From b0f461668923eab078c0147c9413f6a753573bca Mon Sep 17 00:00:00 2001
From: viktorbarzin <vbarzin@gmail.com>
Date: Thu, 18 Feb 2021 22:26:36 +0000
Subject: [PATCH] add missing mailserver terraform items

---
 main.tf                                    |   2 +
 modules/kubernetes/blog/main.tf            |   2 -
 modules/kubernetes/mailserver/main.tf      | 274 ++++++++++++++++++++-
 modules/kubernetes/mailserver/variables.tf |   4 +-
 modules/kubernetes/main.tf                 |   5 +-
 modules/kubernetes/monitoring/main.tf      |  60 +++++
 6 files changed, 339 insertions(+), 8 deletions(-)

diff --git a/main.tf b/main.tf
index 9815c2fc..749aa565 100644
--- a/main.tf
+++ b/main.tf
@@ -11,6 +11,7 @@ variable "tls_key" {}
 variable "client_certificate_secret_name" {}
 variable "mailserver_accounts" {}
 variable "mailserver_aliases" {}
+variable "mailserver_opendkim_key" {}
 variable "pihole_web_password" {}
 variable "webhook_handler_secret" {}
 variable "wireguard_wg_0_conf" {}
@@ -169,6 +170,7 @@ module "kubernetes_cluster" {
   client_certificate_secret_name = var.client_certificate_secret_name
   mailserver_accounts            = var.mailserver_accounts
   mailserver_aliases             = var.mailserver_aliases
+  mailserver_opendkim_key        = var.mailserver_opendkim_key
   pihole_web_password            = var.pihole_web_password
   webhook_handler_secret         = var.webhook_handler_secret
   wireguard_wg_0_conf            = var.wireguard_wg_0_conf
diff --git a/modules/kubernetes/blog/main.tf b/modules/kubernetes/blog/main.tf
index 13a7f248..9bb65fd6 100644
--- a/modules/kubernetes/blog/main.tf
+++ b/modules/kubernetes/blog/main.tf
@@ -1,6 +1,4 @@
 variable "tls_secret_name" {}
-variable "tls_crt" {}
-variable "tls_key" {}
 # variable "dockerhub_password" {}
 
 resource "kubernetes_namespace" "website" {
diff --git a/modules/kubernetes/mailserver/main.tf b/modules/kubernetes/mailserver/main.tf
index a0bbdae6..efb25189 100644
--- a/modules/kubernetes/mailserver/main.tf
+++ b/modules/kubernetes/mailserver/main.tf
@@ -1,5 +1,7 @@
+variable "tls_secret_name" {}
 variable "mailserver_accounts" {}
-variable postfix_account_aliases {}
+variable "postfix_account_aliases" {}
+variable "opendkim_key" {}
 
 resource "kubernetes_namespace" "mailserver" {
   metadata {
@@ -7,6 +9,12 @@ resource "kubernetes_namespace" "mailserver" {
   }
 }
 
+module "tls_secret" {
+  source          = "../setup_tls_secret"
+  namespace       = "mailserver"
+  tls_secret_name = var.tls_secret_name
+}
+
 resource "kubernetes_config_map" "mailserver_env_config" {
   metadata {
     name      = "mailserver.env.config"
@@ -28,6 +36,9 @@ resource "kubernetes_config_map" "mailserver_env_config" {
     ONE_DIR             = "1"
     OVERRIDE_HOSTNAME   = "mail.viktorbarzin.me"
     TLS_LEVEL           = "intermediate"
+    SSL_TYPE            = "manual"
+    SSL_CERT_PATH       = "/tmp/ssl/tls.crt"
+    SSL_KEY_PATH        = "/tmp/ssl/tls.key"
   }
 }
 
