+ - host: mail.{{ .Values.ingress.private.domain }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: manage
+ port:
+ name: http
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mail.{{ .Values.ingress.public.domain }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ helm.sh/resource-policy: keep
+spec:
+ dnsNames:
+ - 'mail.{{ .Values.ingress.public.domain }}'
+ issuerRef:
+ name: {{ .Values.ingress.public.certificateIssuer }}
+ kind: ClusterIssuer
+ secretName: cert-mail.{{ .Values.ingress.public.domain }}
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: data
+ namespace: {{ .Release.Namespace }}
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.storage.size }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: maddy
+ namespace: {{ .Release.Namespace }}
+spec:
+ selector:
+ matchLabels:
+ app: maddy
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: maddy
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
+ spec:
+ volumes:
+ - name: config
+ configMap:
+ name: config
+ - name: certs
+ secret:
+ secretName: cert-mail.{{ .Values.ingress.public.domain}}
+ - name: certs-private
+ secret:
+ secretName: cert-wildcard.{{ .Values.ingress.private.domain}}
+ - name: data
+ persistentVolumeClaim:
+ claimName: data
+ containers:
+ - name: maddy
+ image: giolekva/maddy:v0.4.4
+ imagePullPolicy: Always
+ ports:
+ - name: imap
+ containerPort: 143
+ protocol: TCP
+ - name: imaps
+ containerPort: 993
+ protocol: TCP
+ - name: smtp
+ containerPort: 25
+ protocol: TCP
+ - name: smtps
+ containerPort: 465
+ protocol: TCP
+ - name: submission
+ containerPort: 587
+ protocol: TCP
+ command:
+ - maddy
+ - -config
+ - /etc/maddy/config/maddy.conf
+ volumeMounts:
+ - name: config
+ mountPath: /etc/maddy/config
+ readOnly: true
+ - name: certs-private
+ mountPath: /etc/maddy/certs-private
+ readOnly: true
+ - name: data
+ mountPath: /var/lib/maddy
+ readOnly: false
+ - name: web
+ image: giolekva/maddy-web:latest
+ imagePullPolicy: Always
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ command:
+ - maddy-web
+ - --port=80
+ - --maddy-config=/etc/maddy/config/maddy.conf
+ volumeMounts:
+ - name: config
+ mountPath: /etc/maddy/config
+ readOnly: true
+ - name: certs
+ mountPath: /etc/maddy/certs
+ readOnly: true
+ - name: data
+ mountPath: /var/lib/maddy
+ readOnly: false
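Review bot: The `web` container runs `giolekva/maddy-web:latest` with `imagePullPolicy: Always` and a read-write mount of the same `/var/lib/maddy` volume that holds `credentials.db` and `imapsql.db`, so every pod restart pulls whatever that mutable tag currently points to and hands it the password table and all stored mail. Pin both images by digest, e.g. `image: giolekva/maddy-web@sha256:<digest>`, and give each container a `securityContext` that drops all capabilities (keeping `NET_BIND_SERVICE` only if the image binds 25/143 as an unprivileged user) and, if maddy writes only under `/var/lib/maddy`, sets `readOnlyRootFilesystem: true` — neither container sets one today. The `manage` Ingress publishes that UI on the private ingress class with no authentication visible in the chart; if maddy-web does not authenticate on its own, anyone who can reach the private ingress can administer mailboxes, so confirm or front it with an auth annotation. Finally, the Deployment keeps the default RollingUpdate strategy while both sqlite files live on a single RWO claim, so a rollout can briefly run two maddy processes against the same databases; `strategy: {type: Recreate}` avoids that.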
diff --git a/charts/maddy/templates/mta-sts.yaml b/charts/maddy/templates/mta-sts.yaml
new file mode 100644
index 0000000..c44e3dd
--- /dev/null
+++ b/charts/maddy/templates/mta-sts.yaml
@@ -0,0 +1,101 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mta-sts
+ namespace: {{ .Release.Namespace }}
+data:
+ mta-sts.txt: |
+ version: STSv1
+ mode: enforce
+ max_age: 604800
+ mx: {{ .Values.mailGateway.mxHostname }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mta-sts.{{ .Values.ingress.public.domain }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ helm.sh/resource-policy: keep
+spec:
+ dnsNames:
+ - 'mta-sts.{{ .Values.ingress.public.domain }}'
+ issuerRef:
+ name: {{ .Values.ingress.public.certificateIssuer }}
+ kind: ClusterIssuer
+ secretName: cert-mta-sts.{{ .Values.ingress.public.domain }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: mta-sts
+ namespace: {{ .Release.Namespace }}
+spec:
+ ingressClassName: {{ .Values.ingress.public.className }}
+ tls:
+ - hosts:
+ - mta-sts.{{ .Values.ingress.public.domain }}
+ secretName: cert-mta-sts.{{ .Values.ingress.public.domain }}
+ rules:
+ - host: mta-sts.{{ .Values.ingress.public.domain }}
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: mta-sts
+ port:
+ name: http
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: mta-sts
+ namespace: {{ .Release.Namespace }}
+spec:
+ type: ClusterIP
+ selector:
+ app: mta-sts
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+ protocol: TCP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mta-sts
+ namespace: {{ .Release.Namespace }}
+spec:
+ selector:
+ matchLabels:
+ app: mta-sts
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: mta-sts
+ spec:
+ volumes:
+ - name: mta-sts
+ configMap:
+ name: mta-sts
+ containers:
+ - name: maddy
+ image: giolekva/static-file-server:latest
+ imagePullPolicy: Always
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ command:
+ - static-file-server
+ - --port=80
+ - --dir=/etc/static-file-server/data
+ volumeMounts:
+ - name: mta-sts
+ mountPath: /etc/static-file-server/data/.well-known
+ readOnly: true
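Review bot: The policy ships with `mode: enforce` and `max_age: 604800`, so from the first deploy any sending MTA that has cached it will refuse delivery for a week whenever `mailGateway.mxHostname` does not offer STARTTLS with a valid certificate for that name on port 25 — there is no testing phase. Add `mtaSts.mode: testing` to values.yaml, render it as `mode: {{ .Values.mtaSts.mode }}`, and switch to enforce only once TLSRPT reports are clean. The chart also cannot change the `id` in the `_mta-sts.<domain>` TXT record, and senders only re-fetch the policy when that id changes, so a comment on the ConfigMap such as `# Any edit to this policy must be paired with a new id in the _mta-sts TXT record or senders keep the old cached policy` would save the next editor a silently ignored update. Minor: the container is named `maddy` although it runs `static-file-server`.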
diff --git a/charts/maddy/values.yaml b/charts/maddy/values.yaml
new file mode 100644
index 0000000..984109e
--- /dev/null
+++ b/charts/maddy/values.yaml
@@ -0,0 +1,13 @@
+mailGateway:
+ mxHostname: mail.example.com
+ address: tcp://maddy.pcloud-mail-gateway.svc.cluster.local:587
+ingress:
+ private:
+ className: ingress-private
+ domain: p.example.com
+ public:
+ className: ingress-public
+ domain: example.com
+ certificateIssuer: issuer-public
+storage:
+ size: 1Gi
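Review bot: None of the keys are commented, and two of them carry security weight a deployer will not guess from the names: `mailGateway.address` is where all outbound mail and, because the config forwards submission credentials to the gateway, user passwords are sent, and its `tcp://` scheme leaves that link plaintext unless the gateway side is switched to `tls://`. Suggested comments: above `address`, `# Relay all outbound mail is forwarded to, together with the submitting user's credentials — prefer a tls:// endpoint`; above `mxHostname`, `# Public MX hostname published in the MTA-STS policy; it must serve STARTTLS with a valid certificate for this name`; above `private.domain`, `# Domain whose wildcard certificate also secures the submission and IMAP listeners`.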