mailu: fix admin dns and tame vip

clusters/oceanus/README.md

@@ -1,5 +0,0 @@
-# Oceanus Cluster Scaffold
-
-This directory prepares the Flux and Kustomize layout for a future Oceanus-managed cluster.
-Populate `flux-system/` with `gotk-components.yaml` and related manifests after running `flux bootstrap`.
-Define node-specific resources under `infrastructure/modules/profiles/oceanus-validator/` and reference workloads in `applications/` as they come online.

hosts/styx/README.md

@@ -1,2 +0,0 @@
-# hosts/styx/README.md
-Styx is air-gapped; provisioning scripts live under `scripts/`.

services/keycloak/README.md

@@ -1,27 +0,0 @@
-# services/keycloak
-
-Keycloak is deployed via raw manifests and backed by the shared Postgres (`postgres-service.postgres.svc.cluster.local:5432`). Create these secrets before applying:
-
-```bash
-# DB creds (per-service DB/user in shared Postgres)
-kubectl -n sso create secret generic keycloak-db \
-  --from-literal=username=keycloak \
-  --from-literal=password='<DB_PASSWORD>' \
-  --from-literal=database=keycloak
-
-# Admin console creds (maps to KC admin user)
-kubectl -n sso create secret generic keycloak-admin \
-  --from-literal=username=brad@bstein.dev \
-  --from-literal=password='<ADMIN_PASSWORD>'
-```
-
-Apply:
-
-```bash
-kubectl apply -k services/keycloak
-```
-
-Notes
-- Service: `keycloak.sso.svc:80` (Ingress `sso.bstein.dev`, TLS via cert-manager).
-- Uses Postgres schema `public`; DB/user should be provisioned in the shared Postgres instance.
-- Health endpoints on :9000 are wired for probes.

services/mailu/helmrelease.yaml

@@ -55,6 +55,8 @@ spec:
     front:
       hostnames: [mail.bstein.dev]
       proxied: true
+      hostPort:
+        enabled: false
       https:
         enabled: true
         external: true
@@ -62,7 +64,7 @@ spec:
       externalService:
         enabled: true
         type: LoadBalancer
-        externalTrafficPolicy: Local
+        externalTrafficPolicy: Cluster
         nodePorts:
           pop3: 30010
           pop3s: 30011
@@ -92,6 +94,11 @@ spec:
           value: 127.0.0.1,10.42.0.0/16
         - name: DNS_RESOLVERS
           value: 1.1.1.1,9.9.9.9
+      dnsPolicy: None
+      dnsConfig:
+        nameservers:
+          - 1.1.1.1
+          - 9.9.9.9
     clamav:
       logLevel: DEBUG
       nodeSelector:

services/mailu/kustomization.yaml

@@ -6,3 +6,4 @@ resources:
   - namespace.yaml
   - helmrelease.yaml
   - certificate.yaml
+  - vip-controller.yaml

services/mailu/vip-controller.yaml

@@ -0,0 +1,71 @@
+# services/mailu/vip-controller.yaml
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vip-controller
+  namespace: mailu-mailserver
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: vip-controller-role
+  namespace: mailu-mailserver
+rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vip-controller-binding
+  namespace: mailu-mailserver
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: vip-controller-role
+subjects:
+  - kind: ServiceAccount
+    name: vip-controller
+    namespace: mailu-mailserver
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: vip-controller
+  namespace: mailu-mailserver
+spec:
+  selector:
+    matchLabels:
+      app: vip-controller
+  template:
+    metadata:
+      labels:
+        app: vip-controller
+    spec:
+      serviceAccountName: vip-controller
+      hostNetwork: true
+      nodeSelector:
+        mailu.bstein.dev/vip: "true"
+      containers:
+        - name: vip-controller
+          image: lachlanevenson/k8s-kubectl:latest
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - -c
+          args:
+            - |
+              set -e
+              while true; do
+                if ip addr show end0 | grep -q 'inet 192\.168\.22\.9/32'; then
+                  NODE=$(hostname)
+                  echo "VIP found on node ${NODE}."
+                  kubectl patch deployment mailu-front -n mailu-mailserver --type='merge' \
+                    -p "{\"spec\":{\"template\":{\"spec\":{\"nodeSelector\":{\"kubernetes.io/hostname\":\"${NODE}\"}}}}}"
+                else
+                  echo "No VIP on node ${HOSTNAME}."
+                fi
+                sleep 60
+              done

services/monitoring/README.md

@@ -1,28 +0,0 @@
-# services/monitoring
-
-## Grafana admin secret
-
-The Grafana Helm release expects a pre-existing secret named `grafana-admin`
-in the `monitoring` namespace. Create or rotate it with:
-
-```bash
-kubectl create secret generic grafana-admin \
-  --namespace monitoring \
-  --from-literal=admin-user=admin \
-  --from-literal=admin-password='REPLACE_ME'
-```
-
-Update the password whenever you rotate credentials.
-
-## DCGM exporter image
-
-The NVIDIA GPU metrics DaemonSet expects `registry.bstein.dev/monitoring/dcgm-exporter:4.4.2-4.7.0-ubuntu22.04`, mirrored from `docker.io/nvidia/dcgm-exporter:4.4.2-4.7.0-ubuntu22.04`. Refresh it in Zot when bumping versions:
-
-```bash
-skopeo copy \
-  --all \
-  docker://docker.io/nvidia/dcgm-exporter:4.4.2-4.7.0-ubuntu22.04 \
-  docker://registry.bstein.dev/monitoring/dcgm-exporter:4.4.2-4.7.0-ubuntu22.04
-```
-
-When finished mirroring from the control-plane, you can remove temporary tooling with `sudo apt-get purge -y skopeo && sudo apt-get autoremove -y` and clear `~/.config/containers/auth.json`.