Merge branch 'main' into wgautomeshwgautomesh

4 files changed, 171 insertions, 0 deletions

diff --git a/cluster/prod/app/email/deploy/email-android7.hcl b/cluster/prod/app/email/deploy/email-android7.hcl
new file mode 100644
index 0000000..967f58a
--- /dev/null
+++ b/cluster/prod/app/email/deploy/email-android7.hcl
@@ -0,0 +1,126 @@
+job "email-android7" {
+  datacenters = ["neptune"]
+  type = "service"
+  priority = 100
+
+  group "rsa-ecc-proxy" {
+    network {
+      port "smtps" {
+        static = 465
+        to = 465
+      }
+      port "imaps" {
+        static = 993
+        to = 993
+      }
+    } 
+    task "imaps-proxy" {
+      driver = "docker"
+      config {
+        image = "alpine/socat:1.7.4.4"
+        readonly_rootfs = true
+        ports = [ "imaps" ]
+        network_mode = "host"
+        args = [
+          "openssl-listen:993,reuseaddr,fork,verify=0,bind=0.0.0.0,cert=/var/secrets/rsa.crt,key=/var/secrets/rsa.key",
+          "openssl:imap.deuxfleurs.fr:993,verify=0",
+        ]
+        volumes = [
+          "secrets/certs:/var/secrets"
+        ]
+      }
+
+      template {
+        data = "{{ key \"secrets/email/tls-tls-proxy/rsa.crt\" }}"
+        destination = "secrets/certs/rsa.crt"
+      }
+      template {
+        data = "{{ key \"secrets/email/tls-tls-proxy/rsa.key\" }}"
+        destination = "secrets/certs/rsa.key"
+      }
+
+      resources {
+        cpu = 50
+        memory = 50
+      }
+
+      service {
+        name = "imap-android7"
+        port = "imaps"
+        address_mode = "host"
+        tags = [
+          "rsa-ecc-proxy",
+          "(diplonat (tcp_port 993))",
+          "d53-a imap-android7.deuxfleurs.fr",
+          # ipv6 is commented for now as socat does not listen on ipv6 now
+          # "d53-aaaa imap-android7.deuxfleurs.fr"
+        ]
+        check {
+          type = "tcp"
+          port = "imaps"
+          interval = "60s"
+          timeout = "5s"
+          check_restart {
+            limit = 3
+            grace = "90s"
+            ignore_warnings = false
+          }
+        }
+      }
+    }
+    task "smtps-proxy" {
+      driver = "docker"
+      config {
+        image = "alpine/socat:1.7.4.4"
+        readonly_rootfs = true
+        network_mode = "host"
+        ports = [ "smtps" ]
+        args = [
+          "openssl-listen:465,reuseaddr,fork,verify=0,bind=0.0.0.0,cert=/var/secrets/rsa.crt,key=/var/secrets/rsa.key",
+          "openssl:smtp.deuxfleurs.fr:465,verify=0",
+        ]
+        volumes = [
+          "secrets/certs:/var/secrets"
+        ]
+      }
+
+      template {
+        data = "{{ key \"secrets/email/tls-tls-proxy/rsa.crt\" }}"
+        destination = "secrets/certs/rsa.crt"
+      }
+      template {
+        data = "{{ key \"secrets/email/tls-tls-proxy/rsa.key\" }}"
+        destination = "secrets/certs/rsa.key"
+      }
+
+      resources {
+        cpu = 50
+        memory = 50
+      }
+
+      service {
+        name = "smtp-android7"
+        port = "smtps"
+        address_mode = "host"
+        tags = [
+          "rsa-ecc-proxy",
+          "(diplonat (tcp_port 465))",
+          "d53-a smtp-android7.deuxfleurs.fr",
+          # ipv6 is commented for now as socat does not listen on ipv6 now
+          # "d53-aaaa smtp-android7.deuxfleurs.fr"
+        ]
+        check {
+          type = "tcp"
+          port = "smtps"
+          interval = "60s"
+          timeout = "5s"
+          check_restart {
+            limit = 3
+            grace = "90s"
+            ignore_warnings = false
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/cluster/prod/app/email/integration/README.md b/cluster/prod/app/email/integration/README.md
new file mode 100644
index 0000000..d396277
--- /dev/null
+++ b/cluster/prod/app/email/integration/README.md
@@ -0,0 +1,23 @@
+# Email
+
+## TLS TLS Proxy
+
+Required for Android 7.0 that does not support elliptic curves.
+
+Generate a key:
+
+```bash
+openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout rsa.key -out rsa.crt -subj "/CN=imap.deuxfleurs.fr" -addext "subjectAltName=DNS:smtp.deuxfleurs.fr"
+```
+
+Run the command:
+
+```bash
+./integration/proxy.sh imap.deuxfleurs.fr:993 1993
+```
+
+Test it:
+
+```bash
+openssl s_client localhost:1993
+```
diff --git a/cluster/prod/app/email/integration/tls-tls-proxy.sh b/cluster/prod/app/email/integration/tls-tls-proxy.sh
new file mode 100644
index 0000000..afb7317
--- /dev/null
+++ b/cluster/prod/app/email/integration/tls-tls-proxy.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+UPSTREAM=$1
+PROXY_PORT=$2
+socat -dd \
+"openssl-listen:${PROXY_PORT},\
+reuseaddr,\
+fork,\
+cert=/tmp/tls-tls-proxy/rsa.crt,\
+key=/tmp/tls-tls-proxy/rsa.key,\
+verify=0,\
+bind=0.0.0.0" \
+"openssl:${UPSTREAM},\
+verify=0"
diff --git a/cluster/prod/app/email/secrets.toml b/cluster/prod/app/email/secrets.toml
index 6263e33..54bee46 100644
--- a/cluster/prod/app/email/secrets.toml
+++ b/cluster/prod/app/email/secrets.toml
@@ -21,3 +21,12 @@ password_secret = "email/sogo/ldap_bindpw"
 type = 'user'
 description = 'SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)'
 
+# ---- TLS TLS PROXY ---
+
+[secrets."email/tls-tls-proxy/rsa.crt"]
+type="user"
+description="PEM encoded file containing the RSA certificate"
+
+[secrets."email/tls-tls-proxy/rsa.key"]
+type="user"
+description="PEM encoded file containing the RSA key"