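---
# Flux HelmRelease that deploys the "./stalwart-mail" chart from the wrenix
# chart repository and passes Stalwart's own configuration through
# .spec.values. Credentials are never written into this template: they are
# pulled from the release Secret via valuesFrom and reach Stalwart as
# environment variables that the config references with the "%{env:NAME}%"
# macro.
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
  name: "{{ .Release.Name }}-hr"
spec:
  chart:
    spec:
      sourceRef:
        kind: GitRepository
        name: "wrenix-helm-charts"
        namespace: "flux-system"
      chart: "./stalwart-mail"
      # Reconcile on every new source revision, not only on a chart
      # version bump.
      reconcileStrategy: "Revision"
  # Install/test/upgrade/drift settings are shared across releases and are
  # copied verbatim from the commons values block.
  install:
    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
  test:
    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
  upgrade:
    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
  driftDetection:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: "10m"
  # Each entry copies one key of the Secret named after the release into the
  # subchart values at targetPath; the Stalwart config below reads those
  # values back through "%{env:...}%" instead of embedding them.
  valuesFrom:
    - kind: Secret
      name: {{ .Release.Name | quote }}
      valuesKey: "admin_password"
      targetPath: "secrets.env.FALLBACK_ADMIN_SECRET"
    - kind: Secret
      name: {{ .Release.Name | quote }}
      valuesKey: "database_password"
      targetPath: "secrets.env.STORE_PGSQL_PASSWORD"
    - kind: Secret
      name: {{ .Release.Name | quote }}
      valuesKey: "metrics_secret"
      targetPath: "secrets.env.METRICS_SECRET"
    # NOTE(review): the LDAP bind password was previously a literal in
    # directory.ldap.bind.secret below. "ldap_bind_password" and
    # LDAP_BIND_SECRET are constructed names: the release Secret must carry
    # the bind password under this key. Without it the reconciliation fails
    # loudly, which is preferable to a credential baked into the chart.
    - kind: Secret
      name: {{ .Release.Name | quote }}
      valuesKey: "ldap_bind_password"
      targetPath: "secrets.env.LDAP_BIND_SECRET"
  values:
    # Public mail hostname: explicit override, else "mail.<commons domain>".
    {{- $host := .Values.ingress.host | default (printf "mail.%s" .Values.commons.ingress.domain) }}
    config:
      lookup:
        default:
          hostname: {{ $host | quote }}
      server:
        listener:
          # Every mail listener carries a proxy trust list: only the
          # networks in .Values.networks.trustedNetworks may supply a
          # proxied client address, so keep that list tight.
          smtp:
            proxy:
              trusted-networks:
                {{- toYaml .Values.networks.trustedNetworks | nindent 16 }}
          submission:
            proxy:
              trusted-networks:
                {{- toYaml .Values.networks.trustedNetworks | nindent 16 }}
          submissions:
            proxy:
              trusted-networks:
                {{- toYaml .Values.networks.trustedNetworks | nindent 16 }}
          imap:
            proxy:
              trusted-networks:
                {{- toYaml .Values.networks.trustedNetworks | nindent 16 }}
          imaptls:
            proxy:
              trusted-networks:
                {{- toYaml .Values.networks.trustedNetworks | nindent 16 }}
          pop3:
            proxy:
              trusted-networks:
                {{- toYaml .Values.networks.trustedNetworks | nindent 16 }}
          pop3s:
            proxy:
              trusted-networks:
                {{- toYaml .Values.networks.trustedNetworks | nindent 16 }}
          sieve:
            proxy:
              trusted-networks:
                {{- toYaml .Values.networks.trustedNetworks | nindent 16 }}
          # without proxy and tls for ingress
          http:
            protocol: "http"
            bind: [ "[::]:8080" ]
          # Direct HTTPS listener (implicit TLS on 443) behind the proxy.
          https:
            url: {{ printf "https://%s" $host | quote }}
            bind: [ "[::]:443" ]
            proxy:
              trusted-networks:
                {{- toYaml .Values.networks.trustedNetworks | nindent 16 }}
            tls:
              implicit: true
      storage:
        data: "pgsql"
        fts: "pgsql"
        full-text:
          default-language: "en"
        blob: "filesystem"
        lookup: "pgsql"
        directory: "ldap"
      store:
        # null removes the key when Helm merges values; presumably this drops
        # the subchart's default RocksDB store in favour of PostgreSQL.
        rocksdb: null
        pgsql:
          type: "postgresql"
          host: {{ .Values.database.host | quote }}
          database: {{ .Values.database.name | quote }}
          user: {{ .Values.database.username | quote }}
          password: "%{env:STORE_PGSQL_PASSWORD}%"
        filesystem:
          type: "fs"
          path: "/data/blobs"
          depth: 2
      directory:
        # Same null-removal idiom as store.rocksdb above.
        internal: null
        ldap:
          type: "ldap"
          url: "ldap://{{ .Release.Name }}-auth-authentik-application-ldap:389"
          base-dn: "dc=ldap,dc=goauthentik,dc=io"
          timeout: "30s"
          tls:
            # Plain LDAP to the in-cluster outpost: the bind credential and
            # lookups cross this hop unencrypted. Keep it cluster-local, or
            # enable TLS here if the outpost offers LDAPS/StartTLS.
            enable: false
            allow-invalid-certs: false
          bind:
            dn: "cn=ldap-mail,ou=users,dc=ldap,dc=goauthentik,dc=io"
            # Read from the environment (populated via valuesFrom above)
            # rather than a literal in the chart.
            secret: "%{env:LDAP_BIND_SECRET}%"
          auth:
            enable: false
            dn: "cn=?,ou=users,dc=ldap,dc=goauthentik,dc=io"
            search: true
          # "?" is the lookup placeholder; every filter also requires the
          # entry to be a posixAccount or flagged ak-active=TRUE.
          filter:
            name: "(&(|(objectClass=posixAccount)(ak-active=TRUE))(cn=?))"
            email: "(&(|(objectClass=posixAccount)(ak-active=TRUE))(|(mail=?)(mailAlias=?)(mailList=?)))"
            verify: "(&(|(objectClass=posixAccount)(ak-active=TRUE))(|(mail=*?*)(mailAlias=*?*)))"
            expand: "(&(|(objectClass=posixAccount)(ak-active=TRUE))(mailList=?))"
            domains: "(&(|(objectClass=posixAccount)(ak-active=TRUE))(|(mail=*@?)(mailAlias=*@?)))"
          attributes:
            name: "cn"
            class: "ak-superuser"
            description: "displayName"
            # secret: "userPassword"
            groups: "memberOf"
            email: "mail"
            email-alias: "mailAlias"
            # quota: "diskQuota"
      tracer:
        stdout:
          level: "info"
          # TODO cleanup
          # level: warn
        # OpenTelemetry export is only emitted when commons.tracing.enabled.
        {{- with .Values.commons.tracing }}
        {{- if .enabled }}
        otel:
          enable:
            span-exporter: true
            log-exporter: false
          level: "debug"
          {{- if .grpc.enabled }}
          transport: "grpc"
          endpoint: {{ printf "%s://%s" (.grpc.insecure | ternary "http" "https") .grpc.endpoint | quote }}
          {{- else }}
          transport: "http"
          # NOTE(review): ".hrrp" looks like a typo (the gRPC branch reads
          # ".grpc.endpoint"); if that key is absent from values this line
          # fails to render. Confirm the key name in commons.tracing before
          # changing it.
          endpoint: {{ .hrrp.endpoint | quote }}
          {{- end }}
        {{- end }}
        {{- end }}
      certificate:
        default:
          cert: "%{file:/opt/stalwart-mail/etc/certs/tls.crt}%"
          private-key: "%{file:/opt/stalwart-mail/etc/certs/tls.key}%"
    service:
      # Dual-stack Service when IPv6 is enabled for this deployment.
      {{- if .Values.networks.ipv6 }}
      ipFamilies: [ "IPv6", "IPv4" ]
      ipFamilyPolicy: "RequireDualStack"
      {{- end }}
      # null entries pass through to the subchart unchanged; whether that
      # means "disable" or "use default" is decided there, not here.
      ports:
        submission: null
        imap: null
        pop3: null
        http: 8080
    ingress:
      enabled: true
      # Shared annotations first, release-specific ones after (later keys
      # win on conflict once the YAML is merged).
      annotations:
        {{- with .Values.commons.ingress.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        {{- with .Values.ingress.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      # Discovery endpoints (JMAP, MTA-STS, autoconfig/autodiscover) are
      # served on the apex domain plus the conventional subdomains.
      hosts:
        - host: "{{ .Values.commons.ingress.domain }}"
          paths:
            - path: "/.well-known/jmap"
              pathType: "Prefix"
            - path: "/.well-known/mta-sts.txt"
              pathType: "Exact"
            - path: "/.well-known/mail-v1.xml"
              pathType: "Exact"
            - path: "/.well-known/autoconfig"
              pathType: "Prefix"
            - path: "/autodiscover"
              pathType: "Prefix"
        - host: "autoconfig.{{ .Values.commons.ingress.domain }}"
          paths:
            - path: "/mail"
              pathType: "Prefix"
        - host: "autodiscover.{{ .Values.commons.ingress.domain }}"
          paths:
            - path: "/autodiscover"
              pathType: "Prefix"
        - host: "mta-sts.{{ .Values.commons.ingress.domain }}"
          paths:
            - path: "/"
              pathType: "Prefix"
      {{- if .Values.commons.ingress.tls.enabled }}
      tls:
        # An explicit override replaces the generated block entirely.
        {{- with .Values.commons.ingress.tls.override }}
        {{- toYaml . | nindent 8 }}
        {{- else }}
        - secretName: "{{ .Release.Name }}-cert"
          hosts:
            - "{{ .Values.commons.ingress.domain }}"
            - "autoconfig.{{ .Values.commons.ingress.domain }}"
            - "autodiscover.{{ .Values.commons.ingress.domain }}"
            - "mta-sts.{{ .Values.commons.ingress.domain }}"
        {{- end }}
      {{- end }}
    traefik:
      enabled: true
      host: {{ $host | quote }}
      ports:
        # TCP router matching any SNI; SMTP on 25 starts in clear text so
        # there is no hostname to match on.
        smtp:
          match: 'HostSNI(`*`)'
        submission: null
        imap: null
        pop3: null
        https:
          entrypoint: "websecure"
    certificate:
      certmanager:
        dnsNames:
          - {{ $host | quote }}
    prometheus:
      servicemonitor:
        # Only when the Prometheus Operator CRD exists in the cluster that
        # renders this template.
        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
        labels:
          {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
    persistence:
      enabled: true
      size: {{ .Values.persistence.size | quote }}
      # Release-specific storageClass wins; otherwise fall back to commons.
      {{- with .Values.persistence.storageClass | default .Values.commons.persistence.storageClass }}
      storageClass: {{ . | quote }}
      {{- end }}
      {{- if .Values.commons.persistence.hostPath.enabled }}
      hostPath: "{{ .Values.commons.persistence.hostPath.prefix }}/mail-stalwart"
      {{- end }}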