titan-iac/services/mailu/helmrelease.yaml

# services/mailu/helmrelease.yaml
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: mailu
  namespace: mailu-mailserver
spec:
  interval: 30m
  chart:
    spec:
      chart: mailu
      version: 2.1.2
      sourceRef:
        kind: HelmRepository
        name: mailu
        namespace: flux-system
  install:
    remediation: { retries: 3 }
    timeout: 10m
  upgrade:
    remediation:
      retries: 3
      remediateLastFailure: true
    cleanupOnFail: true
    timeout: 10m
  values:
    mailuVersion: "2024.06"
    domain: bstein.dev
    hostnames: [mail.bstein.dev]
    domains:
      - name: bstein.dev
        enabled: true
        dkim:
          enabled: true
    timezone: Etc/UTC
    subnet: 10.42.0.0/16
    existingSecret: mailu-secret
    externalDatabase:
      enabled: true
      type: postgresql
      host: postgres-service.postgres.svc.cluster.local
      port: 5432
      database: mailu
      username: mailu
      existingSecret: mailu-db-secret
      existingSecretUsernameKey: username
      existingSecretPasswordKey: password
      existingSecretDatabaseKey: database
    initialAccount:
      enabled: true
      username: test
      domain: bstein.dev
      existingSecret: mailu-initial-account-secret
      existingSecretPasswordKey: password
    persistence:
      accessModes: [ReadWriteMany]
      size: 100Gi
      storageClass: astreae
      single_pvc: true
    front:
      hostnames: [mail.bstein.dev]
      proxied: true
      hostPort:
        enabled: false
      https:
        enabled: false
        external: false
        forceHttps: false
      externalService:
        enabled: true
        type: LoadBalancer
        externalTrafficPolicy: Cluster
        ports:
          submission: true
        nodePorts:
          pop3: 30010
          pop3s: 30011
          imap: 30143
          imaps: 30993
          manageSieve: 30419
          smtp: 30025
          smtps: 30465
          submission: 30587
      logLevel: DEBUG
      nodeSelector:
        hardware: rpi4
    admin:
      logLevel: DEBUG
      nodeSelector:
        hardware: rpi4
      podLivenessProbe:
        enabled: true
        initialDelaySeconds: 30
        periodSeconds: 10
        timeoutSeconds: 5
        failureThreshold: 6
        successThreshold: 1
      podReadinessProbe:
        enabled: true
        initialDelaySeconds: 20
        periodSeconds: 10
        timeoutSeconds: 5
        failureThreshold: 6
        successThreshold: 1
      extraEnvVars:
        - name: FLASK_DEBUG
          value: "1"
        - name: ACCESSLOG
          value: /dev/stdout
        - name: ERRORLOG
          value: /dev/stderr
        - name: WEBROOT_REDIRECT
          value: ""
        - name: FORWARDED_ALLOW_IPS
          value: 127.0.0.1,10.42.0.0/16
        - name: DNS_RESOLVERS
          value: 1.1.1.1,9.9.9.9
      extraVolumes:
        - name: unbound-config
          configMap:
            name: mailu-unbound
        - name: unbound-run
          emptyDir: {}
      extraVolumeMounts:
        - name: unbound-run
          mountPath: /var/lib/unbound
      extraContainers:
        - name: unbound
          image: docker.io/alpine:3.20
          command: ["/bin/sh", "-c"]
          args:
            - |
              while :; do
                printf "nameserver 10.43.0.10\n" > /etc/resolv.conf
                if apk add --no-cache unbound bind-tools; then
                  break
                fi
                echo "apk failed, retrying" >&2
                sleep 10
              done
              cat >/etc/resolv.conf <<'EOF'
              search mailu-mailserver.svc.cluster.local svc.cluster.local cluster.local
              nameserver 127.0.0.1
              EOF
              unbound-anchor -a /var/lib/unbound/root.key || true
              exec unbound -d -c /opt/unbound/etc/unbound/unbound.conf
          ports:
