mass update

requirements.txt

@@ -1,28 +1,29 @@
-ansible==7.6.0
+ansible==9.5.1
-ansible-core==2.14.7
+ansible-core==2.16.6
-cachetools==5.3.1
+cachetools==5.3.3
-certifi==2023.5.7
+certifi==2024.2.2
-cffi==1.15.1
+cffi==1.16.0
-charset-normalizer==3.1.0
+charset-normalizer==3.3.2
-cryptography==41.0.1
+cryptography==42.0.7
-google-auth==2.21.0
+google-auth==2.29.0
-idna==3.4
+idna==3.7
-Jinja2==3.1.2
+Jinja2==3.1.4
-kubernetes==26.1.0
+kubernetes==29.0.0
-MarkupSafe==2.1.3
+MarkupSafe==2.1.5
+netaddr==1.2.1
 oauthlib==3.2.2
-openshift==0.13.1
+openshift==0.13.2
-packaging==23.1
+packaging==24.0
-pyasn1==0.5.0
+pyasn1==0.6.0
-pyasn1-modules==0.3.0
+pyasn1_modules==0.4.0
-pycparser==2.21
+pycparser==2.22
-python-dateutil==2.8.2
+python-dateutil==2.9.0.post0
 python-string-utils==1.0.0
-PyYAML==6.0
+PyYAML==6.0.1
 requests==2.31.0
-requests-oauthlib==1.3.1
+requests-oauthlib==2.0.0
-resolvelib==0.8.1
+resolvelib==1.0.1
 rsa==4.9
 six==1.16.0
-urllib3==1.26.16
+urllib3==2.2.1
-websocket-client==1.6.1
+websocket-client==1.8.0

roles/adguard-home/tasks/main.yaml

@@ -19,7 +19,7 @@
           group: cert-manager.io
 
 - set_fact:
-    adguard_combined_values: "{{ adguard_default_values | combine(adguard_values, recursive=true) }}"
+    adguard_combined_values: "{{ adguard_default_values | combine(adguard_values | default({}), recursive=true) }}"
 
 - name: Deploy Adguard Home
   kubernetes.core.helm:

roles/bitwarden/tasks/main.yaml

@@ -5,7 +5,7 @@
     - postgres_enabled is defined and postgres_enabled
 
 - set_fact:
-    bitwarden_combined_values: "{{ bitwarden_default_values | combine(bitwarden_values, recursive=true) }}"
+    bitwarden_combined_values: "{{ bitwarden_default_values | combine(bitwarden_values | default({}), recursive=true) }}"
 
 - name: Deploy Bitwarden
   kubernetes.core.helm:

roles/ceph-csi-cephfs/tasks/main.yaml

@@ -1,5 +1,5 @@
 - set_fact:
-    ceph_csi_cephfs_combined_values: "{{ ceph_csi_cephfs_default_values | combine(ceph_csi_cephfs_values, recursive=true) }}"
+    ceph_csi_cephfs_combined_values: "{{ ceph_csi_cephfs_default_values | combine(ceph_csi_cephfs_values | default({}), recursive=true) }}"
 
 - name: Deploy CSI CephFS {{ ceph_csi_cephfs_version }}
   kubernetes.core.helm:

roles/ceph-csi-rbd/tasks/main.yaml

@@ -1,5 +1,5 @@
 - set_fact:
-    ceph_csi_rbd_combined_values: "{{ ceph_csi_rbd_default_values | combine(ceph_csi_rbd_values, recursive=true) }}"
+    ceph_csi_rbd_combined_values: "{{ ceph_csi_rbd_default_values | combine(ceph_csi_rbd_values | default({}), recursive=true) }}"
 
 - name: Deploy CSI Ceph RBD {{ ceph_csi_rbd_version }}
   kubernetes.core.helm:

roles/cert-manager/tasks/main.yaml

@@ -1,5 +1,5 @@
 - set_fact:
-    cert_manager_combined_values: "{{ cert_manager_default_values | combine(cert_manager_values, recursive=true) }}"
+    cert_manager_combined_values: "{{ cert_manager_default_values | combine(cert_manager_values | default({}), recursive=true) }}"
 
 - name: Deploy Cert-manager {{ cert_manager_version }}
   kubernetes.core.helm:

roles/dovecot/defaults/main.yaml

@@ -10,7 +10,7 @@ dovecot_default_values:
     existingSecret: "{{ mail_short_name | default('mail') }}.{{ domain }}-secret"
   dovecot:
     configmaps:
-      dovecot: 
+      dovecot:
         dovecot: |
           protocols = imap lmtp sieve
           mail_max_userip_connections = 1000
@@ -51,14 +51,12 @@ dovecot_default_values:
         auth-ldap: |
           passdb {
             driver = ldap
-          
             # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
             args = /etc/dovecot/ldap.conf
           }
           userdb {
             driver = ldap
             args = /etc/dovecot/ldap.conf
-          
           }
         10-auth: |
           auth_default_realm = {{ domain }}
@@ -80,7 +78,7 @@ dovecot_default_values:
           mbox_write_locks = fcntl
         10-master: |
           protocol imap {
-            mail_plugins = virtual 
+            mail_plugins = virtual
           }
           service imap-login {
             inet_listener imap {
@@ -130,13 +128,13 @@ dovecot_default_values:
           }
           
           service auth {
-             inet_listener {
+            inet_listener {
                port = 12345
             }
             unix_listener auth-userdb {
               mode = 0660
               user = vmail
-              #group = 
+              #group =
             }
           