@@ -61,5 +72,264 @@ resource "kubernetes_config_map" "mailserver_config" {
   lifecycle {
     ignore_changes = [data["postfix-accounts.cf"]]
   }
-
+}
+
+# resource "kubernetes_config_map" "user_patches" {
+#   metadata {
+#     name      = "user-patches"
+#     namespace = "mailserver"
+#     labels = {
+#       "app" = "mailserver"
+#     }
+#   }
+
+#   data = {
+#     user_patches = <<EOF
+# #!/bin/bash
+# cp -f /tmp/dovecot.key /etc/dovecot/ssl/dovecot.key
+# cp -f /tmp/dovecot.crt /etc/dovecot/ssl/dovecot.pem 
+#     EOF
+#   }
+# }
+
+resource "kubernetes_secret" "opendkim_key" {
+  metadata {
+    name      = "mailserver.opendkim.key"
+    namespace = "mailserver"
+    labels = {
+      "app" = "mailserver"
+    }
+  }
+  type = "Opaque"
+  data = {
+    "viktorbarzin.me-mail.key" = var.opendkim_key
+  }
+}
+
+
+resource "kubernetes_deployment" "mailserver" {
+  metadata {
+    name      = "mailserver"
+    namespace = "mailserver"
+    labels = {
+      "app" = "mailserver"
+    }
+  }
+  spec {
+    replicas = "1"
+    strategy {
+      type = "Recreate"
+    }
+    selector {
+      match_labels = {
+        "app" = "mailserver"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          "app"  = "mailserver"
+          "role" = "mail"
+          "tier" = "backend"
+        }
+      }
+      spec {
+        container {
+          name              = "docker-mailserver"
+          image             = "tvial/docker-mailserver:release-v7.2.0"
+          image_pull_policy = "IfNotPresent"
+
+          # lifecycle {
+          #   post_start {
+          #     exec {
+          #       command = [
+          #         "/bin/sh",
+          #         "-c",
+          #         "cp -f /tmp/user-patches.sh /tmp/docker-mailserver/user-patches.sh && chown root:root /var/log/mail && chmod 755 /var/log/mail",
+          #       ]
+          #     }
+          #   }
+          # }
+
+          volume_mount {
+            name       = "config-tls"
+            mount_path = "/tmp/ssl/tls.key"
+            sub_path   = "tls.key"
+            read_only  = true
+          }
+          volume_mount {
+            name       = "config-tls"
+            mount_path = "/tmp/ssl/tls.crt"
+            sub_path   = "tls.crt"
+            read_only  = true
+          }
+          volume_mount {
+            name       = "config"
+            mount_path = "/tmp/docker-mailserver/postfix-accounts.cf"
+            sub_path   = "postfix-accounts.cf"
+            read_only  = true
+          }
+          volume_mount {
+            name       = "config"
+            mount_path = "/tmp/docker-mailserver/postfix-main.cf"
+            sub_path   = "postfix-main.cf"
+            read_only  = true
+          }
+          volume_mount {
+            name       = "config"
+            mount_path = "/tmp/docker-mailserver/postfix-virtual.cf"
+            sub_path   = "postfix-virtual.cf"
+            read_only  = true
+          }
+          volume_mount {
+            name       = "config"
+            mount_path = "/tmp/docker-mailserver/fetchmail.cf"
+            sub_path   = "fetchmail.cf"
+            read_only  = true
+          }
+          volume_mount {
+            name       = "config"
+            mount_path = "/tmp/docker-mailserver/dovecot.cf"
+            sub_path   = "dovecot.cf"
+            read_only  = true
+          }
+          # volume_mount {
+          #   name       = "user-patches"
+          #   mount_path = "/tmp/user-patches.sh"
+          #   sub_path   = "user-patches.sh"
+          #   read_only  = true
+          # }
+          volume_mount {
+            name       = "config"
+            mount_path = "/tmp/docker-mailserver/opendkim/SigningTable"
+            sub_path   = "SigningTable"
+            read_only  = true
+          }
+          volume_mount {
+            name       = "config"
+            mount_path = "/tmp/docker-mailserver/opendkim/KeyTable"
+            sub_path   = "KeyTable"
+            read_only  = true
+          }
+          volume_mount {
+            name       = "config"
+            mount_path = "/tmp/docker-mailserver/opendkim/TrustedHosts"
+            sub_path   = "TrustedHosts"
+            read_only  = true
+          }
+          volume_mount {
+            name       = "opendkim-key"
+            mount_path = "/tmp/docker-mailserver/opendkim/keys"
+            read_only  = true
+          }
+          volume_mount {
+            name       = "data"
+            mount_path = "/var/mail"
+            sub_path   = "data"
+          }
+          volume_mount {
+            name       = "data"
+            mount_path = "/var/mail-state"
+            sub_path   = "state"
+          }
+          volume_mount {
+            name       = "data"
+            mount_path = "/var/log/mail"
+            sub_path   = "log"
+          }
+          volume_mount {
+            name       = "var-run-dovecot"
+            mount_path = "/var/run/dovecot"
+          }
+          port {
+            name           = "smtp"
+            container_port = 25
+            protocol       = "TCP"
+          }
+          port {
+            name           = "smtp-secure"
+            container_port = 465
+            protocol       = "TCP"
+          }
+          port {
+            name           = "smtp-auth"
+            container_port = 587
+            protocol       = "TCP"
+          }
+          port {
+            name           = "imap"
+            container_port = 143
+            protocol       = "TCP"
+          }
+          port {
+            name           = "imap-secure"
+            container_port = 993
+            protocol       = "TCP"
+          }
+          env_from {
+            config_map_ref {
+              name = "mailserver.env.config"
+            }
+          }
+
+        }
+        container {
+          name  = "dovecot-exporter"
+          image = "viktorbarzin/dovecot_exporter:latest"
+          command = [
+            "/dovecot_exporter/exporter",
+            "--dovecot.socket-path=/var/run/dovecot/stats-reader"
+          ]
+          image_pull_policy = "IfNotPresent"
+          port {
+            name           = "dovecotexporter"
+            container_port = 9166
+            protocol       = "TCP"
+          }
+          volume_mount {
+            name       = "var-run-dovecot"
+            mount_path = "/var/run/dovecot"
+          }
+        }
+
+        volume {
+          name = "config"
+          config_map {
+            name = "mailserver.config"
+          }
+        }
+        volume {
+          name = "config-tls"
+          secret {
+            secret_name = var.tls_secret_name
+          }
+        }
+        volume {
+          name = "opendkim-key"
+          secret {
+            secret_name = "mailserver.opendkim.key"
+          }
+        }
+        volume {
+          name = "data"
+          iscsi {
+            target_portal = "iscsi.viktorbarzin.lan:3260"
+            iqn           = "iqn.2020-12.lan.viktorbarzin:storage:mailserver"
+            lun           = 0
+            fs_type       = "ext4"
+          }
+        }
+        # volume {
+        #   name = "user-patches"
+        #   config_map {
+        #     name = "user-patches"
+        #   }
+        # }
+        volume {
+          name = "var-run-dovecot"
+          empty_dir {}
+        }
+      }
+    }
+  }
 }
diff --git a/modules/kubernetes/mailserver/variables.tf b/modules/kubernetes/mailserver/variables.tf
index f20b862b..f5916807 100644
--- a/modules/kubernetes/mailserver/variables.tf
+++ b/modules/kubernetes/mailserver/variables.tf
@@ -20,8 +20,8 @@ inet_interfaces = all
 inet_protocols = ipv4
 
