base/lasuite/postfix-deployment.yaml

# Postfix MTA for the Messages email platform.
#
# MTA-out: accepts SMTP from cluster-internal services (Kratos, Messages Django),
#          signs with DKIM, and relays outbound via Scaleway TEM.
#
# MTA-in: receives inbound email from the internet (routed via Pingora on port 25).
#         In local dev, no MX record points here so inbound never arrives.
#
# Credentials: Secret "postfix-tem-credentials" with keys:
#   smtp_user     — Scaleway TEM SMTP username (project ID)
#   smtp_password — Scaleway TEM SMTP password (API key)
#
# DKIM keys: Secret "postfix-dkim" with key:
#   private.key   — DKIM private key for sunbeam.pt (generated once; add DNS TXT record)
#   selector      — DKIM selector (e.g. "mail")
#
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postfix
  namespace: lasuite
spec:
  replicas: 1
  selector:
    matchLabels:
      app: postfix
  template:
    metadata:
      labels:
        app: postfix
    spec:
      automountServiceAccountToken: false
      containers:
        - name: postfix
          image: boky/postfix:latest
          ports:
            - name: smtp
              containerPort: 25
              protocol: TCP
          env:
            # Accept mail from all cluster-internal pods.
            - name: MYNETWORKS
              value: "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"
            # Sending domain — replaced by sed at deploy time.
            - name: ALLOWED_SENDER_DOMAINS
              value: "DOMAIN_SUFFIX"
            # Scaleway TEM outbound relay.
            - name: RELAYHOST
              value: "[smtp.tem.scw.cloud]:587"
            - name: SASL_USER
              valueFrom:
                secretKeyRef:
                  name: postfix-tem-credentials
                  key: smtp_user
                  optional: true  # allows pod to start before secret exists
            - name: SASL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postfix-tem-credentials
                  key: smtp_password
                  optional: true
          resources:
            limits:
              memory: 64Mi
            requests:
              memory: 32Mi
              cpu: 10m
---
apiVersion: v1
kind: Service
metadata:
  name: postfix
  namespace: lasuite
spec:
  selector:
    app: postfix
  ports:
    - name: smtp
      port: 25
      targetPort: 25
      protocol: TCP
feat: replace nginx placeholder with custom Pingora proxy; add Postfix MTA Ingress: - Deploy custom sunbeam-proxy (Pingora/Rust) replacing nginx placeholder - HTTPS termination with mkcert (local) / rustls-acme (production) - Host-prefix routing with path-based sub-routing for auth virtual host: /oauth2 + /.well-known + /userinfo → Hydra, /kratos → Kratos (prefix stripped), default → login-ui - HTTP→HTTPS redirect, WebSocket passthrough, JSON audit logging, OTEL stub - cert-manager HTTP-01 ACME challenge routing via Ingress watcher - RBAC for Ingress watcher (pingora-watcher ClusterRole) - local overlay: hostPorts 80/443, LiveKit TURN demoted to ClusterIP to avoid klipper conflict Infrastructure: - socket_vmnet shared network for host↔VM reachability (192.168.105.2) - local-up.sh: cert-manager installation, eth1-based LIMA_IP detection, correct DOMAIN_SUFFIX sed substitution - Postfix MTA in lasuite namespace: outbound relay via Scaleway TEM, accepts SMTP from cluster pods - Kratos SMTP courier pointed at postfix.lasuite.svc.cluster.local:25 - Production overlay: cert-manager ClusterIssuer, ACME-enabled Pingora values 2026-03-01 16:25:11 +00:00			`# Postfix MTA for the Messages email platform.`
			`#`
			`# MTA-out: accepts SMTP from cluster-internal services (Kratos, Messages Django),`
			`# signs with DKIM, and relays outbound via Scaleway TEM.`
			`#`
			`# MTA-in: receives inbound email from the internet (routed via Pingora on port 25).`
			`# In local dev, no MX record points here so inbound never arrives.`
			`#`
			`# Credentials: Secret "postfix-tem-credentials" with keys:`
			`# smtp_user — Scaleway TEM SMTP username (project ID)`
			`# smtp_password — Scaleway TEM SMTP password (API key)`
			`#`
			`# DKIM keys: Secret "postfix-dkim" with key:`
			`# private.key — DKIM private key for sunbeam.pt (generated once; add DNS TXT record)`
			`# selector — DKIM selector (e.g. "mail")`
			`#`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: postfix`
			`namespace: lasuite`
			`spec:`
			`replicas: 1`
			`selector:`
			`matchLabels:`
			`app: postfix`
			`template:`
			`metadata:`
			`labels:`
			`app: postfix`
			`spec:`
			`automountServiceAccountToken: false`
			`containers:`
			`- name: postfix`
			`image: boky/postfix:latest`
			`ports:`
			`- name: smtp`
			`containerPort: 25`
			`protocol: TCP`
			`env:`
			`# Accept mail from all cluster-internal pods.`
			`- name: MYNETWORKS`
			`value: "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"`
			`# Sending domain — replaced by sed at deploy time.`
			`- name: ALLOWED_SENDER_DOMAINS`
			`value: "DOMAIN_SUFFIX"`
			`# Scaleway TEM outbound relay.`
			`- name: RELAYHOST`
			`value: "[smtp.tem.scw.cloud]:587"`
			`- name: SASL_USER`
			`valueFrom:`
			`secretKeyRef:`
			`name: postfix-tem-credentials`
			`key: smtp_user`
			`optional: true # allows pod to start before secret exists`
			`- name: SASL_PASSWORD`
			`valueFrom:`
			`secretKeyRef:`
			`name: postfix-tem-credentials`
			`key: smtp_password`
			`optional: true`
			`resources:`
			`limits:`
			`memory: 64Mi`
			`requests:`
			`memory: 32Mi`
			`cpu: 10m`
			`---`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: postfix`
			`namespace: lasuite`
			`spec:`
			`selector:`
			`app: postfix`
			`ports:`
			`- name: smtp`
			`port: 25`
			`targetPort: 25`
			`protocol: TCP`