titan-iac/services/mailu/mailu-sync-cronjob.yaml

# services/mailu/mailu-sync-cronjob.yaml
apiVersion: batch/v1
kind: CronJob
metadata:
  name: mailu-sync-nightly
  namespace: mailu-mailserver
  labels:
    atlas.bstein.dev/glue: "true"
spec:
  schedule: "30 4 * * *"
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            vault.hashicorp.com/agent-inject: "true"
            vault.hashicorp.com/agent-pre-populate-only: "true"
            vault.hashicorp.com/role: "mailu-mailserver"
            vault.hashicorp.com/agent-inject-secret-mailu-db-secret__database: "kv/data/atlas/mailu/mailu-db-secret"
            vault.hashicorp.com/agent-inject-template-mailu-db-secret__database: |
              {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.database }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mailu-db-secret__username: "kv/data/atlas/mailu/mailu-db-secret"
            vault.hashicorp.com/agent-inject-template-mailu-db-secret__username: |
              {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.username }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mailu-db-secret__password: "kv/data/atlas/mailu/mailu-db-secret"
            vault.hashicorp.com/agent-inject-template-mailu-db-secret__password: |
              {{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.password }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-id: "kv/data/atlas/mailu/mailu-sync-credentials"
            vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-id: |
              {{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-id" }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-secret: "kv/data/atlas/mailu/mailu-sync-credentials"
            vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-secret: |
              {{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-secret" }}{{- end -}}
            vault.hashicorp.com/agent-inject-secret-mailu-initial-account-secret__password: "kv/data/atlas/mailu/mailu-initial-account-secret"
            vault.hashicorp.com/agent-inject-template-mailu-initial-account-secret__password: |
              {{- with secret "kv/data/atlas/mailu/mailu-initial-account-secret" -}}{{ .Data.data.password }}{{- end -}}
        spec:
          restartPolicy: OnFailure
          serviceAccountName: mailu-vault-sync
          containers:
            - name: mailu-sync
              image: python:3.11-alpine
              imagePullPolicy: IfNotPresent
              command: ["/bin/sh", "-c"]
              args:
                - |
                  set -euo pipefail
                  . /vault/scripts/mailu_vault_env.sh
                  pip install --no-cache-dir requests psycopg2-binary passlib >/tmp/pip.log \
                    && python /app/sync.py
              env:
                - name: KEYCLOAK_BASE_URL
                  value: http://keycloak.sso.svc.cluster.local
                - name: KEYCLOAK_REALM
                  value: atlas
                - name: MAILU_DOMAIN
                  value: bstein.dev
                - name: MAILU_DEFAULT_QUOTA
                  value: "20000000000"
                - name: MAILU_SYSTEM_USERS
                  value: "no-reply-portal@bstein.dev,no-reply-vaultwarden@bstein.dev"
                - name: MAILU_DB_HOST
                  value: postgres-service.postgres.svc.cluster.local
                - name: MAILU_DB_PORT
                  value: "5432"
              volumeMounts:
                - name: sync-script
                  mountPath: /app/sync.py
                  subPath: sync.py
                - name: vault-scripts
                  mountPath: /vault/scripts
                  readOnly: true
              resources:
                requests:
                  cpu: 50m
                  memory: 128Mi
                limits:
                  cpu: 200m
                  memory: 256Mi
          volumes:
            - name: sync-script
              configMap:
                name: mailu-sync-script
                defaultMode: 0444
            - name: vault-scripts
              configMap:
                name: mailu-vault-env
                defaultMode: 0555
nextcloud: integration with mailu & gitops-ui: initial install 2025-12-14 14:21:40 -03:00			`# services/mailu/mailu-sync-cronjob.yaml`
			`apiVersion: batch/v1`
			`kind: CronJob`
			`metadata:`
			`name: mailu-sync-nightly`
			`namespace: mailu-mailserver`
monitoring: add glue dashboard and tag cronjobs 2026-01-18 02:50:07 -03:00			`labels:`
			`atlas.bstein.dev/glue: "true"`
nextcloud: integration with mailu & gitops-ui: initial install 2025-12-14 14:21:40 -03:00			`spec:`
			`schedule: "30 4 * * *"`