             # Postfix smtp-auth
@@ -158,7 +156,7 @@ dovecot_default_values:
           ssl = required
           #verbose_ssl = yes
           ssl_prefer_server_ciphers = yes
-          ssl_min_protocol = TLSv1.2
+          ssl_min_protocol = TLSv1.3
           ssl_cert = </tls/tls.crt
           ssl_key = </tls/tls.key
         10-logging: |
@@ -170,7 +168,202 @@ dovecot_default_values:
           hostname = {{ domain }}
           rejection_reason = Your message to  was automatically rejected:%n%r
           protocol lda {
-            mail_plugins = virtual sieve 
+            mail_plugins = virtual sieve
+          }
+        20-lmtp: |
+          protocol lmtp {
+            mail_plugins = virtual sieve
+            postmaster_address = postmaster@{{ domain }}
+          }
+        20-managesieve: |
+          service managesieve-login {
+            inet_listener sieve {
+              port = 4190
+              ssl = yes
+            }
+            service_count = 1
+            vsz_limit = 64M
+          }
+          
+          service managesieve {
+            process_limit = 1024
+          }
+  service:
+    type: LoadBalancer
+    loadBalancerIP: "{{ dovecot_loadbalancer_ip | default(omit) }}"
+
+# WIP
+dovecot_oidc: false
+dovecot_oidc_default_values:
+  replicaCount: 1
+  persistence:
+    enabled: true
+    existingClaim: mailboxes
+  tls:
+    enabled: true
+    existingSecret: "{{ mail_short_name | default('mail') }}.{{ domain }}-secret"
+  dovecot:
+    configmaps:
+      dovecot:
+        dovecot: |
+          protocols = imap lmtp sieve
+          mail_max_userip_connections = 1000
+          mail_plugins = virtual
+          
+          auth_debug = yes
+          auth_verbose = yes
+          #haproxy_trusted_networks = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
+          #haproxy_timeout = 30s
+          dict {
+            #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
+            #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
+          }
+          
+          # Most of the actual configuration gets included below. The filenames are
+          # first sorted by their ASCII value and parsed in that order. The 00-prefixes
+          # in filenames are intended to make it easier to understand the ordering.
+          !include conf.d/*.conf
+          
+          # A config file can also tried to be included without giving an error if
+          # it's not found:
+          !include_try local.conf
+        oauth2: |
+          introspection_mode = post
+          introspection_url = https://{{ dovecot_oidc_username }}:{{ dovecot_oidc_password }}@keycloak.{{ domain }}/auth/realms/{{ keycloak_realm }}/protocol/openid-connect/token/introspect
+          grant_url = https://keycloak.{{ domain }}/auth/realms/{{ keycloak_realm }}/protocol/openid-connect/token
+          #client_id = dovecot
+          #client_secret = X10dQgQprHLxZj8nsvB2fEpJwuBr0hWq
+          tokeninfo_url = https://keycloak.{{ domain }}/auth/realms/{{ keycloak_realm }}/protocol/openid-connect/token
+          #tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
+          rawlog_dir = /tmp/oauth2
+          debug = yes
+          #use_grant_password = no
+          #username_attribute = username
+          #pass_attrs = pass=%{oauth2:access_token}
+        ldap: |
+      confd:
+        auth-ldap: |
+        auth-oauth2: |
+          passdb {
+            driver = oauth2
+            mechanisms = xoauth2 oauthbearer
+            args = /etc/dovecot/oauth2.conf
+          }
+          userdb {
+            driver = static
+            args = uid=vmail gid=vmail home=/home/vmail/%u
+          }
+        10-auth: |
+          auth_default_realm = {{ domain }}
+          auth_username_format = %Lu
+          auth_mechanisms = plain login xoauth2 oauthbearer
+        10-mail: |
+          mail_location = maildir:%h
+          namespace inbox {
+            inbox = yes
+          }
+          mail_uid = vmail
+          mail_gid = vmail
+          first_valid_uid = 1000
+          last_valid_uid = 1000
+          first_valid_gid = 1000
+          last_valid_gid = 1000
+          protocol !indexer-worker {
+          }
+          mbox_write_locks = fcntl
+        10-master: |
+          protocol imap {
+            mail_plugins = virtual
+          }
+          service imap-login {
+            inet_listener imap {
+              #port = 143
+            }
+            inet_listener imaps {
+              #port = 993
+              #ssl = yes
+            }
+            inet_listener imap_haproxy {
+              port = 1109
+              #haproxy = yes
+            }
+            inet_listener imaps_haproxy {
+              port = 10993
+              ssl = yes
+              #haproxy = yes
+            }
+          }
+          
+          service pop3-login {
+            inet_listener pop3 {
+              #port = 110
+            }
+            inet_listener pop3s {
+              #port = 995
+              #ssl = yes
+            }
+          }
+          
+          service lmtp {
+            inet_listener lmtp {
+               port = 24
+            }
+            unix_listener /var/spool/postfix/private/dovecot-lmtp {
+              mode = 0600
+              group = postfix
+              user = postfix
+            }
+            user = vmail
+          }
+          
+          service imap {
+          }
+          
+          service pop3 {
+          }
+          
+          service auth {
+            inet_listener {
+               port = 12345
+            }
+            unix_listener auth-userdb {
+              mode = 0660
+              user = vmail
+              #group =
+            }
+          
+            # Postfix smtp-auth
+            unix_listener /var/spool/postfix/private/auth {
+              mode = 0660
+              user = postfix
+              group = postfix
+            }
+          }
+          
+          service auth-worker {
+          }
+          
+          service dict {
+            unix_listener dict {
+            }
+          }
+        10-ssl: |
+          ssl = required
+          #verbose_ssl = yes
+          ssl_prefer_server_ciphers = yes
+          ssl_min_protocol = TLSv1.3
+          ssl_cert = </tls/tls.crt
+          ssl_key = </tls/tls.key
+        10-logging: |
+          log_path = /dev/stderr
+          info_log_path = /dev/stdout
+          debug_log_path = /dev/stdout
+        15-lda: |
+          postmaster_address = postmaster@{{ domain }}
+          hostname = {{ domain }}
+          rejection_reason = Your message to  was automatically rejected:%n%r
+          protocol lda {
+            mail_plugins = virtual sieve
           }
         20-lmtp: |
           protocol lmtp {

