hatiyildiz 7cafa3c894 docs(seaweedfs+guacamole): replace MinIO with SeaweedFS as unified S3 encapsulation; add Guacamole to bp-relay
Component-level architectural correction (two changes):

1. MinIO → SeaweedFS as unified S3 encapsulation layer

The old design used MinIO for in-cluster S3 plus separate cold-tier configuration scattered across consumers. The new design positions SeaweedFS as the single S3 encapsulation layer: every Catalyst component talks to one endpoint (seaweedfs.storage.svc:8333). SeaweedFS internally handles hot tier (in-cluster NVMe), warm tier (in-cluster bulk), and cold tier (transparent passthrough to cloud archival storage — Cloudflare R2 / AWS S3 / Hetzner Object Storage / etc., chosen at Sovereign provisioning). One audit/lifecycle/encryption boundary instead of N. No Catalyst component talks to cloud S3 directly anymore — Velero, CNPG WAL archive, OpenSearch snapshots, Loki/Mimir/Tempo, Iceberg, Harbor blob store, Application buckets all share one S3 surface.

2. Apache Guacamole added as Application Blueprint §4.5 Communication

Clientless browser-based RDP/VNC/SSH/kubectl-exec gateway. Keycloak SSO, full session recording to SeaweedFS for compliance evidence (PSD2/DORA/SOX). Composed into bp-relay. Replaces VPN+native-client distribution for auditable remote access.

Component changes:
- DELETED: platform/minio/
- CREATED: platform/seaweedfs/README.md (unified S3 + cold-tier encapsulation; bucket layout; multi-region replication via shared cold backend; migration-from-MinIO section)
- CREATED: platform/guacamole/README.md (clientless remote-desktop gateway; GuacamoleConnection CRD; compliance integration via session recordings)

Doc updates: PLATFORM-TECH-STACK §1+§3.5+§4.5+§5+§7.4; TECHNOLOGY-FORECAST L11+mandatory+a-la-carte counts (52 → 53); ARCHITECTURE §3 topology; SECURITY §4 DB engines; SOVEREIGN-PROVISIONING §1 inputs; SRE §2.5+§7; IMPLEMENTATION-STATUS §3; BLUEPRINT-AUTHORING stateful examples; BUSINESS-STRATEGY 13 component-count anchors + Relay product line; README.md backup row; CLAUDE.md folder count.

Component README updates (S3 endpoint + dependency renames): cnpg, clickhouse, flink, gitea, iceberg, harbor, grafana, livekit, kserve, milvus, opensearch, flux, stalwart, velero (substantive rewrite of velero — now writes exclusively to SeaweedFS with cold-tier auto-routing). Products: relay, fabric.

UI scaffold: products/catalyst/bootstrap/ui/src/shared/constants/components.ts — minio entry replaced with seaweedfs; velero+harbor deps updated; new guacamole entry added.

VALIDATION-LOG entry "Pass 104 — MinIO → SeaweedFS swap + Guacamole add" captures the encapsulation principle and adds Lesson #22: storage tier policy belongs at the encapsulation boundary, not inside every consumer.

Verification: zero remaining MinIO references in canonical docs (one intentional retention in TECHNOLOGY-FORECAST L37 explaining the swap); 53 platform/ folders matching all "53 components" anchors; bp-relay composition includes guacamole.
2026-04-28 10:23:46 +02:00

Stalwart

Self-hosted email server (JMAP/IMAP/SMTP). Application Blueprint (see docs/PLATFORM-TECH-STACK.md §4.5 — Communication). Used by bp-relay (composite Communication Blueprint) as the email service for Organizations that need self-hosted mail.

Status: Accepted | Updated: 2026-04-27


Overview

Stalwart provides self-hosted email with:

  • SMTP, IMAP, and JMAP support
  • Modern Rust implementation
  • DKIM, SPF, DMARC compliance
  • Anti-spam filtering

Architecture

flowchart TB
    subgraph Stalwart["Stalwart Mail"]
        SMTP[SMTP Server]
        IMAP[IMAP Server]
        JMAP[JMAP API]
    end

    subgraph Backend["Backend"]
        CNPG[CNPG Postgres]
        SeaweedFS[SeaweedFS Storage]
    end

    subgraph DNS["DNS Records"]
        MX[MX Record]
        SPF[SPF Record]
        DKIM[DKIM Record]
        DMARC[DMARC Record]
    end

    SMTP --> CNPG
    IMAP --> CNPG
    JMAP --> CNPG
    SMTP --> SeaweedFS
    MX --> SMTP

Protocols

| Protocol | Port       | Purpose      |
|----------|------------|--------------|
| SMTP     | 25/465/587 | Sending mail |
| IMAP     | 993        | Mail access  |
| JMAP     | 443        | Modern API   |

Configuration

Stalwart Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: stalwart
  namespace: communication
spec:
  replicas: 2
  selector:                 # required for apps/v1; must match the pod template labels
    matchLabels:
      app: stalwart
  template:
    metadata:
      labels:
        app: stalwart
    spec:
      containers:
        - name: stalwart
          image: stalwartlabs/mail-server:latest   # pin a specific tag or digest in production
          ports:
            - containerPort: 25
              name: smtp
            - containerPort: 465
              name: smtps
            - containerPort: 587
              name: submission
            - containerPort: 993
              name: imaps
            - containerPort: 8080
              name: jmap
          env:
            - name: STALWART_DATABASE_URL       # CNPG connection string, sourced from a Secret
              valueFrom:
                secretKeyRef:
                  name: stalwart-db-credentials
                  key: url

DNS Records

# Required DNS records
dns_records:
  - type: MX
    name: <domain>
    value: mail.<domain>
    priority: 10

  - type: TXT
    name: <domain>
    value: "v=spf1 mx ip4:<server-ip> -all"

  - type: TXT
    name: default._domainkey.<domain>
    value: "v=DKIM1; k=rsa; p=<public-key>"

  - type: TXT
    name: _dmarc.<domain>
    value: "v=DMARC1; p=reject; rua=mailto:dmarc@<domain>"
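An offline check of the four records above, added here as an example and not part of the OpenOva repository: it parses published SPF, DKIM and DMARC TXT values and flags anything that falls short of the posture this README prescribes (SPF hard-fail, DKIM key present, DMARC p=reject with an rua address). The domain, IP and key in the sample dictionaries are constructed placeholders.

```python
# Added example, not OpenOva's code: offline policy check of published
# TXT records against the posture the README's DNS section prescribes.

def parse_tags(record):
    """Parse 'k=v; k=v' TXT records (DKIM, DMARC) into a lower-cased dict."""
    return {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in record.split(";") if "=" in p)}

def check_spf(record):
    """SPF must be v=spf1, authorise the MX/IP, and hard-fail everything else."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: missing v=spf1 version tag"]
    findings = []
    if terms[-1].lower() != "-all":
        findings.append(f"SPF: ends in '{terms[-1]}', expected '-all' (hard fail)")
    if not any(t.lower() == "mx" or t.lower().startswith("ip4:") for t in terms[1:]):
        findings.append("SPF: no mx/ip4 mechanism authorising the mail server")
    return findings

def check_dkim(record):
    """DKIM selector record must carry a non-empty public key."""
    tags = parse_tags(record)
    findings = [] if tags.get("v") == "DKIM1" else ["DKIM: missing v=DKIM1"]
    if not tags.get("p"):
        findings.append("DKIM: empty p= (key not published or revoked)")
    return findings

def check_dmarc(record):
    """DMARC must reject failures and deliver aggregate reports (rua)."""
    tags = parse_tags(record)
    findings = [] if tags.get("v") == "DMARC1" else ["DMARC: missing v=DMARC1"]
    if tags.get("p") != "reject":
        findings.append(f"DMARC: p={tags.get('p')!r}, expected 'reject'")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("DMARC: no rua=mailto: aggregate-report address")
    return findings

def audit(records):
    """records: {'spf': ..., 'dkim': ..., 'dmarc': ...} -> list of findings (empty = OK)."""
    return check_spf(records["spf"]) + check_dkim(records["dkim"]) + check_dmarc(records["dmarc"])

# Constructed sample values (not a real deployment): the README's posture vs. a weak one.
HARDENED = {"spf": "v=spf1 mx ip4:203.0.113.10 -all",
            "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqEXAMPLEKEY",
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"}
WEAK = {"spf": "v=spf1 mx ~all", "dkim": "v=DKIM1; k=rsa; p=",
        "dmarc": "v=DMARC1; p=none"}
```

Feed `audit()` the TXT values returned by a resolver for `<domain>`, `default._domainkey.<domain>` and `_dmarc.<domain>`; an empty list means the records match the README's policy.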

Anti-Spam

Stalwart includes built-in spam filtering:

| Feature       | Description          |
|---------------|----------------------|
| SpamAssassin  | Rule-based filtering |
| DNSBL         | Blocklist checking   |
| Greylisting   | Temporary rejection  |
| Rate limiting | Abuse prevention     |

Monitoring

| Metric                           | Description       |
|----------------------------------|-------------------|
| stalwart_messages_received_total | Received messages |
| stalwart_messages_sent_total     | Sent messages     |
| stalwart_spam_blocked_total      | Blocked spam      |
| stalwart_queue_size              | Queue depth       |

Part of OpenOva