Sienna Meridian Satterwhite
8662c79212
Stalwart + Bulwark mail server deployment with OIDC, TLS cert, vault secrets. Beam design service. Pingora config cleanup. SeaweedFS replication fix. Kratos values tweak. Migration scripts for mbox/messages /calendars from La Suite to Stalwart.
31 lines
1013 B
YAML
31 lines
1013 B
YAML
# Bulwark webmail OIDC client — authenticates directly with Hydra.
|
|
# Hydra Maester creates K8s Secret "oidc-bulwark" with CLIENT_ID/CLIENT_SECRET.
|
|
# DOMAIN_SUFFIX is replaced by sed at deploy time.
|
|
apiVersion: hydra.ory.sh/v1alpha1
|
|
kind: OAuth2Client
|
|
metadata:
|
|
name: bulwark
|
|
namespace: stalwart
|
|
spec:
|
|
clientName: Webmail
|
|
grantTypes:
|
|
- authorization_code
|
|
- refresh_token
|
|
responseTypes:
|
|
- code
|
|
scope: openid email profile offline_access
|
|
redirectUris:
|
|
- https://mail.DOMAIN_SUFFIX/en/auth/callback
|
|
- https://mail.DOMAIN_SUFFIX/auth/callback
|
|
- https://mail.DOMAIN_SUFFIX/api/auth/callback
|
|
postLogoutRedirectUris:
|
|
- https://mail.DOMAIN_SUFFIX
|
|
tokenEndpointAuthMethod: client_secret_post
|
|
secretName: oidc-bulwark
|
|
skipConsent: true
|
|
tokenLifespans:
|
|
authorization_code_grant_access_token_lifespan: 24h
|
|
authorization_code_grant_refresh_token_lifespan: 720h
|
|
refresh_token_grant_access_token_lifespan: 24h
|
|
refresh_token_grant_refresh_token_lifespan: 720h
|