roles/dovecot/tasks/main.yaml

@@ -1,5 +1,10 @@
 - set_fact:
-    dovecot_combined_values: "{{ dovecot_default_values | combine(dovecot_values, recursive=true) }}"
+    dovecot_combined_values: "{{ dovecot_default_values | combine(dovecot_values | default({}), recursive=true) }}"
+  when: not mail_oidc
+
+- set_fact:
+    dovecot_combined_values: "{{ dovecot_oidc_default_values | combine(dovecot_oidc_values | default({}), recursive=true) }}"
+  when: mail_oidc
 
 - name: Deploy Dovecot
   kubernetes.core.helm:
@@ -9,5 +14,4 @@
     chart_ref: "{{ dovecot_chart_ref }}"
     chart_version: "{{ dovecot_version | default(omit) }}"
     release_values: "{{ dovecot_combined_values | from_yaml }}"
-    wait: true
 

roles/external-dns/tasks/main.yaml

@@ -1,5 +1,5 @@
 - set_fact:
-    external_dns_combined_values: "{{ external_dns_default_values | combine(external_dns_values, recursive=true) }}"
+    external_dns_combined_values: "{{ external_dns_default_values | combine(external_dns_values | default({}), recursive=true) }}"
 
 - name: Deploy external DNS
   kubernetes.core.helm:

roles/external-ingress-nginx/tasks/main.yaml

@@ -1,5 +1,5 @@
 - set_fact:
-    external_ingress_nginx_combined_values: "{{ external_ingress_nginx_default_values | combine(external_ingress_nginx_values, recursive=true) }}"
+    external_ingress_nginx_combined_values: "{{ external_ingress_nginx_default_values | combine(external_ingress_nginx_values | default({}), recursive=true) }}"
 
 - name: Deploy external Nginx Ingress
   kubernetes.core.helm:

roles/gitea-act-runner/tasks/main.yaml

@@ -1,5 +1,5 @@
 - set_fact:
-    gitea_act_runner_combined_values: "{{ gitea_act_runner_default_values | combine(gitea_act_runner_values, recursive=true) }}"
+    gitea_act_runner_combined_values: "{{ gitea_act_runner_default_values | combine(gitea_act_runner_values | default({}), recursive=true) }}"
 
 - name: Deploy Gitea Act Runner
   kubernetes.core.helm:

roles/gitea/tasks/main.yaml

@@ -5,20 +5,20 @@
     - postgres_enabled is defined and postgres_enabled
 
 - set_fact:
-    gitea_combined_values: "{{ gitea_default_values | combine(gitea_values, recursive=true) }}"
+    gitea_combined_values: "{{ gitea_default_values | combine(gitea_values | default({}), recursive=true) }}"
 
 - set_fact:
-    gitea_combined_values: "{{ gitea_combined_values | combine(gitea_external_db_values, recursive=true) }}"
+    gitea_combined_values: "{{ gitea_combined_values | combine(gitea_external_db_values | default({}), recursive=true) }}"
   when: gitea_use_external_db
 
 - set_fact:
-    gitea_dns_combined_values: "{{ gitea_dns_default_values | combine(gitea_dns_values, recursive=true) }}"
+    gitea_dns_combined_values: "{{ gitea_dns_default_values | combine(gitea_dns_values | default({}), recursive=true) }}"
 
 - set_fact:
-    gitea_ingress_nginx_combined_values: "{{ gitea_ingress_nginx_default_values | combine(gitea_ingress_nginx_values, recursive=true) }}"
+    gitea_ingress_nginx_combined_values: "{{ gitea_ingress_nginx_default_values | combine(gitea_ingress_nginx_values | default({}), recursive=true) }}"
 
