diff options
author | Quentin Dufour <quentin@deuxfleurs.fr> | 2023-03-20 10:45:40 +0100 |
---|---|---|
committer | Quentin Dufour <quentin@deuxfleurs.fr> | 2023-03-20 10:45:40 +0100 |
commit | eec09724febf398e538a275c7d2f586027839d94 (patch) | |
tree | 50e8ed1438b5e07644bcab4b0da3f3bd450bf8a2 /cluster/prod/app/email | |
parent | bebbf5bd8bef496e08bc0d6a094cc1b915f61a90 (diff) | |
download | nixcfg-eec09724febf398e538a275c7d2f586027839d94.tar.gz nixcfg-eec09724febf398e538a275c7d2f586027839d94.zip |
socat proxy
Diffstat (limited to 'cluster/prod/app/email')
-rw-r--r-- | cluster/prod/app/email/deploy/email-android7.hcl | 126 |
1 files changed, 126 insertions, 0 deletions
diff --git a/cluster/prod/app/email/deploy/email-android7.hcl b/cluster/prod/app/email/deploy/email-android7.hcl new file mode 100644 index 0000000..967f58a --- /dev/null +++ b/cluster/prod/app/email/deploy/email-android7.hcl @@ -0,0 +1,126 @@ +job "email-android7" { + datacenters = ["neptune"] + type = "service" + priority = 100 + + group "rsa-ecc-proxy" { + network { + port "smtps" { + static = 465 + to = 465 + } + port "imaps" { + static = 993 + to = 993 + } + } + task "imaps-proxy" { + driver = "docker" + config { + image = "alpine/socat:1.7.4.4" + readonly_rootfs = true + ports = [ "imaps" ] + network_mode = "host" + args = [ + "openssl-listen:993,reuseaddr,fork,verify=0,bind=0.0.0.0,cert=/var/secrets/rsa.crt,key=/var/secrets/rsa.key", + "openssl:imap.deuxfleurs.fr:993,verify=0", + ] + volumes = [ + "secrets/certs:/var/secrets" + ] + } + + template { + data = "{{ key \"secrets/email/tls-tls-proxy/rsa.crt\" }}" + destination = "secrets/certs/rsa.crt" + } + template { + data = "{{ key \"secrets/email/tls-tls-proxy/rsa.key\" }}" + destination = "secrets/certs/rsa.key" + } + + resources { + cpu = 50 + memory = 50 + } + + service { + name = "imap-android7" + port = "imaps" + address_mode = "host" + tags = [ + "rsa-ecc-proxy", + "(diplonat (tcp_port 993))", + "d53-a imap-android7.deuxfleurs.fr", + # ipv6 is commented for now as socat does not listen on ipv6 now + # "d53-aaaa imap-android7.deuxfleurs.fr" + ] + check { + type = "tcp" + port = "imaps" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + task "smtps-proxy" { + driver = "docker" + config { + image = "alpine/socat:1.7.4.4" + readonly_rootfs = true + network_mode = "host" + ports = [ "smtps" ] + args = [ + "openssl-listen:465,reuseaddr,fork,verify=0,bind=0.0.0.0,cert=/var/secrets/rsa.crt,key=/var/secrets/rsa.key", + "openssl:smtp.deuxfleurs.fr:465,verify=0", + ] + volumes = [ + "secrets/certs:/var/secrets" + ] + } + + template { + data = "{{ key \"secrets/email/tls-tls-proxy/rsa.crt\" }}" + destination = "secrets/certs/rsa.crt" + } + template { + data = "{{ key \"secrets/email/tls-tls-proxy/rsa.key\" }}" + destination = "secrets/certs/rsa.key" + } + + resources { + cpu = 50 + memory = 50 + } + + service { + name = "smtp-android7" + port = "smtps" + address_mode = "host" + tags = [ + "rsa-ecc-proxy", + "(diplonat (tcp_port 465))", + "d53-a smtp-android7.deuxfleurs.fr", + # ipv6 is commented for now as socat does not listen on ipv6 now + # "d53-aaaa smtp-android7.deuxfleurs.fr" + ] + check { + type = "tcp" + port = "smtps" + interval = "60s" + timeout = "5s" + check_restart { + limit = 3 + grace = "90s" + ignore_warnings = false + } + } + } + } + } +} |