Installer: maddy
diff --git a/charts/maddy/.helmignore b/charts/maddy/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/charts/maddy/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/maddy/Chart.yaml b/charts/maddy/Chart.yaml
new file mode 100644
index 0000000..8476282
--- /dev/null
+++ b/charts/maddy/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: maddy
+description: A Helm chart for Maddy email server running on PCloud
+type: application
+version: 0.0.1
+appVersion: "0.0.1"
diff --git a/charts/maddy/templates/config.yaml b/charts/maddy/templates/config.yaml
new file mode 100644
index 0000000..9c14421
--- /dev/null
+++ b/charts/maddy/templates/config.yaml
@@ -0,0 +1,178 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config
+  namespace: {{ .Release.Namespace }}
+data:
+  maddy.conf: |
+    # ----
+    ## Maddy Mail Server - default configuration file (2021-03-07)
+    # Suitable for small-scale deployments. Uses its own format for local users DB,
+    # should be managed via maddyctl utility.
+    #
+    # See tutorials at https://maddy.email for guidance on typical
+    # configuration changes.
+    #
+    # See manual pages (also available at https://maddy.email) for reference
+    # documentation.
+
+    # ----------------------------------------------------------------------------
+    # Base variables
+
+    $(hostname) = mail.{{ .Values.ingress.public.domain }}
+    $(primary_domain) = {{ .Values.ingress.public.domain }}
+    $(local_domains) = $(primary_domain)
+    
+    tls file /etc/maddy/certs/tls.crt /etc/maddy/certs/tls.key
+    
+    # ----------------------------------------------------------------------------
+    # Local storage & authentication
+    
+    # pass_table provides local hashed passwords storage for authentication of
+    # users. It can be configured to use any "table" module, in default
+    # configuration a table in SQLite DB is used.
+    # Table can be replaced to use e.g. a file for passwords. Or pass_table module
+    # can be replaced altogether to use some external source of credentials (e.g.
+    # PAM, /etc/shadow file).
+    #
+    # If table module supports it (sql_table does) - credentials can be managed
+    # using 'maddyctl creds' command.
+    
+    auth.pass_table local_authdb {
+        table sql_table {
+            driver sqlite3
+            dsn credentials.db
+            table_name passwords
+        }
+    }
+    
+    # imapsql module stores all indexes and metadata necessary for IMAP using a
+    # relational database. It is used by IMAP endpoint for mailbox access and
+    # also by SMTP & Submission endpoints for delivery of local messages.
+    #
+    # IMAP accounts, mailboxes and all message metadata can be inspected using
+    # imap-* subcommands of maddyctl utility.
+    
+    storage.imapsql local_mailboxes {
+        driver sqlite3
+        dsn imapsql.db
+    }
+    
+    # ----------------------------------------------------------------------------
+    # SMTP endpoints + message routing
+    
+    hostname $(hostname)
+    
+    msgpipeline local_routing {
+        # Insert handling for special-purpose local domains here.
+        # e.g.
+        # destination lists.example.org {
+        #     deliver_to lmtp tcp://127.0.0.1:8024
+        # }
+    
+        destination postmaster $(local_domains) {
+            modify {
+                replace_rcpt regexp "(.+)\+(.+)@(.+)" "$1@$3"
+                replace_rcpt file /etc/maddy/aliases
+            }
+    
+            deliver_to &local_mailboxes
+        }
+    
+        default_destination {
+            reject 550 5.1.1 "User doesn't exist"
+        }
+    }
+    
+    smtp tcp://0.0.0.0:25 {
+        limits {
+            # Up to 20 msgs/sec across max. 10 SMTP connections.
+            all rate 20 1s
+            all concurrency 10
+        }
+    
+        dmarc yes
+        check {
+            require_mx_record
+            dkim
+            spf
+        }
+    
+        source $(local_domains) {
+            reject 501 5.1.8 "Use Submission for outgoing SMTP"
+        }
+        default_source {
+            destination postmaster $(local_domains) {
+                deliver_to &local_routing
+            }
+            default_destination {
+                reject 550 5.1.1 "User doesn't exist"
+            }
+        }
+    }
+    
+    submission tls://0.0.0.0:465 tcp://0.0.0.0:587 {
+        limits {
+            # Up to 50 msgs/sec across any amount of SMTP connections.
+            all rate 50 1s
+        }
+    
+        auth &local_authdb
+    
+        source $(local_domains) {
+            destination postmaster $(local_domains) {
+                deliver_to &local_routing
+            }
+            default_destination {
+                modify {
+                    dkim $(primary_domain) $(local_domains) default
+                }
+                deliver_to &remote_queue
+            }
+        }
+        default_source {
+            reject 501 5.1.8 "Non-local sender domain"
+        }
+    }
+
+    target.remote outbound_delivery {
+        limits {
+            # Up to 20 msgs/sec across max. 10 SMTP connections
+            # for each recipient domain.
+            destination rate 20 1s
+            destination concurrency 10
+        }
+        mx_auth {
+            dane
+            mtasts {
+                cache fs
+                fs_dir mtasts_cache/
+            }
+            local_policy {
+                min_tls_level encrypted
+                min_mx_level none
+            }
+        }
+    }
+    
+    target.queue remote_queue {
+        target &outbound_delivery
+    
+        autogenerated_msg_domain $(primary_domain)
+        bounce {
+            destination postmaster $(local_domains) {
+                deliver_to &local_routing
+            }
+            default_destination {
+                reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
+            }
+        }
+    }
+    
+    # ----------------------------------------------------------------------------
+    # IMAP endpoints
+    
+    imap tls://0.0.0.0:993 tcp://0.0.0.0:143 {
+        auth &local_authdb
+        storage &local_mailboxes
+    }
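Review bot: `replace_rcpt file /etc/maddy/aliases` inside `local_routing` references a path that no volume in the accompanying Deployment provides (the ConfigMap is mounted at `/etc/maddy/config`, the certificate secret at `/etc/maddy/certs`, state at `/var/lib/maddy`), so the alias table will be empty or, depending on how maddy handles a missing file, the server may refuse to start; either add an `aliases` key to this ConfigMap and point the line at `/etc/maddy/config/aliases`, or drop the `replace_rcpt file` line. Several blank lines inside the `maddy.conf` block scalar carry trailing spaces (for example the line after `$(local_domains) = $(primary_domain)`), which become part of the rendered value — harmless to maddy but flagged by yamllint and easy to strip. The ConfigMap is named bare `config`, which collides with any other chart in the same namespace using the same name; a release-scoped `name: {{ .Release.Name }}-config` (with the matching `configMap.name` in the Deployment volume) avoids that.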
diff --git a/charts/maddy/templates/install.yaml b/charts/maddy/templates/install.yaml
new file mode 100644
index 0000000..1ecc7a9
--- /dev/null
+++ b/charts/maddy/templates/install.yaml
@@ -0,0 +1,267 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: maddy
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP
+  selector:
+    app: maddy
+  ports:
+    - name: imap
+      port: 143
+      protocol: TCP
+    - name: imaps
+      port: 993
+      protocol: TCP
+    - name: smtp
+      port: 25
+      protocol: TCP
+    - name: smtps
+      port: 465
+      protocol: TCP
+    - name: submission
+      port: 587
+      protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: manage
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP
+  selector:
+    app: maddy
+  ports:
+  - name: http
+    port: 80
+    targetPort: http
+    protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: manage
+  namespace: {{ .Release.Namespace }}
+spec:
+  ingressClassName: {{ .Values.ingress.private.className }}
+  tls:
+  - hosts:
+    - mail.{{ .Values.ingress.private.domain }}
+    secretName: cert-mail.{{ .Values.ingress.private.domain }}
+  rules:
+  - host: mail.{{ .Values.ingress.private.domain }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: manage
+            port:
+              name: http
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mail.{{ .Values.ingress.public.domain }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/resource-policy": keep
+spec:
+  dnsNames:
+  - 'mail.{{ .Values.ingress.public.domain }}'
+  issuerRef:
+    name: {{ .Values.ingress.public.certificateIssuer }}
+    kind: ClusterIssuer
+  secretName: cert-mail.{{ .Values.ingress.public.domain }}
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: data
+  namespace: {{ .Release.Namespace }}
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.storage.size }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: maddy
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      app: maddy
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: maddy
+    spec:
+      volumes:
+      - name: config
+        configMap:
+          name: config
+      - name: certs
+        secret:
+          secretName: cert-mail.{{ .Values.ingress.public.domain}}
+      - name: data
+        persistentVolumeClaim:
+          claimName: data
+      containers:
+      - name: maddy
+        image: giolekva/maddy:v0.4.4
+        imagePullPolicy: Always
+        ports:
+        - name: imap
+          containerPort: 143
+          protocol: TCP
+        - name: imaps
+          containerPort: 993
+          protocol: TCP
+        - name: smtp
+          containerPort: 25
+          protocol: TCP
+        - name: smtps
+          containerPort: 465
+          protocol: TCP
+        - name: submission
+          containerPort: 587
+          protocol: TCP
+        command:
+        - maddy
+        - -config
+        - /etc/maddy/config/maddy.conf
+        volumeMounts:
+        - name: config
+          mountPath: /etc/maddy/config
+        - name: certs
+          mountPath: /etc/maddy/certs
+        - name: data
+          mountPath: /var/lib/maddy
+      - name: web
+        image: giolekva/maddy-web:latest
+        imagePullPolicy: Always
+        ports:
+        - name: http
+          containerPort: 80
+          protocol: TCP
+        command:
+        - maddy-web
+        - --port=80
+        - --maddy-config=/etc/maddy/config/maddy.conf
+        - --export-dkim=/var/lib/maddy/dkim_keys/{{ .Values.ingress.public.domain }}_default.dns
+        volumeMounts:
+        - name: config
+          mountPath: /etc/maddy/config
+        - name: certs
+          mountPath: /etc/maddy/certs
+        - name: data
+          mountPath: /var/lib/maddy
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: mta-sts
+  namespace: {{ .Release.Namespace }}
+data:
+  mta-sts.txt: |
+    version: STSv1
+    mode: enforce
+    max_age: 604800
+    mx: mail.{{ .Values.ingress.public.domain }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mta-sts
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      app: mta-sts
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: mta-sts
+    spec:
+      volumes:
+      - name: mta-sts
+        configMap:
+          name: mta-sts
+      containers:
+      - name: maddy
+        image: giolekva/static-file-server:latest
+        imagePullPolicy: Always
+        ports:
+        - name: http
+          containerPort: 80
+          protocol: TCP
+        command:
+        - static-file-server
+        - --port=80
+        - --dir=/etc/static-file-server/data
+        volumeMounts:
+        - name: mta-sts
+          mountPath: /etc/static-file-server/data/.well-known
+          readOnly: true
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mta-sts
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP
+  selector:
+    app: mta-sts
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
+      protocol: TCP
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: mta-sts.{{ .Values.ingress.public.domain }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/resource-policy": keep
+spec:
+  dnsNames:
+  - 'mta-sts.{{ .Values.ingress.public.domain }}'
+  issuerRef:
+    name: {{ .Values.ingress.public.certificateIssuer }}
+    kind: ClusterIssuer
+  secretName: cert-mta-sts.{{ .Values.ingress.public.domain }}
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mta-sts
+  namespace: {{ .Release.Namespace }}
+spec:
+  ingressClassName: {{ .Values.ingress.public.className }}
+  tls:
+  - hosts:
+    - mta-sts.{{ .Values.ingress.public.domain }}
+    secretName: cert-mta-sts.{{ .Values.ingress.public.domain }}
+  rules:
+  - host: mta-sts.{{ .Values.ingress.public.domain }}
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: mta-sts
+            port:
+              name: http
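Review bot: The `maddy` Deployment keeps the default RollingUpdate strategy while binding a ReadWriteOnce PVC that holds SQLite databases, so an upgrade can either stall on volume attachment or briefly run two maddy instances against the same `credentials.db`/`imapsql.db`; add `strategy:` / `  type: Recreate` under its `spec`. The `web` sidecar mounts the `certs` secret (the TLS private key) and the whole `data` PVC read-write although its command line only references the config file and the DKIM export path, so drop the `certs` mount unless maddy-web actually reads it, and set `readOnly: true` on any mount the tool does not write. All three container images use mutable tags (`v0.4.4`, `latest`, `latest`) with `imagePullPolicy: Always`, which makes every pod restart a potential silent upgrade; pin by digest or at least by an immutable tag. The container in the `mta-sts` Deployment is named `maddy` but runs `static-file-server`; renaming it avoids confusion in logs and `kubectl exec`.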
diff --git a/charts/maddy/values.yaml b/charts/maddy/values.yaml
new file mode 100644
index 0000000..815ca99
--- /dev/null
+++ b/charts/maddy/values.yaml
@@ -0,0 +1,10 @@
+ingress:
+  private:
+    className: ingress-private
+    domain: p.example.com
+  public:
+    className: ingress-public
+    domain: example.com
+    certificateIssuer: issuer-public
+storage:
+  size: 1Gi