 - set_fact:
-    gitea_ingress_nginx_combined_values: "{{ gitea_ingress_nginx_combined_values | combine(gitea_publish_ingress_nginx_values, recursive=true) }}"
+    gitea_ingress_nginx_combined_values: "{{ gitea_ingress_nginx_combined_values | combine(gitea_publish_ingress_nginx_values | default({}), recursive=true) }}"
   when: gitea_publish_web
 
 - name: Deploy Nginx Ingress for Gitea

roles/harbor/tasks/main.yaml

@@ -5,7 +5,7 @@
     - postgres_enabled is defined and postgres_enabled
 
 - set_fact:
-    harbor_combined_values: "{{ harbor_default_values | combine(harbor_values, recursive=true) }}"
+    harbor_combined_values: "{{ harbor_default_values | combine(harbor_values | default({}), recursive=true) }}"
 
 - name: Deploy Harbor
   kubernetes.core.helm:

roles/internal-dns/tasks/main.yaml

@@ -1,5 +1,5 @@
 - set_fact:
-    internal_dns_combined_values: "{{ internal_dns_default_values | combine(internal_dns_values, recursive=true) }}"
+    internal_dns_combined_values: "{{ internal_dns_default_values | combine(internal_dns_values | default({}), recursive=true) }}"
 
 - name: Deploy internal DNS
   kubernetes.core.helm:

roles/internal-ingress-nginx/tasks/main.yaml

@@ -1,5 +1,5 @@
 - set_fact:
-    internal_ingress_nginx_combined_values: "{{ internal_ingress_nginx_default_values | combine(internal_ingress_nginx_values, recursive=true) }}"
+    internal_ingress_nginx_combined_values: "{{ internal_ingress_nginx_default_values | combine(internal_ingress_nginx_values | default({}), recursive=true) }}"
 
 - name: Deploy internal Nginx Ingress
   kubernetes.core.helm:

roles/keycloak/tasks/main.yaml

@@ -5,7 +5,7 @@
     - postgres_enabled is defined and postgres_enabled
 
 - set_fact:
-    keycloak_combined_values: "{{ keycloak_default_values | combine(keycloak_values, recursive=true) }}"
+    keycloak_combined_values: "{{ keycloak_default_values | combine(keycloak_values | default({}), recursive=true) }}"
 
 - name: Deploy Keycloak
   kubernetes.core.helm:

roles/local-dns/tasks/main.yaml

@@ -1,5 +1,5 @@
 - set_fact:
-    local_dns_combined_values: "{{ local_dns_default_values | combine(local_dns_values, recursive=true) }}"
+    local_dns_combined_values: "{{ local_dns_default_values | combine(local_dns_values | default({}), recursive=true) }}"
 
 - name: Deploy local DNS
   kubernetes.core.helm:

roles/local-ingress-nginx/tasks/main.yaml

@@ -1,5 +1,5 @@
 - set_fact:
-    local_ingress_nginx_combined_values: "{{ local_ingress_nginx_default_values | combine(local_ingress_nginx_values, recursive=true) }}"
+    local_ingress_nginx_combined_values: "{{ local_ingress_nginx_default_values | combine(local_ingress_nginx_values | default({}), recursive=true) }}"
 
 - name: Deploy local Nginx Ingress
   kubernetes.core.helm:

roles/mail/defaults/main.yaml

@@ -1 +1,4 @@
 mail_short_name: "mail"
+
+# WIP
+mail_oidc: false

roles/mail/tasks/main.yaml

@@ -37,11 +37,15 @@
         storageClassName: "{{ mailbox_storage | default('nfs-hdd') }}"
 
 - name: Deploy Postfix
+  vars:
+    postfix_oidc: "{{ mail_oidc }}"
   import_role: 
     name: postfix
   tags: postfix
 
 - name: Deploy Dovecot
+  vars:
+    dovecot_oidc: "{{ mail_oidc }}"
   import_role: 
     name: dovecot
   tags: dovecot

roles/mastodon/tasks/main.yaml

@@ -5,7 +5,7 @@
     - postgres_enabled is defined and postgres_enabled
 
 - set_fact:
-    mastodon_combined_values: "{{ mastodon_default_values | combine(mastodon_values, recursive=true) }}"
+    mastodon_combined_values: "{{ mastodon_default_values | combine(mastodon_values | default({}), recursive=true) }}"
 
 - name: Deploy Mastodon
   kubernetes.core.helm:

roles/metallb/tasks/main.yaml

@@ -1,5 +1,5 @@
 - set_fact:
-    metallb_combined_values: "{{ metallb_default_values | combine(metallb_values, recursive=true) }}"
+    metallb_combined_values: "{{ metallb_default_values | combine(metallb_values | default({}), recursive=true) }}"
 
 - name: Deploy MetalLB
   kubernetes.core.helm:

roles/metrics-server/tasks/main.yaml

@@ -1,5 +1,5 @@
 - set_fact:
-    metrics_server_combined_values: "{{ metrics_server_default_values | combine(metrics_server_values, recursive=true) }}"
+    metrics_server_combined_values: "{{ metrics_server_default_values | combine(metrics_server_values | default({}), recursive=true) }}"
 
