Skip to content

thedataflows/stalwart-kubernetes

Repository files navigation

Stalwart Kubernetes

Introduction

This repository contains the Kubernetes manifests to deploy Stalwart mail server.

Will deploy in a kubernetes cluster:

  • All in one mail server
  • TLS enabled using cert-manager certificates

Requirements

Guide

  1. Fork this repository
  2. Clone it locally git clone https://github.com/change-me/stalwart-kubernetes.git
  3. Recommended to use Listestream
    • Keep StatefulSet replicas to 1
    • Create a bucket in your S3 compatible storage and set environment variables:
      • export ACCESS_KEY_ID=value
      • export SECRET_ACCESS_KEY=value
  4. Generate configuration: make config will download and run stalwart-install in interactive mode. In turn this will:
    • Download and modify stalwart toml config files in config/etc
    • Generate sqlite databases in config/data
    • Generate DKIM cert amd key in config/etc/dkim (excluded from git because contains secrets)
  5. Update generated stalwart config files as needed:
    • Default user directory is sql:

      config/etc/config.toml:15
      ...
      "%{BASE_PATH}%/etc/directory/sql.toml",
      ...
    • Can use other types instead

  6. Update config/*.patch.yaml files with your specific configuration:
    • Set storageClassName and storage size
    • Enable litestream:
      • Comment out the removal of initContainer/0 and container/1 in config/statefulset.patch.yaml
      • Configure bucket, path, endpoint in config/listestream.yaml
  7. Deploy manually: make install
    • Will deploy in the current kubernetes context. Assumes kubectl is present and a local kuberenes context is configured
    • Alternatively, you can just generate the manifests: make kustomize and inspect them in out/ directory.
  8. git commit -am "Set up stalwart for domain yourdomain.org" && git push
    • Warning: config/kustomization.yaml contains a secretGenerator section that with plain text secrets. Remove it before pushing to a git repository: yq -i 'del(.secretGenerator)' config/kustomization.yaml.

  9. Deploy using GitOps (recommended):
    • Using your FluxCD git repo (different from this one):
      • In this repo: make gitops
      • Copy gitops/ to the gitops repoo and encrypt all the secrets with SOPS
    • Using ArgoCD:
      • TODO
  10. Setup DKIM: follow config/etc/dkim/yourdomain.org.readme instructions
  11. Uninstall manually: kubectl delete ns stalwart
  12. Cleanup: make clean will remove all generated files

Helm chart

make helm will generate a helm chart in chart/ directory. This is not the preferred way to deploy stalwart and is not tested, but it can be used as a reference.

License

MIT License