			`concurrencyPolicy: Forbid`
			`jobTemplate:`
			`spec:`
			`template:`
vault: move comms and mailu workloads to injector 2026-01-14 14:17:26 -03:00			`metadata:`
			`annotations:`
			`vault.hashicorp.com/agent-inject: "true"`
vault: prepopulate injector for jobs 2026-01-14 14:29:29 -03:00			`vault.hashicorp.com/agent-pre-populate-only: "true"`
vault: move comms and mailu workloads to injector 2026-01-14 14:17:26 -03:00			`vault.hashicorp.com/role: "mailu-mailserver"`
			`vault.hashicorp.com/agent-inject-secret-mailu-db-secret__database: "kv/data/atlas/mailu/mailu-db-secret"`
			`vault.hashicorp.com/agent-inject-template-mailu-db-secret__database: \|`
			`{{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.database }}{{- end -}}`
			`vault.hashicorp.com/agent-inject-secret-mailu-db-secret__username: "kv/data/atlas/mailu/mailu-db-secret"`
			`vault.hashicorp.com/agent-inject-template-mailu-db-secret__username: \|`
			`{{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.username }}{{- end -}}`
			`vault.hashicorp.com/agent-inject-secret-mailu-db-secret__password: "kv/data/atlas/mailu/mailu-db-secret"`
			`vault.hashicorp.com/agent-inject-template-mailu-db-secret__password: \|`
			`{{- with secret "kv/data/atlas/mailu/mailu-db-secret" -}}{{ .Data.data.password }}{{- end -}}`
			`vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-id: "kv/data/atlas/mailu/mailu-sync-credentials"`
			`vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-id: \|`
			`{{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-id" }}{{- end -}}`
			`vault.hashicorp.com/agent-inject-secret-mailu-sync-credentials__client-secret: "kv/data/atlas/mailu/mailu-sync-credentials"`
			`vault.hashicorp.com/agent-inject-template-mailu-sync-credentials__client-secret: \|`
			`{{- with secret "kv/data/atlas/mailu/mailu-sync-credentials" -}}{{ index .Data.data "client-secret" }}{{- end -}}`
mailu: add portal sender mailbox 2026-01-19 01:40:27 -03:00			`vault.hashicorp.com/agent-inject-secret-mailu-initial-account-secret__password: "kv/data/atlas/mailu/mailu-initial-account-secret"`
			`vault.hashicorp.com/agent-inject-template-mailu-initial-account-secret__password: \|`
			`{{- with secret "kv/data/atlas/mailu/mailu-initial-account-secret" -}}{{ .Data.data.password }}{{- end -}}`
nextcloud: integration with mailu & gitops-ui: initial install 2025-12-14 14:21:40 -03:00			`spec:`
			`restartPolicy: OnFailure`
vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00			`serviceAccountName: mailu-vault-sync`
nextcloud: integration with mailu & gitops-ui: initial install 2025-12-14 14:21:40 -03:00			`containers:`
			`- name: mailu-sync`
			`image: python:3.11-alpine`
			`imagePullPolicy: IfNotPresent`
			`command: ["/bin/sh", "-c"]`
			`args:`
			`- \|`
vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00			`set -euo pipefail`
			`. /vault/scripts/mailu_vault_env.sh`
nextcloud: integration with mailu & gitops-ui: initial install 2025-12-14 14:21:40 -03:00			`pip install --no-cache-dir requests psycopg2-binary passlib >/tmp/pip.log \`
vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00			`&& python /app/sync.py`
nextcloud: integration with mailu & gitops-ui: initial install 2025-12-14 14:21:40 -03:00			`env:`
			`- name: KEYCLOAK_BASE_URL`
			`value: http://keycloak.sso.svc.cluster.local`
			`- name: KEYCLOAK_REALM`
			`value: atlas`
			`- name: MAILU_DOMAIN`
			`value: bstein.dev`
			`- name: MAILU_DEFAULT_QUOTA`
			`value: "20000000000"`
mailu: add portal sender mailbox 2026-01-19 01:40:27 -03:00			`- name: MAILU_SYSTEM_USERS`
vaultwarden: use mailu smtp creds 2026-01-19 02:17:16 -03:00			`value: "no-reply-portal@bstein.dev,no-reply-vaultwarden@bstein.dev"`
nextcloud: integration with mailu & gitops-ui: initial install 2025-12-14 14:21:40 -03:00			`- name: MAILU_DB_HOST`
			`value: postgres-service.postgres.svc.cluster.local`
			`- name: MAILU_DB_PORT`
			`value: "5432"`
			`volumeMounts:`
			`- name: sync-script`
			`mountPath: /app/sync.py`
			`subPath: sync.py`
vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00			`- name: vault-scripts`
			`mountPath: /vault/scripts`
			`readOnly: true`
nextcloud: integration with mailu & gitops-ui: initial install 2025-12-14 14:21:40 -03:00			`resources:`
			`requests:`
			`cpu: 50m`
			`memory: 128Mi`
			`limits:`
			`cpu: 200m`
			`memory: 256Mi`
			`volumes:`
			`- name: sync-script`
			`configMap:`
			`name: mailu-sync-script`
			`defaultMode: 0444`
vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00			`- name: vault-scripts`
			`configMap:`
			`name: mailu-vault-env`
monitoring: add glue dashboard and tag cronjobs 2026-01-18 02:50:07 -03:00			`defaultMode: 0555`