 - name: Deploy Metrics server
   kubernetes.core.helm:

roles/minio/tasks/main.yaml

@@ -1,5 +1,5 @@
 - set_fact:
-    minio_combined_values: "{{ minio_default_values | combine(minio_values, recursive=true) }}"
+    minio_combined_values: "{{ minio_default_values | combine(minio_values | default({}), recursive=true) }}"
 
 - name: Deploy MinIO
   kubernetes.core.helm:

roles/nextcloud/tasks/main.yaml

@@ -5,7 +5,7 @@
     - postgres_enabled is defined and postgres_enabled
 
 - set_fact:
-    nextcloud_combined_values: "{{ nextcloud_default_values | combine(nextcloud_values, recursive=true) }}"
+    nextcloud_combined_values: "{{ nextcloud_default_values | combine(nextcloud_values | default({}), recursive=true) }}"
 
 - name: Deploy Nextcloud
   kubernetes.core.helm:

roles/nfs-client-provisioner/tasks/main.yaml

@@ -1,5 +1,5 @@
 - set_fact:
-    nfs_client_provisioner_hdd_combined_values: "{{ nfs_client_provisioner_hdd_default_values | combine(nfs_client_provisioner_hdd_values, recursive=true) }}"
+    nfs_client_provisioner_hdd_combined_values: "{{ nfs_client_provisioner_hdd_default_values | combine(nfs_client_provisioner_hdd_values | default({}), recursive=true) }}"
 
 - name: Deploy NFS client provisioner for HDD storage
   kubernetes.core.helm:
@@ -12,7 +12,7 @@
     wait: true
 
 - set_fact:
-    nfs_client_provisioner_ssd_combined_values: "{{ nfs_client_provisioner_ssd_default_values | combine(nfs_client_provisioner_ssd_values, recursive=true) }}"
+    nfs_client_provisioner_ssd_combined_values: "{{ nfs_client_provisioner_ssd_default_values | combine(nfs_client_provisioner_ssd_values | default({}), recursive=true) }}"
 
 - name: Deploy NFS client provisioner for SSD storage
   kubernetes.core.helm:

roles/openldap/tasks/main.yaml

@@ -31,7 +31,7 @@
           group: cert-manager.io
 
 - set_fact:
-    openldap_combined_values: "{{ openldap_default_values | combine(openldap_values, recursive=true) }}"
+    openldap_combined_values: "{{ openldap_default_values | combine(openldap_values | default({}), recursive=true) }}"
 
 - name: Deploy OpenLDAP
   kubernetes.core.helm:

roles/peertube/tasks/main.yaml

@@ -5,7 +5,7 @@
     - postgres_enabled is defined and postgres_enabled
 
 - set_fact:
-    peertube_combined_values: "{{ peertube_default_values | combine(peertube_values, recursive=true) }}"
+    peertube_combined_values: "{{ peertube_default_values | combine(peertube_values | default({}), recursive=true) }}"
 
 - name: Deploy PeerTube
   kubernetes.core.helm:

roles/playmaker/tasks/main.yaml

@@ -1,5 +1,5 @@
 - set_fact:
-    playmaker_combined_values: "{{ playmaker_default_values | combine(playmaker_values, recursive=true) }}"
+    playmaker_combined_values: "{{ playmaker_default_values | combine(playmaker_values | default({}), recursive=true) }}"
 
 - name: Deploy Docker playmaker
   kubernetes.core.helm:

roles/postfix/defaults/main.yaml

@@ -57,12 +57,12 @@ postfix_default_values:
         virtual_transport = lmtp:inet:{{ dovecot_short_name | default('dovecot') }}.{{ namespace }}.svc.cluster.local:24
         
