# TLS for mail.dezky.eu — issued in-cluster by cert-manager, consumed on the
# HOST by Stalwart: stalwart-cert-sync.timer (host/stalwart/cert-sync.sh)
# copies the mail/mail-tls secret to /opt/stalwart/etc/tls every 12h and
# reloads Stalwart when it changes. Until this Certificate is Ready, Stalwart
# serves the self-signed bootstrap cert and mail clients refuse the TLS
# handshake ("cannot verify account name or password" in Apple Mail).
#
# HTTP-01 works because Traefik owns :80 on the node and cert-manager's
# solver ingress answers /.well-known/acme-challenge for any Host.
#
# Apply by hand with the rest of the cert-manager layer (see RUNBOOK):
#   kubectl apply -f mail-certificate.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: mail
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mail-dezky-eu
  namespace: mail
spec:
  secretName: mail-tls
  dnsNames:
    - mail.dezky.eu
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
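The host-side sync the header comment describes (copy the mail/mail-tls secret into /opt/stalwart/etc/tls, reload only when it changes), as an added Python sketch that is not the repo's cert-sync.sh: it decodes a kubernetes.io/tls Secret in the shape `kubectl -n mail get secret mail-tls -o json` returns, installs the PEM files atomically with the private key kept 0600, and reports whether anything changed so the caller knows to reload Stalwart. The secret JSON below is a constructed placeholder, and the reload command itself is left to the caller.

```python
import base64
import json
import os
import sys
import tempfile
from pathlib import Path

# Constructed stand-in for `kubectl -n mail get secret mail-tls -o json`;
# the PEM bodies are placeholders, not a real certificate or key.
SAMPLE_SECRET_JSON = json.dumps({
    "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "mail-tls", "namespace": "mail"},
    "data": {
        "tls.crt": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n").decode(),
        "tls.key": base64.b64encode(
            b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n").decode(),
    },
})


def write_if_changed(path: Path, data: bytes, mode: int) -> bool:
    """Replace `path` with `data` via temp file + rename; True if contents differed."""
    if path.exists() and path.read_bytes() == data:
        return False
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(tmp, mode)
    os.replace(tmp, path)  # atomic rename: Stalwart never reads a half-written file
    return True


def sync_tls_secret(secret_json: str, dest: Path) -> bool:
    """Install tls.crt/tls.key from a kubernetes.io/tls Secret under `dest`.
    Returns True when either file changed, i.e. Stalwart should be reloaded."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError("not a kubernetes.io/tls secret")
    crt = base64.b64decode(secret["data"]["tls.crt"])
    key = base64.b64decode(secret["data"]["tls.key"])
    # Refuse to overwrite the bootstrap cert with something that is not PEM.
    if b"BEGIN CERTIFICATE" not in crt or b"PRIVATE KEY" not in key:
        raise ValueError("secret does not contain a PEM certificate and key")
    dest.mkdir(mode=0o700, parents=True, exist_ok=True)
    changed = write_if_changed(dest / "tls.crt", crt, 0o644)
    changed |= write_if_changed(dest / "tls.key", key, 0o600)  # key stays root-only
    return changed


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(tempfile.mkdtemp())
    print("changed, reload Stalwart" if sync_tls_secret(SAMPLE_SECRET_JSON, target)
          else "unchanged, nothing to do", "->", target)
```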