mail-gateway
diff --git a/.gitignore b/.gitignore
index 09bf6c8..1f804df 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,4 @@
*.img
*.xz
kubeconfig
+cert-*
\ No newline at end of file
diff --git a/apps/maddy/auth/.gitignore b/apps/maddy/auth/.gitignore
new file mode 100644
index 0000000..cd8d050
--- /dev/null
+++ b/apps/maddy/auth/.gitignore
@@ -0,0 +1 @@
+auth-smtp
diff --git a/apps/maddy/auth/Dockerfile b/apps/maddy/auth/Dockerfile
new file mode 100644
index 0000000..3b1168d
--- /dev/null
+++ b/apps/maddy/auth/Dockerfile
@@ -0,0 +1,3 @@
+FROM giolekva/maddy:v0.4.4
+
+COPY auth-smtp /usr/bin/auth-smtp
diff --git a/apps/maddy/auth/Makefile b/apps/maddy/auth/Makefile
new file mode 100644
index 0000000..7bd9ea3
--- /dev/null
+++ b/apps/maddy/auth/Makefile
@@ -0,0 +1,17 @@
+clean:
+ rm -f auth-smtp
+
+build: clean
+ go build -o auth-smtp *.go
+
+image: build
+ docker build --tag=giolekva/maddy-auth-smtp:v0.4.4 . --platform=linux/arm64
+
+push: image
+ docker push giolekva/maddy-auth-smtp:v0.4.4
+
+push_arm64: export GOOS=linux
+push_arm64: export GOARCH=arm64
+push_arm64: export CGO_ENABLED=0
+push_arm64: export GO111MODULE=on
+push_arm64: push
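Review bot: `image` runs `docker build ... --platform=linux/arm64` on the binary that `build` produced with the host's GOOS/GOARCH; only the `push_arm64` target exports `GOOS=linux`, `GOARCH=arm64` and `CGO_ENABLED=0`, so `make image` on a non-arm64 host yields an image whose `/usr/bin/auth-smtp` cannot execute. Move the three `export` lines onto the `build` target (or to the top of the Makefile) so every path that reaches `go build` cross-compiles the same way.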
diff --git a/apps/maddy/auth/go.mod b/apps/maddy/auth/go.mod
new file mode 100644
index 0000000..820d651
--- /dev/null
+++ b/apps/maddy/auth/go.mod
@@ -0,0 +1,8 @@
+module github.com/giolekva/pcloud/apps/maddy/auth
+
+go 1.16
+
+require (
+ github.com/emersion/go-sasl v0.0.0-20211008083017-0b9dcfb154ac
+ github.com/emersion/go-smtp v0.15.0
+)
diff --git a/apps/maddy/auth/go.sum b/apps/maddy/auth/go.sum
new file mode 100644
index 0000000..7d3f0d2
--- /dev/null
+++ b/apps/maddy/auth/go.sum
@@ -0,0 +1,5 @@
+github.com/emersion/go-sasl v0.0.0-20200509203442-7bfe0ed36a21/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
+github.com/emersion/go-sasl v0.0.0-20211008083017-0b9dcfb154ac h1:tn/OQ2PmwQ0XFVgAHfjlLyqMewry25Rz7jWnVoh4Ggs=
+github.com/emersion/go-sasl v0.0.0-20211008083017-0b9dcfb154ac/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
+github.com/emersion/go-smtp v0.15.0 h1:3+hMGMGrqP/lqd7qoxZc1hTU8LY8gHV9RFGWlqSDmP8=
+github.com/emersion/go-smtp v0.15.0/go.mod h1:qm27SGYgoIPRot6ubfQ/GpiPy/g3PaZAVRxiO/sDUgQ=
diff --git a/apps/maddy/auth/main.go b/apps/maddy/auth/main.go
new file mode 100644
index 0000000..ab71fdb
--- /dev/null
+++ b/apps/maddy/auth/main.go
@@ -0,0 +1,55 @@
+package main
+
+import (
+ "bufio"
+ "crypto/tls"
+ "fmt"
+ "os"
+
+ "github.com/emersion/go-sasl"
+ "github.com/emersion/go-smtp"
+)
+
+var smtpServers = []string{
+ "maddy.app-maddy.svc.cluster.local:587",
+ "maddy.shveli-app-maddy.svc.cluster.local:587",
+}
+
+func auth(server, username, password string) (bool, error) {
+ c, err := smtp.Dial(server)
+ if err != nil {
+ return false, err
+ }
+ if err := c.StartTLS(&tls.Config{InsecureSkipVerify: true}); err != nil {
+ return false, err
+ }
+ if err := c.Auth(sasl.NewPlainClient(username, username, password)); err != nil {
+ return false, err
+ }
+ return true, nil
+}
+
+func main() {
+ inp := bufio.NewReader(os.Stdin)
+ username, err := inp.ReadString('\n')
+ if err != nil {
+ fmt.Fprintln(os.Stderr, "Could not read username")
+ os.Exit(2)
+ }
+ username = username[:len(username)-1]
+ password, err := inp.ReadString('\n')
+ if err != nil {
+ fmt.Fprintln(os.Stderr, "Could not read password")
+ os.Exit(2)
+ }
+ password = password[:len(password)-1]
+ for _, s := range smtpServers {
+ if ok, _ := auth(s, username, password); ok {
+ os.Exit(0)
+ // } else if err != nil {
+ // fmt.Println(os.Stderr, err.Error())
+ // os.Exit(2)
+ }
+ }
+ os.Exit(1)
+}
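Review bot: `auth` forwards the user's plaintext password upstream after `c.StartTLS(&tls.Config{InsecureSkipVerify: true})`, so the backend's certificate is never checked and anything able to intercept the in-cluster connection on 587 obtains the credential; change it to `c.StartTLS(&tls.Config{})` (go-smtp fills ServerName from the dialed host when it is empty, as far as I recall — confirm) and add a `RootCAs` pool if the backends' private-domain certificate is not signed by a CA in the image's trust store. The client is never closed on any path; add `defer c.Close()` right after the Dial error check. In `main`, `ok, _ := auth(s, username, password)` discards the error, so an unreachable backend ends in `os.Exit(1)`, which maddy's auth.external reads as invalid credentials rather than a helper failure, I believe; the commented-out branch shows the intent, so either restore it with `exit 2` or delete the dead comment.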
diff --git a/charts/maddy/templates/config.yaml b/charts/maddy/templates/config.yaml
index 9c14421..166adc3 100644
--- a/charts/maddy/templates/config.yaml
+++ b/charts/maddy/templates/config.yaml
@@ -5,39 +5,10 @@
namespace: {{ .Release.Namespace }}
data:
maddy.conf: |
- # ----
- ## Maddy Mail Server - default configuration file (2021-03-07)
- # Suitable for small-scale deployments. Uses its own format for local users DB,
- # should be managed via maddyctl utility.
- #
- # See tutorials at https://maddy.email for guidance on typical
- # configuration changes.
- #
- # See manual pages (also available at https://maddy.email) for reference
- # documentation.
-
- # ----------------------------------------------------------------------------
- # Base variables
-
$(hostname) = mail.{{ .Values.ingress.public.domain }}
$(primary_domain) = {{ .Values.ingress.public.domain }}
$(local_domains) = $(primary_domain)
-
- tls file /etc/maddy/certs/tls.crt /etc/maddy/certs/tls.key
-
- # ----------------------------------------------------------------------------
- # Local storage & authentication
-
- # pass_table provides local hashed passwords storage for authentication of
- # users. It can be configured to use any "table" module, in default
- # configuration a table in SQLite DB is used.
- # Table can be replaced to use e.g. a file for passwords. Or pass_table module
- # can be replaced altogether to use some external source of credentials (e.g.
- # PAM, /etc/shadow file).
- #
- # If table module supports it (sql_table does) - credentials can be managed
- # using 'maddyctl creds' command.
-
+
auth.pass_table local_authdb {
table sql_table {
driver sqlite3
@@ -45,59 +16,45 @@
table_name passwords
}
}
-
- # imapsql module stores all indexes and metadata necessary for IMAP using a
- # relational database. It is used by IMAP endpoint for mailbox access and
- # also by SMTP & Submission endpoints for delivery of local messages.
- #
- # IMAP accounts, mailboxes and all message metadata can be inspected using
- # imap-* subcommands of maddyctl utility.
-
+
storage.imapsql local_mailboxes {
driver sqlite3
dsn imapsql.db
}
-
- # ----------------------------------------------------------------------------
- # SMTP endpoints + message routing
-
+
hostname $(hostname)
-
+
msgpipeline local_routing {
- # Insert handling for special-purpose local domains here.
- # e.g.
- # destination lists.example.org {
- # deliver_to lmtp tcp://127.0.0.1:8024
- # }
-
destination postmaster $(local_domains) {
modify {
replace_rcpt regexp "(.+)\+(.+)@(.+)" "$1@$3"
replace_rcpt file /etc/maddy/aliases
}
-
+
deliver_to &local_mailboxes
}
-
+
default_destination {
reject 550 5.1.1 "User doesn't exist"
}
}
-
+
smtp tcp://0.0.0.0:25 {
+ tls off
+
limits {
# Up to 20 msgs/sec across max. 10 SMTP connections.
all rate 20 1s
all concurrency 10
}
-
+
dmarc yes
check {
require_mx_record
dkim
spf
}
-
+
source $(local_domains) {
reject 501 5.1.8 "Use Submission for outgoing SMTP"
}
@@ -110,23 +67,25 @@
}
}
}
-
+
submission tls://0.0.0.0:465 tcp://0.0.0.0:587 {
+ tls file /etc/maddy/certs-private/tls.crt /etc/maddy/certs-private/tls.key
+
limits {
# Up to 50 msgs/sec across any amount of SMTP connections.
all rate 50 1s
}
-
+
auth &local_authdb
-
+
source $(local_domains) {
destination postmaster $(local_domains) {
deliver_to &local_routing
}
default_destination {
- modify {
- dkim $(primary_domain) $(local_domains) default
- }
+ # modify {
+ # dkim $(primary_domain) $(local_domains) default
+ # }
deliver_to &remote_queue
}
}
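Review bot: The DKIM `modify` block is commented out rather than removed, which leaves a dead three-line comment inside the rendered maddy.conf; since signing now happens on the gateway (its submission pipeline carries `dkim $(primary_domain) $(local_domains) default`), delete the lines or replace them with a single `# outbound messages are DKIM-signed by the mail gateway`. The `submission` block starts inside this hunk but ends past it.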
@@ -135,29 +94,16 @@
}
}
- target.remote outbound_delivery {
- limits {
- # Up to 20 msgs/sec across max. 10 SMTP connections
- # for each recipient domain.
- destination rate 20 1s
- destination concurrency 10
- }
- mx_auth {
- dane
- mtasts {
- cache fs
- fs_dir mtasts_cache/
- }
- local_policy {
- min_tls_level encrypted
- min_mx_level none
- }
- }
+ target.smtp outbound_gateway {
+ hostname {{ .Values.mailGateway.mxHostname }}
+ attempt_starttls false
+ require_tls no
+ auth forward
+ targets {{ .Values.mailGateway.address}}
}
-
+
target.queue remote_queue {
- target &outbound_delivery
-
+ target &outbound_gateway
autogenerated_msg_domain $(primary_domain)
bounce {
destination postmaster $(local_domains) {
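Review bot: `auth forward` in the new `target.smtp outbound_gateway` re-sends the authenticated user's credentials to the gateway, but `attempt_starttls false` and `require_tls no` on the lines just above it, together with the `tcp://...:587` address in values.yaml, make that hop plaintext across namespaces. The gateway's 587 listener sits under a global `tls file` with its MX certificate, so `attempt_starttls yes` and `require_tls yes` should work here — confirm the issuing CA is trusted inside the maddy image. `{{ .Values.mailGateway.address}}` is also missing the space before `}}`, which Helm tolerates but is inconsistent with the other templates. The `target.queue remote_queue` block continues past the end of this hunk.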
@@ -168,11 +114,9 @@
}
}
}
-
- # ----------------------------------------------------------------------------
- # IMAP endpoints
-
+
imap tls://0.0.0.0:993 tcp://0.0.0.0:143 {
+ tls file /etc/maddy/certs-private/tls.crt /etc/maddy/certs-private/tls.key
auth &local_authdb
storage &local_mailboxes
}
diff --git a/charts/maddy/templates/install.yaml b/charts/maddy/templates/install.yaml
index 1ecc7a9..dad1fa7 100644
--- a/charts/maddy/templates/install.yaml
+++ b/charts/maddy/templates/install.yaml
@@ -103,6 +103,8 @@
metadata:
labels:
app: maddy
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
spec:
volumes:
- name: config
@@ -111,6 +113,9 @@
- name: certs
secret:
secretName: cert-mail.{{ .Values.ingress.public.domain}}
+ - name: certs-private
+ secret:
+ secretName: cert-wildcard.{{ .Values.ingress.private.domain}}
- name: data
persistentVolumeClaim:
claimName: data
@@ -141,10 +146,13 @@
volumeMounts:
- name: config
mountPath: /etc/maddy/config
- - name: certs
- mountPath: /etc/maddy/certs
+ readOnly: true
+ - name: certs-private
+ mountPath: /etc/maddy/certs-private
+ readOnly: true
- name: data
mountPath: /var/lib/maddy
+ readOnly: false
- name: web
image: giolekva/maddy-web:latest
imagePullPolicy: Always
@@ -160,10 +168,13 @@
volumeMounts:
- name: config
mountPath: /etc/maddy/config
+ readOnly: true
- name: certs
mountPath: /etc/maddy/certs
+ readOnly: true
- name: data
mountPath: /var/lib/maddy
+ readOnly: false
---
apiVersion: v1
kind: ConfigMap
@@ -175,7 +186,7 @@
version: STSv1
mode: enforce
max_age: 604800
- mx: mail.{{ .Values.ingress.public.domain }}
+ mx: {{ .Values.mailGateway.mxHostname }}
---
apiVersion: apps/v1
kind: Deployment
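Review bot: Changing `mx:` in a `mode: enforce` policy with `max_age: 604800` only reaches senders once the `_mta-sts.<domain>` TXT record's `id` is bumped; until then remote MTAs holding the cached policy keep treating `mail.{{ .Values.ingress.public.domain }}` as the only permitted MX and, once DNS MX points at the gateway, refuse delivery for up to seven days. That DNS change is outside this diff, so record it next to the policy, e.g. `# bump the _mta-sts TXT id whenever mx: changes`. The gateway host must also present a certificate valid for `mailGateway.mxHostname` (the gateway chart mounts `cert-mx1.lekva.me`), otherwise enforce mode fails the same way.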
diff --git a/charts/maddy/templates/mta-sts.yaml b/charts/maddy/templates/mta-sts.yaml
new file mode 100644
index 0000000..bad3794
--- /dev/null
+++ b/charts/maddy/templates/mta-sts.yaml
@@ -0,0 +1,101 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mta-sts
+ namespace: {{ .Release.Namespace }}
+data:
+ mta-sts.txt: |
+ version: STSv1
+ mode: enforce
+ max_age: 604800
+ mx: {{ .Values.mailGateway.mxHostname}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mta-sts.{{ .Values.ingress.public.domain }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/resource-policy": keep
+spec:
+ dnsNames:
+ - 'mta-sts.{{ .Values.ingress.public.domain }}'
+ issuerRef:
+ name: {{ .Values.ingress.public.certificateIssuer }}
+ kind: ClusterIssuer
+ secretName: cert-mta-sts.{{ .Values.ingress.public.domain }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: mta-sts
+ namespace: {{ .Release.Namespace }}
+spec:
+ ingressClassName: {{ .Values.ingress.public.className }}
+ tls:
+ - hosts:
+ - mta-sts.{{ .Values.ingress.public.domain }}
+ secretName: cert-mta-sts.{{ .Values.ingress.public.domain }}
+ rules:
+ - host: mta-sts.{{ .Values.ingress.public.domain }}
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: mta-sts
+ port:
+ name: http
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: mta-sts
+ namespace: {{ .Release.Namespace }}
+spec:
+ type: ClusterIP
+ selector:
+ app: mta-sts
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+ protocol: TCP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mta-sts
+ namespace: {{ .Release.Namespace }}
+spec:
+ selector:
+ matchLabels:
+ app: mta-sts
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: mta-sts
+ spec:
+ volumes:
+ - name: mta-sts
+ configMap:
+ name: mta-sts
+ containers:
+ - name: maddy
+ image: giolekva/static-file-server:latest
+ imagePullPolicy: Always
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ command:
+ - static-file-server
+ - --port=80
+ - --dir=/etc/static-file-server/data
+ volumeMounts:
+ - name: mta-sts
+ mountPath: /etc/static-file-server/data/.well-known
+ readOnly: true
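Review bot: install.yaml already renders an MTA-STS policy ConfigMap (the hunk updating its `mx:` is in this same commit), so this template appears to publish the same policy a second time; if both resources are named `mta-sts` in the release namespace the install fails on the duplicate, and if not, one of them is dead — verify and keep a single source. The static-file container in the Deployment is named `maddy` although it runs `static-file-server`; rename it (`- name: mta-sts`) so logs and exec targets are unambiguous. The Deployment also has no `resources` or `securityContext`, which is worth adding for an internet-facing pod even though it serves a single static file.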
diff --git a/charts/maddy/values.yaml b/charts/maddy/values.yaml
index 815ca99..984109e 100644
--- a/charts/maddy/values.yaml
+++ b/charts/maddy/values.yaml
@@ -1,3 +1,6 @@
+mailGateway:
+ mxHostname: mail.example.com
+ address: tcp://maddy.pcloud-mail-gateway.svc.cluster.local:587
ingress:
private:
className: ingress-private
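Review bot: `mxHostname: mail.example.com` is a live default rather than a placeholder that fails loudly: a release installed without overriding `mailGateway` renders a `mode: enforce` MTA-STS policy naming a host the operator does not control, which makes remote MTAs refuse delivery. Prefer leaving both keys empty and guarding them in the templates with `{{ required "mailGateway.mxHostname is required" .Values.mailGateway.mxHostname }}`, or document that they must be set per environment.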
diff --git a/charts/mail-gateway/.helmignore b/charts/mail-gateway/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/mail-gateway/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/mail-gateway/Chart.yaml b/charts/mail-gateway/Chart.yaml
new file mode 100644
index 0000000..8a533ea
--- /dev/null
+++ b/charts/mail-gateway/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: mail-gateway
+description: A Helm chart for Email gateway running on PCloud
+type: application
+version: 0.0.1
+appVersion: "0.0.1"
diff --git a/charts/mail-gateway/templates/maddy.yaml b/charts/mail-gateway/templates/maddy.yaml
new file mode 100644
index 0000000..16ebdfb
--- /dev/null
+++ b/charts/mail-gateway/templates/maddy.yaml
@@ -0,0 +1,243 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: maddy
+ namespace: {{ .Release.Namespace }}
+data:
+ maddy.conf: |
+ $(hostname) = mx1.lekva.me
+ $(primary_domain) = lekva.me
+ $(local_domains) = lekva.me shve.li
+
+ tls file /etc/maddy/certs/tls.crt /etc/maddy/certs/tls.key
+
+ auth.external authsmtp {
+ helper /usr/bin/auth-smtp
+ perdomain yes
+ domains $(local_domains)
+ }
+
+ hostname $(hostname)
+
+ msgpipeline local_routing {
+ destination lekva.me {
+ deliver_to &lekvame
+ }
+ destination shve.li {
+ deliver_to &shveli
+ }
+ default_destination {
+ reject 550 5.1.1 "User doesn't exist"
+ }
+ }
+
+ smtp tcp://0.0.0.0:25 {
+ io_debug true
+ debug true
+
+ insecure_auth no
+
+ defer_sender_reject yes
+
+ limits {
+ # Up to 20 msgs/sec across max. 10 SMTP connections.
+ all rate 20 1s
+ all concurrency 10
+ }
+
+ dmarc yes
+ check {
+ require_mx_record
+ dkim
+ spf
+ }
+
+ source $(local_domains) {
+ reject 501 5.1.8 "Use Submission for outgoing SMTP"
+ }
+ default_source {
+ destination $(local_domains) {
+ deliver_to &local_routing
+ }
+ default_destination {
+ reject 550 5.1.1 "User doesn't exist"
+ }
+ }
+ }
+
+ submission tls://0.0.0.0:465 tcp://0.0.0.0:587 {
+ io_debug true
+ debug true
+
+ auth &authsmtp
+ insecure_auth yes
+
+ defer_sender_reject yes
+
+ source $(local_domains) {
+ destination $(local_domains) {
+ deliver_to &local_routing
+ }
+ default_destination {
+ modify {
+ dkim $(primary_domain) $(local_domains) default
+ }
+ deliver_to &remote_queue
+ }
+ }
+ default_source {
+ reject 501 5.1.8 "Non-local sender domain"
+ }
+ }
+
+ target.smtp lekvame {
+ debug true
+ hostname mx1.lekva.me
+ attempt_starttls false
+ require_tls no
+ auth off
+ targets tcp://maddy.app-maddy.svc.cluster.local:25
+ }
+
+ target.smtp shveli {
+ debug true
+ hostname mail.shve.li
+ attempt_starttls false
+ require_tls no
+ auth off
+ targets tcp://maddy.shveli-app-maddy.svc.cluster.local:25
+ }
+
+ target.queue remote_queue {
+ target &outbound_delivery
+
+ autogenerated_msg_domain $(primary_domain)
+ bounce {
+ destination postmaster $(local_domains) {
+ deliver_to &local_routing
+ }
+ default_destination {
+ reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
+ }
+ }
+ }
+
+ target.remote outbound_delivery {
+ limits {
+ # Up to 20 msgs/sec across max. 10 SMTP connections
+ # for each recipient domain.
+ destination rate 20 1s
+ destination concurrency 10
+ }
+ mx_auth {
+ dane
+ mtasts {
+ cache fs
+ fs_dir mtasts_cache/
+ }
+ local_policy {
+ min_tls_level encrypted
+ min_mx_level none
+ }
+ }
+ }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: maddy
+ namespace: {{ .Release.Namespace }}
+spec:
+ selector:
+ matchLabels:
+ app: maddy
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: maddy
+ spec:
+ # hostAliases:
+ # - ip: "10.43.66.220"
+ # hostnames:
+ # - "mx1.lekva.me"
+ volumes:
+ - name: config
+ configMap:
+ name: maddy
+ - name: certs
+ secret:
+ secretName: cert-mx1.lekva.me
+ - name: data
+ persistentVolumeClaim:
+ claimName: data
+ containers:
+ - name: maddy
+ image: giolekva/maddy-auth-smtp:v0.4.4
+ imagePullPolicy: Always
+ ports:
+ - name: imap
+ containerPort: 143
+ protocol: TCP
+ - name: imaps
+ containerPort: 993
+ protocol: TCP
+ - name: smtp
+ containerPort: 25
+ protocol: TCP
+ - name: smtps
+ containerPort: 465
+ protocol: TCP
+ - name: submission
+ containerPort: 587
+ protocol: TCP
+ command:
+ - maddy
+ - -config
+ - /etc/maddy/config/maddy.conf
+ volumeMounts:
+ - name: config
+ mountPath: /etc/maddy/config
+ - name: certs
+ mountPath: /etc/maddy/certs
+ - name: data
+ mountPath: /var/lib/maddy
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: maddy
+ namespace: {{ .Release.Namespace }}
+spec:
+ type: LoadBalancer
+ externalTrafficPolicy: Local
+ selector:
+ app: maddy
+ ports:
+ - name: imap
+ port: 143
+ protocol: TCP
+ - name: imaps
+ port: 993
+ protocol: TCP
+ - name: smtp
+ port: 25
+ protocol: TCP
+ - name: smtps
+ port: 465
+ protocol: TCP
+ - name: submission
+ port: 587
+ protocol: TCP
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: data
+ namespace: {{ .Release.Namespace }}
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 100Gi
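Review bot: `io_debug true` and `debug true` on both the `smtp` and `submission` endpoints log the raw protocol exchange to the pod's stdout, which for submission includes the base64 `AUTH PLAIN` credentials that the tenants' `auth forward` relays and full message bodies; drop them or gate them on a chart value before this serves real mail. `insecure_auth yes` on `submission` lets clients authenticate before STARTTLS on the tcp 587 listener, and its only intended client (each tenant's `target.smtp outbound_gateway`) is configured with `attempt_starttls false`, so credentials cross the cluster network in plaintext — the global `tls file` is already present, so `insecure_auth no` plus STARTTLS on the tenant side is the safer pairing. The submission `source $(local_domains)` block accepts any sender in either domain from any authenticated user and then DKIM-signs for both, so a user of one tenant can send as an address of the other; maddy's `authorize_sender` check, if available in this version, ties MAIL FROM to the authenticated identity. Finally, `mx1.lekva.me`, `lekva.me`/`shve.li`, the backend service names and `cert-mx1.lekva.me` are hard-coded in a chart whose values.yaml is empty; templating them like the maddy chart's `mailGateway` values would keep the two charts consistent.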
diff --git a/charts/mail-gateway/values.yaml b/charts/mail-gateway/values.yaml
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/charts/mail-gateway/values.yaml
diff --git a/helmfile/users/helmfile.yaml b/helmfile/users/helmfile.yaml
index 436a7b6..4902095 100644
--- a/helmfile/users/helmfile.yaml
+++ b/helmfile/users/helmfile.yaml
@@ -27,7 +27,7 @@
namespace: {{ .Values.id }}-ingress-private
createNamespace: true
values:
- - fullnameOverride: nginx
+ - fullnameOverride: {{ .Values.id }}-nginx-private
- controller:
service:
type: ClusterIP
@@ -70,10 +70,14 @@
config:
bind-address: 111.0.0.1
proxy-body-size: 0
- udp:
- - 53: {{ .Values.id }}-app-pihole/pihole-dns-udp:53
- tcp:
- - 53: {{ .Values.id }}-app-pihole/pihole-dns-tcp:53
+ - udp:
+ 53: "{{ .Values.id }}-app-pihole/pihole-dns-udp:53"
+ - tcp:
+ 53: "{{ .Values.id }}-app-pihole/pihole-dns-tcp:53"
+ 143: "{{ .Values.id }}-app-maddy/maddy:143"
+ 465: "{{ .Values.id }}-app-maddy/maddy:465"
+ 587: "{{ .Values.id }}-app-maddy/maddy:587"
+ 993: "{{ .Values.id }}-app-maddy/maddy:993"
- name: certificate-issuer
chart: ../../charts/certificate-issuer
namespace: {{ .Values.id }}-ingress-private
@@ -538,6 +542,9 @@
certificateIssuer: {{ .Values.id }}-public
- storage:
size: 10Gi
+ - mailGateway:
+ mxHostname: {{ .Values.mxHostname}}
+ address: {{ .Values.mailGatewayAddress }}
environments:
shveli:
@@ -548,3 +555,5 @@
- domain: shve.li
- contactEmail: giolekva@gmail.com
- certManagerNamespace: cert-manager
+ - mxHostname: mx1.lekva.me
+ - mailGatewayAddress: "tcp://maddy.pcloud-mail-gateway.svc.cluster.local:587"
diff --git a/scripts/homelab/installer/ingress-nginx.sh b/scripts/homelab/installer/ingress-nginx.sh
index 98ba8f6..05f131a 100644
--- a/scripts/homelab/installer/ingress-nginx.sh
+++ b/scripts/homelab/installer/ingress-nginx.sh
@@ -1,23 +1,18 @@
#!/bin/sh
-# helm upgrade --create-namespace \
-# --namespace ingress-nginx \
-# nginx ingress-nginx/ingress-nginx \
-# --version 4.0.3 \
-# --set fullnameOverride=nginx \
-# --set controller.service.type=LoadBalancer \
-# --set controller.ingressClassByName=true \
-# --set controller.ingressClassResource.name=nginx \
-# --set controller.ingressClassResource.enabled=true \
-# --set controller.ingressClassResource.default=true \
-# --set controller.ingressClassResource.controllerValue="k8s.io/ingress-nginx" \
-# --set controller.extraArgs.default-ssl-certificate=ingress-nginx/cert-wildcard.lekva.me \
-# --set controller.config.proxy-body-size="100M" \
-# --set tcp.25="app-maddy/maddy:25" \
-# --set tcp.143="app-maddy/maddy:143" \
-# --set tcp.993="app-maddy/maddy:993" \
-# --set tcp.587="app-maddy/maddy:587" \
-# --set tcp.465="app-maddy/maddy:465"
+helm upgrade --create-namespace \
+ --namespace ingress-nginx \
+ nginx ingress-nginx/ingress-nginx \
+ --version 4.0.3 \
+ --set fullnameOverride=nginx \
+ --set controller.service.type=LoadBalancer \
+ --set controller.ingressClassByName=true \
+ --set controller.ingressClassResource.name=nginx \
+ --set controller.ingressClassResource.enabled=true \
+ --set controller.ingressClassResource.default=true \
+ --set controller.ingressClassResource.controllerValue="k8s.io/ingress-nginx" \
+ --set controller.extraArgs.default-ssl-certificate=ingress-nginx/cert-wildcard.lekva.me \
+ --set controller.config.proxy-body-size="100M"
# kubectl create configmap \
# -n ingress-nginx-private \
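Review bot: The script now toggles which `helm upgrade` is live by commenting one block and uncommenting the other (this hunk and the next), and the private-ingress command it comments out duplicates the values that helmfile/users/helmfile.yaml carries in the same commit; two copies of one release configuration will drift, so either delete the commented block or replace it with a one-line pointer such as `# private ingress is managed by helmfile/users/helmfile.yaml`. The public command also drops the `tcp.25`/`tcp.143`/`tcp.993`/`tcp.587`/`tcp.465` mappings, which matches the gateway now owning inbound SMTP; a comment saying so would help the next reader.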
@@ -33,39 +28,43 @@
# kubectl apply -f installer/lighthouse-node.yaml
-helm upgrade --create-namespace \
- --namespace ingress-nginx-private \
- nginx ingress-nginx/ingress-nginx \
- --version 4.0.3 \
- --set fullnameOverride=nginx-private \
- --set controller.service.type=ClusterIP \
- --set controller.ingressClassByName=true \
- --set controller.ingressClassResource.name=nginx-private \
- --set controller.ingressClassResource.enabled=true \
- --set controller.ingressClassResource.default=false \
- --set controller.ingressClassResource.controllerValue="k8s.io/ingress-nginx-private" \
- --set controller.extraVolumes[0].name="lighthouse-cert" \
- --set controller.extraVolumes[0].secret.secretName="node-lighthouse-cert" \
- --set controller.extraVolumes[1].name=config \
- --set controller.extraVolumes[1].configMap.name=lighthouse-config \
- --set controller.extraContainers[0].name=lighthouse \
- --set controller.extraContainers[0].image=giolekva/nebula:latest \
- --set controller.extraContainers[0].imagePullPolicy=IfNotPresent \
- --set controller.extraContainers[0].securityContext.capabilities.add[0]=NET_ADMIN \
- --set controller.extraContainers[0].securityContext.privileged=true \
- --set controller.extraContainers[0].ports[0].name=nebula \
- --set controller.extraContainers[0].ports[0].containerPort=4242 \
- --set controller.extraContainers[0].ports[0].protocol=UDP \
- --set controller.extraContainers[0].command[0]="nebula" \
- --set controller.extraContainers[0].command[1]="--config=/etc/nebula/config/lighthouse.yaml" \
- --set controller.extraContainers[0].volumeMounts[0].name=lighthouse-cert \
- --set controller.extraContainers[0].volumeMounts[0].mountPath=/etc/nebula/lighthouse \
- --set controller.extraContainers[0].volumeMounts[1].name=config \
- --set controller.extraContainers[0].volumeMounts[1].mountPath=/etc/nebula/config \
- --set controller.config.bind-address="111.0.0.1" \
- --set controller.config.proxy-body-size="0" \
- --set udp.53="app-pihole/pihole-dns-udp:53" \
- --set tcp.53="app-pihole/pihole-dns-tcp:53"
+# helm upgrade --create-namespace \
+# --namespace ingress-nginx-private \
+# nginx ingress-nginx/ingress-nginx \
+# --version 4.0.3 \
+# --set fullnameOverride=nginx-private \
+# --set controller.service.type=ClusterIP \
+# --set controller.ingressClassByName=true \
+# --set controller.ingressClassResource.name=nginx-private \
+# --set controller.ingressClassResource.enabled=true \
+# --set controller.ingressClassResource.default=false \
+# --set controller.ingressClassResource.controllerValue="k8s.io/ingress-nginx-private" \
+# --set controller.extraVolumes[0].name="lighthouse-cert" \
+# --set controller.extraVolumes[0].secret.secretName="node-lighthouse-cert" \
+# --set controller.extraVolumes[1].name=config \
+# --set controller.extraVolumes[1].configMap.name=lighthouse-config \
+# --set controller.extraContainers[0].name=lighthouse \
+# --set controller.extraContainers[0].image=giolekva/nebula:latest \
+# --set controller.extraContainers[0].imagePullPolicy=IfNotPresent \
+# --set controller.extraContainers[0].securityContext.capabilities.add[0]=NET_ADMIN \
+# --set controller.extraContainers[0].securityContext.privileged=true \
+# --set controller.extraContainers[0].ports[0].name=nebula \
+# --set controller.extraContainers[0].ports[0].containerPort=4242 \
+# --set controller.extraContainers[0].ports[0].protocol=UDP \
+# --set controller.extraContainers[0].command[0]="nebula" \
+# --set controller.extraContainers[0].command[1]="--config=/etc/nebula/config/lighthouse.yaml" \
+# --set controller.extraContainers[0].volumeMounts[0].name=lighthouse-cert \
+# --set controller.extraContainers[0].volumeMounts[0].mountPath=/etc/nebula/lighthouse \
+# --set controller.extraContainers[0].volumeMounts[1].name=config \
+# --set controller.extraContainers[0].volumeMounts[1].mountPath=/etc/nebula/config \
+# --set controller.config.bind-address="111.0.0.1" \
+# --set controller.config.proxy-body-size="0" \
+# --set udp.53="app-pihole/pihole-dns-udp:53" \
+# --set tcp.53="app-pihole/pihole-dns-tcp:53" \
+# --set tcp.143="app-maddy/maddy:143" \
+# --set tcp.465="app-maddy/maddy:465" \
+# --set tcp.587="app-maddy/maddy:587" \
+# --set tcp.993="app-maddy/maddy:993"
# # --set controller.extraVolumes[1].name=ca-cert \
# # --set controller.extraVolumes[1].configMap.name=ca-cert \