            - containerPort: 53
              protocol: UDP
            - containerPort: 53
              protocol: TCP
          volumeMounts:
            - name: unbound-config
              mountPath: /opt/unbound/etc/unbound
            - name: unbound-run
              mountPath: /var/lib/unbound
      dnsPolicy: None
      dnsConfig:
        nameservers:
          - 127.0.0.1
        searches:
          - mailu-mailserver.svc.cluster.local
          - svc.cluster.local
          - cluster.local
    clamav:
      image:
        repository: clamav/clamav-debian
        tag: "1.4"
      logLevel: DEBUG
      nodeSelector:
        hardware: rpi5
      resources:
        requests:
          cpu: 200m
          memory: 1Gi
        limits:
          cpu: 500m
          memory: 3Gi
      livenessProbe:
        enabled: false
        initialDelaySeconds: 300
        periodSeconds: 30
        timeoutSeconds: 5
        failureThreshold: 6
        successThreshold: 1
      startupProbe:
        enabled: false
        initialDelaySeconds: 60
        periodSeconds: 30
        timeoutSeconds: 5
        failureThreshold: 20
        successThreshold: 1
      readinessProbe:
        enabled: false
        initialDelaySeconds: 300
        periodSeconds: 30
        timeoutSeconds: 5
        failureThreshold: 6
        successThreshold: 1
    dovecot:
      logLevel: DEBUG
      nodeSelector:
        hardware: rpi4
    oletools:
      logLevel: DEBUG
      nodeSelector:
        hardware: rpi4
    postfix:
      logLevel: DEBUG
      nodeSelector:
        hardware: rpi4
    redis:
      enabled: true
      architecture: standalone
      logLevel: DEBUG
      image:
        repository: bitnamilegacy/redis
        tag: 8.0.3-debian-12-r3
      master:
        nodeSelector:
          hardware: rpi4
        persistence:
          enabled: true
          accessModes: [ReadWriteMany]
          size: 8Gi
          storageClass: astreae
    rspamd:
      logLevel: DEBUG
      nodeSelector:
        hardware: rpi4
      persistence:
        accessModes: [ReadWriteOnce]
        size: 8Gi
        storageClass: astreae
    tika:
      logLevel: DEBUG
      nodeSelector:
        hardware: rpi4
    global:
      logLevel: DEBUG
      storageClass: astreae
    webmail:
      enabled: false
      nodeSelector:
        hardware: rpi4
    ingress:
      enabled: false
      ingressClassName: traefik
      tls: true
      existingSecret: mailu-certificates
      annotations:
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
        traefik.ingress.kubernetes.io/service.serversscheme: https
        traefik.ingress.kubernetes.io/service.serverstransport: mailu-transport@kubernetescrd
      extraRules:
        - host: mail.bstein.dev
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: mailu-front
                    port:
                      number: 443
    service:
      ports:
        smtp:
          port: 25
          targetPort: 25
        smtps:
          port: 465
          targetPort: 465
        submission:
          port: 587
          targetPort: 587
mailu: capture helm release and cert 2025-12-11 23:54:43 -03:00			`# services/mailu/helmrelease.yaml`
			`apiVersion: helm.toolkit.fluxcd.io/v2`
			`kind: HelmRelease`
			`metadata:`
			`name: mailu`
			`namespace: mailu-mailserver`
			`spec:`
			`interval: 30m`
			`chart:`
			`spec:`
			`chart: mailu`
			`version: 2.1.2`
			`sourceRef:`
			`kind: HelmRepository`
			`name: mailu`
			`namespace: flux-system`
			`install:`
			`remediation: { retries: 3 }`
forcing 12-r3 over 12-r6 for redis 2025-12-12 22:09:04 -03:00			`timeout: 10m`
mailu: capture helm release and cert 2025-12-11 23:54:43 -03:00			`upgrade:`
forcing 12-r3 over 12-r6 for redis 2025-12-12 22:09:04 -03:00			`remediation:`
			`retries: 3`
			`remediateLastFailure: true`
mailu: add validating dns sidecar and disable vip hostports 2025-12-12 01:06:38 -03:00			`cleanupOnFail: true`
