dezky/infrastructure/production/fleet/apps/mail-autodiscovery.yaml
Ronni Baslund 77898c5027
feat(mail): CalDAV/CardDAV exposed + in the Apple profile
DAV was internal-only (the node's :443 is Traefik's). New mail-dav
Ingress routes /.well-known/caldav, /.well-known/carddav and /dav on
mail.dezky.eu through to Stalwart — with the HTTPS-redirect middleware
(safe for DAV's GET/PROPFIND; kept OFF the autodiscover Ingress whose
POSTs don't survive redirects). The _caldavs/_carddavs SRV records are
now legitimate, so the Domains page surfaces them, and the Apple
.mobileconfig gains CalDAV + CardDAV payloads: one install sets up Mail,
Calendar and Contacts on Mac/iPhone. Stalwart's STALWART_PUBLIC_URL is
set to https://mail.dezky.eu on the host (discovery documents).
2026-06-11 08:23:15 +02:00

111 lines, 3.8 KiB, YAML

# Mail-client autodiscovery for dezky.eu — routes ONLY the discovery paths
# through Traefik to host-Stalwart's HTTP listener (10.42.0.1:8080):
#
# autodiscover.dezky.eu POST /autodiscover/autodiscover.xml (Outlook)
# autoconfig.dezky.eu GET /mail/config-v1.1.xml (Thunderbird)
#
# Everything else on these hostnames (Stalwart's /admin, /login, /jmap …)
# falls through to Traefik's 404 — the management surface stays internal.
# No HTTPS-redirect middleware on purpose: Thunderbird probes plain HTTP and
# Outlook POSTs, and a POST doesn't survive a 301 in all clients; both schemes
# serve the same answer.
#
# DNS at simply.com: autoconfig + autodiscover CNAME → mail.dezky.eu (the
# records are listed on the portal's Domains page).
#
# Customer domains (autodiscover.<customer>.tld) need per-domain certs and an
# automated Ingress/Certificate per verified domain — follow-up feature.
#
# NB: the ci-deployer Role carries explicit Endpoints write — the namespaced
# 'admin' role stopped granting it (CVE-2021-25740 hardening).
apiVersion: v1
kind: Service
metadata:
  name: stalwart-http
  labels:
    app.kubernetes.io/name: stalwart-http
    app.kubernetes.io/part-of: dezky
spec:
  # No selector — Stalwart runs on the HOST, not in a pod. The Endpoints
  # object below pins the cni0 gateway address pods/Traefik can reach.
  ports:
    - name: http
      port: 8080
      targetPort: 8080
---
apiVersion: v1
kind: Endpoints
metadata:
  name: stalwart-http
subsets:
  - addresses:
      - ip: 10.42.0.1
    ports:
      - name: http
        port: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mail-autodiscovery
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - autodiscover.dezky.eu
        - autoconfig.dezky.eu
      secretName: autodiscovery-dezky-eu-tls
  rules:
    - host: autodiscover.dezky.eu
      http:
        paths:
          # Outlook probes both capitalizations.
          - path: /autodiscover/autodiscover.xml
            pathType: Exact
            backend: { service: { name: stalwart-http, port: { number: 8080 } } }
          - path: /Autodiscover/Autodiscover.xml
            pathType: Exact
            backend: { service: { name: stalwart-http, port: { number: 8080 } } }
    - host: autoconfig.dezky.eu
      http:
        paths:
          - path: /mail/config-v1.1.xml
            pathType: Exact
            backend: { service: { name: stalwart-http, port: { number: 8080 } } }
---
# CalDAV/CardDAV for mail.dezky.eu — Apple Calendar/Contacts, Thunderbird and
# every other DAV client. Separate Ingress from the autodiscovery one because
# DAV gets the HTTPS-redirect middleware (safe for GET/PROPFIND; the
# autodiscover Ingress must stay redirect-free for Outlook's POST). Only the
# well-knowns + /dav are routed — the admin surface stays internal.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mail-dav
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
    traefik.ingress.kubernetes.io/router.middlewares: dezky-apps-redirect-https@kubernetescrd
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - mail.dezky.eu
      secretName: mail-dezky-eu-traefik-tls
  rules:
    - host: mail.dezky.eu
      http:
        paths:
          - path: /.well-known/caldav
            pathType: Exact
            backend: { service: { name: stalwart-http, port: { number: 8080 } } }
          - path: /.well-known/carddav
            pathType: Exact
            backend: { service: { name: stalwart-http, port: { number: 8080 } } }
          - path: /dav
            pathType: Prefix
            backend: { service: { name: stalwart-http, port: { number: 8080 } } }
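The two Ingress objects above (mail-autodiscovery and mail-dav) make three promises that are easy to break in a later edit: only the discovery and DAV paths reach Stalwart, everything else on those hostnames falls through to a 404, and the HTTPS redirect is on the DAV Ingress but never on the autodiscover one. The following is an added example, not code from the dezky repo: it transcribes the host/path tables from the manifest into plain data, emulates the Kubernetes pathType matching an Ingress controller is specified to apply (Exact = whole path, Prefix = element-wise on "/"), and lints those invariants the way a CI step could. `route`, `lint`, `with_catch_all` and the `INTERNAL` path list are this example's own constructions; the matcher models the Ingress spec, not Traefik's actual matcher, and `segment_aware=False` shows what a controller that treats Prefix as a plain string prefix would additionally admit.

```python
# Added example (not from the dezky repo): offline model of the routing policy
# in mail-autodiscovery.yaml plus a lint for the invariants its comments state.
from dataclasses import dataclass

REDIRECT_MW = "dezky-apps-redirect-https@kubernetescrd"   # the mail-dav annotation value


@dataclass(frozen=True)
class Rule:
    path: str
    path_type: str            # "Exact" or "Prefix", as in spec.rules[].http.paths[]


@dataclass(frozen=True)
class Ingress:
    name: str
    hosts: dict               # host -> tuple[Rule, ...]
    middlewares: tuple = ()


# Transcribed from the two Ingress objects in the manifest above.
INGRESSES = (
    Ingress("mail-autodiscovery", {
        "autodiscover.dezky.eu": (Rule("/autodiscover/autodiscover.xml", "Exact"),
                                  Rule("/Autodiscover/Autodiscover.xml", "Exact")),
        "autoconfig.dezky.eu": (Rule("/mail/config-v1.1.xml", "Exact"),),
    }),
    Ingress("mail-dav", {
        "mail.dezky.eu": (Rule("/.well-known/caldav", "Exact"),
                          Rule("/.well-known/carddav", "Exact"),
                          Rule("/dav", "Prefix")),
    }, middlewares=(REDIRECT_MW,)),
)


def matches(rule, request_path, segment_aware=True):
    """Kubernetes pathType semantics. segment_aware=False models a controller
    that treats Prefix as a plain string prefix (it would admit /davXYZ too)."""
    if rule.path_type == "Exact":
        return request_path == rule.path
    prefix = rule.path.rstrip("/") or "/"
    if prefix == "/":
        return True                                    # catch-all
    if not segment_aware:
        return request_path.startswith(prefix)
    return request_path == prefix or request_path.startswith(prefix + "/")


def route(host, path, https=True, ingresses=INGRESSES):
    """What the edge does with one request:
    ('backend', ingress)  forwarded to stalwart-http
    ('redirect', ingress) 301 to https from the redirect middleware (plain HTTP only)
    ('404', None)         no rule matched: the controller's default 404."""
    for ing in ingresses:
        for rule in ing.hosts.get(host, ()):
            if matches(rule, path):
                if REDIRECT_MW in ing.middlewares and not https:
                    return ("redirect", ing.name)
                return ("backend", ing.name)
    return ("404", None)


# The invariants the file comments promise (assumed policy for this example).
ALLOWED = {
    "autodiscover.dezky.eu": {"/autodiscover/autodiscover.xml", "/Autodiscover/Autodiscover.xml"},
    "autoconfig.dezky.eu": {"/mail/config-v1.1.xml"},
    "mail.dezky.eu": {"/.well-known/caldav", "/.well-known/carddav", "/dav"},
}
INTERNAL = ("/admin", "/login", "/jmap", "/jmap/session")   # must 404 on every hostname


def lint(ingresses=INGRESSES):
    """Return the list of policy violations; an empty list means the manifest is as intended."""
    problems = []
    by_name = {ing.name: ing for ing in ingresses}
    for ing in ingresses:
        for host, rules in ing.hosts.items():
            for rule in rules:
                if rule.path not in ALLOWED.get(host, set()):
                    problems.append(f"{ing.name}: {host}{rule.path} is not a discovery/DAV path")
                if rule.path_type == "Prefix" and rule.path != "/dav":
                    problems.append(f"{ing.name}: Prefix rule {rule.path} widens the exposed surface")
            for p in INTERNAL:
                if route(host, p, ingresses=ingresses)[0] != "404":
                    problems.append(f"{ing.name}: {host}{p} reaches Stalwart")
    auto = by_name.get("mail-autodiscovery")
    if auto and REDIRECT_MW in auto.middlewares:
        problems.append("mail-autodiscovery: HTTPS redirect would break Outlook's POST; keep it off")
    dav = by_name.get("mail-dav")
    if dav and REDIRECT_MW not in dav.middlewares:
        problems.append("mail-dav: redirect middleware missing, plaintext DAV would be served")
    return problems


def with_catch_all():
    """A tempting 'just expose the whole server' edit, constructed so lint() can reject it."""
    bad = Ingress("mail-dav", {"mail.dezky.eu": (Rule("/", "Prefix"),)}, (REDIRECT_MW,))
    return (INGRESSES[0], bad)


if __name__ == "__main__":
    print(route("autodiscover.dezky.eu", "/autodiscover/autodiscover.xml", https=False))
    print(route("mail.dezky.eu", "/.well-known/caldav", https=False))
    print(route("mail.dezky.eu", "/login"))
    print(lint(), lint(with_catch_all()))
```

Running `lint()` against the transcribed rules returns an empty list; replacing the DAV rules with a `/` Prefix rule, as `with_catch_all()` does, is flagged three ways (path not allowed, widened Prefix, and every `INTERNAL` path now reaching Stalwart). The model is only as good as the transcription, so a real CI step would parse the applied manifest instead of the hand-copied tables and should also confirm against the live edge that the `INTERNAL` paths really answer 404.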