Files
argocd-apps/apps/base/stalwart/stalwart-deployment.yaml
T
unkinben 0d89a69c18 feat(stalwart): deploy Stalwart mail server with CNPG and S3
- stalwart namespace with Deployment + HPA (2-6 replicas)
- CNPG PostgreSQL cluster (3 instances, 20Gi cephrbd-fast-delete) with PgBouncer pooler
- S3/Ceph-RGW for blob storage (stalwart-maildata bucket, lz4 compressed)
- Secrets from Vault: postgres-credentials, s3-credentials, stalwart-admin
- TLS cert via cert-manager (vault-issuer) for mail.main.unkin.net
- SMTP relay on port 25 (internal ClusterIP, trusted pod CIDRs)
- Submission on port 587, IMAP 143/993, HTTPS 443 via LoadBalancer
- HTTP port 8080 for Traefik reverse proxy (web admin at mail.k8s.syd1.au.unkin.net)
- Outbound mail routed through postfix.mailgateway.svc.cluster.local:25
- Spam filtering offloaded to postfix/rspamd (disabled internally)
2026-05-24 12:44:46 +10:00

108 lines
2.8 KiB
YAML

---
apiVersion: apps/v1
kind: Deployment
metadata:
name: stalwart
namespace: stalwart
spec:
selector:
matchLabels:
app: stalwart
template:
metadata:
annotations:
reloader.stakater.com/auto: "true"
labels:
app: stalwart
spec:
securityContext:
runAsUser: 2000
runAsGroup: 2000
fsGroup: 2000
containers:
- name: stalwart
image: ghcr.io/stalwartlabs/stalwart:v0.16.6
ports:
- containerPort: 25
name: smtp-relay
protocol: TCP
- containerPort: 587
name: submission
protocol: TCP
- containerPort: 143
name: imap
protocol: TCP
- containerPort: 993
name: imaps
protocol: TCP
- containerPort: 443
name: https
protocol: TCP
- containerPort: 8080
name: http-internal
protocol: TCP
- containerPort: 9090
name: metrics
protocol: TCP
env:
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-credentials
key: password
- name: S3_ACCESS_KEY
valueFrom:
secretKeyRef:
name: s3-credentials
key: access_key
- name: S3_SECRET_KEY
valueFrom:
secretKeyRef:
name: s3-credentials
key: secret_key
- name: ADMIN_PASSWORD_HASH
valueFrom:
secretKeyRef:
name: stalwart-admin
key: password_hash
livenessProbe:
tcpSocket:
port: 25
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
tcpSocket:
port: 25
initialDelaySeconds: 15
periodSeconds: 10
timeoutSeconds: 3
failureThreshold: 3
resources:
requests:
cpu: 250m
memory: 512Mi
limits:
cpu: "2"
memory: 2Gi
volumeMounts:
- name: config
mountPath: /etc/stalwart/config.toml
subPath: config.toml
readOnly: true
- name: tls
mountPath: /etc/stalwart/tls
readOnly: true
- name: data
mountPath: /var/lib/stalwart
volumes:
- name: config
configMap:
name: stalwart-config
- name: tls
secret:
secretName: stalwart-tls
- name: data
emptyDir: {}