forcing 12-r3 over 12-r6 for redis 2025-12-12 22:09:04 -03:00			`timeout: 10m`
mailu: capture helm release and cert 2025-12-11 23:54:43 -03:00			`values:`
			`mailuVersion: "2024.06"`
			`domain: bstein.dev`
			`hostnames: [mail.bstein.dev]`
			`domains:`
			`- name: bstein.dev`
			`enabled: true`
			`dkim:`
			`enabled: true`
			`timezone: Etc/UTC`
			`subnet: 10.42.0.0/16`
			`existingSecret: mailu-secret`
			`externalDatabase:`
			`enabled: true`
			`type: postgresql`
			`host: postgres-service.postgres.svc.cluster.local`
			`port: 5432`
			`database: mailu`
			`username: mailu`
			`existingSecret: mailu-db-secret`
			`existingSecretUsernameKey: username`
			`existingSecretPasswordKey: password`
			`existingSecretDatabaseKey: database`
			`initialAccount:`
			`enabled: true`
			`username: test`
			`domain: bstein.dev`
			`existingSecret: mailu-initial-account-secret`
			`existingSecretPasswordKey: password`
			`persistence:`
			`accessModes: [ReadWriteMany]`
			`size: 100Gi`
			`storageClass: astreae`
			`single_pvc: true`
			`front:`
			`hostnames: [mail.bstein.dev]`
			`proxied: true`
mailu: fix admin dns and tame vip 2025-12-12 00:49:45 -03:00			`hostPort:`
			`enabled: false`
mailu: capture helm release and cert 2025-12-11 23:54:43 -03:00			`https:`
forcing 12-r3 over 12-r6 for redis 2025-12-12 22:09:04 -03:00			`enabled: false`
			`external: false`
mailu: capture helm release and cert 2025-12-11 23:54:43 -03:00			`forceHttps: false`
			`externalService:`
			`enabled: true`
			`type: LoadBalancer`
mailu: fix admin dns and tame vip 2025-12-12 00:49:45 -03:00			`externalTrafficPolicy: Cluster`
forcing 12-r3 over 12-r6 for redis 2025-12-12 22:09:04 -03:00			`ports:`
			`submission: true`
mailu: capture helm release and cert 2025-12-11 23:54:43 -03:00			`nodePorts:`
			`pop3: 30010`
			`pop3s: 30011`
			`imap: 30143`
			`imaps: 30993`
			`manageSieve: 30419`
			`smtp: 30025`
			`smtps: 30465`
			`submission: 30587`
			`logLevel: DEBUG`
			`nodeSelector:`
			`hardware: rpi4`
			`admin:`
			`logLevel: DEBUG`
			`nodeSelector:`
			`hardware: rpi4`
forcing 12-r3 over 12-r6 for redis 2025-12-12 22:09:04 -03:00			`podLivenessProbe:`
			`enabled: true`
			`initialDelaySeconds: 30`
			`periodSeconds: 10`
			`timeoutSeconds: 5`
			`failureThreshold: 6`
			`successThreshold: 1`
			`podReadinessProbe:`
			`enabled: true`
			`initialDelaySeconds: 20`
			`periodSeconds: 10`
			`timeoutSeconds: 5`
			`failureThreshold: 6`
			`successThreshold: 1`
mailu: capture helm release and cert 2025-12-11 23:54:43 -03:00			`extraEnvVars:`
			`- name: FLASK_DEBUG`
			`value: "1"`
			`- name: ACCESSLOG`
			`value: /dev/stdout`
			`- name: ERRORLOG`
			`value: /dev/stderr`
			`- name: WEBROOT_REDIRECT`
			`value: ""`
			`- name: FORWARDED_ALLOW_IPS`
			`value: 127.0.0.1,10.42.0.0/16`
			`- name: DNS_RESOLVERS`
			`value: 1.1.1.1,9.9.9.9`
mailu: add validating dns sidecar and disable vip hostports 2025-12-12 01:06:38 -03:00			`extraVolumes:`
			`- name: unbound-config`
			`configMap:`
			`name: mailu-unbound`
			`- name: unbound-run`
			`emptyDir: {}`
			`extraVolumeMounts:`
			`- name: unbound-run`
			`mountPath: /var/lib/unbound`
			`extraContainers:`
			`- name: unbound`
forcing 12-r3 over 12-r6 for redis 2025-12-12 22:09:04 -03:00			`image: docker.io/alpine:3.20`
			`command: ["/bin/sh", "-c"]`
			`args:`
			`- \|`
			`while :; do`
			`printf "nameserver 10.43.0.10\n" > /etc/resolv.conf`
			`if apk add --no-cache unbound bind-tools; then`
			`break`
			`fi`
			`echo "apk failed, retrying" >&2`
			`sleep 10`
			`done`
			`cat >/etc/resolv.conf <<'EOF'`
			`search mailu-mailserver.svc.cluster.local svc.cluster.local cluster.local`
			`nameserver 127.0.0.1`
			`EOF`
			`unbound-anchor -a /var/lib/unbound/root.key \|\| true`
			`exec unbound -d -c /opt/unbound/etc/unbound/unbound.conf`
mailu: add validating dns sidecar and disable vip hostports 2025-12-12 01:06:38 -03:00			`ports:`