 # TLS parameters
-smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
-smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_cert_file=/tmp/ssl/tls.crt
+smtpd_tls_key_file=/tmp/ssl/tls.key
 #smtpd_tls_CAfile=
 #smtp_tls_CAfile=
 smtpd_tls_security_level = may
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index 952f969e..809d4e8d 100644
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@@ -3,6 +3,7 @@ variable "client_certificate_secret_name" {}
 variable "hackmd_db_password" {}
 variable "mailserver_accounts" {}
 variable "mailserver_aliases" {}
+variable "mailserver_opendkim_key" {}
 variable "pihole_web_password" {}
 variable "webhook_handler_secret" {}
 variable "wireguard_wg_0_conf" {}
@@ -25,8 +26,6 @@ resource "null_resource" "core_services" {
 module "blog" {
   source          = "./blog"
   tls_secret_name = var.tls_secret_name
-  tls_crt         = var.tls_crt
-  tls_key         = var.tls_key
   # dockerhub_password = var.dockerhub_password
 
   depends_on = [null_resource.core_services]
@@ -94,8 +93,10 @@ module "k8s-dashboard" {
 
 module "mailserver" {
   source                  = "./mailserver"
+  tls_secret_name         = var.tls_secret_name
   mailserver_accounts     = var.mailserver_accounts
   postfix_account_aliases = var.mailserver_aliases
+  opendkim_key            = var.mailserver_opendkim_key
 
   depends_on = [null_resource.core_services]
 }
diff --git a/modules/kubernetes/monitoring/main.tf b/modules/kubernetes/monitoring/main.tf
index a47a0aba..3e619838 100644
--- a/modules/kubernetes/monitoring/main.tf
+++ b/modules/kubernetes/monitoring/main.tf
@@ -142,3 +142,63 @@ resource "helm_release" "grafana" {
 
   values = [file("${path.module}/grafana_chart_values.yaml")]
 }
+
+resource "kubernetes_ingress" "status" {
+  metadata {
+    name      = "hetrix-redirect-ingress"
+    namespace = "monitoring"
+    annotations = {
+      "kubernetes.io/ingress.class"                    = "nginx"
+      "nginx.ingress.kubernetes.io/permanent-redirect" = "https://hetrixtools.com/r/38981b548b5d38b052aca8d01285a3f3/"
+    }
+  }
+
+  spec {
+    tls {
+      hosts       = ["status.viktorbarzin.me"]
+      secret_name = var.tls_secret_name
+    }
+    rule {
+      host = "status.viktorbarzin.me"
+      http {
+        path {
+          path = "/"
+          backend {
+            service_name = "not-used" # redirected by annotation
+            service_port = "80"
+          }
+        }
+      }
+    }
+  }
+}
+
+resource "kubernetes_ingress" "status_yotovski" {
+  metadata {
+    name      = "hetrix-yotovski-redirect-ingress"
+    namespace = "monitoring"
+    annotations = {
+      "kubernetes.io/ingress.class"                    = "nginx"
+      "nginx.ingress.kubernetes.io/permanent-redirect" = "https://hetrixtools.com/r/2ba9d7a5e017794db0fd91f0115a8b3b/"
+    }
+  }
+
+  spec {
+    tls {
+      hosts       = ["yotovski-status.viktorbarzin.me"]
+      secret_name = var.tls_secret_name
+    }
+    rule {
+      host = "yotovski-status.viktorbarzin.me"
+      http {
+        path {
+          path = "/"
+          backend {
+            service_name = "not-used" # redirected by annotation
+            service_port = "80"
+          }
+        }
+      }
+    }
+  }
+}