viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add missing mailserver terraform items

Browse source
This commit is contained in:
viktorbarzin 2021-02-18 22:26:36 +00:00
parent 3a37fc181d
commit b0f4616689
6 changed files with 339 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

2
main.tf
View file

@ -11,6 +11,7 @@ variable "tls_key" {}
variable "client_certificate_secret_name" {}
variable "mailserver_accounts" {}
variable "mailserver_aliases" {}
variable "mailserver_opendkim_key" {}
variable "pihole_web_password" {}
variable "webhook_handler_secret" {}
variable "wireguard_wg_0_conf" {}
@ -169,6 +170,7 @@ module "kubernetes_cluster" {
client_certificate_secret_name = var.client_certificate_secret_name
mailserver_accounts = var.mailserver_accounts
mailserver_aliases = var.mailserver_aliases
mailserver_opendkim_key = var.mailserver_opendkim_key
pihole_web_password = var.pihole_web_password
webhook_handler_secret = var.webhook_handler_secret
wireguard_wg_0_conf = var.wireguard_wg_0_conf

2
modules/kubernetes/blog/main.tf
View file

@ -1,6 +1,4 @@
variable "tls_secret_name" {}
variable "tls_crt" {}
variable "tls_key" {}
# variable "dockerhub_password" {}
resource "kubernetes_namespace" "website" {

274
modules/kubernetes/mailserver/main.tf
View file

@ -1,5 +1,7 @@
variable "tls_secret_name" {}
variable "mailserver_accounts" {}
variable postfix_account_aliases {}
variable "postfix_account_aliases" {}
variable "opendkim_key" {}
resource "kubernetes_namespace" "mailserver" {
metadata {
@ -7,6 +9,12 @@ resource "kubernetes_namespace" "mailserver" {
}
}
module "tls_secret" {
source = "../setup_tls_secret"
namespace = "mailserver"
tls_secret_name = var.tls_secret_name
}
resource "kubernetes_config_map" "mailserver_env_config" {
metadata {
name = "mailserver.env.config"
@ -28,6 +36,9 @@ resource "kubernetes_config_map" "mailserver_env_config" {
ONE_DIR = "1"
OVERRIDE_HOSTNAME = "mail.viktorbarzin.me"
TLS_LEVEL = "intermediate"
SSL_TYPE = "manual"
SSL_CERT_PATH = "/tmp/ssl/tls.crt"
SSL_KEY_PATH = "/tmp/ssl/tls.key"
}
}
@ -61,5 +72,264 @@ resource "kubernetes_config_map" "mailserver_config" {
lifecycle {
ignore_changes = [data["postfix-accounts.cf"]]
}
}
# resource "kubernetes_config_map" "user_patches" {
# metadata {
# name = "user-patches"
# namespace = "mailserver"
# labels = {
# "app" = "mailserver"
# }
# }
# data = {
# user_patches = <<EOF
# #!/bin/bash
# cp -f /tmp/dovecot.key /etc/dovecot/ssl/dovecot.key
# cp -f /tmp/dovecot.crt /etc/dovecot/ssl/dovecot.pem
# EOF
# }
# }
resource "kubernetes_secret" "opendkim_key" {
metadata {
name = "mailserver.opendkim.key"
namespace = "mailserver"
labels = {
"app" = "mailserver"
}
}
type = "Opaque"
data = {
"viktorbarzin.me-mail.key" = var.opendkim_key
}
}
resource "kubernetes_deployment" "mailserver" {
metadata {
name = "mailserver"
namespace = "mailserver"
labels = {
"app" = "mailserver"
}
}
spec {
replicas = "1"
strategy {
type = "Recreate"
}
selector {
match_labels = {
"app" = "mailserver"
}
}
template {
metadata {
labels = {
"app" = "mailserver"
"role" = "mail"
"tier" = "backend"
}
}
spec {
container {
name = "docker-mailserver"
image = "tvial/docker-mailserver:release-v7.2.0"
image_pull_policy = "IfNotPresent"
# lifecycle {
# post_start {
# exec {
# command = [
# "/bin/sh",
# "-c",
# "cp -f /tmp/user-patches.sh /tmp/docker-mailserver/user-patches.sh && chown root:root /var/log/mail && chmod 755 /var/log/mail",
# ]
# }
# }
# }
volume_mount {
name = "config-tls"
mount_path = "/tmp/ssl/tls.key"
sub_path = "tls.key"
read_only = true
}
volume_mount {
name = "config-tls"
mount_path = "/tmp/ssl/tls.crt"
sub_path = "tls.crt"
read_only = true
}
volume_mount {
name = "config"
mount_path = "/tmp/docker-mailserver/postfix-accounts.cf"
sub_path = "postfix-accounts.cf"
read_only = true
}
volume_mount {
name = "config"
mount_path = "/tmp/docker-mailserver/postfix-main.cf"
sub_path = "postfix-main.cf"
read_only = true
}
volume_mount {
name = "config"
mount_path = "/tmp/docker-mailserver/postfix-virtual.cf"
sub_path = "postfix-virtual.cf"
read_only = true
}
volume_mount {
name = "config"
mount_path = "/tmp/docker-mailserver/fetchmail.cf"
sub_path = "fetchmail.cf"
read_only = true
}
volume_mount {
name = "config"
mount_path = "/tmp/docker-mailserver/dovecot.cf"
sub_path = "dovecot.cf"
read_only = true
}
# volume_mount {
# name = "user-patches"
# mount_path = "/tmp/user-patches.sh"
# sub_path = "user-patches.sh"
# read_only = true
# }
volume_mount {
name = "config"
mount_path = "/tmp/docker-mailserver/opendkim/SigningTable"
sub_path = "SigningTable"
read_only = true
}
volume_mount {
name = "config"
mount_path = "/tmp/docker-mailserver/opendkim/KeyTable"
sub_path = "KeyTable"
read_only = true
}
volume_mount {
name = "config"
mount_path = "/tmp/docker-mailserver/opendkim/TrustedHosts"
sub_path = "TrustedHosts"
read_only = true
}
volume_mount {
name = "opendkim-key"
mount_path = "/tmp/docker-mailserver/opendkim/keys"
read_only = true
}
volume_mount {
name = "data"
mount_path = "/var/mail"
sub_path = "data"
}
volume_mount {
name = "data"
mount_path = "/var/mail-state"
sub_path = "state"
}
volume_mount {
name = "data"
mount_path = "/var/log/mail"
sub_path = "log"
}
volume_mount {
name = "var-run-dovecot"
mount_path = "/var/run/dovecot"
}
port {
name = "smtp"
container_port = 25
protocol = "TCP"
}
port {
name = "smtp-secure"
container_port = 465
protocol = "TCP"
}
port {
name = "smtp-auth"
container_port = 587
protocol = "TCP"
}
port {
name = "imap"
container_port = 143
protocol = "TCP"
}
port {
name = "imap-secure"
container_port = 993
protocol = "TCP"
}
env_from {
config_map_ref {
name = "mailserver.env.config"
}
}
}
container {
name = "dovecot-exporter"
image = "viktorbarzin/dovecot_exporter:latest"
command = [
"/dovecot_exporter/exporter",
"--dovecot.socket-path=/var/run/dovecot/stats-reader"
]
image_pull_policy = "IfNotPresent"
port {
name = "dovecotexporter"
container_port = 9166
protocol = "TCP"
}
volume_mount {
name = "var-run-dovecot"
mount_path = "/var/run/dovecot"
}
}
volume {
name = "config"
config_map {
name = "mailserver.config"
}
}
volume {
name = "config-tls"
secret {
secret_name = var.tls_secret_name
}
}
volume {
name = "opendkim-key"
secret {
secret_name = "mailserver.opendkim.key"
}
}
volume {
name = "data"
iscsi {
target_portal = "iscsi.viktorbarzin.lan:3260"
iqn = "iqn.2020-12.lan.viktorbarzin:storage:mailserver"
lun = 0
fs_type = "ext4"
}
}
# volume {
# name = "user-patches"
# config_map {
# name = "user-patches"
# }
# }
volume {
name = "var-run-dovecot"
empty_dir {}
}
}
}
}
}