         # Certs and TLS options
-        smtpd_tls_cert_file = /tls/tls.crt 
+        smtpd_tls_cert_file = /tls/tls.crt
         smtpd_tls_key_file = /tls/tls.key
         smtpd_use_tls = yes
         smtpd_tls_auth_only = yes
         smtpd_tls_security_level = may
-        smtp_tls_loglevel = 1 
+        smtp_tls_loglevel = 1
         smtpd_tls_loglevel = 1
         smtpd_tls_received_header = yes
         smtpd_tls_session_cache_timeout = 3600s
@@ -117,7 +117,7 @@ postfix_default_values:
         manpage_directory = /usr/share/man
         newaliases_path = /usr/bin/newaliases
         mailq_path = /usr/bin/mailq
-  
+        
       master: |
         #
         # Postfix master process configuration file.  For details on the format
@@ -287,6 +287,290 @@ postfix_default_values:
         query_filter = mail=%s
         result_attribute = cn
         cache = no
+
+  service:
+    type: LoadBalancer
+    loadBalancerIP: "{{ postfix_loadbalancer_ip | default(omit) }}"
+
+# WIP
+postfix_oidc: false
+postfix_oidc_default_values:
+  replicaCount: 1
+  persistence:
+    enabled: true
+    existingClaim: mailboxes
+  tls:
+    enabled: true
+    existingSecret: "{{ mail_short_name | default('mail') }}.{{ domain }}-secret"
+  postfix:
+    configmaps:
+      main: |
+        #smtp_host_lookup = native
+        compatibility_level = 2
+        maillog_file = /dev/stdout
+        # Use ipv4 and listen on all interfaces
+        inet_protocols = ipv4
+        inet_interfaces = all
+        
+        queue_directory = /var/spool/postfix
+        command_directory = /usr/sbin
+        daemon_directory = /usr/libexec/postfix
+        data_directory = /var/lib/postfix
+        mail_owner = postfix
+        
+        # Postfix full server name for mail send/recieve
+        myhostname = {{ mail_short_name | default('mail') }}.{{ domain }}
+        
+        # Set domain name
+        mydomain = {{ domain }}
+        
+        # Local name for mail send
+        myorigin = $mydomain
+        
+        # Local mail delivery
+        mydestination = $myhostname, localhost.$mydomain, localhost
+        
+        # Transport type
+        local_transport = virtual
+        
+        # Local users map
+        #local_recipient_maps = $virtual_mailbox_maps
+        
+        # Reject code
+        unknown_local_recipient_reject_code = 550
+        
+        # Virtual domain list
+        virtual_mailbox_domains = {{ domain }}
+        virtual_mailbox_base = /var/mail/vhosts
+        
+        # Allowed users map
+        #virtual_mailbox_maps = ldap:/etc/postfix/ldap-local-recipients.cf
+        
+        # Dovecot socket for mail delivery
+        #virtual_transport = lmtp:unix:private/dovecot-lmtp
+        virtual_transport = lmtp:inet:{{ dovecot_short_name | default('dovecot') }}.{{ namespace }}.svc.cluster.local:24
+        
+        # Certs and TLS options
+        smtpd_tls_cert_file = /tls/tls.crt
+        smtpd_tls_key_file = /tls/tls.key
+        smtpd_use_tls = yes
+        smtpd_tls_auth_only = yes
+        smtpd_tls_security_level = may
+        smtp_tls_loglevel = 1
+        smtpd_tls_loglevel = 1
+        smtpd_tls_received_header = yes
+        smtpd_tls_session_cache_timeout = 3600s
+        smtp_tls_note_starttls_offer = yes
+        tls_random_source = dev:/dev/urandom
+        smtp_tls_security_level = may
+        # DANE-Settings
+        #smtp_dns_support_level=dnssec
+        #smtp_host_lookup=dns
+        #smtp_tls_security_level = dane
+        #smtp_tls_loglevel=1
+        
+        # Filters for mail
+        smtpd_helo_required = yes
+        #smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain, reject_invalid_helo_hostname, reject_unauth_destination
+        smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unauth_destination
+        smtpd_discard_ehlo_keywords = ''
+        
+        # SASL auth with dovecot options
+        smtpd_sasl_auth_enable = yes
+        smtpd_sasl_security_options = noanonymous
+        broken_sasl_auth_clients = yes
+        smtpd_sasl_type = dovecot
+        smtpd_sasl_path = inet:{{ dovecot_short_name | default('dovecot') }}.{{ namespace }}.svc.cluster.local:12345
+        smtpd_sasl_local_domain = $myorigin
+        
+        milter_protocol = 6
+        milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
+        smtpd_milters = inet:{{ rspamd_short_name | default('rspamd') }}.{{ namespace }}.svc.cluster.local:11332
+        non_smtpd_milters = $smtpd_milters
+        milter_default_action = accept
+        
+        smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
+        smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
+        smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+        smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+        smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+        smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+        
+        smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
+        smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
+        
+        tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
+        tls_medium_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
+        
+        smtp_tls_ciphers = high
+        smtpd_tls_ciphers = high
+        
+        sendmail_path = /usr/sbin/sendmail
+        html_directory = no
+        setgid_group = postdrop
+        manpage_directory = /usr/share/man
+        newaliases_path = /usr/bin/newaliases
+        mailq_path = /usr/bin/mailq
+        
+      master: |
+        #
+        # Postfix master process configuration file.  For details on the format
+        # of the file, see the master(5) manual page (command: "man 5 master").
+        #
+        # Do not forget to execute "postfix reload" after editing this file.
+        #
+        # ==========================================================================
+        # service type  private unpriv  chroot  wakeup  maxproc command + args
+        #               (yes)   (yes)   (yes)   (never) (100)
+        # ==========================================================================
+        smtp      inet  n       -       n       -       -       smtpd
+        #smtp      inet  n       -       n       -       1       postscreen
+        smtpd     pass  -       -       n       -       -       smtpd
+        dnsblog   unix  -       -       n       -       0       dnsblog
+        tlsproxy  unix  -       -       n       -       0       tlsproxy
+        submission inet n       -       n       -       -       smtpd
+        #  -o syslog_name=postfix/submission
+        #  -o smtpd_tls_security_level=encrypt
+        #  -o smtpd_sasl_auth_enable=yes
+        #  -o smtpd_reject_unlisted_recipient=no
+        #  -o smtpd_client_restrictions=$mua_client_restrictions
+        #  -o smtpd_helo_restrictions=$mua_helo_restrictions
+        #  -o smtpd_sender_restrictions=$mua_sender_restrictions
+        #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+        #  -o milter_macro_daemon_name=ORIGINATING
+        smtps     inet  n       -       n       -       -       smtpd
+        #  -o syslog_name=postfix/smtps
+          -o smtpd_tls_wrappermode=yes