			`- containerPort: 53`
			`protocol: UDP`
			`- containerPort: 53`
			`protocol: TCP`
			`volumeMounts:`
			`- name: unbound-config`
mailu: fix unbound sidecar mounts 2025-12-12 01:19:27 -03:00			`mountPath: /opt/unbound/etc/unbound`
mailu: add validating dns sidecar and disable vip hostports 2025-12-12 01:06:38 -03:00			`- name: unbound-run`
			`mountPath: /var/lib/unbound`
mailu: fix admin dns and tame vip 2025-12-12 00:49:45 -03:00			`dnsPolicy: None`
			`dnsConfig:`
			`nameservers:`
mailu: add validating dns sidecar and disable vip hostports 2025-12-12 01:06:38 -03:00			`- 127.0.0.1`
			`searches:`
			`- mailu-mailserver.svc.cluster.local`
			`- svc.cluster.local`
			`- cluster.local`
mailu: capture helm release and cert 2025-12-11 23:54:43 -03:00			`clamav:`
mailu: forcing version 1.4 clamav over 1.2 2025-12-13 00:11:40 -03:00			`image:`
			`repository: clamav/clamav-debian`
			`tag: "1.4"`
mailu: capture helm release and cert 2025-12-11 23:54:43 -03:00			`logLevel: DEBUG`
			`nodeSelector:`
mailu: forcing version 1.4 clamav over 1.2 2025-12-13 00:11:40 -03:00			`hardware: rpi5`
			`resources:`
			`requests:`
			`cpu: 200m`
			`memory: 1Gi`
			`limits:`
			`cpu: 500m`
			`memory: 3Gi`
			`livenessProbe:`
			`enabled: false`
			`initialDelaySeconds: 300`
			`periodSeconds: 30`
			`timeoutSeconds: 5`
			`failureThreshold: 6`
			`successThreshold: 1`
			`startupProbe:`
			`enabled: false`
			`initialDelaySeconds: 60`
			`periodSeconds: 30`
			`timeoutSeconds: 5`
			`failureThreshold: 20`
			`successThreshold: 1`
			`readinessProbe:`
			`enabled: false`
			`initialDelaySeconds: 300`
			`periodSeconds: 30`
			`timeoutSeconds: 5`
			`failureThreshold: 6`
			`successThreshold: 1`
mailu: capture helm release and cert 2025-12-11 23:54:43 -03:00			`dovecot:`
			`logLevel: DEBUG`
			`nodeSelector:`
			`hardware: rpi4`
			`oletools:`
			`logLevel: DEBUG`
			`nodeSelector:`
			`hardware: rpi4`
			`postfix:`
			`logLevel: DEBUG`
			`nodeSelector:`
			`hardware: rpi4`
			`redis:`
			`enabled: true`
			`architecture: standalone`
			`logLevel: DEBUG`
mailu: use mvance unbound sidecar and current redis image 2025-12-12 01:12:48 -03:00			`image:`
forcing 12-r3 over 12-r6 for redis 2025-12-12 22:09:04 -03:00			`repository: bitnamilegacy/redis`
			`tag: 8.0.3-debian-12-r3`
mailu: capture helm release and cert 2025-12-11 23:54:43 -03:00			`master:`
			`nodeSelector:`
			`hardware: rpi4`
			`persistence:`
			`enabled: true`
			`accessModes: [ReadWriteMany]`
			`size: 8Gi`
			`storageClass: astreae`
			`rspamd:`
			`logLevel: DEBUG`
			`nodeSelector:`
			`hardware: rpi4`
			`persistence:`
			`accessModes: [ReadWriteOnce]`
			`size: 8Gi`
			`storageClass: astreae`
			`tika:`
			`logLevel: DEBUG`
			`nodeSelector:`
			`hardware: rpi4`
			`global:`
			`logLevel: DEBUG`
			`storageClass: astreae`
			`webmail:`
			`enabled: false`
			`nodeSelector:`
			`hardware: rpi4`
			`ingress:`
forcing 12-r3 over 12-r6 for redis 2025-12-12 22:09:04 -03:00			`enabled: false`
mailu: capture helm release and cert 2025-12-11 23:54:43 -03:00			`ingressClassName: traefik`
			`tls: true`
			`existingSecret: mailu-certificates`
			`annotations:`
			`traefik.ingress.kubernetes.io/router.entrypoints: websecure`
forcing 12-r3 over 12-r6 for redis 2025-12-12 22:09:04 -03:00			`traefik.ingress.kubernetes.io/service.serversscheme: https`
			`traefik.ingress.kubernetes.io/service.serverstransport: mailu-transport@kubernetescrd`
mailu: capture helm release and cert 2025-12-11 23:54:43 -03:00			`extraRules:`
			`- host: mail.bstein.dev`
			`http:`
			`paths:`
			`- path: /`
			`pathType: Prefix`
			`backend:`
			`service:`
			`name: mailu-front`
			`port:`
			`number: 443`
			`service:`
			`ports:`
			`smtp:`
			`port: 25`
			`targetPort: 25`
			`smtps:`
			`port: 465`
			`targetPort: 465`
			`submission:`
			`port: 587`
			`targetPort: 587`