feat: create stalwart module (#418)

- add stalwart module
- add psql database on the shared patroni instance
- add ceph-rgw credentials to eyaml
- ensure psql pass and s3 access key are converted to sensitive

Reviewed-on: #418
This commit was merged in pull request #418.
This commit is contained in:
2025-11-08 19:09:30 +11:00
parent 92a48b4113
commit 9dd74013ea
13 changed files with 1067 additions and 2 deletions
+57
View File
@@ -0,0 +1,57 @@
# Example hieradata for profiles::mail::stalwart
# This shows the required and optional parameters for Stalwart configuration
# Required: Unique node ID for each server in the cluster (1, 2, 3, etc.)
profiles::mail::stalwart::node_id: 1
# Required: Cluster role name for query_nodes() discovery
profiles::mail::stalwart::cluster_role: 'mail-backend'
# Required: PostgreSQL connection settings
profiles::mail::stalwart::postgresql_host: 'pgsql.example.com'
profiles::mail::stalwart::postgresql_port: 5432
profiles::mail::stalwart::postgresql_database: 'stalwart'
profiles::mail::stalwart::postgresql_user: 'stalwart'
profiles::mail::stalwart::postgresql_password: >
ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAxample...]
profiles::mail::stalwart::postgresql_ssl: true
# Required: S3/Ceph-RGW connection settings
profiles::mail::stalwart::s3_endpoint: 'https://ceph-rgw.example.com'
profiles::mail::stalwart::s3_bucket: 'stalwart-blobs'
profiles::mail::stalwart::s3_region: 'default'
profiles::mail::stalwart::s3_access_key: 'stalwart_access_key'
profiles::mail::stalwart::s3_secret_key: >
ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAxample...]
profiles::mail::stalwart::s3_key_prefix: 'stalwart/'
# Required: Domains this mail backend serves
profiles::mail::stalwart::domains:
- 'example.com'
- 'mail.example.com'
# Required: Postfix relay host for SMTP delivery
profiles::mail::stalwart::postfix_relay_host: 'postfix.example.com'
# Optional: Protocol configuration (defaults shown)
profiles::mail::stalwart::enable_imap: true
profiles::mail::stalwart::enable_imap_tls: true
profiles::mail::stalwart::enable_http: true
profiles::mail::stalwart::enable_smtp_relay: true
# Optional: Management settings
profiles::mail::stalwart::manage_dns_records: true
profiles::mail::stalwart::log_level: 'info'
# Optional: TLS certificate paths (defaults shown)
profiles::mail::stalwart::tls_cert: '/etc/pki/tls/vault/certificate.crt'
profiles::mail::stalwart::tls_key: '/etc/pki/tls/vault/private.key'
# Example PKI alt_names configuration for TLS certificates
# This should include all domains and hostnames that need certificates
profiles::pki::vault::alt_names:
mail-backend:
- 'imap.example.com'
- 'mail.example.com'
- 'autoconfig.example.com'
- 'autodiscover.example.com'
@@ -0,0 +1,58 @@
# Example hieradata for roles::infra::mail::backend
# Place this in: hieradata/roles/infra/mail/backend.yaml
# Stalwart module configuration - all parameters passed directly to the module
# stalwart::node_id: 1234 # Optional - automatically extracted from last 4 digits of hostname
stalwart::cluster_role: 'mail-backend'
# PostgreSQL connection settings
stalwart::postgresql_host: 'pgsql.example.com'
stalwart::postgresql_port: 5432
stalwart::postgresql_database: 'stalwart'
stalwart::postgresql_user: 'stalwart'
stalwart::postgresql_password: >
ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAxample...]
stalwart::postgresql_ssl: true
# S3/Ceph-RGW connection settings
stalwart::s3_endpoint: 'https://ceph-rgw.example.com'
stalwart::s3_bucket: 'stalwart-blobs'
stalwart::s3_region: 'default'
stalwart::s3_access_key: 'stalwart_access_key'
stalwart::s3_secret_key: >
ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAxample...]
stalwart::s3_key_prefix: 'stalwart/'
# Domains this mail backend serves
stalwart::domains:
- 'example.com'
- 'mail.example.com'
# Postfix relay host for SMTP delivery
stalwart::postfix_relay_host: 'postfix.example.com'
# Optional protocol configuration (defaults shown)
stalwart::enable_imap: true
stalwart::enable_imap_tls: true
stalwart::enable_http: true
stalwart::enable_smtp_relay: true
# Optional management settings
stalwart::manage_dns_records: true
stalwart::log_level: 'info'
# Optional TLS certificate paths (defaults work with profiles::pki::vault)
# stalwart::tls_cert: '/etc/pki/tls/vault/certificate.crt'
# stalwart::tls_key: '/etc/pki/tls/vault/private.key'
# Optional path overrides (RPM package sets up these defaults)
# stalwart::config_dir: '/opt/stalwart/etc'
# stalwart::data_dir: '/var/lib/stalwart'
# PKI alt_names configuration for TLS certificates
# This should include all domains and hostnames that need certificates
profiles::pki::vault::alt_names:
- 'imap.example.com'
- 'mail.example.com'
- 'autoconfig.example.com'
- 'autodiscover.example.com'