checkpoint: stalwart deploy, beam-design, migration scripts, config tweaks
Stalwart + Bulwark mail server deployment with OIDC, TLS cert, vault secrets. Beam design service. Pingora config cleanup. SeaweedFS replication fix. Kratos values tweak. Migration scripts for mbox/messages /calendars from La Suite to Stalwart.
This commit is contained in:
30
base/stalwart/oidc-client-bulwark.yaml
Normal file
30
base/stalwart/oidc-client-bulwark.yaml
Normal file
@@ -0,0 +1,30 @@
|
||||
# Bulwark webmail OIDC client — authenticates directly with Hydra.
|
||||
# Hydra Maester creates K8s Secret "oidc-bulwark" with CLIENT_ID/CLIENT_SECRET.
|
||||
# DOMAIN_SUFFIX is replaced by sed at deploy time.
|
||||
apiVersion: hydra.ory.sh/v1alpha1
|
||||
kind: OAuth2Client
|
||||
metadata:
|
||||
name: bulwark
|
||||
namespace: stalwart
|
||||
spec:
|
||||
clientName: Webmail
|
||||
grantTypes:
|
||||
- authorization_code
|
||||
- refresh_token
|
||||
responseTypes:
|
||||
- code
|
||||
scope: openid email profile offline_access
|
||||
redirectUris:
|
||||
- https://mail.DOMAIN_SUFFIX/en/auth/callback
|
||||
- https://mail.DOMAIN_SUFFIX/auth/callback
|
||||
- https://mail.DOMAIN_SUFFIX/api/auth/callback
|
||||
postLogoutRedirectUris:
|
||||
- https://mail.DOMAIN_SUFFIX
|
||||
tokenEndpointAuthMethod: client_secret_post
|
||||
secretName: oidc-bulwark
|
||||
skipConsent: true
|
||||
tokenLifespans:
|
||||
authorization_code_grant_access_token_lifespan: 24h
|
||||
authorization_code_grant_refresh_token_lifespan: 720h
|
||||
refresh_token_grant_access_token_lifespan: 24h
|
||||
refresh_token_grant_refresh_token_lifespan: 720h
|
||||
Reference in New Issue
Block a user