4
modules/kubernetes/mailserver/variables.tf
View file

@ -20,8 +20,8 @@ inet_interfaces = all
inet_protocols = ipv4
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_cert_file=/tmp/ssl/tls.crt
smtpd_tls_key_file=/tmp/ssl/tls.key
#smtpd_tls_CAfile=
#smtp_tls_CAfile=
smtpd_tls_security_level = may

5
modules/kubernetes/main.tf
View file

@ -3,6 +3,7 @@ variable "client_certificate_secret_name" {}
variable "hackmd_db_password" {}
variable "mailserver_accounts" {}
variable "mailserver_aliases" {}
variable "mailserver_opendkim_key" {}
variable "pihole_web_password" {}
variable "webhook_handler_secret" {}
variable "wireguard_wg_0_conf" {}
@ -25,8 +26,6 @@ resource "null_resource" "core_services" {
module "blog" {
source = "./blog"
tls_secret_name = var.tls_secret_name
tls_crt = var.tls_crt
tls_key = var.tls_key
# dockerhub_password = var.dockerhub_password
depends_on = [null_resource.core_services]
@ -94,8 +93,10 @@ module "k8s-dashboard" {
module "mailserver" {
source = "./mailserver"
tls_secret_name = var.tls_secret_name
mailserver_accounts = var.mailserver_accounts
postfix_account_aliases = var.mailserver_aliases
opendkim_key = var.mailserver_opendkim_key
depends_on = [null_resource.core_services]
}

60
modules/kubernetes/monitoring/main.tf
View file

@ -142,3 +142,63 @@ resource "helm_release" "grafana" {
values = [file("${path.module}/grafana_chart_values.yaml")]
}
resource "kubernetes_ingress" "status" {
metadata {
name = "hetrix-redirect-ingress"
namespace = "monitoring"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/permanent-redirect" = "https://hetrixtools.com/r/38981b548b5d38b052aca8d01285a3f3/"
}
}
spec {
tls {
hosts = ["status.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "status.viktorbarzin.me"
http {
path {
path = "/"
backend {
service_name = "not-used" # redirected by annotation
service_port = "80"
}
}
}
}
}
}
resource "kubernetes_ingress" "status_yotovski" {
metadata {
name = "hetrix-yotovski-redirect-ingress"
namespace = "monitoring"
annotations = {
"kubernetes.io/ingress.class" = "nginx"
"nginx.ingress.kubernetes.io/permanent-redirect" = "https://hetrixtools.com/r/2ba9d7a5e017794db0fd91f0115a8b3b/"
}
}
spec {
tls {
hosts = ["yotovski-status.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "yotovski-status.viktorbarzin.me"
http {
path {
path = "/"
backend {
service_name = "not-used" # redirected by annotation
service_port = "80"
}
}
}
}
}
}