+          -o smtpd_sasl_auth_enable=yes
+        #  -o smtpd_reject_unlisted_recipient=no
+        #  -o smtpd_client_restrictions=$mua_client_restrictions
+        #  -o smtpd_helo_restrictions=$mua_helo_restrictions
+        #  -o smtpd_sender_restrictions=$mua_sender_restrictions
+          -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+        #  -o milter_macro_daemon_name=ORIGINATING
+        #628       inet  n       -       n       -       -       qmqpd
+        pickup    unix  n       -       n       60      1       pickup
+        cleanup   unix  n       -       n       -       0       cleanup
+        qmgr      unix  n       -       n       300     1       qmgr
+        #qmgr     unix  n       -       n       300     1       oqmgr
+        tlsmgr    unix  -       -       n       1000?   1       tlsmgr
+        rewrite   unix  -       -       n       -       -       trivial-rewrite
+        bounce    unix  -       -       n       -       0       bounce
+        defer     unix  -       -       n       -       0       bounce
+        trace     unix  -       -       n       -       0       bounce
+        verify    unix  -       -       n       -       1       verify
+        flush     unix  n       -       n       1000?   0       flush
+        proxymap  unix  -       -       n       -       -       proxymap
+        proxywrite unix -       -       n       -       1       proxymap
+        smtp      unix  -       -       n       -       -       smtp
+        relay     unix  -       -       n       -       -       smtp
+        #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+        showq     unix  n       -       n       -       -       showq
+        error     unix  -       -       n       -       -       error
+        retry     unix  -       -       n       -       -       error
+        discard   unix  -       -       n       -       -       discard
+        local     unix  -       n       n       -       -       local
+        virtual   unix  -       n       n       -       -       virtual
+        lmtp      unix  -       -       n       -       -       lmtp
+        anvil     unix  -       -       n       -       1       anvil
+        scache    unix  -       -       n       -       1       scache
+        postlog   unix-dgram n  -       n       -       1       postlogd
+        2525      inet  n       -       n       -       1       postscreen
+          #-o postscreen_upstream_proxy_protocol=haproxy
+          -o postscreen_cache_map=btree:$data_directory/postscreen_2525_cache
+          -o syslog_name=postfix/2525
+        10587     inet     n    -    n    -    -    smtpd
+          -o syslog_name=postfix/10587
+          -o smtpd_tls_security_level=encrypt
+          -o smtpd_tls_wrappermode=no
+          -o smtpd_sasl_auth_enable=yes
+          -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+          -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
+          -o milter_macro_daemon_name=ORIGINATING
+          -o smtpd_sasl_type=dovecot
+          -o smtpd_sasl_path=inet:{{ dovecot_short_name | default('dovecot') }}.{{ namespace }}.svc.cluster.local:12345
+          #-o smtpd_upstream_proxy_protocol=haproxy
+        10465     inet  n       -       n       -       -       smtpd
+          -o syslog_name=postfix/10465
+          -o smtpd_tls_wrappermode=yes
+          -o smtpd_sasl_auth_enable=yes
+          -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
+          -o milter_macro_daemon_name=ORIGINATING
+          -o smtpd_sasl_type=dovecot
+          -o smtpd_sasl_path=inet:{{ dovecot_short_name | default('dovecot') }}.{{ namespace }}.svc.cluster.local:12345
+          #-o smtpd_upstream_proxy_protocol=haproxy
+        #
+        # ====================================================================
+        # Interfaces to non-Postfix software. Be sure to examine the manual
+        # pages of the non-Postfix software to find out what options it wants.
+        #
+        # Many of the following services use the Postfix pipe(8) delivery
+        # agent.  See the pipe(8) man page for information about ${recipient}
+        # and other message envelope options.
+        # ====================================================================
+        #
+        # maildrop. See the Postfix MAILDROP_README file for details.
+        # Also specify in main.cf: maildrop_destination_recipient_limit=1
+        #
+        #maildrop  unix  -       n       n       -       -       pipe
+        #  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
+        #
+        # ====================================================================
+        #
+        # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+        #
+        # Specify in cyrus.conf:
+        #   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+        #
+        # Specify in main.cf one or more of the following:
+        #  mailbox_transport = lmtp:inet:localhost
+        #  virtual_transport = lmtp:inet:localhost
+        #
+        # ====================================================================
+        #
+        # Cyrus 2.1.5 (Amos Gouaux)
+        # Also specify in main.cf: cyrus_destination_recipient_limit=1
+        #
+        #cyrus     unix  -       n       n       -       -       pipe
+        #  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
+        #
+        # ====================================================================
+        #
+        # Old example of delivery via Cyrus.
+        #
+        #old-cyrus unix  -       n       n       -       -       pipe
+        #  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
+        #
+        # ====================================================================
+        #
+        # See the Postfix UUCP_README file for configuration details.
+        #
+        #uucp      unix  -       n       n       -       -       pipe
+        #  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+        #
+        # ====================================================================
+        #
+        # Other external delivery methods.
+        #
+        #ifmail    unix  -       n       n       -       -       pipe
+        #  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+        #
+        #bsmtp     unix  -       n       n       -       -       pipe
+        #  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
+        #
+        #scalemail-backend unix -       n       n       -       2       pipe
+        #  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
+        #  ${nexthop} ${user} ${extension}
+        #
+        #mailman   unix  -       n       n       -       -       pipe
+        #  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+        #  ${nexthop} ${user}
+        #dane       unix  -       -       n       -       -       smtp
+        #  -o smtp_dns_support_level=dnssec
+        #  -o smtp_tls_security_level=dane
+        #policyd-spf unix - n n - 0 spawn user=nobody argv=/usr/libexec/postfix/policyd-spf
+      ldap-local-recipients: |
+
   service:
     type: LoadBalancer
     loadBalancerIP: "{{ postfix_loadbalancer_ip | default(omit) }}"

