add stalwart

clusters/cl01tl/platform/stalwart/Chart.yaml

@@ -0,0 +1,40 @@
+apiVersion: v2
+name: stalwart
+version: 1.0.0
+description: Stalwart
+keywords:
+  - stalwart
+  - email
+  - smtp
+home: https://wiki.alexlebens.dev/doc/stalwart-mail-server-RxyiB7jWwR
+sources:
+  - https://github.com/stalwartlabs/mail-server
+  - https://github.com/minio/operator
+  - https://github.com/valkey-io/valkey
+  - https://github.com/elastic/elasticsearch
+  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://hub.docker.com/r/stalwartlabs/mail-server
+  - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+  - https://github.com/minio/operator/tree/master/helm/tenant
+  - https://github.com/bitnami/charts/tree/main/bitnami/valkey
+  - https://github.com/bitnami/charts/tree/main/bitnami/elasticsearch
+  - https://github.com/alexlebens/helm-charts/tree/main/charts/postgres-cluster
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: stalwart
+    version: 3.7.1
+    repository: https://bjw-s.github.io/helm-charts/
+  - name: valkey
+    version: 2.4.0
+    repository: https://charts.bitnami.com/bitnami
+  - name: elasticsearch
+    version: 21.4.6
+    repository: https://charts.bitnami.com/bitnami
+  - name: postgres-cluster
+    alias: postgres-17-cluster
+    version: 4.2.0
+    repository: http://alexlebens.github.io/helm-charts
+icon: https://raw.githubusercontent.com/stalwartlabs/website/main/static/img/logo.png
+appVersion: v0.10.7

clusters/cl01tl/platform/stalwart/templates/external-secret.yaml

@@ -0,0 +1,114 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: stalwart-elasticsearch-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ELASTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/stalwart/config
+        metadataPolicy: None
+        property: ELASTIC_PASSWORD
+
+# ---
+# apiVersion: external-secrets.io/v1beta1
+# kind: ExternalSecret
+# metadata:
+#   name: stalwart-config-backup-secret
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: stalwart-config-backup-secret
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/version: {{ .Chart.AppVersion }}
+#     app.kubernetes.io/component: backup
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   secretStoreRef:
+#     kind: ClusterSecretStore
+#     name: vault
+#   target:
+#     template:
+#       mergePolicy: Merge
+#       engineVersion: v2
+#       data:
+#         RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/stalwart/stalwart-config"
+#   data:
+#     - secretKey: BUCKET_ENDPOINT
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /cl01tl/volsync/restic/config
+#         metadataPolicy: None
+#         property: S3_BUCKET_ENDPOINT
+#     - secretKey: RESTIC_PASSWORD
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /cl01tl/volsync/restic/config
+#         metadataPolicy: None
+#         property: RESTIC_PASSWORD
+#     - secretKey: AWS_DEFAULT_REGION
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /cl01tl/volsync/restic/config
+#         metadataPolicy: None
+#         property: AWS_DEFAULT_REGION
+#     - secretKey: AWS_ACCESS_KEY_ID
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /digital-ocean/home-infra/volsync-backups
+#         metadataPolicy: None
+#         property: access_key
+#     - secretKey: AWS_SECRET_ACCESS_KEY
+#       remoteRef:
+#         conversionStrategy: Default
+#         decodingStrategy: None
+#         key: /digital-ocean/home-infra/volsync-backups
+#         metadataPolicy: None
+#         property: secret_key
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: stalwart-postgresql-17-cluster-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: stalwart-postgresql-17-cluster-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: database
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: access
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: secret

clusters/cl01tl/platform/stalwart/templates/http-route.yaml

@@ -0,0 +1,30 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-stalwart
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-stalwart
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - stalwart.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: stalwart
+          port: 80
+          weight: 100

clusters/cl01tl/platform/stalwart/templates/namespace.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: stalwart
+  labels:
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/platform/stalwart/templates/replication-source.yaml

@@ -0,0 +1,27 @@
+# apiVersion: volsync.backube/v1alpha1
+# kind: ReplicationSource
+# metadata:
+#   name: stalwart-config-backup-source
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: stalwart-config-backup-source
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/version: {{ .Chart.AppVersion }}
+#     app.kubernetes.io/component: backup
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   sourcePVC: stalwart-config
+#   trigger:
+#     schedule: 0 0 */3 * *
+#   restic:
+#     pruneIntervalDays: 14
+#     repository: stalwart-config-backup-secret
+#     retain:
+#       hourly: 1
+#       daily: 1
+#       weekly: 1
+#       monthly: 2
+#       yearly: 4
+#     copyMethod: Snapshot
+#     storageClassName: ceph-block
+#     volumeSnapshotClassName: ceph-blockpool-snapshot

clusters/cl01tl/platform/stalwart/values.yaml

@@ -0,0 +1,103 @@
+stalwart:
+  controllers:
+    main:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      revisionHistoryLimit: 3
+      containers:
+        main:
+          image:
+            repository: stalwartlabs/mail-server
+            tag: v0.11.6
+            pullPolicy: IfNotPresent
+          resources:
+            requests:
+              cpu: 10m
+              memory: 128Mi
+  serviceAccount:
+    create: true
+  service:
+    main:
+      controller: main
+      ports:
+        http:
+          port: 80
+          targetPort: 8080
+          protocol: HTTP
+        smtp:
+          port: 25
+          targetPort: 25
+          protocol: TCP
+        smtps:
+          port: 465
+          targetPort: 465
+          protocol: TCP
+        imap:
+          port: 143
+          targetPort: 143
+          protocol: TCP
+        imaps:
+          port: 993
+          targetPort: 993
+          protocol: TCP
+  persistence:
+    config:
+      storageClass: ceph-block
+      accessMode: ReadWriteOnce
+      size: 10Gi
+      retain: true
+      advancedMounts:
+        main:
+          main:
+            - path: /opt/stalwart-mail
+              readOnly: false
+valkey:
+  architecture: standalone
+  auth:
+    enabled: false
+    usePasswordFiles: false
+  primary:
+    persistence:
+      enabled: false
+  replica:
+    persistence:
+      enabled: false
+elasticsearch:
+  global:
+    storageClass: ceph-block
+  extraEnvVars:
+    - name: discovery.type
+      value: single-node
+    - name: xpack.security.enabled
+      value: "true"
+  extraEnvVarsSecret: stalwart-elasticsearch-secret
+  master:
+    masterOnly: false
+    replicaCount: 1
+  data:
+    replicaCount: 0
+  coordinating:
+    replicaCount: 0
+  ingest:
+    enabled: false
+    replicaCount: 0
+postgres-17-cluster:
+  mode: recovery
+  cluster:
+    walStorage:
+      storageClass: local-path
+    storage:
+      storageClass: local-path
+    monitoring:
+      enabled: true
+  recovery:
+    endpointURL: https://nyc3.digitaloceanspaces.com
+    destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/stalwart/stalwart-postgresql-17-cluster
+    endpointCredentials: stalwart-postgresql-17-cluster-backup-secret
+  backup:
+    enabled: false
+    endpointURL: https://nyc3.digitaloceanspaces.com
+    destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/stalwart/stalwart-postgresql-17-cluster
+    endpointCredentials: stalwart-postgresql-17-cluster-backup-secret
+    backupIndex: 2