roles/postfix/tasks/main.yaml

@@ -1,5 +1,10 @@
 - set_fact:
-    postfix_combined_values: "{{ postfix_default_values | combine(postfix_values, recursive=true) }}"
+    postfix_combined_values: "{{ postfix_default_values | combine(postfix_values | default({}), recursive=true) }}"
+  when: not mail_oidc
+
+- set_fact:
+    postfix_combined_values: "{{ postfix_oidc_default_values | combine(postfix_oidc_values | default({}), recursive=true) }}"
+  when: mail_oidc
 
 - name: Deploy Postfix
   kubernetes.core.helm:

roles/postgres/tasks/main.yaml

@@ -43,7 +43,7 @@
         ALLOW_NOSSL: "true"
 
 - set_fact:
-    postgres_operator_combined_values: "{{ postgres_operator_default_values | combine(postgres_operator_values, recursive=true) }}"
+    postgres_operator_combined_values: "{{ postgres_operator_default_values | combine(postgres_operator_values | default({}), recursive=true) }}"
   when: postgres_operator_enabled
 
 - name: Deploy Postgres Operator
@@ -58,7 +58,7 @@
   when: postgres_operator_enabled
 
 - set_fact:
-    postgres_operator_ui_combined_values: "{{ postgres_operator_ui_default_values | combine(postgres_operator_ui_values, recursive=true) }}"
+    postgres_operator_ui_combined_values: "{{ postgres_operator_ui_default_values | combine(postgres_operator_ui_values | default({}), recursive=true) }}"
   when: postgres_operator_ui_enabled
 
 - name: Deploy Postgres Operator UI

roles/pypiserver/tasks/main.yaml

@@ -1,5 +1,5 @@
 - set_fact:
-    pypiserver_combined_values: "{{ pypiserver_default_values | combine(pypiserver_values, recursive=true) }}"
+    pypiserver_combined_values: "{{ pypiserver_default_values | combine(pypiserver_values | default({}), recursive=true) }}"
 
 - name: Deploy pypiserver
   kubernetes.core.helm:

roles/roundcube/defaults/main.yaml

@@ -77,7 +77,7 @@ roundcube_default_values:
             'ssl' => array(
               'verify_peer'       => false,
               'allow_self_signed' => true,
-              'ciphers' => 'TLSv1.2+HIGH:!aNull:@STRENGTH',
+              'ciphers' => 'TLSv1.3+HIGH:!aNull:@STRENGTH',
             ),
         );
         // For STARTTLS SMTP
@@ -85,7 +85,7 @@ roundcube_default_values:
             'ssl' => array(
               'verify_peer'       => false,
               'allow_self_signed' => true,
-              'ciphers' => 'TLSv1.2+HIGH:!aNull:@STRENGTH',
+              'ciphers' => 'TLSv1.3+HIGH:!aNull:@STRENGTH',
             ),
         );
       ?>

roles/roundcube/tasks/main.yaml

@@ -5,7 +5,7 @@
     - postgres_enabled is defined and postgres_enabled
 
 - set_fact:
-    roundcube_combined_values: "{{ roundcube_default_values | combine(roundcube_values, recursive=true) }}"
+    roundcube_combined_values: "{{ roundcube_default_values | combine(roundcube_values | default({}), recursive=true) }}"
 
 - name: Deploy RoundCube
   kubernetes.core.helm:

roles/rspamd/tasks/main.yaml

@@ -1,5 +1,5 @@
 - set_fact:
-    rspamd_combined_values: "{{ rspamd_default_values | combine(rspamd_values, recursive=true) }}"
+    rspamd_combined_values: "{{ rspamd_default_values | combine(rspamd_values | default({}), recursive=true) }}"
 
 - name: Deploy Rspamd
   kubernetes.core.helm:

roles/service-dns/tasks/main.yaml

@@ -1,5 +1,5 @@
 - set_fact:
-    service_dns_combined_values: "{{ service_dns_default_values | combine(service_dns_values, recursive=true) }}"
+    service_dns_combined_values: "{{ service_dns_default_values | combine(service_dns_values | default({}), recursive=true) }}"
 
 - name: Deploy service DNS
   kubernetes.core.helm:

roles/wikijs/tasks/main.yaml

@@ -5,7 +5,7 @@
     - postgres_enabled is defined and postgres_enabled
 
 - set_fact:
-    wikijs_combined_values: "{{ wikijs_default_values | combine(wikijs_values, recursive=true) }}"
+    wikijs_combined_values: "{{ wikijs_default_values | combine(wikijs_values | default({}), recursive=true) }}"
 
 - name: Deploy WikiJS
   kubernetes.core.helm: